毅种循环

HackTheBox-Curling


Information gathering#

─# nmap -sV 10.129.215.122         
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-09 21:59 EST
Nmap scan report for 10.129.215.122
Host is up (0.46s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.04 seconds


The favicon identifies the site as Joomla.
Directory scan:

┌──(root㉿kali)-[~/Downloads/dirsearch-master]
└─# python3 dirsearch.py -u http://10.129.215.122               

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11592

Output: /root/Downloads/dirsearch-master/reports/http_10.129.215.122/_23-01-09_22-06-39.txt

Target: http://10.129.215.122/

[22:06:39] Starting: 
[22:06:55] 403 -  279B  - /.ht_wsr.txt                                    
[22:06:55] 403 -  279B  - /.htaccess.bak1                                 
[22:06:56] 403 -  279B  - /.htaccess.orig                                 
[22:06:56] 403 -  279B  - /.htaccess.sample
[22:06:56] 403 -  279B  - /.htaccess.save                                 
[22:06:56] 403 -  279B  - /.htaccess_sc
[22:06:56] 403 -  279B  - /.htaccess_extra
[22:06:56] 403 -  279B  - /.htaccess_orig                                 
[22:06:56] 403 -  279B  - /.htaccessBAK
[22:06:56] 403 -  279B  - /.htaccessOLD2
[22:06:56] 403 -  279B  - /.html                                          
[22:06:56] 403 -  279B  - /.htpasswd_test
[22:06:56] 403 -  279B  - /.htm
[22:06:56] 403 -  279B  - /.htaccessOLD                                   
[22:06:56] 403 -  279B  - /.httr-oauth                                    
[22:06:56] 403 -  279B  - /.htpasswds                                     
[22:07:00] 403 -  279B  - /.php                                           
[22:07:40] 301 -  324B  - /administrator  ->  http://10.129.215.122/administrator/
[22:07:41] 200 -    2KB - /administrator/                                 
[22:07:41] 200 -  533B  - /administrator/includes/                        
[22:07:41] 200 -   31B  - /administrator/cache/
[22:07:41] 200 -    2KB - /administrator/index.php
[22:07:41] 301 -  329B  - /administrator/logs  ->  http://10.129.215.122/administrator/logs/
[22:07:41] 200 -   31B  - /administrator/logs/
[22:07:55] 200 -   31B  - /bin/                                           
[22:07:55] 301 -  314B  - /bin  ->  http://10.129.215.122/bin/
[22:07:58] 200 -   31B  - /cache/                                         
[22:07:58] 301 -  316B  - /cache  ->  http://10.129.215.122/cache/        
[22:08:02] 200 -   31B  - /cli/                                           
[22:08:04] 200 -   31B  - /components/                                    
[22:08:04] 301 -  321B  - /components  ->  http://10.129.215.122/components/
[22:08:06] 200 -    0B  - /configuration.php                              
[22:08:31] 200 -    1KB - /htaccess.txt                                   
[22:08:33] 301 -  317B  - /images  ->  http://10.129.215.122/images/      
[22:08:33] 200 -   31B  - /images/
[22:08:34] 200 -   31B  - /includes/                                      
[22:08:34] 301 -  319B  - /includes  ->  http://10.129.215.122/includes/  
[22:08:34] 200 -    4KB - /index.php                                      
[22:08:34] 404 -    3KB - /index.php/login/                               
[22:08:40] 200 -   31B  - /layouts/                                       
[22:08:40] 301 -  319B  - /language  ->  http://10.129.215.122/language/
[22:08:42] 200 -   31B  - /libraries/                                     
[22:08:42] 301 -  320B  - /libraries  ->  http://10.129.215.122/libraries/
[22:08:42] 200 -    7KB - /LICENSE.txt                                    
[22:08:49] 301 -  316B  - /media  ->  http://10.129.215.122/media/        
[22:08:49] 200 -   31B  - /media/                                         
[22:08:53] 301 -  318B  - /modules  ->  http://10.129.215.122/modules/    
[22:08:53] 200 -   31B  - /modules/                                       
[22:09:10] 301 -  318B  - /plugins  ->  http://10.129.215.122/plugins/    
[22:09:10] 200 -   31B  - /plugins/                                       
[22:09:17] 200 -    2KB - /README.txt                                     
[22:09:20] 200 -  395B  - /robots.txt.dist                                
[22:09:24] 403 -  279B  - /server-status                                  
[22:09:24] 403 -  279B  - /server-status/                                 
[22:09:41] 200 -   31B  - /templates/index.html                           
[22:09:41] 301 -  320B  - /templates  ->  http://10.129.215.122/templates/
[22:09:41] 200 -    0B  - /templates/system/                              
[22:09:41] 200 -   31B  - /templates/                                     
[22:09:41] 200 -    0B  - /templates/beez3/                               
[22:09:41] 200 -    0B  - /templates/protostar/                           
[22:09:44] 301 -  314B  - /tmp  ->  http://10.129.215.122/tmp/            
[22:09:44] 200 -   31B  - /tmp/                                           
[22:09:57] 200 -  567B  - /web.config.txt  

This gives us the /administrator backend path; the other exposed files (README.txt, htaccess.txt, web.config.txt and so on) turned up nothing usable for now.
Browsing the home page reveals an account name, Floris.


The home page source contains a commented-out reference to a txt file; requesting that file returns an encoded string:
Q3VybGluZzIwMTgh
It is Base64; decoding it gives the password:
Curling2018!
Log in to the backend as Floris with that password.

Backend#

Getting a shell through the Joomla backend is much like doing it through WordPress; three routes:

Method 1
Download a Joomla extension package such as com_zmaxappstore.zip (a Chinese-language package from its official site), unzip it, edit install.xml and add <filename>test.php</filename> to the admin file list, place test.php in the admin folder, re-zip it, then in the backend go to Extensions -> Install -> Upload Package File.

shell_url: /administrator/components/{component name}/test.php

Method 2
In the backend, Global Configuration -> Media -> Legal Extensions (File Types): add the php extension, then upload the shell through the Media Manager.

Method 3
In the backend, Extensions -> Templates -> Templates -> xxx Details and Files: open error.php, add the shell code and save.

shell_url: /administrator/templates/xxx/error.php for an administrator template (a site template such as protostar lives under /templates/xxx/error.php instead)


Create a new file, write a PHP one-liner web shell into it, save, then connect to it with a web-shell client.

Post-exploitation#

Browsing the home directory through the shell reveals a file named password_backup, but user.txt comes back empty.
Reading password_backup returns a hex dump; the BZh at the start reveals what the file is (the bzip2 magic):
https://en.wikipedia.org/wiki/List_of_file_signatures

Since we know it is a compressed file, all we have to do is reverse the dump back into binary.
We lack the permissions to do that on the box itself, so copy the dump back and unpack it locally.

Use xxd with -r to convert it back to binary:

root@kali# cat password_backup_orig | xxd -r > password_backup.bz2
root@kali# file password_backup.bz2 
password_backup.bz2: bzip2 compressed data, block size = 900k
and decompress:

root@kali# bunzip2 -k password_backup.bz2
Check the type of the resulting file; it turns out to be gzip-compressed:

root@kali# file password_backup
password_backup: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size 141                                                                                 
root@kali# mv password_backup password_backup.gz
Decompress it and check again: another bz2:

root@kali# gunzip -k password_backup.gz
root@kali# ls
password_backup  password_backup.bz2  password_backup.gz  password_backup_orig
root@kali# file password_backup
password_backup: bzip2 compressed data, block size = 900k
root@kali# mv password_backup password_backup2.bz2
Decompress once more, which yields a tar archive:

root@kali# bunzip2 -k password_backup2.bz2
root@kali# ls -l
total 48
-rwxrwx--- 1 root vboxsf 10240 Oct 29 16:25 password_backup2
-rwxrwx--- 1 root vboxsf   141 Oct 29 16:25 password_backup2.bz2
-rwxrwx--- 1 root vboxsf   244 Oct 29 16:25 password_backup.bz2
-rwxrwx--- 1 root vboxsf   173 Oct 29 16:25 password_backup.gz
-rwxrwx--- 1 root vboxsf  1076 Oct 29 16:22 password_backup_orig
root@kali# file password_backup2
password_backup2: POSIX tar archive (GNU)
Extract it to get a text file containing the password:

root@kali# mv password_backup2 password_backup.tar

root@kali# tar xvf password_backup.tar
password.txt

root@kali# ls -l
total 56
-rwxrwx--- 1 root vboxsf   141 Oct 29 16:25 password_backup2.bz2
-rwxrwx--- 1 root vboxsf   244 Oct 29 16:25 password_backup.bz2
-rwxrwx--- 1 root vboxsf   173 Oct 29 16:25 password_backup.gz
-rwxrwx--- 1 root vboxsf  1076 Oct 29 16:22 password_backup_orig
-rwxrwx--- 1 root vboxsf 10240 Oct 29 16:25 password_backup.tar
-rwxrwx--- 1 root vboxsf    19 May 22 15:15 password.txt
root@kali# cat password.txt
5d<wdCbdZu)|hChXll


Alternatively, online: https://gchq.github.io/CyberChef

Select From Hex followed by the Bzip2 Decompress operation (and keep peeling the gzip/bzip2 layers the same way).
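The manual chain above (xxd -r, then bzip2, gzip, bzip2 and tar by hand) generalizes: each layer announces itself with magic bytes, so a loop can peel layers until a tar archive appears. The following is an added Python example, not code from the original post. It constructs its own stand-in for password_backup with a made-up password and the same nesting order, so it runs offline; the xxd parser stops at the two-space gap before the ASCII column, which matters because the ASCII text (for instance "BZh9") can itself contain hex digits.

```python
import bz2
import gzip
import io
import sys
import tarfile

# Constructed sample content; the real password.txt from the box is deliberately not used.
SAMPLE_PASSWORD = b"not-the-real-password\n"


def xxd_dump(data: bytes) -> str:
    """Produce an xxd-style dump: offset, eight 2-byte groups padded to 39 columns,
    two spaces, then the ASCII column (the same layout that was read off the box)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump: str) -> bytes:
    """Equivalent of `xxd -r`: keep the hex column that follows the offset and stop at
    the two-space gap before the ASCII column, so printable bytes that happen to be
    hex digits are never parsed as data a second time."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexfield = line.split(":", 1)[1].lstrip().split("  ", 1)[0]
        out += bytes.fromhex(hexfield)
    return bytes(out)


def unwrap(data: bytes, max_layers: int = 16):
    """Peel compression layers by magic bytes until a tar archive (or unknown data)
    is reached. max_layers bounds the loop so a nested bomb cannot run forever.
    Returns (list of layer names, {member name: content})."""
    layers = []
    for _ in range(max_layers):
        if data.startswith(b"BZh"):                            # bzip2 magic
            layers.append("bzip2")
            data = bz2.decompress(data)
        elif data.startswith(b"\x1f\x8b"):                     # gzip magic
            layers.append("gzip")
            data = gzip.decompress(data)
        elif len(data) >= 512 and data[257:262] == b"ustar":   # tar header magic
            layers.append("tar")
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                files = {m.name: tar.extractfile(m).read()
                         for m in tar.getmembers() if m.isfile()}
            return layers, files
        else:
            break
    return layers, {"<raw>": data}


def build_sample_dump() -> str:
    """Construct a stand-in for password_backup with the box's nesting order:
    tar -> bzip2 -> gzip -> bzip2 -> xxd text."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="password.txt")
        info.size = len(SAMPLE_PASSWORD)
        tar.addfile(info, io.BytesIO(SAMPLE_PASSWORD))
    data = bz2.compress(buf.getvalue())
    data = gzip.compress(data)
    data = bz2.compress(data)
    return xxd_dump(data)


if __name__ == "__main__":
    # Pass a saved hex dump as argv[1]; with no argument the constructed sample is used.
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_dump()
    layers, files = unwrap(xxd_reverse(dump))
    print("layers:", " -> ".join(layers))
    for name, content in files.items():
        print(f"{name}: {content!r}")
```

Run it against the dump copied from the box (python3 unwrap.py password_backup_orig) and it reports the same bzip2 -> gzip -> bzip2 -> tar sequence the manual steps walked through, then prints the members of the tar.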

user#

With the password in hand, SSH in directly as floris and read user.txt.

root#

For root I could not find another way, so I fell back on a privilege-escalation exploit script.
First upload linpeas with scp:

┌──(root㉿kali)-[~/Desktop]
└─# scp /root/Downloads/linpeas.sh floris@10.129.215.122:/home/floris
floris@10.129.215.122's password: 
linpeas.sh     


Then run bash linpeas.sh and review the findings.

Upload the exploit script for the CVE-2021-4034 (pkexec) finding that linpeas reports and run it.

Done.
