TryHackMe - Poster Lab

Poster

The sys admin set up an RDBMS in a safe way.


0x01 Introduction

What is an RDBMS?

Under E. F. Codd's relational model, an RDBMS lets users build, update, manage and interact with a relational database, which stores data as tables.

Today, many companies use relational databases instead of flat files or hierarchical databases to store business data, because a relational database can handle a wide range of data formats and process queries efficiently. It also organizes data into tables that can be linked internally on shared fields, so users can easily retrieve data from one or more tables with a single query. A flat file, by contrast, stores data in a single table structure, which is less efficient and consumes more space and memory.

Most commercial RDBMSs today use Structured Query Language (SQL) to access the database. The RDBMS structure is most commonly used to perform CRUD operations (create, read, update and delete), which are essential for consistent data management.


0x02 Information Gathering

First, use rustscan together with Nmap to scan the target machine's ports:

dd@kalikali-123:~$ rustscan -a 10.10.217.90 -r 1-65535 --ulimit 5000 -- -A

[~] Automatically increasing ulimit value to 5000.

Open 10.10.217.90:22

Open 10.10.217.90:80

Open 10.10.217.90:5432

[~] Starting Nmap

[>] The Nmap command to be run is nmap -A -vvv -p 22,80,5432 10.10.217.90



Starting Nmap 7.70 ( https://nmap.org ) at 2021-03-10 06:23 UTC

NSE: Loaded 148 scripts for scanning.

NSE: Script Pre-scanning.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 06:23

Completed NSE at 06:23, 0.00s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 06:23

Completed NSE at 06:23, 0.00s elapsed

Initiating Ping Scan at 06:23

Scanning 10.10.217.90 [2 ports]

Completed Ping Scan at 06:23, 0.27s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 06:23

Completed Parallel DNS resolution of 1 host. at 06:23, 0.02s elapsed

DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]

Initiating Connect Scan at 06:23

Scanning 10.10.217.90 [3 ports]

Discovered open port 22/tcp on 10.10.217.90

Discovered open port 80/tcp on 10.10.217.90

Discovered open port 5432/tcp on 10.10.217.90

Completed Connect Scan at 06:23, 0.27s elapsed (3 total ports)

Initiating Service scan at 06:23

Scanning 3 services on 10.10.217.90

Completed Service scan at 06:23, 7.61s elapsed (3 services on 1 host)

NSE: Script scanning 10.10.217.90.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 06:23

NSE Timing: About 99.76% done; ETC: 06:23 (0:00:00 remaining)

NSE Timing: About 99.76% done; ETC: 06:24 (0:00:00 remaining)

NSE Timing: About 99.76% done; ETC: 06:24 (0:00:00 remaining)

Completed NSE at 06:24, 95.27s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 06:24

Completed NSE at 06:24, 0.00s elapsed

Nmap scan report for 10.10.217.90

Host is up, received conn-refused (0.27s latency).

Scanned at 2021-03-10 06:23:12 UTC for 104s



PORT     STATE SERVICE    REASON  VERSION

22/tcp   open  ssh        syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

|   2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)

| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGK2azIgGLY4GFFZlpgMpyOub/To5vmftSEWkjbtFkTBvc5tW/SpoDtjyNMT0JKJUmFJ2/vp6oIpwyIRtDa+oomuNL//exbp/i798hl8FFo4Zq5HsDvQCwNKZ0lfk0HGYgbXj6WAjohokSbkDY1U26FN/MKE2JxcXLcN8n1QmvVbP5p8zO/jgrXvX6DLv4eHxJjhzsBJ6DwFMchtBwy4CiTQsiCUcAyyua93LJO6NEnnM4SOwOUE/wyggCNPbwzB1wzPLAgaiU+M2gn9/XZGmlD+vWOBu3sruCB2PnRuM3cx27gDbbElR4KDIOq2ar66rV+yIZQoQ7KfVUNUFFCbRz

|   256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)

|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN2f/wWkOMnH6rNZ+0m2p+PrzBVbz/vfQ/k9rx9W27i9DLBKmRM2b2ntmg8tSwHhZVTb/FvStJci9SIBLAqao00=

80/tcp   open  http       syn-ack Apache httpd 2.4.18 ((Ubuntu))

| http-methods:

|_  Supported Methods: OPTIONS GET HEAD POST

|_http-server-header: Apache/2.4.18 (Ubuntu)

|_http-title: Poster CMS

5432/tcp open  postgresql syn-ack PostgreSQL DB

| fingerprint-strings:

|   SMBProgNeg:

|     SFATAL

|     C0A000

|     Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0

|     Fpostmaster.c

|     L2015

|_    RProcessStartupPacket

| ssl-cert: Subject: commonName=ubuntu

| Issuer: commonName=ubuntu

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2020-07-29T00:54:25

| Not valid after:  2030-07-27T00:54:25

| MD5:   da57 3213 e9aa 9274 d0be c1b0 bbb2 0b09

| SHA-1: 4e03 8469 28f7 673b 2bb2 0440 4ba9 e4d2 a0d0 5dd5


|_ssl-date: TLS randomness does not represent time

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port5432-TCP:V=7.70%I=7%D=3/10%Time=604865D8%P=x86_64-pc-linux-gnu%r(SM

SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro

SF:tocol\x2065363\.19778:\x20server\x20supports\x201\.0\x20to\x203\.0\0Fpo

SF:stmaster\.c\0L2015\0RProcessStartupPacket\0\0");

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel



NSE: Script Post-scanning.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 06:24

Completed NSE at 06:24, 0.00s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 06:24

Completed NSE at 06:24, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 104.86 seconds

Given the open ports, start with PostgreSQL and fire up MSF...

Search for matching modules and first enumerate database users, which turns up an account with a weak password:

postgres:password
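Added here as a defender's-side example, not something from the room or this write-up: a small audit of pg_hba.conf that flags the kind of rules which leave a PostgreSQL listener on 5432 reachable from any address with nothing but a guessable password, as happened above. Both files are constructed; the room's real configuration is not known.

```python
import ipaddress

# Constructed pg_hba.conf fragments (not the room's real file). The layout is
# PostgreSQL's own: TYPE  DATABASE  USER  ADDRESS  METHOD [OPTIONS].
WEAK_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       0.0.0.0/0      md5
host    all       all       ::/0           trust
"""
HARDENED_HBA = """\
local   all       postgres                 peer
host    all       all       127.0.0.1/32   scram-sha-256
host    poster    poster    10.10.0.0/16   scram-sha-256
host    all       all       0.0.0.0/0      reject
"""

def parse_hba(text):
    """Return one dict per rule; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":                      # Unix-socket rule has no ADDRESS column
            f = f[:3] + [None] + f[3:]
        elif len(f) > 4 and f[4][:1].isdigit():  # ADDRESS written as "IP NETMASK", not CIDR
            f = f[:3] + [f"{f[3]}/{f[4]}"] + f[5:]
        rules.append(dict(zip(("type", "db", "user", "addr", "method"), f)))
    return rules

def audit(text):
    findings = []                                # (severity, message) for network rules
    for r in parse_hba(text):
        if r["type"] == "local":
            continue
        try:                                     # samenet/hostnames are not CIDR ranges
            wide = ipaddress.ip_network(r["addr"], strict=False).prefixlen == 0
        except ValueError:
            wide = False
        if r["method"] == "trust":
            findings.append(("CRITICAL", f"{r['addr']}: trust skips authentication for {r['user']}"))
        elif r["method"] == "password":
            findings.append(("HIGH", f"{r['addr']}: cleartext password method; use scram-sha-256"))
        elif r["method"] == "md5":
            findings.append(("MEDIUM", f"{r['addr']}: md5 is deprecated; use scram-sha-256"))
        if wide and r["method"] != "reject":
            findings.append(("HIGH", f"{r['addr']}: reachable from any client address ({r['method']})"))
    return findings
```

Running audit(WEAK_HBA) reports four findings while audit(HARDENED_HBA) reports none; the reject rule at the end of the hardened file is what turns an internet-wide listener into a closed door.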


0x03 PostgreSQL Exploitation

Look for other exploit modules to use against it; entry #13 is a command execution module, so give it a try.


exploit/multi/postgres/postgres_copy_from_program_cmd_exec

With the options set, running it comes straight back with a shell running as the database user.
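Added example, not part of the original write-up: detection logic over constructed PostgreSQL log lines that flags both a burst of failed logins for one role (the user enumeration above) and any COPY ... FROM PROGRAM statement, the server-side command feature that postgres_copy_from_program_cmd_exec relies on and that only a superuser (or, on newer versions, a member of pg_execute_server_program) can run. It assumes the default log_line_prefix and log_statement set to 'mod' or 'all'.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not from the room). "%m [%p] " is PostgreSQL's default
# log_line_prefix; the "statement:" lines need log_statement = 'mod' or 'all'.
SAMPLE_LOG = """\
2021-03-10 06:25:01.001 UTC [2001] FATAL:  password authentication failed for user "postgres"
2021-03-10 06:25:01.050 UTC [2002] FATAL:  password authentication failed for user "postgres"
2021-03-10 06:25:01.110 UTC [2003] FATAL:  password authentication failed for user "postgres"
2021-03-10 06:25:01.180 UTC [2004] FATAL:  password authentication failed for user "postgres"
2021-03-10 06:25:01.240 UTC [2005] FATAL:  password authentication failed for user "postgres"
2021-03-10 06:25:02.300 UTC [2006] LOG:  statement: SELECT version()
2021-03-10 06:25:03.100 UTC [2006] LOG:  statement: COPY cmd_exec FROM PROGRAM 'id'
2021-03-10 06:30:00.000 UTC [2100] LOG:  statement: COPY orders FROM '/srv/orders.csv' CSV
"""

PREFIX = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[(?P<pid>\d+)\] "
AUTH_FAIL = re.compile(PREFIX + r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"')
STATEMENT = re.compile(PREFIX + r"LOG:\s+statement: (?P<sql>.+)$")
# COPY ... FROM PROGRAM runs a shell command on the server; COPY FROM a file path does not match.
COPY_PROGRAM = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE)

def analyze(log_text, threshold=5, window_s=60):
    """Return ({user: peak failures inside one window_s-second sliding window, if >= threshold},
    [(pid, sql) for every COPY ... FROM PROGRAM statement])."""
    recent = defaultdict(deque)          # user -> timestamps of failures still in the window
    brute_force, program_hits = {}, []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            q = recent[m["user"]]
            q.append(now)
            while (now - q[0]).total_seconds() > window_s:
                q.popleft()                  # drop failures that fell out of the window
            if len(q) >= threshold:
                brute_force[m["user"]] = max(brute_force.get(m["user"], 0), len(q))
            continue
        m = STATEMENT.match(line)
        if m and COPY_PROGRAM.search(m["sql"]):
            program_hits.append((int(m["pid"]), m["sql"]))
    return brute_force, program_hits
```

The legitimate COPY FROM a file path on the last sample line is deliberately left unflagged, and the failed-login burst is only reported once it reaches the threshold within the window, so a single mistyped password does not alert.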


0x04 USER Privileges

Going through the home directories, there is a credentials.txt in the drak user's directory.

It contains drak's username and password.


Log in as drak via SSH.


Next, alison's password turns up in config.php in the web directory. In general, it is worth looking through the home directories, the web directory, /tmp, /opt and /etc, and running grep -r password over them.


0x05 ROOT Privileges

Switch to the alison user; the hint in config.php above suggests she may have sudo rights, so check them with sudo -l.

sudo su root switches straight to root.
