SickOS
Scan the subnet
nmap -sn 192.168.85.0/24
.157 is my own machine, so .158 should be the target.
Next, check which ports .158 has open.
Port scan
nmap -p- 192.168.85.158
Another way is to probe the ports with nc:
nc 192.168.85.158 1-65535 -tvz -w 1 2>&1 | grep open
Port 80 is open, so there is a web service. Take a look at it:
Nothing much there, so brute-force the directories.
Another file turns up.
Try to access it.
None of them can be opened or downloaded, so capture the request and look at the packet format.
Seemingly nothing useful. Here is a trick worth learning: send an OPTIONS request; the server answers with the HTTP methods it accepts.
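The OPTIONS answer is only useful if someone reads it. The following shell snippet is an added example, not part of the original write-up: it parses the value of an Allow header and flags write-capable methods such as PUT or DELETE, which a static content host has no reason to expose. The header value is constructed inline; on a real host it would come from `curl -s -i -X OPTIONS http://host/ | grep -i '^Allow:'`.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit the Allow header
# returned by an OPTIONS request and flag methods that can modify content.
# The sample header values at the bottom are constructed for the demo.

# Prints the comma-separated subset of methods in $1 that can write to the
# server (PUT, DELETE, PATCH and the WebDAV write methods). Empty output
# means only read-style methods were advertised.
risky_methods() {
    printf '%s\n' "$1" | awk -F'[, ]+' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            m = toupper($i)
            if (m ~ /^(PUT|DELETE|PATCH|PROPFIND|PROPPATCH|MKCOL|MOVE|COPY)$/)
                out = out (out == "" ? "" : ",") m
        }
        print out
    }'
}

# Verdict for one header value: "OK" or "REVIEW: <methods>".
allow_header_verdict() {
    r=$(risky_methods "$1")
    if [ -z "$r" ]; then
        echo OK
    else
        echo "REVIEW: $r"
    fi
}

sample='GET, HEAD, POST, OPTIONS, PUT, DELETE'   # constructed Allow header value
allow_header_verdict "$sample"                   # REVIEW: PUT,DELETE
allow_header_verdict 'GET, HEAD, OPTIONS'        # OK
```

When the verdict is REVIEW on a host that only serves files, the fix is on the server side rather than in the client: on Apache, for instance, a `<LimitExcept GET POST HEAD>` block with `Require all denied` refuses every other method, and the same OPTIONS check then confirms the change.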
Reverse shell
The PUT method is allowed here, which makes things interesting: we can upload a webshell.
First upload a Behinder (冰蝎) webshell.
Then visit it.
After getting the shell:
whoami: check the current user
pwd: check the current directory
uname -a: check the system information
lsb_release -a: check the distribution version and kernel information
These versions can be searched online for known, exploitable vulnerabilities.
Nothing useful turns up here. To escalate privileges we can use the scheduled tasks, because the cron jobs run with root privileges.
Look at the cron job lists under /etc/cron*.
One job stands out: a script that runs a rootkit checker. Use chkrootkit -V to see the chkrootkit version.
searchsploit
Search for vulnerabilities in that version.
This could be done with msf, but let's do it by hand first.
First, see how it is done:
cat /usr/share/exploitdb/exploits/linux/local/33899.txt
It shows:
We just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec).

The vulnerability is located in the function slapper() in the
shellscript chkrootkit:

   #
   # SLAPPER.{A,B,C,D} and the multi-platform variant
   #
   slapper (){
      SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
      SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
      ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
      SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
      OPT=-an
      STATUS=0
      file_port=

      if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}">
   /dev/null 2>&1
         then
         STATUS=1
         [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
            $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' |
            tr -d :`
      fi

      for i in ${SLAPPER_FILES}; do
         if [ -f ${i} ]; then
            file_port=$file_port $i
            STATUS=1
         fi
      done

      if [ ${STATUS} -eq 1 ] ;then
         echo "Warning: Possible Slapper Worm installed ($file_port)"
      else
         if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
            return ${NOT_INFECTED}
      fi
   }

The line 'file_port=$file_port $i' will execute all files specified in
$SLAPPER_FILES as the user chkrootkit is running (usually root), if
$file_port is empty, because of missing quotation marks around the
variable assignment.

Steps to reproduce: // the steps start here

- Put an executable file named 'update' with non-root owner in /tmp (not
  mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.

Suggested fix: Put quotation marks around the assignment.

file_port="$file_port $i"

I will also try to contact upstream, although the latest version of
chkrootkit dates back to 2009 - will have to see, if I reach a dev there.
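The advisory's whole point is one missing pair of quotes, and it is easy to misread why that matters. The script below is an added example, not part of the original write-up and not chkrootkit's own code: it reproduces the shell semantics with a harmless marker file in a scratch directory (never in /tmp/update), shows the quoted fix beside it, and adds a small audit helper that reports whether a chkrootkit script still carries the unquoted assignment. The `update` stand-in and the two script snippets it checks are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original write-up or from chkrootkit):
#  1. why `file_port=$file_port $i` runs a file instead of assigning a string
#  2. the quoted form the advisory suggests
#  3. an audit that greps a chkrootkit script for the bug
# Everything is created in a scratch directory; nothing touches /tmp/update.

workdir=$(mktemp -d)

# Constructed stand-in for the /tmp/update file: only prints a marker.
printf '#!/bin/sh\necho MARKER-EXECUTED\n' > "$workdir/update"
chmod +x "$workdir/update"

# Vulnerable form from the advisory. With file_port empty the line is parsed
# as `file_port= <path>`: run <path> with the environment variable file_port
# set to "". The variable is never assigned; the file is executed instead.
vulnerable_assign() {
    file_port=
    i=$1
    file_port=$file_port $i
    printf '%s' "$file_port"
}

# Suggested fix: with quotes it is a plain string assignment, nothing runs.
fixed_assign() {
    file_port=
    i=$1
    file_port="$file_port $i"
    printf '%s' "$file_port"
}

# Audit helper: prints FIXED, VULNERABLE, or UNKNOWN for the script at $1.
audit_slapper_assignment() {
    if grep -q 'file_port="\$file_port \$i"' "$1"; then
        echo FIXED
    elif grep -q 'file_port=\$file_port \$i' "$1"; then
        echo VULNERABLE
    else
        echo UNKNOWN
    fi
}

# Constructed snippets standing in for the slapper() loop of a real script.
printf 'for i in ${SLAPPER_FILES}; do\n  file_port=$file_port $i\ndone\n' > "$workdir/vuln.sh"
printf 'for i in ${SLAPPER_FILES}; do\n  file_port="$file_port $i"\ndone\n' > "$workdir/fixed.sh"

echo "vulnerable form output: $(vulnerable_assign "$workdir/update")"
echo "fixed form output:      $(fixed_assign "$workdir/update")"
echo "vuln.sh:  $(audit_slapper_assignment "$workdir/vuln.sh")"
echo "fixed.sh: $(audit_slapper_assignment "$workdir/fixed.sh")"
```

The first line of output is the marker printed by the stand-in file, because the unquoted form executed it; the second is just the string " <path>/update", because the quoted form assigned it. Pointing `audit_slapper_assignment` at the real chkrootkit script on a host (and checking whether /tmp is mounted noexec) is the quick way to confirm whether a daily chkrootkit cron job is exposed to this.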
After getting the unprivileged shell, go into /tmp, create a file named update there, and give it execute permission.
1. Start an nc listener to catch the reverse root shell.
Note: using bash -i directly gives a compile error; compile it with bash -c instead. With the listener running, you get a root shell.