
VulNyx Leak Machine Writeup

Difficulty: Medium


Network Scan

└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.26.128
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.26.2    00:50:56:e8:d4:e1       (Unknown)
192.168.26.1    00:50:56:c0:00:08       (Unknown)
192.168.26.177  00:0c:29:a2:58:a9       (Unknown)
192.168.26.254  00:50:56:ff:4b:3d       (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.893 seconds (135.24 hosts/sec). 4 responded

Port Scan

└─# nmap -p- -sC -sV 192.168.26.177
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-19 02:15 EST
Nmap scan report for 192.168.26.177 (192.168.26.177)
Host is up (0.0010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
8080/tcp open  http    Jetty 10.0.13
|_http-title: Panel de control [Jenkins]
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Jetty(10.0.13)
| http-robots.txt: 1 disallowed entry 
|_/
MAC Address: 00:0C:29:A2:58:A9 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.48 seconds

Getting a Webshell

From the port scan results, this box most likely tests a version-specific CVE in one of the exposed services.

[Figures 0 and 1]

Looking at the web side, port 80 is just the Apache default page, so let's move on and look at the other service.

[Figures 2 to 5]

We now know a login username, so we can try brute-forcing the password.

[Figure 6]

[Figures 7 and 8]

It is extremely slow, and this does not feel like the intended route, so let's scan directories instead.

[Figure 9]

Switching approach gave us a lead.

[Figure 10]

[Figure 11]

The small wordlist gave no results, so let's switch to a larger one.

[Figures 12 and 13]

…Stuck for half an hour. Let's look at port 8080 instead.

[Figures 14 to 18]

[Figures 19 and 20]

It works.

[Figures 21 and 22]

The URL path was wrong earlier; after correcting it, files can be downloaded. Let's look at connect.php on port 80, which the directory scan turned up after half an hour.

[Figure 23]

A username and password; let's try logging in with them.

[Figure 24]

No luck. Let's check SSH, but there is no SSH on IPv4, so maybe it is listening on IPv6.

[Figure 25]

Nothing showed up. Other approaches are possible, such as looking for the target's IPv6-related files, since the box may be set up so that its IPv6 address cannot be discovered directly right now.

[Figure 26]

[Figures 27 to 29]

That did not work; a different approach is needed.

[Figures 30 and 31]

I looked it up: this 0 cannot be omitted.

[Figure 32]

Privilege Escalation

george@leak:~$ sudo -l
Matching Defaults entries for george on leak:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User george may run the following commands on leak:
    (root) NOPASSWD: /usr/bin/wkhtmltopdf
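The `sudo -l` output above is exactly what a host audit should flag: a document converter that takes any input path and any output path, running as root without a password. The following added example (not part of the original writeup) parses that output and reports such rules; the sample text is the writeup's output plus one constructed password-protected rule for contrast, and the list of file read/write tools is an assumption.

```python
import os
import re
from typing import Dict, List

# Constructed sample: the `sudo -l` output shown in the writeup, plus one extra
# password-protected rule (an assumption, added for contrast).
SAMPLE_SUDO_L = r"""Matching Defaults entries for george on leak:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User george may run the following commands on leak:
    (root) NOPASSWD: /usr/bin/wkhtmltopdf
    (root) /usr/bin/systemctl restart apache2
"""

# Tools that take an arbitrary input path and an arbitrary output path. Run as
# root they become a read-any-file / write-any-file primitive (hypothetical list).
FILE_RW_TOOLS = {"wkhtmltopdf", "wkhtmltoimage", "pandoc", "tar", "cp", "dd"}

# "(root) NOPASSWD: /usr/bin/wkhtmltopdf" -> runas, optional tags, command list
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Return one dict per command in the 'may run the following' section."""
    rules: List[Dict[str, object]] = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas = m.group("runas").split(":")[0].strip()  # "root" from "root : root"
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules


def assess(rules: List[Dict[str, object]]) -> List[str]:
    """Flag root-level rules whose binary can read or write arbitrary paths."""
    findings = []
    for r in rules:
        binary = os.path.basename(str(r["command"]).split()[0])
        if r["runas"] in ("root", "ALL") and binary in FILE_RW_TOOLS:
            auth = "without a password" if r["nopasswd"] else "with the user's password"
            findings.append(f"HIGH: {r['command']} runs as root {auth}; "
                            f"{binary} reads any input path and writes any output path")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The fix on the host side is to drop the rule or replace it with a wrapper that fixes both the input and output paths; NOPASSWD only removes the last speed bump.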
george@leak:~$ sudo /usr/bin/wkhtmltopdf
You need to specify at least one input file, and exactly one output file
Use - for stdin or stdout

Name:
  wkhtmltopdf 0.12.6

Synopsis:
  wkhtmltopdf [GLOBAL OPTION]... [OBJECT]... <output file>
  
Document objects:
  wkhtmltopdf is able to put several objects into the output file, an object is
  either a single webpage, a cover webpage or a table of contents.  The objects
  are put into the output document in the order they are specified on the
  command line, options can be specified on a per object basis or in the global
  options area. Options from the Global Options section can only be placed in
  the global options area.

  A page objects puts the content of a single webpage into the output document.

  (page)? <input url/file name> [PAGE OPTION]...
  Options for the page object can be placed in the global options and the page
  options areas. The applicable options can be found in the Page Options and 
  Headers And Footer Options sections.

  A cover objects puts the content of a single webpage into the output document,
  the page does not appear in the table of contents, and does not have headers
  and footers.

  cover <input url/file name> [PAGE OPTION]...
  All options that can be specified for a page object can also be specified for
  a cover.

  A table of contents object inserts a table of contents into the output
  document.

  toc [TOC OPTION]...
  All options that can be specified for a page object can also be specified for
  a toc, further more the options from the TOC Options section can also be
  applied. The table of contents is generated via XSLT which means that it can
  be styled to look however you want it to look. To get an idea of how to do
  this you can dump the default xslt document by supplying the
  --dump-default-toc-xsl, and the outline it works on by supplying
  --dump-outline, see the Outline Options section.

Description:
  Converts one or more HTML pages into a PDF document, *not* using wkhtmltopdf
  patched qt.

Global Options:
      --collate                       Collate when printing multiple copies
                                      (default)
      --no-collate                    Do not collate when printing multiple
                                      copies
      --copies <number>               Number of copies to print into the pdf
                                      file (default 1)
  -H, --extended-help                 Display more extensive help, detailing
                                      less common command switches
  -g, --grayscale                     PDF will be generated in grayscale
  -h, --help                          Display help
      --license                       Output license information and exit
      --log-level <level>             Set log level to: none, error, warn or
                                      info (default info)
  -l, --lowquality                    Generates lower quality pdf/ps. Useful to
                                      shrink the result document space
  -O, --orientation <orientation>     Set orientation to Landscape or Portrait
                                      (default Portrait)
  -s, --page-size <Size>              Set paper size to: A4, Letter, etc.
                                      (default A4)
  -q, --quiet                         Be less verbose, maintained for backwards
                                      compatibility; Same as using --log-level
                                      none
      --read-args-from-stdin          Read command line arguments from stdin
      --title <text>                  The title of the generated pdf file (The
                                      title of the first document is used if not
                                      specified)
  -V, --version                       Output version information and exit

Reduced Functionality:
  This version of wkhtmltopdf has been compiled against a version of QT without
  the wkhtmltopdf patches. Therefore some features are missing, if you need
  these features please use the static version.

  Currently the list of features only supported with patch QT includes:

 * Printing more than one HTML document into a PDF file.
 * Running without an X11 server.
 * Adding a document outline to the PDF file.
 * Adding headers and footers to the PDF file.
 * Generating a table of contents.
 * Adding links in the generated PDF file.
 * Printing using the screen media-type.
 * Disabling the smart shrink feature of WebKit.

Contact:
  If you experience bugs or want to request new features please visit 
  <https://wkhtmltopdf.org/support.html>

[Figures 33 and 34]

I had an idea: if it can write the output file in its original format, it could be used to overwrite files.

[Figure 35]

Stuck here, so I ran an enumeration tool to see whether it gives any hints, and looked for web-format files that could be rendered into a PDF.

[Figure 37]

This is an example.

[Figure 36]

There is a scheduled task; let's try to retrieve it.

[Figure 38]

It reads the file directly, but the PDF has to be transferred out to see what is inside it.

[Figures 39 and 41]
[Figure 40]

There is a private key; let's try logging in with it.

[Figure 42]

A note on why those two PDFs came out the way they did: the tool accepts an absolute path starting with / instead of an http:// URL. With http://127.0.0.1/connect.php the PHP is executed by the web server before rendering, so the PDF shows no result. The main reason root.txt failed is that the file is not actually named root.txt.

[Figure 43]

That wraps up the writeup for this box.

User flag: f65335b64773d249e3f7372c0b79c2c6

Root flag: 89c441988949961e48d5085c3d70c9f1

This post is licensed under CC BY 4.0 by the author.