ContainMe
端口扫描
root@ip-10-10-142-31:~/containme1# nmap -sTCV -p- --min-rate 1000 10.10.191.24
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-06 09:10 BST
Nmap scan report for ip-10-10-191-24.eu-west-1.compute.internal (10.10.191.24)
Host is up (0.00055s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a6:3e:80:d9:b0:98:fd:7e:09:6d:34:12:f9:15:8a:18 (RSA)
| 256 ec:5f:8a:1d:59:b3:59:2f:49:ef:fb:f4:4a:d0:1d:7a (ECDSA)
|_ 256 b1:4a:22:dc:7f:60:e4:fc:08:0c:55:4f:e4:15:e0:fa (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open EtherNetIP-1?
8022/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ppa1+obfuscated (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:ae:ea:27:3f:ab:10:ae:8c:2e:b3:0c:5b:d5:42:bc (RSA)
| 256 67:29:75:04:74:1b:83:d3:c8:de:6d:65:fe:e6:07:35 (ECDSA)
|_ 256 7f:7e:89:c4:e0:a0:da:92:6e:a6:70:45:fc:43:23:84 (EdDSA)
MAC Address: 02:70:87:2E:2F:1D (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
80
root@ip-10-10-142-31:~/containme1# gobuster dir -u http://10.10.191.24/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.191.24/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/10/06 09:14:07 Starting gobuster
===============================================================
/index.php (Status: 200)
/index.html (Status: 200)
/info.php (Status: 200)
访问我们的页面:
- info.php : phpinfo 界面, 什么也没有
- index.html 看起来是默认页面
- index.php 输出有些奇怪从这里来看是网站��的目录文件
查看网页信息你可以发现这是网站的目录文件, 并且网页源代码中提示 path参数
经过测试我发现这是命令注入漏洞
后渗透
www-data (172.16.20.2)
基于上面的命令注入来获取一个 Shell
www-data (172.16.20.2) —> root (172.16.20.2)
在枚举过程中你会发现一个特殊的 SUID 程序, 我在此尝试逆向但是没有结果, 看了别人的介绍都是讲的直接输入 mike 就可以获取到 root 权限,等回头自己修补一下吧
root (172.16.20.2) —> mike (172.16.20.6)
此时你会发现 root 目录下并没有我们的 flag 输入 ifconfig 你会发现有一个子网, 所以进行扫描后可以发现一个新的主机
在用户 mike 家目录发现一个 ssh 私钥, 所以尝试用次进行连接发现可以
mike (172.16.20.6) —> root(172.16.20.6)
查看端口占用情况发现还占用了 3306 端口, 所以进行一波 mysql 尝试最终发现连接密码为 mike:password, 在数据库中我们可以发现用户密码
mysql> SELECT * FROM users;
+-------+---------------------+
| login | password |
+-------+---------------------+
| root | bjsig4868fgjjeog |
| mike | WhatAreYouDoingHere |
+-------+---------------------+