dpwwn:01

靶机下载地址

dpwwn: 1 ~ VulnHub

信息收集

# nmap -sn 192.168.1.0/24 -oN live.nmap     
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 22:24 CST
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 0bcc61d9e6ea39148e78c7c68571e53 (192.168.1.2)
Host is up (0.00014s latency).
MAC Address: 00:50:56:FE:B1:6F (VMware)
Nmap scan report for 192.168.1.88 (192.168.1.88)
Host is up (0.00084s latency).
MAC Address: 00:0C:29:93:02:FA (VMware)
Nmap scan report for 192.168.1.254 (192.168.1.254)
Host is up (0.00020s latency).
MAC Address: 00:50:56:F2:FC:E9 (VMware)
Nmap scan report for 192.168.1.60 (192.168.1.60)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.95 seconds

靶标的IP地址为192.168.1.88

# nmap -sT --min-rate 10000 -p- 192.168.1.88 -oN port.nmap  
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 22:24 CST
Nmap scan report for 192.168.1.88 (192.168.1.88)
Host is up (0.0028s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:93:02:FA (VMware)

端口探测的结果为22 80 3306三个端口

# nmap -sT -sC -sV -O -p22,80,3306 192.168.1.88 -oN details.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 22:24 CST
Nmap scan report for 192.168.1.88 (192.168.1.88)
Host is up (0.00061s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 c1:d3:be:39:42:9d:5c:b4:95:2c:5b:2e:20:59:0e:3a (RSA)
|   256 43:4a:c6:10:e7:17:7d:a0:c0:c3:76:88:1d:43:a1:8c (ECDSA)
|_  256 0e:cc:e3:e1:f7:87:73:a1:03:47:b9:e2:cf:1c:93:15 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
3306/tcp open  mysql   MySQL 5.5.60-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.60-MariaDB
|   Thread ID: 6
|   Capabilities flags: 63487
|   Some Capabilities: SupportsCompression, ODBCClient, SupportsTransactions, ConnectWithDatabase, LongPassword, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsLoadDataLocal, Speaks41ProtocolNew, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, IgnoreSigpipes, InteractiveClient, FoundRows, Support41Auth, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: 4A,VM]m+-BA`AaEs7T"J
|_  Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:93:02:FA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

服务的详细信息探测结果显示 22端口是Openssh的7.4版本 80端口是Apache2.4.6起的服务,其中php的版本是5.4.16,系统应该是Centos;在3306端口上是Mysql 5.5.60 MariaDB

# nmap -sT --script=vuln -p22,80,3306 192.168.1.88 -oN vuln.nmap 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 22:25 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.88 (192.168.1.88)
Host is up (0.00089s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|   /info.php: Possible information file
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:93:02:FA (VMware)

nmap的默认漏洞脚本探测的结果是80端口上存在两个敏感的目录和文件;尝试现在在80端口上进行突破!

渗透测试

3306端口上尝试利用nmap的漏洞脚本,进行账户的枚举,但是由于速度过快和太多的连接错误,导致并没有找到有效的用户信息:

dpwwn:01_第1张图片

80端口上的首页就是Apache的默认页面:

dpwwn:01_第2张图片

info.php页面是phpinfo的页面信息:

dpwwn:01_第3张图片

尝试进行目录的扫描工作:

dpwwn:01_第4张图片

没额外的发现,尝试连接数据库,不给用户名和密码,看看能不能连接上:

dpwwn:01_第5张图片

未授权;存在三个数据库,分别是ssh mysql 和另外两个数据库!查看ssh数据库中的信息,既然是ssh,那么感觉数据库中的信息,应该能直接利用ssh登录吧!

dpwwn:01_第6张图片

果然拿到了一个账号和密码:

mistic
testP@$$swordmistic

尝试利用ssh进行登录!

dpwwn:01_第7张图片

没问题~ 成功登录,拿到了初始的立足点!

提权

尝试查看是否存在其他的用户信息:

dpwwn:01_第8张图片

发现只有当前这一个用户,查看是否具有sudo权限 :

dpwwn:01_第9张图片

发现当前用户是没有特殊的权限的!同时/etc/passwd文件也没有可以修改的权限!利用find命令来查找info.php文件,从而确定80端口的网站目录在那里!

发现在网站的目录下面,只有这一个文件就是info文件~ 查看计划任务发现每三分钟执行logrot脚本文件:

dpwwn:01_第10张图片

看到当前的文件是否具有修改的权限!

dpwwn:01_第11张图片

没问题,提权思路来了。由于我们具有修改的权限,所以我们可以将我们的提权命令写入到该脚本中,当计划任务被执行的时候,从而执行我们的提权脚本!因为计划任务是root权限执行的!所以可以提权到root权限!

重写logrot文件!

dpwwn:01_第12张图片

当前的文件是这样的!我们直接创建一个新的就好了!

dpwwn:01_第13张图片

等待不超过三分钟应该就会提权成功了!

dpwwn:01_第14张图片

提示我们存在邮件,在/var/mail/root下面!先读取/root目录下面的flag文件:

dpwwn:01_第15张图片

dpwwn:01_第16张图片

邮件中的内容~ 整个靶机已经拿下~

你可能感兴趣的:(Vulnhub,网络安全,web安全,安全,安全威胁分析,学习)