介绍

系列：HarryPotter（此系列共3台）
发布日期：2021年04月29日
难度: 中→高（Difficult to hit）
目标: 取得 root 权限 + 3 Flag
攻击方法:

• 主机发现
• 端口扫描
• WEB信息收集
• HTTP3协议
• 域名绑定
• SSRF漏洞（Gopher + Mysql）
• Joomla漏洞
• SSH公钥登录
• Browser password recovery

靶机地址：https://www.vulnhub.com/entry/harrypotter-fawkes,686/

信息收集

主机发现

netdiscover主机发现

sudo netdiscover -i eth0 -r 192.168.56.0/24

主机信息探测

网站探测

The beginning is a picture,没什么有价值的信息

目录扫描

这里提供2Enhanced document scanning：

1. dictionary,The former has dictionaries87664行,The latter has dictionaries220560行
2. 从速度上来说,gobuster远胜于dirsearch.因为gobuster扫完了220560dictionary of rows,dirsearch才扫描87664half of the line dictionary.

常规目录扫描
dirsearch -u http://192.168.56.115/

Enhanced document scanning
dirsearch -u http://192.168.56.115/ -f -e html,php,txt -w /usr/share/SecLists-2022.2/Discovery/Web-Content/directory-list-2.3-small.txt
gobuster dir -r -u http://192.168.56.110/site/ -x txt,html,php -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100

从下图中可以看出,Normal scan found it“joomla”站点,An enhanced file scan found a file“note.txt”,After reading it, I learned that the target drone also has a domain name,绑定host即可查看（浏览器必须支持HTTP3）,Here comes an embarrassing problem,我怎么去访问http3呢？After trying online tutorials, it failed,不清楚原因.I found out after checking the target drone strategy here,http3After visiting this domain name, you will see a prompt message,There is a sensitive page on the target machineinternalResourceFeTcher.php

joomscan 扫描

既然是joomla站点,先来joomscan 扫描看看

1. 直接扫描：joomscan -u "http://192.168.56.115",只发现了joomla后台
2. Specify road scan：joomscan -u "http://192.168.56.115/joomla"

A backup configuration file was found

下载备份文件,It was found that there is a name in the target drone“joomla”的mysql数据库.

发现SSRF漏洞

Open sensitive pagesinternalResourceFeTcher.php后,There is a frame,Fill in the content directly.Observe the browserurl栏中,赫然写着url=123,And the webpage says“Welcome to the internal network resource acquisition page ”,能通过webaccess to intranet resources,就是SSRF啊.

检查一下,确认存在SSRF漏洞

关于SSRFSupplement to missing scans

I've spent some time researching the ability to detectSSRF的工具,The result was very disappointing.

1. burpsuite插件ssrf-king

This is a passive detectionSSRF的插件,where I have explicitly verifiedSSRF的前提下,Plugin not foundSSRF漏洞

2. burpsuite插件Burp Bounty Pro

手工指定“Burp Bounty Pro”插件以GETThe method scans the specified page for presence or absenceSSRF,发现了SSRF漏洞

3. burpsuite插件J2EE

J2EEScanIs a passive scanning based can be usedjava开发的web程序,Surprise here,让BurpSuiteScan this page directly,J2EEScanSuspects were foundSSRF漏洞,SSRF-KingContinued to remain silent

4. SSRFmapp

这是一个在github上有着1.9K小星星的项目,One is used to implement automaticSSRFFuzzy exploit tool.
项目地址：https://github.com/swisskyrepo/SSRFmap
The actual experience doesn't feel good,下图中,I followed the method described in the project address for port scanning,It seems to be able to scan a port,However, only this one port can be scanned,Take a look at the captured packets and you'll understand why nothing was scanned.

此外,Discover this tool as described below“Gopherus”有重合,都能生成Gopher有效载荷,但是ssrfmapIt is not easy to operate without the latter,And it's also prone to warnings、错误信息.

综上,放弃ssrfmap工具.

利用SSRF漏洞

漏洞利用：这里着重介绍Gopher协议

Gopher在HTTPThe protocol is preceded by a very well-known information search system,但是随着web技术的发展,Few services will be usedGopher了,但是！在SSRF漏洞中,It's brilliant,让SSRFVulnerability exploits are more widespread,In theory as long as the backend application is based onTCP协议的,前端存在SSRF漏洞,并且我们可以使用GopherThe port to access the backend,那么我们就可以使用GopherAccess almost everything based onTCP的应用（对ftp,memchahe,mysql,telnet,redis,Waiting for the service to attack）,Send can be constructedGET,POST请求包.

说白了就是：通过SSRF漏洞,Let the server send its own carefully constructedGET或者POST请求包
格式：

gopher://<host>:<post>/<gopher-path>_后面接TCP数据流

利用要点（未验证）：

1. PHP版本大于等于5.3
2. PHP.ini开启了php_curl
3. gopher没有默认端口,需要指定:gopher://127.0.0.1:80
4. 在传送GET或POSTThe data needs to go through two timesURl编码
5. urlCarriage return and line feed need to be used when encoding%0d%0a替换%0a
6. POST中的&也需要url编码.

利用方式：

1. 利用SSRF进行内网渗透
2. gopher协议反弹shell
3. 超级经典的redis写入webshell

1. 验证Gopher协议

访问80The port is not responding,仔细看的话,You will notice that the browser keeps loading,The test effect is not obvious,但是换成22The port showed the result immediately.All of this proves that it can be usedGopher协议

2. 确认数据库

上面通过joomscanThe scan found sensitive files,Know that there is a shooting rangemysql数据库,确认一下,Found that the website started loading again,The database port is no problem.If you enter the correct command to connect to the database,In theory, we can see the connection result.It is impossible to construct commands by hand,直接上工具.

3. 利用工具

1. 安装与介绍

Using the tool is fairly simple,Just enter one parameter.

2. 查询表中所有列

After dozens of attempts,Finally got the results.【需要多次尝试】

通过搜索,Locate a table that meets expectations

3. 查询表中所有数据

Still after many attempts, the data was successfully queried,根据对比,能找到 site_admin 用户的密码,但是破解很难,It's as simple as updating the user's password.

4. 更新用户密码

设置密码123
echo -n "123" | md5sum

Perform update password
use joomla; update joomla_users SET password='202cb962ac59075b964b07152d234b70' WHERE username='site_admin';

entered many times,The page responds as follows,Then you can log in to the website.

反弹shell

寻找上传点

找到“error.php”页面,paste bounceshell的内容

拿到shell-Flag1

网上随便搜一下 error.php 的页面位置,在http://cn-sec.com/archives/286076.html 中看到了/templates/beez3/error.php,So splicing to get the path：http://192.168.56.115/joomla/templates/beez3/error.php

敏感文件-SSH登录

Sensitive files found：/home/snape/.creds.txt,base64解码后发现是[email protected],然后就SSH登录了.

敏感文件-SSH偷梁换柱

After some simple search,发现 hermoine There is a file in the user's home directorysuid权限的文件：su_cp,那么思路就来了,在kali下生成SSHPublic key cryptographic pair,Then copy the public key to hermoine 用户的 ssh 目录下,那么我就可以在kaliUse the private key above hermoine 的身份SSH连接到靶机了

1. 在kali下生成SSHPublic key cryptographic pair,and delivered to the target drone

2. Throw away the public key hermoine 用户的 ssh 目录下

chmod 640 id_rsa.pub
mv id_rsa.pub authorized_keys
/home/hermoine/bin/su_cp -p /home/snape/authorized_keys /home/hermoine/.ssh/

注意：

• 需要设置sshThe public key authority is 640（See about permissions：）
• 需要修改文件名：mv id_rsa.pub authorized_keys,否则ssh连接时需要密码

相关阅读：https://blog.csdn.net/qq_26400953/article/details/105145103
https://mp.weixin.qq.com/s/azDzb1AA8iwk4JLjMecwag

3. ssh免密连接

flag2

提权-firefox密码泄露

在 hermoine A hidden directory was found in the user's homemozilla,一般来说,This directory contains extensions for the Firefox browser、用户信息,and save to account password.I plan to copy all of these to kali上,然后在kaliInstall the tool above,to extract the account information saved in the browser.

1. 下载信息

scp -rp [email protected]:/home/hermoine/.mozilla /root/test

2. Download tools to extract information

Firefox Decrypt是一个从Mozilla（Firefox,Waterfox,Thunderbird,SeaMonkey）Tool to extract passwords from configuration files.项目地址：https://github.com/unode/firefox_decrypt

总结