Day 10
20250104

Mission 1: Attack victim.jeonjucom.kr. Gather information, then access the site.

┌──(root㉿kali)-[/home/kali]
└─# nikto -host victim.jeonjucom.kr
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.0.126
+ Target Hostname:    victim.jeonjucom.kr
+ Target Port:        80
+ Start Time:         2025-01-03 20:07:35 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
+ /: Server may leak inodes via ETags, header found with file /, inode: 838422, size: 625, mtime: Fri Jan 5 20:14:02 2018. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /crossdomain.xml contains a full wildcard entry. See: http://jeremiahgrossman.blogspot.com/2008/05/crossdomainxml-invites-cross-site.html
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.bak, index.html. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ OpenSSL/0.9.8g appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.2.8 appears to be outdated (current is at least 2.9.6) (may depend on server version).
+ PHP/5.2.4-2ubuntu5 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ mod_ssl/2.2.8 OpenSSL/0.9.8g - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
+ PHP/5.2 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources. See: OSVDB-561
+ /phpmyadmin/changelog.php: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.
+ /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /icons/: Directory indexing found.
+ /images/: Directory indexing found.
+ /README: README file found.
+ /INSTALL.txt: Default file found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /phpmyadmin/: phpMyAdmin directory found.
+ /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8045 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time:           2025-01-03 20:08:21 (GMT-5) (46 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Quiz
What is the IP of victim.jeonjucom.kr? 192.168.0.126
Which ports are open? The web application is vulnerable.
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
3306/tcp open  mysql
8080/tcp open  http-proxy
How many users are registered on the server? 7
Can you log in to the system? ssh bee@192.168.0.126

Mission 2: Configure Windows 10 so that it can reach the three servers, then connect with a web browser and EditPlus.
Port forwarding: 53, 22, 80, 21, 3306 (change 53 to UDP)
In nano localhost.conf, change the IP to your own.
EditPlus FTP settings: directory /home/st/public_html, server = your own IP.
Ubuntu install: PHP-FPM (FPM: FastCGI Process Manager)
apt -y install php8.3-fpm
a2enmod proxy_fcgi setenvif
a2enconf php8.3-fpm
systemctl restart php8.3-fpm apache2
In monitor, add:
include __DIR__ . "/includes/db.php";
Create db.php in includes and put in the following (the opening and closing PHP tags were garbled in the notes; they are <?php and ?>):

<?php
/* local
$servername = "localhost";
$username = "master";
$password = "123456";
$dbname = "master";
*/

/* remote */
$servername = "192.168.0.126";
$username = "st";
$password = "12345";
$dbname = "st";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);

// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>

In Xshell, log in as root, then in mysql enter:
create database st;
create user st@localhost identified by '123456';
grant all on st.* to st@localhost;
flush privileges;

Mission 3
192.168.0.126 222
mysql -u root -p bug
show databases;
use dvwa
show tables;
desc users;
select * from users;

root@victim:/home/bee# cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"
root@victim:/home/bee# a2enmod userdir
Module userdir installed; run /etc/init.d/apache2 force-reload to enable.
root@victim:/home/bee# ls
core.6859  Desktop  Documents  Examples  Music  Pictures  Public  Templates  Videos
root@victim:/home/bee# cd /home/
root@victim:/home# ls
alice  bee  ftp  johnny  neo  selene  thor  wolverine
root@victim:/home# cd /var/www/html
bash: cd: /var/www/html: No such file or directory
root@victim:/home# cd /var/www
root@victim:/var/www# ls
bWAPP       bWAPP_intro.pdf         drupal  images      index.lighttpd.html  release_notes.txt
bWAPP_BAK   ClientAccessPolicy.xml  dvwa    index.bak   INSTALL.txt          sqlite
bwapp.html  crossdomain.xml         evil    index.html  README.txt
root@victim:/var/www# cd config
bash: cd: config: No such file or directory
root@victim:/var/www# cd dvwa
root@victim:/var/www/dvwa# ls
about.php     COPYING.txt  external     ids_log.php       login.php    php.ini     security.php
CHANGELOG.md  docs         favicon.ico  index.php         logout.php   README.md   setup.php
config        dvwa         hackable     instructions.php  phpinfo.php  robots.txt  vulnerabilities
root@victim:/var/www/dvwa# cd config
root@victim:/var/www/dvwa/config# ls
config.inc.php
root@victim:/var/www/dvwa/config# nano config.inc.php
root@victim:/var/www/dvwa/config# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 144
Server version: 5.0.96-0ubuntu3 (Ubuntu)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show tables;
ERROR 1046 (3D000): No database selected
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| bWAPP              |
| drupageddon        |
| dvwa               |
| mysql              |
+--------------------+
5 rows in set (0.00 sec)

mysql> use dvwa;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+
2 rows in set (0.00 sec)

mysql> desc users;
+--------------+-------------+------+-----+-------------------+-------+
| Field        | Type        | Null | Key | Default           | Extra |
+--------------+-------------+------+-----+-------------------+-------+
| user_id      | int(6)      | NO   | PRI | 0                 |       |
| first_name   | varchar(15) | YES  |     | NULL              |       |
| last_name    | varchar(15) | YES  |     | NULL              |       |
| user         | varchar(15) | YES  |     | NULL              |       |
| password     | varchar(32) | YES  |     | NULL              |       |
| avatar       | varchar(70) | YES  |     | NULL              |       |
| last_login   | timestamp   | NO   |     | CURRENT_TIMESTAMP |       |
| failed_login | int(3)      | YES  |     | NULL              |       |
+--------------+-------------+------+-----+-------------------+-------+
8 rows in set (0.00 sec)

mysql> select * from users;
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                                           | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+---------------------+--------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | http://127.0.0.1/dvwa/hackable/users/admin.jpg   | 2017-12-09 08:18:07 |            0 |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg | 2017-12-09 08:18:07 |            0 |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://127.0.0.1/dvwa/hackable/users/1337.jpg    | 2017-12-09 08:18:07 |            0 |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://127.0.0.1/dvwa/hackable/users/pablo.jpg   | 2017-12-09 08:18:07 |            0 |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://127.0.0.1/dvwa/hackable/users/smithy.jpg  | 2017-12-09 08:18:07 |            0 |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+---------------------+--------------+
5 rows in set (0.00 sec)

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

root@victim:/var/www/dvwa/config# mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
root@victim:/var/www/dvwa/config# mysqldump -u root -p dvwa > dvwa.sql
Enter password:
root@victim:/var/www/dvwa/config# ls
config.inc.php  dvwa.sql
root@victim:/var/www/dvwa/config# cat dvwa.sql
-- MySQL dump 10.11
--
-- Host: localhost    Database: dvwa
-- ------------------------------------------------------
-- Server version	5.0.96-0ubuntu3

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `guestbook`
--

DROP TABLE IF EXISTS `guestbook`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `guestbook` (
  `comment_id` smallint(5) unsigned NOT NULL auto_increment,
  `comment` varchar(300) default NULL,
  `name` varchar(100) default NULL,
  PRIMARY KEY  (`comment_id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `guestbook`
--

LOCK TABLES `guestbook` WRITE;
/*!40000 ALTER TABLE `guestbook` DISABLE KEYS */;
INSERT INTO `guestbook` VALUES (1,'This is a test comment.','test');
/*!40000 ALTER TABLE `guestbook` ENABLE KEYS */;
UNLOCK TABLES;

--
-- Table structure for table `users`
--

DROP TABLE IF EXISTS `users`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `users` (
  `user_id` int(6) NOT NULL default '0',
  `first_name` varchar(15) default NULL,
  `last_name` varchar(15) default NULL,
  `user` varchar(15) default NULL,
  `password` varchar(32) default NULL,
  `avatar` varchar(70) default NULL,
  `last_login` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  `failed_login` int(3) default NULL,
  PRIMARY KEY  (`user_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `users`
--

LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES (1,'admin','admin','admin','5f4dcc3b5aa765d61d8327deb882cf99','http://127.0.0.1/dvwa/hackable/users/admin.jpg','2017-12-09 07:18:07',0),(2,'Gordon','Brown','gordonb','e99a18c428cb38d5f260853678922e03','http://127.0.0.1/dvwa/hackable/users/gordonb.jpg','2017-12-09 07:18:07',0),(3,'Hack','Me','1337','8d3533d75ae2c3966d7e0d4fcc69216b','http://127.0.0.1/dvwa/hackable/users/1337.jpg','2017-12-09 07:18:07',0),(4,'Pablo','Picasso','pablo','0d107d09f5bbe40cade3de5c71e9e9b7','http://127.0.0.1/dvwa/hackable/users/pablo.jpg','2017-12-09 07:18:07',0),(5,'Bob','Smith','smithy','5f4dcc3b5aa765d61d8327deb882cf99','http://127.0.0.1/dvwa/hackable/users/smithy.jpg','2017-12-09 07:18:07',0);
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2025-01-04  7:00:53

nano /etc/rsyslog.d/50-default.conf, add at the end:

action(type="omfwd"
       queue.filename="IP13.jeonjucom.kr"
       queue.maxdiskspace="1g"
       queue.saveonshutdown="on"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       Target="192.168.0.126" Port="514" Protocol="tcp")

126 PHP version: 5.2.4
MySQL access from PHP: mysqli (object-oriented), mysqli (procedural), PDO

wget 192.168.0.126/dvwa.sql
mysql -u st -p st < dvwa.sql

mysql> select * from users where user='admin'
    -> and password='password';
Empty set (0.00 sec)

mysql> select user.password from users
    -> ;
ERROR 1054 (42S22): Unknown column 'user.password' in 'field list'
mysql> select user, password from users;
+---------+----------------------------------+
| user    | password                         |
+---------+----------------------------------+
| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 |
| gordonb | e99a18c428cb38d5f260853678922e03 |
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+----------------------------------+
5 rows in set (0.00 sec)
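An added example (not part of these lab notes) to explain the last two queries in mission 3. The `... and password='password'` query returns an empty set because the DVWA `users.password` column holds md5(password), a 32-hex-character digest, so a login check must hash the candidate before comparing. The script below does that check, audits the dumped rows for repeated digests (unsalted MD5 turns identical passwords into identical hashes, which the dump makes visible), and shows the salted PBKDF2 storage a defender would migrate to. The five rows are copied from the dvwa.sql dump above as constructed input; the function names and the PBKDF2 record format are my own, not DVWA's.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# (user, stored hash) pairs copied from the dvwa users table above.
USERS = {
    "admin":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
    "1337":    "8d3533d75ae2c3966d7e0d4fcc69216b",
    "pablo":   "0d107d09f5bbe40cade3de5c71e9e9b7",
    "smithy":  "5f4dcc3b5aa765d61d8327deb882cf99",
}


def legacy_check(user, candidate):
    """Legacy DVWA-style check: hash the candidate with MD5, then compare to the
    stored digest.  Comparing the plaintext directly, as the SQL in the notes
    does, can never match a column that only ever holds 32-hex-char digests.
    compare_digest keeps the comparison constant-time."""
    stored = USERS.get(user)
    if stored is None:
        return False
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored)


def shared_hashes(table):
    """Audit: with unsalted MD5, equal passwords give equal digests, so any digest
    that appears more than once means several accounts share one password.
    Returns {digest: [users...]} for the repeated digests only."""
    by_hash = defaultdict(list)
    for user, h in table.items():
        by_hash[h].append(user)
    return {h: sorted(u) for h, u in by_hash.items() if len(u) > 1}


# Hardened storage: a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256),
# serialised as "pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>" (my own format).
ITERATIONS = 600_000


def make_record(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(record, candidate):
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Same comparison the notes' SQL made: plaintext against the digest column.
    print("plaintext == stored digest:", USERS["admin"] == "password")
    print("hash-then-compare:", legacy_check("admin", "password"))
    print("accounts sharing a digest:", shared_hashes(USERS))
    r1, r2 = make_record("password"), make_record("password")
    print("salted records differ for the same password:", r1 != r2)
    print("salted record still verifies:", verify_record(r1, "password"))
```

Because the salt is random, two `make_record` calls for the same password yield different records, so a dump of the hardened table no longer reveals which accounts share a password, and each guess against it costs 600,000 PBKDF2 iterations instead of one MD5.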