dpwwn: 1 ~ VulnHub
# nmap -sn 192.168.1.0/24 -oN live.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 22:24 CST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 0bcc61d9e6ea39148e78c7c68571e53 (192.168.1.2)
Host is up (0.00014s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.88 (192.168.1.88)
Host is up (0.00084s latency).
MAC Address: 00:0C:29:93:02:FA (VMware)
Nmap scan report for 192.168.1.254 (192.168.1.254)
Host is up (0.00020s latency).
MAC Address: 00:50:56:F2:FC:E9 (VMware)
Nmap scan report for 192.168.1.60 (192.168.1.60)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.95 seconds
靶标的IP地址为192.168.1.88
# nmap -sT --min-rate 10000 -p- 192.168.1.88 -oN port.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 22:24 CST
Nmap scan report for 192.168.1.88 (192.168.1.88)
Host is up (0.0028s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:93:02:FA (VMware)
端口探测的结果为22 80 3306三个端口
# nmap -sT -sC -sV -O -p22,80,3306 192.168.1.88 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 22:24 CST
Nmap scan report for 192.168.1.88 (192.168.1.88)
Host is up (0.00061s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 c1:d3:be:39:42:9d:5c:b4:95:2c:5b:2e:20:59:0e:3a (RSA)
| 256 43:4a:c6:10:e7:17:7d:a0:c0:c3:76:88:1d:43:a1:8c (ECDSA)
|_ 256 0e:cc:e3:e1:f7:87:73:a1:03:47:b9:e2:cf:1c:93:15 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
3306/tcp open mysql MySQL 5.5.60-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.60-MariaDB
| Thread ID: 6
| Capabilities flags: 63487
| Some Capabilities: SupportsCompression, ODBCClient, SupportsTransactions, ConnectWithDatabase, LongPassword, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsLoadDataLocal, Speaks41ProtocolNew, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, IgnoreSigpipes, InteractiveClient, FoundRows, Support41Auth, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: 4A,VM]m+-BA`AaEs7T"J
|_ Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:93:02:FA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
服务的详细信息探测结果显示 22端口是Openssh的7.4版本 80端口是Apache2.4.6起的服务,其中php的版本是5.4.16,系统应该是Centos;在3306端口上是Mysql 5.5.60 MariaDB
# nmap -sT --script=vuln -p22,80,3306 192.168.1.88 -oN vuln.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 22:25 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.88 (192.168.1.88)
Host is up (0.00089s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /info.php: Possible information file
|_ /icons/: Potentially interesting folder w/ directory listing
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:93:02:FA (VMware)
nmap的默认漏洞脚本探测的结果是80端口上存在两个敏感的目录和文件;尝试现在在80端口上进行突破!
3306端口上尝试利用nmap的漏洞脚本,进行账户的枚举,但是由于速度过快和太多的连接错误,导致并没有找到有效的用户信息:
80端口上的首页就是Apache的默认页面:
info.php页面是phpinfo的页面信息:
尝试进行目录的扫描工作:
没额外的发现,尝试连接数据库,不给用户名和密码,看看能不能连接上:
未授权;存在三个数据库,分别是ssh mysql 和另外两个数据库!查看ssh数据库中的信息,既然是ssh,那么感觉数据库中的信息,应该能直接利用ssh登录吧!
果然拿到了一个账号和密码:
mistic
testP@$$swordmistic
尝试利用ssh进行登录!
没问题~ 成功登录,拿到了初始的立足点!
尝试查看是否存在其他的用户信息:
发现只有当前这一个用户,查看是否具有sudo权限 :
发现当前用户是没有特殊的权限的!同时/etc/passwd文件也没有可以修改的权限!利用find命令来查找info.php文件,从而确定80端口的网站目录在那里!
发现在网站的目录下面,只有这一个文件就是info文件~ 查看计划任务发现每三分钟执行logrot脚本文件:
看到当前的文件是否具有修改的权限!
没问题,提权思路来了。由于我们具有修改的权限,所以我们可以将我们的提权命令写入到该脚本中,当计划任务被执行的时候,从而执行我们的提权脚本!因为计划任务是root权限执行的!所以可以提权到root权限!
重写logrot文件!
当前的文件是这样的!我们直接创建一个新的就好了!
等待不超过三分钟应该就会提权成功了!
提示我们存在邮件,在/var/mail/root下面!先读取/root目录下面的flag文件:
邮件中的内容~ 整个靶机已经拿下~