Daily Bugle

端口扫描

root@ip-10-10-193-102:~# nmap -sTCV -p 22,80,3306 --min-rate 10000 10.10.175.133

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-15 09:21 BST
Nmap scan report for ip-10-10-175-133.eu-west-1.compute.internal (10.10.175.133)
Host is up (0.00013s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (EdDSA)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
3306/tcp open  mysql   MariaDB (unauthorized)
MAC Address: 02:17:DE:78:6C:6F (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.22 seconds

80

进行目录扫描

root@ip-10-10-193-102:~/dailybugle# gobuster dir -u http://10.10.175.133/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php.txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.175.133/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php.txt,html
[+] Timeout:        10s
===============================================================
2023/10/15 09:27:37 Starting gobuster
===============================================================
/images (Status: 301)
/templates (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/bin (Status: 301)
/plugins (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/components (Status: 301)
/cache (Status: 301)
/libraries (Status: 301)
/tmp (Status: 301)
/layouts (Status: 301)
/administrator (Status: 301)
/cli (Status: 301)
===============================================================
2023/10/15 09:30:20 Finished
===============================================================

访问站点, 我们可以发现其存在一个登陆窗口, 同时我们也可以发现一个 administrator 页面. 通过页面的内容我们可以确定这是一个 joombla CMS

在发现其 CMS 之后我马上进行了寻找漏洞, 最后发现一个 sqli , https://github.com/stefanlucas/Exploit-Joomla将其下载进行攻击验证

从上面我们可以获取到一个管理员用户, 接着进行暴力破解 (破解时间很长)

root@ip-10-10-193-102:~/dailybugle# john hash.txt --wordlist=`locate rockyou.txt` -format=bcrypt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spiderman123     (?)
1g 0:00:22:23 DONE (2023-10-15 11:22) 0.000744g/s 34.87p/s 34.87c/s 34.87C/s sweet28..spaceship
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
root@ip-10-10-193-102:~/dailybugle#

在破解到密码之后我便登陆了后台管理页面, 之后我在此搜索了如何利用 Joomla 后台获取 Shell, 在这里我选择了修改模板文件

后渗透

apache

访问我们修改的文件之后我们就可以得到一个 Shell

###apache —> jjameson

按照常理我们肯定要去查看完整的数据库配置文件, 从中获取到密码, 随后我发现其对应的数据库密码是用户jjameson 的密码

nv5uz9r3ZEDzVjNu

jjameson —> root

之后我发现 jjameson 用户存在 SUDO 特权 yum#sudo

在这里我使用了第二种方式, 进行提权操作