OSCP-PG-GlasgowSmile

Mkd1R 2022-5-26 80 5/26

#Enumeration

-nmap

# nmap -sS -Pn -open -T4 -p- 192.168.210.79
Nmap scan report for 192.168.210.79
Host is up (0.29s latency).
Not shown: 64630 closed tcp ports (reset), 903 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 838.90 seconds

-nmap2

# nmap -p 22,80 -A 192.168.210.79            
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-26 10:16 CST
Nmap scan report for 192.168.210.79
Host is up (0.29s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 67:34:48:1f:25:0e:d7:b3:ea:bb:36:11:22:60:8f:a1 (RSA)
|   256 4c:8c:45:65:a4:84:e8:b1:50:77:77:a9:3a:96:06:31 (ECDSA)
|_  256 09:e9:94:23:60:97:f7:20:cc:ee:d6:c1:9b:da:18:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.18 (91%), Linux 4.15 - 5.6 (90%), Linux 2.6.32 (90%), Linux 2.6.32 or 3.10 (90%), Linux 2.6.39 (90%), Linux 3.10 - 3.12 (90%), Linux 3.4 (90%), Linux 3.7 (90%), Linux 4.4 (90%), Synology DiskStation Manager 5.1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

#Web Enumeration

-Gobuster

# gobuster dir -u http://192.168.210.79 -t 50 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt,json -o gbig2.txt 
===============================================================
/index.html           (Status: 200) [Size: 125]
/joomla               (Status: 301) [Size: 317] [--> http://192.168.210.79/joomla/]
/server-status        (Status: 403) [Size: 279]

-Gobuster2

# gobuster dir -u http://192.168.210.79/joomla/ -t 50 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt,json -o gbig2.txt 
===============================================================
/LICENSE.txt          (Status: 200) [Size: 18092]
/README.txt           (Status: 200) [Size: 4874] 
/administrator        (Status: 301) [Size: 331] [--> http://192.168.210.79/joomla/administrator/]
/bin                  (Status: 301) [Size: 321] [--> http://192.168.210.79/joomla/bin/]
/cache                (Status: 301) [Size: 323] [--> http://192.168.210.79/joomla/cache/]
/cli                  (Status: 301) [Size: 321] [--> http://192.168.210.79/joomla/cli/]
/components           (Status: 301) [Size: 328] [--> http://192.168.210.79/joomla/components/]
/configuration.php    (Status: 200) [Size: 0]
/htaccess.txt         (Status: 200) [Size: 3005]
/images               (Status: 301) [Size: 324] [--> http://192.168.210.79/joomla/images/]
/index.php            (Status: 200) [Size: 10013]                                                
/includes             (Status: 301) [Size: 326] [--> http://192.168.210.79/joomla/includes/]
/language             (Status: 301) [Size: 326] [--> http://192.168.210.79/joomla/language/] 
/layouts              (Status: 301) [Size: 325] [--> http://192.168.210.79/joomla/layouts/]
/libraries            (Status: 301) [Size: 327] [--> http://192.168.210.79/joomla/libraries/]
/media                (Status: 301) [Size: 323] [--> http://192.168.210.79/joomla/media/]
/modules              (Status: 301) [Size: 325] [--> http://192.168.210.79/joomla/modules/]
/plugins              (Status: 301) [Size: 325] [--> http://192.168.210.79/joomla/plugins/] 
/robots.txt           (Status: 200) [Size: 836]
/templates            (Status: 301) [Size: 327] [--> http://192.168.210.79/joomla/templates/]
/tmp                  (Status: 301) [Size: 321] [--> http://192.168.210.79/joomla/tmp/]

-Gobuster3

# gobuster dir -u http://192.168.210.79/joomla/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,json -o gbig2.txt 
===============================================================
/index.php            (Status: 200) [Size: 10013]
/images               (Status: 301) [Size: 324] [--> http://192.168.210.79/joomla/images/]
/media                (Status: 301) [Size: 323] [--> http://192.168.210.79/joomla/media/] 
/templates            (Status: 301) [Size: 327] [--> http://192.168.210.79/joomla/templates/]
/modules              (Status: 301) [Size: 325] [--> http://192.168.210.79/joomla/modules/]  
/bin                  (Status: 301) [Size: 321] [--> http://192.168.210.79/joomla/bin/]      
/plugins              (Status: 301) [Size: 325] [--> http://192.168.210.79/joomla/plugins/]  
/includes             (Status: 301) [Size: 326] [--> http://192.168.210.79/joomla/includes/] 
/language             (Status: 301) [Size: 326] [--> http://192.168.210.79/joomla/language/] 
/README.txt           (Status: 200) [Size: 4874]                                             
/components           (Status: 301) [Size: 328] [--> http://192.168.210.79/joomla/components/]
/cache                (Status: 301) [Size: 323] [--> http://192.168.210.79/joomla/cache/]     
/libraries            (Status: 301) [Size: 327] [--> http://192.168.210.79/joomla/libraries/] 
/robots.txt           (Status: 200) [Size: 836]                                               
/LICENSE.txt          (Status: 200) [Size: 18092]                                             
/tmp                  (Status: 301) [Size: 321] [--> http://192.168.210.79/joomla/tmp/]       
/layouts              (Status: 301) [Size: 325] [--> http://192.168.210.79/joomla/layouts/]   
/administrator        (Status: 301) [Size: 331] [--> http://192.168.210.79/joomla/administrator/]
/configuration.php    (Status: 200) [Size: 0]                                                    
/htaccess.txt         (Status: 200) [Size: 3005]                                                 
/cli                  (Status: 301) [Size: 321] [--> http://192.168.210.79/joomla/cli/] 

#Exploitation

I tried a few common passwords on the Joomla administrator login without getting in, so I harvested the text of the public Joomla pages into a wordlist and used it to brute-force the administrator password in Burp, with joomla as the username:
# cewl http://192.168.210.79/joomla/ > passfile.txt                                          
┌──(root㉿Mkd1R)-[/home/PG/GlasgowSmile]
└─# cat passfile.txt                                 
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
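A defender-side counterpart to the Burp brute force described above, added here as an example that is not part of the original write-up: it parses Apache combined-format access log lines and flags any source that POSTs to the Joomla administrator login at least a threshold number of times inside a sliding time window. The log lines, the IPs in them and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-format line; only the fields needed here are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
ADMIN_LOGIN = "/joomla/administrator/index.php"   # Joomla back-end login endpoint

# Constructed sample log (not the box's real access log): one source sends five
# login POSTs within three seconds, another browses normally and posts once.
SAMPLE_LOG = """\
192.168.210.5 - - [26/May/2022:10:41:10 +0800] "POST /joomla/administrator/index.php HTTP/1.1" 303 0
192.168.210.5 - - [26/May/2022:10:41:11 +0800] "POST /joomla/administrator/index.php HTTP/1.1" 303 0
192.168.210.5 - - [26/May/2022:10:41:11 +0800] "POST /joomla/administrator/index.php HTTP/1.1" 303 0
192.168.210.5 - - [26/May/2022:10:41:12 +0800] "POST /joomla/administrator/index.php HTTP/1.1" 303 0
192.168.210.5 - - [26/May/2022:10:41:13 +0800] "POST /joomla/administrator/index.php HTTP/1.1" 303 0
192.168.210.77 - - [26/May/2022:10:45:00 +0800] "GET /joomla/ HTTP/1.1" 200 10013
192.168.210.77 - - [26/May/2022:10:45:30 +0800] "POST /joomla/administrator/index.php HTTP/1.1" 303 0
"""

def parse(line):
    """Return {ip, ts (datetime), method, path} for one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_login_posts} for each source that sent at least
    `threshold` POSTs to the admin login inside some `window`-long span."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == ADMIN_LOGIN:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running find_bruteforce(SAMPLE_LOG) flags 192.168.210.5 only; a real deployment would read the rotated access log and tune threshold and window to the site's normal login rate.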
Once logged in to the administrator panel I needed a shell, so I got a reverse shell by editing a template's source. The path is Extensions-->Templates-->Templates; I edited the index.php of Beez3 Details and Files and replaced it with the PHP reverse shell that ships with Kali (/usr/share/webshells/php/php-reverse-shell.php). After saving, I browsed to 192.168.210.79/joomla/templates/beez3 and caught a shell on my local listener, then upgraded it to an interactive shell with python3 -c "import pty;pty.spawn('/bin/bash')".

#Escalation

I started another round of searching and found the MySQL credentials in the site's configuration file, configuration.php:
public $host = 'localhost';
public $user = 'joomla';
public $password = 'babyjoker';
A user named rob exists under the home directory. I base64-decoded the encoded string and tried to connect over ssh:
# echo "Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/" |base64 -d
???AllIHaveAreNegativeThoughts??? 

#Changing user

There are several files in the current home directory. When I looked at the file Abnerineedyourhelp I found a dialogue, but it was encoded. I tried decoding it as base64 and failed, then succeeded with ROT13 (decoding site: https://www.chinabaiker.com/cyberchef.htm). The dialogue told me to use the password it gave me (I33hope99my0death000makes44more8cents00than0my0life0) to solve the puzzle, and with that password I switched to the abner user.
After a long search I found a file named .dear_penguins.zip. I fetched it with wget and opened it using I33hope99my0death000makes44more8cents00than0my0life0 again as the archive password, which yielded another dialogue and a key-like string that I used to switch to the penguin user:

# cat dear_penguins       
My dear penguins, we stand on a great threshold! It's okay to be scared; many of you won't be coming back. Thanks to Batman, the time has come to punish all of God's children! First, second, third and fourth-born! Why be biased?! Male and female! Hell, the sexes are equal, with their erogenous zones BLOWN SKY-HIGH!!! FORWAAAAAAAAAAAAAARD MARCH!!! THE LIBERATION OF GOTHAM HAS BEGUN!!!!!
scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz
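A small decode helper for the "base64 failed, ROT13 worked" step described above, added here as an example that is not part of the original write-up: it tries strict base64 and ROT13 on a blob and scores each candidate by how much it looks like English text, so the choice of decoding is made by code rather than by eye. The tiny common-word list and the sample note are constructed; the sample is not the box's Abnerineedyourhelp file.

```python
import base64
import codecs
import string

# Constructed heuristic: a handful of very common English words.
COMMON_WORDS = {"the", "a", "to", "you", "i", "is", "and", "of", "my", "it", "in", "use"}

def rot13(text):
    """ROT13 is its own inverse, so this both encodes and decodes."""
    return codecs.decode(text, "rot13")

def try_base64(text):
    """Strict base64 decode; returns None when the input is not valid base64 or not ASCII text."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None

def english_score(text):
    """0..1: share of printable characters times share of tokens that are common words."""
    if not text:
        return 0.0
    printable = sum(ch in string.printable for ch in text) / len(text)
    tokens = [t.strip(string.punctuation).lower() for t in text.split()]
    tokens = [t for t in tokens if t]
    hits = sum(t in COMMON_WORDS for t in tokens) / len(tokens) if tokens else 0.0
    return printable * hits

def best_decoding(blob):
    """Return (method, plaintext, score) for the candidate that looks most like English."""
    candidates = {"plain": blob, "rot13": rot13(blob)}
    b64 = try_base64(blob)
    if b64 is not None:                         # only a candidate when it is valid base64
        candidates["base64"] = b64
    method = max(candidates, key=lambda k: english_score(candidates[k]))
    return method, candidates[method], english_score(candidates[method])

# Constructed sample: a ROT13-encoded note in the spirit of the box, not its real file.
SAMPLE = rot13("Abner, I need your help. Use the password I gave you to open the archive.")

if __name__ == "__main__":
    print(best_decoding(SAMPLE))
```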

#Elevate privileges

Finding nothing else, I uploaded pspy to watch running processes and found a file I had overlooked.

I added a Python reverse-shell line to that file and, after waiting a while, received a shell with root privileges.

- THE END -

Mkd1R

2 July, 21:54

Last modified: 2 July 2022

Unless otherwise stated, all posts on this blog are the author's original work.