
VulnVM Administrator walkthrough

Difficulty: Medium


Subnet scan

root@LingMj:~# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d1:27:55, IPv4: 192.168.137.190
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.137.1	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.5	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.66	a0:78:17:62:e5:0a	Apple, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.101 seconds (121.85 hosts/sec). 3 responded

Port scan

root@LingMj:~# nmap -p- -sC -sV 192.168.137.5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 18:56 EST
Nmap scan report for administrator.mshome.net (192.168.137.5)
Host is up (0.0072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e:5d:29:05:44:f2:fc:c7:b5:cd:c0:c0:4d:c7:b9:4b (RSA)
|   256 a4:35:b4:ca:be:d3:8b:95:fc:14:f2:55:c5:80:a5:bd (ECDSA)
|_  256 62:83:88:6a:5e:77:c1:c0:ed:ed:e6:eb:6d:10:68:9b (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Login @ 17.0.0
|_Requested resource was http://administrator.mshome.net/dolibarr/htdocs/
MAC Address: 3E:21:9C:12:BD:A3 (Unknown)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.43 seconds

Getting a webshell

pictures 0-2

I spent two days on this and finally got the breakthrough from a writeup. The breakthrough was to connect to my own database: change localhost to my own IP. Honestly, I never would have thought of it. I had tried every other field except root and this one, which I had assumed could not be changed.

pictures 3-5

First start MySQL and set its bind address to 0.0.0.0 rather than 127.0.0.1; the path of the config file to edit is left for you to find.

picture 6

Next you need to create a database yourself, and it is better to use a separate login rather than root. That part is up to you, but make sure you create the user, use it, and delete it afterwards, so you don't leave your own configuration in a mess.

To save everyone from looking up the commands again, here are mine; adjust them as needed.

MariaDB [(none)]> CREATE USER 'xxoo'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.012 sec)

MariaDB [(none)]> CREATE DATABASE dolibarr;
Query OK, 1 row affected (0.003 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON dolibarr.* TO 'xxoo'@'%';
Query OK, 0 rows affected (0.004 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.004 sec)

Fill in your own username and password.

picture 7

With that preparation done, you can connect to the database.

pictures 8-13

Next come the vulnerabilities for this version; you can look those up yourself.

pictures 14-18

There is a pitfall here.

picture 19

I didn't find an illustrated, step-by-step approach from abroad, but this one is worth a look: https://blog.csdn.net/sycamorelg/article/details/140251903. It demonstrates manual injection; we don't need that, we only need to enable this web page.

pictures 20-23

Still no success, so I switched to another PoC; that one didn't work either, so go straight to this exploit: https://github.com/dollarboysushil/Dolibarr-17.0.0-Exploit-CVE-2023-30253

pictures 24-28

Didn't it work?

pictures 29-30

This thing needs to be turned on.

pictures 31-32

Just bypass it and it works.

Privilege escalation

picture 33

Start by looking for the database.

pictures 34-35

Looks like this isn't the way.

picture 36

Look for passwords?

picture 37

This looks more like a root privilege escalation.

picture 38

ssh is executable, and there are hints about other users.

picture 39

That's no use, but there shouldn't be nothing at all.

pictures 40-46

After wasting a long time searching, I should have gone back to look inside this conf.

picture 47

It is a user password.
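Two of the conditions this walkthrough depended on are things a defender can check on a Dolibarr host: the web installer was still reachable (which is what allowed the database host to be pointed elsewhere), the install was on 17.0.0 (the version the CVE-2023-30253 exploit above targets), and the database password in conf.php was readable from the webshell and turned out to be reused for a local user. The script below is an added example of mine, not code from the post or from the Dolibarr project. It assumes Dolibarr's usual layout as I understand it: documents/install.lock disables the installer, htdocs/filefunc.inc.php defines DOL_VERSION, and htdocs/conf/conf.php holds $dolibarr_main_db_pass. It also assumes the CVE was fixed in 17.0.1; check the advisory before relying on that threshold. The sample deployments it audits are constructed in a temporary directory.

```python
# Added example: audit a Dolibarr install tree for the conditions exploited in this
# walkthrough. Not from the original post or the Dolibarr project.
# Assumptions (verify against your own install):
#   - documents/install.lock present  => web installer disabled
#   - htdocs/filefunc.inc.php defines DOL_VERSION
#   - htdocs/conf/conf.php holds $dolibarr_main_db_pass
#   - CVE-2023-30253 fixed in 17.0.1 (assumed threshold)
import re
import stat
import tempfile
from pathlib import Path

FIXED_VERSION = (17, 0, 1)  # assumed fix version for CVE-2023-30253


def parse_version(text):
    """Return the DOL_VERSION string from filefunc.inc.php content, or None."""
    m = re.search(r"define\(\s*'DOL_VERSION'\s*,\s*'([^']+)'\s*\)", text)
    return m.group(1) if m else None


def version_tuple(version):
    """'17.0.0' -> (17, 0, 0); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def audit_dolibarr(root):
    """Return {'version': str|None, 'findings': [sorted finding names]} for an install tree."""
    root = Path(root)
    findings = []

    # 1. Installer still usable: the route used for the webshell in this walkthrough.
    if not (root / "documents" / "install.lock").is_file():
        findings.append("installer-unlocked")

    # 2. Version below the assumed fix for CVE-2023-30253.
    ff = root / "htdocs" / "filefunc.inc.php"
    version = parse_version(ff.read_text()) if ff.is_file() else None
    if version is not None and version_tuple(version) < FIXED_VERSION:
        findings.append("version-affected")

    # 3. conf.php contains the DB password and is world-readable: the privesc route.
    conf = root / "htdocs" / "conf" / "conf.php"
    if conf.is_file():
        has_pass = re.search(r"\$dolibarr_main_db_pass\s*=\s*'[^']+'", conf.read_text())
        world_readable = bool(conf.stat().st_mode & stat.S_IROTH)
        if has_pass and world_readable:
            findings.append("db-password-world-readable")

    return {"version": version, "findings": sorted(findings)}


def build_sample(root, version, locked, conf_mode):
    """Construct a minimal fake Dolibarr tree (constructed fixture, not real data)."""
    root = Path(root)
    (root / "htdocs" / "conf").mkdir(parents=True)
    (root / "documents").mkdir()
    (root / "htdocs" / "filefunc.inc.php").write_text(
        f"<?php\ndefine('DOL_VERSION', '{version}');\n")
    conf = root / "htdocs" / "conf" / "conf.php"
    conf.write_text("<?php\n$dolibarr_main_db_host='localhost';\n"
                    "$dolibarr_main_db_pass='constructed-secret';\n")
    conf.chmod(conf_mode)
    if locked:
        (root / "documents" / "install.lock").write_text("")


def demo():
    """Audit one vulnerable-looking and one hardened constructed tree; return both results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        vulnerable = Path(tmp) / "vulnerable"
        vulnerable.mkdir()
        build_sample(vulnerable, "17.0.0", locked=False, conf_mode=0o644)
        hardened = Path(tmp) / "hardened"
        hardened.mkdir()
        build_sample(hardened, "17.0.1", locked=True, conf_mode=0o600)
        results["vulnerable"] = audit_dolibarr(vulnerable)
        results["hardened"] = audit_dolibarr(hardened)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it against a real install with audit_dolibarr("/var/www/dolibarr") or similar; a finding of db-password-world-readable is worth acting on even when the file is owned by the web user, since the password was reused for a shell account on this box and a password in conf.php should never be shared with an OS user.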

picture 49

picture 48

picture 50

picture 51

picture 52

pictures 53-54

It seems to have become easier; the approach of looking for a password was right, but I spent ages on it and I don't understand myself.

picture 55

OK, now I have a root route too; I'll just write myself a public key.

pictures 56-57

picture 58

It doesn't work.

pictures 59-60

Turns out it was never written.

picture 61

If it's readable, can we use a symlink? But the directory isn't writable; if it were, that would be a jackpot.

pictures 62-64

pictures 65-70

All that time spent searching for a PoC was not wasted. OK, with this the box is basically done for me.

picture 71

OK, to sum up: this is a very interesting machine. Both the root privilege escalation and the webshell were things I hadn't seen before, so it was a completely new experience.

One more thing: after watching the group owner's video, here is the address of the automatic generation tool and its approach as a follow-up: https://github.com/j0lt-github/python-deserialization-attack-payload-generator

userflag: c20f80f45da20ec2b6edcb6575297b85

rootflag: 8a0f989c11a724123ef293c7318bdab6

This post is licensed under CC BY 4.0 by the author.