靶机下载地址:戳我

This box is all about CMS as its name suggests. You need to enumerate the box, find the CMS, and exploit in order to gain access to other and finally get the user and root flag.

Hint: Proceed in the given order 😛

0x00 信息收集

fscan,梭:

好多站喔@ @,80端口界面如下:

8081端口:

9001端口:

0x01 获取权限

fscan的扫描结果提示8081端口存在cve-2015-7297注入漏洞。所以使用msf梭梭看,成功得到一些信息。

[{"activation":"0","block":"0","email":"Fluntence54@armyspy.com","id":"46","lastResetTime":"0000-00-00 00:00:00","lastvisitDate":"2021-05-31 09:14:41","name":"Super User","otep":"","otpKey":"","params":"","password":"$2y$10$EYc6SKfMLzlLE/IcD9a6XeAe2Uv7WTBFlbbqRrnpht1K0M1bLrWee","registerDate":"2021-05-29 10:08:24","requireReset":"0","resetCount":"0","sendEmail":"1","username":"joomlaCMS_admin"},{"activation":"","block":"1","email":"5T3e!_M0un7i@N","id":"47","lastResetTime":"0000-00-00 00:00:00","lastvisitDate":"0000-00-00 00:00:00","name":"elliot","otep":"","otpKey":"","params":"{\u0026quot;admin_style\u0026quot;:\u0026quot;\u0026quot;,\u0026quot;admin_language\u0026quot;:\u0026quot;\u0026quot;,\u0026quot;language\u0026quot;:\u0026quot;\u0026quot;,\u0026quot;editor\u0026quot;:\u0026quot;\u0026quot;,\u0026quot;helpsite\u0026quot;:\u0026quot;\u0026quot;,\u0026quot;timezone\u0026quot;:\u0026quot;\u0026quot;}","password":"$2y$10$jddnEQpjriJX9jPxh6C/hOag4ZZXae4iVhL7GVRPC9SHWgqbi4SYy","registerDate":"2021-05-31 09:16:30","requireReset":"0","resetCount":"0","sendEmail":"0","username":"elliot"}]

但是无法登陆,回显502,密码使用john无法破解。考虑使用得到的信息组合登陆其他端口的网站服务,无果。

注意到端口9001的CMS是Drupal 7,存在RCE漏洞,MSF也自带模块,这次成功拿到了www-data权限。

0x02 提升权限

在misc目录下的tyrell.pass文件中找到用户名和密码:

Username: tyrell
Password: mR_R0bo7_i5_R3@!_

home目录下倒确实有这个用户:

尝试使用ssh对其连接:

发现/home/elliot下存在user.txt,但是没有权限,需要提权。

上传les.sh,发现该环境存在CVE-2021-4034(PwnKit)提权漏洞。

找个exp,gcc编译一下提权成功了。成功看到了之前看不到的user.txt:

/root/下有root.txt,至此两个flag都找到了,没截图。总的来说,这次的靶机还算挺简单。