[offensive-security] 7. Photographer target machine
I. Gathering target information
1. Known information:
- IP: 192.168.245.76
2. Information gathered:
- nmap scan of the open services
┌──(lo0p㉿0xlo0p)-[~]
└─$ nmap -sV -T4 192.168.245.76
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-28 10:18 CST
Nmap scan report for 192.168.245.76
Host is up (0.26s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: PHOTOGRAPHER; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.04 seconds
Web services are open on ports 80 and 8000, and SMB is also exposed.
3. Brute-forcing web directories
Scanning the directories on ports 80 and 8000 reveals a backend login page on port 8000 and a directory-listing path on port 80.
┌──(lo0p㉿0xlo0p)-[~]
└─$ dirsearch -u http://192.168.245.76:8000 -x 302
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/lo0p/.dirsearch/reports/192.168.245.76-8000/_22-10-28_10-22-57.txt
Error Log: /home/lo0p/.dirsearch/logs/errors-22-10-28_10-22-57.log
Target: http://192.168.245.76:8000/
[10:22:57] Starting:
[10:23:01] 301 - 0B - /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua -> / CSCOT /oem-customization/?app=AnyConnect&type=oem&platform=..&resource-type=..&name=+CSCOE+/portal_inc.lua
[10:23:01] 301 - 0B - /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ -> / CSCOT /translation-table/?type=mst&textdomain=/+CSCOE+/portal_inc.lua&lang=../
[10:23:29] 301 - 323B - /admin -> http://192.168.245.76:8000/admin/
[10:23:30] 200 - 1020B - /admin/
[10:23:30] 200 - 1020B - /admin/?/login
[10:23:31] 200 - 1020B - /admin/index.html
[10:23:43] 200 - 114B - /app/cache/
[10:23:43] 200 - 114B - /app/
[10:23:43] 200 - 114B - /app/logs/
[10:23:52] 200 - 3KB - /content/
[10:23:58] 200 - 3KB - /error/
[10:24:06] 200 - 4KB - /index.php
[10:24:40] 200 - 4KB - /wp-content/plugins/jrss-widget/proxy.php?url=
Task Completed
Port 8000 runs a Koken CMS instance; msf has no usable exploit for it, so the testing has to be done manually.
4. SMB file leak
┌──(lo0p㉿0xlo0p)-[~]
└─$ smbclient -L 192.168.245.76 -U root
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
sambashare Disk Samba on Ubuntu
IPC$ IPC IPC Service (photographer server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP PHOTOGRAPHER
┌──(lo0p㉿0xlo0p)-[~]
└─$ smbclient //192.168.245.76/sambashare -U root
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 20 23:51:08 2020
.. D 0 Fri Aug 21 00:08:59 2020
mailsent.txt N 503 Tue Jul 21 09:29:40 2020
wordpress.bkp.zip N 13930308 Tue Jul 21 09:22:23 2020
smb: \> get mailsent.txt
getting file \mailsent.txt of size 503 as mailsent.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> get wordpress.bkp.zip
getting file \wordpress.bkp.zip of size 13930308 as wordpress.bkp.zip (296.5 KiloBytes/sec) (average 288.7 KiloBytes/sec)
┌──(lo0p㉿0xlo0p)-[~]
└─$ cat mailsent.txt
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <agi@photographer.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <daisa@photographer.com>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)
The SMB share holds two files: mailsent.txt and what looks like a backup of the website. Reading mailsent.txt reveals what appears to be a backend password, and logging into the Koken CMS backend with it succeeds (user email: daisa@photographer.com, password: babygirl).
5. Arbitrary file upload vulnerability
Since this is a CMS, there must be somewhere to upload files. There is an "import content" button in the lower right corner; open Burp and capture the upload request.
The payload is as above. After a successful upload the response redirects to an address, and visiting that address gives the URL of the uploaded file.
This gives us a webshell. Connecting with AntSword (蚁剑), many commands return ret=2 when executed; I don't know whether this is an AntSword bug or a restriction, so we switch to an msf shell instead.
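The upload step above works because the import endpoint accepts whatever file it is handed. As an added defender-side example (not Koken's own code), the validator below shows the checks such an endpoint should make before storing a file: path components, executable or stacked extensions, a mismatch between the claimed image type and its file signature, and embedded script markers are all rejected, and the stored name is randomised. The allowlist, the executable-extension set and the sample inputs are assumptions constructed for this example.

```python
import os
import secrets

# Allowlisted image extensions -> accepted file signatures (constructed allowlist).
MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Extensions a web server may hand to an interpreter; rejected anywhere in the name
# so that stacked names such as shell.php.jpg do not slip through.
EXEC_EXTS = {"php", "phtml", "php3", "php4", "php5", "phar", "cgi", "sh"}


def validate_upload(filename: str, content: bytes):
    """Return (ok, reason, stored_name) for a candidate upload."""
    # Keep only the basename: strips ../ traversal and any directory part.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Dotfiles (.htaccess) and names without an extension are rejected.
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension", None
    suffixes = parts[1:]
    if any(s in EXEC_EXTS for s in suffixes):
        return False, "executable extension in name", None
    if len(suffixes) > 1:
        return False, "multiple extensions", None
    ext = suffixes[-1]
    if ext not in MAGIC:
        return False, "extension not allowlisted", None
    # The file signature must match the type the extension claims.
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match claimed type", None
    # Images with script markers inside are not worth storing at all.
    if b"<?php" in content or b"<script" in content.lower():
        return False, "embedded script marker", None
    # Random server-side name: the client-chosen name never reaches the webroot.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


if __name__ == "__main__":
    sample_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG header
    for name in ("photo.jpg", "shell.php.jpg", "../../pic.png", ".htaccess"):
        print(name, "->", validate_upload(name, sample_jpeg)[:2])
```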