
AIX的渗透

作者: 唐小风7 | 来源:发表于2019-01-09 16:12 被阅读0次

    前言

    通过一句话木马（webshell）连接上去后，发现目标是我没遇到过的操作系统（AIX），在此记录一下学习过程

    查看系统版本（AIX 上 uname -a 的字段依次为：系统名、主机名、发行号、版本号、机器 ID，下面的 "1 7" 即 AIX 7.1）

    [/]$ uname -a
    AIX rafiki 1 7 00C081F54C00
    
    [/]$ oslevel -s
    7100-02-02-1316
    

    oslevel -s 的格式为 VVRR-TL-SP-YYWW，7100-02-02-1316 拆开为：
    7100 = 版本(Version) 7、发行版(Release) 1；02 = 技术级别(TL)；02 = 服务包(SP)；1316 = 构建日期（2013 年第 16 周）
    （后面筛选提权 EXP 时要按 TL/SP 核对受影响范围，而不只看大版本 7.1）

    查看 RPM 已安装软件包（注意列表中装有 bash 和较老的 sudo-1.6.9p23，提权前可先执行 sudo -l 检查当前用户有无 sudo 规则）

    
    [/usr/local/tomcat6.0-j6/bin/]$ rpm -qa
    popt-1.16-1
    tcl-8.4.7-3
    tk-8.4.7-3
    expect-5.42.1-3
    unzip-5.51-1
    libidn-1.22-1
    gettext-0.17-5
    gmp-5.0.2-1
    coreutils-8.12-1
    AIX-rpm-7.1.1.0-3
    tar-1.26-1
    screen-4.0.3-1
    sudo-1.6.9p23-1
    libiconv-1.14-2
    bash-4.3-12
    rsync-3.1.1-1
    less-466-1
    

    在攻击机上用 searchsploit 查找提权 EXP（结果中混有 Ultrix、IRIX、SunOS 等非 AIX 条目，需按目标版本 AIX 7.1 筛选）

    root@kali:/# searchsploit AIX | grep "Privilege Escalation" --color
    AIX 4.3/5.1 < 5.3 - 'lsmcode' Execution Privilege Escalation           | exploits/aix/local/701.sh
    AIX 5.2 - 'ipl_varyon' Local Privilege Escalation                      | exploits/aix/local/1045.c
    AIX 5.2 - 'netpmon' Local Privilege Escalation                         | exploits/aix/local/1044.c
    AIX 5.2 - 'paginit' Local Privilege Escalation                         | exploits/aix/local/1046.c
    AIX 7.1 - 'lquerylv' Local Privilege Escalation                        | exploits/aix/local/38576.sh
    AIX lquerylv - Local Buffer Overflow / Local Privilege Escalation      | exploits/aix/local/335.c
    Digital Ultrix 4.0/4.1 - '/usr/bin/chroot' Local Privilege Escalation  | exploits/aix/local/19041.txt
    IBM AIX 3.2.5 - 'IFS' Local Privilege Escalation                       | exploits/aix/local/19344.sh
    IBM AIX 3.2.5 - 'login(1)' Privilege Escalation                        | exploits/aix/remote/19348.txt
    IBM AIX 4.3 - 'infod' Local Privilege Escalation                       | exploits/aix/local/19287.c
    IBM AIX 5.3 SP6 - Capture Terminal Sequence Privilege Escalation       | exploits/aix/local/4231.c
    IBM AIX 5.3 SP6 - FTP 'gets()' Local Privilege Escalation              | exploits/aix/local/4233.c
    IBM AIX 5.3.0 - 'setlocale()' Local Privilege Escalation               | exploits/aix/local/4612.py
    IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Local Privilege Escalation        | exploits/aix/local/40710.sh
    IBM AIX 5.x - 'Diag' Local Privilege Escalation                        | exploits/aix/local/25039.txt
    IBM AIX 6.1/7.1 - Local Privilege Escalation                           | exploits/aix/local/28507.sh
    IBM AIX 6.1/7.1/7.2 - 'Bellmail' Local Privilege Escalation            | exploits/aix/local/40950.sh
    IBM AIX 6.1/7.1/7.2.0.2 - 'lsmcode' Local Privilege Escalation         | exploits/aix/local/40709.sh
    SGI IRIX 5.1/5.2 - 'sgihelp' Local Privilege Escalation                | exploits/aix/local/19354.txt
    SunOS 4.1.1 - '/usr/release/bin/winstall' Local Privilege Escalation   | exploits/aix/local/19043.txt
    SunOS 4.1.3 - '/etc/crash' SetGID kmem Privilege Escalation            | exploits/aix/local/19045.txt
    Xorg X11 Server (AIX) - Local Privilege Escalation                     | exploits/aix/local/45938.pl
    root@kali:/# 
    
    

    复制 EXP（28507.sh 标注适用于 AIX 6.1/7.1，40710.sh 标注适用于 5.3/6.1/7.1/7.2，与目标的 7.1 相符；两者均为本地提权脚本，需上传到目标后以当前普通用户执行，执行前先用 oslevel -s 核对 TL/SP 是否在受影响范围内）

    cp /usr/share/exploitdb/exploits/aix/local/28507.sh /1.sh
    cp /usr/share/exploitdb/exploits/aix/local/40710.sh /2.sh
    

    查看系统详细信息（注意：以下 prtconf 输出包含主机名、域名、内网 IP、网关、DNS 和机器序列号等可识别信息，公开发布此类记录前应先脱敏）

    
    [/]$ prtconf
    System Model: IBM,9119-FHA
    Machine Serial Number: 83081F5
    Processor Type: PowerPC_POWER6
    Processor Implementation Mode: POWER 6
    Processor Version: PV_6_Compat
    Number Of Processors: 2
    Processor Clock Speed: 5000 MHz
    CPU Type: 64-bit
    Kernel Type: 64-bit
    LPAR Info: 13 RAFIKI
    Memory Size: 6144 MB
    Good Memory Size: 6144 MB
    Platform Firmware level: EH350_176
    Firmware Version: IBM,EH350_176
    Console Login: enable
    Auto Restart: true
    Full Core: false
     
    Network Information
        Host Name: rafiki.cma.junta-andalucia.es
        IP Address: 10.229.36.67
        Sub Netmask: 255.255.252.0
        Gateway: 10.229.39.7
        Name Server: 10.229.36.2
        Domain Name: cma.junta-andalucia.es
     
    Paging Space Information
        Total Paging Space: 4096MB
        Percent Used: 1%
     
    
    
    [/]$ id
    uid=204(aplica) gid=202(aplica) groups=1(staff)
    
    [/]$ cat /etc/passwd
    root:!:0:0::/:/usr/bin/ksh
    daemon:!:1:1::/etc:
    bin:!:2:2::/bin:
    sys:!:3:3::/usr/sys:
    adm:!:4:4::/var/adm:
    uucp:!:5:5::/usr/lib/uucp:
    guest:!:100:100::/home/guest:
    nobody:!:4294967294:4294967294::/:
    lpd:!:9:4294967294::/:
    lp:*:11:11::/var/spool/lp:/bin/false
    invscout:!:6:12::/var/adm/invscout:/usr/bin/ksh
    ipsec:*:200:1::/etc/ipsec:/usr/bin/ksh
    esaadmin:*:7:0::/var/esa:/usr/bin/ksh
    pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
    snapp:*:201:14:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
    nuucp:*:10:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
    sshd:*:202:201::/var/empty:/usr/bin/ksh
    monitor:!:203:1::/home/monitor:/usr/bin/ksh
    aplica:!:204:202:Usuario para Tomcats:/home/aplica:/usr/bin/ksh
    fujitsu:!:205:1::/home/fujitsu:/usr/bin/ksh
    rim:!:206:1::/home/rim:/usr/bin/ksh
    vrl:!:207:1::/home/vrl:/usr/bin/ksh
    dhr:!:208:1::/home/dhr:/usr/bin/ksh
    jrg:!:209:1::/home/jrg:/usr/bin/ksh
    mhr:!:210:1::/home/mhr:/usr/bin/ksh
    atc:!:211:1::/home/atc:/usr/bin/ksh
    mjvp:!:212:1::/home/mjvp:/usr/bin/ksh
    egmasa:!:10003:1::/home/egmasa:/usr/bin/ksh
    lec-hsm:!:10004:1::/home/lec-hsm:/usr/bin/ksh
    
    [/]$ cat /etc/group
    system:!:0:root,esaadmin,pconsole
    staff:!:1:ipsec,esaadmin,sshd,monitor,aplica,rim,vrl,dhr,jrg,mhr,atc,mjvp,egmasa,lec-hsm
    bin:!:2:root,bin
    sys:!:3:root,bin,sys
    adm:!:4:bin,adm
    uucp:!:5:uucp,nuucp
    mail:!:6:
    security:!:7:root
    cron:!:8:root
    printq:!:9:lp
    audit:!:10:root
    ecs:!:28:
    nobody:!:4294967294:nobody,lpd
    usr:!:100:guest
    perf:!:20:
    shutdown:!:21:
    lp:!:11:root,lp
    invscout:!:12:invscout
    ipsec:!:200:
    pconsole:!:13:pconsole
    snapp:!:14:snapp
    sshd:!:201:sshd
    aplica:!:202:aplica
    adminaix:!:203:rim,fujitsu,vrl,dhr,jrg,mhr,atc,mjvp
    egmasa:!:10003:egmasa,lec-hsm
    
    [/]$ lsgroup ALL
    system id=0 admin=true users=root,esaadmin,pconsole registry=files 
    staff id=1 admin=false users=ipsec,esaadmin,sshd,monitor,aplica,rim,vrl,dhr,jrg,mhr,atc,mjvp,egmasa,lec-hsm,daemon,fujitsu registry=files 
    bin id=2 admin=true users=root,bin registry=files 
    sys id=3 admin=true users=root,bin,sys registry=files 
    adm id=4 admin=true users=bin,adm registry=files 
    uucp id=5 admin=true users=uucp,nuucp registry=files 
    mail id=6 admin=true users= registry=files 
    security id=7 admin=true users=root registry=files 
    cron id=8 admin=true users=root registry=files 
    printq id=9 admin=true users=lp registry=files 
    audit id=10 admin=true users=root registry=files 
    ecs id=28 admin=true users= registry=files 
    nobody id=4294967294 admin=false users=nobody,lpd registry=files 
    usr id=100 admin=false users=guest registry=files 
    perf id=20 admin=false users= registry=files 
    shutdown id=21 admin=true users= registry=files 
    lp id=11 admin=true users=root,lp registry=files 
    invscout id=12 admin=true users=invscout registry=files 
    ipsec id=200 admin=false users= registry=files 
    pconsole id=13 admin=true users=pconsole registry=files 
    snapp id=14 admin=true users=snapp registry=files 
    sshd id=201 admin=false users=sshd registry=files 
    aplica id=202 admin=false users=aplica adms=root registry=files 
    adminaix id=203 admin=false users=rim,fujitsu,vrl,dhr,jrg,mhr,atc,mjvp adms=root registry=files 
    egmasa id=10003 admin=false users=egmasa,lec-hsm adms=root registry=files 
    
    
    
    [/]$ ifconfig -a
    en2: flags=1e084863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.229.36.67 netmask 0xfffffc00 broadcast 10.229.39.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
    lo0: flags=e08084b,c0<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,LARGESEND,CHAIN>
        inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
        inet6 ::1%1/0
         tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1
    
    [/]$ ps aux
    USER          PID %CPU %MEM   SZ  RSS    TTY STAT    STIME  TIME COMMAND
    aplica   23330932  0.1  3.0 169768 169820      - A    02:00:08  1:40 /usr/java6_64/
    root       131076  0.0  0.0  448  448      - A      Jan 09 975:43 wait
    ... ...
    
    [/]$ who -p /var/adm/wtmp
    ha_star         .       Jan 18 11:46     0:40  23068700 id=ha_star
    ... ... 
    

    参考:https://www.anquanke.com/post/id/85924
