Poster

The sys admin set up a rdbms in a safe way.

0x01 简介

什么是rdbms？

根据EF-Codd关系模型，RDBMS允许用户构建、更新、管理和与关系数据库交互，关系数据库将数据存储为表。

当前，一些公司使用关系数据库代替平面文件或层次数据库来存储业务数据。这是因为关系数据库可以处理范围广泛的数据格式并有效地处理查询。此外，它将数据组织到可以基于公共数据进行内部链接的表中。这允许用户通过单个查询轻松检索一个或多个表。另一方面，平面文件将数据存储在一个表结构中，这会降低效率并消耗更多的空间和内存。

大多数商用RDBMS目前都使用结构化查询语言（SQL）来访问数据库。RDBMS结构最常用于执行CRUD操作（创建、读取、更新和删除），这对于支持一致的数据管理至关重要。

0x02 信息收集

先用rustscan联动Nmap扫描目标机器端口

dd@kalikali-123:~$ rustscan -a 10.10.217.90 -r 1-65535 --ulimit 5000 -- -A[~] Automatically increasing ulimit value to 5000.Open 10.10.217.90:22Open 10.10.217.90:80Open 10.10.217.90:5432[~] Starting Nmap[>] The Nmap command to be run is nmap -A -vvv -p 22,80,5432 10.10.217.90Starting Nmap 7.70 ( https://nmap.org ) at 2021-03-10 06:23 UTCNSE: Loaded 148 scripts for scanning.NSE: Script Pre-scanning.NSE: Starting runlevel 1 (of 2) scan.Initiating NSE at 06:23Completed NSE at 06:23, 0.00s elapsedNSE: Starting runlevel 2 (of 2) scan.Initiating NSE at 06:23Completed NSE at 06:23, 0.00s elapsedInitiating Ping Scan at 06:23Scanning 10.10.217.90 [2 ports]Completed Ping Scan at 06:23, 0.27s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 06:23Completed Parallel DNS resolution of 1 host. at 06:23, 0.02s elapsedDNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]Initiating Connect Scan at 06:23Scanning 10.10.217.90 [3 ports]Discovered open port 22/tcp on 10.10.217.90Discovered open port 80/tcp on 10.10.217.90Discovered open port 5432/tcp on 10.10.217.90Completed Connect Scan at 06:23, 0.27s elapsed (3 total ports)Initiating Service scan at 06:23Scanning 3 services on 10.10.217.90Completed Service scan at 06:23, 7.61s elapsed (3 services on 1 host)NSE: Script scanning 10.10.217.90.NSE: Starting runlevel 1 (of 2) scan.Initiating NSE at 06:23NSE Timing: About 99.76% done; ETC: 06:23 (0:00:00 remaining)NSE Timing: About 99.76% done; ETC: 06:24 (0:00:00 remaining)NSE Timing: About 99.76% done; ETC: 06:24 (0:00:00 remaining)Completed NSE at 06:24, 95.27s elapsedNSE: Starting runlevel 2 (of 2) scan.Initiating NSE at 06:24Completed NSE at 06:24, 0.00s elapsedNmap scan report for 10.10.217.90Host is up, received conn-refused (0.27s latency).Scanned at 2021-03-10 06:23:12 UTC for 104sPORT     STATE SERVICE    REASON  VERSION22/tcp   open  ssh        syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:|   2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGK2azIgGLY4GFFZlpgMpyOub/To5vmftSEWkjbtFkTBvc5tW/SpoDtjyNMT0JKJUmFJ2/vp6oIpwyIRtDa+oomuNL//exbp/i798hl8FFo4Zq5HsDvQCwNKZ0lfk0HGYgbXj6WAjohokSbkDY1U26FN/MKE2JxcXLcN8n1QmvVbP5p8zO/jgrXvX6DLv4eHxJjhzsBJ6DwFMchtBwy4CiTQsiCUcAyyua93LJO6NEnnM4SOwOUE/wyggCNPbwzB1wzPLAgaiU+M2gn9/XZGmlD+vWOBu3sruCB2PnRuM3cx27gDbbElR4KDIOq2ar66rV+yIZQoQ7KfVUNUFFCbRz|   256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN2f/wWkOMnH6rNZ+0m2p+PrzBVbz/vfQ/k9rx9W27i9DLBKmRM2b2ntmg8tSwHhZVTb/FvStJci9SIBLAqao00=80/tcp   open  http       syn-ack Apache httpd 2.4.18 ((Ubuntu))| http-methods:|_  Supported Methods: OPTIONS GET HEAD POST|_http-server-header: Apache/2.4.18 (Ubuntu)|_http-title: Poster CMS5432/tcp open  postgresql syn-ack PostgreSQL DB| fingerprint-strings:|   SMBProgNeg:|     SFATAL|     C0A000|     Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0|     Fpostmaster.c|     L2015|_    RProcessStartupPacket| ssl-cert: Subject: commonName=ubuntu| Issuer: commonName=ubuntu| Public Key type: rsa| Public Key bits: 2048| Signature Algorithm: sha256WithRSAEncryption| Not valid before: 2020-07-29T00:54:25| Not valid after:  2030-07-27T00:54:25| MD5:   da57 3213 e9aa 9274 d0be c1b0 bbb2 0b09| SHA-1: 4e03 8469 28f7 673b 2bb2 0440 4ba9 e4d2 a0d0 5dd5| -----BEGIN CERTIFICATE-----| MIICsjCCAZqgAwIBAgIJAIrmTOUt3qZtMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV| BAMMBnVidW50dTAeFw0yMDA3MjkwMDU0MjVaFw0zMDA3MjcwMDU0MjVaMBExDzAN| BgNVBAMMBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMca| tkPhi1xPkNomQzkTX+XRDk0RPBxRJQm17+Q8sru8J72rToPVyZesM7v5M+ttfqlZ| sHAevEv/iVb1D6hNPawU9kG61Ja9baHd1s31H7RjWxpMS2vZuiu6/oXNWpc4yinQ| RDWgLqKhDzczacMWLxKkgh06H8DI04/4pCJ6pbf6gXFfVRrccOu1FmoVlWWdVeGd| CZ2C8XOA1tEEE6UG9HI9Q2gd3AHOSex+ar3EnWm1LanYDQPJSXEgl/K2A9D5DQEw| +xJxPnH9abqxUrLUDOxzbMpdqXfb0OHxy7jeBJhpd6DonAZTEACdsgh9SzssH4ac| FOqjsJjfSzok3x3uBx0CAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF| AAOCAQEAxGskqCN0uihEe1rpb7fveGYGMhDsFso9aYdJ4Q3CHJHX3leCN92nLCOq| R9bTRgVjrvph00jO3+qhHzXCLbnpZXu9R9mPsfcDU/IFCFxMNmjRs4DkkzpGWAyp| t5I18Zxh4JWJP7Mf1zc39z2Zk/IucAI5kMPMDJUWR/mjVFG/iZY8W+YlKsfvWblU| tY4RYFhVy9JTVFYe5ZxghLxylYi+cbkGcPMj7qaOkDWIWhILZX1DDAb7cSfVd4rq| 2ayWhA4Dh/FJkL2j+5mfAku0C7qMAqSlJTMRa6pTQjXeGafLDBoomQIIFnhWOITS| fohtzsob6PyjssrRoqlRkJLJEJf2YQ==|_-----END CERTIFICATE-----|_ssl-date: TLS randomness does not represent time1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :SF-Port5432-TCP:V=7.70%I=7%D=3/10%Time=604865D8%P=x86_64-pc-linux-gnu%r(SMSF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20proSF:tocol\x2065363\.19778:\x20server\x20supports\x201\.0\x20to\x203\.0\0FpoSF:stmaster\.c\0L2015\0RProcessStartupPacket\0\0");Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelNSE: Script Post-scanning.NSE: Starting runlevel 1 (of 2) scan.Initiating NSE at 06:24Completed NSE at 06:24, 0.00s elapsedNSE: Starting runlevel 2 (of 2) scan.Initiating NSE at 06:24Completed NSE at 06:24, 0.00s elapsedRead data files from: /usr/bin/../share/nmapService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 104.86 seconds

根据端口信息，先从postgresql入手，启动MSF。。。

搜索对应的漏洞，先枚举一下数据库用户，获得弱口令用户：

postgres：password

0x03 PostgreSQL漏洞利用

搜索其它利用模块进行攻击，这里#13有个cmd命令执行模块，尝试利用一下。

exploit/multi/postgres/postgres_copy_from_program_cmd_exec

配置好选项直接就返回了shell数据库用户权限

0x04 USER权限

这里翻用户家目录在drak用户的目录下发现credentials.txt

里面有drak用户的账号密码

ssh登录drak用户

接着又在网站目录的config.php中反倒alison的密码。一般翻下家目录、网站目录、/tmp、/opt、/etc可以用grep -r password搜索一遍

0x04 ROOT权限

切换到alison用户，根据上面的config.php提示可能有sudo权限、用sudo -l查看sudo权限。

sudo su root 直接切换到root

TryHackMe - Poster靶场相关推荐

TryHackMe - Dav靶场
Dav boot2root machine for FIT and bsides guatemala CTF 0x01 信息收集常规Nmap扫描目标机器收集端口开放服务信息,只开放了一个端口 0x0 ...
直播活动丨BMMeetup第1期：大模型Prompt Tuning技术，8场学术报告和Poster提前下载...
「Big Model Meetup」系列活动是由智源研究院悟道团队.青源会.清华大学计算机科学与技术系博硕论坛.中国中文信息学会青年工作委员会共同组织,智源社区提供社区支持,PaperWeekly提供 ...
ICLR2020放榜 34篇满分论文！ 48篇orals，108篇spotlights，531篇poster
点击上方"深度学习技术前沿",选择"星标"公众号资源干货,第一时间送达 ICLR,全称为International Conference on Learnin ...
full paper(long paper),short paper,oral,poster,workshop,findings
注:本文参考以下资源整理而来: 参考1:https://blog.csdn.net/keneyr/article/details/103210960 参考2:https://www.zhihu.com ...
video标签poster属性在安卓微信中不生效问题解决
video标签poster属性在安卓微信中不生效问题解决参考文章: (1)video标签poster属性在安卓微信中不生效问题解决 (2)https://www.cnblogs.com/shicha ...
upload-labs-master文件上传靶场第七关详解
一.前言 upload-labs-master是文件上传靶场,里面目前总共有19关,github地址https://github.com/c0ny1/upload-labs,今天要说的是这个靶场的第七 ...
【网络安全】2022年第一次靶场渗透实战学习
一.介绍渗透测试是通过模拟黑客或者骇客攻击,以评估计算机系统或者网络环境安全性的技术:主要的目的是进行安全性的评估,而不是摧毁或者破坏目标系统. 渗透测试所需要的基础技能必须有网络基础.编程基础.数 ...
渗透操作系统——【靶场实战训练营】快来看看有没有你需要的
基于3个操作系统的靶场(提供镜像),讲解从只有一个IP到最终基于3个操作系统的靶场(提供镜像),讲解从只有一个IP到最终拿下机器root权限的全流程.不只讲解怎么做,并且讲解为什么这样做,教给你别的地 ...
带你刷burpsuite官方网络安全学院靶场(练兵场)之客户端漏洞——跨站请求伪造(CSRF)专题
介绍 PortSwigger是信息安全从业者必备工具burpsuite的发行商,作为网络空间安全的领导者,他们为信息安全初学者提供了一个在线的网络安全学院(也称练兵场),在讲解相关漏洞的同时还配套了相 ...

TryHackMe - Poster靶场