# TIKI: 1

# Download


Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our suggestions for "protecting yourself and your network". If you understand the risks, please download!

  • Tiki.ova (Size: 4.3GB)
  • Download: https://drive.google.com/file/d/1D853GmY2puKw7fxB_hIYVjc2KS5YTz19/view?usp=sharing
  • Download (Mirror): https://download.vulnhub.com/tiki/Tiki.ova

# Description

Oh no, our webserver got compromised. The attacker used a 0day, so we don't know how he got into the admin panel. Investigate that.

This is an OSCP Prep Box, it's based on a CVE I recently found. It's on the OSCP lab machines' level.

If you need hints, contact me on Twitter: S1lky_1337. Should work on VirtualBox and VMware.

# Information Gathering

```
┌──(root㉿yhuanhuan)-[/home/kali]
└─# nmap 192.168.85.145 -p 1-65535
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-24 06:39 EST
Nmap scan report for 192.168.85.145
Host is up (0.00025s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:74:35:F1 (VMware)
```

Nmap shows ports 22, 80, 139 and 445 open.

Next, run the autorecon.py script against the host.

Port 445

The SMB enumeration (smbmap-style output from autorecon) reports a readable share even though no credentials were supplied. `Notes` is a directory share:

```
[+] IP: 192.168.85.145:445	Name: 192.168.85.145	Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        Notes                                                   READ ONLY       My Notes
        ./Notes
        dr--r--r--                0 Wed Jul 29 09:52:09 2020    .
        dr--r--r--                0 Thu Jul 30 15:32:11 2020    ..
        fr--r--r--              244 Wed Jul 29 09:52:05 2020    Mail.txt
        IPC$                                                    NO ACCESS       IPC Service (ubuntu server (Samba, Ubuntu))
```

There is a Mail.txt file in the share.

Port 80

```
200 GET 469l 1513w 49414c http://192.168.85.145/tiki/tiki-index.php
200 GET 15l 74w 6147c http://192.168.85.145/icons/ubuntu-logo.png
200 GET 375l 964w 10918c http://192.168.85.145/
200 GET 375l 964w 10918c http://192.168.85.145/index.html
200 GET 3l 5w 42c http://192.168.85.145/robots.txt
200 GET 1105l 3225w 29168c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery-plugins/colorbox/jquery.colorbox.js
200 GET 1l 163w 1533c http://192.168.85.145/tiki/themes/base_files/favicons/safari-pinned-tab.svg
200 GET 72l 237w 1692c http://192.168.85.145/tiki/lib/jquery_tiki/iconsets.js
200 GET 214l 697w 6583c http://192.168.85.145/tiki/lib/ajax/autosave.js
200 GET 24l 80w 2159c http://192.168.85.145/tiki/img/spinner.gif
200 GET 1311l 3479w 36444c http://192.168.85.145/tiki/vendor_bundled/vendor/components/jqueryui/themes/flick/jquery-ui.css
200 GET 2280l 8947w 66245c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery-plugins/tagcanvas/jquery.tagcanvas.js
200 GET 4305l 12949w 123816c http://192.168.85.145/tiki/lib/jquery_tiki/tiki-jquery.js
200 GET 45l 270w 1536c http://192.168.85.145/tiki/lang/en/language.js
200 GET 17l 28w 436c http://192.168.85.145/tiki/lib/captcha/captchalib.js
200 GET 357l 1792w 13839c http://192.168.85.145/tiki/lib/jquery_tiki/tiki-confirm.js
200 GET 2291l 8530w 78475c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery/jquery-timepicker-addon/dist/jquery-ui-timepicker-addon.js
200 GET 4556l 7744w 72670c http://192.168.85.145/tiki/vendor_bundled/vendor/bower-asset/fontawesome/css/all.css
200 GET 18706l 71547w 520714c http://192.168.85.145/tiki/vendor_bundled/vendor/components/jqueryui/jquery-ui.js
200 GET 8065l 26342w 265027c http://192.168.85.145/tiki/themes/darkly/css/darkly.css
200 GET 6l 19w 1384c http://192.168.85.145/tiki/themes/base_files/favicons/favicon-16x16.png
403 GET 393l 1324w 46811c http://192.168.85.145/tiki/tiki-admin.php
404 GET 393l 1316w 46786c http://192.168.85.145/tiki/tiki-ajax_services.php
200 GET 289l 995w 8317c http://192.168.85.145/tiki/lib/jquery_tiki/pluginedit.js
200 GET 19l 76w 6061c http://192.168.85.145/tiki/img/tiki/Tiki_WCG.png
200 GET 70l 332w 4474c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery-plugins/colorbox/example1/colorbox.css
200 GET 2624l 11633w 88740c http://192.168.85.145/tiki/vendor_bundled/vendor/npm-asset/popper.js/dist/umd/popper.js
200 GET 77l 293w 1848c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery-plugins/async/jquery.async.js
200 GET 200l 803w 5256c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery-plugins/jquery-json/src/jquery.json.js
200 GET 50l 267w 18969c http://192.168.85.145/tiki/themes/base_files/favicons/apple-touch-icon.png
200 GET 130l 436w 5366c http://192.168.85.145/tiki/vendor_bundled/vendor/cwspear/bootstrap-hover-dropdown/bootstrap-hover-dropdown.js
200 GET 935l 2838w 27000c http://192.168.85.145/tiki/lib/jquery_tiki/files.js
200 GET 11l 16w 443c http://192.168.85.145/tiki/themes/base_files/favicons/browserconfig.xml
200 GET 21l 37w 552c http://192.168.85.145/tiki/themes/base_files/favicons/site.webmanifest
200 GET 10872l 44287w 287630c http://192.168.85.145/tiki/vendor_bundled/vendor/components/jquery/jquery.js
200 GET 8l 45w 3046c http://192.168.85.145/tiki/themes/base_files/favicons/favicon-32x32.png
200 GET 30l 187w 1945c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery/jquery-timepicker-addon/dist/jquery-ui-timepicker-addon.css
200 GET 28l 67w 652c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery-plugins/treetable/css/jquery.treetable.css
200 GET 24l 90w 945c http://192.168.85.145/tiki/lib/jquery_tiki/tiki-bootstrapmodalfix.js
200 GET 114l 597w 4938c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery-plugins/superfish/dist/js/hoverIntent.js
200 GET 61l 379w 24354c http://192.168.85.145/tiki/themes/base_files/favicons/favicon.ico
200 GET 1372l 5516w 42878c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery-plugins/jquery-validation/dist/jquery.validate.js
200 GET 4420l 11447w 136323c http://192.168.85.145/tiki/vendor_bundled/vendor/twbs/bootstrap/dist/js/bootstrap.js
200 GET 228l 866w 8083c http://192.168.85.145/tiki/lib/validators/validator_tiki.js
200 GET 540l 2164w 14923c http://192.168.85.145/tiki/vendor_bundled/vendor/components/jquery-migrate/jquery-migrate.js
200 GET 629l 1606w 16611c http://192.168.85.145/tiki/vendor_bundled/vendor/jquery-plugins/treetable/jquery.treetable.js
200 GET 421l 1343w 47118c http://192.168.85.145/tiki/tiki-remind_password.php
200 GET 5026l 13357w 119973c http://192.168.85.145/tiki/themes/base_files/css/tiki_base.css
200 GET 1654l 5876w 47509c http://192.168.85.145/tiki/lib/tiki-js.js
```

The contents of robots.txt (the disallowed /tiki/ path is still accessible; robots.txt is a hint, not an access control):

```
HTTP/1.1 200 OK
Date: Sat, 24 Feb 2024 12:32:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 29 Jul 2020 11:21:37 GMT
ETag: "2a-5ab92c25233cd"
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/plain

User-Agent: *
Disallow:
Disallow: /tiki/
```

# Gathering SMB Information

SMB (ports 139/445) lets us read Mail.txt.

Since autorecon could already read useful information from the SMB share, we connect with smbclient. A null session (empty password) logs in successfully, and `get` downloads the file locally.

Command: `smbclient \\\\<ip>\\<share>` (equivalently `smbclient //<ip>/<share>`), here with the `Notes` share, then `get Mail.txt`.


# Digging into Port 80

The /tiki/ path that robots.txt disallows is accessible.


It is a CMS.

Log in with the password obtained earlier from Mail.txt.


Login succeeds.

# Gathering CMS Information

Now that we know the CMS is Tiki Wiki, we need to determine its version before we can look for a matching vulnerability. Going by the CMS's official site and the box's release date of July 2020, the version is roughly 21.


We can also confirm it by requesting changelog.txt under /tiki/.


# Searching for a Relevant Exploit

With the version number determined, we look for a matching vulnerability. Searching locally on Kali with `searchsploit Tiki Wiki 21` finds a relevant authentication bypass.

```
┌──(root㉿kali)-[/home/kali/Desktop/Tools/AutoRecon]
└─# searchsploit Tiki Wiki 21
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Tiki Wiki CMS Groupware - 'url' Open Redirection                                     | php/webapps/36848.txt
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass                                 | php/webapps/48927.py
TikiWiki jhot - Remote Command Execution (Metasploit)                                | php/webapps/16885.rb
TikiWiki Project 1.8 - 'tiki-browse_categories.php?sort_mode' SQL Injection         | php/webapps/23966.txt
TikiWiki Project 1.8 - 'tiki-directory_ranking.php?sort_mode' SQL Injection         | php/webapps/23965.txt
TikiWiki Project 1.8 - 'tiki-directory_search.php?sort_mode' SQL Injection          | php/webapps/23973.txt
TikiWiki Project 1.8 - 'tiki-file_galleries.php?sort_mode' SQL Injection            | php/webapps/23974.txt
TikiWiki Project 1.8 - 'tiki-index.php?comments_offset & offset' SQL Injections     | php/webapps/23971.txt
TikiWiki Project 1.8 - 'tiki-list_file_gallery.php?sort_mode' SQL Injection         | php/webapps/23964.txt
TikiWiki Project 1.8 - 'tiki-list_trackers.php?sort_mode' SQL Injection             | php/webapps/23976.txt
TikiWiki Project 1.8 - 'tiki-usermenu.php?sort_mode' SQL Injection                  | php/webapps/23963.txt
TikiWiki Project 1.8 - 'tiki-user_tasks.php?offset & sort_mode' SQL Injections      | php/webapps/23972.txt
TikiWiki Project 1.8 - 'tiki-view_chart.php?chartId' Cross-Site Scripting           | php/webapps/23962.txt
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```


Then follow the exploit script's method. The script repeatedly submits wrong passwords for the admin account until Tiki's failed-login threshold is reached; in 21.1 the lockout handling clears the admin password instead of merely locking the account, so afterwards admin can log in with an empty password. Once the script has run, log in as admin on the login page, capturing the request in Burp and sending it with the password field empty.

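To make the mechanism behind exploit 48927 (CVE-2020-15906, fixed in Tiki 21.2) concrete, here is an added Python model of the lockout logic next to a hardened version. This is not Tiki's code and not the exploit script: the class and method names, `MAX_FAILED_LOGINS` and the PBKDF2 parameters are assumptions chosen for the demo. `lockout_then_blank_login` replays against the model what the script does over HTTP.

```python
"""Model of the Tiki 21.1 lockout bug next to a hardened variant (added example,
not Tiki's code). Names, MAX_FAILED_LOGINS and hashing parameters are assumed."""

import hashlib
import hmac
import secrets

MAX_FAILED_LOGINS = 50   # assumed lockout threshold (the public exploit uses ~50 tries)
PBKDF2_ROUNDS = 20_000   # kept low so the demo runs in a few seconds


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class VulnerableLogin:
    """Lockout that 'resets' the account by blanking the password (the bug).

    Once the threshold is hit the stored hash becomes the hash of '', so a login
    with an empty password succeeds and the real password stops working."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.failed = 0

    def login(self, user: str, password: str) -> bool:
        if user != self.user:
            return False
        if hmac.compare_digest(self.pw_hash, hash_password(password, self.salt)):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_LOGINS:
            # The flaw: "locking" the account by overwriting the credential.
            self.pw_hash = hash_password("", self.salt)
        return False


class HardenedLogin:
    """Same flow, but lockout is a separate flag, the stored hash is never
    touched, and an empty password is rejected before any comparison."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.failed = 0
        self.locked = False

    def login(self, user: str, password: str) -> bool:
        if user != self.user or self.locked:
            return False
        if password and hmac.compare_digest(self.pw_hash, hash_password(password, self.salt)):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_LOGINS:
            self.locked = True   # state change only; the secret is intact
        return False

    def unlock(self) -> None:
        """Out-of-band administrative unlock; the original password works again."""
        self.locked = False
        self.failed = 0


def lockout_then_blank_login(target, user: str = "admin",
                             attempts: int = MAX_FAILED_LOGINS) -> bool:
    """Burn through the failure threshold, then try the empty password.
    Returns True if the empty-password login was accepted (the bypass worked)."""
    for i in range(attempts):
        target.login(user, f"wrong-{i}")
    return target.login(user, "")


if __name__ == "__main__":
    for cls in (VulnerableLogin, HardenedLogin):
        acct = cls("admin", "correct horse battery staple")
        print(f"{cls.__name__}: empty-password login after lockout ->",
              lockout_then_blank_login(acct))
```

Two things the model makes visible that matter for the "investigate" part of the box: after the attack the legitimate admin password no longer works on the vulnerable version (a lockout that coincides with the admin being unable to log in is itself an indicator), and the fix is not a bigger threshold but keeping lockout as state that never rewrites the credential.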

# Privilege Escalation

Inside the admin panel there is a page called Credentials.


Opening it shows an account followed by a string that is clearly different from what Mail.txt contained.


So this is a credential different from the silky one used earlier.

Connect with SSH:

```
ssh silky@192.168.85.145
```

After connecting over SSH and entering the credentials, the login succeeds. `sudo -l` shows the user may run everything as root, so `sudo su` drops straight into a root shell.

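The box description asks us to investigate the compromise, not only reproduce it. The bypass leaves an obvious trace: dozens of POSTs to the login endpoint from one address in a short span, right before the admin session. Here is an added Python detector for that pattern in Apache access logs (not part of the original writeup). It assumes Apache's combined log format, the login endpoint at `/tiki/tiki-login.php`, and the threshold and window values below; the log lines in `sample_log` are constructed for the demo.

```python
"""Added example: flag login-spray bursts in Apache access logs (not from the
original writeup). Log format, endpoint path and thresholds are assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/tiki/tiki-login.php"   # Tiki's login endpoint (assumed for the demo)


def parse_line(line: str):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_bursts(lines, login_path=LOGIN_PATH, threshold=20,
                      window=timedelta(minutes=5)):
    """Sliding-window count of POSTs to the login endpoint per source IP.

    Returns {ip: (max_count, window_start, window_end)} for every IP that sent at
    least `threshold` login POSTs inside any span of length `window`. Status codes
    are deliberately ignored: a bare access log does not reliably separate a failed
    login from a successful one, so request volume is the signal."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == login_path:
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    hits = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(ip, (0,))[0]:
                hits[ip] = (count, stamps[start], ts)
    return hits


def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed log: one attacker burst, one legitimate user, some noise."""
    t0 = datetime(2020, 7, 30, 15, 0, 0, tzinfo=timezone.utc)
    lines = [_line("10.0.0.5", t0, "GET", "/tiki/tiki-index.php", 200),
             _line("10.0.0.5", t0, "GET", "/robots.txt", 200)]
    # attacker: 55 login POSTs in under a minute, then the blank-password login
    for i in range(55):
        lines.append(_line("192.168.85.1", t0 + timedelta(seconds=i), "POST", LOGIN_PATH, 302))
    lines.append(_line("192.168.85.1", t0 + timedelta(seconds=70), "POST", LOGIN_PATH, 302))
    # legitimate user: three failed attempts spread over an hour
    for i in range(3):
        lines.append(_line("10.0.0.7", t0 + timedelta(minutes=20 * i), "POST", LOGIN_PATH, 302))
    return lines


if __name__ == "__main__":
    for ip, (n, first, last) in find_login_bursts(sample_log()).items():
        print(f"{ip}: {n} login POSTs between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run it against the real `/var/log/apache2/access.log` by passing the file's lines to `find_login_bursts`; the first timestamp of the reported window is where to start reading the Tiki side of the story (admin logins, page edits such as the Credentials page, and any account changes).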

Takeaways:

Learned a lot of tools, methods, and port protocols. Keep going!!!