
Tiki:1

Description

Oh no, our web server has been compromised. The attacker used a 0day, so we don't know how he got into the admin panel. Investigate.

This is an OSCP prep box based on a CVE I discovered recently. It is pitched at the level of the OSCP lab machines.

Penetration process

First comes information gathering; the target's IP can be found with either nmap or netdiscover.

Target IP: 192.168.56.102

Next, scan all ports:

nmap -sS -p- 192.168.56.102 -T4 --min-rate 1000 -oN nmap.txt

Results:

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Then scan those ports for service and version information:

nmap -sV -sC -O -p22,80,139,445 192.168.56.102

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 a3d84a89a9256d07c53d762806edd1c0 (RSA)
|   256 e7b289055457dc02f48c3a7c558b51aa (ECDSA)
|_  256 fd77072b4a163a016be0000c0a36d82f (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/tiki/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:26:96:01 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 7h59m57s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: 00:00:00:00:00:00 (Xerox)
| smb2-time:
|   date: 2023-12-04T20:55:56
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.95 seconds
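The normal-output (-oN) format above is what the first scan wrote to nmap.txt. The following is an added example, not code from the original post: it parses that format into one record per port, keeps the NSE script lines attached to their port, and flags the findings a defender would act on from this particular output (SMB signing enabled but not required, a robots.txt entry that only advertises /tiki/, and the clock skew that complicates log correlation). The sample text is a constructed, trimmed copy of the scan output quoted above; the smb.conf setting named in the finding is Samba's own "server signing" option.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the nmap -oN output shown in the post.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/tiki/
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2

Host script results:
|_clock-skew: 7h59m57s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

# "22/tcp  open  ssh  OpenSSH 8.2p1 ..." -> port, proto, state, service, free-text version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text: str) -> List[Dict]:
    """Turn nmap normal output into records; NSE '|' lines are attached to the preceding port.

    Host-level scripts (after 'Host script results:') go into a pseudo-record with service 'host'.
    """
    records: List[Dict] = []
    current = None
    in_host_scripts = False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host_scripts = True
            current = {"port": None, "proto": None, "state": None,
                       "service": "host", "version": "", "scripts": []}
            records.append(current)
            continue
        m = PORT_LINE.match(line)
        if m and not in_host_scripts:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5).strip(), "scripts": []}
            records.append(current)
        elif line.startswith("|") and current is not None:
            # strip the '|', '|_' prefix and indentation, keep the script text
            current["scripts"].append(line.lstrip("|_ ").rstrip())
    return records


def open_ports(records: List[Dict]) -> List[int]:
    return sorted(r["port"] for r in records if r["port"] is not None and r["state"] == "open")


def findings(records: List[Dict]) -> List[Tuple[int, str]]:
    """Security-relevant observations drawn from the parsed scan, as (port, message) pairs."""
    out: List[Tuple[int, str]] = []
    for r in records:
        joined = " ".join(r["scripts"])
        if r["service"] == "http":
            # robots.txt entries are hints to crawlers, not access control: anything listed is discoverable
            for path in (s for s in r["scripts"] if s.startswith("/")):
                out.append((r["port"], f"robots.txt disallows {path}: advertised, not protected"))
        if r["service"] == "host":
            if "Message signing enabled but not required" in joined:
                out.append((445, "SMB signing not required: set 'server signing = mandatory' in smb.conf"))
            for s in r["scripts"]:
                if s.startswith("clock-skew:"):
                    skew = s.split(":", 1)[1].strip()
                    out.append((0, f"clock skew of {skew} vs scanner: align timestamps before correlating logs"))
    return out


if __name__ == "__main__":
    recs = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print("open ports:", open_ports(recs))
    for port, msg in findings(recs):
        print(f"[{port}] {msg}")
```

Feed it the real nmap.txt with `parse_nmap(open("nmap.txt").read())`; the port regex ignores the header line and anything that is not a port row, so the "Nmap done" trailer and OS-detection lines pass through harmlessly.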

There is a Samba service, so enumerate it.

Running enum4linux finds the user silky; list the shares with smbclient:

smbclient -L IP

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
Notes           Disk      My Notes
IPC$            IPC       IPC Service (ubuntu server (Samba, Ubuntu))

There is a Notes share; connecting with smbclient //192.168.56.102/Notes reveals a Mail.txt.

Download it and read it:

#Mail.txt
Hi Silky
because of a current Breach we had to change all Passwords,
please note that it was a 0day, we don't know how he made it.

Your new CMS-password is now 51lky571k1,
please investigate how he made it into our Admin Panel.

Cheers Boss.

This gives the CMS password, but logging in with it gets us nowhere by itself.

Check whether the CMS has any known vulnerabilities:

searchsploit tiki cms

---------------------------------------------------------------------------- ---------------------------
 Exploit Title                                                              | Path
---------------------------------------------------------------------------- ---------------------------
Tiki Wiki CMS 15.0 - Arbitrary File Download | php/webapps/40080.txt
Tiki Wiki CMS Calendar 6.15/9.11 LTS/12.5 LTS/14.2 - Remote Code Execution | php/webapps/39965.txt
Tiki Wiki CMS Groupware - 'url' Open Redirection | php/webapps/36848.txt
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass | php/webapps/48927.py
Tiki Wiki CMS Groupware 5.2 - Multiple Vulnerabilities | php/webapps/15174.txt
Tiki Wiki CMS Groupware 7.2 - 'snarf_ajax.php' Cross-Site Scripting | php/webapps/35974.txt
Tiki Wiki CMS Groupware 8.1 - 'show_errors' HTML Injection | php/webapps/36470.txt
Tiki Wiki CMS Groupware 8.2 - 'snarf_ajax.php' Remote PHP Code Injection | php/webapps/18265.txt
Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution | php/webapps/19573.php
Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution (Metasploit) | php/webapps/19630.rb
---------------------------------------------------------------------------- ---------------------------
Shellcodes: No Results
Papers: No Results

To find the CMS version, dirsearch turns up a changelog.

Visiting it shows version 21.1, which matches one of the known vulnerabilities above.

Download the script with searchsploit tiki cms -m 48927 and run it; it resets the admin password to empty. Then log in as admin, intercept the login request with Burp Suite and set the password field to empty; the login succeeds. On the Credentials page listed under lastchange you can find silky:Agy8Y7SPJNXQzqA, which is the SSH password. Connect over SSH and check id: the user is in the sudo group, so sudo su gives root directly.

Summary

When I first set up the lab, the target's address could not be discovered; this was because my attack machine and the target were not on the same LAN. Bridging the target's NIC with the attack machine's fixed it.

Only the correct path is recorded here; during a penetration test you should still explore the other functionality.